linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 3.16 000/148] 3.16.82-rc1 review
@ 2020-02-08 18:18 Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 001/148] ALSA: line6: Drop superfluous snd_device for PCM Ben Hutchings
                   ` (148 more replies)
  0 siblings, 149 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:18 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm, Denis Kirjanov

This is the start of the stable review cycle for the 3.16.82 release.
There are 148 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Feb 11 20:00:00 UTC 2020.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Aaro Koskinen (2):
      net: stmmac: don't stop NAPI processing when dropping a packet
         [07b3975352374c3f5ebb4a42ef0b253fe370542d]
      net: stmmac: use correct DMA buffer size in the RX descriptor
         [583e6361414903c5206258a30e5bd88cb03c0254]

Akinobu Mita (1):
      blk-mq: fix deadlock when reading cpu_list
         [60de074ba1e8f327db19bc33d8530131ac01695d]

Alan Stern (2):
      media: usbvision: Fix invalid accesses after device disconnect
         [c7a191464078262bf799136317c95824e26a222b]
      media: usbvision: Fix races among open, close, and disconnect
         [9e08117c9d4efc1e1bc6fce83dab856d9fd284b6]

Alastair D'Silva (2):
      powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
         [f9ec11165301982585e5e5f606739b5bae5331f3]
      powerpc: Allow flush_icache_range to work across ranges >4GB
         [29430fae82073d39b1b881a3cd507416a56a363f]

Aleksandr Yashkin (1):
      pstore/ram: Write new dumps to start of recycled zones
         [9e5f1c19800b808a37fb9815a26d382132c26c3d]

Alex Deucher (1):
      drm/radeon: fix r1xx/r2xx register checker for POT textures
         [008037d4d972c9c47b273e40e52ae34f9d9e33e7]

Alexandru Ardelean (1):
      iio: imu: adis16480: assign bias value only if operation succeeded
         [9b742763d9d4195e823ae6ece760c9ed0500c1dc]

Arnaldo Carvalho de Melo (1):
      perf regs: Make perf_reg_name() return "unknown" instead of NULL
         [5b596e0ff0e1852197d4c82d3314db5e43126bf7]

Arnd Bergmann (3):
      ARM: ux500: remove unused regulator data
         [37dc78d9b17c971479f742d6d08f38d8f2beb688]
      compat_ioctl: handle SIOCOUTQNSD
         [9d7bf41fafa5b5ddd4c13eb39446b0045f0a8167]
      net: davinci_cpdma: use dma_addr_t for DMA address
         [84092996673211f16ef3b942a191d7952e9dfea9]

Asbjoern Sloth Toennesen (1):
      deb-pkg: remove obsolete -isp option to dpkg-gencontrol
         [4204111c028d492019e4440d12e9e3d062db4283]

Bart Van Assche (3):
      RDMA/srpt: Report the SCSI residual to the initiator
         [e88982ad1bb12db699de96fbc07096359ef6176c]
      scsi: core: scsi_trace: Use get_unaligned_be*()
         [b1335f5b0486f61fb66b123b40f8e7a98e49605d]
      scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6)
         [f6b8540f40201bff91062dd64db8e29e4ddaaa9d]

Ben Hutchings (1):
      s390: Fix unmatched preempt_disable() on exit
         [8d9047f8b967ce6181fd824ae922978e1b055cc0]

Chengguang Xu (1):
      ext2: check err when partial != NULL
         [e705f4b8aa27a59f8933e8f384e9752f052c469c]

Chris Wilson (1):
      drm/i915/userptr: Try to acquire the page lock around set_page_dirty()
         [0d4bbe3d407f79438dc4f87943db21f7134cfc65]

Chuhong Yuan (1):
      serial: ifx6x60: add missed pm_runtime_disable
         [50b2b571c5f3df721fc81bf9a12c521dfbe019ba]

Colin Ian King (1):
      ALSA: cs4236: fix error return comparison of an unsigned integer
         [d60229d84846a8399257006af9c5444599f64361]

Dan Carpenter (6):
      Bluetooth: delete a stray unlock
         [df66499a1fab340c167250a5743931dc50d5f0fa]
      [media] usbvision-video: two use after frees
         [470a9147899500eb4898f77816520c4b4aa1a698]
      cw1200: Fix a signedness bug in cw1200_load_firmware()
         [4a50d454502f1401171ff061a5424583f91266db]
      drm/i810: Prevent underflow in ioctl
         [4f69851fbaa26b155330be35ce8ac393e93e7442]
      scsi: csiostor: Don't enable IRQs too early
         [d6c9b31ac3064fbedf8961f120a4c117daa59932]
      scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
         [906ca6353ac09696c1bf0892513c8edffff5e0a6]

Dave Wysochanski (1):
      cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
         [d46b0da7a33dd8c99d969834f682267a45444ab3]

Denis Efremov (2):
      ar5523: check NULL before memcpy() in ar5523_cmd()
         [315cee426f87658a6799815845788fde965ddaad]
      ath9k_hw: fix uninitialized variable data
         [80e84f36412e0c5172447b6947068dca0d04ee82]

Dmitry Monakhov (2):
      quota: Check that quota is not dirty before release
         [df4bb5d128e2c44848aeb36b7ceceba3ac85080d]
      quota: fix livelock in dquot_writeback_dquots
         [6ff33d99fc5c96797103b48b7b0902c296f09c05]

Dmitry Osipenko (1):
      ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume()
         [d70f7d31a9e2088e8a507194354d41ea10062994]

Dmitry Torokhov (1):
      tty: vt: keyboard: reject invalid keycodes
         [b2b2dd71e0859436d4e05b2f61f86140250ed3f8]

Eric Dumazet (4):
      inet: protect against too small mtu values.
         [501a90c945103e8627406763dac418f20f3837b2]
      inetpeer: fix data-race in inet_putpeer / inet_putpeer
         [71685eb4ce80ae9c49eff82ca4dd15acab215de9]
      tcp: md5: fix potential overestimation of TCP option space
         [9424e2e7ad93ffffa88f882c9bc5023570904b55]
      tcp: syncookies: extend validity range
         [264ea103a7473f51aced838e68ed384ea2c759f5]

Fabio D'Urso (1):
      USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
         [c1a1f273d0825774c80896b8deb1c9ea1d0b91e3]

Filipe Manana (1):
      Btrfs: fix negative subv_writers counter and data space leak after buffered write
         [a0e248bb502d5165b3314ac3819e888fdcdf7d9f]

Francesco Ruggeri (1):
      ACPI: OSL: only free map once in osl.c
         [833a426cc471b6088011b3d67f1dc4e147614647]

Giuseppe CAVALLARO (1):
      stmmac: fix oversized frame reception
         [e527c4a769d375ac0472450c52bde29087f49cd9]

Greg Kroah-Hartman (1):
      usb-serial: cp201x: support Mark-10 digital force gauge
         [347bc8cb26388791c5881a3775cb14a3f765a674]

Guillaume Nault (2):
      tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
         [721c8dafad26ccfa90ff659ee19755e3377b829d]
      tcp: fix rejected syncookies due to stale timestamps
         [04d26e7b159a396372646a480f4caa166d1b6720]

Gustavo A. R. Silva (1):
      usb: gadget: pch_udc: fix use after free
         [66d1b0c0580b7f1b1850ee4423f32ac42afa2e92]

H.J. Lu (1):
      x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
         [b21ebf2fb4cde1618915a97cc773e287ff49173e]

Hans Verkuil (2):
      [media] usbvision: fix locking error
         [e2c84ccb0fbe5e524d15bb09c042a6ca634adaed]
      [media] usbvision: remove power_on_at_open and timed power off
         [62e259493d779b0e2c1a675ab733136511310821]

Hans de Goede (2):
      platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
         [f3e4f3fc8ee9729c4b1b27a478c68b713df53c0c]
      platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
         [16245db1489cd9aa579506f64afeeeb13d825a93]

Hewenliang (1):
      libtraceevent: Fix memory leakage in copy_filter_type
         [10992af6bf46a2048ad964985a5b77464e5563b1]

Insu Yun (1):
      [media] usbvision: fix locking error
         [5ce625a42d6206d5a18222c6475f6b866ef68569]

James Smart (1):
      scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
         [6c6d59e0fe5b86cf273d6d744a6a9768c4ecc756]

Jan Kara (2):
      jbd2: Fix possible overflow in jbd2_log_space_left()
         [add3efdd78b8a0478ce423bb9d4df6bd95e8b335]
      xfs: Sanity check flags of Q_XQUOTARM call
         [3dd4d40b420846dd35869ccc8f8627feef2cff32]

Jann Horn (1):
      binder: Handle start==NULL in binder_update_page_range()
         [2a9edd056ed4fbf9d2e797c3fc06335af35bccc4]

Janusz Krzysztofik (2):
      media: ov6650: Fix incorrect use of JPEG colorspace
         [12500731895ef09afc5b66b86b76c0884fb9c7bf]
      media: ov6650: Fix stored frame format not in sync with hardware
         [3143b459de4cdcce67b36827476c966e93c1cf01]

Jeffrey Hugo (1):
      tty: serial: msm_serial: Fix flow control
         [b027ce258369cbfa88401a691c23dad01deb9f9b]

Jian-Hong Pan (1):
      PCI/MSI: Fix incorrect MSI-X masking on resume
         [e045fa29e89383c717e308609edd19d2fd29e1be]

Jiangfeng Xiao (1):
      serial: serial_core: Perform NULL checks for break_ctl ops
         [7d73170e1c282576419f8b50a771f1fcd2b81a94]

Johan Hovold (3):
      USB: serial: mos7720: fix remote wakeup
         [ea422312a462696093b5db59d294439796cba4ad]
      USB: serial: mos7840: fix remote wakeup
         [92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815]
      media: radio: wl1273: fix interrupt masking on release
         [1091eb830627625dcf79958d99353c2391f41708]

Johannes Berg (1):
      iwlwifi: check kasprintf() return value
         [5974fbb5e10b018fdbe3c3b81cb4cc54e1105ab9]

Josef Bacik (1):
      btrfs: check page->mapping when loading free space cache
         [3797136b626ad4b6582223660c041efdea8f26b2]

Kai-Heng Feng (2):
      usb: Allow USB device to be warm reset in suspended state
         [e76b3bf7654c3c94554c24ba15a3d105f4006c80]
      x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
         [7e8ce0e2b036dbc6617184317983aea4f2c52099]

Kars de Jong (1):
      rtc: msm6242: Fix reading of 10-hour digit
         [e34494c8df0cd96fc432efae121db3212c46ae48]

Konstantin Khlebnikov (1):
      ACPI / osl: speedup grace period in acpi_os_map_cleanup
         [74b51ee152b6d99e61ba329799a039453fb9438f]

Krzysztof Kozlowski (2):
      pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
         [6fbbcb050802d6ea109f387e961b1dbcc3a80c96]
      pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init
         [7f028caadf6c37580d0f59c6c094ed09afc04062]

Leonard Crestez (1):
      PM / devfreq: Lock devfreq in trans_stat_show
         [2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4]

Lihua Yao (1):
      ARM: dts: s3c64xx: Fix init order of clock providers
         [d60d0cff4ab01255b25375425745c3cff69558ad]

Mans Rullgard (1):
      spi: atmel: fix handling of cs_change set on non-last xfer
         [fed8d8c7a6dc2a76d7764842853d81c770b0788e]

Marian Mihailescu (1):
      clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume
         [e21be0d1d7bd7f78a77613f6bcb6965e72b22fc1]

Mark Brown (1):
      mmc: sdhci-s3c: Check if clk_set_rate() succeeds
         [cd0cfdd2485e6252b3c69284bf09d06c4d303116]

Masami Hiramatsu (15):
      perf probe: Filter out instances except for inlined subroutine and subprogram
         [da6cb952a89efe24bb76c4971370d485737a2d85]
      perf probe: Fix to add missed brace around if block
         [86a76027457633488b0a83d5e2bb944159885605]
      perf probe: Fix to find range-only function instance
         [b77afa1f810f37bd8a36cb1318178dfe2d7af6b6]
      perf probe: Fix to handle optimized not-inlined functions
         [e1ecbbc3fa834cc6b4b344edb1968e734d57189b]
      perf probe: Fix to list probe event with correct line number
         [3895534dd78f0fd4d3f9e05ee52b9cdd444a743e]
      perf probe: Fix to probe a function which has no entry pc
         [5d16dbcc311d91267ddb45c6da4f187be320ecee]
      perf probe: Fix to probe an inline function which has no entry pc
         [eb6933b29d20bf2c3053883d409a53f462c1a3ac]
      perf probe: Fix to show calling lines of inlined functions
         [86c0bf8539e7f46d91bd105e55eda96e0064caef]
      perf probe: Fix to show function entry line as probe-able
         [91e2f539eeda26ab00bd03fae8dc434c128c85ed]
      perf probe: Fix to show inlined function callsite without entry_pc
         [18e21eb671dc87a4f0546ba505a89ea93598a634]
      perf probe: Fix to show lines of sys_ functions correctly
         [75186a9b09e47072f442f43e292cd47180b67b5c]
      perf probe: Fix wrong address verification
         [07d369857808b7e8e471bbbbb0074a6718f89b31]
      perf probe: Skip end-of-sequence and non statement lines
         [f4d99bdfd124823a81878b44b5e8750b97f73902]
      perf probe: Skip if the function address is 0
         [0ad45b33c58dca60dec7e1fb44766753bc4a7a38]
      perf probe: Skip overlapped location on searching variables
         [dee36a2abb67c175265d49b9a8c7dfa564463d9a]

Mattijs Korpershoek (1):
      Bluetooth: hci_core: fix init for HCI_USER_CHANNEL
         [eb8c101e28496888a0dcfe16ab86a1bee369e820]

Max Filippov (1):
      xtensa: fix TLB sanity checker
         [36de10c4788efc6efe6ff9aa10d38cb7eea4c818]

Menglong Dong (1):
      macvlan: schedule bc_work even if error
         [1d7ea55668878bb350979c377fc72509dd6f5b21]

Michał Mirosław (1):
      usb: gadget: u_serial: add missing port entry locking
         [daf82bd24e308c5a83758047aff1bd81edda4f11]

Miklos Szeredi (2):
      fuse: verify attributes
         [eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5]
      fuse: verify nlink
         [c634da718db9b2fac201df2ae1b1b095344ce5eb]

Ming Lei (2):
      blk-mq: avoid sysfs buffer overflow with too many CPU cores
         [8962842ca5abdcf98e22ab3b2b45a103f0408b95]
      blk-mq: make sure that line break can be printed
         [d2c9be89f8ebe7ebcc97676ac40f8dec1cf9b43a]

Miquel Raynal (1):
      mtd: spear_smi: Fix Write Burst mode
         [69c7f4618c16b4678f8a4949b6bb5ace259c0033]

Nathan Chancellor (1):
      tools/power/cpupower: Fix initializer override in hsw_ext_cstates
         [7e5705c635ecfccde559ebbbe1eaf05b5cc60529]

Nikolay Aleksandrov (1):
      net: bridge: deny dev_set_mac_address() when unregistering
         [c4b4c421857dc7b1cf0dccbd738472360ff2cd70]

Nuno Sá (1):
      iio: adis16480: Add debugfs_reg_access entry
         [4c35b7a51e2f291471f7221d112c6a45c63e83bc]

Oliver Neukum (4):
      USB: documentation: flags on usb-storage versus UAS
         [65cc8bf99349f651a0a2cee69333525fe581f306]
      USB: uas: heed CAPACITY_HEURISTICS
         [335cbbd5762d5e5c67a8ddd6e6362c2aa42a328f]
      USB: uas: honor flag to avoid CAPACITY16
         [bff000cae1eec750d62e265c4ba2db9af57b17e1]
      appledisplay: fix error handling in the scheduled work
         [91feb01596e5efc0cc922cc73f5583114dccf4d2]

Pan Bian (3):
      scsi: bnx2i: fix potential use after free
         [29d28f2b8d3736ac61c28ef7e20fda63795b74d9]
      scsi: qla4xxx: fix double free bug
         [3fe3d2428b62822b7b030577cd612790bdd8c941]
      staging: rtl8192e: fix potential use after free
         [b7aa39a2ed0112d07fc277ebd24a08a7b2368ab9]

Paolo Abeni (2):
      openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
         [8ffeb03fbba3b599690b361467bfd2373e8c450f]
      openvswitch: remove another BUG_ON()
         [8a574f86652a4540a2433946ba826ccb87f398cc]

Paolo Bonzini (2):
      KVM: x86: do not modify masked bits of shared MSRs
         [de1fca5d6e0105c9d33924e1247e2f386efc3ece]
      KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
         [cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b]

Paul Osmialowski (1):
      mmc: sdhci-s3c: solve problem with sleeping in atomic context
         [017210d1c0dc2e2d3b142985cb31d90b98dc0f0f]

Pavel Löbl (1):
      USB: serial: mos7840: add USB ID to support Moxa UPort 2210
         [e696d00e65e81d46e911f24b12e441037bf11b38]

Pavel Shilovsky (3):
      CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
         [6f582b273ec23332074d970a7fb25bef835df71f]
      CIFS: Fix SMB2 oplock break processing
         [fa9c2362497fbd64788063288dc4e74daf977ebb]
      CIFS: Respect O_SYNC and O_DIRECT flags during reconnect
         [44805b0e62f15e90d233485420e1847133716bdc]

Pavel Tikhomirov (1):
      sunrpc: fix crash when cache_head become valid before update
         [5fcaf6982d1167f1cd9b264704f6d1ef4c505d54]

Pawel Harlozinski (1):
      ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
         [8f157d4ff039e03e2ed4cb602eeed2fd4687a58f]

Peng Fan (2):
      tty: serial: imx: use the sg count from dma_map_sg
         [596fd8dffb745afcebc0ec6968e17fe29f02044c]
      tty: serial: pch_uart: correct usage of dma_unmap_sg
         [74887542fdcc92ad06a48c0cca17cdf09fc8aa00]

Sam Bobroff (1):
      drm/radeon: fix bad DMA from INTERRUPT_CNTL2
         [62d91dd2851e8ae2ca552f1b090a3575a4edf759]

SeongJae Park (1):
      xen/blkback: Avoid unmapping unmapped grant pages
         [f9bd84a8a845d82f9b5a081a7ae68c98a11d2e84]

Seung-Woo Kim (1):
      media: exynos4-is: Fix recursive locking in isp_video_release()
         [704c6c80fb471d1bb0ef0d61a94617d1d55743cd]

Steffen Liebergeld (1):
      PCI: Fix Intel ACS quirk UPDCR register address
         [d8558ac8c93d429d65d7490b512a3a67e559d0d4]

Steffen Maier (1):
      scsi: zfcp: trace channel log even for FCP command responses
         [100843f176109af94600e500da0428e21030ca7f]

Stephan Gerhold (2):
      regulator: ab8500: Remove AB8505 USB regulator
         [99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c]
      regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
         [458ea3ad033fc86e291712ce50cbe60c3428cf30]

Sudarsana Reddy Kalluru (1):
      bnx2x: Enable Multi-Cos feature.
         [069e47823fff2c634b2d46a328b5096fdc8c2a0c]

Takashi Iwai (3):
      ALSA: line6: Drop superfluous snd_device for PCM
         [b45a7c565473d29bd7e02ac8ca86232a24ca247f]
      ALSA: line6: Fix memory leak at line6_init_pcm() error path
         [1bc8d18c75fef3b478dbdfef722aae09e2a9fde7]
      ALSA: pcm: oss: Avoid potential buffer overflows
         [4cc8d6505ab82db3357613d36e6c58a297f57f7c]

Tejun Heo (1):
      workqueue: Fix spurious sanity check failures in destroy_workqueue()
         [def98c84b6cdf2eeea19ec5736e90e316df5206b]

Theodore Ts'o (1):
      ext4: work around deleting a file with i_nlink == 0 safely
         [c7df4a1ecb8579838ec8c56b2bb6a6716e974f37]

Thomas Gleixner (2):
      hrtimer: Get rid of the resolution field in hrtimer_clock_base
         [398ca17fb54b212cdc9da7ff4a17a35c48dd2103]
      x86/ioapic: Prevent inconsistent state when moving an interrupt
         [df4393424af3fbdcd5c404077176082a8ce459c4]

Tony Lindgren (1):
      hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled
         [eaecce12f5f0d2c35d278e41e1bc4522393861ab]

Vamshi K Sthambamkadi (1):
      ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
         [627ead724eff33673597216f5020b72118827de4]

Vincenzo Frascino (1):
      powerpc: Fix vDSO clock_getres()
         [552263456215ada7ee8700ce022d12b0cffe4802]

Waiman Long (1):
      x86/speculation: Fix incorrect MDS/TAA mitigation status
         [64870ed1b12e235cfca3f6c6da75b542c973ff78]

Yang Tao (1):
      futex: Prevent robust futex exit race
         [ca16d5bee59807bf04deaab0a8eccecd5061528c]

Zhenzhong Duan (1):
      cpuidle: Do not unset the driver if it is there already
         [918c1fe9fbbe46fcf56837ff21f0ef96424e8b29]

 Documentation/hw-vuln/mds.rst                      |   7 +-
 Documentation/hw-vuln/tsx_async_abort.rst          |   5 +-
 Documentation/kernel-parameters.txt                |  30 +-
 Makefile                                           |   4 +-
 arch/arm/boot/dts/s3c6410-mini6410.dts             |   4 +
 arch/arm/boot/dts/s3c6410-smdk6410.dts             |   4 +
 arch/arm/mach-tegra/reset-handler.S                |   6 +-
 arch/arm/mach-ux500/board-mop500-regulators.c      | 600 ---------------------
 arch/arm/mach-ux500/board-mop500-regulators.h      |   8 -
 arch/powerpc/include/asm/vdso_datapage.h           |   2 +
 arch/powerpc/kernel/asm-offsets.c                  |   2 +-
 arch/powerpc/kernel/misc_64.S                      |   4 +-
 arch/powerpc/kernel/time.c                         |   1 +
 arch/powerpc/kernel/vdso32/gettimeofday.S          |   7 +-
 arch/powerpc/kernel/vdso64/cacheflush.S            |   4 +-
 arch/powerpc/kernel/vdso64/gettimeofday.S          |   7 +-
 arch/s390/kernel/runtime_instr.c                   |   2 +-
 arch/x86/kernel/apic/io_apic.c                     |   9 +-
 arch/x86/kernel/cpu/bugs.c                         |  17 +-
 arch/x86/kernel/module.c                           |   1 +
 arch/x86/kvm/x86.c                                 |  14 +-
 arch/x86/pci/fixup.c                               |  11 +
 arch/x86/tools/relocs.c                            |   1 +
 arch/xtensa/mm/tlb.c                               |   4 +-
 block/blk-mq-sysfs.c                               |  19 +-
 block/blk-mq.c                                     |   7 +
 drivers/acpi/bus.c                                 |   2 +-
 drivers/acpi/osl.c                                 |  28 +-
 drivers/block/xen-blkback/blkback.c                |   2 +
 drivers/char/hw_random/omap3-rom-rng.c             |   3 +-
 drivers/clk/samsung/clk-exynos5420.c               |   2 +
 drivers/cpuidle/driver.c                           |  15 +-
 drivers/devfreq/devfreq.c                          |   7 +-
 drivers/gpu/drm/i810/i810_dma.c                    |   4 +-
 drivers/gpu/drm/i915/i915_gem_userptr.c            |  22 +-
 drivers/gpu/drm/radeon/cik.c                       |   4 +-
 drivers/gpu/drm/radeon/r100.c                      |   4 +-
 drivers/gpu/drm/radeon/r200.c                      |   4 +-
 drivers/gpu/drm/radeon/r600.c                      |   4 +-
 drivers/gpu/drm/radeon/si.c                        |   4 +-
 drivers/iio/imu/adis16480.c                        |   7 +-
 drivers/infiniband/ulp/srpt/ib_srpt.c              |  24 +
 drivers/media/i2c/soc_camera/ov6650.c              |  21 +-
 drivers/media/platform/exynos4-is/fimc-isp-video.c |   2 +-
 drivers/media/radio/radio-wl1273.c                 |   3 +-
 drivers/media/usb/usbvision/usbvision-core.c       |  50 --
 drivers/media/usb/usbvision/usbvision-video.c      | 107 ++--
 drivers/media/usb/usbvision/usbvision.h            |   5 -
 drivers/mmc/host/sdhci-s3c.c                       |  16 +-
 drivers/mtd/devices/spear_smi.c                    |  38 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c    |   3 +-
 drivers/net/ethernet/stmicro/stmmac/common.h       |   2 +-
 drivers/net/ethernet/stmicro/stmmac/descs_com.h    |  14 +-
 drivers/net/ethernet/stmicro/stmmac/enh_desc.c     |  10 +-
 drivers/net/ethernet/stmicro/stmmac/norm_desc.c    |  10 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  20 +-
 drivers/net/ethernet/ti/davinci_cpdma.c            |  12 +-
 drivers/net/macvlan.c                              |   3 +-
 drivers/net/wireless/ath/ar5523/ar5523.c           |   3 +-
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c     |   2 +-
 drivers/net/wireless/cw1200/fwio.c                 |   6 +-
 drivers/net/wireless/iwlwifi/dvm/led.c             |   3 +
 drivers/net/wireless/iwlwifi/mvm/led.c             |   3 +
 drivers/pci/msi.c                                  |   3 +-
 drivers/pci/quirks.c                               |   2 +-
 drivers/pinctrl/pinctrl-s3c24xx.c                  |   6 +-
 drivers/pinctrl/pinctrl-s3c64xx.c                  |   3 +
 drivers/platform/x86/hp-wmi.c                      |  10 +-
 drivers/regulator/ab8500.c                         |  17 -
 drivers/rtc/rtc-msm6242.c                          |   3 +-
 drivers/s390/scsi/zfcp_dbf.c                       |   8 +-
 drivers/scsi/bnx2i/bnx2i_iscsi.c                   |   2 +-
 drivers/scsi/csiostor/csio_lnode.c                 |  15 +-
 drivers/scsi/esas2r/esas2r_flash.c                 |   1 +
 drivers/scsi/lpfc/lpfc_els.c                       |   2 +-
 drivers/scsi/qla4xxx/ql4_mbx.c                     |   3 -
 drivers/scsi/scsi_trace.c                          | 125 ++---
 drivers/spi/spi-atmel.c                            |  10 +-
 drivers/staging/android/binder.c                   |   6 +-
 drivers/staging/line6/pcm.c                        |  61 +--
 drivers/staging/rtl8192e/rtl8192e/rtl_core.c       |   5 +-
 drivers/tty/serial/ifx6x60.c                       |   3 +
 drivers/tty/serial/imx.c                           |   2 +-
 drivers/tty/serial/msm_serial.c                    |   6 +-
 drivers/tty/serial/pch_uart.c                      |   5 +-
 drivers/tty/serial/serial_core.c                   |   2 +-
 drivers/tty/vt/keyboard.c                          |   2 +-
 drivers/usb/core/hub.c                             |   5 +-
 drivers/usb/gadget/pch_udc.c                       |   1 -
 drivers/usb/gadget/u_serial.c                      |   2 +
 drivers/usb/misc/appledisplay.c                    |   8 +-
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/ftdi_sio.c                      |   3 +
 drivers/usb/serial/ftdi_sio_ids.h                  |   7 +
 drivers/usb/serial/mos7720.c                       |   4 -
 drivers/usb/serial/mos7840.c                       |  16 +-
 drivers/usb/storage/uas.c                          |  10 +
 fs/btrfs/file.c                                    |   2 +-
 fs/btrfs/free-space-cache.c                        |   6 +
 fs/cifs/cifsglob.h                                 |   5 +
 fs/cifs/cifsproto.h                                |   1 +
 fs/cifs/file.c                                     |  35 +-
 fs/cifs/smb2file.c                                 |   2 +-
 fs/cifs/smb2misc.c                                 |   7 +-
 fs/ext2/inode.c                                    |   7 +-
 fs/ext4/namei.c                                    |  13 +-
 fs/fuse/dir.c                                      |  27 +-
 fs/fuse/fuse_i.h                                   |   2 +
 fs/ocfs2/quota_global.c                            |   2 +-
 fs/pstore/ram.c                                    |  11 +
 fs/quota/dquot.c                                   |  11 +-
 fs/xfs/xfs_quotaops.c                              |   3 +
 include/linux/futex.h                              |   7 +-
 include/linux/hrtimer.h                            |   6 +-
 include/linux/jbd2.h                               |   4 +-
 include/linux/netdevice.h                          |   5 +
 include/linux/quotaops.h                           |  10 +
 include/linux/regulator/ab8500.h                   |   3 -
 include/linux/time.h                               |  12 +
 include/net/ip.h                                   |   5 +
 include/net/tcp.h                                  |  38 +-
 kernel/futex.c                                     |  49 +-
 kernel/futex_compat.c                              |   5 +-
 kernel/hrtimer.c                                   |  26 +-
 kernel/time/timer_list.c                           |   8 +-
 kernel/workqueue.c                                 |  28 +-
 net/bluetooth/hci_core.c                           |  11 +-
 net/bluetooth/l2cap_core.c                         |   4 +-
 net/bridge/br_device.c                             |   6 +
 net/core/dev.c                                     |   3 +-
 net/ipv4/devinet.c                                 |   5 -
 net/ipv4/inetpeer.c                                |  12 +-
 net/ipv4/ip_output.c                               |  14 +-
 net/ipv4/tcp_output.c                              |   5 +-
 net/openvswitch/datapath.c                         |  11 +-
 net/socket.c                                       |   1 +
 net/sunrpc/cache.c                                 |   5 -
 scripts/package/builddeb                           |   2 +-
 sound/core/oss/linear.c                            |   2 +
 sound/core/oss/mulaw.c                             |   2 +
 sound/core/oss/route.c                             |   2 +
 sound/isa/cs423x/cs4236.c                          |   3 +-
 sound/soc/soc-jack.c                               |   3 +-
 tools/lib/traceevent/parse-filter.c                |   9 +-
 tools/perf/util/dwarf-aux.c                        |  88 ++-
 tools/perf/util/dwarf-aux.h                        |   6 +
 tools/perf/util/perf_regs.h                        |   2 +-
 tools/perf/util/probe-finder.c                     |  70 ++-
 .../cpupower/utils/idle_monitor/hsw_ext_idle.c     |   1 -
 149 files changed, 988 insertions(+), 1227 deletions(-)

-- 
Ben Hutchings
It's easier to fight for one's principles than to live up to them.


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 001/148] ALSA: line6: Drop superfluous snd_device for PCM
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 002/148] ALSA: line6: Fix memory leak at line6_init_pcm() error path Ben Hutchings
                   ` (147 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Chris Rorvick

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit b45a7c565473d29bd7e02ac8ca86232a24ca247f upstream.

Instead of handling the card-specific resource in snd_device, attach
it into pcm->private_data and release it directly in private_free.
This simplifies the code and structure.

Tested-by: Chris Rorvick <chris@rorvick.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16 as dependency of commit 1bc8d18c75fe
 "ALSA: line6: Fix memory leak at line6_init_pcm() error path"]
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/line6/pcm.c | 53 ++++++++++++++++---------------------------
 1 file changed, 19 insertions(+), 34 deletions(-)

--- a/drivers/staging/line6/pcm.c
+++ b/drivers/staging/line6/pcm.c
@@ -345,24 +345,21 @@ static void line6_cleanup_pcm(struct snd
 			usb_free_urb(line6pcm->urb_audio_in[i]);
 		}
 	}
+	kfree(line6pcm);
 }
 
 /* create a PCM device */
-static int snd_line6_new_pcm(struct snd_line6_pcm *line6pcm)
+static int snd_line6_new_pcm(struct usb_line6 *line6, struct snd_pcm **pcm_ret)
 {
 	struct snd_pcm *pcm;
 	int err;
 
-	err = snd_pcm_new(line6pcm->line6->card,
-			  (char *)line6pcm->line6->properties->name,
-			  0, 1, 1, &pcm);
+	err = snd_pcm_new(line6->card, (char *)line6->properties->name,
+			  0, 1, 1, pcm_ret);
 	if (err < 0)
 		return err;
-
-	pcm->private_data = line6pcm;
-	pcm->private_free = line6_cleanup_pcm;
-	line6pcm->pcm = pcm;
-	strcpy(pcm->name, line6pcm->line6->properties->name);
+	pcm = *pcm_ret;
+	strcpy(pcm->name, line6->properties->name);
 
 	/* set operators */
 	snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK,
@@ -374,13 +371,6 @@ static int snd_line6_new_pcm(struct snd_
 					      snd_dma_continuous_data
 					      (GFP_KERNEL), 64 * 1024,
 					      128 * 1024);
-
-	return 0;
-}
-
-/* PCM device destructor */
-static int snd_line6_pcm_free(struct snd_device *device)
-{
 	return 0;
 }
 
@@ -416,12 +406,9 @@ void line6_pcm_disconnect(struct snd_lin
 int line6_init_pcm(struct usb_line6 *line6,
 		   struct line6_pcm_properties *properties)
 {
-	static struct snd_device_ops pcm_ops = {
-		.dev_free = snd_line6_pcm_free,
-	};
-
 	int err;
 	int ep_read = 0, ep_write = 0;
+	struct snd_pcm *pcm;
 	struct snd_line6_pcm *line6pcm;
 
 	if (!(line6->properties->capabilities & LINE6_BIT_PCM))
@@ -475,11 +462,16 @@ int line6_init_pcm(struct usb_line6 *lin
 		MISSING_CASE;
 	}
 
-	line6pcm = kzalloc(sizeof(*line6pcm), GFP_KERNEL);
+	err = snd_line6_new_pcm(line6, &pcm);
+	if (err < 0)
+		return err;
 
-	if (line6pcm == NULL)
+	line6pcm = kzalloc(sizeof(*line6pcm), GFP_KERNEL);
+	if (!line6pcm)
 		return -ENOMEM;
 
+	line6pcm->pcm = pcm;
+	line6pcm->properties = properties;
 	line6pcm->volume_playback[0] = line6pcm->volume_playback[1] = 255;
 	line6pcm->volume_monitor = 255;
 	line6pcm->line6 = line6;
@@ -498,22 +490,15 @@ int line6_init_pcm(struct usb_line6 *lin
 		return -EINVAL;
 	}
 
-	line6pcm->properties = properties;
-	line6->line6pcm = line6pcm;
-
-	/* PCM device: */
-	err = snd_device_new(line6->card, SNDRV_DEV_PCM, line6, &pcm_ops);
-	if (err < 0)
-		return err;
-
-	err = snd_line6_new_pcm(line6pcm);
-	if (err < 0)
-		return err;
-
 	spin_lock_init(&line6pcm->lock_audio_out);
 	spin_lock_init(&line6pcm->lock_audio_in);
 	spin_lock_init(&line6pcm->lock_trigger);
 
+	line6->line6pcm = line6pcm;
+
+	pcm->private_data = line6pcm;
+	pcm->private_free = line6_cleanup_pcm;
+
 	err = line6_create_audio_out_urbs(line6pcm);
 	if (err < 0)
 		return err;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 002/148] ALSA: line6: Fix memory leak at line6_init_pcm() error path
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 001/148] ALSA: line6: Drop superfluous snd_device for PCM Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 003/148] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 Ben Hutchings
                   ` (146 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream.

I forgot to release the allocated object at the early error path in
line6_init_pcm().  For addressing it, slightly shuffle the code so
that the PCM destructor (pcm->private_free) is assigned properly
before all error paths.

Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/line6/pcm.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/staging/line6/pcm.c
+++ b/drivers/staging/line6/pcm.c
@@ -478,6 +478,15 @@ int line6_init_pcm(struct usb_line6 *lin
 	line6pcm->ep_audio_read = ep_read;
 	line6pcm->ep_audio_write = ep_write;
 
+	spin_lock_init(&line6pcm->lock_audio_out);
+	spin_lock_init(&line6pcm->lock_audio_in);
+	spin_lock_init(&line6pcm->lock_trigger);
+
+	line6->line6pcm = line6pcm;
+
+	pcm->private_data = line6pcm;
+	pcm->private_free = line6_cleanup_pcm;
+
 	/* Read and write buffers are sized identically, so choose minimum */
 	line6pcm->max_packet_size = min(
 			usb_maxpacket(line6->usbdev,
@@ -490,15 +499,6 @@ int line6_init_pcm(struct usb_line6 *lin
 		return -EINVAL;
 	}
 
-	spin_lock_init(&line6pcm->lock_audio_out);
-	spin_lock_init(&line6pcm->lock_audio_in);
-	spin_lock_init(&line6pcm->lock_trigger);
-
-	line6->line6pcm = line6pcm;
-
-	pcm->private_data = line6pcm;
-	pcm->private_free = line6_cleanup_pcm;
-
 	err = line6_create_audio_out_urbs(line6pcm);
 	if (err < 0)
 		return err;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 003/148] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 001/148] ALSA: line6: Drop superfluous snd_device for PCM Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 002/148] ALSA: line6: Fix memory leak at line6_init_pcm() error path Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 004/148] pstore/ram: Write new dumps to start of recycled zones Ben Hutchings
                   ` (145 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Torvalds, H.J. Lu, Woody Suwalski

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "H.J. Lu" <hjl.tools@gmail.com>

commit b21ebf2fb4cde1618915a97cc773e287ff49173e upstream.

On i386, there are 2 types of PLTs, PIC and non-PIC.  PIE and shared
objects must use PIC PLT.  To use PIC PLT, you need to load
_GLOBAL_OFFSET_TABLE_ into EBX first.  There is no need for that on
x86-64 since x86-64 uses PC-relative PLT.

On x86-64, for 32-bit PC-relative branches, we can generate PLT32
relocation, instead of PC32 relocation, which can also be used as
a marker for 32-bit PC-relative branches.  Linker can always reduce
PLT32 relocation to PC32 if function is defined locally.   Local
functions should use PC32 relocation.  As far as Linux kernel is
concerned, R_X86_64_PLT32 can be treated the same as R_X86_64_PC32
since Linux kernel doesn't use PLT.

R_X86_64_PLT32 for 32-bit PC-relative branches has been enabled in
binutils master branch which will become binutils 2.31.

[ hjl is working on having better documentation on this all, but a few
  more notes from him:

   "PLT32 relocation is used as marker for PC-relative branches. Because
    of EBX, it looks odd to generate PLT32 relocation on i386 when EBX
    doesn't have GOT.

    As for symbol resolution, PLT32 and PC32 relocations are almost
    interchangeable. But when linker sees PLT32 relocation against a
    protected symbol, it can resolved locally at link-time since it is
    used on a branch instruction. Linker can't do that for PC32
    relocation"

  but for the kernel use, the two are basically the same, and this
  commit gets things building and working with the current binutils
  master   - Linus ]

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[Woody Suwalski: Backported to 3.16]
Signed-off-by: Woody Suwalski <terraluna977@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/module.c
+++ b/arch/x86/kernel/module.c
@@ -180,6 +180,7 @@ int apply_relocate_add(Elf64_Shdr *sechd
 				goto overflow;
 			break;
 		case R_X86_64_PC32:
+		case R_X86_64_PLT32:
 			val -= (u64)loc;
 			*(u32 *)loc = val;
 #if 0
--- a/arch/x86/tools/relocs.c
+++ b/arch/x86/tools/relocs.c
@@ -763,6 +763,7 @@ static int do_reloc64(struct section *se
 	switch (r_type) {
 	case R_X86_64_NONE:
 	case R_X86_64_PC32:
+	case R_X86_64_PLT32:
 		/*
 		 * NONE can be ignored and PC relative relocations don't
 		 * need to be adjusted.


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 004/148] pstore/ram: Write new dumps to start of recycled zones
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 003/148] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 005/148] net: davinci_cpdma: use dma_addr_t for DMA address Ben Hutchings
                   ` (144 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kees Cook, Ariel Gilman, Aleksandr Yashkin,
	Nikolay Merinov

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksandr Yashkin <a.yashkin@inango-systems.com>

commit 9e5f1c19800b808a37fb9815a26d382132c26c3d upstream.

The ram_core.c routines treat przs as circular buffers. When writing a
new crash dump, the old buffer needs to be cleared so that the new dump
doesn't end up in the wrong place (i.e. at the end).

The solution to this problem is to reset the circular buffer state before
writing a new Oops dump.

Signed-off-by: Aleksandr Yashkin <a.yashkin@inango-systems.com>
Signed-off-by: Nikolay Merinov <n.merinov@inango-systems.com>
Signed-off-by: Ariel Gilman <a.gilman@inango-systems.com>
Link: https://lore.kernel.org/r/20191223133816.28155-1-n.merinov@inango-systems.com
Fixes: 896fc1f0c4c6 ("pstore/ram: Switch to persistent_ram routines")
[kees: backport to v4.9]
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/pstore/ram.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -273,6 +273,17 @@ static int notrace ramoops_pstore_write_
 
 	prz = cxt->przs[cxt->dump_write_cnt];
 
+	/*
+	 * Since this is a new crash dump, we need to reset the buffer in
+	 * case it still has an old dump present. Without this, the new dump
+	 * will get appended, which would seriously confuse anything trying
+	 * to check dump file contents. Specifically, ramoops_read_kmsg_hdr()
+	 * expects to find a dump header in the beginning of buffer data, so
+	 * we must to reset the buffer values, in order to ensure that the
+	 * header will be written to the beginning of the buffer.
+	 */
+	persistent_ram_zap(prz);
+
 	hlen = ramoops_write_kmsg_hdr(prz, compressed);
 	if (size + hlen > prz->buffer_size)
 		size = prz->buffer_size - hlen;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 005/148] net: davinci_cpdma: use dma_addr_t for DMA address
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 004/148] pstore/ram: Write new dumps to start of recycled zones Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 006/148] stmmac: fix oversized frame reception Ben Hutchings
                   ` (143 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Pavel Machek, Daniel Wagner,
	David S. Miller

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 84092996673211f16ef3b942a191d7952e9dfea9 upstream.

The davinci_cpdma mixes up physical addresses as seen from the CPU
and DMA addresses as seen from a DMA master, since it can operate
on both normal memory or an on-chip buffer. If dma_addr_t is
different from phys_addr_t, this means we get a compile-time warning
about the type mismatch:

ethernet/ti/davinci_cpdma.c: In function 'cpdma_desc_pool_create':
ethernet/ti/davinci_cpdma.c:182:48: error: passing argument 3 of 'dma_alloc_coherent' from incompatible pointer type [-Werror=incompatible-pointer-types]
   pool->cpumap = dma_alloc_coherent(dev, size, &pool->phys,
In file included from ethernet/ti/davinci_cpdma.c:21:0:
dma-mapping.h:398:21: note: expected 'dma_addr_t * {aka long long unsigned int *}' but argument is of type 'phys_addr_t * {aka unsigned int *}'
 static inline void *dma_alloc_coherent(struct device *dev, size_t size,

This slightly restructures the code so the address we use for
mapping RAM into a DMA address is always a dma_addr_t, avoiding
the warning. The code is correct even if both types are 32-bit
because the DMA master in this device only supports 32-bit addressing
anyway, independent of the types that are used.

We still assign this value to pool->phys, and that is wrong if
the driver is ever used with an IOMMU, but that value appears to
be never used, so there is no problem really. I've added a couple
of comments about where we do things that are slightly violating
the API.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Daniel Wagner <dwagner@suse.de>
Cc: Pavel Machek <pavel@denx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/ti/davinci_cpdma.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/ti/davinci_cpdma.c
+++ b/drivers/net/ethernet/ti/davinci_cpdma.c
@@ -82,7 +82,7 @@ struct cpdma_desc {
 
 struct cpdma_desc_pool {
 	phys_addr_t		phys;
-	u32			hw_addr;
+	dma_addr_t		hw_addr;
 	void __iomem		*iomap;		/* ioremap map */
 	void			*cpumap;	/* dma_alloc map */
 	int			desc_size, mem_size;
@@ -152,7 +152,7 @@ struct cpdma_chan {
  * abstract out these details
  */
 static struct cpdma_desc_pool *
-cpdma_desc_pool_create(struct device *dev, u32 phys, u32 hw_addr,
+cpdma_desc_pool_create(struct device *dev, u32 phys, dma_addr_t hw_addr,
 				int size, int align)
 {
 	int bitmap_size;
@@ -176,13 +176,13 @@ cpdma_desc_pool_create(struct device *de
 
 	if (phys) {
 		pool->phys  = phys;
-		pool->iomap = ioremap(phys, size);
+		pool->iomap = ioremap(phys, size); /* should be memremap? */
 		pool->hw_addr = hw_addr;
 	} else {
-		pool->cpumap = dma_alloc_coherent(dev, size, &pool->phys,
+		pool->cpumap = dma_alloc_coherent(dev, size, &pool->hw_addr,
 						  GFP_KERNEL);
-		pool->iomap = pool->cpumap;
-		pool->hw_addr = pool->phys;
+		pool->iomap = (void __iomem __force *)pool->cpumap;
+		pool->phys = pool->hw_addr; /* assumes no IOMMU, don't use this value */
 	}
 
 	if (pool->iomap)


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 006/148] stmmac: fix oversized frame reception
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 005/148] net: davinci_cpdma: use dma_addr_t for DMA address Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 007/148] net: stmmac: use correct DMA buffer size in the RX descriptor Ben Hutchings
                   ` (142 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Giuseppe CAVALLARO, David S. Miller,
	Alexandre TORGUE

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Giuseppe CAVALLARO <peppe.cavallaro@st.com>

commit e527c4a769d375ac0472450c52bde29087f49cd9 upstream.

The receive skb buffers can be preallocated when the link is opened
according to mtu size.
While testing on a network environment with not standard MTU (e.g. 3000),
a panic occurred if an incoming packet had a length greater than rx skb
buffer size. This is because the HW is programmed to copy, from the DMA,
an Jumbo frame and the Sw must check if the allocated buffer is enough to
store the frame.

Signed-off-by: Alexandre TORGUE <alexandre.torgue@st.com>
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2120,6 +2120,12 @@ static int stmmac_rx(struct stmmac_priv
 
 			frame_len = priv->hw->desc->get_rx_frame_len(p, coe);
 
+			/*  check if frame_len fits the preallocated memory */
+			if (frame_len > priv->dma_buf_sz) {
+				priv->dev->stats.rx_length_errors++;
+				break;
+			}
+
 			/* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3
 			 * Type frames (LLC/LLC-SNAP)
 			 */


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 007/148] net: stmmac: use correct DMA buffer size in the RX descriptor
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 006/148] stmmac: fix oversized frame reception Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 008/148] net: stmmac: don't stop NAPI processing when dropping a packet Ben Hutchings
                   ` (141 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Aaro Koskinen, Aviraj CJ, David S. Miller

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@nokia.com>

commit 583e6361414903c5206258a30e5bd88cb03c0254 upstream.

We always program the maximum DMA buffer size into the receive descriptor,
although the allocated size may be less. E.g. with the default MTU size
we allocate only 1536 bytes. If somebody sends us a bigger frame, then
memory may get corrupted.

Fix by using exact buffer sizes.

Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[acj: backport to v4.4 -stable :
- Modified patch since v4.4 driver has no support for Big endian
- Skipped the section modifying non-existent functions in dwmac4_descs.c and
dwxgmac2_descs.c ]
Signed-off-by: Aviraj CJ <acj@cisco.com>
[bwh: For 3.16, don't subtract 1 from BUF_SIZE_8KiB because I already
 backported commit 8137b6ef0ce4 "net: stmmac: Fix RX packet size > 8191".
 Also fold in commit f87db4dbd52f "net: stmmac: Use bfsize1 in
 ndesc_init_rx_desc".]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/stmicro/stmmac/common.h      |  2 +-
 drivers/net/ethernet/stmicro/stmmac/descs_com.h   | 14 ++++++++++----
 drivers/net/ethernet/stmicro/stmmac/enh_desc.c    | 10 +++++++---
 drivers/net/ethernet/stmicro/stmmac/norm_desc.c   | 10 +++++++---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |  4 ++--
 5 files changed, 27 insertions(+), 13 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -298,7 +298,7 @@ struct dma_features {
 struct stmmac_desc_ops {
 	/* DMA RX descriptor ring initialization */
 	void (*init_rx_desc) (struct dma_desc *p, int disable_rx_ic, int mode,
-			      int end);
+			      int end, int bfsize);
 	/* DMA TX descriptor ring initialization */
 	void (*init_tx_desc) (struct dma_desc *p, int mode, int end);
 
--- a/drivers/net/ethernet/stmicro/stmmac/descs_com.h
+++ b/drivers/net/ethernet/stmicro/stmmac/descs_com.h
@@ -33,9 +33,10 @@
 /* Specific functions used for Ring mode */
 
 /* Enhanced descriptors */
-static inline void ehn_desc_rx_set_on_ring(struct dma_desc *p, int end)
+static inline void ehn_desc_rx_set_on_ring(struct dma_desc *p, int end, int bfsize)
 {
-	p->des01.erx.buffer2_size = BUF_SIZE_8KiB;
+	if (bfsize == BUF_SIZE_16KiB)
+		p->des01.erx.buffer2_size = BUF_SIZE_8KiB;
 	if (end)
 		p->des01.erx.end_ring = 1;
 }
@@ -61,9 +62,14 @@ static inline void enh_set_tx_desc_len_o
 }
 
 /* Normal descriptors */
-static inline void ndesc_rx_set_on_ring(struct dma_desc *p, int end)
+static inline void ndesc_rx_set_on_ring(struct dma_desc *p, int end, int bfsize)
 {
-	p->des01.rx.buffer2_size = BUF_SIZE_2KiB - 1;
+	int size;
+
+	if (bfsize >= BUF_SIZE_2KiB) {
+		size = min(bfsize - BUF_SIZE_2KiB + 1, BUF_SIZE_2KiB - 1);
+		p->des01.rx.buffer2_size = size;
+	}
 	if (end)
 		p->des01.rx.end_ring = 1;
 }
--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
@@ -238,16 +238,20 @@ static int enh_desc_get_rx_status(void *
 }
 
 static void enh_desc_init_rx_desc(struct dma_desc *p, int disable_rx_ic,
-				  int mode, int end)
+				  int mode, int end, int bfsize)
 {
+	int bfsize1;
+
 	p->des01.all_flags = 0;
 	p->des01.erx.own = 1;
-	p->des01.erx.buffer1_size = BUF_SIZE_8KiB;
+
+	bfsize1 = min(bfsize, BUF_SIZE_8KiB);
+	p->des01.erx.buffer1_size = bfsize1;
 
 	if (mode == STMMAC_CHAIN_MODE)
 		ehn_desc_rx_set_on_chain(p, end);
 	else
-		ehn_desc_rx_set_on_ring(p, end);
+		ehn_desc_rx_set_on_ring(p, end, bfsize);
 
 	if (disable_rx_ic)
 		p->des01.erx.disable_ic = 1;
--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
@@ -121,16 +121,20 @@ static int ndesc_get_rx_status(void *dat
 }
 
 static void ndesc_init_rx_desc(struct dma_desc *p, int disable_rx_ic, int mode,
-			       int end)
+			       int end, int bfsize)
 {
+	int bfsize1;
+
 	p->des01.all_flags = 0;
 	p->des01.rx.own = 1;
-	p->des01.rx.buffer1_size = BUF_SIZE_2KiB - 1;
+
+	bfsize1 = min(bfsize, (BUF_SIZE_2KiB - 1));
+	p->des01.rx.buffer1_size = bfsize1;
 
 	if (mode == STMMAC_CHAIN_MODE)
 		ndesc_rx_set_on_chain(p, end);
 	else
-		ndesc_rx_set_on_ring(p, end);
+		ndesc_rx_set_on_ring(p, end, bfsize);
 
 	if (disable_rx_ic)
 		p->des01.rx.disable_ic = 1;
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -933,11 +933,11 @@ static void stmmac_clear_descriptors(str
 		if (priv->extend_desc)
 			priv->hw->desc->init_rx_desc(&priv->dma_erx[i].basic,
 						     priv->use_riwt, priv->mode,
-						     (i == rxsize - 1));
+						     (i == rxsize - 1), priv->dma_buf_sz);
 		else
 			priv->hw->desc->init_rx_desc(&priv->dma_rx[i],
 						     priv->use_riwt, priv->mode,
-						     (i == rxsize - 1));
+						     (i == rxsize - 1), priv->dma_buf_sz);
 	for (i = 0; i < txsize; i++)
 		if (priv->extend_desc)
 			priv->hw->desc->init_tx_desc(&priv->dma_etx[i].basic,


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 008/148] net: stmmac: don't stop NAPI processing when dropping a packet
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 007/148] net: stmmac: use correct DMA buffer size in the RX descriptor Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 009/148] workqueue: Fix spurious sanity check failures in destroy_workqueue() Ben Hutchings
                   ` (140 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Aviraj CJ, Aaro Koskinen, David S. Miller

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@nokia.com>

commit 07b3975352374c3f5ebb4a42ef0b253fe370542d upstream.

Currently, if we drop a packet, we exit from NAPI loop before the budget
is consumed. In some situations this will make the RX processing stall
e.g. when flood pinging the system with oversized packets, as the
errorneous packets are not dropped efficiently.

If we drop a packet, we should just continue to the next one as long as
the budget allows.

Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[acj: backport v4.4 -stable
-adjust context]
Signed-off-by: Aviraj CJ <acj@cisco.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2060,8 +2060,7 @@ static inline void stmmac_rx_refill(stru
 static int stmmac_rx(struct stmmac_priv *priv, int limit)
 {
 	unsigned int rxsize = priv->dma_rx_size;
-	unsigned int entry = priv->cur_rx % rxsize;
-	unsigned int next_entry;
+	unsigned int next_entry = priv->cur_rx % rxsize;
 	unsigned int count = 0;
 	int coe = priv->plat->rx_coe;
 
@@ -2073,9 +2072,11 @@ static int stmmac_rx(struct stmmac_priv
 			stmmac_display_ring((void *)priv->dma_rx, rxsize, 0);
 	}
 	while (count < limit) {
-		int status;
+		int status, entry;
 		struct dma_desc *p;
 
+		entry = next_entry;
+
 		if (priv->extend_desc)
 			p = (struct dma_desc *)(priv->dma_erx + entry);
 		else
@@ -2123,7 +2124,7 @@ static int stmmac_rx(struct stmmac_priv
 			/*  check if frame_len fits the preallocated memory */
 			if (frame_len > priv->dma_buf_sz) {
 				priv->dev->stats.rx_length_errors++;
-				break;
+				continue;
 			}
 
 			/* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3
@@ -2144,7 +2145,7 @@ static int stmmac_rx(struct stmmac_priv
 				pr_err("%s: Inconsistent Rx descriptor chain\n",
 				       priv->dev->name);
 				priv->dev->stats.rx_dropped++;
-				break;
+				continue;
 			}
 			prefetch(skb->data - NET_IP_ALIGN);
 			priv->rx_skbuff[entry] = NULL;
@@ -2175,7 +2176,6 @@ static int stmmac_rx(struct stmmac_priv
 			priv->dev->stats.rx_packets++;
 			priv->dev->stats.rx_bytes += frame_len;
 		}
-		entry = next_entry;
 	}
 
 	stmmac_rx_refill(priv);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 009/148] workqueue: Fix spurious sanity check failures in destroy_workqueue()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 008/148] net: stmmac: don't stop NAPI processing when dropping a packet Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 010/148] ath9k_hw: fix uninitialized variable data Ben Hutchings
                   ` (139 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Tejun Heo, Williams, Gerald S, Marcin Pawlowski

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit def98c84b6cdf2eeea19ec5736e90e316df5206b upstream.

