[PATCH 3.16 233/366] tracing: Fix bad use of igrab in trace_uprobe.c

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Song Liu commit 0c92c7a3c5d416f47b32c5f20a611dfeca5d5f2e upstream. As Miklos reported and suggested: This pattern repeats two times in trace_uprobe.c and in kernel/events/core.c as well:

[PATCH 3.16 164/366] x86/acpi: Prevent X2APIC id 0xffffffff from being accounted

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Dou Liyang commit 10daf10ab154e31237a8c07242be3063fb6a9bf4 upstream. RongQing reported that there are some X2APIC id 0x in his machine's ACPI MADT table, which makes the number of

[PATCH 3.16 235/366] RDMA/mlx5: Protect from shift operand overflow

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Leon Romanovsky commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream. Ensure that user didn't supply values too large that can cause overflow. UBSAN: Undefined behaviour in

[PATCH 3.16 215/366] ALSA: hda: Hardening for potential Spectre v1

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 69fa6f19b95597618ab30438a27b67ad93daa7c7 upstream. As recently Smatch suggested, one place in HD-audio hwdep ioctl codes may expand the array directly from the user-space

[PATCH 3.16 230/366] tracing/uprobe: Drop isdigit() check in create_trace_uprobe

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Dmitry Safonov commit 5ba8a4a96f6eaa6af88e24c7794f142217aa3b6f upstream. It's useless. Before: [tracing]# echo 'p:test /a:0x0' >> uprobe_events [tracing]# echo 'p:test a:0x0' >>

[PATCH 3.16 232/366] tracing: Deletion of an unnecessary check before iput()

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Markus Elfring commit 16a8ef2751801346f1f76a18685b2beb63cd170f upstream. The iput() function tests whether its argument is NULL and then returns immediately. Thus the test around the call is

[PATCH 3.16 231/366] uprobe: Find last occurrence of ':' when parsing uprobe PATH:OFFSET

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Kenny Yu commit 6496bb72bf20c1c7e4d6be44dfa663163e709116 upstream. Previously, `create_trace_uprobe` found the *first* occurrence of the ':' character when parsing `PATH:OFFSET` for a uprobe.

[PATCH 3.16 228/366] x86/smpboot: Don't use mwait_play_dead() on AMD systems

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Yazen Ghannam commit da6fa7ef67f07108a1b0cb9fd9e7fcaabd39c051 upstream. Recent AMD systems support using MWAIT for C1 state. However, MWAIT will not allow deeper cstates than C1 on current

[PATCH 3.16 221/366] tty: Use __GFP_NOFAIL for tty_ldisc_get()

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Tetsuo Handa commit bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20 upstream. syzbot is reporting crashes triggered by memory allocation fault injection at tty_ldisc_get() [1]. As an attempt to

[PATCH 3.16 278/366] smb3: directory sync should not return an error

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Steve French commit 6e70c267e68d77679534dcf4aaf84e66f2cf1425 upstream. As with NFS, which ignores sync on directory handles, fsync on a directory handle is a noop for CIFS/SMB3. Do not return

[PATCH 3.16 304/366] net/mlx4_core: Fix error handling in mlx4_init_port_info.

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Tarick Bedeir commit 57f6f99fdad9984801cde05c1db68fe39b474a10 upstream. Avoid exiting the function with a lingering sysfs file (if the first call to device_create_file() fails while the

[PATCH 3.16 234/366] libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Hans de Goede commit 184add2ca23ce5edcac0ab9c3b9be13f91e7b567 upstream. Richard Jones has reported that using med_power_with_dipm on a T450s with a Sandisk SD7UB3Q256G1001 SSD (firmware

[PATCH 3.16 309/366] VMXNET3: Check for map error in vmxnet3_set_mc

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy King commit 4ad9a64f53c619969dede1143d56ccda1a453c39 upstream. We should check if the map of the table actually succeeds, and also free resources accordingly. Version bumped to 1.2.1.0

