[PATCH 3.19.y-ckt 136/196] KVM: arm/arm64: vgic: Ensure bitmaps are long enough

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Mark Rutland 

commit 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 upstream.

When we allocate bitmaps in vgic_vcpu_init_maps, we divide the number of
bits we need by 8 to figure out how many bytes to allocate. However,
bitmap elements are always accessed as unsigned longs, and if we didn't
happen to allocate a size such that size % sizeof(unsigned long) == 0,
bitmap accesses may go past the end of the allocation.

When using KASAN (which does byte-granular access checks), this results
in a continuous stream of BUGs whenever these bitmaps are accessed:

=
BUG kmalloc-128 (Tainted: GB  ): kasan: bad access detected
-

INFO: Allocated in vgic_init.part.25+0x55c/0x990 age=7493 cpu=3 pid=1730
INFO: Slab 0xffbde6d5da40 objects=16 used=15 fp=0xffc935769700 
flags=0x4080
INFO: Object 0xffc935769500 @offset=1280 fp=0x  (null)

CPU: 3 PID: 1740 Comm: kvm-vcpu-0 Tainted: GB   4.4.0+ #17
Hardware name: ARM Juno development board (r1) (DT)
Call trace:
[] dump_backtrace+0x0/0x280
[] show_stack+0x14/0x20
[] dump_stack+0x100/0x188
[] print_trailer+0xfc/0x168
[] object_err+0x3c/0x50
[] kasan_report_error+0x244/0x558
[] __asan_report_load8_noabort+0x48/0x50
[] __bitmap_or+0xc0/0xc8
[] kvm_vgic_flush_hwstate+0x1bc/0x650
[] kvm_arch_vcpu_ioctl_run+0x2ec/0xa60
[] kvm_vcpu_ioctl+0x474/0xa68
[] do_vfs_ioctl+0x5b8/0xcb0
[] SyS_ioctl+0x8c/0xa0
[] el0_svc_naked+0x24/0x28
Memory state around the buggy address:
 ffc935769400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffc935769480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffc935769500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ^
 ffc935769580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffc935769600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
==

Fix the issue by always allocating a multiple of sizeof(unsigned long),
as we do elsewhere in the vgic code.

Fixes: c1bfb577a ("arm/arm64: KVM: vgic: switch to dynamic allocation")
Acked-by: Marc Zyngier 
Acked-by: Christoffer Dall 
Signed-off-by: Mark Rutland 
Signed-off-by: Marc Zyngier 
Signed-off-by: Kamal Mostafa 
---
 virt/kvm/arm/vgic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/arm/vgic.c b/virt/kvm/arm/vgic.c
index 6bc5e2a..e88de55 100644
--- a/virt/kvm/arm/vgic.c
+++ b/virt/kvm/arm/vgic.c
@@ -1759,8 +1759,8 @@ void kvm_vgic_vcpu_destroy(struct kvm_vcpu *vcpu)
 static int vgic_vcpu_init_maps(struct kvm_vcpu *vcpu, int nr_irqs)
 {
struct vgic_cpu *vgic_cpu = >arch.vgic_cpu;
-
-   int sz = (nr_irqs - VGIC_NR_PRIVATE_IRQS) / 8;
+   int nr_longs = BITS_TO_LONGS(nr_irqs - VGIC_NR_PRIVATE_IRQS);
+   int sz = nr_longs * sizeof(unsigned long);
vgic_cpu->pending_shared = kzalloc(sz, GFP_KERNEL);
vgic_cpu->vgic_irq_lr_map = kmalloc(nr_irqs, GFP_KERNEL);
 
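Review bot: in vgic_vcpu_init_maps() the removed blank line means the nr_longs and sz declarations now run straight into the first kzalloc() call; keeping a blank line after the declarations would match kernel style. Since sz is now nr_longs * sizeof(unsigned long), the pending_shared allocation could also be written as kcalloc(nr_longs, sizeof(unsigned long), GFP_KERNEL), which states the element count and size directly and checks the multiplication for overflow. Both values stay int and nr_irqs - VGIC_NR_PRIVATE_IRQS is not range-checked in this hunk, so it is worth confirming that the caller guarantees nr_irqs >= VGIC_NR_PRIVATE_IRQS.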
-- 
2.7.0
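
The under-allocation described in the commit message above, worked through as an added example (not part of the patch or of the kernel tree): it compares the two size computations and models a word-granular bitmap walk to show which IRQ counts read past the allocation. The value 32 for VGIC_NR_PRIVATE_IRQS and the sampled nr_irqs range are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption for this example: 32 private IRQs per vCPU (value not on the page). */
#define VGIC_NR_PRIVATE_IRQS 32

#define BITS_PER_LONG    (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Allocation size before the fix: number of bits divided by 8, rounded down. */
static size_t sz_before(int nr_irqs)
{
    return (size_t)(nr_irqs - VGIC_NR_PRIVATE_IRQS) / 8;
}

/* Allocation size after the fix: a whole number of unsigned longs. */
static size_t sz_after(int nr_irqs)
{
    size_t nbits = (size_t)(nr_irqs - VGIC_NR_PRIVATE_IRQS);

    return BITS_TO_LONGS(nbits) * sizeof(unsigned long);
}

/*
 * Model of a word-granular bitmap walk (the access pattern of a routine
 * such as __bitmap_or()): every unsigned long that holds at least one of
 * the bits is loaded in full. Returns how many bytes of those loads lie
 * outside an allocation of `alloc` bytes.
 */
static size_t bytes_past_end(size_t alloc, int nr_irqs)
{
    size_t nbits = (size_t)(nr_irqs - VGIC_NR_PRIVATE_IRQS);
    size_t words = BITS_TO_LONGS(nbits);
    size_t past = 0;

    for (size_t k = 0; k < words; k++) {
        size_t start = k * sizeof(unsigned long);
        size_t end = start + sizeof(unsigned long);

        if (end > alloc)
            past += end - (start > alloc ? start : alloc);
    }
    return past;
}

/* Count the nr_irqs values in [lo, hi] whose allocation would be overrun. */
static int count_overruns(int lo, int hi, int step, size_t (*sz)(int))
{
    int n = 0;

    for (int i = lo; i <= hi; i += step)
        if (bytes_past_end(sz(i), i) > 0)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample range: 64..1024 IRQs in steps of 32. */
    for (int i = 64; i <= 160; i += 32)
        printf("nr_irqs=%4d before=%3zu (past end: %zu) after=%3zu (past end: %zu)\n",
               i, sz_before(i), bytes_past_end(sz_before(i), i),
               sz_after(i), bytes_past_end(sz_after(i), i));

    printf("overrun cases before the fix: %d\n",
           count_overruns(64, 1024, 32, sz_before));
    printf("overrun cases after the fix:  %d\n",
           count_overruns(64, 1024, 32, sz_after));
    return 0;
}
```
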



[PATCH 3.19.y-ckt 147/196] do_last(): don't let a bogus return value from ->open() et.al. to confuse us

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Al Viro 

commit c80567c82ae4814a41287618e315a60ecf513be6 upstream.

... into returning a positive to path_openat(), which would interpret that
as "symlink had been encountered" and proceed to corrupt memory, etc.
It can only happen due to a bug in some ->open() instance or in some LSM
hook, etc., so we report any such event *and* make sure it doesn't trick
us into further unpleasantness.

Signed-off-by: Al Viro 
Signed-off-by: Kamal Mostafa 
---
 fs/namei.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/fs/namei.c b/fs/namei.c
index f38cb09..6c363c9 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3124,6 +3124,10 @@ opened:
goto exit_fput;
}
 out:
+   if (unlikely(error > 0)) {
+   WARN_ON(1);
+   error = -EINVAL;
+   }
if (got_write)
mnt_drop_write(nd->path.mnt);
path_put(_parent);
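Review bot: at the out: label the new check can be collapsed, because WARN_ON() returns the truth value of its condition and already wraps it in unlikely(): if (WARN_ON(error > 0)) error = -EINVAL; written that way, the warning also carries the failing condition instead of a bare WARN_ON(1). If a buggy ->open() instance or LSM hook can hit this path repeatedly, WARN_ON_ONCE() would keep the log from being flooded while the return value is still clamped every time.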
-- 
2.7.0



[PATCH 3.19.y-ckt 161/196] net/ipv6: add sysctl option accept_ra_min_hop_limit

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Hangbin Liu 

[ Upstream commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 ]

Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
disabled accept hop limit from RA if it is smaller than the current hop
limit for security stuff. But this behavior kind of breaks the RFC definition.

RFC 4861, 6.3.4.  Processing Received Router Advertisements
   A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time,
   and Retrans Timer) may contain a value denoting that it is
   unspecified.  In such cases, the parameter should be ignored and the
   host should continue using whatever value it is already using.

   If the received Cur Hop Limit value is non-zero, the host SHOULD set
   its CurHopLimit variable to the received value.

So add sysctl option accept_ra_min_hop_limit to let user choose the minimum
hop limit value they can accept from RA. And set default to 1 to meet RFC
standards.

Signed-off-by: Hangbin Liu 
Acked-by: YOSHIFUJI Hideaki 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 Documentation/networking/ip-sysctl.txt |  8 
 include/linux/ipv6.h   |  1 +
 include/uapi/linux/ipv6.h  |  2 ++
 net/ipv6/addrconf.c| 10 ++
 net/ipv6/ndisc.c   | 16 +++-
 5 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt 
b/Documentation/networking/ip-sysctl.txt
index 85b0221..e8649ba 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1266,6 +1266,14 @@ accept_ra_from_local - BOOLEAN
   disabled if accept_ra_from_local is disabled
on a specific interface.
 
+accept_ra_min_hop_limit - INTEGER
+   Minimum hop limit Information in Router Advertisement.
+
+   Hop limit Information in Router Advertisement less than this
+   variable shall be ignored.
+
+   Default: 1
+
 accept_ra_pinfo - BOOLEAN
Learn Prefix Information in Router Advertisement.
 
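Review bot: the accept_ra_min_hop_limit entry gives no valid range and does not say what the setting trades off. The hop limit carried in a Router Advertisement is an 8-bit field, so stating the 0-255 range here would help, and since the commit message says the earlier restriction was added for security reasons, the text should note that the default of 1 accepts any non-zero hop limit from an RA and that raising the value sets a floor below which advertised hop limits are ignored.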
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index c694e7b..6eeeaf1 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -29,6 +29,7 @@ struct ipv6_devconf {
__s32   max_desync_factor;
__s32   max_addresses;
__s32   accept_ra_defrtr;
+   __s32   accept_ra_min_hop_limit;
__s32   accept_ra_pinfo;
 #ifdef CONFIG_IPV6_ROUTER_PREF
__s32   accept_ra_rtr_pref;
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index e863d08..55bb269 100644
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -165,6 +165,8 @@ enum {
DEVCONF_SUPPRESS_FRAG_NDISC,
DEVCONF_ACCEPT_RA_FROM_LOCAL,
DEVCONF_USE_OPTIMISTIC,
+   DEVCONF_USE_OIF_ADDRS_ONLY,
+   DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
DEVCONF_MAX
 };
 
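Review bot: this enum hunk adds DEVCONF_USE_OIF_ADDRS_ONLY as well as DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT, but the commit message only describes the latter and none of the visible hunks fill in array[DEVCONF_USE_OIF_ADDRS_ONLY]. Because these values live in include/uapi and fix the index user space sees, the changelog should say why the extra slot is reserved (for example to keep the numbering identical to upstream) and what value it reports.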
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 06b8921..ece842c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -188,6 +188,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
.max_addresses  = IPV6_MAX_ADDRESSES,
.accept_ra_defrtr   = 1,
.accept_ra_from_local   = 0,
+   .accept_ra_min_hop_limit= 1,
.accept_ra_pinfo= 1,
 #ifdef CONFIG_IPV6_ROUTER_PREF
.accept_ra_rtr_pref = 1,
@@ -225,6 +226,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly 
= {
.max_addresses  = IPV6_MAX_ADDRESSES,
.accept_ra_defrtr   = 1,
.accept_ra_from_local   = 0,
+   .accept_ra_min_hop_limit= 1,
.accept_ra_pinfo= 1,
 #ifdef CONFIG_IPV6_ROUTER_PREF
.accept_ra_rtr_pref = 1,
@@ -4353,6 +4355,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf 
*cnf,
array[DEVCONF_MAX_DESYNC_FACTOR] = cnf->max_desync_factor;
array[DEVCONF_MAX_ADDRESSES] = cnf->max_addresses;
array[DEVCONF_ACCEPT_RA_DEFRTR] = cnf->accept_ra_defrtr;
+   array[DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT] = cnf->accept_ra_min_hop_limit;
array[DEVCONF_ACCEPT_RA_PINFO] = cnf->accept_ra_pinfo;
 #ifdef CONFIG_IPV6_ROUTER_PREF
array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref;
@@ -5170,6 +5173,13 @@ static struct addrconf_sysctl_table
.proc_handler   = proc_dointvec,
},
{
+   .procname   = "accept_ra_min_hop_limit",
+   .data   = _devconf.accept_ra_min_hop_limit,
+   .maxlen = sizeof(int),
+   .mode   = 0644,
+   .proc_handler   = 
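Review bot: the new accept_ra_min_hop_limit table entry is writable (mode 0644) and backed by an __s32, and its handler line is cut off in this excerpt. If it is plain proc_dointvec like the entry directly above, negative values and values above 255 are accepted even though a hop limit is an 8-bit quantity; proc_dointvec_minmax with extra1/extra2 bounds would reject them at write time.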

[PATCH 3.19.y-ckt 149/196] target: Remove first argument of target_{get,put}_sess_cmd()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Bart Van Assche 

commit afc16604c06414223478df3e42301ab630b9960a upstream.

The first argument of these two functions is always identical
to se_cmd->se_sess. Hence remove the first argument.

Signed-off-by: Bart Van Assche 
Reviewed-by: Sagi Grimberg 
Reviewed-by: Christoph Hellwig 
Cc: Andy Grover 
Cc: 
Cc: Felipe Balbi 
Cc: Michael S. Tsirkin 
Signed-off-by: Nicholas Bellinger 
Signed-off-by: Kamal Mostafa 
---
 drivers/infiniband/ulp/isert/ib_isert.c  |  6 +++---
 drivers/infiniband/ulp/srpt/ib_srpt.c| 10 +-
 drivers/scsi/qla2xxx/tcm_qla2xxx.c   |  2 +-
 drivers/target/iscsi/iscsi_target.c  | 15 +++
 drivers/target/iscsi/iscsi_target_configfs.c |  2 +-
 drivers/target/iscsi/iscsi_target_util.c |  4 ++--
 drivers/target/target_core_tmr.c |  2 +-
 drivers/target/target_core_transport.c   | 20 ++--
 drivers/vhost/scsi.c |  2 +-
 include/target/target_core_fabric.h  |  4 ++--
 10 files changed, 33 insertions(+), 34 deletions(-)

diff --git a/drivers/infiniband/ulp/isert/ib_isert.c 
b/drivers/infiniband/ulp/isert/ib_isert.c
index 46563f1..0ef089e 100644
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1284,7 +1284,7 @@ sequence_cmd:
if (!rc && dump_payload == false && unsol_data)
iscsit_set_unsoliticed_dataout(cmd);
else if (dump_payload && imm_data)
-   target_put_sess_cmd(conn->sess->se_sess, >se_cmd);
+   target_put_sess_cmd(>se_cmd);
 
return 0;
 }
@@ -1701,7 +1701,7 @@ isert_put_cmd(struct isert_cmd *isert_cmd, bool comp_err)
cmd->se_cmd.t_state == TRANSPORT_WRITE_PENDING) {
struct se_cmd *se_cmd = >se_cmd;
 
-   target_put_sess_cmd(se_cmd->se_sess, se_cmd);
+   target_put_sess_cmd(se_cmd);
}
}
 
@@ -1870,7 +1870,7 @@ isert_completion_rdma_read(struct iser_tx_desc *tx_desc,
spin_unlock_bh(>istate_lock);
 
if (ret) {
-   target_put_sess_cmd(se_cmd->se_sess, se_cmd);
+   target_put_sess_cmd(se_cmd);
transport_send_check_condition_and_sense(se_cmd,
 se_cmd->pi_err, 0);
} else {
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c 
b/drivers/infiniband/ulp/srpt/ib_srpt.c
index eb694dd..9abc363 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1335,7 +1335,7 @@ static int srpt_abort_cmd(struct srpt_send_ioctx *ioctx)
 
BUG_ON(ch->sess == NULL);
 
-   target_put_sess_cmd(ch->sess, >cmd);
+   target_put_sess_cmd(>cmd);
goto out;
}
 
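Review bot: in srpt_abort_cmd() the BUG_ON(ch->sess == NULL) directly above the changed call was guarding the ch->sess argument that this hunk removes. With target_put_sess_cmd() now taking only the command, the BUG_ON no longer protects anything in the visible lines of this path and could be dropped in the same change.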
@@ -1366,11 +1366,11 @@ static int srpt_abort_cmd(struct srpt_send_ioctx *ioctx)
 * not been received in time.
 */
srpt_unmap_sg_to_ib_sge(ioctx->ch, ioctx);
-   target_put_sess_cmd(ioctx->ch->sess, >cmd);
+   target_put_sess_cmd(>cmd);
break;
case SRPT_STATE_MGMT_RSP_SENT:
srpt_set_cmd_state(ioctx, SRPT_STATE_DONE);
-   target_put_sess_cmd(ioctx->ch->sess, >cmd);
+   target_put_sess_cmd(>cmd);
break;
default:
WARN(1, "Unexpected command state (%d)", state);
@@ -1682,7 +1682,7 @@ static int srpt_check_stop_free(struct se_cmd *cmd)
struct srpt_send_ioctx *ioctx = container_of(cmd,
struct srpt_send_ioctx, cmd);
 
-   return target_put_sess_cmd(ioctx->ch->sess, >cmd);
+   return target_put_sess_cmd(>cmd);
 }
 
 /**
@@ -3079,7 +3079,7 @@ static void srpt_queue_response(struct se_cmd *cmd)
   ioctx->tag);
srpt_unmap_sg_to_ib_sge(ch, ioctx);
srpt_set_cmd_state(ioctx, SRPT_STATE_DONE);
-   target_put_sess_cmd(ioctx->ch->sess, >cmd);
+   target_put_sess_cmd(>cmd);
}
 }
 
diff --git a/drivers/scsi/qla2xxx/tcm_qla2xxx.c 
b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
index a82db70..c763ca5 100644
--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
@@ -422,7 +422,7 @@ static int tcm_qla2xxx_check_stop_free(struct se_cmd 
*se_cmd)
cmd->cmd_flags |= BIT_14;
}
 
-   return target_put_sess_cmd(se_cmd->se_sess, se_cmd);
+   return target_put_sess_cmd(se_cmd);
 }
 
 /* 

[PATCH 3.19.y-ckt 151/196] target: Fix TAS handling for multi-session se_node_acls

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Nicholas Bellinger 

commit ebde1ca5a908b10312db4ecd7553e3ba039319ab upstream.

This patch fixes a bug in TMR task aborted status (TAS)
handling when multiple sessions are connected to the
same target WWPN endpoint and se_node_acl descriptor,
resulting in TASK_ABORTED status to not be generated
for aborted se_cmds on the remote port.

This is due to core_tmr_handle_tas_abort() incorrectly
comparing se_node_acl instead of se_session, for which
the multi-session case is expected to be sharing the
same se_node_acl.

Instead, go ahead and update core_tmr_handle_tas_abort()
to compare tmr_sess + cmd->se_sess in order to determine
if the LUN_RESET was received on a different I_T nexus,
and TASK_ABORTED status response needs to be generated.

Reviewed-by: Christoph Hellwig 
Cc: Quinn Tran 
Cc: Himanshu Madhani 
Cc: Sagi Grimberg 
Cc: Hannes Reinecke 
Cc: Andy Grover 
Cc: Mike Christie 
Signed-off-by: Nicholas Bellinger 
Signed-off-by: Kamal Mostafa 
---
 drivers/target/target_core_tmr.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 546e8ce..19ef5e2 100644
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -79,7 +79,7 @@ void core_tmr_release_req(struct se_tmr_req *tmr)
 }
 
 static void core_tmr_handle_tas_abort(
-   struct se_node_acl *tmr_nacl,
+   struct se_session *tmr_sess,
struct se_cmd *cmd,
int tas)
 {
@@ -87,7 +87,7 @@ static void core_tmr_handle_tas_abort(
/*
 * TASK ABORTED status (TAS) bit support
 */
-   if ((tmr_nacl && (tmr_nacl != cmd->se_sess->se_node_acl)) && tas) {
+   if (tmr_sess && tmr_sess != cmd->se_sess && tas) {
remove = false;
transport_send_task_abort(cmd);
}
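Review bot: the comment above the changed condition in core_tmr_handle_tas_abort() still reads only "TASK ABORTED status (TAS) bit support" and does not explain the comparison. The commit message's reasoning (sessions sharing one se_node_acl must be told apart, so the test is whether the LUN_RESET arrived on a different I_T nexus than cmd->se_sess) belongs in that comment, along with the fact that a NULL tmr_sess never generates TASK_ABORTED.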
@@ -277,7 +277,7 @@ static void core_tmr_drain_tmr_list(
 static void core_tmr_drain_state_list(
struct se_device *dev,
struct se_cmd *prout_cmd,
-   struct se_node_acl *tmr_nacl,
+   struct se_session *tmr_sess,
int tas,
struct list_head *preempt_and_abort_list)
 {
@@ -368,7 +368,7 @@ static void core_tmr_drain_state_list(
cancel_work_sync(>work);
transport_wait_for_tasks(cmd);
 
-   core_tmr_handle_tas_abort(tmr_nacl, cmd, tas);
+   core_tmr_handle_tas_abort(tmr_sess, cmd, tas);
target_put_sess_cmd(cmd);
}
 }
@@ -381,6 +381,7 @@ int core_tmr_lun_reset(
 {
struct se_node_acl *tmr_nacl = NULL;
struct se_portal_group *tmr_tpg = NULL;
+   struct se_session *tmr_sess = NULL;
int tas;
 /*
 * TASK_ABORTED status bit, this is configurable via ConfigFS
@@ -399,8 +400,9 @@ int core_tmr_lun_reset(
 * or struct se_device passthrough..
 */
if (tmr && tmr->task_cmd && tmr->task_cmd->se_sess) {
-   tmr_nacl = tmr->task_cmd->se_sess->se_node_acl;
-   tmr_tpg = tmr->task_cmd->se_sess->se_tpg;
+   tmr_sess = tmr->task_cmd->se_sess;
+   tmr_nacl = tmr_sess->se_node_acl;
+   tmr_tpg = tmr_sess->se_tpg;
if (tmr_nacl && tmr_tpg) {
pr_debug("LUN_RESET: TMR caller fabric: %s"
" initiator port %s\n",
@@ -413,7 +415,7 @@ int core_tmr_lun_reset(
dev->transport->name, tas);
 
core_tmr_drain_tmr_list(dev, tmr, preempt_and_abort_list);
-   core_tmr_drain_state_list(dev, prout_cmd, tmr_nacl, tas,
+   core_tmr_drain_state_list(dev, prout_cmd, tmr_sess, tas,
preempt_and_abort_list);
 
/*
-- 
2.7.0



[PATCH 3.19.y-ckt 139/196] libceph: don't bail early from try_read() when skipping a message

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Ilya Dryomov 

commit e7a88e82fe380459b864e05b372638aeacb0f52d upstream.

The contract between try_read() and try_write() is that when called
each processes as much data as possible.  When instructed by osd_client
to skip a message, try_read() is violating this contract by returning
after receiving and discarding a single message instead of checking for
more.  try_write() then gets a chance to write out more requests,
generating more replies/skips for try_read() to handle, forcing the
messenger into a starvation loop.

Reported-by: Varada Kari 
Signed-off-by: Ilya Dryomov 
Tested-by: Varada Kari 
Reviewed-by: Alex Elder 
Signed-off-by: Kamal Mostafa 
---
 net/ceph/messenger.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 74d30ec..e1b9ca1 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2298,7 +2298,7 @@ static int read_partial_message(struct ceph_connection 
*con)
con->in_base_pos = -front_len - middle_len - data_len -
sizeof(m->footer);
con->in_tag = CEPH_MSGR_TAG_READY;
-   return 0;
+   return 1;
} else if ((s64)seq - (s64)con->in_seq > 1) {
pr_err("read_partial_message bad seq %lld expected %lld\n",
   seq, con->in_seq + 1);
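Review bot: the bare return 1 on this skip path in read_partial_message() gives no hint why it differs from the 0 it replaces. A short comment at the return, or on the function, spelling out the convention the commit message relies on (a positive return tells try_read() the message was consumed and it should look for more input) would keep a later cleanup from turning it back into return 0. The same applies to the second skip path in the next hunk.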
@@ -2331,7 +2331,7 @@ static int read_partial_message(struct ceph_connection 
*con)
sizeof(m->footer);
con->in_tag = CEPH_MSGR_TAG_READY;
con->in_seq++;
-   return 0;
+   return 1;
}
 
BUG_ON(!con->in_msg);
-- 
2.7.0



Re: [PATCH V2] acpi, pci, irq: account for early penalty assignment

2016-03-08 Thread Sinan Kaya
Hi Bjorn,

On 3/8/2016 2:04 PM, Sinan Kaya wrote:
>>> The point here is that a PCI Interrupt Link can only use an IRQ that
>>> is level-triggered, active low.  If an IRQ is already set to any other
>>> state, whether for an ISA device or for an active-high SCI, we can't
>>> use it for a PCI Interrupt Link.
> Unfortunately, this still doesn't hold. 
> 
> A patch is long overdue for this series. I'll post v3. We can go from there.

I just posted a new series and changed the title. Let's continue the discussion 
there.

[PATCH 1/4] acpi,pci,irq: reduce resource requirements
...

-- 
Sinan Kaya
Qualcomm Technologies, Inc. on behalf of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux 
Foundation Collaborative Project


[PATCH 3.19.y-ckt 150/196] target: Fix LUN_RESET active I/O handling for ACK_KREF

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Nicholas Bellinger 

commit febe562c20dfa8f33bee7d419c6b517986a5aa33 upstream.

This patch fixes a NULL pointer se_cmd->cmd_kref < 0
refcount bug during TMR LUN_RESET with active se_cmd
I/O, that can be triggered during se_cmd descriptor
shutdown + release via core_tmr_drain_state_list() code.

To address this bug, add common __target_check_io_state()
helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
both cases ahead of last target_put_sess_cmd() after
TFO->aborted_task() -> transport_cmd_finish_abort()
callback has completed.

It also introduces SCF_ACK_KREF to determine when
transport_cmd_finish_abort() needs to drop the second
extra reference, ahead of calling target_put_sess_cmd()
for the final kref_put(_cmd->cmd_kref).

It also updates transport_cmd_check_stop() to avoid
holding se_cmd->t_state_lock while dropping se_cmd
device state via target_remove_from_state_list(), now
that core_tmr_drain_state_list() is holding the
se_device lock while checking se_cmd state from
within TMR logic.

Finally, move transport_put_cmd() release of SGL +
TMR + extended CDB memory into target_free_cmd_mem()
in order to avoid potential resource leaks in TMR
ABORT_TASK + LUN_RESET code-paths.  Also update
target_release_cmd_kref() accordingly.

Reviewed-by: Quinn Tran 
Cc: Himanshu Madhani 
Cc: Sagi Grimberg 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Andy Grover 
Cc: Mike Christie 
Signed-off-by: Nicholas Bellinger 
Signed-off-by: Kamal Mostafa 
---
 drivers/target/target_core_tmr.c   | 64 +++-
 drivers/target/target_core_transport.c | 67 +++---
 include/target/target_core_base.h  |  1 +
 3 files changed, 77 insertions(+), 55 deletions(-)

diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 3830747..546e8ce 100644
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -110,6 +110,34 @@ static int target_check_cdb_and_preempt(struct list_head 
*list,
return 1;
 }
 
+static bool __target_check_io_state(struct se_cmd *se_cmd)
+{
+   struct se_session *sess = se_cmd->se_sess;
+
+   assert_spin_locked(>sess_cmd_lock);
+   WARN_ON_ONCE(!irqs_disabled());
+   /*
+* If command already reached CMD_T_COMPLETE state within
+* target_complete_cmd(), this se_cmd has been passed to
+* fabric driver and will not be aborted.
+*
+* Otherwise, obtain a local se_cmd->cmd_kref now for TMR
+* ABORT_TASK + LUN_RESET for CMD_T_ABORTED processing as
+* long as se_cmd->cmd_kref is still active unless zero.
+*/
+   spin_lock(_cmd->t_state_lock);
+   if (se_cmd->transport_state & CMD_T_COMPLETE) {
+   pr_debug("Attempted to abort io tag: %u already complete,"
+   " skipping\n", se_cmd->se_tfo->get_task_tag(se_cmd));
+   spin_unlock(_cmd->t_state_lock);
+   return false;
+   }
+   se_cmd->transport_state |= CMD_T_ABORTED;
+   spin_unlock(_cmd->t_state_lock);
+
+   return kref_get_unless_zero(_cmd->cmd_kref);
+}
+
 void core_tmr_abort_task(
struct se_device *dev,
struct se_tmr_req *tmr,
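Review bot: the block comment in __target_check_io_state() ends with "as long as se_cmd->cmd_kref is still active unless zero", which does not tell callers what a false return means. It should state that false is returned both when CMD_T_COMPLETE is already set and when kref_get_unless_zero() fails, that no reference is held in either case, and that CMD_T_ABORTED has already been set in the second case.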
@@ -136,25 +164,20 @@ void core_tmr_abort_task(
printk("ABORT_TASK: Found referenced %s task_tag: %u\n",
se_cmd->se_tfo->get_fabric_name(), ref_tag);
 
-   spin_lock(_cmd->t_state_lock);
-   if (se_cmd->transport_state & CMD_T_COMPLETE) {
-   printk("ABORT_TASK: ref_tag: %u already complete, 
skipping\n", ref_tag);
-   spin_unlock(_cmd->t_state_lock);
+   if (!__target_check_io_state(se_cmd)) {
spin_unlock_irqrestore(_sess->sess_cmd_lock, flags);
+   target_put_sess_cmd(se_cmd);
goto out;
}
-   se_cmd->transport_state |= CMD_T_ABORTED;
-   spin_unlock(_cmd->t_state_lock);
 
list_del_init(_cmd->se_cmd_list);
-   kref_get(_cmd->cmd_kref);
spin_unlock_irqrestore(_sess->sess_cmd_lock, flags);
 
cancel_work_sync(_cmd->work);
transport_wait_for_tasks(se_cmd);
 
-   target_put_sess_cmd(se_cmd);
transport_cmd_finish_abort(se_cmd, true);
+   target_put_sess_cmd(se_cmd);
 
printk("ABORT_TASK: Sending TMR_FUNCTION_COMPLETE for"
" ref_tag: %d\n", ref_tag);
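Review bot: on the failure branch of core_tmr_abort_task(), target_put_sess_cmd(se_cmd) is called after __target_check_io_state() returned false, yet the helper takes no reference on either of its false paths (the CMD_T_COMPLETE early return, or kref_get_unless_zero() failing). Unless this drops a reference obtained outside the visible lines, the put is unbalanced and can release a command that is still in use elsewhere; the branch should unlock and goto out without the put, or the changelog should say which reference it pairs with.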
@@ -259,8 +282,10 

[PATCH 3.19.y-ckt 163/196] ipv6: fix a lockdep splat

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Eric Dumazet 

[ Upstream commit 44c3d0c1c0a880354e9de5d94175742e2c7c9683 ]

Silence lockdep false positive about rcu_dereference() being
used in the wrong context.

First one should use rcu_dereference_protected() as we own the spinlock.

Second one should be a normal assignation, as no barrier is needed.

Fixes: 18367681a10bd ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
Reported-by: Dave Jones 
Signed-off-by: Eric Dumazet 
Acked-by: Hannes Frederic Sowa 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 net/ipv6/ip6_flowlabel.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 2f780cb..8cf8d72 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -541,12 +541,13 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user 
*optval, int optlen)
}
spin_lock_bh(_sk_fl_lock);
for (sflp = >ipv6_fl_list;
-(sfl = rcu_dereference(*sflp)) != NULL;
+(sfl = rcu_dereference_protected(*sflp,
+ 
lockdep_is_held(_sk_fl_lock))) != NULL;
 sflp = >next) {
if (sfl->fl->label == freq.flr_label) {
if (freq.flr_label == 
(np->flow_label_FLOWLABEL_MASK))
np->flow_label &= ~IPV6_FLOWLABEL_MASK;
-   *sflp = rcu_dereference(sfl->next);
+   *sflp = sfl->next;
spin_unlock_bh(_sk_fl_lock);
fl_release(sfl->fl);
kfree_rcu(sfl, rcu);
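Review bot: the plain assignment *sflp = sfl->next in ipv6_flowlabel_opt() is justified only in the commit message ("no barrier is needed"). A one-line comment at the assignment, saying that sfl->next was already visible to readers and that the list is only modified under the spinlock taken just above, would stop it from being converted to rcu_assign_pointer() or back to rcu_dereference() later.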
-- 
2.7.0



[PATCH 3.19.y-ckt 160/196] ipv6/udp: use sticky pktinfo egress ifindex on connect()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Paolo Abeni 

[ Upstream commit 1cdda91871470f15e79375991bd2eddc6e86ddb1 ]

Currently, the egress interface index specified via IPV6_PKTINFO
is ignored by __ip6_datagram_connect(), so that RFC 3542 section 6.7
can be subverted when the user space application calls connect()
before sendmsg().
Fix it by initializing properly flowi6_oif in connect() before
performing the route lookup.

Signed-off-by: Paolo Abeni 
Acked-by: Hannes Frederic Sowa 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 net/ipv6/datagram.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 31fb5da..da71cd7 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -162,6 +162,9 @@ ipv4_connected:
fl6.fl6_dport = inet->inet_dport;
fl6.fl6_sport = inet->inet_sport;
 
+   if (!fl6.flowi6_oif)
+   fl6.flowi6_oif = np->sticky_pktinfo.ipi6_ifindex;
+
if (!fl6.flowi6_oif && (addr_type_ADDR_MULTICAST))
fl6.flowi6_oif = np->mcast_oif;
 
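Review bot: the new sticky_pktinfo fallback is placed before the multicast check, so for a multicast destination an ifindex set through IPV6_PKTINFO now takes precedence over np->mcast_oif. If that ordering is intended, a short comment above the two if statements stating the precedence (a flowi6_oif that is already set, then sticky pktinfo, then mcast_oif) would make it explicit.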
-- 
2.7.0



[PATCH 3.19.y-ckt 152/196] target: Fix remote-port TMR ABORT + se_cmd fabric stop

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Nicholas Bellinger 

commit 0f4a943168f31d29a1701908931acaba518b131a upstream.

To address the bug where fabric driver level shutdown
of se_cmd occurs at the same time when TMR CMD_T_ABORTED
is happening resulting in a -1 ->cmd_kref, this patch
adds a CMD_T_FABRIC_STOP bit that is used to determine
when TMR + driver I_T nexus shutdown is happening
concurrently.

It changes target_sess_cmd_list_set_waiting() to obtain
se_cmd->cmd_kref + set CMD_T_FABRIC_STOP, and drop local
reference in target_wait_for_sess_cmds() and invoke extra
target_put_sess_cmd() during Task Aborted Status (TAS)
when necessary.

Also, it adds a new target_wait_free_cmd() wrapper around
transport_wait_for_tasks() for the special case within
transport_generic_free_cmd() to set CMD_T_FABRIC_STOP,
and is now aware of CMD_T_ABORTED + CMD_T_TAS status
bits to know when an extra transport_put_cmd() during
TAS is required.

Note transport_generic_free_cmd() is expected to block on
cmd->cmd_wait_comp in order to follow what iscsi-target
expects during iscsi_conn context se_cmd shutdown.

Cc: Quinn Tran 
Cc: Himanshu Madhani 
Cc: Sagi Grimberg 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Andy Grover 
Cc: Mike Christie 
Signed-off-by: Nicholas Bellinger 
Signed-off-by: Kamal Mostafa 
---
 drivers/target/target_core_tmr.c   |  55 +
 drivers/target/target_core_transport.c | 137 +
 include/target/target_core_base.h  |   2 +
 3 files changed, 147 insertions(+), 47 deletions(-)

diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
index 19ef5e2..a5c2b3c 100644
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -78,16 +78,18 @@ void core_tmr_release_req(struct se_tmr_req *tmr)
kfree(tmr);
 }
 
-static void core_tmr_handle_tas_abort(
-   struct se_session *tmr_sess,
-   struct se_cmd *cmd,
-   int tas)
+static void core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas)
 {
-   bool remove = true;
+   unsigned long flags;
+   bool remove = true, send_tas;
/*
 * TASK ABORTED status (TAS) bit support
 */
-   if (tmr_sess && tmr_sess != cmd->se_sess && tas) {
+   spin_lock_irqsave(>t_state_lock, flags);
+   send_tas = (cmd->transport_state & CMD_T_TAS);
+   spin_unlock_irqrestore(>t_state_lock, flags);
+
+   if (send_tas) {
remove = false;
transport_send_task_abort(cmd);
}
@@ -110,7 +112,8 @@ static int target_check_cdb_and_preempt(struct list_head 
*list,
return 1;
 }
 
-static bool __target_check_io_state(struct se_cmd *se_cmd)
+static bool __target_check_io_state(struct se_cmd *se_cmd,
+   struct se_session *tmr_sess, int tas)
 {
struct se_session *sess = se_cmd->se_sess;
 
@@ -118,21 +121,33 @@ static bool __target_check_io_state(struct se_cmd *se_cmd)
WARN_ON_ONCE(!irqs_disabled());
/*
 * If command already reached CMD_T_COMPLETE state within
-* target_complete_cmd(), this se_cmd has been passed to
-* fabric driver and will not be aborted.
+* target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown,
+* this se_cmd has been passed to fabric driver and will
+* not be aborted.
 *
 * Otherwise, obtain a local se_cmd->cmd_kref now for TMR
 * ABORT_TASK + LUN_RESET for CMD_T_ABORTED processing as
 * long as se_cmd->cmd_kref is still active unless zero.
 */
spin_lock(_cmd->t_state_lock);
-   if (se_cmd->transport_state & CMD_T_COMPLETE) {
-   pr_debug("Attempted to abort io tag: %u already complete,"
+   if (se_cmd->transport_state & (CMD_T_COMPLETE | CMD_T_FABRIC_STOP)) {
+   pr_debug("Attempted to abort io tag: %u already complete or"
+   " fabric stop, skipping\n",
+   se_cmd->se_tfo->get_task_tag(se_cmd));
+   spin_unlock(_cmd->t_state_lock);
+   return false;
+   }
+   if (sess->sess_tearing_down || se_cmd->cmd_wait_set) {
+   pr_debug("Attempted to abort io tag: %u already shutdown,"
" skipping\n", se_cmd->se_tfo->get_task_tag(se_cmd));
spin_unlock(_cmd->t_state_lock);
return false;
}
se_cmd->transport_state |= CMD_T_ABORTED;
+
+   if ((tmr_sess != se_cmd->se_sess) && tas)
+   se_cmd->transport_state |= CMD_T_TAS;
+
spin_unlock(_cmd->t_state_lock);
 
return kref_get_unless_zero(_cmd->cmd_kref);
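Review bot: the new test (tmr_sess != se_cmd->se_sess) && tas in __target_check_io_state() no longer has the tmr_sess && guard that the condition removed from core_tmr_handle_tas_abort() in the first hunk had. With a NULL tmr_sess the comparison is always true, so CMD_T_TAS is set whenever tas is set; if a LUN_RESET without an originating session should still skip TASK_ABORTED, the NULL check needs to be carried over, and otherwise the changelog should mention the behaviour change.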

Re: [RESEND PATCH v2 5/5] clk: rockchip: add clock controller for the RK3399

2016-03-08 Thread Jianqun Xu

Hi Doug:

On 09/03/2016 07:34, Doug Anderson wrote:

Xing Zheng,

On Tue, Mar 1, 2016 at 2:15 AM, Xing Zheng  wrote:

+   MMC(SCLK_SDMMC_DRV, "emmc_drv","clk_sdmmc", RK3399_SDMMC_CON0, 
1),
+   MMC(SCLK_SDMMC_SAMPLE,  "emmc_sample", "clk_sdmmc", RK3399_SDMMC_CON1, 
1),


Can you and Jianqun Xu please coordinate?  Though I don't have a TRM
for rk3399 and I haven't looked through this whole patch, I know for
sure there's a problem when I pick the latest patch series from both
of you it doesn't compile.

I believe this is the latest from each of you in patchwork:

8462411   [v3,1/3] dt-bindings: add bindings for rk3399 clock controller
8462431   [v3,2/3] clk: rockchip: add dt-binding header for rk3399
8462441   [v3,3/3] ARM64: dts: rockchip: add core dtsi file for rk3399

8463741   [RESEND,v2,1/5] clk: rockchip: add more mux parameters for
new pll sources
8463801   [RESEND,v2,2/5] clk: rockchip: Add support for multiple
clock providers
8463771   [RESEND,v2,3/5] clk: rockchip: add new pll-type for rk3399
and similar socs
8463781   [RESEND,v2,4/5] clk: rockchip: add a COMPOSITE_FRACMUX_NOGATE type
8463831   [RESEND,v2,5/5] clk: rockchip: add clock controller for the RK3399


Specifically your patch from March 1st refers to SCLK_SDMMC_DRV and
SCLK_SDMMC_SAMPLE.  Those defines existed in Jianqun Xu's patch back
on Feb 19th, but his latest patch series from March 1st no longer has
those #defines.

Can you two resolve this so I can pick both patch series and see that
they compile?  ...or let me know where I messed up, of course.


ok, we will upload dtsi later after the clk-rk3399 driver has been applied.
xing will send the patches for rk3399 together.

We hope the dtsi could be applied first but it depends on the clk driver, but
it seems not a good idea, we will resend the dtsi patch after more drivers are applied.

Thanks Doug.


Thanks!

-Doug







[PATCH 3.19.y-ckt 146/196] hpfs: don't truncate the file when delete fails

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Mikulas Patocka 

commit b6853f78e763d42c7a158d8de3549c9827c604ab upstream.

The delete operation can allocate additional space on the HPFS filesystem
due to btree split. The HPFS driver checks in advance if there is
available space, so that it won't corrupt the btree if we run out of space
during splitting.

If there is not enough available space, the HPFS driver attempted to
truncate the file, but this results in a deadlock since the commit
7dd29d8d865efdb00c0542a5d2c87af8c52ea6c7 ("HPFS: Introduce a global mutex
and lock it on every callback from VFS").

This patch removes the code that tries to truncate the file and -ENOSPC is
returned instead. If the user hits -ENOSPC on delete, he should try to
delete other files (that are stored in a leaf btree node), so that the
delete operation will make some space for deleting the file stored in
non-leaf btree node.

Reported-by: Al Viro 
Signed-off-by: Mikulas Patocka 
Signed-off-by: Al Viro 
Signed-off-by: Kamal Mostafa 
---
 fs/hpfs/namei.c | 31 +++
 1 file changed, 3 insertions(+), 28 deletions(-)

diff --git a/fs/hpfs/namei.c b/fs/hpfs/namei.c
index 0642caf..12da295 100644
--- a/fs/hpfs/namei.c
+++ b/fs/hpfs/namei.c
@@ -377,12 +377,11 @@ static int hpfs_unlink(struct inode *dir, struct dentry 
*dentry)
struct inode *inode = dentry->d_inode;
dnode_secno dno;
int r;
-   int rep = 0;
int err;
 
hpfs_lock(dir->i_sb);
hpfs_adjust_length(name, );
-again:
+
err = -ENOENT;
de = map_dirent(dir, hpfs_i(dir)->i_dno, name, len, , );
if (!de)
@@ -402,33 +401,9 @@ again:
hpfs_error(dir->i_sb, "there was error when removing dirent");
err = -EFSERROR;
break;
-   case 2: /* no space for deleting, try to truncate file */
-
+   case 2: /* no space for deleting */
err = -ENOSPC;
-   if (rep++)
-   break;
-
-   dentry_unhash(dentry);
-   if (!d_unhashed(dentry)) {
-   hpfs_unlock(dir->i_sb);
-   return -ENOSPC;
-   }
-   if (generic_permission(inode, MAY_WRITE) ||
-   !S_ISREG(inode->i_mode) ||
-   get_write_access(inode)) {
-   d_rehash(dentry);
-   } else {
-   struct iattr newattrs;
-   /*pr_info("truncating file before delete.\n");*/
-   newattrs.ia_size = 0;
-   newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
-   err = notify_change(dentry, , NULL);
-   put_write_access(inode);
-   if (!err)
-   goto again;
-   }
-   hpfs_unlock(dir->i_sb);
-   return -ENOSPC;
+   break;
default:
drop_nlink(inode);
err = 0;
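
Review bot: in `case 2` the comment now reads only `/* no space for deleting */`, which does not say why no recovery is attempted; a short note that truncating from here deadlocks on the global HPFS lock (as the commit message explains) would keep someone from reintroducing the retry path.
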
-- 
2.7.0



[PATCH 3.19.y-ckt 140/196] libceph: use the right footer size when skipping a message

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Ilya Dryomov 

commit dbc0d3caff5b7591e0cf8e34ca686ca6f4479ee1 upstream.

ceph_msg_footer is 21 bytes long, while ceph_msg_footer_old is only 13.
Don't skip too much when CEPH_FEATURE_MSG_AUTH isn't negotiated.

Signed-off-by: Ilya Dryomov 
Reviewed-by: Alex Elder 
Signed-off-by: Kamal Mostafa 
---
 net/ceph/messenger.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index e1b9ca1..3e64c03 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1170,6 +1170,13 @@ static bool ceph_msg_data_advance(struct 
ceph_msg_data_cursor *cursor,
return new_piece;
 }
 
+static size_t sizeof_footer(struct ceph_connection *con)
+{
+   return (con->peer_features & CEPH_FEATURE_MSG_AUTH) ?
+   sizeof(struct ceph_msg_footer) :
+   sizeof(struct ceph_msg_footer_old);
+}
+
 static void prepare_message_data(struct ceph_msg *msg, u32 data_len)
 {
BUG_ON(!msg);
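
Review bot: sizeof_footer() takes a non-const `struct ceph_connection *con` although it only reads `con->peer_features`; make the parameter const and add a one-line comment that the old footer applies when CEPH_FEATURE_MSG_AUTH was not negotiated, so the helper itself documents the 21 versus 13 byte difference the commit message relies on.
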
@@ -2296,7 +2303,7 @@ static int read_partial_message(struct ceph_connection 
*con)
ceph_pr_addr(>peer_addr.in_addr),
seq, con->in_seq + 1);
con->in_base_pos = -front_len - middle_len - data_len -
-   sizeof(m->footer);
+   sizeof_footer(con);
con->in_tag = CEPH_MSGR_TAG_READY;
return 1;
} else if ((s64)seq - (s64)con->in_seq > 1) {
@@ -2328,7 +2335,7 @@ static int read_partial_message(struct ceph_connection 
*con)
/* skip this message */
dout("alloc_msg said skip message\n");
con->in_base_pos = -front_len - middle_len - data_len -
-   sizeof(m->footer);
+   sizeof_footer(con);
con->in_tag = CEPH_MSGR_TAG_READY;
con->in_seq++;
return 1;
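
Review bot: the skip computation `-front_len - middle_len - data_len - sizeof_footer(con)` now appears verbatim in both skip paths of read_partial_message(), here and in the previous hunk; folding it into one small helper would keep any future change to the skipped length in a single place.
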
-- 
2.7.0



[PATCH 3.19.y-ckt 154/196] af_iucv: Validate socket address length in iucv_sock_bind()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Ursula Braun 

[ Upstream commit 52a82e23b9f2a9e1d429c5207f8575784290d008 ]

Signed-off-by: Ursula Braun 
Reported-by: Dmitry Vyukov 
Reviewed-by: Evgeny Cherkashin 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 net/iucv/af_iucv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 2e9953b..6fec9f0 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -709,6 +709,9 @@ static int iucv_sock_bind(struct socket *sock, struct 
sockaddr *addr,
if (!addr || addr->sa_family != AF_IUCV)
return -EINVAL;
 
+   if (addr_len < sizeof(struct sockaddr_iucv))
+   return -EINVAL;
+
lock_sock(sk);
if (sk->sk_state != IUCV_OPEN) {
err = -EBADFD;
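
Review bot: the new `addr_len < sizeof(struct sockaddr_iucv)` test comes after the existing check that already reads `addr->sa_family`, so the family field is examined before the length is known to cover it; put the length test first or fold it into the same condition. The commit message is also empty and should say what a short address allowed iucv_sock_bind() to read.
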
-- 
2.7.0



[PATCH 3.19.y-ckt 155/196] net: dp83640: Fix tx timestamp overflow handling.

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Manfred Rudigier 

[ Upstream commit 81e8f2e930fe76b9814c71b9d87c30760b5eb705 ]

PHY status frames are not reliable, the PHY may not be able to send them
during heavy receive traffic. This overflow condition is signaled by the
PHY in the next status frame, but the driver did not make use of it.
Instead it always reported wrong tx timestamps to user space after an
overflow happened because it assigned newly received tx timestamps to old
packets in the queue.

This commit fixes this issue by clearing the tx timestamp queue every time
an overflow happens, so that no timestamps are delivered for overflow
packets. This way time stamping will continue correctly after an overflow.

Signed-off-by: Manfred Rudigier 
Acked-by: Richard Cochran 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 drivers/net/phy/dp83640.c | 17 +
 1 file changed, 17 insertions(+)

diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
index c5789cd..6307304 100644
--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -832,6 +832,11 @@ static void decode_rxts(struct dp83640_private *dp83640,
struct skb_shared_hwtstamps *shhwtstamps = NULL;
struct sk_buff *skb;
unsigned long flags;
+   u8 overflow;
+
+   overflow = (phy_rxts->ns_hi >> 14) & 0x3;
+   if (overflow)
+   pr_debug("rx timestamp queue overflow, count %d\n", overflow);
 
spin_lock_irqsave(>rx_lock, flags);
 
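Review bot: in decode_rxts() the overflow count is only reported through pr_debug and the function then carries on as before, while the tx path in this same patch flushes its queue; say in a comment why the rx side needs no flush, or handle it as well. The `>> 14) & 0x3` extraction deserves a named macro, since decode_txts() repeats it.
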
@@ -874,6 +879,7 @@ static void decode_txts(struct dp83640_private *dp83640,
struct skb_shared_hwtstamps shhwtstamps;
struct sk_buff *skb;
u64 ns;
+   u8 overflow;
 
/* We must already have the skb that triggered this. */
 
@@ -883,6 +889,17 @@ static void decode_txts(struct dp83640_private *dp83640,
pr_debug("have timestamp but tx_queue empty\n");
return;
}
+
+   overflow = (phy_txts->ns_hi >> 14) & 0x3;
+   if (overflow) {
+   pr_debug("tx timestamp queue overflow, count %d\n", overflow);
+   while (skb) {
+   skb_complete_tx_timestamp(skb, NULL);
+   skb = skb_dequeue(>tx_queue);
+   }
+   return;
+   }
+
ns = phy2txts(phy_txts);
memset(, 0, sizeof(shhwtstamps));
shhwtstamps.hwtstamp = ns_to_ktime(ns);
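
Review bot: the overflow test sits after the `tx_queue empty` early return, so an overflow reported while the queue is empty is never logged; reading `overflow` before the dequeue would make the debug output complete. The flush loop also completes every queued skb with a NULL timestamp without a comment saying that user space then receives no timestamp for those packets.
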
-- 
2.7.0



[PATCH 3.19.y-ckt 142/196] KVM: x86: MMU: fix ubsan index-out-of-range warning

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Mike Krinkin 

commit 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 upstream.

Ubsan reports the following warning due to a typo in
update_accessed_dirty_bits template, the patch fixes
the typo:

[  168.791851] 

[  168.791862] UBSAN: Undefined behaviour in arch/x86/kvm/paging_tmpl.h:252:15
[  168.791866] index 4 is out of range for type 'u64 [4]'
[  168.791871] CPU: 0 PID: 2950 Comm: qemu-system-x86 Tainted: G   O L  
4.5.0-rc5-next-20160222 #7
[  168.791873] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 
07/09/2013
[  168.791876]   8801cfcaf208 81c9f780 
41b58ab3
[  168.791882]  82eb2cc1 81c9f6b4 8801cfcaf230 
8801cfcaf1e0
[  168.791886]  0004 0001  
a1981600
[  168.791891] Call Trace:
[  168.791899]  [] dump_stack+0xcc/0x12c
[  168.791904]  [] ? _atomic_dec_and_lock+0xc4/0xc4
[  168.791910]  [] ubsan_epilogue+0xd/0x8a
[  168.791914]  [] __ubsan_handle_out_of_bounds+0x15c/0x1a3
[  168.791918]  [] ? 
__ubsan_handle_shift_out_of_bounds+0x2bd/0x2bd
[  168.791922]  [] ? get_user_pages_fast+0x2bf/0x360
[  168.791954]  [] ? kvm_largepages_enabled+0x30/0x30 [kvm]
[  168.791958]  [] ? __get_user_pages_fast+0x360/0x360
[  168.791987]  [] paging64_walk_addr_generic+0x1b28/0x2600 
[kvm]
[  168.792014]  [] ? init_kvm_mmu+0x1100/0x1100 [kvm]
[  168.792019]  [] ? debug_check_no_locks_freed+0x350/0x350
[  168.792044]  [] ? init_kvm_mmu+0x1100/0x1100 [kvm]
[  168.792076]  [] paging64_gva_to_gpa+0x7d/0x110 [kvm]
[  168.792121]  [] ? paging64_walk_addr_generic+0x2600/0x2600 
[kvm]
[  168.792130]  [] ? debug_lockdep_rcu_enabled+0x7b/0x90
[  168.792178]  [] emulator_read_write_onepage+0x27a/0x1150 
[kvm]
[  168.792208]  [] ? __kvm_read_guest_page+0x54/0x70 [kvm]
[  168.792234]  [] ? kvm_task_switch+0x160/0x160 [kvm]
[  168.792238]  [] ? debug_lockdep_rcu_enabled+0x7b/0x90
[  168.792263]  [] emulator_read_write+0xe7/0x6d0 [kvm]
[  168.792290]  [] ? em_cr_write+0x230/0x230 [kvm]
[  168.792314]  [] emulator_write_emulated+0x15/0x20 [kvm]
[  168.792340]  [] segmented_write+0xf8/0x130 [kvm]
[  168.792367]  [] ? em_lgdt+0x20/0x20 [kvm]
[  168.792374]  [] ? vmx_read_guest_seg_ar+0x42/0x1e0 
[kvm_intel]
[  168.792400]  [] writeback+0x3f2/0x700 [kvm]
[  168.792424]  [] ? em_sidt+0xa0/0xa0 [kvm]
[  168.792449]  [] ? x86_decode_insn+0x1b3d/0x4f70 [kvm]
[  168.792474]  [] x86_emulate_insn+0x572/0x3010 [kvm]
[  168.792499]  [] x86_emulate_instruction+0x3bd/0x2110 [kvm]
[  168.792524]  [] ? 
reexecute_instruction.part.110+0x2e0/0x2e0 [kvm]
[  168.792532]  [] handle_ept_misconfig+0x61/0x460 [kvm_intel]
[  168.792539]  [] ? handle_pause+0x450/0x450 [kvm_intel]
[  168.792546]  [] vmx_handle_exit+0xd6a/0x1ad0 [kvm_intel]
[  168.792572]  [] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 
[kvm]
[  168.792597]  [] kvm_arch_vcpu_ioctl_run+0xd3d/0x6090 [kvm]
[  168.792621]  [] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 
[kvm]
[  168.792627]  [] ? 
__ww_mutex_lock_interruptible+0x1630/0x1630
[  168.792651]  [] ? kvm_arch_vcpu_runnable+0x4f0/0x4f0 [kvm]
[  168.792656]  [] ? preempt_notifier_unregister+0x190/0x190
[  168.792681]  [] ? kvm_arch_vcpu_load+0x127/0x650 [kvm]
[  168.792704]  [] kvm_vcpu_ioctl+0x553/0xda0 [kvm]
[  168.792727]  [] ? vcpu_put+0x40/0x40 [kvm]
[  168.792732]  [] ? debug_check_no_locks_freed+0x350/0x350
[  168.792735]  [] ? _raw_spin_unlock+0x27/0x40
[  168.792740]  [] ? handle_mm_fault+0x1673/0x2e40
[  168.792744]  [] ? trace_hardirqs_on_caller+0x478/0x6c0
[  168.792747]  [] ? trace_hardirqs_on+0xd/0x10
[  168.792751]  [] ? debug_lockdep_rcu_enabled+0x7b/0x90
[  168.792756]  [] do_vfs_ioctl+0x1b0/0x12b0
[  168.792759]  [] ? ioctl_preallocate+0x210/0x210
[  168.792763]  [] ? __fget+0x273/0x4a0
[  168.792766]  [] ? __fget+0x50/0x4a0
[  168.792770]  [] ? __fget_light+0x96/0x2b0
[  168.792773]  [] SyS_ioctl+0x79/0x90
[  168.792777]  [] entry_SYSCALL_64_fastpath+0x23/0xc1
[  168.792780] 


Signed-off-by: Mike Krinkin 
Reviewed-by: Xiao Guangrong 
Signed-off-by: Paolo Bonzini 
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques 
Signed-off-by: Kamal Mostafa 
---
 arch/x86/kvm/paging_tmpl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
index 6e6d115..d537c9b 100644
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -257,7 +257,7 @@ static int FNAME(update_accessed_dirty_bits)(struct 
kvm_vcpu *vcpu,
return ret;
 
   

[PATCH 3.19.y-ckt 158/196] pptp: fix illegal memory access caused by multiple bind()s

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Hannes Frederic Sowa 

[ Upstream commit 9a368aff9cb370298fa02feeffa861f2db497c18 ]

Several times already this has been reported as kasan reports caused by
syzkaller and trinity and people always looked at RCU races, but it is
much more simple. :)

In case we bind a pptp socket multiple times, we simply add it to
the callid_sock list but don't remove the old binding. Thus the old
socket stays in the bucket with unused call_id indexes and doesn't get
cleaned up. This causes various forms of kasan reports which were hard
to pinpoint.

Simply don't allow multiple binds and correct error handling in
pptp_bind. Also keep sk_state bits in place in pptp_connect.

Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling 
Protocol)")
Cc: Dmitry Kozlov 
Cc: Sasha Levin 
Cc: Dmitry Vyukov 
Reported-by: Dmitry Vyukov 
Cc: Dave Jones 
Reported-by: Dave Jones 
Signed-off-by: Hannes Frederic Sowa 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 drivers/net/ppp/pptp.c | 34 --
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 0710214..bb1ab1f 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -131,24 +131,27 @@ static int lookup_chan_dst(u16 call_id, __be32 d_addr)
return i < MAX_CALLID;
 }
 
-static int add_chan(struct pppox_sock *sock)
+static int add_chan(struct pppox_sock *sock,
+   struct pptp_addr *sa)
 {
static int call_id;
 
spin_lock(_lock);
-   if (!sock->proto.pptp.src_addr.call_id) {
+   if (!sa->call_id)   {
call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, call_id 
+ 1);
if (call_id == MAX_CALLID) {
call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, 
1);
if (call_id == MAX_CALLID)
goto out_err;
}
-   sock->proto.pptp.src_addr.call_id = call_id;
-   } else if (test_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap))
+   sa->call_id = call_id;
+   } else if (test_bit(sa->call_id, callid_bitmap)) {
goto out_err;
+   }
 
-   set_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap);
-   rcu_assign_pointer(callid_sock[sock->proto.pptp.src_addr.call_id], 
sock);
+   sock->proto.pptp.src_addr = *sa;
+   set_bit(sa->call_id, callid_bitmap);
+   rcu_assign_pointer(callid_sock[sa->call_id], sock);
spin_unlock(_lock);
 
return 0;
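
Review bot: `if (!sa->call_id)   {` has stray spaces before the brace, and more importantly add_chan() now writes the allocated id back through `sa` (`sa->call_id = call_id`) before copying it into the socket, so the caller's address structure is modified as a side effect; a comment on the function, or a const input with a local copy, would make that explicit.
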
@@ -417,7 +420,6 @@ static int pptp_bind(struct socket *sock, struct sockaddr 
*uservaddr,
struct sock *sk = sock->sk;
struct sockaddr_pppox *sp = (struct sockaddr_pppox *) uservaddr;
struct pppox_sock *po = pppox_sk(sk);
-   struct pptp_opt *opt = >proto.pptp;
int error = 0;
 
if (sockaddr_len < sizeof(struct sockaddr_pppox))
@@ -425,10 +427,22 @@ static int pptp_bind(struct socket *sock, struct sockaddr 
*uservaddr,
 
lock_sock(sk);
 
-   opt->src_addr = sp->sa_addr.pptp;
-   if (add_chan(po))
+   if (sk->sk_state & PPPOX_DEAD) {
+   error = -EALREADY;
+   goto out;
+   }
+
+   if (sk->sk_state & PPPOX_BOUND) {
error = -EBUSY;
+   goto out;
+   }
+
+   if (add_chan(po, >sa_addr.pptp))
+   error = -EBUSY;
+   else
+   sk->sk_state |= PPPOX_BOUND;
 
+out:
release_sock(sk);
return error;
 }
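
Review bot: pptp_bind() now returns -EBUSY both when the socket is already bound (the PPPOX_BOUND branch) and when add_chan() fails, so callers cannot tell a rebind attempt from a call id that is taken; if that is intentional a comment on the PPPOX_BOUND branch would help, otherwise a distinct errno for the rebind case is clearer.
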
@@ -499,7 +513,7 @@ static int pptp_connect(struct socket *sock, struct 
sockaddr *uservaddr,
}
 
opt->dst_addr = sp->sa_addr.pptp;
-   sk->sk_state = PPPOX_CONNECTED;
+   sk->sk_state |= PPPOX_CONNECTED;
 
  end:
release_sock(sk);
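
Review bot: changing `sk->sk_state = PPPOX_CONNECTED` to `|=` is what keeps PPPOX_BOUND set after connect, but nothing in the hunk says so; add a short comment that sk_state is treated as a bit mask here, since the plain assignment looks like the natural form and is easy to restore by accident.
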
-- 
2.7.0



[PATCH 3.19.y-ckt 143/196] ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Takashi Iwai 

commit f883982dc1b117f04579f0896821cd9f2e397f94 upstream.

HP EliteBook 755 G2 with ALC3228 (ALC280) codec [103c:221c] requires
the known fixup (ALC269_FIXUP_HEADSET_MIC) for making the headset mic
working.  Also, it suffers from the loopback noise problem, so we
should disable aamix path as well.

Reported-by: Derick Eddington 
Signed-off-by: Takashi Iwai 
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques 
Signed-off-by: Kamal Mostafa 
---
 sound/pci/hda/patch_realtek.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 6bfe710..012e092 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4380,6 +4380,7 @@ enum {
ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE,
ALC293_FIXUP_LENOVO_SPK_NOISE,
ALC255_FIXUP_DELL_SPK_NOISE,
+   ALC280_FIXUP_HP_HEADSET_MIC,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -4925,6 +4926,12 @@ static const struct hda_fixup alc269_fixups[] = {
.chained = true,
.chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
},
+   [ALC280_FIXUP_HP_HEADSET_MIC] = {
+   .type = HDA_FIXUP_FUNC,
+   .v.func = alc_fixup_disable_aamix,
+   .chained = true,
+   .chain_id = ALC269_FIXUP_HEADSET_MIC,
+   },
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -5012,6 +5019,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x103c, 0x2335, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
SND_PCI_QUIRK(0x103c, 0x2336, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
SND_PCI_QUIRK(0x103c, 0x2337, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+   SND_PCI_QUIRK(0x103c, 0x221c, "HP EliteBook 755 G2", 
ALC280_FIXUP_HP_HEADSET_MIC),
SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", 
ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", 
ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
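
Review bot: the new 0x103c:0x221c quirk is added after the 0x2335, 0x2336 and 0x2337 entries, which breaks the ascending subsystem-id order of the HP entries visible around it; move it to its sorted position so later additions and backports do not conflict here.
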
-- 
2.7.0



[PATCH 3.19.y-ckt 135/196] sunrpc/cache: fix off-by-one in qword_get()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Stefan Hajnoczi 

commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.

The qword_get() function NUL-terminates its output buffer.  If the input
string is in hex format \x... and the same length as the output
buffer, there is an off-by-one:

  int qword_get(char **bpp, char *dest, int bufsize)
  {
  ...
  while (len < bufsize) {
  ...
  *dest++ = (h << 4) | l;
  len++;
  }
  ...
  *dest = '\0';
  return len;
  }

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi 
Signed-off-by: J. Bruce Fields 
Signed-off-by: Kamal Mostafa 
---
 net/sunrpc/cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 5199bb1..b28fbc8 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1216,7 +1216,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
if (bp[0] == '\\' && bp[1] == 'x') {
/* HEX STRING */
bp += 2;
-   while (len < bufsize) {
+   while (len < bufsize - 1) {
int h, l;
 
h = hex_to_bin(bp[0]);
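
Review bot: `len < bufsize - 1` fixes the full-buffer case but still assumes bufsize is at least 1: with bufsize 0 the loop is skipped and the `*dest = '\0'` shown in the commit message is written anyway. An early return for a non-positive bufsize at the top of qword_get() would close that case too.
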
-- 
2.7.0
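
The off-by-one described in the commit message above, modelled in user space as an added example (it is not part of the patch or of the kernel source). The helper names `hex_to_bin_model`, `hex_decode` and `run_case`, the guard byte and the sample input are all constructed for illustration; the buffer under test is carved out of a larger array so the stray terminator lands in a guard byte instead of real out-of-bounds memory.

```c
#include <stdio.h>
#include <string.h>

#define GUARD 0x5a                          /* constructed canary value */
#define SAMPLE_HEX "\\x4142434445464748"    /* constructed input: 8 encoded bytes */

/* Hypothetical stand-in for the kernel's hex_to_bin(). */
static int hex_to_bin_model(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Model of the hex branch of qword_get(): decode "\x<hex>" into dest,
 * then NUL-terminate. `limit` is the loop bound: bufsize reproduces the
 * loop before the patch, bufsize - 1 the loop after it.
 */
static int hex_decode(const char *bp, char *dest, int limit)
{
    int len = 0;

    if (bp[0] != '\\' || bp[1] != 'x')
        return -1;
    bp += 2;
    while (len < limit) {
        int h, l;

        h = hex_to_bin_model(bp[0]);
        if (h < 0)
            break;
        l = hex_to_bin_model(bp[1]);
        if (l < 0)
            break;
        *dest++ = (char)((h << 4) | l);
        bp += 2;
        len++;
    }
    *dest = '\0';   /* lands at dest[limit] when the loop ran to its bound */
    return len;
}

/*
 * Decode into the first `bufsize` bytes of a guard-filled array and report
 * whether the byte just past the buffer was overwritten (1) or not (0).
 * Returns -1 for a bufsize this harness cannot model.
 */
static int run_case(const char *input, int bufsize, int patched, int *len_out)
{
    char mem[64];
    int len;

    if (bufsize <= 0 || bufsize >= (int)sizeof(mem))
        return -1;
    memset(mem, GUARD, sizeof(mem));
    len = hex_decode(input, mem, patched ? bufsize - 1 : bufsize);
    if (len_out)
        *len_out = len;
    return (unsigned char)mem[bufsize] != GUARD;
}

int main(void)
{
    int len;
    int hit;

    hit = run_case(SAMPLE_HEX, 8, 0, &len);
    printf("bound bufsize:     decoded %d bytes, guard overwritten: %d\n", len, hit);
    hit = run_case(SAMPLE_HEX, 8, 1, &len);
    printf("bound bufsize - 1: decoded %d bytes, guard overwritten: %d\n", len, hit);
    return 0;
}
```

With the patched bound the decoded value is truncated to bufsize - 1 bytes, which is the price of keeping the terminator inside the buffer.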



[PATCH 3.19.y-ckt 156/196] tcp: fix NULL deref in tcp_v4_send_ack()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Eric Dumazet 

[ Upstream commit e62a123b8ef7c5dc4db2c16383d506860ad21b47 ]

Neal reported crashes with this stack trace :

 RIP: 0010:[] tcp_v4_send_ack+0x41/0x20f
...
 CR2: 0018 CR3: 00044005c000 CR4: 001427e0
...
  [] tcp_v4_reqsk_send_ack+0xa5/0xb4
  [] tcp_check_req+0x2ea/0x3e0
  [] tcp_rcv_state_process+0x850/0x2500
  [] tcp_v4_do_rcv+0x141/0x330
  [] sk_backlog_rcv+0x21/0x30
  [] tcp_recvmsg+0x75d/0xf90
  [] inet_recvmsg+0x80/0xa0
  [] sock_aio_read+0xee/0x110
  [] do_sync_read+0x6f/0xa0
  [] SyS_read+0x1e1/0x290
  [] system_call_fastpath+0x16/0x1b

The problem here is the skb we provide to tcp_v4_send_ack() had to
be parked in the backlog of a new TCP fastopen child because this child
was owned by the user at the time an out of window packet arrived.

Before queuing a packet, TCP has to set skb->dev to NULL as the device
could disappear before packet is removed from the queue.

Fix this issue by using the net pointer provided by the socket (being a
timewait or a request socket).

IPv6 is immune to the bug : tcp_v6_send_response() already gets the net
pointer from the socket if provided.

Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Reported-by: Neal Cardwell 
Signed-off-by: Eric Dumazet 
Cc: Jerry Chu 
Cc: Yuchung Cheng 
Acked-by: Neal Cardwell 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 net/ipv4/tcp_ipv4.c | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 7a8a674..c338598 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -704,7 +704,8 @@ release_sk1:
outside socket context is ugly, certainly. What can I do?
  */
 
-static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
+static void tcp_v4_send_ack(struct net *net,
+   struct sk_buff *skb, u32 seq, u32 ack,
u32 win, u32 tsval, u32 tsecr, int oif,
struct tcp_md5sig_key *key,
int reply_flags, u8 tos)
@@ -719,7 +720,6 @@ static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, 
u32 ack,
];
} rep;
struct ip_reply_arg arg;
-   struct net *net = dev_net(skb_dst(skb)->dev);
 
memset(, 0, sizeof(struct tcphdr));
memset(, 0, sizeof(arg));
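
Review bot: the removed line dereferences `skb_dst(skb)->dev`, while the commit message explains the crash in terms of skb->dev being cleared before queuing; please state in the message which pointer is actually NULL on the backlog path so the fix can be checked against the trace.
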
@@ -781,7 +781,8 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct 
sk_buff *skb)
struct inet_timewait_sock *tw = inet_twsk(sk);
struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
 
-   tcp_v4_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
+   tcp_v4_send_ack(sock_net(sk), skb,
+   tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
tcp_time_stamp + tcptw->tw_ts_offset,
tcptw->tw_ts_recent,
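
Review bot: tcp_v4_timewait_ack() passes `sock_net(sk)` although `sk` is a timewait socket here (it is converted with inet_twsk() two lines up); `twsk_net(tw)` is the accessor meant for that type and avoids relying on the two structures sharing a layout.
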
@@ -800,8 +801,10 @@ static void tcp_v4_reqsk_send_ack(struct sock *sk, struct 
sk_buff *skb,
/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
 */
-   tcp_v4_send_ack(skb, (sk->sk_state == TCP_LISTEN) ?
-   tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
+   u32 seq = (sk->sk_state == TCP_LISTEN) ? tcp_rsk(req)->snt_isn + 1 :
+tcp_sk(sk)->snd_nxt;
+
+   tcp_v4_send_ack(sock_net(sk), skb, seq,
tcp_rsk(req)->rcv_nxt, req->rcv_wnd,
tcp_time_stamp,
req->ts_recent,
-- 
2.7.0



[PATCH 3.19.y-ckt 138/196] tracing: Fix showing function event in available_events

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: "Steven Rostedt (Red Hat)" 

commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream.

The ftrace:function event is only displayed for parsing the function tracer
data. It is not used to enable function tracing, and does not include an
"enable" file in its event directory.

Originally, this event was kept separate from other events because it did
not have a ->reg parameter. But perf added a "reg" parameter for its use
which caused issues, because it made the event available to functions where
it was not compatible for.

Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable"
added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
from being enabled by normal trace events. But this commit missed keeping
the function event from being displayed by the "available_events" directory,
which is used to show what events can be enabled by set_event.

One documented way to enable all events is to:

 cat available_events > set_event

But because the function event is displayed in the available_events, this
now causes an INVALID error:

 cat: write error: Invalid argument

Reported-by: Chunyu Hu 
Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable"
Signed-off-by: Steven Rostedt 
Signed-off-by: Kamal Mostafa 
---
 kernel/trace/trace_events.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 6f7e40d..5377441 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -683,7 +683,8 @@ t_next(struct seq_file *m, void *v, loff_t *pos)
 * The ftrace subsystem is for showing formats only.
 * They can not be enabled or disabled via the event files.
 */
-   if (call->class && call->class->reg)
+   if (call->class && call->class->reg &&
+   !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE))
return file;
}
 
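Review bot: the comment above the condition still says only that ftrace subsystem events cannot be enabled via the event files, but the test now also skips any event carrying TRACE_EVENT_FL_IGNORE_ENABLE; extend the comment to cover the flag so the two-part condition is explained where it lives.
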
-- 
2.7.0



[PATCH 3.19.y-ckt 134/196] drm/radeon/pm: adjust display configuration after powerstate

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Alex Deucher 

commit 39d4275058baf53e89203407bf3841ff2c74fa32 upstream.

set_power_state defaults to no displays, so we need to update
the display configuration after setting up the powerstate on the
first call. In most cases this is not an issue since it ends up
getting called multiple times at any given modeset and the proper
order is achieved in the display changed handling at the top of
the function.

Reviewed-by: Christian König 
Acked-by: Jordan Lazare 
Signed-off-by: Alex Deucher 
Signed-off-by: Kamal Mostafa 
---
 drivers/gpu/drm/radeon/radeon_pm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_pm.c 
b/drivers/gpu/drm/radeon/radeon_pm.c
index 5fc27e9..4001692 100644
--- a/drivers/gpu/drm/radeon/radeon_pm.c
+++ b/drivers/gpu/drm/radeon/radeon_pm.c
@@ -936,8 +936,6 @@ force:
 
/* update display watermarks based on new power state */
radeon_bandwidth_update(rdev);
-   /* update displays */
-   radeon_dpm_display_configuration_changed(rdev);
 
rdev->pm.dpm.current_active_crtcs = rdev->pm.dpm.new_active_crtcs;
rdev->pm.dpm.current_active_crtc_count = 
rdev->pm.dpm.new_active_crtc_count;
@@ -958,6 +956,9 @@ force:
 
radeon_dpm_post_set_power_state(rdev);
 
+   /* update displays */
+   radeon_dpm_display_configuration_changed(rdev);
+
if (rdev->asic->dpm.force_performance_level) {
if (rdev->pm.dpm.thermal_active) {
enum radeon_dpm_forced_level level = 
rdev->pm.dpm.forced_level;
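
Review bot: the relocated `/* update displays */` comment does not say why the call has to follow radeon_dpm_post_set_power_state(); since the ordering is the whole fix, expand it to mention that setting the power state defaults to no displays, as the commit message explains.
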
-- 
2.7.0



[PATCH 3.19.y-ckt 153/196] target: Fix race with SCF_SEND_DELAYED_TAS handling

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Nicholas Bellinger 

commit 310d3d314be7f0a84011ebdc4bdccbcae9755a87 upstream.

This patch fixes a race between setting of SCF_SEND_DELAYED_TAS
in transport_send_task_abort(), and check of the same bit in
transport_check_aborted_status().

It adds a __transport_check_aborted_status() version that is
used by target_execute_cmd() when se_cmd->t_state_lock is
held, and a transport_check_aborted_status() wrapper for
all other existing callers.

Also, it handles the case where the check happens before
transport_send_task_abort() gets called.  For this, go
ahead and set SCF_SEND_DELAYED_TAS early when necessary,
and have transport_send_task_abort() send the abort.

Cc: Quinn Tran 
Cc: Himanshu Madhani 
Cc: Sagi Grimberg 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Andy Grover 
Cc: Mike Christie 
Signed-off-by: Nicholas Bellinger 
Signed-off-by: Kamal Mostafa 
---
 drivers/target/target_core_transport.c | 53 +++---
 1 file changed, 42 insertions(+), 11 deletions(-)

diff --git a/drivers/target/target_core_transport.c 
b/drivers/target/target_core_transport.c
index ddd4837..6dedba7 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1758,19 +1758,21 @@ static bool target_handle_task_attr(struct se_cmd *cmd)
return true;
 }
 
+static int __transport_check_aborted_status(struct se_cmd *, int);
+
 void target_execute_cmd(struct se_cmd *cmd)
 {
/*
-* If the received CDB has aleady been aborted stop processing it here.
-*/
-   if (transport_check_aborted_status(cmd, 1))
-   return;
-
-   /*
 * Determine if frontend context caller is requesting the stopping of
 * this command for frontend exceptions.
+*
+* If the received CDB has aleady been aborted stop processing it here.
 */
spin_lock_irq(>t_state_lock);
+   if (__transport_check_aborted_status(cmd, 1)) {
+   spin_unlock_irq(>t_state_lock);
+   return;
+   }
if (cmd->transport_state & CMD_T_STOP) {
pr_debug("%s:%d CMD_T_STOP for ITT: 0x%08x\n",
__func__, __LINE__,
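
Review bot: the comment merged into the block before spin_lock_irq() keeps the typo "aleady", and it lists the abort check after the CMD_T_STOP text although the abort check now runs first; reorder the two sentences to match the code and fix the spelling while the lines are being moved.
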
@@ -2946,8 +2948,13 @@ after_reason:
 }
 EXPORT_SYMBOL(transport_send_check_condition_and_sense);
 
-int transport_check_aborted_status(struct se_cmd *cmd, int send_status)
+static int __transport_check_aborted_status(struct se_cmd *cmd, int 
send_status)
+   __releases(>t_state_lock)
+   __acquires(>t_state_lock)
 {
+   assert_spin_locked(>t_state_lock);
+   WARN_ON_ONCE(!irqs_disabled());
+
if (!(cmd->transport_state & CMD_T_ABORTED))
return 0;
 
@@ -2955,19 +2962,37 @@ int transport_check_aborted_status(struct se_cmd *cmd, 
int send_status)
 * If cmd has been aborted but either no status is to be sent or it has
 * already been sent, just return
 */
-   if (!send_status || !(cmd->se_cmd_flags & SCF_SEND_DELAYED_TAS))
+   if (!send_status || !(cmd->se_cmd_flags & SCF_SEND_DELAYED_TAS)) {
+   if (send_status)
+   cmd->se_cmd_flags |= SCF_SEND_DELAYED_TAS;
return 1;
+   }
 
-   pr_debug("Sending delayed SAM_STAT_TASK_ABORTED status for CDB: 0x%02x 
ITT: 0x%08x\n",
-cmd->t_task_cdb[0], cmd->se_tfo->get_task_tag(cmd));
+   pr_debug("Sending delayed SAM_STAT_TASK_ABORTED status for CDB:"
+   " 0x%02x ITT: 0x%08x\n", cmd->t_task_cdb[0],
+   cmd->se_tfo->get_task_tag(cmd));
 
cmd->se_cmd_flags &= ~SCF_SEND_DELAYED_TAS;
cmd->scsi_status = SAM_STAT_TASK_ABORTED;
trace_target_cmd_complete(cmd);
+
+   spin_unlock_irq(>t_state_lock);
cmd->se_tfo->queue_status(cmd);
+   spin_lock_irq(>t_state_lock);
 
return 1;
 }
+
+int transport_check_aborted_status(struct se_cmd *cmd, int send_status)
+{
+   int ret;
+
+   spin_lock_irq(>t_state_lock);
+   ret = __transport_check_aborted_status(cmd, send_status);
+   spin_unlock_irq(>t_state_lock);
+
+   return ret;
+}
 EXPORT_SYMBOL(transport_check_aborted_status);
 
 void transport_send_task_abort(struct se_cmd *cmd)
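
Review bot: in __transport_check_aborted_status() the new `if (send_status) cmd->se_cmd_flags |= SCF_SEND_DELAYED_TAS;` is nested inside a branch whose condition starts with `!send_status ||`, which takes a moment to untangle; a plain `!send_status` return followed by the flag test reads more directly. The unlock and relock around queue_status() also needs a comment telling callers that t_state_lock is dropped inside the helper, so state read before the call may be stale after it.
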
@@ -2989,11 +3014,17 @@ void transport_send_task_abort(struct se_cmd *cmd)
 */
if (cmd->data_direction == DMA_TO_DEVICE) {
if (cmd->se_tfo->write_pending_status(cmd) != 0) {
-   cmd->transport_state |= CMD_T_ABORTED;
+   spin_lock_irqsave(>t_state_lock, flags);
+   if (cmd->se_cmd_flags & SCF_SEND_DELAYED_TAS) {
+  

[PATCH 3.19.y-ckt 159/196] sctp: allow setting SCTP_SACK_IMMEDIATELY by the application

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Marcelo Ricardo Leitner 

[ Upstream commit 27f7ed2b11d42ab6d796e96533c2076ec220affc ]

This patch extends commit b93d6471748d ("sctp: implement the sender side
for SACK-IMMEDIATELY extension") as it didn't white list
SCTP_SACK_IMMEDIATELY on sctp_msghdr_parse(), causing it to be
understood as an invalid flag and returning -EINVAL to the application.

Note that the actual handling of the flag is already there in
sctp_datamsg_from_user().

https://tools.ietf.org/html/rfc7053#section-7

Fixes: b93d6471748d ("sctp: implement the sender side for SACK-IMMEDIATELY 
extension")
Signed-off-by: Marcelo Ricardo Leitner 
Acked-by: Vlad Yasevich 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 net/sctp/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 8164bbe..ffb97da 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6660,6 +6660,7 @@ static int sctp_msghdr_parse(const struct msghdr *msg, 
sctp_cmsgs_t *cmsgs)
 
if (cmsgs->srinfo->sinfo_flags &
~(SCTP_UNORDERED | SCTP_ADDR_OVER |
+ SCTP_SACK_IMMEDIATELY |
  SCTP_ABORT | SCTP_EOF))
return -EINVAL;
break;
@@ -6683,6 +6684,7 @@ static int sctp_msghdr_parse(const struct msghdr *msg, 
sctp_cmsgs_t *cmsgs)
 
if (cmsgs->sinfo->snd_flags &
~(SCTP_UNORDERED | SCTP_ADDR_OVER |
+ SCTP_SACK_IMMEDIATELY |
  SCTP_ABORT | SCTP_EOF))
return -EINVAL;
break;
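Review bot: the allowed-flag mask is now spelled out identically in both branches of sctp_msghdr_parse() (the sinfo_flags check and the snd_flags check), and the omission this patch fixes is the kind of drift that duplication invites. Consider one shared macro for `SCTP_UNORDERED | SCTP_ADDR_OVER | SCTP_SACK_IMMEDIATELY | SCTP_ABORT | SCTP_EOF` so the next flag only has to be added once.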
-- 
2.7.0



[PATCH 3.19.y-ckt 157/196] af_unix: fix struct pid memory leak

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Eric Dumazet 

commit fa0dc04df259ba2df3ce1920e9690c7842f8fa4b upstream.

Dmitry reported a struct pid leak detected by a syzkaller program.

Bug happens in unix_stream_recvmsg() when we break the loop when a
signal is pending, without properly releasing scm.

Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv 
routines")
Reported-by: Dmitry Vyukov 
Signed-off-by: Eric Dumazet 
Cc: Rainer Weikusat 
Signed-off-by: David S. Miller 
[ luis: backported to 3.16:
  - use siocb->scm instead of  ]
Signed-off-by: Luis Henriques 

Signed-off-by: Kamal Mostafa 
---
 net/unix/af_unix.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 59797d8..3a27d4c 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2154,6 +2154,7 @@ again:
 
if (signal_pending(current)) {
err = sock_intr_errno(timeo);
+   scm_destroy(siocb->scm);
goto out;
}
 
-- 
2.7.0



[PATCH 3.19.y-ckt 081/196] drm/i915/dsi: don't pass arbitrary data to sideband

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Jani Nikula 

commit 26f6f2d301c1fb46acb1138ee155125815239b0d upstream.

Since sequence block v2 the second byte contains flags other than just
pull up/down. Don't pass arbitrary data to the sideband interface.

The rest may or may not work for sequence block v2, but there should be
no harm done.

Reviewed-by: Ville Syrjälä 
Signed-off-by: Jani Nikula 
Link: 
http://patchwork.freedesktop.org/patch/msgid/ebe3c2eee623afc4b3a134533b01f8d591d13f32.1454582914.git.jani.nik...@intel.com
(cherry picked from commit 4e1c63e3761b84ec7d87c75b58bbc8bcf18e98ee)
Signed-off-by: Jani Nikula 
Signed-off-by: Kamal Mostafa 
---
 drivers/gpu/drm/i915/intel_dsi_panel_vbt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c 
b/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c
index bd73e50..6ea603a 100644
--- a/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c
+++ b/drivers/gpu/drm/i915/intel_dsi_panel_vbt.c
@@ -171,7 +171,7 @@ static u8 *mipi_exec_gpio(struct intel_dsi *intel_dsi, u8 
*data)
gpio = *data++;
 
/* pull up/down */
-   action = *data++;
+   action = *data++ & 1;
 
if (gpio >= ARRAY_SIZE(gtable)) {
DRM_DEBUG_KMS("unknown gpio %u\n", gpio);
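Review bot: `& 1` in `action = *data++ & 1;` is a bare magic number applied to a byte that, per the commit message, carries other flags from sequence block v2 onward. Give bit 0 a named mask and extend the `/* pull up/down */` comment to say the remaining bits are deliberately ignored here.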
-- 
2.7.0



[PATCH 3.19.y-ckt 092/196] drm/i915/skl: Don't skip mst encoders in skl_ddi_pll_select()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Lyude 

commit 3d849b02336be103d312c1574d6f7314d5c0bc9f upstream.

We don't actually check for INTEL_OUTPUT_DP_MST at all in here, as a
result we skip assigning a DPLL to any DP MST ports, which makes link
training fail:

[ 1442.933896] [drm:intel_power_well_enable] enabling DDI D power well
[ 1442.933905] [drm:skl_set_power_well] Enabling DDI D power well
[ 1442.933957] [drm:intel_mst_pre_enable_dp] 0
[ 1442.935474] [drm:intel_dp_set_signal_levels] Using signal levels 
[ 1442.935477] [drm:intel_dp_set_signal_levels] Using vswing level 0
[ 1442.935480] [drm:intel_dp_set_signal_levels] Using pre-emphasis level 0
[ 1442.936190] [drm:intel_dp_set_signal_levels] Using signal levels 0500
[ 1442.936193] [drm:intel_dp_set_signal_levels] Using vswing level 1
[ 1442.936195] [drm:intel_dp_set_signal_levels] Using pre-emphasis level 1
[ 1442.936858] [drm:intel_dp_set_signal_levels] Using signal levels 0800
[ 1442.936862] [drm:intel_dp_set_signal_levels] Using vswing level 2
…
[ 1442.998253] [drm:intel_dp_link_training_clock_recovery [i915]] *ERROR* too 
many full retries, give up
[ 1442.998512] [drm:intel_dp_start_link_train [i915]] *ERROR* failed to train 
DP, aborting

After which the pipe state goes completely out of sync:

[   70.075596] [drm:check_crtc_state] [CRTC:25]
[   70.075696] [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in 
ddi_pll_sel (expected 0x, found 0x0001)
[   70.075747] [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in 
shared_dpll (expected -1, found 0)
[   70.075798] [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in 
dpll_hw_state.ctrl1 (expected 0x, found 0x0021)
[   70.075840] [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in 
dpll_hw_state.cfgcr1 (expected 0x, found 0x80400173)
[   70.075884] [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in 
dpll_hw_state.cfgcr2 (expected 0x, found 0x03a5)
[   70.075954] [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in 
base.adjusted_mode.crtc_clock (expected 262750, found 72256)
[   70.075999] [drm:intel_pipe_config_compare [i915]] *ERROR* mismatch in 
port_clock (expected 54, found 148500)

And if you're especially lucky, it keeps going downhill:

[   83.309256] Kernel panic - not syncing: Timeout: Not all CPUs entered 
broadcast exception handler
[   83.309265]
[   83.309265] =
[   83.309266] [ INFO: inconsistent lock state ]
[   83.309267] 4.5.0-rc1Lyude-Test #265 Not tainted
[   83.309267] -
[   83.309268] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
[   83.309270] Xorg/1194 [HC0[1]:SC0[0]:HE1:SE1] takes:
[   83.309293]  (&(_priv->uncore.lock)->rlock){?.-...}, at: 
[] gen9_write32+0x63/0x400 [i915]
[   83.309293] {IN-HARDIRQ-W} state was registered at:
[   83.309297]   [] __lock_acquire+0x9c4/0x1d00
[   83.309299]   [] lock_acquire+0xce/0x1c0
[   83.309302]   [] _raw_spin_lock_irqsave+0x56/0x90
[   83.309321]   [] gen9_read32+0x52/0x3d0 [i915]
[   83.309332]   [] gen8_irq_handler+0x27a/0x6a0 [i915]
[   83.309337]   [] handle_irq_event_percpu+0x41/0x300
[   83.309339]   [] handle_irq_event+0x39/0x60
[   83.309341]   [] handle_edge_irq+0x74/0x130
[   83.309344]   [] handle_irq+0x73/0x120
[   83.309346]   [] do_IRQ+0x61/0x120
[   83.309348]   [] ret_from_intr+0x0/0x20
[   83.309351]   [] cpuidle_enter_state+0x105/0x330
[   83.309353]   [] cpuidle_enter+0x17/0x20
[   83.309356]   [] call_cpuidle+0x2a/0x50
[   83.309358]   [] cpu_startup_entry+0x26d/0x3a0
[   83.309360]   [] rest_init+0x13a/0x140
[   83.309363]   [] start_kernel+0x475/0x482
[   83.309365]   [] x86_64_start_reservations+0x2a/0x2c
[   83.309367]   [] x86_64_start_kernel+0x13b/0x14a

Fixes: 82d354370189 ("drm/i915/skl: Implementation of SKL DPLL programming")
Signed-off-by: Lyude 
Signed-off-by: Daniel Vetter 
Link: 
http://patchwork.freedesktop.org/patch/msgid/1454428183-994-1-git-send-email-cp...@redhat.com
(cherry picked from commit 78385cb398748debb7ea2e36d6d2001830c172bc)
Signed-off-by: Jani Nikula 
Signed-off-by: Kamal Mostafa 
---
 drivers/gpu/drm/i915/intel_ddi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c
index e6b45cd..41f76ed 100644
--- a/drivers/gpu/drm/i915/intel_ddi.c
+++ b/drivers/gpu/drm/i915/intel_ddi.c
@@ -1119,7 +1119,8 @@ skl_ddi_pll_select(struct intel_crtc *intel_crtc,
 DPLL_CFGCR2_KDIV(wrpll_params.kdiv) |
 DPLL_CFGCR2_PDIV(wrpll_params.pdiv) |
 wrpll_params.central_freq;
-   } else if (intel_encoder->type == INTEL_OUTPUT_DISPLAYPORT) {
+   } else if 

[PATCH 3.19.y-ckt 067/196] ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: xuejiufei 

commit c95a51807b730e4681e2ecbdfd669ca52601959e upstream.

When recovery master down, dlm_do_local_recovery_cleanup() only remove
the $RECOVERY lock owned by dead node, but do not clear the refmap bit.
Which will make umount thread falling in dead loop migrating $RECOVERY
to the dead node.

Signed-off-by: xuejiufei 
Reviewed-by: Joseph Qi 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Junxiao Bi 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Kamal Mostafa 
---
 fs/ocfs2/dlm/dlmrecovery.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c
index f4b4c78..27cc796 100644
--- a/fs/ocfs2/dlm/dlmrecovery.c
+++ b/fs/ocfs2/dlm/dlmrecovery.c
@@ -2353,6 +2353,8 @@ static void dlm_do_local_recovery_cleanup(struct dlm_ctxt 
*dlm, u8 dead_node)
break;
}
}
+   dlm_lockres_clear_refmap_bit(dlm, res,
+   dead_node);
spin_unlock(>spinlock);
continue;
}
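Review bot: dlm_lockres_clear_refmap_bit() is called after the loop's closing brace, so it runs for this resource whether or not the loop hit its `break` and found a lock owned by dead_node. Confirm that clearing a bit that was never set is harmless, and add a short comment that the refmap bit has to be dropped for $RECOVERY here. Placing it before spin_unlock() looks right.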
-- 
2.7.0



[PATCH 3.19.y-ckt 086/196] nfs: fix nfs_size_to_loff_t

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Christoph Hellwig 

commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream.

See http: //www.infradead.org/rpr.html
X-Evolution-Source: 1451162204.2173...@leira.trondhjem.org
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0

We support OFFSET_MAX just fine, so don't round down below it.  Also
switch to using min_t to make the helper more readable.

Signed-off-by: Christoph Hellwig 
Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()")
Signed-off-by: Trond Myklebust 
Signed-off-by: Kamal Mostafa 
---
 include/linux/nfs_fs.h | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 6d627b9..eeed6d1 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -538,9 +538,7 @@ extern int  nfs_readpage_async(struct nfs_open_context *, 
struct inode *,
 
 static inline loff_t nfs_size_to_loff_t(__u64 size)
 {
-   if (size > (__u64) OFFSET_MAX - 1)
-   return OFFSET_MAX - 1;
-   return (loff_t) size;
+   return min_t(u64, size, OFFSET_MAX);
 }
 
 static inline ino_t
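Review bot: nfs_size_to_loff_t() now returns the u64 result of min_t() through an implicit conversion to loff_t, where the removed code had an explicit `(loff_t) size` cast. The value is bounded by OFFSET_MAX so the conversion cannot change it, but a one-line comment or an explicit cast would make that reasoning visible to the next reader.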
-- 
2.7.0



[PATCH 3.19.y-ckt 079/196] ALSA: dummy: Implement timer backend switching more safely

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Takashi Iwai 

commit ddce57a6f0a2d8d1bfacfa77f06043bc760403c2 upstream.

Currently the selected timer backend is referred at any moment from
the running PCM callbacks.  When the backend is switched, it's
possible to lead to inconsistency from the running backend.  This was
pointed by syzkaller fuzzer, and the commit [7ee96216c31a: ALSA:
dummy: Disable switching timer backend via sysfs] disabled the dynamic
switching for avoiding the crash.

This patch improves the handling of timer backend switching.  It keeps
the reference to the selected backend during the whole operation of an
opened stream so that it won't be changed by other streams.

Together with this change, the hrtimer parameter is reenabled as
writable now.

NOTE: this patch also turned out to fix the still remaining race.
Namely, ops was still replaced dynamically at dummy_pcm_open:

  static int dummy_pcm_open(struct snd_pcm_substream *substream)
  {
  
  dummy->timer_ops = _systimer_ops;
  if (hrtimer)
  dummy->timer_ops = _hrtimer_ops;

Since dummy->timer_ops is common among all streams, and when the
replacement happens during accesses of other streams, it may lead to a
crash.  This was actually triggered by syzkaller fuzzer and KASAN.

This patch rewrites the code not to use the ops shared by all streams
any longer, too.

BugLink: 
http://lkml.kernel.org/r/cact4y+az+xisrpum6coxbl21dum0yvxpyxf4cd4md9uw0c3...@mail.gmail.com
Reported-by: Dmitry Vyukov 
Signed-off-by: Takashi Iwai 
Signed-off-by: Kamal Mostafa 
---
 sound/drivers/dummy.c | 37 +++--
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c
index fc041fc..d976744 100644
--- a/sound/drivers/dummy.c
+++ b/sound/drivers/dummy.c
@@ -87,7 +87,7 @@ MODULE_PARM_DESC(pcm_substreams, "PCM substreams # (1-128) 
for dummy driver.");
 module_param(fake_buffer, bool, 0444);
 MODULE_PARM_DESC(fake_buffer, "Fake buffer allocations.");
 #ifdef CONFIG_HIGH_RES_TIMERS
-module_param(hrtimer, bool, 0444);
+module_param(hrtimer, bool, 0644);
 MODULE_PARM_DESC(hrtimer, "Use hrtimer as the timer source.");
 #endif
 
@@ -109,6 +109,9 @@ struct dummy_timer_ops {
snd_pcm_uframes_t (*pointer)(struct snd_pcm_substream *);
 };
 
+#define get_dummy_ops(substream) \
+   (*(const struct dummy_timer_ops **)(substream)->runtime->private_data)
+
 struct dummy_model {
const char *name;
int (*playback_constraints)(struct snd_pcm_runtime *runtime);
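Review bot: get_dummy_ops() casts runtime->private_data to `const struct dummy_timer_ops **`, which is only valid while timer_ops remains the first member of every private struct, and the "ops must be the first item" comments in the later hunks are the only guard. Add a BUILD_BUG_ON(offsetof(...) != 0) for both dummy_systimer_pcm and dummy_hrtimer_pcm, or embed a common header struct, so that a reordering fails at compile time instead of becoming a call through the wrong pointer.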
@@ -137,7 +140,6 @@ struct snd_dummy {
int iobox;
struct snd_kcontrol *cd_volume_ctl;
struct snd_kcontrol *cd_switch_ctl;
-   const struct dummy_timer_ops *timer_ops;
 };
 
 /*
@@ -231,6 +233,8 @@ struct dummy_model *dummy_models[] = {
  */
 
 struct dummy_systimer_pcm {
+   /* ops must be the first item */
+   const struct dummy_timer_ops *timer_ops;
spinlock_t lock;
struct timer_list timer;
unsigned long base_time;
@@ -368,6 +372,8 @@ static struct dummy_timer_ops dummy_systimer_ops = {
  */
 
 struct dummy_hrtimer_pcm {
+   /* ops must be the first item */
+   const struct dummy_timer_ops *timer_ops;
ktime_t base_time;
ktime_t period_time;
atomic_t running;
@@ -494,31 +500,25 @@ static struct dummy_timer_ops dummy_hrtimer_ops = {
 
 static int dummy_pcm_trigger(struct snd_pcm_substream *substream, int cmd)
 {
-   struct snd_dummy *dummy = snd_pcm_substream_chip(substream);
-
switch (cmd) {
case SNDRV_PCM_TRIGGER_START:
case SNDRV_PCM_TRIGGER_RESUME:
-   return dummy->timer_ops->start(substream);
+   return get_dummy_ops(substream)->start(substream);
case SNDRV_PCM_TRIGGER_STOP:
case SNDRV_PCM_TRIGGER_SUSPEND:
-   return dummy->timer_ops->stop(substream);
+   return get_dummy_ops(substream)->stop(substream);
}
return -EINVAL;
 }
 
 static int dummy_pcm_prepare(struct snd_pcm_substream *substream)
 {
-   struct snd_dummy *dummy = snd_pcm_substream_chip(substream);
-
-   return dummy->timer_ops->prepare(substream);
+   return get_dummy_ops(substream)->prepare(substream);
 }
 
 static snd_pcm_uframes_t dummy_pcm_pointer(struct snd_pcm_substream *substream)
 {
-   struct snd_dummy *dummy = snd_pcm_substream_chip(substream);
-
-   return dummy->timer_ops->pointer(substream);
+   return get_dummy_ops(substream)->pointer(substream);
 }
 
 static struct snd_pcm_hardware dummy_pcm_hardware = {
@@ -564,17 +564,19 @@ static int dummy_pcm_open(struct snd_pcm_substream 
*substream)
struct snd_dummy *dummy = snd_pcm_substream_chip(substream);
struct dummy_model *model = 

[PATCH 3.19.y-ckt 091/196] phy: twl4030-usb: Relase usb phy on unload

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Tony Lindgren 

commit b241d31ef2f6a289d33dcaa004714b26e06f476f upstream.

Otherwise rmmod omap2430; rmmod phy-twl4030-usb; modprobe omap2430
will try to use a non-existing phy and oops:

Unable to handle kernel paging request at virtual address b6f7c1f0
...
[] (devm_usb_get_phy_by_node) from []
(omap2430_musb_init+0x44/0x2b4 [omap2430])
[] (omap2430_musb_init [omap2430]) from []
(musb_init_controller+0x194/0x878 [musb_hdrc])

Cc: Bin Liu 
Cc: Felipe Balbi 
Cc: Kishon Vijay Abraham I 
Cc: NeilBrown 
Signed-off-by: Tony Lindgren 
Signed-off-by: Kishon Vijay Abraham I 
Signed-off-by: Kamal Mostafa 
---
 drivers/phy/phy-twl4030-usb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/phy/phy-twl4030-usb.c b/drivers/phy/phy-twl4030-usb.c
index 37eb93c..f8e67a8 100644
--- a/drivers/phy/phy-twl4030-usb.c
+++ b/drivers/phy/phy-twl4030-usb.c
@@ -747,6 +747,7 @@ static int twl4030_usb_remove(struct platform_device *pdev)
struct twl4030_usb *twl = platform_get_drvdata(pdev);
int val;
 
+   usb_remove_phy(>phy);
pm_runtime_get_sync(twl->dev);
cancel_delayed_work(>id_workaround_work);
device_remove_file(twl->dev, _attr_vbus);
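Review bot: usb_remove_phy() is placed first in twl4030_usb_remove(), ahead of pm_runtime_get_sync() and cancel_delayed_work(), but nothing says the ordering is intentional. Add a comment that the phy is unpublished before the state behind it is torn down, and confirm the probe error path has a matching removal, since the registration side is not part of this hunk.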
-- 
2.7.0



[PATCH 3.19.y-ckt 084/196] ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Linus Walleij 

commit 5070fb14a0154f075c8b418e5bc58a620ae85a45 upstream.

When trying to set the ICST 307 clock to 25174000 Hz I ran into
this arithmetic error: the icst_hz_to_vco() correctly figure out
DIVIDE=2, RDW=100 and VDW=99 yielding a frequency of
25174000 Hz out of the VCO. (I replicated the icst_hz() function
in a spreadsheet to verify this.)

However, when I called icst_hz() on these VCO settings it would
instead return 4122709 Hz. This causes an error in the common
clock driver for ICST as the common clock framework will call
.round_rate() on the clock which will utilize icst_hz_to_vco()
followed by icst_hz() suggesting the erroneous frequency, and
then the clock gets set to this.

The error did not manifest in the old clock framework since
this high frequency was only used by the CLCD, which calls
clk_set_rate() without first calling clk_round_rate() and since
the old clock framework would not call clk_round_rate() before
setting the frequency, the correct values propagated into
the VCO.

After some experimenting I figured out that it was due to a simple
arithmetic overflow: the divisor for 24Mhz reference frequency
as reference becomes 2400*2*(99+8)=0x132212400 and the "1"
in bit 32 overflows and is lost.

But introducing an explicit 64-by-32 bit do_div() and casting
the divisor into (u64) we get the right frequency back, and the
right frequency gets set.

Tested on the ARM Versatile.

Cc: linux-...@vger.kernel.org
Cc: Pawel Moll 
Signed-off-by: Linus Walleij 
Signed-off-by: Russell King 
Signed-off-by: Kamal Mostafa 
---
 arch/arm/common/icst.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/arm/common/icst.c b/arch/arm/common/icst.c
index 2dc6da70..d3c0e69 100644
--- a/arch/arm/common/icst.c
+++ b/arch/arm/common/icst.c
@@ -16,7 +16,7 @@
  */
 #include 
 #include 
-
+#include 
 #include 
 
 /*
@@ -29,7 +29,11 @@ EXPORT_SYMBOL(icst525_s2div);
 
 unsigned long icst_hz(const struct icst_params *p, struct icst_vco vco)
 {
-   return p->ref * 2 * (vco.v + 8) / ((vco.r + 2) * p->s2div[vco.s]);
+   u64 dividend = p->ref * 2 * (u64)(vco.v + 8);
+   u32 divisor = (vco.r + 2) * p->s2div[vco.s];
+
+   do_div(dividend, divisor);
+   return (unsigned long)dividend;
 }
 
 EXPORT_SYMBOL(icst_hz);
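Review bot: in `u64 dividend = p->ref * 2 * (u64)(vco.v + 8);` the cast is on the last operand, so `p->ref * 2` is still evaluated in p->ref's own type before anything is widened. That is harmless for a 24 MHz reference, but putting the cast first, `(u64)p->ref * 2 * (vco.v + 8)`, makes the whole product 64-bit regardless of the reference value. The u32 divisor `(vco.r + 2) * p->s2div[vco.s]` deserves a comment on why it cannot exceed 32 bits.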
-- 
2.7.0



[PATCH 3.19.y-ckt 093/196] drm/i915: fix error path in intel_setup_gmbus()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Rasmus Villemoes 

commit ed3f9fd1e865975ceefdb2a43b453e090b1fd787 upstream.

This fails to undo the setup for pin==0; moreover, something
interesting happens if the setup failed already at pin==0.

Signed-off-by: Rasmus Villemoes 
Fixes: f899fc64cda8 ("drm/i915: use GMBUS to manage i2c links")
Signed-off-by: Jani Nikula 
Link: 
http://patchwork.freedesktop.org/patch/msgid/1455048677-19882-3-git-send-email-li...@rasmusvillemoes.dk
(cherry picked from commit 2417c8c03f508841b85bf61acc91836b7b0e2560)
Signed-off-by: Jani Nikula 
[ luis: backported to 3.16:
  - use 'i' instead of 'pin'
  - adjusted context ]
Signed-off-by: Luis Henriques 

Signed-off-by: Kamal Mostafa 
---
 drivers/gpu/drm/i915/intel_i2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_i2c.c b/drivers/gpu/drm/i915/intel_i2c.c
index ae62800..0b885d0 100644
--- a/drivers/gpu/drm/i915/intel_i2c.c
+++ b/drivers/gpu/drm/i915/intel_i2c.c
@@ -626,7 +626,7 @@ int intel_setup_gmbus(struct drm_device *dev)
return 0;
 
 err:
-   while (--i) {
+   while (i--) {
struct intel_gmbus *bus = _priv->gmbus[i];
i2c_del_adapter(>adapter);
}
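Review bot: `while (i--)` is only correct if `i` at the `err:` label is the index of the pin whose setup failed, so that indices 0..i-1 are exactly the adapters that were added. A one-line comment at the label stating that invariant would keep a later edit from reintroducing the off-by-one. The old `while (--i)` decremented before testing, so it skipped index 0 and did not terminate at zero when entered with i == 0.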
-- 
2.7.0



[PATCH 3.19.y-ckt 097/196] cifs: fix erroneous return value

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Anton Protopopov 

commit 4b550af519854421dfec9f7732cdddeb057134b2 upstream.

The setup_ntlmv2_rsp() function may return positive value ENOMEM instead
of -ENOMEM in case of kmalloc failure.

Signed-off-by: Anton Protopopov 
Signed-off-by: Steve French 
Signed-off-by: Kamal Mostafa 
---
 fs/cifs/cifsencrypt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index da7fbfa..cee9889 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -710,7 +710,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct 
nls_table *nls_cp)
 
ses->auth_key.response = kmalloc(baselen + tilen, GFP_KERNEL);
if (!ses->auth_key.response) {
-   rc = ENOMEM;
+   rc = -ENOMEM;
ses->auth_key.len = 0;
goto setup_ntlmv2_rsp_ret;
}
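Review bot: this corrects the one `rc = ENOMEM` after the kmalloc() failure check, but only this site is visible in the hunk. Check the other assignments to `rc` ahead of the setup_ntlmv2_rsp_ret label for the same positive-errno mistake, since a positive value is not what error-checking callers expect.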
-- 
2.7.0



Re: [PATCH v2 1/2] ACPI, APEI: Fix leaked resources

2016-03-08 Thread Chen, Gong
On Tue, Mar 08, 2016 at 10:52:11AM -0500, Joshua Hunt wrote:
> Date: Tue,  8 Mar 2016 10:52:11 -0500
> From: Joshua Hunt 
> To: gong.c...@intel.com, linux-a...@vger.kernel.org, r...@rjwysocki.net,
>  l...@kernel.org, ying.hu...@intel.com
> Cc: tony.l...@intel.com, linux-kernel@vger.kernel.org, Joshua Hunt
>  
> Subject: [PATCH v2 1/2] ACPI, APEI: Fix leaked resources
> X-Mailer: git-send-email 1.7.9.5
> 
> We leak the NVS and arch resources (if used), in apei_resources_request.
> They are allocated to make sure we exclude them from the APEI resources,
> but they are never freed at the end of the function. Free them now.
> 
> Signed-off-by: Josh Hunt 
>
Reviewed-by: Chen, Gong 




[PATCH 3.19.y-ckt 033/196] ALSA: timer: Fix link corruption due to double start or stop

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Takashi Iwai 

commit f784beb75ce82f4136f8a0960d3ee872f7109e09 upstream.

Although ALSA timer code got hardening for races, it still causes
use-after-free error.  This is however rather a corrupted linked list,
not actually the concurrent accesses.  Namely, when timer start is
triggered twice, list_add_tail() is called twice, too.  This ends
up with the link corruption and triggers KASAN error.

The simplest fix would be replacing list_add_tail() with
list_move_tail(), but fundamentally it's the problem that we don't
check the double start/stop correctly.  So, the right fix here is to
add the proper checks to snd_timer_start() and snd_timer_stop() (and
their variants).

BugLink: 
http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eokf5esk8k...@mail.gmail.com
Reported-by: Dmitry Vyukov 
Signed-off-by: Takashi Iwai 
Signed-off-by: Kamal Mostafa 
---
 sound/core/timer.c | 30 --
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 0447565..e1d5a10 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -451,6 +451,10 @@ static int snd_timer_start_slave(struct snd_timer_instance 
*timeri)
unsigned long flags;
 
spin_lock_irqsave(_active_lock, flags);
+   if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) {
+   spin_unlock_irqrestore(_active_lock, flags);
+   return -EBUSY;
+   }
timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
if (timeri->master && timeri->timer) {
spin_lock(>timer->lock);
@@ -475,7 +479,8 @@ int snd_timer_start(struct snd_timer_instance *timeri, 
unsigned int ticks)
return -EINVAL;
if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
result = snd_timer_start_slave(timeri);
-   snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
+   if (result >= 0)
+   snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
return result;
}
timer = timeri->timer;
@@ -484,11 +489,18 @@ int snd_timer_start(struct snd_timer_instance *timeri, 
unsigned int ticks)
if (timer->card && timer->card->shutdown)
return -ENODEV;
spin_lock_irqsave(>lock, flags);
+   if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+SNDRV_TIMER_IFLG_START)) {
+   result = -EBUSY;
+   goto unlock;
+   }
timeri->ticks = timeri->cticks = ticks;
timeri->pticks = 0;
result = snd_timer_start1(timer, timeri, ticks);
+ unlock:
spin_unlock_irqrestore(>lock, flags);
-   snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
+   if (result >= 0)
+   snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
return result;
 }
 
@@ -502,6 +514,10 @@ static int _snd_timer_stop(struct snd_timer_instance 
*timeri, int event)
 
if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
spin_lock_irqsave(_active_lock, flags);
+   if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
+   spin_unlock_irqrestore(_active_lock, flags);
+   return -EBUSY;
+   }
timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
list_del_init(>ack_list);
list_del_init(>active_list);
@@ -512,6 +528,11 @@ static int _snd_timer_stop(struct snd_timer_instance 
*timeri, int event)
if (!timer)
return -EINVAL;
spin_lock_irqsave(>lock, flags);
+   if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+  SNDRV_TIMER_IFLG_START))) {
+   spin_unlock_irqrestore(>lock, flags);
+   return -EBUSY;
+   }
list_del_init(>ack_list);
list_del_init(>active_list);
if (timer->card && timer->card->shutdown) {
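Review bot: _snd_timer_stop() now returns -EBUSY when neither SNDRV_TIMER_IFLG_RUNNING nor SNDRV_TIMER_IFLG_START is set, which reuses the "already started" error for the opposite condition, "not running". Callers that stop unconditionally during cleanup will start seeing an error, so document the new return value, or consider a distinct errno for stop on an idle instance.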
@@ -581,10 +602,15 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
if (timer->card && timer->card->shutdown)
return -ENODEV;
spin_lock_irqsave(>lock, flags);
+   if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) {
+   result = -EBUSY;
+   goto unlock;
+   }
if (!timeri->cticks)
timeri->cticks = 1;
timeri->pticks = 0;
result = snd_timer_start1(timer, timeri, timer->sticks);
+ unlock:
spin_unlock_irqrestore(>lock, flags);
snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE);
return result;
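Review bot: in snd_timer_continue() the new `goto unlock` path sets result to -EBUSY, but `snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE)` after the unlock is still unconditional, so a rejected continue is still announced. snd_timer_start() in the same patch guards its notification with `if (result >= 0)`. Apply the same guard here.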
-- 
2.7.0



[PATCH 3.19.y-ckt 008/196] x86/entry/compat: Add missing CLAC to entry_INT80_32

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Andy Lutomirski 

commit 3d44d51bd339766f0178f0cf2e8d048b4a4872aa upstream.

This doesn't seem to fix a regression -- I don't think the CLAC was
ever there.

I double-checked in a debugger: entries through the int80 gate do
not automatically clear AC.

Stable maintainers: I can provide a backport to 4.3 and earlier if
needed.  This needs to be backported all the way to 3.10.

Reported-by: Brian Gerst 
Signed-off-by: Andy Lutomirski 
Cc: Andy Lutomirski 
Cc: Borislav Petkov 
Cc: Denys Vlasenko 
Cc: H. Peter Anvin 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Fixes: 63bcff2a307b ("x86, smap: Add STAC and CLAC instructions to control user 
space access")
Link: 
http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.l...@kernel.org
Signed-off-by: Ingo Molnar 
[ kamal: backport to 3.10 through 3.19-stable: file rename; context ]
Signed-off-by: Kamal Mostafa 
---
 arch/x86/ia32/ia32entry.S | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 82e8a1d..164f541 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -422,6 +422,7 @@ ENTRY(ia32_syscall)
/*CFI_REL_OFFSETcs,CS-RIP*/
CFI_REL_OFFSET  rip,RIP-RIP
PARAVIRT_ADJUST_EXCEPTION_FRAME
+   ASM_CLAC/* Do this early to minimize exposure */
SWAPGS
/*
 * No need to follow this irqs on/off section: the syscall
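Review bot: the comment on the added ASM_CLAC says "Do this early", yet it sits after PARAVIRT_ADJUST_EXCEPTION_FRAME, which therefore still runs with whatever AC value the entry arrived with. Either move it ahead of that macro or state in the comment why it cannot go there. The comment could also record what the commit message says, that entries through the int80 gate do not clear AC automatically.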
-- 
2.7.0



[PATCH 3.19.y-ckt 037/196] drm: add helper to check for wc memory support

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Dave Airlie 

commit 4b0e4e4af6c6dc8354dcb72182d52c1bc55f12fc upstream.

Reviewed-by: Christian König 
Reviewed-by: Michel Dänzer 
Signed-off-by: Dave Airlie 
Signed-off-by: Oded Gabbay 
Signed-off-by: Alex Deucher 
Signed-off-by: Kamal Mostafa 
---
 include/drm/drm_cache.h | 9 +
 1 file changed, 9 insertions(+)

diff --git a/include/drm/drm_cache.h b/include/drm/drm_cache.h
index 7bfb063..461a055 100644
--- a/include/drm/drm_cache.h
+++ b/include/drm/drm_cache.h
@@ -35,4 +35,13 @@
 
 void drm_clflush_pages(struct page *pages[], unsigned long num_pages);
 
+static inline bool drm_arch_can_wc_memory(void)
+{
+#if defined(CONFIG_PPC) && !defined(CONFIG_NOT_COHERENT_CACHE)
+   return false;
+#else
+   return true;
+#endif
+}
+
 #endif
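Review bot: drm_arch_can_wc_memory() is added with no comment and the commit message has no body, so nothing records why CONFIG_PPC without CONFIG_NOT_COHERENT_CACHE is the one configuration that returns false. Add a comment above the helper stating the reason and what a caller should fall back to when it returns false.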
-- 
2.7.0



[PATCH 3.19.y-ckt 036/196] cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: zengtao 

commit 0f26922fe5dc5724b1adbbd54b21bad03590b4f3 upstream.

The datatype __kernel_time_t is u32 on 32bit platform, so its subject to
overflows in the timeval/timespec to cputime conversion.

Currently the following functions are affected:
1. setitimer()
2. timer_create/timer_settime()
3. sys_clock_nanosleep

This can happen on MIPS32 and ARM32 with "Full dynticks CPU time accounting"
enabled, which is required for CONFIG_NO_HZ_FULL.

Enforce u64 conversion to prevent the overflow.

Fixes: 31c1fc818715 ("ARM: Kconfig: allow full nohz CPU accounting")
Signed-off-by: zengtao 
Reviewed-by: Arnd Bergmann 
Cc: 
Link: 
http://lkml.kernel.org/r/1454384314-154784-1-git-send-email-prime.z...@huawei.com
Signed-off-by: Thomas Gleixner 
Signed-off-by: Kamal Mostafa 
---
 include/asm-generic/cputime_nsecs.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/asm-generic/cputime_nsecs.h 
b/include/asm-generic/cputime_nsecs.h
index 0419485..0f1c6f3 100644
--- a/include/asm-generic/cputime_nsecs.h
+++ b/include/asm-generic/cputime_nsecs.h
@@ -75,7 +75,7 @@ typedef u64 __nocast cputime64_t;
  */
 static inline cputime_t timespec_to_cputime(const struct timespec *val)
 {
-   u64 ret = val->tv_sec * NSEC_PER_SEC + val->tv_nsec;
+   u64 ret = (u64)val->tv_sec * NSEC_PER_SEC + val->tv_nsec;
return (__force cputime_t) ret;
 }
 static inline void cputime_to_timespec(const cputime_t ct, struct timespec 
*val)
@@ -91,7 +91,8 @@ static inline void cputime_to_timespec(const cputime_t ct, 
struct timespec *val)
  */
 static inline cputime_t timeval_to_cputime(const struct timeval *val)
 {
-   u64 ret = val->tv_sec * NSEC_PER_SEC + val->tv_usec * NSEC_PER_USEC;
+   u64 ret = (u64)val->tv_sec * NSEC_PER_SEC +
+   val->tv_usec * NSEC_PER_USEC;
return (__force cputime_t) ret;
 }
 static inline void cputime_to_timeval(const cputime_t ct, struct timeval *val)
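Review bot: in timeval_to_cputime() only the tv_sec term is widened; `val->tv_usec * NSEC_PER_USEC` on the continuation line is still evaluated in the operands' own types before being added to the u64. That stays in range for a normalized tv_usec, but nothing visible here guarantees normalization, so `(u64)val->tv_usec * NSEC_PER_USEC` would make both terms safe and symmetric.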
-- 
2.7.0



[PATCH 3.19.y-ckt 005/196] EVM: Use crypto_memneq() for digest comparisons

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Ryan Ware 

commit 613317bd212c585c20796c10afe5daaa95d4b0a1 upstream.

This patch fixes vulnerability CVE-2016-2085.  The problem exists
because the vm_verify_hmac() function includes a use of memcmp().
Unfortunately, this allows timing side channel attacks; specifically
a MAC forgery complexity drop from 2^128 to 2^12.  This patch changes
the memcmp() to the cryptographically safe crypto_memneq().

Reported-by: Xiaofei Rex Guo 
Signed-off-by: Ryan Ware 
Signed-off-by: Mimi Zohar 
Signed-off-by: James Morris 
Signed-off-by: Kamal Mostafa 
---
 security/integrity/evm/evm_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/evm/evm_main.c 
b/security/integrity/evm/evm_main.c
index 02c6e4d..6c9c11d 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -23,6 +23,7 @@
 #include 
 #include 
 #include 
+#include 
 #include "evm.h"
 
 int evm_initialized;
@@ -148,7 +149,7 @@ static enum integrity_status evm_verify_hmac(struct dentry 
*dentry,
   xattr_value_len, calc.digest);
if (rc)
break;
-   rc = memcmp(xattr_data->digest, calc.digest,
+   rc = crypto_memneq(xattr_data->digest, calc.digest,
sizeof(calc.digest));
if (rc)
rc = -EINVAL;
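Review bot: The meaning of rc changes at the crypto_memneq() call: memcmp() returned an ordered result, crypto_memneq() only zero or non-zero. The `if (rc) rc = -EINVAL;` directly below collapses the value, so the switch is safe here, but a short comment on the call saying that the digest comparison must stay constant-time would stop it from being turned back into memcmp() in a later cleanup.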
-- 
2.7.0
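
As an added illustration (not code from the patch or from the kernel), the userspace C below contrasts an early-exit comparison with an OR-accumulating one in the style of crypto_memneq(). The 16-byte digest, the reference bytes and all function names are assumptions made for the example; the number of bytes examined stands in for the running time an observer could measure.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define DIGEST_LEN 16	/* assumed digest size for this example */

/* Constructed reference digest (sample data, not a real HMAC). */
static const unsigned char ref_digest[DIGEST_LEN] = {
	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

/*
 * Early-exit comparison, the way a byte-wise memcmp() behaves.
 * *examined receives how many bytes were read before returning.
 * Because the work grows with the matching prefix, each byte position
 * can be settled on its own: 16 positions x 256 values = 4096 = 2^12.
 */
static int early_exit_cmp(const unsigned char *a, const unsigned char *b,
			  size_t n, size_t *examined)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (a[i] != b[i]) {
			*examined = i + 1;
			return a[i] < b[i] ? -1 : 1;
		}
	}
	*examined = n;
	return 0;
}

/*
 * Constant-time inequality test: every byte is read and the differences
 * are OR-ed together, so the work does not depend on where the first
 * mismatch sits. Returns 0 when equal, non-zero otherwise (no ordering).
 */
static unsigned long ct_memneq(const void *a, const void *b, size_t n,
			       size_t *examined)
{
	const volatile unsigned char *pa = a;
	const volatile unsigned char *pb = b;
	unsigned long neq = 0;
	size_t i;

	for (i = 0; i < n; i++)
		neq |= (unsigned long)(pa[i] ^ pb[i]);
	*examined = n;
	return neq;
}

/* Candidate whose first match_len bytes equal ref and the rest differ. */
static void make_candidate(unsigned char *out, const unsigned char *ref,
			   size_t match_len)
{
	size_t i;

	for (i = 0; i < DIGEST_LEN; i++)
		out[i] = (i < match_len) ? ref[i] : (unsigned char)(ref[i] ^ 0xff);
}

/* Bytes read by the early-exit comparison for a given matching prefix. */
static size_t early_exit_work(size_t match_len)
{
	unsigned char cand[DIGEST_LEN];
	size_t examined = 0;

	make_candidate(cand, ref_digest, match_len);
	early_exit_cmp(ref_digest, cand, DIGEST_LEN, &examined);
	return examined;
}

/* Bytes read by the constant-time comparison for the same candidate. */
static size_t constant_time_work(size_t match_len)
{
	unsigned char cand[DIGEST_LEN];
	size_t examined = 0;

	make_candidate(cand, ref_digest, match_len);
	ct_memneq(ref_digest, cand, DIGEST_LEN, &examined);
	return examined;
}

/* Verification shaped like the patched code: any difference is -EINVAL. */
static int verify_digest(const unsigned char *stored, const unsigned char *calc)
{
	size_t examined;

	return ct_memneq(stored, calc, DIGEST_LEN, &examined) ? -EINVAL : 0;
}

int main(void)
{
	size_t k;

	for (k = 0; k <= DIGEST_LEN; k += 5)
		printf("matching prefix %2zu: early-exit reads %2zu, constant-time reads %2zu\n",
		       k, early_exit_work(k), constant_time_work(k));
	printf("verify(ref, ref) = %d\n", verify_digest(ref_digest, ref_digest));
	return 0;
}
```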



[PATCH 3.19.y-ckt 014/196] PCI/AER: Flush workqueue on device remove to avoid use-after-free

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Sebastian Andrzej Siewior 

commit 4ae2182b1e3407de369f8c5d799543b7db74221b upstream.

A Root Port's AER structure (rpc) contains a queue of events.  aer_irq()
enqueues AER status information and schedules aer_isr() to dequeue and
process it.  When we remove a device, aer_remove() waits for the queue to
be empty, then frees the rpc struct.

But aer_isr() references the rpc struct after dequeueing and possibly
emptying the queue, which can cause a use-after-free error as in the
following scenario with two threads, aer_isr() on the left and a
concurrent aer_remove() on the right:

  Thread A                      Thread B
  --------                      --------
  aer_irq():
    rpc->prod_idx++
                                aer_remove():
                                  wait_event(rpc->prod_idx == rpc->cons_idx)
                                  # now blocked until queue becomes empty
  aer_isr():                      # ...
    rpc->cons_idx++               # unblocked because queue is now empty
    ...                           kfree(rpc)
    mutex_unlock(&rpc->rpc_mutex)

To prevent this problem, use flush_work() to wait until the last scheduled
instance of aer_isr() has completed before freeing the rpc struct in
aer_remove().

I reproduced this use-after-free by flashing a device FPGA and
re-enumerating the bus to find the new device.  With SLUB debug, this
crashes with 0x6b bytes (POISON_FREE, the use-after-free magic number) in
GPR25:

  pcieport :00:00.0: AER: Multiple Corrected error received: id=
  Unable to handle kernel paging request for data at address 0x27ef9e3e
  Workqueue: events aer_isr
  GPR24: dd6aa000 6b6b6b6b 605f8378 605f8360 d99b12c0 604fc674 606b1704 d99b12c0
  NIP [602f5328] pci_walk_bus+0xd4/0x104

[bhelgaas: changelog, stable tag]
Signed-off-by: Sebastian Andrzej Siewior 
Signed-off-by: Bjorn Helgaas 
Signed-off-by: Kamal Mostafa 
---
 drivers/pci/pcie/aer/aerdrv.c  | 4 +---
 drivers/pci/pcie/aer/aerdrv.h  | 1 -
 drivers/pci/pcie/aer/aerdrv_core.c | 2 --
 3 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/drivers/pci/pcie/aer/aerdrv.c b/drivers/pci/pcie/aer/aerdrv.c
index 0bf82a2..48d21e0 100644
--- a/drivers/pci/pcie/aer/aerdrv.c
+++ b/drivers/pci/pcie/aer/aerdrv.c
@@ -262,7 +262,6 @@ static struct aer_rpc *aer_alloc_rpc(struct pcie_device 
*dev)
rpc->rpd = dev;
INIT_WORK(>dpc_handler, aer_isr);
mutex_init(>rpc_mutex);
-   init_waitqueue_head(>wait_release);
 
/* Use PCIe bus function to store rpc into PCIe device */
set_service_data(dev, rpc);
@@ -285,8 +284,7 @@ static void aer_remove(struct pcie_device *dev)
if (rpc->isr)
free_irq(dev->irq, dev);
 
-   wait_event(rpc->wait_release, rpc->prod_idx == rpc->cons_idx);
-
+   flush_work(>dpc_handler);
aer_disable_rootport(rpc);
kfree(rpc);
set_service_data(dev, NULL);
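Review bot: flush_work() in aer_remove() only waits for work that has already been queued, so the fix depends on the free_irq() two lines above having stopped aer_irq() from scheduling aer_isr() again, and that call is conditional on rpc->isr. Please add a comment at the flush_work() line stating this ordering requirement so the two calls are not reordered later.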
diff --git a/drivers/pci/pcie/aer/aerdrv.h b/drivers/pci/pcie/aer/aerdrv.h
index 84420b7..945c939 100644
--- a/drivers/pci/pcie/aer/aerdrv.h
+++ b/drivers/pci/pcie/aer/aerdrv.h
@@ -72,7 +72,6 @@ struct aer_rpc {
 * recovery on the same
 * root port hierarchy
 */
-   wait_queue_head_t wait_release;
 };
 
 struct aer_broadcast_data {
diff --git a/drivers/pci/pcie/aer/aerdrv_core.c 
b/drivers/pci/pcie/aer/aerdrv_core.c
index 5653ea9..b60a325 100644
--- a/drivers/pci/pcie/aer/aerdrv_core.c
+++ b/drivers/pci/pcie/aer/aerdrv_core.c
@@ -784,8 +784,6 @@ void aer_isr(struct work_struct *work)
while (get_e_source(rpc, _src))
aer_isr_one_error(p_device, _src);
mutex_unlock(>rpc_mutex);
-
-   wake_up(>wait_release);
 }
 
 /**
-- 
2.7.0



[PATCH] mm: Refactor find_get_pages() & friends

2016-03-08 Thread Kent Overstreet
Collapse redundant implementations of various gang pagecache lookup - this is
also prep work for pagecache iterator work

Signed-off-by: Kent Overstreet 
Cc: Al Viro 
---
 include/linux/pagemap.h| 142 +--
 include/linux/radix-tree.h |  49 ++-
 mm/filemap.c   | 331 +
 3 files changed, 174 insertions(+), 348 deletions(-)

diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index 92395a0a7d..12cb653423 100644
--- a/include/linux/pagemap.h
+++ b/include/linux/pagemap.h
@@ -352,18 +352,136 @@ static inline struct page *grab_cache_page_nowait(struct 
address_space *mapping,
 
 struct page *find_get_entry(struct address_space *mapping, pgoff_t offset);
 struct page *find_lock_entry(struct address_space *mapping, pgoff_t offset);
-unsigned find_get_entries(struct address_space *mapping, pgoff_t start,
- unsigned int nr_entries, struct page **entries,
- pgoff_t *indices);
-unsigned find_get_pages(struct address_space *mapping, pgoff_t start,
-   unsigned int nr_pages, struct page **pages);
-unsigned find_get_pages_contig(struct address_space *mapping, pgoff_t start,
-  unsigned int nr_pages, struct page **pages);
-unsigned find_get_pages_tag(struct address_space *mapping, pgoff_t *index,
-   int tag, unsigned int nr_pages, struct page **pages);
-unsigned find_get_entries_tag(struct address_space *mapping, pgoff_t start,
-   int tag, unsigned int nr_entries,
-   struct page **entries, pgoff_t *indices);
+
+unsigned __find_get_pages(struct address_space *mapping,
+ pgoff_t start, pgoff_t end,
+ unsigned nr_entries, struct page **entries,
+ pgoff_t *indices, unsigned flags);
+
+/**
+ * find_get_entries - gang pagecache lookup
+ * @mapping:   The address_space to search
+ * @start: The starting page cache index
+ * @nr_entries:The maximum number of entries
+ * @entries:   Where the resulting entries are placed
+ * @indices:   The cache indices corresponding to the entries in @entries
+ *
+ * find_get_entries() will search for and return a group of up to
+ * @nr_entries entries in the mapping.  The entries are placed at
+ * @entries.  find_get_entries() takes a reference against any actual
+ * pages it returns.
+ *
+ * The search returns a group of mapping-contiguous page cache entries
+ * with ascending indexes.  There may be holes in the indices due to
+ * not-present pages.
+ *
+ * Any shadow entries of evicted pages, or swap entries from
+ * shmem/tmpfs, are included in the returned array.
+ *
+ * find_get_entries() returns the number of pages and shadow entries
+ * which were found.
+ */
+static inline unsigned find_get_entries(struct address_space *mapping,
+   pgoff_t start, unsigned nr_entries,
+   struct page **entries, pgoff_t *indices)
+{
+   return __find_get_pages(mapping, start, ULONG_MAX,
+   nr_entries, entries, indices,
+   RADIX_TREE_ITER_EXCEPTIONAL);
+}
+
+/**
+ * find_get_pages - gang pagecache lookup
+ * @mapping:   The address_space to search
+ * @start: The starting page index
+ * @nr_pages:  The maximum number of pages
+ * @pages: Where the resulting pages are placed
+ *
+ * find_get_pages() will search for and return a group of up to
+ * @nr_pages pages in the mapping.  The pages are placed at @pages.
+ * find_get_pages() takes a reference against the returned pages.
+ *
+ * The search returns a group of mapping-contiguous pages with ascending
+ * indexes.  There may be holes in the indices due to not-present pages.
+ *
+ * find_get_pages() returns the number of pages which were found.
+ */
+static inline unsigned find_get_pages(struct address_space *mapping,
+   pgoff_t start, unsigned nr_pages,
+   struct page **pages)
+{
+   return __find_get_pages(mapping, start, ULONG_MAX,
+   nr_pages, pages, NULL, 0);
+}
+
+/**
+ * find_get_pages_contig - gang contiguous pagecache lookup
+ * @mapping:   The address_space to search
+ * @start: The starting page index
+ * @nr_pages:  The maximum number of pages
+ * @pages: Where the resulting pages are placed
+ *
+ * find_get_pages_contig() works exactly like find_get_pages(), except
+ * that the returned number of pages are guaranteed to be contiguous.
+ *
+ * find_get_pages_contig() returns the number of pages which were found.
+ */
+static inline unsigned find_get_pages_contig(struct address_space *mapping,
+   pgoff_t start, unsigned nr_pages,
+   struct page **pages)
+{
+   return __find_get_pages(mapping, start, ULONG_MAX,
+   
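Review bot: __find_get_pages() is declared at the top of this hunk without any kernel-doc, while every inline wrapper below it carries a full comment. The wrappers show that it takes an end bound (ULONG_MAX in all of them), can be passed a NULL indices array (find_get_pages()), and takes a flags argument (RADIX_TREE_ITER_EXCEPTIONAL or 0); those three parameters are what a caller cannot guess, so document them on the declaration.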

[PATCH] irqchip/mxs: fix error check of of_io_request_and_map()

2016-03-08 Thread Vladimir Zapolskiy
The of_io_request_and_map() returns a valid pointer in iomem region or
ERR_PTR(), check for NULL always fails and may cause a NULL pointer
dereference on error path.

Fixes: 25e34b44313b ("irqchip/mxs: Prepare driver for hardware with different 
offsets")
Signed-off-by: Vladimir Zapolskiy 
---
 drivers/irqchip/irq-mxs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/irqchip/irq-mxs.c b/drivers/irqchip/irq-mxs.c
index c22e2d4..5bec700 100644
--- a/drivers/irqchip/irq-mxs.c
+++ b/drivers/irqchip/irq-mxs.c
@@ -183,7 +183,7 @@ static void __iomem * __init icoll_init_iobase(struct 
device_node *np)
void __iomem *icoll_base;
 
icoll_base = of_io_request_and_map(np, 0, np->name);
-   if (!icoll_base)
+   if (IS_ERR(icoll_base))
panic("%s: unable to map resource", np->full_name);
return icoll_base;
 }
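Review bot: With IS_ERR() in place the error code is now available, but the panic() message on the next line still drops it. Printing PTR_ERR(icoll_base) alongside np->full_name would show why the mapping failed on a board that does not boot.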
-- 
2.1.4
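
The following userspace C is an added example, not code from the patch or the kernel tree: it re-creates the error-pointer helpers to show why a NULL test never fires for a function that reports failure through ERR_PTR(). The map_resource() function, the fake register buffer and the two check helpers are hypothetical names introduced for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error)
{
	return (void *)(intptr_t)error;
}

static inline long PTR_ERR(const void *ptr)
{
	return (long)(intptr_t)ptr;
}

/* Error pointers occupy the top MAX_ERRNO values of the address space. */
static inline int IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* For callees that may return either NULL or an error pointer. */
static inline int IS_ERR_OR_NULL(const void *ptr)
{
	return !ptr || IS_ERR(ptr);
}

static unsigned char fake_regs[64];	/* stands in for a mapped register window */

/*
 * Hypothetical mapper with the contract the changelog describes:
 * a valid pointer on success, ERR_PTR(-errno) on failure, never NULL.
 */
static void *map_resource(int fail_with)
{
	if (fail_with)
		return ERR_PTR(-fail_with);
	return fake_regs;
}

/* The check as it was before the patch: only catches NULL. */
static int null_check_sees_failure(const void *base)
{
	return !base;
}

/* The check after the patch: catches the encoded error. */
static int is_err_check_sees_failure(const void *base)
{
	return IS_ERR(base);
}

int main(void)
{
	void *base = map_resource(EBUSY);	/* constructed failure */

	printf("NULL check reports failure:  %d\n", null_check_sees_failure(base));
	printf("IS_ERR check reports failure: %d (errno %ld)\n",
	       is_err_check_sees_failure(base), -PTR_ERR(base));
	printf("IS_ERR(NULL) = %d, IS_ERR_OR_NULL(NULL) = %d\n",
	       IS_ERR(NULL), IS_ERR_OR_NULL(NULL));
	return 0;
}
```

IS_ERR(NULL) is false, so the two conventions are not interchangeable: the check has to match what the callee actually returns on failure.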



[PATCH 3.19.y-ckt 015/196] libata: disable forced PORTS_IMPL for >= AHCI 1.3

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Tejun Heo 

commit 566d1827df2ef0cbe921d3d6946ac3007b1a6938 upstream.

Some early controllers incorrectly reported zero ports in PORTS_IMPL
register and the ahci driver fabricates PORTS_IMPL from the number of
ports in those cases.  This hasn't mattered but with the new nvme
controllers there are cases where zero PORTS_IMPL is valid and should
be honored.

Disable the workaround for >= AHCI 1.3.

Signed-off-by: Tejun Heo 
Reported-by: Andy Lutomirski 
Link: 
http://lkml.kernel.org/g/calcetru7ymvxedhjaushohehdwifjgapdw--bkxsp0jmjkg...@mail.gmail.com
Cc: Sergei Shtylyov 
Signed-off-by: Kamal Mostafa 
---
 drivers/ata/libahci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
index 902dcfa..b0144e9 100644
--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -495,8 +495,8 @@ void ahci_save_initial_config(struct device *dev, struct 
ahci_host_priv *hpriv)
}
}
 
-   /* fabricate port_map from cap.nr_ports */
-   if (!port_map) {
+   /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */
+   if (!port_map && vers < 0x10300) {
port_map = (1 << ahci_nr_ports(cap)) - 1;
dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map);
 
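Review bot: The new condition `vers < 0x10300` compares against a bare constant whose encoding the reader has to infer from the comment above it. A named constant, or a short note on how the version value encodes AHCI 1.3, would make the cut-off checkable against the specification.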
-- 
2.7.0



[PATCH 3.19.y-ckt 025/196] iio: inkern: fix a NULL dereference on error

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Dan Carpenter 

commit d81dac3c1c5295c61b15293074ac2bd3254e1875 upstream.

In twl4030_bci_probe() there are some failure paths where we call
iio_channel_release() with a NULL pointer.  (Apparently, that driver can
operate without a valid channel pointer).  Let's fix it by adding a
NULL check in iio_channel_release().

Fixes: 2202e1fc5a29 ('drivers: power: twl4030_charger: fix link problems when 
building as module')
Signed-off-by: Dan Carpenter 
Signed-off-by: Jonathan Cameron 
Signed-off-by: Kamal Mostafa 
---
 drivers/iio/inkern.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index 90c8cb7..1bbb7f4 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -348,6 +348,8 @@ EXPORT_SYMBOL_GPL(iio_channel_get);
 
 void iio_channel_release(struct iio_channel *channel)
 {
+   if (!channel)
+   return;
iio_device_put(channel->indio_dev);
kfree(channel);
 }
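Review bot: The early return makes NULL a valid argument to iio_channel_release(), but nothing in this hunk documents that, and callers cannot tell from the prototype. Add a comment on the function stating that a NULL channel is a no-op, so the contract is visible where the function is defined.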
-- 
2.7.0



[PATCH 3.19.y-ckt 026/196] iio: pressure: mpl115: fix temperature offset sign

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Akinobu Mita 

commit 431386e783a3a6c8b7707bee32d18c353b8688b2 upstream.

According to the datasheet, the resolution of temperature sensor is
-5.35 counts/C. Temperature ADC is 472 counts at 25C.
(https://www.sparkfun.com/datasheets/Sensors/Pressure/MPL115A1.pdf
NOTE: This is older revision, but this information is removed from the
latest datasheet from nxp somehow)

Temp [C] = (Tadc - 472) / -5.35 + 25
 = (Tadc - 605.75) * -0.186915888

So the correct offset is -605.75.

Signed-off-by: Akinobu Mita 
Acked-by: Peter Meerwald-Stadler 
Signed-off-by: Jonathan Cameron 
Signed-off-by: Kamal Mostafa 
---
 drivers/iio/pressure/mpl115.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/pressure/mpl115.c b/drivers/iio/pressure/mpl115.c
index f5ecd6e..a0d7dee 100644
--- a/drivers/iio/pressure/mpl115.c
+++ b/drivers/iio/pressure/mpl115.c
@@ -117,7 +117,7 @@ static int mpl115_read_raw(struct iio_dev *indio_dev,
*val = ret >> 6;
return IIO_VAL_INT;
case IIO_CHAN_INFO_OFFSET:
-   *val = 605;
+   *val = -605;
*val2 = 75;
return IIO_VAL_INT_PLUS_MICRO;
case IIO_CHAN_INFO_SCALE:
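Review bot: The sign fix on *val is right, but the line after it still sets *val2 = 75 while the case returns IIO_VAL_INT_PLUS_MICRO. In that format val2 counts millionths, so the offset reported is -605.000075 rather than the -605.75 the changelog derives; *val2 should be 750000.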
-- 
2.7.0



[PATCH 3.19.y-ckt 013/196] cgroup: make sure a parent css isn't offlined before its children

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Tejun Heo 

commit aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 upstream.

There are three subsystem callbacks in css shutdown path -
css_offline(), css_released() and css_free().  Except for
css_released(), cgroup core didn't guarantee the order of invocation.
css_offline() or css_free() could be called on a parent css before its
children.  This behavior is unexpected and led to bugs in cpu and
memory controller.

This patch updates offline path so that a parent css is never offlined
before its children.  Each css keeps online_cnt which reaches zero iff
itself and all its children are offline and offline_css() is invoked
only after online_cnt reaches zero.

This fixes the memory controller bug and allows the fix for cpu
controller.

Signed-off-by: Tejun Heo 
Reported-and-tested-by: Christian Borntraeger 
Reported-by: Brian Christiansen 
Link: http://lkml.kernel.org/g/5698a023.9070...@de.ibm.com
Link: 
http://lkml.kernel.org/g/cakb58ikdkzc8ret31wbkd99+hxnzjk4+fbmhkgs+nvrc9vj...@mail.gmail.com
Cc: Heiko Carstens 
Cc: Peter Zijlstra 
[ luis: backported to 3.16:
  - file rename: cgroup-defs.h -> cgroup.h
  - adjusted context ]
Signed-off-by: Luis Henriques 

Signed-off-by: Kamal Mostafa 
---
 include/linux/cgroup.h |  6 ++
 kernel/cgroup.c| 22 +-
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index da0dae0..4501945 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -88,6 +88,12 @@ struct cgroup_subsys_state {
 */
u64 serial_nr;
 
+   /*
+* Incremented by online self and children.  Used to guarantee that
+* parents are not offlined before their children.
+*/
+   atomic_t online_cnt;
+
/* percpu_ref killing and RCU release */
struct rcu_head rcu_head;
struct work_struct destroy_work;
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 87deef1..8f1bde6 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4478,6 +4478,7 @@ static void init_and_link_css(struct cgroup_subsys_state 
*css,
INIT_LIST_HEAD(>sibling);
INIT_LIST_HEAD(>children);
css->serial_nr = css_serial_nr_next++;
+   atomic_set(>online_cnt, 0);
 
if (cgroup_parent(cgrp)) {
css->parent = cgroup_css(cgroup_parent(cgrp), ss);
@@ -4500,6 +4501,10 @@ static int online_css(struct cgroup_subsys_state *css)
if (!ret) {
css->flags |= CSS_ONLINE;
rcu_assign_pointer(css->cgroup->subsys[ss->id], css);
+
+   atomic_inc(>online_cnt);
+   if (css->parent)
+   atomic_inc(>parent->online_cnt);
}
return ret;
 }
@@ -4737,10 +4742,15 @@ static void css_killed_work_fn(struct work_struct *work)
container_of(work, struct cgroup_subsys_state, destroy_work);
 
mutex_lock(_mutex);
-   offline_css(css);
-   mutex_unlock(_mutex);
 
-   css_put(css);
+   do {
+   offline_css(css);
+   css_put(css);
+   /* @css can't go away while we're holding cgroup_mutex */
+   css = css->parent;
+   } while (css && atomic_dec_and_test(>online_cnt));
+
+   mutex_unlock(_mutex);
 }
 
 /* css kill confirmation processing requires process context, bounce */
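Review bot: In the new loop in css_killed_work_fn(), css->parent is read after css_put(css) has dropped the reference. The comment says cgroup_mutex keeps @css alive, which makes it correct but easy to break if the locking changes. Reading the parent into a local before the put removes that dependency: `parent = css->parent; css_put(css); css = parent;`.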
@@ -4749,8 +4759,10 @@ static void css_killed_ref_fn(struct percpu_ref *ref)
struct cgroup_subsys_state *css =
container_of(ref, struct cgroup_subsys_state, refcnt);
 
-   INIT_WORK(>destroy_work, css_killed_work_fn);
-   queue_work(cgroup_destroy_wq, >destroy_work);
+   if (atomic_dec_and_test(>online_cnt)) {
+   INIT_WORK(>destroy_work, css_killed_work_fn);
+   queue_work(cgroup_destroy_wq, >destroy_work);
+   }
 }
 
 /**
-- 
2.7.0



Re: [PATCH v2 2/2] ACPI, APEI, ERST: Fixed leaked resources in erst_init

2016-03-08 Thread Chen, Gong
On Tue, Mar 08, 2016 at 10:52:12AM -0500, Joshua Hunt wrote:
> Date: Tue,  8 Mar 2016 10:52:12 -0500
> From: Joshua Hunt 
> To: gong.c...@intel.com, linux-a...@vger.kernel.org, r...@rjwysocki.net,
>  l...@kernel.org, ying.hu...@intel.com
> Cc: tony.l...@intel.com, linux-kernel@vger.kernel.org, Joshua Hunt
>  
> Subject: [PATCH v2 2/2] ACPI, APEI, ERST: Fixed leaked resources in
>  erst_init
> X-Mailer: git-send-email 1.7.9.5
> 
> erst_init currently leaks resources allocated from its call to
> apei_resources_init(). The data allocated there gets copied
> into apei_resources_all and can be freed when we're done with it.
> 
> Signed-off-by: Josh Hunt 

Reviewed-by: Chen, Gong 





[PATCH] hid: sony: Add power supply support for PS3 remote

2016-03-08 Thread Frederic Jacob
Add power supply support for the PS3 remote controller

Signed-off-by: Frederic Jacob 

---
 drivers/hid/hid-sony.c | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
index 9b8db0e..b78e149 100644
--- a/drivers/hid/hid-sony.c
+++ b/drivers/hid/hid-sony.c
@@ -61,7 +61,8 @@
DUALSHOCK4_CONTROLLER | MOTION_CONTROLLER |\
NAVIGATION_CONTROLLER)
 #define SONY_BATTERY_SUPPORT (SIXAXIS_CONTROLLER | DUALSHOCK4_CONTROLLER |\
-   MOTION_CONTROLLER_BT | NAVIGATION_CONTROLLER)
+   MOTION_CONTROLLER_BT | NAVIGATION_CONTROLLER |\
+   PS3REMOTE)
 #define SONY_FF_SUPPORT (SIXAXIS_CONTROLLER | DUALSHOCK4_CONTROLLER |\
MOTION_CONTROLLER)

@@ -1177,7 +1178,12 @@ static void sixaxis_parse_report(struct sony_sc *sc, 
__u8 *rd, int size)
 * It does not report the actual level while charging so it
 * is set to 100% while charging is in progress.
 */
-   offset = (sc->quirks & MOTION_CONTROLLER) ? 12 : 30;
+   if (sc->quirks & MOTION_CONTROLLER)
+   offset = 12;
+   else if (sc->quirks & PS3REMOTE)
+   offset = 11;
+   else
+   offset = 30;

if (rd[offset] >= 0xee) {
battery_capacity = 100;
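Review bot: The PS3REMOTE branch picks offset 11 and rd[offset] is read right after, so the access is in bounds only because sony_raw_event() calls this function for that device with size == 12. sixaxis_parse_report() already receives size; checking offset < size before the read would keep the bound next to the access instead of in the caller. The three offsets would also read better as named constants.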
@@ -1301,6 +1307,9 @@ static int sony_raw_event(struct hid_device *hdev, struct 
hid_report *report,
} else if ((sc->quirks & NAVIGATION_CONTROLLER) && rd[0] == 0x01 &&
size == 49) {
sixaxis_parse_report(sc, rd, size);
+   } else if ((sc->quirks & PS3REMOTE) && rd[0] == 0x01 &&
+   size == 12) {
+   sixaxis_parse_report(sc, rd, size);
} else if (((sc->quirks & DUALSHOCK4_CONTROLLER_USB) && rd[0] == 0x01 &&
size == 64) || ((sc->quirks & DUALSHOCK4_CONTROLLER_BT)
&& rd[0] == 0x11 && size == 78)) {
--
2.5.0


Re: [PATCH] scsi: storvsc: fix SRB_STATUS_ABORTED handling

2016-03-08 Thread Martin K. Petersen
> "Vitaly" == Vitaly Kuznetsov  writes:

Vitaly> Commit 3209f9d780d1 ("scsi: storvsc: Fix a bug in the handling
Vitaly> of SRB status flags") filtered SRB_STATUS_AUTOSENSE_VALID out
Vitaly> effectively making the (SRB_STATUS_ABORTED |
Vitaly> SRB_STATUS_AUTOSENSE_VALID) case a dead code. The logic from
Vitaly> this branch (e.g. storvsc_device_scan() call) is still required,
Vitaly> fix the check.

Applied to 4.5/scsi-fixes.

-- 
Martin K. Petersen  Oracle Linux Engineering


Re: [PATCH 4.4 00/74] 4.4.5-stable review

2016-03-08 Thread Greg Kroah-Hartman
On Tue, Mar 08, 2016 at 09:24:17AM -0700, Shuah Khan wrote:
> On 03/07/2016 05:02 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.4.5 release.
> > There are 74 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu Mar 10 00:02:56 UTC 2016.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.5-rc1.gz
> > and the diffstat can be found below.
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Thanks for testing all of these and letting me know.

greg k-h


[PATCH] pinctrl: pxa2xx: export symbols

2016-03-08 Thread Linus Walleij
The pxa2xx fails some automated builds because of unexported
symbols.

Reported-by: kbuild test robot 
Signed-off-by: Linus Walleij 
---
 drivers/pinctrl/pxa/pinctrl-pxa2xx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pinctrl/pxa/pinctrl-pxa2xx.c 
b/drivers/pinctrl/pxa/pinctrl-pxa2xx.c
index d90e205cf809..f553313bc2ef 100644
--- a/drivers/pinctrl/pxa/pinctrl-pxa2xx.c
+++ b/drivers/pinctrl/pxa/pinctrl-pxa2xx.c
@@ -426,6 +426,7 @@ int pxa2xx_pinctrl_init(struct platform_device *pdev,
 
return 0;
 }
+EXPORT_SYMBOL_GPL(pxa2xx_pinctrl_init);
 
 int pxa2xx_pinctrl_exit(struct platform_device *pdev)
 {
@@ -434,3 +435,4 @@ int pxa2xx_pinctrl_exit(struct platform_device *pdev)
pinctrl_unregister(pctl->pctl_dev);
return 0;
 }
+EXPORT_SYMBOL_GPL(pxa2xx_pinctrl_exit);
-- 
2.4.3



[PATCH v3 0/7] Add more clock compatible features and support the RK3399 clock

2016-03-08 Thread Xing Zheng

Hi,
  The patch series adds support for more mux parameters and multiple
clock providers for the rockchip features of the clock framework,
and supports the clock controller for the RK3399.


Changes in v3:
- rename pclkin_cif to pclkin_cifmux, add diagram and comment for
  pclkin_cifmux
- add the clk_test node
- modify the cif_testout path
- include two new patches that dt-bindings and header file from
  Jianqun's patch series

Changes in v2:
- rename the aplll/apllb to lpll/bpll
- add drv/sample clock nodes for sdmmc/sdio

Xing Zheng (7):
  dt-bindings: add bindings for rk3399 clock controller
  clk: rockchip: add dt-binding header for rk3399
  clk: rockchip: add more mux parameters for new pll sources
  clk: rockchip: Add support for multiple clock providers
  clk: rockchip: add new pll-type for rk3399 and similar socs
  clk: rockchip: add a COMPOSITE_FRACMUX_NOGATE type
  clk: rockchip: add clock controller for the RK3399

 .../bindings/clock/rockchip,rk3399-cru.txt |   82 +
 drivers/clk/rockchip/Makefile  |1 +
 drivers/clk/rockchip/clk-cpu.c |   14 +-
 drivers/clk/rockchip/clk-pll.c |  309 +++-
 drivers/clk/rockchip/clk-rk3036.c  |   20 +-
 drivers/clk/rockchip/clk-rk3188.c  |   54 +-
 drivers/clk/rockchip/clk-rk3228.c  |   20 +-
 drivers/clk/rockchip/clk-rk3288.c  |   22 +-
 drivers/clk/rockchip/clk-rk3368.c  |   27 +-
 drivers/clk/rockchip/clk-rk3399.c  | 1567 
 drivers/clk/rockchip/clk.c |  148 +-
 drivers/clk/rockchip/clk.h |   98 +-
 include/dt-bindings/clock/rk3399-cru.h |  720 +
 13 files changed, 2957 insertions(+), 125 deletions(-)
 create mode 100644 
Documentation/devicetree/bindings/clock/rockchip,rk3399-cru.txt
 create mode 100644 drivers/clk/rockchip/clk-rk3399.c
 create mode 100644 include/dt-bindings/clock/rk3399-cru.h

-- 
1.7.9.5




Re: [PATCH] staging/android: change IOCTLs opcode after ABI change

2016-03-08 Thread Greg Hackmann

On 03/03/2016 02:42 PM, Gustavo Padovan wrote:

From: Gustavo Padovan 

Burn the old opcode to avoid any potential old userspace running the old
API to get weird errors. Changing the opcodes will make them fail right
away.

This is just a precaution, there are no upstream users of these interfaces
yet and the only user is Android, but we don't expect anyone trying to
run android userspace and all its dependencies on top of upstream kernels.

Moreover Android should be converted to use upstream sync_files.

Suggested-by: Rob Clark 
Signed-off-by: Gustavo Padovan 


Acked-by: Greg Hackmann 


Re: [PATCH v3 2/9] clocksource: arm_arch_timer: Extend arch_timer_kvm_info to get the virtual IRQ

2016-03-08 Thread Christoffer Dall
On Tue, Mar 08, 2016 at 11:29:26AM +, Julien Grall wrote:
> Currently, the firmware table is parsed by the virtual timer code in
> order to retrieve the virtual timer interrupt. However, this is already
> done by the arch timer driver.
> 
> To avoid code duplication, extend arch_timer_kvm_info to get the virtual
> IRQ.
> 
> Note that the KVM code will be modified in a subsequent patch.
> 
> Signed-off-by: Julien Grall 
> 
> ---
> Cc: Daniel Lezcano 
> Cc: Thomas Gleixner 
> Cc: Marc Zyngier 
> 
> Changes in v3:
> - Move the KVM changes in a separate patch and rename the patch
> - Move the initialization of the virtual_irq to
> arch_timer_common_init
> ---
>  drivers/clocksource/arm_arch_timer.c | 2 ++
>  include/clocksource/arm_arch_timer.h | 1 +
>  2 files changed, 3 insertions(+)
> 
> diff --git a/drivers/clocksource/arm_arch_timer.c 
> b/drivers/clocksource/arm_arch_timer.c
> index b7ab588..d8887f3 100644
> --- a/drivers/clocksource/arm_arch_timer.c
> +++ b/drivers/clocksource/arm_arch_timer.c
> @@ -701,6 +701,8 @@ static void __init arch_timer_common_init(void)
>   arch_timer_banner(arch_timers_present);
>   arch_counter_register(arch_timers_present);
>   arch_timer_arch_init();
> +
> + arch_timer_kvm_info.virtual_irq = arch_timer_ppi[VIRT_PPI];

why is this in common_init and not just in init?

>  }
>  
>  static void __init arch_timer_init(void)
> diff --git a/include/clocksource/arm_arch_timer.h 
> b/include/clocksource/arm_arch_timer.h
> index 9101ed6b..9dd996a 100644
> --- a/include/clocksource/arm_arch_timer.h
> +++ b/include/clocksource/arm_arch_timer.h
> @@ -51,6 +51,7 @@ enum arch_timer_reg {
>  
>  struct arch_timer_kvm_info {
>   struct timecounter timecounter;
> + int virtual_irq;
>  };
>  
>  #ifdef CONFIG_ARM_ARCH_TIMER
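Review bot: The new virtual_irq member of struct arch_timer_kvm_info is added without a comment. Say what it holds (the value taken from arch_timer_ppi[VIRT_PPI] in the first hunk) and which value a consumer should treat as "no virtual timer interrupt", since the struct is the only interface the other side sees.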
> -- 
> 1.9.1
> 


Re: [PATCH 7/8] drivers/pinctrl: make sunxi/pinctrl-sun9i-a80-r.c explicitly non-modular

2016-03-08 Thread Linus Walleij
On Tue, Mar 1, 2016 at 3:48 AM, Paul Gortmaker
 wrote:

> The Kconfig currently controlling compilation of this code is:
>
> drivers/pinctrl/sunxi/Kconfig:config PINCTRL_SUN9I_A80_R
> drivers/pinctrl/sunxi/Kconfig:  def_bool MACH_SUN9I
>
> ...meaning that it currently is not being built as a module by anyone.
>
> Let's remove the modular code that is essentially orphaned, so that
> when reading the driver there is no doubt it is builtin-only.
>
> Since module_platform_driver() uses the same init level priority as
> builtin_platform_driver() the init ordering remains unchanged with
> this commit.
>
> Also note that MODULE_DEVICE_TABLE is a no-op for non-modular code.
>
> We also delete the MODULE_LICENSE tag etc. since all that information
> is already contained at the top of the file in the comments.
>
> Cc: Linus Walleij 
> Cc: Maxime Ripard 
> Cc: Chen-Yu Tsai 
> Cc: linux-g...@vger.kernel.org
> Cc: linux-arm-ker...@lists.infradead.org
> Signed-off-by: Paul Gortmaker 

Patch applied with Maxime's ACK.

Yours,
Linus Walleij


Re: [RESEND PATCH v7] mtd: spi-nor: add hisilicon spi-nor flash controller driver

2016-03-08 Thread Jiancheng Xue
Hi Boris,

On 2016/3/8 17:46, Boris Brezillon wrote:
>> [...]
 +static int hisi_spi_nor_read_reg(struct spi_nor *nor, u8 opcode, u8 *buf,
 +  int len)
 +{
 +  struct hifmc_priv *priv = nor->priv;
 +  struct hifmc_host *host = priv->host;
 +  int ret;
 +
 +  ret = hisi_spi_nor_send_cmd(nor, opcode, len);
 +  if (ret)
 +  return ret;
 +
 +  memcpy(buf, host->iobase, len);
>>>
>>> sparse doesn't like any of these memcpy()'s, since that's __iomem. Are
>>> you sure you want a regular memcpy here, and elsewhere?
>>>
>> It's not a must to use memcpy though host->iobase represents a segment of 
>> inner memory
>> which stores data from flash device byte by byte.  I will give up using 
>> memcpy here and
>> hisi_spi_nor_write_reg() in next version. Thank you!
> 
> Or you can use memcpy_fromio(), which should give you better perfs than
> using readX() accessors in a loop.
> 

Thank you very much for your suggestion. I'll look into sparse and this 
function.

Regards,
Jiancheng



Re: [PATCH] pinctrl: uniphier: rename CONFIG options and file names

2016-03-08 Thread Linus Walleij
On Wed, Mar 2, 2016 at 1:14 PM, Masahiro Yamada
 wrote:

> The current "CONFIG_PINCTRL_UNIPHIER_PH1_*" is too long.  It would
> not hurt to drop "PH1_" because "UNIPHIER_" already well specifies
> the SoC family.  Also, rename files for consistency.
>
> Signed-off-by: Masahiro Yamada 

Patch applied.

Yours,
Linus Walleij


[PATCH] pmem: don't allocate unused major device number

2016-03-08 Thread NeilBrown

When alloc_disk(0) or alloc_disk_node(0, XX) is used, the ->major
number is completely ignored:  all devices are allocated with a
major of BLOCK_EXT_MAJOR.

So there is no point allocating pmem_major.

Signed-off-by: NeilBrown 
---
 drivers/nvdimm/pmem.c | 19 +--
 1 file changed, 1 insertion(+), 18 deletions(-)

Hi Dan et al,
 I was recently educating myself about the behavior of alloc_disk(0).
 As I understand it, the ->major is ignored and all device numbers for all
 partitions (including '0') are allocated on demand with major number of
 BLOCK_EXT_MAJOR.

 So I was a little surprised to find that pmem.c allocated a major
 number which is never used - historical anomaly I suspect.
 I was a bit more surprised at the comment in:

  Commit: 9f53f9fa4ad1 ("libnvdimm, pmem: add libnvdimm support to the pmem 
driver")

 "The minor numbers are also more predictable by passing 0 to alloc_disk()."

 How can they possibly be more predictable given that they are allocated
 on-demand?  Maybe discovery order is very predictable???

 In any case, I propose this patch but cannot test it (beyond compiling)
 as I don't have relevant hardware.  And maybe some user-space code greps
 /proc/devices for "pmem" to determine if "pmem" is compiled in (though
 I sincerely hope not).
 So I cannot be certain that this patch won't break anything, but am
 hoping that if you like it you might test it.

 If it does prove acceptable, then similar changes would be appropriate
 for btt.c and blk.c.   And drivers/memstick/core/ms_block.c and
 drivers/nvme/host/core.c. (gotta stamp out this cargo cult)

 drivers/lightnvm/core.c is the only driver which uses alloc_disk(0) and
 doesn't provide a 'major' number. :-(

Thanks,
NeilBrown


diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c
index 8d0b54670184..ec7e9e6a768e 100644
--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -47,8 +47,6 @@ struct pmem_device {
struct badblocksbb;
 };
 
-static int pmem_major;
-
 static bool is_bad_pmem(struct badblocks *bb, sector_t sector, unsigned int 
len)
 {
if (bb->count) {
@@ -228,8 +226,6 @@ static int pmem_attach_disk(struct device *dev,
return -ENOMEM;
}
 
-   disk->major = pmem_major;
-   disk->first_minor   = 0;
disk->fops  = _fops;
disk->private_data  = pmem;
disk->queue = pmem->pmem_queue;
@@ -502,26 +498,13 @@ static struct nd_device_driver nd_pmem_driver = {
 
 static int __init pmem_init(void)
 {
-   int error;
-
-   pmem_major = register_blkdev(0, "pmem");
-   if (pmem_major < 0)
-   return pmem_major;
-
-   error = nd_driver_register(_pmem_driver);
-   if (error) {
-   unregister_blkdev(pmem_major, "pmem");
-   return error;
-   }
-
-   return 0;
+   return nd_driver_register(_pmem_driver);
 }
 module_init(pmem_init);
 
 static void pmem_exit(void)
 {
driver_unregister(_pmem_driver.drv);
-   unregister_blkdev(pmem_major, "pmem");
 }
 module_exit(pmem_exit);
 
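Review bot: dropping register_blkdev() from pmem_init() also removes the "pmem" entry from /proc/devices, which the posting itself flags as a possible user-space-visible change; the changelog should state this explicitly. The patch is described as compile-tested only, so it needs a run on real hardware before it goes in.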
-- 
2.7.2





Re: [PATCH v2-UPDATE2 3/4] resource: Add device-managed insert/remove_resource()

2016-03-08 Thread Toshi Kani
On Tue, 2016-03-08 at 14:44 -0800, Dan Williams wrote:
> On Tue, Mar 8, 2016 at 2:23 PM, Linus Torvalds wrote:
> > On Tue, Mar 8, 2016 at 12:59 PM, Dan Williams wrote:
> > > 
> > > Here's the usage patch from Toshi [1] (copied below).  It is indeed a
> > > resource injected by nfit / nvdimm bus implementation.  We just happen
> > > to support nfit and libnvdimm as modules.
> > > 
> > > The goal of these patches is to use the ACPI NFIT data to create a
> > > "Persistent Memory" rather than "reserved" resource.  This is for
> > > platform-firmware implementations that use E820-Type2 rather than
> > > E820-Type7 to describe pmem.
> > 
> > So my worry is that there is likely exactly one or two of these kinds
> > of sites.
> > 
> > Why couldn't they just use insert_resource() and then remove it
> > manually?
> 
> You mean instead of introducing a devm_insert_resource() as a helpful
> first-class-citizen api, just arrange for the resource to be inserted
> locally?  Sure.
> 
> I assume Toshi was looking to keep the devm semantics like the rest of
> the nfit driver, but we can do that locally with devm_add_action() and
> skip the new general purpose api.

Yes, I prefer the devm semantics.  insert_resource() and remove_resource()
are not exported interfaces.  So, with devm_add_action(), we still need to
introduce built-in exported wrappers for insert/remove_resource(), unless
we change to export them directly.  Since we need to export "something", I
think it is better to export their devm interfaces.

Thanks,
-Toshi


Re: [PATCH v2-UPDATE2 3/4] resource: Add device-managed insert/remove_resource()

2016-03-08 Thread Toshi Kani
On Tue, 2016-03-08 at 15:31 -0800, Linus Torvalds wrote:
> On Tue, Mar 8, 2016 at 4:04 PM, Toshi Kani  wrote:
> > 
> > Yes, I prefer the devm semantics.  insert_resource() and
> > remove_resource() are not exported interfaces.  So, with
> > devm_add_action(), we still need to introduce built-in exported
> > wrappers for insert/remove_resource(), unless we change to export them
> > directly.  Since we need to export "something", I think it is better to
> > export their devm interfaces.
> 
> So I'm coming from the background that
> 
>  (a) less code is better
> 
>  (b) the "devm_" interface may be convenient, but it has also
> traditionally also been a cause of problems and limitations.
> 
> Now, the main problems with the devm interface has been either
> ordering (which just isn't an issue with resource allocation - it's
> been an issue with irqs) or the fact that it can't always be used if
> you're not in the right context. So it's "convenient but potentially
> inflexible".
> 
> And the thing is, I think convenience functions mainly make sense for
> places where there are multiple users. If there really is just one or
> two (number completely pulled out of my ass), I don't see the point of
> a "convenience" function, when we've had the main actual _code_
> functionality for over a decade.
> 
> So unless there are more users, I'd suggest just exporting the
> insert_resource function.
> 
> We already export allocate_resource and adjust_resource.
> 
> Now, the _one_ argument for devm_insert_resource() is that we do have
> "devm_request_resource()".
> 
> But quite frankly, just counting the number of devm_request_resource()
> calls weakens that argument. There's 7 callers in the whole kernel.
> The regular "request_resource()" has 200+ callers.
> 
> That may be due to historical reasons, but it may also be at least
> partially due to (b) above - there are a number of cases where the
> "devm_xyz()" model doesn't work well.
> 
> So I think we should see the "devm_xyz()" forms as being a "let's make
> things easy for driver writers". I do _not_ think it makes sense for
> one-off users.
> 
> Now, if it turns out that there are lots of other potential users of
> devm_insert_resource(), that would make all of my arguments go away.

I agree that there won't be many users of devm_insert_resource().  So, I am
going to export insert_resource() and remove_resource() as you suggested,
and let the NFIT driver call them using devm_add_action() as a one-off
solution.

Thanks!
-Toshi


[PATCH 3.19.y-ckt 020/196] drm/i915/dp: fall back to 18 bpp when sink capability is unknown

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Jani Nikula 

commit 5efd407674068dede403551bea3b0b134c32513a upstream.

Per DP spec, the source device should fall back to 18 bpp, VESA range
RGB when the sink capability is unknown. Fix the color depth
clamping. 18 bpp color depth should ensure full color range in automatic
mode.

The clamping has been HDMI specific since its introduction in

commit 996a2239f93b03c5972923f04b097f65565c5bed
Author: Daniel Vetter 
Date:   Fri Apr 19 11:24:34 2013 +0200

drm/i915: Disable high-bpc on pre-1.4 EDID screens

Reported-and-tested-by: Dihan Wickremasuriya 
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105331
Reviewed-by: Ville Syrjälä 
Signed-off-by: Jani Nikula 
Link: http://patchwork.freedesktop.org/patch/msgid/1452695720-7076-1-git-send-email-jani.nik...@intel.com
(cherry picked from commit 013dd9e038723bbd2aa67be51847384b75be8253)
Signed-off-by: Kamal Mostafa 
---
 drivers/gpu/drm/i915/intel_display.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_display.c 
b/drivers/gpu/drm/i915/intel_display.c
index 9198724..3aae172 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -9984,11 +9984,21 @@ connected_sink_compute_bpp(struct intel_connector 
*connector,
pipe_config->pipe_bpp = connector->base.display_info.bpc*3;
}
 
-   /* Clamp bpp to 8 on screens without EDID 1.4 */
-   if (connector->base.display_info.bpc == 0 && bpp > 24) {
-   DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit 
of 24\n",
- bpp);
-   pipe_config->pipe_bpp = 24;
+   /* Clamp bpp to default limit on screens without EDID 1.4 */
+   if (connector->base.display_info.bpc == 0) {
+   int type = connector->base.connector_type;
+   int clamp_bpp = 24;
+
+   /* Fall back to 18 bpp when DP sink capability is unknown. */
+   if (type == DRM_MODE_CONNECTOR_DisplayPort ||
+   type == DRM_MODE_CONNECTOR_eDP)
+   clamp_bpp = 18;
+
+   if (bpp > clamp_bpp) {
+   DRM_DEBUG_KMS("clamping display bpp (was %d) to default 
limit of %d\n",
+ bpp, clamp_bpp);
+   pipe_config->pipe_bpp = clamp_bpp;
+   }
}
 }
 
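Review bot: in the new bpc == 0 branch the 18 bpp limit is chosen purely from connector->base.connector_type, so every DisplayPort and eDP sink that reports no bpc now drops from the previous 24 bpp limit to 18. The code comment should cite the DP spec fallback rule the changelog refers to, so the lower limit is not mistaken for a regression later, and the debug message could print the connector type now that the limit depends on it.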
-- 
2.7.0



[PATCH 3.19.y-ckt 003/196] Revert "workqueue: make sure delayed work run in local cpu"

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Tejun Heo 

commit 041bd12e272c53a35c54c13875839bcb98c999ce upstream.

This reverts commit 874bbfe600a660cba9c776b3957b1ce393151b76.

Workqueue used to implicitly guarantee that work items queued without
explicit CPU specified are put on the local CPU.  Recent changes in
timer broke the guarantee and led to vmstat breakage which was fixed
by 176bed1de5bf ("vmstat: explicitly schedule per-cpu work on the CPU
we need it to run on").

vmstat is the most likely to expose the issue and it's quite possible
that there are other similar problems which are a lot more difficult
to trigger.  As a preventive measure, 874bbfe600a6 ("workqueue: make
sure delayed work run in local cpu") was applied to restore the local
CPU guarantee.  Unfortunately, the change exposed a bug in timer code
which got fixed by 22b886dd1018 ("timers: Use proper base migration in
add_timer_on()").  Due to code restructuring, the commit couldn't be
backported beyond certain point and stable kernels which only had
874bbfe600a6 started crashing.

The local CPU guarantee was accidental more than anything else and we
want to get rid of it anyway.  As, with the vmstat case fixed,
874bbfe600a6 is causing more problems than it's fixing, it has been
decided to take the chance and officially break the guarantee by
reverting the commit.  A debug feature will be added to force foreign
CPU assignment to expose cases relying on the guarantee and fixes for
the individual cases will be backported to stable as necessary.

Signed-off-by: Tejun Heo 
Fixes: 874bbfe600a6 ("workqueue: make sure delayed work run in local cpu")
Link: http://lkml.kernel.org/g/20160120211926.gj10...@quack.suse.cz
Cc: Mike Galbraith 
Cc: Henrique de Moraes Holschuh 
Cc: Daniel Bilik 
Cc: Jan Kara 
Cc: Shaohua Li 
Cc: Sasha Levin 
Cc: Ben Hutchings 
Cc: Thomas Gleixner 
Cc: Daniel Bilik 
Cc: Jiri Slaby 
Cc: Michal Hocko 
Signed-off-by: Kamal Mostafa 
---
 kernel/workqueue.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index e80693f..82d0c8d 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -1442,13 +1442,13 @@ static void __queue_delayed_work(int cpu, struct 
workqueue_struct *wq,
timer_stats_timer_set_start_info(>timer);
 
dwork->wq = wq;
-   /* timer isn't guaranteed to run in this cpu, record earlier */
-   if (cpu == WORK_CPU_UNBOUND)
-   cpu = raw_smp_processor_id();
dwork->cpu = cpu;
timer->expires = jiffies + delay;
 
-   add_timer_on(timer, cpu);
+   if (unlikely(cpu != WORK_CPU_UNBOUND))
+   add_timer_on(timer, cpu);
+   else
+   add_timer(timer);
 }
 
 /**
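Review bot: after this hunk dwork->cpu keeps WORK_CPU_UNBOUND and the timer is armed with add_timer(), so work queued without an explicit CPU is no longer tied to the queueing CPU, and the removed comment was the only place that mentioned the issue. Leave a short comment at the add_timer(timer) branch saying that callers needing a specific CPU must pass one, and justify or drop the unlikely() on cpu != WORK_CPU_UNBOUND.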
-- 
2.7.0



[PATCH 3.19.y-ckt 021/196] ALSA: usb-audio: Fix OPPO HA-1 vendor ID

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Jurgen Kramer 

commit 5327d6ba975042fd3da50ac6e94d1e9551ebeaec upstream.

In my patch adding native DSD support for the Oppo HA-1, the wrong vendor ID got
through. This patch fixes the vendor ID and aligns the comment.

Fixes: a4eae3a506ea ('ALSA: usb: Add native DSD support for Oppo HA-1')
Signed-off-by: Jurgen Kramer 
Signed-off-by: Takashi Iwai 
Signed-off-by: Kamal Mostafa 
---
 sound/usb/quirks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 73d7a0e..99aa94d 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1263,7 +1263,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct 
snd_usb_audio *chip,
case USB_ID(0x20b1, 0x3008): /* iFi Audio micro/nano iDSD */
case USB_ID(0x20b1, 0x2008): /* Matrix Audio X-Sabre */
case USB_ID(0x20b1, 0x300a): /* Matrix Audio Mini-i Pro */
-   case USB_ID(0x22d8, 0x0416): /* OPPO HA-1*/
+   case USB_ID(0x22d9, 0x0416): /* OPPO HA-1 */
if (fp->altsetting == 2)
return SNDRV_PCM_FMTBIT_DSD_U32_BE;
break;
-- 
2.7.0



[PATCH 3.19.y-ckt 001/196] qeth: initialize net_device with carrier off

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Ursula Braun 

commit e5ebe63214d44d4dcf43df02edf3613e04d671b9 upstream.

/sys/class/net//operstate for an active qeth network
interface often shows "unknown", which translates to "state UNKNOWN"
in output of "ip link show". It is caused by a missing initialization
of the __LINK_STATE_NOCARRIER bit in the net_device state field.
This patch adds a netif_carrier_off() invocation when creating the
net_device for a qeth device.

Signed-off-by: Ursula Braun 
Acked-by: Hendrik Brueckner 
Reference-ID: Bugzilla 133209
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 drivers/s390/net/qeth_l2_main.c | 1 +
 drivers/s390/net/qeth_l3_main.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
index ce87ae7..15ce694 100644
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -971,6 +971,7 @@ static int qeth_l2_setup_netdev(struct qeth_card *card)
qeth_l2_request_initial_mac(card);
SET_NETDEV_DEV(card->dev, >gdev->dev);
netif_napi_add(card->dev, >napi, qeth_l2_poll, QETH_NAPI_WEIGHT);
+   netif_carrier_off(card->dev);
return register_netdev(card->dev);
 }
 
diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
index e2a0ee8..b32ec85 100644
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3339,6 +3339,7 @@ static int qeth_l3_setup_netdev(struct qeth_card *card)
 
SET_NETDEV_DEV(card->dev, >gdev->dev);
netif_napi_add(card->dev, >napi, qeth_l3_poll, QETH_NAPI_WEIGHT);
+   netif_carrier_off(card->dev);
return register_netdev(card->dev);
 }
 
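Review bot: netif_carrier_off() is added directly before register_netdev() in both qeth_l2_setup_netdev() and qeth_l3_setup_netdev(), but neither hunk shows where the carrier is switched on again. Confirm that the path bringing the card online calls netif_carrier_on(), otherwise operstate would move from "unknown" to permanently down, and add a one-line comment saying the call initialises __LINK_STATE_NOCARRIER.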
-- 
2.7.0



[PATCH 3.19.y-ckt 002/196] vmstat: explicitly schedule per-cpu work on the CPU we need it to run on

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Linus Torvalds 

commit 176bed1de5bf977938cad26551969eca8f0883b1 upstream.

The vmstat code uses "schedule_delayed_work_on()" to do the initial
startup of the delayed work on the right CPU, but then once it was
started it would use the non-cpu-specific "schedule_delayed_work()" to
re-schedule it on that CPU.

That just happened to schedule it on the same CPU historically (well, in
almost all situations), but the code _requires_ this work to be per-cpu,
and should say so explicitly rather than depend on the non-cpu-specific
scheduling to schedule on the current CPU.

The timer code is being changed to not be as single-minded in always
running things on the calling CPU.

See also commit 874bbfe600a6 ("workqueue: make sure delayed work run in
local cpu") that for now maintains the local CPU guarantees just in case
there are other broken users that depended on the accidental behavior.

Cc: Christoph Lameter 
Cc: Tejun Heo 
Signed-off-by: Linus Torvalds 
[ kamal: backport to 3.19-stable: use queue_delayed_work_on() ]
Signed-off-by: Kamal Mostafa 
---
 mm/vmstat.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mm/vmstat.c b/mm/vmstat.c
index 8bf4322..19a4268 100644
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -1364,16 +1364,16 @@ static cpumask_var_t cpu_stat_off;
 
 static void vmstat_update(struct work_struct *w)
 {
-   if (refresh_cpu_vm_stats(true))
+   if (refresh_cpu_vm_stats(true)) {
/*
 * Counters were updated so we expect more updates
 * to occur in the future. Keep on running the
 * update worker thread.
 */
-   queue_delayed_work(vmstat_wq,
+   queue_delayed_work_on(smp_processor_id(), vmstat_wq,
this_cpu_ptr(_work),
round_jiffies_relative(sysctl_stat_interval));
-   else {
+   } else {
/*
 * We did not update any counters so the app may be in
 * a mode where it does not cause counter updates.
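Review bot: the requeue in vmstat_update() now passes smp_processor_id(), which is only correct if the work item is guaranteed to be executing on the CPU whose counters it refreshes. State that assumption in a comment next to the queue_delayed_work_on() call, since making the per-cpu requirement explicit is the whole purpose of the change.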
-- 
2.7.0



[PATCH 3.19.y-ckt 012/196] ASoC: rt5645: fix the shift bit of IN1 boost

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Bard Liao 

commit b28785fa9cede0d4f47310ca0dd2a4e1d50478b5 upstream.

The shift bit of IN1 boost gain control is 12.

Signed-off-by: Bard Liao 
Signed-off-by: Mark Brown 
Signed-off-by: Kamal Mostafa 
---
 sound/soc/codecs/rt5645.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c
index a9d7348..f7e92af 100644
--- a/sound/soc/codecs/rt5645.c
+++ b/sound/soc/codecs/rt5645.c
@@ -474,7 +474,7 @@ static const struct snd_kcontrol_new rt5645_snd_controls[] 
= {
 
/* IN1/IN2 Control */
SOC_SINGLE_TLV("IN1 Boost", RT5645_IN1_CTRL1,
-   RT5645_BST_SFT1, 8, 0, bst_tlv),
+   RT5645_BST_SFT1, 12, 0, bst_tlv),
SOC_SINGLE_TLV("IN2 Boost", RT5645_IN2_CTRL,
RT5645_BST_SFT2, 8, 0, bst_tlv),
 
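Review bot: the value changed from 8 to 12 is the argument after RT5645_BST_SFT1, and in SOC_SINGLE_TLV(xname, reg, shift, max, invert, tlv_array) that position is max, not shift, so the hunk raises the control's maximum while the changelog says it fixes the shift bit. If the shift really is 12, the fix belongs in the RT5645_BST_SFT1 definition; if the maximum is what should change, the changelog needs rewording and bst_tlv should be checked to cover the larger range. The IN2 Boost entry below still uses 8.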
-- 
2.7.0



[PATCH 3.19.y-ckt 016/196] mac80211: Requeue work after scan complete for all VIF types.

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Sachin Kulkarni 

commit 4fa11ec726a32ea6dd768dbb2e2af3453a98ec0a upstream.

During a sw scan ieee80211_iface_work ignores work items for all vifs.
However after the scan complete work is requeued only for STA, ADHOC
and MESH iftypes.

This occasionally results in event processing getting delayed/not
processed for iftype AP when it coexists with a STA. This can result
in data halt and eventually disconnection on the AP interface.

Signed-off-by: Sachin Kulkarni 
Signed-off-by: Johannes Berg 
Signed-off-by: Kamal Mostafa 
---
 net/mac80211/ibss.c |  1 -
 net/mac80211/mesh.c | 11 ---
 net/mac80211/mesh.h |  4 
 net/mac80211/mlme.c |  2 --
 net/mac80211/scan.c | 12 +++-
 5 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 53b419b..6e56d45 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1621,7 +1621,6 @@ void ieee80211_ibss_notify_scan_completed(struct 
ieee80211_local *local)
if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
continue;
sdata->u.ibss.last_scan_completed = jiffies;
-   ieee80211_queue_work(>hw, >work);
}
mutex_unlock(>iflist_mtx);
 }
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index eff8ac2..026ecf4 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -1298,17 +1298,6 @@ out:
sdata_unlock(sdata);
 }
 
-void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local)
-{
-   struct ieee80211_sub_if_data *sdata;
-
-   rcu_read_lock();
-   list_for_each_entry_rcu(sdata, >interfaces, list)
-   if (ieee80211_vif_is_mesh(>vif) &&
-   ieee80211_sdata_running(sdata))
-   ieee80211_queue_work(>hw, >work);
-   rcu_read_unlock();
-}
 
 void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata)
 {
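Review bot: removing ieee80211_mesh_notify_scan_completed() keeps both the blank context line before it and the one after it, so two consecutive empty lines now precede ieee80211_mesh_init_sdata(); drop one of them.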
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index 50c8473..472bdc7 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -358,14 +358,10 @@ static inline bool mesh_path_sel_is_hwmp(struct 
ieee80211_sub_if_data *sdata)
return sdata->u.mesh.mesh_pp_id == IEEE80211_PATH_PROTOCOL_HWMP;
 }
 
-void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local);
-
 void mesh_path_flush_by_iface(struct ieee80211_sub_if_data *sdata);
 void mesh_sync_adjust_tbtt(struct ieee80211_sub_if_data *sdata);
 void ieee80211s_stop(void);
 #else
-static inline void
-ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local) {}
 static inline bool mesh_path_sel_is_hwmp(struct ieee80211_sub_if_data *sdata)
 { return false; }
 static inline void mesh_path_flush_by_iface(struct ieee80211_sub_if_data 
*sdata)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 66acc4b..de4fa35 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3914,8 +3914,6 @@ static void ieee80211_restart_sta_timer(struct 
ieee80211_sub_if_data *sdata)
if (!(flags & IEEE80211_HW_CONNECTION_MONITOR))
ieee80211_queue_work(>local->hw,
 >u.mgd.monitor_work);
-   /* and do all the other regular work too */
-   ieee80211_queue_work(>local->hw, >work);
}
 }
 
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 34b4050..b39b488 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -310,6 +310,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw 
*hw, bool aborted)
bool was_scanning = local->scanning;
struct cfg80211_scan_request *scan_req;
struct ieee80211_sub_if_data *scan_sdata;
+   struct ieee80211_sub_if_data *sdata;
 
lockdep_assert_held(>mtx);
 
@@ -369,7 +370,16 @@ static void __ieee80211_scan_completed(struct ieee80211_hw 
*hw, bool aborted)
 
ieee80211_mlme_notify_scan_completed(local);
ieee80211_ibss_notify_scan_completed(local);
-   ieee80211_mesh_notify_scan_completed(local);
+
+   /* Requeue all the work that might have been ignored while
+* the scan was in progress; if there was none this will
+* just be a no-op for the particular interface.
+*/
+   list_for_each_entry_rcu(sdata, >interfaces, list) {
+   if (ieee80211_sdata_running(sdata))
+   ieee80211_queue_work(>local->hw, >work);
+   }
+
if (was_scanning)
ieee80211_start_next_roc(local);
 }
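Review bot: the new requeue loop in __ieee80211_scan_completed() uses list_for_each_entry_rcu() with no rcu_read_lock() around it, whereas the removed ieee80211_mesh_notify_scan_completed() took rcu_read_lock() for the same traversal and the ibss helper holds iflist_mtx. The only lock visibly asserted in this function is the mtx passed to lockdep_assert_held(); either wrap the loop in rcu_read_lock()/rcu_read_unlock() or state in the new comment which lock makes the traversal safe.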
-- 
2.7.0



[PATCH 3.19.y-ckt 009/196] iio: add HAS_IOMEM dependency to VF610_ADC

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Vegard Nossum 

commit 005ce0713006a76d2b0c924ce0e2629e5d8510c3 upstream.

Ran into this on UML:

drivers/built-in.o: In function `vf610_adc_probe':
drivers/iio/adc/vf610_adc.c:744: undefined reference to `devm_ioremap_resource'

devm_ioremap_resource() is defined only when HAS_IOMEM is selected.

Signed-off-by: Vegard Nossum 
Signed-off-by: Jonathan Cameron 
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques 

Signed-off-by: Kamal Mostafa 
---
 drivers/iio/adc/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig
index 0f79e47..f138df5 100644
--- a/drivers/iio/adc/Kconfig
+++ b/drivers/iio/adc/Kconfig
@@ -294,6 +294,7 @@ config TWL6030_GPADC
 config VF610_ADC
tristate "Freescale vf610 ADC driver"
depends on OF
+   depends on HAS_IOMEM
help
  Say yes here to support for Vybrid board analog-to-digital converter.
  Since the IP is used for i.MX6SLX, the driver also support i.MX6SLX.
-- 
2.7.0



[PATCH 3.19.y-ckt 017/196] rfkill: fix rfkill_fop_read wait_event usage

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Johannes Berg 

commit 6736fde9672ff6717ac576e9bba2fd5f3dfec822 upstream.

The code within wait_event_interruptible() is called with
!TASK_RUNNING, so mustn't call any functions that can sleep,
like mutex_lock().

Since we re-check the list_empty() in a loop after the wait,
it's safe to simply use list_empty() without locking.

This bug has existed forever, but was only discovered now
because all userspace implementations, including the default
'rfkill' tool, use poll() or select() to get a readable fd
before attempting to read.

Fixes: c64fb01627e24 ("rfkill: create useful userspace interface")
Reported-by: Dmitry Vyukov 
Signed-off-by: Johannes Berg 
Signed-off-by: Kamal Mostafa 
---
 net/rfkill/core.c | 16 
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 4b333ed..11c5d22 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -1081,17 +1081,6 @@ static unsigned int rfkill_fop_poll(struct file *file, 
poll_table *wait)
return res;
 }
 
-static bool rfkill_readable(struct rfkill_data *data)
-{
-   bool r;
-
-   mutex_lock(>mtx);
-   r = !list_empty(>events);
-   mutex_unlock(>mtx);
-
-   return r;
-}
-
 static ssize_t rfkill_fop_read(struct file *file, char __user *buf,
   size_t count, loff_t *pos)
 {
@@ -1108,8 +1097,11 @@ static ssize_t rfkill_fop_read(struct file *file, char 
__user *buf,
goto out;
}
mutex_unlock(>mtx);
+   /* since we re-check and it just compares pointers,
+* using !list_empty() without locking isn't a problem
+*/
ret = wait_event_interruptible(data->read_wait,
-  rfkill_readable(data));
+  !list_empty(>events));
mutex_lock(>mtx);
 
if (ret)
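Review bot: the wait condition in rfkill_fop_read() now tests the events list without the mutex, so another reader can drain the list between the wakeup and the mutex_lock() that follows. The added comment says "we re-check", but the re-check lies outside the visible hunk; name it in the comment (the list_empty() test done under the mutex before the wait) so the lockless read is not copied elsewhere without that loop.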
-- 
2.7.0



[PATCH 3.19.y-ckt 126/196] USB: option: add "4G LTE usb-modem U901"

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Bjørn Mork

commit d061c1caa31d4d9792cfe48a2c6b309a0e01ef46 upstream.

Thomas reports:

T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=05c6 ProdID=6001 Rev=00.00
S:  Manufacturer=USB Modem
S:  Product=USB Modem
S:  SerialNumber=1234567890ABCDEF
C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Reported-by: Thomas Schäfer 
Signed-off-by: Bjørn Mork 
Signed-off-by: Johan Hovold 
Signed-off-by: Kamal Mostafa 
---
 drivers/usb/serial/option.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 354f496..e3d4c45 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1143,6 +1143,8 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC650) },
{ USB_DEVICE(KYOCERA_VENDOR_ID, KYOCERA_PRODUCT_KPC680) },
{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6000)}, /* ZTE AC8700 */
+   { USB_DEVICE_AND_INTERFACE_INFO(QUALCOMM_VENDOR_ID, 0x6001, 0xff, 0xff, 
0xff), /* 4G LTE usb-modem U901 */
+ .driver_info = (kernel_ulong_t)_intf3_blacklist },
{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
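Review bot: the new 0x6001 entry matches only ff/ff/ff interfaces and attaches an interface 3 blacklist, but the changelog consists of the device dump alone and never says why. State that If#3 is the interface the dump shows bound to qmi_wwan and must be left alone by option, and move the trailing comment to its own line, since the entry runs well past 80 columns.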
-- 
2.7.0



[PATCH 3.19.y-ckt 123/196] ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Takashi Iwai 

commit 67ec1072b053c15564e6090ab30127895dc77a89 upstream.

A non-atomic PCM stream may take snd_pcm_link_rwsem rw semaphore twice
in the same code path, e.g. one in snd_pcm_action_nonatomic() and
another in snd_pcm_stream_lock().  Usually this is OK, but when a
write lock is issued between these two read locks, the problem
happens: the write lock is blocked due to the first read lock, and
the second read lock is also blocked by the write lock.  This
eventually deadlocks.

The reason is the way rwsem manages waiters; it's queued like FIFO, so
even if the writer itself doesn't take the lock yet, it blocks all the
waiters (including reads) queued after it.

As a workaround, in this patch, we replace the standard down_write()
with a spinning loop.  This is far from optimal, but it's good
enough, as the spinning time is supposed to be relatively short for
normal PCM operations, and the code paths requiring the write lock
aren't called so often.

Reported-by: Vinod Koul 
Tested-by: Ramesh Babu 
Signed-off-by: Takashi Iwai 
Signed-off-by: Kamal Mostafa 
---
 sound/core/pcm_native.c | 16 ++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 3f2ac8d..8798790 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -74,6 +74,18 @@ static int snd_pcm_open(struct file *file, struct snd_pcm 
*pcm, int stream);
 static DEFINE_RWLOCK(snd_pcm_link_rwlock);
 static DECLARE_RWSEM(snd_pcm_link_rwsem);
 
+/* Writer in rwsem may block readers even during its waiting in queue,
+ * and this may lead to a deadlock when the code path takes read sem
+ * twice (e.g. one in snd_pcm_action_nonatomic() and another in
+ * snd_pcm_stream_lock()).  As a (suboptimal) workaround, let writer to
+ * spin until it gets the lock.
+ */
+static inline void down_write_nonblock(struct rw_semaphore *lock)
+{
+   while (!down_write_trylock(lock))
+   cond_resched();
+}
+
 /**
  * snd_pcm_stream_lock - Lock the PCM stream
  * @substream: PCM substream
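Review bot: down_write_nonblock() does not return until it holds the lock, so the name promises the opposite of what the helper does; a name that says it spins would match the comment above it. The loop is a busy-wait on down_write_trylock() with cond_resched(), so the comment should also say which callers may use it and what bounds the wait, since a caller that is never scheduled out in favour of the lock holder would spin indefinitely.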
@@ -1770,7 +1782,7 @@ static int snd_pcm_link(struct snd_pcm_substream 
*substream, int fd)
res = -ENOMEM;
goto _nolock;
}
-   down_write(_pcm_link_rwsem);
+   down_write_nonblock(_pcm_link_rwsem);
write_lock_irq(_pcm_link_rwlock);
if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN ||
substream->runtime->status->state != 
substream1->runtime->status->state ||
@@ -1817,7 +1829,7 @@ static int snd_pcm_unlink(struct snd_pcm_substream 
*substream)
struct snd_pcm_substream *s;
int res = 0;
 
-   down_write(_pcm_link_rwsem);
+   down_write_nonblock(_pcm_link_rwsem);
write_lock_irq(_pcm_link_rwlock);
if (!snd_pcm_stream_linked(substream)) {
res = -EALREADY;
-- 
2.7.0



[PATCH 3.19.y-ckt 190/196] net: phy: bcm7xxx: Fix 40nm EPHY features

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Florian Fainelli 

commit c6dd213abe40132f83e6ee569d70f3d60aa8b257 upstream.

The PHY entries for BCM7425/29/35 declare the 40nm Ethernet PHY as being
10/100/1000 capable, while this is just a 10/100 capable PHY device, fix that.

Fixes: d068b02cfdfc2 ("net: phy: add BCM7425 and BCM7429 PHYs")
Fixes: 9458ceab4917 ("net: phy: bcm7xxx: Add entry for BCM7435")
Signed-off-by: Florian Fainelli 
Signed-off-by: David S. Miller 
[ kamal: backport to 4.2-stable: no BCM7435 ]
Signed-off-by: Kamal Mostafa 
---
 drivers/net/phy/bcm7xxx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c
index 88d7858..d905df6 100644
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -397,7 +397,7 @@ static struct phy_driver bcm7xxx_driver[] = {
.phy_id = PHY_ID_BCM7425,
.phy_id_mask= 0xfff0,
.name   = "Broadcom BCM7425",
-   .features   = PHY_GBIT_FEATURES |
+   .features   = PHY_BASIC_FEATURES |
  SUPPORTED_Pause | SUPPORTED_Asym_Pause,
.flags  = PHY_IS_INTERNAL,
.config_init= bcm7xxx_config_init,
@@ -410,7 +410,7 @@ static struct phy_driver bcm7xxx_driver[] = {
.phy_id = PHY_ID_BCM7429,
.phy_id_mask= 0xfff0,
.name   = "Broadcom BCM7429",
-   .features   = PHY_GBIT_FEATURES |
+   .features   = PHY_BASIC_FEATURES |
  SUPPORTED_Pause | SUPPORTED_Asym_Pause,
.flags  = PHY_IS_INTERNAL,
.config_init= bcm7xxx_config_init,
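Review bot: only the BCM7425 and BCM7429 entries switch to PHY_BASIC_FEATURES here, while the changelog also names BCM7435. The bracketed backport note explains the omission but says 4.2-stable in a patch addressed to 3.19.y-ckt; correct the tag so the backport can be tracked against the right tree.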
-- 
2.7.0



[PATCH 3.19.y-ckt 196/196] pipe: limit the per-user amount of pages allocated in pipes

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Willy Tarreau 

commit 759c01142a5d0f364a462346168a56de28a80f52 upstream.

On not-so-small systems, it is possible for a single process to cause an
OOM condition by filling large pipes with data that are never read. A
typical process filling 4000 pipes with 1 MB of data will use 4 GB of
memory. On small systems it may be tricky to set the pipe max size to
prevent this from happening.

This patch makes it possible to enforce a per-user soft limit above
which new pipes will be limited to a single page, effectively limiting
them to 4 kB each, as well as a hard limit above which no new pipes may
be created for this user. This has the effect of protecting the system
against memory abuse without hurting other users, and still allowing
pipes to work correctly though with less data at once.

The limits are controlled by two new sysctls: pipe-user-pages-soft, and
pipe-user-pages-hard. Both may be disabled by setting them to zero. The
default soft limit allows the default number of FDs per process (1024)
to create pipes of the default size (64kB), thus reaching a limit of 64MB
before starting to create only smaller pipes. With 256 processes limited
to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
1084 MB of memory allocated for a user. The hard limit is disabled by
default to avoid breaking existing applications that make intensive use
of pipes (eg: for splicing).

Reported-by: socketp...@gmail.com
Reported-by: Tetsuo Handa 
Mitigates: CVE-2013-4312 (Linux 2.0+)
Suggested-by: Linus Torvalds 
Signed-off-by: Willy Tarreau 
Signed-off-by: Al Viro 
Signed-off-by: Kamal Mostafa 
---
 Documentation/sysctl/fs.txt | 23 ++
 fs/pipe.c   | 47 +++--
 include/linux/pipe_fs_i.h   |  4 
 include/linux/sched.h   |  1 +
 kernel/sysctl.c | 14 ++
 5 files changed, 87 insertions(+), 2 deletions(-)

diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
index 88152f2..302b5ed 100644
--- a/Documentation/sysctl/fs.txt
+++ b/Documentation/sysctl/fs.txt
@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs:
 - nr_open
 - overflowuid
 - overflowgid
+- pipe-user-pages-hard
+- pipe-user-pages-soft
 - protected_hardlinks
 - protected_symlinks
 - suid_dumpable
@@ -159,6 +161,27 @@ The default is 65534.
 
 ==
 
+pipe-user-pages-hard:
+
+Maximum total number of pages a non-privileged user may allocate for pipes.
+Once this limit is reached, no new pipes may be allocated until usage goes
+below the limit again. When set to 0, no limit is applied, which is the default
+setting.
+
+==
+
+pipe-user-pages-soft:
+
+Maximum total number of pages a non-privileged user may allocate for pipes
+before the pipe size gets limited to a single page. Once this limit is reached,
+new pipes will be limited to a single page in size for this user in order to
+limit total memory usage, and trying to increase them using fcntl() will be
+denied until usage goes below the limit again. The default value allows to
+allocate up to 1024 pipes at their default size. When set to 0, no limit is
+applied.
+
+==
+
 protected_hardlinks:
 
 A long-standing class of security issues is the hardlink-based
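
Review bot: The pipe-user-pages-soft entry gives its default only as "up to 1024 pipes at their default size", although the sysctl itself is counted in pages; state the default as a page count as well, so an administrator can compare it with the value read back from /proc/sys/fs. Both new entries also restrict the limit to a "non-privileged user" without saying what makes a user privileged here, which is worth one sentence.
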
diff --git a/fs/pipe.c b/fs/pipe.c
index 6c856a1..ca7d71a 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -39,6 +39,12 @@ unsigned int pipe_max_size = 1048576;
  */
 unsigned int pipe_min_size = PAGE_SIZE;
 
+/* Maximum allocatable pages per user. Hard limit is unset by default, soft
+ * matches default values.
+ */
+unsigned long pipe_user_pages_hard;
+unsigned long pipe_user_pages_soft = PIPE_DEF_BUFFERS * INR_OPEN_CUR;
+
 /*
  * We use a start+len construction, which provides full use of the 
  * allocated memory.
@@ -584,20 +590,49 @@ pipe_fasync(int fd, struct file *filp, int on)
return retval;
 }
 
+static void account_pipe_buffers(struct pipe_inode_info *pipe,
+ unsigned long old, unsigned long new)
+{
+   atomic_long_add(new - old, >user->pipe_bufs);
+}
+
+static bool too_many_pipe_buffers_soft(struct user_struct *user)
+{
+   return pipe_user_pages_soft &&
+  atomic_long_read(>pipe_bufs) >= pipe_user_pages_soft;
+}
+
+static bool too_many_pipe_buffers_hard(struct user_struct *user)
+{
+   return pipe_user_pages_hard &&
+  atomic_long_read(>pipe_bufs) >= pipe_user_pages_hard;
+}
+
 struct pipe_inode_info *alloc_pipe_info(void)
 {
struct pipe_inode_info *pipe;
 
pipe = 
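
Review bot: too_many_pipe_buffers_soft() and too_many_pipe_buffers_hard() read user->pipe_bufs, and account_pipe_buffers() adds to it in a separate step, so two tasks of the same user creating pipes at once can both pass the check and push the total past the limit. If that slack is intended, say so in a comment next to the helpers. account_pipe_buffers() also hands "new - old" on unsigned longs to atomic_long_add() and so relies on wraparound when a pipe shrinks; a short comment would save the next reader from checking.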

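The soft/hard policy described in the commit message above, as a small model added here (not code from the patch): simulate_user(), usage_mb() and the hard-limit value 32768 are constructed for illustration. The model assumes 4 kB pages, 16-page default pipes, and a user who never closes a pipe.

```c
#include <stdio.h>

#define PAGE_KB        4UL   /* page size used in the commit message */
#define DEF_PIPE_PAGES 16UL  /* 64 kB default pipe / 4 kB pages */

struct pipe_usage {
    unsigned long pipes;  /* pipes the user managed to create */
    unsigned long pages;  /* pages charged to the user */
};

/*
 * Model of one user creating `requested` pipes and never closing any.
 * A limit of 0 is disabled. At or above the hard limit creation fails;
 * at or above the soft limit a new pipe gets a single page.
 */
struct pipe_usage simulate_user(unsigned long soft, unsigned long hard,
                                unsigned long requested)
{
    struct pipe_usage u = { 0, 0 };
    unsigned long i;

    for (i = 0; i < requested; i++) {
        if (hard && u.pages >= hard)
            break;  /* every further attempt fails the same way */
        u.pages += (soft && u.pages >= soft) ? 1UL : DEF_PIPE_PAGES;
        u.pipes++;
    }
    return u;
}

unsigned long usage_mb(struct pipe_usage u)
{
    return u.pages * PAGE_KB / 1024UL;
}

int main(void)
{
    /* Pipe count used in the commit message's arithmetic: 256 x 1024. */
    unsigned long n = 256UL * 1024UL;
    struct pipe_usage none = simulate_user(0, 0, n);
    struct pipe_usage soft = simulate_user(16384, 0, n);
    struct pipe_usage both = simulate_user(16384, 32768, n); /* sample hard limit */

    printf("no limits:   %lu pipes, %lu MB\n", none.pipes, usage_mb(none));
    printf("soft only:   %lu pipes, %lu MB\n", soft.pipes, usage_mb(soft));
    printf("soft + hard: %lu pipes, %lu MB\n", both.pipes, usage_mb(both));
    return 0;
}
```

The soft-only row reproduces the 1084 MB figure from the commit message; the last row shows how a hard limit turns that bound into a fixed cap.
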
[PATCH 3.19.y-ckt 195/196] [media] exynos4-is: fix a format string bug

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Rasmus Villemoes 

commit 76a563675485849f6f9ad5b30df220438b3628c1 upstream.

Ironically, 7d4020c3c400 ("[media] exynos4-is: fix some warnings when
compiling on arm64") fixed some format string bugs but introduced a
new one. buf_index is a simple int, so it should be printed with %d,
not %pad (which is correctly used for dma_addr_t).

Fixes: 7d4020c3c400 ("[media] exynos4-is: fix some warnings when compiling on 
arm64")

Signed-off-by: Rasmus Villemoes 
Signed-off-by: Mauro Carvalho Chehab 
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa 
---
 drivers/media/platform/exynos4-is/fimc-isp-video.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c 
b/drivers/media/platform/exynos4-is/fimc-isp-video.c
index 76b6b4d..ebb063e 100644
--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
+++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
@@ -219,8 +219,8 @@ static void isp_video_capture_buffer_queue(struct 
vb2_buffer *vb)
ivb->dma_addr[i];
 
isp_dbg(2, >ve.vdev,
-   "dma_buf %pad (%d/%d/%d) addr: %pad\n",
-   _index, ivb->index, i, vb->v4l2_buf.index,
+   "dma_buf %d (%d/%d/%d) addr: %pad\n",
+   buf_index, ivb->index, i, vb->v4l2_buf.index,
>dma_addr[i]);
}
 
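Review bot: The three arguments that stay on %d (ivb->index, i, vb->v4l2_buf.index) deserve the same check this patch applies to buf_index: if any of them is an unsigned type, %u is the matching specifier. Since the change is about format/argument agreement, settle that in the same patch rather than in a third fix.
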
-- 
2.7.0



[PATCH 3.19.y-ckt 191/196] netlink: not trim skb for mmaped socket when dump

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Ken-ichirou MATSUZAWA 

commit aa3a022094fac7f6e48050e139fa8a5a2e3265ce upstream.

We should not trim skb for mmaped socket since its buf size is fixed
and userspace will read as frame which data equals head. mmaped
socket will not call recvmsg, means max_recvmsg_len is 0,
skb_reserve was not called before commit: db65a3aaf29e.

Fixes: db65a3aaf29e (netlink: Trim skb to alloc size to avoid MSG_TRUNC)
Signed-off-by: Ken-ichirou MATSUZAWA 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 net/netlink/af_netlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index d78848d..71c03e3 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2703,7 +2703,8 @@ static int netlink_dump(struct sock *sk)
 * reasonable static buffer based on the expected largest dump of a
 * single netdev. The outcome is MSG_TRUNC error.
 */
-   skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+   if (!netlink_rx_is_mmaped(sk))
+   skb_reserve(skb, skb_tailroom(skb) - alloc_size);
netlink_skb_set_owner_r(skb, sk);
 
len = cb->dump(skb, cb);
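
Review bot: The new netlink_rx_is_mmaped(sk) test is not explained by the comment above it, which still reads as if the skb were always trimmed to alloc_size. Add a sentence there saying that mmaped sockets use fixed-size frames and never call recvmsg, so the reserve must be skipped for them; otherwise the condition looks arbitrary to anyone who has not read the commit message.
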
-- 
2.7.0



[PATCH 3.19.y-ckt 173/196] qmi_wwan: add "4G LTE usb-modem U901"

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Bjørn Mork 

[ Upstream commit aac8d3c282e024c344c5b86dc1eab7af88bb9716 ]

Thomas reports:

T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=05c6 ProdID=6001 Rev=00.00
S:  Manufacturer=USB Modem
S:  Product=USB Modem
S:  SerialNumber=1234567890ABCDEF
C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Reported-by: Thomas Schäfer 
Signed-off-by: Bjørn Mork 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 drivers/net/usb/qmi_wwan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 75aa421..71f5521 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -546,6 +546,7 @@ static const struct usb_device_id products[] = {
 
/* 3. Combined interface devices matching on interface number */
{QMI_FIXED_INTF(0x0408, 0xea42, 4)},/* Yota / Megafon M100-1 */
+   {QMI_FIXED_INTF(0x05c6, 0x6001, 3)},/* 4G LTE usb-modem U901 */
{QMI_FIXED_INTF(0x05c6, 0x7000, 0)},
{QMI_FIXED_INTF(0x05c6, 0x7001, 1)},
{QMI_FIXED_INTF(0x05c6, 0x7002, 1)},
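
Review bot: The new 0x05c6:0x6001 entry binds interface 3 unconditionally, yet the descriptor quoted in the commit message carries only generic strings ("USB Modem", serial 1234567890ABCDEF), so the same ID pair may turn up on hardware with a different interface layout. A comment noting that the interface number was taken from this one report would help when a conflicting device appears.
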
-- 
2.7.0



[PATCH 3.19.y-ckt 145/196] mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Andrea Arcangeli 

commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream.

pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were
introduced to locklessly (but atomically) detect when a pmd is a regular
(stable) pmd or when the pmd is unstable and can infinitely transition
from pmd_none() and pmd_trans_huge() from under us, while only holding
the mmap_sem for reading (for writing not).

While holding the mmap_sem only for reading, MADV_DONTNEED can run from
under us and so before we can assume the pmd to be a regular stable pmd
we need to compare it against pmd_none() and pmd_trans_huge() in an
atomic way, with pmd_trans_unstable().  The old pmd_trans_huge() left a
tiny window for a race.

Useful applications are unlikely to notice the difference as doing
MADV_DONTNEED concurrently with a page fault would lead to undefined
behavior.

[a...@linux-foundation.org: tidy up comment grammar/layout]
Signed-off-by: Andrea Arcangeli 
Reported-by: Kirill A. Shutemov 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa 
---
 mm/memory.c | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c
index f5d0e3d..69831fe 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3338,8 +3338,18 @@ static int __handle_mm_fault(struct mm_struct *mm, 
struct vm_area_struct *vma,
if (unlikely(pmd_none(*pmd)) &&
unlikely(__pte_alloc(mm, vma, pmd, address)))
return VM_FAULT_OOM;
-   /* if an huge pmd materialized from under us just retry later */
-   if (unlikely(pmd_trans_huge(*pmd)))
+   /*
+* If a huge pmd materialized under us just retry later.  Use
+* pmd_trans_unstable() instead of pmd_trans_huge() to ensure the pmd
+* didn't become pmd_trans_huge under us and then back to pmd_none, as
+* a result of MADV_DONTNEED running immediately after a huge pmd fault
+* in a different thread of this mm, in turn leading to a misleading
+* pmd_trans_huge() retval.  All we have to ensure is that it is a
+* regular pmd that we can walk with pte_offset_map() and we can do that
+* through an atomic read in C, which is what pmd_trans_unstable()
+* provides.
+*/
+   if (unlikely(pmd_trans_unstable(pmd)))
return 0;
/*
 * A regular pmd is established and it can't morph into a huge pmd
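
Review bot: The pmd_none(*pmd) test two lines above the changed check still dereferences the pmd with a plain read, so the new comment's argument about needing an atomic read raises the question of why that earlier read is safe. Say so in the comment, or point out that pmd_trans_unstable() also covers the case where the pmd went back to pmd_none after that test.
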
-- 
2.7.0



[PATCH 3.19.y-ckt 062/196] drm/dp/mst: deallocate payload on port destruction

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Mykola Lysenko 

commit 91a25e463130c8e19bdb42f2d827836c7937992e upstream.

This is needed to properly deallocate port payload
after downstream branch get unplugged.

In order to do this unplugged MST topology should
be preserved, to find first alive port on path to
unplugged MST topology, and send payload deallocation
request to branch device of found port.

For this mstb and port kref's are used in reversed
order to track when port and branch memory could be
freed.

Added additional functions to find appropriate mstb
as described above.

Signed-off-by: Mykola Lysenko 
Reviewed-by: Harry Wentland 
Signed-off-by: Dave Airlie 
Signed-off-by: Kamal Mostafa 
---
 drivers/gpu/drm/drm_dp_mst_topology.c | 91 ---
 1 file changed, 83 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c 
b/drivers/gpu/drm/drm_dp_mst_topology.c
index 45b2f76..aafd687 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -794,6 +794,18 @@ static struct drm_dp_mst_branch 
*drm_dp_add_mst_branch_device(u8 lct, u8 *rad)
return mstb;
 }
 
+static void drm_dp_free_mst_port(struct kref *kref);
+
+static void drm_dp_free_mst_branch_device(struct kref *kref)
+{
+   struct drm_dp_mst_branch *mstb = container_of(kref, struct 
drm_dp_mst_branch, kref);
+   if (mstb->port_parent) {
+   if (list_empty(>port_parent->next))
+   kref_put(>port_parent->kref, 
drm_dp_free_mst_port);
+   }
+   kfree(mstb);
+}
+
 static void drm_dp_destroy_mst_branch_device(struct kref *kref)
 {
struct drm_dp_mst_branch *mstb = container_of(kref, struct 
drm_dp_mst_branch, kref);
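
Review bot: drm_dp_free_mst_branch_device() nests two ifs for the port_parent / list_empty test that drm_dp_destroy_mst_branch_device() writes as a single && condition in the next hunk; use the same form in both places so the pairing of kref_get() and kref_put() is obvious at a glance. A blank line after the mstb declaration would also match the surrounding style.
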
@@ -801,6 +813,15 @@ static void drm_dp_destroy_mst_branch_device(struct kref 
*kref)
bool wake_tx = false;
 
/*
+* init kref again to be used by ports to remove mst branch when it is
+* not needed anymore
+*/
+   kref_init(kref);
+
+   if (mstb->port_parent && list_empty(>port_parent->next))
+   kref_get(>port_parent->kref);
+
+   /*
 * destroy all ports - don't need lock
 * as there are no more references to the mst branch
 * device at this point.
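
Review bot: kref_init(kref) re-arms a counter from inside its own release callback, and the kref_get() on port_parent that follows is taken only if list_empty() holds at this moment, while the matching kref_put() in drm_dp_free_mst_branch_device() re-evaluates list_empty() later. If the port's list membership changes in between, the get and the put no longer balance. Record whether the reference was taken and test that in the free path, and extend the comment to say what keeps the list state stable between the two points.
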
@@ -826,7 +847,8 @@ static void drm_dp_destroy_mst_branch_device(struct kref 
*kref)
 
if (wake_tx)
wake_up(>mgr->tx_waitq);
-   kfree(mstb);
+
+   kref_put(kref, drm_dp_free_mst_branch_device);
 }
 
 static void drm_dp_put_mst_branch_device(struct drm_dp_mst_branch *mstb)
@@ -874,6 +896,7 @@ static void drm_dp_destroy_port(struct kref *kref)
 * from an EDID retrieval */
 
mutex_lock(>destroy_connector_lock);
+   kref_get(>parent->kref);
list_add(>next, >destroy_connector_list);
mutex_unlock(>destroy_connector_lock);
schedule_work(>destroy_connector_work);
@@ -1590,6 +1613,37 @@ static int drm_dp_send_enum_path_resources(struct 
drm_dp_mst_topology_mgr *mgr,
return 0;
 }
 
+static struct drm_dp_mst_port *drm_dp_get_last_connected_port_to_mstb(struct 
drm_dp_mst_branch *mstb)
+{
+   if (!mstb->port_parent)
+   return NULL;
+
+   if (mstb->port_parent->mstb != mstb)
+   return mstb->port_parent;
+
+   return 
drm_dp_get_last_connected_port_to_mstb(mstb->port_parent->parent);
+}
+
+static struct drm_dp_mst_branch 
*drm_dp_get_last_connected_port_and_mstb(struct drm_dp_mst_topology_mgr *mgr,
+struct 
drm_dp_mst_branch *mstb,
+int 
*port_num)
+{
+   struct drm_dp_mst_branch *rmstb = NULL;
+   struct drm_dp_mst_port *found_port;
+   mutex_lock(>lock);
+   if (mgr->mst_primary) {
+   found_port = drm_dp_get_last_connected_port_to_mstb(mstb);
+
+   if (found_port) {
+   rmstb = found_port->parent;
+   kref_get(>kref);
+   *port_num = found_port->port_num;
+   }
+   }
+   mutex_unlock(>lock);
+   return rmstb;
+}
+
 static int drm_dp_payload_send_msg(struct drm_dp_mst_topology_mgr *mgr,
   struct drm_dp_mst_port *port,
   int id,
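
Review bot: drm_dp_get_last_connected_port_and_mstb() writes *port_num only when found_port is non-NULL, and the caller in the next hunk declares port_num without an initialiser, so the helper needs a comment stating that *port_num is valid only for a non-NULL return (or it should store a defined value on the NULL path). drm_dp_get_last_connected_port_to_mstb() also recurses once per topology level; a loop would do the same walk without depending on stack depth.
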
@@ -1597,11 +1651,16 @@ static int drm_dp_payload_send_msg(struct 
drm_dp_mst_topology_mgr *mgr,
 {
struct drm_dp_sideband_msg_tx *txmsg;
struct drm_dp_mst_branch *mstb;
-   int len, ret;
+   int len, ret, port_num;
 
+   port_num = 

[PATCH 3.19.y-ckt 043/196] ALSA: rawmidi: Fix race at copying & updating the position

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Takashi Iwai 

commit 81f577542af15640cbcb6ef68baa4caa610cbbfc upstream.

The rawmidi read and write functions manage runtime stream status
such as runtime->appl_ptr and runtime->avail.  These point where to
copy the new data and how many bytes have been copied (or to be
read).  The problem is that rawmidi read/write call copy_from_user()
or copy_to_user(), and the runtime spinlock is temporarily unlocked
and relocked while copying user-space.  Since the current code
advances and updates the runtime status after the spin unlock/relock,
the copy and the update may be asynchronous, and eventually
runtime->avail might go to a negative value when many concurrent
accesses are done.  This may lead to memory corruption in the end.

For fixing this race, in this patch, the status update code is
performed in the same lock before the temporary unlock.  Also, the
spinlock is now taken more widely in snd_rawmidi_kernel_read1() for
protecting more properly during the whole operation.

BugLink: 
http://lkml.kernel.org/r/cact4y+b-dcmnf1gpgpkfdo0ih+uzcl2jv4__j-r1kdhplsg...@mail.gmail.com
Reported-by: Dmitry Vyukov 
Tested-by: Dmitry Vyukov 
Signed-off-by: Takashi Iwai 
Signed-off-by: Kamal Mostafa 
---
 sound/core/rawmidi.c | 34 ++
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index 4a41334..8577414 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -952,31 +952,36 @@ static long snd_rawmidi_kernel_read1(struct 
snd_rawmidi_substream *substream,
unsigned long flags;
long result = 0, count1;
struct snd_rawmidi_runtime *runtime = substream->runtime;
+   unsigned long appl_ptr;
 
+   spin_lock_irqsave(>lock, flags);
while (count > 0 && runtime->avail) {
count1 = runtime->buffer_size - runtime->appl_ptr;
if (count1 > count)
count1 = count;
-   spin_lock_irqsave(>lock, flags);
if (count1 > (int)runtime->avail)
count1 = runtime->avail;
+
+   /* update runtime->appl_ptr before unlocking for userbuf */
+   appl_ptr = runtime->appl_ptr;
+   runtime->appl_ptr += count1;
+   runtime->appl_ptr %= runtime->buffer_size;
+   runtime->avail -= count1;
+
if (kernelbuf)
-   memcpy(kernelbuf + result, runtime->buffer + 
runtime->appl_ptr, count1);
+   memcpy(kernelbuf + result, runtime->buffer + appl_ptr, 
count1);
if (userbuf) {
spin_unlock_irqrestore(>lock, flags);
if (copy_to_user(userbuf + result,
-runtime->buffer + runtime->appl_ptr, 
count1)) {
+runtime->buffer + appl_ptr, count1)) {
return result > 0 ? result : -EFAULT;
}
spin_lock_irqsave(>lock, flags);
}
-   runtime->appl_ptr += count1;
-   runtime->appl_ptr %= runtime->buffer_size;
-   runtime->avail -= count1;
-   spin_unlock_irqrestore(>lock, flags);
result += count1;
count -= count1;
}
+   spin_unlock_irqrestore(>lock, flags);
return result;
 }
 
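Review bot: With appl_ptr and avail now advanced before the lock is dropped, the copy_to_user() failure branch returns with count1 bytes already consumed from the buffer that were never delivered to the caller. That is a fair price for closing the race, but the comment "update runtime->appl_ptr before unlocking for userbuf" should say so, and should mention that avail is updated there too.
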
@@ -1233,6 +1238,7 @@ static long snd_rawmidi_kernel_write1(struct 
snd_rawmidi_substream *substream,
unsigned long flags;
long count1, result;
struct snd_rawmidi_runtime *runtime = substream->runtime;
+   unsigned long appl_ptr;
 
if (!kernelbuf && !userbuf)
return -EINVAL;
@@ -1253,12 +1259,19 @@ static long snd_rawmidi_kernel_write1(struct 
snd_rawmidi_substream *substream,
count1 = count;
if (count1 > (long)runtime->avail)
count1 = runtime->avail;
+
+   /* update runtime->appl_ptr before unlocking for userbuf */
+   appl_ptr = runtime->appl_ptr;
+   runtime->appl_ptr += count1;
+   runtime->appl_ptr %= runtime->buffer_size;
+   runtime->avail -= count1;
+
if (kernelbuf)
-   memcpy(runtime->buffer + runtime->appl_ptr,
+   memcpy(runtime->buffer + appl_ptr,
   kernelbuf + result, count1);
else if (userbuf) {
spin_unlock_irqrestore(>lock, flags);
-   if (copy_from_user(runtime->buffer + runtime->appl_ptr,
+   if (copy_from_user(runtime->buffer + appl_ptr,
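
Review bot: On the write side the span is counted as filled (avail reduced, appl_ptr advanced) before copy_from_user() runs, so a failed copy would leave count1 bytes of old buffer contents queued for output. The failure branch is cut off in this excerpt; confirm that it either rolls the reservation back or that sending stale bytes is acceptable, and note the choice in the comment.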

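The race described in the rawmidi commit message above, as a deterministic single-threaded model added here (not code from the patch or from sound/core/rawmidi.c). struct runtime, struct reader and all helper names are hypothetical stand-ins, the buffer contents are constructed, and avail is made signed so the underflow is visible.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

struct runtime {             /* hypothetical stand-in, not the kernel struct */
    unsigned char buffer[BUF_SIZE];
    unsigned long appl_ptr;  /* offset of the next byte to hand out */
    long avail;              /* bytes ready to read; signed so underflow shows */
};

struct reader {              /* state one reader keeps while the lock is dropped */
    unsigned long src;       /* offset its copy reads from */
    long count1;             /* bytes it decided to take */
    unsigned char out[BUF_SIZE];
};

struct outcome { long avail, a_bytes, b_bytes; int same_data; };

/* Same clamping as the read loop: to buffer end, to the request, to avail. */
static long clamp_count(const struct runtime *rt, long want)
{
    long count1 = (long)(BUF_SIZE - rt->appl_ptr);
    if (count1 > want) count1 = want;
    if (count1 > rt->avail) count1 = rt->avail;
    return count1;
}

/* Advance the position and consume count1 bytes (done with the lock held). */
static void advance(struct runtime *rt, long count1)
{
    rt->appl_ptr = (rt->appl_ptr + (unsigned long)count1) % BUF_SIZE;
    rt->avail -= count1;
}

/* Stand-in for copy_to_user(): runs with the lock dropped. */
static void copy_out(const struct runtime *rt, struct reader *r)
{
    memcpy(r->out, rt->buffer + r->src, (size_t)r->count1);
}

static void setup(struct runtime *rt, struct reader *a, struct reader *b)
{
    memset(rt, 0, sizeof(*rt));
    memset(a, 0, sizeof(*a));
    memset(b, 0, sizeof(*b));
    memcpy(rt->buffer, "ABCDEFGH", 8);  /* constructed sample data */
    rt->avail = 8;
}

static struct outcome report(const struct runtime *rt, const struct reader *a,
                             const struct reader *b)
{
    struct outcome o = { rt->avail, a->count1, b->count1, 0 };
    o.same_data = a->count1 > 0 && a->count1 == b->count1 &&
                  memcmp(a->out, b->out, (size_t)a->count1) == 0;
    return o;
}

/* Pre-patch ordering: count chosen under the lock, state updated after the copy. */
struct outcome race_old_order(void)
{
    struct runtime rt;
    struct reader a, b;
    setup(&rt, &a, &b);
    a.count1 = clamp_count(&rt, 8);  /* A: lock, pick 8, unlock for the copy */
    b.count1 = clamp_count(&rt, 8);  /* B: lock, sees the same avail, picks 8 */
    a.src = rt.appl_ptr;
    copy_out(&rt, &a);               /* both copies read from offset 0 */
    b.src = rt.appl_ptr;
    copy_out(&rt, &b);
    advance(&rt, a.count1);          /* A relocks and updates */
    advance(&rt, b.count1);          /* B relocks and applies a stale count */
    return report(&rt, &a, &b);
}

/* Patched ordering: reserve the span and update the state before unlocking. */
struct outcome race_new_order(void)
{
    struct runtime rt;
    struct reader a, b;
    setup(&rt, &a, &b);
    a.count1 = clamp_count(&rt, 8);
    a.src = rt.appl_ptr;
    advance(&rt, a.count1);          /* A reserves bytes 0..7 while locked */
    b.count1 = clamp_count(&rt, 8);  /* B now sees avail == 0 */
    b.src = rt.appl_ptr;
    advance(&rt, b.count1);
    copy_out(&rt, &a);               /* unlocked copies cover disjoint spans */
    copy_out(&rt, &b);
    return report(&rt, &a, &b);
}

int main(void)
{
    struct outcome o = race_old_order(), n = race_new_order();
    printf("old order: avail=%ld duplicate=%d\n", o.avail, o.same_data);
    printf("new order: avail=%ld duplicate=%d\n", n.avail, n.same_data);
    return 0;
}
```
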
[PATCH 3.19.y-ckt 073/196] serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Peter Hurley 

commit 308bbc9ab838d0ace0298268c7970ba9513e2c65 upstream.

The omap-serial driver emulates RS485 delays using software timers,
but neglects to clamp the input values from the unprivileged
ioctl(TIOCSRS485). Because the software implementation busy-waits,
malicious userspace could stall the cpu for ~49 days.

Clamp the input values to < 100ms.

Fixes: 4a0ac0f55b18 ("OMAP: add RS485 support")
Signed-off-by: Peter Hurley 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Kamal Mostafa 
---
 drivers/tty/serial/omap-serial.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/serial/omap-serial.c b/drivers/tty/serial/omap-serial.c
index 2e1073d..49aa57b5 100644
--- a/drivers/tty/serial/omap-serial.c
+++ b/drivers/tty/serial/omap-serial.c
@@ -1357,7 +1357,7 @@ static inline void serial_omap_add_console_port(struct 
uart_omap_port *up)
 
 /* Enable or disable the rs485 support */
 static int
-serial_omap_config_rs485(struct uart_port *port, struct serial_rs485 
*rs485conf)
+serial_omap_config_rs485(struct uart_port *port, struct serial_rs485 *rs485)
 {
struct uart_omap_port *up = to_uart_omap_port(port);
unsigned int mode;
@@ -1370,8 +1370,12 @@ serial_omap_config_rs485(struct uart_port *port, struct 
serial_rs485 *rs485conf)
up->ier = 0;
serial_out(up, UART_IER, 0);
 
+   /* Clamp the delays to [0, 100ms] */
+   rs485->delay_rts_before_send = min(rs485->delay_rts_before_send, 100U);
+   rs485->delay_rts_after_send  = min(rs485->delay_rts_after_send, 100U);
+
/* store new config */
-   port->rs485 = *rs485conf;
+   port->rs485 = *rs485;
 
/*
 * Just as a precaution, only allow rs485
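
Review bot: The clamp uses min(..., 100U), so a delay of exactly 100 is accepted, which matches the code comment "[0, 100ms]" but not the commit message's "< 100ms"; make the two agree. Clamping also changes the caller's request silently, so state in the comment that out-of-range values are reduced rather than rejected.
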
-- 
2.7.0



[PATCH 3.19.y-ckt 074/196] tty: Add support for PCIe WCH382 2S multi-IO card

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Jeremy McNicoll 

commit 7dde55787b43a8f2b4021916db38d90c03a2ec64 upstream.

WCH382 2S board is a PCIe card with 2 DB9 COM ports detected as
Serial controller: Device 1c00:3253 (rev 10) (prog-if 05 [16850])

Signed-off-by: Jeremy McNicoll 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Kamal Mostafa 
---
 drivers/tty/serial/8250/8250_pci.c | 21 +
 1 file changed, 21 insertions(+)

diff --git a/drivers/tty/serial/8250/8250_pci.c 
b/drivers/tty/serial/8250/8250_pci.c
index 1ec0cdb..21586e7 100644
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1886,6 +1886,7 @@ pci_wch_ch38x_setup(struct serial_private *priv,
 #define PCIE_VENDOR_ID_WCH 0x1c00
 #define PCIE_DEVICE_ID_WCH_CH382_2S1P  0x3250
 #define PCIE_DEVICE_ID_WCH_CH384_4S0x3470
+#define PCIE_DEVICE_ID_WCH_CH382_2S0x3253
 
 #define PCI_VENDOR_ID_PERICOM  0x12D8
 #define PCI_DEVICE_ID_PERICOM_PI7C9X7951   0x7951
@@ -2582,6 +2583,14 @@ static struct pci_serial_quirk pci_serial_quirks[] 
__refdata = {
.subdevice  = PCI_ANY_ID,
.setup  = pci_wch_ch353_setup,
},
+   /* WCH CH382 2S card (16850 clone) */
+   {
+   .vendor = PCIE_VENDOR_ID_WCH,
+   .device = PCIE_DEVICE_ID_WCH_CH382_2S,
+   .subvendor  = PCI_ANY_ID,
+   .subdevice  = PCI_ANY_ID,
+   .setup  = pci_wch_ch38x_setup,
+   },
/* WCH CH382 2S1P card (16850 clone) */
{
.vendor = PCIE_VENDOR_ID_WCH,
@@ -2895,6 +2904,7 @@ enum pci_board_num_t {
pbn_fintek_4,
pbn_fintek_8,
pbn_fintek_12,
+   pbn_wch382_2,
pbn_wch384_4,
pbn_pericom_PI7C9X7951,
pbn_pericom_PI7C9X7952,
@@ -3699,6 +3709,13 @@ static struct pciserial_board pci_boards[] = {
.base_baud  = 115200,
.first_offset   = 0x40,
},
+   [pbn_wch382_2] = {
+   .flags  = FL_BASE0,
+   .num_ports  = 2,
+   .base_baud  = 115200,
+   .uart_offset= 8,
+   .first_offset   = 0xC0,
+   },
[pbn_wch384_4] = {
.flags  = FL_BASE0,
.num_ports  = 4,
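
Review bot: The pbn_wch382_2 entry sets first_offset to 0xC0 and uart_offset to 8 with nothing to say where those values come from, while the entry just above it uses 0x40. A one-line comment naming the source (datasheet or vendor driver) would let a reviewer verify the register layout; without it the numbers can only be taken on trust.
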
@@ -5488,6 +5505,10 @@ static struct pci_device_id serial_pci_tbl[] = {
PCI_ANY_ID, PCI_ANY_ID,
0, 0, pbn_b0_bt_2_115200 },
 
+   {   PCIE_VENDOR_ID_WCH, PCIE_DEVICE_ID_WCH_CH382_2S,
+   PCI_ANY_ID, PCI_ANY_ID,
+   0, 0, pbn_wch382_2 },
+
{   PCIE_VENDOR_ID_WCH, PCIE_DEVICE_ID_WCH_CH384_4S,
PCI_ANY_ID, PCI_ANY_ID,
0, 0, pbn_wch384_4 },
-- 
2.7.0



Re: Suspicious error for CMA stress test

2016-03-08 Thread Leizhen (ThunderTown)


On 2016/3/8 9:54, Leizhen (ThunderTown) wrote:
> 
> 
> On 2016/3/8 2:42, Laura Abbott wrote:
>> On 03/07/2016 12:16 AM, Leizhen (ThunderTown) wrote:
>>>
>>>
>>> On 2016/3/7 12:34, Joonsoo Kim wrote:
 On Fri, Mar 04, 2016 at 03:35:26PM +0800, Hanjun Guo wrote:
> On 2016/3/4 14:38, Joonsoo Kim wrote:
>> On Fri, Mar 04, 2016 at 02:05:09PM +0800, Hanjun Guo wrote:
>>> On 2016/3/4 12:32, Joonsoo Kim wrote:
 On Fri, Mar 04, 2016 at 11:02:33AM +0900, Joonsoo Kim wrote:
> On Thu, Mar 03, 2016 at 08:49:01PM +0800, Hanjun Guo wrote:
>> On 2016/3/3 15:42, Joonsoo Kim wrote:
>>> 2016-03-03 10:25 GMT+09:00 Laura Abbott :
 (cc -mm and Joonsoo Kim)


 On 03/02/2016 05:52 AM, Hanjun Guo wrote:
> Hi,
>
> I came across a suspicious error for CMA stress test:
>
> Before the test, I got:
> -bash-4.3# cat /proc/meminfo | grep Cma
> CmaTotal: 204800 kB
> CmaFree:  195044 kB
>
>
> After running the test:
> -bash-4.3# cat /proc/meminfo | grep Cma
> CmaTotal: 204800 kB
> CmaFree: 6602584 kB
>
> So the freed CMA memory is more than total..
>
> Also the MemFree is more than mem total:
>
> -bash-4.3# cat /proc/meminfo
> MemTotal:   16342016 kB
> MemFree:22367268 kB
> MemAvailable:   22370528 kB
>> [...]
 I played with this a bit and can see the same problem. The sanity
 check of CmaFree < CmaTotal generally triggers in
 __move_zone_freepage_state in unset_migratetype_isolate.
 This also seems to be present as far back as v4.0 which was the
 first version to have the updated accounting from Joonsoo.
 Were there known limitations with the new freepage accounting,
 Joonsoo?
>>> I don't know. I also played with this and looks like there is
>>> accounting problem, however, for my case, number of free page is 
>>> slightly less
>>> than total. I will take a look.
>>>
>>> Hanjun, could you tell me your malloc_size? I tested with 1 and it 
>>> doesn't
>>> look like your case.
>> I tested with malloc_size with 2M, and it grows much bigger than 1M, 
>> also I
>> did some other test:
> Thanks! Now, I can re-generate erroneous situation you mentioned.
>
>>   - run with single thread with 10 times, everything is fine.
>>
>>   - I hack the cam_alloc() and free as below [1] to see if it's lock 
>> issue, with
>> the same test with 100 multi-thread, then I got:
> [1] would not be sufficient to close this race.
>
> Try following things [A]. And, for more accurate test, I changed code 
> a bit more
> to prevent kernel page allocation from cma area [B]. This will 
> prevent kernel
> page allocation from cma area completely so we can focus 
> cma_alloc/release race.
>
> Although, this is not correct fix, it could help that we can guess
> where the problem is.
 More correct fix is something like below.
 Please test it.
>>> Hmm, this is not working:
>> Sad to hear that.
>>
>> Could you tell me your system's MAX_ORDER and pageblock_order?
>>
>
> MAX_ORDER is 11, pageblock_order is 9, thanks for your help!

 Hmm... that's same with me.

 Below is similar fix that prevents buddy merging when one of buddy's
 migrate type, but, not both, is MIGRATE_ISOLATE. In fact, I have
 no idea why previous fix (more correct fix) doesn't work for you.
 (It works for me.) But, maybe there is a bug on the fix
 so I make new one which is more general form. Please test it.
>>>
>>> Hi,
>>> Hanjun Guo has gone to Thailand on business, so I help him to run this 
>>> patch. The result
>>> shows that the count of "CmaFree:" is OK now. But sometimes printed some 
>>> information as below:
>>>
>>> alloc_contig_range: [28500, 28600) PFNs busy
>>> alloc_contig_range: [28300, 28380) PFNs busy
>>>
>>
>> Those messages aren't necessarily a problem. Those messages indicate that
> OK.
> 
>> those pages weren't able to be isolated. Given the test here is a
>> concurrency test, I suspect some concurrent allocation or free prevented
>> isolation which is to be expected some times. I'd only be concerned if
>> seeing those messages cause allocation failure or some other notable impact.
> I chose memory block size: 512K, 1M, 2M ran several times, there was no 
> memory allocation failure.

Hi, Joonsoo:
This new patch worked well. Do you plan to 

Re: [RESEND PATCH v2 3/5] clk: rockchip: add new pll-type for rk3399 and similar socs

2016-03-08 Thread Heiko Stuebner
On Tuesday, 1 March 2016, 18:14:33, Xing Zheng wrote:
> The rk3399's pll and clock are similar with rk3036's, it different
> with base on the rk3066(rk3188, rk3288, rk3368 use it), there are
> different adjust factors and control registers, so these should be
> independent and separate from the series of rk3066s.
> 
> Signed-off-by: Xing Zheng 

[...]

> +static int rockchip_rk3399_pll_set_params(struct rockchip_clk_pll *pll,
> + const struct rockchip_pll_rate_table *rate)
> +{
> + const struct clk_ops *pll_mux_ops = pll->pll_mux_ops;
> + struct clk_mux *pll_mux = >pll_mux;
> + struct rockchip_pll_rate_table cur;
> + u32 pllcon;
> + int rate_change_remuxed = 0;
> + int cur_parent;
> + int ret;
> +
> + pr_debug("%s: rate settings for %lu fbdiv: %d, postdiv1: %d, refdiv: %d,
> postdiv2: %d, dsmpd: %d, frac: %d\n", +   __func__, rate->rate,
> rate->fbdiv, rate->postdiv1, rate->refdiv, +  rate->postdiv2,
> rate->dsmpd, rate->frac);
> +
> + rockchip_rk3399_pll_get_params(pll, );
> + cur.rate = 0;
> +
> + cur_parent = pll_mux_ops->get_parent(_mux->hw);
> + if (cur_parent == PLL_MODE_NORM) {
> + pll_mux_ops->set_parent(_mux->hw, PLL_MODE_SLOW);
> + rate_change_remuxed = 1;
> + }
> +
> + /* update pll values */
> + writel_relaxed(HIWORD_UPDATE(rate->fbdiv, RK3399_PLLCON0_FBDIV_MASK,
> +   RK3399_PLLCON0_FBDIV_SHIFT),

indentation is strange ... I guess the plan was to move 
RK3399_PLLCON0_FBDIV_SHIFT under RK3399_PLLCON0_FBDIV_MASK, currently it's 
having tabs + spaces but has no alignment whatsoever

> +pll->reg_base + RK3399_PLLCON(0));
> +
> + writel_relaxed(HIWORD_UPDATE(rate->refdiv, RK3399_PLLCON1_REFDIV_MASK,
> +RK3399_PLLCON1_REFDIV_SHIFT) 
> |
> +HIWORD_UPDATE(rate->postdiv1, 
> RK3399_PLLCON1_POSTDIV1_MASK,
> +  RK3399_PLLCON1_POSTDIV1_SHIFT) |

same for postdiv1

> +HIWORD_UPDATE(rate->postdiv2, 
> RK3399_PLLCON1_POSTDIV2_MASK,
> +  
> RK3399_PLLCON1_POSTDIV2_SHIFT),
> +pll->reg_base + RK3399_PLLCON(1));


rest looks nice


Heiko


[RFC PATCH] x86/vdso/32: Add AT_SYSINFO cancellation helpers

2016-03-08 Thread Andy Lutomirski
musl implements system call cancellation in an unusual but clever way.
When a thread issues a cancellable syscall, musl issues the syscall
through a special thunk that looks roughly like this:

cancellable_syscall:
test whether a cancel is queued
jnz cancel_me
int $0x80
end_cancellable_syscall:

If a pthread cancellation signal hits with
cancellable_syscall <= EIP < end_cancellable_syscall, then the
signal interrupted a cancellation point before the syscall in
question started.  If so, it rewrites the calling context to skip
the syscall and simulate a -EINTR return.  The caller will detect
this simulated -EINTR or an actual -EINTR and handle a possible
cancellation event.

This technique doesn't work if int $0x80 is replaced by a call to
AT_SYSINFO: the signal handler can no longer tell whether it's
interrupting a call to AT_SYSINFO or, if it is, where AT_SYSINFO was
called from.

Add minimal helpers so that musl's signal handler can learn the
status of a possible pending AT_SYSINFO invocation and, if it hasn't
entered the kernel yet, abort it without needing to parse the vdso
DWARF unwind data.

Signed-off-by: Andy Lutomirski 
---

musl people-

Does this solve your AT_SYSINFO cancellation problem?  I'd like to
make sure it survives an actual implementation before I commit to the ABI.

x86 people-

Are you okay with this idea?


 arch/x86/entry/vdso/Makefile  |   3 +-
 arch/x86/entry/vdso/vdso32/cancellation_helpers.c | 116 ++
 arch/x86/entry/vdso/vdso32/vdso32.lds.S   |   2 +
 tools/testing/selftests/x86/unwind_vdso.c |  57 +--
 4 files changed, 171 insertions(+), 7 deletions(-)
 create mode 100644 arch/x86/entry/vdso/vdso32/cancellation_helpers.c

diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
index b88846471247..465052b49603 100644
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -130,7 +130,7 @@ override obj-dirs = $(dir $(obj)) $(obj)/vdso32/
 
 targets += vdso32/vdso32.lds
 targets += vdso32/note.o vdso32/system_call.o vdso32/sigreturn.o
-targets += vdso32/vclock_gettime.o
+targets += vdso32/vclock_gettime.o vdso32/cancellation_helpers.o
 
 KBUILD_AFLAGS_32 := $(filter-out -m64,$(KBUILD_AFLAGS)) -DBUILD_VDSO
 $(obj)/vdso32.so.dbg: KBUILD_AFLAGS = $(KBUILD_AFLAGS_32)
@@ -150,6 +150,7 @@ $(obj)/vdso32.so.dbg: KBUILD_CFLAGS = $(KBUILD_CFLAGS_32)
 $(obj)/vdso32.so.dbg: FORCE \
  $(obj)/vdso32/vdso32.lds \
  $(obj)/vdso32/vclock_gettime.o \
+ $(obj)/vdso32/cancellation_helpers.o \
  $(obj)/vdso32/note.o \
  $(obj)/vdso32/system_call.o \
  $(obj)/vdso32/sigreturn.o
diff --git a/arch/x86/entry/vdso/vdso32/cancellation_helpers.c 
b/arch/x86/entry/vdso/vdso32/cancellation_helpers.c
new file mode 100644
index ..3cb2e88baec6
--- /dev/null
+++ b/arch/x86/entry/vdso/vdso32/cancellation_helpers.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2016 Andrew Lutomirski
+ * Subject to the GNU Public License, v.2
+ *
+ * This provides helpers to enable libc implementations to cancel
+ * interrupted AT_SYSINFO invocations without needing to parse the
+ * DWARF unwinding instructions.
+ */
+
+#include 
+#include 
+
+extern char __kernel_vsyscall[] __attribute__((visibility("hidden")));
+extern char int80_landing_pad[] __attribute__((visibility("hidden")));
+
+static unsigned long *pending_syscall_retaddr_ptr(const void *context)
+{
+   const struct ucontext_ia32 *uc = context;
+   unsigned long ctx_eip = uc->uc_mcontext.ip;
+   unsigned long offset_into_vsyscall;
+   unsigned long *retaddr;
+
+   /*
+* An AT_SYSINFO system call is pending if and only if we're in
+* __kernel_vsyscall before int80_landing_pad.  If we're at
+* int80_landing_pad or beyond, we've finished the system call
+* and are on our way out.
+*
+* If we're at int80_landing_pad-2, then either we're using the
+* int $0x80 slow path because we have no fast system call
+* support or we are restarting a fast system call.  Either way,
+* the system call is still pending.
+*/
+
+   if (ctx_eip < (unsigned long)__kernel_vsyscall ||
+   ctx_eip >= (unsigned long)int80_landing_pad)
+   return NULL;
+
+   /*
+* The first three instructions of __kernel_vsyscall are one-byte
+* pushes.
+*/
+   offset_into_vsyscall = (ctx_eip - (unsigned long)__kernel_vsyscall);
+   retaddr = (unsigned long *)uc->uc_mcontext.sp;
+   if (offset_into_vsyscall < 3)
+   retaddr += offset_into_vsyscall;
+   else
+   retaddr += 3;
+
+   /*
+* GCC (correctly) fails to deduce out that retaddr can't be NULL
+* in the success path.  Helping it out reduces code size.
+*/
+   if (!retaddr)
+  
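
Review bot: the literal 3 in `if (offset_into_vsyscall < 3)` and `retaddr += 3` in pending_syscall_retaddr_ptr() ties this helper to __kernel_vsyscall opening with exactly three one-byte pushes, and nothing visible here breaks the build if that prologue changes. Give the count a named constant shared with the entry code, or add a build-time check next to __kernel_vsyscall, so a prologue edit cannot silently make this return the wrong stack slot. Note also that `if (!retaddr)` runs after the pointer arithmetic, so it tests sp plus the offset rather than the sp value taken from the ucontext; the comment should say outright that this is a compiler hint and not validation of the caller-supplied context.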

[PATCH v5 2/7] QE: Add ucc hdlc document to bindings

2016-03-08 Thread Zhao Qiang
Add ucc hdlc document to
Documentation/devicetree/bindings/powerpc/fsl/cpm_qe/network.txt

Signed-off-by: Zhao Qiang 
Acked-by: Rob Herring 
---
Changes for v2
- use ucc-hdlc instead of ucc_hdlc
- add more information to properties.
Changes for v3
- use fsl,tx-timeslot-mask instead of fsl,tx-timeslot 
- use fsl,rx-timeslot-mask instead of fsl,rx-timeslot 
- add more info
Changes for v4
- NA 
Changes for v5
- NA 

 .../bindings/powerpc/fsl/cpm_qe/network.txt| 81 ++
 1 file changed, 81 insertions(+)

diff --git a/Documentation/devicetree/bindings/powerpc/fsl/cpm_qe/network.txt 
b/Documentation/devicetree/bindings/powerpc/fsl/cpm_qe/network.txt
index 29b28b8..03c7416 100644
--- a/Documentation/devicetree/bindings/powerpc/fsl/cpm_qe/network.txt
+++ b/Documentation/devicetree/bindings/powerpc/fsl/cpm_qe/network.txt
@@ -41,3 +41,84 @@ Example:
fsl,mdio-pin = <12>;
fsl,mdc-pin = <13>;
};
+
+* HDLC
+
+Currently defined compatibles:
+- fsl,ucc-hdlc
+
+Properties for fsl,ucc-hdlc:
+- rx-clock-name
+- tx-clock-name
+   Usage: required
+   Value type: 
+   Definition : Must be "brg1"-"brg16" for internal clock source,
+Must be "clk1"-"clk24" for external clock source.
+
+- fsl,tdm-interface
+   Usage: optional
+   Value type: 
+   Definition : Specify that hdlc is based on tdm-interface
+
+The property below is dependent on fsl,tdm-interface:
+- fsl,rx-sync-clock
+   Usage: required
+   Value type: 
+   Definition : Must be "none", "rsync_pin", "brg9-11" and "brg13-15".
+
+- fsl,tx-sync-clock
+   Usage: required
+   Value type: 
+   Definition : Must be "none", "tsync_pin", "brg9-11" and "brg13-15".
+
+- fsl,tdm-framer-type
+   Usage: required for tdm interface
+   Value type: 
+   Definition : "e1" or "t1".Now e1 and t1 are used, other framer types
+are not supported.
+
+- fsl,tdm-id
+   Usage: required for tdm interface
+   Value type: 
+   Definition : number of TDM ID
+
+- fsl,tx-timeslot-mask
+- fsl,rx-timeslot-mask
+   Usage: required for tdm interface
+   Value type: 
+   Definition : time slot mask for TDM operation. Indicates which time
+slots used for transmitting and receiving.
+
+- fsl,siram-entry-id
+   Usage: required for tdm interface
+   Value type: 
+   Definition : Must be 0,2,4...64. the number of TDM entry.
+
+- fsl,tdm-internal-loopback
+   usage: optional for tdm interface
+   value type: 
+   Definition : Internal loopback connecting on TDM layer.
+
+Example for tdm interface:
+
+   ucc@2000 {
+   compatible = "fsl,ucc-hdlc";
+   rx-clock-name = "clk8";
+   tx-clock-name = "clk9";
+   fsl,rx-sync-clock = "rsync_pin";
+   fsl,tx-sync-clock = "tsync_pin";
+   fsl,tx-timeslot-mask = <0xfffe>;
+   fsl,rx-timeslot-mask = <0xfffe>;
+   fsl,tdm-framer-type = "e1";
+   fsl,tdm-id = <0>;
+   fsl,siram-entry-id = <0>;
+   fsl,tdm-interface;
+   };
+
+Example for hdlc without tdm interface:
+
+   ucc@2000 {
+   compatible = "fsl,ucc-hdlc";
+   rx-clock-name = "brg1";
+   tx-clock-name = "brg1";
+   };
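
Review bot: the Definition lines for fsl,rx-sync-clock and fsl,tx-sync-clock say 'Must be "none", "rsync_pin", "brg9-11" and "brg13-15"', which reads as if all four were required at once and leaves it unclear whether "brg9-11" is a literal string or shorthand for brg9, brg10 and brg11. Write "one of" and spell out each accepted string. Smaller points in the same hunk: "The property below is dependent on fsl,tdm-interface" is singular although several properties follow, the two sync-clock properties are marked plain "required" where the later ones say "required for tdm interface", and fsl,tdm-internal-loopback uses lower-case "usage:" and "value type:" unlike every other entry.
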
-- 
2.1.0.27.g96db324



[PATCH v5 5/7] T104xD4RDB: Add qe node to t104xd4rdb

2016-03-08 Thread Zhao Qiang
add qe node to t104xd4rdb.dtsi and t1040si-post.dtsi.

Signed-off-by: Zhao Qiang 
---
Changes for v2
- rebase
Changes for v3
- rebase
Changes for v4
- rebase
Changes for v5
- rebase

 arch/powerpc/boot/dts/fsl/t1040si-post.dtsi | 45 +
 arch/powerpc/boot/dts/fsl/t104xd4rdb.dtsi   | 38 
 2 files changed, 83 insertions(+)

diff --git a/arch/powerpc/boot/dts/fsl/t1040si-post.dtsi 
b/arch/powerpc/boot/dts/fsl/t1040si-post.dtsi
index e0f4da5..012f813 100644
--- a/arch/powerpc/boot/dts/fsl/t1040si-post.dtsi
+++ b/arch/powerpc/boot/dts/fsl/t1040si-post.dtsi
@@ -673,3 +673,48 @@
};
};
 };
+
+ {
+   #address-cells = <1>;
+   #size-cells = <1>;
+   device_type = "qe";
+   compatible = "fsl,qe";
+   fsl,qe-num-riscs = <1>;
+   fsl,qe-num-snums = <28>;
+
+   qeic: interrupt-controller@80 {
+   interrupt-controller;
+   compatible = "fsl,qe-ic";
+   #address-cells = <0>;
+   #interrupt-cells = <1>;
+   reg = <0x80 0x80>;
+   interrupts = <95 2 0 0  94 2 0 0>; //high:79 low:78
+   };
+
+   ucc@2000 {
+   cell-index = <1>;
+   reg = <0x2000 0x200>;
+   interrupts = <32>;
+   interrupt-parent = <>;
+   };
+
+   ucc@2200 {
+   cell-index = <3>;
+   reg = <0x2200 0x200>;
+   interrupts = <34>;
+   interrupt-parent = <>;
+   };
+
+   muram@1 {
+   #address-cells = <1>;
+   #size-cells = <1>;
+   compatible = "fsl,qe-muram", "fsl,cpm-muram";
+   ranges = <0x0 0x1 0x6000>;
+
+   data-only@0 {
+   compatible = "fsl,qe-muram-data",
+   "fsl,cpm-muram-data";
+   reg = <0x0 0x6000>;
+   };
+   };
+};
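
Review bot: in the qeic node, `interrupts = <95 2 0 0  94 2 0 0>; //high:79 low:78` carries a comment whose numbers (79, 78) do not match the specifiers on the same line (95, 94), and nothing explains how the two relate. Either state the mapping in the comment or drop it, and use a /* */ comment rather than //.
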
diff --git a/arch/powerpc/boot/dts/fsl/t104xd4rdb.dtsi 
b/arch/powerpc/boot/dts/fsl/t104xd4rdb.dtsi
index 3f6d7c6..7cc3596 100644
--- a/arch/powerpc/boot/dts/fsl/t104xd4rdb.dtsi
+++ b/arch/powerpc/boot/dts/fsl/t104xd4rdb.dtsi
@@ -212,4 +212,42 @@
  0 0x0001>;
};
};
+
+   qe: qe@ffe14 {
+   ranges = <0x0 0xf 0xfe14 0x4>;
+   reg = <0xf 0xfe14 0 0x480>;
+   brg-frequency = <0>;
+   bus-frequency = <0>;
+
+   si1: si@700 {
+   compatible = "fsl,t1040-qe-si";
+   reg = <0x700 0x80>;
+   };
+
+   siram1: siram@1000 {
+   compatible = "fsl,t1040-qe-siram";
+   reg = <0x1000 0x800>;
+   };
+
+   ucc_hdlc: ucc@2000 {
+   compatible = "fsl,ucc-hdlc";
+   rx-clock-name = "clk8";
+   tx-clock-name = "clk9";
+   fsl,rx-sync-clock = "rsync_pin";
+   fsl,tx-sync-clock = "tsync_pin";
+   fsl,tx-timeslot-mask = <0xfffe>;
+   fsl,rx-timeslot-mask = <0xfffe>;
+   fsl,tdm-framer-type = "e1";
+   fsl,tdm-id = <0>;
+   fsl,siram-entry-id = <0>;
+   fsl,tdm-interface;
+   };
+
+   ucc_serial: ucc@2200 {
+   compatible = "fsl,t1040-ucc-uart";
+   port-number = <0>;
+   rx-clock-name = "brg2";
+   tx-clock-name = "brg2";
+   };
+   };
 };
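
Review bot: `brg-frequency = <0>;` and `bus-frequency = <0>;` in the qe node are placeholders with nothing saying who fills them in, while the ucc_serial node below takes both of its clocks from "brg2". If the boot loader is expected to fix these up, say so in a comment or in the commit message; otherwise give real values.
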
-- 
2.1.0.27.g96db324



[PATCH v3 4/7] clk: rockchip: Add support for multiple clock providers

2016-03-08 Thread Xing Zheng
There is a need to support the possibility of multiple CRUs in the
future, but it is not supported by the current Rockchip Clock Framework.

Therefore, this patch adds support for a provider as the parameter
handler when we call the clock register functions for each CRU.

Signed-off-by: Xing Zheng 
---

Changes in v3: None
Changes in v2: None

 drivers/clk/rockchip/clk-pll.c|   30 
 drivers/clk/rockchip/clk-rk3036.c |   17 +++--
 drivers/clk/rockchip/clk-rk3188.c |   48 
 drivers/clk/rockchip/clk-rk3228.c |   17 +++--
 drivers/clk/rockchip/clk-rk3288.c |   19 +++--
 drivers/clk/rockchip/clk-rk3368.c |   21 --
 drivers/clk/rockchip/clk.c|  148 +++--
 drivers/clk/rockchip/clk.h|   49 
 8 files changed, 231 insertions(+), 118 deletions(-)

diff --git a/drivers/clk/rockchip/clk-pll.c b/drivers/clk/rockchip/clk-pll.c
index 5de797e..27be66a 100644
--- a/drivers/clk/rockchip/clk-pll.c
+++ b/drivers/clk/rockchip/clk-pll.c
@@ -46,6 +46,8 @@ struct rockchip_clk_pll {
const struct rockchip_pll_rate_table *rate_table;
unsigned intrate_count;
spinlock_t  *lock;
+
+   struct rockchip_clk_provider *ctx;
 };
 
 #define to_rockchip_clk_pll(_hw) container_of(_hw, struct rockchip_clk_pll, hw)
@@ -90,7 +92,7 @@ static long rockchip_pll_round_rate(struct clk_hw *hw,
  */
 static int rockchip_pll_wait_lock(struct rockchip_clk_pll *pll)
 {
-   struct regmap *grf = rockchip_clk_get_grf();
+   struct regmap *grf = rockchip_clk_get_grf(pll->ctx);
unsigned int val;
int delay = 2400, ret;
 
@@ -251,7 +253,7 @@ static int rockchip_rk3036_pll_set_rate(struct clk_hw *hw, 
unsigned long drate,
struct rockchip_clk_pll *pll = to_rockchip_clk_pll(hw);
const struct rockchip_pll_rate_table *rate;
unsigned long old_rate = rockchip_rk3036_pll_recalc_rate(hw, prate);
-   struct regmap *grf = rockchip_clk_get_grf();
+   struct regmap *grf = rockchip_clk_get_grf(pll->ctx);
 
if (IS_ERR(grf)) {
pr_debug("%s: grf regmap not available, aborting rate change\n",
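
Review bot: rockchip_rk3036_pll_set_rate() now passes pll->ctx to rockchip_clk_get_grf(), as do rockchip_pll_wait_lock(), rockchip_rk3066_pll_set_rate() and rockchip_rk3066_pll_init() in the neighbouring hunks, so pll->ctx has to be assigned in rockchip_clk_register_pll() before the clock is registered. Please make that ordering explicit there (a short comment at the assignment is enough), because any callback that runs at registration time would otherwise hand a NULL provider to rockchip_clk_get_grf(), and the IS_ERR(grf) check below does not cover that case.
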
@@ -490,7 +492,7 @@ static int rockchip_rk3066_pll_set_rate(struct clk_hw *hw, 
unsigned long drate,
struct rockchip_clk_pll *pll = to_rockchip_clk_pll(hw);
const struct rockchip_pll_rate_table *rate;
unsigned long old_rate = rockchip_rk3066_pll_recalc_rate(hw, prate);
-   struct regmap *grf = rockchip_clk_get_grf();
+   struct regmap *grf = rockchip_clk_get_grf(pll->ctx);
 
if (IS_ERR(grf)) {
pr_debug("%s: grf regmap not available, aborting rate change\n",
@@ -563,7 +565,7 @@ static void rockchip_rk3066_pll_init(struct clk_hw *hw)
 rate->no, cur.no, rate->nf, cur.nf, rate->nb, cur.nb);
if (rate->nr != cur.nr || rate->no != cur.no || rate->nf != cur.nf
 || rate->nb != cur.nb) {
-   struct regmap *grf = rockchip_clk_get_grf();
+   struct regmap *grf = rockchip_clk_get_grf(pll->ctx);
 
if (IS_ERR(grf))
return;
@@ -595,12 +597,13 @@ static const struct clk_ops rockchip_rk3066_pll_clk_ops = 
{
  * Common registering of pll clocks
  */
 
-struct clk *rockchip_clk_register_pll(enum rockchip_pll_type pll_type,
+struct clk *rockchip_clk_register_pll(struct rockchip_clk_provider *ctx,
+   enum rockchip_pll_type pll_type,
const char *name, const char *const *parent_names,
-   u8 num_parents, void __iomem *base, int con_offset,
-   int grf_lock_offset, int lock_shift, int mode_offset,
-   int mode_shift, struct rockchip_pll_rate_table *rate_table,
-   u8 clk_pll_flags, spinlock_t *lock)
+   u8 num_parents, int con_offset, int grf_lock_offset,
+   int lock_shift, int mode_offset, int mode_shift,
+   struct rockchip_pll_rate_table *rate_table,
+   u8 clk_pll_flags)
 {
const char *pll_parents[3];
struct clk_init_data init;
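
Review bot: the new ctx parameter of rockchip_clk_register_pll() is used without a check (ctx->reg_base in the hunks below), so either document that it must be non-NULL or reject a NULL ctx at the top of the function. The prototype also drops base and lock and re-wraps a run of adjacent int parameters, which makes a mis-ordered argument at a call site easy to miss; a kernel-doc block naming each parameter would help reviewers of the per-SoC conversions.
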
@@ -624,11 +627,11 @@ struct clk *rockchip_clk_register_pll(enum 
rockchip_pll_type pll_type,
/* create the mux on top of the real pll */
pll->pll_mux_ops = _mux_ops;
pll_mux = >pll_mux;
-   pll_mux->reg = base + mode_offset;
+   pll_mux->reg = ctx->reg_base + mode_offset;
pll_mux->shift = mode_shift;
pll_mux->mask = PLL_MODE_MASK;
pll_mux->flags = 0;
-   pll_mux->lock = lock;
+   pll_mux->lock = >lock;
pll_mux->hw.init = 
 
if (pll_type == pll_rk3036 || pll_type == pll_rk3066)
@@ -695,11 +698,12 @@ struct clk *rockchip_clk_register_pll(enum 
rockchip_pll_type pll_type,
 
pll->hw.init = 
pll->type = pll_type;
-   pll->reg_base = base + con_offset;
+   pll->reg_base = ctx->reg_base + con_offset;
pll->lock_offset = 

[PATCH v3 3/7] clk: rockchip: add more mux parameters for new pll sources

2016-03-08 Thread Xing Zheng
There are only two parent PLLs, APLL and GPLL, for the core on the
previous SoCs (RK3066/RK3188/RK3288/RK3368). Hence, we set a fixed
GPLL as the alternate parent when the core is switching freq.

Since the RK3399 has a big.LITTLE architecture, we need to select and
adapt more PLL (ALPLL/ABPLL/DPLL/GPLL) sources.

Signed-off-by: Xing Zheng 
---

Changes in v3: None
Changes in v2: None

 drivers/clk/rockchip/clk-cpu.c|   14 ++
 drivers/clk/rockchip/clk-rk3036.c |3 +++
 drivers/clk/rockchip/clk-rk3188.c |6 ++
 drivers/clk/rockchip/clk-rk3228.c |3 +++
 drivers/clk/rockchip/clk-rk3288.c |3 +++
 drivers/clk/rockchip/clk-rk3368.c |6 ++
 drivers/clk/rockchip/clk.h|6 ++
 7 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/drivers/clk/rockchip/clk-cpu.c b/drivers/clk/rockchip/clk-cpu.c
index 4e73ed5..5556849 100644
--- a/drivers/clk/rockchip/clk-cpu.c
+++ b/drivers/clk/rockchip/clk-cpu.c
@@ -158,12 +158,16 @@ static int rockchip_cpuclk_pre_rate_change(struct 
rockchip_cpuclk *cpuclk,
 
writel(HIWORD_UPDATE(alt_div, reg_data->div_core_mask,
  reg_data->div_core_shift) |
-  HIWORD_UPDATE(1, 1, reg_data->mux_core_shift),
+  HIWORD_UPDATE(reg_data->mux_core_alt,
+reg_data->mux_core_mask,
+reg_data->mux_core_shift),
   cpuclk->reg_base + reg_data->core_reg);
} else {
/* select alternate parent */
-   writel(HIWORD_UPDATE(1, 1, reg_data->mux_core_shift),
-   cpuclk->reg_base + reg_data->core_reg);
+   writel(HIWORD_UPDATE(reg_data->mux_core_alt,
+reg_data->mux_core_mask,
+reg_data->mux_core_shift),
+  cpuclk->reg_base + reg_data->core_reg);
}
 
spin_unlock_irqrestore(cpuclk->lock, flags);
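
Review bot: both writel() calls in rockchip_cpuclk_pre_rate_change() now take the mux value and mask from reg_data, so any rockchip_cpuclk_reg_data that does not set .mux_core_mask passes 0 where the old code hard-coded 1. Every SoC table therefore needs the new fields in this same patch (the diffstat lists rk3036, rk3188, rk3228, rk3288 and rk3368), and the new members in clk.h should be documented as mux selector values and mask so that a table added later does not leave them at zero by accident.
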
@@ -198,7 +202,9 @@ static int rockchip_cpuclk_post_rate_change(struct 
rockchip_cpuclk *cpuclk,
 
writel(HIWORD_UPDATE(0, reg_data->div_core_mask,
reg_data->div_core_shift) |
-  HIWORD_UPDATE(0, 1, reg_data->mux_core_shift),
+  HIWORD_UPDATE(reg_data->mux_core_main,
+   reg_data->mux_core_mask,
+   reg_data->mux_core_shift),
   cpuclk->reg_base + reg_data->core_reg);
 
if (ndata->old_rate > ndata->new_rate)
diff --git a/drivers/clk/rockchip/clk-rk3036.c 
b/drivers/clk/rockchip/clk-rk3036.c
index 5759d75..1dae248 100644
--- a/drivers/clk/rockchip/clk-rk3036.c
+++ b/drivers/clk/rockchip/clk-rk3036.c
@@ -113,7 +113,10 @@ static const struct rockchip_cpuclk_reg_data 
rk3036_cpuclk_data = {
.core_reg = RK2928_CLKSEL_CON(0),
.div_core_shift = 0,
.div_core_mask = 0x1f,
+   .mux_core_alt = 1,
+   .mux_core_main = 0,
.mux_core_shift = 7,
+   .mux_core_mask = 0x1,
 };
 
 PNAME(mux_pll_p)   = { "xin24m", "xin24m" };
diff --git a/drivers/clk/rockchip/clk-rk3188.c 
b/drivers/clk/rockchip/clk-rk3188.c
index 40bab39..e832403 100644
--- a/drivers/clk/rockchip/clk-rk3188.c
+++ b/drivers/clk/rockchip/clk-rk3188.c
@@ -155,7 +155,10 @@ static const struct rockchip_cpuclk_reg_data 
rk3066_cpuclk_data = {
.core_reg = RK2928_CLKSEL_CON(0),
.div_core_shift = 0,
.div_core_mask = 0x1f,
+   .mux_core_alt = 1,
+   .mux_core_main = 0,
.mux_core_shift = 8,
+   .mux_core_mask = 0x1,
 };
 
 #define RK3188_DIV_ACLK_CORE_MASK  0x7
@@ -191,7 +194,10 @@ static const struct rockchip_cpuclk_reg_data 
rk3188_cpuclk_data = {
.core_reg = RK2928_CLKSEL_CON(0),
.div_core_shift = 9,
.div_core_mask = 0x1f,
+   .mux_core_alt = 1,
+   .mux_core_main = 0,
.mux_core_shift = 8,
+   .mux_core_mask = 0x1,
 };
 
 PNAME(mux_pll_p)   = { "xin24m", "xin32k" };
diff --git a/drivers/clk/rockchip/clk-rk3228.c 
b/drivers/clk/rockchip/clk-rk3228.c
index 7702d28..4b4137e 100644
--- a/drivers/clk/rockchip/clk-rk3228.c
+++ b/drivers/clk/rockchip/clk-rk3228.c
@@ -111,7 +111,10 @@ static const struct rockchip_cpuclk_reg_data 
rk3228_cpuclk_data = {
.core_reg = RK2928_CLKSEL_CON(0),
.div_core_shift = 0,
.div_core_mask = 0x1f,
+   .mux_core_alt = 1,
+   .mux_core_main = 0,
.mux_core_shift = 6,
+   .mux_core_mask = 0x1,
 };
 
 PNAME(mux_pll_p)   = { "clk_24m", "xin24m" };
diff --git a/drivers/clk/rockchip/clk-rk3288.c 
b/drivers/clk/rockchip/clk-rk3288.c
index 3cb7216..00faf3f 100644
--- a/drivers/clk/rockchip/clk-rk3288.c
+++ b/drivers/clk/rockchip/clk-rk3288.c
@@ -165,7 +165,10 @@ static const struct rockchip_cpuclk_reg_data 
rk3288_cpuclk_data = {
.core_reg = RK3288_CLKSEL_CON(0),
.div_core_shift 

[PATCH v3 2/7] clk: rockchip: add dt-binding header for rk3399

2016-03-08 Thread Xing Zheng
Add the dt-bindings header for the rk3399, that gets shared between
the clock controller and the clock references in the dts.

Signed-off-by: Xing Zheng 
Signed-off-by: Jianqun Xu 
Acked-by: Rob Herring 
---

Changes in v3: None
Changes in v2: None

 include/dt-bindings/clock/rk3399-cru.h |  720 
 1 file changed, 720 insertions(+)
 create mode 100644 include/dt-bindings/clock/rk3399-cru.h

diff --git a/include/dt-bindings/clock/rk3399-cru.h 
b/include/dt-bindings/clock/rk3399-cru.h
new file mode 100644
index 000..215e2a5
--- /dev/null
+++ b/include/dt-bindings/clock/rk3399-cru.h
@@ -0,0 +1,720 @@
+/*
+ * Copyright (c) 2015 Rockchip Electronics Co. Ltd.
+ * Author: Xing Zheng 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef _DT_BINDINGS_CLK_ROCKCHIP_RK3399_H
+#define _DT_BINDINGS_CLK_ROCKCHIP_RK3399_H
+
+/* core clocks */
+#define PLL_APLLL  1
+#define PLL_APLLB  2
+#define PLL_DPLL   3
+#define PLL_CPLL   4
+#define PLL_GPLL   5
+#define PLL_NPLL   6
+#define PLL_VPLL   7
+#define PLL_PPLL   8
+#define ARMCLKL9
+#define ARMCLKB10
+
+/* sclk gates (special clocks) */
+#define SCLK_I2C1  65
+#define SCLK_I2C2  66
+#define SCLK_I2C3  67
+#define SCLK_I2C5  68
+#define SCLK_I2C6  69
+#define SCLK_I2C7  70
+#define SCLK_SPI0  71
+#define SCLK_SPI1  72
+#define SCLK_SPI2  73
+#define SCLK_SPI4  74
+#define SCLK_SPI5  75
+#define SCLK_SDMMC 76
+#define SCLK_SDIO  77
+#define SCLK_EMMC  78
+#define SCLK_TSADC 79
+#define SCLK_SARADC80
+#define SCLK_UART0 81
+#define SCLK_UART1 82
+#define SCLK_UART2 83
+#define SCLK_UART3 84
+#define SCLK_SPDIF_8CH 85
+#define SCLK_I2S0_8CH  86
+#define SCLK_I2S1_8CH  87
+#define SCLK_I2S2_8CH  88
+#define SCLK_I2S_8CH_OUT   89
+#define SCLK_TIMER00   90
+#define SCLK_TIMER01   91
+#define SCLK_TIMER02   92
+#define SCLK_TIMER03   93
+#define SCLK_TIMER04   94
+#define SCLK_TIMER05   95
+#define SCLK_TIMER06   96
+#define SCLK_TIMER07   97
+#define SCLK_TIMER08   98
+#define SCLK_TIMER09   99
+#define SCLK_TIMER10   100
+#define SCLK_TIMER11   101
+#define SCLK_MACREF102
+#define SCLK_MAC_RX103
+#define SCLK_MAC_TX104
+#define SCLK_MAC   105
+#define SCLK_MACREF_OUT106
+#define SCLK_VOP0_PWM  107
+#define SCLK_VOP1_PWM  108
+#define SCLK_RGA   109
+#define SCLK_ISP0  110
+#define SCLK_ISP1  111
+#define SCLK_HDMI_CEC  112
+#define SCLK_HDMI_SFR  113
+#define SCLK_DP_CORE_SRC   114
+#define SCLK_PVTM_CORE_L   115
+#define SCLK_PVTM_CORE_B   116
+#define SCLK_PVTM_GPU  117
+#define SCLK_PVTM_DDR  118
+#define SCLK_MIPIDPHY_REF  119
+#define SCLK_MIPIDPHY_CFG  120
+#define SCLK_HSICPHY   121
+#define SCLK_USBPHY480M122
+#define SCLK_USB2PHY0_REF  123
+#define SCLK_USB2PHY1_REF  124
+#define SCLK_UPHY0_TCPDPHY_REF 125
+#define SCLK_UPHY0_TCPDCORE126
+#define SCLK_UPHY1_TCPDPHY_REF 127
+#define SCLK_UPHY1_TCPDCORE128
+#define SCLK_USB3OTG0_REF  129
+#define SCLK_USB3OTG1_REF  130
+#define SCLK_USB3OTG0_SUSPEND  131
+#define SCLK_USB3OTG1_SUSPEND  132
+#define SCLK_CRYPTO0   133
+#define SCLK_CRYPTO1   134
+#define 
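
Review bot: the sclk block defines SCLK_I2C1, 2, 3, 5, 6, 7 and SCLK_SPI0, 1, 2, 4, 5, with no entries for I2C0, I2C4 or SPI3 and no comment explaining the gaps in the visible part of the header. If those clocks are provided by a different controller, add a one-line comment saying so next to each group, so that a dts author does not go looking for the missing IDs here.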

[PATCH v3 1/7] dt-bindings: add bindings for rk3399 clock controller

2016-03-08 Thread Xing Zheng
Add devicetree bindings for Rockchip cru which is found on
Rockchip SoCs.

Signed-off-by: Xing Zheng 
Signed-off-by: Jianqun Xu 
Acked-by: Rob Herring 
---

Changes in v3: None
Changes in v2: None

 .../bindings/clock/rockchip,rk3399-cru.txt |   82 
 1 file changed, 82 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/clock/rockchip,rk3399-cru.txt

diff --git a/Documentation/devicetree/bindings/clock/rockchip,rk3399-cru.txt 
b/Documentation/devicetree/bindings/clock/rockchip,rk3399-cru.txt
new file mode 100644
index 000..07bcc6e
--- /dev/null
+++ b/Documentation/devicetree/bindings/clock/rockchip,rk3399-cru.txt
@@ -0,0 +1,82 @@
+* Rockchip RK3399 Clock and Reset Unit
+
+The RK3399 clock controller generates and supplies clock to various
+controllers within the SoC and also implements a reset controller for SoC
+peripherals.
+
+Required Properties:
+
+- compatible: PMU for CRU should be "rockchip,rk3399-pmucru"
+- compatible: CRU should be "rockchip,rk3399-cru"
+- reg: physical base address of the controller and length of memory mapped
+  region.
+- #clock-cells: should be 1.
+- #reset-cells: should be 1.
+
+Optional Properties:
+
+- rockchip,grf: phandle to the syscon managing the "general register files"
+  If missing, pll rates are not changeable, due to the missing pll lock status.
+
+Each clock is assigned an identifier and client nodes can use this identifier
+to specify the clock which they consume. All available clocks are defined as
+preprocessor macros in the dt-bindings/clock/rk3399-cru.h headers and can be
+used in device tree sources. Similar macros exist for the reset sources in
+these files.
+
+External clocks:
+
+There are several clocks that are generated outside the SoC. It is expected
+that they are defined using standard clock bindings with following
+clock-output-names:
+ - "xin24m" - crystal input - required,
+ - "xin32k" - rtc clock - optional,
+ - "ext_i2s" - external I2S clock - optional,
+ - "ext_gmac" - external GMAC clock - optional
+ - "ext_hsadc" - external HSADC clock - optional,
+ - "ext_isp" - external ISP clock - optional,
+ - "ext_jtag" - external JTAG clock - optional
+ - "ext_vip" - external VIP clock - optional,
+ - "usbotg_out" - output clock of the pll in the otg phy
+
+Example: General Register Files
+
+   pmugrf: syscon@ff32 {
+   compatible = "rockchip,rk3399-pmugrf", "syscon";
+   reg = <0x0 0xff32 0x0 0x1000>;
+   };
+
+   grf: syscon@ff77 {
+   compatible = "rockchip,rk3399-grf", "syscon";
+   reg = <0x0 0xff77 0x0 0x1>;
+   };
+
+Example: Clock controller node:
+
+   pmucru: pmu-clock-controller@ff75 {
+   compatible = "rockchip,rk3399-pmucru";
+   reg = <0x0 0xff75 0x0 0x1000>;
+   #clock-cells = <1>;
+   #reset-cells = <1>;
+   };
+
+   cru: clock-controller@ff76 {
+   compatible = "rockchip,rk3399-cru";
+   reg = <0x0 0xff76 0x0 0x1000>;
+   rockchip,grf = <>;
+   #clock-cells = <1>;
+   #reset-cells = <1>;
+   };
+
+Example: UART controller node that consumes the clock generated by the clock
+  controller:
+
+   uart0: serial@ff1a {
+   compatible = "rockchip,rk3399-uart", "snps,dw-apb-uart";
+   reg = <0x0 0xff18 0x0 0x100>;
+   clocks = < SCLK_UART0>, < PCLK_UART0>;
+   clock-names = "baudclk", "apb_pclk";
+   interrupts = ;
+   reg-shift = <2>;
+   reg-io-width = <4>;
+   };
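
Review bot: in the UART example the unit address does not match the reg property: the node is named `serial@ff1a` while the line below it reads `reg = <0x0 0xff18 0x0 0x100>`. Make the two agree. In the same hunk, the two separate "- compatible:" bullets under Required Properties would read better as one entry listing both strings and saying which node each applies to, and the external clock list mixes entries that end in a comma with entries that do not.
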
-- 
1.7.9.5




Re: [PATCH 2/8] drivers/pinctrl: make mediatek/pinctrl-mt6397 driver explicitly non-modular

2016-03-08 Thread Linus Walleij
On Tue, Mar 1, 2016 at 3:48 AM, Paul Gortmaker
 wrote:

> The Kconfig for this driver is currently:
>
> config PINCTRL_MT6397
> bool "Mediatek MT6397 pin control" if COMPILE_TEST && !MFD_MT6397
>
> ...meaning that it is currently not being built as a module by anyone.
> Let's remove the modular code that is essentially orphaned, so that
> when reading the driver there is no doubt it is builtin-only.
>
> Since module_init translates to device_initcall in the non-modular
> case, the init ordering remains unchanged with this commit.
>
> We also delete the MODULE_LICENSE tag etc. since all that information
> is already contained at the top of the file in the comments.
>
> Also note that MODULE_DEVICE_TABLE is a no-op for non-modular code.
>
> Cc: Linus Walleij 
> Cc: Matthias Brugger 
> Cc: Hongzhou Yang 
> Cc: linux-g...@vger.kernel.org
> Cc: linux-media...@lists.infradead.org
> Signed-off-by: Paul Gortmaker 

Patch applied with Hongzhou's ACK.

Yours,
Linus Walleij


Re: [PATCH 01/11] rxrpc: Add a common object cache

2016-03-08 Thread David Miller
From: David Howells 
Date: Tue, 08 Mar 2016 21:11:09 +

> I can put in a limit per peer, where a 'peer' is either a particular remote
> UDP port or particular remote host.  TCP has this by virtue of having a
> limited number of ports available per IP address.  But if I have 10 IP
> addresses available, I can attempt to set up half a million TCP connections to
> a server simultaneously.  If I have access to a box that has an NFS mount on
> it, I can potentially open sufficient TCP ports that the NFS mount can't make
> a connection if it's not allowed to use privileged ports.

You must hold onto and commit locally to state for each and every one
of those remote TCP connections you create and actually move to
established state.

It's completely different, both sides have to make a non-trivial
resource commitment.

For this RXRPC stuff, you don't.

That's the important and critical difference.

My core argument still stands that RXRPC is fundamentally DoS'able, in a
way that is not matched by TCP or our routing code or similar
subsystems.


Re: [PATCH 5/8] drivers/pinctrl: make stm32/pinctrl-stm32f429.c explicitly non-modular

2016-03-08 Thread Linus Walleij
On Tue, Mar 1, 2016 at 3:48 AM, Paul Gortmaker
 wrote:

> The Kconfig currently controlling compilation of this code is:
>
> drivers/pinctrl/stm32/Kconfig:config PINCTRL_STM32F429
> drivers/pinctrl/stm32/Kconfig:  bool "STMicroelectronics STM32F429 pin 
> control" if COMPILE_TEST && !MACH_STM32F429
>
> ...meaning that it currently is not being built as a module by anyone.
>
> Let's remove the modular code that is essentially orphaned, so that
> when reading the driver there is no doubt it is builtin-only.
>
> Since module_init translates to device_initcall in the non-modular
> case, the init ordering remains unchanged with this commit.
>
> Also note that MODULE_DEVICE_TABLE is a no-op for non-modular code.
>
> We also delete the MODULE_LICENSE tag etc. since all that information
> is already contained at the top of the file in the comments.
>
> Cc: Linus Walleij 
> Cc: Maxime Coquelin 
> Cc: Patrice Chotard 
> Cc: linux-g...@vger.kernel.org
> Cc: linux-arm-ker...@lists.infradead.org
> Signed-off-by: Paul Gortmaker 

Patch applied with Maxime's ACK.

Yours,
Linus Walleij


[PATCH] Revert "[media] au0828: use v4l2_mc_create_media_graph()"

2016-03-08 Thread Shuah Khan
This reverts commit 9822f4173f84cb7c592edb5e1478b7903f69d018.
This commit breaks au0828_enable_handler() logic to find the tuner.
Audio, Video, and Digital applications are broken and fail to start
streaming with tuner busy error even when tuner is free.

Signed-off-by: Shuah Khan 
---
 drivers/media/usb/au0828/au0828-video.c | 103 ++--
 drivers/media/v4l2-core/v4l2-mc.c   |  21 +--
 2 files changed, 99 insertions(+), 25 deletions(-)

diff --git a/drivers/media/usb/au0828/au0828-video.c 
b/drivers/media/usb/au0828/au0828-video.c
index 13f6dab..5f7c8be 100644
--- a/drivers/media/usb/au0828/au0828-video.c
+++ b/drivers/media/usb/au0828/au0828-video.c
@@ -35,7 +35,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -653,6 +652,102 @@ void au0828_usb_v4l2_media_release(struct au0828_dev *dev)
 #endif
 }
 
+static int au0828_create_media_graph(struct au0828_dev *dev)
+{
+#ifdef CONFIG_MEDIA_CONTROLLER
+   struct media_device *mdev = dev->media_dev;
+   struct media_entity *entity;
+   struct media_entity *tuner = NULL, *decoder = NULL, *demod = NULL;
+   int i, ret;
+
+   if (!mdev)
+   return 0;
+
+   media_device_for_each_entity(entity, mdev) {
+   switch (entity->function) {
+   case MEDIA_ENT_F_TUNER:
+   tuner = entity;
+   break;
+   case MEDIA_ENT_F_ATV_DECODER:
+   decoder = entity;
+   break;
+   case MEDIA_ENT_F_DTV_DEMOD:
+   demod = entity;
+   break;
+   }
+   }
+
+   /* Analog setup, using tuner as a link */
+
+   /* Something bad happened! */
+   if (!decoder)
+   return -EINVAL;
+
+   if (tuner) {
+   dev->tuner = tuner;
+   ret = media_create_pad_link(tuner, TUNER_PAD_OUTPUT,
+   decoder, DEMOD_PAD_IF_INPUT, 0);
+   if (ret)
+   return ret;
+   }
+   ret = media_create_pad_link(decoder, DEMOD_PAD_VID_OUT,
+   >vdev.entity, 0,
+   MEDIA_LNK_FL_ENABLED);
+   if (ret)
+   return ret;
+   ret = media_create_pad_link(decoder, DEMOD_PAD_VBI_OUT,
+   >vbi_dev.entity, 0,
+   MEDIA_LNK_FL_ENABLED);
+   if (ret)
+   return ret;
+
+   for (i = 0; i < AU0828_MAX_INPUT; i++) {
+   struct media_entity *ent = >input_ent[i];
+
+   switch (AUVI_INPUT(i).type) {
+   case AU0828_VMUX_UNDEFINED:
+   break;
+   case AU0828_VMUX_CABLE:
+   case AU0828_VMUX_TELEVISION:
+   case AU0828_VMUX_DVB:
+   if (!tuner)
+   break;
+
+   ret = media_create_pad_link(ent, 0, tuner,
+   TUNER_PAD_RF_INPUT,
+   MEDIA_LNK_FL_ENABLED);
+   if (ret)
+   return ret;
+   break;
+   case AU0828_VMUX_COMPOSITE:
+   case AU0828_VMUX_SVIDEO:
+   /* FIXME: fix the decoder PAD */
+   ret = media_create_pad_link(ent, 0, decoder,
+   DEMOD_PAD_IF_INPUT, 0);
+   if (ret)
+   return ret;
+   break;
+   }
+   }
+
+   /*
+* Disable tuner to demod link to avoid disable step
+* when tuner is requested by video or audio
+   */
+   if (tuner && demod) {
+   struct media_link *link;
+
+   list_for_each_entry(link, >links, list) {
+   if (link->sink->entity == demod &&
+   link->source->entity == tuner) {
+   media_entity_setup_link(link, 0);
+   }
+   }
+   }
+#endif
+   return 0;
+}
+
 static void au0828_usb_v4l2_release(struct v4l2_device *v4l2_dev)
 {
struct au0828_dev *dev =
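
Review bot: in the last loop of au0828_create_media_graph(), the return value of media_entity_setup_link(link, 0) is dropped, while every media_create_pad_link() call above it is checked and propagated. Either check it and return the error, or add a comment saying why a failure to disable the tuner-to-demod link can be ignored. The `switch (entity->function)` at the top also has no default case, and the composite/S-Video branch still carries "FIXME: fix the decoder PAD"; since this function is being reinstated as the driver's own graph builder, the commit message should say whether that FIXME is a known limitation.
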
@@ -2039,16 +2134,14 @@ int au0828_analog_register(struct au0828_dev *dev,
ret = -ENODEV;
goto err_reg_vbi_dev;
}
-
-#ifdef CONFIG_MEDIA_CONTROLLER
-   retval = v4l2_mc_create_media_graph(dev->media_dev);
+   retval = au0828_create_media_graph(dev);
if (retval) {
pr_err("%s() au0282_dev_register failed to create graph\n",
__func__);
ret = -ENODEV;
goto err_reg_vbi_dev;
}
-#endif
+
 
dprintk(1, "%s completed!\n", __func__);
 
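Review bot: replacing `-#endif` with an added empty line leaves two consecutive blank lines before `dprintk(1, "%s completed!\n", __func__);`; drop the added one. While this block is being touched, the pr_err() text names "au0282_dev_register", which matches neither the au0828 driver name nor the function that failed, and the value in `retval` is discarded in favour of -ENODEV, so the log gives no hint of which link creation went wrong.
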
diff --git 

Re: [PATCH 4/8] drivers/pinctrl: make sh-pfc/core.c explicitly non-modular

2016-03-08 Thread Linus Walleij
On Tue, Mar 1, 2016 at 3:48 AM, Paul Gortmaker
 wrote:

> The Kconfig / Makefile currently controlling compilation of this code is:
>
> drivers/pinctrl/sh-pfc/Makefile:obj-$(CONFIG_PINCTRL_SH_PFC)+= sh-pfc.o
> drivers/pinctrl/sh-pfc/Makefile:sh-pfc-objs = core.o 
> pinctrl.o
>
> drivers/pinctrl/sh-pfc/Kconfig:config PINCTRL_SH_PFC
> drivers/pinctrl/sh-pfc/Kconfig: def_bool y
>
> ...meaning that it currently is not being built as a module by anyone.
>
> Let's remove the modular code that is essentially orphaned, so that
> when reading the driver there is no doubt it is builtin-only.
>
> Since module_init already wasn't being used in this code, the init
> ordering remains unchanged with this commit.
>
> Also note that MODULE_DEVICE_TABLE is a no-op for non-modular code.
>
> We also delete the MODULE_LICENSE tag etc. since all that information
> was (or is now) contained at the top of the file in the comments.
>
> Cc: Laurent Pinchart 
> Cc: Geert Uytterhoeven 
> Cc: Linus Walleij 
> Cc: linux-renesas-...@vger.kernel.org
> Cc: linux-g...@vger.kernel.org
> Signed-off-by: Paul Gortmaker 

Patch applied with Laurent's and Geert's ACKs.

Yours,
Linus Walleij


Re: [v5][PATCH] livepatch/ppc: Enable livepatching on powerpc

2016-03-08 Thread Balbir Singh


On 09/03/16 03:02, Petr Mladek wrote:
> On Tue 2016-03-08 18:33:57, Balbir Singh wrote:
>> Changelog v5:
>>  1. Removed the mini-stack frame created for klp_return_helper.
>> As a result of the mini-stack frame, function with > 8
>> arguments could not be patched
>>  2. Removed camel casing in the comments
> I tested this patch and it fails when I call a patched printk()
> from a module.
>
> You might try it with the test patch below. It is a bit twisted
> because it calls the patched printk from livepatch_cmdline_proc_show()
> that is added by the same patch module. Please, look at
> livepatch_cmdline_proc_show(), it does:
>
>   static int count;
>
>   if (!count++)
>   trace_printk("%s\n", "this has been live patched");
>   else
>   printk("%s\n", "this has been live patched");
>
>
> It means that it calls only trace_printk() when called the first time.
> It calls the patched printk when called the second time.
>
>
> I have tested it the following way:
>
>
> # booted kernel with the changes below
> # applied the patch:
> $> modprobe livepatch-sample
>
> # trigger the patched printk()
> $>cat /sys/kernel/livepatch/livepatch_sample/enabled
> 1
>
> # look into both dmesg and trace buffer
> $> dmesg | tail -n 1
> [  727.537307] patch enabled: 1
> $> cat /sys/kernel/debug/tracing/trace | tail -n 1
>  cat-3588  [003]    727.537448: livepatch_printk: patch 
> enabled: 1
>
> # trigger livepatch_cmdline_proc_show() 1st time
> c79:~ # cat /proc/cmdline 
> this has been live patched
>
> # the message appeared only in trace buffer
> $> dmesg | tail -n 1
> [  727.537307] patch enabled: 1
> c79:~ # cat /sys/kernel/debug/tracing/trace | tail -n 1
>  cat-3511  [000] 862.958383: livepatch_cmdline_proc_show: this has been live patched
>
>
> # trigger livepatch_cmdline_proc_show() 2nd time
> c79:~ # cat /proc/cmdline 
>
> !!! KABOOM !!!
>
> Is it because it tried to call the patched printk()?
>
Yes, the situation is that we restored the r2 for the kernel (from
ftrace_caller, it is now kernel_toc), whereas the LR points to the
module. The difference between r2 and r0 > 4GB.

Very good test case. Did it work with v4? I presume it did because we
have enough space to save both

Thanks,
Balbir Singh


linux-next: manual merge of the gpio tree with the mfd tree

2016-03-08 Thread Stephen Rothwell
Hi Linus,

Today's linux-next merge of the gpio tree got a conflict in:

  drivers/gpio/gpio-tps65912.c

between commits:

  65b6555971d0 ("mfd: tps65912: Remove old driver in preparation for new driver")
  ca801a22f465 ("gpio: tps65912: Add GPIO driver for the TPS65912 PMIC")

from the mfd tree and commit:

  0964ac703edf ("gpio: tps65912: Use devm_gpiochip_add_data() for gpio registration")

from the gpio tree.

I fixed it up (see below) and can carry the fix as necessary (no action
is required).

-- 
Cheers,
Stephen Rothwell

diff --cc drivers/gpio/gpio-tps65912.c
index 3da3840201de,e72302d2461a..
--- a/drivers/gpio/gpio-tps65912.c
+++ b/drivers/gpio/gpio-tps65912.c
@@@ -105,54 -90,54 +105,44 @@@ static struct gpio_chip template_chip 
  
  static int tps65912_gpio_probe(struct platform_device *pdev)
  {
 -  struct tps65912 *tps65912 = dev_get_drvdata(pdev->dev.parent);
 -  struct tps65912_board *pdata = dev_get_platdata(tps65912->dev);
 -  struct tps65912_gpio_data *tps65912_gpio;
 +  struct tps65912 *tps = dev_get_drvdata(pdev->dev.parent);
 +  struct tps65912_gpio *gpio;
int ret;
  
 -  tps65912_gpio = devm_kzalloc(>dev, sizeof(*tps65912_gpio),
 -   GFP_KERNEL);
 -  if (tps65912_gpio == NULL)
 +  gpio = devm_kzalloc(>dev, sizeof(*gpio), GFP_KERNEL);
 +  if (!gpio)
return -ENOMEM;
  
 -  tps65912_gpio->tps65912 = tps65912;
 -  tps65912_gpio->gpio_chip = template_chip;
 -  tps65912_gpio->gpio_chip.parent = >dev;
 -  if (pdata && pdata->gpio_base)
 -  tps65912_gpio->gpio_chip.base = pdata->gpio_base;
 +  gpio->tps = dev_get_drvdata(pdev->dev.parent);
 +  gpio->gpio_chip = template_chip;
 +  gpio->gpio_chip.parent = tps->dev;
  
-   ret = gpiochip_add_data(>gpio_chip, gpio);
 -  ret = devm_gpiochip_add_data(>dev, _gpio->gpio_chip,
 -   tps65912_gpio);
++  ret = devm_gpiochip_add_data(>dev, >gpio_chip, gpio);
if (ret < 0) {
 -  dev_err(>dev, "Failed to register gpiochip, %d\n", ret);
 +  dev_err(>dev, "Could not register gpiochip, %d\n", ret);
return ret;
}
  
 -  platform_set_drvdata(pdev, tps65912_gpio);
 +  platform_set_drvdata(pdev, gpio);
  
 -  return ret;
 +  return 0;
  }
  
- static int tps65912_gpio_remove(struct platform_device *pdev)
- {
-   struct tps65912_gpio *gpio = platform_get_drvdata(pdev);
- 
-   gpiochip_remove(>gpio_chip);
- 
-   return 0;
- }
- 
 +static const struct platform_device_id tps65912_gpio_id_table[] = {
 +  { "tps65912-gpio", },
 +  { /* sentinel */ }
 +};
 +MODULE_DEVICE_TABLE(platform, tps65912_gpio_id_table);
 +
  static struct platform_driver tps65912_gpio_driver = {
.driver = {
.name = "tps65912-gpio",
},
.probe = tps65912_gpio_probe,
-   .remove = tps65912_gpio_remove,
 +  .id_table = tps65912_gpio_id_table,
  };
 +module_platform_driver(tps65912_gpio_driver);
  
 -static int __init tps65912_gpio_init(void)
 -{
 -  return platform_driver_register(_gpio_driver);
 -}
 -subsys_initcall(tps65912_gpio_init);
 -
 -static void __exit tps65912_gpio_exit(void)
 -{
 -  platform_driver_unregister(_gpio_driver);
 -}
 -module_exit(tps65912_gpio_exit);
 -
 -MODULE_AUTHOR("Margarita Olaya Cabrera ");
 -MODULE_DESCRIPTION("GPIO interface for TPS65912 PMICs");
 +MODULE_AUTHOR("Andrew F. Davis ");
 +MODULE_DESCRIPTION("TPS65912 GPIO driver");
  MODULE_LICENSE("GPL v2");
 -MODULE_ALIAS("platform:tps65912-gpio");
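
Review bot: In tps65912_gpio_probe() the resolution keeps "gpio->tps = dev_get_drvdata(pdev->dev.parent);" even though the same pointer is already held in the local "tps" declared at the top of the function and used on the next-but-one line for "gpio->gpio_chip.parent = tps->dev;". Assigning "gpio->tps = tps;" would drop the second lookup and guarantee the stored pointer and the one used for the parent device cannot diverge. Dropping tps65912_gpio_remove() together with the ".remove" hook is the correct counterpart to taking devm_gpiochip_add_data() from the gpio tree side, since the managed variant unregisters the chip when the driver detaches; keeping the old remove function would have called gpiochip_remove() on a chip that devres also tears down.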


[PATCH 3.19.y-ckt 174/196] net/mlx4_en: Count HW buffer overrun only once

2016-03-08 Thread Kamal Mostafa
3.19.8-ckt16 -stable review patch.  If anyone has any objections, please let me 
know.

---8<

From: Amir Vadai 

[ Upstream commit 281e8b2fdf8e4ef366b899453cae50e09b577ada ]

RdropOvflw counts overrun of HW buffer, therefore should
be used for rx_fifo_errors only.

Currently RdropOvflw counter is mistakenly also set into
rx_missed_errors and rx_over_errors too, which makes the
device total dropped packets accounting to show wrong results.

Fix that. Use it for rx_fifo_errors only.

Fixes: c27a02cd94d6 ('mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC')
Signed-off-by: Amir Vadai 
Signed-off-by: Eugenia Emantayev 
Signed-off-by: Or Gerlitz 
Signed-off-by: David S. Miller 
Signed-off-by: Kamal Mostafa 
---
 drivers/net/ethernet/mellanox/mlx4/en_port.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/en_port.c 
b/drivers/net/ethernet/mellanox/mlx4/en_port.c
index 6cb8007..e6c6e72 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_port.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_port.c
@@ -200,11 +200,11 @@ int mlx4_en_DUMP_ETH_STATS(struct mlx4_en_dev *mdev, u8 
port, u8 reset)
   be64_to_cpu(mlx4_en_stats->MCAST_novlan);
stats->collisions = 0;
stats->rx_length_errors = be32_to_cpu(mlx4_en_stats->RdropLength);
-   stats->rx_over_errors = be32_to_cpu(mlx4_en_stats->RdropOvflw);
+   stats->rx_over_errors = 0;
stats->rx_crc_errors = be32_to_cpu(mlx4_en_stats->RCRC);
stats->rx_frame_errors = 0;
stats->rx_fifo_errors = be32_to_cpu(mlx4_en_stats->RdropOvflw);
-   stats->rx_missed_errors = be32_to_cpu(mlx4_en_stats->RdropOvflw);
+   stats->rx_missed_errors = 0;
stats->tx_aborted_errors = 0;
stats->tx_carrier_errors = 0;
stats->tx_fifo_errors = 0;
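
Review bot: The two replacement lines hard-code "stats->rx_over_errors = 0;" and "stats->rx_missed_errors = 0;" with no comment saying why, so a later reader cannot tell these from the neighbouring fields that were always zero (rx_frame_errors, collisions) and may be tempted to wire RdropOvflw back in. A one-line comment next to "stats->rx_fifo_errors" stating that RdropOvflw is the hardware buffer overrun counter and is deliberately reported there only would preserve the intent from the commit message. For a stable backport it is also worth stating in the changelog that both counters will read 0 after the update where they previously mirrored rx_fifo_errors, since monitoring that watches rx_missed_errors or rx_over_errors on these NICs will stop seeing overruns and needs to be pointed at rx_fifo_errors instead.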
-- 
2.7.0