Before actually destrying a workqueue, destroy_workqueue() checks
whether it's actually idle.  If it isn't, it prints out a bunch of
warning messages and leaves the workqueue dangling.  It unfortunately
has a couple issues.

* Mayday list queueing increments pwq's refcnts which gets detected as
  busy and fails the sanity checks.  However, because mayday list
  queueing is asynchronous, this condition can happen without any
  actual work items left in the workqueue.

* Sanity check failure leaves the sysfs interface behind too which can
  lead to init failure of newer instances of the workqueue.

This patch fixes the above two by

* If a workqueue has a rescuer, disable and kill the rescuer before
  sanity checks.  Disabling and killing is guaranteed to flush the
  existing mayday list.

* Remove sysfs interface before sanity checks.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Marcin Pawlowski <mpawlowski@fb.com>
Reported-by: "Williams, Gerald S" <gerald.s.williams@intel.com>
[bwh: Backported to 3.16: destroy_workqueue() also freed wq->rescuer itself]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4266,9 +4266,29 @@ void destroy_workqueue(struct workqueue_
 	struct pool_workqueue *pwq;
 	int node;
 
+	/*
+	 * Remove it from sysfs first so that sanity check failure doesn't
+	 * lead to sysfs name conflicts.
+	 */
+	workqueue_sysfs_unregister(wq);
+
 	/* drain it before proceeding with destruction */
 	drain_workqueue(wq);
 
+	/* kill rescuer, if sanity checks fail, leave it w/o rescuer */
+	if (wq->rescuer) {
+		struct worker *rescuer = wq->rescuer;
+
+		/* this prevents new queueing */
+		spin_lock_irq(&wq_mayday_lock);
+		wq->rescuer = NULL;
+		spin_unlock_irq(&wq_mayday_lock);
+
+		/* rescuer will empty maydays list before exiting */
+		kthread_stop(rescuer->task);
+		kfree(rescuer);
+	}
+
 	/* sanity checks */
 	mutex_lock(&wq->mutex);
 	for_each_pwq(pwq, wq) {
@@ -4298,14 +4318,6 @@ void destroy_workqueue(struct workqueue_
 	list_del_init(&wq->list);
 	mutex_unlock(&wq_pool_mutex);
 
-	workqueue_sysfs_unregister(wq);
-
-	if (wq->rescuer) {
-		kthread_stop(wq->rescuer->task);
-		kfree(wq->rescuer);
-		wq->rescuer = NULL;
-	}
-
 	if (!(wq->flags & WQ_UNBOUND)) {
 		/*
 		 * The base ref is never dropped on per-cpu pwqs.  Directly


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 010/148] ath9k_hw: fix uninitialized variable data
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 009/148] workqueue: Fix spurious sanity check failures in destroy_workqueue() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 011/148] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init Ben Hutchings
                   ` (138 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, John W. Linville,
	Denis Efremov, Kalle Valo, Rajkumar Manoharan

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Denis Efremov <efremov@linux.com>

commit 80e84f36412e0c5172447b6947068dca0d04ee82 upstream.

Currently, data variable in ar9003_hw_thermo_cal_apply() could be
uninitialized if ar9300_otp_read_word() will fail to read the value.
Initialize data variable with 0 to prevent an undefined behavior. This
will be enough to handle error case when ar9300_otp_read_word() fails.

Fixes: 80fe43f2bbd5 ("ath9k_hw: Read and configure thermocal for AR9462")
Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Cc: John W. Linville <linville@tuxdriver.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -4107,7 +4107,7 @@ static void ar9003_hw_thermometer_apply(
 
 static void ar9003_hw_thermo_cal_apply(struct ath_hw *ah)
 {
-	u32 data, ko, kg;
+	u32 data = 0, ko, kg;
 
 	if (!AR_SREV_9462_20_OR_LATER(ah))
 		return;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 011/148] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 010/148] ath9k_hw: fix uninitialized variable data Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 012/148] pinctrl: samsung: Fix device node refcount leaks in S3C64xx " Ben Hutchings
                   ` (137 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Krzysztof Kozlowski

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@kernel.org>

commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream.

In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a
break to find a matching child node.  Although each iteration of
for_each_child_of_node puts the previous node, but early exit from loop
misses it.  This leads to leak of device node.

Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pinctrl/pinctrl-s3c24xx.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/pinctrl/pinctrl-s3c24xx.c
+++ b/drivers/pinctrl/pinctrl-s3c24xx.c
@@ -497,8 +497,10 @@ static int s3c24xx_eint_init(struct sams
 		return -ENODEV;
 
 	eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL);
-	if (!eint_data)
+	if (!eint_data) {
+		of_node_put(eint_np);
 		return -ENOMEM;
+	}
 
 	eint_data->drvdata = d;
 
@@ -510,6 +512,7 @@ static int s3c24xx_eint_init(struct sams
 		irq = irq_of_parse_and_map(eint_np, i);
 		if (!irq) {
 			dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
+			of_node_put(eint_np);
 			return -ENXIO;
 		}
 
@@ -517,6 +520,7 @@ static int s3c24xx_eint_init(struct sams
 		irq_set_chained_handler(irq, handlers[i]);
 		irq_set_handler_data(irq, eint_data);
 	}
+	of_node_put(eint_np);
 
 	bank = d->ctrl->pin_banks;
 	for (i = 0; i < d->ctrl->nr_banks; ++i, ++bank) {


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 012/148] pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 011/148] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 013/148] media: ov6650: Fix incorrect use of JPEG colorspace Ben Hutchings
                   ` (136 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Krzysztof Kozlowski

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@kernel.org>

commit 7f028caadf6c37580d0f59c6c094ed09afc04062 upstream.

In s3c64xx_eint_eint0_init() the for_each_child_of_node() loop is used
with a break to find a matching child node.  Although each iteration of
for_each_child_of_node puts the previous node, but early exit from loop
misses it.  This leads to leak of device node.

Fixes: 61dd72613177 ("pinctrl: Add pinctrl-s3c64xx driver")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/pinctrl/pinctrl-s3c64xx.c
+++ b/drivers/pinctrl/pinctrl-s3c64xx.c
@@ -718,6 +718,7 @@ static int s3c64xx_eint_eint0_init(struc
 	data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL);
 	if (!data) {
 		dev_err(dev, "could not allocate memory for wkup eint data\n");
+		of_node_put(eint0_np);
 		return -ENOMEM;
 	}
 	data->drvdata = d;
@@ -728,12 +729,14 @@ static int s3c64xx_eint_eint0_init(struc
 		irq = irq_of_parse_and_map(eint0_np, i);
 		if (!irq) {
 			dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
+			of_node_put(eint0_np);
 			return -ENXIO;
 		}
 
 		irq_set_chained_handler(irq, s3c64xx_eint0_handlers[i]);
 		irq_set_handler_data(irq, data);
 	}
+	of_node_put(eint0_np);
 
 	bank = d->ctrl->pin_banks;
 	for (i = 0; i < d->ctrl->nr_banks; ++i, ++bank) {


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 013/148] media: ov6650: Fix incorrect use of JPEG colorspace
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 012/148] pinctrl: samsung: Fix device node refcount leaks in S3C64xx " Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 014/148] media: ov6650: Fix stored frame format not in sync with hardware Ben Hutchings
                   ` (135 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Janusz Krzysztofik, Sakari Ailus,
	Mauro Carvalho Chehab

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Janusz Krzysztofik <jmkrzyszt@gmail.com>

commit 12500731895ef09afc5b66b86b76c0884fb9c7bf upstream.

Since its initial submission, the driver selects V4L2_COLORSPACE_JPEG
for supported formats other than V4L2_MBUS_FMT_SBGGR8_1X8.  According
to v4l2-compliance test program, V4L2_COLORSPACE_JPEG applies
exclusively to V4L2_PIX_FMT_JPEG.  Since the sensor does not support
JPEG format, fix it to always select V4L2_COLORSPACE_SRGB.

Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/i2c/soc_camera/ov6650.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

--- a/drivers/media/i2c/soc_camera/ov6650.c
+++ b/drivers/media/i2c/soc_camera/ov6650.c
@@ -203,7 +203,6 @@ struct ov6650 {
 	unsigned long		pclk_max;	/* from resolution and format */
 	struct v4l2_fract	tpf;		/* as requested with s_parm */
 	enum v4l2_mbus_pixelcode code;
-	enum v4l2_colorspace	colorspace;
 };
 
 
@@ -508,7 +507,7 @@ static int ov6650_g_fmt(struct v4l2_subd
 	mf->width	= priv->rect.width >> priv->half_scale;
 	mf->height	= priv->rect.height >> priv->half_scale;
 	mf->code	= priv->code;
-	mf->colorspace	= priv->colorspace;
+	mf->colorspace	= V4L2_COLORSPACE_SRGB;
 	mf->field	= V4L2_FIELD_NONE;
 
 	return 0;
@@ -619,11 +618,6 @@ static int ov6650_s_fmt(struct v4l2_subd
 		priv->pclk_max = 8000000;
 	}
 
-	if (code == V4L2_MBUS_FMT_SBGGR8_1X8)
-		priv->colorspace = V4L2_COLORSPACE_SRGB;
-	else if (code != 0)
-		priv->colorspace = V4L2_COLORSPACE_JPEG;
-
 	if (half_scale) {
 		dev_dbg(&client->dev, "max resolution: QCIF\n");
 		coma_set |= COMA_QCIF;
@@ -676,7 +670,6 @@ static int ov6650_s_fmt(struct v4l2_subd
 		ret = ov6650_reg_rmw(client, REG_COML, coml_set, coml_mask);
 
 	if (!ret) {
-		mf->colorspace	= priv->colorspace;
 		mf->width = priv->rect.width >> half_scale;
 		mf->height = priv->rect.height >> half_scale;
 	}
@@ -695,6 +688,7 @@ static int ov6650_try_fmt(struct v4l2_su
 				&mf->height, 2, H_CIF, 1, 0);
 
 	mf->field = V4L2_FIELD_NONE;
+	mf->colorspace = V4L2_COLORSPACE_SRGB;
 
 	switch (mf->code) {
 	case V4L2_MBUS_FMT_Y10_1X10:
@@ -704,12 +698,10 @@ static int ov6650_try_fmt(struct v4l2_su
 	case V4L2_MBUS_FMT_YUYV8_2X8:
 	case V4L2_MBUS_FMT_VYUY8_2X8:
 	case V4L2_MBUS_FMT_UYVY8_2X8:
-		mf->colorspace = V4L2_COLORSPACE_JPEG;
 		break;
 	default:
 		mf->code = V4L2_MBUS_FMT_SBGGR8_1X8;
 	case V4L2_MBUS_FMT_SBGGR8_1X8:
-		mf->colorspace = V4L2_COLORSPACE_SRGB;
 		break;
 	}
 
@@ -1016,7 +1008,6 @@ static int ov6650_probe(struct i2c_clien
 	priv->rect.height = H_CIF;
 	priv->half_scale  = false;
 	priv->code	  = V4L2_MBUS_FMT_YUYV8_2X8;
-	priv->colorspace  = V4L2_COLORSPACE_JPEG;
 
 	priv->clk = v4l2_clk_get(&client->dev, "mclk");
 	if (IS_ERR(priv->clk)) {


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 014/148] media: ov6650: Fix stored frame format not in sync with hardware
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 013/148] media: ov6650: Fix incorrect use of JPEG colorspace Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 015/148] tools/power/cpupower: Fix initializer override in hsw_ext_cstates Ben Hutchings
                   ` (134 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Sakari Ailus,
	Janusz Krzysztofik

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Janusz Krzysztofik <jmkrzyszt@gmail.com>

commit 3143b459de4cdcce67b36827476c966e93c1cf01 upstream.

The driver stores frame format settings supposed to be in line with
hardware state in a device private structure.  Since the driver initial
submission, those settings are updated before they are actually applied
on hardware.  If an error occurs on device update, the stored settings
my not reflect hardware state anymore and consecutive calls to
.get_fmt() may return incorrect information.  That in turn may affect
ability of a bridge device to use correct DMA transfer settings if such
incorrect informmation on active frame format returned by .get_fmt() is
used.

Assuming a failed device update means its state hasn't changed, update
frame format related settings stored in the device private structure
only after they are successfully applied so the stored values always
reflect hardware state as closely as possible.

Fixes: 2f6e2404799a ("[media] SoC Camera: add driver for OV6650 sensor")
Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/i2c/soc_camera/ov6650.c
+++ b/drivers/media/i2c/soc_camera/ov6650.c
@@ -605,7 +605,6 @@ static int ov6650_s_fmt(struct v4l2_subd
 		dev_err(&client->dev, "Pixel format not handled: 0x%x\n", code);
 		return -EINVAL;
 	}
-	priv->code = code;
 
 	if (code == V4L2_MBUS_FMT_Y8_1X8 ||
 			code == V4L2_MBUS_FMT_SBGGR8_1X8) {
@@ -626,7 +625,6 @@ static int ov6650_s_fmt(struct v4l2_subd
 		dev_dbg(&client->dev, "max resolution: CIF\n");
 		coma_mask |= COMA_QCIF;
 	}
-	priv->half_scale = half_scale;
 
 	if (sense) {
 		if (sense->master_clock == 8000000) {
@@ -666,10 +664,14 @@ static int ov6650_s_fmt(struct v4l2_subd
 		ret = ov6650_reg_rmw(client, REG_COMA, coma_set, coma_mask);
 	if (!ret)
 		ret = ov6650_reg_write(client, REG_CLKRC, clkrc);
-	if (!ret)
+	if (!ret) {
+		priv->half_scale = half_scale;
+
 		ret = ov6650_reg_rmw(client, REG_COML, coml_set, coml_mask);
+	}
 
 	if (!ret) {
+		priv->code = code;
 		mf->width = priv->rect.width >> half_scale;
 		mf->height = priv->rect.height >> half_scale;
 	}


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 015/148] tools/power/cpupower: Fix initializer override in hsw_ext_cstates
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 014/148] media: ov6650: Fix stored frame format not in sync with hardware Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 016/148] cw1200: Fix a signedness bug in cw1200_load_firmware() Ben Hutchings
                   ` (133 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Nathan Chancellor, Shuah Khan

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <natechancellor@gmail.com>

commit 7e5705c635ecfccde559ebbbe1eaf05b5cc60529 upstream.

When building cpupower with clang, the following warning appears:

 utils/idle_monitor/hsw_ext_idle.c:42:16: warning: initializer overrides
 prior initialization of this subobject [-Winitializer-overrides]
                 .desc                   = N_("Processor Package C2"),
                                              ^~~~~~~~~~~~~~~~~~~~~~
 ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
 #define N_(String) gettext_noop(String)
                                 ^~~~~~
 ./utils/helpers/helpers.h:23:30: note: expanded from macro
 'gettext_noop'
 #define gettext_noop(String) String
                              ^~~~~~
 utils/idle_monitor/hsw_ext_idle.c:41:16: note: previous initialization
 is here
                 .desc                   = N_("Processor Package C9"),
                                              ^~~~~~~~~~~~~~~~~~~~~~
 ./utils/helpers/helpers.h:25:33: note: expanded from macro 'N_'
 #define N_(String) gettext_noop(String)
                                 ^~~~~~
 ./utils/helpers/helpers.h:23:30: note: expanded from macro
 'gettext_noop'
 #define gettext_noop(String) String
                             ^~~~~~
 1 warning generated.

This appears to be a copy and paste or merge mistake because the name
and id fields both have PC9 in them, not PC2. Remove the second
assignment to fix the warning.

Fixes: 7ee767b69b68 ("cpupower: Add Haswell family 0x45 specific idle monitor to show PC8,9,10 states")
Link: https://github.com/ClangBuiltLinux/linux/issues/718
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c | 1 -
 1 file changed, 1 deletion(-)

--- a/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c
+++ b/tools/power/cpupower/utils/idle_monitor/hsw_ext_idle.c
@@ -40,7 +40,6 @@ static cstate_t hsw_ext_cstates[HSW_EXT_
 	{
 		.name			= "PC9",
 		.desc			= N_("Processor Package C9"),
-		.desc			= N_("Processor Package C2"),
 		.id			= PC9,
 		.range			= RANGE_PACKAGE,
 		.get_count_percent	= hsw_ext_get_count_percent,


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 016/148] cw1200: Fix a signedness bug in cw1200_load_firmware()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 015/148] tools/power/cpupower: Fix initializer override in hsw_ext_cstates Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 017/148] ar5523: check NULL before memcpy() in ar5523_cmd() Ben Hutchings
                   ` (132 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dan Carpenter, Kalle Valo

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 4a50d454502f1401171ff061a5424583f91266db upstream.

The "priv->hw_type" is an enum and in this context GCC will treat it
as an unsigned int so the error handling will never trigger.

Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/cw1200/fwio.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/cw1200/fwio.c
+++ b/drivers/net/wireless/cw1200/fwio.c
@@ -316,12 +316,12 @@ int cw1200_load_firmware(struct cw1200_c
 		goto out;
 	}
 
-	priv->hw_type = cw1200_get_hw_type(val32, &major_revision);
-	if (priv->hw_type < 0) {
+	ret = cw1200_get_hw_type(val32, &major_revision);
+	if (ret < 0) {
 		pr_err("Can't deduce hardware type.\n");
-		ret = -ENOTSUPP;
 		goto out;
 	}
+	priv->hw_type = ret;
 
 	/* Set DPLL Reg value, and read back to confirm writes work */
 	ret = cw1200_reg_write_32(priv, ST90TDS_TSET_GEN_R_W_REG_ID,


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 017/148] ar5523: check NULL before memcpy() in ar5523_cmd()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 016/148] cw1200: Fix a signedness bug in cw1200_load_firmware() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 018/148] hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled Ben Hutchings
                   ` (131 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David Laight, David S. Miller,
	Denis Efremov, Pontus Fuchs, Kalle Valo

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Denis Efremov <efremov@linux.com>

commit 315cee426f87658a6799815845788fde965ddaad upstream.

memcpy() call with "idata == NULL && ilen == 0" results in undefined
behavior in ar5523_cmd(). For example, NULL is passed in callchain
"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
adds ilen check before memcpy() call in ar5523_cmd() to prevent an
undefined behavior.

Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: David Laight <David.Laight@ACULAB.COM>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar,
 
 	if (flags & AR5523_CMD_FLAG_MAGIC)
 		hdr->magic = cpu_to_be32(1 << 24);
-	memcpy(hdr + 1, idata, ilen);
+	if (ilen)
+		memcpy(hdr + 1, idata, ilen);
 
 	cmd->odata = odata;
 	cmd->olen = olen;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 018/148] hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 017/148] ar5523: check NULL before memcpy() in ar5523_cmd() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 019/148] drm/i810: Prevent underflow in ioctl Ben Hutchings
                   ` (130 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Adam Ford, Pali Rohár, Tero Kristo,
	Aaro Koskinen, Tony Lindgren, Herbert Xu, Sebastian Reichel

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <tony@atomide.com>

commit eaecce12f5f0d2c35d278e41e1bc4522393861ab upstream.

When unloading omap3-rom-rng, we'll get the following:

WARNING: CPU: 0 PID: 100 at drivers/clk/clk.c:948 clk_core_disable

This is because the clock may be already disabled by omap3_rom_rng_idle().
Let's fix the issue by checking for rng_idle on exit.

Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: Adam Ford <aford173@gmail.com>
Cc: Pali Rohár <pali.rohar@gmail.com>
Cc: Sebastian Reichel <sre@kernel.org>
Cc: Tero Kristo <t-kristo@ti.com>
Fixes: 1c6b7c2108bd ("hwrng: OMAP3 ROM Random Number Generator support")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/hw_random/omap3-rom-rng.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/char/hw_random/omap3-rom-rng.c
+++ b/drivers/char/hw_random/omap3-rom-rng.c
@@ -119,7 +119,8 @@ static int omap3_rom_rng_probe(struct pl
 static int omap3_rom_rng_remove(struct platform_device *pdev)
 {
 	hwrng_unregister(&omap3_rom_rng_ops);
-	clk_disable_unprepare(rng_clk);
+	if (!rng_idle)
+		clk_disable_unprepare(rng_clk);
 	return 0;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 019/148] drm/i810: Prevent underflow in ioctl
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 018/148] hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 020/148] ARM: dts: s3c64xx: Fix init order of clock providers Ben Hutchings
                   ` (129 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dan Carpenter, Chris Wilson

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.

The "used" variables here come from the user in the ioctl and it can be
negative.  It could result in an out of bounds write.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i810/i810_dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i810/i810_dma.c
+++ b/drivers/gpu/drm/i810/i810_dma.c
@@ -724,7 +724,7 @@ static void i810_dma_dispatch_vertex(str
 	if (nbox > I810_NR_SAREA_CLIPRECTS)
 		nbox = I810_NR_SAREA_CLIPRECTS;
 
-	if (used > 4 * 1024)
+	if (used < 0 || used > 4 * 1024)
 		used = 0;
 
 	if (sarea_priv->dirty)
@@ -1044,7 +1044,7 @@ static void i810_dma_dispatch_mc(struct
 	if (u != I810_BUF_CLIENT)
 		DRM_DEBUG("MC found buffer that isn't mine!\n");
 
-	if (used > 4 * 1024)
+	if (used < 0 || used > 4 * 1024)
 		used = 0;
 
 	sarea_priv->dirty = 0x7f;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 020/148] ARM: dts: s3c64xx: Fix init order of clock providers
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 019/148] drm/i810: Prevent underflow in ioctl Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 021/148] [media] usbvision: remove power_on_at_open and timed power off Ben Hutchings
                   ` (128 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Lihua Yao, Krzysztof Kozlowski, Sylwester Nawrocki

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lihua Yao <ylhuajnu@outlook.com>

commit d60d0cff4ab01255b25375425745c3cff69558ad upstream.

fin_pll is the parent of clock-controller@7e00f000, specify
the dependency to ensure proper initialization order of clock
providers.

without this patch:
[    0.000000] S3C6410 clocks: apll = 0, mpll = 0
[    0.000000]  epll = 0, arm_clk = 0

with this patch:
[    0.000000] S3C6410 clocks: apll = 532000000, mpll = 532000000
[    0.000000]  epll = 24000000, arm_clk = 532000000

Fixes: 3f6d439f2022 ("clk: reverse default clk provider initialization order in of_clk_init()")
Signed-off-by: Lihua Yao <ylhuajnu@outlook.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/s3c6410-mini6410.dts | 4 ++++
 arch/arm/boot/dts/s3c6410-smdk6410.dts | 4 ++++
 2 files changed, 8 insertions(+)

--- a/arch/arm/boot/dts/s3c6410-mini6410.dts
+++ b/arch/arm/boot/dts/s3c6410-mini6410.dts
@@ -167,6 +167,10 @@
 	};
 };
 
+&clocks {
+	clocks = <&fin_pll>;
+};
+
 &sdhci0 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>;
--- a/arch/arm/boot/dts/s3c6410-smdk6410.dts
+++ b/arch/arm/boot/dts/s3c6410-smdk6410.dts
@@ -71,6 +71,10 @@
 	};
 };
 
+&clocks {
+	clocks = <&fin_pll>;
+};
+
 &sdhci0 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&sd0_clk>, <&sd0_cmd>, <&sd0_cd>, <&sd0_bus4>;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 021/148] [media] usbvision: remove power_on_at_open and timed power off
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 020/148] ARM: dts: s3c64xx: Fix init order of clock providers Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 022/148] [media] usbvision-video: two use after frees Ben Hutchings
                   ` (127 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans Verkuil, Mauro Carvalho Chehab

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit 62e259493d779b0e2c1a675ab733136511310821 upstream.

This causes lots of problems and is *very* slow as well.

One of the main problems is that this prohibits the use of the control
framework since subdevs will be unloaded on power off which is not allowed
as long as they are used by a usb device.

Apparently the reason for doing this is to turn off a noisy tuner. My hardware
has no problem with that, and I wonder whether the hardware with that noisy
tuner wasn't just functioning improperly as I have never heard of noisy tuners.

Contact me if you have one of those devices and I can take a look whether the
tuner can't be powered off if necessary by letting the tuner subdevice go
into standby mode. Unloading the tuner module is just evil and is not the
right approach.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
[bwh: Backported to 3.16 as dependency of locking fixes. Our version of
 usbvision_init_power_off_timer() was slightly different.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/usb/usbvision/usbvision-core.c
+++ b/drivers/media/usb/usbvision/usbvision-core.c
@@ -2167,56 +2167,6 @@ int usbvision_power_on(struct usb_usbvis
 
 
 /*
- * usbvision timer stuff
- */
-
-/* to call usbvision_power_off from task queue */
-static void call_usbvision_power_off(struct work_struct *work)
-{
-	struct usb_usbvision *usbvision = container_of(work, struct usb_usbvision, power_off_work);
-
-	PDEBUG(DBG_FUNC, "");
-	if (mutex_lock_interruptible(&usbvision->v4l2_lock))
-		return;
-
-	if (usbvision->user == 0) {
-		usbvision_i2c_unregister(usbvision);
-
-		usbvision_power_off(usbvision);
-		usbvision->initialized = 0;
-	}
-	mutex_unlock(&usbvision->v4l2_lock);
-}
-
-static void usbvision_power_off_timer(unsigned long data)
-{
-	struct usb_usbvision *usbvision = (void *)data;
-
-	PDEBUG(DBG_FUNC, "");
-	del_timer(&usbvision->power_off_timer);
-	INIT_WORK(&usbvision->power_off_work, call_usbvision_power_off);
-	(void) schedule_work(&usbvision->power_off_work);
-}
-
-void usbvision_init_power_off_timer(struct usb_usbvision *usbvision)
-{
-	init_timer(&usbvision->power_off_timer);
-	usbvision->power_off_timer.data = (long)usbvision;
-	usbvision->power_off_timer.function = usbvision_power_off_timer;
-}
-
-void usbvision_set_power_off_timer(struct usb_usbvision *usbvision)
-{
-	mod_timer(&usbvision->power_off_timer, jiffies + USBVISION_POWEROFF_TIME);
-}
-
-void usbvision_reset_power_off_timer(struct usb_usbvision *usbvision)
-{
-	if (timer_pending(&usbvision->power_off_timer))
-		del_timer(&usbvision->power_off_timer);
-}
-
-/*
  * usbvision_begin_streaming()
  * Sure you have to put bit 7 to 0, if not incoming frames are droped, but no
  * idea about the rest
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -122,8 +122,6 @@ static void usbvision_release(struct usb
 static int isoc_mode = ISOC_MODE_COMPRESS;
 /* Set the default Debug Mode of the device driver */
 static int video_debug;
-/* Set the default device to power on at startup */
-static int power_on_at_open = 1;
 /* Sequential Number of Video Device */
 static int video_nr = -1;
 /* Sequential Number of Radio Device */
@@ -134,13 +132,11 @@ static int radio_nr = -1;
 /* Showing parameters under SYSFS */
 module_param(isoc_mode, int, 0444);
 module_param(video_debug, int, 0444);
-module_param(power_on_at_open, int, 0444);
 module_param(video_nr, int, 0444);
 module_param(radio_nr, int, 0444);
 
 MODULE_PARM_DESC(isoc_mode, " Set the default format for ISOC endpoint.  Default: 0x60 (Compression On)");
 MODULE_PARM_DESC(video_debug, " Set the default Debug Mode of the device driver.  Default: 0 (Off)");
-MODULE_PARM_DESC(power_on_at_open, " Set the default device to power on when device is opened.  Default: 1 (On)");
 MODULE_PARM_DESC(video_nr, "Set video device number (/dev/videoX).  Default: -1 (autodetect)");
 MODULE_PARM_DESC(radio_nr, "Set radio device number (/dev/radioX).  Default: -1 (autodetect)");
 
@@ -351,11 +347,10 @@ static int usbvision_v4l2_open(struct fi
 
 	if (mutex_lock_interruptible(&usbvision->v4l2_lock))
 		return -ERESTARTSYS;
-	usbvision_reset_power_off_timer(usbvision);
 
-	if (usbvision->user)
+	if (usbvision->user) {
 		err_code = -EBUSY;
-	else {
+	} else {
 		/* Allocate memory for the scratch ring buffer */
 		err_code = usbvision_scratch_alloc(usbvision);
 		if (isoc_mode == ISOC_MODE_COMPRESS) {
@@ -372,11 +367,6 @@ static int usbvision_v4l2_open(struct fi
 
 	/* If so far no errors then we shall start the camera */
 	if (!err_code) {
-		if (usbvision->power == 0) {
-			usbvision_power_on(usbvision);
-			usbvision_i2c_register(usbvision);
-		}
-
 		/* Send init sequence only once, it's large! */
 		if (!usbvision->initialized) {
 			int setup_ok = 0;
@@ -392,18 +382,13 @@ static int usbvision_v4l2_open(struct fi
 			err_code = usbvision_init_isoc(usbvision);
 			/* device must be initialized before isoc transfer */
 			usbvision_muxsel(usbvision, 0);
+
+			/* prepare queues */
+			usbvision_empty_framequeues(usbvision);
 			usbvision->user++;
-		} else {
-			if (power_on_at_open) {
-				usbvision_i2c_unregister(usbvision);
-				usbvision_power_off(usbvision);
-				usbvision->initialized = 0;
-			}
 		}
 	}
 
-	/* prepare queues */
-	usbvision_empty_framequeues(usbvision);
 	mutex_unlock(&usbvision->v4l2_lock);
 
 	PDEBUG(DBG_IO, "success");
@@ -436,13 +421,6 @@ static int usbvision_v4l2_close(struct f
 
 	usbvision->user--;
 
-	if (power_on_at_open) {
-		/* power off in a little while
-		   to avoid off/on every close/open short sequences */
-		usbvision_set_power_off_timer(usbvision);
-		usbvision->initialized = 0;
-	}
-
 	if (usbvision->remove_pending) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
@@ -1160,14 +1138,6 @@ static int usbvision_radio_open(struct f
 				__func__);
 		err_code = -EBUSY;
 	} else {
-		if (power_on_at_open) {
-			usbvision_reset_power_off_timer(usbvision);
-			if (usbvision->power == 0) {
-				usbvision_power_on(usbvision);
-				usbvision_i2c_register(usbvision);
-			}
-		}
-
 		/* Alternate interface 1 is is the biggest frame size */
 		err_code = usbvision_set_alternate(usbvision);
 		if (err_code < 0) {
@@ -1182,14 +1152,6 @@ static int usbvision_radio_open(struct f
 		usbvision_set_audio(usbvision, USBVISION_AUDIO_RADIO);
 		usbvision->user++;
 	}
-
-	if (err_code) {
-		if (power_on_at_open) {
-			usbvision_i2c_unregister(usbvision);
-			usbvision_power_off(usbvision);
-			usbvision->initialized = 0;
-		}
-	}
 out:
 	mutex_unlock(&usbvision->v4l2_lock);
 	return err_code;
@@ -1213,11 +1175,6 @@ static int usbvision_radio_close(struct
 	usbvision->radio = 0;
 	usbvision->user--;
 
-	if (power_on_at_open) {
-		usbvision_set_power_off_timer(usbvision);
-		usbvision->initialized = 0;
-	}
-
 	if (usbvision->remove_pending) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
@@ -1432,8 +1389,6 @@ static struct usb_usbvision *usbvision_a
 		goto err_unreg;
 	init_waitqueue_head(&usbvision->ctrl_urb_wq);
 
-	usbvision_init_power_off_timer(usbvision);
-
 	return usbvision;
 
 err_unreg:
@@ -1454,8 +1409,6 @@ static void usbvision_release(struct usb
 {
 	PDEBUG(DBG_PROBE, "");
 
-	usbvision_reset_power_off_timer(usbvision);
-
 	usbvision->initialized = 0;
 
 	usbvision_remove_sysfs(usbvision->vdev);
@@ -1499,11 +1452,9 @@ static void usbvision_configure_video(st
 	/* first switch off audio */
 	if (usbvision_device_data[model].audio_channels > 0)
 		usbvision_audio_off(usbvision);
-	if (!power_on_at_open) {
-		/* and then power up the noisy tuner */
-		usbvision_power_on(usbvision);
-		usbvision_i2c_register(usbvision);
-	}
+	/* and then power up the tuner */
+	usbvision_power_on(usbvision);
+	usbvision_i2c_register(usbvision);
 }
 
 /*
@@ -1671,11 +1622,7 @@ static void usbvision_disconnect(struct
 	usbvision_stop_isoc(usbvision);
 
 	v4l2_device_disconnect(&usbvision->v4l2_dev);
-
-	if (usbvision->power) {
-		usbvision_i2c_unregister(usbvision);
-		usbvision_power_off(usbvision);
-	}
+	usbvision_i2c_unregister(usbvision);
 	usbvision->remove_pending = 1;	/* Now all ISO data will be ignored */
 
 	usb_put_dev(usbvision->dev);
--- a/drivers/media/usb/usbvision/usbvision.h
+++ b/drivers/media/usb/usbvision/usbvision.h
@@ -391,8 +391,6 @@ struct usb_usbvision {
 	unsigned char iface_alt;					/* Alt settings */
 	unsigned char vin_reg2_preset;
 	struct mutex v4l2_lock;
-	struct timer_list power_off_timer;
-	struct work_struct power_off_work;
 	int power;							/* is the device powered on? */
 	int user;							/* user count for exclusive use */
 	int initialized;						/* Had we already sent init sequence? */
@@ -510,9 +508,6 @@ int usbvision_muxsel(struct usb_usbvisio
 int usbvision_set_input(struct usb_usbvision *usbvision);
 int usbvision_set_output(struct usb_usbvision *usbvision, int width, int height);
 
-void usbvision_init_power_off_timer(struct usb_usbvision *usbvision);
-void usbvision_set_power_off_timer(struct usb_usbvision *usbvision);
-void usbvision_reset_power_off_timer(struct usb_usbvision *usbvision);
 int usbvision_power_off(struct usb_usbvision *usbvision);
 int usbvision_power_on(struct usb_usbvision *usbvision);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 022/148] [media] usbvision-video: two use after frees
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 021/148] [media] usbvision: remove power_on_at_open and timed power off Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 023/148] [media] usbvision: fix locking error Ben Hutchings
                   ` (126 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mauro Carvalho Chehab, Hans Verkuil, Dan Carpenter

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 470a9147899500eb4898f77816520c4b4aa1a698 upstream.

The lock has been freed in usbvision_release() so there is no need to
call mutex_unlock() here.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/usbvision/usbvision-video.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -424,6 +424,7 @@ static int usbvision_v4l2_close(struct f
 	if (usbvision->remove_pending) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
+		return 0;
 	}
 	mutex_unlock(&usbvision->v4l2_lock);
 
@@ -1178,6 +1179,7 @@ static int usbvision_radio_close(struct
 	if (usbvision->remove_pending) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
+		return err_code;
 	}
 
 	mutex_unlock(&usbvision->v4l2_lock);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 023/148] [media] usbvision: fix locking error
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 022/148] [media] usbvision-video: two use after frees Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 024/148] " Ben Hutchings
                   ` (125 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans Verkuil, Mauro Carvalho Chehab

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hans.verkuil@cisco.com>

commit e2c84ccb0fbe5e524d15bb09c042a6ca634adaed upstream.

If remove_pending is non-zero, then the v4l2_lock is never unlocked.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/usbvision/usbvision-video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -420,13 +420,13 @@ static int usbvision_v4l2_close(struct f
 	usbvision_scratch_free(usbvision);
 
 	usbvision->user--;
+	mutex_unlock(&usbvision->v4l2_lock);
 
 	if (usbvision->remove_pending) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
 		return 0;
 	}
-	mutex_unlock(&usbvision->v4l2_lock);
 
 	PDEBUG(DBG_IO, "success");
 	return 0;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 024/148] [media] usbvision: fix locking error
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 023/148] [media] usbvision: fix locking error Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 025/148] media: usbvision: Fix invalid accesses after device disconnect Ben Hutchings
                   ` (124 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Insu Yun, Mauro Carvalho Chehab

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Insu Yun <wuninsu@gmail.com>

commit 5ce625a42d6206d5a18222c6475f6b866ef68569 upstream.

When remove_pending is non-zero, v4l2_lock is never unlocked.

Signed-off-by: Insu Yun <wuninsu@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/usbvision/usbvision-video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1175,6 +1175,7 @@ static int usbvision_radio_close(struct
 	usbvision_audio_off(usbvision);
 	usbvision->radio = 0;
 	usbvision->user--;
+	mutex_unlock(&usbvision->v4l2_lock);
 
 	if (usbvision->remove_pending) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
@@ -1182,7 +1183,6 @@ static int usbvision_radio_close(struct
 		return err_code;
 	}
 
-	mutex_unlock(&usbvision->v4l2_lock);
 	PDEBUG(DBG_IO, "success");
 	return err_code;
 }


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 025/148] media: usbvision: Fix invalid accesses after device disconnect
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 024/148] " Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 026/148] media: usbvision: Fix races among open, close, and disconnect Ben Hutchings
                   ` (123 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alan Stern, Mauro Carvalho Chehab, Hans Verkuil

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit c7a191464078262bf799136317c95824e26a222b upstream.

The syzbot fuzzer found two invalid-access bugs in the usbvision
driver.  These bugs occur when userspace keeps the device file open
after the device has been disconnected and usbvision_disconnect() has
set usbvision->dev to NULL:

	When the device file is closed, usbvision_radio_close() tries
	to issue a usb_set_interface() call, passing the NULL pointer
	as its first argument.

	If userspace performs a querycap ioctl call, vidioc_querycap()
	calls usb_make_path() with the same NULL pointer.

This patch fixes the problems by making the appropriate tests
beforehand.  Note that vidioc_querycap() is protected by
usbvision->v4l2_lock, acquired in a higher layer of the V4L2
subsystem.

Reported-and-tested-by: syzbot+7fa38a608b1075dfd634@syzkaller.appspotmail.com

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/usbvision/usbvision-video.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -482,6 +482,9 @@ static int vidioc_querycap(struct file *
 {
 	struct usb_usbvision *usbvision = video_drvdata(file);
 
+	if (!usbvision->dev)
+		return -ENODEV;
+
 	strlcpy(vc->driver, "USBVision", sizeof(vc->driver));
 	strlcpy(vc->card,
 		usbvision_device_data[usbvision->dev_model].model_string,
@@ -1169,8 +1172,9 @@ static int usbvision_radio_close(struct
 	mutex_lock(&usbvision->v4l2_lock);
 	/* Set packet size to 0 */
 	usbvision->iface_alt = 0;
-	err_code = usb_set_interface(usbvision->dev, usbvision->iface,
-				    usbvision->iface_alt);
+	if (usbvision->dev)
+		err_code = usb_set_interface(usbvision->dev, usbvision->iface,
+					     usbvision->iface_alt);
 
 	usbvision_audio_off(usbvision);
 	usbvision->radio = 0;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 026/148] media: usbvision: Fix races among open, close, and disconnect
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 025/148] media: usbvision: Fix invalid accesses after device disconnect Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 027/148] sunrpc: fix crash when cache_head become valid before update Ben Hutchings
                   ` (122 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alan Stern, Hans Verkuil, Mauro Carvalho Chehab

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 9e08117c9d4efc1e1bc6fce83dab856d9fd284b6 upstream.

Visual inspection of the usbvision driver shows that it suffers from
three races between its open, close, and disconnect handlers.  In
particular, the driver is careful to update its usbvision->user and
usbvision->remove_pending flags while holding the private mutex, but:

	usbvision_v4l2_close() and usbvision_radio_close() don't hold
	the mutex while they check the value of
	usbvision->remove_pending;

	usbvision_disconnect() doesn't hold the mutex while checking
	the value of usbvision->user; and

	also, usbvision_v4l2_open() and usbvision_radio_open() don't
	check whether the device has been unplugged before allowing
	the user to open the device files.

Each of these can potentially lead to usbvision_release() being called
twice and use-after-free errors.

This patch fixes the races by reading the flags while the mutex is
still held and checking for pending removes before allowing an open to
succeed.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
[bwh: Backported to 3.16:
 - Add unlock label in usbvision_v4l2_open()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -348,6 +348,10 @@ static int usbvision_v4l2_open(struct fi
 	if (mutex_lock_interruptible(&usbvision->v4l2_lock))
 		return -ERESTARTSYS;
 
+	if (usbvision->remove_pending) {
+		err_code = -ENODEV;
+		goto unlock;
+	}
 	if (usbvision->user) {
 		err_code = -EBUSY;
 	} else {
@@ -389,6 +393,7 @@ static int usbvision_v4l2_open(struct fi
 		}
 	}
 
+unlock:
 	mutex_unlock(&usbvision->v4l2_lock);
 
 	PDEBUG(DBG_IO, "success");
@@ -406,6 +411,7 @@ static int usbvision_v4l2_open(struct fi
 static int usbvision_v4l2_close(struct file *file)
 {
 	struct usb_usbvision *usbvision = video_drvdata(file);
+	int r;
 
 	PDEBUG(DBG_IO, "close");
 
@@ -420,9 +426,10 @@ static int usbvision_v4l2_close(struct f
 	usbvision_scratch_free(usbvision);
 
 	usbvision->user--;
+	r = usbvision->remove_pending;
 	mutex_unlock(&usbvision->v4l2_lock);
 
-	if (usbvision->remove_pending) {
+	if (r) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
 		return 0;
@@ -1136,6 +1143,11 @@ static int usbvision_radio_open(struct f
 
 	if (mutex_lock_interruptible(&usbvision->v4l2_lock))
 		return -ERESTARTSYS;
+
+	if (usbvision->remove_pending) {
+		err_code = -ENODEV;
+		goto out;
+	}
 	if (usbvision->user) {
 		dev_err(&usbvision->rdev->dev,
 			"%s: Someone tried to open an already opened USBVision Radio!\n",
@@ -1166,6 +1178,7 @@ static int usbvision_radio_close(struct
 {
 	struct usb_usbvision *usbvision = video_drvdata(file);
 	int err_code = 0;
+	int r;
 
 	PDEBUG(DBG_IO, "");
 
@@ -1179,9 +1192,10 @@ static int usbvision_radio_close(struct
 	usbvision_audio_off(usbvision);
 	usbvision->radio = 0;
 	usbvision->user--;
+	r = usbvision->remove_pending;
 	mutex_unlock(&usbvision->v4l2_lock);
 
-	if (usbvision->remove_pending) {
+	if (r) {
 		printk(KERN_INFO "%s: Final disconnect\n", __func__);
 		usbvision_release(usbvision);
 		return err_code;
@@ -1614,6 +1628,7 @@ err_usb:
 static void usbvision_disconnect(struct usb_interface *intf)
 {
 	struct usb_usbvision *usbvision = to_usbvision(usb_get_intfdata(intf));
+	int u;
 
 	PDEBUG(DBG_PROBE, "");
 
@@ -1630,13 +1645,14 @@ static void usbvision_disconnect(struct
 	v4l2_device_disconnect(&usbvision->v4l2_dev);
 	usbvision_i2c_unregister(usbvision);
 	usbvision->remove_pending = 1;	/* Now all ISO data will be ignored */
+	u = usbvision->user;
 
 	usb_put_dev(usbvision->dev);
 	usbvision->dev = NULL;	/* USB device is no more */
 
 	mutex_unlock(&usbvision->v4l2_lock);
 
-	if (usbvision->user) {
+	if (u) {
 		printk(KERN_INFO "%s: In use, disconnect pending\n",
 		       __func__);
 		wake_up_interruptible(&usbvision->wait_frame);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 027/148] sunrpc: fix crash when cache_head become valid before update
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 026/148] media: usbvision: Fix races among open, close, and disconnect Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 028/148] PCI: Fix Intel ACS quirk UPDCR register address Ben Hutchings
                   ` (121 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pavel Tikhomirov, J. Bruce Fields, NeilBrown

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>

commit 5fcaf6982d1167f1cd9b264704f6d1ef4c505d54 upstream.

I was investigating a crash in our Virtuozzo7 kernel which happened in
in svcauth_unix_set_client. I found out that we access m_client field
in ip_map structure, which was received from sunrpc_cache_lookup (we
have a bit older kernel, now the code is in sunrpc_cache_add_entry), and
these field looks uninitialized (m_client == 0x74 don't look like a
pointer) but in the cache_head in flags we see 0x1 which is CACHE_VALID.

It looks like the problem appeared from our previous fix to sunrpc (1):
commit 4ecd55ea0742 ("sunrpc: fix cache_head leak due to queued
request")

And we've also found a patch already fixing our patch (2):
commit d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")

Though the crash is eliminated, I think the core of the problem is not
completely fixed:

Neil in the patch (2) makes cache_head CACHE_NEGATIVE, before
cache_fresh_locked which was added in (1) to fix crash. These way
cache_is_valid won't say the cache is valid anymore and in
svcauth_unix_set_client the function cache_check will return error
instead of 0, and we don't count entry as initialized.

But it looks like we need to remove cache_fresh_locked completely in
sunrpc_cache_lookup:

In (1) we've only wanted to make cache_fresh_unlocked->cache_dequeue so
that cache_requests with no readers also release corresponding
cache_head, to fix their leak.  We with Vasily were not sure if
cache_fresh_locked and cache_fresh_unlocked should be used in pair or
not, so we've guessed to use them in pair.

Now we see that we don't want the CACHE_VALID bit set here by
cache_fresh_locked, as "valid" means "initialized" and there is no
initialization in sunrpc_cache_add_entry. Both expiry_time and
last_refresh are not used in cache_fresh_unlocked code-path and also not
required for the initial fix.

So to conclude cache_fresh_locked was called by mistake, and we can just
safely remove it instead of crutching it with CACHE_NEGATIVE. It looks
ideologically better for me. Hope I don't miss something here.

Here is our crash backtrace:
[13108726.326291] BUG: unable to handle kernel NULL pointer dereference at 0000000000000074
[13108726.326365] IP: [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
[13108726.326448] PGD 0
[13108726.326468] Oops: 0002 [#1] SMP
[13108726.326497] Modules linked in: nbd isofs xfs loop kpatch_cumulative_81_0_r1(O) xt_physdev nfnetlink_queue bluetooth rfkill ip6table_nat nf_nat_ipv6 ip_vs_wrr ip_vs_wlc ip_vs_sh nf_conntrack_netlink ip_vs_sed ip_vs_pe_sip nf_conntrack_sip ip_vs_nq ip_vs_lc ip_vs_lblcr ip_vs_lblc ip_vs_ftp ip_vs_dh nf_nat_ftp nf_conntrack_ftp iptable_raw xt_recent nf_log_ipv6 xt_hl ip6t_rt nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_TCPMSS xt_tcpmss vxlan ip6_udp_tunnel udp_tunnel xt_statistic xt_NFLOG nfnetlink_log dummy xt_mark xt_REDIRECT nf_nat_redirect raw_diag udp_diag tcp_diag inet_diag netlink_diag af_packet_diag unix_diag rpcsec_gss_krb5 xt_addrtype ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 ebtable_nat ebtable_broute nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_raw nfsv4
[13108726.327173]  dns_resolver cls_u32 binfmt_misc arptable_filter arp_tables ip6table_filter ip6_tables devlink fuse_kio_pcs ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat iptable_nat nf_nat_ipv4 xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_wdog_tmo xt_multiport bonding xt_set xt_conntrack iptable_filter iptable_mangle kpatch(O) ebtable_filter ebt_among ebtables ip_set_hash_ip ip_set nfnetlink vfat fat skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass fuse pcspkr ses enclosure joydev sg mei_me hpwdt hpilo lpc_ich mei ipmi_si shpchp ipmi_devintf ipmi_msghandler xt_ipvs acpi_power_meter ip_vs_rr nfsv3 nfsd auth_rpcgss nfs_acl nfs lockd grace fscache nf_nat cls_fw sch_htb sch_cbq sch_sfq ip_vs em_u32 nf_conntrack tun br_netfilter veth overlay ip6_vzprivnet ip6_vznetstat ip_vznetstat
[13108726.327817]  ip_vzprivnet vziolimit vzevent vzlist vzstat vznetstat vznetdev vzmon vzdev bridge pio_kaio pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper scsi_transport_iscsi 8021q syscopyarea sysfillrect garp sysimgblt fb_sys_fops mrp stp ttm llc bnx2x crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel drm dm_multipath ghash_clmulni_intel uas aesni_intel lrw gf128mul glue_helper ablk_helper cryptd tg3 smartpqi scsi_transport_sas mdio libcrc32c i2c_core usb_storage ptp pps_core wmi sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kpatch_cumulative_82_0_r1]
[13108726.328403] CPU: 35 PID: 63742 Comm: nfsd ve: 51332 Kdump: loaded Tainted: G        W  O   ------------   3.10.0-862.20.2.vz7.73.29 #1 73.29
[13108726.328491] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 10/02/2018
[13108726.328554] task: ffffa0a6a41b1160 ti: ffffa0c2a74bc000 task.ti: ffffa0c2a74bc000
[13108726.328610] RIP: 0010:[<ffffffffc01f79eb>]  [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
[13108726.328706] RSP: 0018:ffffa0c2a74bfd80  EFLAGS: 00010246
[13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000
[13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0
[13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001
[13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000
[13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4
[13108726.329022] FS:  0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000
[13108726.329081] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0
[13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[13108726.338908] PKRU: 00000000
[13108726.341047] Call Trace:
[13108726.343074]  [<ffffffff8a2c78b4>] ? groups_alloc+0x34/0x110
[13108726.344837]  [<ffffffffc01f5eb4>] svc_set_client+0x24/0x30 [sunrpc]
[13108726.346631]  [<ffffffffc01f2ac1>] svc_process_common+0x241/0x710 [sunrpc]
[13108726.348332]  [<ffffffffc01f3093>] svc_process+0x103/0x190 [sunrpc]
[13108726.350016]  [<ffffffffc07d605f>] nfsd+0xdf/0x150 [nfsd]
[13108726.351735]  [<ffffffffc07d5f80>] ? nfsd_destroy+0x80/0x80 [nfsd]
[13108726.353459]  [<ffffffff8a2bf741>] kthread+0xd1/0xe0
[13108726.355195]  [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
[13108726.356896]  [<ffffffff8a9556dd>] ret_from_fork_nospec_begin+0x7/0x21
[13108726.358577]  [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
[13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 <f0> 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38
[13108726.363769] RIP  [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
[13108726.365530]  RSP <ffffa0c2a74bfd80>
[13108726.367179] CR2: 0000000000000074

Fixes: d58431eacb22 ("sunrpc: don't mark uninitialised items as VALID.")
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Acked-by: NeilBrown <neilb@suse.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
[bwh: Backported to 3.16: cache_fresh_locked() had only 2 parameters here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/cache.c | 6 ------
 1 file changed, 6 deletions(-)

--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -50,8 +50,6 @@ static void cache_init(struct cache_head
 	h->last_refresh = now;
 }
 
-static inline int cache_is_valid(struct cache_head *h);
-static void cache_fresh_locked(struct cache_head *head, time_t expiry);
 static void cache_fresh_unlocked(struct cache_head *head,
 				struct cache_detail *detail);
 
@@ -99,9 +97,6 @@ struct cache_head *sunrpc_cache_lookup(s
 				*hp = tmp->next;
 				tmp->next = NULL;
 				detail->entries --;
-				if (cache_is_valid(tmp) == -EAGAIN)
-					set_bit(CACHE_NEGATIVE, &tmp->flags);
-				cache_fresh_locked(tmp, 0);
 				freeme = tmp;
 				break;
 			}


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 028/148] PCI: Fix Intel ACS quirk UPDCR register address
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 027/148] sunrpc: fix crash when cache_head become valid before update Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 029/148] Bluetooth: hci_core: fix init for HCI_USER_CHANNEL Ben Hutchings
                   ` (120 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andrew Murray, Ashok Raj, Bjorn Helgaas,
	Steffen Liebergeld

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com>

commit d8558ac8c93d429d65d7490b512a3a67e559d0d4 upstream.

According to documentation [0] the correct offset for the Upstream Peer
Decode Configuration Register (UPDCR) is 0x1014.  It was previously defined
as 0x1114.

d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports")
intended to enforce isolation between PCI devices allowing them to be put
into separate IOMMU groups.  Due to the wrong register offset the intended
isolation was not fully enforced.  This is fixed with this patch.

Please note that I did not test this patch because I have no hardware that
implements this register.

[0] https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/4th-gen-core-family-mobile-i-o-datasheet.pdf (page 325)
Fixes: d99321b63b1f ("PCI: Enable quirks for PCIe ACS on Intel PCH root ports")
Link: https://lore.kernel.org/r/7a3505df-79ba-8a28-464c-88b83eefffa6@kernkonzept.com
Signed-off-by: Steffen Liebergeld <steffen.liebergeld@kernkonzept.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Andrew Murray <andrew.murray@arm.com>
Acked-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/quirks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3787,7 +3787,7 @@ int pci_dev_specific_acs_enabled(struct
 #define INTEL_BSPR_REG_BPPD  (1 << 9)
 
 /* Upstream Peer Decode Configuration Register */
-#define INTEL_UPDCR_REG 0x1114
+#define INTEL_UPDCR_REG 0x1014
 /* 5:0 Peer Decode Enable bits */
 #define INTEL_UPDCR_REG_MASK 0x3f
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 029/148] Bluetooth: hci_core: fix init for HCI_USER_CHANNEL
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 028/148] PCI: Fix Intel ACS quirk UPDCR register address Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 030/148] spi: atmel: fix handling of cs_change set on non-last xfer Ben Hutchings
                   ` (119 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Marcel Holtmann, Mattijs Korpershoek

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mattijs Korpershoek <mkorpershoek@baylibre.com>

commit eb8c101e28496888a0dcfe16ab86a1bee369e820 upstream.

During the setup() stage, HCI device drivers expect the chip to
acknowledge its setup() completion via vendor specific frames.

If userspace opens() such HCI device in HCI_USER_CHANNEL [1] mode,
the vendor specific frames are never tranmitted to the driver, as
they are filtered in hci_rx_work().

Allow HCI devices which operate in HCI_USER_CHANNEL mode to receive
frames if the HCI device is is HCI_INIT state.

