[PATCH 8/8] staging: rts5208: fix style warnings in xd.c

[Sergio Paracuellos]

This patch fixes the following checkpatch.pl warning in xd.c:
WARNING: else is not generally useful after a break or return

It also makes code more uniform with the new changes

Signed-off-by: Sergio Paracuellos 
---
 drivers/staging/rts5208/xd.c | 38 ++
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/drivers/staging/rts5208/xd.c b/drivers/staging/rts5208/xd.c
index ff423fa..1de02bb 100644
--- a/drivers/staging/rts5208/xd.c
+++ b/drivers/staging/rts5208/xd.c
@@ -1622,10 +1622,8 @@ static int xd_read_multiple_pages(struct rtsx_chip 
*chip, u32 phy_blk,
u8 reg_val, page_cnt;
int zone_no, retval, i;
 
-   if (start_page > end_page) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (start_page > end_page)
+   goto Status_Fail;
 
page_cnt = end_page - start_page;
zone_no = (int)(log_blk / 1000);
@@ -1641,8 +1639,7 @@ static int xd_read_multiple_pages(struct rtsx_chip *chip, 
u32 phy_blk,
 
if (detect_card_cd(chip, XD_CARD) != STATUS_SUCCESS) {
xd_set_err_code(chip, XD_NO_CARD);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
}
}
}
@@ -1677,8 +1674,7 @@ static int xd_read_multiple_pages(struct rtsx_chip *chip, 
u32 phy_blk,
 
if (retval == -ETIMEDOUT) {
xd_set_err_code(chip, XD_TO_ERROR);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
} else {
rtsx_trace(chip);
goto Fail;
@@ -1711,8 +1707,7 @@ static int xd_read_multiple_pages(struct rtsx_chip *chip, 
u32 phy_blk,
 
if (detect_card_cd(chip, XD_CARD) != STATUS_SUCCESS) {
xd_set_err_code(chip, XD_NO_CARD);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
}
 
xd_set_err_code(chip, XD_ECC_ERROR);
@@ -1720,8 +1715,7 @@ static int xd_read_multiple_pages(struct rtsx_chip *chip, 
u32 phy_blk,
new_blk = xd_get_unused_block(chip, zone_no);
if (new_blk == NO_NEW_BLK) {
XD_CLR_BAD_OLDBLK(xd_card);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
}
 
retval = xd_copy_page(chip, phy_blk, new_blk, 0,
@@ -1735,8 +1729,7 @@ static int xd_read_multiple_pages(struct rtsx_chip *chip, 
u32 phy_blk,
XD_CLR_BAD_NEWBLK(xd_card);
}
XD_CLR_BAD_OLDBLK(xd_card);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
}
xd_set_l2p_tbl(chip, zone_no, log_off, (u16)(new_blk & 0x3FF));
xd_erase_block(chip, phy_blk);
@@ -1744,6 +1737,7 @@ static int xd_read_multiple_pages(struct rtsx_chip *chip, 
u32 phy_blk,
XD_CLR_BAD_OLDBLK(xd_card);
}
 
+Status_Fail:
rtsx_trace(chip);
return STATUS_FAIL;
 }
@@ -1842,10 +1836,8 @@ static int xd_write_multiple_pages(struct rtsx_chip 
*chip, u32 old_blk,
dev_dbg(rtsx_dev(chip), "%s, old_blk = 0x%x, new_blk = 0x%x, log_blk = 
0x%x\n",
__func__, old_blk, new_blk, log_blk);
 
-   if (start_page > end_page) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (start_page > end_page)
+   goto Status_Fail;
 
page_cnt = end_page - start_page;
zone_no = (int)(log_blk / 1000);
@@ -1854,10 +1846,8 @@ static int xd_write_multiple_pages(struct rtsx_chip 
*chip, u32 old_blk,
page_addr = (new_blk << xd_card->block_shift) + start_page;
 
retval = xd_send_cmd(chip, READ1_1);
-   if (retval != STATUS_SUCCESS) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (retval != STATUS_SUCCESS)
+   goto Status_Fail;
 
rtsx_init_cmd(chip);
 
@@ -1892,8 +1882,7 @@ static int xd_write_multiple_pages(struct rtsx_chip 
*chip, u32 old_blk,
 
if (retval == -ETIMEDOUT) {
xd_set_err_code(chip, XD_TO_ERROR);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
} else {
rtsx_trace(chip);
goto Fail;
@@ -1933,6 +1922,7 @@ static int xd_write_multiple_pages(struct rtsx_chip 
*chip, u32 old_blk,
xd_mark_bad_block(chip, new_blk);
 

[PATCH 6/8] staging: rts5208: fix style warnings in spi.c

[Sergio Paracuellos]

 This patch fixes the following checkpatch.pl warning in spi.c:
 WARNING: line over 80 characters

Signed-off-by: Sergio Paracuellos 
---
 drivers/staging/rts5208/spi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rts5208/spi.c b/drivers/staging/rts5208/spi.c
index 26eb2a1..13c539c 100644
--- a/drivers/staging/rts5208/spi.c
+++ b/drivers/staging/rts5208/spi.c
@@ -39,7 +39,8 @@ static int spi_init(struct rtsx_chip *chip)
int retval;
 
retval = rtsx_write_register(chip, SPI_CONTROL, 0xFF,
-CS_POLARITY_LOW | DTO_MSB_FIRST | 
SPI_MASTER | SPI_MODE0 | SPI_AUTO);
+CS_POLARITY_LOW | DTO_MSB_FIRST
+| SPI_MASTER | SPI_MODE0 | SPI_AUTO);
if (retval) {
rtsx_trace(chip);
return retval;
-- 
1.9.1

[PATCH] Bluetooth: btwilink: Save the packet type before sending

[Laura Abbott]

Running with KASAN produces some messages:

BUG: KASAN: use-after-free in ti_st_send_frame+0x9c/0x16c at addr
ffc064868fe8
Read of size 1 by task kworker/u17:1/1266



Hardware name: HiKey Development Board (DT)
Workqueue: hci0 hci_cmd_work
Call trace:
[] dump_backtrace+0x0/0x178
[] show_stack+0x20/0x28
[] dump_stack+0xa8/0xe0
[] print_trailer+0x110/0x174
[] object_err+0x4c/0x5c
[] kasan_report_error+0x254/0x54c
[] kasan_report+0x64/0x70
[] __asan_load1+0x4c/0x54
[] ti_st_send_frame+0x9c/0x16c
[] hci_send_frame+0xb4/0x118
[] hci_cmd_work+0xcc/0x154
[] process_one_work+0x26c/0x7a4
[] worker_thread+0x9c/0x73c
[] kthread+0x138/0x154
[] ret_from_fork+0x10/0x40

The packet is being accessed for statistics after it has been freed.
Save the packet type before sending for statistics afterwards.

Signed-off-by: Laura Abbott 
---
Originally found and tested on 4.4 based branch.
---
 drivers/bluetooth/btwilink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c
index 485281b..ef51c9c 100644
--- a/drivers/bluetooth/btwilink.c
+++ b/drivers/bluetooth/btwilink.c
@@ -245,6 +245,7 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct 
sk_buff *skb)
 {
struct ti_st *hst;
long len;
+   int pkt_type;
 
hst = hci_get_drvdata(hdev);
 
@@ -258,6 +259,7 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct 
sk_buff *skb)
 * Freeing skb memory is taken care in shared transport layer,
 * so don't free skb memory here.
 */
+   pkt_type = hci_skb_pkt_type(skb);
len = hst->st_write(skb);
if (len < 0) {
kfree_skb(skb);
@@ -268,7 +270,7 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct 
sk_buff *skb)
 
/* ST accepted our skb. So, Go ahead and do rest */
hdev->stat.byte_tx += len;
-   ti_st_tx_complete(hst, hci_skb_pkt_type(skb));
+   ti_st_tx_complete(hst, pkt_type);
 
return 0;
 }
-- 
2.7.4

[PATCH 5/8] staging: rts5208: fix style warnings in rtsx_sys.h

[Sergio Paracuellos]

This patch fixes the following checkpatch.pl warning in rtsx_sys.h:
WARNING: do not add new typedefs

Signed-off-by: Sergio Paracuellos 
---
 drivers/staging/rts5208/rtsx_sys.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/staging/rts5208/rtsx_sys.h 
b/drivers/staging/rts5208/rtsx_sys.h
index 0b6b4d4..f49bed9 100644
--- a/drivers/staging/rts5208/rtsx_sys.h
+++ b/drivers/staging/rts5208/rtsx_sys.h
@@ -28,8 +28,6 @@
 #include "rtsx_chip.h"
 #include "rtsx_card.h"
 
-typedef dma_addr_t ULONG_PTR;
-
 static inline void rtsx_exclusive_enter_ss(struct rtsx_chip *chip)
 {
struct rtsx_dev *dev = chip->rtsx;
-- 
1.9.1

[PATCH 7/8] staging: rts5208: fix style warnings in sd.c

[Sergio Paracuellos]

This patch fixes the following checkpatch.pl warning in sd.c:
WARNING: else is not generally useful after a break or return

It also makes code more uniform with the new changes

Signed-off-by: Sergio Paracuellos 
---
 drivers/staging/rts5208/sd.c | 173 +++
 1 file changed, 61 insertions(+), 112 deletions(-)

diff --git a/drivers/staging/rts5208/sd.c b/drivers/staging/rts5208/sd.c
index e72c432..b0bbb36 100644
--- a/drivers/staging/rts5208/sd.c
+++ b/drivers/staging/rts5208/sd.c
@@ -2588,16 +2588,12 @@ static int reset_sd(struct rtsx_chip *chip)
 #endif
 
retval = sd_prepare_reset(chip);
-   if (retval != STATUS_SUCCESS) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (retval != STATUS_SUCCESS)
+   goto Status_Fail;
 
retval = sd_dummy_clock(chip);
-   if (retval != STATUS_SUCCESS) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (retval != STATUS_SUCCESS)
+   goto Status_Fail;
 
if (CHK_SDIO_EXIST(chip) && !CHK_SDIO_IGNORED(chip) && try_sdio) {
int rty_cnt = 0;
@@ -2605,8 +2601,7 @@ static int reset_sd(struct rtsx_chip *chip)
for (; rty_cnt < chip->sdio_retry_cnt; rty_cnt++) {
if (detect_card_cd(chip, SD_CARD) != STATUS_SUCCESS) {
sd_set_err_code(chip, SD_NO_CARD);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
}
 
retval = sd_send_cmd_get_rsp(chip, IO_SEND_OP_COND, 0,
@@ -2618,8 +2613,7 @@ static int reset_sd(struct rtsx_chip *chip)
dev_dbg(rtsx_dev(chip), "SD_IO card 
(Function number: %d)!\n",
func_num);
chip->sd_io = 1;
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
}
 
break;
@@ -2637,10 +2631,8 @@ static int reset_sd(struct rtsx_chip *chip)
 RTY_SD_RST:
retval = sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0, SD_RSP_TYPE_R0,
NULL, 0);
-   if (retval != STATUS_SUCCESS) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (retval != STATUS_SUCCESS)
+   goto Status_Fail;
 
wait_timeout(20);
 
@@ -2658,10 +2650,8 @@ static int reset_sd(struct rtsx_chip *chip)
 
retval = sd_send_cmd_get_rsp(chip, GO_IDLE_STATE, 0,
SD_RSP_TYPE_R0, NULL, 0);
-   if (retval != STATUS_SUCCESS) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (retval != STATUS_SUCCESS)
+   goto Status_Fail;
 
wait_timeout(20);
}
@@ -2672,39 +2662,32 @@ static int reset_sd(struct rtsx_chip *chip)
if (retval != STATUS_SUCCESS) {
if (detect_card_cd(chip, SD_CARD) != STATUS_SUCCESS) {
sd_set_err_code(chip, SD_NO_CARD);
-   rtsx_trace(chip);
-   return STATUS_FAIL;
+   goto Status_Fail;
}
 
j++;
-   if (j < 3) {
+   if (j < 3)
goto RTY_SD_RST;
-   } else {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   else
+   goto Status_Fail;
}
 
retval = sd_send_cmd_get_rsp(chip, SD_APP_OP_COND, voltage,
SD_RSP_TYPE_R3, rsp, 5);
if (retval != STATUS_SUCCESS) {
k++;
-   if (k < 3) {
+   if (k < 3)
goto RTY_SD_RST;
-   } else {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   else
+   goto Status_Fail;
}
 
i++;
wait_timeout(20);
} while (!(rsp[1] & 0x80) && (i < 255));
 
-   if (i == 255) {
-   rtsx_trace(chip);
-   return STATUS_FAIL;
-   }
+   if (i == 255)
+   goto Status_Fail;
 
if (hi_cap_flow) {
if (rsp[1] & 0x40)
@@ -2721,26 +2704,20 

[PATCH 2/8] staging: rts5208: fix style warnings in rtsx.c

[Sergio Paracuellos]

This patch fixes the following checkpatch.pl warning in rtsx.c:
WARNING: Symbolic permissions are not preferred.

Signed-off-by: Sergio Paracuellos 
---
 drivers/staging/rts5208/rtsx.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/rts5208/rtsx.c b/drivers/staging/rts5208/rtsx.c
index d7554f4..5d65a5c 100644
--- a/drivers/staging/rts5208/rtsx.c
+++ b/drivers/staging/rts5208/rtsx.c
@@ -34,27 +34,27 @@
 MODULE_LICENSE("GPL");
 
 static unsigned int delay_use = 1;
-module_param(delay_use, uint, S_IRUGO | S_IWUSR);
+module_param(delay_use, uint, 0644);
 MODULE_PARM_DESC(delay_use, "seconds to delay before using a new device");
 
 static int ss_en;
-module_param(ss_en, int, S_IRUGO | S_IWUSR);
+module_param(ss_en, int, 0644);
 MODULE_PARM_DESC(ss_en, "enable selective suspend");
 
 static int ss_interval = 50;
-module_param(ss_interval, int, S_IRUGO | S_IWUSR);
+module_param(ss_interval, int, 0644);
 MODULE_PARM_DESC(ss_interval, "Interval to enter ss state in seconds");
 
 static int auto_delink_en;
-module_param(auto_delink_en, int, S_IRUGO | S_IWUSR);
+module_param(auto_delink_en, int, 0644);
 MODULE_PARM_DESC(auto_delink_en, "enable auto delink");
 
 static unsigned char aspm_l0s_l1_en;
-module_param(aspm_l0s_l1_en, byte, S_IRUGO | S_IWUSR);
+module_param(aspm_l0s_l1_en, byte, 0644);
 MODULE_PARM_DESC(aspm_l0s_l1_en, "enable device aspm");
 
 static int msi_en;
-module_param(msi_en, int, S_IRUGO | S_IWUSR);
+module_param(msi_en, int, 0644);
 MODULE_PARM_DESC(msi_en, "enable msi");
 
 static irqreturn_t rtsx_interrupt(int irq, void *dev_id);
-- 
1.9.1

Re: [PATCH v2 3/4] i2c: i801: Do not create iTCO watchdog when WDAT table exists

[Wolfram Sang]

On Tue, Sep 20, 2016 at 03:30:53PM +0300, Mika Westerberg wrote:
> ACPI WDAT table is the preferred way to use hardware watchdog over the
> native iTCO_wdt. Windows only uses this table for its hardware watchdog
> implementation so we should be relatively safe to trust it has been
> validated by OEMs
> 
> Prevent iTCO watchdog creation if we detect that there is ACPI WDAT table.
> 
> Signed-off-by: Mika Westerberg 
> Reviewed-by: Guenter Roeck 

Acked-by: Wolfram Sang 



signature.asc
Description: PGP signature

[PATCH 4.7 132/184] Revert "wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel"

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Johannes Berg 

commit 4d0bd46a4d55383f7b925e6cf7865a77e0f0e020 upstream.

This reverts commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724.

Ben Hutchings pointed out that the commit isn't safe since it assumes
that the structure used by the driver is iw_point, when in fact there's
no way to know about that.

Fortunately, the only driver in the tree that ever runs this code path
is the wilc1000 staging driver, so it doesn't really matter.

Clearly I should have investigated this better before applying, sorry.

Reported-by: Ben Hutchings 
Fixes: 3d5fdff46c4b ("wext: Fix 32 bit iwpriv compatibility issue with 64 bit 
Kernel")
Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman 

---
 net/wireless/wext-core.c |   25 ++---
 1 file changed, 2 insertions(+), 23 deletions(-)

--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -958,29 +958,8 @@ static int wireless_process_ioctl(struct
return private(dev, iwr, cmd, info, handler);
}
/* Old driver API : call driver ioctl handler */
-   if (dev->netdev_ops->ndo_do_ioctl) {
-#ifdef CONFIG_COMPAT
-   if (info->flags & IW_REQUEST_FLAG_COMPAT) {
-   int ret = 0;
-   struct iwreq iwr_lcl;
-   struct compat_iw_point *iwp_compat = (void *) 
>u.data;
-
-   memcpy(_lcl, iwr, sizeof(struct iwreq));
-   iwr_lcl.u.data.pointer = 
compat_ptr(iwp_compat->pointer);
-   iwr_lcl.u.data.length = iwp_compat->length;
-   iwr_lcl.u.data.flags = iwp_compat->flags;
-
-   ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) 
_lcl, cmd);
-
-   iwp_compat->pointer = 
ptr_to_compat(iwr_lcl.u.data.pointer);
-   iwp_compat->length = iwr_lcl.u.data.length;
-   iwp_compat->flags = iwr_lcl.u.data.flags;
-
-   return ret;
-   } else
-#endif
-   return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
-   }
+   if (dev->netdev_ops->ndo_do_ioctl)
+   return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
return -EOPNOTSUPP;
 }
 

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

[Paolo Bonzini]

On 22/09/2016 19:46, Tom Lendacky wrote:
>> > Do you mean, it is encrypted here because we're in the guest kernel?
> Yes, the idea is that the SEV guest will be running encrypted from the
> start, including the BIOS/UEFI, and so all of the EFI related data will
> be encrypted.

Unless this is part of some spec, it's easier if things are the same in
SME and SEV.

Paolo

[PATCH 4.7 077/184] iio: accel: bmc150: reset chip at init time

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Olof Johansson 

commit 1c500840934a138bd6b13556c210516e9301fbee upstream.

In at least one known setup, the chip comes up in a state where reading
the chip ID returns garbage unless it's been reset, due to noise on the
wires during system boot.

All supported chips have the same reset method, and based on the
datasheets they all need 1.3 or 1.8ms to recover after reset. So, do
the conservative thing here and always reset the chip.

Signed-off-by: Olof Johansson 
Reviewed-by: Srinivas Pandruvada 
Signed-off-by: Jonathan Cameron 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iio/accel/bmc150-accel-core.c |   11 +++
 1 file changed, 11 insertions(+)

--- a/drivers/iio/accel/bmc150-accel-core.c
+++ b/drivers/iio/accel/bmc150-accel-core.c
@@ -67,6 +67,9 @@
 #define BMC150_ACCEL_REG_PMU_BW0x10
 #define BMC150_ACCEL_DEF_BW125
 
+#define BMC150_ACCEL_REG_RESET 0x14
+#define BMC150_ACCEL_RESET_VAL 0xB6
+
 #define BMC150_ACCEL_REG_INT_MAP_0 0x19
 #define BMC150_ACCEL_INT_MAP_0_BIT_SLOPE   BIT(2)
 
@@ -1497,6 +1500,14 @@ static int bmc150_accel_chip_init(struct
int ret, i;
unsigned int val;
 
+   /*
+* Reset chip to get it in a known good state. A delay of 1.8ms after
+* reset is required according to the data sheets of supported chips.
+*/
+   regmap_write(data->regmap, BMC150_ACCEL_REG_RESET,
+BMC150_ACCEL_RESET_VAL);
+   usleep_range(1800, 2500);
+
ret = regmap_read(data->regmap, BMC150_ACCEL_REG_CHIP_ID, );
if (ret < 0) {
dev_err(dev, "Error: Reading chip id\n");

[PATCH 4.7 103/184] ARM: dts: armada-388-clearfog: number LAN ports properly

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Russell King 

commit d9fd3c918114cfd3995947339549c7341181efb0 upstream.

Currently, the ports as seen from the rear number as:

eth0 sfp lan5 lan4 lan3 lan2 lan1 lan6

which is illogical - this came about because the rev 2.0 boards have the
LEDs on the front for the DSA switch (lan5-1) reversed.  Rev 2.1 boards
fixed the LED issue, and the Clearfog case numbers the lan ports
increasing from left to right.

Maintaining this illogical numbering causes confusion, with reports that
"my link isn't coming up" and "my connection negotiates 10base-Half"
both of which are due to people thinking that the port next to the SFP
is lan1.

Fix this by renumbering the ports to match people's expectations.

[gregory.clem...@free-electrons.com: added the Fixes and stable tags]

Fixes: 4c945e8556ec ("ARM: dts: Add SolidRun Armada 388 Clearfog A1 DT
file")
Signed-off-by: Russell King 
Reviewed-by: Andrew Lunn 
Signed-off-by: Gregory CLEMENT 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/armada-388-clearfog.dts |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/boot/dts/armada-388-clearfog.dts
+++ b/arch/arm/boot/dts/armada-388-clearfog.dts
@@ -406,12 +406,12 @@
 
port@0 {
reg = <0>;
-   label = "lan1";
+   label = "lan5";
};
 
port@1 {
reg = <1>;
-   label = "lan2";
+   label = "lan4";
};
 
port@2 {
@@ -421,12 +421,12 @@
 
port@3 {
reg = <3>;
-   label = "lan4";
+   label = "lan2";
};
 
port@4 {
reg = <4>;
-   label = "lan5";
+   label = "lan1";
};
 
port@5 {

[PATCH 4.7 098/184] ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Anson Huang 

commit 8aade778f787305fdbfd3c1d54e6b583601b5902 upstream.

i.MX6SX has bypass PMIC ready function, as this function
is normally NOT enabled on the board design, so we need
to bypass the PMIC ready pin check during DSM mode resume
flow, otherwise, the internal DSM resume logic will be
waiting for this signal to be ready forever and cause
resume fail.

Signed-off-by: Anson Huang 
Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx")
Tested-by: Peter Chen 
Signed-off-by: Shawn Guo 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/mach-imx/pm-imx6.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-imx/pm-imx6.c
+++ b/arch/arm/mach-imx/pm-imx6.c
@@ -310,7 +310,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
val |= 0x3 << BP_CLPCR_STBY_COUNT;
val |= BM_CLPCR_VSTBY;
val |= BM_CLPCR_SBYOS;
-   if (cpu_is_imx6sl())
+   if (cpu_is_imx6sl() || cpu_is_imx6sx())
val |= BM_CLPCR_BYPASS_PMIC_READY;
if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;

[PATCH 4.7 100/184] ARM: OMAP3: hwmod data: Add sysc information for DSI

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Sebastian Reichel 

commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.