[PATCH 3.16 305/366] tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all}

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Steven Rostedt (VMware)" commit 45dd9b0666a162f8e4be76096716670cf1741f0e upstream. Doing an audit of trace events, I discovered two trace events in the xen subsystem that use a hack to

[PATCH 3.16 306/366] MIPS: ptrace: Expose FIR register through FP regset

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Maciej W. Rozycki" commit 71e909c0cdad28a1df1fa14442929e68615dee45 upstream. Correct commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") and expose the FIR register using the

[PATCH 3.16 279/366] tracing: Fix regex_match_front() to not over compare the test string

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Steven Rostedt (VMware)" commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d upstream. The regex match function regex_match_front() in the tracing filter logic, was fixed to test just the

[PATCH 3.16 277/366] net/mlx4_en: Verify coalescing parameters are in range

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Moshe Shemesh commit 6ad4e91c6d796b38a7f0e724db1de28eeb122bad upstream. Add check of coalescing parameters received through ethtool are within range of values supported by the HW. Driver gets

[PATCH 3.16 301/366] drm/i915/userptr: reject zero user_size

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Matthew Auld commit 20943f984967477c906522112d2b6b5a29f94684 upstream. Operating on a zero sized GEM userptr object will lead to explosions. Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping

[PATCH 3.16 314/366] drm: set FMODE_UNSIGNED_OFFSET for drm files

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Dave Airlie commit 76ef6b28ea4f81c3d511866a9b31392caa833126 upstream. Since we have the ttm and gem vma managers using a subset of the file address space for objects, and these start at

[PATCH 3.16 308/366] MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Maciej W. Rozycki" commit 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 upstream. Check the TIF_32BIT_FPREGS task setting of the tracee rather than the tracer in determining the layout of

[PATCH 3.16 303/366] ARM: keystone: fix platform_domain_notifier array overrun

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Russell King commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa upstream. platform_domain_notifier contains a variable sized array, which the pm_clk_notify() notifier treats as a NULL terminated

[PATCH 3.16 298/366] x86/kexec: Avoid double free_page() upon do_kexec_load() failure

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Tetsuo Handa commit a466ef76b815b86748d9870ef2a430af7b39c710 upstream. >From ff82bedd3e12f0d3353282054ae48c3bd8c72012 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Wed, 9 May 2018

[PATCH 3.16 311/366] vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc()

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexey Khoroshilov commit fb5c6cfaec126d9a96b9dd471d4711bf4c737a6f upstream. vmxnet3_set_mc() checks new_table_pa returned by dma_map_single() with dma_mapping_error(), but even there it

[PATCH 3.16 282/366] Btrfs: use insert_inode_locked4 for inode creation

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Chris Mason commit b0d5d10f41a0f1cd839408dd94427f2db3553bca upstream. Btrfs was inserting inodes into the hash table before we had fully set the inode up on disk. This leaves us open to rare

[PATCH 3.16 342/366] aio: fix io_destroy(2) vs. lookup_ioctx() race

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Al Viro commit baf10564fbb66ea222cae66fbff11c444590ffd9 upstream. kill_ioctx() used to have an explicit RCU delay between removing the reference from ->ioctx_table and percpu_ref_kill()

[PATCH 3.16 302/366] Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Robbie Ko commit 6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2 upstream. [BUG] btrfs incremental send BUG happens when creating a snapshot of snapshot that is being used by send. [REASON] The

[PATCH 3.16 344/366] net/mlx4: Fix irq-unsafe spinlock usage

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Jack Morgenstein commit d546b67cda015fb92bfee93d5dc0ceadb91deaee upstream. spin_lock/unlock was used instead of spin_un/lock_irq in a procedure used in process space, on a spinlock which can

[PATCH 3.16 310/366] vmxnet3: fix checks for dma mapping errors

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexey Khoroshilov commit 5738a09d58d5ad2871f1f9a42bf6a3aa9ece5b3c upstream. vmxnet3_drv does not check dma_addr with dma_mapping_error() after mapping dma memory. The patch adds the checks

