[RFC PATCH] mtd: spi-nor: rockchip_sfc_runtime_suspend() can be static

2018-02-10 Thread kbuild test robot

Fixes: dbc2d867929a ("mtd: spi-nor: add rockchip serial flash controller driver")
Signed-off-by: Fengguang Wu 
---
 rockchip-sfc.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mtd/spi-nor/rockchip-sfc.c 
b/drivers/mtd/spi-nor/rockchip-sfc.c
index 60371011..e38d79d 100644
--- a/drivers/mtd/spi-nor/rockchip-sfc.c
+++ b/drivers/mtd/spi-nor/rockchip-sfc.c
@@ -896,7 +896,7 @@ static int rockchip_sfc_remove(struct platform_device *pdev)
 }
 
 #ifdef CONFIG_PM
-int rockchip_sfc_runtime_suspend(struct device *dev)
+static int rockchip_sfc_runtime_suspend(struct device *dev)
 {
struct rockchip_sfc *sfc = dev_get_drvdata(dev);
 
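
Review bot: with rockchip_sfc_runtime_suspend() now static, the #ifdef CONFIG_PM guard kept at the top of this hunk has to stay in step with whatever references the callback, otherwise a !CONFIG_PM build ends in either an undefined symbol or an unused-function warning. Consider dropping the #ifdef and declaring it as static int __maybe_unused rockchip_sfc_runtime_suspend(struct device *dev), so the body is always compiled and type-checked.
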
@@ -904,7 +904,7 @@ int rockchip_sfc_runtime_suspend(struct device *dev)
return 0;
 }
 
-int rockchip_sfc_runtime_resume(struct device *dev)
+static int rockchip_sfc_runtime_resume(struct device *dev)
 {
struct rockchip_sfc *sfc = dev_get_drvdata(dev);
 
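
Review bot: the static added to rockchip_sfc_runtime_resume() here, like the one on the suspend callback above, belongs in the driver patch itself rather than in a separate commit. The patch has no changelog text beyond the Fixes: tag, and the commit it names is part of a v8 series that is still under review, so the hash will not survive a respin; fold both qualifiers into the next revision of the driver patch, as the robot's report suggests.
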


Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators

2018-02-10 Thread Sergey Suloev

On 02/11/2018 01:07 AM, Philipp Rossak wrote:



On 10.02.2018 22:08, Sergey Suloev wrote:

On 02/11/2018 12:01 AM, Philipp Rossak wrote:

Hey Sergey,

Thanks for mentioning, but I think the problem has nothing to do 
with those patches. I tested them with the v4.15.0 Kernel since this 
is the last stable release and we are right now in the merging window.


I tested the latest mainline, without those patches and the kernel 
is not booting (I can't see any uart output).


Thanks,
Philipp

On 10.02.2018 14:56, Sergey Suloev wrote:

On 02/09/2018 08:52 PM, Philipp Rossak wrote:
This patchseries fixes the bananapi m1 devicetree, to be able to boot again.
The first two patches update/improve the devicetree and the last patch adds
all missing regulators.

Regards,
Philipp

Philipp Rossak (3):
   arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes
   arm: dts: sun6i: a31s: bpi-m2: improve pmic properties
   arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators

  arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++-
  1 file changed, 67 insertions(+), 3 deletions(-)


patches are not working

Thanks


same problem, but after applying the patches my device is still hanging.


Can you please share a bootlog? Here is mine [1]. As you can see I'm 
able to boot.
I build it with this branch [2]. For testing you should replace the 
dtb and the uImage/zImage


Philipp


[1]: https://pastebin.com/mVjv3LDf
[2]: 
https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2


My dmesg is very similar to yours unless it hangs on the last line [1]. 
For this test I used kernel from tag v4.15 with no additional patching.


[1] https://pastebin.com/3a6bk5Dk




Re: [PATCH v8 2/3] mtd: spi-nor: add rockchip serial flash controller driver

2018-02-10 Thread kbuild test robot
Hi Shawn,

I love your patch! Perhaps something to improve:

[auto build test WARNING on robh/for-next]
[also build test WARNING on v4.15 next-20180209]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Andy-Yan/Add-Rockchip-SFC-serial-flash-controller-support/20180211-135616
base:   https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git for-next
reproduce:
        # apt-get install sparse
        make ARCH=x86_64 allmodconfig
        make C=1 CF=-D__CHECK_ENDIAN__


sparse warnings: (new ones prefixed by >>)

>> drivers/mtd/spi-nor/rockchip-sfc.c:899:5: sparse: symbol 'rockchip_sfc_runtime_suspend' was not declared. Should it be
>> drivers/mtd/spi-nor/rockchip-sfc.c:907:5: sparse: symbol 'rockchip_sfc_runtime_resume' was not declared. Should it be

Please review and possibly fold the followup patch.

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation


Re: [PATCH v2 5/7] watchdog: mtk: allow setting timeout in devicetree

2018-02-10 Thread Sean Wang
On Sat, 2018-02-10 at 17:52 -0800, Guenter Roeck wrote:
> On 02/10/2018 12:12 PM, Marcus Folkesson wrote:
> > Hello Sean,
> > 
> > On Sat, Feb 10, 2018 at 01:43:28PM +0100, Marcus Folkesson wrote:
> >> Hello Sean,
> >>
> >> On Sat, Feb 10, 2018 at 07:10:02PM +0800, Sean Wang wrote:
> >>>
> >>> Hi, Marcus
> >>>
> >>> The changes you made for dt-bindings and driver should be put into
> >>> separate patches.
> >>
> >> I actually thought about it but chose to have it in the same patch because I
> >> did not see any direct advantage to separating them.
> >>
> >> But I can do that.
> >> I will come up with a v3 with this change if no one thinks differently.
> >>
> > 
> > When looking at the git log, I'm not that convinced it should be
> > separate patches.
> > 
> > For example, I found a4f741e3e157c3a5c8aea5f2ea62b692fbf17338 that is
> > doing the exact same thing as this patch.
> > 
> > There are plenty of patches that mix the code change and dt bindings
> > updates.
> > Could it not be useful to overview both the implementation and
> > dt-mapping change in one view?
> > 
> > If you or anyone else still think it should be separated, please let me know and I will
> > come up with a v3.
> > 
> 
> If we were talking about something new, specifically new and unapproved DT bindings,
> it should be separate patches. However, that is not the case here. The DT bindings
> are well established. Sure, we could be pedantic and request a split into two
> patches. However, the only benefit of that would be more work for the maintainers,
> ie Wim and myself (including me having to send this e-mail). I don't really see
> the point of that.
> 
> I have already sent my Reviewed-by:, and I don't intend to withdraw it.
> 
Hi, both

Sorry if I caused you any inconvenience. I didn't really insist that
the patch be split into two; that totally depends on whether the dt
maintainers like it.

The change for dt-binding is usually added as a split patch with
dt-bindings as a prefix. This way, I thought, the dt maintainers are
less likely to miss those patches and can also give some useful
feedback on them.

Sean

> Thanks,
> Guenter
> 




Re: [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr()

2018-02-10 Thread alex chen
Hi Ben,

ocfs2_dio_end_io_write() was introduced in 4.6 and the problem this patch
fixes only exists in kernel 4.6 and above.

Thanks,
Alex

On 2018/2/11 12:20, Ben Hutchings wrote:
> 3.2.99-rc1 review patch.  If anyone has any objections, please let me know.
> 
> --
> 
> From: alex chen 
> 
> commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream.
> 
> we should wait dio requests to finish before inode lock in
> ocfs2_setattr(), otherwise the following deadlock will happen:
> 
> process 1                  process 2                    process 3
> truncate file 'A'          end_io of writing file 'A'   receiving the bast messages
> ocfs2_setattr
>  ocfs2_inode_lock_tracker
>   ocfs2_inode_lock_full
>  inode_dio_wait
>   __inode_dio_wait
>   -->waiting for all dio
>   requests finish
>                                                         dlm_proxy_ast_handler
>                                                          dlm_do_local_bast
>                                                           ocfs2_blocking_ast
>                                                            ocfs2_generic_handle_bast
>                                                             set OCFS2_LOCK_BLOCKED flag
>                            dio_end_io
>                             dio_bio_end_aio
>                              dio_complete
>                               ocfs2_dio_end_io
>                                ocfs2_dio_end_io_write
>                                 ocfs2_inode_lock
>                                  __ocfs2_cluster_lock
>                                   ocfs2_wait_for_mask
>                                   -->waiting for OCFS2_LOCK_BLOCKED
>                                   flag to be cleared, that is waiting
>                                   for 'process 1' unlocking the inode lock
>                               inode_dio_end
>                               -->here dec the i_dio_count, but will never
>                               be called, so a deadlock happened.
> 
> Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com
> Signed-off-by: Alex Chen 
> Reviewed-by: Jun Piao 
> Reviewed-by: Joseph Qi 
> Acked-by: Changwei Ge 
> Cc: Mark Fasheh 
> Cc: Joel Becker 
> Cc: Junxiao Bi 
> Signed-off-by: Andrew Morton 
> Signed-off-by: Linus Torvalds 
> Signed-off-by: Ben Hutchings 
> ---
>  fs/ocfs2/file.c | 9 +++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> --- a/fs/ocfs2/file.c
> +++ b/fs/ocfs2/file.c
> @@ -1130,6 +1130,13 @@ int ocfs2_setattr(struct dentry *dentry,
>   dquot_initialize(inode);
>   size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE;
>   if (size_change) {
> + /*
> +  * Here we should wait dio to finish before inode lock
> +  * to avoid a deadlock between ocfs2_setattr() and
> +  * ocfs2_dio_end_io_write()
> +  */
> + inode_dio_wait(inode);
> +
>   status = ocfs2_rw_lock(inode, 1);
>   if (status < 0) {
>   mlog_errno(status);
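
Review bot: the comment added in this hunk names ocfs2_dio_end_io_write() as the other side of the deadlock, but the reply at the top of this message says that function was only introduced in 4.6. For the 3.2.y queue the comment would point at code that is not in the tree and the reordering would be unnecessary; drop the patch from 3.2.99-rc1 unless the same lock inversion can be shown through a path that exists in 3.2.
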
> @@ -1149,8 +1156,6 @@ int ocfs2_setattr(struct dentry *dentry,
>   if (status)
>   goto bail_unlock;
>  
> - inode_dio_wait(inode);
> -
>   if (i_size_read(inode) >= attr->ia_size) {
>   if (ocfs2_should_order_data(inode)) {
>   status = ocfs2_begin_ordered_truncate(inode,
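
Review bot: removing inode_dio_wait() at this point leaves the i_size_read() comparison and ocfs2_begin_ordered_truncate() without a direct-I/O drain after the locks are held; the only wait now happens before ocfs2_rw_lock(inode, 1). Please state in the changelog what prevents a new direct I/O from being issued between the earlier inode_dio_wait() and the lock acquisition, since the old placement gave that guarantee to the truncate path below.
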
> 
> 
> .
> 



Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators

2018-02-10 Thread Sergey Suloev

On 02/11/2018 01:07 AM, Philipp Rossak wrote:



On 10.02.2018 22:08, Sergey Suloev wrote:

On 02/11/2018 12:01 AM, Philipp Rossak wrote:

Hey Sergey,

Thanks for mentioning, but I think the problem has nothing to do 
with those patches. I tested them with the v4.15.0 Kernel since this 
is the last stable release and we are right now in the merging window.


I tested the latest mainline, without those patches and the kernel 
is not booting (I can't see any uart output).


Thanks,
Philipp

On 10.02.2018 14:56, Sergey Suloev wrote:

On 02/09/2018 08:52 PM, Philipp Rossak wrote:
This patchseries fixes the bananapi m1 devicetree, to be able to boot again.
The first two patches update/improve the devicetree and the last patch adds
all missing regulators.

Regards,
Philipp

Philipp Rossak (3):
   arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes
   arm: dts: sun6i: a31s: bpi-m2: improve pmic properties
   arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators

  arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++-
  1 file changed, 67 insertions(+), 3 deletions(-)


patches are not working

Thanks


same problem, but after applying the patches my device is still hanging.


Can you please share a bootlog? Here is mine [1]. As you can see I'm 
able to boot.
I build it with this branch [2]. For testing you should replace the 
dtb and the uImage/zImage


Philipp


[1]: https://pastebin.com/mVjv3LDf
[2]: 
https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2


I am going to test it and come back with outcome

Thanks



Re: [RFC PATCH 4/7] kconfig: support new special property shell=

2018-02-10 Thread Linus Torvalds
On Sat, Feb 10, 2018 at 8:46 PM, Linus Torvalds wrote:
>
> Argh. I wanted to get rid of all that entirely, and simplify this all.
> The mentioned script (and bugzilla) was from 2006, I assumed this was
> all historical.
>
> But if it has broken again since, I guess we need to have a silly script. Grr.

Ok, so this really ended up bothering me.

I was hoping to really just unify all the stupid compiler flag testing
in just the Kconfig files and hoping we could really just use

    config CC_xyz
            bool
            option cc_option "-fwhatever-xyz"

to set them, and then build Kconfig rules from that:

    config USE_xyz
            bool "Some question that needs xyz"
            depends on CC_xyz

and have a nice simple

    ccflags-$(CONFIG_USE_xyz) += -fwhatever-xyz

in the Makefiles.

And one thought I had was "hey, if we need a script for
-fstack-protector, maybe we can simply standardize on _everything_
using a script".

But doing the stats, we test about two _hundred_  different compiler
options, and it really looks like -fstack-protector is the _only_ one
that uses a dedicated script. Everything else is just using the "see
if the compiler accepts the flag". So no, we wouldn't want to
standardize around a script.

We do have a script for some other build options related to gcc
breakage, but not command line flags per se: both 'asm goto' and for
gcc version generation. And gcc plugin compatibility checking.

Oh well. It looks like we really have to have those nasty exceptions
from the normal rules.

 Linus
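
The two kinds of probe contrasted in the message above, as an added example that is not part of the thread and is not the kernel's own script: an "accepts the flag" test next to a functional test that checks a canary is actually emitted. The function names and the stub "compilers" built by make_stub are constructed for illustration; the stubs are run through sh so the example works without a real toolchain.

```shell
#!/bin/sh
# Added illustration: why "the compiler accepts -fstack-protector" and
# "the compiler emits a working stack protector" are different questions.

# cc_accepts CC FLAG
# The generic probe: compile a trivial translation unit with FLAG and
# -Werror and look only at the exit status.
cc_accepts() {
    cc=$1 flag=$2
    # $cc is left unquoted on purpose so "gcc -m64" style values work.
    echo 'int probe;' |
        $cc -Werror "$flag" -x c -c - -o /dev/null >/dev/null 2>&1
}

# cc_emits_canary CC FLAG
# The functional probe: compile a function with an on-stack buffer to
# assembly and require a reference to the canary failure handler.
cc_emits_canary() {
    cc=$1 flag=$2
    echo 'void sink(char *); void probe(void) { char buf[200]; sink(buf); }' |
        $cc "$flag" -O0 -S -x c - -o - 2>/dev/null |
        grep -q '__stack_chk_fail'
}

# classify CC FLAG
# Prints one of: rejected, accepted-but-inert, usable.
# "accepted-but-inert" is the case a flag-only probe cannot see: the
# hardening option would be enabled in the config while the generated
# code carries no protection.
classify() {
    if ! cc_accepts "$1" "$2"; then
        echo rejected
    elif cc_emits_canary "$1" "$2"; then
        echo usable
    else
        echo accepted-but-inert
    fi
}

# make_stub PATH MODE
# Writes a constructed stand-in for a compiler so the three outcomes can
# be reproduced offline. MODE is one of:
#   canary  - accepts the flag and emits a __stack_chk_fail call
#   inert   - accepts the flag but emits no canary code
#   rejects - exits non-zero when given -fstack-protector
make_stub() {
    path=$1 mode=$2
    cat >"$path" <<EOF
#!/bin/sh
# constructed fake compiler, mode: $mode
cat >/dev/null
case " \$* " in
*" -fstack-protector "*) [ "$mode" = rejects ] && exit 1 ;;
esac
case " \$* " in
*" -S "*)
    echo "probe:"
    [ "$mode" = canary ] && echo "    call __stack_chk_fail"
    ;;
esac
exit 0
EOF
}

# demo: classify the three constructed stubs and print one line each.
demo() {
    dir=$(mktemp -d) || return 1
    for m in canary inert rejects; do
        make_stub "$dir/$m" "$m"
        printf '%-8s %s\n' "$m" "$(classify "sh $dir/$m" -fstack-protector)"
    done
    rm -rf "$dir"
}

# When invoked as: script.sh CC FLAG  -> classify a real compiler.
if [ "$#" -ge 2 ]; then
    classify "$1" "$2"
fi
```

Run `demo` to see the three outcomes, or pass a real compiler and flag as the two arguments to classify it.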


/kbuild/src/consumer/include/linux/kasan.h:28:41: error: 'KASAN_SHADOW_SCALE_SHIFT' undeclared; did you mean 'KASAN_SHADOW_START'?

2018-02-10 Thread kbuild test robot
tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   d48fcbd864a008802a90c58a9ceddd9436d11a49
commit: 917538e212a2c080af95ccb4376c5387fac08176 kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage
date:   4 days ago
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 7.2.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        git checkout 917538e212a2c080af95ccb4376c5387fac08176
        # save the attached .config to linux build tree
        make.cross ARCH=xtensa

All errors (new ones prefixed by >>):

   In file included from /kbuild/src/consumer/include/linux/slab.h:129:0,
                    from /kbuild/src/consumer/include/linux/irq.h:26,
                    from /kbuild/src/consumer/include/asm-generic/hardirq.h:13,
                    from ./arch/xtensa/include/generated/asm/hardirq.h:1,
                    from /kbuild/src/consumer/include/linux/hardirq.h:9,
                    from /kbuild/src/consumer/include/linux/interrupt.h:13,
                    from /kbuild/src/consumer/drivers//w1/masters/matrox_w1.c:30:
   /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow':
>> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you mean 'KASAN_SHADOW_START'?
     return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT)
                                            ^~~~
                                            KASAN_SHADOW_START
   /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in
--
   In file included from /kbuild/src/consumer/include/linux/slab.h:129:0,
                    from /kbuild/src/consumer/include/linux/irq.h:26,
                    from /kbuild/src/consumer/include/asm-generic/hardirq.h:13,
                    from ./arch/xtensa/include/generated/asm/hardirq.h:1,
                    from /kbuild/src/consumer/include/linux/hardirq.h:9,
                    from /kbuild/src/consumer/include/linux/interrupt.h:13,
                    from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:45,
                    from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40:
   /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow':
>> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you mean 'KASAN_SHADOW_START'?
     return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT)
                                            ^~~~
                                            KASAN_SHADOW_START
   /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in
   In file included from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:64:0,
                    from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40:
   /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h: At top level:
   /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h:109:0: warning: "WSR" redefined
     #define   WSR 0x01  /* sta: wide scsi received   [W]*/

   In file included from /kbuild/src/consumer/arch/xtensa/include/asm/bitops.h:22:0,
                    from /kbuild/src/consumer/include/linux/bitops.h:38,
                    from /kbuild/src/consumer/include/linux/kernel.h:11,
                    from /kbuild/src/consumer/include/linux/list.h:9,
                    from /kbuild/src/consumer/include/linux/wait.h:7,
                    from /kbuild/src/consumer/include/linux/completion.h:12,
                    from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:43,
                    from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40:
   /kbuild/src/consumer/arch/xtensa/include/asm/processor.h:220:0: note: this is the location of the previous definition
    #define WSR(v,sr) __asm__ __volatile__ ("wsr %0,"__stringify(sr) :: "a"(v));

--
   In file included from /kbuild/src/consumer/include/linux/slab.h:129:0,
                    from /kbuild/src/consumer/include/linux/irq.h:26,
                    from /kbuild/src/consumer/include/asm-generic/hardirq.h:13,
                    from ./arch/xtensa/include/generated/asm/hardirq.h:1,
                    from /kbuild/src/consumer/include/linux/hardirq.h:9,
                    from /kbuild/src/consumer/include/linux/interrupt.h:13,
                    from /kbuild/src/consumer/drivers/infiniband/hw/bnxt_re/ib_verbs.c:39:
   /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow':
>> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: 'KASAN_SHADOW_SCALE_SHIFT'

Re: [PATCHv2 1/2] zsmalloc: introduce zs_huge_object() function

2018-02-10 Thread Mike Rapoport
Some more nitpicks :)

On Sat, Feb 10, 2018 at 05:23:21PM +0900, Sergey Senozhatsky wrote:
> Not every object can share its zspage with other objects, e.g.
> when the object is as big as zspage or nearly as big as a zspage.
> For such objects zsmalloc has a so called huge class - every object
> which belongs to huge class consumes the entire zspage (which
> consists of a physical page). On x86_64, PAGE_SHIFT 12 box, the
> first non-huge class size is 3264, so starting down from size 3264,
> objects can share page(-s) and thus minimize memory wastage.
> 
> ZRAM, however, has its own statically defined watermark for huge
> objects - "3 * PAGE_SIZE / 4 = 3072", and forcibly stores every
> object larger than this watermark (3072) as a PAGE_SIZE object,
> in other words, to a huge class, while zsmalloc can keep some of
> those objects in non-huge classes. This results in increased
> memory consumption.
> 
> zsmalloc knows better if the object is huge or not. Introduce
> zs_huge_object() function which tells if the given object can be
> stored in one of non-huge classes or not. This will let us drop
> ZRAM's huge object watermark and fully rely on zsmalloc when we
> decide if the object is huge.
> 
> Signed-off-by: Sergey Senozhatsky 
> ---
>  include/linux/zsmalloc.h |  2 ++
>  mm/zsmalloc.c| 26 ++
>  2 files changed, 28 insertions(+)
> 
> diff --git a/include/linux/zsmalloc.h b/include/linux/zsmalloc.h
> index 57a8e98f2708..9a1baf673cc1 100644
> --- a/include/linux/zsmalloc.h
> +++ b/include/linux/zsmalloc.h
> @@ -47,6 +47,8 @@ void zs_destroy_pool(struct zs_pool *pool);
>  unsigned long zs_malloc(struct zs_pool *pool, size_t size, gfp_t flags);
>  void zs_free(struct zs_pool *pool, unsigned long obj);
> 
> +bool zs_huge_object(size_t sz);
> +
>  void *zs_map_object(struct zs_pool *pool, unsigned long handle,
>   enum zs_mapmode mm);
>  void zs_unmap_object(struct zs_pool *pool, unsigned long handle);
> diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
> index c3013505c305..922180183ca3 100644
> --- a/mm/zsmalloc.c
> +++ b/mm/zsmalloc.c
> @@ -192,6 +192,7 @@ static struct vfsmount *zsmalloc_mnt;
>   * (see: fix_fullness_group())
>   */
>  static const int fullness_threshold_frac = 4;
> +static size_t zs_huge_class_size;
> 
>  struct size_class {
>   spinlock_t lock;
> @@ -1417,6 +1418,28 @@ void zs_unmap_object(struct zs_pool *pool, unsigned 
> long handle)
>  }
>  EXPORT_SYMBOL_GPL(zs_unmap_object);
> 
> +/**
> + * zs_huge_object() - Test if a compressed object's size is too big for 
> normal
> + *zspool classes and it shall be stored in a huge class.

I think "is should be stored" is more appropriate

> + * @sz: Size of the compressed object (in bytes).
> + *
> + * The function checks if the object's size falls into huge_class
> + * area. We must take handle size into account and test the actual
> + * size we are going to use, because zs_malloc() unconditionally
> + * adds %ZS_HANDLE_SIZE before it performs %size_class lookup.

^ _class ;-)

> + *
> + * Context: Any context.
> + *
> + * Return:
> + * * true  - The object's size is too big, it will be stored in a huge class.
> + * * false - The object will be store in normal zspool classes.
> + */
> +bool zs_huge_object(size_t sz)
> +{
> + return sz + ZS_HANDLE_SIZE >= zs_huge_class_size;
> +}
> +EXPORT_SYMBOL_GPL(zs_huge_object);
> +
>  static unsigned long obj_malloc(struct size_class *class,
>   struct zspage *zspage, unsigned long handle)
>  {
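
Review bot: zs_huge_object() compares against zs_huge_class_size, a file-scope static that stays 0 until zs_create_pool() has set it, so a call made before any pool exists returns true for every size (sz + ZS_HANDLE_SIZE >= 0). The kernel-doc says "Context: Any context." without stating that precondition; either document that a pool must have been created first or handle the zero case explicitly. In the Return section, "will be store" should read "will be stored".
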
> @@ -2404,6 +2427,9 @@ struct zs_pool *zs_create_pool(const char *name)
>   INIT_LIST_HEAD(>fullness_list[fullness]);
> 
>   prev_class = class;
> + if (pages_per_zspage == 1 && objs_per_zspage == 1
> + && !zs_huge_class_size)
> + zs_huge_class_size = size;
>   }
> 
>   /* debug only, don't abort if it fails */
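
Review bot: the new condition in zs_create_pool() latches the first class it meets with pages_per_zspage == 1 and objs_per_zspage == 1, so the recorded value depends on the direction in which the enclosing loop walks the size classes, which this hunk does not show. If the loop runs from the largest class down, the value latched is the largest class size rather than a value at the boundary with the first non-huge class that the changelog gives (3264 on x86_64 with PAGE_SHIFT 12); a comment stating the iteration order and why the first match is the intended one would settle this. zs_huge_class_size is also a single global written here on every pool creation with no protection beyond the !zs_huge_class_size test, which deserves a note on why that is safe. Style: kernel convention puts the && at the end of the preceding line rather than at the start of the continuation.
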
> -- 
> 2.16.1
> 

-- 
Sincerely yours,
Mike.



[PATCH v2] Input: gpio_keys: Add level trigger support for GPIO keys

2018-02-10 Thread Baolin Wang
On some platforms (such as Spreadtrum platform), the GPIO keys can only
be triggered by level type. So this patch introduces one property to
indicate if the GPIO trigger type is level trigger or edge trigger.

Signed-off-by: Baolin Wang 
---
Changes since v1:
 - Disable the GPIO irq until reversing the GPIO level type.
---
 .../devicetree/bindings/input/gpio-keys.txt|2 ++
 drivers/input/keyboard/gpio_keys.c |   26 +++-
 include/linux/gpio_keys.h  |1 +
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/Documentation/devicetree/bindings/input/gpio-keys.txt 
b/Documentation/devicetree/bindings/input/gpio-keys.txt
index a949404..e3104bd 100644
--- a/Documentation/devicetree/bindings/input/gpio-keys.txt
+++ b/Documentation/devicetree/bindings/input/gpio-keys.txt
@@ -29,6 +29,8 @@ Optional subnode-properties:
- linux,can-disable: Boolean, indicates that button is connected
  to dedicated (not shared) interrupt which can be disabled to
  suppress events from the button.
+   - gpio-key,level-trigger: Boolean, indicates that button's interrupt
+ type is level trigger. Otherwise it is edge trigger as default.
 
 Example nodes:
 
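Review bot: the new property is named gpio-key,level-trigger, which puts "gpio-key" where the neighbouring property uses the linux, prefix (linux,can-disable); a prefix consistent with the existing properties would fit this binding better. The text also does not say which level is used: the driver hunk picks it from the GPIO's active-low flag via gpiod_is_active_low(), and the binding should state that.
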
diff --git a/drivers/input/keyboard/gpio_keys.c 
b/drivers/input/keyboard/gpio_keys.c
index 87e613d..218698a 100644
--- a/drivers/input/keyboard/gpio_keys.c
+++ b/drivers/input/keyboard/gpio_keys.c
@@ -385,6 +385,20 @@ static void gpio_keys_gpio_work_func(struct work_struct 
*work)
struct gpio_button_data *bdata =
container_of(work, struct gpio_button_data, work.work);
 
+   if (bdata->button->level_trigger) {
+   unsigned int trigger =
+   irq_get_trigger_type(bdata->irq) & ~IRQF_TRIGGER_MASK;
+   int state = gpiod_get_raw_value_cansleep(bdata->gpiod);
+
+   if (state)
+   trigger |= IRQF_TRIGGER_LOW;
+   else
+   trigger |= IRQF_TRIGGER_HIGH;
+
+   irq_set_irq_type(bdata->irq, trigger);
+   enable_irq(bdata->irq);
+   }
+
gpio_keys_gpio_report_event(bdata);
 
if (bdata->button->wakeup)
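
Review bot: in gpio_keys_gpio_work_func() the return value of irq_set_irq_type() is ignored and enable_irq() follows unconditionally, so if the type change fails the interrupt is re-enabled with the old level still selected and will keep firing for as long as the line stays at that level. Check the return value and report the failure before calling enable_irq(). The code also builds the argument from IRQF_TRIGGER_* request flags; irq_set_irq_type() takes an IRQ type, so the IRQ_TYPE_LEVEL_LOW / IRQ_TYPE_LEVEL_HIGH constants would match the API, and it is worth saying in a comment what is expected to remain after masking with ~IRQF_TRIGGER_MASK.
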
@@ -397,6 +411,9 @@ static irqreturn_t gpio_keys_gpio_isr(int irq, void *dev_id)
 
BUG_ON(irq != bdata->irq);
 
+   if (bdata->button->level_trigger)
+   disable_irq_nosync(bdata->irq);
+
if (bdata->button->wakeup) {
const struct gpio_keys_button *button = bdata->button;
 
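Review bot: the disable_irq_nosync() added to gpio_keys_gpio_isr() is balanced only by the enable_irq() in gpio_keys_gpio_work_func(), so the line stays masked if the button's delayed work is ever cancelled or never runs. Please confirm that every path which cancels that work re-enables the interrupt for level-triggered buttons, and add a comment at this call naming where the matching enable_irq() lives.
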
@@ -566,7 +583,11 @@ static int gpio_keys_setup_key(struct platform_device 
*pdev,
INIT_DELAYED_WORK(>work, gpio_keys_gpio_work_func);
 
isr = gpio_keys_gpio_isr;
-   irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING;
+   if (button->level_trigger)
+   irqflags = gpiod_is_active_low(bdata->gpiod) ?
+   IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH;
+   else
+   irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING;
 
} else {
if (!button->irq) {
@@ -721,6 +742,9 @@ static void gpio_keys_close(struct input_dev *input)
button->can_disable =
fwnode_property_read_bool(child, "linux,can-disable");
 
+   button->level_trigger =
+   fwnode_property_read_bool(child, 
"gpio-key,level-trigger");
+
if (fwnode_property_read_u32(child, "debounce-interval",
 >debounce_interval))
button->debounce_interval = 5;
diff --git a/include/linux/gpio_keys.h b/include/linux/gpio_keys.h
index d06bf77..5095645 100644
--- a/include/linux/gpio_keys.h
+++ b/include/linux/gpio_keys.h
@@ -28,6 +28,7 @@ struct gpio_keys_button {
int wakeup;
int debounce_interval;
bool can_disable;
+   bool level_trigger;
int value;
unsigned int irq;
 };
-- 
1.7.9.5



The usage of page_mapping() in architecture code

2018-02-10 Thread Huang, Ying
Sorry for bothering, forgot to Cc LKML in the original email.

Hi, All,

To optimize the scalability of swap cache, it is made more dynamic
than before.  That is, after being swapped off, the address space of
the swap device will be freed too.  So the usage of page_mapping()
needs to be audited to make sure the address space of the swap device
will not be used after it is freed.  For most cases it is OK, because
to call page_mapping(), the page, page table, or LRU list will be
locked.  But I found at least one usage that isn't safe: when
page_mapping() is called in architecture specific code to flush dcache
or sync between dcache and icache.

The typical usage models are,


1) Check whether page_mapping() is NULL, which is safe

2) Call mapping_mapped() to check whether the backing file is mapped
   to user space.

3) Iterate all vmas via the interval tree (mapping->i_mmap) to flush dcache


2) and 3) aren't safe, because no lock to prevent swap device from
swapping off is held.  But I found the code is for file address space
only, not for swap cache.  For example, for flush_dcache_page() in
arch/parisc/kernel/cache.c,


void flush_dcache_page(struct page *page)
{
	struct address_space *mapping = page_mapping(page);
	struct vm_area_struct *mpnt;
	unsigned long offset;
	unsigned long addr, old_addr = 0;
	pgoff_t pgoff;

	if (mapping && !mapping_mapped(mapping)) {
		set_bit(PG_dcache_dirty, &page->flags);
		return;
	}

	flush_kernel_dcache_page(page);

	if (!mapping)
		return;

	pgoff = page->index;

	/* We have carefully arranged in arch_get_unmapped_area() that
	 * *any* mappings of a file are always congruently mapped (whether
	 * declared as MAP_PRIVATE or MAP_SHARED), so we only need
	 * to flush one address here for them all to become coherent */

	flush_dcache_mmap_lock(mapping);
	vma_interval_tree_foreach(mpnt, &mapping->i_mmap, pgoff, pgoff) {
		offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT;
		addr = mpnt->vm_start + offset;

		/* The TLB is the engine of coherence on parisc: The
		 * CPU is entitled to speculate any page with a TLB
		 * mapping, so here we kill the mapping then flush the
		 * page along a special flush only alias mapping.
		 * This guarantees that the page is no-longer in the
		 * cache for any process and nor may it be
		 * speculatively read in (until the user or kernel
		 * specifically accesses it, of course) */

		flush_tlb_page(mpnt, addr);
		if (old_addr == 0 || (old_addr & (SHM_COLOUR - 1))
				      != (addr & (SHM_COLOUR - 1))) {
			__flush_cache_page(mpnt, addr, page_to_phys(page));
			if (old_addr)
				printk(KERN_ERR "INEQUIVALENT ALIASES 0x%lx and 0x%lx in file %pD\n", old_addr, addr, mpnt->vm_file);
			old_addr = addr;
		}
	}
	flush_dcache_mmap_unlock(mapping);
}


If the page is an anonymous page in swap cache, "mapping &&
!mapping_mapped()" will be true, so we will delay flushing.  But if my
understanding of the code is correct, we should call
flush_kernel_dcache() because the kernel may access the page during
swapping in/out.

The code in other architectures follows similar logic.  Would it be
better for page_mapping() here to return NULL for anonymous pages even
if they are in swap cache?  Of course we need to change the function
name.  page_file_mapping() appears to be a good name, but that has been
used already.  Any suggestion?

Is my understanding correct?  Could you help me on this?

Best Regards,
Huang, Ying


drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit declaration of function 'cmpxchg64'; did you mean 'cmpxchg'?

2018-02-10 Thread kbuild test robot
Hi Alice,

FYI, the error/warning still remains.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   d48fcbd864a008802a90c58a9ceddd9436d11a49
commit: 60f481b9703867330dc6010868054f68f6d52f7a i40e: change flags to use 64 
bits
date:   2 weeks ago
config: mips-allyesconfig (attached as .config)
compiler: mips-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0
reproduce:
wget 
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O 
~/bin/make.cross
chmod +x ~/bin/make.cross
git checkout 60f481b9703867330dc6010868054f68f6d52f7a
# save the attached .config to linux build tree
make.cross ARCH=mips 

All errors (new ones prefixed by >>):

   drivers/net/ethernet/intel/i40e/i40e_ethtool.c: In function 
'i40e_set_priv_flags':
>> drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit 
>> declaration of function 'cmpxchg64'; did you mean 'cmpxchg'? 
>> [-Werror=implicit-function-declaration]
 if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) {
 ^
 cmpxchg
   cc1: some warnings being treated as errors

vim +4326 drivers/net/ethernet/intel/i40e/i40e_ethtool.c

  4258  
  4259  /**
  4260   * i40e_set_priv_flags - set private flags
  4261   * @dev: network interface device structure
  4262   * @flags: bit flags to be set
  4263   **/
  4264  static int i40e_set_priv_flags(struct net_device *dev, u32 flags)
  4265  {
  4266  struct i40e_netdev_priv *np = netdev_priv(dev);
  4267  struct i40e_vsi *vsi = np->vsi;
  4268  struct i40e_pf *pf = vsi->back;
  4269  u64 orig_flags, new_flags, changed_flags;
  4270  u32 i, j;
  4271  
  4272  orig_flags = READ_ONCE(pf->flags);
  4273  new_flags = orig_flags;
  4274  
  4275  for (i = 0; i < I40E_PRIV_FLAGS_STR_LEN; i++) {
  4276  const struct i40e_priv_flags *priv_flags;
  4277  
  4278  priv_flags = _gstrings_priv_flags[i];
  4279  
  4280  if (flags & BIT(i))
  4281  new_flags |= priv_flags->flag;
  4282  else
  4283  new_flags &= ~(priv_flags->flag);
  4284  
  4285  /* If this is a read-only flag, it can't be changed */
  4286  if (priv_flags->read_only &&
  4287  ((orig_flags ^ new_flags) & ~BIT(i)))
  4288  return -EOPNOTSUPP;
  4289  }
  4290  
  4291  if (pf->hw.pf_id != 0)
  4292  goto flags_complete;
  4293  
  4294  for (j = 0; j < I40E_GL_PRIV_FLAGS_STR_LEN; j++) {
  4295  const struct i40e_priv_flags *priv_flags;
  4296  
  4297  priv_flags = _gl_gstrings_priv_flags[j];
  4298  
  4299  if (flags & BIT(i + j))
  4300  new_flags |= priv_flags->flag;
  4301  else
  4302  new_flags &= ~(priv_flags->flag);
  4303  
  4304  /* If this is a read-only flag, it can't be changed */
  4305  if (priv_flags->read_only &&
  4306  ((orig_flags ^ new_flags) & ~BIT(i)))
  4307  return -EOPNOTSUPP;
  4308  }
  4309  
  4310  flags_complete:
  4311  /* Before we finalize any flag changes, we need to perform some
  4312   * checks to ensure that the changes are supported and safe.
  4313   */
  4314  
  4315  /* ATR eviction is not supported on all devices */
  4316  if ((new_flags & I40E_FLAG_HW_ATR_EVICT_ENABLED) &&
  4317  !(pf->hw_features & I40E_HW_ATR_EVICT_CAPABLE))
  4318  return -EOPNOTSUPP;
  4319  
  4320  /* Compare and exchange the new flags into place. If we failed, 
that
  4321   * is if cmpxchg returns anything but the old value, this means 
that
  4322   * something else has modified the flags variable since we 
copied it
  4323   * originally. We'll just punt with an error and log something 
in the
  4324   * message buffer.
  4325   */
> 4326  if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) 
> {
  4327  dev_warn(>pdev->dev,
  4328   "Unable to update pf->flags as it was modified 
by another thread...\n");
  4329  return -EAGAIN;
  4330  }
  4331  
  4332  changed_flags = orig_flags ^ new_flags;
  4333  
  4334  /* Process any additional changes needed as a result of flag 
changes.
  4335   * The changed_flags value reflects the list of bits that were
  4336   * changed in the code above.
  4337   */
  4338  
  4339  /* Flush current ATR settings if ATR was disabled */
  4340  if ((changed_flags & I40E_FLAG_FD_ATR_ENABLED) &&
  4341  !(pf->flags & I40E_FLAG_FD_ATR_ENABLED)) {
  4342 

Re: [PATCH] f2fs: set_code_data in move_data_block

2018-02-10 Thread Yunlong Song

OK, Got it.

On 2018/2/11 11:50, Chao Yu wrote:

On 2018/2/11 11:34, Yunlong Song wrote:

Ping...

move_data_block misses set_cold_data, then the F2FS_WB_CP_DATA will
lack these data pages in move_data_block, and write_checkpoint cannot
make sure these pages are committed to the flash.


Hmm.. data block migration is running based on meta inode, so it will
be safe since checkpoint will flush all meta pages including encrypted
pages cached in meta inode?

Thanks,



On 2018/2/8 20:33, Yunlong Song wrote:

Signed-off-by: Yunlong Song 
---
   fs/f2fs/gc.c | 1 +
   1 file changed, 1 insertion(+)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index b9d93fd..2095630 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -692,6 +692,7 @@ static void move_data_block(struct inode *inode, block_t 
bidx,
fio.op = REQ_OP_WRITE;
fio.op_flags = REQ_SYNC;
fio.new_blkaddr = newaddr;
+   set_cold_data(fio.page);
err = f2fs_submit_page_write();
if (err) {
if (PageWriteback(fio.encrypted_page))
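
Review bot: the added set_cold_data(fio.page) marks fio.page, while the error path right below it tests PageWriteback(fio.encrypted_page), so it is not obvious from this hunk that the page being tagged is the one actually submitted for writeback. The posted patch carries no changelog beyond the Signed-off-by, and the subject says set_code_data where the code says set_cold_data; please resend with the rationale from the ping in the commit message, including why tagging fio.page is what the checkpoint accounting needs.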









--
Thanks,
Yunlong Song



Re: [PATCH] seq_file: remove redundant assignment of index to m->index

2018-02-10 Thread Donglin Peng
On Sun, Feb 11, 2018 at 9:02 AM, Matthew Wilcox  wrote:
> On Sat, Feb 10, 2018 at 10:04:23AM -0800, Joe Perches wrote:
>> > @@ -120,14 +120,12 @@ static int traverse(struct seq_file *m, loff_t 
>> > offset)
>> >  if (pos + m->count > offset) {
>> >  m->from = offset - pos;
>> >  m->count -= m->from;
>> > -m->index = index;
>> >  break;
>> >  }
>> >  pos += m->count;
>> >  m->count = 0;
>> >  if (pos == offset) {
>> >  index++;
>> > -m->index = index;
>> >  break;
>> >  }
>> >  p = m->op->next(m, p, );
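
Review bot: both removed `m->index = index;` lines sit directly before a `break`, so whether they are redundant depends entirely on code after the loop that this hunk does not show. The changelog should cite the later assignment that makes them dead and confirm that no callback taking `m` runs between the break and that assignment.
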
>>
>> Of course this looks correct, but how
>> are you _absolutely sure_ about this?
>>
>> Perhaps the m->op->stop(m, p) call below
>> the break, which takes m as an argument,
>> needs an updated m->index.
>
> Not only that, but ->next might also look at m->index.
I think there is no chance to call op->next, because the loop will
break immediately
after the assignment.


Re: [kselftests] compaction_test is blocked

2018-02-10 Thread Li Zhijian



On 02/10/2018 05:11 AM, Dan Rue wrote:

On Fri, Feb 09, 2018 at 03:53:59PM +0800, Li Zhijian wrote:

Hi

kselftests is integrated into the Intel 0Day project.
Sometimes we found compaction_test is blocked for more than 1 hour until I kill it.

Trying to figure out where it is running, I added some logging to this case.

The test log looks like:
---
  [  111.750543] main: 248
  [  111.750544]-
  [ 111.750821] check_compaction: 98
  [  111.750822]-
  [  111.751102] check_compaction: 105
  [  111.751103]-
  [  111.751362] check_compaction: 111
  [  111.751363]-
  [  111.751621] check_compaction: 118
  [  111.751622]-
  [  111.751879] check_compaction: 123
  [  111.751880]-
---
118 fprintf(stderr, "%s: %d\n", __func__, __LINE__);
119 lseek(fd, 0, SEEK_SET);
120
121 /* Request a large number of huge pages. The Kernel will allocate
122as much as it can */
123 fprintf(stderr, "%s: %d\n", __func__, __LINE__); 
<<< the last line we can catch.
124 if (write(fd, "10", (6*sizeof(char))) != (6*sizeof(char))) {
 blocking position
125 perror("Failed to write 10 to 
/proc/sys/vm/nr_hugepages\n");
126 goto close_fd;
127 }
128
129 lseek(fd, 0, SEEK_SET);
130
131 fprintf(stderr, "%s: %d\n", __func__, __LINE__);
132 if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) {
133 perror("Failed to re-read from 
/proc/sys/vm/nr_hugepages\n");
134 goto close_fd;
135 }
---

According to the above log and code, it is most likely blocking at the write operation.

my environment is like:
OS: debian
kernel: v4.15
model: Ivytown Ivy Bridge-EP
nr_cpu: 48
memory: 64G

Hi Zhijian,

Please try this patch in mainline:

 4c1baad22390 kselftest: fix OOM in memory compaction test


Hi Dan

Thanks for your replies.

I ran this case on v4.15, and it looks like this patch is already merged in v4.15.
lizhijian@inn:~/linux$ git describe 4c1baad
v4.15-rc2-2-g4c1baad223906

Thanks


Dan



NOTE: 0Day can reproduce this issue in 20% on 0Day.

Anybody can help have a look?

Thanks
Zhjian






--
Best regards.
Li Zhijian (8528)





Re: [PATCH] KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use

2018-02-10 Thread Peter Xu
On Fri, Feb 09, 2018 at 02:01:33PM +0100, Vitaly Kuznetsov wrote:
> Devices which use level-triggered interrupts under Windows 2016 with
> Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV
> unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC
> version which has no EOI register so EOI never happens.
> 
> The issue was discovered and discussed a while ago:
> https://www.spinics.net/lists/kvm/msg148098.html
> 
> While this is a guest OS bug (it should check that IOAPIC has the required
> capabilities before disabling EOI broadcast) we can workaround it in KVM:
> advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway.
> 
> Signed-off-by: Vitaly Kuznetsov 
> ---
> - Radim's suggestion was to disable DIRECTED_EOI unconditionally but I'm not
>   that radical :-) In theory, we may have multiple IOAPICs in userspace in
>   future and DIRECTED_EOI can be leveraged.

I sort of agree on this, especially considering that we already have
IOAPIC version 0x20 support in QEMU.

> ---
>  arch/x86/kvm/lapic.c | 10 +-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> index 924ac8ce9d50..5339287fee63 100644
> --- a/arch/x86/kvm/lapic.c
> +++ b/arch/x86/kvm/lapic.c
> @@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu)
>   if (!lapic_in_kernel(vcpu))
>   return;
>  
> + /*
> +  * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation)
> +  * which doesn't have EOI register; Some buggy OSes (e.g. Windows with
> +  * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC
> +  * version first and level-triggered interrupts never get EOIed in
> +  * IOAPIC.
> +  */
>   feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0);
> - if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31
> + if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) &&
> + !ioapic_in_kernel(vcpu->kvm))
>   v |= APIC_LVR_DIRECTED_EOI;
>   kvm_lapic_set_reg(apic, APIC_LVR, v);
>  }
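
Review bot: with the added !ioapic_in_kernel(vcpu->kvm) term, the value written to APIC_LVR depends on the IOAPIC mode at the moment kvm_apic_set_version() runs, and neither the new comment nor the changelog says what a guest sees if that mode is decided after this call or if the VM is migrated from a host that still advertised APIC_LVR_DIRECTED_EOI. Please document that ordering and the migration behaviour in the comment. The comment wording could also be tightened: "KVM emulates 82093AA datasheet" should say that the in-kernel IOAPIC emulates the 82093AA, which has no EOI register.
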
> -- 
> 2.14.3
> 

Does this mean that we can avoid the migration problem that Radim
raised in the previous discussion?  Basically the OSs should only probe
this version once for each boot; if so, I think it should be fine.  But
since you didn't mention that in either the commit message or the comment, I
would like to ask and confirm.

For the change itself, it looks sane to me.

Thanks,

-- 
Peter Xu


[PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ladi Prosek 

commit 21f2d551183847bc7fbe8d866151d00cdad18752 upstream.

Intel SDM 27.5.2 Loading Host Segment and Descriptor-Table Registers:

"The GDTR and IDTR limits are each set to H."

Signed-off-by: Ladi Prosek 
Signed-off-by: Paolo Bonzini 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
 arch/x86/kvm/vmx.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7076,6 +7076,8 @@ void load_vmcs12_host_state(struct kvm_v
vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip);
vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base);
vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base);
+   vmcs_write32(GUEST_IDTR_LIMIT, 0x);
+   vmcs_write32(GUEST_GDTR_LIMIT, 0x);
vmcs_writel(GUEST_TR_BASE, vmcs12->host_tr_base);
vmcs_writel(GUEST_GS_BASE, vmcs12->host_gs_base);
vmcs_writel(GUEST_FS_BASE, vmcs12->host_fs_base);
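
Review bot: in the two added vmcs_write32() lines the limit constant appears in this mail as a bare `0x` with no hex digits, and the SDM sentence quoted in the changelog likewise reads "set to H", so the value being written cannot be checked from what is posted. Please resend with the constant intact, and consider a named macro for it so the IDTR and GDTR writes cannot drift apart.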



[PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Gabriele Paoloni 

commit 86acc790717fb60fb51ea3095084e331d8711c74 upstream.

Previously, if a non-fatal error was reported by an endpoint, we
called report_error_detected() for the endpoint, every sibling on the
bus, and their descendants.  If any of them did not implement the
.error_detected() method, do_recovery() failed, leaving all these
devices unrecovered.

For example, the system described in the bugzilla below has two devices:

  :74:02.0 [19e5:a230] SAS controller, driver has .error_detected()
  :74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected()

When a device such as 74:02.0 reported a non-fatal error, do_recovery()
failed because 74:03.0 lacked an .error_detected() method.  But per PCIe
r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and
does not affect 74:03.0:

  Non-fatal errors are uncorrectable errors which cause a particular
  transaction to be unreliable but the Link is otherwise fully functional.
  Isolating Non-fatal from Fatal errors provides Requester/Receiver logic
  in a device or system management software the opportunity to recover from
  the error without resetting the components on the Link and disturbing
  other transactions in progress.  Devices not associated with the
  transaction in error are not impacted by the error.

Report non-fatal errors only to the endpoint that reported them.  We really
want to check for AER_NONFATAL here, but the current code structure doesn't
allow that.  Looking for pci_channel_io_normal is the best we can do now.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055
Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver")
Signed-off-by: Gabriele Paoloni 
Signed-off-by: Dongdong Liu 
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas 
Signed-off-by: Ben Hutchings 
---
 drivers/pci/pcie/aer/aerdrv_core.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/pci/pcie/aer/aerdrv_core.c
+++ b/drivers/pci/pcie/aer/aerdrv_core.c
@@ -367,7 +367,14 @@ static pci_ers_result_t broadcast_error_
 * If the error is reported by an end point, we think this
 * error is related to the upstream link of the end point.
 */
-   pci_walk_bus(dev->bus, cb, _data);
+   if (state == pci_channel_io_normal)
+   /*
+* the error is non fatal so the bus is ok, just invoke
+* the callback for the function that logged the error.
+*/
+   cb(dev, _data);
+   else
+   pci_walk_bus(dev->bus, cb, _data);
}
 
return result_data.result;
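
Review bot: the new if (state == pci_channel_io_normal) branch puts a four-line comment between the condition and its single unbraced statement, with an unbraced else after it; add braces to both arms so a later edit cannot detach the cb() call from the condition. The in-code comment also says "the error is non fatal", but the changelog admits pci_channel_io_normal is only a stand-in for AER_NONFATAL; say that in the comment so the proxy is not mistaken for the real check.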



[PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Lepton Wu 

This finally resolves the crash if loaded under qemu + haxm. Haitao Shan pointed
out that the reason for that crash is that the NX bit gets set for page tables.
It seems we missed checking if _PAGE_NX is supported in kaiser_add_user_map.

Link: https://www.spinics.net/lists/kernel/msg2689835.html

Reviewed-by: Guenter Roeck 
Signed-off-by: Lepton Wu 
Signed-off-by: Greg Kroah-Hartman 
(backported from Greg K-H's 4.4 stable-queue)
Signed-off-by: Juerg Haefliger 
Signed-off-by: Ben Hutchings 
---
 arch/x86/mm/kaiser.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/mm/kaiser.c
+++ b/arch/x86/mm/kaiser.c
@@ -189,6 +189,8 @@ static int kaiser_add_user_map(const voi
 * requires that not to be #defined to 0): so mask it off here.
 */
flags &= ~_PAGE_GLOBAL;
+   if (!(__supported_pte_mask & _PAGE_NX))
+   flags &= ~_PAGE_NX;
 
if (flags & _PAGE_USER)
BUG_ON(address < FIXADDR_START || end_addr >= FIXADDR_TOP);
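
Review bot: the two added lines clear _PAGE_NX when __supported_pte_mask lacks it, but the comment directly above still explains only the _PAGE_GLOBAL masking, so the NX handling is undocumented in the code. Add a sentence there giving the reason from the changelog (the NX bit getting set for page tables where it is not supported), and consider whether other bits in flags need the same filtering against __supported_pte_mask.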



[PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johan Hovold 

commit 74d471b598444b7f2d964930f7234779c80960a0 upstream.

Make sure to free the port private data before returning after a failed
probe attempt.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman 
Signed-off-by: Johan Hovold 
Signed-off-by: Ben Hutchings 
---
 drivers/usb/serial/garmin_gps.c | 6 ++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1476,6 +1476,12 @@ static int garmin_attach(struct usb_seri
usb_set_serial_port_data(port, garmin_data_p);
 
status = garmin_init_session(port);
+   if (status)
+   goto err_free;
+
+   return 0;
+err_free:
+   kfree(garmin_data_p);
 
return status;
 }
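
Review bot: on the err_free path kfree(garmin_data_p) runs after usb_set_serial_port_data(port, garmin_data_p) has already published the pointer, so the port's private data is left pointing at freed memory when attach fails. Clear it with usb_set_serial_port_data(port, NULL) before returning status, or explain in the changelog why nothing can read the port data after a failed attach.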



[PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d upstream.

FIFO_MODE() is a macro expression with a '<<' operator, which gcc points
out could be misread as a '<':

drivers/input/misc/adxl34x.c: In function 'adxl34x_probe':
drivers/input/misc/adxl34x.c:799:36: error: '<<' in boolean context, did you 
mean '<' ? [-Werror=int-in-bool-context]

While utility of this warning is being disputed (Chief Penguin: "This
warning is clearly pure garbage.") FIFO_MODE() extracts range of values,
with 0 being FIFO_BYPASS, and not something that is logically boolean.

This converts the test to an explicit comparison with FIFO_BYPASS,
making it clearer to gcc and the reader what is intended.

Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
Signed-off-by: Arnd Bergmann 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Ben Hutchings 
---
 drivers/input/misc/adxl34x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/misc/adxl34x.c
+++ b/drivers/input/misc/adxl34x.c
@@ -797,7 +797,7 @@ struct adxl34x *adxl34x_probe(struct dev
 
if (pdata->watermark) {
ac->int_mask |= WATERMARK;
-   if (!FIFO_MODE(pdata->fifo_mode))
+   if (FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS)
ac->pdata.fifo_mode |= FIFO_STREAM;
} else {
ac->int_mask |= DATA_READY;
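
Review bot: the new comparison FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS matches the old !FIFO_MODE(...) test only because FIFO_BYPASS is 0, as the changelog notes; since FIFO_MODE() contains a shift, comparing its result against a non-zero mode constant may need that constant in the same shifted form. A one-line comment at the test, or a helper that compares in the unshifted domain, would keep the next such check from being written incorrectly.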



[PATCH 3.2 00/79] 3.2.99-rc1 review

2018-02-10 Thread Ben Hutchings
This is the start of the stable review cycle for the 3.2.99 release.
There are 79 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Feb 13 12:00:00 UTC 2018.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.2.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-

Al Viro (2):
  autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race
 [4041bcdc7bef06a2fb29c57394c713a74bd13b08]
  autofs4: catatonic_mode vs. notify_daemon race
 [875266be67ff3a984ac1f6566d31c260bee4]

Alan (1):
  usbip: Fix sscanf handling
 [2d32927127f44d755780aa5fa88c8c34e72558f8]

Alan Stern (1):
  USB: usbfs: compute urb->actual_length for isochronous
 [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54]

Alex Chen (1):
  ocfs2: should wait dio before inode lock in ocfs2_setattr()
 [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300]

Alexander Potapenko (1):
  sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
 [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d]

Alexander Steffen (1):
  tpm-dev-common: Reject too short writes
 [ee70bc1e7b63ac8023c9ff9475d8741e397316e7]

Alexandre Belloni (1):
  rtc: set the alarm to the next expiring timer
 [74717b28cb32e1ad3c1042cafd76b264c8c0f68d]

Andreas Rohner (1):
  nilfs2: fix race condition that causes file system corruption
 [31ccb1f7ba3cfe29631587d451cf5bb8ab593550]

Arnd Bergmann (2):
  Input: adxl34x - do not treat FIFO_MODE() as boolean
 [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d]
  isofs: fix timestamps beyond 2027
 [34be4dbf87fc3e474a842305394534216d428f5d]

Bart Van Assche (1):
  IB/srp: Avoid that a cable pull can trigger a kernel crash
 [8a0d18c62121d3c554a83eb96e2752861d84d937]

Bart Westgeest (1):
  staging: usbip: removed #if 0'd out code
 [34c09578179f5838e5958c45e8aed4edc9c6c3b8]

Bernhard Rosenkraenzer (1):
  USB: Add delay-init quirk for Corsair K70 LUX keyboards
 [a0fea6027f19c62727315aba1a7fae75a9caa842]

Brent Taylor (1):
  mtd: nand: Fix writing mtdoops to nand flash.
 [30863e38ebeb500a31cecee8096fb5002677dd9b]

Chuck Lever (1):
  nfs: Fix ugly referral attributes
 [c05cefcc72416a37eba5a2b35f0704ed758a9145]

Colin Ian King (1):
  rtc: interface: ignore expired timers when enqueuing new timers
 [2b2f5ff00f63847d95adad6289bd8b05f5983dd5]

Dan Carpenter (2):
  eCryptfs: use after free in ecryptfs_release_messaging()
 [db86be3a12d0b6e5c5b51c2ab2a48f06329cb590]
  scsi: bfa: integer overflow in debugfs
 [3e351275655d3c84dc28abf170def9786db5176d]

Eric Biggers (1):
  dm bufio: fix integer overflow when limiting maximum cache size
 [74d4108d9e681dbbe4a2940ed8fdff1f6868184c]

Eric Dumazet (1):
  netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
 [2638fd0f92d4397884fd991d8f4925cb3f081901]

Eric W. Biederman (1):
  net/sctp: Always set scope_id in sctp_inet6_skb_msgname
 [7c8a61d9ee1df0fb4747879fa67a99614eb62fec]

Felipe Balbi (1):
  usb: add helper to extract bits 12:11 of wMaxPacketSize
 [541b6fe63023f3059cf85d47ff2767a3e42a8e44]

Gabriele Paoloni (1):
  PCI/AER: Report non-fatal errors only to the affected endpoint
 [86acc790717fb60fb51ea3095084e331d8711c74]

Guenter Roeck (1):
  kaiser: Set _PAGE_NX only if supported
 [61e9b3671007a5da8127955a1a3bda7e0d5f42e8]

Guillaume Nault (5):
  l2tp: don't register sessions in l2tp_session_create()
 [3953ae7b218df4d1e544b98a393666f9ae58a78c]
  l2tp: ensure sessions are freed after their PPPOL2TP socket
 [cdd10c9627496ad25c87ce6394e29752253c69d3]
  l2tp: initialise PPP sessions before registering them
 [f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c]
  l2tp: initialise l2tp_eth sessions before registering them
 [ee28de6bbd78c2e18111a0aef43ea746f28d2073]
  l2tp: protect sock pointer of struct pppol2tp_session with RCU
 [ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741]

Hou Tao (1):
  dm: fix race between dm_get_from_kobject() and __dm_destroy()
 [b9a41d21dceadf8104812626ef85dc56ee8a60ed]

Jan Harkes (1):
  coda: fix 'kernel memory exposure attempt' in fsync
 [d337b66a4c52c7b04eec661d86c2ef6e168965a2]

Jason Gunthorpe (1):
  sctp: Fixup v4mapped behaviour to comply with Sock API
 [299ee123e19889d511092347f5fc14db0f10e3a6]

Jens Axboe (1):
  blktrace: fix unlocked access to init/start-stop/teardown
 [1f2cac107c591c24b60b115d6050adc213d10fc0]

Johan Hovold (2):
  USB: serial: garmin_gps: fix I/O after failed probe and remove
 [19a565d9af6e0d828bd0d521d3bafd5017f4ce52]
 

[PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alexandre Belloni 

commit 74717b28cb32e1ad3c1042cafd76b264c8c0f68d upstream.

If there is any non expired timer in the queue, the RTC alarm is never set.
This is an issue when adding a timer that expires before the next non
expired timer.

Ensure the RTC alarm is set in that case.

Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers")
Signed-off-by: Alexandre Belloni 
[bwh: Backported to 3.2: open-code ktime_before()]
Signed-off-by: Ben Hutchings 
---
 drivers/rtc/interface.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -765,7 +765,7 @@ static int rtc_timer_enqueue(struct rtc_
}
 
timerqueue_add(>timerqueue, >node);
-   if (!next) {
+   if (!next || timer->node.expires.tv64 < next->expires.tv64) {
struct rtc_wkalrm alarm;
int err;
alarm.time = rtc_ktime_to_tm(timer->node.expires);
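Review bot: The new condition `timer->node.expires.tv64 < next->expires.tv64` is also true when the timer being enqueued has itself already expired, so the alarm is then programmed for a time in the past. The hunk does not show how the result of setting the alarm is handled further down, so confirm that path dequeues the timer instead of leaving it queued. A one-line comment that `next` is the first non-expired node found before `timerqueue_add()`, not the queue head, would also help, because the open-coded `.tv64` comparison stands in for `ktime_before()` only in this backport.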



[PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream.

This patch fixes a RTC wakealarm issue, namely, the event fires during
hibernate and is not cleared from the list, causing hwclock to block.

The current enqueuing does not trigger an alarm if any expired timers
already exist on the timerqueue. This can occur when a RTC wake alarm
is used to wake a machine out of hibernate and the resumed state has
old expired timers that have not been removed from the timer queue.
This fix skips over any expired timers and triggers an alarm if there
are no pending timers on the timerqueue. Note that the skipped expired
timer will get reaped later on, so there is no need to clean it up
immediately.

The issue can be reproduced by putting a machine into hibernate and
waking it with the RTC wakealarm.  Running the example RTC test program
from tools/testing/selftests/timers/rtctest.c after the hibernate will
block indefinitely.  With the fix, it no longer blocks after the
hibernate resume.

BugLink: http://bugs.launchpad.net/bugs/1333569

Signed-off-by: Colin Ian King 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Ben Hutchings 
---
 drivers/rtc/interface.c | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -749,9 +749,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq);
  */
 static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer)
 {
+   struct timerqueue_node *next = timerqueue_getnext(>timerqueue);
+   struct rtc_time tm;
+   ktime_t now;
+
timer->enabled = 1;
+   __rtc_read_time(rtc, );
+   now = rtc_tm_to_ktime(tm);
+
+   /* Skip over expired timers */
+   while (next) {
+   if (next->expires.tv64 >= now.tv64)
+   break;
+   next = timerqueue_iterate_next(next);
+   }
+
timerqueue_add(>timerqueue, >node);
-   if (>node == timerqueue_getnext(>timerqueue)) {
+   if (!next) {
struct rtc_wkalrm alarm;
int err;
alarm.time = rtc_ktime_to_tm(timer->node.expires);
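Review bot: The return value of `__rtc_read_time()` is ignored before `now = rtc_tm_to_ktime(tm)`, so if the read fails `tm` is used uninitialised and the expired-timer skip loop compares against an arbitrary `now`. Check the result and return the error before touching the queue. Note that `timer->enabled = 1` is set ahead of the read, so an early return added here has to come before that assignment or undo it.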



[PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream.

If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session
right after pppol2tp_release() orphaned its socket, then the 'sock'
variable of the pppol2tp_session_close() callback is NULL. Yet the
session is still used by pppol2tp_release().

Therefore we need to take an extra reference in any case, to prevent
l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session.

Since the pppol2tp_session_close() callback is only set if the session
is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete()
and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling
pppol2tp_session_close(), we're sure that pppol2tp_session_close() and
pppol2tp_session_destruct() are paired and called in the right order.
So the reference taken by the former will be released by the latter.

Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_ppp.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -466,11 +466,11 @@ static void pppol2tp_session_close(struc
BUG_ON(session->magic != L2TP_SESSION_MAGIC);
 
 
-   if (sock) {
+   if (sock)
inet_shutdown(sock, 2);
-   /* Don't let the session go away before our socket does */
-   l2tp_session_inc_refcount(session);
-   }
+
+   /* Don't let the session go away before our socket does */
+   l2tp_session_inc_refcount(session);
return;
 }
 
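Review bot: With the braces removed, `l2tp_session_inc_refcount(session)` now runs on every call, including the `sock == NULL` case, so the comment "Don't let the session go away before our socket does" no longer describes that path. Reword the comment to say which call drops this reference (the commit message names `pppol2tp_session_destruct()`), so the pairing is visible in the code and not only in the changelog.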



[PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tom Parkin 

commit cf2f5c886a209377daefd5d2ba0bcd49c3887813 upstream.

If userspace deletes a ppp pseudowire using the netlink API, either by
directly deleting the session or by deleting the tunnel that contains the
session, we need to tear down the corresponding pppox channel.

Rather than trying to manage two pppox unbind codepaths, switch the netlink
and l2tp_core session_close handlers to close via the l2tp_ppp socket
.release handler.

Signed-off-by: Tom Parkin 
Signed-off-by: James Chapman 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_ppp.c | 53 ++---
 1 file changed, 10 insertions(+), 43 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -95,6 +95,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -460,34 +461,16 @@ static void pppol2tp_session_close(struc
 {
struct pppol2tp_session *ps = l2tp_session_priv(session);
struct sock *sk = ps->sock;
-   struct sk_buff *skb;
+   struct socket *sock = sk->sk_socket;
 
BUG_ON(session->magic != L2TP_SESSION_MAGIC);
 
-   if (session->session_id == 0)
-   goto out;
-
-   if (sk != NULL) {
-   lock_sock(sk);
-
-   if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) {
-   pppox_unbind_sock(sk);
-   sk->sk_state = PPPOX_DEAD;
-   sk->sk_state_change(sk);
-   }
-
-   /* Purge any queued data */
-   skb_queue_purge(>sk_receive_queue);
-   skb_queue_purge(>sk_write_queue);
-   while ((skb = skb_dequeue(>reorder_q))) {
-   kfree_skb(skb);
-   sock_put(sk);
-   }
 
-   release_sock(sk);
+   if (sock) {
+   inet_shutdown(sock, 2);
+   /* Don't let the session go away before our socket does */
+   l2tp_session_inc_refcount(session);
}
-
-out:
return;
 }
 
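Review bot: `struct socket *sock = sk->sk_socket;` dereferences `sk` unconditionally, while the code removed below it guarded everything with `if (sk != NULL)`. If `ps->sock` can still be NULL when this callback runs, this is a NULL pointer dereference; either keep the check (`sock = sk ? sk->sk_socket : NULL`) or state why `ps->sock` is guaranteed non-NULL here. The `session->session_id == 0` early exit is dropped as well, and the commit message does not mention it.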
@@ -538,16 +521,12 @@ static int pppol2tp_release(struct socke
session = pppol2tp_sock_to_session(sk);
 
/* Purge any queued data */
-   skb_queue_purge(>sk_receive_queue);
-   skb_queue_purge(>sk_write_queue);
if (session != NULL) {
-   struct sk_buff *skb;
-   while ((skb = skb_dequeue(>reorder_q))) {
-   kfree_skb(skb);
-   sock_put(sk);
-   }
+   l2tp_session_queue_purge(session);
sock_put(sk);
}
+   skb_queue_purge(>sk_receive_queue);
+   skb_queue_purge(>sk_write_queue);
 
release_sock(sk);
 
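Review bot: The removed loop called `sock_put(sk)` once for every skb taken off the reorder queue, and that accounting now depends entirely on `l2tp_session_queue_purge()`, whose body is not part of this patch. Confirm the helper drops the same per-skb socket reference, otherwise each queued skb leaks a reference on `sk`. The comment "Purge any queued data" also now sits above the session branch, while the two `skb_queue_purge()` calls it described have moved below that branch.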
@@ -872,18 +851,6 @@ out:
return error;
 }
 
-/* Called when deleting sessions via the netlink interface.
- */
-static int pppol2tp_session_delete(struct l2tp_session *session)
-{
-   struct pppol2tp_session *ps = l2tp_session_priv(session);
-
-   if (ps->sock == NULL)
-   l2tp_session_dec_refcount(session);
-
-   return 0;
-}
-
 #endif /* CONFIG_L2TP_V3 */
 
 /* getname() support.
@@ -1801,7 +1768,7 @@ static const struct pppox_proto pppol2tp
 
 static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = {
.session_create = pppol2tp_session_create,
-   .session_delete = pppol2tp_session_delete,
+   .session_delete = l2tp_session_delete,
 };
 
 #endif /* CONFIG_L2TP_V3 */
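Review bot: `.session_delete` now points at `l2tp_session_delete`, but the removed `pppol2tp_session_delete()` dropped a session reference when `ps->sock == NULL`, and nothing in this patch shows the replacement handling a session that has no socket. Spell out in the commit message how that case is released now, so the refcount balance can be checked without reading l2tp_core.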



[PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mohamed Ghannam 

commit 7d11f77f84b27cef452cee332f4e469503084737 upstream.

Set rm->atomic.op_active to 0 when rds_pin_pages() fails
or the user-supplied address is invalid;
this prevents a NULL pointer usage in rds_atomic_free_op().

Signed-off-by: Mohamed Ghannam 
Acked-by: Santosh Shilimkar 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 net/rds/rdma.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -855,6 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs,
 err:
if (page)
put_page(page);
+   rm->atomic.op_active = 0;
kfree(rm->atomic.op_notifier);
 
return ret;
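Review bot: On the `err:` path `rm->atomic.op_notifier` is released with `kfree()` but left pointing at the freed memory, right next to the new `rm->atomic.op_active = 0;`. Since this change exists because later cleanup inspects `rm->atomic` after a failure, also set `rm->atomic.op_notifier = NULL;` after the `kfree()` so nothing can free or use it a second time.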



[PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guenter Roeck 

This resolves a crash if loaded under qemu + haxm under Windows.
See https://www.spinics.net/lists/kernel/msg2689835.html for details.
Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that
the same log is also seen with vanilla v4.4.110-rc1).

[0.712750] Freeing unused kernel memory: 552K
[0.721821] init: Corrupted page table at address 57b029b332e0
[0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067
[0.722761] Bad pagetable: 000b [#1] PREEMPT SMP
[0.722761] Modules linked in:
[0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 
8800bc28c000
[0.722761] RIP: 0010:[]  [] 
__clear_user+0x42/0x67
[0.722761] RSP: :8800bc28fcf8  EFLAGS: 00010202
[0.722761] RAX:  RBX: 01a4 RCX: 01a4
[0.722761] RDX:  RSI: 0008 RDI: 57b029b332e0
[0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000
[0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0
[0.722761] R13:  R14: 57b029b33340 R15: 8800bb1e2a00
[0.722761] FS:  () GS:8800bfb0() 
knlGS:
[0.722761] CS:  0010 DS:  ES:  CR0: 8005003b
[0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0
[0.722761] Stack:
[0.722761]  57b029b332e0 8800bb95fa80 8800bc28fd18 
83f4120c
[0.722761]  8800bc28fe18 83e9e7a1 8800bc28fd68 

[0.722761]  8800bc29 8800bc29 8800bc29 
8800bc29
[0.722761] Call Trace:
[0.722761]  [] clear_user+0x2e/0x30
[0.722761]  [] load_elf_binary+0xa7f/0x18f7
[0.722761]  [] search_binary_handler+0x86/0x19c
[0.722761]  [] do_execveat_common.isra.26+0x909/0xf98
[0.722761]  [] ? rest_init+0x87/0x87
[0.722761]  [] do_execve+0x23/0x25
[0.722761]  [] run_init_process+0x2b/0x2d
[0.722761]  [] kernel_init+0x6d/0xda
[0.722761]  [] ret_from_fork+0x3f/0x70
[0.722761]  [] ? rest_init+0x87/0x87
[0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1
eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17
48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff
[0.722761] RIP  [] __clear_user+0x42/0x67
[0.722761]  RSP 
[0.722761] ---[ end trace def703879b4ff090 ]---
[0.722761] BUG: sleeping function called from invalid context at 
/mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21
[0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init
[0.722761] CPU: 1 PID: 1 Comm: init Tainted: G  D 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761]  0086 dcb5d76098c89836 8800bc28fa30 
83f34004
[0.722761]  84839dc2 0015 8800bc28fa40 
83d57dc9
[0.722761]  8800bc28fa68 83d57e6a 84a53640 

[0.722761] Call Trace:
[0.722761]  [] dump_stack+0x4d/0x63
[0.722761]  [] ___might_sleep+0x13a/0x13c
[0.722761]  [] __might_sleep+0x9f/0xa6
[0.722761]  [] down_read+0x20/0x31
[0.722761]  [] __blocking_notifier_call_chain+0x35/0x63
[0.722761]  [] blocking_notifier_call_chain+0x14/0x16
[0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd
[0.722761]  [] profile_task_exit+0x1a/0x1c
[0.802309]  [] do_exit+0x39/0xe7f
[0.802309]  [] ? vprintk_default+0x1d/0x1f
[0.802309]  [] ? printk+0x57/0x73
[0.802309]  [] oops_end+0x80/0x85
[0.802309]  [] pgtable_bad+0x8a/0x95
[0.802309]  [] __do_page_fault+0x8c/0x352
[0.802309]  [] ? file_has_perm+0xc4/0xe5
[0.802309]  [] do_page_fault+0xc/0xe
[0.802309]  [] page_fault+0x22/0x30
[0.802309]  [] ? __clear_user+0x42/0x67
[0.802309]  [] ? __clear_user+0x23/0x67
[0.802309]  [] clear_user+0x2e/0x30
[0.802309]  [] load_elf_binary+0xa7f/0x18f7
[0.802309]  [] search_binary_handler+0x86/0x19c
[0.802309]  [] do_execveat_common.isra.26+0x909/0xf98
[0.802309]  [] ? rest_init+0x87/0x87
[0.802309]  [] do_execve+0x23/0x25
[0.802309]  [] run_init_process+0x2b/0x2d
[0.802309]  [] kernel_init+0x6d/0xda
[0.802309]  [] ret_from_fork+0x3f/0x70
[0.802309]  [] ? rest_init+0x87/0x87
[0.830559] Kernel panic - not syncing: Attempted to kill init!  
exitcode=0x0009
[0.830559]
[0.831305] Kernel Offset: 

[PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream.

This patch fixes the following kernel crash:

general protection fault:  [#1] PREEMPT SMP
Workqueue: ib_mad2 timeout_sends [ib_core]
Call Trace:
 ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core]
 send_handler+0xb2/0xd0 [ib_core]
 timeout_sends+0x14d/0x220 [ib_core]
 process_one_work+0x200/0x630
 worker_thread+0x4e/0x3b0
 kthread+0x113/0x150

Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Signed-off-by: Bart Van Assche 
Reviewed-by: Sagi Grimberg 
Signed-off-by: Doug Ledford 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -310,10 +310,19 @@ static void srp_path_rec_completion(int
 
 static int srp_lookup_path(struct srp_target_port *target)
 {
+   int ret = -ENODEV;
+
target->path.numb_path = 1;
 
init_completion(>done);
 
+   /*
+* Avoid that the SCSI host can be removed by srp_remove_target()
+* before srp_path_rec_completion() is called.
+*/
+   if (!scsi_host_get(target->scsi_host))
+   goto out;
+
target->path_query_id = ib_sa_path_rec_get(_sa_client,
   
target->srp_host->srp_dev->dev,
   target->srp_host->port,
@@ -327,16 +336,22 @@ static int srp_lookup_path(struct srp_ta
   GFP_KERNEL,
   srp_path_rec_completion,
   target, >path_query);
-   if (target->path_query_id < 0)
-   return target->path_query_id;
+   ret = target->path_query_id;
+   if (ret < 0)
+   goto put;
 
wait_for_completion(>done);
 
-   if (target->status < 0)
+   ret = target->status;
+   if (ret < 0)
shost_printk(KERN_WARNING, target->scsi_host,
 PFX "Path record query failed\n");
 
-   return target->status;
+put:
+   scsi_host_put(target->scsi_host);
+
+out:
+   return ret;
 }
 
 static int srp_send_req(struct srp_target_port *target)
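Review bot: The `out:` label only executes `return ret;`, so the `scsi_host_get()` failure branch in the first hunk can `return -ENODEV;` directly and the `int ret = -ENODEV;` initialiser can go, leaving `put:` as the single exit that needs cleanup. That failure is also silent, unlike the `target->status < 0` case, which logs through `shost_printk()`; a warning there would make a lookup that lost the race with host removal diagnosable.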



[PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream.

This patch fixes the following kernel crash:

general protection fault:  [#1] PREEMPT SMP
Workqueue: ib_mad2 timeout_sends [ib_core]
Call Trace:
 ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core]
 send_handler+0xb2/0xd0 [ib_core]
 timeout_sends+0x14d/0x220 [ib_core]
 process_one_work+0x200/0x630
 worker_thread+0x4e/0x3b0
 kthread+0x113/0x150

Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Signed-off-by: Bart Van Assche 
Reviewed-by: Sagi Grimberg 
Signed-off-by: Doug Ledford 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -310,10 +310,19 @@ static void srp_path_rec_completion(int
 
 static int srp_lookup_path(struct srp_target_port *target)
 {
+   int ret = -ENODEV;
+
target->path.numb_path = 1;
 
init_completion(>done);
 
+   /*
+* Avoid that the SCSI host can be removed by srp_remove_target()
+* before srp_path_rec_completion() is called.
+*/
+   if (!scsi_host_get(target->scsi_host))
+   goto out;
+
target->path_query_id = ib_sa_path_rec_get(_sa_client,
   
target->srp_host->srp_dev->dev,
   target->srp_host->port,
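
Review bot: The new "if (!scsi_host_get(target->scsi_host)) goto out;" path returns -ENODEV without logging anything, while the later failure path prints "Path record query failed". A shost_printk() here, or a comment saying the silence is intended, would make a lookup that loses the race with host removal easier to diagnose. The block comment explains why the reference is taken but not where it is released; pointing at the put: label would help.
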
@@ -327,16 +336,22 @@ static int srp_lookup_path(struct srp_ta
   GFP_KERNEL,
   srp_path_rec_completion,
   target, >path_query);
-   if (target->path_query_id < 0)
-   return target->path_query_id;
+   ret = target->path_query_id;
+   if (ret < 0)
+   goto put;
 
wait_for_completion(>done);
 
-   if (target->status < 0)
+   ret = target->status;
+   if (ret < 0)
shost_printk(KERN_WARNING, target->scsi_host,
 PFX "Path record query failed\n");
 
-   return target->status;
+put:
+   scsi_host_put(target->scsi_host);
+
+out:
+   return ret;
 }
 
 static int srp_send_req(struct srp_target_port *target)
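
Review bot: Between scsi_host_get() and the put: label the function sits in wait_for_completion(), which has no timeout, so the SCSI host reference is held for as long as the path record callback takes to run. That is what the fix needs, but it makes host removal depend on srp_path_rec_completion() always being invoked; say so in the comment added in the first hunk. The put:/out: label pair is correct as written: the early scsi_host_get() failure skips the put, and both later exits go through it.
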



[PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tom Parkin 

commit 48f72f92b31431c40279b0fba6c5588e07e67d95 upstream.

If an l2tp session is deleted, it is necessary to delete skbs in-flight
on the session's reorder queue before taking it down.

Rather than having each pseudowire implementation reaching into the
l2tp_session struct to handle this itself, provide a function in l2tp_core to
purge the session queue.

Signed-off-by: Tom Parkin 
Signed-off-by: James Chapman 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: use non-atomic increment on rx_errors]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_core.c | 17 +
 net/l2tp/l2tp_core.h |  1 +
 2 files changed, 18 insertions(+)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -830,6 +830,23 @@ discard:
 }
 EXPORT_SYMBOL(l2tp_recv_common);
 
+/* Drop skbs from the session's reorder_q
+ */
+int l2tp_session_queue_purge(struct l2tp_session *session)
+{
+   struct sk_buff *skb = NULL;
+   BUG_ON(!session);
+   BUG_ON(session->magic != L2TP_SESSION_MAGIC);
+   while ((skb = skb_dequeue(>reorder_q))) {
+   session->stats.rx_errors++;
+   kfree_skb(skb);
+   if (session->deref)
+   (*session->deref)(session);
+   }
+   return 0;
+}
+EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
+
 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
  * here. The skb is not on a list when we get here.
  * Returns 0 if the packet was a data packet and was successfully passed on.
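
Review bot: l2tp_session_queue_purge() is declared int but its only return statement is "return 0;", so the return value tells callers nothing; make it void or return the number of skbs dropped. The two BUG_ON() checks at the top take the whole machine down on a bad pointer or a magic mismatch, where a WARN_ON() with an early return is usually enough for a teardown helper. The comment above the function should also say when it must be called (before the session is taken down, per the commit message), and the plain "session->stats.rx_errors++" assumes nothing else updates that counter concurrently.
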
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -249,6 +249,7 @@ extern struct l2tp_session *l2tp_session
 extern int l2tp_session_delete(struct l2tp_session *session);
 extern void l2tp_session_free(struct l2tp_session *session);
 extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff 
*skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int 
(*payload_hook)(struct sk_buff *skb));
+extern int l2tp_session_queue_purge(struct l2tp_session *session);
 extern int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb);
 
 extern int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, 
int hdr_len);



[PATCH 3.16 020/136] elf_fdpic: fix unused variable warning

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 11e3e8d6d9274bf630859b4c47bc4e4d76f289db upstream.

The elf_fdpic code shows a harmless warning when built with MMU disabled,
I ran into this now that fdpic is available on ARM randconfig builds
since commit 50b2b2e691cd ("ARM: add ELF_FDPIC support").

fs/binfmt_elf_fdpic.c: In function 'elf_fdpic_dump_segments':
fs/binfmt_elf_fdpic.c:1501:17: error: unused variable 'addr' 
[-Werror=unused-variable]

This adds another #ifdef around the variable declaration to shut up
the warning.

Fixes: e6c1baa9b562 ("convert the rest of binfmt_elf_fdpic to dump_emit()")
Acked-by: Nicolas Pitre 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Al Viro 
Signed-off-by: Ben Hutchings 
---
 fs/binfmt_elf_fdpic.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -1487,7 +1487,9 @@ static bool elf_fdpic_dump_segments(stru
struct vm_area_struct *vma;
 
for (vma = current->mm->mmap; vma; vma = vma->vm_next) {
+#ifdef CONFIG_MMU
unsigned long addr;
+#endif
 
if (!maydump(vma, cprm->mm_flags))
continue;
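
Review bot: Wrapping the "unsigned long addr;" declaration in its own #ifdef CONFIG_MMU / #endif pair at the top of the loop body silences the warning but adds a second conditional block that has to be kept in step with the one that uses addr. Moving the declaration into the block that uses it, or marking it __maybe_unused, would avoid the extra preprocessor lines.
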



[PATCH 3.16 067/136] ima: fix hash algorithm initialization

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Boshi Wang 

commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee upstream.

The hash_setup function always sets the hash_setup_done flag, even
when the hash algorithm is invalid.  This prevents the default hash
algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used.

This patch sets hash_setup_done flag only for valid hash algorithms.

Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash
algorithms"
Signed-off-by: Boshi Wang 
Signed-off-by: Mimi Zohar 
Signed-off-by: Ben Hutchings 
---
 security/integrity/ima/ima_main.c | 4 
 1 file changed, 4 insertions(+)

--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -52,6 +52,8 @@ static int __init hash_setup(char *str)
ima_hash_algo = HASH_ALGO_SHA1;
else if (strncmp(str, "md5", 3) == 0)
ima_hash_algo = HASH_ALGO_MD5;
+   else
+   return 1;
goto out;
}
 
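
Review bot: The added "else return 1;" rejects an unrecognised value silently, so a mistyped hash name on the kernel command line falls back to the built-in default with nothing in the log. For an integrity subsystem that deserves a pr_err() naming the rejected string before returning. The unchanged context also matches with strncmp(str, "md5", 3), a prefix comparison, so a longer string that merely starts with "md5" is still accepted as valid.
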
@@ -61,6 +63,8 @@ static int __init hash_setup(char *str)
break;
}
}
+   if (i == HASH_ALGO__LAST)
+   return 1;
 out:
hash_setup_done = 1;
return 1;
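
Review bot: The new "if (i == HASH_ALGO__LAST) return 1;" returns the same value as the success path at the bottom, so the only difference between a valid and an invalid argument is whether hash_setup_done gets set. A short comment above the check, saying the flag is deliberately left clear so that CONFIG_IMA_DEFAULT_HASH applies, would put that intent in the code and not only in the commit message.
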



[PATCH 3.16 060/136] ACPI / APEI: Replace ioremap_page_range() with fixmap

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: James Morse 

commit 4f89fa286f6729312e227e7c2d764e8e7b9d340e upstream.

Replace ghes_io{re,un}map_pfn_{nmi,irq}()s use of ioremap_page_range()
with __set_fixmap() as ioremap_page_range() may sleep to allocate a new
level of page-table, even if it's passed an existing final-address to
use in the mapping.

The GHES driver can only be enabled for architectures that select
HAVE_ACPI_APEI: Add fixmap entries to both x86 and arm64.

clear_fixmap() does the TLB invalidation in __set_fixmap() for arm64
and __set_pte_vaddr() for x86. In each case it's the same as the
respective arch_apei_flush_tlb_one().

Reported-by: Fengguang Wu 
Suggested-by: Linus Torvalds 
Signed-off-by: James Morse 
Reviewed-by: Borislav Petkov 
Tested-by: Tyler Baicar 
Tested-by: Toshi Kani 
[ For the arm64 bits: ]
Acked-by: Will Deacon 
[ For the x86 bits: ]
Acked-by: Ingo Molnar 
Signed-off-by: Rafael J. Wysocki 
[bwh: Backported to 3.16:
 - Drop arm64 changes; ghes is x86-only here
 - Don't use page or prot variables in ghes_ioremap_fn_{nmi,irq}()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/arch/x86/include/asm/fixmap.h
+++ b/arch/x86/include/asm/fixmap.h
@@ -103,6 +103,12 @@ enum fixed_addresses {
 #ifdef CONFIG_X86_INTEL_MID
FIX_LNW_VRTC,
 #endif
+#ifdef CONFIG_ACPI_APEI_GHES
+   /* Used for GHES mapping from assorted contexts */
+   FIX_APEI_GHES_IRQ,
+   FIX_APEI_GHES_NMI,
+#endif
+
__end_of_permanent_fixed_addresses,
 
/*
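
Review bot: The comment "Used for GHES mapping from assorted contexts" does not say which slot belongs to which context or what serialises it. Each fixmap slot is a single shared virtual address, so name the owner explicitly (FIX_APEI_GHES_IRQ under ghes_ioremap_lock_irq, FIX_APEI_GHES_NMI under ghes_ioremap_lock_nmi) so that a later user does not map through a slot without taking the lock.
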
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -49,6 +49,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -110,7 +111,7 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock
  * Because the memory area used to transfer hardware error information
  * from BIOS to Linux can be determined only in NMI, IRQ or timer
  * handler, but general ioremap can not be used in atomic context, so
- * a special version of atomic ioremap is implemented for that.
+ * the fixmap is used instead.
  */
 
 /*
@@ -124,8 +125,8 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock
 /* virtual memory area for atomic ioremap */
 static struct vm_struct *ghes_ioremap_area;
 /*
- * These 2 spinlock is used to prevent atomic ioremap virtual memory
- * area from being mapped simultaneously.
+ * These 2 spinlocks are used to prevent the fixmap entries from being used
+ * simultaneously.
  */
 static DEFINE_RAW_SPINLOCK(ghes_ioremap_lock_nmi);
 static DEFINE_SPINLOCK(ghes_ioremap_lock_irq);
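
Review bot: The context lines just above the rewritten comment still carry "/* virtual memory area for atomic ioremap */" and "static struct vm_struct *ghes_ioremap_area;", yet the next hunk removes the uses of ghes_ioremap_area->addr from all four map and unmap helpers. If nothing else reads the variable, it and its init/exit code (ghes_ioremap_exit() shows in the following hunk header) should go in this patch or a follow-up; otherwise the stale comment should at least be updated.
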
@@ -165,44 +166,26 @@ static void ghes_ioremap_exit(void)
 
 static void __iomem *ghes_ioremap_pfn_nmi(u64 pfn)
 {
-   unsigned long vaddr;
+   __set_fixmap(FIX_APEI_GHES_NMI, pfn << PAGE_SHIFT, PAGE_KERNEL);
 
-   vaddr = (unsigned long)GHES_IOREMAP_NMI_PAGE(ghes_ioremap_area->addr);
-   ioremap_page_range(vaddr, vaddr + PAGE_SIZE,
-  pfn << PAGE_SHIFT, PAGE_KERNEL);
-
-   return (void __iomem *)vaddr;
+   return (void __iomem *) fix_to_virt(FIX_APEI_GHES_NMI);
 }
 
 static void __iomem *ghes_ioremap_pfn_irq(u64 pfn)
 {
-   unsigned long vaddr;
-
-   vaddr = (unsigned long)GHES_IOREMAP_IRQ_PAGE(ghes_ioremap_area->addr);
-   ioremap_page_range(vaddr, vaddr + PAGE_SIZE,
-  pfn << PAGE_SHIFT, PAGE_KERNEL);
+   __set_fixmap(FIX_APEI_GHES_IRQ, pfn << PAGE_SHIFT, PAGE_KERNEL);
 
-   return (void __iomem *)vaddr;
+   return (void __iomem *) fix_to_virt(FIX_APEI_GHES_IRQ);
 }
 
-static void ghes_iounmap_nmi(void __iomem *vaddr_ptr)
+static void ghes_iounmap_nmi(void)
 {
-   unsigned long vaddr = (unsigned long __force)vaddr_ptr;
-   void *base = ghes_ioremap_area->addr;
-
-   BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_NMI_PAGE(base));
-   unmap_kernel_range_noflush(vaddr, PAGE_SIZE);
-   __flush_tlb_one(vaddr);
+   clear_fixmap(FIX_APEI_GHES_NMI);
 }
 
-static void ghes_iounmap_irq(void __iomem *vaddr_ptr)
+static void ghes_iounmap_irq(void)
 {
-   unsigned long vaddr = (unsigned long __force)vaddr_ptr;
-   void *base = ghes_ioremap_area->addr;
-
-   BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_IRQ_PAGE(base));
-   unmap_kernel_range_noflush(vaddr, PAGE_SIZE);
-   __flush_tlb_one(vaddr);
+   clear_fixmap(FIX_APEI_GHES_IRQ);
 }
 
 static int ghes_estatus_pool_init(void)
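
Review bot: ghes_iounmap_nmi() and ghes_iounmap_irq() lose their argument and with it the BUG_ON(vaddr != ...) sanity check, so nothing verifies any more that the slot being cleared is the one the caller mapped. Correctness now rests entirely on the caller holding the matching ioremap lock from __set_fixmap() through clear_fixmap(); a one-line comment on each helper stating that requirement would replace what the assertion used to document.
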
@@ -341,10 +324,10 @@ static void ghes_copy_tofrom_phys(void *
paddr += trunk;
buffer += trunk;
if (in_nmi) {
-   ghes_iounmap_nmi(vaddr);
+   ghes_iounmap_nmi();
raw_spin_unlock(_ioremap_lock_nmi);
} else {
-   ghes_iounmap_irq(vaddr);
+   ghes_iounmap_irq();
spin_unlock_irqrestore(_ioremap_lock_irq, flags);
}
}



[PATCH 3.16 028/136] net/9p: Switch to wait_event_killable()

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tuomas Tynkkynen 

commit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream.

Because userspace gets Very Unhappy when calls like stat() and execve()
return -EINTR on 9p filesystem mounts. For instance, when bash is
looking in PATH for things to execute and some SIGCHLD interrupts
stat(), bash can throw a spurious 'command not found' since it doesn't
retry the stat().

In practice, hitting the problem is rare and needs a really
slow/bogged down 9p server.

Signed-off-by: Tuomas Tynkkynen 
Signed-off-by: Al Viro 
[bwh: Backported to 3.16: drop changes in trans_xen.c]
Signed-off-by: Ben Hutchings 
---
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -753,8 +753,7 @@ p9_client_rpc(struct p9_client *c, int8_
}
 again:
/* Wait for the response */
-   err = wait_event_interruptible(*req->wq,
-  req->status >= REQ_STATUS_RCVD);
+   err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
 
/*
 * Make sure our req is coherent with regard to updates in other
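
Review bot: Switching this wait in p9_client_rpc() to wait_event_killable() means a blocked task now ignores every signal except a fatal one, so against a stalled 9p server an interactive interrupt no longer returns control to the caller. The commit message covers the -EINTR motivation but not this trade-off; extend the "Wait for the response" comment to say that only fatal signals end the wait, and why.
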
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -292,8 +292,8 @@ req_retry:
if (err == -ENOSPC) {
chan->ring_bufs_avail = 0;
spin_unlock_irqrestore(>lock, flags);
-   err = wait_event_interruptible(*chan->vc_wq,
-   chan->ring_bufs_avail);
+   err = wait_event_killable(*chan->vc_wq,
+ chan->ring_bufs_avail);
if (err  == -ERESTARTSYS)
return err;
 
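
Review bot: The unchanged "if (err  == -ERESTARTSYS) return err;" after the new wait_event_killable() still matches, because that is the value returned when a fatal signal ends the wait, but it is now reached only for a task that is being killed. Confirm that the callers treat this return as final and do not handle it as a restartable condition; the same applies to the identical check in the req_retry_pinned hunk below.
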
@@ -324,7 +324,7 @@ static int p9_get_mapped_pages(struct vi
 * Other zc request to finish here
 */
if (atomic_read(_pinned) >= chan->p9_max_pages) {
-   err = wait_event_interruptible(vp_wq,
+   err = wait_event_killable(vp_wq,
  (atomic_read(_pinned) < chan->p9_max_pages));
if (err == -ERESTARTSYS)
return err;
@@ -454,8 +454,8 @@ req_retry_pinned:
if (err == -ENOSPC) {
chan->ring_bufs_avail = 0;
spin_unlock_irqrestore(>lock, flags);
-   err = wait_event_interruptible(*chan->vc_wq,
-  chan->ring_bufs_avail);
+   err = wait_event_killable(*chan->vc_wq,
+ chan->ring_bufs_avail);
if (err  == -ERESTARTSYS)
goto err_out;
 
@@ -472,8 +472,7 @@ req_retry_pinned:
virtqueue_kick(chan->vq);
spin_unlock_irqrestore(>lock, flags);
p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n");
-   err = wait_event_interruptible(*req->wq,
-  req->status >= REQ_STATUS_RCVD);
+   err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
/*
 * Non kernel buffers are pinned, unpin them
 */



[PATCH 3.16 034/136] l2tp: initialise l2tp_eth sessions before registering them

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream.

Sessions must be initialised before being made externally visible by
l2tp_session_register(). Otherwise the session may be concurrently
deleted before being initialised, which can confuse the deletion path
and eventually lead to kernel oops.

Therefore, we need to move l2tp_session_register() down in
l2tp_eth_create(), but also handle the intermediate step where only the
session or the netdevice has been registered.

We can't just call l2tp_session_register() in ->ndo_init() because
we'd have no way to properly undo this operation in ->ndo_uninit().
Instead, let's register the session and the netdevice in two different
steps and protect the session's device pointer with RCU.

And now that we allow the session's .dev field to be NULL, we don't
need to prevent the netdevice from being removed anymore. So we can
drop the dev_hold() and dev_put() calls in l2tp_eth_create() and
l2tp_eth_dev_uninit().

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16:
 - Update another 'goto out' in l2tp_eth_create()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -51,7 +51,7 @@ struct l2tp_eth {
 
 /* via l2tp_session_priv() */
 struct l2tp_eth_sess {
-   struct net_device   *dev;
+   struct net_device __rcu *dev;
 };
 
 
@@ -69,7 +69,14 @@ static int l2tp_eth_dev_init(struct net_
 
 static void l2tp_eth_dev_uninit(struct net_device *dev)
 {
-   dev_put(dev);
+   struct l2tp_eth *priv = netdev_priv(dev);
+   struct l2tp_eth_sess *spriv;
+
+   spriv = l2tp_session_priv(priv->session);
+   RCU_INIT_POINTER(spriv->dev, NULL);
+   /* No need for synchronize_net() here. We're called by
+* unregister_netdev*(), which does the synchronisation for us.
+*/
 }
 
 static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
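
Review bot: l2tp_eth_dev_uninit() now dereferences priv->session unconditionally through l2tp_session_priv(priv->session). That is safe only if the session pointer is always set before the netdevice can be registered and is still valid when ->ndo_uninit() runs. The commit message describes an intermediate step where only one of the two objects is registered, so state that invariant in the comment or guard against NULL here.
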
@@ -123,8 +130,8 @@ static void l2tp_eth_dev_setup(struct ne
 static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff 
*skb, int data_len)
 {
struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-   struct net_device *dev = spriv->dev;
-   struct l2tp_eth *priv = netdev_priv(dev);
+   struct net_device *dev;
+   struct l2tp_eth *priv;
 
if (session->debug & L2TP_MSG_DATA) {
unsigned int length;
@@ -148,16 +155,25 @@ static void l2tp_eth_dev_recv(struct l2t
skb_dst_drop(skb);
nf_reset(skb);
 
+   rcu_read_lock();
+   dev = rcu_dereference(spriv->dev);
+   if (!dev)
+   goto error_rcu;
+
+   priv = netdev_priv(dev);
if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
atomic_long_inc(>rx_packets);
atomic_long_add(data_len, >rx_bytes);
} else {
atomic_long_inc(>rx_errors);
}
+   rcu_read_unlock();
+
return;
 
+error_rcu:
+   rcu_read_unlock();
 error:
-   atomic_long_inc(>rx_errors);
kfree_skb(skb);
 }
 
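
Review bot: The error: path used to increment rx_errors and now only frees the skb, so packets dropped through "goto error" or the new "goto error_rcu" (device already gone) are no longer counted anywhere. Removing the increment is necessary because priv may not be valid at that point, but consider accounting the drop in the session's own statistics so the loss stays visible to whoever is debugging the tunnel.
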
@@ -168,11 +184,15 @@ static void l2tp_eth_delete(struct l2tp_
 
if (session) {
spriv = l2tp_session_priv(session);
-   dev = spriv->dev;
+
+   rtnl_lock();
+   dev = rtnl_dereference(spriv->dev);
if (dev) {
-   unregister_netdev(dev);
-   spriv->dev = NULL;
+   unregister_netdevice(dev);
+   rtnl_unlock();
module_put(THIS_MODULE);
+   } else {
+   rtnl_unlock();
}
}
 }
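
Review bot: rtnl_unlock() now appears in both arms of the "if (dev) { ... } else { ... }" in l2tp_eth_delete(). Calling unregister_netdevice(dev) inside the if, then a single rtnl_unlock() after it, with module_put(THIS_MODULE) under a second "if (dev)", keeps lock and unlock paired one-to-one and drops the else branch that exists only to unlock.
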
@@ -182,9 +202,20 @@ static void l2tp_eth_show(struct seq_fil
 {
struct l2tp_session *session = arg;
struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-   struct net_device *dev = spriv->dev;
+   struct net_device *dev;
+
+   rcu_read_lock();
+   dev = rcu_dereference(spriv->dev);
+   if (!dev) {
+   rcu_read_unlock();
+   return;
+   }
+   dev_hold(dev);
+   rcu_read_unlock();
 
seq_printf(m, "   interface %s\n", dev->name);
+
+   dev_put(dev);
 }
 #endif
 
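
Review bot: l2tp_eth_show() takes dev_hold(dev) only to read dev->name for one seq_printf() and then calls dev_put(dev). If the print can stay inside the rcu_read_lock() section, the reference count round trip is unnecessary; if there is a reason it cannot, a comment saying so would save the next reader the question.
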
@@ -204,7 +235,7 @@ static int l2tp_eth_create(struct net *n
if (dev) {
dev_put(dev);
rc = -EEXIST;
-   goto out;
+   goto err;
}
strlcpy(name, cfg->ifname, IFNAMSIZ);
} else
@@ -214,20 +245,13 @@ static int l2tp_eth_create(struct net *n
  peer_session_id, cfg);
if (IS_ERR(session)) {
   

[PATCH 3.16 062/136] kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Zhou Chengming 

commit e846d13958066828a9483d862cc8370a72fadbb6 upstream.

We use alternatives_text_reserved() to check if the address is in
the fixed pieces of alternative reserved, but the problem is that
we don't hold the smp_alt mutex when calling this function. So the list
traversal may encounter a deleted list_head if another path is doing
alternatives_smp_module_del().

One solution is that we can hold smp_alt mutex before calling this
function, but the difficult point is that the callers of this
function, arch_prepare_kprobe() and arch_prepare_optimized_kprobe(),
are called inside the text_mutex. So we must hold smp_alt mutex
before we go into this arch dependent code. But we can't now,
the smp_alt mutex is the arch dependent part, only x86 has it.
Maybe we can export another arch dependent callback to solve this.

But there is a simpler way to handle this problem. We can reuse the
text_mutex to protect smp_alt_modules instead of using another mutex.
And all the arch dependent checks of kprobes are inside the text_mutex,
so it's safe now.

Signed-off-by: Zhou Chengming 
Reviewed-by: Masami Hiramatsu 
Acked-by: Steven Rostedt (VMware) 
Cc: Andy Lutomirski 
Cc: Borislav Petkov 
Cc: Brian Gerst 
Cc: Denys Vlasenko 
Cc: H. Peter Anvin 
Cc: Josh Poimboeuf 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: b...@suse.de
Fixes: 2cfa197 "ftrace/alternatives: Introducing *_text_reserved functions"
Link: 
http://lkml.kernel.org/r/1509585501-79466-1-git-send-email-zhouchengmi...@huawei.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Ben Hutchings 
---
 arch/x86/kernel/alternative.c | 26 +-
 kernel/extable.c  |  2 ++
 2 files changed, 15 insertions(+), 13 deletions(-)

--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -409,7 +409,6 @@ static void alternatives_smp_lock(const
 {
const s32 *poff;
 
-   mutex_lock(_mutex);
for (poff = start; poff < end; poff++) {
u8 *ptr = (u8 *)poff + *poff;
 
@@ -419,7 +418,6 @@ static void alternatives_smp_lock(const
if (*ptr == 0x3e)
text_poke(ptr, ((unsigned char []){0xf0}), 1);
}
-   mutex_unlock(_mutex);
 }
 
 static void alternatives_smp_unlock(const s32 *start, const s32 *end,
@@ -427,7 +425,6 @@ static void alternatives_smp_unlock(cons
 {
const s32 *poff;
 
-   mutex_lock(_mutex);
for (poff = start; poff < end; poff++) {
u8 *ptr = (u8 *)poff + *poff;
 
@@ -437,7 +434,6 @@ static void alternatives_smp_unlock(cons
if (*ptr == 0xf0)
text_poke(ptr, ((unsigned char []){0x3E}), 1);
}
-   mutex_unlock(_mutex);
 }
 
 struct smp_alt_module {
@@ -456,8 +452,7 @@ struct smp_alt_module {
struct list_head next;
 };
 static LIST_HEAD(smp_alt_modules);
-static DEFINE_MUTEX(smp_alt);
-static bool uniproc_patched = false;   /* protected by smp_alt */
+static bool uniproc_patched = false;   /* protected by text_mutex */
 
 void __init_or_module alternatives_smp_module_add(struct module *mod,
  char *name,
@@ -466,7 +461,7 @@ void __init_or_module alternatives_smp_m
 {
struct smp_alt_module *smp;
 
-   mutex_lock(_alt);
+   mutex_lock(_mutex);
if (!uniproc_patched)
goto unlock;
 
@@ -493,14 +488,14 @@ void __init_or_module alternatives_smp_m
 smp_unlock:
alternatives_smp_unlock(locks, locks_end, text, text_end);
 unlock:
-   mutex_unlock(_alt);
+   mutex_unlock(_mutex);
 }
 
 void __init_or_module alternatives_smp_module_del(struct module *mod)
 {
struct smp_alt_module *item;
 
-   mutex_lock(_alt);
+   mutex_lock(_mutex);
list_for_each_entry(item, _alt_modules, next) {
if (mod != item->mod)
continue;
@@ -508,7 +503,7 @@ void __init_or_module alternatives_smp_m
kfree(item);
break;
}
-   mutex_unlock(_alt);
+   mutex_unlock(_mutex);
 }
 
 void alternatives_enable_smp(void)
@@ -518,7 +513,7 @@ void alternatives_enable_smp(void)
/* Why bother if there are no other CPUs? */
BUG_ON(num_possible_cpus() == 1);
 
-   mutex_lock(_alt);
+   mutex_lock(_mutex);
 
if (uniproc_patched) {
pr_info("switching to SMP code\n");
@@ -530,10 +525,13 @@ void alternatives_enable_smp(void)
  mod->text, mod->text_end);

[PATCH 3.16 062/136] kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Zhou Chengming 

commit e846d13958066828a9483d862cc8370a72fadbb6 upstream.

We use alternatives_text_reserved() to check if the address is in
the fixed pieces of alternative reserved, but the problem is that
we don't hold the smp_alt mutex when calling this function. So the list
traversal may encounter a deleted list_head if another path is doing
alternatives_smp_module_del().

One solution is that we can hold smp_alt mutex before calling this
function, but the difficult point is that the callers of this
function, arch_prepare_kprobe() and arch_prepare_optimized_kprobe(),
are called inside the text_mutex. So we must hold smp_alt mutex
before we go into this arch dependent code. But we can't now,
the smp_alt mutex is the arch dependent part, only x86 has it.
Maybe we can export another arch dependent callback to solve this.

But there is a simpler way to handle this problem. We can reuse the
text_mutex to protect smp_alt_modules instead of using another mutex.
And all the arch dependent checks of kprobes are inside the text_mutex,
so it's safe now.

Signed-off-by: Zhou Chengming 
Reviewed-by: Masami Hiramatsu 
Acked-by: Steven Rostedt (VMware) 
Cc: Andy Lutomirski 
Cc: Borislav Petkov 
Cc: Brian Gerst 
Cc: Denys Vlasenko 
Cc: H. Peter Anvin 
Cc: Josh Poimboeuf 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: b...@suse.de
Fixes: 2cfa197 "ftrace/alternatives: Introducing *_text_reserved functions"
Link: http://lkml.kernel.org/r/1509585501-79466-1-git-send-email-zhouchengmi...@huawei.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Ben Hutchings 
---
 arch/x86/kernel/alternative.c | 26 +-
 kernel/extable.c  |  2 ++
 2 files changed, 15 insertions(+), 13 deletions(-)

--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -409,7 +409,6 @@ static void alternatives_smp_lock(const
 {
const s32 *poff;
 
-   mutex_lock(_mutex);
for (poff = start; poff < end; poff++) {
u8 *ptr = (u8 *)poff + *poff;
 
@@ -419,7 +418,6 @@ static void alternatives_smp_lock(const
if (*ptr == 0x3e)
text_poke(ptr, ((unsigned char []){0xf0}), 1);
}
-   mutex_unlock(_mutex);
 }
 
 static void alternatives_smp_unlock(const s32 *start, const s32 *end,
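
Review bot: alternatives_smp_lock() loses its own locking in the two hunks above (and alternatives_smp_unlock() does the same in the next two), so both helpers now rely on every caller already holding text_mutex, yet nothing at the helpers says so. A one-line comment above each, in the same "Must hold text_mutex" wording this patch adds to alternatives_text_reserved(), would keep the requirement visible next to the text_poke() calls.
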
@@ -427,7 +425,6 @@ static void alternatives_smp_unlock(cons
 {
const s32 *poff;
 
-   mutex_lock(_mutex);
for (poff = start; poff < end; poff++) {
u8 *ptr = (u8 *)poff + *poff;
 
@@ -437,7 +434,6 @@ static void alternatives_smp_unlock(cons
if (*ptr == 0xf0)
text_poke(ptr, ((unsigned char []){0x3E}), 1);
}
-   mutex_unlock(_mutex);
 }
 
 struct smp_alt_module {
@@ -456,8 +452,7 @@ struct smp_alt_module {
struct list_head next;
 };
 static LIST_HEAD(smp_alt_modules);
-static DEFINE_MUTEX(smp_alt);
-static bool uniproc_patched = false;   /* protected by smp_alt */
+static bool uniproc_patched = false;   /* protected by text_mutex */
 
 void __init_or_module alternatives_smp_module_add(struct module *mod,
  char *name,
@@ -466,7 +461,7 @@ void __init_or_module alternatives_smp_m
 {
struct smp_alt_module *smp;
 
-   mutex_lock(_alt);
+   mutex_lock(_mutex);
if (!uniproc_patched)
goto unlock;
 
@@ -493,14 +488,14 @@ void __init_or_module alternatives_smp_m
 smp_unlock:
alternatives_smp_unlock(locks, locks_end, text, text_end);
 unlock:
-   mutex_unlock(_alt);
+   mutex_unlock(_mutex);
 }
 
 void __init_or_module alternatives_smp_module_del(struct module *mod)
 {
struct smp_alt_module *item;
 
-   mutex_lock(_alt);
+   mutex_lock(_mutex);
list_for_each_entry(item, _alt_modules, next) {
if (mod != item->mod)
continue;
@@ -508,7 +503,7 @@ void __init_or_module alternatives_smp_m
kfree(item);
break;
}
-   mutex_unlock(_alt);
+   mutex_unlock(_mutex);
 }
 
 void alternatives_enable_smp(void)
@@ -518,7 +513,7 @@ void alternatives_enable_smp(void)
/* Why bother if there are no other CPUs? */
BUG_ON(num_possible_cpus() == 1);
 
-   mutex_lock(_alt);
+   mutex_lock(_mutex);
 
if (uniproc_patched) {
pr_info("switching to SMP code\n");
@@ -530,10 +525,13 @@ void alternatives_enable_smp(void)
  mod->text, mod->text_end);
uniproc_patched = false;
}
-   mutex_unlock(_alt);
+   mutex_unlock(_mutex);
 }
 
-/* Return 1 if the address range is reserved for smp-alternatives */
+/*
+ * Return 1 if the address range is reserved for SMP-alternatives.
+ * Must hold text_mutex.
+ */
 int alternatives_text_reserved(void *start, void *end)
 {
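
Review bot: the new "Must hold text_mutex" rule on alternatives_text_reserved() exists only as a comment, so a caller that forgets the lock brings back the list-traversal race described in the changelog without any warning. A lockdep_assert_held() on text_mutex at the top of the function would enforce it. The diffstat also lists two added lines in kernel/extable.c, but that hunk does not appear in this copy of the mail and cannot be reviewed here.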
 

[PATCH 3.16 034/136] l2tp: initialise l2tp_eth sessions before registering them

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream.

Sessions must be initialised before being made externally visible by
l2tp_session_register(). Otherwise the session may be concurrently
deleted before being initialised, which can confuse the deletion path
and eventually lead to kernel oops.

Therefore, we need to move l2tp_session_register() down in
l2tp_eth_create(), but also handle the intermediate step where only the
session or the netdevice has been registered.

We can't just call l2tp_session_register() in ->ndo_init() because
we'd have no way to properly undo this operation in ->ndo_uninit().
Instead, let's register the session and the netdevice in two different
steps and protect the session's device pointer with RCU.

And now that we allow the session's .dev field to be NULL, we don't
need to prevent the netdevice from being removed anymore. So we can
drop the dev_hold() and dev_put() calls in l2tp_eth_create() and
l2tp_eth_dev_uninit().

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16:
 - Update another 'goto out' in l2tp_eth_create()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -51,7 +51,7 @@ struct l2tp_eth {
 
 /* via l2tp_session_priv() */
 struct l2tp_eth_sess {
-   struct net_device   *dev;
+   struct net_device __rcu *dev;
 };
 
 
@@ -69,7 +69,14 @@ static int l2tp_eth_dev_init(struct net_
 
 static void l2tp_eth_dev_uninit(struct net_device *dev)
 {
-   dev_put(dev);
+   struct l2tp_eth *priv = netdev_priv(dev);
+   struct l2tp_eth_sess *spriv;
+
+   spriv = l2tp_session_priv(priv->session);
+   RCU_INIT_POINTER(spriv->dev, NULL);
+   /* No need for synchronize_net() here. We're called by
+* unregister_netdev*(), which does the synchronisation for us.
+*/
 }
 
 static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
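
Review bot: l2tp_eth_dev_uninit() now dereferences priv->session unconditionally, which is only safe if priv->session is assigned before register_netdevice() can fail and call ->ndo_uninit(). The part of l2tp_eth_create() that sets it is cut off in this copy; please confirm the ordering there, or add a NULL check before l2tp_session_priv(priv->session).
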
@@ -123,8 +130,8 @@ static void l2tp_eth_dev_setup(struct ne
 static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff 
*skb, int data_len)
 {
struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-   struct net_device *dev = spriv->dev;
-   struct l2tp_eth *priv = netdev_priv(dev);
+   struct net_device *dev;
+   struct l2tp_eth *priv;
 
if (session->debug & L2TP_MSG_DATA) {
unsigned int length;
@@ -148,16 +155,25 @@ static void l2tp_eth_dev_recv(struct l2t
skb_dst_drop(skb);
nf_reset(skb);
 
+   rcu_read_lock();
+   dev = rcu_dereference(spriv->dev);
+   if (!dev)
+   goto error_rcu;
+
+   priv = netdev_priv(dev);
if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
atomic_long_inc(>rx_packets);
atomic_long_add(data_len, >rx_bytes);
} else {
atomic_long_inc(>rx_errors);
}
+   rcu_read_unlock();
+
return;
 
+error_rcu:
+   rcu_read_unlock();
 error:
-   atomic_long_inc(>rx_errors);
kfree_skb(skb);
 }
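
Review bot: the "error:" path of l2tp_eth_dev_recv() loses its rx_errors increment, so packets dropped there, and the new "error_rcu:" drops when spriv->dev is NULL, are no longer counted anywhere. priv cannot be used before the RCU lookup, which explains the removal, but the changelog should say that these drops became silent.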
 
@@ -168,11 +184,15 @@ static void l2tp_eth_delete(struct l2tp_
 
if (session) {
spriv = l2tp_session_priv(session);
-   dev = spriv->dev;
+
+   rtnl_lock();
+   dev = rtnl_dereference(spriv->dev);
if (dev) {
-   unregister_netdev(dev);
-   spriv->dev = NULL;
+   unregister_netdevice(dev);
+   rtnl_unlock();
module_put(THIS_MODULE);
+   } else {
+   rtnl_unlock();
}
}
 }
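
Review bot: in l2tp_eth_delete() rtnl_unlock() is repeated in both branches of "if (dev)" only so that module_put() runs outside the lock. Unlocking once after the unregister_netdevice() branch and calling module_put(THIS_MODULE) under a second "if (dev)" check reads more simply; dev is only compared there, not dereferenced.
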
@@ -182,9 +202,20 @@ static void l2tp_eth_show(struct seq_fil
 {
struct l2tp_session *session = arg;
struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-   struct net_device *dev = spriv->dev;
+   struct net_device *dev;
+
+   rcu_read_lock();
+   dev = rcu_dereference(spriv->dev);
+   if (!dev) {
+   rcu_read_unlock();
+   return;
+   }
+   dev_hold(dev);
+   rcu_read_unlock();
 
seq_printf(m, "   interface %s\n", dev->name);
+
+   dev_put(dev);
 }
 #endif
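
Review bot: l2tp_eth_show() takes dev_hold()/dev_put() only to print dev->name. seq_printf() does not sleep, so the rcu_read_lock() section could be extended over the seq_printf() call and the reference counting dropped, leaving a single rcu_read_unlock() at the end.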
 
@@ -204,7 +235,7 @@ static int l2tp_eth_create(struct net *n
if (dev) {
dev_put(dev);
rc = -EEXIST;
-   goto out;
+   goto err;
}
strlcpy(name, cfg->ifname, IFNAMSIZ);
} else
@@ -214,20 +245,13 @@ static int l2tp_eth_create(struct net *n
  peer_session_id, cfg);
if (IS_ERR(session)) {
rc = PTR_ERR(session);
-   goto out;
-   }
-
-   

[PATCH 3.16 025/136] IB/srp: Avoid that a cable pull can trigger a kernel crash

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream.

This patch fixes the following kernel crash:

general protection fault:  [#1] PREEMPT SMP
Workqueue: ib_mad2 timeout_sends [ib_core]
Call Trace:
 ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core]
 send_handler+0xb2/0xd0 [ib_core]
 timeout_sends+0x14d/0x220 [ib_core]
 process_one_work+0x200/0x630
 worker_thread+0x4e/0x3b0
 kthread+0x113/0x150

Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Signed-off-by: Bart Van Assche 
Reviewed-by: Sagi Grimberg 
Signed-off-by: Doug Ledford 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -600,12 +600,19 @@ static void srp_path_rec_completion(int
 
 static int srp_lookup_path(struct srp_target_port *target)
 {
-   int ret;
+   int ret = -ENODEV;
 
target->path.numb_path = 1;
 
init_completion(>done);
 
+   /*
+* Avoid that the SCSI host can be removed by srp_remove_target()
+* before srp_path_rec_completion() is called.
+*/
+   if (!scsi_host_get(target->scsi_host))
+   goto out;
+
target->path_query_id = ib_sa_path_rec_get(_sa_client,
   
target->srp_host->srp_dev->dev,
   target->srp_host->port,
@@ -619,18 +626,24 @@ static int srp_lookup_path(struct srp_ta
   GFP_KERNEL,
   srp_path_rec_completion,
   target, >path_query);
-   if (target->path_query_id < 0)
-   return target->path_query_id;
+   ret = target->path_query_id;
+   if (ret < 0)
+   goto put;
 
ret = wait_for_completion_interruptible(>done);
if (ret < 0)
return ret;
 
-   if (target->status < 0)
+   ret = target->status;
+   if (ret < 0)
shost_printk(KERN_WARNING, target->scsi_host,
 PFX "Path record query failed\n");
 
-   return target->status;
+put:
+   scsi_host_put(target->scsi_host);
+
+out:
+   return ret;
 }
 
 static int srp_send_req(struct srp_target_port *target)
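
Review bot: the unchanged "if (ret < 0) return ret;" after wait_for_completion_interruptible() now leaks the reference taken by the new scsi_host_get(), because it returns without reaching the "put:" label. It should become "goto put;" like the path_query_id error path just above it. If the early return is intentional because the path query can still complete after an interrupted wait, that needs a comment and a matching scsi_host_put() on the completion side.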



[PATCH 3.16 030/136] f2fs: expose some sectors to user in inline data or dentry case

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jaegeuk Kim 

commit 5b4267d195dd887c4412e34b5a7365baa741b679 upstream.

If there's some data written through inline data or dentry, we need to show
st_blocks. This fixes reporting zero blocks even though there is small written
data.

Reviewed-by: Chao Yu 
[Jaegeuk Kim: avoid link file for quotacheck]
Signed-off-by: Jaegeuk Kim 
[bwh: Backported to 3.16:
 - Inline dentries are not supported
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -460,6 +460,11 @@ int f2fs_getattr(struct vfsmount *mnt,
struct inode *inode = dentry->d_inode;
generic_fillattr(inode, stat);
stat->blocks <<= 3;
+
+   /* we need to show initial sectors used for inline_data/dentries */
+   if (S_ISREG(inode->i_mode) && f2fs_has_inline_data(inode))
+   stat->blocks += (stat->size + 511) >> 9;
+
return 0;
 }
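
Review bot: the added comment says "inline_data/dentries", but the condition only covers regular files with inline data (S_ISREG() && f2fs_has_inline_data()), and the backport note states that inline dentries are not supported in 3.16. The comment should drop the dentry mention on this branch so that it matches what the code does.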
 



[PATCH 3.16 024/136] IB/srpt: Do not accept invalid initiator port names

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit c70ca38960399a63d5c048b7b700612ea321d17e upstream.

Make srpt_parse_i_port_id() return a negative value if hex2bin()
fails.

Fixes: commit a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
Signed-off-by: Bart Van Assche 
Signed-off-by: Doug Ledford 
Signed-off-by: Ben Hutchings 
---
 drivers/infiniband/ulp/srpt/ib_srpt.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -3521,7 +3521,7 @@ static int srpt_parse_i_port_id(u8 i_por
 {
const char *p;
unsigned len, count, leading_zero_bytes;
-   int ret, rc;
+   int ret;
 
p = name;
if (strnicmp(p, "0x", 2) == 0)
@@ -3533,10 +3533,9 @@ static int srpt_parse_i_port_id(u8 i_por
count = min(len / 2, 16U);
leading_zero_bytes = 16 - count;
memset(i_port_id, 0, leading_zero_bytes);
-   rc = hex2bin(i_port_id + leading_zero_bytes, p, count);
-   if (rc < 0)
-   pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc);
-   ret = 0;
+   ret = hex2bin(i_port_id + leading_zero_bytes, p, count);
+   if (ret < 0)
+   pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", ret);
 out:
return ret;
 }
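
Review bot: with ret now carrying the hex2bin() result a bad hex digit is rejected, but "count = min(len / 2, 16U)" in the context above still caps the conversion at 16 bytes, so a name with more than 32 hex digits is accepted with its tail ignored. If the goal is to refuse invalid initiator port names, an explicit length check before the conversion would close that gap. pr_debug() is also easy to miss for input that is now being rejected.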
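
The return-value change in the srpt patch above, as an added user-space example (not the driver's code and not part of the original mail): it re-creates the conversion visible in the hunks and compares what the caller sees before and after the fix. hex2bin_user(), parse_i_port_id() and the MODE_* names are hypothetical stand-ins, and MODE_STRICT goes beyond the patch by assuming that empty, odd-length and over-long names should be refused.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>	/* strncasecmp() */

#define PORT_ID_LEN 16	/* the hunks compute 16 - count leading zero bytes */

/* Hypothetical names for the three behaviours being compared. */
enum parse_mode { MODE_PRE_PATCH, MODE_PATCHED, MODE_STRICT };

static int hex_val(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/* User-space stand-in for the kernel's hex2bin():
 * 0 on success, negative on a non-hex digit. */
static int hex2bin_user(uint8_t *dst, const char *src, size_t count)
{
	while (count--) {
		int hi = hex_val(src[0]);
		int lo = hex_val(src[1]);

		if (hi < 0 || lo < 0)
			return -1;
		*dst++ = (uint8_t)((hi << 4) | lo);
		src += 2;
	}
	return 0;
}

int parse_i_port_id(uint8_t id[PORT_ID_LEN], const char *name,
		    enum parse_mode mode)
{
	const char *p = name;
	size_t len, count, leading_zero_bytes;
	int rc;

	if (strncasecmp(p, "0x", 2) == 0)
		p += 2;
	len = strlen(p);

	/* Assumption, not taken from the visible hunks: strict mode refuses
	 * names that would otherwise be padded or silently truncated. */
	if (mode == MODE_STRICT &&
	    (len == 0 || len % 2 || len > 2 * PORT_ID_LEN))
		return -1;

	count = len / 2 < PORT_ID_LEN ? len / 2 : PORT_ID_LEN;
	leading_zero_bytes = PORT_ID_LEN - count;
	memset(id, 0, leading_zero_bytes);
	rc = hex2bin_user(id + leading_zero_bytes, p, count);

	if (mode == MODE_PRE_PATCH)
		return 0;	/* failure was only logged; caller saw success */
	return rc;		/* patched flow: conversion errors propagate */
}

int main(void)
{
	/* Constructed sample names, not taken from the page. */
	static const char *const names[] = {
		"0x0102",
		"0xzz01",
		"0102030405060708090a0b0c0d0e0f10ff",
	};
	uint8_t id[PORT_ID_LEN];
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-36s pre-patch=%d patched=%d strict=%d\n", names[i],
		       parse_i_port_id(id, names[i], MODE_PRE_PATCH),
		       parse_i_port_id(id, names[i], MODE_PATCHED),
		       parse_i_port_id(id, names[i], MODE_STRICT));
	return 0;
}
```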



[PATCH 3.16 036/136] l2tp: initialise PPP sessions before registering them

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c upstream.

pppol2tp_connect() initialises L2TP sessions after they've been exposed
to the rest of the system by l2tp_session_register(). This puts
sessions into transient states that are the source of several races, in
particular with session's deletion path.

This patch centralises the initialisation code into
pppol2tp_session_init(), which is called before the registration phase.
The only field that can't be set before session registration is the
pppol2tp socket pointer, which has already been converted to RCU. So
pppol2tp_connect() should now be race-free.

The session's .session_close() callback is now set before registration.
Therefore, it's always called when l2tp_core deletes the session, even
if it was created by pppol2tp_session_create() and hasn't been plugged
to a pppol2tp socket yet. That'd prevent session free because the extra
reference taken by pppol2tp_session_close() wouldn't be dropped by the
socket's ->sk_destruct() callback (pppol2tp_session_destruct()).
We could set .session_close() only while connecting a session to its
pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a
reference when the session isn't connected, but that'd require adding
some form of synchronisation to be race free.

Instead of that, we can just let the pppol2tp socket hold a reference
on the session as soon as it starts depending on it (that is, in
pppol2tp_connect()). Then we don't need to utilise
pppol2tp_session_close() to hold a reference at the last moment to
prevent l2tp_core from dropping it.

When releasing the socket, pppol2tp_release() now deletes the session
using the standard l2tp_session_delete() function, instead of merely
removing it from hash tables. l2tp_session_delete() drops the reference
the session holds on itself, but also makes sure it doesn't remove a
session twice. So it can safely be called, even if l2tp_core already
tried, or is concurrently trying, to remove the session.
Finally, pppol2tp_session_destruct() drops the reference held by the
socket.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_ppp.c | 69 +
 1 file changed, 38 insertions(+), 31 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -468,9 +468,6 @@ static void pppol2tp_session_close(struc
inet_shutdown(sk->sk_socket, SEND_SHUTDOWN);
sock_put(sk);
}
-
-   /* Don't let the session go away before our socket does */
-   l2tp_session_inc_refcount(session);
 }
 
 /* Really kill the session socket. (Called from sock_put() if
@@ -526,8 +523,7 @@ static int pppol2tp_release(struct socke
if (session != NULL) {
struct pppol2tp_session *ps;
 
-   __l2tp_session_unhash(session);
-   l2tp_session_queue_purge(session);
+   l2tp_session_delete(session);
 
ps = l2tp_session_priv(session);
mutex_lock(>sk_lock);
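
Review bot: pppol2tp_release() keeps using session after l2tp_session_delete() (l2tp_session_priv(session) and the sk_lock mutex on the following lines), while the changelog says l2tp_session_delete() drops the reference the session holds on itself. That is only safe because of the socket's own reference taken in pppol2tp_connect(); a short comment here naming the reference that keeps the session alive would make the dependency explicit.
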
@@ -619,6 +615,35 @@ static void pppol2tp_show(struct seq_fil
 }
 #endif
 
+static void pppol2tp_session_init(struct l2tp_session *session)
+{
+   struct pppol2tp_session *ps;
+   struct dst_entry *dst;
+
+   session->recv_skb = pppol2tp_recv;
+   session->session_close = pppol2tp_session_close;
+#if IS_ENABLED(CONFIG_L2TP_DEBUGFS)
+   session->show = pppol2tp_show;
+#endif
+
+   ps = l2tp_session_priv(session);
+   mutex_init(>sk_lock);
+   ps->tunnel_sock = session->tunnel->sock;
+   ps->owner = current->pid;
+
+   /* If PMTU discovery was enabled, use the MTU that was discovered */
+   dst = sk_dst_get(session->tunnel->sock);
+   if (dst) {
+   u32 pmtu = dst_mtu(dst);
+
+   if (pmtu) {
+   session->mtu = pmtu - PPPOL2TP_HEADER_OVERHEAD;
+   session->mru = pmtu - PPPOL2TP_HEADER_OVERHEAD;
+   }
+   dst_release(dst);
+   }
+}
+
 /* connect() handler. Attach a PPPoX socket to a tunnel UDP socket
  */
 static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
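
Review bot: in pppol2tp_session_init() "pmtu - PPPOL2TP_HEADER_OVERHEAD" is computed on a u32 and guarded only by "if (pmtu)", so a discovered MTU smaller than the header overhead wraps instead of being ignored. Testing "if (pmtu > PPPOL2TP_HEADER_OVERHEAD)" would avoid storing a bogus mtu/mru.
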
@@ -630,7 +655,6 @@ static int pppol2tp_connect(struct socke
struct l2tp_session *session = NULL;
struct l2tp_tunnel *tunnel;
struct pppol2tp_session *ps;
-   struct dst_entry *dst;
struct l2tp_session_cfg cfg = { 0, };
int error = 0;
u32 tunnel_id, peer_tunnel_id;
@@ -775,8 +799,8 @@ static int pppol2tp_connect(struct socke
goto end;
}
 
+   pppol2tp_session_init(session);
ps = l2tp_session_priv(session);
-   

[PATCH 3.16 021/136] USB: serial: metro-usb: stop I/O after failed open

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johan Hovold 

commit 2339536d229df25c71c0900fc619289229bfecf6 upstream.

Make sure to kill the interrupt-in URB after a failed open request.
Apart from saving power (and avoiding stale input after a later
successful open), this also prevents a NULL-deref in the completion
handler if the port is manually unbound.

Reviewed-by: Greg Kroah-Hartman 
Fixes: 704577861d5e ("USB: serial: metro-usb: get data from device in Uni-Directional mode.")
Signed-off-by: Johan Hovold 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 drivers/usb/serial/metro-usb.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/usb/serial/metro-usb.c
+++ b/drivers/usb/serial/metro-usb.c
@@ -217,7 +217,7 @@ static int metrousb_open(struct tty_stru
dev_err(>dev,
"%s - failed submitting interrupt in urb, error 
code=%d\n",
__func__, result);
-   goto exit;
+   return result;
}
 
/* Send activate cmd to device */
@@ -226,11 +226,16 @@ static int metrousb_open(struct tty_stru
dev_err(>dev,
"%s - failed to configure device, error code=%d\n",
__func__, result);
-   goto exit;
+   goto err_kill_urb;
}
 
dev_dbg(>dev, "%s - port open\n", __func__);
-exit:
+
+   return 0;
+
+err_kill_urb:
+   usb_kill_urb(port->interrupt_in_urb);
+
return result;
 }
 



[PATCH 3.16 059/136] powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Shriya 

commit cd77b5ce208c153260ed7882d8910f2395bfaabd upstream.

The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which
returns the last frequency requested by the kernel, but may not
reflect the actual frequency the processor is running at. This patch
makes a call to cpufreq_get() instead which returns the current
frequency reported by the hardware.

Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()")
Signed-off-by: Shriya 
Signed-off-by: Michael Ellerman 
Signed-off-by: Ben Hutchings 
---
 arch/powerpc/platforms/powernv/setup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/platforms/powernv/setup.c
+++ b/arch/powerpc/platforms/powernv/setup.c
@@ -309,7 +309,7 @@ unsigned long pnv_get_proc_freq(unsigned
 {
unsigned long ret_freq;
 
-   ret_freq = cpufreq_quick_get(cpu) * 1000ul;
+   ret_freq = cpufreq_get(cpu) * 1000ul;
 
/*
 * If the backend cpufreq driver does not exist,
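
Review bot: cpufreq_get() in pnv_get_proc_freq() asks the driver for the current frequency and can sleep, where cpufreq_quick_get() only returned the cached policy value, so every /proc/cpuinfo read now costs one driver query per CPU; a comment that this function must only be called from process context would make that constraint visible to future callers.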



[PATCH 3.16 027/136] fs/9p: Compare qid.path in v9fs_test_inode

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tuomas Tynkkynen 

commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream.

Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details
and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked()
instead of iget_locked(). However, the test() callback is not checking
fid.path at all, which means that a lookup in the inode cache can now
accidentally locate a completely wrong inode from the same inode hash
bucket if the other fields (qid.type and qid.version) match.

Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.")
Reviewed-by: Latchesar Ionkov 
Signed-off-by: Tuomas Tynkkynen 
Signed-off-by: Al Viro 
Signed-off-by: Ben Hutchings 
---
 fs/9p/vfs_inode.c  | 3 +++
 fs/9p/vfs_inode_dotl.c | 3 +++
 2 files changed, 6 insertions(+)

--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode
 
if (v9inode->qid.type != st->qid.type)
return 0;
+
+   if (v9inode->qid.path != st->qid.path)
+   return 0;
return 1;
 }
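
Review bot: the new qid.path comparison in v9fs_test_inode() sits after the qid.type check and runs straight into `return 1;` with no blank line; since the path is the field that tells apart two files landing in the same hash bucket, testing it first would reject a mismatch on the first compare, and a blank line before the final return would match the separation used above it.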
 
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i
 
if (v9inode->qid.type != st->qid.type)
return 0;
+
+   if (v9inode->qid.path != st->qid.path)
+   return 0;
return 1;
 }
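
Review bot: v9fs_test_inode_dotl() gets the same three lines as v9fs_test_inode(), so the two test() callbacks now carry the same qid checks in separate files; a small shared helper that compares the qid fields would keep a future field from being added to only one of them, which matters here because a missed comparison means a lookup can hand back another file's inode.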
 



[PATCH 3.16 056/136] powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tyrel Datwyler 

commit b8f89fea599d91e674497aad572613eb63181f31 upstream.

When a vdevice is DLPAR removed from the system the vio subsystem
doesn't bother unmapping the virq from the irq_domain. As a result we
have a virq mapped to a hardware irq that is no longer valid for the
irq_domain. A side effect is that we are left with /proc/irq/
affinity entries, and attempts to modify the smp_affinity of the irq
will fail.

In the following observed example the kernel log is spammed by
ics_rtas_set_affinity errors after the removal of a VSCSI adapter.
This is a result of irqbalance trying to adjust the affinity every 10
seconds.

  rpadlpar_io: slot U8408.E8E.10A7ACV-V5-C25 removed
  ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3
  ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3

This patch fixes the issue by calling irq_dispose_mapping() on the
virq of the viodev on unregister.

Fixes: f2ab6219969f ("powerpc/pseries: Add PFO support to the VIO bus")
Signed-off-by: Tyrel Datwyler 
Signed-off-by: Michael Ellerman 
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings 
---
 arch/powerpc/kernel/vio.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/powerpc/kernel/vio.c
+++ b/arch/powerpc/kernel/vio.c
@@ -1572,6 +1572,8 @@ static struct device_attribute vio_dev_a
 void vio_unregister_device(struct vio_dev *viodev)
 {
device_unregister(>dev);
+   if (viodev->family == VDEVICE)
+   irq_dispose_mapping(viodev->irq);
 }
 EXPORT_SYMBOL(vio_unregister_device);
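
Review bot: vio_unregister_device() reads viodev->family and viodev->irq after device_unregister() has returned, and that call can drop the last reference to the device, so if the release callback frees the vio_dev these two loads touch freed memory. Copy the family and irq into locals before calling device_unregister() and use the locals for the irq_dispose_mapping() call.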
 



[PATCH 3.16 038/136] bcache: only permit to recovery read error when cache device is clean

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Coly Li 

commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream.

When bcache does read I/Os, for example in writeback or writethrough mode,
if a read request on cache device is failed, bcache will try to recovery
the request by reading from cached device. If the data on cached device is
not synced with cache device, then requester will get a stale data.

For critical storage system like database, providing stale data from
recovery may result an application level data corruption, which is
unacceptable.

With this patch, for a failed read request in writeback or writethrough
mode, recovery a recoverable read request only happens when cache device
is clean. That is to say, all data on cached device is up to update.

For other cache modes in bcache, read request will never hit
cached_dev_read_error(), they don't need this patch.

Please note, because cache mode can be switched arbitrarily in run time, a
writethrough mode might be switched from a writeback mode. Therefore
checking dc->has_data in writethrough mode still makes sense.

Changelog:
V4: Fix parens error pointed by Michael Lyle.
v3: By response from Kent Overstreet, he thinks recovering stale data is a
bug to fix, and option to permit it is unnecessary. So this version
the sysfs file is removed.
v2: rename sysfs entry from allow_stale_data_on_failure  to
allow_stale_data_on_failure, and fix the confusing commit log.
v1: initial patch posted.

[small change to patch comment spelling by mlyle]

Signed-off-by: Coly Li 
Signed-off-by: Michael Lyle 
Reported-by: Arne Wolf 
Reviewed-by: Michael Lyle 
Cc: Kent Overstreet 
Cc: Nix 
Cc: Kai Krakow 
Cc: Eric Wheeler 
Cc: Junhui Tang 
Signed-off-by: Jens Axboe 
Signed-off-by: Ben Hutchings 
---
 drivers/md/bcache/request.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -698,8 +698,16 @@ static void cached_dev_read_error(struct
 {
struct search *s = container_of(cl, struct search, cl);
struct bio *bio = >bio.bio;
+   struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
 
-   if (s->recoverable) {
+   /*
+* If cache device is dirty (dc->has_dirty is non-zero), then
+* recovery a failed read request from cached device may get a
+* stale data back. So read failure recovery is only permitted
+* when cache device is clean.
+*/
+   if (s->recoverable &&
+   (dc && !atomic_read(>has_dirty))) {
/* Retry from the backing device: */
trace_bcache_read_retry(s->orig_bio);
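
Review bot: in cached_dev_read_error() the `dc &&` half of the new condition can never be false, because container_of() only subtracts a constant offset from s->d and does not yield NULL for a valid pointer; drop it so the condition is just s->recoverable plus the has_dirty test. The commit message also refers to dc->has_data while the code and its comment test has_dirty, so the two should be made to agree.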
 



[PATCH 3.16 026/136] tpm-dev-common: Reject too short writes

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alexander Steffen 

commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream.

tpm_transmit() does not offer an explicit interface to indicate the number
of valid bytes in the communication buffer. Instead, it relies on the
commandSize field in the TPM header that is encoded within the buffer.
Therefore, ensure that a) enough data has been written to the buffer, so
that the commandSize field is present and b) the commandSize field does not
announce more data than has been written to the buffer.

This should have been fixed with CVE-2011-1161 long ago, but apparently
a correct version of that patch never made it into the kernel.

Signed-off-by: Alexander Steffen 
Reviewed-by: Jarkko Sakkinen 
Tested-by: Jarkko Sakkinen 
Signed-off-by: Jarkko Sakkinen 
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings 
---
 drivers/char/tpm/tpm-dev.c | 6 ++
 1 file changed, 6 insertions(+)

--- a/drivers/char/tpm/tpm-dev.c
+++ b/drivers/char/tpm/tpm-dev.c
@@ -139,6 +139,12 @@ static ssize_t tpm_write(struct file *fi
return -EFAULT;
}
 
+   if (in_size < 6 ||
+   in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2 {
+   mutex_unlock(>buffer_mutex);
+   return -EINVAL;
+   }
+
/* atomic tpm command send and result receive */
out_size = tpm_transmit(priv->chip, priv->data_buffer,
sizeof(priv->data_buffer));
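
Review bot: the new check in tpm_write() reads commandSize by casting priv->data_buffer + 2 to a __be32 pointer, which is a 32-bit load from an address that need not be 4-byte aligned; get_unaligned_be32() states the intent and is safe on strict-alignment architectures. The literals 6 and 2 encode the header layout (a 2-byte tag followed by the 4-byte commandSize), so named constants or a comment would help, and the comment should say that this check is what keeps tpm_transmit(), which is still handed sizeof(priv->data_buffer), from acting on bytes past in_size.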



[PATCH 3.16 022/136] bcache: check ca->alloc_thread initialized before wake up it

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Coly Li 

commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream.

In bcache code, sysfs entries are created before all resources get
allocated, e.g. allocation thread of a cache set.

There is possibility for NULL pointer dereference if a resource is accessed
but which is not initialized yet. Indeed Jorg Bornschein catches one on
cache set allocation thread and gets a kernel oops.

The reason for this bug is, when bch_bucket_alloc() is called during
cache set registration and attaching, ca->alloc_thread is not properly
allocated and initialized yet, call wake_up_process() on ca->alloc_thread
triggers NULL pointer dereference failure. A simple and fast fix is, before
waking up ca->alloc_thread, checking whether it is allocated, and only
wake up ca->alloc_thread when it is not NULL.

Signed-off-by: Coly Li 
Reported-by: Jorg Bornschein 
Cc: Kent Overstreet 
Reviewed-by: Michael Lyle 
Signed-off-by: Jens Axboe 
Signed-off-by: Ben Hutchings 
---
 drivers/md/bcache/alloc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/alloc.c
+++ b/drivers/md/bcache/alloc.c
@@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca,
 
finish_wait(>set->bucket_wait, );
 out:
-   wake_up_process(ca->alloc_thread);
+   if (ca->alloc_thread)
+   wake_up_process(ca->alloc_thread);
 
trace_bcache_alloc(ca, reserve);
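
Review bot: the NULL test at out: in bch_bucket_alloc() loads ca->alloc_thread twice with no ordering against the code that assigns it, so read the pointer once into a local and wake that. The check also treats the symptom: per the commit message the sysfs entries exist before the allocator thread does, and a comment here should say so until the registration order itself is fixed.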
 



[PATCH 3.16 052/136] coda: fix 'kernel memory exposure attempt' in fsync

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jan Harkes 

commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream.

When an application called fsync on a file in Coda a small request with
just the file identifier was allocated, but the declared length was set
to the size of union of all possible upcall requests.

This bug has been around for a very long time and is now caught by the
extra checking in usercopy that was introduced in Linux-4.8.

The exposure happens when the Coda cache manager process reads the fsync
upcall request at which point it is killed. As a result there is nobody
servicing any further upcalls, trapping any processes that try to access
the mounted Coda filesystem.

Signed-off-by: Jan Harkes 
Signed-off-by: Al Viro 
Signed-off-by: Ben Hutchings 
---
 fs/coda/upcall.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/coda/upcall.c
+++ b/fs/coda/upcall.c
@@ -446,8 +446,7 @@ int venus_fsync(struct super_block *sb,
UPARG(CODA_FSYNC);
 
inp->coda_fsync.VFid = *fid;
-   error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs),
-   , inp);
+   error = coda_upcall(coda_vcp(sb), insize, , inp);
 
CODA_FREE(inp, insize);
return error;
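
Review bot: the call in venus_fsync() now passes insize, the same length handed to CODA_FREE() two lines later, but the visible context does not show where insize is assigned; please confirm it is set to the fsync request size before UPARG(CODA_FSYNC), and check any other upcall wrappers in this file for the same sizeof(union inputArgs) pattern, since a declared length larger than the allocation is what exposed adjacent kernel memory to the reader.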



[PATCH 3.16 070/136] MIPS: Fix an n32 core file generation regset support regression

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: "Maciej W. Rozycki" 

commit 547da673173de51f73887377eb275304775064ad upstream.

Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF
core dumper to use regsets.)", that caused n32 processes to dump o32
core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file
header's `e_flags' member:

$ file tls-core
tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), 
[...]
$ ./tls-core
Aborted (core dumped)
$ file core
core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style
$

Previously the flag was set as the result of a:

statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the
regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is
no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the
`->e_flags' member of the regset view chosen is.  We have the views
defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64
one, and the latter is used for n32 as well.  Consequently an o32 core
file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class
is chosen elsewhere, and the 32-bit one is correctly selected for n32).

Correct the issue then by defining an n32 regset view and using it as
appropriate.  Issue discovered in GDB testing.

Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.")
Signed-off-by: Maciej W. Rozycki 
Cc: Ralf Baechle 
Cc: Djordje Todorovic 
Cc: linux-m...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/17617/
Signed-off-by: James Hogan 
Signed-off-by: Ben Hutchings 
---
 arch/mips/kernel/ptrace.c | 17 +
 1 file changed, 17 insertions(+)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -522,6 +522,19 @@ static const struct user_regset_view use
.n  = ARRAY_SIZE(mips64_regsets),
 };
 
+#ifdef CONFIG_MIPS32_N32
+
+static const struct user_regset_view user_mipsn32_view = {
+   .name   = "mipsn32",
+   .e_flags= EF_MIPS_ABI2,
+   .e_machine  = ELF_ARCH,
+   .ei_osabi   = ELF_OSABI,
+   .regsets= mips64_regsets,
+   .n  = ARRAY_SIZE(mips64_regsets),
+};
+
+#endif /* CONFIG_MIPS32_N32 */
+
 #endif /* CONFIG_64BIT */
 
 const struct user_regset_view *task_user_regset_view(struct task_struct *task)
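
Review bot: user_mipsn32_view points .regsets at mips64_regsets without saying why; a comment above the struct noting that n32 shares the 64-bit register sets and differs from the n64 view in its name and in e_flags (EF_MIPS_ABI2) would stop someone from later folding the two views back together.
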
@@ -533,6 +546,10 @@ const struct user_regset_view *task_user
if (test_tsk_thread_flag(task, TIF_32BIT_REGS))
return _mips_view;
 #endif
+#ifdef CONFIG_MIPS32_N32
+   if (test_tsk_thread_flag(task, TIF_32BIT_ADDR))
+   return _mipsn32_view;
+#endif
return _mips64_view;
 #endif
 }
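
Review bot: in task_user_regset_view() the new TIF_32BIT_ADDR test is placed after the TIF_32BIT_REGS test, and that order matters if o32 tasks also have TIF_32BIT_ADDR set; add a comment that the o32 check must stay first, or test both flags explicitly when selecting the n32 view.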



[PATCH 3.2 67/79] RDS: Heap OOB write in rds_message_alloc_sgs()

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mohamed Ghannam 

commit c095508770aebf1b9218e77026e48345d719b17c upstream.

When args->nr_local is 0, nr_pages gets also 0 due to some size
calculation via rds_rm_size(), which is later used to allocate
pages for DMA, this bug produces a heap Out-Of-Bound write access
to a specific memory region.

Signed-off-by: Mohamed Ghannam 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 net/rds/rdma.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_
 
local_vec = (struct rds_iovec __user *)(unsigned long) 
args->local_vec_addr;
 
+   if (args->nr_local == 0)
+   return -EINVAL;
+
/* figure out the number of pages in the vector */
for (i = 0; i < args->nr_local; i++) {
if (copy_from_user(, _vec[i],
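
Review bot: the zero check is added in rds_rdma_extra_size(), while the subject line names rds_message_alloc_sgs() as the place where the out-of-bounds write happens; rejecting nr_local == 0 here covers this path only, so consider also refusing a zero count at the allocation site. No upper bound on args->nr_local is visible in this hunk either; if one is not enforced earlier, the loop below deserves the same scrutiny.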