Add missing sysconfig/sysstatus information
to OMAP3 hwmod. The information has been
checked against OMAP34xx and OMAP36xx TRM.

Without this change DSI block is not reset
during boot, which is required for working
Nokia N950 display.

Signed-off-by: Sebastian Reichel 
Signed-off-by: Tony Lindgren 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |   12 
 1 file changed, 12 insertions(+)

--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -722,8 +722,20 @@ static struct omap_hwmod omap3xxx_dss_di
  * display serial interface controller
  */
 
+static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
+   .rev_offs   = 0x,
+   .sysc_offs  = 0x0010,
+   .syss_offs  = 0x0014,
+   .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
+  SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
+  SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
+   .idlemodes  = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+   .sysc_fields= _hwmod_sysc_type1,
+};
+
 static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
.name = "dsi",
+   .sysc   = _dsi_sysc,
 };
 
 static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {

Re: [PATCH] ARM: dts: exynos: Add reboot reason support for Trats2

[Krzysztof Kozlowski]

Hi,

Thanks for the patch, it is nice that someone did this! When I saw the
syscon reboot mode driver, I though about such feature but never had
time or will to implement it. Great job!

Few comments below.

On Thu, Sep 22, 2016 at 06:48:35PM +0200, Wolfgang Wiedmeyer wrote:
> This allows to reboot the device into recovery mode and into the download
> mode of the bootloader.

Which bootloader? Probably UBoot... or Samsung stock one? Could you put
that information here?

> 
> Signed-off-by: Wolfgang Wiedmeyer 
> ---
>  arch/arm/boot/dts/exynos4412-trats2.dts | 14 ++
>  arch/arm/boot/dts/exynos4x12.dtsi   |  2 +-
>  2 files changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/arm/boot/dts/exynos4412-trats2.dts 
> b/arch/arm/boot/dts/exynos4412-trats2.dts
> index 129e973..a38d1e3 100644
> --- a/arch/arm/boot/dts/exynos4412-trats2.dts
> +++ b/arch/arm/boot/dts/exynos4412-trats2.dts
> @@ -1294,3 +1294,17 @@
>   vtmu-supply = <_reg>;
>   status = "okay";
>  };
> +
> + {
> + compatible = "syscon", "simple-mfd";
> +
> + reboot-mode {
> + compatible = "syscon-reboot-mode";
> + offset = <0x80c>;
> +
> + mode-normal = <0x12345670>;
> + mode-bootloader = <0x12345671>;
> + mode-download   = <0x12345671>;
> + mode-recovery   = <0x12345674>;

Hmmm, how did you get these values? Are they already supported?

It would be nice to document them:
1. In Documentation/arm/Samsung/Bootloader-interface.txt
2. In header. I hate such magic numbers... you could add new header next
   to existing rockchip one:
   include/dt-bindings/soc/samsung,boot-mode.h
   (and update maintainers entry :) )


Best regards,
Krzysztof


> + };
> +};
> diff --git a/arch/arm/boot/dts/exynos4x12.dtsi 
> b/arch/arm/boot/dts/exynos4x12.dtsi
> index c452499..b58c14e 100644
> --- a/arch/arm/boot/dts/exynos4x12.dtsi
> +++ b/arch/arm/boot/dts/exynos4x12.dtsi
> @@ -179,7 +179,7 @@
>   ranges;
>   status = "disabled";
>  
> - pmu@1002 {
> + pmu: pmu@1002 {
>   reg = <0x1002 0x3000>;
>   };
>  
> -- 
> Website: https://fossencdi.org
> OpenPGP: 0F30 D1A0 2F73 F70A 6FEE  048E 5816 A24C 1075 7FC4
> Key download: https://wiedmeyer.de/keys/ww.asc
> 

Re: [PATCH v2] i2c / ACPI: Do not touch an I2C device if it belongs to another adapter

[Wolfram Sang]

On Tue, Sep 20, 2016 at 04:59:25PM +0300, Mika Westerberg wrote:
> When enumerating I2C devices connected to an I2C adapter we scan the whole
> namespace (as it is possible to have devices anywhere in that namespace,
> not just below the I2C adapter device) and add each found device to the I2C
> bus in question.
> 
> Now after commit 525e6fabeae2 ("i2c / ACPI: add support for ACPI
> reconfigure notifications") checking of the adapter handle to the one found
> in the I2cSerialBus() resource was moved to happen after resources of the
> I2C device has been parsed. This means that if the I2cSerialBus() resource
> points to an adapter that does not exists in the system we still parse
> those resources. This is problematic in particular because
> acpi_dev_resource_interrupt() tries to configure GSI if the device also has
> an Interrupt() resource. Failing to do that results errrors like this to be
> printed on the console:
> 
>   [   10.409490] ERROR: Unable to locate IOAPIC for GSI 37
> 
> To fix this we pass the I2C adapter to i2c_acpi_get_info() and make sure
> the handle matches the one in the I2cSerialBus() resource before doing
> anything else to the device.
> 
> Reported-and-tested-by: Nicolai Stange 
> Signed-off-by: Mika Westerberg 

Applied to for-next, thanks!



signature.asc
Description: PGP signature

[PATCH 4.7 105/184] ARM: dts: overo: fix gpmc nand on boards with ethernet

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Johan Hovold 

commit 153b58ea932b2d0642fa5cd41c93bb0555f3f09b upstream.

The gpmc ranges property for NAND at CS0 was being overridden by later
includes that defined gpmc ethernet nodes, effectively breaking NAND on
these systems:

omap-gpmc 6e00.gpmc: /ocp/gpmc@6e00/nand@0,0 has
malformed 'reg' property

Instead of redefining the NAND range in every such dtsi, define all
currently used ranges in omap3-overo-base.dtsi.

Fixes: 98ce6007efb4 ("ARM: dts: overo: Support PoP NAND")
Signed-off-by: Johan Hovold 
Signed-off-by: Tony Lindgren 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/omap3-overo-base.dtsi  |4 +++-
 arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi |2 --
 arch/arm/boot/dts/omap3-overo-tobi-common.dtsi   |2 --
 arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi|3 ---
 4 files changed, 3 insertions(+), 8 deletions(-)

--- a/arch/arm/boot/dts/omap3-overo-base.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-base.dtsi
@@ -223,7 +223,9 @@
 };
 
  {
-   ranges = <0 0 0x3000 0x100>;/* CS0 */
+   ranges = <0 0 0x3000 0x100>,/* CS0 */
+<4 0 0x2b00 0x100>,/* CS4 */
+<5 0 0x2c00 0x100>;/* CS5 */
 
nand@0,0 {
compatible = "ti,omap2-nand";
--- a/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-chestnut43-common.dtsi
@@ -55,8 +55,6 @@
 #include "omap-gpmc-smsc9221.dtsi"
 
  {
-   ranges = <5 0 0x2c00 0x100>;/* CS5 */
-
ethernet@gpmc {
reg = <5 0 0xff>;
interrupt-parent = <>;
--- a/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-tobi-common.dtsi
@@ -27,8 +27,6 @@
 #include "omap-gpmc-smsc9221.dtsi"
 
  {
-   ranges = <5 0 0x2c00 0x100>;/* CS5 */
-
ethernet@gpmc {
reg = <5 0 0xff>;
interrupt-parent = <>;
--- a/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
+++ b/arch/arm/boot/dts/omap3-overo-tobiduo-common.dtsi
@@ -15,9 +15,6 @@
 #include "omap-gpmc-smsc9221.dtsi"
 
  {
-   ranges = <4 0 0x2b00 0x100>,/* CS4 */
-<5 0 0x2c00 0x100>;/* CS5 */
-
smsc1: ethernet@gpmc {
reg = <5 0 0xff>;
interrupt-parent = <>;

[PATCH 4.7 097/184] ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Peter Chen 

commit f5a49057c71433e35a4712ab8d8f00641b3e1ec0 upstream.

There is a missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul,
without it, the "standby" mode can't work well, the system can't be
resumed.

With this commit, the "standby" mode works well.

Signed-off-by: Peter Chen 
Cc: Anson Huang 
Fixes: ee4a5f838c84 ("ARM: imx: add suspend/resume support for i.mx6ul")
Signed-off-by: Shawn Guo 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/mach-imx/pm-imx6.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-imx/pm-imx6.c
+++ b/arch/arm/mach-imx/pm-imx6.c
@@ -295,7 +295,7 @@ int imx6_set_lpm(enum mxc_cpu_pwr_mode m
val &= ~BM_CLPCR_SBYOS;
if (cpu_is_imx6sl())
val |= BM_CLPCR_BYPASS_PMIC_READY;
-   if (cpu_is_imx6sl() || cpu_is_imx6sx())
+   if (cpu_is_imx6sl() || cpu_is_imx6sx() || cpu_is_imx6ul())
val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
else
val |= BM_CLPCR_BYP_MMDC_CH1_LPM_HS;

[PATCH 4.7 099/184] ARM: kirkwood: ib62x0: fix size of u-boot environment partition

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Simon Baatz 

commit a77893767aac17a33887d1c429120790fbc2 upstream.

Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
partition") split the "u-boot" partition into "u-boot" and "u-boot
environment".  However, instead of the size of the environment, an offset
was given, resulting in overlapping partitions.

Signed-off-by: Simon Baatz 
Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
Cc: Jason Cooper 
Cc: Andrew Lunn 
Cc: Gregory Clement 
Cc: Sebastian Hesselbarth 
Cc: Luka Perkov 
Reviewed-by: Andrew Lunn 
Signed-off-by: Gregory CLEMENT 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/kirkwood-ib62x0.dts |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
+++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
@@ -113,7 +113,7 @@
 
partition@e {
label = "u-boot environment";
-   reg = <0xe 0x10>;
+   reg = <0xe 0x2>;
};
 
partition@10 {

[PATCH 14/14] GPU-DRM-TTM: Mark an array of text strings as "const" in ttm_dma_pool_init()

[SF Markus Elfring]

From: Markus Elfring 
Date: Thu, 22 Sep 2016 18:46:01 +0200

The local variable "n" was not modified after it was initialized with
a few text strings.
Thus express this detail also by the data type qualifier "const".

Signed-off-by: Markus Elfring 
---
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c 
b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
index aa1679d..e21c1b3 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
@@ -574,7 +574,7 @@ static int ttm_dma_pool_match(struct device *dev, void 
*res, void *match_data)
 static struct dma_pool *ttm_dma_pool_init(struct device *dev, gfp_t flags,
  enum pool_type type)
 {
-   char *n[] = {"wc", "uc", "cached", " dma32", "unknown",};
+   char const * const n[] = {"wc", "uc", "cached", " dma32", "unknown",};
enum pool_type t[] = {IS_WC, IS_UC, IS_CACHED, IS_DMA32, IS_UNDEFINED};
struct device_pools *sec_pool;
struct dma_pool *pool, **ptr;
-- 
2.10.0

[PATCH 4.7 102/184] ARM: dts: imx6qdl: Fix SPDIF regression

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Fabio Estevam 

commit f065e9e4addd75c21bb976bb2558648bf4f61de6 upstream.

Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
changed many more clocks than only the SPDIF core clock as stated in
the commit message.

The MLB clock has been added and this causes SPDIF regression as
reported by Xavi Drudis Ferran and also in this forum post:
https://forum.digikey.com/thread/34240

The MX6Q Reference Manual does not mention that MLB is a clock related
to SPDIF, so change it back to a dummy clock to restore SPDIF
functionality.

Thanks to Ambika for providing the fix at:
https://community.nxp.com/thread/387131

Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif")
Reported-by: Xavi Drudis Ferran 
Signed-off-by: Fabio Estevam 
Tested-by:  Xavi Drudis Ferran 
Signed-off-by: Shawn Guo 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/imx6qdl.dtsi |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6qdl.dtsi
+++ b/arch/arm/boot/dts/imx6qdl.dtsi
@@ -242,7 +242,7 @@
clocks = < 
IMX6QDL_CLK_SPDIF_GCLK>, < IMX6QDL_CLK_OSC>,
 < IMX6QDL_CLK_SPDIF>, 
< IMX6QDL_CLK_ASRC>,
 < IMX6QDL_CLK_DUMMY>, 
< IMX6QDL_CLK_ESAI_EXTAL>,
-< IMX6QDL_CLK_IPG>, 
< IMX6QDL_CLK_MLB>,
+< IMX6QDL_CLK_IPG>, 
< IMX6QDL_CLK_DUMMY>,
 < IMX6QDL_CLK_DUMMY>, 
< IMX6QDL_CLK_SPBA>;
clock-names = "core",  "rxtx0",
  "rxtx1", "rxtx2",

Re: [tip:sched/core] sched/core: Avoid _cond_resched() for PREEMPT=y

[Paul E. McKenney]

On Thu, Sep 22, 2016 at 02:25:01PM -0400, Mikulas Patocka wrote:
> I've found a document that says that cond_resched() is needed on
> preemptible kernels to mark RCU quiescent states:
> 
> https://lwn.net/Articles/603252/
> 
> Paul, is cond_resched() still needed on current RCU implementation? Or not?

It can be if you loop in the kernel for a very long time.

But cond_resched_rcu_qs() is instead needed in cases where there is only
one runnable non-idle non-nohz task on a given CPU.

Thanx, Paul

> Mikulas
> 
> 
> 
> On Thu, 22 Sep 2016, tip-bot for Peter Zijlstra wrote:
> 
> > Commit-ID:  35a773a07926a22bf19d77ee00024522279c4e68
> > Gitweb: 
> > http://git.kernel.org/tip/35a773a07926a22bf19d77ee00024522279c4e68
> > Author: Peter Zijlstra 
> > AuthorDate: Mon, 19 Sep 2016 12:57:53 +0200
> > Committer:  Ingo Molnar 
> > CommitDate: Thu, 22 Sep 2016 14:53:46 +0200
> > 
> > sched/core: Avoid _cond_resched() for PREEMPT=y
> > 
> > On fully preemptible kernels _cond_resched() is pointless, so avoid
> > emitting any code for it.
> > 
> > Signed-off-by: Peter Zijlstra (Intel) 
> > Cc: Linus Torvalds 
> > Cc: Mikulas Patocka 
> > Cc: Oleg Nesterov 
> > Cc: Peter Zijlstra 
> > Cc: Thomas Gleixner 
> > Cc: linux-kernel@vger.kernel.org
> > Signed-off-by: Ingo Molnar 
> > ---
> >  include/linux/sched.h | 4 
> >  kernel/sched/core.c   | 2 ++
> >  2 files changed, 6 insertions(+)
> > 
> > diff --git a/include/linux/sched.h b/include/linux/sched.h
> > index f00ee8e..b99fcd1 100644
> > --- a/include/linux/sched.h
> > +++ b/include/linux/sched.h
> > @@ -3209,7 +3209,11 @@ static inline int signal_pending_state(long state, 
> > struct task_struct *p)
> >   * cond_resched_lock() will drop the spinlock before scheduling,
> >   * cond_resched_softirq() will enable bhs before scheduling.
> >   */
> > +#ifndef CONFIG_PREEMPT
> >  extern int _cond_resched(void);
> > +#else
> > +static inline int _cond_resched(void) { return 0; }
> > +#endif
> >  
> >  #define cond_resched() ({  \
> > ___might_sleep(__FILE__, __LINE__, 0);  \
> > diff --git a/kernel/sched/core.c b/kernel/sched/core.c
> > index b2ec53c..d7babcc 100644
> > --- a/kernel/sched/core.c
> > +++ b/kernel/sched/core.c
> > @@ -4883,6 +4883,7 @@ SYSCALL_DEFINE0(sched_yield)
> > return 0;
> >  }
> >  
> > +#ifndef CONFIG_PREEMPT
> >  int __sched _cond_resched(void)
> >  {
> > if (should_resched(0)) {
> > @@ -4892,6 +4893,7 @@ int __sched _cond_resched(void)
> > return 0;
> >  }
> >  EXPORT_SYMBOL(_cond_resched);
> > +#endif
> >  
> >  /*
> >   * __cond_resched_lock() - if a reschedule is pending, drop the given lock,
> > 
> 

[PATCH 4.7 108/184] bus: arm-ccn: Do not attempt to configure XPs for cycle counter

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Pawel Moll 

commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 upstream.

Fuzzing the CCN perf driver revealed a small but definitely dangerous
mistake in the event setup code. When a cycle counter is requested, the
driver should not reconfigure the events bus at all, otherwise it will
corrupt (in most but the simplest cases) its configuration and may end
up accessing XP array out of its bounds and corrupting control
registers.

Reported-by: Mark Rutland 
Reviewed-by: Mark Rutland 
Tested-by: Mark Rutland 
Signed-off-by: Pawel Moll 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/bus/arm-ccn.c |4 
 1 file changed, 4 insertions(+)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -895,6 +895,10 @@ static void arm_ccn_pmu_xp_dt_config(str
struct arm_ccn_component *xp;
u32 val, dt_cfg;
 
+   /* Nothing to do for cycle counter */
+   if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
+   return;
+
if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
xp = >xp[CCN_CONFIG_XP(event->attr.config)];
else

[PATCH 4.7 042/184] pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 upstream.

If the attempt to connect to a DS fails inside ff_layout_pg_init_read or
ff_layout_pg_init_write, then we currently end up clearing the layout
segment carried by the struct nfs_pageio_descriptor, causing an Oops
when we later call into ff_layout_read_pagelist/ff_layout_write_pagelist.

The fix is to ensure we return the layout and then retry.

Fixes: 446ca2195303 ("pNFS/flexfiles: When initing reads or writes, we...")
Signed-off-by: Trond Myklebust 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfs/flexfilelayout/flexfilelayout.c|   37 ++
 fs/nfs/flexfilelayout/flexfilelayoutdev.c |   19 ---
 2 files changed, 28 insertions(+), 28 deletions(-)

--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -806,11 +806,14 @@ ff_layout_choose_best_ds_for_read(struct
 {
struct nfs4_ff_layout_segment *fls = FF_LAYOUT_LSEG(lseg);
struct nfs4_pnfs_ds *ds;
+   bool fail_return = false;
int idx;
 
/* mirrors are sorted by efficiency */
for (idx = start_idx; idx < fls->mirror_array_cnt; idx++) {
-   ds = nfs4_ff_layout_prepare_ds(lseg, idx, false);
+   if (idx+1 == fls->mirror_array_cnt)
+   fail_return = true;
+   ds = nfs4_ff_layout_prepare_ds(lseg, idx, fail_return);
if (ds) {
*best_idx = idx;
return ds;
@@ -859,6 +862,7 @@ ff_layout_pg_init_read(struct nfs_pageio
struct nfs4_pnfs_ds *ds;
int ds_idx;
 
+retry:
/* Use full layout for now */
if (!pgio->pg_lseg)
ff_layout_pg_get_read(pgio, req, false);
@@ -871,10 +875,13 @@ ff_layout_pg_init_read(struct nfs_pageio
 
ds = ff_layout_choose_best_ds_for_read(pgio->pg_lseg, 0, _idx);
if (!ds) {
-   if (ff_layout_no_fallback_to_mds(pgio->pg_lseg))
-   goto out_pnfs;
-   else
+   if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg))
goto out_mds;
+   pnfs_put_lseg(pgio->pg_lseg);
+   pgio->pg_lseg = NULL;
+   /* Sleep for 1 second before retrying */
+   ssleep(1);
+   goto retry;
}
 
mirror = FF_LAYOUT_COMP(pgio->pg_lseg, ds_idx);
@@ -890,12 +897,6 @@ out_mds:
pnfs_put_lseg(pgio->pg_lseg);
pgio->pg_lseg = NULL;
nfs_pageio_reset_read_mds(pgio);
-   return;
-
-out_pnfs:
-   pnfs_set_lo_fail(pgio->pg_lseg);
-   pnfs_put_lseg(pgio->pg_lseg);
-   pgio->pg_lseg = NULL;
 }
 
 static void
@@ -909,6 +910,7 @@ ff_layout_pg_init_write(struct nfs_pagei
int i;
int status;
 
+retry:
if (!pgio->pg_lseg) {
pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode,
   req->wb_context,
@@ -940,10 +942,13 @@ ff_layout_pg_init_write(struct nfs_pagei
for (i = 0; i < pgio->pg_mirror_count; i++) {
ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, i, true);
if (!ds) {
-   if (ff_layout_no_fallback_to_mds(pgio->pg_lseg))
-   goto out_pnfs;
-   else
+   if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg))
goto out_mds;
+   pnfs_put_lseg(pgio->pg_lseg);
+   pgio->pg_lseg = NULL;
+   /* Sleep for 1 second before retrying */
+   ssleep(1);
+   goto retry;
}
pgm = >pg_mirrors[i];
mirror = FF_LAYOUT_COMP(pgio->pg_lseg, i);
@@ -956,12 +961,6 @@ out_mds:
pnfs_put_lseg(pgio->pg_lseg);
pgio->pg_lseg = NULL;
nfs_pageio_reset_write_mds(pgio);
-   return;
-
-out_pnfs:
-   pnfs_set_lo_fail(pgio->pg_lseg);
-   pnfs_put_lseg(pgio->pg_lseg);
-   pgio->pg_lseg = NULL;
 }
 
 static unsigned int
--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
@@ -379,7 +379,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
 
devid = >mirror_ds->id_node;
if (ff_layout_test_devid_unavailable(devid))
-   goto out;
+   goto out_fail;
 
ds = mirror->mirror_ds->ds;
/* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */
@@ -405,15 +405,16 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
mirror->mirror_ds->ds_versions[0].rsize = max_payload;
if (mirror->mirror_ds->ds_versions[0].wsize > max_payload)

[PATCH 4.7 041/184] kernfs: dont depend on d_find_any_alias() when generating notifications

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Tejun Heo 

commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream.

kernfs_notify_workfn() sends out file modified events for the
scheduled kernfs_nodes.  Because the modifications aren't from
userland, it doesn't have the matching file struct at hand and can't
use fsnotify_modify().  Instead, it looked up the inode and then used
d_find_any_alias() to find the dentry and used fsnotify_parent() and
fsnotify() directly to generate notifications.

The assumption was that the relevant dentries would have been pinned
if there are listeners, which isn't true as inotify doesn't pin
dentries at all and watching the parent doesn't pin the child dentries
even for dnotify.  This led to, for example, inotify watchers not
getting notifications if the system is under memory pressure and the
matching dentries got reclaimed.  It can also be triggered through
/proc/sys/vm/drop_caches or a remount attempt which involves shrinking
dcache.

fsnotify_parent() only uses the dentry to access the parent inode,
which kernfs can do easily.  Update kernfs_notify_workfn() so that it
uses fsnotify() directly for both the parent and target inodes without
going through d_find_any_alias().  While at it, supply the target file
name to fsnotify() from kernfs_node->name.