[1] https://www.spinics.net/lists/linux-bluetooth/msg37345.html

Fixes: 23500189d7e0 ("Bluetooth: Introduce new HCI socket channel for user operation")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
[bwh: Backported to 3.16: Keep checking both HCI_RAW and HCI_USER_CHANNEL
 bits here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -5226,8 +5226,15 @@ static void hci_rx_work(struct work_stru
 			hci_send_to_sock(hdev, skb);
 		}
 
-		if (test_bit(HCI_RAW, &hdev->flags) ||
-		    test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) {
+		/* If the device has been opened in HCI_USER_CHANNEL,
+		 * the userspace has exclusive access to device.
+		 * When device is HCI_INIT, we still need to process
+		 * the data packets to the driver in order
+		 * to complete its setup().
+		 */
+		if ((test_bit(HCI_RAW, &hdev->flags) ||
+		     test_bit(HCI_USER_CHANNEL, &hdev->dev_flags)) &&
+		    !test_bit(HCI_INIT, &hdev->flags)) {
 			kfree_skb(skb);
 			continue;
 		}


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 030/148] spi: atmel: fix handling of cs_change set on non-last xfer
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 029/148] Bluetooth: hci_core: fix init for HCI_USER_CHANNEL Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 031/148] usb: gadget: u_serial: add missing port entry locking Ben Hutchings
                   ` (118 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mark Brown, Nicolas Ferre, Mans Rullgard,
	Gregory CLEMENT

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mans Rullgard <mans@mansr.com>

commit fed8d8c7a6dc2a76d7764842853d81c770b0788e upstream.

The driver does the wrong thing when cs_change is set on a non-last
xfer in a message.  When cs_change is set, the driver deactivates the
CS and leaves it off until a later xfer again has cs_change set whereas
it should be briefly toggling CS off and on again.

This patch brings the behaviour of the driver back in line with the
documentation and common sense.  The delay of 10 us is the same as is
used by the default spi_transfer_one_message() function in spi.c.
[gregory: rebased on for-5.5 from spi tree]
Fixes: 8090d6d1a415 ("spi: atmel: Refactor spi-atmel to use SPI framework queue")
Signed-off-by: Mans Rullgard <mans@mansr.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Link: https://lore.kernel.org/r/20191018153504.4249-1-gregory.clement@bootlin.com
Signed-off-by: Mark Brown <broonie@kernel.org>
[bwhh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-atmel.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -242,7 +242,6 @@ struct atmel_spi {
 	struct atmel_spi_dma	dma;
 
 	bool			keep_cs;
-	bool			cs_active;
 };
 
 /* Controller-specific per-slave state */
@@ -1190,11 +1189,9 @@ static int atmel_spi_one_transfer(struct
 				 &msg->transfers)) {
 			as->keep_cs = true;
 		} else {
-			as->cs_active = !as->cs_active;
-			if (as->cs_active)
-				cs_activate(as, msg->spi);
-			else
-				cs_deactivate(as, msg->spi);
+			cs_deactivate(as, msg->spi);
+			udelay(10);
+			cs_activate(as, msg->spi);
 		}
 	}
 
@@ -1217,7 +1214,6 @@ static int atmel_spi_transfer_one_messag
 	atmel_spi_lock(as);
 	cs_activate(as, spi);
 
-	as->cs_active = true;
 	as->keep_cs = false;
 
 	msg->status = 0;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 031/148] usb: gadget: u_serial: add missing port entry locking
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 030/148] spi: atmel: fix handling of cs_change set on non-last xfer Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 032/148] compat_ioctl: handle SIOCOUTQNSD Ben Hutchings
                   ` (117 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ladislav Michl, Felipe Balbi,
	Greg Kroah-Hartman, Michał Mirosław

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michał Mirosław <mirq-linux@rere.qmqm.pl>

commit daf82bd24e308c5a83758047aff1bd81edda4f11 upstream.

gserial_alloc_line() misses locking (for a release barrier) while
resetting port entry on TTY allocation failure. Fix this.

Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tested-by: Ladislav Michl <ladis@linux-mips.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/u_serial.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/gadget/u_serial.c
+++ b/drivers/usb/gadget/u_serial.c
@@ -1140,8 +1140,10 @@ int gserial_alloc_line(unsigned char *li
 				__func__, port_num, PTR_ERR(tty_dev));
 
 		ret = PTR_ERR(tty_dev);
+		mutex_lock(&ports[port_num].lock);
 		port = ports[port_num].port;
 		ports[port_num].port = NULL;
+		mutex_unlock(&ports[port_num].lock);
 		gserial_free_port(port);
 		goto err;
 	}


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 032/148] compat_ioctl: handle SIOCOUTQNSD
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 031/148] usb: gadget: u_serial: add missing port entry locking Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 033/148] x86/ioapic: Prevent inconsistent state when moving an interrupt Ben Hutchings
                   ` (116 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, David S. Miller, netdev,
	Eric Dumazet

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 9d7bf41fafa5b5ddd4c13eb39446b0045f0a8167 upstream.

Unlike the normal SIOCOUTQ, SIOCOUTQNSD was never handled in compat
mode. Add it to the common socket compat handler along with similar
ones.

Fixes: 2f4e1b397097 ("tcp: ioctl type SIOCOUTQNSD returns amount of data not sent")
Cc: Eric Dumazet <edumazet@google.com>
Cc: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/socket.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/socket.c
+++ b/net/socket.c
@@ -3311,6 +3311,7 @@ static int compat_sock_ioctl_trans(struc
 	case SIOCSARP:
 	case SIOCGARP:
 	case SIOCDARP:
+	case SIOCOUTQNSD:
 	case SIOCATMARK:
 		return sock_do_ioctl(net, sock, cmd, arg);
 	}


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 033/148] x86/ioapic: Prevent inconsistent state when moving an interrupt
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 032/148] compat_ioctl: handle SIOCOUTQNSD Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 034/148] xfs: Sanity check flags of Q_XQUOTARM call Ben Hutchings
                   ` (115 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andy Shevchenko, Ingo Molnar,
	Linus Torvalds, Thomas Gleixner, Peter Zijlstra,
	Sebastian Siewior

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit df4393424af3fbdcd5c404077176082a8ce459c4 upstream.

There is an issue with threaded interrupts which are marked ONESHOT
and using the fasteoi handler:

  if (IS_ONESHOT())
    mask_irq();
  ....
  cond_unmask_eoi_irq()
    chip->irq_eoi();
      if (setaffinity_pending) {
         mask_ioapic();
         ...
	 move_affinity();
	 unmask_ioapic();
      }

So if setaffinity is pending the interrupt will be moved and then
unconditionally unmasked at the ioapic level, which is wrong in two
aspects:

 1) It should be kept masked up to the point where the threaded handler
    finished.

 2) The physical chip state and the software masked state are inconsistent

Guard both the mask and the unmask with a check for the software masked
state. If the line is marked masked then the ioapic line is also masked, so
both mask_ioapic() and unmask_ioapic() can be skipped safely.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Siewior <bigeasy@linutronix.de>
Fixes: 3aa551c9b4c4 ("genirq: add threaded interrupt handler support")
Link: https://lkml.kernel.org/r/20191017101938.321393687@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: Keep using {,un}mask_iopaic_irq()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/apic/io_apic.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/apic/io_apic.c
+++ b/arch/x86/kernel/apic/io_apic.c
@@ -2377,9 +2377,10 @@ static bool io_apic_level_ack_pending(st
 
 static inline bool ioapic_irqd_mask(struct irq_data *data, struct irq_cfg *cfg)
 {
-	/* If we are moving the irq we need to mask it */
+	/* If we are moving the IRQ we need to mask it */
 	if (unlikely(irqd_is_setaffinity_pending(data))) {
-		mask_ioapic(cfg);
+		if (!irqd_irq_masked(data))
+			mask_ioapic(cfg);
 		return true;
 	}
 	return false;
@@ -2417,7 +2418,9 @@ static inline void ioapic_irqd_unmask(st
 		 */
 		if (!io_apic_level_ack_pending(cfg))
 			irq_move_masked_irq(data);
-		unmask_ioapic(cfg);
+		/* If the IRQ is masked in the core, leave it: */
+		if (!irqd_irq_masked(data))
+			unmask_ioapic(cfg);
 	}
 }
 #else


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 034/148] xfs: Sanity check flags of Q_XQUOTARM call
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 033/148] x86/ioapic: Prevent inconsistent state when moving an interrupt Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 035/148] cpuidle: Do not unset the driver if it is there already Ben Hutchings
                   ` (114 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Yang Xu, Eric Sandeen, Darrick J. Wong, Jan Kara

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 3dd4d40b420846dd35869ccc8f8627feef2cff32 upstream.

Flags passed to Q_XQUOTARM were not sanity checked for invalid values.
Fix that.

Fixes: 9da93f9b7cdf ("xfs: fix Q_XQUOTARM ioctl")
Reported-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_quotaops.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/xfs/xfs_quotaops.c
+++ b/fs/xfs/xfs_quotaops.c
@@ -119,6 +119,9 @@ xfs_fs_rm_xquota(
 	if (XFS_IS_QUOTA_ON(mp))
 		return -EINVAL;
 
+	if (uflags & ~(FS_USER_QUOTA | FS_GROUP_QUOTA | FS_PROJ_QUOTA))
+		return -EINVAL;
+
 	if (uflags & FS_USER_QUOTA)
 		flags |= XFS_DQ_USER;
 	if (uflags & FS_GROUP_QUOTA)


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 035/148] cpuidle: Do not unset the driver if it is there already
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 034/148] xfs: Sanity check flags of Q_XQUOTARM call Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 036/148] scsi: csiostor: Don't enable IRQs too early Ben Hutchings
                   ` (113 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Rafael J. Wysocki, Zhenzhong Duan

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenzhong Duan <zhenzhong.duan@oracle.com>

commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream.

Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has
a driver different from drv already and, if so, return -EBUSY before
updating any cpuidle_drivers per-CPU pointers.

Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support")
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/cpuidle/driver.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/cpuidle/driver.c
+++ b/drivers/cpuidle/driver.c
@@ -60,24 +60,23 @@ static inline void __cpuidle_unset_drive
  * __cpuidle_set_driver - set per CPU driver variables for the given driver.
  * @drv: a valid pointer to a struct cpuidle_driver
  *
- * For each CPU in the driver's cpumask, unset the registered driver per CPU
- * to @drv.
- *
- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already.
+ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver
+ * different from drv already.
  */
 static inline int __cpuidle_set_driver(struct cpuidle_driver *drv)
 {
 	int cpu;
 
 	for_each_cpu(cpu, drv->cpumask) {
+		struct cpuidle_driver *old_drv;
 
-		if (__cpuidle_get_cpu_driver(cpu)) {
-			__cpuidle_unset_driver(drv);
+		old_drv = __cpuidle_get_cpu_driver(cpu);
+		if (old_drv && old_drv != drv)
 			return -EBUSY;
-		}
+	}
 
+	for_each_cpu(cpu, drv->cpumask)
 		per_cpu(cpuidle_drivers, cpu) = drv;
-	}
 
 	return 0;
 }


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 036/148] scsi: csiostor: Don't enable IRQs too early
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 035/148] cpuidle: Do not unset the driver if it is there already Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 037/148] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Ben Hutchings
                   ` (112 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dan Carpenter, Martin K. Petersen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit d6c9b31ac3064fbedf8961f120a4c117daa59932 upstream.

These are called with IRQs disabled from csio_mgmt_tmo_handler() so we
can't call spin_unlock_irq() or it will enable IRQs prematurely.

Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver")
Link: https://lore.kernel.org/r/20191019085913.GA14245@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/csiostor/csio_lnode.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/scsi/csiostor/csio_lnode.c
+++ b/drivers/scsi/csiostor/csio_lnode.c
@@ -292,6 +292,7 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h
 	struct fc_fdmi_port_name *port_name;
 	uint8_t buf[64];
 	uint8_t *fc4_type;
+	unsigned long flags;
 
 	if (fdmi_req->wr_status != FW_SUCCESS) {
 		csio_ln_dbg(ln, "WR error:%x in processing fdmi rhba cmd\n",
@@ -369,13 +370,13 @@ csio_ln_fdmi_rhba_cbfn(struct csio_hw *h
 	len = (uint32_t)(pld - (uint8_t *)cmd);
 
 	/* Submit FDMI RPA request */
-	spin_lock_irq(&hw->lock);
+	spin_lock_irqsave(&hw->lock, flags);
 	if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_done,
 				FCOE_CT, &fdmi_req->dma_buf, len)) {
 		CSIO_INC_STATS(ln, n_fdmi_err);
 		csio_ln_dbg(ln, "Failed to issue fdmi rpa req\n");
 	}
-	spin_unlock_irq(&hw->lock);
+	spin_unlock_irqrestore(&hw->lock, flags);
 }
 
 /*
@@ -396,6 +397,7 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *h
 	struct fc_fdmi_rpl *reg_pl;
 	struct fs_fdmi_attrs *attrib_blk;
 	uint8_t buf[64];
+	unsigned long flags;
 
 	if (fdmi_req->wr_status != FW_SUCCESS) {
 		csio_ln_dbg(ln, "WR error:%x in processing fdmi dprt cmd\n",
@@ -476,13 +478,13 @@ csio_ln_fdmi_dprt_cbfn(struct csio_hw *h
 	attrib_blk->numattrs = htonl(numattrs);
 
 	/* Submit FDMI RHBA request */
-	spin_lock_irq(&hw->lock);
+	spin_lock_irqsave(&hw->lock, flags);
 	if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_rhba_cbfn,
 				FCOE_CT, &fdmi_req->dma_buf, len)) {
 		CSIO_INC_STATS(ln, n_fdmi_err);
 		csio_ln_dbg(ln, "Failed to issue fdmi rhba req\n");
 	}
-	spin_unlock_irq(&hw->lock);
+	spin_unlock_irqrestore(&hw->lock, flags);
 }
 
 /*
@@ -497,6 +499,7 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *h
 	void *cmd;
 	struct fc_fdmi_port_name *port_name;
 	uint32_t len;
+	unsigned long flags;
 
 	if (fdmi_req->wr_status != FW_SUCCESS) {
 		csio_ln_dbg(ln, "WR error:%x in processing fdmi dhba cmd\n",
@@ -527,13 +530,13 @@ csio_ln_fdmi_dhba_cbfn(struct csio_hw *h
 	len += sizeof(*port_name);
 
 	/* Submit FDMI request */
-	spin_lock_irq(&hw->lock);
+	spin_lock_irqsave(&hw->lock, flags);
 	if (csio_ln_mgmt_submit_req(fdmi_req, csio_ln_fdmi_dprt_cbfn,
 				FCOE_CT, &fdmi_req->dma_buf, len)) {
 		CSIO_INC_STATS(ln, n_fdmi_err);
 		csio_ln_dbg(ln, "Failed to issue fdmi dprt req\n");
 	}
-	spin_unlock_irq(&hw->lock);
+	spin_unlock_irqrestore(&hw->lock, flags);
 }
 
 /**


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 037/148] scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 036/148] scsi: csiostor: Don't enable IRQs too early Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 038/148] scsi: zfcp: trace channel log even for FCP command responses Ben Hutchings
                   ` (111 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dan Carpenter, Martin K. Petersen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 906ca6353ac09696c1bf0892513c8edffff5e0a6 upstream.

This error path is missing an unlock.

Fixes: 26780d9e12ed ("[SCSI] esas2r: ATTO Technology ExpressSAS 6G SAS/SATA RAID Adapter Driver")
Link: https://lore.kernel.org/r/20191022102324.GA27540@mwanda
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/esas2r/esas2r_flash.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/esas2r/esas2r_flash.c
+++ b/drivers/scsi/esas2r/esas2r_flash.c
@@ -1197,6 +1197,7 @@ bool esas2r_nvram_read_direct(struct esa
 	if (!esas2r_read_flash_block(a, a->nvram, FLS_OFFSET_NVR,
 				     sizeof(struct esas2r_sas_nvram))) {
 		esas2r_hdebug("NVRAM read failed, using defaults");
+		up(&a->nvram_semaphore);
 		return false;
 	}
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 038/148] scsi: zfcp: trace channel log even for FCP command responses
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 037/148] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 039/148] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Ben Hutchings
                   ` (110 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steffen Maier, Benjamin Block, Martin K. Petersen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Maier <maier@linux.ibm.com>

commit 100843f176109af94600e500da0428e21030ca7f upstream.

While v2.6.26 commit b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug
trace") is right that we don't want to flood the (payload) trace ring
buffer, we don't trace successful FCP command responses by default.  So we
can include the channel log for problem determination with failed responses
of any FSF request type.

Fixes: b75db73159cc ("[SCSI] zfcp: Add qtcb dump to hba debug trace")
Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
Link: https://lore.kernel.org/r/e37597b5c4ae123aaa85fd86c23a9f71e994e4a9.1572018132.git.bblock@linux.ibm.com
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Signed-off-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: Deleted condition is slightly different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/scsi/zfcp_dbf.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -93,11 +93,9 @@ void zfcp_dbf_hba_fsf_res(char *tag, int
 	memcpy(rec->u.res.fsf_status_qual, &q_head->fsf_status_qual,
 	       FSF_STATUS_QUALIFIER_SIZE);
 
-	if (req->fsf_command != FSF_QTCB_FCP_CMND) {
-		rec->pl_len = q_head->log_length;
-		zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
-				  rec->pl_len, "fsf_res", req->req_id);
-	}
+	rec->pl_len = q_head->log_length;
+	zfcp_dbf_pl_write(dbf, (char *)q_pref + q_head->log_start,
+			  rec->pl_len, "fsf_res", req->req_id);
 
 	debug_event(dbf->hba, level, rec, sizeof(*rec));
 	spin_unlock_irqrestore(&dbf->hba_lock, flags);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 039/148] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 038/148] scsi: zfcp: trace channel log even for FCP command responses Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 040/148] mtd: spear_smi: Fix Write Burst mode Ben Hutchings
                   ` (109 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Sylwester Nawrocki, Marian Mihailescu

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marian Mihailescu <mihailescu2m@gmail.com>

commit e21be0d1d7bd7f78a77613f6bcb6965e72b22fc1 upstream.

Save and restore top PLL related configuration registers for big (APLL)
and LITTLE (KPLL) cores during suspend/resume cycle. So far, CPU clocks
were reset to default values after suspend/resume cycle and performance
after system resume was affected when performance governor has been selected.

Fixes: 773424326b51 ("clk: samsung: exynos5420: add more registers to restore list")
Signed-off-by: Marian Mihailescu <mihailescu2m@gmail.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/clk/samsung/clk-exynos5420.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/clk/samsung/clk-exynos5420.c
+++ b/drivers/clk/samsung/clk-exynos5420.c
@@ -162,6 +162,8 @@ static unsigned long exynos5x_clk_regs[]
 	GATE_BUS_CPU,
 	GATE_SCLK_CPU,
 	CLKOUT_CMU_CPU,
+	APLL_CON0,
+	KPLL_CON0,
 	CPLL_CON0,
 	DPLL_CON0,
 	EPLL_CON0,


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 040/148] mtd: spear_smi: Fix Write Burst mode
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 039/148] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 041/148] ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume() Ben Hutchings
                   ` (108 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Boris Brezillon, Russell King,
	Russell King, Miquel Raynal

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miquel Raynal <miquel.raynal@bootlin.com>

commit 69c7f4618c16b4678f8a4949b6bb5ace259c0033 upstream.

Any write with either dd or flashcp to a device driven by the
spear_smi.c driver will pass through the spear_smi_cpy_toio()
function. This function will get called for chunks of up to 256 bytes.
If the amount of data is smaller, we may have a problem if the data
length is not 4-byte aligned. In this situation, the kernel panics
during the memcpy:

    # dd if=/dev/urandom bs=1001 count=1 of=/dev/mtd6
    spear_smi_cpy_toio [620] dest c9070000, src c7be8800, len 256
    spear_smi_cpy_toio [620] dest c9070100, src c7be8900, len 256
    spear_smi_cpy_toio [620] dest c9070200, src c7be8a00, len 256
    spear_smi_cpy_toio [620] dest c9070300, src c7be8b00, len 233
    Unhandled fault: external abort on non-linefetch (0x808) at 0xc90703e8
    [...]
    PC is at memcpy+0xcc/0x330

The above error occurs because the implementation of memcpy_toio()
tries to optimize the number of I/O by writing 4 bytes at a time as
much as possible, until there are less than 4 bytes left and then
switches to word or byte writes.

Unfortunately, the specification states about the Write Burst mode:

        "the next AHB Write request should point to the next
	incremented address and should have the same size (byte,
	half-word or word)"

This means ARM architecture implementation of memcpy_toio() cannot
reliably be used blindly here. Workaround this situation by update the
write path to stick to byte access when the burst length is not
multiple of 4.

Fixes: f18dbbb1bfe0 ("mtd: ST SPEAr: Add SMI driver for serial NOR flash")
Cc: Russell King <linux@armlinux.org.uk>
Cc: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/devices/spear_smi.c | 38 ++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

--- a/drivers/mtd/devices/spear_smi.c
+++ b/drivers/mtd/devices/spear_smi.c
@@ -595,6 +595,26 @@ static int spear_mtd_read(struct mtd_inf
 	return 0;
 }
 
+/*
+ * The purpose of this function is to ensure a memcpy_toio() with byte writes
+ * only. Its structure is inspired from the ARM implementation of _memcpy_toio()
+ * which also does single byte writes but cannot be used here as this is just an
+ * implementation detail and not part of the API. Not mentioning the comment
+ * stating that _memcpy_toio() should be optimized.
+ */
+static void spear_smi_memcpy_toio_b(volatile void __iomem *dest,
+				    const void *src, size_t len)
+{
+	const unsigned char *from = src;
+
+	while (len) {
+		len--;
+		writeb(*from, dest);
+		from++;
+		dest++;
+	}
+}
+
 static inline int spear_smi_cpy_toio(struct spear_smi *dev, u32 bank,
 		void __iomem *dest, const void *src, size_t len)
 {
@@ -617,7 +637,23 @@ static inline int spear_smi_cpy_toio(str
 	ctrlreg1 = readl(dev->io_base + SMI_CR1);
 	writel((ctrlreg1 | WB_MODE) & ~SW_MODE, dev->io_base + SMI_CR1);
 
-	memcpy_toio(dest, src, len);
+	/*
+	 * In Write Burst mode (WB_MODE), the specs states that writes must be:
+	 * - incremental
+	 * - of the same size
+	 * The ARM implementation of memcpy_toio() will optimize the number of
+	 * I/O by using as much 4-byte writes as possible, surrounded by
+	 * 2-byte/1-byte access if:
+	 * - the destination is not 4-byte aligned
+	 * - the length is not a multiple of 4-byte.
+	 * Avoid this alternance of write access size by using our own 'byte
+	 * access' helper if at least one of the two conditions above is true.
+	 */
+	if (IS_ALIGNED(len, sizeof(u32)) &&
+	    IS_ALIGNED((uintptr_t)dest, sizeof(u32)))
+		memcpy_toio(dest, src, len);
+	else
+		spear_smi_memcpy_toio_b(dest, src, len);
 
 	writel(ctrlreg1, dev->io_base + SMI_CR1);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 041/148] ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 040/148] mtd: spear_smi: Fix Write Burst mode Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 042/148] quota: fix livelock in dquot_writeback_dquots Ben Hutchings
                   ` (107 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Peter De Schrijver, Thierry Reding,
	Dmitry Osipenko

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Osipenko <digetx@gmail.com>

commit d70f7d31a9e2088e8a507194354d41ea10062994 upstream.

There is an unfortunate typo in the code that results in writing to
FLOW_CTLR_HALT instead of FLOW_CTLR_CSR.

Acked-by: Peter De Schrijver <pdeschrijver@nvidia.com>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-tegra/reset-handler.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm/mach-tegra/reset-handler.S
+++ b/arch/arm/mach-tegra/reset-handler.S
@@ -55,16 +55,16 @@ ENTRY(tegra_resume)
 	cmp	r6, #TEGRA20
 	beq	1f				@ Yes
 	/* Clear the flow controller flags for this CPU. */
-	cpu_to_csr_reg r1, r0
+	cpu_to_csr_reg r3, r0
 	mov32	r2, TEGRA_FLOW_CTRL_BASE
-	ldr	r1, [r2, r1]
+	ldr	r1, [r2, r3]
 	/* Clear event & intr flag */
 	orr	r1, r1, \
 		#FLOW_CTRL_CSR_INTR_FLAG | FLOW_CTRL_CSR_EVENT_FLAG
 	movw	r0, #0x3FFD	@ enable, cluster_switch, immed, bitmaps
 				@ & ext flags for CPU power mgnt
 	bic	r1, r1, r0
-	str	r1, [r2]
+	str	r1, [r2, r3]
 1:
 
 	mov32	r9, 0xc09


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 042/148] quota: fix livelock in dquot_writeback_dquots
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 041/148] ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 043/148] quota: Check that quota is not dirty before release Ben Hutchings
                   ` (106 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jan Kara, Dmitry Monakhov, Konstantin Khlebnikov

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>

commit 6ff33d99fc5c96797103b48b7b0902c296f09c05 upstream.

Write only quotas which are dirty at entry.

XFSTEST: https://github.com/dmonakhov/xfstests/commit/b10ad23566a5bf75832a6f500e1236084083cddc

Link: https://lore.kernel.org/r/20191031103920.3919-1-dmonakhov@openvz.org
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/quota/dquot.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -607,7 +607,7 @@ EXPORT_SYMBOL(dquot_scan_active);
 /* Write all dquot structures to quota files */
 int dquot_writeback_dquots(struct super_block *sb, int type)
 {
-	struct list_head *dirty;
+	struct list_head dirty;
 	struct dquot *dquot;
 	struct quota_info *dqopt = sb_dqopt(sb);
 	int cnt;
@@ -620,9 +620,10 @@ int dquot_writeback_dquots(struct super_
 		if (!sb_has_quota_active(sb, cnt))
 			continue;
 		spin_lock(&dq_list_lock);
-		dirty = &dqopt->info[cnt].dqi_dirty_list;
-		while (!list_empty(dirty)) {
-			dquot = list_first_entry(dirty, struct dquot,
+		/* Move list away to avoid livelock. */
+		list_replace_init(&dqopt->info[cnt].dqi_dirty_list, &dirty);
+		while (!list_empty(&dirty)) {
+			dquot = list_first_entry(&dirty, struct dquot,
 						 dq_dirty);
 			/* Dirty and inactive can be only bad dquot... */
 			if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 043/148] quota: Check that quota is not dirty before release
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 042/148] quota: fix livelock in dquot_writeback_dquots Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 044/148] scsi: core: scsi_trace: Use get_unaligned_be*() Ben Hutchings
                   ` (105 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dmitry Monakhov, Jan Kara

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>

commit df4bb5d128e2c44848aeb36b7ceceba3ac85080d upstream.

There is a race window where quota was redirted once we drop dq_list_lock inside dqput(),
but before we grab dquot->dq_lock inside dquot_release()

TASK1                                                       TASK2 (chowner)
->dqput()
  we_slept:
    spin_lock(&dq_list_lock)
    if (dquot_dirty(dquot)) {
          spin_unlock(&dq_list_lock);
          dquot->dq_sb->dq_op->write_dquot(dquot);
          goto we_slept
    if (test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) {
          spin_unlock(&dq_list_lock);
          dquot->dq_sb->dq_op->release_dquot(dquot);
                                                            dqget()
							    mark_dquot_dirty()
							    dqput()
          goto we_slept;
        }
So dquot dirty quota will be released by TASK1, but on next we_sleept loop
we detect this and call ->write_dquot() for it.
XFSTEST: https://github.com/dmonakhov/xfstests/commit/440a80d4cbb39e9234df4d7240aee1d551c36107

Link: https://lore.kernel.org/r/20191031103920.3919-2-dmonakhov@openvz.org
Signed-off-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ocfs2/quota_global.c  |  2 +-
 fs/quota/dquot.c         |  2 +-
 include/linux/quotaops.h | 10 ++++++++++
 3 files changed, 12 insertions(+), 2 deletions(-)

--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -714,7 +714,7 @@ static int ocfs2_release_dquot(struct dq
 
 	mutex_lock(&dquot->dq_lock);
 	/* Check whether we are not racing with some other dqget() */
-	if (atomic_read(&dquot->dq_count) > 1)
+	if (dquot_is_busy(dquot))
 		goto out;
 	/* Running from downconvert thread? Postpone quota processing to wq */
 	if (current == osb->dc_task) {
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -475,7 +475,7 @@ int dquot_release(struct dquot *dquot)
 
 	mutex_lock(&dquot->dq_lock);
 	/* Check whether we are not racing with some other dqget() */
-	if (atomic_read(&dquot->dq_count) > 1)
+	if (dquot_is_busy(dquot))
 		goto out_dqlock;
 	mutex_lock(&dqopt->dqio_mutex);
 	if (dqopt->ops[dquot->dq_id.type]->release_dqblk) {
--- a/include/linux/quotaops.h
+++ b/include/linux/quotaops.h
@@ -54,6 +54,16 @@ static inline struct dquot *dqgrab(struc
 	atomic_inc(&dquot->dq_count);
 	return dquot;
 }
+
+static inline bool dquot_is_busy(struct dquot *dquot)
+{
+	if (test_bit(DQ_MOD_B, &dquot->dq_flags))
+		return true;
+	if (atomic_read(&dquot->dq_count) > 1)
+		return true;
+	return false;
+}
+
 void dqput(struct dquot *dquot);
 int dquot_scan_active(struct super_block *sb,
 		      int (*fn)(struct dquot *dquot, unsigned long priv),


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 044/148] scsi: core: scsi_trace: Use get_unaligned_be*()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 043/148] quota: Check that quota is not dirty before release Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 045/148] blk-mq: fix deadlock when reading cpu_list Ben Hutchings
                   ` (104 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Bart Van Assche, Martin K. Petersen,
	Hannes Reinecke, Greg Kroah-Hartman, Christoph Hellwig,
	Douglas Gilbert, Colin Ian King

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bvanassche@acm.org>

commit b1335f5b0486f61fb66b123b40f8e7a98e49605d upstream.

This patch fixes an unintended sign extension on left shifts. From Colin
King: "Shifting a u8 left will cause the value to be promoted to an
integer. If the top bit of the u8 is set then the following conversion to
an u64 will sign extend the value causing the upper 32 bits to be set in
the result."

Fix this by using get_unaligned_be*() instead.

Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points")
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Link: https://lore.kernel.org/r/20191101211447.187151-1-bvanassche@acm.org
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_trace.c | 114 ++++++++++++--------------------------
 1 file changed, 34 insertions(+), 80 deletions(-)

--- a/drivers/scsi/scsi_trace.c
+++ b/drivers/scsi/scsi_trace.c
@@ -17,10 +17,11 @@
  */
 #include <linux/kernel.h>
 #include <linux/trace_seq.h>
+#include <asm/unaligned.h>
 #include <trace/events/scsi.h>
 
 #define SERVICE_ACTION16(cdb) (cdb[1] & 0x1f)
-#define SERVICE_ACTION32(cdb) ((cdb[8] << 8) | cdb[9])
+#define SERVICE_ACTION32(cdb) (get_unaligned_be16(&cdb[8]))
 
 static const char *
 scsi_trace_misc(struct trace_seq *, unsigned char *, int);
@@ -47,17 +48,12 @@ static const char *
 scsi_trace_rw10(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = p->buffer + p->len;
-	sector_t lba = 0, txlen = 0;
+	u32 lba, txlen;
 
-	lba |= (cdb[2] << 24);
-	lba |= (cdb[3] << 16);
-	lba |= (cdb[4] << 8);
-	lba |=  cdb[5];
-	txlen |= (cdb[7] << 8);
-	txlen |=  cdb[8];
+	lba = get_unaligned_be32(&cdb[2]);
+	txlen = get_unaligned_be16(&cdb[7]);
 
-	trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
-			 (unsigned long long)lba, (unsigned long long)txlen,
+	trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen,
 			 cdb[1] >> 5);
 
 	if (cdb[0] == WRITE_SAME)
@@ -72,19 +68,12 @@ static const char *
 scsi_trace_rw12(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = p->buffer + p->len;
-	sector_t lba = 0, txlen = 0;
+	u32 lba, txlen;
 
-	lba |= (cdb[2] << 24);
-	lba |= (cdb[3] << 16);
-	lba |= (cdb[4] << 8);
-	lba |=  cdb[5];
-	txlen |= (cdb[6] << 24);
-	txlen |= (cdb[7] << 16);
-	txlen |= (cdb[8] << 8);
-	txlen |=  cdb[9];
+	lba = get_unaligned_be32(&cdb[2]);
+	txlen = get_unaligned_be32(&cdb[6]);
 
-	trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
-			 (unsigned long long)lba, (unsigned long long)txlen,
+	trace_seq_printf(p, "lba=%u txlen=%u protect=%u", lba, txlen,
 			 cdb[1] >> 5);
 	trace_seq_putc(p, 0);
 
@@ -95,23 +84,13 @@ static const char *
 scsi_trace_rw16(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = p->buffer + p->len;
-	sector_t lba = 0, txlen = 0;
+	u64 lba;
+	u32 txlen;
 
-	lba |= ((u64)cdb[2] << 56);
-	lba |= ((u64)cdb[3] << 48);
-	lba |= ((u64)cdb[4] << 40);
-	lba |= ((u64)cdb[5] << 32);
-	lba |= (cdb[6] << 24);
-	lba |= (cdb[7] << 16);
-	lba |= (cdb[8] << 8);
-	lba |=  cdb[9];
-	txlen |= (cdb[10] << 24);
-	txlen |= (cdb[11] << 16);
-	txlen |= (cdb[12] << 8);
-	txlen |=  cdb[13];
+	lba = get_unaligned_be64(&cdb[2]);
+	txlen = get_unaligned_be32(&cdb[10]);
 
-	trace_seq_printf(p, "lba=%llu txlen=%llu protect=%u",
-			 (unsigned long long)lba, (unsigned long long)txlen,
+	trace_seq_printf(p, "lba=%llu txlen=%u protect=%u", lba, txlen,
 			 cdb[1] >> 5);
 
 	if (cdb[0] == WRITE_SAME_16)
@@ -126,8 +105,8 @@ static const char *
 scsi_trace_rw32(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = p->buffer + p->len, *cmd;
-	sector_t lba = 0, txlen = 0;
-	u32 ei_lbrt = 0;
+	u64 lba;
+	u32 ei_lbrt, txlen;
 
 	switch (SERVICE_ACTION32(cdb)) {
 	case READ_32:
@@ -147,26 +126,12 @@ scsi_trace_rw32(struct trace_seq *p, uns
 		goto out;
 	}
 
-	lba |= ((u64)cdb[12] << 56);
-	lba |= ((u64)cdb[13] << 48);
-	lba |= ((u64)cdb[14] << 40);
-	lba |= ((u64)cdb[15] << 32);
-	lba |= (cdb[16] << 24);
-	lba |= (cdb[17] << 16);
-	lba |= (cdb[18] << 8);
-	lba |=  cdb[19];
-	ei_lbrt |= (cdb[20] << 24);
-	ei_lbrt |= (cdb[21] << 16);
-	ei_lbrt |= (cdb[22] << 8);
-	ei_lbrt |=  cdb[23];
-	txlen |= (cdb[28] << 24);
-	txlen |= (cdb[29] << 16);
-	txlen |= (cdb[30] << 8);
-	txlen |=  cdb[31];
-
-	trace_seq_printf(p, "%s_32 lba=%llu txlen=%llu protect=%u ei_lbrt=%u",
-			 cmd, (unsigned long long)lba,
-			 (unsigned long long)txlen, cdb[10] >> 5, ei_lbrt);
+	lba = get_unaligned_be64(&cdb[12]);
+	ei_lbrt = get_unaligned_be32(&cdb[20]);
+	txlen = get_unaligned_be32(&cdb[28]);
+
+	trace_seq_printf(p, "%s_32 lba=%llu txlen=%u protect=%u ei_lbrt=%u",
+			 cmd, lba, txlen, cdb[10] >> 5, ei_lbrt);
 
 	if (SERVICE_ACTION32(cdb) == WRITE_SAME_32)
 		trace_seq_printf(p, " unmap=%u", cdb[10] >> 3 & 1);
@@ -181,7 +146,7 @@ static const char *
 scsi_trace_unmap(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = p->buffer + p->len;
-	unsigned int regions = cdb[7] << 8 | cdb[8];
+	unsigned int regions = get_unaligned_be16(&cdb[7]);
 
 	trace_seq_printf(p, "regions=%u", (regions - 8) / 16);
 	trace_seq_putc(p, 0);
@@ -193,8 +158,8 @@ static const char *
 scsi_trace_service_action_in(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = p->buffer + p->len, *cmd;
-	sector_t lba = 0;
-	u32 alloc_len = 0;
+	u64 lba;
+	u32 alloc_len;
 
 	switch (SERVICE_ACTION16(cdb)) {
 	case SAI_READ_CAPACITY_16:
@@ -208,21 +173,10 @@ scsi_trace_service_action_in(struct trac
 		goto out;
 	}
 
-	lba |= ((u64)cdb[2] << 56);
-	lba |= ((u64)cdb[3] << 48);
-	lba |= ((u64)cdb[4] << 40);
-	lba |= ((u64)cdb[5] << 32);
-	lba |= (cdb[6] << 24);
-	lba |= (cdb[7] << 16);
-	lba |= (cdb[8] << 8);
-	lba |=  cdb[9];
-	alloc_len |= (cdb[10] << 24);
-	alloc_len |= (cdb[11] << 16);
-	alloc_len |= (cdb[12] << 8);
-	alloc_len |=  cdb[13];
+	lba = get_unaligned_be64(&cdb[2]);
+	alloc_len = get_unaligned_be32(&cdb[10]);
 
-	trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd,
-			 (unsigned long long)lba, alloc_len);
+	trace_seq_printf(p, "%s lba=%llu alloc_len=%u", cmd, lba, alloc_len);
 
 out:
 	trace_seq_putc(p, 0);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 045/148] blk-mq: fix deadlock when reading cpu_list
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 044/148] scsi: core: scsi_trace: Use get_unaligned_be*() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 046/148] blk-mq: avoid sysfs buffer overflow with too many CPU cores Ben Hutchings
                   ` (103 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jens Axboe, Ming Lei, Akinobu Mita,
	Christoph Hellwig, Wanpeng Li

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Akinobu Mita <akinobu.mita@gmail.com>

commit 60de074ba1e8f327db19bc33d8530131ac01695d upstream.

CPU hotplug handling for blk-mq (blk_mq_queue_reinit) acquires
all_q_mutex in blk_mq_queue_reinit_notify() and then removes sysfs
entries by blk_mq_sysfs_unregister().  Removing sysfs entry needs to
be blocked until the active reference of the kernfs_node to be zero.

On the other hand, reading blk_mq_hw_sysfs_cpu sysfs entry (e.g.
/sys/block/nullb0/mq/0/cpu_list) acquires all_q_mutex in
blk_mq_hw_sysfs_cpus_show().

If these happen at the same time, a deadlock can happen.  Because one
can wait for the active reference to be zero with holding all_q_mutex,
and the other tries to acquire all_q_mutex with holding the active
reference.

The reason that all_q_mutex is acquired in blk_mq_hw_sysfs_cpus_show()
is to avoid reading an imcomplete hctx->cpumask.  Since reading sysfs
entry for blk-mq needs to acquire q->sysfs_lock, we can avoid deadlock
and reading an imcomplete hctx->cpumask by protecting q->sysfs_lock
while hctx->cpumask is being updated.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reviewed-by: Ming Lei <tom.leiming@gmail.com>
Cc: Ming Lei <tom.leiming@gmail.com>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/blk-mq-sysfs.c | 4 ----
 block/blk-mq.c       | 7 +++++++
 2 files changed, 7 insertions(+), 4 deletions(-)

--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -229,8 +229,6 @@ static ssize_t blk_mq_hw_sysfs_cpus_show
 	unsigned int i, first = 1;
 	ssize_t ret = 0;
 
-	blk_mq_disable_hotplug();
-
 	for_each_cpu(i, hctx->cpumask) {
 		if (first)
 			ret += sprintf(ret + page, "%u", i);
@@ -240,8 +238,6 @@ static ssize_t blk_mq_hw_sysfs_cpus_show
 		first = 0;
 	}
 
-	blk_mq_enable_hotplug();
-
 	ret += sprintf(ret + page, "\n");
 	return ret;
 }
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1645,6 +1645,11 @@ static void blk_mq_map_swqueue(struct re
 	struct blk_mq_ctx *ctx;
 	struct blk_mq_tag_set *set = q->tag_set;
 
+	/*
+	 * Avoid others reading imcomplete hctx->cpumask through sysfs
+	 */
+	mutex_lock(&q->sysfs_lock);
+
 	queue_for_each_hw_ctx(q, hctx, i) {
 		cpumask_clear(hctx->cpumask);
 		hctx->nr_ctx = 0;
@@ -1664,6 +1669,8 @@ static void blk_mq_map_swqueue(struct re
 		hctx->ctxs[hctx->nr_ctx++] = ctx;
 	}
 
+	mutex_unlock(&q->sysfs_lock);
+
 	queue_for_each_hw_ctx(q, hctx, i) {
 		/*
 		 * If not software queues are mapped to this hardware queue,


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 046/148] blk-mq: avoid sysfs buffer overflow with too many CPU cores
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 045/148] blk-mq: fix deadlock when reading cpu_list Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 047/148] iio: imu: adis16480: assign bias value only if operation succeeded Ben Hutchings
                   ` (102 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Ming Lei, Jens Axboe

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Lei <ming.lei@redhat.com>

commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream.

It is reported that sysfs buffer overflow can be triggered if the system
has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of
hctx via /sys/block/$DEV/mq/$N/cpu_list.

Use snprintf to avoid the potential buffer overflow.

This version doesn't change the attribute format, and simply stops
showing CPU numbers if the buffer is going to overflow.

Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/blk-mq-sysfs.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -226,20 +226,25 @@ static ssize_t blk_mq_hw_sysfs_active_sh
 
 static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page)
 {
+	const size_t size = PAGE_SIZE - 1;
 	unsigned int i, first = 1;
-	ssize_t ret = 0;
+	int ret = 0, pos = 0;
 
 	for_each_cpu(i, hctx->cpumask) {
 		if (first)
-			ret += sprintf(ret + page, "%u", i);
+			ret = snprintf(pos + page, size - pos, "%u", i);
 		else
-			ret += sprintf(ret + page, ", %u", i);
+			ret = snprintf(pos + page, size - pos, ", %u", i);
+
+		if (ret >= size - pos)
+			break;
 
 		first = 0;
+		pos += ret;
 	}
 
-	ret += sprintf(ret + page, "\n");
-	return ret;
+	ret = snprintf(pos + page, size - pos, "\n");
+	return pos + ret;
 }
 
 static struct blk_mq_ctx_sysfs_entry blk_mq_sysfs_dispatched = {


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 047/148] iio: imu: adis16480: assign bias value only if operation succeeded
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 046/148] blk-mq: avoid sysfs buffer overflow with too many CPU cores Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 048/148] blk-mq: make sure that line break can be printed Ben Hutchings
                   ` (101 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jonathan Cameron, Alexandru Ardelean

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandru Ardelean <alexandru.ardelean@analog.com>

commit 9b742763d9d4195e823ae6ece760c9ed0500c1dc upstream.

This was found only after the whole thing with the inline functions, but
the compiler actually found something. The value of the `bias` (in
adis16480_get_calibbias()) should only be set if the read operation was
successful.

No actual known problem occurs as users of this function all
ultimately check the return value.  Hence probably not stable material.

Fixes: 2f3abe6cbb6c9 ("iio:imu: Add support for the ADIS16480 and similar IMUs")
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/imu/adis16480.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/iio/imu/adis16480.c
+++ b/drivers/iio/imu/adis16480.c
@@ -405,12 +405,14 @@ static int adis16480_get_calibbias(struc
 	case IIO_MAGN:
 	case IIO_PRESSURE:
 		ret = adis_read_reg_16(&st->adis, reg, &val16);
-		*bias = sign_extend32(val16, 15);
+		if (ret == 0)
+			*bias = sign_extend32(val16, 15);
 		break;
 	case IIO_ANGL_VEL:
 	case IIO_ACCEL:
 		ret = adis_read_reg_32(&st->adis, reg, &val32);
-		*bias = sign_extend32(val32, 31);
+		if (ret == 0)
+			*bias = sign_extend32(val32, 31);
 		break;
 	default:
 			ret = -EINVAL;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 048/148] blk-mq: make sure that line break can be printed
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 047/148] iio: imu: adis16480: assign bias value only if operation succeeded Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 049/148] tty: serial: msm_serial: Fix flow control Ben Hutchings
                   ` (100 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jens Axboe, Ming Lei

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Lei <ming.lei@redhat.com>

commit d2c9be89f8ebe7ebcc97676ac40f8dec1cf9b43a upstream.

8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
avoids sysfs buffer overflow, and reserves one character for line break.
However, the last snprintf() doesn't get correct 'size' parameter passed
in, so fixed it.

Fixes: 8962842ca5ab ("blk-mq: avoid sysfs buffer overflow with too many CPU cores")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/blk-mq-sysfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -243,7 +243,7 @@ static ssize_t blk_mq_hw_sysfs_cpus_show
 		pos += ret;
 	}
 
-	ret = snprintf(pos + page, size - pos, "\n");
+	ret = snprintf(pos + page, size + 1 - pos, "\n");
 	return pos + ret;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 049/148] tty: serial: msm_serial: Fix flow control
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 048/148] blk-mq: make sure that line break can be printed Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 050/148] ext2: check err when partial != NULL Ben Hutchings
                   ` (99 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Jeffrey Hugo,
	Bjorn Andersson, Andy Gross

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>

commit b027ce258369cbfa88401a691c23dad01deb9f9b upstream.

hci_qca interfaces to the wcn3990 via a uart_dm on the msm8998 mtp and
Lenovo Miix 630 laptop.  As part of initializing the wcn3990, hci_qca
disables flow, configures the uart baudrate, and then reenables flow - at
which point an event is expected to be received over the uart from the
wcn3990.  It is observed that this event comes after the baudrate change
but before hci_qca re-enables flow. This is unexpected, and is a result of
msm_reset() being broken.

According to the uart_dm hardware documentation, it is recommended that
automatic hardware flow control be enabled by setting RX_RDY_CTL.  Auto
hw flow control will manage RFR based on the configured watermark.  When
there is space to receive data, the hw will assert RFR.  When the watermark
is hit, the hw will de-assert RFR.

The hardware documentation indicates that RFR can me manually managed via
CR when RX_RDY_CTL is not set.  SET_RFR asserts RFR, and RESET_RFR
de-asserts RFR.

msm_reset() is broken because after resetting the hardware, it
unconditionally asserts RFR via SET_RFR.  This enables flow regardless of
the current configuration, and would undo a previous flow disable
operation.  It should instead de-assert RFR via RESET_RFR to block flow
until the hardware is reconfigured.  msm_serial should rely on the client
to specify that flow should be enabled, either via mctrl() or the termios
structure, and only assert RFR in response to those triggers.

Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Reviewed-by: Andy Gross <agross@kernel.org>
Link: https://lore.kernel.org/r/20191021154616.25457-1-jeffrey.l.hugo@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/msm_serial.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -316,6 +316,7 @@ static unsigned int msm_get_mctrl(struct
 static void msm_reset(struct uart_port *port)
 {
 	struct msm_port *msm_port = UART_TO_MSM(port);
+	unsigned int mr;
 
 	/* reset everything */
 	msm_write(port, UART_CR_CMD_RESET_RX, UART_CR);
@@ -323,7 +324,10 @@ static void msm_reset(struct uart_port *
 	msm_write(port, UART_CR_CMD_RESET_ERR, UART_CR);
 	msm_write(port, UART_CR_CMD_RESET_BREAK_INT, UART_CR);
 	msm_write(port, UART_CR_CMD_RESET_CTS, UART_CR);
-	msm_write(port, UART_CR_CMD_SET_RFR, UART_CR);
+	msm_write(port, UART_CR_CMD_RESET_RFR, UART_CR);
+	mr = msm_read(port, UART_MR1);
+	mr &= ~UART_MR1_RX_RDY_CTL;
+	msm_write(port, mr, UART_MR1);
 
 	/* Disable DM modes */
 	if (msm_port->is_uartdm)


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 050/148] ext2: check err when partial != NULL
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 049/148] tty: serial: msm_serial: Fix flow control Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 051/148] media: radio: wl1273: fix interrupt masking on release Ben Hutchings
                   ` (98 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Chengguang Xu, Jan Kara

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chengguang Xu <cgxu519@mykernel.net>

commit e705f4b8aa27a59f8933e8f384e9752f052c469c upstream.

Check err when partial == NULL is meaningless because
partial == NULL means getting branch successfully without
error.

Link: https://lore.kernel.org/r/20191105045100.7104-1-cgxu519@mykernel.net
Signed-off-by: Chengguang Xu <cgxu519@mykernel.net>
Signed-off-by: Jan Kara <jack@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext2/inode.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -696,11 +696,14 @@ static int ext2_get_blocks(struct inode
 		if (!partial) {
 			count++;
 			mutex_unlock(&ei->truncate_mutex);
-			if (err)
-				goto cleanup;
 			clear_buffer_new(bh_result);
 			goto got_it;
 		}
+
+		if (err) {
+			mutex_unlock(&ei->truncate_mutex);
+			goto cleanup;
+		}
 	}
 
 	/*


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 051/148] media: radio: wl1273: fix interrupt masking on release
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (49 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 050/148] ext2: check err when partial != NULL Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 052/148] media: exynos4-is: Fix recursive locking in isp_video_release() Ben Hutchings
                   ` (97 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Mauro Carvalho Chehab,
	Hans Verkuil, Matti Aaltonen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 1091eb830627625dcf79958d99353c2391f41708 upstream.

If a process is interrupted while accessing the radio device and the
core lock is contended, release() could return early and fail to update
the interrupt mask.

Note that the return value of the v4l2 release file operation is
ignored.

Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver")
Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/radio/radio-wl1273.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/radio/radio-wl1273.c
+++ b/drivers/media/radio/radio-wl1273.c
@@ -1142,8 +1142,7 @@ static int wl1273_fm_fops_release(struct
 	if (radio->rds_users > 0) {
 		radio->rds_users--;
 		if (radio->rds_users == 0) {
-			if (mutex_lock_interruptible(&core->lock))
-				return -EINTR;
+			mutex_lock(&core->lock);
 
 			radio->irq_flags &= ~WL1273_RDS_EVENT;
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 052/148] media: exynos4-is: Fix recursive locking in isp_video_release()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 051/148] media: radio: wl1273: fix interrupt masking on release Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 053/148] staging: rtl8192e: fix potential use after free Ben Hutchings
                   ` (96 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Seung-Woo Kim, Sylwester Nawrocki,
	Mauro Carvalho Chehab, Hans Verkuil

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Seung-Woo Kim <sw0312.kim@samsung.com>

commit 704c6c80fb471d1bb0ef0d61a94617d1d55743cd upstream.

>From isp_video_release(), &isp->video_lock is held and subsequent
vb2_fop_release() tries to lock vdev->lock which is same with the
previous one. Replace vb2_fop_release() with _vb2_fop_release() to
fix the recursive locking.

Fixes: 1380f5754cb0 ("[media] videobuf2: Add missing lock held on vb2_fop_release")
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/platform/exynos4-is/fimc-isp-video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
+++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
@@ -322,7 +322,7 @@ static int isp_video_release(struct file
 		ivc->streaming = 0;
 	}
 
-	vb2_fop_release(file);
+	_vb2_fop_release(file, NULL);
 
 	if (v4l2_fh_is_singular_file(file)) {
 		fimc_pipeline_call(&ivc->ve, close);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 053/148] staging: rtl8192e: fix potential use after free
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 052/148] media: exynos4-is: Fix recursive locking in isp_video_release() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 054/148] jbd2: Fix possible overflow in jbd2_log_space_left() Ben Hutchings
                   ` (95 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Dan Carpenter, Pan Bian

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit b7aa39a2ed0112d07fc277ebd24a08a7b2368ab9 upstream.

The variable skb is released via kfree_skb() when the return value of
_rtl92e_tx is not zero. However, after that, skb is accessed again to
read its length, which may result in a use after free bug. This patch
fixes the bug by moving the release operation to where skb is never
used later.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/1572965351-6745-1-git-send-email-bianpan2016@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
@@ -1884,8 +1884,6 @@ void rtl8192_hard_data_xmit(struct sk_bu
 	memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev));
 	skb_push(skb, priv->rtllib->tx_headroom);
 	ret = rtl8192_tx(dev, skb);
-	if (ret != 0)
-		kfree_skb(skb);
 
 	if (queue_index != MGNT_QUEUE) {
 		priv->rtllib->stats.tx_bytes += (skb->len -
@@ -1893,6 +1891,9 @@ void rtl8192_hard_data_xmit(struct sk_bu
 		priv->rtllib->stats.tx_packets++;
 	}
 
+	if (ret != 0)
+		kfree_skb(skb);
+
 	return;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 054/148] jbd2: Fix possible overflow in jbd2_log_space_left()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 053/148] staging: rtl8192e: fix potential use after free Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 055/148] bnx2x: Enable Multi-Cos feature Ben Hutchings
                   ` (94 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Theodore Ts'o, Jan Kara

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream.

When number of free space in the journal is very low, the arithmetic in
jbd2_log_space_left() could underflow resulting in very high number of
free blocks and thus triggering assertion failure in transaction commit
code complaining there's not enough space in the journal:

J_ASSERT(journal->j_free > 1);

Properly check for the low number of free blocks.

Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/jbd2.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/jbd2.h
+++ b/include/linux/jbd2.h
@@ -1340,7 +1340,7 @@ static inline int jbd2_space_needed(jour
 static inline unsigned long jbd2_log_space_left(journal_t *journal)
 {
 	/* Allow for rounding errors */
-	unsigned long free = journal->j_free - 32;
+	long free = journal->j_free - 32;
 
 	if (journal->j_committing_transaction) {
 		unsigned long committing = atomic_read(&journal->
@@ -1349,7 +1349,7 @@ static inline unsigned long jbd2_log_spa
 		/* Transaction + control blocks */
 		free -= committing + (committing >> JBD2_CONTROL_BLOCKS_SHIFT);
 	}
-	return free;
+	return max_t(long, free, 0);
 }
 
 /*


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 055/148] bnx2x: Enable Multi-Cos feature.
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 054/148] jbd2: Fix possible overflow in jbd2_log_space_left() Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 056/148] PM / devfreq: Lock devfreq in trans_stat_show Ben Hutchings
                   ` (93 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Ariel Elior,
	Sudarsana Reddy Kalluru

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sudarsana Reddy Kalluru <skalluru@marvell.com>

commit 069e47823fff2c634b2d46a328b5096fdc8c2a0c upstream.

FW version 7.13.15 addresses the issue in Multi-cos implementation.
This patch re-enables the Multi-Cos support in the driver.