[PATCH 3.16 366/366] give up on gcc ilog2() constant optimizations

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Linus Torvalds commit 474c90156c8dcc2fa815e6716cc9394d7930cb9c upstream. gcc-7 has an "optimization" pass that completely screws up, and generates the code expansion for the (impossible) case

[PATCH 3.16 307/366] KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit ba3696e94d9d590d9a7e55f68e81c25dba515191 upstream. Trivial fix to spelling mistake in debugfs_entries text. Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs

[PATCH 3.16 343/366] ipvs: fix buffer overflow with sync daemon and service

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Julian Anastasov commit 52f96757905bbf0edef47f3ee6c7c784e7f8ff8a upstream. syzkaller reports for buffer overflow for interface name when starting sync daemons [1] What we do is that we copy

[PATCH 3.16 313/366] mmap: introduce sane default mmap limits

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Linus Torvalds commit be83bbf806822b1b89e0a0f23cd87cddc409e429 upstream. The internal VM "mmap()" interfaces are based on the mmap target doing everything using page indexes rather than byte

[PATCH 3.16 312/366] vmxnet3: set the DMA mask before the first DMA map operation

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "hp...@vmware.com" commit 61aeecea40afb2b89933e27cd4adb10fc2e75cfd upstream. The DMA mask must be set before, not after, the first DMA map operation, or the first DMA map operation could in

[PATCH 3.16 365/366] ip_tunnel: restore binding to ifaces with a large mtu

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Nicolas Dichtel commit 82612de1c98e610d194e34178bde3cca7dedce41 upstream. After commit f6cc9c054e77, the following conf is broken (note that the default loopback mtu is 65536, ie IP_MAX_MTU +

[PATCH 3.16 354/366] ppp: remove the PPPIOCDETACH ioctl

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit af8d3c7c001ae7df1ed2b2715f058113efc86187 upstream. The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file before f_count has reached 0, which is

[PATCH 3.16 359/366] tracing: Fix crash when freeing instances with event triggers

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Steven Rostedt (VMware)" commit 86b389ff22bd6ad8fd3cb98e41cd271886c6d023 upstream. If an instance has an event trigger enabled when it is freed, it could cause an access of free memory.

[PATCH 3.16 364/366] net: ethernet: davinci_emac: fix error handling in probe()

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter commit 8005b09d99fac78e6f5fb9da30b5ae94840af03b upstream. The current error handling code has an issue where it does: if (priv->txchan)

[PATCH 3.16 362/366] net: ethernet: ti: cpdma: correct error handling for chan create

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Ivan Khoronzhuk commit 8a83c5d7969b8433584e3cf658a8d76c4dc37f4d upstream. It's not correct to return NULL when that is actually an error and function returns errors in any other wrong case.

[PATCH 3.16 352/366] ppp: Fix null pointer dereference on registration failure

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings register_netdevice() will call the device's ndo_uninit operation if registration fails after it calls the ndo_init operation. However ppp_dev_uninit() uses ppp->ppp_net which is

[PATCH 3.16 361/366] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Sachin Grover commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream. Call trace: [] dump_backtrace+0x0/0x428 [] show_stack+0x28/0x38 [] dump_stack+0xd4/0x124 []

[PATCH 3.16 355/366] enic: set DMA mask to 47 bit

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Govindarajulu Varadarajan commit 322eaa06d55ebc1402a4a8d140945cff536638b4 upstream. In commit 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then failover to DMA") DMA mask was changed

[PATCH 3.16 356/366] Revert "ipc/shm: Fix shmat mmap nil-page protection"

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Davidlohr Bueso commit a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 upstream. Patch series "ipc/shm: shmat() fixes around nil-page". These patches fix two issues reported[1] a while back by Joe

[PATCH 3.16 358/366] kernel/sys.c: fix potential Spectre v1 issue

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Gustavo A. R. Silva" commit 23d6aef74da86a33fa6bb75f79565e0a16ee97c2 upstream. `resource' can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1

[PATCH 3.16 357/366] ipc/shm: fix shmat() nil address after round-down when remapping

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Davidlohr Bueso commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc upstream. shmat()'s SHM_REMAP option forbids passing a nil address for; this is in fact the very first thing we check for.