Signed-off-by: Tejun Heo 
Reported-by: Evgeny Vereshchagin 
Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too")
Cc: John McCutchan 
Cc: Robert Love 
Cc: Eric Paris 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/kernfs/file.c |   28 +---
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -840,21 +840,35 @@ repeat:
mutex_lock(_mutex);
 
list_for_each_entry(info, _root(kn)->supers, node) {
+   struct kernfs_node *parent;
struct inode *inode;
-   struct dentry *dentry;
 
+   /*
+* We want fsnotify_modify() on @kn but as the
+* modifications aren't originating from userland don't
+* have the matching @file available.  Look up the inodes
+* and generate the events manually.
+*/
inode = ilookup(info->sb, kn->ino);
if (!inode)
continue;
 
-   dentry = d_find_any_alias(inode);
-   if (dentry) {
-   fsnotify_parent(NULL, dentry, FS_MODIFY);
-   fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
-NULL, 0);
-   dput(dentry);
+   parent = kernfs_get_parent(kn);
+   if (parent) {
+   struct inode *p_inode;
+
+   p_inode = ilookup(info->sb, parent->ino);
+   if (p_inode) {
+   fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD,
+inode, FSNOTIFY_EVENT_INODE, kn->name, 
0);
+   iput(p_inode);
+   }
+
+   kernfs_put(parent);
}
 
+   fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
+kn->name, 0);
iput(inode);
}
 

[PATCH 4.7 039/184] powerpc/mm: Dont alias user region to other regions below PAGE_OFFSET

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Paul Mackerras 

commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream.

In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13)
we lost a check on the region number (the top four bits of the effective
address) for addresses below PAGE_OFFSET.  That commit replaced a check
that the top 18 bits were all zero with a check that bits 46 - 59 were
zero (performed for all addresses, not just user addresses).

This means that userspace can access an address like 0x1000_0xxx__
and we will insert a valid SLB entry for it.  The VSID used will be the
same as if the top 4 bits were 0, but the page size will be some random
value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
array in the paca.  If that page size is the same as would be used for
region 0, then userspace just has an alias of the region 0 space.  If the
page size is different, then no HPTE will be found for the access, and
the process will get a SIGSEGV (since hash_page_mm() will refuse to create
a HPTE for the bogus address).

The access beyond the end of the mm_ctx_high_slices_psize can be at most
5.5MB past the array, and so will be in RAM somewhere.  Since the access
is a load performed in real mode, it won't fault or crash the kernel.
At most this bug could perhaps leak a little bit of information about
blocks of 32 bytes of memory located at offsets of i * 512kB past the
paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.

Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range")
Signed-off-by: Paul Mackerras 
Reviewed-by: Aneesh Kumar K.V 
Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/mm/slb_low.S |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/powerpc/mm/slb_low.S
+++ b/arch/powerpc/mm/slb_low.S
@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION
 END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
b   slb_finish_load_1T
 
-0:
+0: /*
+* For userspace addresses, make sure this is region 0.
+*/
+   cmpdi   r9, 0
+   bne 8f
+
/* when using slices, we extract the psize off the slice bitmaps
 * and then we need to get the sllp encoding off the mmu_psize_defs
 * array.

[PATCH 4.7 053/184] rapidio/tsi721: fix incorrect detection of address translation condition

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Alexandre Bounine 

commit b30069291dc7f9b9a073c33d619818fe4a8e50de upstream.

Fix incorrect condition to identify involvment of a address translation
mechanism.

This bug results in NULL pointer kernel crash dump in cases when mapping
of inbound RapidIO address range is requested within existing aprture.

Link: http://lkml.kernel.org/r/20160901173144.2983-1-alexandre.boun...@idt.com
Signed-off-by: Alexandre Bounine 
Cc: Matt Porter 
Cc: Andre van Herk 
Cc: Barry Wood 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/rapidio/devices/tsi721.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/rapidio/devices/tsi721.c
+++ b/drivers/rapidio/devices/tsi721.c
@@ -1148,7 +1148,7 @@ static int tsi721_rio_map_inb_mem(struct
} else if (ibw_start < (ib_win->rstart + ib_win->size) &&
   (ibw_start + ibw_size) > ib_win->rstart) {
/* Return error if address translation involved */
-   if (direct && ib_win->xlat) {
+   if (!direct || ib_win->xlat) {
ret = -EFAULT;
break;
}

[PATCH 12/14] GPU-DRM-TTM: Less function calls in ttm_dma_pool_init() after error detection

[SF Markus Elfring]

From: Markus Elfring 
Date: Thu, 22 Sep 2016 17:30:52 +0200

The kfree() function was called in up to two cases
by the ttm_dma_pool_init() function during error handling
even if the passed variable contained a null pointer.

Adjust jump targets according to the Linux coding style convention.

Signed-off-by: Markus Elfring 
---
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c 
b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
index d5f41ed..4c50196 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
@@ -591,12 +591,12 @@ static struct dma_pool *ttm_dma_pool_init(struct device 
*dev, gfp_t flags,
pool = kmalloc_node(sizeof(struct dma_pool), GFP_KERNEL,
dev_to_node(dev));
if (!pool)
-   goto err_mem;
+   goto free_devres;
 
sec_pool = kmalloc_node(sizeof(struct device_pools), GFP_KERNEL,
dev_to_node(dev));
if (!sec_pool)
-   goto err_mem;
+   goto free_pool;
 
INIT_LIST_HEAD(_pool->pools);
sec_pool->dev = dev;
@@ -637,10 +637,10 @@ static struct dma_pool *ttm_dma_pool_init(struct device 
*dev, gfp_t flags,
devres_add(dev, ptr);
 
return pool;
-err_mem:
-   devres_free(ptr);
-   kfree(sec_pool);
+ free_pool:
kfree(pool);
+ free_devres:
+   devres_free(ptr);
return ERR_PTR(-ENOMEM);
 }
 
-- 
2.10.0

[PATCH 4.7 037/184] powerpc/powernv : Drop reference added by kset_find_obj()

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Mukesh Ojha 

commit a9cbf0b2195b695cbcaa4e2770948c212e9a upstream.

In a situation, where Linux kernel gets notified about duplicate error log
from OPAL, it is been observed that kernel fails to remove sysfs entries
(/sys/firmware/opal/elog/0x) of such error logs. This is because,
we currently search the error log/dump kobject in the kset list via
'kset_find_obj()' routine. Which eventually increment the reference count
by one, once it founds the kobject.

So, unless we decrement the reference count by one after it found the kobject,
we would not be able to release the kobject properly later.

This patch adds the 'kobject_put()' which was missing earlier.

Signed-off-by: Mukesh Ojha 
Reviewed-by: Vasant Hegde 
Signed-off-by: Benjamin Herrenschmidt 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/platforms/powernv/opal-dump.c |7 ++-
 arch/powerpc/platforms/powernv/opal-elog.c |7 ++-
 2 files changed, 12 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/powernv/opal-dump.c
+++ b/arch/powerpc/platforms/powernv/opal-dump.c
@@ -370,6 +370,7 @@ static irqreturn_t process_dump(int irq,
uint32_t dump_id, dump_size, dump_type;
struct dump_obj *dump;
char name[22];
+   struct kobject *kobj;
 
rc = dump_read_info(_id, _size, _type);
if (rc != OPAL_SUCCESS)
@@ -381,8 +382,12 @@ static irqreturn_t process_dump(int irq,
 * that gracefully and not create two conflicting
 * entries.
 */
-   if (kset_find_obj(dump_kset, name))
+   kobj = kset_find_obj(dump_kset, name);
+   if (kobj) {
+   /* Drop reference added by kset_find_obj() */
+   kobject_put(kobj);
return 0;
+   }
 
dump = create_dump_obj(dump_id, dump_size, dump_type);
if (!dump)
--- a/arch/powerpc/platforms/powernv/opal-elog.c
+++ b/arch/powerpc/platforms/powernv/opal-elog.c
@@ -247,6 +247,7 @@ static irqreturn_t elog_event(int irq, v
uint64_t elog_type;
int rc;
char name[2+16+1];
+   struct kobject *kobj;
 
rc = opal_get_elog_size(, , );
if (rc != OPAL_SUCCESS) {
@@ -269,8 +270,12 @@ static irqreturn_t elog_event(int irq, v
 * that gracefully and not create two conflicting
 * entries.
 */
-   if (kset_find_obj(elog_kset, name))
+   kobj = kset_find_obj(elog_kset, name);
+   if (kobj) {
+   /* Drop reference added by kset_find_obj() */
+   kobject_put(kobj);
return IRQ_HANDLED;
+   }
 
create_elog_obj(log_id, elog_size, elog_type);
 

[PATCH 4.7 054/184] mm: introduce get_task_exe_file

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Mateusz Guzik 

commit cd81a9170e69e018bbaba547c1fd85a585f5697a upstream.

For more convenient access if one has a pointer to the task.

As a minor nit take advantage of the fact that only task lock + rcu are
needed to safely grab ->exe_file. This saves mm refcount dance.

Use the helper in proc_exe_link.

Signed-off-by: Mateusz Guzik 
Acked-by: Konstantin Khlebnikov 
Acked-by: Richard Guy Briggs 
Signed-off-by: Paul Moore 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/proc/base.c |7 +--
 include/linux/mm.h |1 +
 kernel/fork.c  |   23 +++
 3 files changed, 25 insertions(+), 6 deletions(-)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1552,18 +1552,13 @@ static const struct file_operations proc
 static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
 {
struct task_struct *task;
-   struct mm_struct *mm;
struct file *exe_file;
 
task = get_proc_task(d_inode(dentry));
if (!task)
return -ENOENT;
-   mm = get_task_mm(task);
+   exe_file = get_task_exe_file(task);
put_task_struct(task);
-   if (!mm)
-   return -ENOENT;
-   exe_file = get_mm_exe_file(mm);
-   mmput(mm);
if (exe_file) {
*exe_path = exe_file->f_path;
path_get(_file->f_path);
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1975,6 +1975,7 @@ extern void mm_drop_all_locks(struct mm_
 
 extern void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file);
 extern struct file *get_mm_exe_file(struct mm_struct *mm);
+extern struct file *get_task_exe_file(struct task_struct *task);
 
 extern bool may_expand_vm(struct mm_struct *, vm_flags_t, unsigned long 
npages);
 extern void vm_stat_account(struct mm_struct *, vm_flags_t, long npages);
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -801,6 +801,29 @@ struct file *get_mm_exe_file(struct mm_s
 EXPORT_SYMBOL(get_mm_exe_file);
 
 /**
+ * get_task_exe_file - acquire a reference to the task's executable file
+ *
+ * Returns %NULL if task's mm (if any) has no associated executable file or
+ * this is a kernel thread with borrowed mm (see the comment above 
get_task_mm).
+ * User must release file via fput().
+ */
+struct file *get_task_exe_file(struct task_struct *task)
+{
+   struct file *exe_file = NULL;
+   struct mm_struct *mm;
+
+   task_lock(task);
+   mm = task->mm;
+   if (mm) {
+   if (!(task->flags & PF_KTHREAD))
+   exe_file = get_mm_exe_file(mm);
+   }
+   task_unlock(task);
+   return exe_file;
+}
+EXPORT_SYMBOL(get_task_exe_file);
+
+/**
  * get_task_mm - acquire a reference to the task's mm
  *
  * Returns %NULL if the task has no mm.  Checks PF_KTHREAD (meaning

[PATCH 4.7 049/184] kexec: fix double-free when failing to relocate the purgatory

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Thiago Jung Bauermann 

commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream.

If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs
and pi->purgatory_buf.  This is redundant, because in case of error
kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which
will also free those buffers.

This causes two warnings like the following, one for pi->sechdrs and the
other for pi->purgatory_buf:

  kexec-bzImage64: Loading purgatory failed
  [ cut here ]
  WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0
  Trying to vfree() nonexistent vm area (c9e91000)
  Modules linked in:
  CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
dump_stack+0x4d/0x65
__warn+0xcb/0xf0
warn_slowpath_fmt+0x4f/0x60
? find_vmap_area+0x19/0x70
? kimage_file_post_load_cleanup+0x47/0xb0
__vunmap+0xc1/0xd0
vfree+0x2e/0x70
kimage_file_post_load_cleanup+0x5e/0xb0
SyS_kexec_file_load+0x448/0x680
? putname+0x54/0x60
? do_sys_open+0x190/0x1f0
entry_SYSCALL_64_fastpath+0x13/0x8f
  ---[ end trace 158bb74f5950ca2b ]---

Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree
won't try to free a NULL pointer.

Link: 
http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauer...@linux.vnet.ibm.com
Signed-off-by: Thiago Jung Bauermann 
Acked-by: Baoquan He 
Cc: "Eric W. Biederman" 
Cc: Vivek Goyal 
Cc: Dave Young 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/kexec_file.c |3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -887,7 +887,10 @@ int kexec_load_purgatory(struct kimage *
return 0;
 out:
vfree(pi->sechdrs);
+   pi->sechdrs = NULL;
+
vfree(pi->purgatory_buf);
+   pi->purgatory_buf = NULL;
return ret;
 }
 

[PATCH 4.7 047/184] pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 upstream.

According to RFC5661, the client is responsible for serialising
LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case
where we send both in parallel.

Client  Server
==  ==
LAYOUTGET(seqid=X)
LAYOUTRETURN(seqid=X)
LAYOUTGET return seqid=X+1
LAYOUTRETURN return seqid=X+2
Process LAYOUTRETURN
  Forget layout stateid
Process LAYOUTGET
  Set seqid=X+1

The client processes the layoutget/layoutreturn in the wrong order,
and since the result of the layoutreturn was to clear the only
existing layout segment, the client forgets the layout stateid.

When the LAYOUTGET comes in, it is treated as having a completely
new stateid, and so the client sets the wrong sequence id...

Fix is to check if there are outstanding LAYOUTGET requests
before we send the LAYOUTRETURN (note that LAYOUGET will already
wait if it sees an outstanding LAYOUTRETURN).

Signed-off-by: Trond Myklebust 
Signed-off-by: Trond Myklebust 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfs/pnfs.c |3 +++
 1 file changed, 3 insertions(+)

--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -876,6 +876,9 @@ void pnfs_clear_layoutreturn_waitbit(str
 static bool
 pnfs_prepare_layoutreturn(struct pnfs_layout_hdr *lo)
 {
+   /* Serialise LAYOUTGET/LAYOUTRETURN */
+   if (atomic_read(>plh_outstanding) != 0)
+   return false;
if (test_and_set_bit(NFS_LAYOUT_RETURN, >plh_flags))
return false;
lo->plh_return_iomode = 0;

[PATCH 4.7 052/184] ahci: disable correct irq for dummy ports

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Christoph Hellwig 

commit 9b4b3f6a062b22550e62523efe5213776cdd426b upstream.

irq already contains the interrupt number for the port, don't add the
port index to it.

Signed-off-by: Christoph Hellwig 
Signed-off-by: Tejun Heo 
Fixes: d684a90d38e2 ("ahci: per-port msix support")
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/ata/libahci.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -2516,7 +2516,7 @@ static int ahci_host_activate_multi_irqs
 
/* Do not receive interrupts sent by dummy ports */
if (!pp) {
-   disable_irq(irq + i);
+   disable_irq(irq);
continue;
}
 

[PATCH 4.7 059/184] IB/hfi1: Reset QSFP on every run through channel tuning

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Easwar Hariharan 

commit b5e710195492f682d93097cddac13e594d39a946 upstream.

Active QSFP cables were reset only every alternate iteration of the
channel tuning algorithm instead of every iteration due to incorrect
reset of the flag that controlled QSFP reset, resulting in using stale
QSFP status in the channel tuning algorithm.

Fixes: 8ebd4cf1852a ("Add active and optical cable support")
Reviewed-by: Dean Luick 
Signed-off-by: Easwar Hariharan 
Signed-off-by: Dennis Dalessandro 
Signed-off-by: Doug Ledford 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/hw/hfi1/platform.c |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/hfi1/platform.c
+++ b/drivers/infiniband/hw/hfi1/platform.c
@@ -638,9 +638,13 @@ static int tune_active_qsfp(struct hfi1_
if (ret)
return ret;
 
+   /*
+* We'll change the QSFP memory contents from here on out, thus we set a
+* flag here to remind ourselves to reset the QSFP module. This prevents
+* reuse of stale settings established in our previous pass through.
+*/
if (ppd->qsfp_info.reset_needed) {
reset_qsfp(ppd);
-   ppd->qsfp_info.reset_needed = 0;
refresh_qsfp_cache(ppd, >qsfp_info);
} else {
ppd->qsfp_info.reset_needed = 1;

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

[Borislav Petkov]

On Thu, Sep 22, 2016 at 08:23:36PM +0200, Paolo Bonzini wrote:
> Unless this is part of some spec, it's easier if things are the same in
> SME and SEV.

Yeah, I was pondering over how sprinkling sev_active checks might not be
so clean.

I'm wondering if we could make the EFI regions presented to the guest
unencrypted too, as part of some SEV-specific init routine so that the
guest kernel doesn't need to do anything different.

-- 
Regards/Gruss,
Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 
(AG Nürnberg)
-- 

Re: GPU-DRM-TILCDC: Less function calls in tilcdc_convert_slave_node() after error detection

[SF Markus Elfring]

>> The of_node_put() function was called in some cases
>> by the tilcdc_convert_slave_node() function during error handling
>> even if the passed variable contained a null pointer.
>>
>> * Adjust jump targets according to the Linux coding style convention.
>>
>> * Split a condition check for resource detection failures so that
>>   each pointer from these function calls will be checked immediately.
>>
>>   See also background information:
>>   Topic "CWE-754: Improper check for unusual or exceptional conditions"
>>   Link: https://cwe.mitre.org/data/definitions/754.html
>>
> 
> I don't really agree with this patch.

This kind of feedback can be fine at first glance.


> There is no harm in calling of_node_put() with NULL as an argument

The cost of additional function calls will be eventually not noticed
just because they belong to an exception handling implementation so far.


> and because of that there is no point in making the function more complex

There is inherent software complexity involved.


> and harder to maintain.

How do you think about to discuss this aspect a bit more?


I suggest to reconsider this design detail if it is really acceptable
for the safe implementation of such a software module.

* How much will it matter in general that one function call was performed
  in this use case without checking its return value immediately?

* Should it usually be determined quicker if a required resource
  could be acquired before trying the next allocation?

Regards,
Markus

[PATCH 4.7 050/184] mm, oom: prevent premature OOM killer invocation for high order request

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Michal Hocko 

commit 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f upstream.

There have been several reports about pre-mature OOM killer invocation
in 4.7 kernel when order-2 allocation request (for the kernel stack)
invoked OOM killer even during basic workloads (light IO or even kernel
compile on some filesystems).  In all reported cases the memory is
fragmented and there are no order-2+ pages available.  There is usually
a large amount of slab memory (usually dentries/inodes) and further
debugging has shown that there are way too many unmovable blocks which
are skipped during the compaction.  Multiple reporters have confirmed
that the current linux-next which includes [1] and [2] helped and OOMs
are not reproducible anymore.

A simpler fix for the late rc and stable is to simply ignore the
compaction feedback and retry as long as there is a reclaim progress and
we are not getting OOM for order-0 pages.  We already do that for
CONFING_COMPACTION=n so let's reuse the same code when compaction is
enabled as well.

[1] http://lkml.kernel.org/r/20160810091226.6709-1-vba...@suse.cz
[2] http://lkml.kernel.org/r/f7a9ea9d-bb88-bfd6-e340-3a9335593...@suse.cz

Fixes: 0a0337e0d1d1 ("mm, oom: rework oom detection")
Link: http://lkml.kernel.org/r/20160823074339.gb23...@dhcp22.suse.cz
Signed-off-by: Michal Hocko 
Tested-by: Olaf Hering 
Tested-by: Ralf-Peter Rohbeck 
Cc: Markus Trippelsdorf 
Cc: Arkadiusz Miskiewicz 
Cc: Ralf-Peter Rohbeck 
Cc: Jiri Slaby 
Cc: Vlastimil Babka 
Cc: Joonsoo Kim 
Cc: Tetsuo Handa 
Cc: David Rientjes 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 mm/page_alloc.c |   50 ++
 1 file changed, 2 insertions(+), 48 deletions(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -3254,53 +3254,6 @@ __alloc_pages_direct_compact(gfp_t gfp_m
return NULL;
 }
 
-static inline bool
-should_compact_retry(struct alloc_context *ac, int order, int alloc_flags,
-enum compact_result compact_result, enum migrate_mode 
*migrate_mode,
-int compaction_retries)
-{
-   int max_retries = MAX_COMPACT_RETRIES;
-
-   if (!order)
-   return false;
-
-   /*
-* compaction considers all the zone as desperately out of memory
-* so it doesn't really make much sense to retry except when the
-* failure could be caused by weak migration mode.
-*/
-   if (compaction_failed(compact_result)) {
-   if (*migrate_mode == MIGRATE_ASYNC) {
-   *migrate_mode = MIGRATE_SYNC_LIGHT;
-   return true;
-   }
-   return false;
-   }
-
-   /*
-* make sure the compaction wasn't deferred or didn't bail out early
-* due to locks contention before we declare that we should give up.
-* But do not retry if the given zonelist is not suitable for
-* compaction.
-*/
-   if (compaction_withdrawn(compact_result))
-   return compaction_zonelist_suitable(ac, order, alloc_flags);
-
-   /*
-* !costly requests are much more important than __GFP_REPEAT
-* costly ones because they are de facto nofail and invoke OOM
-* killer to move on while costly can fail and users are ready
-* to cope with that. 1/4 retries is rather arbitrary but we
-* would need much more detailed feedback from compaction to
-* make a better decision.
-*/
-   if (order > PAGE_ALLOC_COSTLY_ORDER)
-   max_retries /= 4;
-   if (compaction_retries <= max_retries)
-   return true;
-
-   return false;
-}
 #else
 static inline struct page *
 __alloc_pages_direct_compact(gfp_t gfp_mask, unsigned int order,
@@ -3311,6 +3264,8 @@ __alloc_pages_direct_compact(gfp_t gfp_m
return NULL;
 }
 
+#endif /* CONFIG_COMPACTION */
+
 static inline bool
 should_compact_retry(struct alloc_context *ac, unsigned int order, int 
alloc_flags,
 enum compact_result compact_result,
@@ -3337,7 +3292,6 @@ should_compact_retry(struct alloc_contex
}
return false;
 }
-#endif /* CONFIG_COMPACTION */
 
 /* Perform direct synchronous page reclaim */
 static int

[PATCH 4.7 055/184] audit: fix exe_file access in audit_exe_compare

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Mateusz Guzik 

commit 5efc244346f9f338765da3d592f7947b0afdc4b5 upstream.

Prior to the change the function would blindly deference mm, exe_file
and exe_file->f_inode, each of which could have been NULL or freed.

Use get_task_exe_file to safely obtain stable exe_file.