Fixes: d1f0b5dce8fd ("bnx2x: Disable multi-cos feature.")
Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
Signed-off-by: Ariel Elior <aelior@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Keep calling fallback()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -1914,7 +1914,8 @@ u16 bnx2x_select_queue(struct net_device
 	}
 
 	/* select a non-FCoE queue */
-	return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp));
+	return fallback(dev, skb) %
+			(BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
 }
 
 void bnx2x_set_num_queues(struct bnx2x *bp)


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 056/148] PM / devfreq: Lock devfreq in trans_stat_show
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 055/148] bnx2x: Enable Multi-Cos feature Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 057/148] scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) Ben Hutchings
                   ` (92 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Chanwoo Choi, Leonard Crestez, Matthias Kaehlcke

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Leonard Crestez <leonard.crestez@nxp.com>

commit 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 upstream.

There is no locking in this sysfs show function so stats printing can
race with a devfreq_update_status called as part of freq switching or
with initialization.

Also add an assert in devfreq_update_status to make it clear that lock
must be held by caller.

Fixes: 39688ce6facd ("PM / devfreq: account suspend/resume for stats")
Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -95,6 +95,7 @@ static int devfreq_update_status(struct
 	int lev, prev_lev, ret = 0;
 	unsigned long cur_time;
 
+	lockdep_assert_held(&devfreq->lock);
 	cur_time = jiffies;
 
 	prev_lev = devfreq_get_freq_level(devfreq, devfreq->previous_freq);
@@ -1054,9 +1055,13 @@ static ssize_t trans_stat_show(struct de
 	int i, j;
 	unsigned int max_state = devfreq->profile->max_state;
 
+	mutex_lock(&devfreq->lock);
 	if (!devfreq->stop_polling &&
-			devfreq_update_status(devfreq, devfreq->previous_freq))
+			devfreq_update_status(devfreq, devfreq->previous_freq)) {
+		mutex_unlock(&devfreq->lock);
 		return 0;
+	}
+	mutex_unlock(&devfreq->lock);
 
 	len = sprintf(buf, "   From  :   To\n");
 	len += sprintf(buf + len, "         :");


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 057/148] scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6)
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 056/148] PM / devfreq: Lock devfreq in trans_stat_show Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 058/148] USB: serial: mos7840: add USB ID to support Moxa UPort 2210 Ben Hutchings
                   ` (91 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Christoph Hellwig, Douglas Gilbert,
	Hannes Reinecke, Bart Van Assche, Martin K. Petersen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bvanassche@acm.org>

commit f6b8540f40201bff91062dd64db8e29e4ddaaa9d upstream.

According to SBC-2 a TRANSFER LENGTH field of zero means that 256 logical
blocks must be transferred. Make the SCSI tracing code follow SBC-2.

Fixes: bf8162354233 ("[SCSI] add scsi trace core functions and put trace points")
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Douglas Gilbert <dgilbert@interlog.com>
Link: https://lore.kernel.org/r/20191105215553.185018-1-bvanassche@acm.org
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_trace.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/scsi/scsi_trace.c
+++ b/drivers/scsi/scsi_trace.c
@@ -30,15 +30,18 @@ static const char *
 scsi_trace_rw6(struct trace_seq *p, unsigned char *cdb, int len)
 {
 	const char *ret = p->buffer + p->len;
-	sector_t lba = 0, txlen = 0;
+	u32 lba = 0, txlen;
 
 	lba |= ((cdb[1] & 0x1F) << 16);
 	lba |=  (cdb[2] << 8);
 	lba |=   cdb[3];
-	txlen = cdb[4];
+	/*
+	 * From SBC-2: a TRANSFER LENGTH field set to zero specifies that 256
+	 * logical blocks shall be read (READ(6)) or written (WRITE(6)).
+	 */
+	txlen = cdb[4] ? cdb[4] : 256;
 
-	trace_seq_printf(p, "lba=%llu txlen=%llu",
-			 (unsigned long long)lba, (unsigned long long)txlen);
+	trace_seq_printf(p, "lba=%u txlen=%u", lba, txlen);
 	trace_seq_putc(p, 0);
 
 	return ret;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 058/148] USB: serial: mos7840: add USB ID to support Moxa UPort 2210
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 057/148] scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 059/148] perf probe: Fix to handle optimized not-inlined functions Ben Hutchings
                   ` (90 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johan Hovold, Pavel Löbl

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Löbl <pavel@loebl.cz>

commit e696d00e65e81d46e911f24b12e441037bf11b38 upstream.

Add USB ID for MOXA UPort 2210. This device contains mos7820 but
it passes GPIO0 check implemented by driver and it's detected as
mos7840. Hence product id check is added to force mos7820 mode.

Signed-off-by: Pavel Löbl <pavel@loebl.cz>
[ johan: rename id defines and add vendor-id check ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7840.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -131,11 +131,15 @@
 /* This driver also supports
  * ATEN UC2324 device using Moschip MCS7840
  * ATEN UC2322 device using Moschip MCS7820
+ * MOXA UPort 2210 device using Moschip MCS7820
  */
 #define USB_VENDOR_ID_ATENINTL		0x0557
 #define ATENINTL_DEVICE_ID_UC2324	0x2011
 #define ATENINTL_DEVICE_ID_UC2322	0x7820
 
+#define USB_VENDOR_ID_MOXA		0x110a
+#define MOXA_DEVICE_ID_2210		0x2210
+
 /* Interrupt Routine Defines    */
 
 #define SERIAL_IIR_RLS      0x06
@@ -206,6 +210,7 @@ static const struct usb_device_id id_tab
 	{USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL2_4)},
 	{USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2324)},
 	{USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2322)},
+	{USB_DEVICE(USB_VENDOR_ID_MOXA, MOXA_DEVICE_ID_2210)},
 	{}			/* terminating entry */
 };
 MODULE_DEVICE_TABLE(usb, id_table);
@@ -2139,6 +2144,7 @@ static int mos7840_probe(struct usb_seri
 				const struct usb_device_id *id)
 {
 	u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
+	u16 vid = le16_to_cpu(serial->dev->descriptor.idVendor);
 	u8 *buf;
 	int device_type;
 
@@ -2148,6 +2154,11 @@ static int mos7840_probe(struct usb_seri
 		goto out;
 	}
 
+	if (vid == USB_VENDOR_ID_MOXA && product == MOXA_DEVICE_ID_2210) {
+		device_type = MOSCHIP_DEVICE_ID_7820;
+		goto out;
+	}
+
 	buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 059/148] perf probe: Fix to handle optimized not-inlined functions
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 058/148] USB: serial: mos7840: add USB ID to support Moxa UPort 2210 Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:19 ` [PATCH 3.16 060/148] perf probe: Fix to show lines of sys_ functions correctly Ben Hutchings
                   ` (89 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Masami Hiramatsu, Peter Zijlstra,
	Arnaldo Carvalho de Melo, Namhyung Kim

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>

commit e1ecbbc3fa834cc6b4b344edb1968e734d57189b upstream.

Fix to handle optimized no-inline functions which have only function
definition but no actual instance at that point.

To fix this problem, we need to find actual instance of the function.

Without this patch:
  ----
  # perf probe -a __up
  Failed to get entry address of __up.
    Error: Failed to add events.
  # perf probe -L __up
  Specified source line is not found.
    Error: Failed to show lines.
  ----

With this patch:
  ----
  # perf probe -a __up
  Added new event:
    probe:__up           (on __up)

  You can now use it in all perf tools, such as:

          perf record -e probe:__up -aR sleep 1

  # perf probe -L __up
  <__up@/home/fedora/ksrc/linux-3/kernel/locking/semaphore.c:0>
        0  static noinline void __sched __up(struct semaphore *sem)
           {
                  struct semaphore_waiter *waiter = list_first_entry(&sem->wait_
                                                          struct semaphore_waite
        4         list_del(&waiter->list);
        5         waiter->up = true;
        6         wake_up_process(waiter->task);
        7  }
  ----

Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20150130093744.30575.43290.stgit@localhost.localdomain
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c    | 15 +++++++++++++++
 tools/perf/util/dwarf-aux.h    |  3 +++
 tools/perf/util/probe-finder.c | 12 ++++--------
 3 files changed, 22 insertions(+), 8 deletions(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -278,6 +278,21 @@ bool die_is_func_def(Dwarf_Die *dw_die)
 }
 
 /**
+ * die_is_func_instance - Ensure that this DIE is an instance of a subprogram
+ * @dw_die: a DIE
+ *
+ * Ensure that this DIE is an instance (which has an entry address).
+ * This returns true if @dw_die is a function instance. If not, you need to
+ * call die_walk_instances() to find actual instances.
+ **/
+bool die_is_func_instance(Dwarf_Die *dw_die)
+{
+	Dwarf_Addr tmp;
+
+	/* Actually gcc optimizes non-inline as like as inlined */
+	return !dwarf_func_inline(dw_die) && dwarf_entrypc(dw_die, &tmp) == 0;
+}
+/**
  * die_get_data_member_location - Get the data-member offset
  * @mb_die: a DIE of a member of a data structure
  * @offs: The offset of the member in the data structure
--- a/tools/perf/util/dwarf-aux.h
+++ b/tools/perf/util/dwarf-aux.h
@@ -41,6 +41,9 @@ extern int cu_walk_functions_at(Dwarf_Di
 /* Ensure that this DIE is a subprogram and definition (not declaration) */
 extern bool die_is_func_def(Dwarf_Die *dw_die);
 
+/* Ensure that this DIE is an instance of a subprogram */
+extern bool die_is_func_instance(Dwarf_Die *dw_die);
+
 /* Compare diename and tname */
 extern bool die_compare_name(Dwarf_Die *dw_die, const char *tname);
 
--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -909,17 +909,13 @@ static int probe_point_search_cb(Dwarf_D
 		dwarf_decl_line(sp_die, &pf->lno);
 		pf->lno += pp->line;
 		param->retval = find_probe_point_by_line(pf);
-	} else if (!dwarf_func_inline(sp_die)) {
+	} else if (die_is_func_instance(sp_die)) {
+		/* Instances always have the entry address */
+		dwarf_entrypc(sp_die, &pf->addr);
 		/* Real function */
 		if (pp->lazy_line)
 			param->retval = find_probe_point_lazy(sp_die, pf);
 		else {
-			if (dwarf_entrypc(sp_die, &pf->addr) != 0) {
-				pr_warning("Failed to get entry address of "
-					   "%s.\n", dwarf_diename(sp_die));
-				param->retval = -ENOENT;
-				return DWARF_CB_ABORT;
-			}
 			pf->addr += pp->offset;
 			/* TODO: Check the address in this function */
 			param->retval = call_probe_finder(sp_die, pf);
@@ -1514,7 +1510,7 @@ static int line_range_search_cb(Dwarf_Di
 		pr_debug("New line range: %d to %d\n", lf->lno_s, lf->lno_e);
 		lr->start = lf->lno_s;
 		lr->end = lf->lno_e;
-		if (dwarf_func_inline(sp_die))
+		if (!die_is_func_instance(sp_die))
 			param->retval = die_walk_instances(sp_die,
 						line_range_inline_cb, lf);
 		else


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 060/148] perf probe: Fix to show lines of sys_ functions correctly
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 059/148] perf probe: Fix to handle optimized not-inlined functions Ben Hutchings
@ 2020-02-08 18:19 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 061/148] perf probe: Fix to add missed brace around if block Ben Hutchings
                   ` (88 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:19 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Masami Hiramatsu, Jiri Olsa, David Ahern,
	Arnaldo Carvalho de Melo, Arnaldo Carvalho de Melo, Namhyung Kim

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>

commit 75186a9b09e47072f442f43e292cd47180b67b5c upstream.

"perf probe --lines sys_poll" shows only the first line of sys_poll,
because the SYSCALL_DEFINE macro:

  ----
  SYSCALL_DEFINE*(foo,...)
  {
    body;
  }
  ----

  is expanded as below (on debuginfo)

  ----

  static inline int SYSC_foo(...)
  {
    body;
  }
  int SyS_foo(...) <- is an alias of sys_foo.
  {
    return SYSC_foo(...);
  }
  ----

So, "perf probe --lines sys_foo" decodes SyS_foo function and it also skips
inlined functions(SYSC_foo) inside the target function because those functions
are usually defined somewhere else.

To fix this issue, this fix checks whether the inlined function is defined at
the same point of the target function, and if so, it doesn't skip the inline
function.

Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lkml.kernel.org/r/20150812012406.11811.94691.stgit@localhost.localdomain
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -681,15 +681,18 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 	Dwarf_Lines *lines;
 	Dwarf_Line *line;
 	Dwarf_Addr addr;
-	const char *fname;
+	const char *fname, *decf = NULL;
 	int lineno, ret = 0;
+	int decl = 0, inl;
 	Dwarf_Die die_mem, *cu_die;
 	size_t nlines, i;
 
 	/* Get the CU die */
-	if (dwarf_tag(rt_die) != DW_TAG_compile_unit)
+	if (dwarf_tag(rt_die) != DW_TAG_compile_unit) {
 		cu_die = dwarf_diecu(rt_die, &die_mem, NULL, NULL);
-	else
+		dwarf_decl_line(rt_die, &decl);
+		decf = dwarf_decl_file(rt_die);
+	} else
 		cu_die = rt_die;
 	if (!cu_die) {
 		pr_debug2("Failed to get CU from given DIE.\n");
@@ -720,9 +723,14 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 			 * The line is included in given function, and
 			 * no inline block includes it.
 			 */
-			if (!dwarf_haspc(rt_die, addr) ||
-			    die_find_inlinefunc(rt_die, addr, &die_mem))
+			if (!dwarf_haspc(rt_die, addr))
 				continue;
+			if (die_find_inlinefunc(rt_die, addr, &die_mem)) {
+				dwarf_decl_line(&die_mem, &inl);
+				if (inl != decl ||
+				    decf != dwarf_decl_file(&die_mem))
+					continue;
+			}
 		/* Get source line */
 		fname = dwarf_linesrc(line, NULL, NULL);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 061/148] perf probe: Fix to add missed brace around if block
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2020-02-08 18:19 ` [PATCH 3.16 060/148] perf probe: Fix to show lines of sys_ functions correctly Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 062/148] perf probe: Skip if the function address is 0 Ben Hutchings
                   ` (87 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, David Ahern,
	Masami Hiramatsu, Jiri Olsa, Arnaldo Carvalho de Melo

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>

commit 86a76027457633488b0a83d5e2bb944159885605 upstream.

The commit 75186a9b09e4 (perf probe: Fix to show lines of sys_ functions
correctly) introduced a bug by a missed brace around if block. This
fixes to add it.

Signed-off-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Fixes: 75186a9b09e4 ("perf probe: Fix to show lines of sys_ functions correctly")
Link: http://lkml.kernel.org/r/20150812215541.9088.62425.stgit@localhost.localdomain
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -717,7 +717,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 			continue;
 		}
 		/* Filter lines based on address */
-		if (rt_die != cu_die)
+		if (rt_die != cu_die) {
 			/*
 			 * Address filtering
 			 * The line is included in given function, and
@@ -731,6 +731,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 				    decf != dwarf_decl_file(&die_mem))
 					continue;
 			}
+		}
 		/* Get source line */
 		fname = dwarf_linesrc(line, NULL, NULL);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 062/148] perf probe: Skip if the function address is 0
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 061/148] perf probe: Fix to add missed brace around if block Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 063/148] perf probe: Fix to find range-only function instance Ben Hutchings
                   ` (86 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Thomas Gleixner, Jiri Olsa,
	Masami Hiramatsu, Arnaldo Carvalho de Melo, David Ahern,
	Peter Zijlstra

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 0ad45b33c58dca60dec7e1fb44766753bc4a7a38 upstream.

Skip probes if the entry address of the target function is 0.  This can
happen when we're handling C++ debuginfo files.

E.g. without this fix, below case still fail.
  ----
  $ ./perf probe -x /usr/lib64/libstdc++.so.6 -vD is_open
  probe-definition(0): is_open
  symbol:is_open file:(null) line:0 offset:0 return:0 lazy:(null)
  0 arguments
  symbol:catch file:(null) line:0 offset:0 return:0 lazy:(null)
  symbol:throw file:(null) line:0 offset:0 return:0 lazy:(null)
  symbol:rethrow file:(null) line:0 offset:0 return:0 lazy:(null)
  Open Debuginfo file: /usr/lib/debug/usr/lib64/libstdc++.so.6.0.22.debug
  Try to find probe point from debuginfo.
  Matched function: is_open [295df]
  found inline addr: 0x8ca80
  Probe point found: is_open+0
  found inline addr: 0x8ca70
  Probe point found: is_open+0
  found inline addr: 0x8ca60
  Probe point found: is_open+0
  Matched function: is_open [6527f]
  Matched function: is_open [9fe8a]
  Probe point found: is_open+0
  Matched function: is_open [19710b]
  found inline addr: 0xecca9
  Probe point found: stdio_filebuf+57
  found inline addr: 0x0
  Probe point found: swap+0
  Matched function: is_open [19fc9d]
  Probe point found: is_open+0
  Found 7 probe_trace_events.
  p:probe_libstdc++/is_open /usr/lib64/libstdc++.so.6.0.22:0x8ca80
  p:probe_libstdc++/is_open_1 /usr/lib64/libstdc++.so.6.0.22:0x8ca70
  p:probe_libstdc++/is_open_2 /usr/lib64/libstdc++.so.6.0.22:0x8ca60
  p:probe_libstdc++/is_open_3 /usr/lib64/libstdc++.so.6.0.22:0xb0ad0
  p:probe_libstdc++/is_open_4 /usr/lib64/libstdc++.so.6.0.22:0xecca9
  Failed to synthesize probe trace event.
    Error: Failed to add events. Reason: Invalid argument (Code: -22)
  ----
This is because some instances have entry_pc == 0 (see 19710b and
19fc9d). With this fix, those are skipped.

  ----
  $ ./perf probe -x /usr/lib64/libstdc++.so.6 -D is_open
  p:probe_libstdc++/is_open /usr/lib64/libstdc++.so.6.0.22:0x8ca80
  p:probe_libstdc++/is_open_1 /usr/lib64/libstdc++.so.6.0.22:0x8ca70
  p:probe_libstdc++/is_open_2 /usr/lib64/libstdc++.so.6.0.22:0x8ca60
  p:probe_libstdc++/is_open_3 /usr/lib64/libstdc++.so.6.0.22:0xb0ad0
  p:probe_libstdc++/is_open_4 /usr/lib64/libstdc++.so.6.0.22:0xecca9
  ----

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Tested-by: Jiri Olsa <jolsa@kernel.org>
Cc: David Ahern <dsahern@gmail.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/147464490707.29804.14277897643725143867.stgit@devbox
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/probe-finder.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -871,6 +871,11 @@ static int probe_point_inline_cb(Dwarf_D
 				   dwarf_diename(in_die));
 			return -ENOENT;
 		}
+		if (addr == 0) {
+			pr_debug("%s has no valid entry address. skipped.\n",
+				 dwarf_diename(in_die));
+			return -ENOENT;
+		}
 		pf->addr = addr;
 		pf->addr += pp->offset;
 		pr_debug("found inline addr: 0x%jx\n",
@@ -912,8 +917,13 @@ static int probe_point_search_cb(Dwarf_D
 	} else if (die_is_func_instance(sp_die)) {
 		/* Instances always have the entry address */
 		dwarf_entrypc(sp_die, &pf->addr);
+		/* But in some case the entry address is 0 */
+		if (pf->addr == 0) {
+			pr_debug("%s has no entry PC. Skipped\n",
+				 dwarf_diename(sp_die));
+			param->retval = 0;
 		/* Real function */
-		if (pp->lazy_line)
+		} else if (pp->lazy_line)
 			param->retval = find_probe_point_lazy(sp_die, pf);
 		else {
 			pf->addr += pp->offset;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 063/148] perf probe: Fix to find range-only function instance
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 062/148] perf probe: Skip if the function address is 0 Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 064/148] perf probe: Fix to show function entry line as probe-able Ben Hutchings
                   ` (85 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Jiri Olsa, Masami Hiramatsu,
	Arnaldo Carvalho de Melo

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit b77afa1f810f37bd8a36cb1318178dfe2d7af6b6 upstream.

Fix die_is_func_instance() to find range-only function instance.

In some case, a function instance can be made without any low PC or
entry PC, but only with address ranges by optimization.  (e.g. cold text
partially in "text.unlikely" section) To find such function instance, we
have to check the range attribute too.

Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157190835669.1859.8368628035930950596.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -288,10 +288,14 @@ bool die_is_func_def(Dwarf_Die *dw_die)
 bool die_is_func_instance(Dwarf_Die *dw_die)
 {
 	Dwarf_Addr tmp;
+	Dwarf_Attribute attr_mem;
 
 	/* Actually gcc optimizes non-inline as like as inlined */
-	return !dwarf_func_inline(dw_die) && dwarf_entrypc(dw_die, &tmp) == 0;
+	return !dwarf_func_inline(dw_die) &&
+	       (dwarf_entrypc(dw_die, &tmp) == 0 ||
+		dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL);
 }
+
 /**
  * die_get_data_member_location - Get the data-member offset
  * @mb_die: a DIE of a member of a data structure


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 064/148] perf probe: Fix to show function entry line as probe-able
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 063/148] perf probe: Fix to find range-only function instance Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 065/148] perf probe: Fix wrong address verification Ben Hutchings
                   ` (84 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Masami Hiramatsu,
	Arnaldo Carvalho de Melo, Jiri Olsa

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 91e2f539eeda26ab00bd03fae8dc434c128c85ed upstream.

Fix die_walk_lines() to list the function entry line correctly.  Since
the dwarf_entrypc() does not return the entry pc if the DIE has only
range attribute, __die_walk_funclines() fails to list the declaration
line (entry line) in that case.

To solve this issue, this introduces die_entrypc() which correctly
returns the entry PC (the first address range) even if the DIE has only
range attribute. With this fix die_walk_lines() shows the function entry
line is able to probe correctly.

Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157190837419.1859.4619125803596816752.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 24 +++++++++++++++++++++++-
 tools/perf/util/dwarf-aux.h |  3 +++
 2 files changed, 26 insertions(+), 1 deletion(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -278,6 +278,28 @@ bool die_is_func_def(Dwarf_Die *dw_die)
 }
 
 /**
+ * die_entrypc - Returns entry PC (the lowest address) of a DIE
+ * @dw_die: a DIE
+ * @addr: where to store entry PC
+ *
+ * Since dwarf_entrypc() does not return entry PC if the DIE has only address
+ * range, we have to use this to retrieve the lowest address from the address
+ * range attribute.
+ */
+int die_entrypc(Dwarf_Die *dw_die, Dwarf_Addr *addr)
+{
+	Dwarf_Addr base, end;
+
+	if (!addr)
+		return -EINVAL;
+
+	if (dwarf_entrypc(dw_die, addr) == 0)
+		return 0;
+
+	return dwarf_ranges(dw_die, 0, &base, addr, &end) < 0 ? -ENOENT : 0;
+}
+
+/**
  * die_is_func_instance - Ensure that this DIE is an instance of a subprogram
  * @dw_die: a DIE
  *
@@ -647,7 +669,7 @@ static int __die_walk_funclines(Dwarf_Di
 	/* Handle function declaration line */
 	fname = dwarf_decl_file(sp_die);
 	if (fname && dwarf_decl_line(sp_die, &lineno) == 0 &&
-	    dwarf_entrypc(sp_die, &addr) == 0) {
+	    die_entrypc(sp_die, &addr) == 0) {
 		lw.retval = callback(fname, lineno, addr, data);
 		if (lw.retval != 0)
 			goto done;
--- a/tools/perf/util/dwarf-aux.h
+++ b/tools/perf/util/dwarf-aux.h
@@ -38,6 +38,9 @@ extern int cu_find_lineinfo(Dwarf_Die *c
 extern int cu_walk_functions_at(Dwarf_Die *cu_die, Dwarf_Addr addr,
 			int (*callback)(Dwarf_Die *, void *), void *data);
 
+/* Get the lowest PC in DIE (including range list) */
+int die_entrypc(Dwarf_Die *dw_die, Dwarf_Addr *addr);
+
 /* Ensure that this DIE is a subprogram and definition (not declaration) */
 extern bool die_is_func_def(Dwarf_Die *dw_die);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 065/148] perf probe: Fix wrong address verification
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 064/148] perf probe: Fix to show function entry line as probe-able Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 066/148] perf probe: Fix to probe a function which has no entry pc Ben Hutchings
                   ` (83 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnaldo Carvalho de Melo, Namhyung Kim,
	Jiri Olsa, Arnaldo Carvalho de Melo, Masami Hiramatsu

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 07d369857808b7e8e471bbbbb0074a6718f89b31 upstream.

Since there are some DIE which has only ranges instead of the
combination of entrypc/highpc, address verification must use
dwarf_haspc() instead of dwarf_entrypc/dwarf_highpc.

Also, the ranges only DIE will have a partial code in different section
(e.g. unlikely code will be in text.unlikely as "FUNC.cold" symbol). In
that case, we can not use dwarf_entrypc() or die_entrypc(), because the
offset from original DIE can be a minus value.

Instead, this simply gets the symbol and offset from symtab.

Without this patch;

  # perf probe -D clear_tasks_mm_cpumask:1
  Failed to get entry address of clear_tasks_mm_cpumask
    Error: Failed to add events.

And with this patch:

  # perf probe -D clear_tasks_mm_cpumask:1
  p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0
  p:probe/clear_tasks_mm_cpumask_1 clear_tasks_mm_cpumask+5
  p:probe/clear_tasks_mm_cpumask_2 clear_tasks_mm_cpumask+8
  p:probe/clear_tasks_mm_cpumask_3 clear_tasks_mm_cpumask+16
  p:probe/clear_tasks_mm_cpumask_4 clear_tasks_mm_cpumask+82

Committer testing:

I managed to reproduce the above:

  [root@quaco ~]# perf probe -D clear_tasks_mm_cpumask:1
  p:probe/clear_tasks_mm_cpumask _text+919968
  p:probe/clear_tasks_mm_cpumask_1 _text+919973
  p:probe/clear_tasks_mm_cpumask_2 _text+919976
  [root@quaco ~]#

But then when trying to actually put the probe in place, it fails if I
use :0 as the offset:

  [root@quaco ~]# perf probe -L clear_tasks_mm_cpumask | head -5
  <clear_tasks_mm_cpumask@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/kernel/cpu.c:0>
        0  void clear_tasks_mm_cpumask(int cpu)
        1  {
        2  	struct task_struct *p;

  [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
  Probe point 'clear_tasks_mm_cpumask' not found.
    Error: Failed to add events.
  [root@quaco

The next patch is needed to fix this case.

Fixes: 576b523721b7 ("perf probe: Fix probing symbols with optimization suffix")
Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157199318513.8075.10463906803299647907.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -588,34 +588,26 @@ static int convert_to_trace_point(Dwarf_
 				  Dwarf_Addr paddr, bool retprobe,
 				  struct probe_trace_point *tp)
 {
-	Dwarf_Addr eaddr, highaddr;
+	Dwarf_Addr eaddr;
 	GElf_Sym sym;
 	const char *symbol;
 
 	/* Verify the address is correct */
-	if (dwarf_entrypc(sp_die, &eaddr) != 0) {
-		pr_warning("Failed to get entry address of %s\n",
-			   dwarf_diename(sp_die));
-		return -ENOENT;
-	}
-	if (dwarf_highpc(sp_die, &highaddr) != 0) {
-		pr_warning("Failed to get end address of %s\n",
-			   dwarf_diename(sp_die));
-		return -ENOENT;
-	}
-	if (paddr > highaddr) {
-		pr_warning("Offset specified is greater than size of %s\n",
+	if (!dwarf_haspc(sp_die, paddr)) {
+		pr_warning("Specified offset is out of %s\n",
 			   dwarf_diename(sp_die));
 		return -EINVAL;
 	}
 
-	/* Get an appropriate symbol from symtab */
+	/* Try to get actual symbol name from symtab */
 	symbol = dwfl_module_addrsym(mod, paddr, &sym, NULL);
 	if (!symbol) {
 		pr_warning("Failed to find symbol at 0x%lx\n",
 			   (unsigned long)paddr);
 		return -ENOENT;
 	}
+	eaddr = sym.st_value;
+
 	tp->offset = (unsigned long)(paddr - sym.st_value);
 	tp->address = (unsigned long)paddr;
 	tp->symbol = strdup(symbol);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 066/148] perf probe: Fix to probe a function which has no entry pc
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 065/148] perf probe: Fix wrong address verification Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 067/148] perf probe: Fix to probe an inline " Ben Hutchings
                   ` (82 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jiri Olsa, Masami Hiramatsu,
	Arnaldo Carvalho de Melo, Namhyung Kim, Arnaldo Carvalho de Melo

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 5d16dbcc311d91267ddb45c6da4f187be320ecee upstream.

Fix 'perf probe' to probe a function which has no entry pc or low pc but
only has ranges attribute.

probe_point_search_cb() uses dwarf_entrypc() to get the probe address,
but that doesn't work for the function DIE which has only ranges
attribute. Use die_entrypc() instead.

Without this fix:

  # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0
  Probe point 'clear_tasks_mm_cpumask' not found.
    Error: Failed to add events.

With this:

  # perf probe -k ../build-x86_64/vmlinux -D clear_tasks_mm_cpumask:0
  p:probe/clear_tasks_mm_cpumask clear_tasks_mm_cpumask+0

Committer testing:

Before:

  [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
  Probe point 'clear_tasks_mm_cpumask' not found.
    Error: Failed to add events.
  [root@quaco ~]#

After:

  [root@quaco ~]# perf probe clear_tasks_mm_cpumask:0
  Added new event:
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask)

  You can now use it in all perf tools, such as:

  	perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1

  [root@quaco ~]#

Using it with 'perf trace':

  [root@quaco ~]# perf trace -e probe:clear_tasks_mm_cpumask

Doesn't seem to be used in x86_64:

  $ find . -name "*.c" | xargs grep clear_tasks_mm_cpumask
  ./kernel/cpu.c: * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
  ./kernel/cpu.c:void clear_tasks_mm_cpumask(int cpu)
  ./arch/xtensa/kernel/smp.c:	clear_tasks_mm_cpumask(cpu);
  ./arch/csky/kernel/smp.c:	clear_tasks_mm_cpumask(cpu);
  ./arch/sh/kernel/smp.c:	clear_tasks_mm_cpumask(cpu);
  ./arch/arm/kernel/smp.c:	clear_tasks_mm_cpumask(cpu);
  ./arch/powerpc/mm/nohash/mmu_context.c:	clear_tasks_mm_cpumask(cpu);
  $ find . -name "*.h" | xargs grep clear_tasks_mm_cpumask
  ./include/linux/cpu.h:void clear_tasks_mm_cpumask(int cpu);
  $ find . -name "*.S" | xargs grep clear_tasks_mm_cpumask
  $

Fixes: e1ecbbc3fa83 ("perf probe: Fix to handle optimized not-inlined functions")
Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157199319438.8075.4695576954550638618.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/probe-finder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -908,7 +908,7 @@ static int probe_point_search_cb(Dwarf_D
 		param->retval = find_probe_point_by_line(pf);
 	} else if (die_is_func_instance(sp_die)) {
 		/* Instances always have the entry address */
-		dwarf_entrypc(sp_die, &pf->addr);
+		die_entrypc(sp_die, &pf->addr);
 		/* But in some case the entry address is 0 */
 		if (pf->addr == 0) {
 			pr_debug("%s has no entry PC. Skipped\n",


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 067/148] perf probe: Fix to probe an inline function which has no entry pc
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 066/148] perf probe: Fix to probe a function which has no entry pc Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 068/148] perf probe: Fix to list probe event with correct line number Ben Hutchings
                   ` (81 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Arnaldo Carvalho de Melo,
	Masami Hiramatsu, Jiri Olsa

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit eb6933b29d20bf2c3053883d409a53f462c1a3ac upstream.

Fix perf probe to probe an inlne function which has no entry pc
or low pc but only has ranges attribute.

This seems very rare case, but I could find a few examples, as
same as probe_point_search_cb(), use die_entrypc() to get the
entry address in probe_point_inline_cb() too.

Without this patch:

  # perf probe -D __amd_put_nb_event_constraints
  Failed to get entry address of __amd_put_nb_event_constraints.
  Probe point '__amd_put_nb_event_constraints' not found.
    Error: Failed to add events.

With this patch:

  # perf probe -D __amd_put_nb_event_constraints
  p:probe/__amd_put_nb_event_constraints amd_put_event_constraints+43

Committer testing:

Before:

  [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints
  Failed to get entry address of __amd_put_nb_event_constraints.
  Probe point '__amd_put_nb_event_constraints' not found.
    Error: Failed to add events.
  [root@quaco ~]#

After:

  [root@quaco ~]# perf probe -D __amd_put_nb_event_constraints
  p:probe/__amd_put_nb_event_constraints _text+33789
  [root@quaco ~]#

Fixes: 4ea42b181434 ("perf: Add perf probe subcommand, a kprobe-event setup helper")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157199320336.8075.16189530425277588587.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/probe-finder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -858,7 +858,7 @@ static int probe_point_inline_cb(Dwarf_D
 		ret = find_probe_point_lazy(in_die, pf);
 	else {
 		/* Get probe address */
-		if (dwarf_entrypc(in_die, &addr) != 0) {
+		if (die_entrypc(in_die, &addr) != 0) {
 			pr_warning("Failed to get entry address of %s.\n",
 				   dwarf_diename(in_die));
 			return -ENOENT;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 068/148] perf probe: Fix to list probe event with correct line number
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 067/148] perf probe: Fix to probe an inline " Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 069/148] perf probe: Fix to show inlined function callsite without entry_pc Ben Hutchings
                   ` (80 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Masami Hiramatsu,
	Arnaldo Carvalho de Melo, Jiri Olsa

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 3895534dd78f0fd4d3f9e05ee52b9cdd444a743e upstream.

Since debuginfo__find_probe_point() uses dwarf_entrypc() for finding the
entry address of the function on which a probe is, it will fail when the
function DIE has only ranges attribute.

To fix this issue, use die_entrypc() instead of dwarf_entrypc().

Without this fix, perf probe -l shows incorrect offset:

  # perf probe -l
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579263632@work/linux/linux/kernel/cpu.c)
    probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask+18446744071579263752@work/linux/linux/kernel/cpu.c)

With this:

  # perf probe -l
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@work/linux/linux/kernel/cpu.c)
    probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:21@work/linux/linux/kernel/cpu.c)

Committer testing:

Before:

  [root@quaco ~]# perf probe -l
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask+18446744071579765152@kernel/cpu.c)
  [root@quaco ~]#

After:

  [root@quaco ~]# perf probe -l
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
  [root@quaco ~]#

Fixes: 1d46ea2a6a40 ("perf probe: Fix listing incorrect line number with inline function")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157199321227.8075.14655572419136993015.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/probe-finder.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -1345,7 +1345,7 @@ int debuginfo__find_probe_point(struct d
 		/* Get function entry information */
 		func = basefunc = dwarf_diename(&spdie);
 		if (!func ||
-		    dwarf_entrypc(&spdie, &baseaddr) != 0 ||
+		    die_entrypc(&spdie, &baseaddr) != 0 ||
 		    dwarf_decl_line(&spdie, &baseline) != 0) {
 			lineno = 0;
 			goto post;
@@ -1362,7 +1362,7 @@ int debuginfo__find_probe_point(struct d
 		while (die_find_top_inlinefunc(&spdie, (Dwarf_Addr)addr,
 						&indie)) {
 			/* There is an inline function */
-			if (dwarf_entrypc(&indie, &_addr) == 0 &&
+			if (die_entrypc(&indie, &_addr) == 0 &&
 			    _addr == addr) {
 				/*
 				 * addr is at an inline function entry.


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 069/148] perf probe: Fix to show inlined function callsite without entry_pc
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 068/148] perf probe: Fix to list probe event with correct line number Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 070/148] usb: gadget: pch_udc: fix use after free Ben Hutchings
                   ` (79 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Arnaldo Carvalho de Melo,
	Masami Hiramatsu, Jiri Olsa

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 18e21eb671dc87a4f0546ba505a89ea93598a634 upstream.

Fix 'perf probe --line' option to show inlined function callsite lines
even if the function DIE has only ranges.

Without this:

  # perf probe -L amd_put_event_constraints
  ...
      2  {
      3         if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
                        __amd_put_nb_event_constraints(cpuc, event);
      5  }

With this patch:

  # perf probe -L amd_put_event_constraints
  ...
      2  {
      3         if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
      4                 __amd_put_nb_event_constraints(cpuc, event);
      5  }

Committer testing:

Before:

  [root@quaco ~]# perf probe -L amd_put_event_constraints
  <amd_put_event_constraints@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/arch/x86/events/amd/core.c:0>
        0  static void amd_put_event_constraints(struct cpu_hw_events *cpuc,
                                                struct perf_event *event)
        2  {
        3         if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
                          __amd_put_nb_event_constraints(cpuc, event);
        5  }

           PMU_FORMAT_ATTR(event, "config:0-7,32-35");
           PMU_FORMAT_ATTR(umask, "config:8-15"   );

  [root@quaco ~]#

After:

  [root@quaco ~]# perf probe -L amd_put_event_constraints
  <amd_put_event_constraints@/usr/src/debug/kernel-5.2.fc30/linux-5.2.18-200.fc30.x86_64/arch/x86/events/amd/core.c:0>
        0  static void amd_put_event_constraints(struct cpu_hw_events *cpuc,
                                                struct perf_event *event)
        2  {
        3         if (amd_has_nb(cpuc) && amd_is_nb_event(&event->hw))
        4                 __amd_put_nb_event_constraints(cpuc, event);
        5  }

           PMU_FORMAT_ATTR(event, "config:0-7,32-35");
           PMU_FORMAT_ATTR(umask, "config:8-15"   );

  [root@quaco ~]# perf probe amd_put_event_constraints:4
  Added new event:
    probe:amd_put_event_constraints (on amd_put_event_constraints:4)

  You can now use it in all perf tools, such as:

  	perf record -e probe:amd_put_event_constraints -aR sleep 1

  [root@quaco ~]#

  [root@quaco ~]# perf probe -l
    probe:amd_put_event_constraints (on amd_put_event_constraints:4@arch/x86/events/amd/core.c)
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
  [root@quaco ~]#

Using it:

  [root@quaco ~]# perf trace -e probe:*
  ^C[root@quaco ~]#

Ok, Intel system here... :-)

Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157199322107.8075.12659099000567865708.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -628,7 +628,7 @@ static int __die_walk_funclines_cb(Dwarf
 	if (dwarf_tag(in_die) == DW_TAG_inlined_subroutine) {
 		fname = die_get_call_file(in_die);
 		lineno = die_get_call_lineno(in_die);
-		if (fname && lineno > 0 && dwarf_entrypc(in_die, &addr) == 0) {
+		if (fname && lineno > 0 && die_entrypc(in_die, &addr) == 0) {
 			lw->retval = lw->callback(fname, lineno, addr, lw->data);
 			if (lw->retval != 0)
 				return DIE_FIND_CB_END;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 070/148] usb: gadget: pch_udc: fix use after free
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 069/148] perf probe: Fix to show inlined function callsite without entry_pc Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 071/148] usb: Allow USB device to be warm reset in suspended state Ben Hutchings
                   ` (78 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Gustavo A. R. Silva, Greg Kroah-Hartman,
	Michal Nazarewicz

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

commit 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 upstream.

Remove pointer dereference after free.

pci_pool_free doesn't care about contents of td.
It's just a void* for it

Addresses-Coverity-ID: 1091173 ("Use after free")
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Link: https://lore.kernel.org/r/20191106202821.GA20347@embeddedor
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/pch_udc.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/usb/gadget/pch_udc.c
+++ b/drivers/usb/gadget/pch_udc.c
@@ -1533,7 +1533,6 @@ static void pch_udc_free_dma_chain(struc
 		td = phys_to_virt(addr);
 		addr2 = (dma_addr_t)td->next;
 		pci_pool_free(dev->data_requests, td, addr);
-		td->next = 0x00;
 		addr = addr2;
 	}
 	req->chain_len = 1;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 071/148] usb: Allow USB device to be warm reset in suspended state
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 070/148] usb: gadget: pch_udc: fix use after free Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 072/148] appledisplay: fix error handling in the scheduled work Ben Hutchings
                   ` (77 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Kai-Heng Feng, Alan Stern

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit e76b3bf7654c3c94554c24ba15a3d105f4006c80 upstream.

On Dell WD15 dock, sometimes USB ethernet cannot be detected after plugging
cable to the ethernet port, the hub and roothub get runtime resumed and
runtime suspended immediately:
...
[  433.315169] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0
[  433.315204] usb usb4: usb auto-resume
[  433.315226] hub 4-0:1.0: hub_resume
[  433.315239] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10202e2, return 0x10343
[  433.315264] usb usb4-port1: status 0343 change 0001
[  433.315279] xhci_hcd 0000:3a:00.0: clear port1 connect change, portsc: 0x10002e2
[  433.315293] xhci_hcd 0000:3a:00.0: Get port status 4-2 read: 0x2a0, return 0x2a0
[  433.317012] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.422282] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343
[  433.422307] usb usb4-port1: do warm reset
[  433.422311] usb 4-1: device reset not allowed in state 8
[  433.422339] hub 4-0:1.0: state 7 ports 2 chg 0002 evt 0000
[  433.422346] xhci_hcd 0000:3a:00.0: Get port status 4-1 read: 0x10002e2, return 0x343
[  433.422356] usb usb4-port1: do warm reset
[  433.422358] usb 4-1: device reset not allowed in state 8
[  433.422428] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 0 status  = 0xf0002e2
[  433.422455] xhci_hcd 0000:3a:00.0: set port remote wake mask, actual port 1 status  = 0xe0002a0
[  433.422465] hub 4-0:1.0: hub_suspend
[  433.422475] usb usb4: bus auto-suspend, wakeup 1
[  433.426161] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.466209] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.510204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.554051] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.598235] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.642154] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.686204] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.730205] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.774203] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.818207] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.862040] xhci_hcd 0000:3a:00.0: port 0 polling in bus suspend, waiting
[  433.862053] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.862077] xhci_hcd 0000:3a:00.0: xhci_suspend: stopping port polling.
[  433.862096] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001
[  433.862312] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_suspend: 0
[  433.862445] xhci_hcd 0000:3a:00.0: PME# enabled
[  433.902376] xhci_hcd 0000:3a:00.0: restoring config space at offset 0xc (was 0x0, writing 0x20)
[  433.902395] xhci_hcd 0000:3a:00.0: restoring config space at offset 0x4 (was 0x100000, writing 0x100403)
[  433.902490] xhci_hcd 0000:3a:00.0: PME# disabled
[  433.902504] xhci_hcd 0000:3a:00.0: enabling bus mastering
[  433.902547] xhci_hcd 0000:3a:00.0: // Setting command ring address to 0x8578fc001
[  433.902649] pcieport 0000:00:1b.0: PME: Spurious native interrupt!
[  433.902839] xhci_hcd 0000:3a:00.0: Port change event, 4-1, id 3, portsc: 0xb0202e2
[  433.902842] xhci_hcd 0000:3a:00.0: resume root hub
[  433.902845] xhci_hcd 0000:3a:00.0: handle_port_status: starting port polling.
[  433.902877] xhci_hcd 0000:3a:00.0: xhci_resume: starting port polling.
[  433.902889] xhci_hcd 0000:3a:00.0: xhci_hub_status_data: stopping port polling.
[  433.902891] xhci_hcd 0000:3a:00.0: hcd_pci_runtime_resume: 0
[  433.902919] usb usb4: usb wakeup-resume
[  433.902942] usb usb4: usb auto-resume
[  433.902966] hub 4-0:1.0: hub_resume
...

As Mathias pointed out, the hub enters Cold Attach Status state and
requires a warm reset. However usb_reset_device() bails out early when
the device is in suspended state, as its callers port_event() and
hub_event() don't always resume the device.

Since there's nothing wrong to reset a suspended device, allow
usb_reset_device() to do so to solve the issue.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20191106062710.29880-1-kai.heng.feng@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/hub.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5535,7 +5535,7 @@ re_enumerate_no_bos:
 
 /**
  * usb_reset_device - warn interface drivers and perform a USB port reset
- * @udev: device to reset (not in SUSPENDED or NOTATTACHED state)
+ * @udev: device to reset (not in NOTATTACHED state)
  *
  * Warns all drivers bound to registered interfaces (using their pre_reset
  * method), performs the port reset, and then lets the drivers know that
@@ -5563,8 +5563,7 @@ int usb_reset_device(struct usb_device *
 	struct usb_host_config *config = udev->actconfig;
 	struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
 
-	if (udev->state == USB_STATE_NOTATTACHED ||
-			udev->state == USB_STATE_SUSPENDED) {
+	if (udev->state == USB_STATE_NOTATTACHED) {
 		dev_dbg(&udev->dev, "device reset not allowed in state %d\n",
 				udev->state);
 		return -EINVAL;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 072/148] appledisplay: fix error handling in the scheduled work
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 071/148] usb: Allow USB device to be warm reset in suspended state Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 073/148] perf probe: Skip end-of-sequence and non statement lines Ben Hutchings
                   ` (76 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Oliver Neukum

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.

The work item can operate on

1. stale memory left over from the last transfer
the actual length of the data transfered needs to be checked
2. memory already freed
the error handling in appledisplay_probe() needs
to cancel the work in that case

Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/misc/appledisplay.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/misc/appledisplay.c
+++ b/drivers/usb/misc/appledisplay.c
@@ -180,7 +180,12 @@ static int appledisplay_bl_get_brightnes
 		0,
 		pdata->msgdata, 2,
 		ACD_USB_TIMEOUT);
-	brightness = pdata->msgdata[1];
+	if (retval < 2) {
+		if (retval >= 0)
+			retval = -EMSGSIZE;
+	} else {
+		brightness = pdata->msgdata[1];
+	}
 	mutex_unlock(&pdata->sysfslock);
 
 	if (retval < 0)
@@ -326,6 +331,7 @@ error:
 	if (pdata) {
 		if (pdata->urb) {
 			usb_kill_urb(pdata->urb);
+			cancel_delayed_work_sync(&pdata->work);
 			if (pdata->urbdata)
 				usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
 					pdata->urbdata, pdata->urb->transfer_dma);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 073/148] perf probe: Skip end-of-sequence and non statement lines
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 072/148] appledisplay: fix error handling in the scheduled work Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 074/148] perf probe: Filter out instances except for inlined subroutine and subprogram Ben Hutchings
                   ` (75 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Arnaldo Carvalho de Melo,
	Masami Hiramatsu, Jiri Olsa

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit f4d99bdfd124823a81878b44b5e8750b97f73902 upstream.

Skip end-of-sequence and non-statement lines while walking through lines
list.

The "end-of-sequence" line information means:

 "the current address is that of the first byte after the
  end of a sequence of target machine instructions."
 (DWARF version 4 spec 6.2.2)

This actually means out of scope and we can not probe on it.

On the other hand, the statement lines (is_stmt) means:

 "the current instruction is a recommended breakpoint location.
  A recommended breakpoint location is intended to “represent”
  a line, a statement and/or a semantically distinct subpart
  of a statement."

 (DWARF version 4 spec 6.2.2)

So, non-statement line info also should be skipped.

These can reduce unneeded probe points and also avoid an error.

E.g. without this patch:

  # perf probe -a "clear_tasks_mm_cpumask:1"
  Added new events:
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
    probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1)
    probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1)
    probe:clear_tasks_mm_cpumask_3 (on clear_tasks_mm_cpumask:1)
    probe:clear_tasks_mm_cpumask_4 (on clear_tasks_mm_cpumask:1)

  You can now use it in all perf tools, such as:

  	perf record -e probe:clear_tasks_mm_cpumask_4 -aR sleep 1

  #

This puts 5 probes on one line, but acutally it's not inlined function.
This is because there are many non statement instructions at the
function prologue.

With this patch:

  # perf probe -a "clear_tasks_mm_cpumask:1"
  Added new event:
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)

  You can now use it in all perf tools, such as:

  	perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1

  #

Now perf-probe skips unneeded addresses.

Committer testing:

Slightly different results, but similar:

Before:

  # uname -a
  Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  #
  # perf probe -a "clear_tasks_mm_cpumask:1"
  Added new events:
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)
    probe:clear_tasks_mm_cpumask_1 (on clear_tasks_mm_cpumask:1)
    probe:clear_tasks_mm_cpumask_2 (on clear_tasks_mm_cpumask:1)

  You can now use it in all perf tools, such as:

  	perf record -e probe:clear_tasks_mm_cpumask_2 -aR sleep 1

  #

After:

  # perf probe -a "clear_tasks_mm_cpumask:1"
  Added new event:
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask:1)

  You can now use it in all perf tools, such as:

  	perf record -e probe:clear_tasks_mm_cpumask -aR sleep 1

  # perf probe -l
    probe:clear_tasks_mm_cpumask (on clear_tasks_mm_cpumask@kernel/cpu.c)
  #

Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157241936090.32002.12156347518596111660.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -712,6 +712,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 	int decl = 0, inl;
 	Dwarf_Die die_mem, *cu_die;
 	size_t nlines, i;
+	bool flag;
 
 	/* Get the CU die */
 	if (dwarf_tag(rt_die) != DW_TAG_compile_unit) {
@@ -742,6 +743,12 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 				  "Possible error in debuginfo.\n");
 			continue;
 		}
+		/* Skip end-of-sequence */
+		if (dwarf_lineendsequence(line, &flag) != 0 || flag)
+			continue;
+		/* Skip Non statement line-info */
+		if (dwarf_linebeginstatement(line, &flag) != 0 || !flag)
+			continue;
 		/* Filter lines based on address */
 		if (rt_die != cu_die) {
 			/*


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 074/148] perf probe: Filter out instances except for inlined subroutine and subprogram
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 073/148] perf probe: Skip end-of-sequence and non statement lines Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 075/148] perf probe: Fix to show calling lines of inlined functions Ben Hutchings
                   ` (74 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Namhyung Kim, Jiri Olsa, Masami Hiramatsu,
	Arnaldo Carvalho de Melo

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit da6cb952a89efe24bb76c4971370d485737a2d85 upstream.

Filter out instances except for inlined_subroutine and subprogram DIE in
die_walk_instances() and die_is_func_instance().

This fixes an issue that perf probe sets some probes on calling address
instead of a target function itself.

When perf probe walks on instances of an abstruct origin (a kind of
function prototype of inlined function), die_walk_instances() can also
pass a GNU_call_site (a GNU extension for call site) to callback. Since
it is not an inlined instance of target function, we have to filter out
when searching a probe point.

Without this patch, perf probe sets probes on call site address too.This
can happen on some function which is marked "inlined", but has actual
symbol. (I'm not sure why GCC mark it "inlined"):

  # perf probe -D vfs_read
  p:probe/vfs_read _text+2500017
  p:probe/vfs_read_1 _text+2499468
  p:probe/vfs_read_2 _text+2499563
  p:probe/vfs_read_3 _text+2498876
  p:probe/vfs_read_4 _text+2498512
  p:probe/vfs_read_5 _text+2498627

With this patch:

Slightly different results, similar tho:

  # perf probe -D vfs_read
  p:probe/vfs_read _text+2498512

Committer testing:

  # uname -a
  Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Before:

  # perf probe -D vfs_read
  p:probe/vfs_read _text+3131557
  p:probe/vfs_read_1 _text+3130975
  p:probe/vfs_read_2 _text+3131047
  p:probe/vfs_read_3 _text+3130380
  p:probe/vfs_read_4 _text+3130000
  # uname -a
  Linux quaco 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  #

After:

  # perf probe -D vfs_read
  p:probe/vfs_read _text+3130000
  #

Fixes: db0d2c6420ee ("perf probe: Search concrete out-of-line instances")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157241937063.32002.11024544873990816590.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -304,18 +304,22 @@ int die_entrypc(Dwarf_Die *dw_die, Dwarf
  * @dw_die: a DIE
  *
  * Ensure that this DIE is an instance (which has an entry address).
- * This returns true if @dw_die is a function instance. If not, you need to
- * call die_walk_instances() to find actual instances.
+ * This returns true if @dw_die is a function instance. If not, the @dw_die
+ * must be a prototype. You can use die_walk_instances() to find actual
+ * instances.
  **/
 bool die_is_func_instance(Dwarf_Die *dw_die)
 {
 	Dwarf_Addr tmp;
 	Dwarf_Attribute attr_mem;
+	int tag = dwarf_tag(dw_die);
 
-	/* Actually gcc optimizes non-inline as like as inlined */
-	return !dwarf_func_inline(dw_die) &&
-	       (dwarf_entrypc(dw_die, &tmp) == 0 ||
-		dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL);
+	if (tag != DW_TAG_subprogram &&
+	    tag != DW_TAG_inlined_subroutine)
+		return false;
+
+	return dwarf_entrypc(dw_die, &tmp) == 0 ||
+		dwarf_attr(dw_die, DW_AT_ranges, &attr_mem) != NULL;
 }
 
 /**
@@ -557,6 +561,9 @@ static int __die_walk_instances_cb(Dwarf
 	Dwarf_Die *origin;
 	int tmp;
 
+	if (!die_is_func_instance(inst))
+		return DIE_FIND_CB_CONTINUE;
+
 	attr = dwarf_attr(inst, DW_AT_abstract_origin, &attr_mem);
 	if (attr == NULL)
 		return DIE_FIND_CB_CONTINUE;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 075/148] perf probe: Fix to show calling lines of inlined functions
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 074/148] perf probe: Filter out instances except for inlined subroutine and subprogram Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 076/148] perf probe: Skip overlapped location on searching variables Ben Hutchings
                   ` (73 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jiri Olsa, Masami Hiramatsu,
	Arnaldo Carvalho de Melo, Namhyung Kim

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 86c0bf8539e7f46d91bd105e55eda96e0064caef upstream.

Fix to show calling lines of inlined functions (where an inline function
is called).

die_walk_lines() filtered out the lines inside inlined functions based
on the address. However this also filtered out the lines which call
those inlined functions from the target function.

To solve this issue, check the call_file and call_line attributes and do
not filter out if it matches to the line information.

