linux-kernel.vger.kernel.org archive mirror
* [PATCH 3.16 00/83] 3.16.78-rc1 review
@ 2019-11-20 15:37 Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:37 UTC
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm, Denis Kirjanov

This is the start of the stable review cycle for the 3.16.78 release.
There are 83 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Nov 22 15:37:10 UTC 2019.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Alan Stern (1):
      USB: core: Fix races in character device registration and deregistraion
         [303911cfc5b95d33687d9046133ff184cf5043ff]

Andreas Koop (1):
      mmc: mmc_spi: Enable stable writes
         [3a6ffb3c8c3274a39dc8f2514526e645c5d21753]

Bandan Das (1):
      x86/apic: Do not initialize LDR and DFR for bigsmp
         [bae3a8d3308ee69a7dbdf145911b18dfda8ade0d]

Björn Gerhart (1):
      hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
         [f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf]

Charles Keepax (1):
      ALSA: compress: Fix regression on compressed capture streams
         [4475f8c4ab7b248991a60d9c02808dbb813d6be8]

Christophe JAILLET (3):
      ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
         [d23dbc479a8e813db4161a695d67da0e36557846]
      net: seeq: Fix the function used to release some memory in an error handling path
         [e1e54ec7fb55501c33b117c111cb0a045b8eded2]
      sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
         [b456d72412ca8797234449c25815e82f4e1426c0]

Cong Wang (1):
      sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
         [d4d6ec6dac07f263f06d847d6f732d6855522845]

Dave Wysochanski (1):
      cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
         [cb248819d209d113e45fed459773991518e8e80b]

Dirk Morris (1):
      netfilter: conntrack: Use consistent ct id hash calculation
         [656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a]

Dou Liyang (1):
      x86/apic: Drop logical_smp_processor_id() inline
         [8f1561680f42a5491b371b513f1ab8197f31fd62]

Eric Dumazet (2):
      mld: fix memory leak in mld_del_delrec()
         [a84d016479896b5526a2cc54784e6ffc41c9d6f6]
      net/packet: fix race in tpacket_snd()
         [32d3182cd2cd29b2e7e04df7b0db350fbe11289f]

Fuqian Huang (1):
      KVM: x86: work around leak of uninitialized stack contents
         [541ab2aeb28251bf7135c7961f3a6080eebcc705]

Gustavo A. R. Silva (1):
      sh: kernel: hw_breakpoint: Fix missing break in switch statement
         [1ee1119d184bb06af921b48c3021d921bbd85bac]

Hans de Goede (1):
      x86/sysfb_efi: Add quirks for some devices with swapped width and height
         [d02f1aa39189e0619c3525d5cd03254e61bf606a]

Hans van Kranenburg (2):
      btrfs: alloc_chunk: fix more DUP stripe size handling
         [baf92114c7e6dd6124aa3d506e4bc4b694da3bc3]
      btrfs: partially apply b8b93addde
         [b8b93addde1e0192b045da8995e296fc1e40c80f]

Henk van der Laan (1):
      usb-storage: Add new JMS567 revision to unusual_devs
         [08d676d1685c2a29e4d0e1b0242324e564d4589e]

Hillf Danton (1):
      keys: Fix missing null pointer check in request_key_auth_describe()
         [d41a3effbb53b1bcea41e328d16a4d046a508381]

Ian Abbott (2):
      staging: comedi: dt3000: Fix rounding up of timer divisor
         [8e2a589a3fc36ce858d42e767c3bcd8fc62a512b]
      staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
         [b4d98bc3fc93ec3a58459948a2c0e0c9b501cd88]

Jan Beulich (1):
      x86/apic/32: Avoid bogus LDR warnings
         [fe6f85ca121e9c74e7490fe66b0c5aae38e332c3]

Jann Horn (1):
      sched/fair: Don't free p->numa_faults with concurrent readers
         [16d51a590a8ce3befb1308e0e7ab77f3b661af33]

Jia-Ju Bai (1):
      net: sched: Fix a possible null-pointer dereference in dequeue_func()
         [051c7b39be4a91f6b7d8c4548444e4b850f1f56c]

Jiri Pirko (1):
      net: fix ifindex collision during namespace removal
         [55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df]

Juergen Gross (1):
      xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
         [50f6393f9654c561df4cdcf8e6cfba7260143601]

Kai-Heng Feng (2):
      USB: storage: ums-realtek: Update module parameter description for auto_delink_en
         [f6445b6b2f2bb1745080af4a0926049e8bca2617]
      USB: storage: ums-realtek: Whitelist auto-delink support
         [1902a01e2bcc3abd7c9a18dc05e78c7ab4a53c54]

Kees Cook (1):
      libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
         [71d6c505b4d9e6f76586350450e785e3d452b346]

Kefeng Wang (1):
      hpet: Fix division by zero in hpet_time_div()
         [0c7d37f4d9b8446956e97b7c5e61173cdb7c8522]

Liangyan (1):
      sched/fair: Don't assign runtime for throttled cfs_rq
         [5e2d2cc2588bd3307ce3937acbc2ed03c830a861]

Mikulas Patocka (1):
      dm table: fix invalid memory accesses with too high sector number
         [1cfd5d3399e87167b7f9157ef99daa0e959f395d]

Nadav Amit (1):
      VMCI: Release resource if the work is already queued
         [ba03a9bbd17b149c373c0ea44017f35fc2cd0f28]

Nathan Chancellor (1):
      net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx
         [125b7e0949d4e72b15c2b1a1590f8cece985a918]

Neal Cardwell (1):
      tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
         [af38d07ed391b21f7405fa1f936ca9686787d6d2]

Nigel Croxon (1):
      md/raid: raid5 preserve the writeback action after the parity check
         [b2176a1dfb518d870ee073445d27055fea64dfb8]

Nikolay Aleksandrov (1):
      net: bridge: mcast: don't delete permanent entries when fast leave is enabled
         [5c725b6b65067909548ac9ca9bc777098ec9883d]

Oliver Neukum (2):
      USB: cdc-wdm: fix race between write and disconnect due to flag abuse
         [1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e]
      usb: cdc-acm: make sure a refcount is taken early enough
         [c52873e5a1ef72f845526d9f6a50704433f9c625]

Ondrej Mosnacek (1):
      selinux: fix memory leak in policydb_init()
         [45385237f65aeee73641f1ef737d7273905a233f]

Paolo Bonzini (1):
      KVM: nVMX: handle page fault in vmread
         [f7eea636c3d505fe6f1d1066234f1aaf7171b681]

Pavel Shilovsky (2):
      CIFS: Fix use after free of file info structures
         [1a67c415965752879e2e9fad407bc44fc7f25f23]
      SMB3: Fix deadlock in validate negotiate hits reconnect
         [e99c63e4d86d3a94818693147b469fa70de6f945]

Peter Zijlstra (1):
      tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
         [952041a8639a7a3a73a2b6573cb8aa8518bc39f8]

Phong Tran (1):
      usb: wusbcore: fix unbalanced get/put cluster_id
         [f90bf1ece48a736097ea224430578fe586a9544c]

Qian Cai (1):
      asm-generic: fix -Wtype-limits compiler warnings
         [cbedfe11347fe418621bd188d58a206beb676218]

Qu Wenruo (1):
      btrfs: volumes: Cleanup stripe size calculation
         [793ff2c88c6397b3531c08cc4f920619b56a9def]

Ricardo Neri (1):
      ptrace,x86: Make user_64bit_mode() available to 32-bit builds
         [e27c310af5c05cf876d9cad006928076c27f54d4]

Robert Hodaszi (1):
      Revert "cfg80211: fix processing world regdomain when non modular"
         [0d31d4dbf38412f5b8b11b4511d07b840eebe8cb]

Ryan Kennedy (1):
      usb: pci-quirks: Correct AMD PLL quirk detection
         [f3dccdaade4118070a3a47bef6b18321431f9ac6]

Sean Christopherson (1):
      x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
         [b63f20a778c88b6a04458ed6ffc69da953d3a109]

Sebastian Mayr (1):
      uprobes/x86: Fix detection of 32-bit user mode
         [9212ec7d8357ea630031e89d0d399c761421c83b]

Stefan Haberland (1):
      s390/dasd: fix endless loop after read unit address configuration
         [41995342b40c418a47603e1321256d2c4a2ed0fb]

Stephane Grosjean (1):
      can: peak_usb: fix potential double kfree_skb()
         [fee6a8923ae0d318a7f7950c6c6c28a96cea099b]

Steve French (1):
      smb3: send CAP_DFS capability during session setup
         [8d33096a460d5b9bd13300f01615df5bb454db10]

Subash Abhinov Kasiviswanathan (1):
      net: Fix null de-reference of device refcount
         [10cc514f451a0f239aa34f91bc9dc954a9397840]

Sudarsana Reddy Kalluru (1):
      bnx2x: Disable multi-cos feature.
         [d1f0b5dce8fda09a7f5f04c1878f181d548e42f5]

Suzuki K Poulose (1):
      usb: yurex: Fix use-after-free in yurex_delete
         [fc05481b2fcabaaeccf63e32ac1baab54e5b6963]

Sven Eckelmann (1):
      batman-adv: Only read OGM tvlv_len after buffer len check
         [a15d56a60760aa9dbe26343b9a0ac5228f35d445]

Takashi Iwai (2):
      ALSA: hda - Fix potential endless loop at applying quirks
         [333f31436d3db19f4286f8862a00ea1d8d8420a1]
      ALSA: seq: Fix potential concurrent access to the deleted pool
         [75545304eba6a3d282f923b96a466dc25a81e359]

Thadeu Lima de Souza Cascardo (1):
      alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
         [f18ddc13af981ce3c7b7f26925f099e7c6929aba]

Tiwei Bie (1):
      vhost/test: fix build for vhost test
         [264b563b8675771834419057cbe076c1a41fb666]

Tomas Bortoli (1):
      can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
         [ead16e53c2f0ed946d82d4037c630e2f60f4ab69]

Tony Lindgren (1):
      USB: serial: option: Add Motorola modem UARTs
         [6caf0be40a707689e8ff8824fdb96ef77685b1ba]

Trond Myklebust (1):
      NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
         [c77e22834ae9a11891cb613bd9a551be1b94f2bc]

Ulf Hansson (1):
      mmc: core: Fix init of SD cards reporting an invalid VDD range
         [72741084d903e65e121c27bd29494d941729d4a1]

Vidya Sagar (1):
      PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30
         [7be142caabc4780b13a522c485abc806de5c4114]

Wenwen Wang (3):
      ALSA: firewire: fix a memory leak bug
         [1be3c1fae6c1e1f5bb982b255d2034034454527a]
      ALSA: hda - Fix a memory leak bug
         [cfef67f016e4c00a2f423256fc678a6967a9fc09]
      sound: fix a memory leak bug
         [c7cd7c748a3250ca33509f9235efab9c803aca09]

Will Deacon (1):
      arm64: compat: Allow single-byte watchpoints on all addresses
         [849adec41203ac5837c40c2d7e08490ffdef3c2c]

Xin Long (2):
      sctp: fix the transport error_count check
         [a1794de8b92ea6bc2037f445b296814ac826693e]
      sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
         [10eb56c582c557c629271f1ee31e15e7a9b2558b]

Yang Yingliang (1):
      tun: fix use-after-free when register netdev failed
         [77f22f92dff8e7b45c7786a430626d38071d4670]

Yoshiaki Okamoto (1):
      USB: serial: option: Add support for ZTE MF871A
         [7e7ae38bf928c5cfa6dd6e9a2cf8b42c84a27c92]

Yoshihiro Shimoda (1):
      usb: host: ohci: fix a race condition between shutdown and irq
         [a349b95d7ca0cea71be4a7dac29830703de7eb62]

Yunfeng Ye (1):
      genirq: Prevent NULL pointer dereference in resend_irqs()
         [eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a]

ZhangXiaoxu (2):
      dm btree: fix order of block initialization in btree_split_beneath
         [e4f9d6013820d1eba1432d51dd1c5795759aa77f]
      dm space map metadata: fix missing store of apply_bops() return value
         [ae148243d3f0816b37477106c05a2ec7d5f32614]

Zhenzhong Duan (1):
      x86/speculation/mds: Apply more accurate check on hypervisor platform
         [517c3ba00916383af6411aec99442c307c23f684]

 Makefile                                           |  4 +-
 arch/arm64/kernel/hw_breakpoint.c                  |  7 +--
 arch/sh/kernel/hw_breakpoint.c                     |  1 +
 arch/x86/include/asm/nospec-branch.h               |  2 +-
 arch/x86/include/asm/ptrace.h                      |  6 ++-
 arch/x86/include/asm/smp.h                         | 10 -----
 arch/x86/kernel/apic/apic.c                        | 25 ++++++-----
 arch/x86/kernel/apic/bigsmp_32.c                   | 24 +----------
 arch/x86/kernel/cpu/bugs.c                         |  4 +-
 arch/x86/kernel/sysfb_efi.c                        | 46 ++++++++++++++++++++
 arch/x86/kernel/uprobes.c                          | 17 +++++---
 arch/x86/kvm/vmx.c                                 |  7 ++-
 arch/x86/kvm/x86.c                                 |  7 +++
 drivers/ata/libata-zpodd.c                         |  2 +-
 drivers/char/hpet.c                                |  3 +-
 drivers/hwmon/nct6775.c                            |  3 +-
 drivers/md/dm-table.c                              |  5 ++-
 drivers/md/persistent-data/dm-btree.c              | 31 +++++++-------
 drivers/md/persistent-data/dm-space-map-metadata.c |  2 +-
 drivers/md/raid5.c                                 | 10 ++++-
 drivers/misc/vmw_vmci/vmci_doorbell.c              |  6 ++-
 drivers/mmc/card/queue.c                           |  5 +++
 drivers/mmc/core/sd.c                              |  6 +++
 drivers/net/can/usb/peak_usb/pcan_usb_core.c       |  8 ++--
 drivers/net/can/usb/peak_usb/pcan_usb_pro.c        |  2 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c    |  2 +-
 drivers/net/ethernet/seeq/sgiseeq.c                |  7 +--
 drivers/net/ethernet/toshiba/tc35815.c             |  2 +-
 drivers/net/tun.c                                  | 17 +++++---
 drivers/pci/host/pci-tegra.c                       |  7 ++-
 drivers/s390/block/dasd_alias.c                    | 22 +++++++---
 drivers/staging/comedi/drivers/dt3000.c            |  8 ++--
 drivers/tty/tty_ldsem.c                            |  5 +--
 drivers/usb/class/cdc-acm.c                        | 18 ++++----
 drivers/usb/class/cdc-wdm.c                        | 16 +++++--
 drivers/usb/core/file.c                            | 10 ++---
 drivers/usb/host/hwa-hc.c                          |  2 +-
 drivers/usb/host/ohci-hcd.c                        | 13 +++++-
 drivers/usb/host/pci-quirks.c                      | 31 ++++++++------
 drivers/usb/misc/yurex.c                           |  2 +-
 drivers/usb/serial/option.c                        |  6 +++
 drivers/usb/storage/realtek_cr.c                   | 15 ++++---
 drivers/usb/storage/unusual_devs.h                 |  2 +-
 drivers/vhost/test.c                               | 13 ++++--
 drivers/xen/swiotlb-xen.c                          |  4 +-
 fs/btrfs/volumes.c                                 | 22 +++++-----
 fs/cifs/file.c                                     | 33 ++++++--------
 fs/cifs/smb2pdu.c                                  |  7 ++-
 fs/exec.c                                          |  2 +-
 fs/nfs/nfs4_fs.h                                   |  3 +-
 fs/nfs/nfs4client.c                                |  5 ++-
 fs/nfs/nfs4state.c                                 | 27 +++++++++---
 include/asm-generic/getorder.h                     | 50 +++++++++-------------
 include/linux/sched.h                              |  4 +-
 include/sound/compress_driver.h                    |  5 +--
 kernel/fork.c                                      |  2 +-
 kernel/irq/resend.c                                |  2 +
 kernel/sched/fair.c                                | 37 +++++++++++++---
 kernel/time/alarmtimer.c                           |  8 ++--
 net/batman-adv/bat_iv_ogm.c                        | 18 +++++---
 net/bridge/br_multicast.c                          |  3 ++
 net/core/dev.c                                     |  4 ++
 net/ipv4/tcp_input.c                               |  2 +-
 net/ipv6/mcast.c                                   |  5 ++-
 net/ipv6/ping.c                                    |  2 +-
 net/netfilter/nf_conntrack_core.c                  | 16 +++----
 net/packet/af_packet.c                             |  7 +++
 net/sched/sch_codel.c                              |  3 +-
 net/sched/sch_hhf.c                                |  2 +-
 net/sctp/protocol.c                                |  2 +-
 net/sctp/sm_sideeffect.c                           |  4 +-
 net/wireless/reg.c                                 |  2 +-
 security/keys/request_key_auth.c                   |  6 +++
 security/selinux/ss/policydb.c                     |  6 ++-
 sound/core/compress_offload.c                      | 16 ++++---
 sound/core/seq/seq_clientmgr.c                     |  3 +-
 sound/core/seq/seq_fifo.c                          | 17 ++++++++
 sound/core/seq/seq_fifo.h                          |  2 +
 sound/firewire/packets-buffer.c                    |  2 +-
 sound/pci/hda/hda_auto_parser.c                    |  4 +-
 sound/pci/hda/hda_generic.c                        |  2 +-
 sound/sound_core.c                                 |  3 +-
 82 files changed, 497 insertions(+), 286 deletions(-)

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice - John Levine



* [PATCH 3.16 01/83] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
From: Ben Hutchings @ 2019-11-20 15:37 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Guenter Roeck, Björn Gerhart

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Björn Gerhart <gerhart@posteo.de>

commit f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf upstream.

Fixed address of third NCT6106_REG_WEIGHT_DUTY_STEP, and
added missed NCT6106_REG_TOLERANCE_H.

Fixes: 6c009501ff200 ("hwmon: (nct6775) Add support for NCT6102D/6106D")
Signed-off-by: Bjoern Gerhart <gerhart@posteo.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hwmon/nct6775.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/hwmon/nct6775.c
+++ b/drivers/hwmon/nct6775.c
@@ -598,7 +598,7 @@ static const u16 NCT6106_REG_TARGET[] =
 static const u16 NCT6106_REG_WEIGHT_TEMP_SEL[] = { 0x168, 0x178, 0x188 };
 static const u16 NCT6106_REG_WEIGHT_TEMP_STEP[] = { 0x169, 0x179, 0x189 };
 static const u16 NCT6106_REG_WEIGHT_TEMP_STEP_TOL[] = { 0x16a, 0x17a, 0x18a };
-static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x17c };
+static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x18b };
 static const u16 NCT6106_REG_WEIGHT_TEMP_BASE[] = { 0x16c, 0x17c, 0x18c };
 static const u16 NCT6106_REG_WEIGHT_DUTY_BASE[] = { 0x16d, 0x17d, 0x18d };
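Review bot: the replaced third entry, 0x17c, is the same address as the second entry of NCT6106_REG_WEIGHT_TEMP_BASE two lines below it, so before this fix a write to the third channel's weight duty step landed in the second channel's weight temp base register. The new value 0x18b follows the 0x16b/0x17b/0x18b per-channel stride that every neighbouring table uses; a short comment above these tables stating that stride would make a slipped digit like this one visible at review time.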
 
@@ -3339,6 +3339,7 @@ static int nct6775_probe(struct platform
 		data->REG_FAN_TIME[0] = NCT6106_REG_FAN_STOP_TIME;
 		data->REG_FAN_TIME[1] = NCT6106_REG_FAN_STEP_UP_TIME;
 		data->REG_FAN_TIME[2] = NCT6106_REG_FAN_STEP_DOWN_TIME;
+		data->REG_TOLERANCE_H = NCT6106_REG_TOLERANCE_H;
 		data->REG_PWM[0] = NCT6106_REG_PWM;
 		data->REG_PWM[1] = NCT6106_REG_FAN_START_OUTPUT;
 		data->REG_PWM[2] = NCT6106_REG_FAN_STOP_OUTPUT;
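Review bot: the new assignment relies on NCT6106_REG_TOLERANCE_H already being defined in the 3.16 tree; the diffstat shows only two insertions in this file (this line and the duty-step fix), so no definition is added here and the backport should be build-tested with the nct6775 module enabled. Without this line the NCT6106 branch left data->REG_TOLERANCE_H unset while filling every neighbouring REG_FAN_TIME and REG_PWM field in the same block, which is the "missed" register the commit message refers to.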



* [PATCH 3.16 02/83] x86/sysfb_efi: Add quirks for some devices with swapped width and height
From: Ben Hutchings @ 2019-11-20 15:37 UTC
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Hans de Goede, Thomas Gleixner

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit d02f1aa39189e0619c3525d5cd03254e61bf606a upstream.

Some Lenovo 2-in-1s with a detachable keyboard have a portrait screen but
advertise a landscape resolution and pitch, resulting in a messed up
display if the kernel tries to show anything on the efifb (because of the
wrong pitch).

Fix this by adding a new DMI match table for devices which need to have
their width and height swapped.

At first it was tried to use the existing table for overriding some of the
efifb parameters, but some of the affected devices have variants with
different LCD resolutions which will not work with hardcoded override
values.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1730783
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190721152418.11644-1-hdegoede@redhat.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/sysfb_efi.c | 46 +++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

--- a/arch/x86/kernel/sysfb_efi.c
+++ b/arch/x86/kernel/sysfb_efi.c
@@ -216,9 +216,55 @@ static const struct dmi_system_id efifb_
 	{},
 };
 
+/*
+ * Some devices have a portrait LCD but advertise a landscape resolution (and
+ * pitch). We simply swap width and height for these devices so that we can
+ * correctly deal with some of them coming with multiple resolutions.
+ */
+static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
+	{
+		/*
+		 * Lenovo MIIX310-10ICR, only some batches have the troublesome
+		 * 800x1280 portrait screen. Luckily the portrait version has
+		 * its own BIOS version, so we match on that.
+		 */
+		.matches = {
+			DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "MIIX 310-10ICR"),
+			DMI_EXACT_MATCH(DMI_BIOS_VERSION, "1HCN44WW"),
+		},
+	},
+	{
+		/* Lenovo MIIX 320-10ICR with 800x1280 portrait screen */
+		.matches = {
+			DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
+					"Lenovo MIIX 320-10ICR"),
+		},
+	},
+	{
+		/* Lenovo D330 with 800x1280 or 1200x1920 portrait screen */
+		.matches = {
+			DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
+					"Lenovo ideapad D330-10IGM"),
+		},
+	},
+	{},
+};
+
 __init void sysfb_apply_efi_quirks(void)
 {
 	if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI ||
 	    !(screen_info.capabilities & VIDEO_CAPABILITY_SKIP_QUIRKS))
 		dmi_check_system(efifb_dmi_system_table);
+
+	if (screen_info.orig_video_isVGA == VIDEO_TYPE_EFI &&
+	    dmi_check_system(efifb_dmi_swap_width_height)) {
+		u16 temp = screen_info.lfb_width;
+
+		screen_info.lfb_width = screen_info.lfb_height;
+		screen_info.lfb_height = temp;
+		screen_info.lfb_linelength = 4 * screen_info.lfb_width;
+	}
 }
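Review bot: in sysfb_apply_efi_quirks the new swap block recomputes the pitch as 4 * screen_info.lfb_width, which silently assumes a 32 bpp framebuffer; the existing screen_info.lfb_depth field should drive that multiplier (lfb_depth / 8), or the assumption should at least be stated in a comment, since a device with a 16 bpp EFI framebuffer would otherwise get a wrong line length after the swap. The new block also does not honour VIDEO_CAPABILITY_SKIP_QUIRKS the way the dmi_check_system() call just above it does; if that asymmetry is intentional it deserves a comment. A minor point on the table: the DMI_BIOS_VERSION match "1HCN44WW" for the MIIX 310 stops matching after a firmware update, which the in-code comment already acknowledges, so a bug report from an updated unit should be expected.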



* [PATCH 3.16 03/83] mmc: mmc_spi: Enable stable writes
From: Ben Hutchings @ 2019-11-20 15:37 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, ShihPo Hung, Ulf Hansson, Paul Walmsley,
	Andreas Koop

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Koop <andreas.koop@zf.com>

commit 3a6ffb3c8c3274a39dc8f2514526e645c5d21753 upstream.

While using the mmc_spi driver occasionally errors like this popped up:

mmcblk0: error -84 transferring data end_request: I/O error, dev mmcblk0, sector 581756

I looked on the Internet for occurrences of the same problem and came
across a helpful post [1]. It includes source code to reproduce the bug.
There is also an analysis about the cause. During transmission data in the
supplied buffer is being modified. Thus the previously calculated checksum
is not correct anymore.

After some digging I found out that device drivers are supposed to report
they need stable writes. To fix this I set the appropriate flag at queue
initialization if CRC checksumming is enabled for that SPI host.

[1]
https://groups.google.com/forum/#!msg/sim1/gLlzWeXGFr8/KevXinUXfc8J

Signed-off-by: Andreas Koop <andreas.koop@zf.com>
[shihpo: Rebase on top of v5.3-rc1]
Signed-off-by: ShihPo Hung <shihpo.hung@sifive.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16:
 - request_queue::backing_dev_info is a struct not a pointer
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/card/queue.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/mmc/card/queue.c
+++ b/drivers/mmc/card/queue.c
@@ -16,6 +16,7 @@
 #include <linux/kthread.h>
 #include <linux/scatterlist.h>
 #include <linux/dma-mapping.h>
+#include <linux/backing-dev.h>
 
 #include <linux/mmc/card.h>
 #include <linux/mmc/host.h>
@@ -204,6 +205,10 @@ int mmc_init_queue(struct mmc_queue *mq,
 	if (!mq->queue)
 		return -ENOMEM;
 
+	if (mmc_host_is_spi(host) && host->use_spi_crc)
+		mq->queue->backing_dev_info.capabilities |=
+			BDI_CAP_STABLE_WRITES;
+
 	mq->mqrq_cur = mqrq_cur;
 	mq->mqrq_prev = mqrq_prev;
 	mq->queue->queuedata = mq;
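Review bot: the BDI_CAP_STABLE_WRITES decision is taken once here from host->use_spi_crc; if that setting can change after the queue has been created (the hunk does not show how it is initialised) the capability would go stale, so either document that it is fixed for the host's lifetime or note the dependency in a comment beside this check. It would also help readers of the commit message to spell out that -84 is EILSEQ, the error returned when the data CRC computed before the transfer no longer matches page contents that were modified mid-transfer, which is exactly the window stable writes close.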



* [PATCH 3.16 04/83] ALSA: compress: Fix regression on compressed capture streams
From: Ben Hutchings @ 2019-11-20 15:37 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Charles Keepax, Takashi Iwai, Vinod Koul

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Charles Keepax <ckeepax@opensource.cirrus.com>

commit 4475f8c4ab7b248991a60d9c02808dbb813d6be8 upstream.

A previous fix to the stop handling on compressed capture streams causes
some knock on issues. The previous fix updated snd_compr_drain_notify to
set the state back to PREPARED for capture streams. This causes some
issues however as the handling for snd_compr_poll differs between the
two states and some user-space applications were relying on the poll
failing after the stream had been stopped.

To correct this regression whilst still fixing the original problem the
patch was addressing, update the capture handling to skip the PREPARED
state rather than skipping the SETUP state as it has done until now.

Fixes: 4f2ab5e1d13d ("ALSA: compress: Fix stop handling on compressed capture streams")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/sound/compress_driver.h |  5 +----
 sound/core/compress_offload.c   | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 9 deletions(-)

--- a/include/sound/compress_driver.h
+++ b/include/sound/compress_driver.h
@@ -176,10 +176,7 @@ static inline void snd_compr_drain_notif
 	if (snd_BUG_ON(!stream))
 		return;
 
-	if (stream->direction == SND_COMPRESS_PLAYBACK)
-		stream->runtime->state = SNDRV_PCM_STATE_SETUP;
-	else
-		stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
+	stream->runtime->state = SNDRV_PCM_STATE_SETUP;
 
 	wake_up(&stream->runtime->sleep);
 }
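Review bot: snd_compr_drain_notify now leaves both directions in SNDRV_PCM_STATE_SETUP, dropping the capture-specific PREPARED state introduced by the commit named in the Fixes: tag; since this is an inline helper in a public header, any out-of-tree or separately backported driver that expected PREPARED after a capture drain will see the snd_compr_poll behaviour change the commit message describes, which is worth a sentence in the backport notes.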
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -549,10 +549,7 @@ snd_compr_set_params(struct snd_compr_st
 		stream->metadata_set = false;
 		stream->next_track = false;
 
-		if (stream->direction == SND_COMPRESS_PLAYBACK)
-			stream->runtime->state = SNDRV_PCM_STATE_SETUP;
-		else
-			stream->runtime->state = SNDRV_PCM_STATE_PREPARED;
+		stream->runtime->state = SNDRV_PCM_STATE_SETUP;
 	} else {
 		return -EPERM;
 	}
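Review bot: this is the same playback/capture collapse as in compress_driver.h; with set_params now leaving capture streams in SETUP as well, the SETUP case added to snd_compr_start below is the only path by which a capture stream can be started at all, so these hunks must land together (they do here, but a backport that picks only one of them would leave capture unstartable).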
@@ -668,8 +665,17 @@ static int snd_compr_start(struct snd_co
 {
 	int retval;
 
-	if (stream->runtime->state != SNDRV_PCM_STATE_PREPARED)
+	switch (stream->runtime->state) {
+	case SNDRV_PCM_STATE_SETUP:
+		if (stream->direction != SND_COMPRESS_CAPTURE)
+			return -EPERM;
+		break;
+	case SNDRV_PCM_STATE_PREPARED:
+		break;
+	default:
 		return -EPERM;
+	}
+
 	retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_START);
 	if (!retval)
 		stream->runtime->state = SNDRV_PCM_STATE_RUNNING;
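Review bot: the switch returns -EPERM for a playback stream in SETUP, which preserves the old behaviour for playback, but the reason capture alone may start from SETUP is only recoverable from the commit log; a one-line comment above `case SNDRV_PCM_STATE_SETUP:` stating that capture streams skip PREPARED would save the next reader that trip. The `default:` arm rejects RUNNING and later states exactly as the old single comparison did, so no behaviour changes there.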



* [PATCH 3.16 05/83] can: peak_usb: fix potential double kfree_skb()
From: Ben Hutchings @ 2019-11-20 15:37 UTC
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Stephane Grosjean, Marc Kleine-Budde

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephane Grosjean <s.grosjean@peak-system.com>

commit fee6a8923ae0d318a7f7950c6c6c28a96cea099b upstream.

When closing the CAN device while tx skbs are inflight, echo skb could
be released twice. By calling close_candev() before unlinking all
pending tx urbs, the internal echo_skb[] array is fully and
correctly cleared before the USB write callback and, therefore,
can_get_echo_skb() are called for each aborted URB.

Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/peak_usb/pcan_usb_core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
@@ -572,16 +572,16 @@ static int peak_usb_ndo_stop(struct net_
 	dev->state &= ~PCAN_USB_STATE_STARTED;
 	netif_stop_queue(netdev);
 
+	close_candev(netdev);
+
+	dev->can.state = CAN_STATE_STOPPED;
+
 	/* unlink all pending urbs and free used memory */
 	peak_usb_unlink_all_urbs(dev);
 
 	if (dev->adapter->dev_stop)
 		dev->adapter->dev_stop(dev);
 
-	close_candev(netdev);
-
-	dev->can.state = CAN_STATE_STOPPED;
-
 	/* can set bus off now */
 	if (dev->adapter->dev_set_bus) {
 		int err = dev->adapter->dev_set_bus(dev, 0);
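Review bot: moving close_candev() and the CAN_STATE_STOPPED assignment ahead of peak_usb_unlink_all_urbs() means dev->adapter->dev_stop() and dev_set_bus() now run with dev->can.state already STOPPED; if either adapter callback inspects can.state the new ordering changes what it sees, so that should be confirmed for every adapter this core serves. The ordering itself is the fix: the write-completion callback of each aborted URB now calls can_get_echo_skb() against an already-cleared echo_skb[] and so cannot free an skb a second time; a comment above close_candev() saying it must precede the unlink would keep a future cleanup from swapping them back.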



* [PATCH 3.16 06/83] usb: pci-quirks: Correct AMD PLL quirk detection
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Ryan Kennedy, Alan Stern

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ryan Kennedy <ryan5544@gmail.com>

commit f3dccdaade4118070a3a47bef6b18321431f9ac6 upstream.

The AMD PLL USB quirk is incorrectly enabled on newer Ryzen
chipsets. The logic in usb_amd_find_chipset_info currently checks
for unaffected chipsets rather than affected ones. This broke
once a new chipset was added in e788787ef. It makes more sense
to reverse the logic so it won't need to be updated as new
chipsets are added. Note that the core of the workaround in
usb_amd_quirk_pll does correctly check the chipset.

Signed-off-by: Ryan Kennedy <ryan5544@gmail.com>
Fixes: e788787ef4f9 ("usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20190704153529.9429-2-ryan5544@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/pci-quirks.c | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

--- a/drivers/usb/host/pci-quirks.c
+++ b/drivers/usb/host/pci-quirks.c
@@ -188,7 +188,7 @@ int usb_amd_find_chipset_info(void)
 {
 	unsigned long flags;
 	struct amd_chipset_info info;
-	int ret;
+	int need_pll_quirk = 0;
 
 	spin_lock_irqsave(&amd_lock, flags);
 
@@ -202,21 +202,28 @@ int usb_amd_find_chipset_info(void)
 	spin_unlock_irqrestore(&amd_lock, flags);
 
 	if (!amd_chipset_sb_type_init(&info)) {
-		ret = 0;
 		goto commit;
 	}
 
-	/* Below chipset generations needn't enable AMD PLL quirk */
-	if (info.sb_type.gen == AMD_CHIPSET_UNKNOWN ||
-			info.sb_type.gen == AMD_CHIPSET_SB600 ||
-			info.sb_type.gen == AMD_CHIPSET_YANGTZE ||
-			(info.sb_type.gen == AMD_CHIPSET_SB700 &&
-			info.sb_type.rev > 0x3b)) {
+	switch (info.sb_type.gen) {
+	case AMD_CHIPSET_SB700:
+		need_pll_quirk = info.sb_type.rev <= 0x3B;
+		break;
+	case AMD_CHIPSET_SB800:
+	case AMD_CHIPSET_HUDSON2:
+	case AMD_CHIPSET_BOLTON:
+		need_pll_quirk = 1;
+		break;
+	default:
+		need_pll_quirk = 0;
+		break;
+	}
+
+	if (!need_pll_quirk) {
 		if (info.smbus_dev) {
 			pci_dev_put(info.smbus_dev);
 			info.smbus_dev = NULL;
 		}
-		ret = 0;
 		goto commit;
 	}
 
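Review bot: in the `if (!amd_chipset_sb_type_init(&info))` block only `goto commit;` remains, so the braces should go (checkpatch: braces are not necessary for single statement blocks). The `default: need_pll_quirk = 0;` arm repeats the initializer from the declaration; harmless, but keep one or the other. The SB700 literal also changed case from 0x3b to 0x3B; either is fine, just match the rest of the file.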
@@ -235,7 +242,7 @@ int usb_amd_find_chipset_info(void)
 		}
 	}
 
-	ret = info.probe_result = 1;
+	need_pll_quirk = info.probe_result = 1;
 	printk(KERN_DEBUG "QUIRK: Enable AMD PLL fix\n");
 
 commit:
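Review bot: `need_pll_quirk = info.probe_result = 1;` is a chained assignment that re-sets a variable already non-zero on every path reaching this line (the `if (!need_pll_quirk) goto commit;` above filters the rest, and the SB700 arm yields 1 when it passes); `info.probe_result = 1;` alone is clearer and avoids the chained-assignment style checkpatch flags.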
@@ -246,7 +253,7 @@ commit:
 
 		/* Mark that we where here */
 		amd_chipset.probe_count++;
-		ret = amd_chipset.probe_result;
+		need_pll_quirk = amd_chipset.probe_result;
 
 		spin_unlock_irqrestore(&amd_lock, flags);
 
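Review bot: here the name stops meaning what it says: `need_pll_quirk = amd_chipset.probe_result;` turns the variable into the cached result of an earlier probe, i.e. the function's return value, which is exactly what `ret` expressed before. Keeping `ret` for the return value and using `need_pll_quirk` only for the switch outcome would read better and shrink the diff.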
@@ -262,7 +269,7 @@ commit:
 		spin_unlock_irqrestore(&amd_lock, flags);
 	}
 
-	return ret;
+	return need_pll_quirk;
 }
 EXPORT_SYMBOL_GPL(usb_amd_find_chipset_info);
 


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 07/83] usb: wusbcore: fix unbalanced get/put cluster_id
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 06/83] usb: pci-quirks: Correct AMD PLL quirk detection Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 08/83] x86/speculation/mds: Apply more accurate check on hypervisor platform Ben Hutchings
                   ` (76 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+fd2bd7df88c606eea4ef, Phong Tran,
	Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Phong Tran <tranmanphong@gmail.com>

commit f90bf1ece48a736097ea224430578fe586a9544c upstream.

syzbot reported that
https://syzkaller.appspot.com/bug?extid=fd2bd7df88c606eea4ef

There is no consistency in the parameters of the cluster_id_get/put calls.
In case getting the id results in failure, the wusbhc->cluster_id
will not be updated and this cannot be used for wusb_cluster_id_put().

Tested report
https://groups.google.com/d/msg/syzkaller-bugs/0znZopp3-9k/oxOrhLkLEgAJ

Reproducing under gdb gave the details:

139		addr = wusb_cluster_id_get();
(gdb) n
140		if (addr == 0)
(gdb) print addr
$1 = 254 '\376'
(gdb) n
142		result = __hwahc_set_cluster_id(hwahc, addr);
(gdb) print result
$2 = -71
(gdb) break wusb_cluster_id_put
Breakpoint 3 at 0xffffffff836e3f20: file drivers/usb/wusbcore/wusbhc.c, line 384.
(gdb) s
Thread 2 hit Breakpoint 3, wusb_cluster_id_put (id=0 '\000') at drivers/usb/wusbcore/wusbhc.c:384
384		id = 0xff - id;
(gdb) n
385		BUG_ON(id >= CLUSTER_IDS);
(gdb) print id
$3 = 255 '\377'

Reported-by: syzbot+fd2bd7df88c606eea4ef@syzkaller.appspotmail.com
Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Link: https://lore.kernel.org/r/20190724020601.15257-1-tranmanphong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/hwa-hc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/hwa-hc.c
+++ b/drivers/usb/host/hwa-hc.c
@@ -173,7 +173,7 @@ out:
 	return result;
 
 error_set_cluster_id:
-	wusb_cluster_id_put(wusbhc->cluster_id);
+	wusb_cluster_id_put(addr);
 error_cluster_id_get:
 	goto out;
 
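Review bot: `wusb_cluster_id_put(addr)` is right only because this label is reached solely when __hwahc_set_cluster_id() failed after wusb_cluster_id_get() succeeded, so `addr` (not `wusbhc->cluster_id`, which still holds the old value, 0 in the gdb trace) is the id to release; a one-line comment at the label stating that pairing would make it obvious. The BUG_ON(id >= CLUSTER_IDS) in wusb_cluster_id_put() remains reachable for any other caller that passes an unset id; outside this hunk, but worth a follow-up.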


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 08/83] x86/speculation/mds: Apply more accurate check on hypervisor platform
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 07/83] usb: wusbcore: fix unbalanced get/put cluster_id Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 09/83] hpet: Fix division by zero in hpet_time_div() Ben Hutchings
                   ` (75 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Zhenzhong Duan, Thomas Gleixner

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenzhong Duan <zhenzhong.duan@oracle.com>

commit 517c3ba00916383af6411aec99442c307c23f684 upstream.

X86_HYPER_NATIVE isn't accurate for checking if running on native platform,
e.g. CONFIG_HYPERVISOR_GUEST isn't set or "nopv" is enabled.

Checking the CPU feature bit X86_FEATURE_HYPERVISOR to determine if it's
running on native platform is more accurate.

This still doesn't cover the platforms on which X86_FEATURE_HYPERVISOR is
unsupported, e.g. VMware, but there is nothing which can be done about this
scenario.

Fixes: 8a4b06d391b0 ("x86/speculation/mds: Add sysfs reporting for MDS")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/1564022349-17338-1-git-send-email-zhenzhong.duan@oracle.com
[bwh: Backported to 3.16: The old hypervisor check looked a bit different
 here.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1349,12 +1349,10 @@ static ssize_t itlb_multihit_show_state(
 
 static ssize_t mds_show_state(char *buf)
 {
-#ifdef CONFIG_HYPERVISOR_GUEST
-	if (x86_hyper) {
+	if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) {
 		return sprintf(buf, "%s; SMT Host state unknown\n",
 			       mds_strings[mds_mitigation]);
 	}
-#endif
 
 	if (boot_cpu_has(X86_BUG_MSBDS_ONLY)) {
 		return sprintf(buf, "%s; SMT %s\n", mds_strings[mds_mitigation],
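Review bot: dropping the #ifdef CONFIG_HYPERVISOR_GUEST is the point, not a side effect: the CPUID hypervisor bit is set by the hypervisor regardless of kernel configuration, so the check has to be unconditional to match the changelog; the backport note only says the old check "looked a bit different", and one sentence stating this would help the next reader. As the changelog says, hypervisors that do not set the bit (VMware is named) still fall through to the native reporting below, so that caveat remains.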


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 09/83] hpet: Fix division by zero in hpet_time_div()
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 08/83] x86/speculation/mds: Apply more accurate check on hypervisor platform Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 10/83] sched/fair: Don't free p->numa_faults with concurrent readers Ben Hutchings
                   ` (74 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kefeng Wang, Zhang HongJun, Arnd Bergmann,
	Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kefeng Wang <wangkefeng.wang@huawei.com>

commit 0c7d37f4d9b8446956e97b7c5e61173cdb7c8522 upstream.

The base value in do_div() called by hpet_time_div() is truncated from
unsigned long to uint32_t, resulting in a divide-by-zero exception.

UBSAN: Undefined behaviour in ../drivers/char/hpet.c:572:2
division by zero
CPU: 1 PID: 23682 Comm: syz-executor.3 Not tainted 4.4.184.x86_64+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 0000000000000000 b573382df1853d00 ffff8800a3287b98 ffffffff81ad7561
 ffff8800a3287c00 ffffffff838b35b0 ffffffff838b3860 ffff8800a3287c20
 0000000000000000 ffff8800a3287bb0 ffffffff81b8f25e ffffffff838b35a0
Call Trace:
 [<ffffffff81ad7561>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81ad7561>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81b8f25e>] ubsan_epilogue+0x12/0x8d lib/ubsan.c:166
 [<ffffffff81b900cb>] __ubsan_handle_divrem_overflow+0x282/0x2c8 lib/ubsan.c:262
 [<ffffffff823560dd>] hpet_time_div drivers/char/hpet.c:572 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common drivers/char/hpet.c:663 [inline]
 [<ffffffff823560dd>] hpet_ioctl_common.cold+0xa8/0xad drivers/char/hpet.c:577
 [<ffffffff81e63d56>] hpet_ioctl+0xc6/0x180 drivers/char/hpet.c:676
 [<ffffffff81711590>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff81711590>] file_ioctl fs/ioctl.c:470 [inline]
 [<ffffffff81711590>] do_vfs_ioctl+0x6e0/0xf70 fs/ioctl.c:605
 [<ffffffff81711eb4>] SYSC_ioctl fs/ioctl.c:622 [inline]
 [<ffffffff81711eb4>] SyS_ioctl+0x94/0xc0 fs/ioctl.c:613
 [<ffffffff82846003>] tracesys_phase2+0x90/0x95

The main C reproducer autogenerated by syzkaller,

  syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
  memcpy((void*)0x20000100, "/dev/hpet\000", 10);
  syscall(__NR_openat, 0xffffffffffffff9c, 0x20000100, 0, 0);
  syscall(__NR_ioctl, r[0], 0x40086806, 0x40000000000000);

Fix it by using div64_ul().

Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Zhang HongJun <zhanghongjun2@huawei.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20190711132757.130092-1-wangkefeng.wang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/hpet.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/char/hpet.c
+++ b/drivers/char/hpet.c
@@ -570,8 +570,7 @@ static inline unsigned long hpet_time_di
 	unsigned long long m;
 
 	m = hpets->hp_tick_freq + (dis >> 1);
-	do_div(m, dis);
-	return (unsigned long)m;
+	return div64_ul(m, dis);
 }
 
 static int
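Review bot: div64_ul() fixes the truncation but still divides by `dis` as given; a zero divisor is not handled in this function, so the fix relies on the HPET_IRQFREQ ioctl path rejecting a zero frequency before calling hpet_time_div(), which is outside this hunk and worth confirming in the 3.16 tree. The dropped `(unsigned long)` cast was the only hint that the u64 result narrows to the return type on 32-bit; harmless, but a word in the changelog would not hurt.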


^ permalink raw reply	[flat|nested] 88+ messages in thread
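
The truncation the changelog describes, as an added worked example (not part of the patch or of drivers/char/hpet.c): do_div() on x86 takes its divisor as a 32-bit value, so a divisor whose low 32 bits are zero, such as the reproducer's 0x40000000000000, becomes 0, while a divisor such as 0x100000001 becomes 1 and yields a wildly wrong quotient instead of a trap. The example models that with a cast; the 14.318 MHz tick frequency is an assumption for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for hpets->hp_tick_freq.  14.318 MHz is a common
 * HPET rate but it is an assumption made for this example only.
 */
#define HP_TICK_FREQ 14318180ULL

/*
 * On x86 the kernel's do_div(n, base) macro takes 'base' as a 32-bit
 * value; a wider divisor simply loses its upper bits.  This models that.
 */
static uint32_t do_div_base(uint64_t dis)
{
	return (uint32_t)dis;
}

/* True when the pre-fix code would execute a division by zero for 'dis'. */
bool old_hpet_time_div_traps(uint64_t dis)
{
	return dis != 0 && do_div_base(dis) == 0;
}

/*
 * Quotient the pre-fix arithmetic produces (m / truncated divisor).
 * Returns 0 where the real code would have taken the #DE exception.
 */
uint64_t old_hpet_time_div_quotient(uint64_t dis)
{
	uint64_t m = HP_TICK_FREQ + (dis >> 1);
	uint32_t base = do_div_base(dis);

	return base ? m / base : 0;
}

/* Post-fix arithmetic: div64_ul() divides by the full-width divisor. */
uint64_t new_hpet_time_div(uint64_t dis)
{
	uint64_t m = HP_TICK_FREQ + (dis >> 1);

	return m / dis;
}

int main(void)
{
	/* The syzkaller reproducer's ioctl argument: 1 << 54, low 32 bits all zero. */
	const uint64_t syz_arg = 0x40000000000000ULL;
	/* Constructed: low 32 bits are 1, so no trap, but the quotient is wrong. */
	const uint64_t high_bits_set = 0x100000001ULL;
	const uint64_t inputs[] = { 1000, syz_arg, high_bits_set };

	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		uint64_t dis = inputs[i];

		printf("dis=0x%llx truncated_base=%u old=%s%llu new=%llu\n",
		       (unsigned long long)dis, (unsigned)do_div_base(dis),
		       old_hpet_time_div_traps(dis) ? "#DE " : "",
		       (unsigned long long)old_hpet_time_div_quotient(dis),
		       (unsigned long long)new_hpet_time_div(dis));
	}
	return 0;
}
```

For the 1000 Hz case both paths agree; for the reproducer's value the old path traps and the new path returns 0, and for 0x100000001 the old path silently returns a quotient about 2^31 too large. Neither version guards a zero divisor, which is the caller's job.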

* [PATCH 3.16 10/83] sched/fair: Don't free p->numa_faults with concurrent readers
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 09/83] hpet: Fix division by zero in hpet_time_div() Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 11/83] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Ben Hutchings
                   ` (73 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Peter Zijlstra (Intel),
	Will Deacon, Petr Mladek, Jann Horn, Ingo Molnar,
	Sergey Senozhatsky, Thomas Gleixner, Linus Torvalds

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 16d51a590a8ce3befb1308e0e7ab77f3b661af33 upstream.

When going through execve(), zero out the NUMA fault statistics instead of
freeing them.

During execve, the task is reachable through procfs and the scheduler. A
concurrent /proc/*/sched reader can read data from a freed ->numa_faults
allocation (confirmed by KASAN) and write it back to userspace.
I believe that it would also be possible for a use-after-free read to occur
through a race between a NUMA fault and execve(): task_numa_fault() can
lead to task_numa_compare(), which invokes task_weight() on the currently
running task of a different CPU.

Another way to fix this would be to make ->numa_faults RCU-managed or add
extra locking, but it seems easier to wipe the NUMA fault statistics on
execve.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Fixes: 82727018b0d3 ("sched/numa: Call task_numa_free() from do_execve()")
Link: https://lkml.kernel.org/r/20190716152047.14424-1-jannh@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1589,7 +1589,7 @@ static int do_execve_common(struct filen
 	current->fs->in_exec = 0;
 	current->in_execve = 0;
 	acct_update_integrals(current);
-	task_numa_free(current);
+	task_numa_free(current, false);
 	free_bprm(bprm);
 	putname(filename);
 	if (displaced)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1671,7 +1671,7 @@ struct task_struct {
 extern void task_numa_fault(int last_node, int node, int pages, int flags);
 extern pid_t task_numa_group_id(struct task_struct *p);
 extern void set_numabalancing_state(bool enabled);
-extern void task_numa_free(struct task_struct *p);
+extern void task_numa_free(struct task_struct *p, bool final);
 extern bool should_numa_migrate_memory(struct task_struct *p, struct page *page,
 					int src_nid, int dst_cpu);
 #else
@@ -1686,7 +1686,7 @@ static inline pid_t task_numa_group_id(s
 static inline void set_numabalancing_state(bool enabled)
 {
 }
-static inline void task_numa_free(struct task_struct *p)
+static inline void task_numa_free(struct task_struct *p, bool final)
 {
 }
 static inline bool should_numa_migrate_memory(struct task_struct *p,
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -242,7 +242,7 @@ void __put_task_struct(struct task_struc
 	WARN_ON(atomic_read(&tsk->usage));
 	WARN_ON(tsk == current);
 
-	task_numa_free(tsk);
+	task_numa_free(tsk, true);
 	security_task_free(tsk);
 	exit_creds(tsk);
 	delayacct_tsk_free(tsk);
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -1747,13 +1747,23 @@ no_join:
 	return;
 }
 
-void task_numa_free(struct task_struct *p)
+/*
+ * Get rid of NUMA staticstics associated with a task (either current or dead).
+ * If @final is set, the task is dead and has reached refcount zero, so we can
+ * safely free all relevant data structures. Otherwise, there might be
+ * concurrent reads from places like load balancing and procfs, and we should
+ * reset the data back to default state without freeing ->numa_faults.
+ */
+void task_numa_free(struct task_struct *p, bool final)
 {
 	struct numa_group *grp = p->numa_group;
-	void *numa_faults = p->numa_faults_memory;
+	unsigned long *numa_faults = p->numa_faults_memory;
 	unsigned long flags;
 	int i;
 
+	if (!numa_faults)
+		return;
+
 	if (grp) {
 		spin_lock_irqsave(&grp->lock, flags);
 		for (i = 0; i < NR_NUMA_HINT_FAULT_STATS * nr_node_ids; i++)
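Review bot: the new `if (!numa_faults) return;` also skips the `if (grp) { ... put_numa_group(grp); }` block below it, so it assumes p->numa_group is never set while p->numa_faults_memory is NULL; that invariant should be stated in the new comment, which otherwise reads as if the early return only protects the kfree. Also, `staticstics` in the comment.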
@@ -1767,11 +1777,17 @@ void task_numa_free(struct task_struct *
 		put_numa_group(grp);
 	}
 
-	p->numa_faults_memory = NULL;
-	p->numa_faults_buffer_memory = NULL;
-	p->numa_faults_cpu= NULL;
-	p->numa_faults_buffer_cpu = NULL;
-	kfree(numa_faults);
+	if (final) {
+		p->numa_faults_memory = NULL;
+		p->numa_faults_buffer_memory = NULL;
+		p->numa_faults_cpu = NULL;
+		p->numa_faults_buffer_cpu = NULL;
+		kfree(numa_faults);
+	} else {
+		p->total_numa_faults = 0;
+		for (i = 0; i < NR_NUMA_HINT_FAULT_STATS * nr_node_ids; i++)
+			numa_faults[i] = 0;
+	}
 }
 
 /*
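Review bot: in the `!final` branch the reset loop covers NR_NUMA_HINT_FAULT_STATS * nr_node_ids entries only, while the `final` branch shows that numa_faults_buffer_memory and numa_faults_buffer_cpu live in the same single allocation (one kfree, four pointers cleared); the buffer halves therefore keep their pre-exec contents. If that is intended, say so in the comment. The stores also happen without grp->lock or any other serialisation against the concurrent readers the changelog describes, which is acceptable for plain word stores whose only purpose is to avoid the use-after-free, but a note would help.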


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 11/83] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 10/83] sched/fair: Don't free p->numa_faults with concurrent readers Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 12/83] bnx2x: Disable multi-cos feature Ben Hutchings
                   ` (72 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Peter Zijlstra, Will Deacon, Ingo Molnar,
	Peter Hurley, Linus Torvalds, Thomas Gleixner

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 952041a8639a7a3a73a2b6573cb8aa8518bc39f8 upstream.

While reviewing rwsem down_slowpath, Will noticed ldsem had a copy of
a bug we just found for rwsem.

  X = 0;

  CPU0			CPU1

  rwsem_down_read()
    for (;;) {
      set_current_state(TASK_UNINTERRUPTIBLE);

                        X = 1;
                        rwsem_up_write();
                          rwsem_mark_wake()
                            atomic_long_add(adjustment, &sem->count);
                            smp_store_release(&waiter->task, NULL);

      if (!waiter.task)
        break;

      ...
    }

  r = X;

Allows 'r == 0'.

Reported-by: Will Deacon <will@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Hurley <peter@hurleysoftware.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 4898e640caf0 ("tty: Add timed, writer-prioritized rw semaphore")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/tty_ldsem.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/tty/tty_ldsem.c
+++ b/drivers/tty/tty_ldsem.c
@@ -137,8 +137,7 @@ static void __ldsem_wake_readers(struct
 
 	list_for_each_entry_safe(waiter, next, &sem->read_wait, list) {
 		tsk = waiter->task;
-		smp_mb();
-		waiter->task = NULL;
+		smp_store_release(&waiter->task, NULL);
 		wake_up_process(tsk);
 		put_task_struct(tsk);
 	}
@@ -234,7 +233,7 @@ down_read_failed(struct ld_semaphore *se
 	for (;;) {
 		set_task_state(tsk, TASK_UNINTERRUPTIBLE);
 
-		if (!waiter.task)
+		if (!smp_load_acquire(&waiter.task))
 			break;
 		if (!timeout)
 			break;
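Review bot: the smp_load_acquire() is the counterpart of the smp_store_release() added in __ldsem_wake_readers(); kernel convention is to say so at both sites, e.g. `/* pairs with smp_store_release() in __ldsem_wake_readers() */`, so whoever next touches either side sees the dependency.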


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 12/83] bnx2x: Disable multi-cos feature.
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 11/83] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 13/83] arm64: compat: Allow single-byte watchpoints on all addresses Ben Hutchings
                   ` (71 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Manish Chopra, Sudarsana Reddy Kalluru,
	David S. Miller

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sudarsana Reddy Kalluru <skalluru@marvell.com>

commit d1f0b5dce8fda09a7f5f04c1878f181d548e42f5 upstream.

Commit 3968d38917eb ("bnx2x: Fix Multi-Cos."), which enabled the multi-cos
feature after a prolonged time in the driver, added some regressions causing
numerous issues (sudden reboots, tx timeouts etc.) reported by customers.
We plan to back out this commit and submit a proper fix once we have the root
cause of the issues reported with this feature enabled.

Fixes: 3968d38917eb ("bnx2x: Fix Multi-Cos.")
Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -1914,7 +1914,7 @@ u16 bnx2x_select_queue(struct net_device
 	}
 
 	/* select a non-FCoE queue */
-	return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
+	return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp));
 }
 
 void bnx2x_set_num_queues(struct bnx2x *bp)
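Review bot: with `* bp->max_cos` gone, the parentheses around BNX2X_NUM_ETH_QUEUES(bp) are redundant; `fallback(dev, skb) % BNX2X_NUM_ETH_QUEUES(bp)` reads cleaner, though keeping the line identical to the pre-3968d38917eb text makes the revert intent obvious, so either is defensible. The patch only touches queue selection; anything else that commit changed is not reverted here and should be checked against the 3.16 tree.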


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 13/83] arm64: compat: Allow single-byte watchpoints on all addresses
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 12/83] bnx2x: Disable multi-cos feature Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 14/83] net: sched: Fix a possible null-pointer dereference in dequeue_func() Ben Hutchings
                   ` (70 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Will Deacon

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will@kernel.org>

commit 849adec41203ac5837c40c2d7e08490ffdef3c2c upstream.

Commit d968d2b801d8 ("ARM: 7497/1: hw_breakpoint: allow single-byte
watchpoints on all addresses") changed the validation requirements for
hardware watchpoints on arch/arm/. Update our compat layer to implement
the same relaxation.

Signed-off-by: Will Deacon <will@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/hw_breakpoint.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -501,13 +501,14 @@ int arch_validate_hwbkpt_settings(struct
 			/* Aligned */
 			break;
 		case 1:
-			/* Allow single byte watchpoint. */
-			if (info->ctrl.len == ARM_BREAKPOINT_LEN_1)
-				break;
 		case 2:
 			/* Allow halfword watchpoints and breakpoints. */
 			if (info->ctrl.len == ARM_BREAKPOINT_LEN_2)
 				break;
+		case 3:
+			/* Allow single byte watchpoint. */
+			if (info->ctrl.len == ARM_BREAKPOINT_LEN_1)
+				break;
 		default:
 			return -EINVAL;
 		}
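Review bot: `case 1:` now falls into `case 2:`, and `case 2:` into `case 3:`, both without annotation; add `/* Fall through */` comments so the intent survives -Wimplicit-fallthrough and a reader sees that a byte watchpoint at offset 1 is accepted only by reaching the `case 3:` test. Worth spelling out in the changelog that offset 1 with ARM_BREAKPOINT_LEN_2 is now also accepted via the case 2 check, which is what the cited arch/arm change does.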


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 14/83] net: sched: Fix a possible null-pointer dereference in dequeue_func()
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 13/83] arm64: compat: Allow single-byte watchpoints on all addresses Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 15/83] net: fix ifindex collision during namespace removal Ben Hutchings
                   ` (69 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jia-Ju Bai, Jiri Pirko, David S. Miller

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jia-Ju Bai <baijiaju1990@gmail.com>

commit 051c7b39be4a91f6b7d8c4548444e4b850f1f56c upstream.

In dequeue_func(), there is an if statement on line 74 to check whether
skb is NULL:
    if (skb)

When skb is NULL, it is used on line 77:
    prefetch(&skb->end);

Thus, a possible null-pointer dereference may occur.

To fix this bug, skb->end is used when skb is not NULL.

This bug is found by a static analysis tool STCheck written by us.

Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -68,7 +68,8 @@ static struct sk_buff *dequeue(struct co
 {
 	struct sk_buff *skb = __skb_dequeue(&sch->q);
 
-	prefetch(&skb->end); /* we'll need skb_shinfo() */
+	if (skb)
+		prefetch(&skb->end); /* we'll need skb_shinfo() */
 	return skb;
 }
 
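Review bot: `&skb->end` with a NULL skb computes an offset rather than loading through the pointer, and prefetch() is a hint that does not fault on the architectures that implement it, so the pre-fix line was not an actual NULL dereference; the guard is cheap and keeps static analysers quiet, but the changelog's "possible null-pointer dereference" overstates it. Also, the 3.16 function is `dequeue()` per the hunk header, not `dequeue_func()` as in the subject.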


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 15/83] net: fix ifindex collision during namespace removal
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 14/83] net: sched: Fix a possible null-pointer dereference in dequeue_func() Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 16/83] libata: zpodd: Fix small read overflow in zpodd_get_mech_type() Ben Hutchings
                   ` (68 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jiri Pirko, David S. Miller

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Pirko <jiri@mellanox.com>

commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df upstream.

Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions
on net_ns stop.") introduced a possibility to hit a BUG in case device
is returning back to init_net and two following conditions are met:
1) dev->ifindex value is used in a name of another "dev%d"
   device in init_net.
2) dev->name is used by another device in init_net.

Under real life circumstances this is hard to get. Therefore this has
been present happily for over 10 years. To reproduce:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip netns add ns1
$ ip -n ns1 link add dummy1ns1 type dummy
$ ip -n ns1 link add dummy2ns1 type dummy
$ ip link set enp0s2 netns ns1
$ ip -n ns1 link set enp0s2 name dummy0
[  100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
$ ip link add dev4 type dummy
$ ip -n ns1 a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
$ ip netns del ns1
[  158.717795] default_device_exit: failed to move dummy0 to init_net: -17
[  158.719316] ------------[ cut here ]------------
[  158.720591] kernel BUG at net/core/dev.c:9824!
[  158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
[  158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
[  158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[  158.727508] Workqueue: netns cleanup_net
[  158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
[  158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
[  158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
[  158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
[  158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
[  158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
[  158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
[  158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
[  158.750638] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
[  158.752944] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
[  158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  158.762758] Call Trace:
[  158.763882]  ? dev_change_net_namespace+0xbb0/0xbb0
[  158.766148]  ? devlink_nl_cmd_set_doit+0x520/0x520
[  158.768034]  ? dev_change_net_namespace+0xbb0/0xbb0
[  158.769870]  ops_exit_list.isra.0+0xa8/0x150
[  158.771544]  cleanup_net+0x446/0x8f0
[  158.772945]  ? unregister_pernet_operations+0x4a0/0x4a0
[  158.775294]  process_one_work+0xa1a/0x1740
[  158.776896]  ? pwq_dec_nr_in_flight+0x310/0x310
[  158.779143]  ? do_raw_spin_lock+0x11b/0x280
[  158.780848]  worker_thread+0x9e/0x1060
[  158.782500]  ? process_one_work+0x1740/0x1740
[  158.784454]  kthread+0x31b/0x420
[  158.786082]  ? __kthread_create_on_node+0x3f0/0x3f0
[  158.788286]  ret_from_fork+0x3a/0x50
[  158.789871] ---[ end trace defd6c657c71f936 ]---

Fix this by checking whether a device with the same name exists in init_net
and falling back to the original code - dev%d to allocate a name - in case it does.

This was found using syzkaller.

Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7207,6 +7207,8 @@ static void __net_exit default_device_ex
 
 		/* Push remaining network devices to init_net */
 		snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
+		if (__dev_get_by_name(&init_net, fb_name))
+			snprintf(fb_name, IFNAMSIZ, "dev%%d");
 		err = dev_change_net_namespace(dev, &init_net, fb_name);
 		if (err) {
 			pr_emerg("%s: failed to move %s to init_net: %d\n",
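Review bot: the lookup-then-move pair is only race-free if RTNL is held across both `__dev_get_by_name()` and `dev_change_net_namespace()`, which these lines do not show; a comment stating that locking assumption next to the check would help. As a style point, `snprintf(fb_name, IFNAMSIZ, "dev%%d")` with no arguments is just a copy of the literal template; `strlcpy(fb_name, "dev%d", IFNAMSIZ)` says the same thing without a format-string round trip.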



* [PATCH 3.16 16/83] libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kees Cook, Jeffrin Jose T,
	Nick Desaulniers, Jens Axboe

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 71d6c505b4d9e6f76586350450e785e3d452b346 upstream.

Jeffrin reported a KASAN issue:

  BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
  Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
  ...
  The buggy address belongs to the variable:
    cdb.48319+0x0/0x40

Much like commit 18c9a99bce2a ("libata: zpodd: small read overflow in
eject_tray()"), this fixes a cdb[] buffer length, this time in
zpodd_get_mech_type():

We read from the cdb[] buffer in ata_exec_internal_sg(). It has to be
ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.

Reported-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Fixes: afe759511808c ("libata: identify and init ZPODD devices")
Link: https://lore.kernel.org/lkml/201907181423.E808958@keescook/
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/libata-zpodd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/libata-zpodd.c
+++ b/drivers/ata/libata-zpodd.c
@@ -55,7 +55,7 @@ static enum odd_mech_type zpodd_get_mech
 	unsigned int ret;
 	struct rm_feature_desc *desc = (void *)(buf + 8);
 	struct ata_taskfile tf;
-	static const char cdb[] = {  GPCMD_GET_CONFIGURATION,
+	static const char cdb[ATAPI_CDB_LEN] = {  GPCMD_GET_CONFIGURATION,
 			2,      /* only 1 feature descriptor requested */
 			0, 3,   /* 3, removable medium feature */
 			0, 0, 0,/* reserved */
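Review bot: sizing `cdb` to `ATAPI_CDB_LEN` zero-fills the unspecified tail bytes as well as curing the over-read, which is the right shape. Since the commit message notes this is the second caller fixed the same way (after eject_tray()), consider a follow-up that has `ata_exec_internal_sg()` take or assert the CDB length rather than relying on every caller to size its array, and audit any remaining short `cdb[]` initialisers in this file with the same eye.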



* [PATCH 3.16 17/83] selinux: fix memory leak in policydb_init()
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ondrej Mosnacek,
	syzbot+fee3a14d4cdf92646287, Paul Moore

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Mosnacek <omosnace@redhat.com>

commit 45385237f65aeee73641f1ef737d7273905a233f upstream.

Since roles_init() adds some entries to the role hash table, we also need to
destroy its keys/values on error; otherwise we get a memory leak in the
error path.

Reported-by: syzbot+fee3a14d4cdf92646287@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/selinux/ss/policydb.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -261,6 +261,8 @@ static int rangetr_cmp(struct hashtab *h
 	return v;
 }
 
+static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap);
+
 /*
  * Initialize a policy database structure.
  */
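Review bot: the tentative definition of `destroy_f` here acts as a forward declaration for the initialised definition later in the file; the two must match exactly (return type and the three `void *` parameters) or the build fails, so a short comment pointing at the real definition would spare the next reader a search.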
@@ -304,8 +306,10 @@ static int policydb_init(struct policydb
 out:
 	hashtab_destroy(p->filename_trans);
 	hashtab_destroy(p->range_tr);
-	for (i = 0; i < SYM_NUM; i++)
+	for (i = 0; i < SYM_NUM; i++) {
+		hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
 		hashtab_destroy(p->symtab[i].table);
+	}
 	return rc;
 }
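Review bot: `hashtab_map()` now runs over every `p->symtab[i].table`, including indices whose creation may have failed and whose table may therefore be NULL; the original loop got away with that because `hashtab_destroy()` tolerates NULL. Confirm `hashtab_map()` does too, or stop the teardown at the first failed index. Mapping `destroy_f[i]` before `hashtab_destroy()` is otherwise the right order, since per the commit message destroying the table alone does not free the keys and values.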
 



* [PATCH 3.16 18/83] net: bridge: mcast: don't delete permanent entries when fast leave is enabled
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Nikolay Aleksandrov

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit 5c725b6b65067909548ac9ca9bc777098ec9883d upstream.

When permanent entries were introduced by the commit below, they were
exempt from timing out, and thus an IGMP leave wouldn't affect them unless
fast leave, which was added before permanent entries existed, was enabled
on the port. It shouldn't matter whether fast leave is enabled or not: if
the user added a permanent entry, it shouldn't be deleted on IGMP leave.

Before:
$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave
$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent
$ bridge mdb show
dev br0 port eth4 grp 229.1.1.1 permanent

< join and leave 229.1.1.1 on eth4 >

$ bridge mdb show
$

After:
$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave
$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent
$ bridge mdb show
dev br0 port eth4 grp 229.1.1.1 permanent

< join and leave 229.1.1.1 on eth4 >

$ bridge mdb show
dev br0 port eth4 grp 229.1.1.1 permanent

Fixes: ccb1c31a7a87 ("bridge: add flags to distinguish permanent mdb entires")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Check PERMANENT flag in net_bridge_port_group::state,
 not net_bridge_port_group::flags.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/br_multicast.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1471,6 +1471,9 @@ br_multicast_leave_group(struct net_brid
 			if (p->port != port)
 				continue;
 
+			if (p->state & MDB_PERMANENT)
+				break;
+
 			rcu_assign_pointer(*pp, p->next);
 			hlist_del_init(&p->mglist);
 			del_timer(&p->timer);
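Review bot: `break` on a permanent entry ends the walk over the whole group list, not just this port's entry, so it assumes a port has at most one entry per group in that list; if that invariant is not guaranteed, `continue` would be the safer choice. The backport note says the flag lives in `p->state` on 3.16, which matches the check here.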



* [PATCH 3.16 19/83] xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Konrad Rzeszutek Wilk, Jan Beulich,
	Boris Ostrovsky, Juergen Gross

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit 50f6393f9654c561df4cdcf8e6cfba7260143601 upstream.

The condition in xen_swiotlb_free_coherent() for deciding whether to
call xen_destroy_contiguous_region() is wrong: in case the region to
be freed is not contiguous, calling xen_destroy_contiguous_region() is
the wrong thing to do, as it would result in inconsistent mappings of
multiple PFNs to the same MFN. This will lead to various strange
crashes or data corruption.

Instead of calling xen_destroy_contiguous_region() in that case, a
warning should be issued, as that situation should never occur.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/swiotlb-xen.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -372,8 +372,8 @@ xen_swiotlb_free_coherent(struct device
 	/* Convert the size to actually allocated. */
 	size = 1UL << (order + PAGE_SHIFT);
 
-	if (((dev_addr + size - 1 <= dma_mask)) ||
-	    range_straddles_page_boundary(phys, size))
+	if (!WARN_ON((dev_addr + size - 1 > dma_mask) ||
+		     range_straddles_page_boundary(phys, size)))
 		xen_destroy_contiguous_region(phys, order);
 
 	xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);
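Review bot: the inverted `WARN_ON()` condition reads correctly now (destroy only when the region fits the mask and does not straddle a page boundary), but the warning path still falls through to `xen_free_coherent_pages()`, so a region that trips the check is freed without ever being un-contiguized. The commit message accepts that as a should-never-happen case; a one-line comment beside the `WARN_ON()` saying so would keep a future cleanup from reintroducing the destroy call.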



* [PATCH 3.16 20/83] s390/dasd: fix endless loop after read unit address configuration
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jens Axboe, Jan Hoeppner, Stefan Haberland

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Haberland <sth@linux.ibm.com>

commit 41995342b40c418a47603e1321256d2c4a2ed0fb upstream.

After getting a storage server event that causes the DASD device driver
to update its unit address configuration during a device shutdown, there is
the possibility of an endless loop in the device driver.

In the system log there will be ongoing DASD error messages with RC: -19.

The reason is that the loop starting the ruac request only terminates when
the retry counter is decreased to 0. But in the sleep_on function there are
early exit paths that do not decrease the retry counter.

Prevent an endless loop by handling those cases separately.

Remove the unnecessary do..while loop since the sleep_on function takes
care of retries by itself.

Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1")
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/block/dasd_alias.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

--- a/drivers/s390/block/dasd_alias.c
+++ b/drivers/s390/block/dasd_alias.c
@@ -396,6 +396,20 @@ suborder_not_supported(struct dasd_ccw_r
 	char msg_format;
 	char msg_no;
 
+	/*
+	 * intrc values ENODEV, ENOLINK and EPERM
+	 * will be optained from sleep_on to indicate that no
+	 * IO operation can be started
+	 */
+	if (cqr->intrc == -ENODEV)
+		return 1;
+
+	if (cqr->intrc == -ENOLINK)
+		return 1;
+
+	if (cqr->intrc == -EPERM)
+		return 1;
+
 	sense = dasd_get_sense(&cqr->irb);
 	if (!sense)
 		return 0;
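Review bot: the three identical `return 1` checks could collapse into one `if (cqr->intrc == -ENODEV || cqr->intrc == -ENOLINK || cqr->intrc == -EPERM)`, and the comment misspells "obtained" as "optained". More substantively, `suborder_not_supported()` now also answers yes for "no I/O can be started at all", which is a different condition from what the name says; a comment at the call site, or a renamed helper, would keep that distinction visible.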
@@ -460,12 +474,8 @@ static int read_unit_address_configurati
 	lcu->flags &= ~NEED_UAC_UPDATE;
 	spin_unlock_irqrestore(&lcu->lock, flags);
 
-	do {
-		rc = dasd_sleep_on(cqr);
-		if (rc && suborder_not_supported(cqr))
-			return -EOPNOTSUPP;
-	} while (rc && (cqr->retries > 0));
-	if (rc) {
+	rc = dasd_sleep_on(cqr);
+	if (rc && !suborder_not_supported(cqr)) {
 		spin_lock_irqsave(&lcu->lock, flags);
 		lcu->flags |= NEED_UAC_UPDATE;
 		spin_unlock_irqrestore(&lcu->lock, flags);
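Review bot: the explicit `return -EOPNOTSUPP` is gone, and the visible context does not show what the function returns when `suborder_not_supported()` is true; confirm that callers which keyed on -EOPNOTSUPP still see it, or that none exist. Dropping the do..while is consistent with the commit message's claim that `dasd_sleep_on()` handles retries itself.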



* [PATCH 3.16 21/83] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tomas Bortoli, syzbot+d6a5a1a3657b596ef132,
	Marc Kleine-Budde

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tomas Bortoli <tomasbortoli@gmail.com>

commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream.

Uninitialized kernel memory can leak to USB devices.

Fix by using kzalloc() instead of kmalloc() on the affected buffers.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com
Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
@@ -508,7 +508,7 @@ static int pcan_usb_pro_drv_loaded(struc
 	u8 *buffer;
 	int err;
 
-	buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
+	buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
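Review bot: `kzalloc()` is the right fix for a buffer handed to the device, but the commit message speaks of buffers in the plural while only `pcan_usb_pro_drv_loaded()` is touched here; worth checking that the other `kmalloc()`ed request buffers in this driver are either fully written before submission or converted the same way.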
 



* [PATCH 3.16 22/83] asm-generic: fix -Wtype-limits compiler warnings
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nick Desaulniers, James Y Knight,
	Nathan Chancellor, Arnd Bergmann, Bill Wendling, Linus Torvalds,
	Jakub Jelinek, David Howells, Qian Cai, David S. Miller

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Qian Cai <cai@lca.pw>

commit cbedfe11347fe418621bd188d58a206beb676218 upstream.

Commit d66acc39c7ce ("bitops: Optimise get_order()") introduced a
compilation warning because "rx_frag_size" is an "ushort" while
PAGE_SHIFT here is 16.

The commit changed the get_order() to be a multi-line macro where
compilers insist on checking all statements in the macro even when
__builtin_constant_p(rx_frag_size) will return false as "rx_frag_size"
is a module parameter.

In file included from ./arch/powerpc/include/asm/page_64.h:107,
                 from ./arch/powerpc/include/asm/page.h:242,
                 from ./arch/powerpc/include/asm/mmu.h:132,
                 from ./arch/powerpc/include/asm/lppaca.h:47,
                 from ./arch/powerpc/include/asm/paca.h:17,
                 from ./arch/powerpc/include/asm/current.h:13,
                 from ./include/linux/thread_info.h:21,
                 from ./arch/powerpc/include/asm/processor.h:39,
                 from ./include/linux/prefetch.h:15,
                 from drivers/net/ethernet/emulex/benet/be_main.c:14:
drivers/net/ethernet/emulex/benet/be_main.c: In function 'be_rx_cqs_create':
./include/asm-generic/getorder.h:54:9: warning: comparison is always
true due to limited range of data type [-Wtype-limits]
   (((n) < (1UL << PAGE_SHIFT)) ? 0 :  \
         ^
drivers/net/ethernet/emulex/benet/be_main.c:3138:33: note: in expansion
of macro 'get_order'
  adapter->big_page_size = (1 << get_order(rx_frag_size)) * PAGE_SIZE;
                                 ^~~~~~~~~

Fix it by moving all of this multi-line macro into a proper function,
and killing __get_order() off.

[akpm@linux-foundation.org: remove __get_order() altogether]
[cai@lca.pw: v2]
  Link: http://lkml.kernel.org/r/1564000166-31428-1-git-send-email-cai@lca.pw
Link: http://lkml.kernel.org/r/1563914986-26502-1-git-send-email-cai@lca.pw
Fixes: d66acc39c7ce ("bitops: Optimise get_order()")
Signed-off-by: Qian Cai <cai@lca.pw>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: David Howells <dhowells@redhat.com>
Cc: Jakub Jelinek <jakub@redhat.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Bill Wendling <morbo@google.com>
Cc: James Y Knight <jyknight@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/asm-generic/getorder.h | 50 ++++++++++++++--------------------
 1 file changed, 20 insertions(+), 30 deletions(-)

--- a/include/asm-generic/getorder.h
+++ b/include/asm-generic/getorder.h
@@ -6,24 +6,6 @@
 #include <linux/compiler.h>
 #include <linux/log2.h>
 
-/*
- * Runtime evaluation of get_order()
- */
-static inline __attribute_const__
-int __get_order(unsigned long size)
-{
-	int order;
-
-	size--;
-	size >>= PAGE_SHIFT;
-#if BITS_PER_LONG == 32
-	order = fls(size);
-#else
-	order = fls64(size);
-#endif
-	return order;
-}
-
 /**
  * get_order - Determine the allocation order of a memory size
  * @size: The size for which to get the order
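Review bot: removing `__get_order()` entirely (as the akpm note in the commit message says) is only safe if nothing else references it; a tree-wide grep for remaining users, including arch headers, should accompany this.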
@@ -42,19 +24,27 @@ int __get_order(unsigned long size)
  * to hold an object of the specified size.
  *
  * The result is undefined if the size is 0.
- *
- * This function may be used to initialise variables with compile time
- * evaluations of constants.
  */
-#define get_order(n)						\
-(								\
-	__builtin_constant_p(n) ? (				\
-		((n) == 0UL) ? BITS_PER_LONG - PAGE_SHIFT :	\
-		(((n) < (1UL << PAGE_SHIFT)) ? 0 :		\
-		 ilog2((n) - 1) - PAGE_SHIFT + 1)		\
-	) :							\
-	__get_order(n)						\
-)
+static inline __attribute_const__ int get_order(unsigned long size)
+{
+	if (__builtin_constant_p(size)) {
+		if (!size)
+			return BITS_PER_LONG - PAGE_SHIFT;
+
+		if (size < (1UL << PAGE_SHIFT))
+			return 0;
+
+		return ilog2((size) - 1) - PAGE_SHIFT + 1;
+	}
+
+	size--;
+	size >>= PAGE_SHIFT;
+#if BITS_PER_LONG == 32
+	return fls(size);
+#else
+	return fls64(size);
+#endif
+}
 
 #endif	/* __ASSEMBLY__ */
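Review bot: turning `get_order()` from a macro into a `static inline` means it is no longer a constant expression, so any use in a static initialiser, array bound or `case` label would now fail to compile; the removed kerneldoc sentence about initialising variables at compile time acknowledges this, but the changelog should say so explicitly. Minor style: `ilog2((size) - 1)` keeps parentheses inherited from the macro that are no longer needed.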
 



* [PATCH 3.16 23/83] NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Trond Myklebust, John Hubbard

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@hammerspace.com>

commit c77e22834ae9a11891cb613bd9a551be1b94f2bc upstream.

John Hubbard reports seeing the following stack trace:

nfs4_do_reclaim
   rcu_read_lock /* we are now in_atomic() and must not sleep */
       nfs4_purge_state_owners
           nfs4_free_state_owner
               nfs4_destroy_seqid_counter
                   rpc_destroy_wait_queue
                       cancel_delayed_work_sync
                           __cancel_work_timer
                               __flush_work
                                   start_flush_work
                                       might_sleep:
                                        (kernel/workqueue.c:2975: BUG)

The solution is to separate out the freeing of the state owners
from nfs4_purge_state_owners(), and perform that outside the atomic
context.

Reported-by: John Hubbard <jhubbard@nvidia.com>
Fixes: 0aaaf5c424c7f ("NFS: Cache state owners after files are closed")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/nfs4_fs.h    |  3 ++-
 fs/nfs/nfs4client.c |  5 ++++-
 fs/nfs/nfs4state.c  | 27 ++++++++++++++++++++++-----
 3 files changed, 28 insertions(+), 7 deletions(-)

--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -419,7 +419,8 @@ static inline void nfs4_schedule_session
 
 extern struct nfs4_state_owner *nfs4_get_state_owner(struct nfs_server *, struct rpc_cred *, gfp_t);
 extern void nfs4_put_state_owner(struct nfs4_state_owner *);
-extern void nfs4_purge_state_owners(struct nfs_server *);
+extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *);
+extern void nfs4_free_state_owners(struct list_head *head);
 extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *);
 extern void nfs4_put_open_state(struct nfs4_state *);
 extern void nfs4_close_state(struct nfs4_state *, fmode_t);
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -682,9 +682,12 @@ int nfs41_walk_client_list(struct nfs_cl
 
 static void nfs4_destroy_server(struct nfs_server *server)
 {
+	LIST_HEAD(freeme);
+
 	nfs_server_return_all_delegations(server);
 	unset_pnfs_layoutdriver(server);
-	nfs4_purge_state_owners(server);
+	nfs4_purge_state_owners(server, &freeme);
+	nfs4_free_state_owners(&freeme);
 }
 
 /*
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -598,24 +598,39 @@ void nfs4_put_state_owner(struct nfs4_st
 /**
  * nfs4_purge_state_owners - Release all cached state owners
  * @server: nfs_server with cached state owners to release
+ * @head: resulting list of state owners
  *
  * Called at umount time.  Remaining state owners will be on
  * the LRU with ref count of zero.
+ * Note that the state owners are not freed, but are added
+ * to the list @head, which can later be used as an argument
+ * to nfs4_free_state_owners.
  */
-void nfs4_purge_state_owners(struct nfs_server *server)
+void nfs4_purge_state_owners(struct nfs_server *server, struct list_head *head)
 {
 	struct nfs_client *clp = server->nfs_client;
 	struct nfs4_state_owner *sp, *tmp;
-	LIST_HEAD(doomed);
 
 	spin_lock(&clp->cl_lock);
 	list_for_each_entry_safe(sp, tmp, &server->state_owners_lru, so_lru) {
-		list_move(&sp->so_lru, &doomed);
+		list_move(&sp->so_lru, head);
 		nfs4_remove_state_owner_locked(sp);
 	}
 	spin_unlock(&clp->cl_lock);
+}
+
+/**
+ * nfs4_purge_state_owners - Release all cached state owners
+ * @head: resulting list of state owners
+ *
+ * Frees a list of state owners that was generated by
+ * nfs4_purge_state_owners
+ */
+void nfs4_free_state_owners(struct list_head *head)
+{
+	struct nfs4_state_owner *sp, *tmp;
 
-	list_for_each_entry_safe(sp, tmp, &doomed, so_lru) {
+	list_for_each_entry_safe(sp, tmp, head, so_lru) {
 		list_del(&sp->so_lru);
 		nfs4_free_state_owner(sp);
 	}
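Review bot: the kerneldoc for the new function is a copy of the previous one: it is still titled `nfs4_purge_state_owners - Release all cached state owners` and should read `nfs4_free_state_owners - Free state owners purged by nfs4_purge_state_owners()`; `@head` is also an input here, not a "resulting list". The split itself is sound: `nfs4_free_state_owner()` is no longer reached from inside the caller's RCU read-side critical section, which is the might_sleep() in the reported trace.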
@@ -1719,12 +1734,13 @@ static int nfs4_do_reclaim(struct nfs_cl
 	struct nfs4_state_owner *sp;
 	struct nfs_server *server;
 	struct rb_node *pos;
+	LIST_HEAD(freeme);
 	int status = 0;
 
 restart:
 	rcu_read_lock();
 	list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link) {
-		nfs4_purge_state_owners(server);
+		nfs4_purge_state_owners(server, &freeme);
 		spin_lock(&clp->cl_lock);
 		for (pos = rb_first(&server->state_owners);
 		     pos != NULL;
@@ -1752,6 +1768,7 @@ restart:
 		spin_unlock(&clp->cl_lock);
 	}
 	rcu_read_unlock();
+	nfs4_free_state_owners(&freeme);
 	return 0;
 }
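Review bot: `freeme` is only drained at this one `return 0`; the function declares `int status`, which suggests error returns between `restart:` and here, and each such path would leak whatever earlier passes moved onto `freeme`. Either drain the list on every exit or route all exits through a single `out:` label that frees it. Freeing after `rcu_read_unlock()` is otherwise exactly what the trace in the commit message calls for.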
 



* [PATCH 3.16 24/83] USB: serial: option: Add support for ZTE MF871A
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hiroyuki Yamamoto, Johan Hovold, Yoshiaki Okamoto

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshiaki Okamoto <yokamoto@allied-telesis.co.jp>

commit 7e7ae38bf928c5cfa6dd6e9a2cf8b42c84a27c92 upstream.

This patch adds support for the MF871A USB modem (aka Speed USB STICK U03)
to the option driver. This modem is manufactured by ZTE Corporation and
sold by KDDI.

Interface layout:
0: AT
1: MODEM

usb-devices output:
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  9 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=19d2 ProdID=1481 Rev=52.87
S:  Manufacturer=ZTE,Incorporated
S:  Product=ZTE Technologies MSM
S:  SerialNumber=1234567890ABCDEF
C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option

Co-developed-by: Hiroyuki Yamamoto <hyamamo@allied-telesis.co.jp>
Signed-off-by: Hiroyuki Yamamoto <hyamamo@allied-telesis.co.jp>
Signed-off-by: Yoshiaki Okamoto <yokamoto@allied-telesis.co.jp>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1672,6 +1672,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff, 0xff),  /* Telewell TW-LTE 4G v2 */
 		.driver_info = (kernel_ulong_t)&net_intf2_blacklist },
 	{ USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) },	/* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1481, 0xff, 0x00, 0x00) }, /* ZTE MF871A */
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
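Review bot: matching with subclass and protocol 0x00 (rather than the 0xff, 0xff used by the neighbouring ZTE entries) agrees with the `usb-devices` output in the commit message (`Sub=00 Prot=00` on both interfaces), and the entry sits in product-ID order between 0x1476 and 0x1533. Since both interfaces are serial (AT and MODEM), no interface blacklist is needed, unlike the 0x1428 entry above.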



* [PATCH 3.16 25/83] usb: yurex: Fix use-after-free in yurex_delete
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, gregkh, syzkaller-bugs, Alan Stern, dtor,
	Suzuki K Poulose, andreyknvl, Jiri Kosina, Tomoki Sekiyama,
	Oliver Neukum, syzbot+d1fedb1c1fdb07fca507

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit fc05481b2fcabaaeccf63e32ac1baab54e5b6963 upstream.

syzbot reported the following crash [0]:

BUG: KASAN: use-after-free in usb_free_coherent+0x79/0x80
drivers/usb/core/usb.c:928
Read of size 8 at addr ffff8881b18599c8 by task syz-executor.4/16007

CPU: 0 PID: 16007 Comm: syz-executor.4 Not tainted 5.3.0-rc2+ #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0xca/0x13e lib/dump_stack.c:113
  print_address_description+0x6a/0x32c mm/kasan/report.c:351
  __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
  kasan_report+0xe/0x12 mm/kasan/common.c:612
  usb_free_coherent+0x79/0x80 drivers/usb/core/usb.c:928
  yurex_delete+0x138/0x330 drivers/usb/misc/yurex.c:100
  kref_put include/linux/kref.h:65 [inline]
  yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
  __fput+0x2d7/0x840 fs/file_table.c:280
  task_work_run+0x13f/0x1c0 kernel/task_work.c:113
  tracehook_notify_resume include/linux/tracehook.h:188 [inline]
  exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
  syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
  do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x413511
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffc424ea2e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000413511
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000001 R08: 0000000029a2fc22 R09: 0000000029a2fc26
R10: 00007ffc424ea3c0 R11: 0000000000000293 R12: 000000000075c9a0
R13: 000000000075c9a0 R14: 0000000000761938 R15: ffffffffffffffff

Allocated by task 2776:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_kmalloc mm/kasan/common.c:487 [inline]
  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:460
  kmalloc include/linux/slab.h:552 [inline]
  kzalloc include/linux/slab.h:748 [inline]
  usb_alloc_dev+0x51/0xf95 drivers/usb/core/usb.c:583
  hub_port_connect drivers/usb/core/hub.c:5004 [inline]
  hub_port_connect_change drivers/usb/core/hub.c:5213 [inline]
  port_event drivers/usb/core/hub.c:5359 [inline]
  hub_event+0x15c0/0x3640 drivers/usb/core/hub.c:5441
  process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
  worker_thread+0x96/0xe20 kernel/workqueue.c:2415
  kthread+0x318/0x420 kernel/kthread.c:255
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 16007:
  save_stack+0x1b/0x80 mm/kasan/common.c:69
  set_track mm/kasan/common.c:77 [inline]
  __kasan_slab_free+0x130/0x180 mm/kasan/common.c:449
  slab_free_hook mm/slub.c:1423 [inline]
  slab_free_freelist_hook mm/slub.c:1470 [inline]
  slab_free mm/slub.c:3012 [inline]
  kfree+0xe4/0x2f0 mm/slub.c:3953
  device_release+0x71/0x200 drivers/base/core.c:1064
  kobject_cleanup lib/kobject.c:693 [inline]
  kobject_release lib/kobject.c:722 [inline]
  kref_put include/linux/kref.h:65 [inline]
  kobject_put+0x171/0x280 lib/kobject.c:739
  put_device+0x1b/0x30 drivers/base/core.c:2213
  usb_put_dev+0x1f/0x30 drivers/usb/core/usb.c:725
  yurex_delete+0x40/0x330 drivers/usb/misc/yurex.c:95
  kref_put include/linux/kref.h:65 [inline]
  yurex_release+0x66/0x90 drivers/usb/misc/yurex.c:392
  __fput+0x2d7/0x840 fs/file_table.c:280
  task_work_run+0x13f/0x1c0 kernel/task_work.c:113
  tracehook_notify_resume include/linux/tracehook.h:188 [inline]
  exit_to_usermode_loop+0x1d2/0x200 arch/x86/entry/common.c:163
  prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
  syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
  do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:299
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881b1859980
  which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 72 bytes inside of
  2048-byte region [ffff8881b1859980, ffff8881b185a180)
The buggy address belongs to the page:
page:ffffea0006c61600 refcount:1 mapcount:0 mapping:ffff8881da00c000
index:0x0 compound_mapcount: 0
flags: 0x200000000010200(slab|head)
raw: 0200000000010200 0000000000000000 0000000100000001 ffff8881da00c000
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8881b1859880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8881b1859900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8881b1859980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                               ^
  ffff8881b1859a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8881b1859a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

A quick look at yurex_delete() shows that we drop the reference
to the usb_device before releasing any buffers associated with the
device. Delay the reference drop until we have finished the cleanup.

[0] https://lore.kernel.org/lkml/0000000000003f86d8058f0bd671@google.com/

Fixes: 6bc235a2e24a5e ("USB: add driver for Meywa-Denki & Kayac YUREX")
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: andreyknvl@google.com
Cc: gregkh@linuxfoundation.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: syzkaller-bugs@googlegroups.com
Cc: dtor@chromium.org
Reported-by: syzbot+d1fedb1c1fdb07fca507@syzkaller.appspotmail.com
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20190805111528.6758-1-suzuki.poulose@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/yurex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -96,7 +96,6 @@ static void yurex_delete(struct kref *kr
 
 	dev_dbg(&dev->interface->dev, "%s\n", __func__);
 
-	usb_put_dev(dev->udev);
 	if (dev->cntl_urb) {
 		usb_kill_urb(dev->cntl_urb);
 		kfree(dev->cntl_req);
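Review bot: the dev_dbg() context line at the top of this hunk still dereferences dev->interface->dev on the delete path, and yurex_delete() runs from the last kref drop, which can happen after the interface is gone. If the disconnect handler clears dev->interface before that final drop (not visible in this patch), this is a NULL dereference of the same "device gone before cleanup" kind the patch fixes for udev; logging via &dev->udev->dev instead would be safe, since the function now keeps udev alive until the end.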
@@ -112,6 +111,7 @@ static void yurex_delete(struct kref *kr
 				dev->int_buffer, dev->urb->transfer_dma);
 		usb_free_urb(dev->urb);
 	}
+	usb_put_dev(dev->udev);
 	kfree(dev);
 }
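Review bot: the new position is the right one: usb_free_coherent(dev->udev, ...) on the context lines just above dereferences the usb_device that the old placement had already released, and nothing between the new usb_put_dev() and kfree(dev) touches udev. A one-line comment at the usb_put_dev() call ("drop udev only after the DMA buffers that reference it are freed") would stop a future cleanup from hoisting it back to the top of the function.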
 



* [PATCH 3.16 26/83] SMB3: Fix deadlock in validate negotiate hits reconnect
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 25/83] usb: yurex: Fix use-after-free in yurex_delete Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 27/83] smb3: send CAP_DFS capability during session setup Ben Hutchings
                   ` (57 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steve French, Ronnie Sahlberg, Pavel Shilovsky

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream.

Currently we skip SMB2_TREE_CONNECT command when checking during
reconnect because Tree Connect happens when establishing
an SMB session. For SMB 3.0 protocol version the code also calls
validate negotiate which results in SMB2_IOCTL command being sent
over the wire. This may deadlock on trying to acquire a mutex when
checking for reconnect. Fix this by skipping SMB2_IOCTL command
when doing the reconnect check.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -171,7 +171,7 @@ smb2_reconnect(__le16 smb2_command, stru
 	if (tcon == NULL)
 		return 0;
 
-	if (smb2_command == SMB2_TREE_CONNECT)
+	if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
 		return 0;
 
 	if (tcon->tidStatus == CifsExiting) {
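Review bot: the new condition skips the reconnect check for every SMB2_IOCTL, not only the validate-negotiate ioctl that caused the deadlock, so any other ioctl issued on a tcon whose session has dropped is now sent without first re-establishing the session and fails on the wire instead of transparently reconnecting. If that trade-off is intended, a comment on this line saying that IOCTL is excluded because validate negotiate runs from inside the reconnect path would keep the next reader from "fixing" it back.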



* [PATCH 3.16 27/83] smb3: send CAP_DFS capability during session setup
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 26/83] SMB3: Fix deadlock in validate negotiate hits reconnect Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 28/83] sound: fix a memory leak bug Ben Hutchings
                   ` (56 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pavel Shilovsky, Steve French

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream.

We had a report of a server which did not do a DFS referral
because the session setup Capabilities field was set to 0
(unlike negotiate protocol where we set CAP_DFS).  Better to
send it in the session setup Capabilities as well (this also
more closely matches Windows client behavior).

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2pdu.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -646,7 +646,12 @@ ssetup_ntlmssp_authenticate:
 	else
 		req->SecurityMode = 0;
 
+#ifdef CONFIG_CIFS_DFS_UPCALL
+	req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS);
+#else
 	req->Capabilities = 0;
+#endif /* DFS_UPCALL */
+
 	req->Channel = 0; /* MBZ */
 
 	iov[0].iov_base = (char *)req;
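Review bot: the closing comment `#endif /* DFS_UPCALL */` does not name the symbol actually tested, `CONFIG_CIFS_DFS_UPCALL`; use the full name so the guard and its closing comment grep together. It is also worth a sentence in the commit message that the capability is only advertised here when the DFS upcall is configured, whereas the description says negotiate already sends CAP_DFS unconditionally, so a server may still see the two requests disagree on a kernel built without the upcall.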



* [PATCH 3.16 28/83] sound: fix a memory leak bug
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 27/83] smb3: send CAP_DFS capability during session setup Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 29/83] ALSA: firewire: " Ben Hutchings
                   ` (55 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Wenwen Wang

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wenwen@cs.uga.edu>

commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.

In sound_insert_unit(), the controlling structure 's' is allocated through
kmalloc(). Then it is added to the sound driver list by invoking
__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
removed from the list through __sound_remove_unit(). If 'index' is not less
than 0, -EBUSY is returned to indicate the error. However, 's' is not
deallocated on this execution path, leading to a memory leak bug.

To fix the above issue, free 's' before -EBUSY is returned.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/sound_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/sound_core.c
+++ b/sound/sound_core.c
@@ -287,7 +287,8 @@ retry:
 				goto retry;
 			}
 			spin_unlock(&sound_loader_lock);
-			return -EBUSY;
+			r = -EBUSY;
+			goto fail;
 		}
 	}
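Review bot: the `fail` label is outside the hunk; it must do nothing more than kfree(s) and return r, and it must be reached with sound_loader_lock released, which this path guarantees via the spin_unlock() two lines above the new goto. Freeing s here is only safe because __sound_remove_unit() has already unlinked it in this branch (per the description); that ordering is the whole correctness argument and deserves a comment at the label so a later error path does not jump there with s still on the list.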
 



* [PATCH 3.16 29/83] ALSA: firewire: fix a memory leak bug
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 28/83] sound: fix a memory leak bug Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 30/83] ALSA: hda - Fix " Ben Hutchings
                   ` (54 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Takashi Sakamoto, Wenwen Wang, Takashi Iwai

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wenwen@cs.uga.edu>

commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream.

In iso_packets_buffer_init(), 'b->packets' is allocated through
kmalloc_array(). Then, the aligned packet size is checked. If it is
larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
However, the allocated 'b->packets' is not deallocated on this path,
leading to a memory leak.

To fix the above issue, free 'b->packets' before returning the error code.

Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/firewire/packets-buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/firewire/packets-buffer.c
+++ b/sound/firewire/packets-buffer.c
@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p
 	packets_per_page = PAGE_SIZE / packet_size;
 	if (WARN_ON(!packets_per_page)) {
 		err = -EINVAL;
-		goto error;
+		goto err_packets;
 	}
 	pages = DIV_ROUND_UP(count, packets_per_page);
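Review bot: `err_packets` is not shown; confirm it does kfree(b->packets) and nothing else, and that the previous `error` label did not also release something this path should still release. Since packets_per_page is PAGE_SIZE / packet_size, the WARN_ON() fires for any packet_size larger than a page, so this is a reachable error path and the leak was real rather than theoretical.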
 



* [PATCH 3.16 30/83] ALSA: hda - Fix a memory leak bug
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 29/83] ALSA: firewire: " Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 31/83] sh: kernel: hw_breakpoint: Fix missing break in switch statement Ben Hutchings
                   ` (53 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Wenwen Wang, Takashi Iwai

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wenwen Wang <wenwen@cs.uga.edu>

commit cfef67f016e4c00a2f423256fc678a6967a9fc09 upstream.

In snd_hda_parse_generic_codec(), 'spec' is allocated through kzalloc().
Then, the pin widgets in 'codec' are parsed. However, if the parsing
process fails, 'spec' is not deallocated, leading to a memory leak.

To fix the above issue, free 'spec' before returning the error.

Fixes: 352f7f914ebb ("ALSA: hda - Merge Realtek parser code to generic parser")
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/hda_generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/hda_generic.c
+++ b/sound/pci/hda/hda_generic.c
@@ -5431,7 +5431,7 @@ int snd_hda_parse_generic_codec(struct h
 
 	err = snd_hda_parse_pin_defcfg(codec, &spec->autocfg, NULL, 0);
 	if (err < 0)
-		return err;
+		goto error;
 
 	err = snd_hda_gen_parse_auto_config(codec, &spec->autocfg);
 	if (err < 0)
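Review bot: `goto error` is only a complete fix if the `error` label (outside the hunk) releases spec through the generic cleanup rather than a bare kfree(): if codec->spec was already pointed at spec before snd_hda_parse_pin_defcfg() ran (not visible here), a plain kfree(spec) would leave codec->spec dangling for the next caller. Confirm the label calls snd_hda_gen_free() or otherwise clears codec->spec.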



* [PATCH 3.16 31/83] sh: kernel: hw_breakpoint: Fix missing break in switch statement
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 30/83] ALSA: hda - Fix " Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 32/83] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Ben Hutchings
                   ` (52 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gustavo A. R. Silva, Geert Uytterhoeven,
	Guenter Roeck

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit 1ee1119d184bb06af921b48c3021d921bbd85bac upstream.

Add missing break statement in order to prevent the code from falling
through to case SH_BREAKPOINT_WRITE.

Fixes: 09a072947791 ("sh: hw-breakpoints: Add preliminary support for SH-4A UBC.")
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/sh/kernel/hw_breakpoint.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/sh/kernel/hw_breakpoint.c
+++ b/arch/sh/kernel/hw_breakpoint.c
@@ -160,6 +160,7 @@ int arch_bp_generic_fields(int sh_len, i
 	switch (sh_type) {
 	case SH_BREAKPOINT_READ:
 		*gen_type = HW_BREAKPOINT_R;
+		break;
 	case SH_BREAKPOINT_WRITE:
 		*gen_type = HW_BREAKPOINT_W;
 		break;



* [PATCH 3.16 32/83] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 31/83] sh: kernel: hw_breakpoint: Fix missing break in switch statement Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 33/83] staging: comedi: dt3000: Fix signed integer overflow 'divider * base' Ben Hutchings
                   ` (51 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Nathan Chancellor

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

commit 125b7e0949d4e72b15c2b1a1590f8cece985a918 upstream.

clang warns:

drivers/net/ethernet/toshiba/tc35815.c:1507:30: warning: use of logical
'&&' with constant operand [-Wconstant-logical-operand]
                        if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                  ^  ~~~~~~~~~~~~
drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: use '&' for a
bitwise operation
                        if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                  ^~
                                                  &
drivers/net/ethernet/toshiba/tc35815.c:1507:30: note: remove constant to
silence this warning
                        if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
                                                 ~^~~~~~~~~~~~~~~
1 warning generated.

Explicitly check that NET_IP_ALIGN is not zero, which matches how this
is checked in other parts of the tree. Because NET_IP_ALIGN is a build
time constant, this check will be constant folded away during
optimization.

Fixes: 82a9928db560 ("tc35815: Enable StripCRC feature")
Link: https://github.com/ClangBuiltLinux/linux/issues/608
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/toshiba/tc35815.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/toshiba/tc35815.c
+++ b/drivers/net/ethernet/toshiba/tc35815.c
@@ -1528,7 +1528,7 @@ tc35815_rx(struct net_device *dev, int l
 			pci_unmap_single(lp->pci_dev,
 					 lp->rx_skbs[cur_bd].skb_dma,
 					 RX_BUF_SIZE, PCI_DMA_FROMDEVICE);
-			if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN)
+			if (!HAVE_DMA_RXALIGN(lp) && NET_IP_ALIGN != 0)
 				memmove(skb->data, skb->data - NET_IP_ALIGN,
 					pkt_len);
 			data = skb_put(skb, pkt_len);
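Review bot: `NET_IP_ALIGN != 0` changes nothing at run time; where NET_IP_ALIGN is 0 the memmove() would move pkt_len bytes by zero anyway, so the added comparison exists only to satisfy clang's -Wconstant-logical-operand. A short comment saying the second operand is a build-time config check that folds away would stop someone "simplifying" it back and reintroducing the warning.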



* [PATCH 3.16 33/83] staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 32/83] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 34/83] staging: comedi: dt3000: Fix rounding up of timer divisor Ben Hutchings
                   ` (50 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Binderman, Ian Abbott, Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit b4d98bc3fc93ec3a58459948a2c0e0c9b501cd88 upstream.

In `dt3k_ns_to_timer()` the following lines near the end of the function
result in a signed integer overflow:

	prescale = 15;
	base = timer_base * (1 << prescale);
	divider = 65535;
	*nanosec = divider * base;

(`divider`, `base` and `prescale` are type `int`, `timer_base` and
`*nanosec` are type `unsigned int`.  The value of `timer_base` will be
either 50 or 100.)

The main reason for the overflow is that the calculation for `base` is
completely wrong.  It should be:

	base = timer_base * (prescale + 1);

which matches an earlier instance of this calculation in the same
function.

Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20190812111517.26803-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/comedi/drivers/dt3000.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/dt3000.c
+++ b/drivers/staging/comedi/drivers/dt3000.c
@@ -405,7 +405,7 @@ static int dt3k_ns_to_timer(unsigned int
 	}
 
 	prescale = 15;
-	base = timer_base * (1 << prescale);
+	base = timer_base * (prescale + 1);
 	divider = 65535;
 	*nanosec = divider * base;
 	return (prescale << 16) | (divider);
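Review bot: with the corrected `base`, the fallback product 65535 * timer_base * 16 is 104,856,000 at most for timer_base 100, so `divider * base` now fits an int, but it is still an int-by-int multiply stored into the unsigned *nanosec; declaring divider and base unsigned would remove the signed arithmetic from this function entirely. Also note that this fallback silently returns the slowest available period when the request is out of range rather than reporting an error, so callers have to compare the rounded *nanosec against what they asked for.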



* [PATCH 3.16 34/83] staging: comedi: dt3000: Fix rounding up of timer divisor
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 33/83] staging: comedi: dt3000: Fix signed integer overflow 'divider * base' Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 35/83] USB: core: Fix races in character device registration and deregistration Ben Hutchings
                   ` (49 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ian Abbott, Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 8e2a589a3fc36ce858d42e767c3bcd8fc62a512b upstream.

`dt3k_ns_to_timer()` determines the prescaler and divisor to use to
produce a desired timing period.  It is influenced by a rounding mode
and can round the divisor up, down, or to the nearest value.  However,
the code for rounding up currently does the same as rounding down!  Fix
it by using the `DIV_ROUND_UP()` macro to calculate the divisor when
rounding up.

Also, change the types of the `divider`, `base` and `prescale` variables
from `int` to `unsigned int` to avoid mixing signed and unsigned types
in the calculations.

Also fix a typo in a nearby comment: "improvment" => "improvement".

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20190812120814.21188-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/comedi/drivers/dt3000.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/staging/comedi/drivers/dt3000.c
+++ b/drivers/staging/comedi/drivers/dt3000.c
@@ -379,9 +379,9 @@ static irqreturn_t dt3k_interrupt(int ir
 static int dt3k_ns_to_timer(unsigned int timer_base, unsigned int *nanosec,
 			    unsigned int round_mode)
 {
-	int divider, base, prescale;
+	unsigned int divider, base, prescale;
 
-	/* This function needs improvment */
+	/* This function needs improvement */
 	/* Don't know if divider==0 works. */
 
 	for (prescale = 0; prescale < 16; prescale++) {
@@ -395,7 +395,7 @@ static int dt3k_ns_to_timer(unsigned int
 			divider = (*nanosec) / base;
 			break;
 		case TRIG_ROUND_UP:
-			divider = (*nanosec) / base;
+			divider = DIV_ROUND_UP(*nanosec, base);
 			break;
 		}
 		if (divider < 65536) {
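Review bot: DIV_ROUND_UP(*nanosec, base) computes (n + d - 1) / d in unsigned int, so when *nanosec is within base - 1 of UINT_MAX the addition wraps and yields a tiny divider that passes `divider < 65536` at prescale 0, returning a period near zero instead of falling through to the maximum. If *nanosec can be that large (it comes from the caller, not shown here), either guard with `if (*nanosec > UINT_MAX - (base - 1))` before the macro or compute `*nanosec / base + (*nanosec % base != 0)`, which cannot wrap.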


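The two dt3000 patches above (33/83 and 34/83) both change the arithmetic of dt3k_ns_to_timer(), so here is one added example covering both. It is an editor's stand-alone C re-implementation, not code from the dt3000 driver or from either patch: it reproduces the function as it reads after both fixes (unsigned variables, DIV_ROUND_UP for TRIG_ROUND_UP, fallback base of timer_base * (prescale + 1)), evaluates the pre-fix fallback product in 64 bits so the overflow the first patch describes can be seen numerically, and goes one step beyond the page by pairing the kernel-shaped DIV_ROUND_UP with an overflow-safe round-up to show what happens at the UINT_MAX edge. The TRIG_ROUND_* values, the NEAREST formula, and the helper names (ns_to_timer, code_for, period_for, div_round_up_safe, old_fallback_ns, fixed_fallback_ns) are assumptions of this example, not identifiers from the driver.

```c
/*
 * Editor's example, not code from the dt3000 driver or from either patch:
 * the dt3k_ns_to_timer() arithmetic as it reads after both fixes (unsigned
 * variables, DIV_ROUND_UP for TRIG_ROUND_UP, fallback base of
 * timer_base * (prescale + 1)), beside the pre-fix fallback product and an
 * overflow-safe round-up. TRIG_ROUND_* values, the NEAREST formula and all
 * helper names here are assumptions for this example.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define TRIG_ROUND_NEAREST 0u /* assumed values, not comedi's */
#define TRIG_ROUND_DOWN    1u
#define TRIG_ROUND_UP      2u

/* Same shape as the kernel macro: wraps if n + d - 1 exceeds UINT_MAX. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Round-up that cannot wrap: quotient plus one if there is a remainder. */
static unsigned int div_round_up_safe(unsigned int n, unsigned int d)
{
	return n / d + (n % d != 0);
}

/* Post-fix encoding: returns (prescale << 16) | divider and rounds *nanosec
 * to the period actually produced. safe_round_up picks the round-up used. */
static int ns_to_timer(unsigned int timer_base, unsigned int *nanosec,
		       unsigned int round_mode, int safe_round_up)
{
	unsigned int divider, base, prescale;

	for (prescale = 0; prescale < 16; prescale++) {
		base = timer_base * (prescale + 1);
		switch (round_mode) {
		case TRIG_ROUND_NEAREST:
		default:
			divider = (*nanosec + base / 2) / base; /* assumed */
			break;
		case TRIG_ROUND_DOWN:
			divider = *nanosec / base;
			break;
		case TRIG_ROUND_UP:
			divider = safe_round_up ? div_round_up_safe(*nanosec, base)
						: DIV_ROUND_UP(*nanosec, base);
			break;
		}
		if (divider < 65536) {
			*nanosec = divider * base;
			return (int)((prescale << 16) | divider);
		}
	}

	/* Out of range: slowest clock and largest divider, post-fix formula. */
	prescale = 15;
	base = timer_base * (prescale + 1);
	divider = 65535;
	*nanosec = divider * base;
	return (int)((prescale << 16) | divider);
}

/* Wrappers so the encoded value and the rounded period can be checked. */
static int code_for(unsigned int timer_base, unsigned int ns,
		    unsigned int mode, int safe)
{
	return ns_to_timer(timer_base, &ns, mode, safe);
}

static unsigned int period_for(unsigned int timer_base, unsigned int ns,
			       unsigned int mode, int safe)
{
	ns_to_timer(timer_base, &ns, mode, safe);
	return ns;
}

/* Pre-fix fallback, 65535 * (timer_base << 15), in 64 bits so the value is
 * visible instead of being signed-overflow undefined behaviour. */
static uint64_t old_fallback_ns(unsigned int timer_base)
{
	return 65535ull * ((uint64_t)timer_base << 15);
}

/* Post-fix fallback, 65535 * timer_base * 16. */
static uint64_t fixed_fallback_ns(unsigned int timer_base)
{
	return 65535ull * ((uint64_t)timer_base * 16);
}

int main(void)
{
	printf("1001 ns, round up:   code 0x%05x period %u\n",
	       code_for(50, 1001, TRIG_ROUND_UP, 0),
	       period_for(50, 1001, TRIG_ROUND_UP, 0));
	printf("fallback, timer_base 100: old %llu ns (> INT_MAX: %d), fixed %llu ns\n",
	       (unsigned long long)old_fallback_ns(100),
	       old_fallback_ns(100) > (uint64_t)INT_MAX,
	       (unsigned long long)fixed_fallback_ns(100));
	printf("UINT_MAX, round up: DIV_ROUND_UP code 0x%05x, safe code 0x%05x\n",
	       code_for(50, UINT_MAX, TRIG_ROUND_UP, 0),
	       code_for(50, UINT_MAX, TRIG_ROUND_UP, 1));
	return 0;
}
```

Compile with `cc -O2 -Wall` and run; the interesting lines are the fallback products (the old one exceeds INT_MAX for both timer bases, the fixed one does not) and the UINT_MAX request, where the kernel-shaped macro wraps to a divider of 0 at prescale 0 while the remainder-based round-up correctly falls through to the maximum period.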

* [PATCH 3.16 35/83] USB: core: Fix races in character device registration and deregistration
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 34/83] staging: comedi: dt3000: Fix rounding up of timer divisor Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 36/83] netfilter: conntrack: Use consistent ct id hash calculation Ben Hutchings
                   ` (48 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Alan Stern, Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 303911cfc5b95d33687d9046133ff184cf5043ff upstream.

The syzbot fuzzer has found two (!) races in the USB character device
registration and deregistration routines.  This patch fixes the races.

The first race results from the fact that usb_deregister_dev() sets
usb_minors[intf->minor] to NULL before calling device_destroy() on the
class device.  This leaves a window during which another thread can
allocate the same minor number but will encounter a duplicate name
error when it tries to register its own class device.  A typical error
message in the system log would look like:

    sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'

The patch fixes this race by destroying the class device first.

The second race is in usb_register_dev().  When that routine runs, it
first allocates a minor number, then drops minor_rwsem, and then
creates the class device.  If the device creation fails, the minor
number is deallocated and the whole routine returns an error.  But
during the time while minor_rwsem was dropped, there is a window in
which the minor number is allocated and so another thread can
successfully open the device file.  Typically this results in
use-after-free errors or invalid accesses when the other thread closes
its open file reference, because the kernel then tries to release
resources that were already deallocated when usb_register_dev()
failed.  The patch fixes this race by keeping minor_rwsem locked
throughout the entire routine.

Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/file.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/file.c
+++ b/drivers/usb/core/file.c
@@ -191,9 +191,10 @@ int usb_register_dev(struct usb_interfac
 		intf->minor = minor;
 		break;
 	}
-	up_write(&minor_rwsem);
-	if (intf->minor < 0)
+	if (intf->minor < 0) {
+		up_write(&minor_rwsem);
 		return -EXFULL;
+	}
 
 	/* create a usb class device for this usb interface */
 	snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
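Review bot: after this change the name construction on the context lines below, and everything up to device_create(), runs with minor_rwsem held for write, which is the point of the patch; make sure nothing in that stretch can block on a reader of minor_rwsem (usb_open() takes it for read) or sleep for long, since every open() of any USB class-device minor now waits behind it. The early return path correctly releases the lock before returning -EXFULL.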
@@ -206,12 +207,11 @@ int usb_register_dev(struct usb_interfac
 				      MKDEV(USB_MAJOR, minor), class_driver,
 				      "%s", temp);
 	if (IS_ERR(intf->usb_dev)) {
-		down_write(&minor_rwsem);
 		usb_minors[minor] = NULL;
 		intf->minor = -1;
-		up_write(&minor_rwsem);
 		retval = PTR_ERR(intf->usb_dev);
 	}
+	up_write(&minor_rwsem);
 	return retval;
 }
 EXPORT_SYMBOL_GPL(usb_register_dev);
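Review bot: device_create() now runs under minor_rwsem held for write; it allocates and emits uevents, both of which can sleep, which is fine for an rwsem but lengthens the window in which usb_open() blocks. The property this buys is that usb_minors[minor] is never visible to open() while intf->usb_dev holds an error pointer, which is what closes the second race from the description; a comment above the single `up_write` stating that invariant would explain why the lock is held across the device creation.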
@@ -237,12 +237,12 @@ void usb_deregister_dev(struct usb_inter
 		return;
 
 	dev_dbg(&intf->dev, "removing %d minor\n", intf->minor);
+	device_destroy(usb_class->class, MKDEV(USB_MAJOR, intf->minor));
 
 	down_write(&minor_rwsem);
 	usb_minors[intf->minor] = NULL;
 	up_write(&minor_rwsem);
 
-	device_destroy(usb_class->class, MKDEV(USB_MAJOR, intf->minor));
 	intf->usb_dev = NULL;
 	intf->minor = -1;
 	destroy_usb_class();
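Review bot: with device_destroy() moved ahead of the usb_minors[] clear, there is a window in which open() can still find the fops for a minor whose class device is already gone. That is the direction the patch wants (the slot cannot be reused for a new class device until it is cleared, so no duplicate sysfs name), but it relies on usb_open() taking minor_rwsem for read and on the owning driver's open handler tolerating a torn-down interface; worth stating in the commit message so the ordering is not "corrected" later.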



* [PATCH 3.16 36/83] netfilter: conntrack: Use consistent ct id hash calculation
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 35/83] USB: core: Fix races in character device registration and deregistration Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 37/83] sctp: fix the transport error_count check Ben Hutchings
                   ` (47 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dirk Morris, Pablo Neira Ayuso, Florian Westphal

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dirk Morris <dmorris@metaloft.com>

commit 656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a upstream.

Change ct id hash calculation to only use invariants.

Currently the ct id hash calculation is based on some fields that can
change in the lifetime of a conntrack entry in some corner cases. The
current hash uses the whole tuple which contains an hlist pointer which
will change when the conntrack is placed on the dying list resulting in
a ct id change.

This patch also removes the reply-side tuple and extension pointer from
the hash calculation so that the ct id will not change from
initialization until confirmation.

Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
Signed-off-by: Dirk Morris <dmorris@metaloft.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/nf_conntrack_core.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -240,13 +240,12 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
  * table location, we assume id gets exposed to userspace.
  *
  * Following nf_conn items do not change throughout lifetime
- * of the nf_conn after it has been committed to main hash table:
+ * of the nf_conn:
  *
  * 1. nf_conn address
- * 2. nf_conn->ext address
- * 3. nf_conn->master address (normally NULL)
- * 4. tuple
- * 5. the associated net namespace
+ * 2. nf_conn->master address (normally NULL)
+ * 3. the associated net namespace
+ * 4. the original direction tuple
  */
 u32 nf_ct_get_id(const struct nf_conn *ct)
 {
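Review bot: the renumbered list now matches the a/b/c/d inputs of nf_ct_get_id() in order (address, master, net namespace, original-direction tuple), which is good; keep the two in sync if the inputs change again. One wording point: the comment says these items hold "throughout lifetime of the nf_conn", while the commit message's aim is stability from initialization until confirmation; since the address, master and net do hold for the whole lifetime and the original tuple is fixed at init, the stronger statement is accurate, but the comment should note that the nf_conn address is only safe to use because it is fed through a keyed siphash and never exposed raw.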
@@ -256,9 +255,10 @@ u32 nf_ct_get_id(const struct nf_conn *c
 	net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
 
 	a = (unsigned long)ct;
-	b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
-	c = (unsigned long)ct->ext;
-	d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
+	b = (unsigned long)ct->master;
+	c = (unsigned long)nf_ct_net(ct);
+	d = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
+				   sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
 				   &ct_id_seed);
 #ifdef CONFIG_64BIT
 	return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
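Review bot: `c = (unsigned long)nf_ct_net(ct)` feeds the raw struct net pointer rather than net_hash_mix(); because it only enters a keyed siphash with ct_id_seed this does not leak the address, but it is a change from the previous mixing that the commit message does not mention. Note also the pre-existing narrowing on the 32-bit path: `d = (unsigned long)siphash(...)` truncates the 64-bit tuple hash to 32 bits before the final mix, so the original tuple contributes half its hash there; harmless for an id, but worth a comment.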



* [PATCH 3.16 37/83] sctp: fix the transport error_count check
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 36/83] netfilter: conntrack: Use consistent ct id hash calculation Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 38/83] USB: serial: option: Add Motorola modem UARTs Ben Hutchings
                   ` (46 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marcelo Ricardo Leitner, Xin Long, Jakub Kicinski

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit a1794de8b92ea6bc2037f445b296814ac826693e upstream.

As the annotation says in sctp_do_8_2_transport_strike():

  "If the transport error count is greater than the pf_retrans
   threshold, and less than pathmaxrtx ..."

It should be transport->error_count checked with pathmaxrxt,
instead of asoc->pf_retrans.

Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/sm_sideeffect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -504,7 +504,7 @@ static void sctp_do_8_2_transport_strike
 	 * see SCTP Quick Failover Draft, section 5.1
 	 */
 	if ((transport->state == SCTP_ACTIVE) &&
-	   (asoc->pf_retrans < transport->pathmaxrxt) &&
+	   (transport->error_count < transport->pathmaxrxt) &&
 	   (transport->error_count > asoc->pf_retrans)) {
 
 		sctp_assoc_control_transport(asoc, transport,
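Review bot: the corrected condition keeps both bounds strict (`transport->error_count < transport->pathmaxrxt` and `transport->error_count > asoc->pf_retrans`), so a transport configured with pf_retrans >= pathmaxrxt - 1 can never enter the PF state; that follows the quoted annotation, but a one-line comment saying the interval is open on both ends would save the next reader from re-deriving it.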



* [PATCH 3.16 38/83] USB: serial: option: Add Motorola modem UARTs
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 37/83] sctp: fix the transport error_count check Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 39/83] usb: cdc-acm: make sure a refcount is taken early enough Ben Hutchings
                   ` (45 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Pavel Machek,
	Sebastian Reichel, Michael Scott, Marcel Partap, Merlijn Wajer,
	Bjørn Mork, Lars Melin, Dan Williams, Tony Lindgren, NeKit

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <tony@atomide.com>

commit 6caf0be40a707689e8ff8824fdb96ef77685b1ba upstream.

On Motorola Mapphone devices such as Droid 4 there are five USB ports
that do not use the same layout as Gobi 1K/2K/etc devices listed in
qcserial.c. So we should use qcaux.c or option.c as noted by
Dan Williams <dan.j.williams@intel.com>.

As the Motorola USB serial ports have an interrupt endpoint as shown
with lsusb -v, we should use option.c instead of qcaux.c as pointed out
by Johan Hovold <johan@kernel.org>.

The ff/ff/ff interfaces seem to always be UARTs on Motorola devices.
For the other interfaces, class 0x0a (CDC Data) should not in general
be added as they are typically part of a multi-interface function as
noted earlier by Bjørn Mork <bjorn@mork.no>.

However, looking at the Motorola mapphone kernel code, the mdm6600 0x0a
class is only used for flashing the modem firmware, and there are no
other interfaces. So I've added that too with more details below as it
works just fine.

The ttyUSB ports on Droid 4 are:

ttyUSB0 DIAG, CQDM-capable
ttyUSB1 MUX or NMEA, no response
ttyUSB2 MUX or NMEA, no response
ttyUSB3 TCMD
ttyUSB4 AT-capable

The ttyUSB0 is detected as QCDM capable by ModemManager. I think
it's only used for debugging with ModemManager --debug for sending
custom AT commands though. ModemManager already can manage data
connection using the USB QMI ports that are already handled by the
qmi_wwan.c driver.

To enable the MUX or NMEA ports, it seems that something needs to be
done additionally to enable them, maybe via the DIAG or TCMD port.
It might be just a NVRAM setting somewhere, but I have no idea what
NVRAM settings may need changing for that.

The TCMD port seems to be a Motorola custom protocol for testing
the modem and to configure its NVRAM and seems to work just fine
based on a quick test with a minimal tcmdrw tool I wrote.

The voice modem AT-capable port seems to provide only partial
support, and no PM support compared to the TS 27.010 based UART
wired directly to the modem.

The UARTs added with this change are the same product IDs as the
Motorola Mapphone Android Linux kernel mdm6600_id_table. I don't
have any mdm9600 based devices, so I have only tested these on
mdm6600 based droid 4.

Then for the class 0x0a (CDC Data) mode, the Motorola Mapphone Android
Linux kernel driver moto_flashqsc.c just seems to change the
port->bulk_out_size to 8K from the default. And is only used for
flashing the modem firmware it seems.

I've verified that flashing the modem with signed firmware works just
fine with the option driver after manually toggling the GPIO pins, so
I've added droid 4 modem flashing mode to the option driver. I've not
added the other devices listed in moto_flashqsc.c in case they really
need different port->bulk_out_size. Those can be added as they get
tested to work for flashing the modem.

After this patch the output of /sys/kernel/debug/usb/devices has
the following for normal 22b8:2a70 mode including the related qmi_wwan
interfaces:

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=22b8 ProdID=2a70 Rev= 0.00
S:  Manufacturer=Motorola, Incorporated
S:  Product=Flash MZ600
C:* #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=84(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
E:  Ad=86(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
E:  Ad=88(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=06(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
E:  Ad=8a(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=07(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 7 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
E:  Ad=8b(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
E:  Ad=8c(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=08(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fb Prot=ff Driver=qmi_wwan
E:  Ad=8d(I) Atr=03(Int.) MxPS=  64 Ivl=5ms
E:  Ad=8e(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=09(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms

In 22b8:900e "qc_dload" mode the device shows up as:

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=22b8 ProdID=900e Rev= 0.00
S:  Manufacturer=Motorola, Incorporated
S:  Product=Flash MZ600
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms

And in 22b8:4281 "ram_downloader" mode the device shows up as:

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=22b8 ProdID=4281 Rev= 0.00
S:  Manufacturer=Motorola, Incorporated
S:  Product=Flash MZ600
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=fc Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms

Cc: Bjørn Mork <bjorn@mork.no>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Lars Melin <larsm17@gmail.com>
Cc: Marcel Partap <mpartap@gmx.net>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Michael Scott <hashcode0f@gmail.com>
Cc: NeKit <nekit1000@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Tested-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1109,6 +1109,11 @@ static const struct usb_device_id option
 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7B) },
 	{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7C) },
 
+	/* Motorola devices */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x22b8, 0x2a70, 0xff, 0xff, 0xff) },	/* mdm6600 */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x22b8, 0x2e0a, 0xff, 0xff, 0xff) },	/* mdm9600 */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x22b8, 0x4281, 0x0a, 0x00, 0xfc) },	/* mdm ram dl */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x22b8, 0x900e, 0xff, 0xff, 0xff) },	/* mdm qc dl */
 
 	{ USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) },
 	{ USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V620) },
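Review bot: the four new entries hard-code the vendor id 0x22b8 while the neighbouring entries use named constants (HUAWEI_VENDOR_ID, NOVATELWIRELESS_VENDOR_ID); a vendor define for Motorola would keep the table consistent. The commit message also states the mdm9600 entry (0x2e0a) was not tested on hardware, so marking that in the trailing comment would help whoever bisects a regression to it.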



* [PATCH 3.16 39/83] usb: cdc-acm: make sure a refcount is taken early enough
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 38/83] USB: serial: option: Add Motorola modem UARTs Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 40/83] net/packet: fix race in tpacket_snd() Ben Hutchings
                   ` (44 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Oliver Neukum, Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit c52873e5a1ef72f845526d9f6a50704433f9c625 upstream.

destroy() will decrement the refcount on the interface, so that
it needs to be taken so early that it never undercounts.

Fixes: 7fb57a019f94e ("USB: cdc-acm: Fix potential deadlock (lockdep warning)")
Reported-and-tested-by: syzbot+1b2449b7b5dc240d107a@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20190808142119.7998-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-acm.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1371,13 +1371,6 @@ made_compressed_probe:
 		goto alloc_fail;
 	}
 
-	minor = acm_alloc_minor(acm);
-	if (minor == ACM_TTY_MINORS) {
-		dev_err(&intf->dev, "no more free acm devices\n");
-		kfree(acm);
-		return -ENODEV;
-	}
-
 	ctrlsize = usb_endpoint_maxp(epctrl);
 	readsize = usb_endpoint_maxp(epread) *
 				(quirks == SINGLE_RX_URB ? 1 : 2);
@@ -1385,6 +1378,16 @@ made_compressed_probe:
 	acm->writesize = usb_endpoint_maxp(epwrite) * 20;
 	acm->control = control_interface;
 	acm->data = data_interface;
+
+	usb_get_intf(acm->control); /* undone in destruct() */
+
+	minor = acm_alloc_minor(acm);
+	if (minor < 0) {
+		dev_err(&intf->dev, "no more free acm devices\n");
+		kfree(acm);
+		return -ENODEV;
+	}
+
 	acm->minor = minor;
 	acm->dev = usb_dev;
 	acm->ctrl_caps = ac_management_function;
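Review bot: the replacement test `if (minor < 0)` in this hunk does not match the test removed in the previous hunk (`minor == ACM_TTY_MINORS`); that earlier comparison shows acm_alloc_minor() in this tree signals exhaustion by returning ACM_TTY_MINORS, a non-negative value, so with the new test the failure case is never caught and `acm->minor = minor` stores an out-of-range index. Unless acm_alloc_minor() was changed elsewhere in this tree to return a negative value, keep the ACM_TTY_MINORS comparison in the backport. Separately, the error path still does `kfree(acm); return -ENODEV;` immediately after `usb_get_intf(acm->control)` with no matching usb_put_intf(), so the interface reference taken two lines earlier is leaked on that path.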
@@ -1540,7 +1543,6 @@ skip_countries:
 	usb_driver_claim_interface(&acm_driver, data_interface, acm);
 	usb_set_intfdata(data_interface, acm);
 
-	usb_get_intf(control_interface);
 	tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
 			&control_interface->dev);
 	if (IS_ERR(tty_dev)) {



* [PATCH 3.16 40/83] net/packet: fix race in tpacket_snd()
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 39/83] usb: cdc-acm: make sure a refcount is taken early enough Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 41/83] Revert "cfg80211: fix processing world regdomain when non modular" Ben Hutchings
                   ` (43 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, syzbot, David S. Miller

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f upstream.

packet_sendmsg() checks tx_ring.pg_vec to decide
if it must call tpacket_snd().

Problem is that the check is lockless, meaning another thread
can issue a concurrent setsockopt(PACKET_TX_RING) to flip
tx_ring.pg_vec back to NULL.

Given that tpacket_snd() grabs pg_vec_lock mutex, we can
perform the check again to solve the race.

syzbot reported:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 packet_current_frame net/packet/af_packet.c:487 [inline]
 tpacket_snd net/packet/af_packet.c:2667 [inline]
 packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/packet/af_packet.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2286,6 +2286,13 @@ static int tpacket_snd(struct packet_soc
 
 	mutex_lock(&po->pg_vec_lock);
 
+	/* packet_sendmsg() check on tx_ring.pg_vec was lockless,
+	 * we need to confirm it under protection of pg_vec_lock.
+	 */
+	if (unlikely(!po->tx_ring.pg_vec)) {
+		err = -EBUSY;
+		goto out;
+	}
 	if (likely(saddr == NULL)) {
 		dev	= packet_cached_dev_get(po);
 		proto	= po->num;
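Review bot: the new early exit is taken after mutex_lock(&po->pg_vec_lock) and jumps to `out`, which is outside this hunk; confirm that the `out` label path releases pg_vec_lock, otherwise the patch introduces a lock leak on exactly the path it adds. Re-checking tx_ring.pg_vec under the mutex is the right fix for the lockless test in packet_sendmsg(), and -EBUSY is a reasonable return since the ring was torn down concurrently.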



* [PATCH 3.16 41/83] Revert "cfg80211: fix processing world regdomain when non modular"
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 40/83] net/packet: fix race in tpacket_snd() Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 42/83] usb-storage: Add new JMS567 revision to unusual_devs Ben Hutchings
                   ` (42 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Robert Hodaszi, Hodaszi, Robert, Johannes Berg

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Hodaszi, Robert" <Robert.Hodaszi@digi.com>

commit 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb upstream.

This reverts commit 96cce12ff6e0 ("cfg80211: fix processing world
regdomain when non modular").

Re-triggering a reg_process_hint with the last request on all events
can make the regulatory domain fail in case of multiple WiFi modules. On
slower boards (especially with mdev), enumeration of the WiFi modules
can end up in an intersected regulatory domain, and the user cannot set it
with 'iw reg set' anymore.

This is happening, because:
- 1st module enumerates, queues up a regulatory request
- request gets processed by __reg_process_hint_driver():
  - checks if previous was set by CORE -> yes
    - checks if regulator domain changed -> yes, from '00' to e.g. 'US'
      -> sends request to the 'crda'
- 2nd module enumerates, queues up a regulator request (which triggers
  the reg_todo() work)
- reg_todo() -> reg_process_pending_hints() sees, that the last request
  is not processed yet, so it tries to process it again.
  __reg_process_hint driver() will run again, and:
  - checks if the last request's initiator was the core -> no, it was
    the driver (1st WiFi module)
  - checks, if the previous initiator was the driver -> yes
    - checks if the regulator domain changed -> yes, it was '00' (set by
      core, and crda call did not return yet), and should be changed to 'US'

------> __reg_process_hint_driver calls an intersect

Besides, the reg_process_hint call with the last request is meaningless
since the crda call has a timeout work. If that timeout expires, the
first module's request will be lost.

Fixes: 96cce12ff6e0 ("cfg80211: fix processing world regdomain when non modular")
Signed-off-by: Robert Hodaszi <robert.hodaszi@digi.com>
Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hr
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/wireless/reg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1913,7 +1913,7 @@ static void reg_process_pending_hints(vo
 
 	/* When last_request->processed becomes true this will be rescheduled */
 	if (lr && !lr->processed) {
-		reg_process_hint(lr);
+		pr_debug("Pending regulatory request, waiting for it to be processed...\n");
 		return;
 	}
 



* [PATCH 3.16 42/83] usb-storage: Add new JMS567 revision to unusual_devs
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 41/83] Revert "cfg80211: fix processing world regdomain when non modular" Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 43/83] dm btree: fix order of block initialization in btree_split_beneath Ben Hutchings
                   ` (41 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Henk van der Laan

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Henk van der Laan <opensource@henkvdlaan.com>

commit 08d676d1685c2a29e4d0e1b0242324e564d4589e upstream.

Revision 0x0117 suffers from an identical issue to earlier revisions,
therefore it should be added to the quirks list.

Signed-off-by: Henk van der Laan <opensource@henkvdlaan.com>
Link: https://lore.kernel.org/r/20190816200847.21366-1-opensource@henkvdlaan.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/unusual_devs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1987,7 +1987,7 @@ UNUSUAL_DEV(  0x14cd, 0x6600, 0x0201, 0x
 		US_FL_IGNORE_RESIDUE ),
 
 /* Reported by Michael Büsch <m@bues.ch> */
-UNUSUAL_DEV(  0x152d, 0x0567, 0x0114, 0x0116,
+UNUSUAL_DEV(  0x152d, 0x0567, 0x0114, 0x0117,
 		"JMicron",
 		"USB to ATA/ATAPI Bridge",
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,



* [PATCH 3.16 43/83] dm btree: fix order of block initialization in btree_split_beneath
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 42/83] usb-storage: Add new JMS567 revision to unusual_devs Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 44/83] dm space map metadata: fix missing store of apply_bops() return value Ben Hutchings
                   ` (40 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mike Snitzer, ZhangXiaoxu

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>

commit e4f9d6013820d1eba1432d51dd1c5795759aa77f upstream.

When btree_split_beneath() splits a node to two new children, it will
allocate two blocks: left and right.  If the right block's allocation
failed, the left block will be unlocked and marked dirty.  If this
happened, the left block's content is zero, because it wasn't
initialized with the btree struct before the attempt to allocate the
right block.  Upon return, when flushing the left block to disk, the
validator will fail when checking this block.  Then a BUG_ON is raised.

Fix this by completely initializing the left block before allocating and
initializing the right block.

Fixes: 4dcb8b57df359 ("dm btree: fix leak of bufio-backed block in btree_split_beneath error path")
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/persistent-data/dm-btree.c | 31 ++++++++++++++-------------
 1 file changed, 16 insertions(+), 15 deletions(-)

--- a/drivers/md/persistent-data/dm-btree.c
+++ b/drivers/md/persistent-data/dm-btree.c
@@ -533,39 +533,40 @@ static int btree_split_beneath(struct sh
 
 	new_parent = shadow_current(s);
 
+	pn = dm_block_data(new_parent);
+	size = le32_to_cpu(pn->header.flags) & INTERNAL_NODE ?
+		sizeof(__le64) : s->info->value_type.size;
+
+	/* create & init the left block */
 	r = new_block(s->info, &left);
 	if (r < 0)
 		return r;
 
+	ln = dm_block_data(left);
+	nr_left = le32_to_cpu(pn->header.nr_entries) / 2;
+
+	ln->header.flags = pn->header.flags;
+	ln->header.nr_entries = cpu_to_le32(nr_left);
+	ln->header.max_entries = pn->header.max_entries;
+	ln->header.value_size = pn->header.value_size;
+	memcpy(ln->keys, pn->keys, nr_left * sizeof(pn->keys[0]));
+	memcpy(value_ptr(ln, 0), value_ptr(pn, 0), nr_left * size);
+
+	/* create & init the right block */
 	r = new_block(s->info, &right);
 	if (r < 0) {
 		unlock_block(s->info, left);
 		return r;
 	}
 
-	pn = dm_block_data(new_parent);
-	ln = dm_block_data(left);
 	rn = dm_block_data(right);
-
-	nr_left = le32_to_cpu(pn->header.nr_entries) / 2;
 	nr_right = le32_to_cpu(pn->header.nr_entries) - nr_left;
 
-	ln->header.flags = pn->header.flags;
-	ln->header.nr_entries = cpu_to_le32(nr_left);
-	ln->header.max_entries = pn->header.max_entries;
-	ln->header.value_size = pn->header.value_size;
-
 	rn->header.flags = pn->header.flags;
 	rn->header.nr_entries = cpu_to_le32(nr_right);
 	rn->header.max_entries = pn->header.max_entries;
 	rn->header.value_size = pn->header.value_size;
-
-	memcpy(ln->keys, pn->keys, nr_left * sizeof(pn->keys[0]));
 	memcpy(rn->keys, pn->keys + nr_left, nr_right * sizeof(pn->keys[0]));
-
-	size = le32_to_cpu(pn->header.flags) & INTERNAL_NODE ?
-		sizeof(__le64) : s->info->value_type.size;
-	memcpy(value_ptr(ln, 0), value_ptr(pn, 0), nr_left * size);
 	memcpy(value_ptr(rn, 0), value_ptr(pn, nr_left),
 	       nr_right * size);
 



* [PATCH 3.16 44/83] dm space map metadata: fix missing store of apply_bops() return value
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 43/83] dm btree: fix order of block initialization in btree_split_beneath Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 45/83] dm table: fix invalid memory accesses with too high sector number Ben Hutchings
                   ` (39 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Mike Snitzer, ZhangXiaoxu

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>

commit ae148243d3f0816b37477106c05a2ec7d5f32614 upstream.

In commit 6096d91af0b6 ("dm space map metadata: fix occasional leak
of a metadata block on resize"), we refactored the commit logic into a new
function 'apply_bops'.  But when that logic was replaced in out() the
return value was not stored.  This may lead to out() returning a wrong
value to the caller.

Fixes: 6096d91af0b6 ("dm space map metadata: fix occasional leak of a metadata block on resize")
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/persistent-data/dm-space-map-metadata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/persistent-data/dm-space-map-metadata.c
+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
@@ -248,7 +248,7 @@ static int out(struct sm_metadata *smm)
 	}
 
 	if (smm->recursion_count == 1)
-		apply_bops(smm);
+		r = apply_bops(smm);
 
 	smm->recursion_count--;
 



* [PATCH 3.16 45/83] dm table: fix invalid memory accesses with too high sector number
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 44/83] dm space map metadata: fix missing store of apply_bops() return value Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 46/83] x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386 Ben Hutchings
                   ` (38 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Zhang Tao, Mike Snitzer, Mikulas Patocka

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 1cfd5d3399e87167b7f9157ef99daa0e959f395d upstream.

If the sector number is too high, dm_table_find_target() should return a
pointer to a zeroed dm_target structure (the caller should test it with
dm_target_is_valid).

However, for some table sizes, the code in dm_table_find_target() that
performs btree lookup will access out of bound memory structures.

Fix this bug by testing the sector number at the beginning of
dm_table_find_target(). Also, add an "inline" keyword to the function
dm_table_get_size() because this is a hot path.

Fixes: 512875bd9661 ("dm: table detect io beyond device")
Reported-by: Zhang Tao <kontais@zoho.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/dm-table.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -1158,7 +1158,7 @@ void dm_table_event(struct dm_table *t)
 }
 EXPORT_SYMBOL(dm_table_event);
 
-sector_t dm_table_get_size(struct dm_table *t)
+inline sector_t dm_table_get_size(struct dm_table *t)
 {
 	return t->num_targets ? (t->highs[t->num_targets - 1] + 1) : 0;
 }
@@ -1183,6 +1183,9 @@ struct dm_target *dm_table_find_target(s
 	unsigned int l, n = 0, k = 0;
 	sector_t *node;
 
+	if (unlikely(sector >= dm_table_get_size(t)))
+		return &t->targets[t->num_targets];
+
 	for (l = 0; l < t->depth; l++) {
 		n = get_child(n, k);
 		node = get_node(t, l, n);
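Review bot: the early return of `&t->targets[t->num_targets]` relies on the targets array carrying one extra zeroed entry past num_targets, which is the sentinel the commit message describes; a short comment at the return would make that contract explicit for readers of this function alone. Comparing with `>=` against dm_table_get_size() also covers the empty table (size 0 rejects every sector), so no separate num_targets check is needed, and the `inline` added in the first hunk is what keeps this extra call cheap on the I/O path.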



* [PATCH 3.16 46/83] x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2019-11-20 15:37 ` [PATCH 3.16 45/83] dm table: fix invalid memory accesses with too high sector number Ben Hutchings
@ 2019-11-20 15:37 ` Ben Hutchings
  2019-11-20 15:37 ` [PATCH 3.16 47/83] batman-adv: Only read OGM tvlv_len after buffer len check Ben Hutchings
                   ` (37 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Gleixner, Peter Zijlstra (Intel),
	Sean Christopherson

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit b63f20a778c88b6a04458ed6ffc69da953d3a109 upstream.

Use 'lea' instead of 'add' when adjusting %rsp in CALL_NOSPEC so as to
avoid clobbering flags.

KVM's emulator makes indirect calls into a jump table of sorts, where
the destination of the CALL_NOSPEC is a small blob of code that performs
fast emulation by executing the target instruction with fixed operands.

  adcb_al_dl:
     0x000339f8 <+0>:   adc    %dl,%al
     0x000339fa <+2>:   ret

A major motivation for doing fast emulation is to leverage the CPU to
handle consumption and manipulation of arithmetic flags, i.e. RFLAGS is
both an input and output to the target of CALL_NOSPEC.  Clobbering flags
results in all sorts of incorrect emulation, e.g. Jcc instructions often
take the wrong path.  Sans the nops...

  asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
     0x0003595a <+58>:  mov    0xc0(%ebx),%eax
     0x00035960 <+64>:  mov    0x60(%ebx),%edx
     0x00035963 <+67>:  mov    0x90(%ebx),%ecx
     0x00035969 <+73>:  push   %edi
     0x0003596a <+74>:  popf
     0x0003596b <+75>:  call   *%esi
     0x000359a0 <+128>: pushf
     0x000359a1 <+129>: pop    %edi
     0x000359a2 <+130>: mov    %eax,0xc0(%ebx)
     0x000359b1 <+145>: mov    %edx,0x60(%ebx)

  ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
     0x000359a8 <+136>: mov    -0x10(%ebp),%eax
     0x000359ab <+139>: and    $0x8d5,%edi
     0x000359b4 <+148>: and    $0xfffff72a,%eax
     0x000359b9 <+153>: or     %eax,%edi
     0x000359bd <+157>: mov    %edi,0x4(%ebx)

For the most part this has gone unnoticed as emulation of guest code
that can trigger fast emulation is effectively limited to MMIO when
running on modern hardware, and MMIO is rarely, if ever, accessed by
instructions that affect or consume flags.

Breakage is almost instantaneous when running with unrestricted guest
disabled, in which case KVM must emulate all instructions when the guest
has invalid state, e.g. when the guest is in Big Real Mode during early
BIOS.

Fixes: 776b043848fd2 ("x86/retpoline: Add initial retpoline support")
Fixes: 1a29b5b7f347a ("KVM: x86: Make indirect calls in emulator speculation safe")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20190822211122.27579-1-sean.j.christopherson@intel.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/nospec-branch.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -151,7 +151,7 @@
 	"    	lfence;\n"					\
 	"       jmp    902b;\n"					\
 	"       .align 16\n"					\
-	"903:	addl   $4, %%esp;\n"				\
+	"903:	lea    4(%%esp), %%esp;\n"			\
 	"       pushl  %[thunk_target];\n"			\
 	"       ret;\n"						\
 	"       .align 16\n"					\
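Review bot: the substitution at label 903 is flags-neutral as intended: `lea 4(%%esp), %%esp` computes the new stack pointer without writing RFLAGS, whereas `addl $4, %%esp` updates CF/ZF/SF/OF and so destroyed the arithmetic flags that the emulator's fast-emulation blobs both consume and produce (the `push %[flags]; popf; CALL_NOSPEC; pushf` sequence in the changelog). The `pushl %[thunk_target]; ret` that follows does not touch flags either, so the whole thunk is now transparent to the caller's flags. One documentation nit: the changelog says "adjusting %rsp", but this hunk only touches the 32-bit %%esp path; the subject line's "on i386" is the accurate description, and the 64-bit variant of CALL_NOSPEC in the same header, outside this diff, should be confirmed to adjust %rsp without clobbering flags as well.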


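Added example, not part of the patch above or of the kernel source: a user-space C program that demonstrates the property the fix relies on, namely that `add` rewrites the arithmetic flags while `lea` leaves them alone. It uses a scratch general-purpose register in place of %esp/%rsp so it runs as an ordinary process; the function names and the starting value 16 are constructed for the illustration, and the inline assembly only builds on x86.

```c
/* Added example (not kernel code): does CF survive an `add` vs. an `lea`?
 * The retpoline thunk adjusts the stack pointer between popf and pushf in
 * KVM's fast-emulation path, so anything that writes RFLAGS there corrupts
 * the emulated instruction's result. A scratch register stands in for the
 * stack pointer so this can run in user space. x86 only. */
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* Set CF, bump a register with `add`, report CF afterwards (1 = survived). */
int carry_survives_add(void)
{
    unsigned long reg = 16;            /* stands in for %esp / %rsp */
    unsigned char cf;

    __asm__ volatile(
        "stc\n\t"                      /* CF = 1, as the emulated insn might leave it */
        "add $4, %[r]\n\t"             /* arithmetic: rewrites CF/ZF/SF/OF/PF/AF */
        "setc %[cf]\n\t"               /* capture CF after the adjustment */
        : [r] "+r"(reg), [cf] "=q"(cf)
        :
        : "cc");
    return cf;
}

/* Same adjustment done with `lea`: address computation, no flag update. */
int carry_survives_lea(void)
{
    unsigned long reg = 16;
    unsigned char cf;

    __asm__ volatile(
        "stc\n\t"
        "lea 4(%[r]), %[r]\n\t"        /* reg += 4 without touching RFLAGS */
        "setc %[cf]\n\t"
        : [r] "+r"(reg), [cf] "=q"(cf)
        :
        : "cc");
    return cf;
}
#else
/* Non-x86 build: the demonstration does not apply. */
int carry_survives_add(void) { return -1; }
int carry_survives_lea(void) { return -1; }
#endif

int main(void)
{
    printf("CF after add: %d (0 = clobbered)\n", carry_survives_add());
    printf("CF after lea: %d (1 = preserved)\n", carry_survives_lea());
    return 0;
}
```

On x86 the `add` variant reports 0 (16 + 4 produces no carry, so the addition cleared CF) and the `lea` variant reports 1; that difference is exactly what decides whether a Jcc in the emulated guest takes the right or the wrong path.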

* [PATCH 3.16 47/83] batman-adv: Only read OGM tvlv_len after buffer len check
@ 2019-11-20 15:37 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+355cab184197dbbfa384,
	Sven Eckelmann, Antonio Quartulli, Simon Wunderlich

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit a15d56a60760aa9dbe26343b9a0ac5228f35d445 upstream.

Multiple batadv_ogm_packet can be stored in an skbuff. The functions
batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
batadv_iv_ogm_aggr_packet() to check if there is another additional
batadv_ogm_packet in the skb or not before they continue processing the
packet.

The length for such an OGM is BATADV_OGM_HLEN +
batadv_ogm_packet->tvlv_len. The check must first check that at least
BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
part of the header). Otherwise it might try to read outside of the currently
available skbuff to get the content of tvlv_len.

Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
 - Drop kernel-doc change
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -395,13 +395,19 @@ static uint8_t batadv_hop_penalty(uint8_
 }
 
 /* is there another aggregated packet here? */
-static int batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
-				     __be16 tvlv_len)
+static bool
+batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+			  const struct batadv_ogm_packet *ogm_packet)
 {
 	int next_buff_pos = 0;
 
-	next_buff_pos += buff_pos + BATADV_OGM_HLEN;
-	next_buff_pos += ntohs(tvlv_len);
+	/* check if there is enough space for the header */
+	next_buff_pos += buff_pos + sizeof(*ogm_packet);
+	if (next_buff_pos > packet_len)
+		return false;
+
+	/* check if there is enough space for the optional TVLV */
+	next_buff_pos += ntohs(ogm_packet->tvlv_len);
 
 	return (next_buff_pos <= packet_len) &&
 	       (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
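Review bot: the dereference of `ogm_packet->tvlv_len` now sits behind the `next_buff_pos > packet_len` early return, so a trailing fragment shorter than a header is rejected before any of its bytes are read, which is the fix; but the header size used for that check is `sizeof(*ogm_packet)` while the receive-side caller below still advances with `ogm_offset += BATADV_OGM_HLEN`, so the two must be the same value or the bounds check and the cursor drift apart. If BATADV_OGM_HLEN is already defined as sizeof(struct batadv_ogm_packet), a short comment saying so here would make that dependency visible; otherwise use the constant in both places. The int arithmetic is otherwise unchanged: the function still trusts buff_pos to be non-negative and packet_len to be the real linear length, which the callers must keep guaranteeing.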
@@ -429,7 +435,7 @@ static void batadv_iv_ogm_send_to_if(str
 
 	/* adjust all flags and log packets */
 	while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
-					 batadv_ogm_packet->tvlv_len)) {
+					 batadv_ogm_packet)) {
 		/* we might have aggregated direct link packets with an
 		 * ordinary base packet
 		 */
@@ -1745,7 +1751,7 @@ static int batadv_iv_ogm_receive(struct
 
 	/* unpack the aggregated packets and process them one by one */
 	while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
-					 ogm_packet->tvlv_len)) {
+					 ogm_packet)) {
 		batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
 
 		ogm_offset += BATADV_OGM_HLEN;
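Review bot: this is the receive path that handles frames from the wire, and `skb_headlen(skb)` bounds only the linear part of the skb, so the new header check inside batadv_iv_ogm_aggr_packet() is what stops `ogm_packet->tvlv_len` from being fetched past the end of a short skb; on the line removed here the caller read tvlv_len unconditionally, before any length check ran. Since `ogm_offset` is the same buff_pos the callee bounds, the increment of `ogm_offset` below and the callee's `next_buff_pos <= packet_len` test need to stay in lockstep, using the same header length.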


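Added example, not kernel code: a stand-alone C program that puts the two versions of the aggregated-packet length check side by side over a constructed buffer. The `struct ogm_hdr` layout is a stand-in modelled on the fixed 24-byte OGM header (assumption: BATADV_OGM_HLEN is 24), the constant and function names and the sample packets are constructed for the illustration, and the pre-fix check is instrumented to report how many bytes beyond `packet_len` it would have touched instead of actually reading out of bounds.

```c
/* Added example (not kernel code): old vs. new OGM aggregation length check
 * over a constructed buffer. */
#include <arpa/inet.h>   /* ntohs / htons */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct batadv_ogm_packet (assumption: same 24-byte layout). */
struct ogm_hdr {
    uint8_t  packet_type;
    uint8_t  version;
    uint8_t  ttl;
    uint8_t  flags;
    uint32_t seqno;
    uint8_t  orig[6];
    uint8_t  prev_sender[6];
    uint8_t  reserved;
    uint8_t  tq;
    uint16_t tvlv_len;            /* big-endian on the wire */
} __attribute__((packed));

#define OGM_HLEN ((int)sizeof(struct ogm_hdr))   /* 24; stands in for BATADV_OGM_HLEN */
#define MAX_AGGREGATION_BYTES 512                /* stands in for BATADV_MAX_AGGREGATION_BYTES */

/* Fetch tvlv_len of the OGM at buff_pos (host order). Deliberately unchecked:
 * the two checks below decide whether calling this is safe. */
static int read_tvlv_len(const uint8_t *buf, int buff_pos)
{
    uint16_t be;
    memcpy(&be, buf + buff_pos + offsetof(struct ogm_hdr, tvlv_len), sizeof be);
    return ntohs(be);
}

/* Pre-fix logic: tvlv_len is fetched before anyone knows the header fits.
 * *overread receives how many bytes past packet_len that fetch touches
 * (0 when the header is fully inside). buf must have backing storage for
 * the whole header so this program itself stays well-defined. */
bool aggr_packet_old(const uint8_t *buf, int buff_pos, int packet_len, int *overread)
{
    int tvlv_end = buff_pos + (int)offsetof(struct ogm_hdr, tvlv_len) + 2;
    *overread = tvlv_end > packet_len ? tvlv_end - packet_len : 0;

    int next_buff_pos = buff_pos + OGM_HLEN + read_tvlv_len(buf, buff_pos);
    return next_buff_pos <= packet_len && next_buff_pos <= MAX_AGGREGATION_BYTES;
}

/* Fixed logic (mirrors the patched batadv_iv_ogm_aggr_packet): reject the
 * tail before touching tvlv_len if fewer than OGM_HLEN bytes remain. */
bool aggr_packet_new(const uint8_t *buf, int buff_pos, int packet_len)
{
    int next_buff_pos = buff_pos + OGM_HLEN;
    if (next_buff_pos > packet_len)
        return false;                 /* header incomplete: tvlv_len not readable */

    next_buff_pos += read_tvlv_len(buf, buff_pos);
    return next_buff_pos <= packet_len && next_buff_pos <= MAX_AGGREGATION_BYTES;
}

/* Walk an aggregated buffer with the fixed check; returns the OGM count. */
int count_ogms(const uint8_t *buf, int packet_len)
{
    int pos = 0, n = 0;
    while (aggr_packet_new(buf, pos, packet_len)) {
        pos += OGM_HLEN + read_tvlv_len(buf, pos);
        n++;
    }
    return n;
}

/* Constructed sample: OGM #1 without TVLVs (24 bytes) followed by OGM #2
 * with a 4-byte TVLV block (28 bytes). Returns the packet length, 52.
 * Bytes past the end are filled with a marker so an over-read is visible. */
int build_sample(uint8_t *buf, size_t cap)
{
    struct ogm_hdr h;
    memset(buf, 0xAA, cap);
    memset(&h, 0, sizeof h);
    h.version = 15;
    h.ttl = 2;
    h.tvlv_len = htons(0);
    memcpy(buf, &h, OGM_HLEN);
    h.tvlv_len = htons(4);
    memcpy(buf + OGM_HLEN, &h, OGM_HLEN);
    memset(buf + 2 * OGM_HLEN, 0, 4);              /* the TVLV payload */
    return 2 * OGM_HLEN + 4;
}

int main(void)
{
    uint8_t buf[64];
    int len = build_sample(buf, sizeof buf);
    int overread = 0;

    printf("complete buffer (%d bytes): %d OGMs\n", len, count_ogms(buf, len));
    /* Truncate inside the second header: 40 bytes leaves 16 of the 24 needed. */
    aggr_packet_old(buf, OGM_HLEN, 40, &overread);
    printf("truncated to 40: old check read %d bytes past the end\n", overread);
    printf("truncated to 40: new check accepts second OGM? %s\n",
           aggr_packet_new(buf, OGM_HLEN, 40) ? "yes" : "no");
    return 0;
}
```

With the complete 52-byte buffer both checks agree and two OGMs are counted; truncated to 40 bytes the old check still reaches 8 bytes past the end to fetch `tvlv_len` before concluding there is no further packet, while the new check refuses the tail without touching it.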

* [PATCH 3.16 48/83] ALSA: seq: Fix potential concurrent access to the deleted pool
@ 2019-11-20 15:37 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Takashi Iwai, syzbot+4a75454b9ca2777f35c7

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 75545304eba6a3d282f923b96a466dc25a81e359 upstream.

The input pool of a client might be deleted via the resize ioctl, so
the access to it should be covered by the proper locks.  Currently the
only missing place is the call in snd_seq_ioctl_get_client_pool(), and
this patch papers over it.

Reported-by: syzbot+4a75454b9ca2777f35c7@syzkaller.appspotmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/seq/seq_clientmgr.c |  3 +--
 sound/core/seq/seq_fifo.c      | 17 +++++++++++++++++
 sound/core/seq/seq_fifo.h      |  2 ++
 3 files changed, 20 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1911,8 +1911,7 @@ static int snd_seq_ioctl_get_client_pool
 	if (cptr->type == USER_CLIENT) {
 		info.input_pool = cptr->data.user.fifo_pool_size;
 		info.input_free = info.input_pool;
-		if (cptr->data.user.fifo)
-			info.input_free = snd_seq_unused_cells(cptr->data.user.fifo->pool);
+		info.input_free = snd_seq_fifo_unused_cells(cptr->data.user.fifo);
 	} else {
 		info.input_pool = 0;
 		info.input_free = 0;
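Review bot: behaviour change for a NULL fifo: before, `info.input_free` stayed equal to `info.input_pool` when `cptr->data.user.fifo` was NULL, whereas snd_seq_fifo_unused_cells() returns 0 for a NULL fifo (see the seq_fifo.c hunk), so userspace now sees input_free = 0 in that case. The retained `info.input_free = info.input_pool;` line is now dead because it is unconditionally overwritten on the next line; either drop it, or, if the old fallback was intentional, keep the NULL branch in the caller. Separately, the helper guards the pool behind the fifo's locks, but the read of the `cptr->data.user.fifo` pointer itself still happens outside them, which is what the changelog means by papering over rather than fixing the race.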
--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -278,3 +278,20 @@ int snd_seq_fifo_resize(struct snd_seq_f
 
 	return 0;
 }
+
+/* get the number of unused cells safely */
+int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f)
+{
+	unsigned long flags;
+	int cells;
+
+	if (!f)
+		return 0;
+
+	snd_use_lock_use(&f->use_lock);
+	spin_lock_irqsave(&f->lock, flags);
+	cells = snd_seq_unused_cells(f->pool);
+	spin_unlock_irqrestore(&f->lock, flags);
+	snd_use_lock_free(&f->use_lock);
+	return cells;
+}
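Review bot: the `snd_use_lock_use()` plus `spin_lock_irqsave(&f->lock)` pair around snd_seq_unused_cells() is the right shape for the fix: a concurrent snd_seq_fifo_resize() (the function this hunk is appended to) cannot free `f->pool` while it is being counted. Two things to confirm: that snd_seq_unused_cells() tolerates a NULL `f->pool`, since the new helper checks only `f`; and that the lock order use_lock-then-lock matches the order used by the resize path, because the reverse order in either place would be an ABBA deadlock.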
--- a/sound/core/seq/seq_fifo.h
+++ b/sound/core/seq/seq_fifo.h
@@ -68,5 +68,7 @@ int snd_seq_fifo_poll_wait(struct snd_se
 /* resize pool in fifo */
 int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize);
 
+/* get the number of unused cells safely */
+int snd_seq_fifo_unused_cells(struct snd_seq_fifo *f);
 
 #endif



* [PATCH 3.16 49/83] ptrace,x86: Make user_64bit_mode() available to 32-bit builds
@ 2019-11-20 15:37 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:37 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Garnier, Dmitry Vyukov,
	Paul Gortmaker, Michael S. Tsirkin, Chen Yucong,
	Masami Hiramatsu, Jonathan Corbet, Shuah Khan, Chris Metcalf,
	Ricardo Neri, Arnaldo Carvalho de Melo, ricardo.neri, Kees Cook,
	Adam Buchbinder, Colin Ian King, Vlastimil Babka, Dave Hansen,
	Paolo Bonzini, Peter Zijlstra, Qiaowei Ren, Brian Gerst,
	Andy Lutomirski, Huang Rui, Lorenzo Stoakes, Thomas Gleixner,
	Borislav Petkov, Adrian Hunter, Jiri Slaby, Ravi V. Shankar

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>

commit e27c310af5c05cf876d9cad006928076c27f54d4 upstream.

In its current form, user_64bit_mode() can only be used when CONFIG_X86_64
is selected. This implies that code built with CONFIG_X86_64=n cannot use
it. If a piece of code needs to be built for both CONFIG_X86_64=y and
CONFIG_X86_64=n and wants to use this function, it needs to wrap it in
an #ifdef/#endif; potentially, in multiple places.

This can be easily avoided with a single #ifdef/#endif pair within
user_64bit_mode() itself.

Suggested-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: ricardo.neri@intel.com
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Cc: Huang Rui <ray.huang@amd.com>
Cc: Qiaowei Ren <qiaowei.ren@intel.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: "Ravi V. Shankar" <ravi.v.shankar@intel.com>
Cc: Chris Metcalf <cmetcalf@mellanox.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Chen Yucong <slaoub@gmail.com>
Cc: Adam Buchbinder <adam.buchbinder@gmail.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Thomas Garnier <thgarnie@google.com>
Link: https://lkml.kernel.org/r/1509135945-13762-4-git-send-email-ricardo.neri-calderon@linux.intel.com
[bwh: Backported to 3.16 as dependency of "uprobes/x86: Fix detection of
 32-bit user mode":
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/ptrace.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -118,9 +118,9 @@ static inline int v8086_mode(struct pt_r
 #endif
 }
 
-#ifdef CONFIG_X86_64
 static inline bool user_64bit_mode(struct pt_regs *regs)
 {
+#ifdef CONFIG_X86_64
 #ifndef CONFIG_PARAVIRT
 	/*
 	 * On non-paravirt systems, this is the only long mode CPL 3
@@ -131,8 +131,12 @@ static inline bool user_64bit_mode(struc
 	/* Headers are too twisted for this to go in paravirt.h. */
 	return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs;
 #endif
+#else /* !CONFIG_X86_64 */
+	return false;
+#endif
 }
 
+#ifdef CONFIG_X86_64
 #define current_user_stack_pointer()	this_cpu_read(old_rsp)
 /* ia32 vs. x32 difference */
 #define compat_user_stack_pointer()	\
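Review bot: the `#else /* !CONFIG_X86_64 */ return false;` branch is the right semantic, since a 32-bit kernel has no 64-bit user mode and callers that need to size a user stack slot now get the 32-bit answer without an #ifdef of their own. The `#ifdef CONFIG_X86_64` re-opened just before current_user_stack_pointer() pairs with an `#endif` further down the file that this diff does not show; because the original `#ifdef` above the function was deleted and this one added, the conditional nesting is unchanged, but the 3.16 backport should be compile-tested with CONFIG_X86_64=n to confirm the adjusted context still matches.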



* [PATCH 3.16 50/83] uprobes/x86: Fix detection of 32-bit user mode
@ 2019-11-20 15:38 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dmitry Safonov, Oleg Nesterov,
	Srikar Dronamraju, Masami Hiramatsu, Sebastian Mayr,
	Thomas Gleixner

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Mayr <me@sam.st>

commit 9212ec7d8357ea630031e89d0d399c761421c83b upstream.

32-bit processes running on a 64-bit kernel are not always detected
correctly, causing the process to crash when uretprobes are installed.

The reason for the crash is that in_ia32_syscall() is used to determine the
process's mode, which only works correctly when called from a syscall.

In the case of uretprobes, however, the function is called from an exception
and always returns 'false' on a 64-bit kernel. In consequence this leads to
corruption of the process's return address.

Fix this by using user_64bit_mode() instead of in_ia32_syscall(), which
is correct in any situation.

[ tglx: Add a comment and the following historical info ]

This should have been detected by the rename which happened in commit

  abfb9498ee13 ("x86/entry: Rename is_{ia32,x32}_task() to in_{ia32,x32}_syscall()")

which states in the changelog:

    The is_ia32_task()/is_x32_task() function names are a big misnomer: they
    suggests that the compat-ness of a system call is a task property, which
    is not true, the compatness of a system call purely depends on how it
    was invoked through the system call layer.
    .....

and then it went and blindly renamed every call site.

Sadly enough this was already mentioned here:

   8faaed1b9f50 ("uprobes/x86: Introduce sizeof_long(), cleanup adjust_ret_addr() and arch_uretprobe_hijack_return_addr()")

where the changelog says:

    TODO: is_ia32_task() is not what we actually want, TS_COMPAT does
    not necessarily mean 32bit. Fortunately syscall-like insns can't be
    probed so it actually works, but it would be better to rename and
    use is_ia32_frame().

and goes all the way back to:

    0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")

Oh well. 7+ years until someone actually tried a uretprobe on a 32bit
process on a 64bit kernel....

Fixes: 0326f5a94dde ("uprobes/core: Handle breakpoint and singlestep exceptions")
Signed-off-by: Sebastian Mayr <me@sam.st>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Dmitry Safonov <dsafonov@virtuozzo.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Link: https://lkml.kernel.org/r/20190728152617.7308-1-me@sam.st
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/uprobes.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -455,9 +455,12 @@ struct uprobe_xol_ops {
 	void	(*abort)(struct arch_uprobe *, struct pt_regs *);
 };
 
-static inline int sizeof_long(void)
+static inline int sizeof_long(struct pt_regs *regs)
 {
-	return is_ia32_task() ? 4 : 8;
+	/*
+	 * Check registers for mode as in_xxx_syscall() does not apply here.
+	 */
+	return user_64bit_mode(regs) ? 8 : 4;
 }
 
 static int default_pre_xol_op(struct arch_uprobe *auprobe, struct pt_regs *regs)
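Review bot: sizeof_long() now keys off the interrupted user context's segment via user_64bit_mode(regs) rather than a per-task syscall flag, which is correct because a uretprobe fires from the #BP exception path where is_ia32_task()/in_ia32_syscall() carries no information (the changelog's "always returns 'false'"); this is also why the backport depends on patch 49/83, which makes user_64bit_mode() return false on CONFIG_X86_64=n so this function yields 4 there. The new comment could say that directly: `regs` is the trapped user frame and its CS selector, not TS_COMPAT, identifies the process's mode.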
@@ -468,9 +471,9 @@ static int default_pre_xol_op(struct arc
 
 static int push_ret_address(struct pt_regs *regs, unsigned long ip)
 {
-	unsigned long new_sp = regs->sp - sizeof_long();
+	unsigned long new_sp = regs->sp - sizeof_long(regs);
 
-	if (copy_to_user((void __user *)new_sp, &ip, sizeof_long()))
+	if (copy_to_user((void __user *)new_sp, &ip, sizeof_long(regs)))
 		return -EFAULT;
 
 	regs->sp = new_sp;
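Review bot: `copy_to_user((void __user *)new_sp, &ip, sizeof_long(regs))` stores the low `sizeof_long(regs)` bytes of the unsigned long `ip`, which yields the right 32-bit return address only because x86 is little-endian; a one-line comment to that effect would help the next reader. It also shows the shape of the old bug: with the stale 8-byte size for a 32-bit process, `new_sp` dropped 8 below `regs->sp` and 8 bytes were written, so the 32-bit frame was misaligned and the slot below the intended one was overwritten, matching the "corruption of the process's return address" in the changelog.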
@@ -503,7 +506,7 @@ static int default_post_xol_op(struct ar
 		long correction = utask->vaddr - utask->xol_vaddr;
 		regs->ip += correction;
 	} else if (auprobe->defparam.fixups & UPROBE_FIX_CALL) {
-		regs->sp += sizeof_long(); /* Pop incorrect return address */
+		regs->sp += sizeof_long(regs); /* Pop incorrect return address */
 		if (push_ret_address(regs, utask->vaddr + auprobe->defparam.ilen))
 			return -ERESTART;
 	}
@@ -612,7 +615,7 @@ static int branch_post_xol_op(struct arc
 	 * "call" insn was executed out-of-line. Just restore ->sp and restart.
 	 * We could also restore ->ip and try to call branch_emulate_op() again.
 	 */
-	regs->sp += sizeof_long();
+	regs->sp += sizeof_long(regs);
 	return -ERESTART;
 }
 
@@ -903,7 +906,7 @@ bool arch_uprobe_skip_sstep(struct arch_
 unsigned long
 arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs *regs)
 {
-	int rasize = sizeof_long(), nleft;
+	int rasize = sizeof_long(regs), nleft;
 	unsigned long orig_ret_vaddr = 0; /* clear high bits for 32-bit apps */
 
 	if (copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize))
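Review bot: with `rasize` now 4 for a 32-bit process, `copy_from_user(&orig_ret_vaddr, (void __user *)regs->sp, rasize)` reads only the 4-byte return address and the zero-initialised high bits of `orig_ret_vaddr` stay clear, as the existing comment intends; before this change the same call read 8 bytes on a 64-bit kernel and folded the next stack word into the return address. The diff stops before the write-back of `trampoline_vaddr` later in this function; it must use the same `rasize`, so that tail should be checked in the backported tree.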



* [PATCH 3.16 51/83] x86/apic: Do not initialize LDR and DFR for bigsmp
@ 2019-11-20 15:38 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Thomas Gleixner, Bandan Das

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bandan Das <bsd@redhat.com>

commit bae3a8d3308ee69a7dbdf145911b18dfda8ade0d upstream.

Legacy apic init uses bigsmp for smp systems with 8 or more CPUs. The
bigsmp APIC implementation uses physical destination mode, but it
nevertheless initializes LDR and DFR. The LDR even ends up incorrectly with
multiple bits being set.

This does not cause a functional problem because LDR and DFR are ignored
when physical destination mode is active, but it triggered a problem on a
32-bit KVM guest which jumps into a kdump kernel.

The multiple bits set unearthed a bug in the KVM APIC implementation. The
code which creates the logical destination map for VCPUs ignores the
disabled state of the APIC and ends up overwriting an existing valid entry
and as a result, APIC calibration hangs in the guest during kdump
initialization.

Remove the bogus LDR/DFR initialization.

This is not intended to work around the KVM APIC bug. The LDR/DFR
initialization is wrong on its own.

The issue goes back into the pre git history. The fixes tag is the commit
in the bitkeeper import which introduced bigsmp support in 2003.

  git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git

Fixes: db7b9e9f26b8 ("[PATCH] Clustered APIC setup for >8 CPU systems")
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190826101513.5080-2-bsd@redhat.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/apic/bigsmp_32.c | 24 ++----------------------
 1 file changed, 2 insertions(+), 22 deletions(-)

--- a/arch/x86/kernel/apic/bigsmp_32.c
+++ b/arch/x86/kernel/apic/bigsmp_32.c
@@ -42,32 +42,12 @@ static int bigsmp_early_logical_apicid(i
 	return early_per_cpu(x86_cpu_to_apicid, cpu);
 }
 
-static inline unsigned long calculate_ldr(int cpu)
-{
-	unsigned long val, id;
-
-	val = apic_read(APIC_LDR) & ~APIC_LDR_MASK;
-	id = per_cpu(x86_bios_cpu_apicid, cpu);
-	val |= SET_APIC_LOGICAL_ID(id);
-
-	return val;
-}
-
 /*
- * Set up the logical destination ID.
- *
- * Intel recommends to set DFR, LDR and TPR before enabling
- * an APIC.  See e.g. "AP-388 82489DX User's Manual" (Intel
- * document number 292116).  So here it goes...
+ * bigsmp enables physical destination mode
+ * and doesn't use LDR and DFR
  */
 static void bigsmp_init_apic_ldr(void)
 {
-	unsigned long val;
-	int cpu = smp_processor_id();
-
-	apic_write(APIC_DFR, APIC_DFR_FLAT);
-	val = calculate_ldr(cpu);
-	apic_write(APIC_LDR, val);
 }
 
 static void bigsmp_setup_apic_routing(void)
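Review bot: bigsmp_init_apic_ldr() is left as an empty body rather than dropping the callback, which is fine if the apic struct expects a non-NULL init_apic_ldr, and the replacement comment says why; it could be a little stronger, e.g. "physical destination mode: the CPU ignores LDR/DFR, and we must not leave a bogus multi-bit LDR behind", since the changelog's real motivation is the multi-bit LDR confusing a KVM guest's logical-destination map. The removed calculate_ldr() was the only user of APIC_LDR in this hunk; confirm nothing else in bigsmp_32.c still calls it, and note that the generic setup_local_APIC() LDR mismatch check will now see an uninitialised LDR on these systems, which patch 53/83 in this series addresses.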



* [PATCH 3.16 52/83] x86/apic: Drop logical_smp_processor_id() inline
@ 2019-11-20 15:38 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, ebiederm, andy.shevchenko, Dou Liyang,
	Thomas Gleixner, bhe

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dou Liyang <douly.fnst@cn.fujitsu.com>

commit 8f1561680f42a5491b371b513f1ab8197f31fd62 upstream.

The logical_smp_processor_id() inline which is only called in
setup_local_APIC() on x86_32 systems has no real value.

Drop it and directly use GET_APIC_LOGICAL_ID() at the call site and use a
more suitable variable name for readability.

Signed-off-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: andy.shevchenko@gmail.com
Cc: bhe@redhat.com
Cc: ebiederm@xmission.com
Link: https://lkml.kernel.org/r/20180301055930.2396-4-douly.fnst@cn.fujitsu.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/smp.h
+++ b/arch/x86/include/asm/smp.h
@@ -203,16 +203,6 @@ extern int safe_smp_processor_id(void);
 #endif
 
 #ifdef CONFIG_X86_LOCAL_APIC
-
-#ifndef CONFIG_X86_64
-static inline int logical_smp_processor_id(void)
-{
-	/* we don't want to mark this access volatile - bad code generation */
-	return GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
-}
-
-#endif
-
 extern int hard_smp_processor_id(void);
 
 #else /* CONFIG_X86_LOCAL_APIC */
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1305,6 +1305,9 @@ void setup_local_APIC(void)
 	int i, j, acked = 0;
 	unsigned long long tsc = 0, ntsc;
 	long long max_loops = cpu_khz ? cpu_khz : 1000000;
+#ifdef CONFIG_X86_32
+	int logical_apicid, ldr_apicid;
+#endif
 
 	if (cpu_has_tsc)
 		rdtscll(tsc);
@@ -1344,11 +1347,11 @@ void setup_local_APIC(void)
 	 * initialized during get_smp_config(), make sure it matches the
 	 * actual value.
 	 */
-	i = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
-	WARN_ON(i != BAD_APICID && i != logical_smp_processor_id());
+	logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
+	ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
+	WARN_ON(logical_apicid != BAD_APICID && logical_apicid != ldr_apicid);
 	/* always use the value from LDR */
-	early_per_cpu(x86_cpu_to_logical_apicid, cpu) =
-		logical_smp_processor_id();
+	early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid;
 
 	/*
 	 * Some NUMA implementations (NUMAQ) don't initialize apicid to
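Review bot: the WARN_ON here still fires unconditionally on x86_32 whenever the early logical apicid disagrees with the LDR, and after patch 51/83 bigsmp no longer writes LDR at all, so on those systems every booting CPU will hit it; patch 53/83 restricts the check to `apic->dest_logical`, so this series must keep the two together. A smaller nit: `logical_apicid` and `ldr_apicid` are declared at the top of the function under a second `#ifdef CONFIG_X86_32` (first hunk) although they are only used inside this block; declaring them here would drop one #ifdef, which is what the follow-up patch ends up doing.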



* [PATCH 3.16 53/83] x86/apic/32: Avoid bogus LDR warnings
@ 2019-11-20 15:38 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jan Beulich, Thomas Gleixner

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <jbeulich@suse.com>

commit fe6f85ca121e9c74e7490fe66b0c5aae38e332c3 upstream.

The removal of the LDR initialization in the bigsmp_32 APIC code unearthed
a problem in setup_local_APIC().

The code checks unconditionally for a mismatch of the logical APIC id by
comparing the early APIC id which was initialized in get_smp_config() with
the actual LDR value in the APIC.

Due to the removal of the bogus LDR initialization the check now can
trigger on bigsmp_32 APIC systems emitting a warning for every booting
CPU. This is of course a false positive because the APIC is not using
logical destination mode.

Restrict the check and the possibly resulting fixup to systems which are
actually using the APIC in logical destination mode.

[ tglx: Massaged changelog and added Cc stable ]

Fixes: bae3a8d3308 ("x86/apic: Do not initialize LDR and DFR for bigsmp")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/666d8f91-b5a8-1afd-7add-821e72a35f03@suse.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/apic/apic.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1305,9 +1305,6 @@ void setup_local_APIC(void)
 	int i, j, acked = 0;
 	unsigned long long tsc = 0, ntsc;
 	long long max_loops = cpu_khz ? cpu_khz : 1000000;
-#ifdef CONFIG_X86_32
-	int logical_apicid, ldr_apicid;
-#endif
 
 	if (cpu_has_tsc)
 		rdtscll(tsc);
@@ -1342,16 +1339,21 @@ void setup_local_APIC(void)
 	apic->init_apic_ldr();
 
 #ifdef CONFIG_X86_32
-	/*
-	 * APIC LDR is initialized.  If logical_apicid mapping was
-	 * initialized during get_smp_config(), make sure it matches the
-	 * actual value.
-	 */
-	logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
-	ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
-	WARN_ON(logical_apicid != BAD_APICID && logical_apicid != ldr_apicid);
-	/* always use the value from LDR */
-	early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid;
+	if (apic->dest_logical) {
+		int logical_apicid, ldr_apicid;
+
+		/*
+		 * APIC LDR is initialized.  If logical_apicid mapping was
+		 * initialized during get_smp_config(), make sure it matches
+		 * the actual value.
+		 */
+		logical_apicid = early_per_cpu(x86_cpu_to_logical_apicid, cpu);
+		ldr_apicid = GET_APIC_LOGICAL_ID(apic_read(APIC_LDR));
+		if (logical_apicid != BAD_APICID)
+			WARN_ON(logical_apicid != ldr_apicid);
+		/* Always use the value from LDR. */
+		early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid;
+	}
 
 	/*
 	 * Some NUMA implementations (NUMAQ) don't initialize apicid to
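Review bot: the block is now gated on `apic->dest_logical` and the WARN_ON only compares when `logical_apicid != BAD_APICID`, which removes the false positive for physical-mode drivers; but the previously unconditional `early_per_cpu(x86_cpu_to_logical_apicid, cpu) = ldr_apicid;` has moved inside the same `if`, so on physical-mode systems the per-cpu logical apicid now keeps whatever get_smp_config() stored (possibly BAD_APICID) instead of being refreshed from LDR. That is the honest value for a driver that never uses logical IDs, but any consumer of x86_cpu_to_logical_apicid that assumed it always mirrored LDR on x86_32 should be checked.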



* [PATCH 3.16 54/83] usb: host: ohci: fix a race condition between shutdown and irq
@ 2019-11-20 15:38 ` Ben Hutchings
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alan Stern, Yoshihiro Shimoda, Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit a349b95d7ca0cea71be4a7dac29830703de7eb62 upstream.

This patch fixes an issue where the following error can occur when the
ohci hardware raises an interrupt and the system is shutting down at
the same time.

[   34.851754] usb 2-1: USB disconnect, device number 2
[   35.166658] irq 156: nobody cared (try booting with the "irqpoll" option)
[   35.173445] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 5.3.0-rc5 #85
[   35.179964] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
[   35.187886] Workqueue: usb_hub_wq hub_event
[   35.192063] Call trace:
[   35.194509]  dump_backtrace+0x0/0x150
[   35.198165]  show_stack+0x14/0x20
[   35.201475]  dump_stack+0xa0/0xc4
[   35.204785]  __report_bad_irq+0x34/0xe8
[   35.208614]  note_interrupt+0x2cc/0x318
[   35.212446]  handle_irq_event_percpu+0x5c/0x88
[   35.216883]  handle_irq_event+0x48/0x78
[   35.220712]  handle_fasteoi_irq+0xb4/0x188
[   35.224802]  generic_handle_irq+0x24/0x38
[   35.228804]  __handle_domain_irq+0x5c/0xb0
[   35.232893]  gic_handle_irq+0x58/0xa8
[   35.236548]  el1_irq+0xb8/0x180
[   35.239681]  __do_softirq+0x94/0x23c
[   35.243253]  irq_exit+0xd0/0xd8
[   35.246387]  __handle_domain_irq+0x60/0xb0
[   35.250475]  gic_handle_irq+0x58/0xa8
[   35.254130]  el1_irq+0xb8/0x180
[   35.257268]  kernfs_find_ns+0x5c/0x120
[   35.261010]  kernfs_find_and_get_ns+0x3c/0x60
[   35.265361]  sysfs_unmerge_group+0x20/0x68
[   35.269454]  dpm_sysfs_remove+0x2c/0x68
[   35.273284]  device_del+0x80/0x370
[   35.276683]  hid_destroy_device+0x28/0x60
[   35.280686]  usbhid_disconnect+0x4c/0x80
[   35.284602]  usb_unbind_interface+0x6c/0x268
[   35.288867]  device_release_driver_internal+0xe4/0x1b0
[   35.293998]  device_release_driver+0x14/0x20
[   35.298261]  bus_remove_device+0x110/0x128
[   35.302350]  device_del+0x148/0x370
[   35.305832]  usb_disable_device+0x8c/0x1d0
[   35.309921]  usb_disconnect+0xc8/0x2d0
[   35.313663]  hub_event+0x6e0/0x1128
[   35.317146]  process_one_work+0x1e0/0x320
[   35.321148]  worker_thread+0x40/0x450
[   35.324805]  kthread+0x124/0x128
[   35.328027]  ret_from_fork+0x10/0x18
[   35.331594] handlers:
[   35.333862] [<0000000079300c1d>] usb_hcd_irq
[   35.338126] [<0000000079300c1d>] usb_hcd_irq
[   35.342389] Disabling IRQ #156

ohci_shutdown() disables all the interrupts and rh_state is set to
OHCI_RH_HALTED. On the other hand, ohci_irq() can enable
OHCI_INTR_SF and OHCI_INTR_MIE. Note that OHCI_INTR_SF
can be set by start_ed_unlink() which is called:
 ohci_irq()
  -> process_done_list()
   -> takeback_td()
    -> start_ed_unlink()

So, ohci_irq() has the following condition; the issue happens with
&ohci->regs->intrenable = OHCI_INTR_MIE | OHCI_INTR_SF and
ohci->rh_state = OHCI_RH_HALTED:

	/* interrupt for some other device? */
	if (ints == 0 || unlikely(ohci->rh_state == OHCI_RH_HALTED))
		return IRQ_NOTMINE;

To fix the issue, ohci_shutdown() holds the spin lock while disabling
the interrupts and changing the rh_state flag, to prevent re-enabling
OHCI_INTR_MIE unexpectedly. Note that io_watchdog_func() also
calls ohci_shutdown() and already holds the spin lock, so the
patch makes a new function, _ohci_shutdown().

This patch is inspired by a Renesas R-Car Gen3 BSP patch
from Tho Vu.

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/1566877910-6020-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Drop change in io_watchdog_func()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/host/ohci-hcd.c
+++ b/drivers/usb/host/ohci-hcd.c
@@ -392,8 +392,7 @@ static void ohci_usb_reset (struct ohci_
  * other cases where the next software may expect clean state from the
  * "firmware".  this is bus-neutral, unlike shutdown() methods.
  */
-static void
-ohci_shutdown (struct usb_hcd *hcd)
+static void _ohci_shutdown(struct usb_hcd *hcd)
 {
 	struct ohci_hcd *ohci;
 
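Review bot: _ohci_shutdown() now has an unstated locking precondition (ohci->lock held by the caller), and the comment block ending at `"firmware".  this is bus-neutral, unlike shutdown() methods.` still describes it as the shutdown method itself; add a line such as `/* Must be called with ohci->lock held */` above `static void _ohci_shutdown(struct usb_hcd *hcd)` so a future caller (upstream's io_watchdog_func(), dropped in this backport) does not re-enter it unlocked.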
@@ -408,6 +407,16 @@ ohci_shutdown (struct usb_hcd *hcd)
 	ohci_writel(ohci, ohci->fminterval, &ohci->regs->fminterval);
 }
 
+static void ohci_shutdown(struct usb_hcd *hcd)
+{
+	struct ohci_hcd	*ohci = hcd_to_ohci(hcd);
+	unsigned long flags;
+
+	spin_lock_irqsave(&ohci->lock, flags);
+	_ohci_shutdown(hcd);
+	spin_unlock_irqrestore(&ohci->lock, flags);
+}
+
 static int check_ed(struct ohci_hcd *ohci, struct ed *ed)
 {
 	return (hc32_to_cpu(ohci, ed->hwINFO) & ED_IN) != 0
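Review bot: the wrapper keeps the name ohci_shutdown(), so the hc_driver .shutdown pointer (not in the hunk) should still resolve to this locked version rather than to _ohci_shutdown(); worth confirming in the backport, since the 3.16 tree has no io_watchdog_func() and _ohci_shutdown() therefore has exactly one caller here. Taking the lock with spin_lock_irqsave() rather than spin_lock() is the right choice given that the race partner is ohci_irq(), which the commit message says reaches start_ed_unlink() from interrupt context.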


^ permalink raw reply	[flat|nested] 88+ messages in thread

* [PATCH 3.16 55/83] USB: storage: ums-realtek: Update module parameter description for auto_delink_en
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kai-Heng Feng, Greg Kroah-Hartman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit f6445b6b2f2bb1745080af4a0926049e8bca2617 upstream.

The option named "auto_delink_en" is a bit misleading, as setting it to
false doesn't really disable auto-delink but lets auto-delink be firmware
controlled.

Update the description to reflect the real usage of this parameter.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Link: https://lore.kernel.org/r/20190827173450.13572-1-kai.heng.feng@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/realtek_cr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/storage/realtek_cr.c
+++ b/drivers/usb/storage/realtek_cr.c
@@ -47,7 +47,7 @@ MODULE_VERSION("1.03");
 
 static int auto_delink_en = 1;
 module_param(auto_delink_en, int, S_IRUGO | S_IWUSR);
-MODULE_PARM_DESC(auto_delink_en, "enable auto delink");
+MODULE_PARM_DESC(auto_delink_en, "auto delink mode (0=firmware, 1=software [default])");
 
 #ifdef CONFIG_REALTEK_AUTOPM
 static int ss_en = 1;



* [PATCH 3.16 56/83] USB: storage: ums-realtek: Whitelist auto-delink support
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alan Stern, Greg Kroah-Hartman, Kai-Heng Feng

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 1902a01e2bcc3abd7c9a18dc05e78c7ab4a53c54 upstream.

Auto-delink requires writing special registers to ums-realtek devices.
Unconditionally enabling auto-delink may break newer devices.

So only enable auto-delink by default for the original three IDs,
0x0138, 0x0158 and 0x0159.

Realtek is working on a patch to properly support auto-delink for other
IDs.

BugLink: https://bugs.launchpad.net/bugs/1838886
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20190827173450.13572-2-kai.heng.feng@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/realtek_cr.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/usb/storage/realtek_cr.c
+++ b/drivers/usb/storage/realtek_cr.c
@@ -1001,12 +1001,15 @@ static int init_realtek_cr(struct us_dat
 			goto INIT_FAIL;
 	}
 
-	if (CHECK_FW_VER(chip, 0x5888) || CHECK_FW_VER(chip, 0x5889) ||
-	    CHECK_FW_VER(chip, 0x5901))
-		SET_AUTO_DELINK(chip);
-	if (STATUS_LEN(chip) == 16) {
-		if (SUPPORT_AUTO_DELINK(chip))
+	if (CHECK_PID(chip, 0x0138) || CHECK_PID(chip, 0x0158) ||
+	    CHECK_PID(chip, 0x0159)) {
+		if (CHECK_FW_VER(chip, 0x5888) || CHECK_FW_VER(chip, 0x5889) ||
+				CHECK_FW_VER(chip, 0x5901))
 			SET_AUTO_DELINK(chip);
+		if (STATUS_LEN(chip) == 16) {
+			if (SUPPORT_AUTO_DELINK(chip))
+				SET_AUTO_DELINK(chip);
+		}
 	}
 #ifdef CONFIG_REALTEK_AUTOPM
 	if (ss_en)
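Review bot: the three PIDs are hard-coded with no comment saying why these and not others; add a one-line comment above `if (CHECK_PID(chip, 0x0138) || CHECK_PID(chip, 0x0158) ||` naming them as the originally supported auto-delink devices (the commit message says this, the code does not). Also the continuation line `CHECK_FW_VER(chip, 0x5901))` is indented with tabs only and no longer aligns with its opening parenthesis the way the surrounding conditions do, and the nested `if (STATUS_LEN(chip) == 16) {` / `if (SUPPORT_AUTO_DELINK(chip))` pair could be one condition.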



* [PATCH 3.16 57/83] USB: cdc-wdm: fix race between write and disconnect due to flag abuse
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Oliver Neukum, Greg Kroah-Hartman,
	syzbot+d232cca6ec42c2edb3fc

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e upstream.

In case of a disconnect an ongoing flush() has to be made to fail.
Nevertheless we cannot be sure that any pending URB has already
finished, so although they will never succeed, they still must
not be touched.
The clean solution for this is to check for WDM_IN_USE
and WDM_DISCONNECTED in flush(). There is no point in ever
clearing WDM_IN_USE, as no further writes make sense.

The issue is as old as the driver.

Fixes: afba937e540c9 ("USB: CDC WDM driver")
Reported-by: syzbot+d232cca6ec42c2edb3fc@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20190827103436.21143-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/class/cdc-wdm.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -576,10 +576,20 @@ static int wdm_flush(struct file *file,
 {
 	struct wdm_device *desc = file->private_data;
 
-	wait_event(desc->wait, !test_bit(WDM_IN_USE, &desc->flags));
+	wait_event(desc->wait,
+			/*
+			 * needs both flags. We cannot do with one
+			 * because resetting it would cause a race
+			 * with write() yet we need to signal
+			 * a disconnect
+			 */
+			!test_bit(WDM_IN_USE, &desc->flags) ||
+			test_bit(WDM_DISCONNECTING, &desc->flags));
 
 	/* cannot dereference desc->intf if WDM_DISCONNECTING */
-	if (desc->werr < 0 && !test_bit(WDM_DISCONNECTING, &desc->flags))
+	if (test_bit(WDM_DISCONNECTING, &desc->flags))
+		return -ENODEV;
+	if (desc->werr < 0)
 		dev_err(&desc->intf->dev, "Error in flush path: %d\n",
 			desc->werr);
 
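Review bot: the `test_bit(WDM_DISCONNECTING, &desc->flags)` check followed by `dev_err(&desc->intf->dev, ...)` is not done under desc->iuspin, so a disconnect that lands between the check and the dev_err still leaves the window the comment `cannot dereference desc->intf if WDM_DISCONNECTING` warns about; the window is narrower than before but not closed. Also, the commit message refers to WDM_DISCONNECTED while the code tests WDM_DISCONNECTING; the message should use the flag's real name.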
@@ -967,8 +977,6 @@ static void wdm_disconnect(struct usb_in
 	spin_lock_irqsave(&desc->iuspin, flags);
 	set_bit(WDM_DISCONNECTING, &desc->flags);
 	set_bit(WDM_READ, &desc->flags);
-	/* to terminate pending flushes */
-	clear_bit(WDM_IN_USE, &desc->flags);
 	spin_unlock_irqrestore(&desc->iuspin, flags);
 	wake_up_all(&desc->wait);
 	mutex_lock(&desc->rlock);
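Review bot: with `clear_bit(WDM_IN_USE, &desc->flags);` removed, nothing clears WDM_IN_USE after disconnect, which is intentional per the commit message but invisible here; a one-line comment next to `set_bit(WDM_DISCONNECTING, &desc->flags);` saying that flush() now wakes on WDM_DISCONNECTING instead would stop the next reader from re-adding the clear.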



* [PATCH 3.16 58/83] VMCI: Release resource if the work is already queued
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nadav Amit, Francois Rigault, Vishnu DASA,
	Alexios Zavras, Greg Kroah-Hartman, Adit Ranadive, Jorgen Hansen

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nadav Amit <namit@vmware.com>

commit ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 upstream.

Francois reported that VMware balloon gets stuck after a balloon reset,
when the VMCI doorbell is removed. A similar error can occur when the
balloon driver is removed with the following splat:

[ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds.
[ 1088.622035]       Tainted: G        W         5.2.0 #4
[ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1088.622205] modprobe        D    0  3565   1450 0x00000000
[ 1088.622210] Call Trace:
[ 1088.622246]  __schedule+0x2a8/0x690
[ 1088.622248]  schedule+0x2d/0x90
[ 1088.622250]  schedule_timeout+0x1d3/0x2f0
[ 1088.622252]  wait_for_completion+0xba/0x140
[ 1088.622320]  ? wake_up_q+0x80/0x80
[ 1088.622370]  vmci_resource_remove+0xb9/0xc0 [vmw_vmci]
[ 1088.622373]  vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci]
[ 1088.622379]  vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon]
[ 1088.622381]  vmballoon_exit+0x18/0xcc8 [vmw_balloon]
[ 1088.622394]  __x64_sys_delete_module+0x146/0x280
[ 1088.622408]  do_syscall_64+0x5a/0x130
[ 1088.622410]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1088.622415] RIP: 0033:0x7f54f62791b7
[ 1088.622421] Code: Bad RIP value.
[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7
[ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68
[ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000
[ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68
[ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0

The cause for the bug is that when the "delayed" doorbell is invoked, it
takes a reference on the doorbell entry and schedules work that is
supposed to run the appropriate code and drop the doorbell entry
reference. The code ignores the fact that if the work is already queued,
it will not be scheduled to run one more time. As a result one of the
references would not be dropped. When the code waits for the reference
to get to zero, during balloon reset or module removal, it gets stuck.

Fix it. Drop the reference if schedule_work() indicates that the work is
already queued.

Note that this bug got more apparent (or apparent at all) due to
commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status").

Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.")
Reported-by: Francois Rigault <rigault.francois@gmail.com>
Cc: Jorgen Hansen <jhansen@vmware.com>
Cc: Adit Ranadive <aditr@vmware.com>
Cc: Alexios Zavras <alexios.zavras@intel.com>
Cc: Vishnu DASA <vdasa@vmware.com>
Signed-off-by: Nadav Amit <namit@vmware.com>
Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/vmw_vmci/vmci_doorbell.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/misc/vmw_vmci/vmci_doorbell.c
+++ b/drivers/misc/vmw_vmci/vmci_doorbell.c
@@ -318,7 +318,8 @@ int vmci_dbell_host_context_notify(u32 s
 
 	entry = container_of(resource, struct dbell_entry, resource);
 	if (entry->run_delayed) {
-		schedule_work(&entry->work);
+		if (!schedule_work(&entry->work))
+			vmci_resource_put(resource);
 	} else {
 		entry->notify_cb(entry->client_data);
 		vmci_resource_put(resource);
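Review bot: the `if (!schedule_work(&entry->work)) vmci_resource_put(resource);` branch is correct but relies on the reader knowing that a false return from schedule_work() means the already-queued work will drop only its own reference; add a comment stating that, since the matching vmci_resource_get() is outside the hunk (in the lookup that produced `resource`) and the symmetry is easy to break.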
@@ -366,7 +367,8 @@ static void dbell_fire_entries(u32 notif
 		    atomic_read(&dbell->active) == 1) {
 			if (dbell->run_delayed) {
 				vmci_resource_get(&dbell->resource);
-				schedule_work(&dbell->work);
+				if (!schedule_work(&dbell->work))
+					vmci_resource_put(&dbell->resource);
 			} else {
 				dbell->notify_cb(dbell->client_data);
 			}
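Review bot: here the ordering `vmci_resource_get(&dbell->resource);` before `schedule_work()`, with the put only on failure, is required because the work may run immediately on another CPU; a comment pinning that order would help, since a later cleanup that takes the reference only when schedule_work() succeeds would reintroduce a use-after-free.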



* [PATCH 3.16 59/83] mld: fix memory leak in mld_del_delrec()
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, syzbot, Eric Dumazet

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit a84d016479896b5526a2cc54784e6ffc41c9d6f6 upstream.

Similar to the fix done for IPv4 in commit e5b1c6c6277d
("igmp: fix memory leak in igmpv3_del_delrec()"), we need to
make sure mca_tomb and mca_sources are not blindly overwritten.

Using swap() then a call to ip6_mc_clear_src() will take care
of the missing free.

BUG: memory leak
unreferenced object 0xffff888117d9db00 (size 64):
  comm "syz-executor247", pid 6918, jiffies 4294943989 (age 25.350s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 fe 88 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000005b463030>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000005b463030>] slab_post_alloc_hook mm/slab.h:522 [inline]
    [<000000005b463030>] slab_alloc mm/slab.c:3319 [inline]
    [<000000005b463030>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
    [<00000000939cbf94>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000939cbf94>] kzalloc include/linux/slab.h:748 [inline]
    [<00000000939cbf94>] ip6_mc_add1_src net/ipv6/mcast.c:2236 [inline]
    [<00000000939cbf94>] ip6_mc_add_src+0x31f/0x420 net/ipv6/mcast.c:2356
    [<00000000d8972221>] ip6_mc_source+0x4a8/0x600 net/ipv6/mcast.c:449
    [<000000002b203d0d>] do_ipv6_setsockopt.isra.0+0x1b92/0x1dd0 net/ipv6/ipv6_sockglue.c:748
    [<000000001f1e2d54>] ipv6_setsockopt+0x89/0xd0 net/ipv6/ipv6_sockglue.c:944
    [<00000000c8f7bdf9>] udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1558
    [<000000005a9a0c5e>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3139
    [<00000000910b37b2>] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
    [<00000000e9108023>] __do_sys_setsockopt net/socket.c:2100 [inline]
    [<00000000e9108023>] __se_sys_setsockopt net/socket.c:2097 [inline]
    [<00000000e9108023>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2097
    [<00000000f4818160>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
    [<000000008d367e8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/mcast.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -807,12 +807,13 @@ static void mld_del_delrec(struct inet6_
 		im->idev = pmc->idev;
 		im->mca_crcount = idev->mc_qrv;
 		if (im->mca_sfmode == MCAST_INCLUDE) {
-			im->mca_tomb = pmc->mca_tomb;
-			im->mca_sources = pmc->mca_sources;
+			swap(im->mca_tomb, pmc->mca_tomb);
+			swap(im->mca_sources, pmc->mca_sources);
 			for (psf = im->mca_sources; psf; psf = psf->sf_next)
 				psf->sf_crcount = im->mca_crcount;
 		}
 		in6_dev_put(pmc->idev);
+		ip6_mc_clear_src(pmc);
 		kfree(pmc);
 	}
 	spin_unlock_bh(&im->mca_lock);
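Review bot: the fix depends on ordering: `swap(im->mca_tomb, pmc->mca_tomb);` and `swap(im->mca_sources, pmc->mca_sources);` move im's old lists into pmc, and `ip6_mc_clear_src(pmc);` then frees them before `kfree(pmc);`. A comment on the swap lines saying that pmc now owns the lists to be freed would make that intent explicit, since the plain assignment it replaces reads as the obvious form and someone may "simplify" it back.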



* [PATCH 3.16 60/83] ALSA: hda - Fix potential endless loop at applying quirks
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 333f31436d3db19f4286f8862a00ea1d8d8420a1 upstream.

Since the chained quirks via the chained_before flag are applied before the
depth check, it may lead to endless recursive calls when the
chain was set up incorrectly.  Fix it by moving the depth check to
the beginning of the loop.

Fixes: 1f57825077dc ("ALSA: hda - Add chained_before flag to the fixup entry")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/hda_auto_parser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_auto_parser.c
+++ b/sound/pci/hda/hda_auto_parser.c
@@ -787,6 +787,8 @@ static void apply_fixup(struct hda_codec
 	while (id >= 0) {
 		const struct hda_fixup *fix = codec->fixup_list + id;
 
+		if (++depth > 10)
+			break;
 		if (fix->chained_before)
 			apply_fixup(codec, fix->chain_id, action, depth + 1);
 
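Review bot: with `if (++depth > 10)` at the top of the loop and the recursive call still passing `depth + 1`, a chained_before entry consumes two units of depth per level (the increment plus the +1), so the effective limit on that path is about half of the limit on the plain chained path; passing `depth` instead of `depth + 1` after the increment would make the bound uniform. The literal 10 would also read better as a named constant.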
@@ -826,8 +828,6 @@ static void apply_fixup(struct hda_codec
 		}
 		if (!fix->chained || fix->chained_before)
 			break;
-		if (++depth > 10)
-			break;
 		id = fix->chain_id;
 	}
 }
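Review bot: moving the depth check out of this tail means the loop now breaks silently on overflow with no diagnostic; since the commit message says this only happens when a chain is set up incorrectly, a warning (e.g. codec_warn) at the break would make a misconfigured fixup table visible instead of silently truncating it.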



* [PATCH 3.16 61/83] mmc: core: Fix init of SD cards reporting an invalid VDD range
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ulf Hansson, Manuel Presnitz, Philip Langdale

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

commit 72741084d903e65e121c27bd29494d941729d4a1 upstream.

The OCR register defines the supported range of VDD voltages for SD cards.
However, it has turned out that some SD cards report an invalid voltage
range, for example having bit7 set.

When a host supports MMC_CAP2_FULL_PWR_CYCLE and some of the voltages from
the invalid VDD range, this triggers the core to run a power cycle of the
card to try to initialize it at the lowest common supported voltage.
Obviously this fails, since the card can't support it.

Let's fix this problem, by clearing invalid bits from the read OCR register
for SD cards, before proceeding with the VDD voltage negotiation.

Reported-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Philip Langdale <philipl@overt.org>
Tested-by: Philip Langdale <philipl@overt.org>
Tested-by: Manuel Presnitz <mail@mpy.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/sd.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -1242,6 +1242,12 @@ int mmc_attach_sd(struct mmc_host *host)
 			goto err;
 	}
 
+	/*
+	 * Some SD cards claims an out of spec VDD voltage range. Let's treat
+	 * these bits as being in-valid and especially also bit7.
+	 */
+	ocr &= ~0x7FFF;
+
 	rocr = mmc_select_voltage(host, ocr);
 
 	/*
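Review bot: `ocr &= ~0x7FFF;` clears bits 0-14 while the comment only names bit 7; the comment should say that bits 0-14 of the SD OCR are reserved (bit 15, the 2.7-2.8V range, is the lowest valid VDD bit) so the mask does not look arbitrary, and the mask would be clearer as a named macro. The comment text also has grammar slips ("Some SD cards claims", "in-valid") that should be fixed before it lands.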



* [PATCH 3.16 62/83] net: seeq: Fix the function used to release some memory in an error handling path
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Thomas Bogendoerfer, David S. Miller,
	Christophe JAILLET

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 upstream.

In commit 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv"),
a call to 'get_zeroed_page()' has been turned into a call to
'dma_alloc_coherent()'. Only the remove function has been updated to turn
the corresponding 'free_page()' into 'dma_free_attrs()'.
The error handling path of the probe function has not been updated.

Fix it now.

Rename the corresponding label to something more in line.

Fixes: 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/seeq/sgiseeq.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/seeq/sgiseeq.c
+++ b/drivers/net/ethernet/seeq/sgiseeq.c
@@ -792,15 +792,16 @@ static int sgiseeq_probe(struct platform
 		printk(KERN_ERR "Sgiseeq: Cannot register net device, "
 		       "aborting.\n");
 		err = -ENODEV;
-		goto err_out_free_page;
+		goto err_out_free_attrs;
 	}
 
 	printk(KERN_INFO "%s: %s %pM\n", dev->name, sgiseeqstr, dev->dev_addr);
 
 	return 0;
 
-err_out_free_page:
-	free_page((unsigned long) sp->srings);
+err_out_free_attrs:
+	dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings,
+		       sp->srings_dma, DMA_ATTR_NON_CONSISTENT);
 err_out_free_dev:
 	free_netdev(dev);
 
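Review bot: `dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings, sp->srings_dma, DMA_ATTR_NON_CONSISTENT);` must mirror the allocation exactly, and neither the allocation nor this tree's dma_free_attrs() prototype is in the hunk; the backport should confirm that 3.16's sgiseeq_probe() allocates srings with dma_alloc_attrs() using the same size, dma handle and DMA_ATTR_NON_CONSISTENT, and that the 3.16 API accepts the attribute in this form, otherwise the error path now frees with a different allocator than the one used.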



* [PATCH 3.16 63/83] sched/fair: Don't assign runtime for throttled cfs_rq
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, xlpang, shanpeic, Ben Segall,
	Thomas Gleixner, Valentin Schneider, Ingo Molnar, Liangyan,
	Linus Torvalds, Peter Zijlstra (Intel)

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Liangyan <liangyan.peng@linux.alibaba.com>

commit 5e2d2cc2588bd3307ce3937acbc2ed03c830a861 upstream.

do_sched_cfs_period_timer() will refill cfs_b runtime and call
distribute_cfs_runtime to unthrottle cfs_rq, sometimes cfs_b->runtime
will allocate all quota to one cfs_rq incorrectly, then other cfs_rqs
attached to this cfs_b can't get runtime and will be throttled.

We find that one throttled cfs_rq has non-negative
cfs_rq->runtime_remaining and causes an unexpected cast from s64 to u64
in this snippet:

  distribute_cfs_runtime() {
    runtime = -cfs_rq->runtime_remaining + 1;
  }

The runtime here will change to a large number and consume all
cfs_b->runtime in this cfs_b period.

According to Ben Segall, the throttled cfs_rq can have
account_cfs_rq_runtime called on it because it is throttled before
idle_balance, and the idle_balance calls update_rq_clock to add time
that is accounted to the task.

This commit prevents cfs_rq from being assigned new runtime if it has been
throttled, until distribute_cfs_runtime is called.

Signed-off-by: Liangyan <liangyan.peng@linux.alibaba.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
Reviewed-by: Ben Segall <bsegall@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: shanpeic@linux.alibaba.com
Cc: xlpang@linux.alibaba.com
Fixes: d3d9dc330236 ("sched: Throttle entities exceeding their allowed bandwidth")
Link: https://lkml.kernel.org/r/20190826121633.6538-1-liangyan.peng@linux.alibaba.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: Open-code SCHED_WARN_ON().]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3271,6 +3271,8 @@ static void __account_cfs_rq_runtime(str
 	if (likely(cfs_rq->runtime_remaining > 0))
 		return;
 
+	if (cfs_rq->throttled)
+		return;
 	/*
 	 * if we're unable to extend our runtime we resched so that the active
 	 * hierarchy can be throttled
@@ -3450,6 +3452,11 @@ static u64 distribute_cfs_runtime(struct
 		if (!cfs_rq_throttled(cfs_rq))
 			goto next;
 
+		/* By the above check, this should never be true */
+#ifdef CONFIG_SCHED_DEBUG
+		WARN_ON_ONCE(cfs_rq->runtime_remaining > 0);
+#endif
+
 		runtime = -cfs_rq->runtime_remaining + 1;
 		if (runtime > remaining)
 			runtime = remaining;
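Review bot: the WARN_ON_ONCE only reports the condition; `runtime = -cfs_rq->runtime_remaining + 1;` still performs the s64-to-u64 conversion the commit message describes if the warning ever fires. Consider also skipping the entry (`goto next`) when runtime_remaining > 0, so a future regression degrades to a warning rather than consuming the whole period's quota. The `#ifdef CONFIG_SCHED_DEBUG` open-coding of SCHED_WARN_ON() is explained in the backport header and is fine.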



* [PATCH 3.16 64/83] vhost/test: fix build for vhost test
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michael S. Tsirkin, Tiwei Bie, Jason Wang

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tiwei Bie <tiwei.bie@intel.com>

commit 264b563b8675771834419057cbe076c1a41fb666 upstream.

Since vhost_exceeds_weight() was introduced, callers need to specify
the packet weight and byte weight in vhost_dev_init(). Note that the
packet weight isn't counted in this patch to keep the original behavior
unchanged.

Fixes: e82b9b0727ff ("vhost: introduce vhost_exceeds_weight()")
Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
[bwh: Backported to 3.16: vhost_dev_init() still doesn't take an iov_limit
 parameter.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/vhost/test.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/vhost/test.c
+++ b/drivers/vhost/test.c
@@ -23,6 +23,12 @@
  * Using this limit prevents one virtqueue from starving others. */
 #define VHOST_TEST_WEIGHT 0x80000
 
+/* Max number of packets transferred before requeueing the job.
+ * Using this limit prevents one virtqueue from starving others with
+ * pkts.
+ */
+#define VHOST_TEST_PKT_WEIGHT 256
+
 enum {
 	VHOST_TEST_VQ = 0,
 	VHOST_TEST_VQ_MAX = 1,
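Review bot: `#define VHOST_TEST_PKT_WEIGHT 256` is passed to vhost_dev_init() but, per the commit message, the packet count handed to vhost_exceeds_weight() is 0, so this limit never triggers; the comment above the define should say it is a placeholder that keeps the original byte-only behaviour, otherwise a reader will assume packets are being counted.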
@@ -81,10 +87,8 @@ static void handle_vq(struct vhost_test
 		}
 		vhost_add_used_and_signal(&n->dev, vq, head, 0);
 		total_len += len;
-		if (unlikely(total_len >= VHOST_TEST_WEIGHT)) {
-			vhost_poll_queue(&vq->poll);
+		if (unlikely(vhost_exceeds_weight(vq, 0, total_len)))
 			break;
-		}
 	}
 
 	mutex_unlock(&vq->mutex);
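Review bot: replacing `vhost_poll_queue(&vq->poll);` with a bare `break` on `vhost_exceeds_weight(vq, 0, total_len)` assumes the helper requeues the poll itself when the weight is exceeded; that is how upstream's vhost_exceeds_weight() behaves, but the 3.16 backport of e82b9b0727ff should be checked for the same, since losing the requeue would stall the virtqueue instead of yielding it.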
@@ -116,7 +120,8 @@ static int vhost_test_open(struct inode
 	dev = &n->dev;
 	vqs[VHOST_TEST_VQ] = &n->vqs[VHOST_TEST_VQ];
 	n->vqs[VHOST_TEST_VQ].handle_kick = handle_vq_kick;
-	vhost_dev_init(dev, vqs, VHOST_TEST_VQ_MAX);
+	vhost_dev_init(dev, vqs, VHOST_TEST_VQ_MAX,
+		       VHOST_TEST_PKT_WEIGHT, VHOST_TEST_WEIGHT);
 
 	f->private_data = n;
 
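Review bot: the argument order `VHOST_TEST_PKT_WEIGHT, VHOST_TEST_WEIGHT` (packet weight, then byte weight) must match the 3.16 vhost_dev_init() prototype introduced by the e82b9b0727ff backport; the backport note says iov_limit is absent here, so this is the one place the parameter list differs from upstream and is worth double-checking against drivers/vhost/vhost.h.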



* [PATCH 3.16 65/83] sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Marcelo Ricardo Leitner,
	Xin Long, Neil Horman

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit 10eb56c582c557c629271f1ee31e15e7a9b2558b upstream.

Transport should use its own pf_retrans to do the error_count
check, instead of asoc's. Otherwise, it's meaningless to make
pf_retrans per transport.

Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/sm_sideeffect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -505,7 +505,7 @@ static void sctp_do_8_2_transport_strike
 	 */
 	if ((transport->state == SCTP_ACTIVE) &&
 	   (transport->error_count < transport->pathmaxrxt) &&
-	   (transport->error_count > asoc->pf_retrans)) {
+	   (transport->error_count > transport->pf_retrans)) {
 
 		sctp_assoc_control_transport(asoc, transport,
 					     SCTP_TRANSPORT_PF,
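Review bot: the comparison now reads `transport->pf_retrans` instead of `asoc->pf_retrans`, so confirm every transport has pf_retrans initialised from the association default when it is added; a transport left at 0 would enter SCTP_TRANSPORT_PF after the first error, which is a behaviour change relative to the old check.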



* [PATCH 3.16 66/83] genirq: Prevent NULL pointer dereference in resend_irqs()
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 65/83] sctp: use transport pf_retrans in sctp_do_8_2_transport_strike Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 67/83] keys: Fix missing null pointer check in request_key_auth_describe() Ben Hutchings
                   ` (17 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Zhiqiang Liu, Thomas Gleixner, Yunfeng Ye

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yunfeng Ye <yeyunfeng@huawei.com>

commit eddf3e9c7c7e4d0707c68d1bb22cc6ec8aef7d4a upstream.

The following crash was observed:

  Unable to handle kernel NULL pointer dereference at 0000000000000158
  Internal error: Oops: 96000004 [#1] SMP
  pc : resend_irqs+0x68/0xb0
  lr : resend_irqs+0x64/0xb0
  ...
  Call trace:
   resend_irqs+0x68/0xb0
   tasklet_action_common.isra.6+0x84/0x138
   tasklet_action+0x2c/0x38
   __do_softirq+0x120/0x324
   run_ksoftirqd+0x44/0x60
   smpboot_thread_fn+0x1ac/0x1e8
   kthread+0x134/0x138
   ret_from_fork+0x10/0x18

The reason for this is that the interrupt resend mechanism happens in soft
interrupt context, which is an asynchronous mechanism versus other
operations on interrupts. free_irq() does not take resend handling into
account. Thus, the irq descriptor might be already freed before the resend
tasklet is executed. resend_irqs() does not check the return value of the
interrupt descriptor lookup and dereferences the return value
unconditionally.

  1):
  __setup_irq
    irq_startup
      check_irq_resend  // activate softirq to handle resend irq
  2):
  irq_domain_free_irqs
    irq_free_descs
      free_desc
        call_rcu(&desc->rcu, delayed_free_desc)
  3):
  __do_softirq
    tasklet_action
      resend_irqs
        desc = irq_to_desc(irq)
        desc->handle_irq(desc)  // desc is NULL --> Ooops

Fix this by adding a NULL pointer check in resend_irqs() before dereferencing
the irq descriptor.

Fixes: a4633adcdbc1 ("[PATCH] genirq: add genirq sw IRQ-retrigger")
Signed-off-by: Yunfeng Ye <yeyunfeng@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Link: https://lkml.kernel.org/r/1630ae13-5c8e-901e-de09-e740b6a426a7@huawei.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/irq/resend.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/irq/resend.c
+++ b/kernel/irq/resend.c
@@ -37,6 +37,8 @@ static void resend_irqs(unsigned long ar
 		irq = find_first_bit(irqs_resend, nr_irqs);
 		clear_bit(irq, irqs_resend);
 		desc = irq_to_desc(irq);
+		if (!desc)
+			continue;
 		local_irq_disable();
 		desc->handle_irq(irq, desc);
 		local_irq_enable();
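Review bot: the early `continue` is safe as written because `clear_bit(irq, irqs_resend)` runs before the lookup, so a stale bit is consumed rather than left set and re-processed on the next pass; a one-line comment noting that the descriptor can be freed by free_desc() before the resend tasklet runs (the race in the commit message) would make the check self-explaining. Note that `desc->handle_irq(irq, desc)` here keeps the 3.16 two-argument signature rather than the one-argument form in the commit message's trace, which is expected for the backport.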



* [PATCH 3.16 67/83] keys: Fix missing null pointer check in request_key_auth_describe()
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 66/83] genirq: Prevent NULL pointer dereference in resend_irqs() Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 68/83] sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero Ben Hutchings
                   ` (16 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Howells, Linus Torvalds,
	Hillf Danton, Sachin Sant

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hillf Danton <hdanton@sina.com>

commit d41a3effbb53b1bcea41e328d16a4d046a508381 upstream.

If a request_key authentication token key gets revoked, there's a window in
which request_key_auth_describe() can see it with a NULL payload - but it
makes no check for this and something like the following oops may occur:

	BUG: Kernel NULL pointer dereference at 0x00000038
	Faulting instruction address: 0xc0000000004ddf30
	Oops: Kernel access of bad area, sig: 11 [#1]
	...
	NIP [...] request_key_auth_describe+0x90/0xd0
	LR [...] request_key_auth_describe+0x54/0xd0
	Call Trace:
	[...] request_key_auth_describe+0x54/0xd0 (unreliable)
	[...] proc_keys_show+0x308/0x4c0
	[...] seq_read+0x3d0/0x540
	[...] proc_reg_read+0x90/0x110
	[...] __vfs_read+0x3c/0x70
	[...] vfs_read+0xb4/0x1b0
	[...] ksys_read+0x7c/0x130
	[...] system_call+0x5c/0x70

Fix this by checking for a NULL pointer when describing such a key.

Also make the read routine check for a NULL pointer to be on the safe side.

[DH: Modified to not take already-held rcu lock and modified to also check
 in the read routine]

Fixes: 04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key")
Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/keys/request_key_auth.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -58,6 +58,9 @@ static void request_key_auth_describe(co
 {
 	struct request_key_auth *rka = key->payload.data;
 
+	if (!rka)
+		return;
+
 	seq_puts(m, "key:");
 	seq_puts(m, key->description);
 	if (key_is_instantiated(key))
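Review bot: `rka` is read straight from `key->payload.data` with no RCU accessor before the NULL check; the [DH] note in the commit message says the describe path is already called under the RCU read lock, so a short comment at the check saying so would save the next reviewer the same question. Returning silently also means a revoked auth key shows an empty description in /proc/keys, which is the intended behaviour but worth stating in that comment.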
@@ -75,6 +78,9 @@ static long request_key_auth_read(const
 	size_t datalen;
 	long ret;
 
+	if (!rka)
+		return -EKEYREVOKED;
+
 	datalen = rka->callout_len;
 	ret = datalen;
 
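Review bot: returning `-EKEYREVOKED` before `datalen` is touched matches the revocation window described above; the declaration and assignment of `rka` lie outside this hunk, so confirm it is assigned from `key->payload.data` before this point rather than after the new check.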



* [PATCH 3.16 68/83] sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 67/83] keys: Fix missing null pointer check in request_key_auth_describe() Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 69/83] tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR Ben Hutchings
                   ` (15 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+55be5f513bed37fc4367,
	David S. Miller, Terry Lam, Cong Wang,
	syzbot+041483004a7f45f1f20a, Jiri Pirko,
	syzbot+bc6297c11f19ee807dc2, Jamal Hadi Salim

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cong Wang <xiyou.wangcong@gmail.com>

commit d4d6ec6dac07f263f06d847d6f732d6855522845 upstream.

In case TCA_HHF_NON_HH_WEIGHT or TCA_HHF_QUANTUM is zero,
it would make no progress inside the loop in hhf_dequeue(), thus the
kernel would get stuck.

Fix this by checking this corner case in hhf_change().

Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
Reported-by: syzbot+bc6297c11f19ee807dc2@syzkaller.appspotmail.com
Reported-by: syzbot+041483004a7f45f1f20a@syzkaller.appspotmail.com
Reported-by: syzbot+55be5f513bed37fc4367@syzkaller.appspotmail.com
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: Terry Lam <vtlam@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_hhf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -560,7 +560,7 @@ static int hhf_change(struct Qdisc *sch,
 		new_hhf_non_hh_weight = nla_get_u32(tb[TCA_HHF_NON_HH_WEIGHT]);
 
 	non_hh_quantum = (u64)new_quantum * new_hhf_non_hh_weight;
-	if (non_hh_quantum > INT_MAX)
+	if (non_hh_quantum == 0 || non_hh_quantum > INT_MAX)
 		return -EINVAL;
 
 	sch_tree_lock(sch);
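Review bot: testing the product `non_hh_quantum == 0` covers both a zero quantum and a zero weight in one check, since the u64 product of two u32 values cannot overflow to zero, and because the test runs before sch_tree_lock() the qdisc's live values are untouched on rejection. Consider rejecting each attribute separately so userspace can tell which one was refused.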



* [PATCH 3.16 69/83] tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 68/83] sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 70/83] tun: fix use-after-free when register netdev failed Ben Hutchings
                   ` (14 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, Soheil Hassas Yeganeh,
	Neal Cardwell, Yuchung Cheng, David S. Miller

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Neal Cardwell <ncardwell@google.com>

commit af38d07ed391b21f7405fa1f936ca9686787d6d2 upstream.

Fix tcp_ecn_withdraw_cwr() to clear the correct bit:
TCP_ECN_QUEUE_CWR.

Rationale: basically, TCP_ECN_DEMAND_CWR is a bit that is purely about
the behavior of data receivers, and deciding whether to reflect
incoming IP ECN CE marks as outgoing TCP th->ece marks. The
TCP_ECN_QUEUE_CWR bit is purely about the behavior of data senders,
and deciding whether to send CWR. The tcp_ecn_withdraw_cwr() function
is only called from tcp_undo_cwnd_reduction() by data senders during
an undo, so it should zero the sender-side state,
TCP_ECN_QUEUE_CWR. It does not make sense to stop the reflection of
incoming CE bits on incoming data packets just because outgoing
packets were spuriously retransmitted.

The bug has been reproduced with packetdrill to manifest in a scenario
with RFC3168 ECN, with an incoming data packet with CE bit set and
carrying a TCP timestamp value that causes cwnd undo. Before this fix,
the IP CE bit was ignored and not reflected in the TCP ECE header bit,
and sender sent a TCP CWR ('W') bit on the next outgoing data packet,
even though the cwnd reduction had been undone.  After this fix, the
sender properly reflects the CE bit and does not set the W bit.

Note: the bug actually predates 2005 git history; this Fixes footer is
chosen to be the oldest SHA1 I have tested (from Sep 2007) for which
the patch applies cleanly (since before this commit the code was in a
.h file).

Fixes: bdf1ee5d3bd3 ("[TCP]: Move code from tcp_ecn.h to tcp*.c and tcp.h & remove it")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -214,7 +214,7 @@ static inline void TCP_ECN_accept_cwr(st
 
 static inline void TCP_ECN_withdraw_cwr(struct tcp_sock *tp)
 {
-	tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;
+	tp->ecn_flags &= ~TCP_ECN_QUEUE_CWR;
 }
 
 static inline void TCP_ECN_check_ce(struct tcp_sock *tp, const struct sk_buff *skb)
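Review bot: the fix is a one-bit change, so given the commit message's explanation that TCP_ECN_QUEUE_CWR is sender-side state while TCP_ECN_DEMAND_CWR is receiver-side, a short comment above the clear (e.g. `/* cwnd reduction undone: drop the pending CWR, keep reflecting incoming CE */`) would stop the same mix-up recurring. The backport keeps the 3.16 name TCP_ECN_withdraw_cwr rather than the tcp_ecn_withdraw_cwr in the subject, which is expected.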



* [PATCH 3.16 70/83] tun: fix use-after-free when register netdev failed
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 69/83] tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 71/83] ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' Ben Hutchings
                   ` (13 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hulk Robot, Jason Wang, David S. Miller,
	Yang Yingliang

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Yingliang <yangyingliang@huawei.com>

commit 77f22f92dff8e7b45c7786a430626d38071d4670 upstream.

I got a UAF report in the tun driver when doing a fuzzy test:

[  466.269490] ==================================================================
[  466.271792] BUG: KASAN: use-after-free in tun_chr_read_iter+0x2ca/0x2d0
[  466.271806] Read of size 8 at addr ffff888372139250 by task tun-test/2699
[  466.271810]
[  466.271824] CPU: 1 PID: 2699 Comm: tun-test Not tainted 5.3.0-rc1-00001-g5a9433db2614-dirty #427
[  466.271833] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[  466.271838] Call Trace:
[  466.271858]  dump_stack+0xca/0x13e
[  466.271871]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271890]  print_address_description+0x79/0x440
[  466.271906]  ? vprintk_func+0x5e/0xf0
[  466.271920]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271935]  __kasan_report+0x15c/0x1df
[  466.271958]  ? tun_chr_read_iter+0x2ca/0x2d0
[  466.271976]  kasan_report+0xe/0x20
[  466.271987]  tun_chr_read_iter+0x2ca/0x2d0
[  466.272013]  do_iter_readv_writev+0x4b7/0x740
[  466.272032]  ? default_llseek+0x2d0/0x2d0
[  466.272072]  do_iter_read+0x1c5/0x5e0
[  466.272110]  vfs_readv+0x108/0x180
[  466.299007]  ? compat_rw_copy_check_uvector+0x440/0x440
[  466.299020]  ? fsnotify+0x888/0xd50
[  466.299040]  ? __fsnotify_parent+0xd0/0x350
[  466.299064]  ? fsnotify_first_mark+0x1e0/0x1e0
[  466.304548]  ? vfs_write+0x264/0x510
[  466.304569]  ? ksys_write+0x101/0x210
[  466.304591]  ? do_preadv+0x116/0x1a0
[  466.304609]  do_preadv+0x116/0x1a0
[  466.309829]  do_syscall_64+0xc8/0x600
[  466.309849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.323057]
[  466.323064] Allocated by task 2605:
[  466.335165]  save_stack+0x19/0x80
[  466.336240]  __kasan_kmalloc.constprop.8+0xa0/0xd0
[  466.337755]  kmem_cache_alloc+0xe8/0x320
[  466.339050]  getname_flags+0xca/0x560
[  466.340229]  user_path_at_empty+0x2c/0x50
[  466.341508]  vfs_statx+0xe6/0x190
[  466.342619]  __do_sys_newstat+0x81/0x100
[  466.343908]  do_syscall_64+0xc8/0x600
[  466.345303]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.347034]
[  466.347517] Freed by task 2605:
[  466.348471]  save_stack+0x19/0x80
[  466.349476]  __kasan_slab_free+0x12e/0x180
[  466.350726]  kmem_cache_free+0xc8/0x430
[  466.351874]  putname+0xe2/0x120
[  466.352921]  filename_lookup+0x257/0x3e0
[  466.354319]  vfs_statx+0xe6/0x190
[  466.355498]  __do_sys_newstat+0x81/0x100
[  466.356889]  do_syscall_64+0xc8/0x600
[  466.358037]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  466.359567]
[  466.360050] The buggy address belongs to the object at ffff888372139100
[  466.360050]  which belongs to the cache names_cache of size 4096
[  466.363735] The buggy address is located 336 bytes inside of
[  466.363735]  4096-byte region [ffff888372139100, ffff88837213a100)
[  466.394667] ==================================================================

tun_chr_read_iter() accessed the memory which was freed by free_netdev()
called by tun_set_iff():

        CPUA                                           CPUB
  tun_set_iff()
    alloc_netdev_mqs()
    tun_attach()
                                                  tun_chr_read_iter()
                                                    tun_get()
                                                    tun_do_read()
                                                      tun_ring_recv()
    register_netdevice() <-- inject error
    goto err_detach
    tun_detach_all() <-- set RCV_SHUTDOWN
    free_netdev() <-- called from
                     err_free_dev path
      netdev_freemem() <-- free the memory
                        without check refcount
      (In this path, the refcount cannot prevent
       freeing the memory of dev, and the memory
       will be used by dev_put() called by
       tun_chr_read_iter() on CPUB.)
                                                     (Break from tun_ring_recv(),
                                                     because RCV_SHUTDOWN is set)
                                                   tun_put()
                                                     dev_put() <-- use the memory
                                                                   freed by netdev_freemem()

Put the publishing of tfile->tun after register_netdevice(),
so tun_get() won't get the tun pointer that was freed by the
err_detach path if register_netdevice() failed.

Fixes: eb0fb363f920 ("tuntap: attach queue 0 before registering netdevice")
Reported-by: Hulk Robot <hulkci@huawei.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/tun.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -528,7 +528,8 @@ static void tun_detach_all(struct net_de
 		module_put(THIS_MODULE);
 }
 
-static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filter)
+static int tun_attach(struct tun_struct *tun, struct file *file,
+		      bool skip_filter, bool publish_tun)
 {
 	struct tun_file *tfile = file->private_data;
 	int err;
@@ -561,7 +562,8 @@ static int tun_attach(struct tun_struct
 	}
 	tfile->queue_index = tun->numqueues;
 	tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
-	rcu_assign_pointer(tfile->tun, tun);
+	if (publish_tun)
+		rcu_assign_pointer(tfile->tun, tun);
 	rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
 	tun->numqueues++;
 
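Review bot: with `publish_tun == false`, `tfile` is still stored in `tun->tfiles[]` and `tun->numqueues` is incremented while `tfile->tun` stays NULL, so until the later `rcu_assign_pointer(tfile->tun, tun)` the two sides of the attachment disagree; confirm that tun_detach_all() on the err_detach path and every reader of tfile->tun tolerate this half-attached state.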
@@ -1599,7 +1601,8 @@ static int tun_set_iff(struct net *net,
 		if (err < 0)
 			return err;
 
-		err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER);
+		err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER,
+				 true);
 		if (err < 0)
 			return err;
 
@@ -1678,13 +1681,17 @@ static int tun_set_iff(struct net *net,
 				       NETIF_F_HW_VLAN_STAG_TX);
 
 		INIT_LIST_HEAD(&tun->disabled);
-		err = tun_attach(tun, file, false);
+		err = tun_attach(tun, file, false, false);
 		if (err < 0)
 			goto err_free_flow;
 
 		err = register_netdevice(tun->dev);
 		if (err < 0)
 			goto err_detach;
+		/* free_netdev() won't check refcnt, to aovid race
+		 * with dev_put() we need publish tun after registration.
+		 */
+		rcu_assign_pointer(tfile->tun, tun);
 
 		if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) ||
 		    device_create_file(&tun->dev->dev, &dev_attr_owner) ||
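Review bot: typo in the new comment, `aovid` should be `avoid`, and "we need publish tun" reads better as "we need to publish tun". Also, once `rcu_assign_pointer(tfile->tun, tun)` runs after register_netdevice(), a failure in the device_create_file() calls below that reaches err_detach will find tfile->tun published, so that teardown must handle the pointer being set, unlike the register_netdevice() failure just above it.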
@@ -1848,7 +1855,7 @@ static int tun_set_queue(struct file *fi
 		ret = security_tun_dev_attach_queue(tun->security);
 		if (ret < 0)
 			goto unlock;
-		ret = tun_attach(tun, file, false);
+		ret = tun_attach(tun, file, false, true);
 	} else if (ifr->ifr_flags & IFF_DETACH_QUEUE) {
 		tun = rtnl_dereference(tfile->tun);
 		if (!tun || !(tun->flags & TUN_TAP_MQ) || tfile->detached)



* [PATCH 3.16 71/83] ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 70/83] tun: fix use-after-free when register netdev failed Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 72/83] net: Fix null de-reference of device refcount Ben Hutchings
                   ` (12 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Christophe JAILLET

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit d23dbc479a8e813db4161a695d67da0e36557846 upstream.

The '.exit' functions from 'pernet_operations' structure should be marked
as __net_exit, not __net_init.

Fixes: d862e5461423 ("net: ipv6: Implement /proc/net/icmp6.")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/ping.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -230,7 +230,7 @@ static int __net_init ping_v6_proc_init_
 	return ping_proc_register(net, &ping_v6_seq_afinfo);
 }
 
-static void __net_init ping_v6_proc_exit_net(struct net *net)
+static void __net_exit ping_v6_proc_exit_net(struct net *net)
 {
 	return ping_proc_unregister(net, &ping_v6_seq_afinfo);
 }
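Review bot: the `__net_exit` annotation now matches the `__net_init` on the paired init function visible in the hunk header, which is the whole fix; unrelated but visible, `return ping_proc_unregister(...)` in a void function returns a void expression, which gcc accepts but is worth reducing to a plain call in a follow-up.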



* [PATCH 3.16 72/83] net: Fix null de-reference of device refcount
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 71/83] ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 73/83] sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' Ben Hutchings
                   ` (11 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Subash Abhinov Kasiviswanathan,
	Sean Tranchetti, David S. Miller

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

commit 10cc514f451a0f239aa34f91bc9dc954a9397840 upstream.

In event of failure during register_netdevice, free_netdev is
invoked immediately. free_netdev assumes that all the netdevice
refcounts have been dropped prior to it being called and as a
result frees and clears out the refcount pointer.

However, this is not necessarily true as some of the operations
in the NETDEV_UNREGISTER notifier handlers queue RCU callbacks for
invocation after a grace period. The IPv4 callback in_dev_rcu_put
tries to access the refcount after free_netdev is called which
leads to a null de-reference-

44837.761523:   <6> Unable to handle kernel paging request at
                    virtual address 0000004a88287000
44837.761651:   <2> pc : in_dev_finish_destroy+0x4c/0xc8
44837.761654:   <2> lr : in_dev_finish_destroy+0x2c/0xc8
44837.762393:   <2> Call trace:
44837.762398:   <2>  in_dev_finish_destroy+0x4c/0xc8
44837.762404:   <2>  in_dev_rcu_put+0x24/0x30
44837.762412:   <2>  rcu_nocb_kthread+0x43c/0x468
44837.762418:   <2>  kthread+0x118/0x128
44837.762424:   <2>  ret_from_fork+0x10/0x1c

Fix this by waiting for the completion of the call_rcu() in
case of register_netdevice errors.

Fixes: 93ee31f14f6f ("[NET]: Fix free_netdev on register_netdev failure.")
Cc: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/core/dev.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6278,6 +6278,8 @@ int register_netdevice(struct net_device
 	ret = notifier_to_errno(ret);
 	if (ret) {
 		rollback_registered(dev);
+		rcu_barrier();
+
 		dev->reg_state = NETREG_UNREGISTERED;
 	}
 	/*
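Review bot: `rcu_barrier()` waits for every pending RCU callback system-wide while register_netdevice() holds the RTNL lock, which can be slow; that is acceptable on this notifier-failure path only, so a one-line comment saying it lets NETDEV_UNREGISTER callbacks such as in_dev_rcu_put finish before the caller's free_netdev() would document why it is here. The added empty `+` line after the call can be dropped.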



* [PATCH 3.16 73/83] sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 72/83] net: Fix null de-reference of device refcount Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 74/83] KVM: nVMX: handle page fault in vmread Ben Hutchings
                   ` (10 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Christophe JAILLET,
	Marcelo Ricardo Leitner

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit b456d72412ca8797234449c25815e82f4e1426c0 upstream.

The '.exit' functions from 'pernet_operations' structure should be marked
as __net_exit, not __net_init.

Fixes: 8e2d61e0aed2 ("sctp: fix race on protocol/netns initialization")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sctp/protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -1314,7 +1314,7 @@ static int __net_init sctp_ctrlsock_init
 	return status;
 }
 
-static void __net_init sctp_ctrlsock_exit(struct net *net)
+static void __net_exit sctp_ctrlsock_exit(struct net *net)
 {
 	/* Free the control endpoint.  */
 	inet_ctl_sock_destroy(net->sctp.ctl_sock);



* [PATCH 3.16 74/83] KVM: nVMX: handle page fault in vmread
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 73/83] sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 75/83] KVM: x86: work around leak of uninitialized stack contents Ben Hutchings
                   ` (9 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paolo Bonzini

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit f7eea636c3d505fe6f1d1066234f1aaf7171b681 upstream.

The implementation of vmread to memory is still incomplete, as it
lacks the ability to do vmread to I/O memory just like vmptrst.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/vmx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6426,6 +6426,7 @@ static int handle_vmread(struct kvm_vcpu
 	unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION);
 	u32 vmx_instruction_info = vmcs_read32(VMX_INSTRUCTION_INFO);
 	gva_t gva = 0;
+	struct x86_exception e;
 
 	if (!nested_vmx_check_permission(vcpu) ||
 	    !nested_vmx_check_vmcs12(vcpu))
@@ -6452,8 +6453,10 @@ static int handle_vmread(struct kvm_vcpu
 				vmx_instruction_info, &gva))
 			return 1;
 		/* _system ok, as nested_vmx_check_permission verified cpl=0 */
-		kvm_write_guest_virt_system(vcpu, gva, &field_value,
-					    (is_long_mode(vcpu) ? 8 : 4), NULL);
+		if (kvm_write_guest_virt_system(vcpu, gva, &field_value,
+						(is_long_mode(vcpu) ? 8 : 4),
+						&e))
+			kvm_inject_page_fault(vcpu, &e);
 	}
 
 	nested_vmx_succeed(vcpu);
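Review bot: after `kvm_inject_page_fault(vcpu, &e)` the code falls through to `nested_vmx_succeed(vcpu)` on the next context line, so the guest receives a #PF and a VMsucceed indication for the same instruction; a `return 1;` after the injection would let the faulting vmread be re-executed once the guest handles the fault. The `exception` argument replacing the old NULL is what makes the error detectable at all, which ties in with the memset added in the following patch.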



* [PATCH 3.16 75/83] KVM: x86: work around leak of uninitialized stack contents
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 74/83] KVM: nVMX: handle page fault in vmread Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 76/83] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 Ben Hutchings
                   ` (8 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Fuqian Huang, Paolo Bonzini

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fuqian Huang <huangfq.daxian@gmail.com>

commit 541ab2aeb28251bf7135c7961f3a6080eebcc705 upstream.

Emulation of VMPTRST can incorrectly inject a page fault
when passed an operand that points to an MMIO address.
The page fault will use uninitialized kernel stack memory
as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just ensure
that the error code and CR2 are zero.

Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
[add comment]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4329,6 +4329,13 @@ static int emulator_write_std(struct x86
 int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,
 				unsigned int bytes, struct x86_exception *exception)
 {
+	/*
+	 * FIXME: this should call handle_emulation_failure if X86EMUL_IO_NEEDED
+	 * is returned, but our callers are not ready for that and they blindly
+	 * call kvm_inject_page_fault.  Ensure that they at least do not leak
+	 * uninitialized kernel stack memory into cr2 and error code.
+	 */
+	memset(exception, 0, sizeof(*exception));
 	return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
 					   PFERR_WRITE_MASK, exception);
 }
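Review bot: the memset() is the only thing that turns the on-stack `struct x86_exception` into a defined value, so it has to precede every path inside kvm_write_guest_virt_helper() that can return X86EMUL_IO_NEEDED without filling the struct; placing it as the first statement, as done here, achieves that. Per the FIXME the callers still blindly call kvm_inject_page_fault(), so the net effect is that a guest pointing VMPTRST at MMIO now gets a #PF with cr2 = 0 and error_code = 0 instead of leftover kernel stack bytes; that is an information-leak mitigation, not a correctness fix, and the comment should keep saying so explicitly so the FIXME is not dropped later. Worth checking whether any sibling read-side helper in this file has the same caller contract and needs the same zeroing.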



* [PATCH 3.16 76/83] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 75/83] KVM: x86: work around leak of uninitialized stack contents Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 77/83] alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP Ben Hutchings
                   ` (7 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vidya Sagar, Thierry Reding, Lorenzo Pieralisi

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vidya Sagar <vidyas@nvidia.com>

commit 7be142caabc4780b13a522c485abc806de5c4114 upstream.

The PCI Tegra controller conversion to a device tree configurable
driver in commit d1523b52bff3 ("PCI: tegra: Move PCIe driver
to drivers/pci/host") implied that code for the driver can be
compiled in for a kernel supporting multiple platforms.

Unfortunately, a blind move of the code did not check that some of the
quirks that were applied in arch/arm (e.g. enabling Relaxed Ordering on
all PCI devices, since the quirk hook erroneously matches PCI_ANY_ID
for both Vendor-ID and Device-ID) are now applied in all kernels that
compile the PCI Tegra controller driver, DT and ACPI alike.

This is completely wrong, in that enablement of Relaxed Ordering is only
required by default in Tegra20 platforms as described in the Tegra20
Technical Reference Manual (available at
https://developer.nvidia.com/embedded/downloads#?search=tegra%202 in
Section 34.1, where it is mentioned that the Relaxed Ordering bit needs to
be enabled in its root ports to avoid deadlock in hardware) and in the
Tegra30 platforms for the same reasons (unfortunately not documented
in the TRM).

There is no other strict requirement on Relaxed Ordering enablement for
PCI devices on any other Tegra platforms or PCI host bridge driver.

Fix this quite upsetting situation by limiting the vendor and device IDs
to which the Relaxed Ordering quirk applies to the root ports in
question, reported above.

Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
[lorenzo.pieralisi@arm.com: completely rewrote the commit log/fixes tag]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/host/pci-tegra.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/pci/host/pci-tegra.c
+++ b/drivers/pci/host/pci-tegra.c
@@ -615,12 +615,15 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_NV
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_NVIDIA, 0x0e1c, tegra_pcie_fixup_class);
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_NVIDIA, 0x0e1d, tegra_pcie_fixup_class);
 
-/* Tegra PCIE requires relaxed ordering */
+/* Tegra20 and Tegra30 PCIE requires relaxed ordering */
 static void tegra_pcie_relax_enable(struct pci_dev *dev)
 {
 	pcie_capability_set_word(dev, PCI_EXP_DEVCTL, PCI_EXP_DEVCTL_RELAX_EN);
 }
-DECLARE_PCI_FIXUP_FINAL(PCI_ANY_ID, PCI_ANY_ID, tegra_pcie_relax_enable);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NVIDIA, 0x0bf0, tegra_pcie_relax_enable);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NVIDIA, 0x0bf1, tegra_pcie_relax_enable);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NVIDIA, 0x0e1c, tegra_pcie_relax_enable);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NVIDIA, 0x0e1d, tegra_pcie_relax_enable);
 
 static int tegra_pcie_setup(int nr, struct pci_sys_data *sys)
 {
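Review bot: the four device IDs (0x0bf0, 0x0bf1, 0x0e1c, 0x0e1d) are the same NVIDIA IDs already used by the tegra_pcie_fixup_class early fixups in the context above, so the relaxed-ordering fixup now matches only those root ports instead of PCI_ANY_ID/PCI_ANY_ID; with the old match, any multi-platform kernel that built this driver set PCI_EXP_DEVCTL_RELAX_EN on every PCIe device on every platform, which is the scope bug the commit message describes. Style nit: the new comment should read "Tegra20 and Tegra30 PCIE require relaxed ordering", and since the message says only those two SoCs need it, a comment noting which ID belongs to which SoC would help the next reader.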



* [PATCH 3.16 77/83] alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 76/83] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 78/83] cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic Ben Hutchings
                   ` (6 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Petr Vorel, Thadeu Lima de Souza Cascardo,
	Thomas Gleixner

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit f18ddc13af981ce3c7b7f26925f099e7c6929aba upstream.

ENOTSUPP is not supposed to be returned to userspace. This was found on an
OpenPower machine, where the RTC does not support set_alarm.

On that system, a clock_nanosleep(CLOCK_REALTIME_ALARM, ...) results in
"524 Unknown error 524"

Replace it with EOPNOTSUPP which results in the expected "95 Operation not
supported" error.

Fixes: 1c6b39ad3f01 (alarmtimers: Return -ENOTSUPP if no RTC device is present)
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190903171802.28314-1-cascardo@canonical.com
[ pvorel: backport for v3.16, changes also in alarm_timer_{del,set}(), which
were removed in f2c45807d3992fe0f173f34af9c347d907c31686 in v4.13-rc1 ]
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/time/alarmtimer.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -533,7 +533,7 @@ static int alarm_timer_create(struct k_i
 	struct alarm_base *base;
 
 	if (!alarmtimer_get_rtcdev())
-		return -ENOTSUPP;
+		return -EOPNOTSUPP;
 
 	if (!capable(CAP_WAKE_ALARM))
 		return -EPERM;
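Review bot: returning -EOPNOTSUPP (95) is correct here since ENOTSUPP (524) is a kernel-internal value with no strerror() text, which is the "Unknown error 524" the commit message quotes; the RTC check runs before the capable(CAP_WAKE_ALARM) test, so an unprivileged caller on an RTC-less system now sees "Operation not supported" rather than EPERM, and the backport keeps that ordering. The backport note says alarm_timer_del() and alarm_timer_set() were converted as well; all four return sites in this file use the same constant, so no userspace path can still observe 524 from alarmtimer.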
@@ -576,7 +576,7 @@ static void alarm_timer_get(struct k_iti
 static int alarm_timer_del(struct k_itimer *timr)
 {
 	if (!rtcdev)
-		return -ENOTSUPP;
+		return -EOPNOTSUPP;
 
 	if (alarm_try_to_cancel(&timr->it.alarm.alarmtimer) < 0)
 		return TIMER_RETRY;
@@ -600,7 +600,7 @@ static int alarm_timer_set(struct k_itim
 	ktime_t exp;
 
 	if (!rtcdev)
-		return -ENOTSUPP;
+		return -EOPNOTSUPP;
 
 	if (flags & ~TIMER_ABSTIME)
 		return -EINVAL;
@@ -761,7 +761,7 @@ static int alarm_timer_nsleep(const cloc
 	struct restart_block *restart;
 
 	if (!alarmtimer_get_rtcdev())
-		return -ENOTSUPP;
+		return -EOPNOTSUPP;
 
 	if (flags & ~TIMER_ABSTIME)
 		return -EINVAL;



* [PATCH 3.16 78/83] cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 77/83] alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 79/83] CIFS: Fix use after free of file info structures Ben Hutchings
                   ` (5 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dave Wysochanski, Ronnie Sahlberg,
	Pavel Shilovskiy, Steve French

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Wysochanski <dwysocha@redhat.com>

commit cb248819d209d113e45fed459773991518e8e80b upstream.

Commit 487317c99477 ("cifs: add spinlock for the openFileList to
cifsInodeInfo") added cifsInodeInfo->open_file_lock spin_lock to protect
the openFileList, but missed a few places where cifs_inode->openFileList
was enumerated.  Change these remaining tcon->open_file_lock to
cifsInodeInfo->open_file_lock to avoid panic in is_size_safe_to_change.

[17313.245641] RIP: 0010:is_size_safe_to_change+0x57/0xb0 [cifs]
[17313.245645] Code: 68 40 48 89 ef e8 19 67 b7 f1 48 8b 43 40 48 8d 4b 40 48 8d 50 f0 48 39 c1 75 0f eb 47 48 8b 42 10 48 8d 50 f0 48 39 c1 74 3a <8b> 80 88 00 00 00 83 c0 01 a8 02 74 e6 48 89 ef c6 07 00 0f 1f 40
[17313.245649] RSP: 0018:ffff94ae1baefa30 EFLAGS: 00010202
[17313.245654] RAX: dead000000000100 RBX: ffff88dc72243300 RCX: ffff88dc72243340
[17313.245657] RDX: dead0000000000f0 RSI: 00000000098f7940 RDI: ffff88dd3102f040
[17313.245659] RBP: ffff88dd3102f040 R08: 0000000000000000 R09: ffff94ae1baefc40
[17313.245661] R10: ffffcdc8bb1c4e80 R11: ffffcdc8b50adb08 R12: 00000000098f7940
[17313.245663] R13: ffff88dc72243300 R14: ffff88dbc8f19600 R15: ffff88dc72243428
[17313.245667] FS:  00007fb145485700(0000) GS:ffff88dd3e000000(0000) knlGS:0000000000000000
[17313.245670] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17313.245672] CR2: 0000026bb46c6000 CR3: 0000004edb110003 CR4: 00000000007606e0
[17313.245753] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[17313.245756] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[17313.245759] PKRU: 55555554
[17313.245761] Call Trace:
[17313.245803]  cifs_fattr_to_inode+0x16b/0x580 [cifs]
[17313.245838]  cifs_get_inode_info+0x35c/0xa60 [cifs]
[17313.245852]  ? kmem_cache_alloc_trace+0x151/0x1d0
[17313.245885]  cifs_open+0x38f/0x990 [cifs]
[17313.245921]  ? cifs_revalidate_dentry_attr+0x3e/0x350 [cifs]
[17313.245953]  ? cifsFileInfo_get+0x30/0x30 [cifs]
[17313.245960]  ? do_dentry_open+0x132/0x330
[17313.245963]  do_dentry_open+0x132/0x330
[17313.245969]  path_openat+0x573/0x14d0
[17313.245974]  do_filp_open+0x93/0x100
[17313.245979]  ? __check_object_size+0xa3/0x181
[17313.245986]  ? audit_alloc_name+0x7e/0xd0
[17313.245992]  do_sys_open+0x184/0x220
[17313.245999]  do_syscall_64+0x5b/0x1b0

Fixes: 487317c99477 ("cifs: add spinlock for the openFileList to cifsInodeInfo")

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Pavel Shilovskiy <pshilov@microsoft.com>
---
 fs/cifs/file.c | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1756,13 +1756,12 @@ struct cifsFileInfo *find_readable_file(
 {
 	struct cifsFileInfo *open_file = NULL;
 	struct cifs_sb_info *cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb);
-	struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
 
 	/* only filter by fsuid on multiuser mounts */
 	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER))
 		fsuid_only = false;
 
-	spin_lock(&tcon->open_file_lock);
+	spin_lock(&cifs_inode->open_file_lock);
 	/* we could simply get the first_list_entry since write-only entries
 	   are always at the end of the list but since the first entry might
 	   have a close pending, we go through the whole list */
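Review bot: switching to cifs_inode->open_file_lock is the right lock for this loop because the list being walked is cifs_inode->openFileList, which commit 487317c99477 placed under the per-inode lock; but with the tcon lock dropped here, find_readable_file() no longer excludes _cifsFileInfo_put(), which (as the next patch in this series, 79/83, explains) decrements the count while holding only tcon->open_file_lock, so a lookup can still take a reference on a file info that is about to be freed. This hunk and 79/83 should therefore be applied together rather than this one alone.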
@@ -1774,7 +1773,7 @@ struct cifsFileInfo *find_readable_file(
 				/* found a good file */
 				/* lock it so it will not be closed on us */
 				cifsFileInfo_get(open_file);
-				spin_unlock(&tcon->open_file_lock);
+				spin_unlock(&cifs_inode->open_file_lock);
 				return open_file;
 			} /* else might as well continue, and look for
 			     another, or simply have the caller reopen it
@@ -1782,7 +1781,7 @@ struct cifsFileInfo *find_readable_file(
 		} else /* write only file */
 			break; /* write only files are last so must be done */
 	}
-	spin_unlock(&tcon->open_file_lock);
+	spin_unlock(&cifs_inode->open_file_lock);
 	return NULL;
 }
 
@@ -1791,7 +1790,6 @@ struct cifsFileInfo *find_writable_file(
 {
 	struct cifsFileInfo *open_file, *inv_file = NULL;
 	struct cifs_sb_info *cifs_sb;
-	struct cifs_tcon *tcon;
 	bool any_available = false;
 	int rc;
 	unsigned int refind = 0;
@@ -1807,16 +1805,15 @@ struct cifsFileInfo *find_writable_file(
 	}
 
 	cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb);
-	tcon = cifs_sb_master_tcon(cifs_sb);
 
 	/* only filter by fsuid on multiuser mounts */
 	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER))
 		fsuid_only = false;
 
-	spin_lock(&tcon->open_file_lock);
+	spin_lock(&cifs_inode->open_file_lock);
 refind_writable:
 	if (refind > MAX_REOPEN_ATT) {
-		spin_unlock(&tcon->open_file_lock);
+		spin_unlock(&cifs_inode->open_file_lock);
 		return NULL;
 	}
 	list_for_each_entry(open_file, &cifs_inode->openFileList, flist) {
@@ -1828,7 +1825,7 @@ refind_writable:
 			if (!open_file->invalidHandle) {
 				/* found a good writable file */
 				cifsFileInfo_get(open_file);
-				spin_unlock(&tcon->open_file_lock);
+				spin_unlock(&cifs_inode->open_file_lock);
 				return open_file;
 			} else {
 				if (!inv_file)
@@ -1847,7 +1844,7 @@ refind_writable:
 		cifsFileInfo_get(inv_file);
 	}
 
-	spin_unlock(&tcon->open_file_lock);
+	spin_unlock(&cifs_inode->open_file_lock);
 
 	if (inv_file) {
 		rc = cifs_reopen_file(inv_file, false);
@@ -1861,7 +1858,7 @@ refind_writable:
 			cifsFileInfo_put(inv_file);
 			++refind;
 			inv_file = NULL;
-			spin_lock(&tcon->open_file_lock);
+			spin_lock(&cifs_inode->open_file_lock);
 			goto refind_writable;
 		}
 	}
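Review bot: the retry path in the `inv_file` branch re-acquires cifs_inode->open_file_lock before `goto refind_writable`, matching the lock the loop after the label now expects, so the lock is held on every entry to the loop; cifs_reopen_file() is called with the lock dropped, and the `refind > MAX_REOPEN_ATT` check in the earlier hunk is the only bound on repeated reopen attempts, which the context shows is already in place.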
@@ -3508,17 +3505,15 @@ static int cifs_readpage(struct file *fi
 static int is_inode_writable(struct cifsInodeInfo *cifs_inode)
 {
 	struct cifsFileInfo *open_file;
-	struct cifs_tcon *tcon =
-		cifs_sb_master_tcon(CIFS_SB(cifs_inode->vfs_inode.i_sb));
 
-	spin_lock(&tcon->open_file_lock);
+	spin_lock(&cifs_inode->open_file_lock);
 	list_for_each_entry(open_file, &cifs_inode->openFileList, flist) {
 		if (OPEN_FMODE(open_file->f_flags) & FMODE_WRITE) {
-			spin_unlock(&tcon->open_file_lock);
+			spin_unlock(&cifs_inode->open_file_lock);
 			return 1;
 		}
 	}
-	spin_unlock(&tcon->open_file_lock);
+	spin_unlock(&cifs_inode->open_file_lock);
 	return 0;
 }
 



* [PATCH 3.16 79/83] CIFS: Fix use after free of file info structures
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 78/83] cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 80/83] md/raid: raid5 preserve the writeback action after the parity check Ben Hutchings
                   ` (4 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ronnie Sahlberg, Steve French, Pavel Shilovsky

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit 1a67c415965752879e2e9fad407bc44fc7f25f23 upstream.

Currently the code assumes that if a file info entry belongs
to the lists of open file handles of an inode and a tcon then
it has a non-zero reference count. The recent changes broke that
assumption when putting the last reference of the file info.
There may be a situation where a file is being deleted but
nothing prevents another thread from referencing it again
and starting to use it. This happens because we do not hold
the inode list lock while checking the number of references
of the file info structure. Fix this by doing the proper
locking when doing the check.

Fixes: 487317c99477d ("cifs: add spinlock for the openFileList to cifsInodeInfo")
Fixes: cb248819d209d ("cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic")
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/file.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -398,10 +398,11 @@ void _cifsFileInfo_put(struct cifsFileIn
 	bool oplock_break_cancelled;
 
 	spin_lock(&tcon->open_file_lock);
-
+	spin_lock(&cifsi->open_file_lock);
 	spin_lock(&cifs_file->file_info_lock);
 	if (--cifs_file->count > 0) {
 		spin_unlock(&cifs_file->file_info_lock);
+		spin_unlock(&cifsi->open_file_lock);
 		spin_unlock(&tcon->open_file_lock);
 		return;
 	}
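Review bot: the lock order established here is tcon->open_file_lock, then cifsi->open_file_lock, then cifs_file->file_info_lock, and the early-return path releases them in exact reverse order; every other site that nests these list locks must use the same outer/inner order or it deadlocks, so that order deserves a one-line comment at the spin_lock() site. Holding cifsi->open_file_lock across `--cifs_file->count` is the actual fix: a concurrent find_readable_file()/find_writable_file() can no longer observe the entry on openFileList after its count has already dropped to zero.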
@@ -414,9 +415,7 @@ void _cifsFileInfo_put(struct cifsFileIn
 	cifs_add_pending_open_locked(&fid, cifs_file->tlink, &open);
 
 	/* remove it from the lists */
-	spin_lock(&cifsi->open_file_lock);
 	list_del(&cifs_file->flist);
-	spin_unlock(&cifsi->open_file_lock);
 	list_del(&cifs_file->tlist);
 
 	if (list_empty(&cifsi->openFileList)) {
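Review bot: the local lock/unlock pair around list_del(&cifs_file->flist) goes away because the lock is now held from the top of the function; with both list_del() calls in the same critical section as the refcount drop, the invariant the commit message states (on a list implies count > 0) holds for the inode list and the tcon list alike, and the list_empty() check on openFileList that follows is also now done under the inode lock.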
@@ -432,6 +431,7 @@ void _cifsFileInfo_put(struct cifsFileIn
 		cifs_set_oplock_level(cifsi, 0);
 	}
 
+	spin_unlock(&cifsi->open_file_lock);
 	spin_unlock(&tcon->open_file_lock);
 
 	oplock_break_cancelled = wait_oplock_handler ?



* [PATCH 3.16 80/83] md/raid: raid5 preserve the writeback action after the parity check
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 79/83] CIFS: Fix use after free of file info structures Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 81/83] btrfs: partially apply b8b93addde Ben Hutchings
                   ` (3 subsequent siblings)
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dan Williams, Song Liu, Nigel Croxon

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nigel Croxon <ncroxon@redhat.com>

commit b2176a1dfb518d870ee073445d27055fea64dfb8 upstream.

The problem is that any 'uptodate' vs 'disks' check is not precise
in this path. Put a "WARN_ON(!test_bit(R5_UPTODATE, &dev->flags)" on the
device that might try to kick off writes and then skip the action.
Better to prevent the raid driver from taking unexpected action *and* keep
the system alive vs killing the machine with BUG_ON.

Note: fixed warning reported by kbuild test robot <lkp@intel.com>

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/md/raid5.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -3385,7 +3385,7 @@ static void handle_parity_checks6(struct
 		/* now write out any block on a failed drive,
 		 * or P or Q if they were recomputed
 		 */
-		BUG_ON(s->uptodate < disks - 1); /* We don't need Q to recover */
+		dev = NULL;
 		if (s->failed == 2) {
 			dev = &sh->dev[s->failed_num[1]];
 			s->locked++;
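Review bot: `dev = NULL` replaces the BUG_ON so the WARN_ONCE in the next hunk can tell whether any branch of the if/else chain selected a device; the context shows `dev` is assigned in the `s->failed == 2` branch, so initializing it here is what makes the later `dev &&` test well-defined. The panic on `s->uptodate < disks - 1` is removed entirely, so an inconsistent stripe no longer takes the machine down, which is the stated intent.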
@@ -3410,6 +3410,14 @@ static void handle_parity_checks6(struct
 			set_bit(R5_LOCKED, &dev->flags);
 			set_bit(R5_Wantwrite, &dev->flags);
 		}
+		if (WARN_ONCE(dev && !test_bit(R5_UPTODATE, &dev->flags),
+			      "%s: disk%td not up to date\n",
+			      mdname(conf->mddev),
+			      dev - (struct r5dev *) &sh->dev)) {
+			clear_bit(R5_LOCKED, &dev->flags);
+			clear_bit(R5_Wantwrite, &dev->flags);
+			s->locked--;
+		}
 		clear_bit(STRIPE_DEGRADED, &sh->state);
 
 		set_bit(STRIPE_INSYNC, &sh->state);
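Review bot: when the WARN_ONCE fires, the unwind clears R5_LOCKED and R5_Wantwrite and decrements s->locked, but the function still goes on to clear STRIPE_DEGRADED and set STRIPE_INSYNC on a stripe whose block was never written back; marking the stripe in-sync after skipping the write needs a comment justifying it, or the stripe should be left for a later pass. WARN_ONCE also logs only the first occurrence, so repeated silent skips are invisible to an operator; a rate-limited warning or a counter would preserve visibility of a recurring integrity problem. The `dev - (struct r5dev *) &sh->dev` with %td is the kbuild warning fix the message mentions; if sh->dev is an array, `dev - sh->dev` is the plainer form.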



* [PATCH 3.16 81/83] btrfs: partially apply b8b93addde
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 80/83] md/raid: raid5 preserve the writeback action after the parity check Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:56   ` Hans van Kranenburg
  2019-11-20 15:38 ` [PATCH 3.16 82/83] btrfs: volumes: Cleanup stripe size calculation Ben Hutchings
                   ` (2 subsequent siblings)
  83 siblings, 1 reply; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Hans van Kranenburg

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans van Kranenburg <hans@knorrie.org>

Extracted from commit b8b93addde "btrfs: cleanup 64bit/32bit divs,
provably bounded values", to allow commits 793ff2c88c6 "btrfs:
volumes: Cleanup stripe size calculation" and baf92114c7 "btrfs:
alloc_chunk: fix more DUP stripe size handling" to apply cleanly.

[bwh: Add patch description]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/volumes.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 4aa1a20fc5d7..b4b98a75ca8b 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -4274,8 +4274,8 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
 	 */
 	if (stripe_size * data_stripes > max_chunk_size) {
 		u64 mask = (1ULL << 24) - 1;
-		stripe_size = max_chunk_size;
-		do_div(stripe_size, data_stripes);
+
+		stripe_size = div_u64(max_chunk_size, data_stripes);
 
 		/* bump the answer up to a 16MB boundary */
 		stripe_size = (stripe_size + mask) & ~mask;
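Review bot: div_u64(max_chunk_size, data_stripes) returns the quotient without touching max_chunk_size, whereas the removed do_div() divided stripe_size in place after the copy, so the result is identical; `mask` is still declared and still used by the round-up two lines below, so nothing dangles. The message says this is extracted from b8b93addde but gives only an abbreviated id and no "commit ... upstream" line; stating the full upstream commit hash would keep the backport traceable.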



* [PATCH 3.16 82/83] btrfs: volumes: Cleanup stripe size calculation
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 81/83] btrfs: partially apply b8b93addde Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:38 ` [PATCH 3.16 83/83] btrfs: alloc_chunk: fix more DUP stripe size handling Ben Hutchings
  2019-11-20 15:46 ` [PATCH 3.16 00/83] 3.16.78-rc1 review Guenter Roeck
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Sterba, Qu Wenruo,
	Hans van Kranenburg, Gu Jinxiang, Nikolay Borisov

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Qu Wenruo <wqu@suse.com>

commit 793ff2c88c6397b3531c08cc4f920619b56a9def upstream.

Cleanup the following things:
1) open coded SZ_16M round up
2) use min() to replace open-coded size comparison
3) code style

Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Gu Jinxiang <gujx@cn.fujitsu.com>
[ reformat comment ]
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16 as dependency of commit baf92114c7
 "btrfs: alloc_chunk: fix more DUP stripe size handling":
 - Add #include <linux/sizes.h> for definition of SZ_16M]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Hans van Kranenburg <Hans.van.Kranenburg@mendix.com>
---
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -27,6 +27,7 @@
 #include <linux/kthread.h>
 #include <linux/raid/pq.h>
 #include <linux/semaphore.h>
+#include <linux/sizes.h>
 #include <asm/div64.h>
 #include "ctree.h"
 #include "extent_map.h"
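Review bot: this include is the backport-only addition called out in the bwh bracket note; it is needed because the next hunk introduces SZ_16M, which is not defined elsewhere in this tree, and it is placed in alphabetical order with the neighbouring linux/ includes.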
@@ -4273,18 +4274,17 @@ static int __btrfs_alloc_chunk(struct bt
 	 * and compare that answer with the max chunk size
 	 */
 	if (stripe_size * data_stripes > max_chunk_size) {
-		u64 mask = (1ULL << 24) - 1;
-
 		stripe_size = div_u64(max_chunk_size, data_stripes);
 
 		/* bump the answer up to a 16MB boundary */
-		stripe_size = (stripe_size + mask) & ~mask;
+		stripe_size = round_up(stripe_size, SZ_16M);
 
-		/* but don't go higher than the limits we found
-		 * while searching for free extents
+		/*
+		 * But don't go higher than the limits we found while searching
+		 * for free extents
 		 */
-		if (stripe_size > devices_info[ndevs-1].max_avail)
-			stripe_size = devices_info[ndevs-1].max_avail;
+		stripe_size = min(devices_info[ndevs - 1].max_avail,
+				  stripe_size);
 	}
 
 	/* align to BTRFS_STRIPE_LEN */
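Review bot: round_up(stripe_size, SZ_16M) is equivalent to the removed `(stripe_size + mask) & ~mask` only because SZ_16M is a power of two, which it is (1 << 24, matching the old mask); min(devices_info[ndevs - 1].max_avail, stripe_size) requires both operands to have the same type or the kernel's type-checked min() warns, so confirm max_avail is u64 in this tree. Note this hunk still carries the bug the next patch fixes: the min() compares the rounded value against max_avail rather than against the value stripe_size held before it was overwritten.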



* [PATCH 3.16 83/83] btrfs: alloc_chunk: fix more DUP stripe size handling
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 82/83] btrfs: volumes: Cleanup stripe size calculation Ben Hutchings
@ 2019-11-20 15:38 ` Ben Hutchings
  2019-11-20 15:46 ` [PATCH 3.16 00/83] 3.16.78-rc1 review Guenter Roeck
  83 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Sterba, Hans van Kranenburg

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans van Kranenburg <hans.van.kranenburg@mendix.com>

commit baf92114c7e6dd6124aa3d506e4bc4b694da3bc3 upstream.

Commit 92e222df7b "btrfs: alloc_chunk: fix DUP stripe size handling"
fixed calculating the stripe_size for a new DUP chunk.

However, the same calculation reappears a bit later, and that one was
not changed yet. The resulting bug that is exposed is that the newly
allocated device extents ('stripes') can have a few MiB overlap with the
next thing stored after them, which is another device extent or the end
of the disk.

The scenario in which this can happen is:
* The block device for the filesystem is less than 10GiB in size.
* The amount of contiguous free unallocated disk space chosen to use for
  chunk allocation is 20% of the total device size, or a few MiB more or
  less.

An example:
- The filesystem device is 7880MiB (max_chunk_size gets set to 788MiB)
- There's 1578MiB unallocated raw disk space left in one contiguous
  piece.

In this case stripe_size is first calculated as 789MiB (half of
1578MiB).

Since 789MiB (stripe_size * data_stripes) > 788MiB (max_chunk_size), we
enter the if block. Now the stripe_size value is immediately overwritten
while calculating an adjusted value based on max_chunk_size, which ends
up as 788MiB.

Next, the value is rounded up to a 16MiB boundary, 800MiB, which is
actually more than the value we had before. However, the last comparison
fails to detect this, because it's comparing the value with the total
amount of free space, which is about twice the size of stripe_size.

In the example above, this means that the resulting raw disk space being
allocated is 1600MiB, while only a gap of 1578MiB has been found. The
second device extent object for this DUP chunk will overlap for 22MiB
with whatever comes next.

The underlying problem here is that stripe_size is reused all the
time for different things. So, when entering the code in the if block,
stripe_size is immediately overwritten with something else. If later we
decide we want to have the previous value back, then the logic to
compute it was copy-pasted in again.

With this change, the value in stripe_size is not unnecessarily
destroyed, so the duplicated calculation is not needed any more.

Signed-off-by: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/volumes.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -4271,19 +4271,17 @@ static int __btrfs_alloc_chunk(struct bt
 	/*
 	 * Use the number of data stripes to figure out how big this chunk
 	 * is really going to be in terms of logical address space,
-	 * and compare that answer with the max chunk size
+	 * and compare that answer with the max chunk size. If it's higher,
+	 * we try to reduce stripe_size.
 	 */
 	if (stripe_size * data_stripes > max_chunk_size) {
-		stripe_size = div_u64(max_chunk_size, data_stripes);
-
-		/* bump the answer up to a 16MB boundary */
-		stripe_size = round_up(stripe_size, SZ_16M);
-
 		/*
-		 * But don't go higher than the limits we found while searching
-		 * for free extents
+		 * Reduce stripe_size, round it up to a 16MB boundary again and
+		 * then use it, unless it ends up being even bigger than the
+		 * previous value we had already.
 		 */
-		stripe_size = min(devices_info[ndevs - 1].max_avail,
+		stripe_size = min(round_up(div_u64(max_chunk_size,
+						   data_stripes), SZ_16M),
 				  stripe_size);
 	}
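Review bot: the fix works by never overwriting stripe_size before the comparison, so the candidate round_up(div_u64(max_chunk_size, data_stripes), SZ_16M) is clamped by the original stripe_size instead of by max_avail; with the commit message's numbers, 789MiB becomes min(round_up(788, 16) = 800, 789) = 789, so the two DUP extents total 1578MiB and fit the gap exactly instead of overlapping by 22MiB. The comparison against max_avail is dropped entirely, which is safe only because the original stripe_size was itself derived from max_avail (half the free gap); a one-line comment saying so would keep a future reader from re-adding the check.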
 

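The before/after stripe_size clamp from the commit message above, as an added example that is not btrfs code: it reimplements both versions of the arithmetic in plain C (round_up_u64, min_u64 and the MiB-unit SZ_16M_MIB are local stand-ins for the kernel helpers) and runs the constructed 7880MiB device / 1578MiB free-gap DUP scenario to show the 22MiB overrun and its removal.

```c
#include <stdint.h>
#include <stdio.h>

/* All sizes below are in MiB, so a 16MiB boundary is 16 units. */
#define SZ_16M_MIB 16ULL

/* Local stand-in for the kernel's round_up(); align must be a power of two. */
uint64_t round_up_u64(uint64_t v, uint64_t align)
{
	return (v + align - 1) & ~(align - 1);
}

uint64_t min_u64(uint64_t a, uint64_t b)
{
	return a < b ? a : b;
}

/*
 * Pre-fix clamp (the code as it stands after patch 82/83): stripe_size is
 * overwritten first, so the final min() compares the rounded value against
 * max_avail (the free gap), which for DUP is about twice the stripe size,
 * and the rounded-up value can win.
 */
uint64_t stripe_size_before_fix(uint64_t stripe_size, uint64_t data_stripes,
				uint64_t max_chunk_size, uint64_t max_avail)
{
	if (stripe_size * data_stripes > max_chunk_size) {
		stripe_size = max_chunk_size / data_stripes;	/* div_u64 */
		stripe_size = round_up_u64(stripe_size, SZ_16M_MIB);
		stripe_size = min_u64(max_avail, stripe_size);
	}
	return stripe_size;
}

/*
 * Post-fix clamp (patch 83/83): the reduced and rounded candidate is clamped
 * by the value stripe_size already had, so the result can never grow.
 */
uint64_t stripe_size_after_fix(uint64_t stripe_size, uint64_t data_stripes,
			       uint64_t max_chunk_size)
{
	if (stripe_size * data_stripes > max_chunk_size)
		stripe_size = min_u64(round_up_u64(max_chunk_size / data_stripes,
						   SZ_16M_MIB),
				      stripe_size);
	return stripe_size;
}

/* MiB by which num_stripes device extents of stripe_size overrun a gap (0 if they fit). */
uint64_t overlap_mib(uint64_t stripe_size, uint64_t num_stripes, uint64_t gap)
{
	uint64_t raw = stripe_size * num_stripes;
	return raw > gap ? raw - gap : 0;
}

int main(void)
{
	/* Constructed from the commit message: DUP profile (2 stripes on one
	 * device, 1 data stripe), max_chunk_size 788MiB, 1578MiB free gap. */
	const uint64_t gap = 1578, max_chunk = 788, data_stripes = 1, num_stripes = 2;
	uint64_t initial = gap / num_stripes;	/* 789MiB, half the gap */
	uint64_t before = stripe_size_before_fix(initial, data_stripes, max_chunk, gap);
	uint64_t after = stripe_size_after_fix(initial, data_stripes, max_chunk);

	printf("before fix: stripe_size=%lluMiB, overlap=%lluMiB\n",
	       (unsigned long long)before,
	       (unsigned long long)overlap_mib(before, num_stripes, gap));
	printf("after fix:  stripe_size=%lluMiB, overlap=%lluMiB\n",
	       (unsigned long long)after,
	       (unsigned long long)overlap_mib(after, num_stripes, gap));
	return 0;
}
```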


* Re: [PATCH 3.16 00/83] 3.16.78-rc1 review
  2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2019-11-20 15:38 ` [PATCH 3.16 83/83] btrfs: alloc_chunk: fix more DUP stripe size handling Ben Hutchings
@ 2019-11-20 15:46 ` Guenter Roeck
  2019-11-20 15:50   ` Ben Hutchings
  83 siblings, 1 reply; 88+ messages in thread
From: Guenter Roeck @ 2019-11-20 15:46 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

On 11/20/19 7:37 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.78 release.
> There are 83 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Nov 22 15:37:10 UTC 2019.
> Anything received after that time might be too late.
> 

Build results:
	total: 136 pass: 136 fail: 0
Qemu test results:
	total: 229 pass: 229 fail: 0

Guenter


* Re: [PATCH 3.16 00/83] 3.16.78-rc1 review
  2019-11-20 15:46 ` [PATCH 3.16 00/83] 3.16.78-rc1 review Guenter Roeck
@ 2019-11-20 15:50   ` Ben Hutchings
  0 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-20 15:50 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov


On Wed, 2019-11-20 at 07:46 -0800, Guenter Roeck wrote:
> On 11/20/19 7:37 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.78 release.
> > There are 83 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Nov 22 15:37:10 UTC 2019.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 136 pass: 136 fail: 0
> Qemu test results:
> 	total: 229 pass: 229 fail: 0

Great, thanks for testing,

Ben.

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice - John Levine



* Re: [PATCH 3.16 81/83] btrfs: partially apply b8b93addde
  2019-11-20 15:38 ` [PATCH 3.16 81/83] btrfs: partially apply b8b93addde Ben Hutchings
@ 2019-11-20 15:56   ` Hans van Kranenburg
  2019-11-21 21:42     ` Ben Hutchings
  0 siblings, 1 reply; 88+ messages in thread
From: Hans van Kranenburg @ 2019-11-20 15:56 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: akpm, Denis Kirjanov

On 11/20/19 4:38 PM, Ben Hutchings wrote:
> 3.16.78-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Hans van Kranenburg <hans@knorrie.org>

Thanks for picking this up!

Can you please use my work email, lowercase

  hans.van.kranenburg@mendix.com

for this one and for the Cc: line in the second one from Qu?

Thanks,
Hans

> 
> Extracted from commit b8b93addde "btrfs: cleanup 64bit/32bit divs,
> provably bounded values", to allow commits 793ff2c88c6 "btrfs:
> volumes: Cleanup stripe size calculation" and baf92114c7 "btrfs:
> alloc_chunk: fix more DUP stripe size handling" to apply cleanly.
> 
> [bwh: Add patch description]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  fs/btrfs/volumes.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
> index 4aa1a20fc5d7..b4b98a75ca8b 100644
> --- a/fs/btrfs/volumes.c
> +++ b/fs/btrfs/volumes.c
> @@ -4274,8 +4274,8 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
>  	 */
>  	if (stripe_size * data_stripes > max_chunk_size) {
>  		u64 mask = (1ULL << 24) - 1;
> -		stripe_size = max_chunk_size;
> -		do_div(stripe_size, data_stripes);
> +
> +		stripe_size = div_u64(max_chunk_size, data_stripes);
>  
>  		/* bump the answer up to a 16MB boundary */
>  		stripe_size = (stripe_size + mask) & ~mask;
> 
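Review bot: the standalone `+` blank line inserted between `u64 mask = (1ULL << 24) - 1;` and the new `div_u64()` call is a whitespace-only addition that the two removed lines did not have; since the stated purpose of this partial backport is to let commits 793ff2c88c6 and baf92114c7 apply cleanly, check that this blank line matches the context those later patches expect, and drop it otherwise. The replacement itself preserves behaviour: `do_div()` divided `stripe_size` in place and its remainder was never used, so taking only the quotient from `div_u64(max_chunk_size, data_stripes)` yields the same value before the `(stripe_size + mask) & ~mask` rounding up to a 16MB boundary. Neither helper guards against a zero divisor, so the caller's existing guarantee that `data_stripes` is non-zero still has to hold; this hunk neither weakens nor strengthens it.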



* Re: [PATCH 3.16 81/83] btrfs: partially apply b8b93addde
  2019-11-20 15:56   ` Hans van Kranenburg
@ 2019-11-21 21:42     ` Ben Hutchings
  0 siblings, 0 replies; 88+ messages in thread
From: Ben Hutchings @ 2019-11-21 21:42 UTC (permalink / raw)
  To: Hans van Kranenburg, linux-kernel, stable; +Cc: akpm, Denis Kirjanov

On Wed, 2019-11-20 at 16:56 +0100, Hans van Kranenburg wrote:
> On 11/20/19 4:38 PM, Ben Hutchings wrote:
> > 3.16.78-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Hans van Kranenburg <hans@knorrie.org>
> 
> Thanks for picking this up!
> 
> Can you please use my work email, lowercase
> 
>   hans.van.kranenburg@mendix.com
> 
> for this one and for the Cc: line in the second one from Qu?

OK, done.

Ben.

-- 
Ben Hutchings
Humans are not rational beings; they are rationalising beings.