Signed-off-by: Mateusz Guzik 
Acked-by: Konstantin Khlebnikov 
Acked-by: Richard Guy Briggs 
Signed-off-by: Paul Moore 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/audit_watch.c |8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -19,6 +19,7 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
+#include 
 #include 
 #include 
 #include 
@@ -544,10 +545,11 @@ int audit_exe_compare(struct task_struct
unsigned long ino;
dev_t dev;
 
-   rcu_read_lock();
-   exe_file = rcu_dereference(tsk->mm->exe_file);
+   exe_file = get_task_exe_file(tsk);
+   if (!exe_file)
+   return 0;
ino = exe_file->f_inode->i_ino;
dev = exe_file->f_inode->i_sb->s_dev;
-   rcu_read_unlock();
+   fput(exe_file);
return audit_mark_compare(mark, ino, dev);
 }

Re: [tip:sched/core] sched/core: Avoid _cond_resched() for PREEMPT=y

[Peter Zijlstra]

On Thu, Sep 22, 2016 at 02:25:01PM -0400, Mikulas Patocka wrote:
> I've found a document that says that cond_resched() is needed on
> preemptible kernels to mark RCU quiescent states:
> 
> https://lwn.net/Articles/603252/
> 
> Paul, is cond_resched() still needed on current RCU implementation? Or not?

No, we ripped that out. See 4a81e8328d37 ("rcu: Reduce overhead of
cond_resched() checks for RCU")

[PATCH 0/2] Ajust lockdep static allocations

[Babu Moger]

These patches adjust the static allocations for lockdep
data structures used for debugging locking correctness. The current
code reserves about 4MB extra space for these data structures. Most
of the configurations do not need these many data structures. While
testing, I have not seen it go beyond 20% of already reserved entries.

$grep "lock-classes" /proc/lockdep_stats
lock-classes:  1560 [max: 8191]

Reserving even more space seems unreasonable. So, keeping the default
entries small as before the Commit 1413c0389333 ("lockdep: Increase static
allocations"). Added new CONFIG_PROVE_LOCKING_PLUS in case someone
needs more entries to debug their large configuration.

Patch 1 : Adjusts the sizes based on the new config parameter
patch 2 : Adds new config parameter

Babu Moger (2):
  lockdep: Keep the default static allocations small
  config: Add new CONFIG_PROVE_LOCKING_PLUS

 kernel/locking/lockdep_internals.h |   14 +++---
 lib/Kconfig.debug  |   10 ++
 2 files changed, 21 insertions(+), 3 deletions(-)

[PATCH 4.7 032/184] ipv6: addrconf: fix dev refcont leak when DAD failed

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Wei Yongjun 


[ Upstream commit 751eb6b6042a596b0080967c1a529a9fe98dac1d ]

In general, when DAD detected IPv6 duplicate address, ifp->state
will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
delayed work, the call tree should be like this:

ndisc_recv_ns
  -> addrconf_dad_failure<- missing ifp put
 -> addrconf_mod_dad_work
   -> schedule addrconf_dad_work()
 -> addrconf_dad_stop()  <- missing ifp hold before call it

addrconf_dad_failure() called with ifp refcont holding but not put.
addrconf_dad_work() call addrconf_dad_stop() without extra holding
refcount. This will not cause any issue normally.

But the race between addrconf_dad_failure() and addrconf_dad_work()
may cause ifp refcount leak and netdevice can not be unregister,
dmesg show the following messages:

IPv6: eth0: IPv6 duplicate address fe80::XX:::XX detected!
...
unregister_netdevice: waiting for eth0 to become free. Usage count = 1

Cc: sta...@vger.kernel.org
Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing
to workqueue")
Signed-off-by: Wei Yongjun 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv6/addrconf.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1906,6 +1906,7 @@ errdad:
spin_unlock_bh(>lock);
 
addrconf_mod_dad_work(ifp, 0);
+   in6_ifa_put(ifp);
 }
 
 /* Join to solicited addr multicast group.
@@ -3771,6 +3772,7 @@ static void addrconf_dad_work(struct wor
addrconf_dad_begin(ifp);
goto out;
} else if (action == DAD_ABORT) {
+   in6_ifa_hold(ifp);
addrconf_dad_stop(ifp, 1);
goto out;
}

Re: [PATCH] smp: smp_call_on_cpu(): use INIT_WORK_ONSTACK() for automatic work_struct

[Peter Zijlstra]

On Thu, Sep 22, 2016 at 08:17:58PM +0200, Nicolai Stange wrote:
> This new warning
> 
>   INFO: trying to register non-static key.
>   the code is fine but needs lockdep annotation.
>   turning off the locking correctness validator.
>   CPU: 0 PID: 82 Comm: kworker/0:1 Not tainted 4.8.0-rc6+ #360
>   Hardware name: Dell Inc. Latitude E6540/0725FP, BIOS A10 06/26/2014
>   Workqueue: events smp_call_on_cpu_callback

https://lkml.kernel.org/r/tip-8db549491c4a3ce9e1d509b75f78516e497f4...@git.kernel.org

[PATCH 4.7 004/184] drm/msm: protect against faults from copy_from_user() in submit ioctl

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Rob Clark 

commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.

An evil userspace could try to cause deadlock by passing an unfaulted-in
GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
msm_gem_fault() while we already hold struct_mutex.  See:

https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c

Signed-off-by: Rob Clark 
Signed-off-by: Greg Kroah-Hartman 


---
 drivers/gpu/drm/msm/msm_drv.h|6 ++
 drivers/gpu/drm/msm/msm_gem.c|9 +
 drivers/gpu/drm/msm/msm_gem_submit.c |2 ++
 3 files changed, 17 insertions(+)

--- a/drivers/gpu/drm/msm/msm_drv.h
+++ b/drivers/gpu/drm/msm/msm_drv.h
@@ -148,6 +148,12 @@ struct msm_drm_private {
} vram;
 
struct msm_vblank_ctrl vblank_ctrl;
+
+   /* task holding struct_mutex.. currently only used in submit path
+* to detect and reject faults from copy_from_user() for submit
+* ioctl.
+*/
+   struct task_struct *struct_mutex_task;
 };
 
 struct msm_format {
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -196,11 +196,20 @@ int msm_gem_fault(struct vm_area_struct
 {
struct drm_gem_object *obj = vma->vm_private_data;
struct drm_device *dev = obj->dev;
+   struct msm_drm_private *priv = dev->dev_private;
struct page **pages;
unsigned long pfn;
pgoff_t pgoff;
int ret;
 
+   /* This should only happen if userspace tries to pass a mmap'd
+* but unfaulted gem bo vaddr into submit ioctl, triggering
+* a page fault while struct_mutex is already held.  This is
+* not a valid use-case so just bail.
+*/
+   if (priv->struct_mutex_task == current)
+   return VM_FAULT_SIGBUS;
+
/* Make sure we don't parallel update on a fault, nor move or remove
 * something from beneath our feet
 */
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -394,6 +394,7 @@ int msm_ioctl_gem_submit(struct drm_devi
return -ENOMEM;
 
mutex_lock(>struct_mutex);
+   priv->struct_mutex_task = current;
 
ret = submit_lookup_objects(submit, args, file);
if (ret)
@@ -479,6 +480,7 @@ out:
submit_cleanup(submit);
if (ret)
msm_gem_submit_free(submit);
+   priv->struct_mutex_task = NULL;
mutex_unlock(>struct_mutex);
return ret;
 }

[PATCH 4.7 008/184] bpf: fix write helpers with regards to non-linear parts

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Borkmann 


[ Upstream commit 0ed661d5a48fa6df0b50ae64d27fe759a3ce42cf ]

Fix the bpf_try_make_writable() helper and all call sites we have in BPF,
it's currently defect with regards to skbs when the write_len spans into
non-linear parts, no matter if cloned or not.

There are multiple issues at once. First, using skb_store_bits() is not
correct since even if we have a cloned skb, page frags can still be shared.
To really make them private, we need to pull them in via __pskb_pull_tail()
first, which also gets us a private head via pskb_expand_head() implicitly.

This is for helpers like bpf_skb_store_bytes(), bpf_l3_csum_replace(),
bpf_l4_csum_replace(). Really, the only thing reasonable and working here
is to call skb_ensure_writable() before any write operation. Meaning, via
pskb_may_pull() it makes sure that parts we want to access are pulled in and
if not does so plus unclones the skb implicitly. If our write_len still fits
the headlen and we're cloned and our header of the clone is not writable,
then we need to make a private copy via pskb_expand_head(). skb_store_bits()
is a bit misleading and only safe to store into non-linear data in different
contexts such as 357b40a18b04 ("[IPV6]: IPV6_CHECKSUM socket option can
corrupt kernel memory").

For above BPF helper functions, it means after fixed bpf_try_make_writable(),
we've pulled in enough, so that we operate always based on skb->data. Thus,
the call to skb_header_pointer() and skb_store_bits() becomes superfluous.
In bpf_skb_store_bytes(), the len check is unnecessary too since it can
only pass in maximum of BPF stack size, so adding offset is guaranteed to
never overflow. Also bpf_l3/4_csum_replace() helpers must test for proper
offset alignment since they use __sum16 pointer for writing resulting csum.

The remaining helpers that change skb data not discussed here yet are
bpf_skb_vlan_push(), bpf_skb_vlan_pop() and bpf_skb_change_proto(). The
vlan helpers internally call either skb_ensure_writable() (pop case) and
skb_cow_head() (push case, for head expansion), respectively. Similarly,
bpf_skb_proto_xlat() takes care to not mangle page frags.

Fixes: 608cd71a9c7c ("tc: bpf: generalize pedit action")
Fixes: 91bc4822c3d6 ("tc: bpf: add checksum helpers")
Fixes: 3697649ff29e ("bpf: try harder on clones when writing into skb")
Signed-off-by: Daniel Borkmann 
Acked-by: Alexei Starovoitov 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/core/filter.c |   70 +-
 1 file changed, 18 insertions(+), 52 deletions(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1353,54 +1353,33 @@ static inline int bpf_try_make_writable(
 {
int err;
 
-   if (!skb_cloned(skb))
-   return 0;
-   if (skb_clone_writable(skb, write_len))
-   return 0;
-   err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
-   if (!err)
-   bpf_compute_data_end(skb);
+   err = skb_ensure_writable(skb, write_len);
+   bpf_compute_data_end(skb);
+
return err;
 }
 
 static u64 bpf_skb_store_bytes(u64 r1, u64 r2, u64 r3, u64 r4, u64 flags)
 {
-   struct bpf_scratchpad *sp = this_cpu_ptr(_sp);
struct sk_buff *skb = (struct sk_buff *) (long) r1;
-   int offset = (int) r2;
+   unsigned int offset = (unsigned int) r2;
void *from = (void *) (long) r3;
unsigned int len = (unsigned int) r4;
void *ptr;
 
if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
return -EINVAL;
-
-   /* bpf verifier guarantees that:
-* 'from' pointer points to bpf program stack
-* 'len' bytes of it were initialized
-* 'len' > 0
-* 'skb' is a valid pointer to 'struct sk_buff'
-*
-* so check for invalid 'offset' and too large 'len'
-*/
-   if (unlikely((u32) offset > 0x || len > sizeof(sp->buff)))
+   if (unlikely(offset > 0x))
return -EFAULT;
if (unlikely(bpf_try_make_writable(skb, offset + len)))
return -EFAULT;
 
-   ptr = skb_header_pointer(skb, offset, len, sp->buff);
-   if (unlikely(!ptr))
-   return -EFAULT;
-
+   ptr = skb->data + offset;
if (flags & BPF_F_RECOMPUTE_CSUM)
skb_postpull_rcsum(skb, ptr, len);
 
memcpy(ptr, from, len);
 
-   if (ptr == sp->buff)
-   /* skb_store_bits cannot return -EFAULT here */
-   skb_store_bits(skb, offset, ptr, len);
-
if (flags & BPF_F_RECOMPUTE_CSUM)
skb_postpush_rcsum(skb, ptr, len);
if (flags & BPF_F_INVALIDATE_HASH)
@@ -1423,12 +1402,12 @@ static const struct bpf_func_proto bpf_s
 static u64 

[PATCH 1/2] lockdep: Keep the default static allocations small

[Babu Moger]

The Commit 1413c0389333 ("lockdep: Increase static allocations")
doubled the static allocation for lockdep. The size is unusually
high and not required for majority of the configurations. This
could cause problems to some environments with limited memory
configurations. We are already seeing issues on our sparc
configuration where kernel fails to boot when lockdep feature
is enabled. This patch keeps the default size to same as before
Commit 1413c0389333 ("lockdep: Increase static allocations").
Adding the new config parameter CONFIG_PROVE_LOCKING_PLUS in case
someone needs to enable more static space for lockdep entries,
lock chains and stack traces to debug large configurations.

Signed-off-by: Babu Moger 
---
 kernel/locking/lockdep_internals.h |   14 +++---
 1 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/kernel/locking/lockdep_internals.h 
b/kernel/locking/lockdep_internals.h
index 51c4b24..47336a6 100644
--- a/kernel/locking/lockdep_internals.h
+++ b/kernel/locking/lockdep_internals.h
@@ -54,18 +54,26 @@ enum {
  * table (if it's not there yet), and we check it for lock order
  * conflicts and deadlocks.
  */
+#ifdef CONFIG_PROVE_LOCKING_PLUS
 #define MAX_LOCKDEP_ENTRIES32768UL
 
 #define MAX_LOCKDEP_CHAINS_BITS16
-#define MAX_LOCKDEP_CHAINS (1UL << MAX_LOCKDEP_CHAINS_BITS)
-
-#define MAX_LOCKDEP_CHAIN_HLOCKS (MAX_LOCKDEP_CHAINS*5)
 
 /*
  * Stack-trace: tightly packed array of stack backtrace
  * addresses. Protected by the hash_lock.
  */
 #define MAX_STACK_TRACE_ENTRIES524288UL
+#else
+#define MAX_LOCKDEP_ENTRIES16384UL
+#define MAX_LOCKDEP_CHAINS_BITS15
+#define MAX_STACK_TRACE_ENTRIES262144UL
+#endif
+
+#define MAX_LOCKDEP_CHAINS (1UL << MAX_LOCKDEP_CHAINS_BITS)
+
+#define MAX_LOCKDEP_CHAIN_HLOCKS (MAX_LOCKDEP_CHAINS*5)
+
 
 extern struct list_head all_lock_classes;
 extern struct lock_chain lock_chains[];
-- 
1.7.1

[PATCH 4.7 045/184] NFSv4.x: Fix a refcount leak in nfs_callback_up_net

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit 98b0f80c2396224bbbed81792b526e6c72ba9efa upstream.

On error, the callers expect us to return without bumping
nn->cb_users[].

Signed-off-by: Trond Myklebust 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfs/callback.c |1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -275,6 +275,7 @@ static int nfs_callback_up_net(int minor
 err_socks:
svc_rpcb_cleanup(serv, net);
 err_bind:
+   nn->cb_users[minorversion]--;
dprintk("NFS: Couldn't create callback socket: err = %d; "
"net = %p\n", ret, net);
return ret;

[PATCH 4.7 000/184] 4.7.5-stable review

[Greg Kroah-Hartman]

This is the start of the stable review cycle for the 4.7.5 release.
There are 184 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Sep 24 17:40:23 UTC 2016.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.7.5-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.7.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.7.5-rc1

Linus Torvalds 
Add braces to avoid "ambiguous ‘else’" compiler warnings

Thomas Gleixner 
genirq/msi: Fix broken debug output

Arnd Bergmann 
iwlegacy: avoid warning about missing braces

Al Viro 
ia64: copy_from_user() should zero the destination on access_ok() failure

Al Viro 
ppc32: fix copy_from_user()

Al Viro 
sparc32: fix copy_from_user()

Al Viro 
mn10300: copy_from_user() should zero on access_ok() failure...

Al Viro 
nios2: copy_from_user() should zero the tail of destination

Al Viro 
openrisc: fix copy_from_user()

Al Viro 
parisc: fix copy_from_user()

Al Viro 
metag: copy_from_user() should zero the destination on access_ok() failure

Al Viro 
alpha: fix copy_from_user()

Al Viro 
asm-generic: make copy_from_user() zero the destination properly

Al Viro 
mips: copy_from_user() must zero the destination on access_ok() failure

Al Viro 
hexagon: fix strncpy_from_user() error return

Pan Xinhui 
sh: cmpxchg: fix a bit shift bug in big_endian os

Al Viro 
sh: fix copy_from_user()

Al Viro 
score: fix copy_from_user() and friends

Al Viro 
blackfin: fix copy_from_user()

Al Viro 
cris: buggered copy_from_user/copy_to_user/clear_user

Al Viro 
frv: fix clear_user()

Al Viro 
asm-generic: make get_user() clear the destination on errors

Vineet Gupta 
ARC: uaccess: get_user to zero out dest in cause of fault

Al Viro 
s390: get_user() should zero on failure

Al Viro 
score: fix __get_user/get_user

Al Viro 
nios2: fix __get_user()

Al Viro 
sh64: failing __get_user() should zero

Al Viro 
m32r: fix __get_user()

Al Viro 
mn10300: failing __get_user() and get_user() should zero

Al Viro 
fix minor infoleak in get_user_ex()

Al Viro 
microblaze: fix copy_from_user()

Al Viro 
avr32: fix copy_from_user()

Al Viro 
microblaze: fix __get_user()

Al Viro 
fix iov_iter_fault_in_readable()

Boris Brezillon 
irqchip/atmel-aic: Fix potential deadlock in ->xlate()

Boris Brezillon 
genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers

Lee Jones 
mmc: sdhci-st: Handle interconnect clock

Chuck Lever 
svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation")

Kristian H. Kristensen 
drm: Only use compat ioctl for addfb2 on X86/IA64

Ville Syrjälä 
drm/i915: Ignore OpRegion panel type except on select machines

Jan Leupold 
drm: atmel-hlcdc: Fix vertical scaling

Arnd Bergmann 
kconfig: tinyconfig: provide whole choice blocks to avoid warnings

Mike Danese 
mpssd: fix buffer overflow warning

Christophe Leroy 
powerpc/32: Fix again csum_partial_copy_generic()

Christophe Leroy 
powerpc/32: Fix csum_partial_copy_generic()

Jeffrey Hugo 
x86/efi: Use efi_exit_boot_services()

Jeffrey Hugo 
efi/libstub: Use efi_exit_boot_services() in FDT

Jeffrey Hugo 
efi/libstub: Introduce ExitBootServices helper

Jeffrey Hugo 
efi/libstub: Allocate headspace in 

[PATCH 4.7 009/184] net/irda: handle iriap_register_lsap() allocation failure

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Vegard Nossum 


[ Upstream commit 5ba092efc7ddff040777ae7162f1d195f513571b ]

If iriap_register_lsap() fails to allocate memory, self->lsap is
set to NULL. However, none of the callers handle the failure and
irlmp_connect_request() will happily dereference it:

iriap_register_lsap: Unable to allocated LSAP!


UBSAN: Undefined behaviour in net/irda/irlmp.c:378:2
member access within null pointer of type 'struct lsap_cb'
CPU: 1 PID: 15403 Comm: trinity-c0 Not tainted 4.8.0-rc1+ #81
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org
04/01/2014
  88010c7e78a8 82344f40 41b58ab3
 84f98000 82344e94 88010c7e78d0 88010c7e7880
 88010630ad00 84a5fae0 84d3f5c0 017a
Call Trace:
 [] dump_stack+0xac/0xfc
 [] ubsan_epilogue+0xd/0x8a
 [] __ubsan_handle_type_mismatch+0x157/0x411
 [] irlmp_connect_request+0x7ac/0x970
 [] iriap_connect_request+0xa0/0x160
 [] state_s_disconnect+0x88/0xd0
 [] iriap_do_client_event+0x94/0x120
 [] iriap_getvaluebyclass_request+0x3e0/0x6d0
 [] irda_find_lsap_sel+0x1eb/0x630
 [] irda_connect+0x828/0x12d0
 [] SYSC_connect+0x22b/0x340
 [] SyS_connect+0x9/0x10
 [] do_syscall_64+0x1b3/0x4b0
 [] entry_SYSCALL64_slow_path+0x25/0x25



The bug seems to have been around since forever.

There's more problems with missing error checks in iriap_init() (and
indeed all of irda_init()), but that's a bigger problem that needs
very careful review and testing. This patch will fix the most serious
bug (as it's easily reached from unprivileged userspace).

I have tested my patch with a reproducer.

Signed-off-by: Vegard Nossum 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/irda/iriap.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -185,8 +185,12 @@ struct iriap_cb *iriap_open(__u8 slsap_s
 
self->magic = IAS_MAGIC;
self->mode = mode;
-   if (mode == IAS_CLIENT)
-   iriap_register_lsap(self, slsap_sel, mode);
+   if (mode == IAS_CLIENT) {
+   if (iriap_register_lsap(self, slsap_sel, mode)) {
+   kfree(self);
+   return NULL;
+   }
+   }
 
self->confirm = callback;
self->priv = priv;

[PATCH 4.7 005/184] bpf: fix method of PTR_TO_PACKET reg id generation

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Jakub Kicinski 


[ Upstream commit 1f415a74b0ca64b5bfacbb12d71ed2ec050a8cfb ]

Using per-register incrementing ID can lead to
find_good_pkt_pointers() confusing registers which
have completely different values.  Consider example:

0: (bf) r6 = r1
1: (61) r8 = *(u32 *)(r6 +76)
2: (61) r0 = *(u32 *)(r6 +80)
3: (bf) r7 = r8
4: (07) r8 += 32
5: (2d) if r8 > r0 goto pc+9
 R0=pkt_end R1=ctx R6=ctx R7=pkt(id=0,off=0,r=32) R8=pkt(id=0,off=32,r=32) 
R10=fp
6: (bf) r8 = r7
7: (bf) r9 = r7
8: (71) r1 = *(u8 *)(r7 +0)
9: (0f) r8 += r1
10: (71) r1 = *(u8 *)(r7 +1)
11: (0f) r9 += r1
12: (07) r8 += 32
13: (2d) if r8 > r0 goto pc+1
 R0=pkt_end R1=inv56 R6=ctx R7=pkt(id=0,off=0,r=32) R8=pkt(id=1,off=32,r=32) 
R9=pkt(id=1,off=0,r=32) R10=fp
14: (71) r1 = *(u8 *)(r9 +16)
15: (b7) r7 = 0
16: (bf) r0 = r7
17: (95) exit

We need to get a UNKNOWN_VALUE with imm to force id
generation so lines 0-5 make r7 a valid packet pointer.
We then read two different bytes from the packet and
add them to copies of the constructed packet pointer.
r8 (line 9) and r9 (line 11) will get the same id of 1,
independently.  When either of them is validated (line
13) - find_good_pkt_pointers() will also mark the other
as safe.  This leads to access on line 14 being mistakenly
considered safe.