Without this fix, perf probe -L doesn't show some lines correctly.
(don't see the lines after 17)

  # perf probe -L vfs_read
  <vfs_read@/home/mhiramat/ksrc/linux/fs/read_write.c:0>
        0  ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
        1  {
        2         ssize_t ret;

        4         if (!(file->f_mode & FMODE_READ))
                          return -EBADF;
        6         if (!(file->f_mode & FMODE_CAN_READ))
                          return -EINVAL;
        8         if (unlikely(!access_ok(buf, count)))
                          return -EFAULT;

       11         ret = rw_verify_area(READ, file, pos, count);
       12         if (!ret) {
       13                 if (count > MAX_RW_COUNT)
                                  count =  MAX_RW_COUNT;
       15                 ret = __vfs_read(file, buf, count, pos);
       16                 if (ret > 0) {
                                  fsnotify_access(file);
                                  add_rchar(current, ret);
                          }

With this fix:

  # perf probe -L vfs_read
  <vfs_read@/home/mhiramat/ksrc/linux/fs/read_write.c:0>
        0  ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
        1  {
        2         ssize_t ret;

        4         if (!(file->f_mode & FMODE_READ))
                          return -EBADF;
        6         if (!(file->f_mode & FMODE_CAN_READ))
                          return -EINVAL;
        8         if (unlikely(!access_ok(buf, count)))
                          return -EFAULT;

       11         ret = rw_verify_area(READ, file, pos, count);
       12         if (!ret) {
       13                 if (count > MAX_RW_COUNT)
                                  count =  MAX_RW_COUNT;
       15                 ret = __vfs_read(file, buf, count, pos);
       16                 if (ret > 0) {
       17                         fsnotify_access(file);
       18                         add_rchar(current, ret);
                          }
       20                 inc_syscr(current);
                  }

Fixes: 4cc9cec636e7 ("perf probe: Introduce lines walker interface")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157241937995.32002.17899884017011512577.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/dwarf-aux.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -714,7 +714,7 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 	Dwarf_Lines *lines;
 	Dwarf_Line *line;
 	Dwarf_Addr addr;
-	const char *fname, *decf = NULL;
+	const char *fname, *decf = NULL, *inf = NULL;
 	int lineno, ret = 0;
 	int decl = 0, inl;
 	Dwarf_Die die_mem, *cu_die;
@@ -765,13 +765,21 @@ int die_walk_lines(Dwarf_Die *rt_die, li
 			 */
 			if (!dwarf_haspc(rt_die, addr))
 				continue;
+
 			if (die_find_inlinefunc(rt_die, addr, &die_mem)) {
+				/* Call-site check */
+				inf = die_get_call_file(&die_mem);
+				if ((inf && !strcmp(inf, decf)) &&
+				    die_get_call_lineno(&die_mem) == lineno)
+					goto found;
+
 				dwarf_decl_line(&die_mem, &inl);
 				if (inl != decl ||
 				    decf != dwarf_decl_file(&die_mem))
 					continue;
 			}
 		}
+found:
 		/* Get source line */
 		fname = dwarf_linesrc(line, NULL, NULL);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 076/148] perf probe: Skip overlapped location on searching variables
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (74 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 075/148] perf probe: Fix to show calling lines of inlined functions Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 077/148] powerpc: Allow flush_icache_range to work across ranges >4GB Ben Hutchings
                   ` (72 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnaldo Carvalho de Melo, Masami Hiramatsu,
	Jiri Olsa, Namhyung Kim

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit dee36a2abb67c175265d49b9a8c7dfa564463d9a upstream.

Since debuginfo__find_probes() callback function can be called with  the
location which already passed, the callback function must filter out
such overlapped locations.

add_probe_trace_event() has already done it by commit 1a375ae7659a
("perf probe: Skip same probe address for a given line"), but
add_available_vars() doesn't. Thus perf probe -v shows same address
repeatedly as below:

  # perf probe -V vfs_read:18
  Available variables at vfs_read:18
          @<vfs_read+217>
                  char*   buf
                  loff_t* pos
                  ssize_t ret
                  struct file*    file
          @<vfs_read+217>
                  char*   buf
                  loff_t* pos
                  ssize_t ret
                  struct file*    file
          @<vfs_read+226>
                  char*   buf
                  loff_t* pos
                  ssize_t ret
                  struct file*    file

With this fix, perf probe -V shows it correctly:

  # perf probe -V vfs_read:18
  Available variables at vfs_read:18
          @<vfs_read+217>
                  char*   buf
                  loff_t* pos
                  ssize_t ret
                  struct file*    file
          @<vfs_read+226>
                  char*   buf
                  loff_t* pos
                  ssize_t ret
                  struct file*    file

Fixes: cf6eb489e5c0 ("perf probe: Show accessible local variables")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/157241938927.32002.4026859017790562751.stgit@devnote2
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/probe-finder.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/tools/perf/util/probe-finder.c
+++ b/tools/perf/util/probe-finder.c
@@ -1230,6 +1230,18 @@ static int collect_variables_cb(Dwarf_Di
 		return DIE_FIND_CB_SIBLING;
 }
 
+static bool available_var_finder_overlap(struct available_var_finder *af)
+{
+	int i;
+
+	for (i = 0; i < af->nvls; i++) {
+		if (af->pf.addr == af->vls[i].point.address)
+			return true;
+	}
+	return false;
+
+}
+
 /* Add a found vars into available variables list */
 static int add_available_vars(Dwarf_Die *sc_die, struct probe_finder *pf)
 {
@@ -1239,6 +1251,14 @@ static int add_available_vars(Dwarf_Die
 	Dwarf_Die die_mem;
 	int ret;
 
+	/*
+	 * For some reason (e.g. different column assigned to same address),
+	 * this callback can be called with the address which already passed.
+	 * Ignore it first.
+	 */
+	if (available_var_finder_overlap(af))
+		return 0;
+
 	/* Check number of tevs */
 	if (af->nvls == af->max_vls) {
 		pr_warning("Too many( > %d) probe point found.\n", af->max_vls);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 077/148] powerpc: Allow flush_icache_range to work across ranges >4GB
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (75 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 076/148] perf probe: Skip overlapped location on searching variables Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 078/148] powerpc: Allow 64bit VDSO __kernel_sync_dicache " Ben Hutchings
                   ` (71 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alastair D'Silva, Michael Ellerman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alastair D'Silva <alastair@d-silva.org>

commit 29430fae82073d39b1b881a3cd507416a56a363f upstream.

When calling flush_icache_range with a size >4GB, we were masking
off the upper 32 bits, so we would incorrectly flush a range smaller
than intended.

This patch replaces the 32 bit shifts with 64 bit ones, so that
the full size is accounted for.

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191104023305.9581-2-alastair@au1.ibm.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/misc_64.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/misc_64.S
+++ b/arch/powerpc/kernel/misc_64.S
@@ -84,7 +84,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_I
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5		/* ensure we get enough */
 	lwz	r9,DCACHEL1LOGLINESIZE(r10)	/* Get log-2 of cache line size */
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	beqlr				/* nothing to do? */
 	mtctr	r8
 1:	dcbst	0,r6
@@ -100,7 +100,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_I
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5
 	lwz	r9,ICACHEL1LOGLINESIZE(r10)	/* Get log-2 of Icache line size */
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	beqlr				/* nothing to do? */
 	mtctr	r8
 2:	icbi	0,r6


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 078/148] powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 077/148] powerpc: Allow flush_icache_range to work across ranges >4GB Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 079/148] ARM: ux500: remove unused regulator data Ben Hutchings
                   ` (70 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Alastair D'Silva, Michael Ellerman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alastair D'Silva <alastair@d-silva.org>

commit f9ec11165301982585e5e5f606739b5bae5331f3 upstream.

When calling __kernel_sync_dicache with a size >4GB, we were masking
off the upper 32 bits, so we would incorrectly flush a range smaller
than intended.

This patch replaces the 32 bit shifts with 64 bit ones, so that
the full size is accounted for.

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191104023305.9581-3-alastair@au1.ibm.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/vdso64/cacheflush.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/vdso64/cacheflush.S
+++ b/arch/powerpc/kernel/vdso64/cacheflush.S
@@ -39,7 +39,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5		/* ensure we get enough */
 	lwz	r9,CFG_DCACHE_LOGBLOCKSZ(r10)
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	crclr	cr0*4+so
 	beqlr				/* nothing to do? */
 	mtctr	r8
@@ -56,7 +56,7 @@ V_FUNCTION_BEGIN(__kernel_sync_dicache)
 	subf	r8,r6,r4		/* compute length */
 	add	r8,r8,r5
 	lwz	r9,CFG_ICACHE_LOGBLOCKSZ(r10)
-	srw.	r8,r8,r9		/* compute line count */
+	srd.	r8,r8,r9		/* compute line count */
 	crclr	cr0*4+so
 	beqlr				/* nothing to do? */
 	mtctr	r8


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 079/148] ARM: ux500: remove unused regulator data
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 078/148] powerpc: Allow 64bit VDSO __kernel_sync_dicache " Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 080/148] regulator: ab8500: Remove AB8505 USB regulator Ben Hutchings
                   ` (69 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mark Brown, Linus Walleij, Arnd Bergmann

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 37dc78d9b17c971479f742d6d08f38d8f2beb688 upstream.

Most of the board-mop500-regulators.c file is never referenced and
can simply be removed.

Cc: Mark Brown <broonie@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
[bwh: Backported to 3.16 as dependency of commit 99c4f70df3a6
 "regulator: ab8500: Remove AB8505 USB regulator"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-ux500/board-mop500-regulators.c | 600 ------------------
 arch/arm/mach-ux500/board-mop500-regulators.h |   8 -
 2 files changed, 608 deletions(-)

--- a/arch/arm/mach-ux500/board-mop500-regulators.c
+++ b/arch/arm/mach-ux500/board-mop500-regulators.c
@@ -13,46 +13,6 @@
 #include <linux/regulator/machine.h>
 #include <linux/regulator/ab8500.h>
 #include "board-mop500-regulators.h"
-#include "id.h"
-
-static struct regulator_consumer_supply gpio_en_3v3_consumers[] = {
-       REGULATOR_SUPPLY("vdd33a", "smsc911x.0"),
-};
-
-struct regulator_init_data gpio_en_3v3_regulator = {
-       .constraints = {
-               .name = "EN-3V3",
-               .min_uV = 3300000,
-               .max_uV = 3300000,
-               .valid_ops_mask = REGULATOR_CHANGE_STATUS,
-       },
-       .num_consumer_supplies = ARRAY_SIZE(gpio_en_3v3_consumers),
-       .consumer_supplies = gpio_en_3v3_consumers,
-};
-
-/*
- * TPS61052 regulator
- */
-static struct regulator_consumer_supply tps61052_vaudio_consumers[] = {
-	/*
-	 * Boost converter supply to raise voltage on audio speaker, this
-	 * is actually connected to three pins, VInVhfL (left amplifier)
-	 * VInVhfR (right amplifier) and VIntDClassInt - all three must
-	 * be connected to the same voltage.
-	 */
-	REGULATOR_SUPPLY("vintdclassint", "ab8500-codec.0"),
-};
-
-struct regulator_init_data tps61052_regulator = {
-	.constraints = {
-		.name = "vaudio-hf",
-		.min_uV = 4500000,
-		.max_uV = 4500000,
-		.valid_ops_mask = REGULATOR_CHANGE_STATUS,
-	},
-	.num_consumer_supplies = ARRAY_SIZE(tps61052_vaudio_consumers),
-	.consumer_supplies = tps61052_vaudio_consumers,
-};
 
 static struct regulator_consumer_supply ab8500_vaux1_consumers[] = {
 	/* Main display, u8500 R3 uib */
@@ -107,27 +67,6 @@ static struct regulator_consumer_supply
 	REGULATOR_SUPPLY("vmmc", "sdi0"),
 };
 
-static struct regulator_consumer_supply ab8505_vaux4_consumers[] = {
-};
-
-static struct regulator_consumer_supply ab8505_vaux5_consumers[] = {
-};
-
-static struct regulator_consumer_supply ab8505_vaux6_consumers[] = {
-};
-
-static struct regulator_consumer_supply ab8505_vaux8_consumers[] = {
-	/* AB8500 audio codec device */
-	REGULATOR_SUPPLY("v-aux8", NULL),
-};
-
-static struct regulator_consumer_supply ab8505_vadc_consumers[] = {
-	/* Internal general-purpose ADC */
-	REGULATOR_SUPPLY("vddadc", "ab8500-gpadc.0"),
-	/* ADC for charger */
-	REGULATOR_SUPPLY("vddadc", "ab8500-charger.0"),
-};
-
 static struct regulator_consumer_supply ab8500_vtvout_consumers[] = {
 	/* TV-out DENC supply */
 	REGULATOR_SUPPLY("vtvout", "ab8500-denc.0"),
@@ -168,11 +107,6 @@ static struct regulator_consumer_supply
 	REGULATOR_SUPPLY("v-intcore", "abx500-clk.0"),
 };
 
-static struct regulator_consumer_supply ab8505_usb_consumers[] = {
-	/* HS USB OTG physical interface */
-	REGULATOR_SUPPLY("v-ape", NULL),
-};
-
 static struct regulator_consumer_supply ab8500_vana_consumers[] = {
 	/* DB8500 DSI */
 	REGULATOR_SUPPLY("vdddsi1v2", "mcde"),
@@ -483,11 +417,6 @@ static struct regulator_consumer_supply
 	REGULATOR_SUPPLY("vinvsim", "sim-detect.0"),
 };
 
-/* extended configuration for VextSupply2, only used for HREFP_V20 boards */
-static struct ab8500_ext_regulator_cfg ab8500_ext_supply2 = {
-	.hwreq = true,
-};
-
 /*
  * AB8500 external regulators
  */
@@ -526,456 +455,6 @@ static struct regulator_init_data ab8500
 	},
 };
 
-/* ab8505 regulator register initialization */
-static struct ab8500_regulator_reg_init ab8505_reg_init[] = {
-	/*
-	 * VarmRequestCtrl
-	 * VsmpsCRequestCtrl
-	 * VsmpsARequestCtrl
-	 * VsmpsBRequestCtrl
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUREQUESTCTRL1,       0x00, 0x00),
-	/*
-	 * VsafeRequestCtrl
-	 * VpllRequestCtrl
-	 * VanaRequestCtrl          = HP/LP depending on VxRequest
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUREQUESTCTRL2,       0x30, 0x00),
-	/*
-	 * Vaux1RequestCtrl         = HP/LP depending on VxRequest
-	 * Vaux2RequestCtrl         = HP/LP depending on VxRequest
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUREQUESTCTRL3,       0xf0, 0x00),
-	/*
-	 * Vaux3RequestCtrl         = HP/LP depending on VxRequest
-	 * SwHPReq                  = Control through SWValid disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUREQUESTCTRL4,       0x07, 0x00),
-	/*
-	 * VsmpsASysClkReq1HPValid
-	 * VsmpsBSysClkReq1HPValid
-	 * VsafeSysClkReq1HPValid
-	 * VanaSysClkReq1HPValid    = disabled
-	 * VpllSysClkReq1HPValid
-	 * Vaux1SysClkReq1HPValid   = disabled
-	 * Vaux2SysClkReq1HPValid   = disabled
-	 * Vaux3SysClkReq1HPValid   = disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUSYSCLKREQ1HPVALID1, 0xe8, 0x00),
-	/*
-	 * VsmpsCSysClkReq1HPValid
-	 * VarmSysClkReq1HPValid
-	 * VbbSysClkReq1HPValid
-	 * VsmpsMSysClkReq1HPValid
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUSYSCLKREQ1HPVALID2, 0x00, 0x00),
-	/*
-	 * VsmpsAHwHPReq1Valid
-	 * VsmpsBHwHPReq1Valid
-	 * VsafeHwHPReq1Valid
-	 * VanaHwHPReq1Valid        = disabled
-	 * VpllHwHPReq1Valid
-	 * Vaux1HwHPreq1Valid       = disabled
-	 * Vaux2HwHPReq1Valid       = disabled
-	 * Vaux3HwHPReqValid        = disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUHWHPREQ1VALID1,     0xe8, 0x00),
-	/*
-	 * VsmpsMHwHPReq1Valid
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUHWHPREQ1VALID2,     0x00, 0x00),
-	/*
-	 * VsmpsAHwHPReq2Valid
-	 * VsmpsBHwHPReq2Valid
-	 * VsafeHwHPReq2Valid
-	 * VanaHwHPReq2Valid        = disabled
-	 * VpllHwHPReq2Valid
-	 * Vaux1HwHPReq2Valid       = disabled
-	 * Vaux2HwHPReq2Valid       = disabled
-	 * Vaux3HwHPReq2Valid       = disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUHWHPREQ2VALID1,     0xe8, 0x00),
-	/*
-	 * VsmpsMHwHPReq2Valid
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUHWHPREQ2VALID2,     0x00, 0x00),
-	/**
-	 * VsmpsCSwHPReqValid
-	 * VarmSwHPReqValid
-	 * VsmpsASwHPReqValid
-	 * VsmpsBSwHPReqValid
-	 * VsafeSwHPReqValid
-	 * VanaSwHPReqValid
-	 * VanaSwHPReqValid         = disabled
-	 * VpllSwHPReqValid
-	 * Vaux1SwHPReqValid        = disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUSWHPREQVALID1,      0xa0, 0x00),
-	/*
-	 * Vaux2SwHPReqValid        = disabled
-	 * Vaux3SwHPReqValid        = disabled
-	 * VsmpsMSwHPReqValid
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUSWHPREQVALID2,      0x03, 0x00),
-	/*
-	 * SysClkReq2Valid1         = SysClkReq2 controlled
-	 * SysClkReq3Valid1         = disabled
-	 * SysClkReq4Valid1         = SysClkReq4 controlled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUSYSCLKREQVALID1,    0x0e, 0x0a),
-	/*
-	 * SysClkReq2Valid2         = disabled
-	 * SysClkReq3Valid2         = disabled
-	 * SysClkReq4Valid2         = disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUSYSCLKREQVALID2,    0x0e, 0x00),
-	/*
-	 * Vaux4SwHPReqValid
-	 * Vaux4HwHPReq2Valid
-	 * Vaux4HwHPReq1Valid
-	 * Vaux4SysClkReq1HPValid
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUVAUX4REQVALID,    0x00, 0x00),
-	/*
-	 * VadcEna                  = disabled
-	 * VintCore12Ena            = disabled
-	 * VintCore12Sel            = 1.25 V
-	 * VintCore12LP             = inactive (HP)
-	 * VadcLP                   = inactive (HP)
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUMISC1,              0xfe, 0x10),
-	/*
-	 * VaudioEna                = disabled
-	 * Vaux8Ena                 = disabled
-	 * Vamic1Ena                = disabled
-	 * Vamic2Ena                = disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VAUDIOSUPPLY,           0x1e, 0x00),
-	/*
-	 * Vamic1_dzout             = high-Z when Vamic1 is disabled
-	 * Vamic2_dzout             = high-Z when Vamic2 is disabled
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUCTRL1VAMIC,         0x03, 0x00),
-	/*
-	 * VsmpsARegu
-	 * VsmpsASelCtrl
-	 * VsmpsAAutoMode
-	 * VsmpsAPWMMode
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSAREGU,    0x00, 0x00),
-	/*
-	 * VsmpsBRegu
-	 * VsmpsBSelCtrl
-	 * VsmpsBAutoMode
-	 * VsmpsBPWMMode
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSBREGU,    0x00, 0x00),
-	/*
-	 * VsafeRegu
-	 * VsafeSelCtrl
-	 * VsafeAutoMode
-	 * VsafePWMMode
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSAFEREGU,    0x00, 0x00),
-	/*
-	 * VPll                     = Hw controlled (NOTE! PRCMU bits)
-	 * VanaRegu                 = force off
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VPLLVANAREGU,           0x0f, 0x02),
-	/*
-	 * VextSupply1Regu          = force OFF (OTP_ExtSupply12LPnPolarity 1)
-	 * VextSupply2Regu          = force OFF (OTP_ExtSupply12LPnPolarity 1)
-	 * VextSupply3Regu          = force OFF (OTP_ExtSupply3LPnPolarity 0)
-	 * ExtSupply2Bypass         = ExtSupply12LPn ball is 0 when Ena is 0
-	 * ExtSupply3Bypass         = ExtSupply3LPn ball is 0 when Ena is 0
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_EXTSUPPLYREGU,          0xff, 0x30),
-	/*
-	 * Vaux1Regu                = force HP
-	 * Vaux2Regu                = force off
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VAUX12REGU,             0x0f, 0x01),
-	/*
-	 * Vaux3Regu                = force off
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VRF1VAUX3REGU,          0x03, 0x00),
-	/*
-	 * VsmpsASel1
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSASEL1,    0x00, 0x00),
-	/*
-	 * VsmpsASel2
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSASEL2,    0x00, 0x00),
-	/*
-	 * VsmpsASel3
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSASEL3,    0x00, 0x00),
-	/*
-	 * VsmpsBSel1
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSBSEL1,    0x00, 0x00),
-	/*
-	 * VsmpsBSel2
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSBSEL2,    0x00, 0x00),
-	/*
-	 * VsmpsBSel3
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSMPSBSEL3,    0x00, 0x00),
-	/*
-	 * VsafeSel1
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSAFESEL1,    0x00, 0x00),
-	/*
-	 * VsafeSel2
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSAFESEL2,    0x00, 0x00),
-	/*
-	 * VsafeSel3
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VSAFESEL3,    0x00, 0x00),
-	/*
-	 * Vaux1Sel                 = 2.8 V
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VAUX1SEL,               0x0f, 0x0C),
-	/*
-	 * Vaux2Sel                 = 2.9 V
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VAUX2SEL,               0x0f, 0x0d),
-	/*
-	 * Vaux3Sel                 = 2.91 V
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VRF1VAUX3SEL,           0x07, 0x07),
-	/*
-	 * Vaux4RequestCtrl
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VAUX4REQCTRL,    0x00, 0x00),
-	/*
-	 * Vaux4Regu
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VAUX4REGU,    0x00, 0x00),
-	/*
-	 * Vaux4Sel
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_VAUX4SEL,    0x00, 0x00),
-	/*
-	 * Vaux1Disch               = short discharge time
-	 * Vaux2Disch               = short discharge time
-	 * Vaux3Disch               = short discharge time
-	 * Vintcore12Disch          = short discharge time
-	 * VTVoutDisch              = short discharge time
-	 * VaudioDisch              = short discharge time
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUCTRLDISCH,          0xfc, 0x00),
-	/*
-	 * VanaDisch                = short discharge time
-	 * Vaux8PullDownEna         = pulldown disabled when Vaux8 is disabled
-	 * Vaux8Disch               = short discharge time
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUCTRLDISCH2,         0x16, 0x00),
-	/*
-	 * Vaux4Disch               = short discharge time
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_REGUCTRLDISCH3,         0x01, 0x00),
-	/*
-	 * Vaux5Sel
-	 * Vaux5LP
-	 * Vaux5Ena
-	 * Vaux5Disch
-	 * Vaux5DisSfst
-	 * Vaux5DisPulld
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_CTRLVAUX5,              0x00, 0x00),
-	/*
-	 * Vaux6Sel
-	 * Vaux6LP
-	 * Vaux6Ena
-	 * Vaux6DisPulld
-	 */
-	INIT_REGULATOR_REGISTER(AB8505_CTRLVAUX6,              0x00, 0x00),
-};
-
-struct regulator_init_data ab8505_regulators[AB8505_NUM_REGULATORS] = {
-	/* supplies to the display/camera */
-	[AB8505_LDO_AUX1] = {
-		.constraints = {
-			.name = "V-DISPLAY",
-			.min_uV = 2800000,
-			.max_uV = 3300000,
-			.valid_ops_mask = REGULATOR_CHANGE_VOLTAGE |
-					  REGULATOR_CHANGE_STATUS,
-			.boot_on = 1, /* display is on at boot */
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vaux1_consumers),
-		.consumer_supplies = ab8500_vaux1_consumers,
-	},
-	/* supplies to the on-board eMMC */
-	[AB8505_LDO_AUX2] = {
-		.constraints = {
-			.name = "V-eMMC1",
-			.min_uV = 1100000,
-			.max_uV = 3300000,
-			.valid_ops_mask = REGULATOR_CHANGE_VOLTAGE |
-					  REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vaux2_consumers),
-		.consumer_supplies = ab8500_vaux2_consumers,
-	},
-	/* supply for VAUX3, supplies to SDcard slots */
-	[AB8505_LDO_AUX3] = {
-		.constraints = {
-			.name = "V-MMC-SD",
-			.min_uV = 1100000,
-			.max_uV = 3300000,
-			.valid_ops_mask = REGULATOR_CHANGE_VOLTAGE |
-					  REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vaux3_consumers),
-		.consumer_supplies = ab8500_vaux3_consumers,
-	},
-	/* supply for VAUX4, supplies to NFC and standalone secure element */
-	[AB8505_LDO_AUX4] = {
-		.constraints = {
-			.name = "V-NFC-SE",
-			.min_uV = 1100000,
-			.max_uV = 3300000,
-			.valid_ops_mask = REGULATOR_CHANGE_VOLTAGE |
-					  REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8505_vaux4_consumers),
-		.consumer_supplies = ab8505_vaux4_consumers,
-	},
-	/* supply for VAUX5, supplies to TBD */
-	[AB8505_LDO_AUX5] = {
-		.constraints = {
-			.name = "V-AUX5",
-			.min_uV = 1050000,
-			.max_uV = 2790000,
-			.valid_ops_mask = REGULATOR_CHANGE_VOLTAGE |
-					  REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8505_vaux5_consumers),
-		.consumer_supplies = ab8505_vaux5_consumers,
-	},
-	/* supply for VAUX6, supplies to TBD */
-	[AB8505_LDO_AUX6] = {
-		.constraints = {
-			.name = "V-AUX6",
-			.min_uV = 1050000,
-			.max_uV = 2790000,
-			.valid_ops_mask = REGULATOR_CHANGE_VOLTAGE |
-					  REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8505_vaux6_consumers),
-		.consumer_supplies = ab8505_vaux6_consumers,
-	},
-	/* supply for gpadc, ADC LDO */
-	[AB8505_LDO_ADC] = {
-		.constraints = {
-			.name = "V-ADC",
-			.valid_ops_mask = REGULATOR_CHANGE_STATUS,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8505_vadc_consumers),
-		.consumer_supplies = ab8505_vadc_consumers,
-	},
-	/* supply for ab8500-vaudio, VAUDIO LDO */
-	[AB8505_LDO_AUDIO] = {
-		.constraints = {
-			.name = "V-AUD",
-			.valid_ops_mask = REGULATOR_CHANGE_STATUS,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vaud_consumers),
-		.consumer_supplies = ab8500_vaud_consumers,
-	},
-	/* supply for v-anamic1 VAMic1-LDO */
-	[AB8505_LDO_ANAMIC1] = {
-		.constraints = {
-			.name = "V-AMIC1",
-			.valid_ops_mask = REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vamic1_consumers),
-		.consumer_supplies = ab8500_vamic1_consumers,
-	},
-	/* supply for v-amic2, VAMIC2 LDO, reuse constants for AMIC1 */
-	[AB8505_LDO_ANAMIC2] = {
-		.constraints = {
-			.name = "V-AMIC2",
-			.valid_ops_mask = REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vamic2_consumers),
-		.consumer_supplies = ab8500_vamic2_consumers,
-	},
-	/* supply for v-aux8, VAUX8 LDO */
-	[AB8505_LDO_AUX8] = {
-		.constraints = {
-			.name = "V-AUX8",
-			.valid_ops_mask = REGULATOR_CHANGE_STATUS,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8505_vaux8_consumers),
-		.consumer_supplies = ab8505_vaux8_consumers,
-	},
-	/* supply for v-intcore12, VINTCORE12 LDO */
-	[AB8505_LDO_INTCORE] = {
-		.constraints = {
-			.name = "V-INTCORE",
-			.min_uV = 1250000,
-			.max_uV = 1350000,
-			.input_uV = 1800000,
-			.valid_ops_mask = REGULATOR_CHANGE_VOLTAGE |
-					  REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE |
-					  REGULATOR_CHANGE_DRMS,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vintcore_consumers),
-		.consumer_supplies = ab8500_vintcore_consumers,
-	},
-	/* supply for LDO USB */
-	[AB8505_LDO_USB] = {
-		.constraints = {
-			.name = "V-USB",
-			.valid_ops_mask = REGULATOR_CHANGE_STATUS |
-					  REGULATOR_CHANGE_MODE,
-			.valid_modes_mask = REGULATOR_MODE_NORMAL |
-					    REGULATOR_MODE_IDLE,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8505_usb_consumers),
-		.consumer_supplies = ab8505_usb_consumers,
-	},
-	/* supply for U8500 CSI-DSI, VANA LDO */
-	[AB8505_LDO_ANA] = {
-		.constraints = {
-			.name = "V-CSI-DSI",
-			.valid_ops_mask = REGULATOR_CHANGE_STATUS,
-		},
-		.num_consumer_supplies = ARRAY_SIZE(ab8500_vana_consumers),
-		.consumer_supplies = ab8500_vana_consumers,
-	},
-};
-
 struct ab8500_regulator_platform_data ab8500_regulator_plat_data = {
 	.reg_init               = ab8500_reg_init,
 	.num_reg_init           = ARRAY_SIZE(ab8500_reg_init),
@@ -984,82 +463,3 @@ struct ab8500_regulator_platform_data ab
 	.ext_regulator          = ab8500_ext_regulators,
 	.num_ext_regulator      = ARRAY_SIZE(ab8500_ext_regulators),
 };
-
-struct ab8500_regulator_platform_data ab8505_regulator_plat_data = {
-	.reg_init               = ab8505_reg_init,
-	.num_reg_init           = ARRAY_SIZE(ab8505_reg_init),
-	.regulator              = ab8505_regulators,
-	.num_regulator          = ARRAY_SIZE(ab8505_regulators),
-};
-
-static void ab8500_modify_reg_init(int id, u8 mask, u8 value)
-{
-	int i;
-
-	if (cpu_is_u8520()) {
-		for (i = ARRAY_SIZE(ab8505_reg_init) - 1; i >= 0; i--) {
-			if (ab8505_reg_init[i].id == id) {
-				u8 initval = ab8505_reg_init[i].value;
-				initval = (initval & ~mask) | (value & mask);
-				ab8505_reg_init[i].value = initval;
-
-				BUG_ON(mask & ~ab8505_reg_init[i].mask);
-				return;
-			}
-		}
-	} else {
-		for (i = ARRAY_SIZE(ab8500_reg_init) - 1; i >= 0; i--) {
-			if (ab8500_reg_init[i].id == id) {
-				u8 initval = ab8500_reg_init[i].value;
-				initval = (initval & ~mask) | (value & mask);
-				ab8500_reg_init[i].value = initval;
-
-				BUG_ON(mask & ~ab8500_reg_init[i].mask);
-				return;
-			}
-		}
-	}
-
-	BUG_ON(1);
-}
-
-void mop500_regulator_init(void)
-{
-	struct regulator_init_data *regulator;
-
-	/*
-	 * Temporarily turn on Vaux2 on 8520 machine
-	 */
-	if (cpu_is_u8520()) {
-		/* Vaux2 initialized to be on */
-		ab8500_modify_reg_init(AB8505_VAUX12REGU, 0x0f, 0x05);
-	}
-
-	/*
-	 * Handle AB8500_EXT_SUPPLY2 on HREFP_V20_V50 boards (do it for
-	 * all HREFP_V20 boards)
-	 */
-	if (cpu_is_u8500v20()) {
-		/* VextSupply2RequestCtrl =  HP/OFF depending on VxRequest */
-		ab8500_modify_reg_init(AB8500_REGUREQUESTCTRL3, 0x01, 0x01);
-
-		/* VextSupply2SysClkReq1HPValid = SysClkReq1 controlled */
-		ab8500_modify_reg_init(AB8500_REGUSYSCLKREQ1HPVALID2,
-			0x20, 0x20);
-
-		/* VextSupply2 = force HP at initialization */
-		ab8500_modify_reg_init(AB8500_EXTSUPPLYREGU, 0x0c, 0x04);
-
-		/* enable VextSupply2 during platform active */
-		regulator = &ab8500_ext_regulators[AB8500_EXT_SUPPLY2];
-		regulator->constraints.always_on = 1;
-
-		/* disable VextSupply2 in suspend */
-		regulator = &ab8500_ext_regulators[AB8500_EXT_SUPPLY2];
-		regulator->constraints.state_mem.disabled = 1;
-		regulator->constraints.state_standby.disabled = 1;
-
-		/* enable VextSupply2 HW control (used in suspend) */
-		regulator->driver_data = (void *)&ab8500_ext_supply2;
-	}
-}
--- a/arch/arm/mach-ux500/board-mop500-regulators.h
+++ b/arch/arm/mach-ux500/board-mop500-regulators.h
@@ -11,14 +11,6 @@
 #ifndef __BOARD_MOP500_REGULATORS_H
 #define __BOARD_MOP500_REGULATORS_H
 
-#include <linux/regulator/machine.h>
-#include <linux/regulator/ab8500.h>
-
 extern struct ab8500_regulator_platform_data ab8500_regulator_plat_data;
-extern struct ab8500_regulator_platform_data ab8505_regulator_plat_data;
-extern struct regulator_init_data tps61052_regulator;
-extern struct regulator_init_data gpio_en_3v3_regulator;
-
-void mop500_regulator_init(void);
 
 #endif


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 080/148] regulator: ab8500: Remove AB8505 USB regulator
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (78 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 079/148] ARM: ux500: remove unused regulator data Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 081/148] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Ben Hutchings
                   ` (68 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Walleij, Mark Brown, Stephan Gerhold

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Gerhold <stephan@gerhold.net>

commit 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c upstream.

The USB regulator was removed for AB8500 in
commit 41a06aa738ad ("regulator: ab8500: Remove USB regulator").
It was then added for AB8505 in
commit 547f384f33db ("regulator: ab8500: add support for ab8505").

However, there was never an entry added for it in
ab8505_regulator_match. This causes all regulators after it
to be initialized with the wrong device tree data, eventually
leading to an out-of-bounds array read.

Given that it is not used anywhere in the kernel, it seems
likely that similar arguments against supporting it exist for
AB8505 (it is controlled by hardware).

Therefore, simply remove it like for AB8500 instead of adding
an entry in ab8505_regulator_match.

Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
Cc: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20191106173125.14496-1-stephan@gerhold.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/regulator/ab8500.c       | 17 -----------------
 include/linux/regulator/ab8500.h |  1 -
 2 files changed, 18 deletions(-)

--- a/drivers/regulator/ab8500.c
+++ b/drivers/regulator/ab8500.c
@@ -1099,23 +1099,6 @@ static struct ab8500_regulator_info
 		.update_val_idle	= 0x82,
 		.update_val_normal	= 0x02,
 	},
-	[AB8505_LDO_USB] = {
-		.desc = {
-			.name           = "LDO-USB",
-			.ops            = &ab8500_regulator_mode_ops,
-			.type           = REGULATOR_VOLTAGE,
-			.id             = AB8505_LDO_USB,
-			.owner          = THIS_MODULE,
-			.n_voltages     = 1,
-			.volt_table	= fixed_3300000_voltage,
-		},
-		.update_bank            = 0x03,
-		.update_reg             = 0x82,
-		.update_mask            = 0x03,
-		.update_val		= 0x01,
-		.update_val_idle	= 0x03,
-		.update_val_normal	= 0x01,
-	},
 	[AB8505_LDO_AUDIO] = {
 		.desc = {
 			.name		= "LDO-AUDIO",
--- a/include/linux/regulator/ab8500.h
+++ b/include/linux/regulator/ab8500.h
@@ -38,7 +38,6 @@ enum ab8505_regulator_id {
 	AB8505_LDO_AUX6,
 	AB8505_LDO_INTCORE,
 	AB8505_LDO_ADC,
-	AB8505_LDO_USB,
 	AB8505_LDO_AUDIO,
 	AB8505_LDO_ANAMIC1,
 	AB8505_LDO_ANAMIC2,


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 081/148] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 080/148] regulator: ab8500: Remove AB8505 USB regulator Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 082/148] inetpeer: fix data-race in inet_putpeer / inet_putpeer Ben Hutchings
                   ` (67 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mark Brown, Stephan Gerhold, Linus Walleij

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Gerhold <stephan@gerhold.net>

commit 458ea3ad033fc86e291712ce50cbe60c3428cf30 upstream.

Those regulators are not actually supported by the AB8500 regulator
driver. There is no ab8500_regulator_info for them and no entry in
ab8505_regulator_match.

As such, they cannot be registered successfully, and looking them
up in ab8505_regulator_match causes an out-of-bounds array read.

Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
Cc: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20191106173125.14496-2-stephan@gerhold.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/regulator/ab8500.h | 2 --
 1 file changed, 2 deletions(-)

--- a/include/linux/regulator/ab8500.h
+++ b/include/linux/regulator/ab8500.h
@@ -43,8 +43,6 @@ enum ab8505_regulator_id {
 	AB8505_LDO_ANAMIC2,
 	AB8505_LDO_AUX8,
 	AB8505_LDO_ANA,
-	AB8505_SYSCLKREQ_2,
-	AB8505_SYSCLKREQ_4,
 	AB8505_NUM_REGULATORS,
 };
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 082/148] inetpeer: fix data-race in inet_putpeer / inet_putpeer
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 081/148] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 083/148] iio: adis16480: Add debugfs_reg_access entry Ben Hutchings
                   ` (66 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Eric Dumazet, syzbot, David S. Miller

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 71685eb4ce80ae9c49eff82ca4dd15acab215de9 upstream.

We need to explicitely forbid read/store tearing in inet_peer_gc()
and inet_putpeer().

The following syzbot report reminds us about inet_putpeer()
running without a lock held.

BUG: KCSAN: data-race in inet_putpeer / inet_putpeer

write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 0:
 inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
 ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
 inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
 rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
 rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0xbb/0xe0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
 native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
 arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
 default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x1af/0x280 kernel/sched/idle.c:263

write to 0xffff888121fb2ed0 of 4 bytes by interrupt on cpu 1:
 inet_putpeer+0x37/0xa0 net/ipv4/inetpeer.c:240
 ip4_frag_free+0x3d/0x50 net/ipv4/ip_fragment.c:102
 inet_frag_destroy_rcu+0x58/0x80 net/ipv4/inet_fragment.c:228
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x256/0x5b0 kernel/rcu/tree.c:2157
 rcu_core+0x369/0x4d0 kernel/rcu/tree.c:2377
 rcu_core_si+0x12/0x20 kernel/rcu/tree.c:2386
 __do_softirq+0x115/0x33f kernel/softirq.c:292
 run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
 smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 4b9d9be839fd ("inetpeer: remove unused list")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
 - Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/inetpeer.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -419,7 +419,12 @@ static int inet_peer_gc(struct inet_peer
 		p = rcu_deref_locked(**stackptr, base);
 		if (atomic_read(&p->refcnt) == 0) {
 			smp_rmb();
-			delta = (__u32)jiffies - p->dtime;
+
+			/* The ACCESS_ONCE() pairs with the ACCESS_ONCE()
+			 * in inet_putpeer()
+			 */
+			delta = (__u32)jiffies - ACCESS_ONCE(p->dtime);
+
 			if (delta >= ttl &&
 			    atomic_cmpxchg(&p->refcnt, 0, -1) == 0) {
 				p->gc_next = gchead;
@@ -504,7 +509,10 @@ EXPORT_SYMBOL_GPL(inet_getpeer);
 
 void inet_putpeer(struct inet_peer *p)
 {
-	p->dtime = (__u32)jiffies;
+	/* The ACCESS_ONCE() pairs with itself (we run lockless)
+	 * and the ACCESS_ONCE() in inet_peer_gc()
+	 */
+	ACCESS_ONCE(p->dtime) = (__u32)jiffies;
 	smp_mb__before_atomic();
 	atomic_dec(&p->refcnt);
 }


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 083/148] iio: adis16480: Add debugfs_reg_access entry
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 082/148] inetpeer: fix data-race in inet_putpeer / inet_putpeer Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 084/148] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() Ben Hutchings
                   ` (65 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Nuno Sá, Jonathan Cameron

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nuno Sá <nuno.sa@analog.com>

commit 4c35b7a51e2f291471f7221d112c6a45c63e83bc upstream.

The driver is defining debugfs entries by calling
`adis16480_debugfs_init()`. However, those entries are attached to the
iio_dev debugfs entry which won't exist if no debugfs_reg_access
callback is provided.

Fixes: 2f3abe6cbb6c ("iio:imu: Add support for the ADIS16480 and similar IMUs")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/imu/adis16480.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/imu/adis16480.c
+++ b/drivers/iio/imu/adis16480.c
@@ -760,6 +760,7 @@ static const struct iio_info adis16480_i
 	.read_raw = &adis16480_read_raw,
 	.write_raw = &adis16480_write_raw,
 	.update_scan_mode = adis_update_scan_mode,
+	.debugfs_reg_access = adis_debugfs_reg_access,
 	.driver_module = THIS_MODULE,
 };
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 084/148] drm/i915/userptr: Try to acquire the page lock around set_page_dirty()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 083/148] iio: adis16480: Add debugfs_reg_access entry Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 085/148] USB: serial: mos7720: fix remote wakeup Ben Hutchings
                   ` (64 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Chris Wilson, Tvrtko Ursulin,
	Lionel Landwerlin, Joonas Lahtinen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit cee7fb437edcdb2f9f8affa959e274997f5dca4d upstream.

set_page_dirty says:

	For pages with a mapping this should be done under the page lock
	for the benefit of asynchronous memory errors who prefer a
	consistent dirty state. This rule can be broken in some special
	cases, but should be better not to.

Under those rules, it is only safe for us to use the plain set_page_dirty
calls for shmemfs/anonymous memory. Userptr may be used with real
mappings and so needs to use the locked version (set_page_dirty_lock).

However, following a try_to_unmap() we may want to remove the userptr and
so call put_pages(). However, try_to_unmap() acquires the page lock and
so we must avoid recursively locking the pages ourselves -- which means
that we cannot safely acquire the lock around set_page_dirty(). Since we
can't be sure of the lock, we have to risk skip dirtying the page, or
else risk calling set_page_dirty() without a lock and so risk fs
corruption.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203317
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=112012
Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl")
References: cb6d7c7dc7ff ("drm/i915/userptr: Acquire the page lock around set_page_dirty()")
References: 505a8ec7e11a ("Revert "drm/i915/userptr: Acquire the page lock around set_page_dirty()"")
References: 6dcc693bc57f ("ext4: warn when page is dirtied without buffers")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191111133205.11590-1-chris@chris-wilson.co.uk
(cherry picked from commit 0d4bbe3d407f79438dc4f87943db21f7134cfc65)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/i915_gem_userptr.c | 22 ++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/i915_gem_userptr.c
+++ b/drivers/gpu/drm/i915/i915_gem_userptr.c
@@ -569,8 +569,28 @@ i915_gem_userptr_put_pages(struct drm_i9
 	for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, 0) {
 		struct page *page = sg_page_iter_page(&sg_iter);
 
-		if (obj->dirty)
+		if (obj->dirty && trylock_page(page)) {
+			/*
+			 * As this may not be anonymous memory (e.g. shmem)
+			 * but exist on a real mapping, we have to lock
+			 * the page in order to dirty it -- holding
+			 * the page reference is not sufficient to
+			 * prevent the inode from being truncated.
+			 * Play safe and take the lock.
+			 *
+			 * However...!
+			 *
+			 * The mmu-notifier can be invalidated for a
+			 * migrate_page, that is alreadying holding the lock
+			 * on the page. Such a try_to_unmap() will result
+			 * in us calling put_pages() and so recursively try
+			 * to lock the page. We avoid that deadlock with
+			 * a trylock_page() and in exchange we risk missing
+			 * some page dirtying.
+			 */
 			set_page_dirty(page);
+			unlock_page(page);
+		}
 
 		mark_page_accessed(page);
 		page_cache_release(page);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 085/148] USB: serial: mos7720: fix remote wakeup
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 084/148] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 086/148] USB: serial: mos7840: " Ben Hutchings
                   ` (63 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Greg Kroah-Hartman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ea422312a462696093b5db59d294439796cba4ad upstream.

The driver was setting the device remote-wakeup feature during probe in
violation of the USB specification (which says it should only be set
just prior to suspending the device). This could potentially waste
power during suspend as well as lead to spurious wakeups.

Note that USB core would clear the remote-wakeup feature at first
resume.

Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7720.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1917,10 +1917,6 @@ static int mos7720_startup(struct usb_se
 		}
 	}
 
-	/* setting configuration feature to one */
-	usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
-			(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
-
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	if (product == MOSCHIP_DEVICE_ID_7715) {
 		ret_val = mos7715_parport_init(serial);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 086/148] USB: serial: mos7840: fix remote wakeup
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (84 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 085/148] USB: serial: mos7720: fix remote wakeup Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 087/148] fuse: verify attributes Ben Hutchings
                   ` (62 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Greg Kroah-Hartman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815 upstream.

The driver was setting the device remote-wakeup feature during probe in
violation of the USB specification (which says it should only be set
just prior to suspending the device). This could potentially waste
power during suspend as well as lead to spurious wakeups.

Note that USB core would clear the remote-wakeup feature at first
resume.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mos7840.c | 5 -----
 1 file changed, 5 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2414,11 +2414,6 @@ out:
 			goto error;
 		} else
 			dev_dbg(&port->dev, "ZLP_REG5 Writing success status%d\n", status);
-
-		/* setting configuration feature to one */
-		usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
-				0x03, 0x00, 0x01, 0x00, NULL, 0x00,
-				MOS_WDR_TIMEOUT);
 	}
 	return 0;
 error:


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 087/148] fuse: verify attributes
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 086/148] USB: serial: mos7840: " Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 088/148] fuse: verify nlink Ben Hutchings
                   ` (61 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arijit Banerjee, Miklos Szeredi,
	Greg Kroah-Hartman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit eb59bd17d2fa6e5e84fba61a5ebdea984222e6d5 upstream.

If a filesystem returns negative inode sizes, future reads on the file were
causing the cpu to spin on truncate_pagecache.

Create a helper to validate the attributes.  This now does two things:

 - check the file mode
 - check if the file size fits in i_size without overflowing

Reported-by: Arijit Banerjee <arijit@rubrik.com>
Fixes: d8a5ba45457e ("[PATCH] FUSE - core")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/dir.c    | 24 +++++++++++++++++-------
 fs/fuse/fuse_i.h |  2 ++
 2 files changed, 19 insertions(+), 7 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -250,7 +250,8 @@ static int fuse_dentry_revalidate(struct
 			spin_unlock(&fc->lock);
 		}
 		kfree(forget);
-		if (err || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
+		if (err || fuse_invalid_attr(&outarg.attr) ||
+		    (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
 			goto invalid;
 
 		fuse_change_attributes(inode, &outarg.attr,
@@ -295,6 +296,12 @@ int fuse_valid_type(int m)
 		S_ISBLK(m) || S_ISFIFO(m) || S_ISSOCK(m);
 }
 
+bool fuse_invalid_attr(struct fuse_attr *attr)
+{
+	return !fuse_valid_type(attr->mode) ||
+		attr->size > LLONG_MAX;
+}
+
 int fuse_lookup_name(struct super_block *sb, u64 nodeid, struct qstr *name,
 		     struct fuse_entry_out *outarg, struct inode **inode)
 {
@@ -334,7 +341,7 @@ int fuse_lookup_name(struct super_block
 	err = -EIO;
 	if (!outarg->nodeid)
 		goto out_put_forget;
-	if (!fuse_valid_type(outarg->attr.mode))
+	if (fuse_invalid_attr(&outarg->attr))
 		goto out_put_forget;
 
 	*inode = fuse_iget(sb, outarg->nodeid, outarg->generation,
@@ -464,7 +471,8 @@ static int fuse_create_open(struct inode
 		goto out_free_ff;
 
 	err = -EIO;
-	if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid))
+	if (!S_ISREG(outentry.attr.mode) || invalid_nodeid(outentry.nodeid) ||
+	    fuse_invalid_attr(&outentry.attr))
 		goto out_free_ff;
 
 	fuse_put_request(fc, req);
@@ -580,7 +588,7 @@ static int create_new_entry(struct fuse_
 		goto out_put_forget_req;
 
 	err = -EIO;
-	if (invalid_nodeid(outarg.nodeid))
+	if (invalid_nodeid(outarg.nodeid) || fuse_invalid_attr(&outarg.attr))
 		goto out_put_forget_req;
 
 	if ((outarg.attr.mode ^ mode) & S_IFMT)
@@ -971,7 +979,8 @@ static int fuse_do_getattr(struct inode
 	err = req->out.h.error;
 	fuse_put_request(fc, req);
 	if (!err) {
-		if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+		if (fuse_invalid_attr(&outarg.attr) ||
+		    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
 			make_bad_inode(inode);
 			err = -EIO;
 		} else {
@@ -1282,7 +1291,7 @@ static int fuse_direntplus_link(struct f
 
 	if (invalid_nodeid(o->nodeid))
 		return -EIO;
-	if (!fuse_valid_type(o->attr.mode))
+	if (fuse_invalid_attr(&o->attr))
 		return -EIO;
 
 	fc = get_fuse_conn(dir);
@@ -1794,7 +1803,8 @@ int fuse_do_setattr(struct dentry *dentr
 		goto error;
 	}
 
-	if ((inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
+	if (fuse_invalid_attr(&outarg.attr) ||
+	    (inode->i_mode ^ outarg.attr.mode) & S_IFMT) {
 		make_bad_inode(inode);
 		err = -EIO;
 		goto error;
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -828,6 +828,8 @@ void fuse_ctl_remove_conn(struct fuse_co
  */
 int fuse_valid_type(int m);
 
+bool fuse_invalid_attr(struct fuse_attr *attr);
+
 /**
  * Is current process allowed to perform filesystem operation?
  */


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 088/148] fuse: verify nlink
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 087/148] fuse: verify attributes Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 089/148] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report Ben Hutchings
                   ` (60 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Miklos Szeredi

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@redhat.com>

commit c634da718db9b2fac201df2ae1b1b095344ce5eb upstream.

When adding a new hard link, make sure that i_nlink doesn't overflow.

Fixes: ac45d61357e8 ("fuse: fix nlink after unlink")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/fuse/dir.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -890,7 +890,8 @@ static int fuse_link(struct dentry *entr
 
 		spin_lock(&fc->lock);
 		fi->attr_version = ++fc->attr_version;
-		inc_nlink(inode);
+		if (likely(inode->i_nlink < UINT_MAX))
+			inc_nlink(inode);
 		spin_unlock(&fc->lock);
 		fuse_invalidate_attr(inode);
 		fuse_update_ctime(inode);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 089/148] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 088/148] fuse: verify nlink Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 090/148] scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences Ben Hutchings
                   ` (59 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pawel Harlozinski, Mark Brown

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>

commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream.

Check for existance of jack before tracing.
NULL pointer dereference has been reported by KASAN while unloading
machine driver (snd_soc_cnl_rt274).

Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/soc/soc-jack.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/soc/soc-jack.c
+++ b/sound/soc/soc-jack.c
@@ -69,10 +69,9 @@ void snd_soc_jack_report(struct snd_soc_
 	unsigned int sync = 0;
 	int enable;
 
-	trace_snd_soc_jack_report(jack, mask, status);
-
 	if (!jack)
 		return;
+	trace_snd_soc_jack_report(jack, mask, status);
 
 	codec = jack->codec;
 	dapm =  &codec->dapm;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 090/148] scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 089/148] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 091/148] tty: serial: imx: use the sg count from dma_map_sg Ben Hutchings
                   ` (58 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, linux-next, Dick Kennedy, James Bottomley,
	James Smart, coverity-bot, Gustavo A. R. Silva, Ewan D. Milne,
	Martin K. Petersen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Smart <jsmart2021@gmail.com>

commit 6c6d59e0fe5b86cf273d6d744a6a9768c4ecc756 upstream.

Coverity reported the following:

*** CID 101747:  Null pointer dereferences  (FORWARD_NULL)
/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
4433     			kfree(mp);
4434     		}
4435     		mempool_free(mbox, phba->mbox_mem_pool);
4436     	}
4437     out:
4438     	if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
vvv     CID 101747:  Null pointer dereferences  (FORWARD_NULL)
vvv     Dereferencing null pointer "shost".
4439     		spin_lock_irq(shost->host_lock);
4440     		ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
4441     		spin_unlock_irq(shost->host_lock);
4442
4443     		/* If the node is not being used by another discovery thread,
4444     		 * and we are sending a reject, we are done with it.

Fix by adding a check for non-null shost in line 4438.
The scenario when shost is set to null is when ndlp is null.
As such, the ndlp check present was sufficient. But better safe
than sorry so add the shost check.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 101747 ("Null pointer dereferences")
Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports")

CC: James Bottomley <James.Bottomley@SteelEye.com>
CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
CC: linux-next@vger.kernel.org
Link: https://lore.kernel.org/r/20191111230401.12958-3-jsmart2021@gmail.com
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/lpfc/lpfc_els.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -3861,7 +3861,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba,
 		mempool_free(mbox, phba->mbox_mem_pool);
 	}
 out:
-	if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
+	if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) {
 		spin_lock_irq(shost->host_lock);
 		ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
 		spin_unlock_irq(shost->host_lock);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 091/148] tty: serial: imx: use the sg count from dma_map_sg
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (89 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 090/148] scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 092/148] tty: serial: pch_uart: correct usage of dma_unmap_sg Ben Hutchings
                   ` (57 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Peng Fan, Greg Kroah-Hartman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peng Fan <peng.fan@nxp.com>

commit 596fd8dffb745afcebc0ec6968e17fe29f02044c upstream.

The dmaengine_prep_slave_sg needs to use sg count returned
by dma_map_sg, not use sport->dma_tx_nents, because the return
value of dma_map_sg is not always same with "nents".

Fixes: b4cdc8f61beb ("serial: imx: add DMA support for imx6q")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/1573108875-26530-1-git-send-email-peng.fan@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/imx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/imx.c
+++ b/drivers/tty/serial/imx.c
@@ -541,7 +541,7 @@ static void imx_dma_tx(struct imx_port *
 		dev_err(dev, "DMA mapping error for TX.\n");
 		return;
 	}
-	desc = dmaengine_prep_slave_sg(chan, sgl, sport->dma_tx_nents,
+	desc = dmaengine_prep_slave_sg(chan, sgl, ret,
 					DMA_MEM_TO_DEV, DMA_PREP_INTERRUPT);
 	if (!desc) {
 		dev_err(dev, "We cannot prepare for the TX slave dma!\n");


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 092/148] tty: serial: pch_uart: correct usage of dma_unmap_sg
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (90 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 091/148] tty: serial: imx: use the sg count from dma_map_sg Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 093/148] RDMA/srpt: Report the SCSI residual to the initiator Ben Hutchings
                   ` (56 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Peng Fan, Greg Kroah-Hartman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peng Fan <peng.fan@nxp.com>

commit 74887542fdcc92ad06a48c0cca17cdf09fc8aa00 upstream.

Per Documentation/DMA-API-HOWTO.txt,
To unmap a scatterlist, just call:
	dma_unmap_sg(dev, sglist, nents, direction);

.. note::

	The 'nents' argument to the dma_unmap_sg call must be
	the _same_ one you passed into the dma_map_sg call,
	it should _NOT_ be the 'count' value _returned_ from the
	dma_map_sg call.

However in the driver, priv->nent is directly assigned with value
returned from dma_map_sg, and dma_unmap_sg use priv->nent for unmap,
this breaks the API usage.

So introduce a new entry orig_nent to remember 'nents'.