[PATCH 3.16 351/366] ppp: fix race in ppp device destruction

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit 6151b8b37b119e8e3a8401b080d532520c95faf4 upstream. ppp_release() tries to ensure that netdevices are unregistered before decrementing the unit refcount and running

[PATCH 3.16 347/366] ahci: Add PCI ID for Cannon Lake PCH-LP AHCI

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Mika Westerberg commit 4544e403eb25552aed7f0ee181a7a506b8800403 upstream. This one should be using the default LPM policy for mobile chipsets so add the PCI ID to the driver list of supported

[PATCH 3.16 361/366] selinux: KASAN: slab-out-of-bounds in xattr_getsecurity

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Sachin Grover commit efe3de79e0b52ca281ef6691480c8c68c82a4657 upstream. Call trace: [] dump_backtrace+0x0/0x428 [] show_stack+0x28/0x38 [] dump_stack+0xd4/0x124 []

[PATCH 3.16 355/366] enic: set DMA mask to 47 bit

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Govindarajulu Varadarajan commit 322eaa06d55ebc1402a4a8d140945cff536638b4 upstream. In commit 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then failover to DMA") DMA mask was changed

[PATCH 3.16 360/366] drm/i915: Disable LVDS on Radiant P845

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Ondrej Zary commit b3fb22733ae61050f8d10a1d6a8af176c5c5db1a upstream. Radiant P845 does not have LVDS, only VGA. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105468 Signed-off-by:

[PATCH 3.16 348/366] KVM: x86: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Wei Huang commit c4d2188206bafa177ea58e9a25b952baa0bf7712 upstream. The CPUID bits of OSXSAVE (function=0x1) and OSPKE (func=0x7, leaf=0x0) allows user apps to detect if OS has set

[PATCH 3.16 169/366] ext4: set h_journal if there is a failure starting a reserved handle

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Theodore Ts'o commit b2569260d55228b617bd82aba6d0db2faeeb4116 upstream. If ext4 tries to start a reserved handle via jbd2_journal_start_reserved(), and the journal has been aborted, this can

[PATCH 3.16 349/366] ppp: fix device unregistration upon netns deletion

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit 8cb775bc0a34dc596837e7da03fd22c747be618b upstream. PPP devices may get automatically unregistered when their network namespace is getting removed. This happens if the

[PATCH 3.16 115/366] ocfs2/dlm: wait for dlm recovery done when migrating all lock resources

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: piaojun commit 60c7ec9ee4a3410c2cb08850102d363c7e207f48 upstream. Wait for dlm recovery done when migrating all lock resources in case that new lock resource left after leaving dlm domain.

[PATCH 3.16 091/366] ALSA: pcm: Fix UAF at PCM release via PCM timer access

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b upstream. The PCM runtime object is created and freed dynamically at PCM stream open / close time. This is tracked via

[PATCH 3.16 353/366] ppp: unlock all_ppp_mutex before registering device

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit 0171c41835591e9aa2e384b703ef9a6ae367c610 upstream. ppp_dev_uninit(), which is the .ndo_uninit() handler of PPP devices, needs to lock pn->all_ppp_mutex. Therefore we

[PATCH 3.16 029/366] net: core: dst: Add kernel-doc for 'net' parameter

2018-10-14 Thread Ben Hutchings
3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Jonathan Neuschäfer commit 8eb1a8590f5ca114fabf16ebb26a4bce0255ace9 upstream. This fixes the following kernel-doc warning: ./include/net/dst.h:366: warning: Function parameter or member