Fixes: 969bf05eb3ce ("bpf: direct packet access")
Signed-off-by: Jakub Kicinski 
Acked-by: Alexei Starovoitov 
Acked-by: Daniel Borkmann 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 kernel/bpf/verifier.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -194,6 +194,7 @@ struct verifier_env {
struct verifier_state_list **explored_states; /* search pruning 
optimization */
struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by 
eBPF program */
u32 used_map_cnt;   /* number of used maps */
+   u32 id_gen; /* used to generate unique reg IDs */
bool allow_ptr_leaks;
 };
 
@@ -1277,7 +1278,7 @@ add_imm:
/* dst_reg stays as pkt_ptr type and since some positive
 * integer value was added to the pointer, increment its 'id'
 */
-   dst_reg->id++;
+   dst_reg->id = ++env->id_gen;
 
/* something was added to pkt_ptr, set range and off to zero */
dst_reg->off = 0;

[PATCH 4.7 007/184] vti: flush x-netns xfrm cache when vti interface is removed

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Lance Richardson 


[ Upstream commit a5d0dc810abf3d6b241777467ee1d6efb02575fc ]

When executing the script included below, the netns delete operation
hangs with the following message (repeated at 10 second intervals):

  kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1

This occurs because a reference to the lo interface in the "secure" netns
is still held by a dst entry in the xfrm bundle cache in the init netns.

Address this problem by garbage collecting the tunnel netns flow cache
when a cross-namespace vti interface receives a NETDEV_DOWN notification.

A more detailed description of the problem scenario (referencing commands
in the script below):

(1) ip link add vti_test type vti local 1.1.1.1 remote 1.1.1.2 key 1

  The vti_test interface is created in the init namespace. vti_tunnel_init()
  attaches a struct ip_tunnel to the vti interface's netdev_priv(dev),
  setting the tunnel net to _net.

(2) ip link set vti_test netns secure

  The vti_test interface is moved to the "secure" netns. Note that
  the associated struct ip_tunnel still has tunnel->net set to _net.

(3) ip netns exec secure ping -c 4 -i 0.02 -I 192.168.100.1 192.168.200.1

  The first packet sent using the vti device causes xfrm_lookup() to be
  called as follows:

  dst = xfrm_lookup(tunnel->net, skb_dst(skb), fl, NULL, 0);

  Note that tunnel->net is the init namespace, while skb_dst(skb) references
  the vti_test interface in the "secure" namespace. The returned dst
  references an interface in the init namespace.

  Also note that the first parameter to xfrm_lookup() determines which flow
  cache is used to store the computed xfrm bundle, so after xfrm_lookup()
  returns there will be a cached bundle in the init namespace flow cache
  with a dst referencing a device in the "secure" namespace.

(4) ip netns del secure

  Kernel begins to delete the "secure" namespace.  At some point the
  vti_test interface is deleted, at which point dst_ifdown() changes
  the dst->dev in the cached xfrm bundle flow from vti_test to lo (still
  in the "secure" namespace however).
  Since nothing has happened to cause the init namespace's flow cache
  to be garbage collected, this dst remains attached to the flow cache,
  so the kernel loops waiting for the last reference to lo to go away.


ip link add br1 type bridge
ip link set dev br1 up
ip addr add dev br1 1.1.1.1/8

ip netns add secure
ip link add vti_test type vti local 1.1.1.1 remote 1.1.1.2 key 1
ip link set vti_test netns secure
ip netns exec secure ip link set vti_test up
ip netns exec secure ip link s lo up
ip netns exec secure ip addr add dev lo 192.168.100.1/24
ip netns exec secure ip route add 192.168.200.0/24 dev vti_test
ip xfrm policy flush
ip xfrm state flush
ip xfrm policy add dir out tmpl src 1.1.1.1 dst 1.1.1.2 \
   proto esp mode tunnel mark 1
ip xfrm policy add dir in tmpl src 1.1.1.2 dst 1.1.1.1 \
   proto esp mode tunnel mark 1
ip xfrm state add src 1.1.1.1 dst 1.1.1.2 proto esp spi 1 \
   mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788
ip xfrm state add src 1.1.1.2 dst 1.1.1.1 proto esp spi 1 \
   mode tunnel enc des3_ede 0x112233445566778811223344556677881122334455667788

ip netns exec secure ping -c 4 -i 0.02 -I 192.168.100.1 192.168.200.1

ip netns del secure


Reported-by: Hangbin Liu 
Reported-by: Jan Tluka 
Signed-off-by: Lance Richardson 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/ip_vti.c |   31 +++
 1 file changed, 31 insertions(+)

--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -557,6 +557,33 @@ static struct rtnl_link_ops vti_link_ops
.get_link_net   = ip_tunnel_get_link_net,
 };
 
+static bool is_vti_tunnel(const struct net_device *dev)
+{
+   return dev->netdev_ops == _netdev_ops;
+}
+
+static int vti_device_event(struct notifier_block *unused,
+   unsigned long event, void *ptr)
+{
+   struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+   struct ip_tunnel *tunnel = netdev_priv(dev);
+
+   if (!is_vti_tunnel(dev))
+   return NOTIFY_DONE;
+
+   switch (event) {
+   case NETDEV_DOWN:
+   if (!net_eq(tunnel->net, dev_net(dev)))
+   xfrm_garbage_collect(tunnel->net);
+   break;
+   }
+   return NOTIFY_DONE;
+}
+
+static struct notifier_block vti_notifier_block __read_mostly = {
+   .notifier_call = vti_device_event,
+};
+
 static int __init vti_init(void)
 {
const char *msg;
@@ -564,6 +591,8 @@ static int __init vti_init(void)
 
pr_info("IPv4 over IPsec tunneling driver\n");
 
+   register_netdevice_notifier(_notifier_block);
+
msg = "tunnel 

[PATCH 2/2] config: Add new CONFIG_PROVE_LOCKING_PLUS

[Babu Moger]

Adding the new config parameter CONFIG_PROVE_LOCKING_PLUS in case
someone needs to enable more static space for lockdep entries,
lock chains and stack traces to debug large configurations.
The default size is kept small to cover majority of the configs.

Signed-off-by: Babu Moger 
---
 lib/Kconfig.debug |   10 ++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index b9cfdbf..d5d995e 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1070,6 +1070,16 @@ config PROVE_LOCKING
 
 For more details, see Documentation/locking/lockdep-design.txt.
 
+config PROVE_LOCKING_PLUS
+   bool "Reserve extra space for prove locking correctness"
+   depends on PROVE_LOCKING
+   default n
+   help
+This feature reserves more space for lockdep entries, lock chains
+and stack traces to debug large configurations. This could add
+about additional 4MB static memory to kernel size. This is not
+suitable for embedded or other limited memory configurations.
+
 config LOCKDEP
bool
depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT 
&& LOCKDEP_SUPPORT
-- 
1.7.1

[PATCH 4.4 084/118] drm: atmel-hlcdc: Fix vertical scaling

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jan Leupold 

commit d31ed3f05763644840c654a384eaefa94c097ba2 upstream.

The code is applying the same scaling for the X and Y components,
thus making the scaling feature only functional when both components
have the same scaling factor.

Do the s/_w/_h/ replacement where appropriate to fix vertical scaling.

Signed-off-by: Jan Leupold 
Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support")
Signed-off-by: Boris Brezillon 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
@@ -316,19 +316,19 @@ atmel_hlcdc_plane_update_pos_and_size(st
u32 *coeff_tab = heo_upscaling_ycoef;
u32 max_memsize;
 
-   if (state->crtc_w < state->src_w)
+   if (state->crtc_h < state->src_h)
coeff_tab = heo_downscaling_ycoef;
for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++)
atmel_hlcdc_layer_update_cfg(>layer,
 33 + i,
 0x,
 coeff_tab[i]);
-   factor = ((8 * 256 * state->src_w) - (256 * 4)) /
-state->crtc_w;
+   factor = ((8 * 256 * state->src_h) - (256 * 4)) /
+state->crtc_h;
factor++;
-   max_memsize = ((factor * state->crtc_w) + (256 * 4)) /
+   max_memsize = ((factor * state->crtc_h) + (256 * 4)) /
  2048;
-   if (max_memsize > state->src_w)
+   if (max_memsize > state->src_h)
factor--;
factor_reg |= (factor << 16) | 0x8000;
}

[PATCH 4.4 116/118] ppc32: fix copy_from_user()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit 224264657b8b228f949b42346e09ed8c90136a8e upstream.

should clear on access_ok() failures.  Also remove the useless
range truncation logics.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/include/asm/uaccess.h |   21 ++---
 1 file changed, 2 insertions(+), 19 deletions(-)

--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -323,30 +323,17 @@ extern unsigned long __copy_tofrom_user(
 static inline unsigned long copy_from_user(void *to,
const void __user *from, unsigned long n)
 {
-   unsigned long over;
-
-   if (access_ok(VERIFY_READ, from, n))
+   if (likely(access_ok(VERIFY_READ, from, n)))
return __copy_tofrom_user((__force void __user *)to, from, n);
-   if ((unsigned long)from < TASK_SIZE) {
-   over = (unsigned long)from + n - TASK_SIZE;
-   return __copy_tofrom_user((__force void __user *)to, from,
-   n - over) + over;
-   }
++  memset(to, 0, n);
return n;
 }
 
 static inline unsigned long copy_to_user(void __user *to,
const void *from, unsigned long n)
 {
-   unsigned long over;
-
if (access_ok(VERIFY_WRITE, to, n))
return __copy_tofrom_user(to, (__force void __user *)from, n);
-   if ((unsigned long)to < TASK_SIZE) {
-   over = (unsigned long)to + n - TASK_SIZE;
-   return __copy_tofrom_user(to, (__force void __user *)from,
-   n - over) + over;
-   }
return n;
 }
 
@@ -437,10 +424,6 @@ static inline unsigned long clear_user(v
might_fault();
if (likely(access_ok(VERIFY_WRITE, addr, size)))
return __clear_user(addr, size);
-   if ((unsigned long)addr < TASK_SIZE) {
-   unsigned long over = (unsigned long)addr + size - TASK_SIZE;
-   return __clear_user(addr, size - over) + over;
-   }
return size;
 }
 

Re: [PATCH 2/2] net: thunderx: Support for byte queue limits

[Florian Fainelli]

On 09/22/2016 02:05 AM, sunil.kovv...@gmail.com wrote:
> From: Sunil Goutham 
> 
> This patch adds support for byte queue limits
> 
> Signed-off-by: Sunil Goutham 

Where is the code that calls netdev_tx_reset_queue()? This is needed in
the function that brings down the interface, did your test survive a
up/down/up sequence?

> ---
>  drivers/net/ethernet/cavium/thunder/nicvf_main.c   | 11 ++--
>  drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 30 
> ++
>  2 files changed, 29 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c 
> b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
> index 7d00162..453e3a0 100644
> --- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
> +++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
> @@ -516,7 +516,8 @@ static int nicvf_init_resources(struct nicvf *nic)
>  static void nicvf_snd_pkt_handler(struct net_device *netdev,
> struct cmp_queue *cq,
> struct cqe_send_t *cqe_tx,
> -   int cqe_type, int budget)
> +   int cqe_type, int budget,
> +   unsigned int *tx_pkts, unsigned int *tx_bytes)
>  {
>   struct sk_buff *skb = NULL;
>   struct nicvf *nic = netdev_priv(netdev);
> @@ -547,6 +548,8 @@ static void nicvf_snd_pkt_handler(struct net_device 
> *netdev,
>   }
>   nicvf_put_sq_desc(sq, hdr->subdesc_cnt + 1);
>   prefetch(skb);
> + (*tx_pkts)++;
> + *tx_bytes += skb->len;
>   napi_consume_skb(skb, budget);
>   sq->skbuff[cqe_tx->sqe_ptr] = (u64)NULL;
>   } else {
> @@ -662,6 +665,7 @@ static int nicvf_cq_intr_handler(struct net_device 
> *netdev, u8 cq_idx,
>   struct cmp_queue *cq = >cq[cq_idx];
>   struct cqe_rx_t *cq_desc;
>   struct netdev_queue *txq;
> + unsigned int tx_pkts = 0, tx_bytes = 0;
>  
>   spin_lock_bh(>lock);
>  loop:
> @@ -701,7 +705,7 @@ loop:
>   case CQE_TYPE_SEND:
>   nicvf_snd_pkt_handler(netdev, cq,
> (void *)cq_desc, CQE_TYPE_SEND,
> -   budget);
> +   budget, _pkts, _bytes);
>   tx_done++;
>   break;
>   case CQE_TYPE_INVALID:
> @@ -730,6 +734,9 @@ done:
>   netdev = nic->pnicvf->netdev;
>   txq = netdev_get_tx_queue(netdev,
> nicvf_netdev_qidx(nic, cq_idx));
> + if (tx_pkts)
> + netdev_tx_completed_queue(txq, tx_pkts, tx_bytes);
> +
>   nic = nic->pnicvf;
>   if (netif_tx_queue_stopped(txq) && netif_carrier_ok(netdev)) {
>   netif_tx_start_queue(txq);
> diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c 
> b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
> index 178c5c7..a4fc501 100644
> --- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
> +++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
> @@ -1082,6 +1082,24 @@ static inline void nicvf_sq_add_cqe_subdesc(struct 
> snd_queue *sq, int qentry,
>   imm->len = 1;
>  }
>  
> +static inline void nicvf_sq_doorbell(struct nicvf *nic, struct sk_buff *skb,
> +  int sq_num, int desc_cnt)
> +{
> + struct netdev_queue *txq;
> +
> + txq = netdev_get_tx_queue(nic->pnicvf->netdev,
> +   skb_get_queue_mapping(skb));
> +
> + netdev_tx_sent_queue(txq, skb->len);
> +
> + /* make sure all memory stores are done before ringing doorbell */
> + smp_wmb();
> +
> + /* Inform HW to xmit all TSO segments */
> + nicvf_queue_reg_write(nic, NIC_QSET_SQ_0_7_DOOR,
> +   sq_num, desc_cnt);
> +}
> +
>  /* Segment a TSO packet into 'gso_size' segments and append
>   * them to SQ for transfer
>   */
> @@ -1141,12 +1159,8 @@ static int nicvf_sq_append_tso(struct nicvf *nic, 
> struct snd_queue *sq,
>   /* Save SKB in the last segment for freeing */
>   sq->skbuff[hdr_qentry] = (u64)skb;
>  
> - /* make sure all memory stores are done before ringing doorbell */
> - smp_wmb();
> + nicvf_sq_doorbell(nic, skb, sq_num, desc_cnt);
>  
> - /* Inform HW to xmit all TSO segments */
> - nicvf_queue_reg_write(nic, NIC_QSET_SQ_0_7_DOOR,
> -   sq_num, desc_cnt);
>   nic->drv_stats.tx_tso++;
>   return 1;
>  }
> @@ -1219,12 +1233,8 @@ doorbell:
>   nicvf_sq_add_cqe_subdesc(sq, qentry, tso_sqe, skb);
>   }
>  
> - /* make sure all memory stores are done before ringing doorbell */
> - smp_wmb();
> + nicvf_sq_doorbell(nic, skb, sq_num, subdesc_cnt);
>  
> - /* Inform HW to xmit new packet */
> - 

[PATCH v3] dmaengine: s3c24xx: Add dma_slave_map for s3c2440 devices

[Sam Van Den Berge]

This patch updates the s3c24xx dma driver to be able to pass a
dma_slave_map array via the platform data. This is needed to
be able to use the new, simpler dmaengine API [1].
I used the virtual DMA channels as a parameter for the dma_filter
function. By doing that, I could reuse the existing filter function in
drivers/dma/s3c24xx-dma.c.

I have tested this on my mini2440 board with the audio driver.
According to my observations, dma_request_slave_channel in the
function dmaengine_pcm_new in the file
sound/soc/soc-generic-dmaengine-pcm.c now returns a valid DMA channel
whereas before no DMA channel was returned at that point.

Entries for DMACH_XD0, DMACH_XD1 and DMACH_TIMER are missing because I
don't realy know which driver to use for these.

[1]
http://lists.infradead.org/pipermail/linux-arm-kernel/2015-December/393635.html

Signed-off-by: Sam Van Den Berge 
Reviewed-by: Sylwester Nawrocki 
Acked-by: Arnd Bergmann 
Acked-by: Krzysztof Kozlowski 
---
This patch depends on the audio fixes from Sylwester Nawrocki
(http://www.spinics.net/lists/arm-kernel/msg521918.html)

Changes since v2:
- s/3c2440-sdi/s3c2440-sdi/
- Removed reference to the audio fixes of Sylwester from the commit message
  because I don't think it belongs in the commit message itself.

Changes since v1:
- rename arm into dmaengine in title
- one channel for s3c2440-sdi named "rx-tx"

 arch/arm/mach-s3c24xx/common.c| 35 +++
 drivers/dma/s3c24xx-dma.c |  3 +++
 include/linux/platform_data/dma-s3c24xx.h |  6 ++
 3 files changed, 44 insertions(+)

diff --git a/arch/arm/mach-s3c24xx/common.c b/arch/arm/mach-s3c24xx/common.c
index fe7485d..f6c3f15 100644
--- a/arch/arm/mach-s3c24xx/common.c
+++ b/arch/arm/mach-s3c24xx/common.c
@@ -33,6 +33,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -445,10 +446,44 @@ static struct s3c24xx_dma_channel 
s3c2440_dma_channels[DMACH_MAX] = {
[DMACH_USB_EP4] = { S3C24XX_DMA_APB, true, S3C24XX_DMA_CHANREQ(4, 3), },
 };
 
+static const struct dma_slave_map s3c2440_dma_slave_map[] = {
+   /* TODO: DMACH_XD0 */
+   /* TODO: DMACH_XD1 */
+   { "s3c2440-sdi", "rx-tx", (void *)DMACH_SDI },
+   { "s3c2410-spi.0", "rx", (void *)DMACH_SPI0 },
+   { "s3c2410-spi.0", "tx", (void *)DMACH_SPI0 },
+   { "s3c2410-spi.1", "rx", (void *)DMACH_SPI1 },
+   { "s3c2410-spi.1", "tx", (void *)DMACH_SPI1 },
+   { "s3c2440-uart.0", "rx", (void *)DMACH_UART0 },
+   { "s3c2440-uart.0", "tx", (void *)DMACH_UART0 },
+   { "s3c2440-uart.1", "rx", (void *)DMACH_UART1 },
+   { "s3c2440-uart.1", "tx", (void *)DMACH_UART1 },
+   { "s3c2440-uart.2", "rx", (void *)DMACH_UART2 },
+   { "s3c2440-uart.2", "tx", (void *)DMACH_UART2 },
+   { "s3c2440-uart.3", "rx", (void *)DMACH_UART3 },
+   { "s3c2440-uart.3", "tx", (void *)DMACH_UART3 },
+   /* TODO: DMACH_TIMER */
+   { "s3c24xx-iis", "rx", (void *)DMACH_I2S_IN },
+   { "s3c24xx-iis", "tx", (void *)DMACH_I2S_OUT },
+   { "samsung-ac97", "rx", (void *)DMACH_PCM_IN },
+   { "samsung-ac97", "tx", (void *)DMACH_PCM_OUT },
+   { "samsung-ac97", "rx", (void *)DMACH_MIC_IN },
+   { "s3c-hsudc", "rx0", (void *)DMACH_USB_EP1 },
+   { "s3c-hsudc", "rx1", (void *)DMACH_USB_EP2 },
+   { "s3c-hsudc", "rx2", (void *)DMACH_USB_EP3 },
+   { "s3c-hsudc", "rx3", (void *)DMACH_USB_EP4 },
+   { "s3c-hsudc", "tx0", (void *)DMACH_USB_EP1 },
+   { "s3c-hsudc", "tx1", (void *)DMACH_USB_EP2 },
+   { "s3c-hsudc", "tx2", (void *)DMACH_USB_EP3 },
+   { "s3c-hsudc", "tx3", (void *)DMACH_USB_EP4 }
+};
+
 static struct s3c24xx_dma_platdata s3c2440_dma_platdata = {
.num_phy_channels = 4,
.channels = s3c2440_dma_channels,
.num_channels = DMACH_MAX,
+   .slave_map = s3c2440_dma_slave_map,
+   .slavecnt = ARRAY_SIZE(s3c2440_dma_slave_map),
 };
 
 struct platform_device s3c2440_device_dma = {
diff --git a/drivers/dma/s3c24xx-dma.c b/drivers/dma/s3c24xx-dma.c
index ce67075..d5c85e7 100644
--- a/drivers/dma/s3c24xx-dma.c
+++ b/drivers/dma/s3c24xx-dma.c
@@ -1301,6 +1301,9 @@ static int s3c24xx_dma_probe(struct platform_device *pdev)
s3cdma->slave.device_prep_dma_cyclic = s3c24xx_dma_prep_dma_cyclic;
s3cdma->slave.device_config = s3c24xx_dma_set_runtime_config;
s3cdma->slave.device_terminate_all = s3c24xx_dma_terminate_all;
+   s3cdma->slave.filter.map = pdata->slave_map;
+   s3cdma->slave.filter.mapcnt = pdata->slavecnt;
+   s3cdma->slave.filter.fn = s3c24xx_dma_filter;
 
/* Register as many memcpy channels as there are physical channels */
ret = s3c24xx_dma_init_virtual_channels(s3cdma, >memcpy,
diff --git a/include/linux/platform_data/dma-s3c24xx.h 
b/include/linux/platform_data/dma-s3c24xx.h
index 89ba1b0..4f9aba4 100644
--- 

Re: [PATCH v4 10/10] cpufreq: intel_pstate: Use CPPC to get max performance

[Tim Chen]

On Wed, 2016-09-21 at 22:30 +0200, Rafael J. Wysocki wrote:
> On Wed, Sep 21, 2016 at 9:19 PM, Srinivas Pandruvada
>  wrote:
> > 
> > 
> > +
> > +static void intel_pstate_check_and_enable_itmt(int cpu)
> > +{
> > +   /*
> > +* For checking whether there is any difference in the maximum
> > +* performance for each CPU, need to wait till we have CPPC
> > +* data from all CPUs called from the cpufreq core. If there is a
> > +* difference in the maximum performance, then we have ITMT support.
> > +* If ITMT is supported, update the scheduler core priority for each
> > +* CPU and call to enable the ITMT feature.
> > +*/
> > +   if (cpumask_subset(topology_core_cpumask(cpu), 
> > _read_cpu_mask)) {
> > +   int cpu_index;
> > +   int max_prio;
> > +   struct cpudata *cpu;
> > +   bool itmt_support = false;
> > +
> > +   cpu = all_cpu_data[cpumask_first(_read_cpu_mask)];
> > +   max_prio = cpu->cppc_perf->highest_perf;
> > +   for_each_cpu(cpu_index, _read_cpu_mask) {
> > +   cpu = all_cpu_data[cpu_index];
> > +   if (max_prio != cpu->cppc_perf->highest_perf) {
> > +   itmt_support = true;
> > +   break;
> > +   }
> > +   }
> > +
> > +   if (!itmt_support)
> > +   return;
> > +
> > +   for_each_cpu(cpu_index, _read_cpu_mask) {
> > +   cpu = all_cpu_data[cpu_index];
> > +   
> > sched_set_itmt_core_prio(cpu->cppc_perf->highest_perf,
> > +cpu_index);
> > +   }
> My current understanding is that we need to rebuild sched domains
> after setting the priorities, 

No, that's not true.  We need to rebuild the sched domains only
when the sched domain flags are changed, not when we are changing
the priorities.  Only the sched domain flag is a property of
the sched domain. CPU priority values are not part of sched domain.