Fixes: da3564ee027e ("pch_uart: add multi-scatter processing")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/1573623259-6339-1-git-send-email-peng.fan@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/pch_uart.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -251,6 +251,7 @@ struct eg20t_port {
 	struct dma_chan			*chan_rx;
 	struct scatterlist		*sg_tx_p;
 	int				nent;
+	int				orig_nent;
 	struct scatterlist		sg_rx;
 	int				tx_dma_use;
 	void				*rx_buf_virt;
@@ -803,9 +804,10 @@ static void pch_dma_tx_complete(void *ar
 	}
 	xmit->tail &= UART_XMIT_SIZE - 1;
 	async_tx_ack(priv->desc_tx);
-	dma_unmap_sg(port->dev, sg, priv->nent, DMA_TO_DEVICE);
+	dma_unmap_sg(port->dev, sg, priv->orig_nent, DMA_TO_DEVICE);
 	priv->tx_dma_use = 0;
 	priv->nent = 0;
+	priv->orig_nent = 0;
 	kfree(priv->sg_tx_p);
 	pch_uart_hal_enable_interrupt(priv, PCH_UART_HAL_TX_INT);
 }
@@ -1030,6 +1032,7 @@ static unsigned int dma_handle_tx(struct
 		dev_err(priv->port.dev, "%s:dma_map_sg Failed\n", __func__);
 		return 0;
 	}
+	priv->orig_nent = num;
 	priv->nent = nent;
 
 	for (i = 0; i < nent; i++, sg++) {


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 093/148] RDMA/srpt: Report the SCSI residual to the initiator
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (91 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 092/148] tty: serial: pch_uart: correct usage of dma_unmap_sg Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 094/148] binder: Handle start==NULL in binder_update_page_range() Ben Hutchings
                   ` (55 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Honggang Li, Jason Gunthorpe, Bart Van Assche

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bvanassche@acm.org>

commit e88982ad1bb12db699de96fbc07096359ef6176c upstream.

The code added by this patch is similar to the code that already exists in
ibmvscsis_determine_resid(). This patch has been tested by running the
following command:

strace sg_raw -r 1k /dev/sdb 12 00 00 00 60 00 -o inquiry.bin |&
    grep resid=

Link: https://lore.kernel.org/r/20191105214632.183302-1-bvanassche@acm.org
Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Acked-by: Honggang Li <honli@redhat.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/srpt/ib_srpt.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1519,9 +1519,11 @@ static int srpt_build_cmd_rsp(struct srp
 			      struct srpt_send_ioctx *ioctx, u64 tag,
 			      int status)
 {
+	struct se_cmd *cmd = &ioctx->cmd;
 	struct srp_rsp *srp_rsp;
 	const u8 *sense_data;
 	int sense_data_len, max_sense_len;
+	u32 resid = cmd->residual_count;
 
 	/*
 	 * The lowest bit of all SAM-3 status codes is zero (see also
@@ -1543,6 +1545,28 @@ static int srpt_build_cmd_rsp(struct srp
 	srp_rsp->tag = tag;
 	srp_rsp->status = status;
 
+	if (cmd->se_cmd_flags & SCF_UNDERFLOW_BIT) {
+		if (cmd->data_direction == DMA_TO_DEVICE) {
+			/* residual data from an underflow write */
+			srp_rsp->flags = SRP_RSP_FLAG_DOUNDER;
+			srp_rsp->data_out_res_cnt = cpu_to_be32(resid);
+		} else if (cmd->data_direction == DMA_FROM_DEVICE) {
+			/* residual data from an underflow read */
+			srp_rsp->flags = SRP_RSP_FLAG_DIUNDER;
+			srp_rsp->data_in_res_cnt = cpu_to_be32(resid);
+		}
+	} else if (cmd->se_cmd_flags & SCF_OVERFLOW_BIT) {
+		if (cmd->data_direction == DMA_TO_DEVICE) {
+			/* residual data from an overflow write */
+			srp_rsp->flags = SRP_RSP_FLAG_DOOVER;
+			srp_rsp->data_out_res_cnt = cpu_to_be32(resid);
+		} else if (cmd->data_direction == DMA_FROM_DEVICE) {
+			/* residual data from an overflow read */
+			srp_rsp->flags = SRP_RSP_FLAG_DIOVER;
+			srp_rsp->data_in_res_cnt = cpu_to_be32(resid);
+		}
+	}
+
 	if (sense_data_len) {
 		BUILD_BUG_ON(MIN_MAX_RSP_SIZE <= sizeof(*srp_rsp));
 		max_sense_len = ch->max_ti_iu_len - sizeof(*srp_rsp);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 094/148] binder: Handle start==NULL in binder_update_page_range()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 093/148] RDMA/srpt: Report the SCSI residual to the initiator Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 095/148] USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P Ben Hutchings
                   ` (54 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jann Horn, Christian Brauner, Greg Kroah-Hartman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.

The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
continuing backwards to index -1 and crashing.

Luckily you need to be highly privileged to map things at NULL, so it's not
a big problem.

Fix it by adjusting the loop so that the loop variable is always in bounds.

This patch is deliberately minimal to simplify backporting, but IMO this
function could use a refactor. The jump labels in the second loop body are
horrible (the error gotos should be jumping to free_range instead), and
both loops would look nicer if they just iterated upwards through indices.
And the up_read()+mmput() shouldn't be duplicated like that.

Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: There is no continue statement in the loop,
 so we only need to check the exit condition at the bottom]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -624,8 +624,7 @@ static int binder_update_page_range(stru
 	return 0;
 
 free_range:
-	for (page_addr = end - PAGE_SIZE; page_addr >= start;
-	     page_addr -= PAGE_SIZE) {
+	for (page_addr = end - PAGE_SIZE; 1; page_addr -= PAGE_SIZE) {
 		page = &proc->pages[(page_addr - proc->buffer) / PAGE_SIZE];
 		if (vma)
 			zap_page_range(vma, (uintptr_t)page_addr +
@@ -636,7 +635,8 @@ err_map_kernel_failed:
 		__free_page(*page);
 		*page = NULL;
 err_alloc_page_failed:
-		;
+		if (page_addr == start)
+			break;
 	}
 err_no_vma:
 	if (mm) {


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 095/148] USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (93 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 094/148] binder: Handle start==NULL in binder_update_page_range() Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 096/148] futex: Prevent robust futex exit race Ben Hutchings
                   ` (53 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Fabio D'Urso, Johan Hovold

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio D'Urso <fabiodurso@hotmail.it>

commit c1a1f273d0825774c80896b8deb1c9ea1d0b91e3 upstream.

This device presents itself as a USB hub with three attached devices:
 - An ACM serial port connected to the GPS module (not affected by this
   commit)
 - An FTDI serial port connected to the GPS module (1546:0502)
 - Another FTDI serial port connected to the ODIN-W2 radio module
   (1546:0503)

This commit registers U-Blox's VID and the PIDs of the second and third
devices.

Datasheet: https://www.u-blox.com/sites/default/files/C099-F9P-AppBoard-Mbed-OS3-FW_UserGuide_%28UBX-18063024%29.pdf

Signed-off-by: Fabio D'Urso <fabiodurso@hotmail.it>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/ftdi_sio.c     | 3 +++
 drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
 2 files changed, 10 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1041,6 +1041,9 @@ static const struct usb_device_id id_tab
 	/* Sienna devices */
 	{ USB_DEVICE(FTDI_VID, FTDI_SIENNA_PID) },
 	{ USB_DEVICE(ECHELON_VID, ECHELON_U20_PID) },
+	/* U-Blox devices */
+	{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) },
+	{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1557,3 +1557,10 @@
  */
 #define UNJO_VID			0x22B7
 #define UNJO_ISODEBUG_V1_PID		0x150D
+
+/*
+ * U-Blox products (http://www.u-blox.com).
+ */
+#define UBLOX_VID			0x1546
+#define UBLOX_C099F9P_ZED_PID		0x0502
+#define UBLOX_C099F9P_ODIN_PID		0x0503


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 096/148] futex: Prevent robust futex exit race
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 095/148] USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 097/148] x86/speculation: Fix incorrect MDS/TAA mitigation status Ben Hutchings
                   ` (52 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Yang Tao, Peter Zijlstra (Intel),
	Ingo Molnar, Thomas Gleixner, Yi Wang

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yang Tao <yang.tao172@zte.com.cn>

commit ca16d5bee59807bf04deaab0a8eccecd5061528c upstream.

Robust futexes utilize the robust_list mechanism to allow the kernel to
release futexes which are held when a task exits. The exit can be voluntary
or caused by a signal or fault. This prevents that waiters block forever.

The futex operations in user space store a pointer to the futex they are
either locking or unlocking in the op_pending member of the per task robust
list.

After a lock operation has succeeded the futex is queued in the robust list
linked list and the op_pending pointer is cleared.

After an unlock operation has succeeded the futex is removed from the
robust list linked list and the op_pending pointer is cleared.

The robust list exit code checks for the pending operation and any futex
which is queued in the linked list. It carefully checks whether the futex
value is the TID of the exiting task. If so, it sets the OWNER_DIED bit and
tries to wake up a potential waiter.

This is race free for the lock operation but unlock has two race scenarios
where waiters might not be woken up. These issues can be observed with
regular robust pthread mutexes. PI aware pthread mutexes are not affected.

(1) Unlocking task is killed after unlocking the futex value in user space
    before being able to wake a waiter.

        pthread_mutex_unlock()
                |
                V
        atomic_exchange_rel (&mutex->__data.__lock, 0)
                        <------------------------killed
            lll_futex_wake ()                   |
                                                |
                                                |(__lock = 0)
                                                |(enter kernel)
                                                |
                                                V
                                            do_exit()
                                            exit_mm()
                                          mm_release()
                                        exit_robust_list()
                                        handle_futex_death()
                                                |
                                                |(__lock = 0)
                                                |(uval = 0)
                                                |
                                                V
        if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                return 0;

    The sanity check which ensures that the user space futex is owned by
    the exiting task prevents the wakeup of waiters which in consequence
    block infinitely.

(2) Waiting task is killed after a wakeup and before it can acquire the
    futex in user space.

        OWNER                         WAITER
				futex_wait()
   pthread_mutex_unlock()               |
                |                       |
                |(__lock = 0)           |
                |                       |
                V                       |
         futex_wake() ------------>  wakeup()
                                        |
                                        |(return to userspace)
                                        |(__lock = 0)
                                        |
                                        V
                        oldval = mutex->__data.__lock
                                          <-----------------killed
    atomic_compare_and_exchange_val_acq (&mutex->__data.__lock,  |
                        id | assume_other_futex_waiters, 0)      |
                                                                 |
                                                                 |
                                                   (enter kernel)|
                                                                 |
                                                                 V
                                                         do_exit()
                                                        |
                                                        |
                                                        V
                                        handle_futex_death()
                                        |
                                        |(__lock = 0)
                                        |(uval = 0)
                                        |
                                        V
        if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
                return 0;

    The sanity check which ensures that the user space futex is owned
    by the exiting task prevents the wakeup of waiters, which seems to
    be correct as the exiting task does not own the futex value, but
    the consequence is that other waiters wont be woken up and block
    infinitely.

In both scenarios the following conditions are true:

   - task->robust_list->list_op_pending != NULL
   - user space futex value == 0
   - Regular futex (not PI)

If these conditions are met then it is reasonably safe to wake up a
potential waiter in order to prevent the above problems.

As this might be a false positive it can cause spurious wakeups, but the
waiter side has to handle other types of unrelated wakeups, e.g. signals
gracefully anyway. So such a spurious wakeup will not affect the
correctness of these operations.

This workaround must not touch the user space futex value and cannot set
the OWNER_DIED bit because the lock value is 0, i.e. uncontended. Setting
OWNER_DIED in this case would result in inconsistent state and subsequently
in malfunction of the owner died handling in user space.

The rest of the user space state is still consistent as no other task can
observe the list_op_pending entry in the exiting tasks robust list.

The eventually woken up waiter will observe the uncontended lock value and
take it over.

[ tglx: Massaged changelog and comment. Made the return explicit and not
  	depend on the subsequent check and added constants to hand into
  	handle_futex_death() instead of plain numbers. Fixed a few coding
	style issues. ]

Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
Signed-off-by: Yang Tao <yang.tao172@zte.com.cn>
Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/1573010582-35297-1-git-send-email-wang.yi59@zte.com.cn
Link: https://lkml.kernel.org/r/20191106224555.943191378@linutronix.de
[bwh: Backported to 3.16: Implementation is split between futex.c and
 futex_compat.c, with common definitions in <linux/futex.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2905,7 +2905,8 @@ err_unlock:
  * Process a futex-list entry, check whether it's owned by the
  * dying task, and do notification if so:
  */
-int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi)
+int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
+		       bool pi, bool pending_op)
 {
 	u32 uval, uninitialized_var(nval), mval;
 
@@ -2917,6 +2918,42 @@ retry:
 	if (get_user(uval, uaddr))
 		return -1;
 
+	/*
+	 * Special case for regular (non PI) futexes. The unlock path in
+	 * user space has two race scenarios:
+	 *
+	 * 1. The unlock path releases the user space futex value and
+	 *    before it can execute the futex() syscall to wake up
+	 *    waiters it is killed.
+	 *
+	 * 2. A woken up waiter is killed before it can acquire the
+	 *    futex in user space.
+	 *
+	 * In both cases the TID validation below prevents a wakeup of
+	 * potential waiters which can cause these waiters to block
+	 * forever.
+	 *
+	 * In both cases the following conditions are met:
+	 *
+	 *	1) task->robust_list->list_op_pending != NULL
+	 *	   @pending_op == true
+	 *	2) User space futex value == 0
+	 *	3) Regular futex: @pi == false
+	 *
+	 * If these conditions are met, it is safe to attempt waking up a
+	 * potential waiter without touching the user space futex value and
+	 * trying to set the OWNER_DIED bit. The user space futex value is
+	 * uncontended and the rest of the user space mutex state is
+	 * consistent, so a woken waiter will just take over the
+	 * uncontended futex. Setting the OWNER_DIED bit would create
+	 * inconsistent state and malfunction of the user space owner died
+	 * handling.
+	 */
+	if (pending_op && !pi && !uval) {
+		futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
+		return 0;
+	}
+
 	if ((uval & FUTEX_TID_MASK) == task_pid_vnr(curr)) {
 		/*
 		 * Ok, this dying thread is truly holding a futex
@@ -3021,10 +3058,11 @@ void exit_robust_list(struct task_struct
 		 * A pending lock might already be on the list, so
 		 * don't process it twice:
 		 */
-		if (entry != pending)
+		if (entry != pending) {
 			if (handle_futex_death((void __user *)entry + futex_offset,
-						curr, pi))
+						curr, pi, HANDLE_DEATH_LIST))
 				return;
+		}
 		if (rc)
 			return;
 		entry = next_entry;
@@ -3038,9 +3076,10 @@ void exit_robust_list(struct task_struct
 		cond_resched();
 	}
 
-	if (pending)
+	if (pending) {
 		handle_futex_death((void __user *)pending + futex_offset,
-				   curr, pip);
+				   curr, pip, HANDLE_DEATH_PENDING);
+	}
 }
 
 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -94,7 +94,8 @@ void compat_exit_robust_list(struct task
 		if (entry != pending) {
 			void __user *uaddr = futex_uaddr(entry, futex_offset);
 
-			if (handle_futex_death(uaddr, curr, pi))
+			if (handle_futex_death(uaddr, curr, pi,
+					       HANDLE_DEATH_LIST))
 				return;
 		}
 		if (rc)
@@ -113,7 +114,7 @@ void compat_exit_robust_list(struct task
 	if (pending) {
 		void __user *uaddr = futex_uaddr(pending, futex_offset);
 
-		handle_futex_death(uaddr, curr, pip);
+		handle_futex_death(uaddr, curr, pip, HANDLE_DEATH_PENDING);
 	}
 }
 
--- a/include/linux/futex.h
+++ b/include/linux/futex.h
@@ -11,8 +11,13 @@ union ktime;
 long do_futex(u32 __user *uaddr, int op, u32 val, union ktime *timeout,
 	      u32 __user *uaddr2, u32 val2, u32 val3);
 
+/* Constants for the pending_op argument of handle_futex_death */
+#define HANDLE_DEATH_PENDING	true
+#define HANDLE_DEATH_LIST	false
+
 extern int
-handle_futex_death(u32 __user *uaddr, struct task_struct *curr, int pi);
+handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
+		   bool pi, bool pending_op);
 
 /*
  * Futexes are matched on equal values of this key.


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 097/148] x86/speculation: Fix incorrect MDS/TAA mitigation status
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (95 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 096/148] futex: Prevent robust futex exit race Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 098/148] usb-serial: cp201x: support Mark-10 digital force gauge Ben Hutchings
                   ` (51 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ingo Molnar, Josh Poimboeuf,
	Borislav Petkov, x86-ml, H. Peter Anvin, Tyler Hicks,
	Greg Kroah-Hartman, Jiri Kosina, Thomas Gleixner, Tim Chen,
	Peter Zijlstra, Tony Luck, Mark Gross, linux-doc,
	Jonathan Corbet, Pawan Gupta, Waiman Long

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Waiman Long <longman@redhat.com>

commit 64870ed1b12e235cfca3f6c6da75b542c973ff78 upstream.

For MDS vulnerable processors with TSX support, enabling either MDS or
TAA mitigations will enable the use of VERW to flush internal processor
buffers at the right code path. IOW, they are either both mitigated
or both not. However, if the command line options are inconsistent,
the vulnerabilites sysfs files may not report the mitigation status
correctly.

For example, with only the "mds=off" option:

  vulnerabilities/mds:Vulnerable; SMT vulnerable
  vulnerabilities/tsx_async_abort:Mitigation: Clear CPU buffers; SMT vulnerable

The mds vulnerabilities file has wrong status in this case. Similarly,
the taa vulnerability file will be wrong with mds mitigation on, but
taa off.

Change taa_select_mitigation() to sync up the two mitigation status
and have them turned off if both "mds=off" and "tsx_async_abort=off"
are present.

Update documentation to emphasize the fact that both "mds=off" and
"tsx_async_abort=off" have to be specified together for processors that
are affected by both TAA and MDS to be effective.

 [ bp: Massage and add kernel-parameters.txt change too. ]

Fixes: 1b42f017415b ("x86/speculation/taa: Add mitigation for TSX Async Abort")
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: linux-doc@vger.kernel.org
Cc: Mark Gross <mgross@linux.intel.com>
Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20191115161445.30809-2-longman@redhat.com
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/hw-vuln/mds.rst             |  7 +++++--
 Documentation/hw-vuln/tsx_async_abort.rst |  5 ++++-
 Documentation/kernel-parameters.txt       | 11 +++++++++++
 arch/x86/kernel/cpu/bugs.c                | 17 +++++++++++++++--
 4 files changed, 35 insertions(+), 5 deletions(-)

--- a/Documentation/hw-vuln/mds.rst
+++ b/Documentation/hw-vuln/mds.rst
@@ -262,8 +262,11 @@ time with the option "mds=". The valid a
 
   ============  =============================================================
 
-Not specifying this option is equivalent to "mds=full".
-
+Not specifying this option is equivalent to "mds=full". For processors
+that are affected by both TAA (TSX Asynchronous Abort) and MDS,
+specifying just "mds=off" without an accompanying "tsx_async_abort=off"
+will have no effect as the same mitigation is used for both
+vulnerabilities.
 
 Mitigation selection guide
 --------------------------
--- a/Documentation/hw-vuln/tsx_async_abort.rst
+++ b/Documentation/hw-vuln/tsx_async_abort.rst
@@ -169,7 +169,10 @@ the option "tsx_async_abort=". The valid
                 systems will have no effect.
   ============  =============================================================
 
-Not specifying this option is equivalent to "tsx_async_abort=full".
+Not specifying this option is equivalent to "tsx_async_abort=full". For
+processors that are affected by both TAA and MDS, specifying just
+"tsx_async_abort=off" without an accompanying "mds=off" will have no
+effect as the same mitigation is used for both vulnerabilities.
 
 The kernel command line also allows to control the TSX feature using the
 parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1793,6 +1793,12 @@ bytes respectively. Such letter suffixes
 			full    - Enable MDS mitigation on vulnerable CPUs
 			off     - Unconditionally disable MDS mitigation
 
+			On TAA-affected machines, mds=off can be prevented by
+			an active TAA mitigation as both vulnerabilities are
+			mitigated with the same mechanism so in order to disable
+			this mitigation, you need to specify tsx_async_abort=off
+			too.
+
 			Not specifying this option is equivalent to
 			mds=full.
 
@@ -3634,6 +3640,11 @@ bytes respectively. Such letter suffixes
 
 			off        - Unconditionally disable TAA mitigation
 
+			On MDS-affected machines, tsx_async_abort=off can be
+			prevented by an active MDS mitigation as both vulnerabilities
+			are mitigated with the same mechanism so in order to disable
+			this mitigation, you need to specify mds=off too.
+
 			Not specifying this option is equivalent to
 			tsx_async_abort=full.  On CPUs which are MDS affected
 			and deploy MDS mitigation, TAA mitigation is not
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -349,8 +349,12 @@ static void __init taa_select_mitigation
 		return;
 	}
 
-	/* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */
-	if (taa_mitigation == TAA_MITIGATION_OFF)
+	/*
+	 * TAA mitigation via VERW is turned off if both
+	 * tsx_async_abort=off and mds=off are specified.
+	 */
+	if (taa_mitigation == TAA_MITIGATION_OFF &&
+	    mds_mitigation == MDS_MITIGATION_OFF)
 		goto out;
 
 	if (boot_cpu_has(X86_FEATURE_MD_CLEAR))
@@ -381,6 +385,15 @@ static void __init taa_select_mitigation
 	 */
 	static_branch_enable(&mds_user_clear);
 
+	/*
+	 * Update MDS mitigation, if necessary, as the mds_user_clear is
+	 * now enabled for TAA mitigation.
+	 */
+	if (mds_mitigation == MDS_MITIGATION_OFF &&
+	    boot_cpu_has_bug(X86_BUG_MDS)) {
+		mds_mitigation = MDS_MITIGATION_FULL;
+		mds_select_mitigation();
+	}
 out:
 	pr_info("%s\n", taa_strings[taa_mitigation]);
 }


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 098/148] usb-serial: cp201x: support Mark-10 digital force gauge
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 097/148] x86/speculation: Fix incorrect MDS/TAA mitigation status Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 099/148] USB: uas: honor flag to avoid CAPACITY16 Ben Hutchings
                   ` (50 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Johan Hovold, Greg Kroah-Hartman, Joel Jennings

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 347bc8cb26388791c5881a3775cb14a3f765a674 upstream.

Add support for the Mark-10 digital force gauge device to the cp201x
driver.

Based on a report and a larger patch from Joel Jennings

Reported-by: Joel Jennings <joel.jennings@makeitlabs.com>
Acked-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20191118092119.GA153852@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/cp210x.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -121,6 +121,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
 	{ USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */
 	{ USB_DEVICE(0x10C4, 0x83A8) }, /* Amber Wireless AMB2560 */
+	{ USB_DEVICE(0x10C4, 0x83AA) }, /* Mark-10 Digital Force Gauge */
 	{ USB_DEVICE(0x10C4, 0x83D8) }, /* DekTec DTA Plus VHF/UHF Booster/Attenuator */
 	{ USB_DEVICE(0x10C4, 0x8411) }, /* Kyocera GPS Module */
 	{ USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 099/148] USB: uas: honor flag to avoid CAPACITY16
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 098/148] usb-serial: cp201x: support Mark-10 digital force gauge Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 100/148] USB: uas: heed CAPACITY_HEURISTICS Ben Hutchings
                   ` (49 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Oliver Neukum

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit bff000cae1eec750d62e265c4ba2db9af57b17e1 upstream.

Copy the support over from usb-storage to get feature parity

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20191114112758.32747-2-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/uas.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -991,6 +991,10 @@ static int uas_slave_configure(struct sc
 	if (devinfo->flags & US_FL_BROKEN_FUA)
 		sdev->broken_fua = 1;
 
+	/* Some disks cannot handle READ_CAPACITY_16 */
+	if (devinfo->flags & US_FL_NO_READ_CAPACITY_16)
+		sdev->no_read_capacity_16 = 1;
+
 	/*
 	 * Some disks return the total number of blocks in response
 	 * to READ CAPACITY rather than the highest block number.


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 100/148] USB: uas: heed CAPACITY_HEURISTICS
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 099/148] USB: uas: honor flag to avoid CAPACITY16 Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 101/148] USB: documentation: flags on usb-storage versus UAS Ben Hutchings
                   ` (48 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Oliver Neukum

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 335cbbd5762d5e5c67a8ddd6e6362c2aa42a328f upstream.

There is no need to ignore this flag. We should be as close
to storage in that regard as makes sense, so honor flags whose
cost is tiny.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20191114112758.32747-3-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/storage/uas.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -1004,6 +1004,12 @@ static int uas_slave_configure(struct sc
 		sdev->fix_capacity = 1;
 
 	/*
+	 * in some cases we have to guess
+	 */
+	if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
+		sdev->guess_capacity = 1;
+
+	/*
 	 * Some devices don't like MODE SENSE with page=0x3f,
 	 * which is the command used for checking if a device
 	 * is write-protected.  Now that we tell the sd driver


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 101/148] USB: documentation: flags on usb-storage versus UAS
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (99 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 100/148] USB: uas: heed CAPACITY_HEURISTICS Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 102/148] Btrfs: fix negative subv_writers counter and data space leak after buffered write Ben Hutchings
                   ` (47 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Oliver Neukum

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 65cc8bf99349f651a0a2cee69333525fe581f306 upstream.

Document which flags work storage, UAS or both

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20191114112758.32747-4-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: Drop change relating to ALWAYS_SYNC]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 .../kernel-parameters.txt         | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)

--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -3730,13 +3730,13 @@ bytes respectively. Such letter suffixes
 			Flags is a set of characters, each corresponding
 			to a common usb-storage quirk flag as follows:
 				a = SANE_SENSE (collect more than 18 bytes
-					of sense data);
+					of sense data, not on uas);
 				b = BAD_SENSE (don't collect more than 18
-					bytes of sense data);
+					bytes of sense data, not on uas);
 				c = FIX_CAPACITY (decrease the reported
 					device capacity by one sector);
 				d = NO_READ_DISC_INFO (don't use
-					READ_DISC_INFO command);
+					READ_DISC_INFO command, not on uas);
 				e = NO_READ_CAPACITY_16 (don't use
 					READ_CAPACITY_16 command);
 				f = NO_REPORT_OPCODES (don't use report opcodes
@@ -3751,17 +3751,18 @@ bytes respectively. Such letter suffixes
 				j = NO_REPORT_LUNS (don't use report luns
 					command, uas only);
 				l = NOT_LOCKABLE (don't try to lock and
-					unlock ejectable media);
+					unlock ejectable media, not on uas);
 				m = MAX_SECTORS_64 (don't transfer more
-					than 64 sectors = 32 KB at a time);
+					than 64 sectors = 32 KB at a time,
+					not on uas);
 				n = INITIAL_READ10 (force a retry of the
-					initial READ(10) command);
+					initial READ(10) command, not on uas);
 				o = CAPACITY_OK (accept the capacity
-					reported by the device);
+					reported by the device, not on uas);
 				p = WRITE_CACHE (the device cache is ON
-					by default);
+					by default, not on uas);
 				r = IGNORE_RESIDUE (the device reports
-					bogus residue values);
+					bogus residue values, not on uas);
 				s = SINGLE_LUN (the device has only one
 					Logical Unit);
 				t = NO_ATA_1X (don't allow ATA(12) and ATA(16)


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 102/148] Btrfs: fix negative subv_writers counter and data space leak after buffered write
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (100 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 101/148] USB: documentation: flags on usb-storage versus UAS Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 103/148] btrfs: check page->mapping when loading free space cache Ben Hutchings
                   ` (46 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Josef Bacik, David Sterba, Filipe Manana

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit a0e248bb502d5165b3314ac3819e888fdcdf7d9f upstream.

When doing a buffered write it's possible to leave the subv_writers
counter of the root, used for synchronization between buffered nocow
writers and snapshotting. This happens in an exceptional case like the
following:

1) We fail to allocate data space for the write, since there's not
   enough available data space nor enough unallocated space for allocating
   a new data block group;

2) Because of that failure, we try to go to NOCOW mode, which succeeds
   and therefore we set the local variable 'only_release_metadata' to true
   and set the root's sub_writers counter to 1 through the call to
   btrfs_start_write_no_snapshotting() made by check_can_nocow();

3) The call to btrfs_copy_from_user() returns zero, which is very unlikely
   to happen but not impossible;

4) No pages are copied because btrfs_copy_from_user() returned zero;

5) We call btrfs_end_write_no_snapshotting() which decrements the root's
   subv_writers counter to 0;

6) We don't set 'only_release_metadata' back to 'false' because we do
   it only if 'copied', the value returned by btrfs_copy_from_user(), is
   greater than zero;

7) On the next iteration of the while loop, which processes the same
   page range, we are now able to allocate data space for the write (we
   got enough data space released in the meanwhile);

8) After this if we fail at btrfs_delalloc_reserve_metadata(), because
   now there isn't enough free metadata space, or in some other place
   further below (prepare_pages(), lock_and_cleanup_extent_if_need(),
   btrfs_dirty_pages()), we break out of the while loop with
   'only_release_metadata' having a value of 'true';

9) Because 'only_release_metadata' is 'true' we end up decrementing the
   root's subv_writers counter to -1 (through a call to
   btrfs_end_write_no_snapshotting()), and we also end up not releasing the
   data space previously reserved through btrfs_check_data_free_space().
   As a consequence the mechanism for synchronizing NOCOW buffered writes
   with snapshotting gets broken.

Fix this by always setting 'only_release_metadata' to false at the start
of each iteration.

Fixes: 8257b2dc3c1a ("Btrfs: introduce btrfs_{start, end}_nocow_write() for each subvolume")
Fixes: 7ee9e4405f26 ("Btrfs: check if we can nocow if we don't have data space")
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1540,6 +1540,7 @@ static noinline ssize_t __btrfs_buffered
 			break;
 		}
 
+		only_release_metadata = false;
 		reserve_bytes = num_pages << PAGE_CACHE_SHIFT;
 		ret = btrfs_check_data_free_space(inode, reserve_bytes);
 		if (ret == -ENOSPC &&
@@ -1671,7 +1672,6 @@ again:
 			set_extent_bit(&BTRFS_I(inode)->io_tree, lockstart,
 				       lockend, EXTENT_NORESERVE, NULL,
 				       NULL, GFP_NOFS);
-			only_release_metadata = false;
 		}
 
 		btrfs_drop_pages(pages, num_pages);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 103/148] btrfs: check page->mapping when loading free space cache
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 102/148] Btrfs: fix negative subv_writers counter and data space leak after buffered write Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 104/148] serial: ifx6x60: add missed pm_runtime_disable Ben Hutchings
                   ` (45 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nikolay Borisov, Josef Bacik,
	Filipe Manana, David Sterba

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Josef Bacik <josef@toxicpanda.com>

commit 3797136b626ad4b6582223660c041efdea8f26b2 upstream.

While testing 5.2 we ran into the following panic

[52238.017028] BUG: kernel NULL pointer dereference, address: 0000000000000001
[52238.105608] RIP: 0010:drop_buffers+0x3d/0x150
[52238.304051] Call Trace:
[52238.308958]  try_to_free_buffers+0x15b/0x1b0
[52238.317503]  shrink_page_list+0x1164/0x1780
[52238.325877]  shrink_inactive_list+0x18f/0x3b0
[52238.334596]  shrink_node_memcg+0x23e/0x7d0
[52238.342790]  ? do_shrink_slab+0x4f/0x290
[52238.350648]  shrink_node+0xce/0x4a0
[52238.357628]  balance_pgdat+0x2c7/0x510
[52238.365135]  kswapd+0x216/0x3e0
[52238.371425]  ? wait_woken+0x80/0x80
[52238.378412]  ? balance_pgdat+0x510/0x510
[52238.386265]  kthread+0x111/0x130
[52238.392727]  ? kthread_create_on_node+0x60/0x60
[52238.401782]  ret_from_fork+0x1f/0x30

The page we were trying to drop had a page->private, but had no
page->mapping and so called drop_buffers, assuming that we had a
buffer_head on the page, and then panic'ed trying to deref 1, which is
our page->private for data pages.

This is happening because we're truncating the free space cache while
we're trying to load the free space cache.  This isn't supposed to
happen, and I'll fix that in a followup patch.  However we still
shouldn't allow those sort of mistakes to result in messing with pages
that do not belong to us.  So add the page->mapping check to verify that
we still own this page after dropping and re-acquiring the page lock.

This page being unlocked as:
btrfs_readpage
  extent_read_full_page
    __extent_read_full_page
      __do_readpage
        if (!nr)
	   unlock_page  <-- nr can be 0 only if submit_extent_page
			    returns an error

Reviewed-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
[ add callchain ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/free-space-cache.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -360,6 +360,12 @@ static int io_ctl_prepare_pages(struct i
 		if (uptodate && !PageUptodate(page)) {
 			btrfs_readpage(NULL, page);
 			lock_page(page);
+			if (page->mapping != inode->i_mapping) {
+				btrfs_err(BTRFS_I(inode)->root->fs_info,
+					  "free space cache page truncated");
+				io_ctl_drop_pages(io_ctl);
+				return -EIO;
+			}
 			if (!PageUptodate(page)) {
 				btrfs_err(BTRFS_I(inode)->root->fs_info,
 					   "error reading free space cache");


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 104/148] serial: ifx6x60: add missed pm_runtime_disable
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 103/148] btrfs: check page->mapping when loading free space cache Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 105/148] rtc: msm6242: Fix reading of 10-hour digit Ben Hutchings
                   ` (44 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Chuhong Yuan

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuhong Yuan <hslester96@gmail.com>

commit 50b2b571c5f3df721fc81bf9a12c521dfbe019ba upstream.

The driver forgets to call pm_runtime_disable in remove.
Add the missed calls to fix it.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Link: https://lore.kernel.org/r/20191118024833.21587-1-hslester96@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/ifx6x60.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/serial/ifx6x60.c
+++ b/drivers/tty/serial/ifx6x60.c
@@ -1242,6 +1242,9 @@ static int ifx_spi_spi_remove(struct spi
 	struct ifx_spi_device *ifx_dev = spi_get_drvdata(spi);
 	/* stop activity */
 	tasklet_kill(&ifx_dev->io_work_tasklet);
+
+	pm_runtime_disable(&spi->dev);
+
 	/* free irq */
 	free_irq(gpio_to_irq(ifx_dev->gpio.reset_out), (void *)ifx_dev);
 	free_irq(gpio_to_irq(ifx_dev->gpio.srdy), (void *)ifx_dev);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 105/148] rtc: msm6242: Fix reading of 10-hour digit
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (103 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 104/148] serial: ifx6x60: add missed pm_runtime_disable Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 106/148] Bluetooth: delete a stray unlock Ben Hutchings
                   ` (43 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kars de Jong, Alexandre Belloni,
	Geert Uytterhoeven

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kars de Jong <jongk@linux-m68k.org>

commit e34494c8df0cd96fc432efae121db3212c46ae48 upstream.

The driver was reading the wrong register as the 10-hour digit due to
a misplaced ')'. It was in fact reading the 1-second digit register due
to this bug.

Also remove the use of a magic number for the hour mask and use the define
for it which was already present.

Fixes: 4f9b9bba1dd1 ("rtc: Add an RTC driver for the Oki MSM6242")
Tested-by: Kars de Jong <jongk@linux-m68k.org>
Signed-off-by: Kars de Jong <jongk@linux-m68k.org>
Link: https://lore.kernel.org/r/20191116110548.8562-1-jongk@linux-m68k.org
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/rtc/rtc-msm6242.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/rtc/rtc-msm6242.c
+++ b/drivers/rtc/rtc-msm6242.c
@@ -130,7 +130,8 @@ static int msm6242_read_time(struct devi
 		      msm6242_read(priv, MSM6242_SECOND1);
 	tm->tm_min  = msm6242_read(priv, MSM6242_MINUTE10) * 10 +
 		      msm6242_read(priv, MSM6242_MINUTE1);
-	tm->tm_hour = (msm6242_read(priv, MSM6242_HOUR10 & 3)) * 10 +
+	tm->tm_hour = (msm6242_read(priv, MSM6242_HOUR10) &
+		       MSM6242_HOUR10_HR_MASK) * 10 +
 		      msm6242_read(priv, MSM6242_HOUR1);
 	tm->tm_mday = msm6242_read(priv, MSM6242_DAY10) * 10 +
 		      msm6242_read(priv, MSM6242_DAY1);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 106/148] Bluetooth: delete a stray unlock
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 105/148] rtc: msm6242: Fix reading of 10-hour digit Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 107/148] ext4: work around deleting a file with i_nlink == 0 safely Ben Hutchings
                   ` (42 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Dan Carpenter, Marcel Holtmann

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit df66499a1fab340c167250a5743931dc50d5f0fa upstream.

We used to take a lock in amp_physical_cfm() but then we moved it to
the caller function.  Unfortunately the unlock on this error path was
overlooked so it leads to a double unlock.

Fixes: a514b17fab51 ("Bluetooth: Refactor locking in amp_physical_cfm")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bluetooth/l2cap_core.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4902,10 +4902,8 @@ void __l2cap_physical_cfm(struct l2cap_c
 	BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
 	       chan, result, local_amp_id, remote_amp_id);
 
-	if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
-		l2cap_chan_unlock(chan);
+	if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
 		return;
-	}
 
 	if (chan->state != BT_CONNECTED) {
 		l2cap_do_create(chan, result, local_amp_id, remote_amp_id);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 107/148] ext4: work around deleting a file with i_nlink == 0 safely
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (105 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 106/148] Bluetooth: delete a stray unlock Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 108/148] scsi: qla4xxx: fix double free bug Ben Hutchings
                   ` (41 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Andreas Dilger, Theodore Ts'o

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit c7df4a1ecb8579838ec8c56b2bb6a6716e974f37 upstream.

If the file system is corrupted such that a file's i_links_count is
too small, then it's possible that when unlinking that file, i_nlink
will already be zero.  Previously we were working around this kind of
corruption by forcing i_nlink to one; but we were doing this before
trying to delete the directory entry --- and if the file system is
corrupted enough that ext4_delete_entry() fails, then we exit with
i_nlink elevated, and this causes the orphan inode list handling to be
FUBAR'ed, such that when we unmount the file system, the orphan inode
list can get corrupted.

A better way to fix this is to simply skip trying to call drop_nlink()
if i_nlink is already zero, thus moving the check to the place where
it makes the most sense.

https://bugzilla.kernel.org/show_bug.cgi?id=205433

Link: https://lore.kernel.org/r/20191112032903.8828-1-tytso@mit.edu
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[bwh: Backported to 3.16: Log message and function are different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2830,19 +2830,18 @@ static int ext4_unlink(struct inode *dir
 	if (IS_DIRSYNC(dir))
 		ext4_handle_sync(handle);
 
-	if (!inode->i_nlink) {
-		ext4_warning(inode->i_sb,
-			     "Deleting nonexistent file (%lu), %d",
-			     inode->i_ino, inode->i_nlink);
-		set_nlink(inode, 1);
-	}
 	retval = ext4_delete_entry(handle, dir, de, bh);
 	if (retval)
 		goto end_unlink;
 	dir->i_ctime = dir->i_mtime = ext4_current_time(dir);
 	ext4_update_dx_flag(dir);
 	ext4_mark_inode_dirty(handle, dir);
-	drop_nlink(inode);
+	if (inode->i_nlink == 0)
+		ext4_warning(inode->i_sb,
+			     "Deleting nonexistent file (%lu), %d",
+			     inode->i_ino, inode->i_nlink);
+	else
+		drop_nlink(inode);
 	if (!inode->i_nlink)
 		ext4_orphan_add(handle, inode);
 	inode->i_ctime = ext4_current_time(inode);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 108/148] scsi: qla4xxx: fix double free bug
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 107/148] ext4: work around deleting a file with i_nlink == 0 safely Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 109/148] scsi: bnx2i: fix potential use after free Ben Hutchings
                   ` (40 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Manish Rangankar, Pan Bian, Martin K. Petersen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 3fe3d2428b62822b7b030577cd612790bdd8c941 upstream.

The variable init_fw_cb is released twice, resulting in a double free
bug. The call to the function dma_free_coherent() before goto is removed to
get rid of potential double free.

Fixes: 2a49a78ed3c8 ("[SCSI] qla4xxx: added IPv6 support.")
Link: https://lore.kernel.org/r/1572945927-27796-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Manish Rangankar <mrangankar@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/qla4xxx/ql4_mbx.c | 3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/scsi/qla4xxx/ql4_mbx.c
+++ b/drivers/scsi/qla4xxx/ql4_mbx.c
@@ -641,9 +641,6 @@ int qla4xxx_initialize_fw_cb(struct scsi
 
 	if (qla4xxx_get_ifcb(ha, &mbox_cmd[0], &mbox_sts[0], init_fw_cb_dma) !=
 	    QLA_SUCCESS) {
-		dma_free_coherent(&ha->pdev->dev,
-				  sizeof(struct addr_ctrl_blk),
-				  init_fw_cb, init_fw_cb_dma);
 		goto exit_init_fw_cb;
 	}
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 109/148] scsi: bnx2i: fix potential use after free
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (107 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 108/148] scsi: qla4xxx: fix double free bug Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 110/148] iwlwifi: check kasprintf() return value Ben Hutchings
                   ` (39 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pan Bian, Martin K. Petersen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 29d28f2b8d3736ac61c28ef7e20fda63795b74d9 upstream.

The member hba->pcidev may be used after its reference is dropped. Move the
put function to where it is never used to avoid potential use after free
issues.

Fixes: a77171806515 ("[SCSI] bnx2i: Removed the reference to the netdev->base_addr")
Link: https://lore.kernel.org/r/1573043541-19126-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/bnx2i/bnx2i_iscsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c
+++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c
@@ -913,12 +913,12 @@ void bnx2i_free_hba(struct bnx2i_hba *hb
 	INIT_LIST_HEAD(&hba->ep_ofld_list);
 	INIT_LIST_HEAD(&hba->ep_active_list);
 	INIT_LIST_HEAD(&hba->ep_destroy_list);
-	pci_dev_put(hba->pcidev);
 
 	if (hba->regview) {
 		pci_iounmap(hba->pcidev, hba->regview);
 		hba->regview = NULL;
 	}
+	pci_dev_put(hba->pcidev);
 	bnx2i_free_mp_bdt(hba);
 	bnx2i_release_free_cid_que(hba);
 	iscsi_host_free(shost);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 110/148] iwlwifi: check kasprintf() return value
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (108 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 109/148] scsi: bnx2i: fix potential use after free Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 111/148] serial: serial_core: Perform NULL checks for break_ctl ops Ben Hutchings
                   ` (38 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johannes Berg, Luca Coelho

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 5974fbb5e10b018fdbe3c3b81cb4cc54e1105ab9 upstream.

kasprintf() can fail, we should check the return value.

Fixes: 5ed540aecc2a ("iwlwifi: use mac80211 throughput trigger")
Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/iwlwifi/dvm/led.c | 3 +++
 drivers/net/wireless/iwlwifi/mvm/led.c | 3 +++
 2 files changed, 6 insertions(+)

--- a/drivers/net/wireless/iwlwifi/dvm/led.c
+++ b/drivers/net/wireless/iwlwifi/dvm/led.c
@@ -184,6 +184,9 @@ void iwl_leds_init(struct iwl_priv *priv
 
 	priv->led.name = kasprintf(GFP_KERNEL, "%s-led",
 				   wiphy_name(priv->hw->wiphy));
+	if (!priv->led.name)
+		return;
+
 	priv->led.brightness_set = iwl_led_brightness_set;
 	priv->led.blink_set = iwl_led_blink_set;
 	priv->led.max_brightness = 1;
--- a/drivers/net/wireless/iwlwifi/mvm/led.c
+++ b/drivers/net/wireless/iwlwifi/mvm/led.c
@@ -109,6 +109,9 @@ int iwl_mvm_leds_init(struct iwl_mvm *mv
 
 	mvm->led.name = kasprintf(GFP_KERNEL, "%s-led",
 				   wiphy_name(mvm->hw->wiphy));
+	if (!mvm->led.name)
+		return -ENOMEM;
+
 	mvm->led.brightness_set = iwl_led_brightness_set;
 	mvm->led.max_brightness = 1;
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 111/148] serial: serial_core: Perform NULL checks for break_ctl ops
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (109 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 110/148] iwlwifi: check kasprintf() return value Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 112/148] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES Ben Hutchings
                   ` (37 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jiangfeng Xiao, Greg Kroah-Hartman

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>

commit 7d73170e1c282576419f8b50a771f1fcd2b81a94 upstream.

Doing fuzz test on sbsa uart device, causes a kernel crash
due to NULL pointer dereference:

------------[ cut here ]------------
Unable to handle kernel paging request at virtual address fffffffffffffffc
pgd = ffffffe331723000
[fffffffffffffffc] *pgd=0000002333595003, *pud=0000002333595003, *pmd=00000
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in: ping(O) jffs2 rtos_snapshot(O) pramdisk(O) hisi_sfc(O)
Drv_Nandc_K(O) Drv_SysCtl_K(O) Drv_SysClk_K(O) bsp_reg(O) hns3(O)
hns3_uio_enet(O) hclgevf(O) hclge(O) hnae3(O) mdio_factory(O)
mdio_registry(O) mdio_dev(O) mdio(O) hns3_info(O) rtos_kbox_panic(O)
uart_suspend(O) rsm(O) stp llc tunnel4 xt_tcpudp ipt_REJECT nf_reject_ipv4
iptable_filter ip_tables x_tables sd_mod xhci_plat_hcd xhci_pci xhci_hcd
usbmon usbhid usb_storage ohci_platform ohci_pci ohci_hcd hid_generic hid
ehci_platform ehci_pci ehci_hcd vfat fat usbcore usb_common scsi_mod
yaffs2multi(O) ext4 jbd2 ext2 mbcache ofpart i2c_dev i2c_core uio ubi nand
nand_ecc nand_ids cfi_cmdset_0002 cfi_cmdset_0001 cfi_probe gen_probe
cmdlinepart chipreg mtdblock mtd_blkdevs mtd nfsd auth_rpcgss oid_registry
nfsv3 nfs nfs_acl lockd sunrpc grace autofs4
CPU: 2 PID: 2385 Comm: tty_fuzz_test Tainted: G           O    4.4.193 #1
task: ffffffe32b23f110 task.stack: ffffffe32bda4000
PC is at uart_break_ctl+0x44/0x84
LR is at uart_break_ctl+0x34/0x84
pc : [<ffffff8393196098>] lr : [<ffffff8393196088>] pstate: 80000005
sp : ffffffe32bda7cc0
x29: ffffffe32bda7cc0 x28: ffffffe32b23f110
x27: ffffff8393402000 x26: 0000000000000000
x25: ffffffe32b233f40 x24: ffffffc07a8ec680
x23: 0000000000005425 x22: 00000000ffffffff
x21: ffffffe33ed73c98 x20: 0000000000000000
x19: ffffffe33ed94168 x18: 0000000000000004
x17: 0000007f92ae9d30 x16: ffffff8392fa6064
x15: 0000000000000010 x14: 0000000000000000
x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000020 x10: 0000007ffdac1708
x9 : 0000000000000078 x8 : 000000000000001d
x7 : 0000000052a64887 x6 : ffffffe32bda7e08
x5 : ffffffe32b23c000 x4 : 0000005fbc5b0000
x3 : ffffff83938d5018 x2 : 0000000000000080
x1 : ffffffe32b23c040 x0 : ffffff83934428f8
virtual start addr offset is 38ac00000
module base offset is 2cd4cf1000
linear region base offset is : 0
Process tty_fuzz_test (pid: 2385, stack limit = 0xffffffe32bda4000)
Stack: (0xffffffe32bda7cc0 to 0xffffffe32bda8000)
7cc0: ffffffe32bda7cf0 ffffff8393177718 ffffffc07a8ec680 ffffff8393196054
7ce0: 000000001739f2e0 0000007ffdac1978 ffffffe32bda7d20 ffffff8393179a1c
7d00: 0000000000000000 ffffff8393c0a000 ffffffc07a8ec680 cb88537fdc8ba600
7d20: ffffffe32bda7df0 ffffff8392fa5a40 ffffff8393c0a000 0000000000005425
7d40: 0000007ffdac1978 ffffffe32b233f40 ffffff8393178dcc 0000000000000003
7d60: 000000000000011d 000000000000001d ffffffe32b23f110 000000000000029e
7d80: ffffffe34fe8d5d0 0000000000000000 ffffffe32bda7e14 cb88537fdc8ba600
7da0: ffffffe32bda7e30 ffffff8393042cfc ffffff8393c41720 ffffff8393c46410
7dc0: ffffff839304fa68 ffffffe32b233f40 0000000000005425 0000007ffdac1978
7de0: 000000000000011d cb88537fdc8ba600 ffffffe32bda7e70 ffffff8392fa60cc
7e00: 0000000000000000 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
7e20: 0000000000005425 0000007ffdac1978 ffffffe32bda7e70 ffffff8392fa60b0
7e40: 0000000000000280 ffffffe32b233f40 ffffffe32b233f40 0000000000000003
7e60: 0000000000005425 cb88537fdc8ba600 0000000000000000 ffffff8392e02e78
7e80: 0000000000000280 0000005fbc5b0000 ffffffffffffffff 0000007f92ae9d3c
7ea0: 0000000060000000 0000000000000015 0000000000000003 0000000000005425
7ec0: 0000007ffdac1978 0000000000000000 00000000a54c910e 0000007f92b95014
7ee0: 0000007f92b95090 0000000052a64887 000000000000001d 0000000000000078
7f00: 0000007ffdac1708 0000000000000020 0000000000000000 0000000000000000
7f20: 0000000000000000 0000000000000010 000000556acf0090 0000007f92ae9d30
7f40: 0000000000000004 000000556acdef10 0000000000000000 000000556acdebd0
7f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
7f80: 0000000000000000 0000000000000000 0000000000000000 0000007ffdac1840
7fa0: 000000556acdedcc 0000007ffdac1840 0000007f92ae9d3c 0000000060000000
7fc0: 0000000000000000 0000000000000000 0000000000000003 000000000000001d
7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
Call trace:
Exception stack(0xffffffe32bda7ab0 to 0xffffffe32bda7bf0)
7aa0:                                   0000000000001000 0000007fffffffff
7ac0: ffffffe32bda7cc0 ffffff8393196098 0000000080000005 0000000000000025
7ae0: ffffffe32b233f40 ffffff83930d777c ffffffe32bda7b30 ffffff83930d777c
7b00: ffffffe32bda7be0 ffffff83938d5000 ffffffe32bda7be0 ffffffe32bda7c20
7b20: ffffffe32bda7b60 ffffff83930d777c ffffffe32bda7c10 ffffff83938d5000
7b40: ffffffe32bda7c10 ffffffe32bda7c50 ffffff8393c0a000 ffffffe32b23f110
7b60: ffffffe32bda7b70 ffffff8392e09df4 ffffffe32bda7bb0 cb88537fdc8ba600
7b80: ffffff83934428f8 ffffffe32b23c040 0000000000000080 ffffff83938d5018
7ba0: 0000005fbc5b0000 ffffffe32b23c000 ffffffe32bda7e08 0000000052a64887
7bc0: 000000000000001d 0000000000000078 0000007ffdac1708 0000000000000020
7be0: 0000000000000000 0000000000000000
[<ffffff8393196098>] uart_break_ctl+0x44/0x84
[<ffffff8393177718>] send_break+0xa0/0x114
[<ffffff8393179a1c>] tty_ioctl+0xc50/0xe84
[<ffffff8392fa5a40>] do_vfs_ioctl+0xc4/0x6e8
[<ffffff8392fa60cc>] SyS_ioctl+0x68/0x9c
[<ffffff8392e02e78>] __sys_trace_return+0x0/0x4
Code: b9410ea0 34000160 f9408aa0 f9402814 (b85fc280)
---[ end trace 8606094f1960c5e0 ]---
Kernel panic - not syncing: Fatal exception

Fix this problem by adding NULL checks prior to calling break_ctl ops.

Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Link: https://lore.kernel.org/r/1574263133-28259-1-git-send-email-xiaojiangfeng@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/serial/serial_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1013,7 +1013,7 @@ static int uart_break_ctl(struct tty_str
 
 	mutex_lock(&port->mutex);
 
-	if (uport->type != PORT_UNKNOWN)
+	if (uport->type != PORT_UNKNOWN && uport->ops->break_ctl)
 		uport->ops->break_ctl(uport, break_state);
 
 	mutex_unlock(&port->mutex);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 112/148] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 111/148] serial: serial_core: Perform NULL checks for break_ctl ops Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 113/148] KVM: x86: do not modify masked bits of shared MSRs Ben Hutchings
                   ` (36 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paolo Bonzini, Jim Mattson

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream.

KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented
to the guests.  It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR &&
!RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not
hidden (it actually was), yet the value says that TSX is not vulnerable
to microarchitectural data sampling.  Fix both.

Tested-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -945,10 +945,15 @@ u64 kvm_get_arch_capabilities(void)
 	 * If TSX is disabled on the system, guests are also mitigated against
 	 * TAA and clear CPU buffer mitigation is not required for guests.
 	 */
-	if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
-	    (data & ARCH_CAP_TSX_CTRL_MSR))
+	if (!boot_cpu_has(X86_FEATURE_RTM))
+		data &= ~ARCH_CAP_TAA_NO;
+	else if (!boot_cpu_has_bug(X86_BUG_TAA))
+		data |= ARCH_CAP_TAA_NO;
+	else if (data & ARCH_CAP_TSX_CTRL_MSR)
 		data &= ~ARCH_CAP_MDS_NO;
 
+	/* KVM does not emulate MSR_IA32_TSX_CTRL.  */
+	data &= ~ARCH_CAP_TSX_CTRL_MSR;
 	return data;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 113/148] KVM: x86: do not modify masked bits of shared MSRs
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 112/148] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 114/148] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect Ben Hutchings
                   ` (35 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Jim Mattson, Paolo Bonzini

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.

"Shared MSRs" are guest MSRs that are written to the host MSRs but
keep their value until the next return to userspace.  They support
a mask, so that some bits keep the host value, but this mask is
only used to skip an unnecessary MSR write and the value written
to the MSR is always the guest MSR.

Fix this and, while at it, do not update smsr->values[slot].curr if
for whatever reason the wrmsr fails.  This should only happen due to
reserved bits, so the value written to smsr->values[slot].curr
will not match when the user-return notifier and the host value will
always be restored.  However, it is untidy and in rare cases this
can actually avoid spurious WRMSRs on return to userspace.