Morten had similar question about whether we need to rebuild sched domain
when we change cpu priorities when we first post the patches. 
Peter has explained that it wasn't necessary.
http://lkml.iu.edu/hypermail/linux/kernel/1608.3/01753.html



> so what if there are two CPU packages
> and there are highest_perf differences in both, and we first enumerate
> the first package entirely before getting to the second one?
> 
> In that case we'll schedule the work item after enumerating the first
> package and it may rebuild the sched domains before all priorities are
> set for the second package, may it not?

That is not a problem.  For the second package, all the cpu priorities
are initialized to the same value.  So even if we start to do 
asym_packing in the scheduler for the whole system, 
on the second package, all the cpus are treated equally by the scheduler.
We will operate as if there is no favored core till we update the
priorities of the cpu on the second package.

That said, we don't enable ITMT automatically for 2 package system.
So the explicit sysctl command to enable ITMT and cause the sched domain
rebuild for 2 package system is most likely to come after
we have discovered and set all the cpu priorities.

> 
> This seems to require some more consideration.
> 
> > 
> > +   /*
> > +* Since this function is in the hotcpu notifier callback
> > +* path, submit a task to workqueue to call
> > +* sched_set_itmt_support().
> > +*/
> > +   schedule_work(_itmt_work);
> It doesn't make sense to do this more than once IMO and what if we
> attempt to schedule the work item again when it has been scheduled
> once already?  Don't we need any protection here?

It is not a problem for sched_set_itmt_support to be called more than
once.

First, we will ignore the second call if sched_itmt_capable has already
been set to the same value in the previous sched_set_itmt_support call.
Secondly, the call to update sched_itmt_capable
is protected by the itmt_update_mutex.

Thanks.

Tim

[PATCH 4.4 086/118] genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Boris Brezillon 

commit ebf9ff753c041b296241990aef76163bbb2cc9c8 upstream.

Some irqchip drivers need to take the generic chip lock outside of the
irq context.

Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow
one to disable irqs while entering a critical section protected by
gc->lock.

Note that we do not provide optimized version of these helpers for !SMP,
because they are not called from the hot-path.

[ tglx: Added a comment when these helpers should be [not] used ]

Signed-off-by: Boris Brezillon 
Cc: Jason Cooper 
Cc: Marc Zyngier 
Cc: Nicolas Ferre 
Cc: Alexandre Belloni 
Link: 
http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezil...@free-electrons.com
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/irq.h |   10 ++
 1 file changed, 10 insertions(+)

--- a/include/linux/irq.h
+++ b/include/linux/irq.h
@@ -916,6 +916,16 @@ static inline void irq_gc_lock(struct ir
 static inline void irq_gc_unlock(struct irq_chip_generic *gc) { }
 #endif
 
+/*
+ * The irqsave variants are for usage in non interrupt code. Do not use
+ * them in irq_chip callbacks. Use irq_gc_lock() instead.
+ */
+#define irq_gc_lock_irqsave(gc, flags) \
+   raw_spin_lock_irqsave(&(gc)->lock, flags)
+
+#define irq_gc_unlock_irqrestore(gc, flags)\
+   raw_spin_unlock_irqrestore(&(gc)->lock, flags)
+
 static inline void irq_reg_writel(struct irq_chip_generic *gc,
  u32 val, int reg_offset)
 {

[PATCH 4.4 114/118] mn10300: copy_from_user() should zero on access_ok() failure...

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mn10300/lib/usercopy.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/mn10300/lib/usercopy.c
+++ b/arch/mn10300/lib/usercopy.c
@@ -9,7 +9,7 @@
  * as published by the Free Software Foundation; either version
  * 2 of the Licence, or (at your option) any later version.
  */
-#include 
+#include 
 
 unsigned long
 __generic_copy_to_user(void *to, const void *from, unsigned long n)
@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const
 {
if (access_ok(VERIFY_READ, from, n))
__copy_user_zeroing(to, from, n);
+   else
+   memset(to, 0, n);
return n;
 }
 

[PATCH 4.7 010/184] net/sctp: always initialise sctp_ht_iter::start_fail

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Vegard Nossum 


[ Upstream commit 54236ab09e9696a27baaae693c288920a26e8588 ]

sctp_transport_seq_start() does not currently clear iter->start_fail on
success, but relies on it being zero when it is allocated (by
seq_open_net()).

This can be a problem in the following sequence:

open() // allocates iter (and implicitly sets iter->start_fail = 0)
read()
 - iter->start() // fails and sets iter->start_fail = 1
 - iter->stop() // doesn't call sctp_transport_walk_stop() (correct)
read() again
 - iter->start() // succeeds, but doesn't change iter->start_fail
 - iter->stop() // doesn't call sctp_transport_walk_stop() (wrong)

We should initialize sctp_ht_iter::start_fail to zero if ->start()
succeeds, otherwise it's possible that we leave an old value of 1 there,
which will cause ->stop() to not call sctp_transport_walk_stop(), which
causes all sorts of problems like not calling rcu_read_unlock() (and
preempt_enable()), eventually leading to more warnings like this:

BUG: sleeping function called from invalid context at mm/slab.h:388
in_atomic(): 0, irqs_disabled(): 0, pid: 16551, name: trinity-c2
Preemption disabled at:[] rhashtable_walk_start+0x46/0x150

 [] preempt_count_add+0x1fb/0x280
 [] _raw_spin_lock+0x12/0x40
 [] rhashtable_walk_start+0x46/0x150
 [] sctp_transport_walk_start+0x2f/0x60
 [] sctp_transport_seq_start+0x4d/0x150
 [] traverse+0x170/0x850
 [] seq_read+0x7cc/0x1180
 [] proc_reg_read+0xbc/0x180
 [] do_loop_readv_writev+0x134/0x210
 [] do_readv_writev+0x565/0x660
 [] vfs_readv+0x67/0xa0
 [] do_preadv+0x126/0x170
 [] SyS_preadv+0xc/0x10
 [] do_syscall_64+0x19c/0x410
 [] return_from_SYSCALL_64+0x0/0x6a
 [] 0x

Notice that this is a subtly different stacktrace from the one in commit
5fc382d875 ("net/sctp: terminate rhashtable walk correctly").

Cc: Xin Long 
Cc: Herbert Xu 
Cc: Eric W. Biederman 
Cc: Marcelo Ricardo Leitner 
Signed-off-by: Vegard Nossum 
Acked-By: Neil Horman 
Acked-by: Marcelo Ricardo Leitner 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/sctp/proc.c |1 +
 1 file changed, 1 insertion(+)

--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -293,6 +293,7 @@ static void *sctp_transport_seq_start(st
return ERR_PTR(err);
}
 
+   iter->start_fail = 0;
return sctp_transport_get_idx(seq_file_net(seq), >hti, *pos);
 }
 

Re: [RFC PATCH v1 09/28] x86/efi: Access EFI data as encrypted when SEV is active

[Paolo Bonzini]

On 22/09/2016 20:47, Tom Lendacky wrote:
> > Because the firmware volume is written to high memory in encrypted form,
> > and because the PEI phase runs in 32-bit mode, the firmware code will be
> > encrypted; on the other hand, data that is placed in low memory for the
> > kernel can be unencrypted, thus limiting differences between SME and SEV.
> 
> I like the idea of limiting the differences but it would leave the EFI
> data and ACPI tables exposed and able to be manipulated.

Hmm, that makes sense.  So I guess this has to stay, and Borislav's
proposal doesn't fly either.

Paolo

[PATCH 4.7 015/184] net/mlx5: Added missing check of msg length in verifying its signature

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Paul Blakey 


[ Upstream commit 2c0f8ce1b584a4d7b8ff53140d21dfed99834940 ]

Set and verify signature calculates the signature for each of the
mailbox nodes, even for those that are unused (from cache). Added
a missing length check to set and verify only those which are used.

While here, also moved the setting of msg's nodes token to where we
already go over them. This saves a pass because checksum is disabled,
and the only useful thing remaining that set signature does is setting
the token.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB
adapters')
Signed-off-by: Paul Blakey 

Signed-off-by: Saeed Mahameed 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c |   83 --
 1 file changed, 53 insertions(+), 30 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -143,13 +143,14 @@ static struct mlx5_cmd_layout *get_inst(
return cmd->cmd_buf + (idx << cmd->log_stride);
 }
 
-static u8 xor8_buf(void *buf, int len)
+static u8 xor8_buf(void *buf, size_t offset, int len)
 {
u8 *ptr = buf;
u8 sum = 0;
int i;
+   int end = len + offset;
 
-   for (i = 0; i < len; i++)
+   for (i = offset; i < end; i++)
sum ^= ptr[i];
 
return sum;
@@ -157,41 +158,49 @@ static u8 xor8_buf(void *buf, int len)
 
 static int verify_block_sig(struct mlx5_cmd_prot_block *block)
 {
-   if (xor8_buf(block->rsvd0, sizeof(*block) - sizeof(block->data) - 1) != 
0xff)
+   size_t rsvd0_off = offsetof(struct mlx5_cmd_prot_block, rsvd0);
+   int xor_len = sizeof(*block) - sizeof(block->data) - 1;
+
+   if (xor8_buf(block, rsvd0_off, xor_len) != 0xff)
return -EINVAL;
 
-   if (xor8_buf(block, sizeof(*block)) != 0xff)
+   if (xor8_buf(block, 0, sizeof(*block)) != 0xff)
return -EINVAL;
 
return 0;
 }
 
-static void calc_block_sig(struct mlx5_cmd_prot_block *block, u8 token,
-  int csum)
+static void calc_block_sig(struct mlx5_cmd_prot_block *block)
 {
-   block->token = token;
-   if (csum) {
-   block->ctrl_sig = ~xor8_buf(block->rsvd0, sizeof(*block) -
-   sizeof(block->data) - 2);
-   block->sig = ~xor8_buf(block, sizeof(*block) - 1);
-   }
+   int ctrl_xor_len = sizeof(*block) - sizeof(block->data) - 2;
+   size_t rsvd0_off = offsetof(struct mlx5_cmd_prot_block, rsvd0);
+
+   block->ctrl_sig = ~xor8_buf(block, rsvd0_off, ctrl_xor_len);
+   block->sig = ~xor8_buf(block, 0, sizeof(*block) - 1);
 }
 
-static void calc_chain_sig(struct mlx5_cmd_msg *msg, u8 token, int csum)
+static void calc_chain_sig(struct mlx5_cmd_msg *msg)
 {
struct mlx5_cmd_mailbox *next = msg->next;
+   int size = msg->len;
+   int blen = size - min_t(int, sizeof(msg->first.data), size);
+   int n = (blen + MLX5_CMD_DATA_BLOCK_SIZE - 1)
+   / MLX5_CMD_DATA_BLOCK_SIZE;
+   int i = 0;
 
-   while (next) {
-   calc_block_sig(next->buf, token, csum);
+   for (i = 0; i < n && next; i++)  {
+   calc_block_sig(next->buf);
next = next->next;
}
 }
 
 static void set_signature(struct mlx5_cmd_work_ent *ent, int csum)
 {
-   ent->lay->sig = ~xor8_buf(ent->lay, sizeof(*ent->lay));
-   calc_chain_sig(ent->in, ent->token, csum);
-   calc_chain_sig(ent->out, ent->token, csum);
+   ent->lay->sig = ~xor8_buf(ent->lay, 0,  sizeof(*ent->lay));
+   if (csum) {
+   calc_chain_sig(ent->in);
+   calc_chain_sig(ent->out);
+   }
 }
 
 static void poll_timeout(struct mlx5_cmd_work_ent *ent)
@@ -222,12 +231,17 @@ static int verify_signature(struct mlx5_
struct mlx5_cmd_mailbox *next = ent->out->next;
int err;
u8 sig;
+   int size = ent->out->len;
+   int blen = size - min_t(int, sizeof(ent->out->first.data), size);
+   int n = (blen + MLX5_CMD_DATA_BLOCK_SIZE - 1)
+   / MLX5_CMD_DATA_BLOCK_SIZE;
+   int i = 0;
 
-   sig = xor8_buf(ent->lay, sizeof(*ent->lay));
+   sig = xor8_buf(ent->lay, 0, sizeof(*ent->lay));
if (sig != 0xff)
return -EINVAL;
 
-   while (next) {
+   for (i = 0; i < n && next; i++) {
err = verify_block_sig(next->buf);
if (err)
return err;
@@ -656,7 +670,6 @@ static void cmd_work_handler(struct work
spin_unlock_irqrestore(>alloc_lock, flags);
}
 
-   ent->token = alloc_token(cmd);
cmd->ent_arr[ent->idx] = ent;
lay = get_inst(cmd, 

[PATCH 4.7 012/184] tipc: fix NULL pointer dereference in shutdown()

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Vegard Nossum 


[ Upstream commit d2fbdf76b85bcdfe57b8ef2ba09d20e8ada79abd ]

tipc_msg_create() can return a NULL skb and if so, we shouldn't try to
call tipc_node_xmit_skb() on it.

general protection fault:  [#1] PREEMPT SMP KASAN
CPU: 3 PID: 30298 Comm: trinity-c0 Not tainted 4.7.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: 8800baf09980 ti: 8800595b8000 task.ti: 8800595b8000
RIP: 0010:[]  [] 
tipc_node_xmit_skb+0x6b/0x140
RSP: 0018:8800595bfce8  EFLAGS: 00010246
RAX:  RBX:  RCX: 3023b0e0
RDX:  RSI: dc00 RDI: 83d12580
RBP: 8800595bfd78 R08: ed000b2b7f32 R09: 
R10: fbfff0759725 R11:  R12: 11000b2b7f9f
R13: 8800595bfd58 R14: 83d12580 R15: dc00
FS:  7fcdde242700() GS:88011af8() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7fcddde1db10 CR3: 6874b000 CR4: 06e0
DR0: 7fcdde248000 DR1: 7fcddd73d000 DR2: 7fcdde248000
DR3:  DR6: 0ff0 DR7: 00090602
Stack:
 0018 0018 41b58ab3 83954208
 830bb400 8800595bfd30 8309d767 0018
 0018 8800595bfd78 8309da1a 810ee611
Call Trace:
 [] tipc_shutdown+0x553/0x880
 [] SyS_shutdown+0x14b/0x170
 [] do_syscall_64+0x19c/0x410
 [] entry_SYSCALL64_slow_path+0x25/0x25
Code: 90 00 b4 0b 83 c7 00 f1 f1 f1 f1 4c 8d 6d e0 c7 40 04 00 00 00 f4 c7 
40 08 f3 f3 f3 f3 48 89 d8 48 c1 e8 03 c7 45 b4 00 00 00 00 <80> 3c 30 00 75 78 
48 8d 7b 08 49 8d 75 c0 48 b8 00 00 00 00 00
RIP  [] tipc_node_xmit_skb+0x6b/0x140
 RSP 
---[ end trace 57b0484e351e71f1 ]---

I feel like we should maybe return -ENOMEM or -ENOBUFS, but I'm not sure
userspace is equipped to handle that. Anyway, this is better than a GPF
and looks somewhat consistent with other tipc_msg_create() callers.

Signed-off-by: Vegard Nossum 
Acked-by: Ying Xue 
Acked-by: Jon Maloy 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/tipc/socket.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2180,7 +2180,8 @@ restart:
  TIPC_CONN_MSG, SHORT_H_SIZE,
  0, dnode, onode, dport, oport,
  TIPC_CONN_SHUTDOWN);
-   tipc_node_xmit_skb(net, skb, dnode, tsk->portid);
+   if (skb)
+   tipc_node_xmit_skb(net, skb, dnode, 
tsk->portid);
}
tsk->connected = 0;
sock->state = SS_DISCONNECTING;

[PATCH 4.4 117/118] genirq/msi: Fix broken debug output

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Gleixner 

commit 4364e1a29be16b2783c0bcbc263f61236af64281 upstream.

virq is not required to be the same for all msi descs. Use the base irq number
from the desc in the debug printk.

Reported-by: Ingo Molnar 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/irq/msi.c |1 +
 1 file changed, 1 insertion(+)

--- a/kernel/irq/msi.c
+++ b/kernel/irq/msi.c
@@ -298,6 +298,7 @@ int msi_domain_alloc_irqs(struct irq_dom
ops->msi_finish(, 0);
 
for_each_msi_entry(desc, dev) {
+   virq = desc->irq;
if (desc->nvec_used == 1)
dev_dbg(dev, "irq %d for MSI\n", virq);
else

[PATCH 10/14] GPU-DRM-TTM: Return directly after a failed kobject_init_and_add() in ttm_dma_page_alloc_init()

[SF Markus Elfring]

From: Markus Elfring 
Date: Thu, 22 Sep 2016 16:24:43 +0200

* Return directly after a call of the function "kobject_init_and_add"
  failed here.

* Delete the jump target "err" which became unnecessary with
  this refactoring.

Signed-off-by: Markus Elfring 
---
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c 
b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
index feba278..c21f45f 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
@@ -1102,12 +1102,10 @@ int ttm_dma_page_alloc_init(struct ttm_mem_global 
*glob, unsigned max_pages)
   >kobj, "dma_pool");
if (unlikely(ret != 0)) {
kobject_put(&_manager->kobj);
-   goto err;
+   return ret;
}
ttm_dma_pool_mm_shrink_init(_manager);
return 0;
-err:
-   return ret;
 }
 
 void ttm_dma_page_alloc_fini(void)
-- 
2.10.0

[PATCH 4.4 094/118] m32r: fix __get_user()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/m32r/include/asm/uaccess.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -219,7 +219,7 @@ extern int fixup_exception(struct pt_reg
 #define __get_user_nocheck(x, ptr, size)   \
 ({ \
long __gu_err = 0;  \
-   unsigned long __gu_val; \
+   unsigned long __gu_val = 0; \
might_fault();  \
__get_user_size(__gu_val, (ptr), (size), __gu_err); \
(x) = (__force __typeof__(*(ptr)))__gu_val; \

Re: [PATCH] iio: accel: sca3000_core: avoid potentially uninitialized variable

[Jonathan Cameron]

On 22/09/16 10:43, Arnd Bergmann wrote:
> The newly added __sca3000_get_base_freq function handles all valid
> modes of the SCA3000_REG_ADDR_MODE register, but gcc notices
> that any other value (i.e. 0x00) causes the base_freq variable to
> not get initialized:
> 
> drivers/staging/iio/accel/sca3000_core.c: In function 'sca3000_write_raw':
> drivers/staging/iio/accel/sca3000_core.c:527:23: error: 'base_freq' may be 
> used uninitialized in this function [-Werror=maybe-uninitialized]
> 
> This adds explicit error handling for unexpected register values,
> to ensure this cannot happen.
> 
> Fixes: e0f3fc9b47e6 ("iio: accel: sca3000_core: implemented 
> IIO_CHAN_INFO_SAMP_FREQ")
> Signed-off-by: Arnd Bergmann 
Applied to the togreg branch of iio.git. Initially pushed out as testing for the
autobuilders to play with it.

'Bug' has been there a long time.  The patch just move the code so I'm not
going to rush this one in. Worth hardening this corner though!

Thanks,

Jonathan
> ---
>  drivers/staging/iio/accel/sca3000_core.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/staging/iio/accel/sca3000_core.c 
> b/drivers/staging/iio/accel/sca3000_core.c
> index d626125d7af9..564b36d4f648 100644
> --- a/drivers/staging/iio/accel/sca3000_core.c
> +++ b/drivers/staging/iio/accel/sca3000_core.c
> @@ -468,6 +468,8 @@ static inline int __sca3000_get_base_freq(struct 
> sca3000_state *st,
>   case SCA3000_MEAS_MODE_OP_2:
>   *base_freq = info->option_mode_2_freq;
>   break;
> + default:
> + ret = -EINVAL;
>   }
>  error_ret:
>   return ret;
> 

[PATCH 08/14] GPU-DRM-TTM: Rename a jump label in ttm_dma_pool_shrink_scan()

[SF Markus Elfring]

From: Markus Elfring 
Date: Thu, 22 Sep 2016 16:02:36 +0200

Adjust a jump label according to the current Linux coding style convention.

Signed-off-by: Markus Elfring 
---
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c 
b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
index ce3d361..e3f5542 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
@@ -1025,7 +1025,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct 
shrink_control *sc)
if (!mutex_trylock(&_manager->lock))
return SHRINK_STOP;
if (!_manager->npools)
-   goto out;
+   goto unlock;
pool_offset = ++start_pool % _manager->npools;
list_for_each_entry(p, &_manager->pools, pools) {
unsigned nr_free;
@@ -1046,7 +1046,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct 
shrink_control *sc)
 p->pool->dev_name, p->pool->name, current->pid,
 nr_free, shrink_pages);
}
-out:
+ unlock:
mutex_unlock(&_manager->lock);
return freed;
 }
-- 
2.10.0

[PATCH 07/14] GPU-DRM-TTM: Rename jump labels in ttm_dma_page_pool_free()

[SF Markus Elfring]

From: Markus Elfring 
Date: Thu, 22 Sep 2016 15:32:32 +0200

Adjust jump labels according to the current Linux coding style convention.

Signed-off-by: Markus Elfring 
---
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c 
b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
index 9dc1632..ce3d361 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
@@ -449,7 +449,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool 
*pool, unsigned nr_free,
return 0;
}
INIT_LIST_HEAD(_pages);
-restart:
+ lock_restart:
spin_lock_irqsave(>lock, irq_flags);
 
/* We picking the oldest ones off the list */
@@ -489,14 +489,13 @@ restart:
 
/* free all so restart the processing */
if (nr_free)
-   goto restart;
+   goto lock_restart;
 
/* Not allowed to fall through or break because
 * following context is inside spinlock while we are
 * outside here.
 */
-   goto out;
-
+   goto check_pages_to_free;
}
}
 
@@ -510,7 +509,7 @@ restart:
 
if (freed_pages)
ttm_dma_pages_put(pool, _pages, pages_to_free, freed_pages);
-out:
+ check_pages_to_free:
if (pages_to_free != static_buf)
kfree(pages_to_free);
return nr_free;
-- 
2.10.0

[PATCH 4.4 089/118] microblaze: fix __get_user()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/microblaze/include/asm/uaccess.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -227,7 +227,7 @@ extern long __user_bad(void);
 
 #define __get_user(x, ptr) \
 ({ \
-   unsigned long __gu_val; \
+   unsigned long __gu_val = 0; \
/*unsigned long __gu_ptr = (unsigned long)(ptr);*/  \
long __gu_err;  \
switch (sizeof(*(ptr))) {   \

[PATCH] mm: delete unnecessary and unsafe init_tlb_ubc()

[Hugh Dickins]

init_tlb_ubc() looked unnecessary to me: tlb_ubc is statically initialized
with zeroes in the init_task, and copied from parent to child while it is
quiescent in arch_dup_task_struct(); so I went to delete it.

But inserted temporary debug WARN_ONs in place of init_tlb_ubc() to check
that it was always empty at that point, and found them firing: because
memcg reclaim can recurse into global reclaim (when allocating biosets
for swapout in my case), and arrive back at the init_tlb_ubc() in
shrink_node_memcg().

Resetting tlb_ubc.flush_required at that point is wrong: if the upper
level needs a deferred TLB flush, but the lower level turns out not to,
we miss a TLB flush.  But fortunately, that's the only part of the
protocol that does not nest: with the initialization removed, cpumask 
collects bits from upper and lower levels, and flushes TLB when needed.

Fixes: 72b252aed506 ("mm: send one IPI per CPU to TLB flush all entries after 
unmapping pages")
Signed-off-by: Hugh Dickins 
Cc: sta...@vger.kernel.org # 4.3+
---

 mm/vmscan.c |   19 ---
 1 file changed, 19 deletions(-)

--- 4.8-rc7/mm/vmscan.c 2016-09-05 16:42:52.496692429 -0700
+++ linux/mm/vmscan.c   2016-09-22 09:32:37.900894833 -0700
@@ -2303,23 +2303,6 @@ out:
}
 }
 
-#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
-static void init_tlb_ubc(void)
-{
-   /*
-* This deliberately does not clear the cpumask as it's expensive
-* and unnecessary. If there happens to be data in there then the
-* first SWAP_CLUSTER_MAX pages will send an unnecessary IPI and
-* then will be cleared.
-*/
-   current->tlb_ubc.flush_required = false;
-}
-#else
-static inline void init_tlb_ubc(void)
-{
-}
-#endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */
-
 /*
  * This is a basic per-node page freer.  Used by both kswapd and direct 
reclaim.
  */
@@ -2355,8 +2338,6 @@ static void shrink_node_memcg(struct pgl
scan_adjusted = (global_reclaim(sc) && !current_is_kswapd() &&
 sc->priority == DEF_PRIORITY);
 
-   init_tlb_ubc();
-
blk_start_plug();
while (nr[LRU_INACTIVE_ANON] || nr[LRU_ACTIVE_FILE] ||
nr[LRU_INACTIVE_FILE]) {

[PATCH 4.4 035/118] iio: fix pressure data output unit in hid-sensor-attributes

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Kweh, Hock Leong 

commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream.

According to IIO ABI definition, IIO_PRESSURE data output unit is
kilopascal:
http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio

This patch fix output unit of HID pressure sensor IIO driver from pascal to
kilopascal to follow IIO ABI definition.

Signed-off-by: Kweh, Hock Leong 
Reviewed-by: Srinivas Pandruvada 
Signed-off-by: Jonathan Cameron 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iio/common/hid-sensors/hid-sensor-attributes.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
@@ -56,8 +56,8 @@ static struct {
{HID_USAGE_SENSOR_ALS, 0, 1, 0},
{HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
 
-   {HID_USAGE_SENSOR_PRESSURE, 0, 10, 0},
-   {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0},
+   {HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
+   {HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
 };
 
 static int pow_10(unsigned power)

[PATCH 4.7 014/184] net/mlx5: Fix pci error recovery flow

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Mohamad Haj Yahia 


[ Upstream commit 1061c90f524963a0a90e7d2f9a6bfa666458af51 ]

When PCI error is detected we should save the state of the pci prior to
disabling it.

Also when receiving pci slot reset call we need to verify that the
device is responsive.

Fixes: 89d44f0a6c73 ('net/mlx5_core: Add pci error handlers to mlx5_core
driver')
Signed-off-by: Mohamad Haj Yahia 

Signed-off-by: Saeed Mahameed 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/mellanox/mlx5/core/main.c |   59 -
 1 file changed, 29 insertions(+), 30 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -1392,36 +1392,12 @@ static pci_ers_result_t mlx5_pci_err_det
dev_info(>dev, "%s was called\n", __func__);
mlx5_enter_error_state(dev);
mlx5_unload_one(dev, priv);
+   pci_save_state(pdev);
mlx5_pci_disable_device(dev);
return state == pci_channel_io_perm_failure ?
PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_NEED_RESET;
 }
 
-static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev)
-{
-   struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
-   int err = 0;
-
-   dev_info(>dev, "%s was called\n", __func__);
-
-   err = mlx5_pci_enable_device(dev);
-   if (err) {
-   dev_err(>dev, "%s: mlx5_pci_enable_device failed with 
error code: %d\n"
-   , __func__, err);
-   return PCI_ERS_RESULT_DISCONNECT;
-   }
-   pci_set_master(pdev);
-   pci_set_power_state(pdev, PCI_D0);
-   pci_restore_state(pdev);
-
-   return err ? PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_RECOVERED;
-}
-
-void mlx5_disable_device(struct mlx5_core_dev *dev)
-{
-   mlx5_pci_err_detected(dev->pdev, 0);
-}
-
 /* wait for the device to show vital signs by waiting
  * for the health counter to start counting.
  */
@@ -1449,21 +1425,44 @@ static int wait_vital(struct pci_dev *pd
return -ETIMEDOUT;
 }
 
-static void mlx5_pci_resume(struct pci_dev *pdev)
+static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev)
 {
struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
-   struct mlx5_priv *priv = >priv;
int err;
 
dev_info(>dev, "%s was called\n", __func__);
 
-   pci_save_state(pdev);
-   err = wait_vital(pdev);
+   err = mlx5_pci_enable_device(dev);
if (err) {
+   dev_err(>dev, "%s: mlx5_pci_enable_device failed with 
error code: %d\n"
+   , __func__, err);
+   return PCI_ERS_RESULT_DISCONNECT;
+   }
+
+   pci_set_master(pdev);
+   pci_restore_state(pdev);
+
+   if (wait_vital(pdev)) {
dev_err(>dev, "%s: wait_vital timed out\n", __func__);
-   return;
+   return PCI_ERS_RESULT_DISCONNECT;
}
 
+   return PCI_ERS_RESULT_RECOVERED;
+}
+
+void mlx5_disable_device(struct mlx5_core_dev *dev)
+{
+   mlx5_pci_err_detected(dev->pdev, 0);
+}
+
+static void mlx5_pci_resume(struct pci_dev *pdev)
+{
+   struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
+   struct mlx5_priv *priv = >priv;
+   int err;
+
+   dev_info(>dev, "%s was called\n", __func__);
+
err = mlx5_load_one(dev, priv);
if (err)
dev_err(>dev, "%s: mlx5_load_one failed with error code: 
%d\n"

[PATCH 4.7 011/184] net: ipv6: Do not keep IPv6 addresses when IPv6 is disabled

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Mike Manning 


[ Upstream commit bc5616325af0cd919f01cbf6d553aa0a ]

If IPv6 is disabled when the option is set to keep IPv6
addresses on link down, userspace is unaware of this as
there is no such indication via netlink. The solution is to
remove the IPv6 addresses in this case, which results in
netlink messages indicating removal of addresses in the
usual manner. This fix also makes the behavior consistent
with the case of having IPv6 disabled first, which stops
IPv6 addresses from being added.

Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional")
Signed-off-by: Mike Manning 
Acked-by: David Ahern 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv6/addrconf.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3469,7 +3469,7 @@ static int addrconf_ifdown(struct net_de
/* combine the user config with event to determine if permanent
 * addresses are to be removed from address hash table
 */
-   keep_addr = !(how || _keep_addr <= 0);
+   keep_addr = !(how || _keep_addr <= 0 || idev->cnf.disable_ipv6);
 
/* Step 2: clear hash table */
for (i = 0; i < IN6_ADDR_HSIZE; i++) {
@@ -3525,7 +3525,7 @@ restart:
/* re-combine the user config with event to determine if permanent
 * addresses are to be removed from the interface list
 */
-   keep_addr = (!how && _keep_addr > 0);
+   keep_addr = (!how && _keep_addr > 0 && !idev->cnf.disable_ipv6);
 
INIT_LIST_HEAD(_list);
list_for_each_entry_safe(ifa, tmp, >addr_list, if_list) {

[PATCH 4.7 017/184] net sched: fix encoding to use real length

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Jamal Hadi Salim 


[ Upstream commit 28a10c426e81afc88514bca8e73affccf850fdf6 ]

Encoding of the metadata was using the padded length as opposed to
the real length of the data which is a bug per specification.
This has not been an issue todate because all metadatum specified
so far has been 32 bit where aligned and data length are the same width.
This also includes a bug fix for validating the length of a u16 field.
But since there is no metadata of size u16 yes we are fine to include it
here.

While at it get rid of magic numbers.

Fixes: ef6980b6becb ("net sched: introduce IFE action")
Signed-off-by: Jamal Hadi Salim 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/sched/act_ife.c |   18 ++
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -52,7 +52,7 @@ int ife_tlv_meta_encode(void *skbdata, u
u32 *tlv = (u32 *)(skbdata);
u16 totlen = nla_total_size(dlen);  /*alignment + hdr */
char *dptr = (char *)tlv + NLA_HDRLEN;
-   u32 htlv = attrtype << 16 | totlen;
+   u32 htlv = attrtype << 16 | dlen;
 
*tlv = htonl(htlv);
memset(dptr, 0, totlen - NLA_HDRLEN);
@@ -134,7 +134,7 @@ EXPORT_SYMBOL_GPL(ife_release_meta_gen);
 
 int ife_validate_meta_u32(void *val, int len)
 {
-   if (len == 4)
+   if (len == sizeof(u32))
return 0;
 
return -EINVAL;
@@ -143,8 +143,8 @@ EXPORT_SYMBOL_GPL(ife_validate_meta_u32)
 
 int ife_validate_meta_u16(void *val, int len)
 {
-   /* length will include padding */
-   if (len == NLA_ALIGN(2))
+   /* length will not include padding */
+   if (len == sizeof(u16))
return 0;
 
return -EINVAL;
@@ -652,12 +652,14 @@ static int tcf_ife_decode(struct sk_buff
u8 *tlvdata = (u8 *)tlv;
u16 mtype = tlv->type;
u16 mlen = tlv->len;
+   u16 alen;
 
mtype = ntohs(mtype);
mlen = ntohs(mlen);
+   alen = NLA_ALIGN(mlen);
 
-   if (find_decode_metaid(skb, ife, mtype, (mlen - 4),
-  (void *)(tlvdata + 4))) {
+   if (find_decode_metaid(skb, ife, mtype, (mlen - NLA_HDRLEN),
+  (void *)(tlvdata + NLA_HDRLEN))) {
/* abuse overlimits to count when we receive metadata
 * but dont have an ops for it
 */
@@ -666,8 +668,8 @@ static int tcf_ife_decode(struct sk_buff
ife->tcf_qstats.overlimits++;
}
 
-   tlvdata += mlen;
-   ifehdrln -= mlen;
+   tlvdata += alen;
+   ifehdrln -= alen;
tlv = (struct meta_tlvhdr *)tlvdata;
}
 

[PATCH 4.4 006/118] fscrypto: require write access to mount to set encryption policy

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Biggers 

commit ba63f23d69a3a10e7e527a02702023da68ef8a6d upstream.

Since setting an encryption policy requires writing metadata to the
filesystem, it should be guarded by mnt_want_write/mnt_drop_write.
Otherwise, a user could cause a write to a frozen or readonly
filesystem.  This was handled correctly by f2fs but not by ext4.  Make
fscrypt_process_policy() handle it rather than relying on the filesystem
to get it right.

Signed-off-by: Eric Biggers 
Cc: sta...@vger.kernel.org # 4.1+; check fs/{ext4,f2fs}
Signed-off-by: Theodore Ts'o 
Acked-by: Jaegeuk Kim 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/ioctl.c |6 ++
 1 file changed, 6 insertions(+)

--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -629,7 +629,13 @@ resizefs_out:
goto encryption_policy_out;
}
 
+   err = mnt_want_write_file(filp);
+   if (err)
+   goto encryption_policy_out;
+
err = ext4_process_policy(, inode);
+
+   mnt_drop_write_file(filp);
 encryption_policy_out:
return err;
 #else

[PATCH 4.7 019/184] tcp: properly scale window in tcp_v[46]_reqsk_send_ack()

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Eric Dumazet 


[ Upstream commit 20a2b49fc538540819a0c552877086548cff8d8d ]

When sending an ack in SYN_RECV state, we must scale the offered
window if wscale option was negotiated and accepted.

Tested:
 Following packetdrill test demonstrates the issue :

0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0

+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0

// Establish a connection.
+0 < S 0:0(0) win 2 
+0 > S. 0:0(0) ack 1 win 28960 

+0 < . 1:11(10) ack 1 win 156 
// check that window is properly scaled !
+0 > . 1:1(0) ack 1 win 226 

Signed-off-by: Eric Dumazet 
Cc: Yuchung Cheng 
Cc: Neal Cardwell 
Acked-by: Yuchung Cheng 
Acked-by: Neal Cardwell 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp_ipv4.c |8 +++-
 net/ipv6/tcp_ipv6.c |8 +++-
 2 files changed, 14 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -814,8 +814,14 @@ static void tcp_v4_reqsk_send_ack(const
u32 seq = (sk->sk_state == TCP_LISTEN) ? tcp_rsk(req)->snt_isn + 1 :
 tcp_sk(sk)->snd_nxt;
 
+   /* RFC 7323 2.3
+* The window field (SEG.WND) of every outgoing segment, with the
+* exception of  segments, MUST be right-shifted by
+* Rcv.Wind.Shift bits:
+*/
tcp_v4_send_ack(sock_net(sk), skb, seq,
-   tcp_rsk(req)->rcv_nxt, req->rsk_rcv_wnd,
+   tcp_rsk(req)->rcv_nxt,
+   req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
tcp_time_stamp,
req->ts_recent,
0,
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -937,9 +937,15 @@ static void tcp_v6_reqsk_send_ack(const
/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
 */
+   /* RFC 7323 2.3
+* The window field (SEG.WND) of every outgoing segment, with the
+* exception of  segments, MUST be right-shifted by
+* Rcv.Wind.Shift bits:
+*/
tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
-   tcp_rsk(req)->rcv_nxt, req->rsk_rcv_wnd,
+   tcp_rsk(req)->rcv_nxt,
+   req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if,
tcp_v6_md5_do_lookup(sk, _hdr(skb)->daddr),
0, 0);

[PATCH 4.7 001/184] clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Chen-Yu Tsai 

commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e upstream.

The bootloader (U-boot) sometimes uses this timer for various delays.
It uses it as a ongoing counter, and does comparisons on the current
counter value. The timer counter is never stopped.

In some cases when the user interacts with the bootloader, or lets
it idle for some time before loading Linux, the timer may expire,
and an interrupt will be pending. This results in an unexpected
interrupt when the timer interrupt is enabled by the kernel, at
which point the event_handler isn't set yet. This results in a NULL
pointer dereference exception, panic, and no way to reboot.

Clear any pending interrupts after we stop the timer in the probe
function to avoid this.

Signed-off-by: Chen-Yu Tsai 
Signed-off-by: Daniel Lezcano 
Acked-by: Maxime Ripard 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/clocksource/sun4i_timer.c |9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/clocksource/sun4i_timer.c
+++ b/drivers/clocksource/sun4i_timer.c
@@ -123,12 +123,16 @@ static struct clock_event_device sun4i_c
.set_next_event = sun4i_clkevt_next_event,
 };
 
+static void sun4i_timer_clear_interrupt(void)
+{
+   writel(TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_ST_REG);
+}
 
 static irqreturn_t sun4i_timer_interrupt(int irq, void *dev_id)
 {
struct clock_event_device *evt = (struct clock_event_device *)dev_id;
 
-   writel(0x1, timer_base + TIMER_IRQ_ST_REG);
+   sun4i_timer_clear_interrupt();
evt->event_handler(evt);
 
return IRQ_HANDLED;
@@ -193,6 +197,9 @@ static void __init sun4i_timer_init(stru
/* Make sure timer is stopped before playing with interrupts */
sun4i_clkevt_time_stop(0);
 
+   /* clear timer0 interrupt */
+   sun4i_timer_clear_interrupt();
+
sun4i_clockevent.cpumask = cpu_possible_mask;
sun4i_clockevent.irq = irq;
 

[PATCH 09/14] GPU-DRM-TTM: Return directly after a failed kzalloc() in ttm_dma_page_alloc_init()

[SF Markus Elfring]

From: Markus Elfring 
Date: Thu, 22 Sep 2016 16:16:36 +0200

* Return directly after a memory allocation failed in this function
  at the beginning.

* Delete the explicit initialisation for the local variable "ret"
  which became unnecessary with this refactoring.

Signed-off-by: Markus Elfring 
---
 drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c 
b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
index e3f5542..feba278 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
@@ -1080,7 +1080,7 @@ static void ttm_dma_pool_mm_shrink_fini(struct 
ttm_pool_manager *manager)
 
 int ttm_dma_page_alloc_init(struct ttm_mem_global *glob, unsigned max_pages)
 {
-   int ret = -ENOMEM;
+   int ret;
 
WARN_ON(_manager);
 
@@ -1088,7 +1088,7 @@ int ttm_dma_page_alloc_init(struct ttm_mem_global *glob, 
unsigned max_pages)
 
_manager = kzalloc(sizeof(*_manager), GFP_KERNEL);
if (!_manager)
-   goto err;
+   return -ENOMEM;
 
mutex_init(&_manager->lock);
INIT_LIST_HEAD(&_manager->pools);
-- 
2.10.0

Re: "CodingStyle: Clarify and complete chapter 7" in docs-next

[Joe Perches]

On Thu, 2016-09-22 at 13:57 +0200, Jean Delvare wrote:
> Sure. But I'm afraid you keep changing topics and I have no idea where
> you are going. We started with "should there be a space before jump
> labels", then out of nowhere we were discussing the wording of the
> output of checkpatch (how is that related?) and now you pull statistics
> out of your hat, like these numbers imply anything.

No, not out of a hat.  Those are the results of a silly script that
runs checkpatch on every .[ch] kernel file (but not tools/) with:

--show-types --terse --emacs --strict --no-summary --quiet -f

The magnitude of "ERRORS" is high and it's not necessary or useful
to modify old or obsolete code just to reduce that magnitude.

> checkpatch was called checkPATCH for a reason.

That's why I promote the --force option to limit using checkpatch on
files outside of staging.

https://patchwork.kernel.org/patch/9332205/

Andrew?  Are you going to apply that one day?

> ERROR means that the new code isn't allowed to do that. Period.

Disagree.  The compiler doesn't care.  The value of consistency in
reducing defects is very hard to quantify.

Re: [PATCH 1/1] cpufreq: pcc-cpufreq: Re-introduce deadband effect to reduce number of frequency changes

[Andreas Herrmann]

On Mon, Sep 19, 2016 at 10:39:18PM +0300, Stratos Karafotis wrote:
> On Mon, Sep 19, 2016 at 7:16 PM, Andreas Herrmann  wrote:
> > On Fri, Sep 16, 2016 at 09:58:42PM +0300, Stratos Karafotis wrote:
> >> Hi,
> >>
> >> [ I 'm resending this message, because I think some recipients didn't 
> >> receive
> >> it. ]
> >>
> >> On 16/09/2016 12:47 μμ, Andreas Herrmann wrote:
> >> > On Wed, Sep 07, 2016 at 10:32:01AM +0530, Viresh Kumar wrote:
> >> >> On 01-09-16, 15:21, Andreas Herrmann wrote:
> >> >>> On Mon, Aug 29, 2016 at 11:31:53AM +0530, Viresh Kumar wrote:

  ---8<---

> >> > It seems that the decision how to best map load values to target
> >> > frequencies is kind of hardware specific.
> >> >
> >> > Maybe a solution to this is that the cpufreq driver should be able to
> >> > provide a mapping function to overwrite the current default
> >> > calculation.

FYI, I've created new patches to address the issue.

First one will be to introduce a map_load_to_freq function. The
default being what commit 6393d6 introduced (no deadband).  Second
patch will than introduce a specific function for pcc-cpufreq to fall
back to what was used before commit 6393d6.

I just want to assemble gathered performance data and I am planning to
send those patches tomorrow.

> >> I'm not familiar with ppc-cpufreq drive but maybe patch 6393d6 just
> >> uncovered an "issue" that was already existed but only on higher loads.
> >>
> >> Because, with or without patch 6393d6, if the specific CPU doesn't
> >> use a frequency table, there will many frequency transitions in
> >> higher loads too. I believe, though, that the side effect it's smaller
> >> in higher frequencies because CPUs tend to work on lowest and highest
> >> frequencies.
> >
> > Might be. I didn't test this specifically.

Hopefully I'll also find time to gather some ftrace data wrt this.

> >> What about a patch in ppc-cpufreq driver that permits frequency
> >> changes only in specific steps and not in arbitrary values?
> >
> > Which steps would you use? What scheme would be universal usable for
> > all affected system using this driver?
> 
> Just an idea. I would split the frequency range (max_freq - min_freq)
> into ~10 steps. But I'm not familiar with the affected systems and
> of course I can't prove this is an ideal approach.

I've modified the pcc-cpufreq specific map_load_to_freq function to do
just that (map load values to 10 discrete frequency values) instead of
falling back to the deadband (pre-commit-6393d6-version).

Unfortunately this resulted in lower performance compared to
pre-commit-6393d6-version.