Reviewed-by: Jim Mattson <jmattson@google.com>
Tested-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -242,13 +242,14 @@ int kvm_set_shared_msr(unsigned slot, u6
 	struct kvm_shared_msrs *smsr = per_cpu_ptr(shared_msrs, cpu);
 	int err;
 
-	if (((value ^ smsr->values[slot].curr) & mask) == 0)
+	value = (value & mask) | (smsr->values[slot].host & ~mask);
+	if (value == smsr->values[slot].curr)
 		return 0;
-	smsr->values[slot].curr = value;
 	err = wrmsrl_safe(shared_msrs_global.msrs[slot], value);
 	if (err)
 		return 1;
 
+	smsr->values[slot].curr = value;
 	if (!smsr->registered) {
 		smsr->urn.on_user_return = kvm_on_user_return;
 		user_return_notifier_register(&smsr->urn);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 114/148] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (112 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 113/148] KVM: x86: do not modify masked bits of shared MSRs Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 115/148] ALSA: cs4236: fix error return comparison of an unsigned integer Ben Hutchings
                   ` (34 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Kai-Heng Feng, Bjorn Helgaas

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream.

The AMD FCH USB XHCI Controller advertises support for generating PME#
while in D0.  When in D0, it does signal PME# for USB 3.0 connect events,
but not for USB 2.0 or USB 1.1 connect events, which means the controller
doesn't wake correctly for those events.

  00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI])
        Subsystem: Dell FCH USB XHCI Controller [1028:087e]
        Capabilities: [50] Power Management version 3
                Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)

Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not
assert PME# from D0 so we don't rely on it.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673
Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.com
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/pci/fixup.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -575,6 +575,17 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_IN
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_invalid_bar);
 
 /*
+ * Device [1022:7914]
+ * When in D0, PME# doesn't get asserted when plugging USB 2.0 device.
+ */
+static void pci_fixup_amd_fch_xhci_pme(struct pci_dev *dev)
+{
+	dev_info(&dev->dev, "PME# does not work under D0, disabling it\n");
+	dev->pme_support &= ~(PCI_PM_CAP_PME_D0 >> PCI_PM_CAP_PME_SHIFT);
+}
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x7914, pci_fixup_amd_fch_xhci_pme);
+
+/*
  * Apple MacBook Pro: Avoid [mem 0x7fa00000-0x7fbfffff]
  *
  * Using the [mem 0x7fa00000-0x7fbfffff] region, e.g., by assigning it to


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 115/148] ALSA: cs4236: fix error return comparison of an unsigned integer
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (113 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 114/148] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 116/148] libtraceevent: Fix memory leakage in copy_filter_type Ben Hutchings
                   ` (33 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Takashi Iwai, Colin Ian King

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>

commit d60229d84846a8399257006af9c5444599f64361 upstream.

The return from pnp_irq is an unsigned integer type resource_size_t
and hence the error check for a positive non-error code is always
going to be true.  A check for a non-failure return from pnp_irq
should in fact be for (resource_size_t)-1 rather than >= 0.

Addresses-Coverity: ("Unsigned compared against 0")
Fixes: a9824c868a2c ("[ALSA] Add CS4232 PnP BIOS support")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: https://lore.kernel.org/r/20191122131354.58042-1-colin.king@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/isa/cs423x/cs4236.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/isa/cs423x/cs4236.c
+++ b/sound/isa/cs423x/cs4236.c
@@ -293,7 +293,8 @@ static int snd_cs423x_pnp_init_mpu(int d
 	} else {
 		mpu_port[dev] = pnp_port_start(pdev, 0);
 		if (mpu_irq[dev] >= 0 &&
-		    pnp_irq_valid(pdev, 0) && pnp_irq(pdev, 0) >= 0) {
+		    pnp_irq_valid(pdev, 0) &&
+		    pnp_irq(pdev, 0) != (resource_size_t)-1) {
 			mpu_irq[dev] = pnp_irq(pdev, 0);
 		} else {
 			mpu_irq[dev] = -1;	/* disable interrupt */


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 116/148] libtraceevent: Fix memory leakage in copy_filter_type
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (114 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 115/148] ALSA: cs4236: fix error return comparison of an unsigned integer Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 117/148] drm/radeon: fix bad DMA from INTERRUPT_CNTL2 Ben Hutchings
                   ` (32 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Steven Rostedt (VMware),
	Arnaldo Carvalho de Melo, Tzvetomir Stoyanov, Hewenliang

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hewenliang <hewenliang4@huawei.com>

commit 10992af6bf46a2048ad964985a5b77464e5563b1 upstream.

It is necessary to free the memory that we have allocated when error occurs.

Fixes: ef3072cd1d5c ("tools lib traceevent: Get rid of die in add_filter_type()")
Signed-off-by: Hewenliang <hewenliang4@huawei.com>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
Link: http://lore.kernel.org/lkml/20191119014415.57210-1-hewenliang4@huawei.com
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/lib/traceevent/parse-filter.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/tools/lib/traceevent/parse-filter.c
+++ b/tools/lib/traceevent/parse-filter.c
@@ -1482,8 +1482,10 @@ static int copy_filter_type(struct event
 	if (strcmp(str, "TRUE") == 0 || strcmp(str, "FALSE") == 0) {
 		/* Add trivial event */
 		arg = allocate_arg();
-		if (arg == NULL)
+		if (arg == NULL) {
+			free(str);
 			return -1;
+		}
 
 		arg->type = FILTER_ARG_BOOLEAN;
 		if (strcmp(str, "TRUE") == 0)
@@ -1492,8 +1494,11 @@ static int copy_filter_type(struct event
 			arg->boolean.value = 0;
 
 		filter_type = add_filter_type(filter, event->id);
-		if (filter_type == NULL)
+		if (filter_type == NULL) {
+			free(str);
+			free_arg(arg);
 			return -1;
+		}
 
 		filter_type->filter = arg;
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 117/148] drm/radeon: fix bad DMA from INTERRUPT_CNTL2
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 116/148] libtraceevent: Fix memory leakage in copy_filter_type Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 118/148] tty: vt: keyboard: reject invalid keycodes Ben Hutchings
                   ` (31 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Alex Deucher, Sam Bobroff

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Bobroff <sbobroff@linux.ibm.com>

commit 62d91dd2851e8ae2ca552f1b090a3575a4edf759 upstream.

The INTERRUPT_CNTL2 register expects a valid DMA address, but is
currently set with a GPU MC address.  This can cause problems on
systems that detect the resulting DMA read from an invalid address
(found on a Power8 guest).

Instead, use the DMA address of the dummy page because it will always
be safe.

Fixes: d8f60cfc9345 ("drm/radeon/kms: Add support for interrupts on r6xx/r7xx chips (v3)")
Fixes: 25a857fbe973 ("drm/radeon/kms: add support for interrupts on SI")
Fixes: a59781bbe528 ("drm/radeon: add support for interrupts on CIK (v5)")
Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/cik.c  | 4 ++--
 drivers/gpu/drm/radeon/r600.c | 4 ++--
 drivers/gpu/drm/radeon/si.c   | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/radeon/cik.c
+++ b/drivers/gpu/drm/radeon/cik.c
@@ -6875,8 +6875,8 @@ static int cik_irq_init(struct radeon_de
 	}
 
 	/* setup interrupt control */
-	/* XXX this should actually be a bus address, not an MC address. same on older asics */
-	WREG32(INTERRUPT_CNTL2, rdev->ih.gpu_addr >> 8);
+	/* set dummy read address to dummy page address */
+	WREG32(INTERRUPT_CNTL2, rdev->dummy_page.addr >> 8);
 	interrupt_cntl = RREG32(INTERRUPT_CNTL);
 	/* IH_DUMMY_RD_OVERRIDE=0 - dummy read disabled with msi, enabled without msi
 	 * IH_DUMMY_RD_OVERRIDE=1 - dummy read controlled by IH_DUMMY_RD_EN
--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -3427,8 +3427,8 @@ int r600_irq_init(struct radeon_device *
 	}
 
 	/* setup interrupt control */
-	/* set dummy read address to ring address */
-	WREG32(INTERRUPT_CNTL2, rdev->ih.gpu_addr >> 8);
+	/* set dummy read address to dummy page address */
+	WREG32(INTERRUPT_CNTL2, rdev->dummy_page.addr >> 8);
 	interrupt_cntl = RREG32(INTERRUPT_CNTL);
 	/* IH_DUMMY_RD_OVERRIDE=0 - dummy read disabled with msi, enabled without msi
 	 * IH_DUMMY_RD_OVERRIDE=1 - dummy read controlled by IH_DUMMY_RD_EN
--- a/drivers/gpu/drm/radeon/si.c
+++ b/drivers/gpu/drm/radeon/si.c
@@ -5749,8 +5749,8 @@ static int si_irq_init(struct radeon_dev
 	}
 
 	/* setup interrupt control */
-	/* set dummy read address to ring address */
-	WREG32(INTERRUPT_CNTL2, rdev->ih.gpu_addr >> 8);
+	/* set dummy read address to dummy page address */
+	WREG32(INTERRUPT_CNTL2, rdev->dummy_page.addr >> 8);
 	interrupt_cntl = RREG32(INTERRUPT_CNTL);
 	/* IH_DUMMY_RD_OVERRIDE=0 - dummy read disabled with msi, enabled without msi
 	 * IH_DUMMY_RD_OVERRIDE=1 - dummy read controlled by IH_DUMMY_RD_EN


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 118/148] tty: vt: keyboard: reject invalid keycodes
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 117/148] drm/radeon: fix bad DMA from INTERRUPT_CNTL2 Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 119/148] CIFS: Respect O_SYNC and O_DIRECT flags during reconnect Ben Hutchings
                   ` (30 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Dmitry Torokhov, Greg Kroah-Hartman,
	syzbot+19340dff067c2d3835c0

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.

Do not try to handle keycodes that are too big, otherwise we risk doing
out-of-bounds writes:

BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
...
 kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
 kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
 input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
 input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
 input_pass_values drivers/input/input.c:949 [inline]
 input_set_keycode+0x290/0x320 drivers/input/input.c:954
 evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
 evdev_do_ioctl drivers/input/evdev.c:1150 [inline]

In this case we were dealing with a fuzzed HID device that declared over
12K buttons, and while HID layer should not be reporting to us such big
keycodes, we should also be defensive and reject invalid data ourselves as
well.

Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-ws
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/keyboard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -1358,7 +1358,7 @@ static void kbd_event(struct input_handl
 
 	if (event_type == EV_MSC && event_code == MSC_RAW && HW_RAW(handle->dev))
 		kbd_rawcode(value);
-	if (event_type == EV_KEY)
+	if (event_type == EV_KEY && event_code <= KEY_MAX)
 		kbd_keycode(event_code, value, HW_RAW(handle->dev));
 
 	spin_unlock(&kbd_event_lock);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 119/148] CIFS: Respect O_SYNC and O_DIRECT flags during reconnect
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 118/148] tty: vt: keyboard: reject invalid keycodes Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:20 ` [PATCH 3.16 120/148] CIFS: Fix SMB2 oplock break processing Ben Hutchings
                   ` (29 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pavel Shilovsky, Steve French

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit 44805b0e62f15e90d233485420e1847133716bdc upstream.

Currently the client translates O_SYNC and O_DIRECT flags
into corresponding SMB create options when openning a file.
The problem is that on reconnect when the file is being
re-opened the client doesn't set those flags and it causes
a server to reject re-open requests because create options
don't match. The latter means that any subsequent system
call against that open file fail until a share is re-mounted.

Fix this by properly setting SMB create options when
re-openning files after reconnects.

Fixes: 1013e760d10e6: ("SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags")
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/file.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -711,6 +711,13 @@ cifs_reopen_file(struct cifsFileInfo *cf
 	if (backup_cred(cifs_sb))
 		create_options |= CREATE_OPEN_BACKUP_INTENT;
 
+	/* O_SYNC also has bit for O_DSYNC so following check picks up either */
+	if (cfile->f_flags & O_SYNC)
+		create_options |= CREATE_WRITE_THROUGH;
+
+	if (cfile->f_flags & O_DIRECT)
+		create_options |= CREATE_NO_BUFFER;
+
 	if (server->ops->get_lease_key)
 		server->ops->get_lease_key(inode, &cfile->fid);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 120/148] CIFS: Fix SMB2 oplock break processing
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (118 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 119/148] CIFS: Respect O_SYNC and O_DIRECT flags during reconnect Ben Hutchings
@ 2020-02-08 18:20 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 121/148] platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer Ben Hutchings
                   ` (28 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:20 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Pavel Shilovsky, Steve French

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit fa9c2362497fbd64788063288dc4e74daf977ebb upstream.

Even when mounting modern protocol version the server may be
configured without supporting SMB2.1 leases and the client
uses SMB2 oplock to optimize IO performance through local caching.

However there is a problem in oplock break handling that leads
to missing a break notification on the client who has a file
opened. It latter causes big latencies to other clients that
are trying to open the same file.

The problem reproduces when there are multiple shares from the
same server mounted on the client. The processing code tries to
match persistent and volatile file ids from the break notification
with an open file but it skips all share besides the first one.
Fix this by looking up in all shares belonging to the server that
issued the oplock break.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2misc.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -563,10 +563,10 @@ smb2_is_valid_oplock_break(char *buffer,
 	spin_lock(&cifs_tcp_ses_lock);
 	list_for_each(tmp, &server->smb_ses_list) {
 		ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+
 		list_for_each(tmp1, &ses->tcon_list) {
 			tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
 
-			cifs_stats_inc(&tcon->stats.cifs_stats.num_oplock_brks);
 			spin_lock(&tcon->open_file_lock);
 			list_for_each(tmp2, &tcon->openFileList) {
 				cfile = list_entry(tmp2, struct cifsFileInfo,
@@ -578,6 +578,8 @@ smb2_is_valid_oplock_break(char *buffer,
 					continue;
 
 				cifs_dbg(FYI, "file id match, oplock break\n");
+				cifs_stats_inc(
+				    &tcon->stats.cifs_stats.num_oplock_brks);
 				cinode = CIFS_I(cfile->dentry->d_inode);
 				spin_lock(&cfile->file_info_lock);
 				if (!CIFS_CACHE_WRITE(cinode) &&
@@ -610,9 +612,6 @@ smb2_is_valid_oplock_break(char *buffer,
 				return true;
 			}
 			spin_unlock(&tcon->open_file_lock);
-			spin_unlock(&cifs_tcp_ses_lock);
-			cifs_dbg(FYI, "No matching file for oplock break\n");
-			return true;
 		}
 	}
 	spin_unlock(&cifs_tcp_ses_lock);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 121/148] platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2020-02-08 18:20 ` [PATCH 3.16 120/148] CIFS: Fix SMB2 oplock break processing Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 122/148] platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size Ben Hutchings
                   ` (27 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Hans de Goede, Andy Shevchenko

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 16245db1489cd9aa579506f64afeeeb13d825a93 upstream.

The HP WMI calls may take up to 128 bytes of data as input, and
the AML methods implementing the WMI calls, declare a couple of fields for
accessing input in different sizes, specifycally the HWMC method contains:

        CreateField (Arg1, 0x80, 0x0400, D128)

Even though we do not use any of the WMI command-types which need a buffer
of this size, the APCI interpreter still tries to create it as it is
declared in generoc code at the top of the HWMC method which runs before
the code looks at which command-type is requested.

This results in many of these errors on many different HP laptop models:

[   14.459261] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20170303/dsopcode-236)
[   14.459268] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8edcc61507f8), AE_AML_BUFFER_LIMIT (20170303/psparse-543)
[   14.459279] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8edcc61523c0), AE_AML_BUFFER_LIMIT (20170303/psparse-543)

This commit increases the size of the data element of the bios_args struct
to 128 bytes fixing these errors.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197007
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201981
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/platform/x86/hp-wmi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/platform/x86/hp-wmi.c
+++ b/drivers/platform/x86/hp-wmi.c
@@ -90,7 +90,7 @@ struct bios_args {
 	u32 command;
 	u32 commandtype;
 	u32 datasize;
-	u32 data;
+	u8 data[128];
 };
 
 struct bios_return {
@@ -199,7 +199,7 @@ static int hp_wmi_perform_query(int quer
 		.command = write ? 0x2 : 0x1,
 		.commandtype = query,
 		.datasize = insize,
-		.data = 0,
+		.data = { 0 },
 	};
 	struct acpi_buffer input = { sizeof(struct bios_args), &args };
 	struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
@@ -207,7 +207,7 @@ static int hp_wmi_perform_query(int quer
 
 	if (WARN_ON(insize > sizeof(args.data)))
 		return -EINVAL;
-	memcpy(&args.data, buffer, insize);
+	memcpy(&args.data[0], buffer, insize);
 
 	wmi_evaluate_method(HPWMI_BIOS_GUID, 0, 0x3, &input, &output);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 122/148] platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (120 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 121/148] platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 123/148] macvlan: schedule bc_work even if error Ben Hutchings
                   ` (26 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Hans de Goede, Andy Shevchenko

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit f3e4f3fc8ee9729c4b1b27a478c68b713df53c0c upstream.

The AML code implementing the WMI methods creates a variable length
field to hold the input data we pass like this:

        CreateDWordField (Arg1, 0x0C, DSZI)
        Local5 = DSZI /* \HWMC.DSZI */
        CreateField (Arg1, 0x80, (Local5 * 0x08), DAIN)

If we pass 0 as bios_args.datasize argument then (Local5 * 0x08)
is 0 which results in these errors:

[   71.973305] ACPI BIOS Error (bug): Attempt to CreateField of length zero (20190816/dsopcode-133)
[   71.973332] ACPI Error: Aborting method \HWMC due to previous error (AE_AML_OPERAND_VALUE) (20190816/psparse-529)
[   71.973413] ACPI Error: Aborting method \_SB.WMID.WMAA due to previous error (AE_AML_OPERAND_VALUE) (20190816/psparse-529)

And in our HPWMI_WIRELESS2_QUERY calls always failing. for read commands
like HPWMI_WIRELESS2_QUERY the DSZI value is not used / checked, except for
read commands where extra input is needed to specify exactly what to read.

So for HPWMI_WIRELESS2_QUERY we can safely pass the size of the expected
output as insize to hp_wmi_perform_query(), as we are already doing for all
other HPWMI_READ commands we send. Doing so fixes these errors.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197007
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=201981
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1520703
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/platform/x86/hp-wmi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/platform/x86/hp-wmi.c
+++ b/drivers/platform/x86/hp-wmi.c
@@ -400,7 +400,7 @@ static int hp_wmi_rfkill2_refresh(void)
 	struct bios_rfkill2_state state;
 
 	err = hp_wmi_perform_query(HPWMI_WIRELESS2_QUERY, 0, &state,
-				   0, sizeof(state));
+				   sizeof(state), sizeof(state));
 	if (err)
 		return err;
 
@@ -825,7 +825,7 @@ static int __init hp_wmi_rfkill2_setup(s
 	int err, i;
 	struct bios_rfkill2_state state;
 	err = hp_wmi_perform_query(HPWMI_WIRELESS2_QUERY, 0, &state,
-				   0, sizeof(state));
+				   sizeof(state), sizeof(state));
 	if (err)
 		return err;
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 123/148] macvlan: schedule bc_work even if error
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 122/148] platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 124/148] PCI/MSI: Fix incorrect MSI-X masking on resume Ben Hutchings
                   ` (25 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Menglong Dong, David S. Miller

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Menglong Dong <dong.menglong@zte.com.cn>

commit 1d7ea55668878bb350979c377fc72509dd6f5b21 upstream.

While enqueueing a broadcast skb to port->bc_queue, schedule_work()
is called to add port->bc_work, which processes the skbs in
bc_queue, to "events" work queue. If port->bc_queue is full, the
skb will be discarded and schedule_work(&port->bc_work) won't be
called. However, if port->bc_queue is full and port->bc_work is not
running or pending, port->bc_queue will keep full and schedule_work()
won't be called any more, and all broadcast skbs to macvlan will be
discarded. This case can happen:

macvlan_process_broadcast() is the pending function of port->bc_work,
it moves all the skbs in port->bc_queue to the queue "list", and
processes the skbs in "list". During this, new skbs will keep being
added to port->bc_queue in macvlan_broadcast_enqueue(), and
port->bc_queue may already full when macvlan_process_broadcast()
return. This may happen, especially when there are a lot of real-time
threads and the process is preempted.

Fix this by calling schedule_work(&port->bc_work) even if
port->bc_work is full in macvlan_broadcast_enqueue().

Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
Signed-off-by: Menglong Dong <dong.menglong@zte.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/macvlan.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -262,10 +262,11 @@ static void macvlan_broadcast_enqueue(st
 	}
 	spin_unlock(&port->bc_queue.lock);
 
+	schedule_work(&port->bc_work);
+
 	if (err)
 		goto free_nskb;
 
-	schedule_work(&port->bc_work);
 	return;
 
 free_nskb:


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 124/148] PCI/MSI: Fix incorrect MSI-X masking on resume
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (122 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 123/148] macvlan: schedule bc_work even if error Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 125/148] xtensa: fix TLB sanity checker Ben Hutchings
                   ` (24 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Bjorn Helgaas, Jian-Hong Pan

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jian-Hong Pan <jian-hong@endlessm.com>

commit e045fa29e89383c717e308609edd19d2fd29e1be upstream.

When a driver enables MSI-X, msix_program_entries() reads the MSI-X Vector
Control register for each vector and saves it in desc->masked.  Each
register is 32 bits and bit 0 is the actual Mask bit.

When we restored these registers during resume, we previously set the Mask
bit if *any* bit in desc->masked was set instead of when the Mask bit
itself was set:

  pci_restore_state
    pci_restore_msi_state
      __pci_restore_msix_state
        for_each_pci_msi_entry
          msix_mask_irq(entry, entry->masked)   <-- entire u32 word
            __pci_msix_desc_mask_irq(desc, flag)
              mask_bits = desc->masked & ~PCI_MSIX_ENTRY_CTRL_MASKBIT
              if (flag)       <-- testing entire u32, not just bit 0
                mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT
              writel(mask_bits, desc_addr + PCI_MSIX_ENTRY_VECTOR_CTRL)

This means that after resume, MSI-X vectors were masked when they shouldn't
be, which leads to timeouts like this:

  nvme nvme0: I/O 978 QID 3 timeout, completion polled

On resume, set the Mask bit only when the saved Mask bit from suspend was
set.

This should remove the need for 19ea025e1d28 ("nvme: Add quirk for Kingston
NVME SSD running FW E8FK11.T").

[bhelgaas: commit log, move fix to __pci_msix_desc_mask_irq()]
Link: https://bugzilla.kernel.org/show_bug.cgi?id=204887
Link: https://lore.kernel.org/r/20191008034238.2503-1-jian-hong@endlessm.com
Fixes: f2440d9acbe8 ("PCI MSI: Refactor interrupt masking code")
Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/msi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/pci/msi.c
+++ b/drivers/pci/msi.c
@@ -220,8 +220,9 @@ u32 default_msix_mask_irq(struct msi_des
 	u32 mask_bits = desc->masked;
 	unsigned offset = desc->msi_attrib.entry_nr * PCI_MSIX_ENTRY_SIZE +
 						PCI_MSIX_ENTRY_VECTOR_CTRL;
+
 	mask_bits &= ~PCI_MSIX_ENTRY_CTRL_MASKBIT;
-	if (flag)
+	if (flag & PCI_MSIX_ENTRY_CTRL_MASKBIT)
 		mask_bits |= PCI_MSIX_ENTRY_CTRL_MASKBIT;
 	writel(mask_bits, desc->mask_base + offset);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 125/148] xtensa: fix TLB sanity checker
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 124/148] PCI/MSI: Fix incorrect MSI-X masking on resume Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 126/148] perf regs: Make perf_reg_name() return "unknown" instead of NULL Ben Hutchings
                   ` (23 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Max Filippov

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 36de10c4788efc6efe6ff9aa10d38cb7eea4c818 upstream.

Virtual and translated addresses retrieved by the xtensa TLB sanity
checker must be consistent, i.e. correspond to the same state of the
checked TLB entry. KASAN shadow memory is mapped dynamically using
auto-refill TLB entries and thus may change TLB state between the
virtual and translated address retrieval, resulting in false TLB
insanity report.
Move read_xtlb_translation close to read_xtlb_virtual to make sure that
read values are consistent.

Fixes: a99e07ee5e88 ("xtensa: check TLB sanity on return to userspace")
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/xtensa/mm/tlb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/xtensa/mm/tlb.c
+++ b/arch/xtensa/mm/tlb.c
@@ -218,6 +218,8 @@ static int check_tlb_entry(unsigned w, u
 	unsigned tlbidx = w | (e << PAGE_SHIFT);
 	unsigned r0 = dtlb ?
 		read_dtlb_virtual(tlbidx) : read_itlb_virtual(tlbidx);
+	unsigned r1 = dtlb ?
+		read_dtlb_translation(tlbidx) : read_itlb_translation(tlbidx);
 	unsigned vpn = (r0 & PAGE_MASK) | (e << PAGE_SHIFT);
 	unsigned pte = get_pte_for_vaddr(vpn);
 	unsigned mm_asid = (get_rasid_register() >> 8) & ASID_MASK;
@@ -233,8 +235,6 @@ static int check_tlb_entry(unsigned w, u
 	}
 
 	if (tlb_asid == mm_asid) {
-		unsigned r1 = dtlb ? read_dtlb_translation(tlbidx) :
-			read_itlb_translation(tlbidx);
 		if ((pte ^ r1) & PAGE_MASK) {
 			pr_err("%cTLB: way: %u, entry: %u, mapping: %08x->%08x, PTE: %08x\n",
 					dtlb ? 'D' : 'I', w, e, r0, r1, pte);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 126/148] perf regs: Make perf_reg_name() return "unknown" instead of NULL
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (124 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 125/148] xtensa: fix TLB sanity checker Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 127/148] ACPI / osl: speedup grace period in acpi_os_map_cleanup Ben Hutchings
                   ` (22 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnaldo Carvalho de Melo, Jiri Olsa,
	Namhyung Kim, Adrian Hunter

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 5b596e0ff0e1852197d4c82d3314db5e43126bf7 upstream.

To avoid breaking the build on arches where this is not wired up, at
least all the other features should be made available and when using
this specific routine, the "unknown" should point the user/developer to
the need to wire this up on this particular hardware architecture.

Detected in a container mipsel debian cross build environment, where it
shows up as:

  In file included from /usr/mipsel-linux-gnu/include/stdio.h:867,
                   from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
                   from util/session.c:13:
  In function 'printf',
      inlined from 'regs_dump__printf' at util/session.c:1103:3,
      inlined from 'regs__printf' at util/session.c:1131:2:
  /usr/mipsel-linux-gnu/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
    107 |   return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
        |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cross compiler details:

  mipsel-linux-gnu-gcc (Debian 9.2.1-8) 9.2.1 20190909

Also on mips64:

  In file included from /usr/mips64-linux-gnuabi64/include/stdio.h:867,
                   from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
                   from util/session.c:13:
  In function 'printf',
      inlined from 'regs_dump__printf' at util/session.c:1103:3,
      inlined from 'regs__printf' at util/session.c:1131:2,
      inlined from 'regs_user__printf' at util/session.c:1139:3,
      inlined from 'dump_sample' at util/session.c:1246:3,
      inlined from 'machines__deliver_event' at util/session.c:1421:3:
  /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
    107 |   return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
        |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  In function 'printf',
      inlined from 'regs_dump__printf' at util/session.c:1103:3,
      inlined from 'regs__printf' at util/session.c:1131:2,
      inlined from 'regs_intr__printf' at util/session.c:1147:3,
      inlined from 'dump_sample' at util/session.c:1249:3,
      inlined from 'machines__deliver_event' at util/session.c:1421:3:
  /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
    107 |   return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
        |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cross compiler details:

  mips64-linux-gnuabi64-gcc (Debian 9.2.1-8) 9.2.1 20190909

Fixes: 2bcd355b71da ("perf tools: Add interface to arch registers sets")
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://lkml.kernel.org/n/tip-95wjyv4o65nuaeweq31t7l1s@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/perf_regs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/perf_regs.h
+++ b/tools/perf/util/perf_regs.h
@@ -16,7 +16,7 @@ int perf_reg_value(u64 *valp, struct reg
 
 static inline const char *perf_reg_name(int id __maybe_unused)
 {
-	return NULL;
+	return "unknown";
 }
 
 static inline int perf_reg_value(u64 *valp __maybe_unused,


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 127/148] ACPI / osl: speedup grace period in acpi_os_map_cleanup
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 126/148] perf regs: Make perf_reg_name() return "unknown" instead of NULL Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 128/148] ACPI: OSL: only free map once in osl.c Ben Hutchings
                   ` (21 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paul E. McKenney, Rafael J. Wysocki,
	Konstantin Khlebnikov

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <koct9i@gmail.com>

commit 74b51ee152b6d99e61ba329799a039453fb9438f upstream.

ACPI maintains cache of ioremap regions to speed up operations and
access to them from irq context where ioremap() calls aren't allowed.
This code abuses synchronize_rcu() on unmap path for synchronization
with fast-path in acpi_os_read/write_memory which uses this cache.

Since v3.10 CPUs are allowed to enter idle state even if they have RCU
callbacks queued, see commit c0f4dfd4f90f1667d234d21f15153ea09a2eaa66
("rcu: Make RCU_FAST_NO_HZ take advantage of numbered callbacks").
That change caused problems with nvidia proprietary driver which calls
acpi_os_map/unmap_generic_address several times during initialization.
Each unmap calls synchronize_rcu and adds significant delay. Totally
initialization is slowed for a couple of seconds and that is enough to
trigger timeout in hardware, gpu decides to "fell off the bus". Widely
spread workaround is reducing "rcu_idle_gp_delay" from 4 to 1 jiffy.

This patch replaces synchronize_rcu() with synchronize_rcu_expedited()
which is much faster.

Link: https://devtalk.nvidia.com/default/topic/567297/linux/linux-3-10-driver-crash/
Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Reported-and-tested-by: Alexander Monakov <amonakov@gmail.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/osl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -425,7 +425,7 @@ static void acpi_os_drop_map_ref(struct
 static void acpi_os_map_cleanup(struct acpi_ioremap *map)
 {
 	if (!map->refcount) {
-		synchronize_rcu();
+		synchronize_rcu_expedited();
 		acpi_unmap(map->phys, map->virt);
 		kfree(map);
 	}


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 128/148] ACPI: OSL: only free map once in osl.c
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (126 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 127/148] ACPI / osl: speedup grace period in acpi_os_map_cleanup Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 129/148] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() Ben Hutchings
                   ` (20 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Rafael J. Wysocki, Dmitry Safonov,
	Francesco Ruggeri

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Francesco Ruggeri <fruggeri@arista.com>

commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream.

acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock
before freeing the map. This creates a race condition the can result
in the map being freed more than once.
A panic can be caused by running

for ((i=0; i<10; i++))
do
        for ((j=0; j<100000; j++))
        do
                cat /sys/firmware/acpi/tables/data/BERT >/dev/null
        done &
done

This patch makes sure that only the process that drops the reference
to 0 does the freeing.

Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c")
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/osl.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -416,24 +416,27 @@ acpi_os_map_memory(acpi_physical_address
 }
 EXPORT_SYMBOL_GPL(acpi_os_map_memory);
 
-static void acpi_os_drop_map_ref(struct acpi_ioremap *map)
+/* Must be called with mutex_lock(&acpi_ioremap_lock) */
+static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map)
 {
-	if (!--map->refcount)
+	unsigned long refcount = --map->refcount;
+
+	if (!refcount)
 		list_del_rcu(&map->list);
+	return refcount;
 }
 
 static void acpi_os_map_cleanup(struct acpi_ioremap *map)
 {
-	if (!map->refcount) {
-		synchronize_rcu_expedited();
-		acpi_unmap(map->phys, map->virt);
-		kfree(map);
-	}
+	synchronize_rcu_expedited();
+	acpi_unmap(map->phys, map->virt);
+	kfree(map);
 }
 
 void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size)
 {
 	struct acpi_ioremap *map;
+	unsigned long refcount;
 
 	if (!acpi_gbl_permanent_mmap) {
 		__acpi_unmap_table(virt, size);
@@ -447,10 +450,11 @@ void __ref acpi_os_unmap_iomem(void __io
 		WARN(true, PREFIX "%s: bad address %p\n", __func__, virt);
 		return;
 	}
-	acpi_os_drop_map_ref(map);
+	refcount = acpi_os_drop_map_ref(map);
 	mutex_unlock(&acpi_ioremap_lock);
 
-	acpi_os_map_cleanup(map);
+	if (!refcount)
+		acpi_os_map_cleanup(map);
 }
 EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem);
 
@@ -491,6 +495,7 @@ void acpi_os_unmap_generic_address(struc
 {
 	u64 addr;
 	struct acpi_ioremap *map;
+	unsigned long refcount;
 
 	if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY)
 		return;
@@ -506,10 +511,11 @@ void acpi_os_unmap_generic_address(struc
 		mutex_unlock(&acpi_ioremap_lock);
 		return;
 	}
-	acpi_os_drop_map_ref(map);
+	refcount = acpi_os_drop_map_ref(map);
 	mutex_unlock(&acpi_ioremap_lock);
 
-	acpi_os_map_cleanup(map);
+	if (!refcount)
+		acpi_os_map_cleanup(map);
 }
 EXPORT_SYMBOL(acpi_os_unmap_generic_address);
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 129/148] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 128/148] ACPI: OSL: only free map once in osl.c Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 130/148] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() Ben Hutchings
                   ` (19 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Vamshi K Sthambamkadi, Rafael J. Wysocki

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>

commit 627ead724eff33673597216f5020b72118827de4 upstream.

kmemleak reported backtrace:
    [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260
    [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0
    [<1180f4fc>] i2c_register_adapter+0x186/0x400
    [<6083baf7>] i2c_add_adapter+0x4e/0x70
    [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915]
    [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915]
    [<81911d4b>] i915_pci_probe+0x48/0x160 [i915]
    [<4b159af1>] pci_device_probe+0xdc/0x160
    [<b3c64704>] really_probe+0x1ee/0x450
    [<bc029f5a>] driver_probe_device+0x142/0x1b0
    [<d8829d20>] device_driver_attach+0x49/0x50
    [<de71f045>] __driver_attach+0xc9/0x150
    [<df33ac83>] bus_for_each_dev+0x56/0xa0
    [<80089bba>] driver_attach+0x19/0x20
    [<cc73f583>] bus_add_driver+0x177/0x220
    [<7b29d8c7>] driver_register+0x56/0xf0

In i2c_acpi_remove_space_handler(), a leak occurs whenever the
"data" parameter is initialized to 0 before being passed to
acpi_bus_get_private_data().

This is because the NULL pointer check in acpi_bus_get_private_data()
(condition->if(!*data)) returns EINVAL and, in consequence, memory is
never freed in i2c_acpi_remove_space_handler().

Fix the NULL pointer check in acpi_bus_get_private_data() to follow
the analogous check in acpi_get_data_full().

Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/bus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -154,7 +154,7 @@ int acpi_bus_get_private_data(acpi_handl
 {
 	acpi_status status;
 
-	if (!*data)
+	if (!data)
 		return -EINVAL;
 
 	status = acpi_get_data(handle, acpi_bus_private_data_handler, data);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 130/148] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (128 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 129/148] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 131/148] openvswitch: remove another BUG_ON() Ben Hutchings
                   ` (18 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David S. Miller, Paolo Abeni

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 8ffeb03fbba3b599690b361467bfd2373e8c450f upstream.

All the callers of ovs_flow_cmd_build_info() already deal with
error return code correctly, so we can handle the error condition
in a more gracefull way. Still dump a warning to preserve
debuggability.

v1 -> v2:
 - clarify the commit message
 - clean the skb and report the error (DaveM)

Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/openvswitch/datapath.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -788,7 +788,10 @@ static struct sk_buff *ovs_flow_cmd_buil
 	retval = ovs_flow_cmd_fill_info(flow, dp_ifindex, skb,
 					info->snd_portid, info->snd_seq, 0,
 					cmd);
-	BUG_ON(retval < 0);
+	if (WARN_ON_ONCE(retval < 0)) {
+		kfree_skb(skb);
+		skb = ERR_PTR(retval);
+	}
 	return skb;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 131/148] openvswitch: remove another BUG_ON()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 130/148] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 132/148] cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs Ben Hutchings
                   ` (17 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Paolo Abeni, David S. Miller

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

commit 8a574f86652a4540a2433946ba826ccb87f398cc upstream.

If we can't build the flow del notification, we can simply delete
the flow, no need to crash the kernel. Still keep a WARN_ON to
preserve debuggability.

Note: the BUG_ON() predates the Fixes tag, but this change
can be applied only after the mentioned commit.

v1 -> v2:
 - do not leak an skb on error

Fixes: aed067783e50 ("openvswitch: Minimize ovs_flow_cmd_del critical section.")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/openvswitch/datapath.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1136,7 +1136,10 @@ static int ovs_flow_cmd_del(struct sk_bu
 						     info->snd_seq, 0,
 						     OVS_FLOW_CMD_DEL);
 			rcu_read_unlock();
-			BUG_ON(err < 0);
+			if (WARN_ON_ONCE(err < 0)) {
+				kfree_skb(reply);
+				goto out_free;
+			}
 
 			ovs_notify(&dp_flow_genl_family, reply, info);
 		} else {
@@ -1144,6 +1147,7 @@ static int ovs_flow_cmd_del(struct sk_bu
 		}
 	}
 
+out_free:
 	ovs_flow_free(flow, true);
 	return 0;
 unlock:


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 132/148] cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (130 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 131/148] openvswitch: remove another BUG_ON() Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 133/148] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks Ben Hutchings
                   ` (16 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pavel Shilovsky, Dave Wysochanski, Ronnie Sahlberg

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Wysochanski <dwysocha@redhat.com>

commit d46b0da7a33dd8c99d969834f682267a45444ab3 upstream.

There's a deadlock that is possible and can easily be seen with
a test where multiple readers open/read/close of the same file
and a disruption occurs causing reconnect.  The deadlock is due
a reader thread inside cifs_strict_readv calling down_read and
obtaining lock_sem, and then after reconnect inside
cifs_reopen_file calling down_read a second time.  If in
between the two down_read calls, a down_write comes from
another process, deadlock occurs.

        CPU0                    CPU1
        ----                    ----
cifs_strict_readv()
 down_read(&cifsi->lock_sem);
                               _cifsFileInfo_put
                                  OR
                               cifs_new_fileinfo
                                down_write(&cifsi->lock_sem);
cifs_reopen_file()
 down_read(&cifsi->lock_sem);

Fix the above by changing all down_write(lock_sem) calls to
down_write_trylock(lock_sem)/msleep() loop, which in turn
makes the second down_read call benign since it will never
block behind the writer while holding lock_sem.

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Suggested-by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed--by: Ronnie Sahlberg <lsahlber@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifsglob.h  |  5 +++++
 fs/cifs/cifsproto.h |  1 +
 fs/cifs/file.c      | 23 +++++++++++++++--------
 fs/cifs/smb2file.c  |  2 +-
 4 files changed, 22 insertions(+), 9 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1113,6 +1113,11 @@ void cifsFileInfo_put(struct cifsFileInf
 struct cifsInodeInfo {
 	bool can_cache_brlcks;
 	struct list_head llist;	/* locks helb by this inode */
+	/*
+	 * NOTE: Some code paths call down_read(lock_sem) twice, so
+	 * we must always use use cifs_down_write() instead of down_write()
+	 * for this semaphore to avoid deadlocks.
+	 */
 	struct rw_semaphore lock_sem;	/* protect the fields above */
 	/* BB add in lists for dirty pages i.e. write caching info for oplock */
 	struct list_head openFileList;
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -137,6 +137,7 @@ extern int cifs_unlock_range(struct cifs
 			     struct file_lock *flock, const unsigned int xid);
 extern int cifs_push_mandatory_locks(struct cifsFileInfo *cfile);
 
+extern void cifs_down_write(struct rw_semaphore *sem);
 extern struct cifsFileInfo *cifs_new_fileinfo(struct cifs_fid *fid,
 					      struct file *file,
 					      struct tcon_link *tlink,
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -281,6 +281,13 @@ cifs_has_mand_locks(struct cifsInodeInfo
 	return has_locks;
 }
 
+void
+cifs_down_write(struct rw_semaphore *sem)
+{
+	while (!down_write_trylock(sem))
+		msleep(10);
+}
+
 struct cifsFileInfo *
 cifs_new_fileinfo(struct cifs_fid *fid, struct file *file,
 		  struct tcon_link *tlink, __u32 oplock)
@@ -306,7 +313,7 @@ cifs_new_fileinfo(struct cifs_fid *fid,
 	INIT_LIST_HEAD(&fdlocks->locks);
 	fdlocks->cfile = cfile;
 	cfile->llist = fdlocks;
-	down_write(&cinode->lock_sem);
+	cifs_down_write(&cinode->lock_sem);
 	list_add(&fdlocks->llist, &cinode->llist);
 	up_write(&cinode->lock_sem);
 
@@ -462,7 +469,7 @@ void _cifsFileInfo_put(struct cifsFileIn
 	 * Delete any outstanding lock records. We'll lose them when the file
 	 * is closed anyway.
 	 */
-	down_write(&cifsi->lock_sem);
+	cifs_down_write(&cifsi->lock_sem);
 	list_for_each_entry_safe(li, tmp, &cifs_file->llist->locks, llist) {
 		list_del(&li->llist);
 		cifs_del_lock_waiters(li);
@@ -970,7 +977,7 @@ static void
 cifs_lock_add(struct cifsFileInfo *cfile, struct cifsLockInfo *lock)
 {
 	struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode);
-	down_write(&cinode->lock_sem);
+	cifs_down_write(&cinode->lock_sem);
 	list_add_tail(&lock->llist, &cfile->llist->locks);
 	up_write(&cinode->lock_sem);
 }
@@ -992,7 +999,7 @@ cifs_lock_add_if(struct cifsFileInfo *cf
 
 try_again:
 	exist = false;
-	down_write(&cinode->lock_sem);
+	cifs_down_write(&cinode->lock_sem);
 
 	exist = cifs_find_lock_conflict(cfile, lock->offset, lock->length,
 					lock->type, &conf_lock, CIFS_LOCK_OP);
@@ -1014,7 +1021,7 @@ try_again:
 					(lock->blist.next == &lock->blist));
 		if (!rc)
 			goto try_again;
-		down_write(&cinode->lock_sem);
+		cifs_down_write(&cinode->lock_sem);
 		list_del_init(&lock->blist);
 	}
 
@@ -1067,7 +1074,7 @@ cifs_posix_lock_set(struct file *file, s
 		return rc;
 
 try_again:
-	down_write(&cinode->lock_sem);
+	cifs_down_write(&cinode->lock_sem);
 	if (!cinode->can_cache_brlcks) {
 		up_write(&cinode->lock_sem);
 		return rc;
@@ -1267,7 +1274,7 @@ cifs_push_locks(struct cifsFileInfo *cfi
 	int rc = 0;
 
 	/* we are going to update can_cache_brlcks here - need a write access */
-	down_write(&cinode->lock_sem);
+	cifs_down_write(&cinode->lock_sem);
 	if (!cinode->can_cache_brlcks) {
 		up_write(&cinode->lock_sem);
 		return rc;
@@ -1451,7 +1458,7 @@ cifs_unlock_range(struct cifsFileInfo *c
 	if (!buf)
 		return -ENOMEM;
 
-	down_write(&cinode->lock_sem);
+	cifs_down_write(&cinode->lock_sem);
 	for (i = 0; i < 2; i++) {
 		cur = buf;
 		num = 0;
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -114,7 +114,7 @@ smb2_unlock_range(struct cifsFileInfo *c
 
 	cur = buf;
 
-	down_write(&cinode->lock_sem);
+	cifs_down_write(&cinode->lock_sem);
 	list_for_each_entry_safe(li, tmp, &cfile->llist->locks, llist) {
 		if (flock->fl_start > li->offset ||
 		    (flock->fl_start + length) <


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 133/148] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 132/148] cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 134/148] net: bridge: deny dev_set_mac_address() when unregistering Ben Hutchings
                   ` (15 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pavel Shilovsky, Steve French, Aurelien Aptel

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <pshilov@microsoft.com>

commit 6f582b273ec23332074d970a7fb25bef835df71f upstream.

Currently when the client creates a cifsFileInfo structure for
a newly opened file, it allocates a list of byte-range locks
with a pointer to the new cfile and attaches this list to the
inode's lock list. The latter happens before initializing all
other fields, e.g. cfile->tlink. Thus a partially initialized
cifsFileInfo structure becomes available to other threads that
walk through the inode's lock list. One example of such a thread
may be an oplock break worker thread that tries to push all
cached byte-range locks. This causes NULL-pointer dereference
in smb2_push_mandatory_locks() when accessing cfile->tlink:

[598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038
...
[598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
[598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
...
[598428.945834] Call Trace:
[598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
[598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
[598428.945909]  process_one_work+0x1db/0x380
[598428.945914]  worker_thread+0x4d/0x400
[598428.945921]  kthread+0x104/0x140
[598428.945925]  ? process_one_work+0x380/0x380
[598428.945931]  ? kthread_park+0x80/0x80
[598428.945937]  ret_from_fork+0x35/0x40

Fix this by reordering initialization steps of the cifsFileInfo
structure: initialize all the fields first and then add the new
byte-range lock list to the inode's lock list.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/file.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -313,9 +313,6 @@ cifs_new_fileinfo(struct cifs_fid *fid,
 	INIT_LIST_HEAD(&fdlocks->locks);
 	fdlocks->cfile = cfile;
 	cfile->llist = fdlocks;
-	cifs_down_write(&cinode->lock_sem);
-	list_add(&fdlocks->llist, &cinode->llist);
-	up_write(&cinode->lock_sem);
 
 	cfile->count = 1;
 	cfile->pid = current->tgid;
@@ -339,6 +336,10 @@ cifs_new_fileinfo(struct cifs_fid *fid,
 		oplock = 0;
 	}
 
+	cifs_down_write(&cinode->lock_sem);
+	list_add(&fdlocks->llist, &cinode->llist);
+	up_write(&cinode->lock_sem);
+
 	spin_lock(&tcon->open_file_lock);
 	if (fid->pending_open->oplock != CIFS_OPLOCK_NO_CHANGE && oplock)
 		oplock = fid->pending_open->oplock;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 134/148] net: bridge: deny dev_set_mac_address() when unregistering
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (132 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 133/148] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 135/148] drm/radeon: fix r1xx/r2xx register checker for POT textures Ben Hutchings
                   ` (14 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+2add91c08eb181fea1bf,
	David S. Miller, Nikolay Aleksandrov

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

commit c4b4c421857dc7b1cf0dccbd738472360ff2cd70 upstream.

We have an interesting memory leak in the bridge when it is being
unregistered and is a slave to a master device which would change the
mac of its slaves on unregister (e.g. bond, team). This is a very
unusual setup but we do end up leaking 1 fdb entry because
dev_set_mac_address() would cause the bridge to insert the new mac address
into its table after all fdbs are flushed, i.e. after dellink() on the
bridge has finished and we call NETDEV_UNREGISTER the bond/team would
release it and will call dev_set_mac_address() to restore its original
address and that in turn will add an fdb in the bridge.
One fix is to check for the bridge dev's reg_state in its
ndo_set_mac_address callback and return an error if the bridge is not in
NETREG_REGISTERED.

Easy steps to reproduce:
 1. add bond in mode != A/B
 2. add any slave to the bond
 3. add bridge dev as a slave to the bond
 4. destroy the bridge device

Trace:
 unreferenced object 0xffff888035c4d080 (size 128):
   comm "ip", pid 4068, jiffies 4296209429 (age 1413.753s)
   hex dump (first 32 bytes):
     41 1d c9 36 80 88 ff ff 00 00 00 00 00 00 00 00  A..6............
     d2 19 c9 5e 3f d7 00 00 00 00 00 00 00 00 00 00  ...^?...........
   backtrace:
     [<00000000ddb525dc>] kmem_cache_alloc+0x155/0x26f
     [<00000000633ff1e0>] fdb_create+0x21/0x486 [bridge]
     [<0000000092b17e9c>] fdb_insert+0x91/0xdc [bridge]
     [<00000000f2a0f0ff>] br_fdb_change_mac_address+0xb3/0x175 [bridge]
     [<000000001de02dbd>] br_stp_change_bridge_id+0xf/0xff [bridge]
     [<00000000ac0e32b1>] br_set_mac_address+0x76/0x99 [bridge]
     [<000000006846a77f>] dev_set_mac_address+0x63/0x9b
     [<00000000d30738fc>] __bond_release_one+0x3f6/0x455 [bonding]
     [<00000000fc7ec01d>] bond_netdev_event+0x2f2/0x400 [bonding]
     [<00000000305d7795>] notifier_call_chain+0x38/0x56
     [<0000000028885d4a>] call_netdevice_notifiers+0x1e/0x23
     [<000000008279477b>] rollback_registered_many+0x353/0x6a4
     [<0000000018ef753a>] unregister_netdevice_many+0x17/0x6f
     [<00000000ba854b7a>] rtnl_delete_link+0x3c/0x43
     [<00000000adf8618d>] rtnl_dellink+0x1dc/0x20a
     [<000000009b6395fd>] rtnetlink_rcv_msg+0x23d/0x268

Fixes: 43598813386f ("bridge: add local MAC address to forwarding table (v2)")
Reported-by: syzbot+2add91c08eb181fea1bf@syzkaller.appspotmail.com
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/br_device.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -193,6 +193,12 @@ static int br_set_mac_address(struct net
 	if (!is_valid_ether_addr(addr->sa_data))
 		return -EADDRNOTAVAIL;
 
+	/* dev_set_mac_addr() can be called by a master device on bridge's
+	 * NETDEV_UNREGISTER, but since it's being destroyed do nothing
+	 */
+	if (dev->reg_state != NETREG_REGISTERED)
+		return -EBUSY;
+
 	spin_lock_bh(&br->lock);
 	if (!ether_addr_equal(dev->dev_addr, addr->sa_data)) {
 		/* Mac address will be changed in br_stp_change_bridge_id(). */


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 135/148] drm/radeon: fix r1xx/r2xx register checker for POT textures
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (133 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 134/148] net: bridge: deny dev_set_mac_address() when unregistering Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 136/148] xen/blkback: Avoid unmapping unmapped grant pages Ben Hutchings
                   ` (13 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Meelis Roos, Michel Dänzer, Alex Deucher

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 008037d4d972c9c47b273e40e52ae34f9d9e33e7 upstream.

Shift and mask were reversed.  Noticed by chance.

Tested-by: Meelis Roos <mroos@linux.ee>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/r100.c | 4 ++--
 drivers/gpu/drm/radeon/r200.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/radeon/r100.c
+++ b/drivers/gpu/drm/radeon/r100.c
@@ -1810,8 +1810,8 @@ static int r100_packet0_check(struct rad
 			track->textures[i].use_pitch = 1;
 		} else {
 			track->textures[i].use_pitch = 0;
-			track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK);
-			track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK);
+			track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT);
+			track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT);
 		}
 		if (idx_value & RADEON_TXFORMAT_CUBIC_MAP_ENABLE)
 			track->textures[i].tex_coord_type = 2;
--- a/drivers/gpu/drm/radeon/r200.c
+++ b/drivers/gpu/drm/radeon/r200.c
@@ -473,8 +473,8 @@ int r200_packet0_check(struct radeon_cs_
 			track->textures[i].use_pitch = 1;
 		} else {
 			track->textures[i].use_pitch = 0;
-			track->textures[i].width = 1 << ((idx_value >> RADEON_TXFORMAT_WIDTH_SHIFT) & RADEON_TXFORMAT_WIDTH_MASK);
-			track->textures[i].height = 1 << ((idx_value >> RADEON_TXFORMAT_HEIGHT_SHIFT) & RADEON_TXFORMAT_HEIGHT_MASK);
+			track->textures[i].width = 1 << ((idx_value & RADEON_TXFORMAT_WIDTH_MASK) >> RADEON_TXFORMAT_WIDTH_SHIFT);
+			track->textures[i].height = 1 << ((idx_value & RADEON_TXFORMAT_HEIGHT_MASK) >> RADEON_TXFORMAT_HEIGHT_SHIFT);
 		}
 		if (idx_value & R200_TXFORMAT_LOOKUP_DISABLE)
 			track->textures[i].lookup_disable = true;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 136/148] xen/blkback: Avoid unmapping unmapped grant pages
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 135/148] drm/radeon: fix r1xx/r2xx register checker for POT textures Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 137/148] hrtimer: Get rid of the resolution field in hrtimer_clock_base Ben Hutchings
                   ` (12 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Maximilian Heyne, Paul Durrant,
	David Woodhouse, Jens Axboe, Roger Pau Monné,
	SeongJae Park

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sjpark@amazon.de>

commit f9bd84a8a845d82f9b5a081a7ae68c98a11d2e84 upstream.

For each I/O request, blkback first maps the foreign pages for the
request to its local pages.  If an allocation of a local page for the
mapping fails, it should unmap every mapping already made for the
request.

However, blkback's handling mechanism for the allocation failure does
not mark the remaining foreign pages as unmapped.  Therefore, the unmap
function merely tries to unmap every valid grant page for the request,
including the pages not mapped due to the allocation failure.  On a
system that fails the allocation frequently, this problem leads to
following kernel crash.

  [  372.012538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
  [  372.012546] IP: [<ffffffff814071ac>] gnttab_unmap_refs.part.7+0x1c/0x40
  [  372.012557] PGD 16f3e9067 PUD 16426e067 PMD 0
  [  372.012562] Oops: 0002 [#1] SMP
  [  372.012566] Modules linked in: act_police sch_ingress cls_u32
  ...
  [  372.012746] Call Trace:
  [  372.012752]  [<ffffffff81407204>] gnttab_unmap_refs+0x34/0x40
  [  372.012759]  [<ffffffffa0335ae3>] xen_blkbk_unmap+0x83/0x150 [xen_blkback]
  ...
  [  372.012802]  [<ffffffffa0336c50>] dispatch_rw_block_io+0x970/0x980 [xen_blkback]
  ...
  Decompressing Linux... Parsing ELF... done.
  Booting the kernel.
  [    0.000000] Initializing cgroup subsys cpuset

This commit fixes this problem by marking the grant pages of the given
request that didn't mapped due to the allocation failure as invalid.

Fixes: c6cc142dac52 ("xen-blkback: use balloon pages for all mappings")

Reviewed-by: David Woodhouse <dwmw@amazon.de>
Reviewed-by: Maximilian Heyne <mheyne@amazon.de>
Reviewed-by: Paul Durrant <pdurrant@amazon.co.uk>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: SeongJae Park <sjpark@amazon.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/block/xen-blkback/blkback.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -825,6 +825,8 @@ next:
 out_of_memory:
 	pr_alert(DRV_PFX "%s: out of memory\n", __func__);
 	put_free_pages(blkif, pages_to_gnt, segs_to_map);
+	for (i = last_map; i < num; i++)
+		pages[i]->handle = BLKBACK_INVALID_HANDLE;
 	return -ENOMEM;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 137/148] hrtimer: Get rid of the resolution field in hrtimer_clock_base
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 136/148] xen/blkback: Avoid unmapping unmapped grant pages Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 138/148] powerpc: Fix vDSO clock_getres() Ben Hutchings
                   ` (11 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Frederic Weisbecker, Viresh Kumar,
	Marcelo Tosatti, Preeti U Murthy, Thomas Gleixner,
	Peter Zijlstra

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 398ca17fb54b212cdc9da7ff4a17a35c48dd2103 upstream.