> > I had played with an approach to only make use of min_freq and
> > max_freq which eventually didn't result in better performance
> > in comparison to code before commit 6393d6.
> 
> Regards,
> Stratos


Regards,

Andreas

Re: [PATCH 0/2] Fix warnings for i2c-rk3x.c

[Wolfram Sang]

On Thu, Sep 22, 2016 at 07:29:22PM +0800, David Wu wrote:
> David Wu (2):
>   i2c: rk3x: Fix sparse warning
>   i2c: rk3x: fix variable 'min_total_ns' unused warning
> 

Applied to for-next, thanks!



signature.asc
Description: PGP signature

[PATCH 4.7 175/184] parisc: fix copy_from_user()

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit aace880feea38875fbc919761b77e5732a3659ef upstream.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/parisc/include/asm/uaccess.h |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -10,6 +10,7 @@
 #include 
 
 #include 
+#include 
 
 #define VERIFY_READ 0
 #define VERIFY_WRITE 1
@@ -221,13 +222,14 @@ static inline unsigned long __must_check
   unsigned long n)
 {
 int sz = __compiletime_object_size(to);
-int ret = -EFAULT;
+unsigned long ret = n;
 
 if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
 ret = __copy_from_user(to, from, n);
 else
 copy_from_user_overflow();
-
+   if (unlikely(ret))
+   memset(to + (n - ret), 0, ret);
 return ret;
 }
 

[PATCH 4.7 157/184] m32r: fix __get_user()

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/m32r/include/asm/uaccess.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/m32r/include/asm/uaccess.h
+++ b/arch/m32r/include/asm/uaccess.h
@@ -219,7 +219,7 @@ extern int fixup_exception(struct pt_reg
 #define __get_user_nocheck(x, ptr, size)   \
 ({ \
long __gu_err = 0;  \
-   unsigned long __gu_val; \
+   unsigned long __gu_val = 0; \
might_fault();  \
__get_user_size(__gu_val, (ptr), (size), __gu_err); \
(x) = (__force __typeof__(*(ptr)))__gu_val; \

Re: [PATCH v2] fs/select: add vmalloc fallback for select(2)

[Vlastimil Babka]

On 09/22/2016 07:07 PM, Eric Dumazet wrote:

On Thu, 2016-09-22 at 18:56 +0200, Vlastimil Babka wrote:

On 09/22/2016 06:49 PM, Eric Dumazet wrote:
> On Thu, 2016-09-22 at 18:43 +0200, Vlastimil Babka wrote:
>> The select(2) syscall performs a kmalloc(size, GFP_KERNEL) where size grows
>> with the number of fds passed. We had a customer report page allocation
>> failures of order-4 for this allocation. This is a costly order, so it might
>> easily fail, as the VM expects such allocation to have a lower-order 
fallback.
>>
>> Such trivial fallback is vmalloc(), as the memory doesn't have to be
>> physically contiguous. Also the allocation is temporary for the duration of 
the
>> syscall, so it's unlikely to stress vmalloc too much.
>
> vmalloc() uses a vmap_area_lock spinlock, and TLB flushes.
>
> So I guess allowing vmalloc() being called from an innocent application
> doing a select() might be dangerous, especially if this select() happens
> thousands of time per second.

Isn't seq_buf_alloc() similarly exposed? And ipc_alloc()?


Possibly.

We don't have a library function (attempting kmalloc(), fallback to
vmalloc() presumably to avoid abuses, but I guess some patches were
accepted without thinking about this.


So in the case of select() it seems like the memory we need 6 bits per file 
descriptor, multiplied by the highest possible file descriptor (nfds) as passed 
to the syscall. According to the man page of select:


   EINVAL nfds is negative or exceeds the RLIMIT_NOFILE resource limit (see 
getrlimit(2)).


The code actually seems to silently cap the value instead of returning EINVAL 
though? (IIUC):


   /* max_fds can increase, so grab it once to avoid race */
rcu_read_lock();
fdt = files_fdtable(current->files);
max_fds = fdt->max_fds;
rcu_read_unlock();
if (n > max_fds)
n = max_fds;

The default for this cap seems to be 1024 where I checked (again, IIUC, it's 
what ulimit -n returns?). I wasn't able to change it to more than 2048, which 
makes the bitmaps still below PAGE_SIZE.


So if I get that right, the system admin would have to allow really large 
RLIMIT_NOFILE to even make vmalloc() possible here. So I don't see it as a large 
concern?


Vlastimil

[PATCH 4.7 156/184] mn10300: failing __get_user() and get_user() should zero

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mn10300/include/asm/uaccess.h |1 +
 1 file changed, 1 insertion(+)

--- a/arch/mn10300/include/asm/uaccess.h
+++ b/arch/mn10300/include/asm/uaccess.h
@@ -166,6 +166,7 @@ struct __large_struct { unsigned long bu
"2:\n"  \
"   .section.fixup,\"ax\"\n"\
"3:\n\t"\
+   "   mov 0,%1\n" \
"   mov %3,%0\n"\
"   jmp 2b\n"   \
"   .previous\n"\

[PATCH 4.7 170/184] hexagon: fix strncpy_from_user() error return

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.

It's -EFAULT, not -1 (and contrary to the comment in there,
__strnlen_user() can return 0 - on faults).

Acked-by: Richard Kuo 
Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/hexagon/include/asm/uaccess.h |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -103,7 +103,8 @@ static inline long hexagon_strncpy_from_
 {
long res = __strnlen_user(src, n);
 
-   /* return from strnlen can't be zero -- that would be rubbish. */
+   if (unlikely(!res))
+   return -EFAULT;
 
if (res > n) {
copy_from_user(dst, src, n);

[PATCH 4.7 179/184] sparc32: fix copy_from_user()

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit 917400cecb4b52b5cde5417348322bb9c8272fa6 upstream.

Acked-by: David S. Miller 
Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/sparc/include/asm/uaccess_32.h |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -263,8 +263,10 @@ static inline unsigned long copy_from_us
 {
if (n && __access_ok((unsigned long) from, n))
return __copy_user((__force void __user *) to, from, n);
-   else
+   else {
+   memset(to, 0, n);
return n;
+   }
 }
 
 static inline unsigned long __copy_from_user(void *to, const void __user 
*from, unsigned long n)

Re: "CodingStyle: Clarify and complete chapter 7" in docs-next

[Joe Perches]

On Thu, 2016-09-22 at 14:11 +0100, Al Viro wrote:
> The main intent of checkpatch these days appears to be providing an easy
> way of thoughtless inflation of commit counts, everything else be damned.

You've made this statement several times over many years.
I don't believe it's true.
I doubt anyone is getting paid per commit.
Who really cares enough to game some stupid little metric?

If it's really a big deal, name some names.  Otherwise please
stop with this dubious argument/point.

> Some of these checks are common-sense, some are
> absolutely arbitrary,

Essentially all of the checkpatch rules are arbitrary.
The compiler doesn't care one way or another.

All the checks exist just to make code appear more consistent.

The conceit being that more consistent code is easier for humans
to read and spot potential defects and possible reuse patterns.

[PATCH 4.7 183/184] genirq/msi: Fix broken debug output

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Gleixner 

commit 4364e1a29be16b2783c0bcbc263f61236af64281 upstream.

virq is not required to be the same for all msi descs. Use the base irq number
from the desc in the debug printk.

Reported-by: Ingo Molnar 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/irq/msi.c |1 +
 1 file changed, 1 insertion(+)

--- a/kernel/irq/msi.c
+++ b/kernel/irq/msi.c
@@ -352,6 +352,7 @@ int msi_domain_alloc_irqs(struct irq_dom
ops->msi_finish(, 0);
 
for_each_msi_entry(desc, dev) {
+   virq = desc->irq;
if (desc->nvec_used == 1)
dev_dbg(dev, "irq %d for MSI\n", virq);
else

[PATCH] staging:android:io: Fix multiple styling issues

[Yannis Damigos]

This patch fixes 1 error, 1 warning and 14 checks found by
checkpatch.

Signed-off-by: Yannis Damigos 
---
 drivers/staging/android/ion/ion_of.c | 49 ++--
 1 file changed, 24 insertions(+), 25 deletions(-)

diff --git a/drivers/staging/android/ion/ion_of.c 
b/drivers/staging/android/ion/ion_of.c
index de0899a..c930416 100644
--- a/drivers/staging/android/ion/ion_of.c
+++ b/drivers/staging/android/ion/ion_of.c
@@ -26,17 +26,17 @@
 #include "ion_of.h"
 
 int ion_parse_dt_heap_common(struct device_node *heap_node,
-   struct ion_platform_heap *heap,
-   struct ion_of_heap *compatible)
+struct ion_platform_heap *heap,
+struct ion_of_heap *compatible)
 {
int i;
 
-   for (i = 0; compatible[i].name != NULL; i++) {
+   for (i = 0; compatible[i].name; i++) {
if (of_device_is_compatible(heap_node, compatible[i].compat))
break;
}
 
-   if (compatible[i].name == NULL)
+   if (!compatible[i].name)
return -ENODEV;
 
heap->id = compatible[i].heap_id;
@@ -47,33 +47,33 @@ int ion_parse_dt_heap_common(struct device_node *heap_node,
/* Some kind of callback function pointer? */
 
pr_info("%s: id %d type %d name %s align %lx\n", __func__,
-   heap->id, heap->type, heap->name, heap->align);
+   heap->id, heap->type, heap->name, heap->align);
return 0;
 }
 
 int ion_setup_heap_common(struct platform_device *parent,
-   struct device_node *heap_node,
-   struct ion_platform_heap *heap)
+ struct device_node *heap_node,
+ struct ion_platform_heap *heap)
 {
int ret = 0;
 
switch (heap->type) {
-   case ION_HEAP_TYPE_CARVEOUT:
-   case ION_HEAP_TYPE_CHUNK:
-   if (heap->base && heap->size)
-   return 0;
-
-   ret = of_reserved_mem_device_init(heap->priv);
-   break;
-   default:
-   break;
+   case ION_HEAP_TYPE_CARVEOUT:
+   case ION_HEAP_TYPE_CHUNK:
+   if (heap->base && heap->size)
+   return 0;
+
+   ret = of_reserved_mem_device_init(heap->priv);
+   break;
+   default:
+   break;
}
 
return ret;
 }
 
 struct ion_platform_data *ion_parse_dt(struct platform_device *pdev,
-   struct ion_of_heap *compatible)
+  struct ion_of_heap *compatible)
 {
int num_heaps, ret;
const struct device_node *dt_node = pdev->dev.of_node;
@@ -88,13 +88,13 @@ struct ion_platform_data *ion_parse_dt(struct 
platform_device *pdev,
return ERR_PTR(-EINVAL);
 
heaps = devm_kzalloc(>dev,
-   sizeof(struct ion_platform_heap)*num_heaps,
-   GFP_KERNEL);
+sizeof(struct ion_platform_heap) * num_heaps,
+GFP_KERNEL);
if (!heaps)
return ERR_PTR(-ENOMEM);
 
data = devm_kzalloc(>dev, sizeof(struct ion_platform_data),
-   GFP_KERNEL);
+   GFP_KERNEL);
if (!data)
return ERR_PTR(-ENOMEM);
 
@@ -106,7 +106,7 @@ struct ion_platform_data *ion_parse_dt(struct 
platform_device *pdev,
return ERR_PTR(ret);
 
heap_pdev = of_platform_device_create(node, heaps[i].name,
-   >dev);
+ >dev);
if (!pdev)
return ERR_PTR(-ENOMEM);
heap_pdev->dev.platform_data = [i];
@@ -119,7 +119,6 @@ struct ion_platform_data *ion_parse_dt(struct 
platform_device *pdev,
i++;
}
 
-
data->heaps = heaps;
data->nr = num_heaps;
return data;
@@ -155,14 +154,13 @@ static int rmem_ion_device_init(struct reserved_mem 
*rmem, struct device *dev)
heap->base = rmem->base;
heap->base = rmem->size;
pr_debug("%s: heap %s base %pa size %pa dev %p\n", __func__,
-   heap->name, >base, >size, dev);
+heap->name, >base, >size, dev);
return 0;
 }
 
 static void rmem_ion_device_release(struct reserved_mem *rmem,
-   struct device *dev)
+   struct device *dev)
 {
-   return;
 }
 
 static const struct reserved_mem_ops rmem_dma_ops = {
@@ -181,5 +179,6 @@ static int __init rmem_ion_setup(struct reserved_mem *rmem)
rmem->ops = _dma_ops;
return 0;
 }
+
 

[PATCH 4.7 159/184] nios2: fix __get_user()

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit 2e29f50ad5e23db37dde9be71410d95d50241ecd upstream.

a) should not leave crap on fault
b) should _not_ require access_ok() in any cases.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/nios2/include/asm/uaccess.h |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/nios2/include/asm/uaccess.h
+++ b/arch/nios2/include/asm/uaccess.h
@@ -139,7 +139,7 @@ extern long strnlen_user(const char __us
 
 #define __get_user_unknown(val, size, ptr, err) do {   \
err = 0;\
-   if (copy_from_user(&(val), ptr, size)) {\
+   if (__copy_from_user(&(val), ptr, size)) {  \
err = -EFAULT;  \
}   \
} while (0)
@@ -166,7 +166,7 @@ do {
\
({  \
long __gu_err = -EFAULT;\
const __typeof__(*(ptr)) __user *__gu_ptr = (ptr);  \
-   unsigned long __gu_val; \
+   unsigned long __gu_val = 0; \
__get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\
(x) = (__force __typeof__(x))__gu_val;  \
__gu_err;   \

Re: crash by cdc_acm driver in kernels 4.8-rc1/5

[Wim Osterholt]

> >Please look up the bConfigurationValue for your device
> >in sysfs.

I didn't explicitly say that this was done under kernel-4.7.4, otherwise
it may have been impossible under 4.8 .

On Thu, Sep 22, 2016 at 04:40:50PM +0200, Oliver Neukum wrote:
> 
> OK. Strange. Please do
> 
> dmesg -c
> echo 9 > /proc/sysrq-trigger
> modprobe cdc_acm
> echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> 
> [plug your device in]
> 
> and provide the full output of dmesg after that.

You don't state if this must be done in a safe 4.7.4 or a crashable 4.8.
(if I get that far to retrieve dmesg to a file).

Anyway, echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
results in 'No such file or directory' because there is no 'dynamic_debug'.

The kernel option DYNAMIC_DEBUG was not set.
A new kernel is compiling now..



Groeten, Wim.

[PATCH 4.7 161/184] s390: get_user() should zero on failure

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Al Viro 

commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.

Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/s390/include/asm/uaccess.h |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -209,28 +209,28 @@ int __put_user_bad(void) __attribute__((
__chk_user_ptr(ptr);\
switch (sizeof(*(ptr))) {   \
case 1: {   \
-   unsigned char __x;  \
+   unsigned char __x = 0;  \
__gu_err = __get_user_fn(&__x, ptr, \
 sizeof(*(ptr)));   \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break;  \
};  \
case 2: {   \
-   unsigned short __x; \
+   unsigned short __x = 0; \
__gu_err = __get_user_fn(&__x, ptr, \
 sizeof(*(ptr)));   \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break;  \
};  \
case 4: {   \
-   unsigned int __x;   \
+   unsigned int __x = 0;   \
__gu_err = __get_user_fn(&__x, ptr, \
 sizeof(*(ptr)));   \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
break;  \
};  \
case 8: {   \
-   unsigned long long __x; \
+   unsigned long long __x = 0; \
__gu_err = __get_user_fn(&__x, ptr, \
 sizeof(*(ptr)));   \
(x) = *(__force __typeof__(*(ptr)) *) &__x; \

[PATCH 4.7 073/184] iio: ad799x: Fix buffered capture for ad7991/ad7995/ad7999

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Lars-Peter Clausen 

commit 7d3cc21dab5313a02f2f3ca8164529b828a030d1 upstream.

The data buffer for captured mode for the ad799x driver is allocated in the
update_scan_mode() callback. This callback is not set in the iio_info
struct for the ad7791/ad7995/ad7999, which means that the data buffer is
not allocated when a captured transfer is started. As a result the driver
crashes when the first sample is received. To fix this properly set the
update_scan_mode() callback.

Fixes: d8dca33027c1 ("staging:iio:ad799x: Preallocate sample buffer")
Signed-off-by: Lars-Peter Clausen 
Signed-off-by: Jonathan Cameron 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iio/adc/ad799x.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/adc/ad799x.c
+++ b/drivers/iio/adc/ad799x.c
@@ -533,6 +533,7 @@ static struct attribute_group ad799x_eve
 static const struct iio_info ad7991_info = {
.read_raw = _read_raw,
.driver_module = THIS_MODULE,
+   .update_scan_mode = ad799x_update_scan_mode,
 };
 
 static const struct iio_info ad7993_4_7_8_noirq_info = {

[PATCH 4.7 072/184] iio:ti-ads1015: fix a wrong pointer definition.

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Giorgio Dal Molin 

commit 522caebb2c3684f4a1d154526fb5e33f1381e92a upstream.

The call to i2c_get_clientdata(client) returns a struct iio_dev*, not
the needed struct ads1015_data*. We need here an intermediate step as
in the function: void ads1015_get_channels_config(struct i2c_client *client).

Signed-off-by: Giorgio Dal Molin 
Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
Signed-off-by: Jonathan Cameron 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iio/adc/ti-ads1015.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/ti-ads1015.c
+++ b/drivers/iio/adc/ti-ads1015.c
@@ -403,7 +403,8 @@ static const struct iio_info ads1015_inf
 #ifdef CONFIG_OF
 static int ads1015_get_channels_config_of(struct i2c_client *client)
 {
-   struct ads1015_data *data = i2c_get_clientdata(client);
+   struct iio_dev *indio_dev = i2c_get_clientdata(client);
+   struct ads1015_data *data = iio_priv(indio_dev);
struct device_node *node;
 
if (!client->dev.of_node ||

[PATCH 4.7 035/184] tcp: cwnd does not increase in TCP YeAH

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Artem Germanov 


[ Upstream commit db7196a0d0984b933ccf2cd6a60e26abf466e8a3 ]

Commit 76174004a0f19785a328f40388e87e982bbf69b9
(tcp: do not slow start when cwnd equals ssthresh )
introduced regression in TCP YeAH. Using 100ms delay 1% loss virtual
ethernet link kernel 4.2 shows bandwidth ~500KB/s for single TCP
connection and kernel 4.3 and above (including 4.8-rc4) shows bandwidth
~100KB/s.
   That is caused by stalled cwnd when cwnd equals ssthresh. This patch
fixes it by proper increasing cwnd in this case.

Signed-off-by: Artem Germanov 
Acked-by: Dmitry Adamushko 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp_yeah.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_yeah.c
+++ b/net/ipv4/tcp_yeah.c
@@ -76,7 +76,7 @@ static void tcp_yeah_cong_avoid(struct s
if (!tcp_is_cwnd_limited(sk))
return;
 
-   if (tp->snd_cwnd <= tp->snd_ssthresh)
+   if (tcp_in_slow_start(tp))
tcp_slow_start(tp, acked);
 
else if (!yeah->doing_reno_now) {

[PATCH 4.7 043/184] pNFS: The client must not do I/O to the DS if its lease has expired

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 upstream.

Ensure that the client conforms to the normative behaviour described in
RFC5661 Section 12.7.2: "If a client believes its lease has expired,
it MUST NOT send I/O to the storage device until it has validated its
lease."

So ensure that we wait for the lease to be validated before using
the layout.

Signed-off-by: Trond Myklebust 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfs/pnfs.c |1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1527,6 +1527,7 @@ pnfs_update_layout(struct inode *ino,
}
 
 lookup_again:
+   nfs4_client_recover_expired_lease(clp);
first = false;
spin_lock(>i_lock);
lo = pnfs_find_alloc_layout(ino, ctx, gfp_flags);

[PATCH 4.7 084/184] USB: serial: simple: add support for another Infineon flashloader

[Greg Kroah-Hartman]

4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniele Palmas 

commit f190fd92458da3e869b4e2c6289e2c617490ae53 upstream.

This patch adds support for Infineon flashloader 0x8087/0x0801.

The flashloader is used in Telit LE940B modem family with Telit
flashing application.

Signed-off-by: Daniele Palmas 
Signed-off-by: Johan Hovold 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/usb/serial/usb-serial-simple.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
 /* Infineon Flashloader driver */
 #define FLASHLOADER_IDS()  \
{ USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
-   { USB_DEVICE(0x8087, 0x0716) }
+   { USB_DEVICE(0x8087, 0x0716) }, \
+   { USB_DEVICE(0x8087, 0x0801) }
 DEVICE(flashloader, FLASHLOADER_IDS);
 
 /* Google Serial USB SubClass */

[PATCH 4.4 036/118] iio: accel: kxsd9: Fix scaling bug

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Linus Walleij 

commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.

All the scaling of the KXSD9 involves multiplication with a
fraction number < 1.

However the scaling value returned from IIO_INFO_SCALE was
unpredictable as only the micros of the value was assigned, and
not the integer part, resulting in scaling like this:

$cat in_accel_scale
-1057462640.011978

Fix this by assigning zero to the integer part.

Tested-by: Jonathan Cameron 
Signed-off-by: Linus Walleij 
Signed-off-by: Jonathan Cameron 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iio/accel/kxsd9.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
if (ret < 0)
goto error_ret;
+   *val = 0;
*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
ret = IIO_VAL_INT_PLUS_MICRO;
break;

[PATCH 4.4 018/118] kexec: fix double-free when failing to relocate the purgatory

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Thiago Jung Bauermann 

commit 070c43eea5043e950daa423707ae3c77e2f48edb upstream.

If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs
and pi->purgatory_buf.  This is redundant, because in case of error
kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which
will also free those buffers.

This causes two warnings like the following, one for pi->sechdrs and the
other for pi->purgatory_buf:

  kexec-bzImage64: Loading purgatory failed
  [ cut here ]
  WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0
  Trying to vfree() nonexistent vm area (c9e91000)
  Modules linked in:
  CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
dump_stack+0x4d/0x65
__warn+0xcb/0xf0
warn_slowpath_fmt+0x4f/0x60
? find_vmap_area+0x19/0x70
? kimage_file_post_load_cleanup+0x47/0xb0
__vunmap+0xc1/0xd0
vfree+0x2e/0x70
kimage_file_post_load_cleanup+0x5e/0xb0
SyS_kexec_file_load+0x448/0x680
? putname+0x54/0x60
? do_sys_open+0x190/0x1f0
entry_SYSCALL_64_fastpath+0x13/0x8f
  ---[ end trace 158bb74f5950ca2b ]---

Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree
won't try to free a NULL pointer.

Link: 
http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauer...@linux.vnet.ibm.com
Signed-off-by: Thiago Jung Bauermann 
Acked-by: Baoquan He 
Cc: "Eric W. Biederman" 
Cc: Vivek Goyal 
Cc: Dave Young 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/kexec_file.c |3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -934,7 +934,10 @@ int kexec_load_purgatory(struct kimage *
return 0;
 out:
vfree(pi->sechdrs);
+   pi->sechdrs = NULL;
+
vfree(pi->purgatory_buf);
+   pi->purgatory_buf = NULL;
return ret;
 }
 

[PATCH 4.4 039/118] serial: 8250_mid: fix divide error bug if baud rate is 0

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Andy Shevchenko 

commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 upstream.

Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by
formula for Intel MID"), the 8250 driver crashes in the byt_set_termios()
function with a divide error. This is caused by the fact that a baud rate of 0
(B0) is not handled properly. Fix it by falling back to B9600 in this case.

Reported-by: "Mendez Salinas, Fernando" 
Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for 
Intel MID")
Signed-off-by: Andy Shevchenko 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/serial/8250/8250_mid.c |3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/serial/8250/8250_mid.c
+++ b/drivers/tty/serial/8250/8250_mid.c
@@ -149,6 +149,9 @@ static void mid8250_set_termios(struct u
unsigned long w = BIT(24) - 1;
unsigned long mul, div;
 
+   /* Gracefully handle the B0 case: fall back to B9600 */
+   fuart = fuart ? fuart : 9600 * 16;
+
if (mid->board->freq < fuart) {
/* Find prescaler value that satisfies Fuart < Fref */
if (mid->board->freq > baud)