The field has no value because all clock bases have the same
resolution. The resolution only changes when we switch to high
resolution timer mode. We can evaluate that from a single static
variable as well. In the !HIGHRES case its simply a constant.

Export the variable, so we can simplify the usage sites.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Preeti U Murthy <preeti@linux.vnet.ibm.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Link: http://lkml.kernel.org/r/20150414203500.645454122@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 3.16 as dependency of commit 552263456215
 "powerpc: Fix vDSO clock_getres()":
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/hrtimer.h  |  6 ++++--
 kernel/hrtimer.c         | 26 +++++++++-----------------
 kernel/time/timer_list.c |  8 ++++----
 3 files changed, 17 insertions(+), 23 deletions(-)

--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -137,7 +137,6 @@ struct hrtimer_sleeper {
  *			timer to a base on another cpu.
  * @clockid:		clock id for per_cpu support
  * @active:		red black tree root node for the active timers
- * @resolution:		the resolution of the clock, in nanoseconds
  * @get_time:		function to retrieve the current time of the clock
  * @softirq_time:	the time when running the hrtimer queue in the softirq
  * @offset:		offset of this clock to the monotonic base
@@ -147,7 +146,6 @@ struct hrtimer_clock_base {
 	int			index;
 	clockid_t		clockid;
 	struct timerqueue_head	active;
-	ktime_t			resolution;
 	ktime_t			(*get_time)(void);
 	ktime_t			softirq_time;
 	ktime_t			offset;
@@ -293,11 +291,15 @@ extern void hrtimer_peek_ahead_timers(vo
 
 extern void clock_was_set_delayed(void);
 
+extern unsigned int hrtimer_resolution;
+
 #else
 
 # define MONOTONIC_RES_NSEC	LOW_RES_NSEC
 # define KTIME_MONOTONIC_RES	KTIME_LOW_RES
 
+#define hrtimer_resolution	LOW_RES_NSEC
+
 static inline void hrtimer_peek_ahead_timers(void) { }
 
 /*
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -64,7 +64,6 @@
  */
 DEFINE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases) =
 {
-
 	.lock = __RAW_SPIN_LOCK_UNLOCKED(hrtimer_bases.lock),
 	.clock_base =
 	{
@@ -72,25 +71,21 @@ DEFINE_PER_CPU(struct hrtimer_cpu_base,
 			.index = HRTIMER_BASE_MONOTONIC,
 			.clockid = CLOCK_MONOTONIC,
 			.get_time = &ktime_get,
-			.resolution = KTIME_LOW_RES,
 		},
 		{
 			.index = HRTIMER_BASE_REALTIME,
 			.clockid = CLOCK_REALTIME,
 			.get_time = &ktime_get_real,
-			.resolution = KTIME_LOW_RES,
 		},
 		{
 			.index = HRTIMER_BASE_BOOTTIME,
 			.clockid = CLOCK_BOOTTIME,
 			.get_time = &ktime_get_boottime,
-			.resolution = KTIME_LOW_RES,
 		},
 		{
 			.index = HRTIMER_BASE_TAI,
 			.clockid = CLOCK_TAI,
 			.get_time = &ktime_get_clocktai,
-			.resolution = KTIME_LOW_RES,
 		},
 	}
 };
@@ -501,6 +496,8 @@ static inline void debug_deactivate(stru
  * High resolution timer enabled ?
  */
 static int hrtimer_hres_enabled __read_mostly  = 1;
+unsigned int hrtimer_resolution __read_mostly = LOW_RES_NSEC;
+EXPORT_SYMBOL_GPL(hrtimer_resolution);
 
 /*
  * Enable / Disable high resolution mode
@@ -707,7 +704,7 @@ static void retrigger_next_event(void *a
  */
 static int hrtimer_switch_to_hres(void)
 {
-	int i, cpu = smp_processor_id();
+	int cpu = smp_processor_id();
 	struct hrtimer_cpu_base *base = &per_cpu(hrtimer_bases, cpu);
 	unsigned long flags;
 
@@ -723,8 +720,7 @@ static int hrtimer_switch_to_hres(void)
 		return 0;
 	}
 	base->hres_active = 1;
-	for (i = 0; i < HRTIMER_MAX_CLOCK_BASES; i++)
-		base->clock_base[i].resolution = KTIME_HIGH_RES;
+	hrtimer_resolution = HIGH_RES_NSEC;
 
 	tick_setup_sched_timer();
 	/* "Retrigger" the interrupt to get things going */
@@ -859,8 +855,8 @@ u64 hrtimer_forward(struct hrtimer *time
 	if (delta.tv64 < 0)
 		return 0;
 
-	if (interval.tv64 < timer->base->resolution.tv64)
-		interval.tv64 = timer->base->resolution.tv64;
+	if (interval.tv64 < hrtimer_resolution)
+		interval.tv64 = hrtimer_resolution;
 
 	if (unlikely(delta.tv64 >= interval.tv64)) {
 		s64 incr = ktime_to_ns(interval);
@@ -1001,7 +997,7 @@ int __hrtimer_start_range_ns(struct hrti
 		 * timeouts. This will go away with the GTOD framework.
 		 */
 #ifdef CONFIG_TIME_LOW_RES
-		tim = ktime_add_safe(tim, base->resolution);
+		tim = ktime_add_safe(tim, ktime_set(0, hrtimer_resolution));
 #endif
 	}
 
@@ -1240,12 +1236,8 @@ EXPORT_SYMBOL_GPL(hrtimer_init);
  */
 int hrtimer_get_res(const clockid_t which_clock, struct timespec *tp)
 {
-	struct hrtimer_cpu_base *cpu_base;
-	int base = hrtimer_clockid_to_base(which_clock);
-
-	cpu_base = &__raw_get_cpu_var(hrtimer_bases);
-	*tp = ktime_to_timespec(cpu_base->clock_base[base].resolution);
-
+	tp->tv_sec = 0;
+	tp->tv_nsec = hrtimer_resolution;
 	return 0;
 }
 EXPORT_SYMBOL_GPL(hrtimer_get_res);
--- a/kernel/time/timer_list.c
+++ b/kernel/time/timer_list.c
@@ -120,10 +120,10 @@ static void
 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
 {
 	SEQ_printf(m, "  .base:       %pK\n", base);
-	SEQ_printf(m, "  .index:      %d\n",
-			base->index);
-	SEQ_printf(m, "  .resolution: %Lu nsecs\n",
-			(unsigned long long)ktime_to_ns(base->resolution));
+	SEQ_printf(m, "  .index:      %d\n", base->index);
+
+	SEQ_printf(m, "  .resolution: %u nsecs\n", (unsigned) hrtimer_resolution);
+
 	SEQ_printf(m,   "  .get_time:   ");
 	print_name_offset(m, base->get_time);
 	SEQ_printf(m,   "\n");


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 138/148] powerpc: Fix vDSO clock_getres()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 137/148] hrtimer: Get rid of the resolution field in hrtimer_clock_base Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 139/148] ALSA: pcm: oss: Avoid potential buffer overflows Ben Hutchings
                   ` (10 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michael Ellerman, Christophe Leroy,
	Vincenzo Frascino, Shuah Khan

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vincenzo Frascino <vincenzo.frascino@arm.com>

commit 552263456215ada7ee8700ce022d12b0cffe4802 upstream.

clock_getres in the vDSO library has to preserve the same behaviour
of posix_get_hrtimer_res().

In particular, posix_get_hrtimer_res() does:
    sec = 0;
    ns = hrtimer_resolution;
and hrtimer_resolution depends on the enablement of the high
resolution timers that can happen either at compile or at run time.

Fix the powerpc vdso implementation of clock_getres keeping a copy of
hrtimer_resolution in vdso data and using that directly.

Fixes: a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to 32 bits kernel")
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
[chleroy: changed CLOCK_REALTIME_RES to CLOCK_HRTIMER_RES]
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/a55eca3a5e85233838c2349783bcb5164dae1d09.1575273217.git.christophe.leroy@c-s.fr
[bwh: Backported to 3.16:
 - In asm-offsets.c, use DEFINE() instead of OFFSET()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/vdso_datapage.h  | 2 ++
 arch/powerpc/kernel/asm-offsets.c         | 2 +-
 arch/powerpc/kernel/time.c                | 1 +
 arch/powerpc/kernel/vdso32/gettimeofday.S | 7 +++++--
 arch/powerpc/kernel/vdso64/gettimeofday.S | 7 +++++--
 5 files changed, 14 insertions(+), 5 deletions(-)

--- a/arch/powerpc/include/asm/vdso_datapage.h
+++ b/arch/powerpc/include/asm/vdso_datapage.h
@@ -86,6 +86,7 @@ struct vdso_data {
 	__s32 wtom_clock_nsec;			/* Wall to monotonic clock nsec */
 	__s64 wtom_clock_sec;			/* Wall to monotonic clock sec */
 	struct timespec stamp_xtime;		/* xtime as at tb_orig_stamp */
+	__u32 hrtimer_res;			/* hrtimer resolution */
    	__u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls  */
    	__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
 };
@@ -107,6 +108,7 @@ struct vdso_data {
 	__s32 wtom_clock_nsec;
 	struct timespec stamp_xtime;	/* xtime as at tb_orig_stamp */
 	__u32 stamp_sec_fraction;	/* fractional seconds of stamp_xtime */
+	__u32 hrtimer_res;		/* hrtimer resolution */
    	__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
 	__u32 dcache_block_size;	/* L1 d-cache block size     */
 	__u32 icache_block_size;	/* L1 i-cache block size     */
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -397,6 +397,7 @@ int main(void)
 	DEFINE(WTOM_CLOCK_NSEC, offsetof(struct vdso_data, wtom_clock_nsec));
 	DEFINE(STAMP_XTIME, offsetof(struct vdso_data, stamp_xtime));
 	DEFINE(STAMP_SEC_FRAC, offsetof(struct vdso_data, stamp_sec_fraction));
+	DEFINE(CLOCK_HRTIMER_RES, offsetof(struct vdso_data, hrtimer_res));
 	DEFINE(CFG_ICACHE_BLOCKSZ, offsetof(struct vdso_data, icache_block_size));
 	DEFINE(CFG_DCACHE_BLOCKSZ, offsetof(struct vdso_data, dcache_block_size));
 	DEFINE(CFG_ICACHE_LOGBLOCKSZ, offsetof(struct vdso_data, icache_log_block_size));
@@ -425,7 +426,6 @@ int main(void)
 	DEFINE(CLOCK_REALTIME, CLOCK_REALTIME);
 	DEFINE(CLOCK_MONOTONIC, CLOCK_MONOTONIC);
 	DEFINE(NSEC_PER_SEC, NSEC_PER_SEC);
-	DEFINE(CLOCK_REALTIME_RES, MONOTONIC_RES_NSEC);
 
 #ifdef CONFIG_BUG
 	DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry));
--- a/arch/powerpc/kernel/time.c
+++ b/arch/powerpc/kernel/time.c
@@ -781,6 +781,7 @@ void update_vsyscall_old(struct timespec
 	vdso_data->wtom_clock_nsec = wtm->tv_nsec;
 	vdso_data->stamp_xtime = *wall_time;
 	vdso_data->stamp_sec_fraction = frac_sec;
+	vdso_data->hrtimer_res = hrtimer_resolution;
 	smp_wmb();
 	++(vdso_data->tb_update_count);
 }
--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
@@ -159,12 +159,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
 	cror	cr0*4+eq,cr0*4+eq,cr1*4+eq
 	bne	cr0,99f
 
+	mflr	r12
+  .cfi_register lr,r12
+	bl	__get_datapage@local	/* get data page */
+	lwz	r5, CLOCK_HRTIMER_RES(r3)
+	mtlr	r12
 	li	r3,0
 	cmpli	cr0,r4,0
 	crclr	cr0*4+so
 	beqlr
-	lis	r5,CLOCK_REALTIME_RES@h
-	ori	r5,r5,CLOCK_REALTIME_RES@l
 	stw	r3,TSPC32_TV_SEC(r4)
 	stw	r5,TSPC32_TV_NSEC(r4)
 	blr
--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
@@ -144,12 +144,15 @@ V_FUNCTION_BEGIN(__kernel_clock_getres)
 	cror	cr0*4+eq,cr0*4+eq,cr1*4+eq
 	bne	cr0,99f
 
+	mflr	r12
+  .cfi_register lr,r12
+	bl	V_LOCAL_FUNC(__get_datapage)
+	lwz	r5, CLOCK_HRTIMER_RES(r3)
+	mtlr	r12
 	li	r3,0
 	cmpldi	cr0,r4,0
 	crclr	cr0*4+so
 	beqlr
-	lis	r5,CLOCK_REALTIME_RES@h
-	ori	r5,r5,CLOCK_REALTIME_RES@l
 	std	r3,TSPC64_TV_SEC(r4)
 	std	r5,TSPC64_TV_NSEC(r4)
 	blr


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 139/148] ALSA: pcm: oss: Avoid potential buffer overflows
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (137 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 138/148] powerpc: Fix vDSO clock_getres() Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 140/148] tcp: md5: fix potential overestimation of TCP option space Ben Hutchings
                   ` (9 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+f153bde47a62e0b05f83, Takashi Iwai

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 4cc8d6505ab82db3357613d36e6c58a297f57f7c upstream.

syzkaller reported an invalid access in PCM OSS read, and this seems
to be an overflow of the internal buffer allocated for a plugin.
Since the rate plugin adjusts its transfer size dynamically, the
calculation for the chained plugin might be bigger than the given
buffer size in some extreme cases, which lead to such an buffer
overflow as caught by KASAN.

Fix it by limiting the max transfer size properly by checking against
the destination size in each plugin transfer callback.

Reported-by: syzbot+f153bde47a62e0b05f83@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20191204144824.17801-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/oss/linear.c | 2 ++
 sound/core/oss/mulaw.c  | 2 ++
 sound/core/oss/route.c  | 2 ++
 3 files changed, 6 insertions(+)

--- a/sound/core/oss/linear.c
+++ b/sound/core/oss/linear.c
@@ -107,6 +107,8 @@ static snd_pcm_sframes_t linear_transfer
 		}
 	}
 #endif
+	if (frames > dst_channels[0].frames)
+		frames = dst_channels[0].frames;
 	convert(plugin, src_channels, dst_channels, frames);
 	return frames;
 }
--- a/sound/core/oss/mulaw.c
+++ b/sound/core/oss/mulaw.c
@@ -269,6 +269,8 @@ static snd_pcm_sframes_t mulaw_transfer(
 		}
 	}
 #endif
+	if (frames > dst_channels[0].frames)
+		frames = dst_channels[0].frames;
 	data = (struct mulaw_priv *)plugin->extra_data;
 	data->func(plugin, src_channels, dst_channels, frames);
 	return frames;
--- a/sound/core/oss/route.c
+++ b/sound/core/oss/route.c
@@ -57,6 +57,8 @@ static snd_pcm_sframes_t route_transfer(
 		return -ENXIO;
 	if (frames == 0)
 		return 0;
+	if (frames > dst_channels[0].frames)
+		frames = dst_channels[0].frames;
 
 	nsrcs = plugin->src_format.channels;
 	ndsts = plugin->dst_format.channels;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 140/148] tcp: md5: fix potential overestimation of TCP option space
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (138 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 139/148] ALSA: pcm: oss: Avoid potential buffer overflows Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 141/148] tcp: syncookies: extend validity range Ben Hutchings
                   ` (8 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Neal Cardwell,
	Soheil Hassas Yeganeh, Eric Dumazet, syzbot

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 9424e2e7ad93ffffa88f882c9bc5023570904b55 upstream.

Back in 2008, Adam Langley fixed the corner case of packets for flows
having all of the following options : MD5 TS SACK

Since MD5 needs 20 bytes, and TS needs 12 bytes, no sack block
can be cooked from the remaining 8 bytes.

tcp_established_options() correctly sets opts->num_sack_blocks
to zero, but returns 36 instead of 32.

This means TCP cooks packets with 4 extra bytes at the end
of options, containing unitialized bytes.

Fixes: 33ad798c924b ("tcp: options clean up")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_output.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -680,8 +680,9 @@ static unsigned int tcp_established_opti
 			min_t(unsigned int, eff_sacks,
 			      (remaining - TCPOLEN_SACK_BASE_ALIGNED) /
 			      TCPOLEN_SACK_PERBLOCK);
-		size += TCPOLEN_SACK_BASE_ALIGNED +
-			opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
+		if (likely(opts->num_sack_blocks))
+			size += TCPOLEN_SACK_BASE_ALIGNED +
+				opts->num_sack_blocks * TCPOLEN_SACK_PERBLOCK;
 	}
 
 	return size;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 141/148] tcp: syncookies: extend validity range
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (139 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 140/148] tcp: md5: fix potential overestimation of TCP option space Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 142/148] tcp: fix rejected syncookies due to stale timestamps Ben Hutchings
                   ` (7 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Florian Westphal,
	Eric Dumazet, Yuchung Cheng

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 264ea103a7473f51aced838e68ed384ea2c759f5 upstream.

Now we allow storing more request socks per listener, we might
hit syncookie mode less often and hit following bug in our stack :

When we send a burst of syncookies, then exit this mode,
tcp_synq_no_recent_overflow() can return false if the ACK packets coming
from clients are coming three seconds after the end of syncookie
episode.

This is a way too strong requirement and conflicts with rest of
syncookie code which allows ACK to be aged up to 2 minutes.

Perfectly valid ACK packets are dropped just because clients might be
in a crowded wifi environment or on another planet.

So let's fix this, and also change tcp_synq_overflow() to not
dirty a cache line for every syncookie we send, as we are under attack.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Florian Westphal <fw@strlen.de>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/tcp.h | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -326,18 +326,6 @@ static inline bool tcp_too_many_orphans(
 
 bool tcp_check_oom(struct sock *sk, int shift);
 
-/* syncookies: remember time of last synqueue overflow */
-static inline void tcp_synq_overflow(struct sock *sk)
-{
-	tcp_sk(sk)->rx_opt.ts_recent_stamp = jiffies;
-}
-
-/* syncookies: no recent synqueue overflow on this listening socket? */
-static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
-{
-	unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
-	return time_after(jiffies, last_overflow + TCP_TIMEOUT_FALLBACK);
-}
 
 extern struct proto tcp_prot;
 
@@ -485,13 +473,35 @@ struct sock *cookie_v4_check(struct sock
  * i.e. a sent cookie is valid only at most for 2*60 seconds (or less if
  * the counter advances immediately after a cookie is generated).
  */
-#define MAX_SYNCOOKIE_AGE 2
+#define MAX_SYNCOOKIE_AGE	2
+#define TCP_SYNCOOKIE_PERIOD	(60 * HZ)
+#define TCP_SYNCOOKIE_VALID	(MAX_SYNCOOKIE_AGE * TCP_SYNCOOKIE_PERIOD)
+
+/* syncookies: remember time of last synqueue overflow
+ * But do not dirty this field too often (once per second is enough)
+ */
+static inline void tcp_synq_overflow(struct sock *sk)
+{
+	unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+	unsigned long now = jiffies;
+
+	if (time_after(now, last_overflow + HZ))
+		tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
+}
+
+/* syncookies: no recent synqueue overflow on this listening socket? */
+static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
+{
+	unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+
+	return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);
+}
 
 static inline u32 tcp_cookie_time(void)
 {
 	u64 val = get_jiffies_64();
 
-	do_div(val, 60 * HZ);
+	do_div(val, TCP_SYNCOOKIE_PERIOD);
 	return val;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 142/148] tcp: fix rejected syncookies due to stale timestamps
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 141/148] tcp: syncookies: extend validity range Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 143/148] tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE() Ben Hutchings
                   ` (6 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Guillaume Nault,
	Greg Kroah-Hartman, Eric Dumazet

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <gnault@redhat.com>

commit 04d26e7b159a396372646a480f4caa166d1b6720 upstream.

If no synflood happens for a long enough period of time, then the
synflood timestamp isn't refreshed and jiffies can advance so much
that time_after32() can't accurately compare them any more.

Therefore, we can end up in a situation where time_after32(now,
last_overflow + HZ) returns false, just because these two values are
too far apart. In that case, the synflood timestamp isn't updated as
it should be, which can trick tcp_synq_no_recent_overflow() into
rejecting valid syncookies.

For example, let's consider the following scenario on a system
with HZ=1000:

  * The synflood timestamp is 0, either because that's the timestamp
    of the last synflood or, more commonly, because we're working with
    a freshly created socket.

  * We receive a new SYN, which triggers synflood protection. Let's say
    that this happens when jiffies == 2147484649 (that is,
    'synflood timestamp' + HZ + 2^31 + 1).

  * Then tcp_synq_overflow() doesn't update the synflood timestamp,
    because time_after32(2147484649, 1000) returns false.
    With:
      - 2147484649: the value of jiffies, aka. 'now'.
      - 1000: the value of 'last_overflow' + HZ.

  * A bit later, we receive the ACK completing the 3WHS. But
    cookie_v[46]_check() rejects it because tcp_synq_no_recent_overflow()
    says that we're not under synflood. That's because
    time_after32(2147484649, 120000) returns false.
    With:
      - 2147484649: the value of jiffies, aka. 'now'.
      - 120000: the value of 'last_overflow' + TCP_SYNCOOKIE_VALID.

    Of course, in reality jiffies would have increased a bit, but this
    condition will last for the next 119 seconds, which is far enough
    to accommodate for jiffie's growth.

Fix this by updating the overflow timestamp whenever jiffies isn't
within the [last_overflow, last_overflow + HZ] range. That shouldn't
have any performance impact since the update still happens at most once
per second.

Now we're guaranteed to have fresh timestamps while under synflood, so
tcp_synq_no_recent_overflow() can safely use it with time_after32() in
such situations.

Stale timestamps can still make tcp_synq_no_recent_overflow() return
the wrong verdict when not under synflood. This will be handled in the
next patch.

For 64 bits architectures, the problem was introduced with the
conversion of ->tw_ts_recent_stamp to 32 bits integer by commit
cca9bab1b72c ("tcp: use monotonic timestamps for PAWS").
The problem has always been there on 32 bits architectures.

Fixes: cca9bab1b72c ("tcp: use monotonic timestamps for PAWS")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/time.h | 12 ++++++++++++
 include/net/tcp.h    |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

--- a/include/linux/time.h
+++ b/include/linux/time.h
@@ -280,4 +280,16 @@ static __always_inline void timespec_add
 	a->tv_nsec = ns;
 }
 
+/**
+ * time_between32 - check if a 32-bit timestamp is within a given time range
+ * @t:	the time which may be within [l,h]
+ * @l:	the lower bound of the range
+ * @h:	the higher bound of the range
+ *
+ * time_before32(t, l, h) returns true if @l <= @t <= @h. All operands are
+ * treated as 32-bit integers.
+ *
+ * Equivalent to !(time_before32(@t, @l) || time_after32(@t, @h)).
+ */
+#define time_between32(t, l, h) ((u32)(h) - (u32)(l) >= (u32)(t) - (u32)(l))
 #endif
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -485,7 +485,7 @@ static inline void tcp_synq_overflow(str
 	unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
 	unsigned long now = jiffies;
 
-	if (time_after(now, last_overflow + HZ))
+	if (!time_between32(now, last_overflow, last_overflow + HZ))
 		tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 143/148] tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (141 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 142/148] tcp: fix rejected syncookies due to stale timestamps Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 144/148] inet: protect against too small mtu values Ben Hutchings
                   ` (5 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Eric Dumazet,
	David S. Miller, Guillaume Nault

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <gnault@redhat.com>

commit 721c8dafad26ccfa90ff659ee19755e3377b829d upstream.

Syncookies borrow the ->rx_opt.ts_recent_stamp field to store the
timestamp of the last synflood. Protect them with READ_ONCE() and
WRITE_ONCE() since reads and writes aren't serialised.

Use of .rx_opt.ts_recent_stamp for storing the synflood timestamp was
introduced by a0f82f64e269 ("syncookies: remove last_synq_overflow from
struct tcp_sock"). But unprotected accesses were already there when
timestamp was stored in .last_synq_overflow.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/tcp.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -482,17 +482,17 @@ struct sock *cookie_v4_check(struct sock
  */
 static inline void tcp_synq_overflow(struct sock *sk)
 {
-	unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+	unsigned long last_overflow = ACCESS_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp);
 	unsigned long now = jiffies;
 
 	if (!time_between32(now, last_overflow, last_overflow + HZ))
-		tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
+		ACCESS_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp) = now;
 }
 
 /* syncookies: no recent synqueue overflow on this listening socket? */
 static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
 {
-	unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+	unsigned long last_overflow = ACCESS_ONCE(tcp_sk(sk)->rx_opt.ts_recent_stamp);
 
 	return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);
 }


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 144/148] inet: protect against too small mtu values.
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (142 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 143/148] tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE() Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 145/148] deb-pkg: remove obsolete -isp option to dpkg-gencontrol Ben Hutchings
                   ` (4 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Kroah-Hartman, Eric Dumazet, syzbot,
	David S. Miller

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 501a90c945103e8627406763dac418f20f3837b2 upstream.

syzbot was once again able to crash a host by setting a very small mtu
on loopback device.

Let's make inetdev_valid_mtu() available in include/net/ip.h,
and use it in ip_setup_cork(), so that we protect both ip_append_page()
and __ip_append_data()

Also add a READ_ONCE() when the device mtu is read.

Pairs this lockless read with one WRITE_ONCE() in __dev_set_mtu(),
even if other code paths might write over this field.

Add a big comment in include/linux/netdevice.h about dev->mtu
needing READ_ONCE()/WRITE_ONCE() annotations.

Hopefully we will add the missing ones in followup patches.

[1]

refcount_t: saturated; leaking memory.
WARNING: CPU: 0 PID: 9464 at lib/refcount.c:22 refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9464 Comm: syz-executor850 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:221
 __warn.cold+0x2f/0x3e kernel/panic.c:582
 report_bug+0x289/0x300 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 fixup_bug arch/x86/kernel/traps.c:169 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x138/0x1f0 lib/refcount.c:22
Code: 06 31 ff 89 de e8 c8 f5 e6 fd 84 db 0f 85 6f ff ff ff e8 7b f4 e6 fd 48 c7 c7 e0 71 4f 88 c6 05 56 a6 a4 06 01 e8 c7 a8 b7 fd <0f> 0b e9 50 ff ff ff e8 5c f4 e6 fd 0f b6 1d 3d a6 a4 06 31 ff 89
RSP: 0018:ffff88809689f550 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815e4336 RDI: ffffed1012d13e9c
RBP: ffff88809689f560 R08: ffff88809c50a3c0 R09: fffffbfff15d31b1
R10: fffffbfff15d31b0 R11: ffffffff8ae98d87 R12: 0000000000000001
R13: 0000000000040100 R14: ffff888099041104 R15: ffff888218d96e40
 refcount_add include/linux/refcount.h:193 [inline]
 skb_set_owner_w+0x2b6/0x410 net/core/sock.c:1999
 sock_wmalloc+0xf1/0x120 net/core/sock.c:2096
 ip_append_page+0x7ef/0x1190 net/ipv4/ip_output.c:1383
 udp_sendpage+0x1c7/0x480 net/ipv4/udp.c:1276
 inet_sendpage+0xdb/0x150 net/ipv4/af_inet.c:821
 kernel_sendpage+0x92/0xf0 net/socket.c:3794
 sock_sendpage+0x8b/0xc0 net/socket.c:936
 pipe_to_sendpage+0x2da/0x3c0 fs/splice.c:458
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636
 splice_from_pipe+0x108/0x170 fs/splice.c:671
 generic_splice_sendpage+0x3c/0x50 fs/splice.c:842
 do_splice_from fs/splice.c:861 [inline]
 direct_splice_actor+0x123/0x190 fs/splice.c:1035
 splice_direct_to_actor+0x3b4/0xa30 fs/splice.c:990
 do_splice_direct+0x1da/0x2a0 fs/splice.c:1078
 do_sendfile+0x597/0xd00 fs/read_write.c:1464
 __do_sys_sendfile64 fs/read_write.c:1525 [inline]
 __se_sys_sendfile64 fs/read_write.c:1511 [inline]
 __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441409
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffb64c4f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441409
RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005
RBP: 0000000000073b8a R08: 0000000000000010 R09: 0000000000000010
R10: 0000000000010001 R11: 0000000000000246 R12: 0000000000402180
R13: 0000000000402210 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

Fixes: 1470ddf7f8ce ("inet: Remove explicit write references to sk/inet in ip_append_data")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
 - Keep using literal 68 instead of IPV4_MIN_MTU
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netdevice.h |  5 +++++
 include/net/ip.h          |  5 +++++
 net/core/dev.c            |  3 ++-
 net/ipv4/devinet.c        |  5 -----
 net/ipv4/ip_output.c      | 14 +++++++++-----
 5 files changed, 21 insertions(+), 11 deletions(-)

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1345,6 +1345,11 @@ struct net_device {
 	unsigned char		if_port;	/* Selectable AUI, TP,..*/
 	unsigned char		dma;		/* DMA channel		*/
 
+	/* Note : dev->mtu is often read without holding a lock.
+	 * Writers usually hold RTNL.
+	 * It is recommended to use ACCESS_ONCE() to annotate the reads
+	 * and writes.
+	 */
 	unsigned int		mtu;	/* interface MTU value		*/
 	unsigned short		type;	/* interface hardware type	*/
 	unsigned short		hard_header_len;	/* hardware hdr length	*/
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -522,4 +522,9 @@ void ip_local_error(struct sock *sk, int
 int ip_misc_proc_init(void);
 #endif
 
+static inline bool inetdev_valid_mtu(unsigned int mtu)
+{
+	return likely(mtu >= 68);
+}
+
 #endif	/* _IP_H */
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -5680,7 +5680,8 @@ static int __dev_set_mtu(struct net_devi
 	if (ops->ndo_change_mtu)
 		return ops->ndo_change_mtu(dev, new_mtu);
 
-	dev->mtu = new_mtu;
+	/* Pairs with all the lockless reads of dev->mtu in the stack */
+	ACCESS_ONCE(dev->mtu) = new_mtu;
 	return 0;
 }
 
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1318,11 +1318,6 @@ skip:
 	}
 }
 
-static bool inetdev_valid_mtu(unsigned int mtu)
-{
-	return mtu >= 68;
-}
-
 static void inetdev_send_gratuitous_arp(struct net_device *dev,
 					struct in_device *in_dev)
 
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1106,13 +1106,17 @@ static int ip_setup_cork(struct sock *sk
 	rt = *rtp;
 	if (unlikely(!rt))
 		return -EFAULT;
-	/*
-	 * We steal reference to this route, caller should not release it
-	 */
-	*rtp = NULL;
+
 	cork->fragsize = ip_sk_use_pmtu(sk) ?
-			 dst_mtu(&rt->dst) : rt->dst.dev->mtu;
+			 dst_mtu(&rt->dst) : ACCESS_ONCE(rt->dst.dev->mtu);
+
+	if (!inetdev_valid_mtu(cork->fragsize))
+		return -ENETUNREACH;
+
 	cork->dst = &rt->dst;
+	/* We stole this route, caller should not release it. */
+	*rtp = NULL;
+
 	cork->length = 0;
 	cork->ttl = ipc->ttl;
 	cork->tos = ipc->tos;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 145/148] deb-pkg: remove obsolete -isp option to dpkg-gencontrol
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (143 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 144/148] inet: protect against too small mtu values Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 146/148] mmc: sdhci-s3c: Check if clk_set_rate() succeeds Ben Hutchings
                   ` (3 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Michal Marek, Asbjoern Sloth Toennesen

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Asbjoern Sloth Toennesen <asbjorn@asbjorn.biz>

commit 4204111c028d492019e4440d12e9e3d062db4283 upstream.

The -isp option has been deprecated, after it became the default
behaviour back in 2006.

Since dpkg 1.17.11, dpkg-gencontrol emits a warning on -isp usage.

References: https://bugs.debian.org/215233
Signed-off-by: Asbjoern Sloth Toennesen <asbjorn@asbjorn.biz>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/package/builddeb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -64,7 +64,7 @@ create_package() {
 	fi
 
 	# Create the package
-	dpkg-gencontrol -isp $forcearch -Vkernel:debarch="${debarch:-$(dpkg --print-architecture)}" -p$pname -P"$pdir"
+	dpkg-gencontrol $forcearch -Vkernel:debarch="${debarch:-$(dpkg --print-architecture)}" -p$pname -P"$pdir"
 	dpkg --build "$pdir" ..
 }
 


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 146/148] mmc: sdhci-s3c: Check if clk_set_rate() succeeds
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (144 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 145/148] deb-pkg: remove obsolete -isp option to dpkg-gencontrol Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 147/148] mmc: sdhci-s3c: solve problem with sleeping in atomic context Ben Hutchings
                   ` (2 subsequent siblings)
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ulf Hansson, Mark Brown, Jaehoon Chung

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@linaro.org>

commit cd0cfdd2485e6252b3c69284bf09d06c4d303116 upstream.

It is possible that we may fail to set the clock rate, if we do so then
log the failure and don't bother reprogramming the IP.

Signed-off-by: Mark Brown <broonie@linaro.org>
Acked-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/sdhci-s3c.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci-s3c.c
+++ b/drivers/mmc/host/sdhci-s3c.c
@@ -300,6 +300,7 @@ static void sdhci_cmu_set_clock(struct s
 	struct device *dev = &ourhost->pdev->dev;
 	unsigned long timeout;
 	u16 clk = 0;
+	int ret;
 
 	host->mmc->actual_clock = 0;
 
@@ -311,7 +312,12 @@ static void sdhci_cmu_set_clock(struct s
 
 	sdhci_s3c_set_clock(host, clock);
 
-	clk_set_rate(ourhost->clk_bus[ourhost->cur_clk], clock);
+	ret = clk_set_rate(ourhost->clk_bus[ourhost->cur_clk], clock);
+	if (ret != 0) {
+		dev_err(dev, "%s: failed to set clock rate %uHz\n",
+			mmc_hostname(host->mmc), clock);
+		return;
+	}
 
 	clk = SDHCI_CLOCK_INT_EN;
 	sdhci_writew(host, clk, SDHCI_CLOCK_CONTROL);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 147/148] mmc: sdhci-s3c: solve problem with sleeping in atomic context
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (145 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 146/148] mmc: sdhci-s3c: Check if clk_set_rate() succeeds Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 18:21 ` [PATCH 3.16 148/148] s390: Fix unmatched preempt_disable() on exit Ben Hutchings
  2020-02-08 23:10 ` [PATCH 3.16 000/148] 3.16.82-rc1 review Guenter Roeck
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paul Osmialowski, Jaehoon Chung, Ulf Hansson

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Osmialowski <p.osmialowsk@samsung.com>

commit 017210d1c0dc2e2d3b142985cb31d90b98dc0f0f upstream.

This change addresses following problem:

[    2.560726] ------------[ cut here ]------------
[    2.565341] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:2744 lockdep_trace_alloc+0xec/0x118()
[    2.574439] DEBUG_LOCKS_WARN_ON(irqs_disabled_flags(flags))
[    2.579821] Modules linked in:
[    2.583038] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W      3.18.0-next-20141216-00002-g4ff197fc1902-dirty #1318
[    2.593796] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[    2.599892] [<c0014c44>] (unwind_backtrace) from [<c0011bbc>] (show_stack+0x10/0x14)
[    2.607612] [<c0011bbc>] (show_stack) from [<c04953b8>] (dump_stack+0x70/0xbc)
[    2.614822] [<c04953b8>] (dump_stack) from [<c0023444>] (warn_slowpath_common+0x74/0xb0)
[    2.622885] [<c0023444>] (warn_slowpath_common) from [<c0023514>] (warn_slowpath_fmt+0x30/0x40)
[    2.631569] [<c0023514>] (warn_slowpath_fmt) from [<c0063644>] (lockdep_trace_alloc+0xec/0x118)
[    2.640246] [<c0063644>] (lockdep_trace_alloc) from [<c00df52c>] (__kmalloc+0x3c/0x1cc)
[    2.648240] [<c00df52c>] (__kmalloc) from [<c0394970>] (clk_fetch_parent_index+0xb8/0xd4)
[    2.656390] [<c0394970>] (clk_fetch_parent_index) from [<c0394a6c>] (clk_calc_new_rates+0xe0/0x1fc)
[    2.665415] [<c0394a6c>] (clk_calc_new_rates) from [<c0394b40>] (clk_calc_new_rates+0x1b4/0x1fc)
[    2.674181] [<c0394b40>] (clk_calc_new_rates) from [<c0395408>] (clk_set_rate+0x50/0xc8)
[    2.682265] [<c0395408>] (clk_set_rate) from [<c0377708>] (sdhci_cmu_set_clock+0x68/0x16c)
[    2.690503] [<c0377708>] (sdhci_cmu_set_clock) from [<c03735cc>] (sdhci_do_set_ios+0xf0/0x64c)
[    2.699095] [<c03735cc>] (sdhci_do_set_ios) from [<c0373b48>] (sdhci_set_ios+0x20/0x2c)
[    2.707080] [<c0373b48>] (sdhci_set_ios) from [<c035ddf0>] (mmc_power_up+0x118/0x1fc)
[    2.714889] [<c035ddf0>] (mmc_power_up) from [<c035ecd0>] (mmc_start_host+0x44/0x6c)
[    2.722615] [<c035ecd0>] (mmc_start_host) from [<c035fd60>] (mmc_add_host+0x58/0x7c)
[    2.730341] [<c035fd60>] (mmc_add_host) from [<c037454c>] (sdhci_add_host+0x968/0xd94)
[    2.738240] [<c037454c>] (sdhci_add_host) from [<c0377b60>] (sdhci_s3c_probe+0x354/0x52c)
[    2.746406] [<c0377b60>] (sdhci_s3c_probe) from [<c0283b58>] (platform_drv_probe+0x48/0xa4)
[    2.754733] [<c0283b58>] (platform_drv_probe) from [<c02824e8>] (driver_probe_device+0x13c/0x37c)
[    2.763585] [<c02824e8>] (driver_probe_device) from [<c02827bc>] (__driver_attach+0x94/0x98)
[    2.772003] [<c02827bc>] (__driver_attach) from [<c0280a60>] (bus_for_each_dev+0x54/0x88)
[    2.780163] [<c0280a60>] (bus_for_each_dev) from [<c0281b48>] (bus_add_driver+0xe4/0x200)
[    2.788322] [<c0281b48>] (bus_add_driver) from [<c0282dfc>] (driver_register+0x78/0xf4)
[    2.796308] [<c0282dfc>] (driver_register) from [<c00089b0>] (do_one_initcall+0xac/0x1f0)
[    2.804473] [<c00089b0>] (do_one_initcall) from [<c0673d94>] (kernel_init_freeable+0x10c/0x1d8)
[    2.813153] [<c0673d94>] (kernel_init_freeable) from [<c0490058>] (kernel_init+0x28/0x108)
[    2.821398] [<c0490058>] (kernel_init) from [<c000f268>] (ret_from_fork+0x14/0x2c)
[    2.828939] ---[ end trace 03cc00e539849d1f ]---

clk_set_rate() tries to take clk's prepare_lock mutex while being in atomic
context entered in sdhci_do_set_ios().

The solution is inspired by similar situation in sdhci_set_power() also called
from sdhci_do_set_ios():

                spin_unlock_irq(&host->lock);
                mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd);
                spin_lock_irq(&host->lock);

Note that since sdhci_s3c_set_clock() sets SDHCI_CLOCK_CARD_EN, proposed change
first resets this bit. It is reset anyway (by setting SDHCI_CLOCK_INT_EN bit
only) after call to clk_set_rate() in order to wait for the clock to stabilize
and is set again as soon as the clock becomes stable.

Signed-off-by: Paul Osmialowski <p.osmialowsk@samsung.com>
Tested-by: Jaehoon Chung <jh80.chung@samsung.com>
Acked-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/host/sdhci-s3c.c | 8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/mmc/host/sdhci-s3c.c
+++ b/drivers/mmc/host/sdhci-s3c.c
@@ -12,6 +12,7 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/spinlock.h>
 #include <linux/delay.h>
 #include <linux/dma-mapping.h>
 #include <linux/platform_device.h>
@@ -312,7 +313,14 @@ static void sdhci_cmu_set_clock(struct s
 
 	sdhci_s3c_set_clock(host, clock);
 
+	/* Reset SD Clock Enable */
+	clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
+	clk &= ~SDHCI_CLOCK_CARD_EN;
+	sdhci_writew(host, clk, SDHCI_CLOCK_CONTROL);
+
+	spin_unlock_irq(&host->lock);
 	ret = clk_set_rate(ourhost->clk_bus[ourhost->cur_clk], clock);
+	spin_lock_irq(&host->lock);
 	if (ret != 0) {
 		dev_err(dev, "%s: failed to set clock rate %uHz\n",
 			mmc_hostname(host->mmc), clock);


^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 3.16 148/148] s390: Fix unmatched preempt_disable() on exit
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (146 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 147/148] mmc: sdhci-s3c: solve problem with sleeping in atomic context Ben Hutchings
@ 2020-02-08 18:21 ` Ben Hutchings
  2020-02-08 23:10 ` [PATCH 3.16 000/148] 3.16.82-rc1 review Guenter Roeck
  148 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-08 18:21 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Christian Borntraeger, Heiko Carstens,
	Vasily Gorbik

3.16.82-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

exit_thread_runtime_instr() may return with preemption disabled,
leading to the following lockdep splat:

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:586
in_atomic(): 1, irqs_disabled(): 0, pid: 565, name: kworker/u2:0
no locks held by kworker/u2:0/565.
CPU: 0 PID: 565 Comm: kworker/u2:0 Not tainted 3.16.81-00145-gafe1c874fa44 #1
       00000000025dbbd8 00000000025dbbe8 0000000000000002 0000000000000000 
       00000000025dbc78 00000000025dbbf0 00000000025dbbf0 000000000098c55c 
       0000000000000000 00000000025d05b8 00000000025d1590 0000000000000000 
       0000000000000000 000000000000000c 00000000025dbbd8 0000000000000070 
       00000000009b7220 000000000098c55c 00000000025dbbd8 00000000025dbc20 
Call Trace:
([<000000000098c4ce>] show_trace+0xb6/0xd8)
 [<000000000098c592>] show_stack+0xa2/0xd8
 [<0000000000992c04>] dump_stack+0xc4/0x118
 [<0000000000191e20>] __might_sleep+0x230/0x238
 [<000000000099fbb0>] mutex_lock_nested+0x48/0x3d8
 [<000000000025e33e>] perf_event_exit_task+0x36/0x398
 [<0000000000158536>] do_exit+0x3ae/0xca0
 [<0000000000175826>] ____call_usermodehelper+0x136/0x148
 [<00000000009a550a>] kernel_thread_starter+0x6/0xc
 [<00000000009a5504>] kernel_thread_starter+0x0/0xc

This was fixed by commit 8d9047f8b967 "s390/runtime instrumentation:
simplify task exit handling" upstream, but that won't apply here.

Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/s390/kernel/runtime_instr.c
+++ b/arch/s390/kernel/runtime_instr.c
@@ -53,9 +53,9 @@ void exit_thread_runtime_instr(void)
 {
 	struct task_struct *task = current;
 
-	preempt_disable();
 	if (!task->thread.ri_cb)
 		return;
+	preempt_disable();
 	disable_runtime_instr();
 	kfree(task->thread.ri_cb);
 	task->thread.ri_signum = 0;


^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 3.16 000/148] 3.16.82-rc1 review
  2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
                   ` (147 preceding siblings ...)
  2020-02-08 18:21 ` [PATCH 3.16 148/148] s390: Fix unmatched preempt_disable() on exit Ben Hutchings
@ 2020-02-08 23:10 ` Guenter Roeck
  2020-02-09 18:51   ` Ben Hutchings
  148 siblings, 1 reply; 151+ messages in thread
From: Guenter Roeck @ 2020-02-08 23:10 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

On 2/8/20 10:18 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.82 release.
> There are 148 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Feb 11 20:00:00 UTC 2020.
> Anything received after that time might be too late.
> 

Build results:
	total: 136 pass: 136 fail: 0
Qemu test results:
	total: 227 pass: 227 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 3.16 000/148] 3.16.82-rc1 review
  2020-02-08 23:10 ` [PATCH 3.16 000/148] 3.16.82-rc1 review Guenter Roeck
@ 2020-02-09 18:51   ` Ben Hutchings
  0 siblings, 0 replies; 151+ messages in thread
From: Ben Hutchings @ 2020-02-09 18:51 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm, Denis Kirjanov

[-- Attachment #1: Type: text/plain, Size: 697 bytes --]

On Sat, 2020-02-08 at 15:10 -0800, Guenter Roeck wrote:
> On 2/8/20 10:18 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.82 release.
> > There are 148 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Tue Feb 11 20:00:00 UTC 2020.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 136 pass: 136 fail: 0
> Qemu test results:
> 	total: 227 pass: 227 fail: 0

Thanks for checking,

Ben.

-- 
Ben Hutchings
The world is coming to an end.	Please log off.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 151+ messages in thread

end of thread, other threads:[~2020-02-09 18:51 UTC | newest]

Thread overview: 151+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-08 18:18 [PATCH 3.16 000/148] 3.16.82-rc1 review Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 001/148] ALSA: line6: Drop superfluous snd_device for PCM Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 002/148] ALSA: line6: Fix memory leak at line6_init_pcm() error path Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 003/148] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 004/148] pstore/ram: Write new dumps to start of recycled zones Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 005/148] net: davinci_cpdma: use dma_addr_t for DMA address Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 006/148] stmmac: fix oversized frame reception Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 007/148] net: stmmac: use correct DMA buffer size in the RX descriptor Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 008/148] net: stmmac: don't stop NAPI processing when dropping a packet Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 009/148] workqueue: Fix spurious sanity check failures in destroy_workqueue() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 010/148] ath9k_hw: fix uninitialized variable data Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 011/148] pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 012/148] pinctrl: samsung: Fix device node refcount leaks in S3C64xx " Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 013/148] media: ov6650: Fix incorrect use of JPEG colorspace Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 014/148] media: ov6650: Fix stored frame format not in sync with hardware Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 015/148] tools/power/cpupower: Fix initializer override in hsw_ext_cstates Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 016/148] cw1200: Fix a signedness bug in cw1200_load_firmware() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 017/148] ar5523: check NULL before memcpy() in ar5523_cmd() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 018/148] hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 019/148] drm/i810: Prevent underflow in ioctl Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 020/148] ARM: dts: s3c64xx: Fix init order of clock providers Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 021/148] [media] usbvision: remove power_on_at_open and timed power off Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 022/148] [media] usbvision-video: two use after frees Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 023/148] [media] usbvision: fix locking error Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 024/148] " Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 025/148] media: usbvision: Fix invalid accesses after device disconnect Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 026/148] media: usbvision: Fix races among open, close, and disconnect Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 027/148] sunrpc: fix crash when cache_head become valid before update Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 028/148] PCI: Fix Intel ACS quirk UPDCR register address Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 029/148] Bluetooth: hci_core: fix init for HCI_USER_CHANNEL Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 030/148] spi: atmel: fix handling of cs_change set on non-last xfer Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 031/148] usb: gadget: u_serial: add missing port entry locking Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 032/148] compat_ioctl: handle SIOCOUTQNSD Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 033/148] x86/ioapic: Prevent inconsistent state when moving an interrupt Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 034/148] xfs: Sanity check flags of Q_XQUOTARM call Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 035/148] cpuidle: Do not unset the driver if it is there already Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 036/148] scsi: csiostor: Don't enable IRQs too early Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 037/148] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 038/148] scsi: zfcp: trace channel log even for FCP command responses Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 039/148] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 040/148] mtd: spear_smi: Fix Write Burst mode Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 041/148] ARM: tegra: Fix FLOW_CTLR_HALT register clobbering by tegra_resume() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 042/148] quota: fix livelock in dquot_writeback_dquots Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 043/148] quota: Check that quota is not dirty before release Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 044/148] scsi: core: scsi_trace: Use get_unaligned_be*() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 045/148] blk-mq: fix deadlock when reading cpu_list Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 046/148] blk-mq: avoid sysfs buffer overflow with too many CPU cores Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 047/148] iio: imu: adis16480: assign bias value only if operation succeeded Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 048/148] blk-mq: make sure that line break can be printed Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 049/148] tty: serial: msm_serial: Fix flow control Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 050/148] ext2: check err when partial != NULL Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 051/148] media: radio: wl1273: fix interrupt masking on release Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 052/148] media: exynos4-is: Fix recursive locking in isp_video_release() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 053/148] staging: rtl8192e: fix potential use after free Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 054/148] jbd2: Fix possible overflow in jbd2_log_space_left() Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 055/148] bnx2x: Enable Multi-Cos feature Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 056/148] PM / devfreq: Lock devfreq in trans_stat_show Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 057/148] scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 058/148] USB: serial: mos7840: add USB ID to support Moxa UPort 2210 Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 059/148] perf probe: Fix to handle optimized not-inlined functions Ben Hutchings
2020-02-08 18:19 ` [PATCH 3.16 060/148] perf probe: Fix to show lines of sys_ functions correctly Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 061/148] perf probe: Fix to add missed brace around if block Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 062/148] perf probe: Skip if the function address is 0 Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 063/148] perf probe: Fix to find range-only function instance Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 064/148] perf probe: Fix to show function entry line as probe-able Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 065/148] perf probe: Fix wrong address verification Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 066/148] perf probe: Fix to probe a function which has no entry pc Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 067/148] perf probe: Fix to probe an inline " Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 068/148] perf probe: Fix to list probe event with correct line number Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 069/148] perf probe: Fix to show inlined function callsite without entry_pc Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 070/148] usb: gadget: pch_udc: fix use after free Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 071/148] usb: Allow USB device to be warm reset in suspended state Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 072/148] appledisplay: fix error handling in the scheduled work Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 073/148] perf probe: Skip end-of-sequence and non statement lines Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 074/148] perf probe: Filter out instances except for inlined subroutine and subprogram Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 075/148] perf probe: Fix to show calling lines of inlined functions Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 076/148] perf probe: Skip overlapped location on searching variables Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 077/148] powerpc: Allow flush_icache_range to work across ranges >4GB Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 078/148] powerpc: Allow 64bit VDSO __kernel_sync_dicache " Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 079/148] ARM: ux500: remove unused regulator data Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 080/148] regulator: ab8500: Remove AB8505 USB regulator Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 081/148] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 082/148] inetpeer: fix data-race in inet_putpeer / inet_putpeer Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 083/148] iio: adis16480: Add debugfs_reg_access entry Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 084/148] drm/i915/userptr: Try to acquire the page lock around set_page_dirty() Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 085/148] USB: serial: mos7720: fix remote wakeup Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 086/148] USB: serial: mos7840: " Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 087/148] fuse: verify attributes Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 088/148] fuse: verify nlink Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 089/148] ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 090/148] scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 091/148] tty: serial: imx: use the sg count from dma_map_sg Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 092/148] tty: serial: pch_uart: correct usage of dma_unmap_sg Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 093/148] RDMA/srpt: Report the SCSI residual to the initiator Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 094/148] binder: Handle start==NULL in binder_update_page_range() Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 095/148] USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 096/148] futex: Prevent robust futex exit race Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 097/148] x86/speculation: Fix incorrect MDS/TAA mitigation status Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 098/148] usb-serial: cp201x: support Mark-10 digital force gauge Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 099/148] USB: uas: honor flag to avoid CAPACITY16 Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 100/148] USB: uas: heed CAPACITY_HEURISTICS Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 101/148] USB: documentation: flags on usb-storage versus UAS Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 102/148] Btrfs: fix negative subv_writers counter and data space leak after buffered write Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 103/148] btrfs: check page->mapping when loading free space cache Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 104/148] serial: ifx6x60: add missed pm_runtime_disable Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 105/148] rtc: msm6242: Fix reading of 10-hour digit Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 106/148] Bluetooth: delete a stray unlock Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 107/148] ext4: work around deleting a file with i_nlink == 0 safely Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 108/148] scsi: qla4xxx: fix double free bug Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 109/148] scsi: bnx2i: fix potential use after free Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 110/148] iwlwifi: check kasprintf() return value Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 111/148] serial: serial_core: Perform NULL checks for break_ctl ops Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 112/148] KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 113/148] KVM: x86: do not modify masked bits of shared MSRs Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 114/148] x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 115/148] ALSA: cs4236: fix error return comparison of an unsigned integer Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 116/148] libtraceevent: Fix memory leakage in copy_filter_type Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 117/148] drm/radeon: fix bad DMA from INTERRUPT_CNTL2 Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 118/148] tty: vt: keyboard: reject invalid keycodes Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 119/148] CIFS: Respect O_SYNC and O_DIRECT flags during reconnect Ben Hutchings
2020-02-08 18:20 ` [PATCH 3.16 120/148] CIFS: Fix SMB2 oplock break processing Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 121/148] platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 122/148] platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 123/148] macvlan: schedule bc_work even if error Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 124/148] PCI/MSI: Fix incorrect MSI-X masking on resume Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 125/148] xtensa: fix TLB sanity checker Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 126/148] perf regs: Make perf_reg_name() return "unknown" instead of NULL Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 127/148] ACPI / osl: speedup grace period in acpi_os_map_cleanup Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 128/148] ACPI: OSL: only free map once in osl.c Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 129/148] ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 130/148] openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 131/148] openvswitch: remove another BUG_ON() Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 132/148] cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 133/148] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 134/148] net: bridge: deny dev_set_mac_address() when unregistering Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 135/148] drm/radeon: fix r1xx/r2xx register checker for POT textures Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 136/148] xen/blkback: Avoid unmapping unmapped grant pages Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 137/148] hrtimer: Get rid of the resolution field in hrtimer_clock_base Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 138/148] powerpc: Fix vDSO clock_getres() Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 139/148] ALSA: pcm: oss: Avoid potential buffer overflows Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 140/148] tcp: md5: fix potential overestimation of TCP option space Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 141/148] tcp: syncookies: extend validity range Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 142/148] tcp: fix rejected syncookies due to stale timestamps Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 143/148] tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE() Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 144/148] inet: protect against too small mtu values Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 145/148] deb-pkg: remove obsolete -isp option to dpkg-gencontrol Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 146/148] mmc: sdhci-s3c: Check if clk_set_rate() succeeds Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 147/148] mmc: sdhci-s3c: solve problem with sleeping in atomic context Ben Hutchings
2020-02-08 18:21 ` [PATCH 3.16 148/148] s390: Fix unmatched preempt_disable() on exit Ben Hutchings
2020-02-08 23:10 ` [PATCH 3.16 000/148] 3.16.82-rc1 review Guenter Roeck
2020-02-09 18:51   ` Ben Hutchings

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).