[PATCH] staging: ade7759: Fix open parenthesis alignment

2018-02-10 Thread rodrigosiqueira
This patch fixes the CHECKs reported by checkpatch.pl for "alignment
should match open parenthesis"

Signed-off-by: rodrigosiqueira 
---
 drivers/staging/iio/meter/ade7759.c | 80 ++---
 1 file changed, 38 insertions(+), 42 deletions(-)

diff --git a/drivers/staging/iio/meter/ade7759.c 
b/drivers/staging/iio/meter/ade7759.c
index d99cf508d8d0..1decb2b8afab 100644
--- a/drivers/staging/iio/meter/ade7759.c
+++ b/drivers/staging/iio/meter/ade7759.c
@@ -72,8 +72,8 @@ struct ade7759_state {
 };
 
 static int ade7759_spi_write_reg_8(struct device *dev,
-   u8 reg_address,
-   u8 val)
+  u8 reg_address,
+  u8 val)
 {
int ret;
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
@@ -91,8 +91,8 @@ static int ade7759_spi_write_reg_8(struct device *dev,
 
 /*Unlocked version of ade7759_spi_write_reg_16 function */
 static int __ade7759_spi_write_reg_16(struct device *dev,
-   u8 reg_address,
-   u16 value)
+ u8 reg_address,
+ u16 value)
 {
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ade7759_state *st = iio_priv(indio_dev);
@@ -104,8 +104,8 @@ static int __ade7759_spi_write_reg_16(struct device *dev,
 }
 
 static int ade7759_spi_write_reg_16(struct device *dev,
-   u8 reg_address,
-   u16 value)
+   u8 reg_address,
+   u16 value)
 {
int ret;
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
@@ -119,8 +119,8 @@ static int ade7759_spi_write_reg_16(struct device *dev,
 }
 
 static int ade7759_spi_read_reg_8(struct device *dev,
-   u8 reg_address,
-   u8 *val)
+ u8 reg_address,
+ u8 *val)
 {
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ade7759_state *st = iio_priv(indio_dev);
@@ -128,8 +128,9 @@ static int ade7759_spi_read_reg_8(struct device *dev,
 
ret = spi_w8r8(st->us, ADE7759_READ_REG(reg_address));
if (ret < 0) {
-   dev_err(>us->dev, "problem when reading 8 bit register 
0x%02X",
-   reg_address);
+   dev_err(>us->dev,
+   "problem when reading 8 bit register 0x%02X",
+   reg_address);
return ret;
}
*val = ret;
@@ -138,8 +139,8 @@ static int ade7759_spi_read_reg_8(struct device *dev,
 }
 
 static int ade7759_spi_read_reg_16(struct device *dev,
-   u8 reg_address,
-   u16 *val)
+  u8 reg_address,
+  u16 *val)
 {
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ade7759_state *st = iio_priv(indio_dev);
@@ -158,8 +159,8 @@ static int ade7759_spi_read_reg_16(struct device *dev,
 }
 
 static int ade7759_spi_read_reg_40(struct device *dev,
-   u8 reg_address,
-   u64 *val)
+  u8 reg_address,
+  u64 *val)
 {
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ade7759_state *st = iio_priv(indio_dev);
@@ -179,8 +180,9 @@ static int ade7759_spi_read_reg_40(struct device *dev,
 
ret = spi_sync_transfer(st->us, xfers, ARRAY_SIZE(xfers));
if (ret) {
-   dev_err(>us->dev, "problem when reading 40 bit register 
0x%02X",
-   reg_address);
+   dev_err(>us->dev,
+   "problem when reading 40 bit register 0x%02X",
+   reg_address);
goto error_ret;
}
*val = ((u64)st->rx[1] << 32) | ((u64)st->rx[2] << 24) |
@@ -192,8 +194,8 @@ static int ade7759_spi_read_reg_40(struct device *dev,
 }
 
 static ssize_t ade7759_read_8bit(struct device *dev,
-   struct device_attribute *attr,
-   char *buf)
+struct device_attribute *attr,
+char *buf)
 {
int ret;
u8 val = 0;
@@ -207,8 +209,8 @@ static ssize_t ade7759_read_8bit(struct device *dev,
 }
 
 static ssize_t ade7759_read_16bit(struct device *dev,
-   struct device_attribute *attr,
-   char *buf)
+ struct device_attribute *attr,
+ char *buf)
 {
int ret;
u16 val = 0;
@@ -222,8 +224,8 @@ static ssize_t ade7759_read_16bit(struct device *dev,
 }
 
 static ssize_t ade7759_read_40bit(struct device *dev,
-   struct device_attribute *attr,
-   char *buf)
+ struct device_attribute *attr,
+ char *buf)
 {
int ret;
u64 

[PATCH 2/4] watchdog: omap_wdt: change order for setting default timeout

2018-02-10 Thread Marcus Folkesson
watchdog_init_timeout() will preserve the wdd->timeout value if
neither a parameter nor the timeout-sec dt property is set.

Signed-off-by: Marcus Folkesson 
---
 drivers/watchdog/omap_wdt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/watchdog/omap_wdt.c b/drivers/watchdog/omap_wdt.c
index 1b02bfa81b29..ae77112ce97f 100644
--- a/drivers/watchdog/omap_wdt.c
+++ b/drivers/watchdog/omap_wdt.c
@@ -253,10 +253,10 @@ static int omap_wdt_probe(struct platform_device *pdev)
wdev->wdog.ops = _wdt_ops;
wdev->wdog.min_timeout = TIMER_MARGIN_MIN;
wdev->wdog.max_timeout = TIMER_MARGIN_MAX;
+   wdev->wdog.timeout = TIMER_MARGIN_DEFAULT;
wdev->wdog.parent = >dev;
 
-   if (watchdog_init_timeout(>wdog, timer_margin, >dev) < 0)
-   wdev->wdog.timeout = TIMER_MARGIN_DEFAULT;
+   watchdog_init_timeout(>wdog, timer_margin, >dev);
 
watchdog_set_nowayout(>wdog, nowayout);
 
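Review bot: The default assignment now has to stay ahead of the `watchdog_init_timeout()` call for this probe path to end up with a usable timeout, and nothing in the code says so. A one-line comment above the new assignment, such as `/* Default; watchdog_init_timeout() replaces it only with a valid parameter or DT value */`, would keep a later reorder from undoing the fix. The return value is also dropped, so an out-of-range `timer_margin` is presumably replaced by the default without any message unless the watchdog core logs it; that is worth confirming. The same ordering dependency applies to the gpio_wdt hunk in patch 3/4, and omap_wdt_probe() continues outside the hunk.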
-- 
2.15.1



[PATCH 4/4] watchdog: lpc18xx: remove assignment of unused ret-value

2018-02-10 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 drivers/watchdog/lpc18xx_wdt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c
index b4221f43cd94..331cadb459ac 100644
--- a/drivers/watchdog/lpc18xx_wdt.c
+++ b/drivers/watchdog/lpc18xx_wdt.c
@@ -265,7 +265,7 @@ static int lpc18xx_wdt_probe(struct platform_device *pdev)
lpc18xx_wdt->wdt_dev.parent = dev;
watchdog_set_drvdata(_wdt->wdt_dev, lpc18xx_wdt);
 
-   ret = watchdog_init_timeout(_wdt->wdt_dev, heartbeat, dev);
+   watchdog_init_timeout(_wdt->wdt_dev, heartbeat, dev);
 
__lpc18xx_wdt_set_timeout(lpc18xx_wdt);
 
-- 
2.15.1



[PATCH 3/4] watchdog: gpio: change order for setting default timeout

2018-02-10 Thread Marcus Folkesson
watchdog_init_timeout() will preserve the wdd->timeout value if
neither a parameter nor the timeout-sec dt property is set.

Signed-off-by: Marcus Folkesson 
---
 drivers/watchdog/gpio_wdt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/watchdog/gpio_wdt.c b/drivers/watchdog/gpio_wdt.c
index cb66c2f99ff1..d0e8203f7a60 100644
--- a/drivers/watchdog/gpio_wdt.c
+++ b/drivers/watchdog/gpio_wdt.c
@@ -156,9 +156,9 @@ static int gpio_wdt_probe(struct platform_device *pdev)
priv->wdd.min_timeout   = SOFT_TIMEOUT_MIN;
priv->wdd.max_hw_heartbeat_ms = hw_margin;
priv->wdd.parent= >dev;
+   priv->wdd.timeout = SOFT_TIMEOUT_DEF;
 
-   if (watchdog_init_timeout(>wdd, 0, >dev) < 0)
-   priv->wdd.timeout = SOFT_TIMEOUT_DEF;
+   watchdog_init_timeout(>wdd, 0, >dev);
 
watchdog_stop_on_reboot(>wdd);
 
-- 
2.15.1



[PATCH v2 4/6] X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs

2018-02-10 Thread David Woodhouse
From: KarimAllah Ahmed 

These two variables should indicate whether SPEC_CTRL and PRED_CMD are
supposed to be passed through to L2 guests or not, whereas
msr_write_intercepted_l01 returns 'true' if the MSR is not passed through.

So just invert the result of msr_write_intercepted_l01 to implement the
correct semantics.

Fixes: 086e7d4118cc ("KVM: VMX: Allow direct access to MSR_IA32_SPEC_CTRL")
Signed-off-by: KarimAllah Ahmed 
Signed-off-by: David Woodhouse 
Reviewed-by: Jim Mattson 
Cc: Paolo Bonzini 
Cc: Radim Krčmář 
Cc: k...@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
 arch/x86/kvm/vmx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index bee4c49..599179b 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10219,8 +10219,8 @@ static inline bool nested_vmx_merge_msr_bitmap(struct 
kvm_vcpu *vcpu,
 *updated to reflect this when L1 (or its L2s) actually write to
 *the MSR.
 */
-   bool pred_cmd = msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD);
-   bool spec_ctrl = msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL);
+   bool pred_cmd = !msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD);
+   bool spec_ctrl = !msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL);
 
if (!nested_cpu_has_virt_x2apic_mode(vmcs12) &&
!pred_cmd && !spec_ctrl)
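Review bot: The names `pred_cmd` and `spec_ctrl` do not say which polarity they carry, which is presumably how the inverted test got in; a comment above the two declarations would pin it down, for example `/* true when the MSR write is passed through to L1, i.e. not intercepted */`. With that in place the `!pred_cmd && !spec_ctrl` condition below reads as "neither MSR is passed through". These flags feed the decision on whether an L2 guest may write the speculation-control MSRs directly, so the intended polarity deserves to be explicit. nested_vmx_merge_msr_bitmap() starts and ends outside the hunk, so the later uses of both variables are not visible here.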
-- 
2.7.4



[PATCH v2 2/6] Revert "x86/speculation: Simplify indirect_branch_prediction_barrier()"

2018-02-10 Thread David Woodhouse
This reverts commit 64e16720ea0879f8ab4547e3b9758936d483909b.

We cannot call C functions like that, without marking all the
call-clobbered registers as, well, clobbered. We might have got away
with it for now because the __ibp_barrier() function was *fairly*
unlikely to actually use any other registers. But no. Just no.

Signed-off-by: David Woodhouse 
---
 arch/x86/include/asm/nospec-branch.h | 13 +
 arch/x86/include/asm/processor.h |  3 ---
 arch/x86/kernel/cpu/bugs.c   |  6 --
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/arch/x86/include/asm/nospec-branch.h 
b/arch/x86/include/asm/nospec-branch.h
index 4d57894..300cc15 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -164,10 +164,15 @@ static inline void vmexit_fill_RSB(void)
 
 static inline void indirect_branch_prediction_barrier(void)
 {
-   alternative_input("",
- "call __ibp_barrier",
- X86_FEATURE_USE_IBPB,
- ASM_NO_INPUT_CLOBBER("eax", "ecx", "edx", "memory"));
+   asm volatile(ALTERNATIVE("",
+"movl %[msr], %%ecx\n\t"
+"movl %[val], %%eax\n\t"
+"movl $0, %%edx\n\t"
+"wrmsr",
+X86_FEATURE_USE_IBPB)
+: : [msr] "i" (MSR_IA32_PRED_CMD),
+[val] "i" (PRED_CMD_IBPB)
+: "eax", "ecx", "edx", "memory");
 }
 
 #endif /* __ASSEMBLY__ */
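Review bot: The restored asm body in indirect_branch_prediction_barrier() has no comment explaining why the barrier is open-coded, so a later cleanup could turn it back into a call. I would add above the `asm volatile` something like `/* WRMSR is emitted inline: a call here would need every call-clobbered register in the clobber list */`. The clobber list `"eax", "ecx", "edx", "memory"` covers the three registers the sequence loads, which is the property the revert is restoring and the comment should name.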
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 513f960..99799fb 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -969,7 +969,4 @@ bool xen_set_default_idle(void);
 
 void stop_this_cpu(void *dummy);
 void df_debug(struct pt_regs *regs, long error_code);
-
-void __ibp_barrier(void);
-
 #endif /* _ASM_X86_PROCESSOR_H */
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 71949bf..61152aa 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -337,9 +337,3 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
   spectre_v2_module_string());
 }
 #endif
-
-void __ibp_barrier(void)
-{
-   __wrmsr(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, 0);
-}
-EXPORT_SYMBOL_GPL(__ibp_barrier);
-- 
2.7.4



[PATCH v2 0/6] Spectre v2 updates

2018-02-10 Thread David Woodhouse
Using retpoline ensures the kernel is safe because it doesn't contain
any indirect branches, but firmware still can — and we make calls into
firmware at runtime. Where the IBRS microcode support is available, use
that before calling into firmware.

While doing that, I noticed that we were calling C functions without
telling the compiler about the call-clobbered registers. Stop that.

This also contains the always_inline fix for the performance problem
introduced by retpoline in KVM code, and fixes some other issues with
the per-vCPU KVM handling for the SPEC_CTRL MSR.

Finally, update the microcode blacklist to reflect the latest
information from Intel.

v2: Drop IBRS_ALL patch for the time being
Add KVM MSR fixes (karahmed)
Update microcode blacklist



David Woodhouse (4):
  x86/speculation: Update Speculation Control microcode blacklist
  Revert "x86/speculation: Simplify
indirect_branch_prediction_barrier()"
  KVM: x86: Reduce retpoline performance impact in
slot_handle_level_range()
  x86/speculation: Use IBRS if available before calling into firmware

KarimAllah Ahmed (2):
  X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
  KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02 MSR
bitmap

 arch/x86/include/asm/apm.h   |  6 ++
 arch/x86/include/asm/cpufeatures.h   |  1 +
 arch/x86/include/asm/efi.h   | 17 +++--
 arch/x86/include/asm/nospec-branch.h | 32 
 arch/x86/include/asm/processor.h |  3 ---
 arch/x86/kernel/cpu/bugs.c   | 18 +++---
 arch/x86/kernel/cpu/intel.c  |  4 
 arch/x86/kvm/mmu.c   | 10 +-
 arch/x86/kvm/vmx.c   |  7 ---
 drivers/watchdog/hpwdt.c |  3 +++
 10 files changed, 73 insertions(+), 28 deletions(-)

-- 
2.7.4



[PATCH v2 1/6] x86/speculation: Update Speculation Control microcode blacklist

2018-02-10 Thread David Woodhouse
Intel have retroactively blessed the 0xc2 microcode on Skylake mobile
and desktop parts, and the Gemini Lake 0x22 microcode is apparently fine
too. We blacklisted the latter purely because it was present with all
the other problematic ones in the 2018-01-08 release, but now it's
explicitly listed as OK.

We still list 0x84 for the various Kaby Lake / Coffee Lake parts, as
that appeared in one version of the blacklist and then reverted to
0x80 again. We can change it if 0x84 is actually announced to be safe.

Signed-off-by: David Woodhouse 
---
 arch/x86/kernel/cpu/intel.c | 4 
 1 file changed, 4 deletions(-)

diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index 319bf98..f73b814 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -123,8 +123,6 @@ static const struct sku_microcode spectre_bad_microcodes[] 
= {
{ INTEL_FAM6_KABYLAKE_MOBILE,   0x09,   0x84 },
{ INTEL_FAM6_SKYLAKE_X, 0x03,   0x0100013e },
{ INTEL_FAM6_SKYLAKE_X, 0x04,   0x023c },
-   { INTEL_FAM6_SKYLAKE_MOBILE,0x03,   0xc2 },
-   { INTEL_FAM6_SKYLAKE_DESKTOP,   0x03,   0xc2 },
{ INTEL_FAM6_BROADWELL_CORE,0x04,   0x28 },
{ INTEL_FAM6_BROADWELL_GT3E,0x01,   0x1b },
{ INTEL_FAM6_BROADWELL_XEON_D,  0x02,   0x14 },
@@ -136,8 +134,6 @@ static const struct sku_microcode spectre_bad_microcodes[] 
= {
{ INTEL_FAM6_HASWELL_X, 0x02,   0x3b },
{ INTEL_FAM6_HASWELL_X, 0x04,   0x10 },
{ INTEL_FAM6_IVYBRIDGE_X,   0x04,   0x42a },
-   /* Updated in the 20180108 release; blacklist until we know otherwise */
-   { INTEL_FAM6_ATOM_GEMINI_LAKE,  0x01,   0x22 },
/* Observed in the wild */
{ INTEL_FAM6_SANDYBRIDGE_X, 0x06,   0x61b },
{ INTEL_FAM6_SANDYBRIDGE_X, 0x07,   0x712 },
-- 
2.7.4



Re: [PATCH] seq_file: remove redundant assignment of index to m->index

2018-02-10 Thread Matthew Wilcox
On Sat, Feb 10, 2018 at 10:04:23AM -0800, Joe Perches wrote:
> > @@ -120,14 +120,12 @@ static int traverse(struct seq_file *m, loff_t offset)
> >  if (pos + m->count > offset) {
> >  m->from = offset - pos;
> >  m->count -= m->from;
> > -m->index = index;
> >  break;
> >  }
> >  pos += m->count;
> >  m->count = 0;
> >  if (pos == offset) {
> >  index++;
> > -m->index = index;
> >  break;
> >  }
> >  p = m->op->next(m, p, );
> 
> Of course this looks correct, but how
> are you _absolutely sure_ about this?
> 
> Perhaps the m->op->stop(m, p) call below
> the break, which takes m as an argument,
> needs an updated m->index.

Not only that, but ->next might also look at m->index.
This is not performance critical; don't try to optimise it.

  Programmers waste enormous amounts of time thinking about, or worrying
  about, the speed of noncritical parts of their programs, and these
  attempts at efficiency actually have a strong negative impact when
  debugging and maintenance are considered. We should forget about small
  efficiencies, say about 97% of the time: premature optimization is the
  root of all evil. Yet we should not pass up our opportunities in that
  critical 3%.  -- Donald Knuth



[PATCH v3 1/3] KVM: Introduce dedicated vCPUs hint KVM_HINTS_DEDICATED

2018-02-10 Thread Wanpeng Li
From: Wanpeng Li 

This patch introduces dedicated vCPUs hint KVM_HINTS_DEDICATED,  
guest checks this feature bit to determine if they run on dedicated
vCPUs, allowing optimizations.

Cc: Paolo Bonzini 
Cc: Radim Krčmář 
Cc: Eduardo Habkost 
Signed-off-by: Wanpeng Li 
---
 Documentation/virtual/kvm/cpuid.txt  | 12 +++-
 arch/mips/include/asm/kvm_para.h |  5 +
 arch/powerpc/include/asm/kvm_para.h  |  5 +
 arch/s390/include/asm/kvm_para.h |  5 +
 arch/x86/include/asm/kvm_para.h  |  6 ++
 arch/x86/include/uapi/asm/kvm_para.h |  8 ++--
 arch/x86/kernel/kvm.c|  5 +
 include/asm-generic/kvm_para.h   |  5 +
 include/linux/kvm_para.h |  5 +
 9 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/Documentation/virtual/kvm/cpuid.txt 
b/Documentation/virtual/kvm/cpuid.txt
index dcab6dc..e283b88 100644
--- a/Documentation/virtual/kvm/cpuid.txt
+++ b/Documentation/virtual/kvm/cpuid.txt
@@ -23,7 +23,7 @@ This function queries the presence of KVM cpuid leafs.
 
 
 function: define KVM_CPUID_FEATURES (0x4001)
-returns : ebx, ecx, edx = 0
+returns : ebx, ecx
   eax = and OR'ed group of (1 << flag), where each flags is:
 
 
@@ -62,3 +62,13 @@ KVM_FEATURE_CLOCKSOURCE_STABLE_BIT ||24 || host will 
warn if no guest-side
||   || per-cpu warps are expected in
||   || kvmclock.
 --
+
+  edx = and OR'ed group of (1 << flag), where each flags is:
+
+
+flag   || value || meaning
+
+KVM_HINTS_DEDICATED|| 0 || guest checks this feature bit
+   ||   || to determine if they run on 
dedicated
+   ||   || vCPUs, allowing optimizations
+-
diff --git a/arch/mips/include/asm/kvm_para.h b/arch/mips/include/asm/kvm_para.h
index 60b1aa0..bd1f4ee 100644
--- a/arch/mips/include/asm/kvm_para.h
+++ b/arch/mips/include/asm/kvm_para.h
@@ -94,6 +94,11 @@ static inline unsigned int kvm_arch_para_features(void)
return 0;
 }
 
+static inline unsigned int kvm_arch_hint_features(void)
+{
+   return 0;
+}
+
 #ifdef CONFIG_MIPS_PARAVIRT
 static inline bool kvm_para_available(void)
 {
diff --git a/arch/powerpc/include/asm/kvm_para.h 
b/arch/powerpc/include/asm/kvm_para.h
index 336a91a..8e58c00 100644
--- a/arch/powerpc/include/asm/kvm_para.h
+++ b/arch/powerpc/include/asm/kvm_para.h
@@ -61,6 +61,11 @@ static inline unsigned int kvm_arch_para_features(void)
return r;
 }
 
+static inline unsigned int kvm_arch_hint_features(void)
+{
+   return 0;
+}
+
 static inline bool kvm_check_and_clear_guest_paused(void)
 {
return false;
diff --git a/arch/s390/include/asm/kvm_para.h b/arch/s390/include/asm/kvm_para.h
index 74eeec9..b2c935c 100644
--- a/arch/s390/include/asm/kvm_para.h
+++ b/arch/s390/include/asm/kvm_para.h
@@ -193,6 +193,11 @@ static inline unsigned int kvm_arch_para_features(void)
return 0;
 }
 
+static inline unsigned int kvm_arch_hint_features(void)
+{
+   return 0;
+}
+
 static inline bool kvm_check_and_clear_guest_paused(void)
 {
return false;
diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h
index 7b407dd..2c7d368 100644
--- a/arch/x86/include/asm/kvm_para.h
+++ b/arch/x86/include/asm/kvm_para.h
@@ -88,6 +88,7 @@ static inline long kvm_hypercall4(unsigned int nr, unsigned 
long p1,
 #ifdef CONFIG_KVM_GUEST
 bool kvm_para_available(void);
 unsigned int kvm_arch_para_features(void);
+unsigned int kvm_arch_hint_features(void);
 void kvm_async_pf_task_wait(u32 token, int interrupt_kernel);
 void kvm_async_pf_task_wake(u32 token);
 u32 kvm_read_and_reset_pf_reason(void);
@@ -115,6 +116,11 @@ static inline unsigned int kvm_arch_para_features(void)
return 0;
 }
 
+static inline unsigned int kvm_arch_hint_features(void)
+{
+   return 0;
+}
+
 static inline u32 kvm_read_and_reset_pf_reason(void)
 {
return 0;
diff --git a/arch/x86/include/uapi/asm/kvm_para.h 
b/arch/x86/include/uapi/asm/kvm_para.h
index 7a2ade4..e8f5dfb 100644
--- a/arch/x86/include/uapi/asm/kvm_para.h
+++ b/arch/x86/include/uapi/asm/kvm_para.h
@@ -10,8 +10,10 @@
  */
 #define KVM_CPUID_SIGNATURE0x4000
 
-/* This CPUID returns a feature bitmap in eax.  Before enabling a particular
- * paravirtualization, the appropriate feature bit should be checked.
+/* This CPUID returns two feature bitmaps in eax, edx. Before enabling
+ * a particular paravirtualization, the appropriate feature bit should
+ * be checked in eax. The performance hint 

[PATCH v3 3/3] KVM: X86: Don't use PV TLB flush with dedicated vCPUs and steal time disabled

2018-02-10 Thread Wanpeng Li
From: Wanpeng Li 

vCPUs are very unlikely to get preempted when they are the only task
running on a CPU.  PV TLB flush is slower than the native flush in that
case. In addition, avoid traversing all the cpus for pv tlb flush when 
steal time is disabled since pv tlb flush depends on the field in steal 
time for shared data.

Cc: Paolo Bonzini 
Cc: Radim Krčmář 
Cc: Eduardo Habkost 
Signed-off-by: Wanpeng Li 
---
 arch/x86/kernel/kvm.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
index c5566d9..285822f 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -545,7 +545,9 @@ static void __init kvm_guest_init(void)
pv_time_ops.steal_clock = kvm_steal_clock;
}
 
-   if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH))
+   if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH) &&
+   !kvm_para_has_feature(KVM_HINTS_DEDICATED) &&
+   !kvm_para_has_feature(KVM_FEATURE_STEAL_TIME))
pv_mmu_ops.flush_tlb_others = kvm_flush_tlb_others;
 
if (kvm_para_has_feature(KVM_FEATURE_PV_EOI))
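Review bot: Both added conditions look wrong as written, here in kvm_guest_init() and in the matching hunk in kvm_setup_pv_tlb_flush(). `KVM_HINTS_DEDICATED` is tested with `kvm_para_has_feature()`, but the cpuid.txt change in patch 1/3 documents it as flag 0 of the edx hint bitmap and patch 2/3 reads it with `kvm_hint_has_feature()`, so this call would presumably test bit 0 of the eax feature bitmap instead. The steal-time test is negated, which enables PV TLB flush only when steal time is absent, the opposite of what the description asks for. I would expect `!kvm_hint_has_feature(KVM_HINTS_DEDICATED) &&` followed by `kvm_para_has_feature(KVM_FEATURE_STEAL_TIME))` in both places. Both functions extend beyond their hunks.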
@@ -638,7 +640,9 @@ static __init int kvm_setup_pv_tlb_flush(void)
 {
int cpu;
 
-   if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH)) {
+   if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH) &&
+   !kvm_para_has_feature(KVM_HINTS_DEDICATED) &&
+   !kvm_para_has_feature(KVM_FEATURE_STEAL_TIME)) {
for_each_possible_cpu(cpu) {
zalloc_cpumask_var_node(per_cpu_ptr(&__pv_tlb_mask, 
cpu),
GFP_KERNEL, cpu_to_node(cpu));
-- 
2.7.4



[PATCH v3 2/3] KVM: X86: Choose qspinlock when dedicated vCPUs available

2018-02-10 Thread Wanpeng Li
From: Wanpeng Li 

Waiman Long mentioned that:

 Generally speaking, unfair lock performs well for VMs with a small
 number of vCPUs. Native qspinlock may perform better than pvqspinlock
 if there is vCPU pinning and there is no vCPU over-commitment.

This patch uses a KVM_HINTS_DEDICATED performance hint to allow 
hypervisor admin to choose the qspinlock to be used when a dedicated 
vCPU is available.

PV_DEDICATED = 1, PV_UNHALT = anything: default is qspinlock
PV_DEDICATED = 0, PV_UNHALT = 1: default is Hybrid PV queued/unfair lock
PV_DEDICATED = 0, PV_UNHALT = 0: default is tas

Cc: Paolo Bonzini 
Cc: Radim Krčmář 
Cc: Eduardo Habkost 
Signed-off-by: Wanpeng Li 
---
 arch/x86/kernel/kvm.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
index 77a0723..c5566d9 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -733,6 +733,11 @@ void __init kvm_spinlock_init(void)
if (!kvm_para_has_feature(KVM_FEATURE_PV_UNHALT))
return;
 
+   if (kvm_hint_has_feature(KVM_HINTS_DEDICATED)) {
+   static_branch_disable(_spin_lock_key);
+   return;
+   }
+
__pv_init_lock_hash();
pv_lock_ops.queued_spin_lock_slowpath = __pv_queued_spin_lock_slowpath;
pv_lock_ops.queued_spin_unlock = 
PV_CALLEE_SAVE(__pv_queued_spin_unlock);
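Review bot: The `KVM_HINTS_DEDICATED` check sits after the `!kvm_para_has_feature(KVM_FEATURE_PV_UNHALT)` early return, so a guest with the hint set but without PV_UNHALT never reaches `static_branch_disable()`. That does not match the table in the description, which says PV_DEDICATED = 1 selects qspinlock whatever PV_UNHALT is. Moving the added block above the PV_UNHALT test would make the code follow the description. kvm_spinlock_init() starts and ends outside the hunk, so whether anything earlier in the function already handles this case cannot be seen here.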
-- 
2.7.4



Re: Kconfig:12: can't open file "arch/powerpc64/Kconfig"

2018-02-10 Thread Masahiro Yamada
Hi test robot,


2018-02-11 12:41 GMT+09:00 kbuild test robot :
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
> master
> head:   d48fcbd864a008802a90c58a9ceddd9436d11a49
> commit: 9e3e10c725360b9d07018cfcd5b7b6b7d325fae5 kconfig: send error messages 
> to stderr
> date:   2 days ago
> config: powerpc64-defconfig
> compiler: powerpc64-linux-gcc (GCC) 7.2.0
> reproduce:
> wget 
> https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O 
> ~/bin/make.cross
> chmod +x ~/bin/make.cross
> git checkout 9e3e10c725360b9d07018cfcd5b7b6b7d325fae5
> make.cross ARCH=powerpc64  defconfig
> make.cross ARCH=powerpc64


I think this test setting is weird.

With the following error, it is pointless to test this.

>   Makefile:499: arch/powerpc64/Makefile: No such file or directory


arch/powerpc64/ does not exist in the first place.


If you really want to pass ARCH=powerpc64,
you need to add something like the following to the top-level Makefile
(but I doubt this is the right thing to do)

ifeq ($(ARCH),powerpc64)
   SRCARCH := powerpc
endif


Could you check your test setting, please?






> All errors (new ones prefixed by >>):
>
>Makefile:499: arch/powerpc64/Makefile: No such file or directory
>make[1]: *** No rule to make target 'arch/powerpc64/Makefile'.
>make[1]: Failed to remake makefile 'arch/powerpc64/Makefile'.
>>> Kconfig:12: can't open file "arch/powerpc64/Kconfig"
>make[2]: *** [defconfig] Error 1
>make[1]: *** [defconfig] Error 2
>make: *** [sub-make] Error 2
> --
>Makefile:499: arch/powerpc64/Makefile: No such file or directory
>make[1]: *** No rule to make target 'arch/powerpc64/Makefile'.
>make[1]: Failed to remake makefile 'arch/powerpc64/Makefile'.
>>> Kconfig:12: can't open file "arch/powerpc64/Kconfig"
>make[2]: *** [oldconfig] Error 1
>make[1]: *** [oldconfig] Error 2
>make: *** [sub-make] Error 2
> --
>Makefile:499: arch/powerpc64/Makefile: No such file or directory
>make[1]: *** No rule to make target 'arch/powerpc64/Makefile'.
>make[1]: Failed to remake makefile 'arch/powerpc64/Makefile'.
>>> Kconfig:12: can't open file "arch/powerpc64/Kconfig"
>make[2]: *** [olddefconfig] Error 1
>make[2]: Target 'oldnoconfig' not remade because of errors.
>make[1]: *** [oldnoconfig] Error 2
>make: *** [sub-make] Error 2
>
> vim +12 Kconfig
>
> 838a2e55 Arnaud Lacombe 2010-09-04   7
> 838a2e55 Arnaud Lacombe 2010-09-04   8  config SRCARCH
> 838a2e55 Arnaud Lacombe 2010-09-04   9  string
> 838a2e55 Arnaud Lacombe 2010-09-04  10  option env="SRCARCH"
> 838a2e55 Arnaud Lacombe 2010-09-04  11
> 838a2e55 Arnaud Lacombe 2010-09-04 @12  source "arch/$SRCARCH/Kconfig"
>
> :: The code at line 12 was first introduced by commit
> :: 838a2e55e6a4e9e8a10451ed2ef0f7a08dabdb04 kbuild: migrate all arch to 
> the kconfig mainmenu upgrade
>
> :: TO: Arnaud Lacombe 
> :: CC: Arnaud Lacombe 
>
> ---
> 0-DAY kernel test infrastructureOpen Source Technology Center
> https://lists.01.org/pipermail/kbuild-all   Intel Corporation



-- 
Best Regards
Masahiro Yamada


[PATCH 3.16 083/136] sctp: Fixup v4mapped behaviour to comply with Sock API

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jason Gunthorpe 

commit 299ee123e19889d511092347f5fc14db0f10e3a6 upstream.

The SCTP socket extensions API document describes the v4mapping option as
follows:

8.1.15.  Set/Clear IPv4 Mapped Addresses (SCTP_I_WANT_MAPPED_V4_ADDR)

   This socket option is a Boolean flag which turns on or off the
   mapping of IPv4 addresses.  If this option is turned on, then IPv4
   addresses will be mapped to V6 representation.  If this option is
   turned off, then no mapping will be done of V4 addresses and a user
   will receive both PF_INET6 and PF_INET type addresses on the socket.
   See [RFC3542] for more details on mapped V6 addresses.

This description isn't really in line with what the code does though.

Introduce addr_to_user (renamed addr_v4map), which should be called
before any sockaddr is passed back to user space. The new function
places the sockaddr into the correct format depending on the
SCTP_I_WANT_MAPPED_V4_ADDR option.

Audit all places that touched v4mapped and either sanely construct
a v4 or v6 address then call addr_to_user, or drop the
unnecessary v4mapped check entirely.

Audit all places that call addr_to_user and verify they are on a syscall
return path.

Add a custom getname that formats the address properly.

Several bugs are addressed:
 - SCTP_I_WANT_MAPPED_V4_ADDR=0 often returned garbage for
   addresses to user space
 - The addr_len returned from recvmsg was not correct when
   returning AF_INET on a v6 socket
 - flowlabel and scope_id were not zerod when promoting
   a v4 to v6
 - Some syscalls like bind and connect behaved differently
   depending on v4mapped

Tested bind, getpeername, getsockname, connect, and recvmsg for proper
behaviour in v4mapped = 1 and 0 cases.

Signed-off-by: Neil Horman 
Tested-by: Jason Gunthorpe 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 include/net/sctp/sctp.h|   2 +
 include/net/sctp/structs.h |   8 +--
 net/sctp/ipv6.c| 156 -
 net/sctp/protocol.c|  12 ++--
 net/sctp/socket.c  |  33 +-
 net/sctp/transport.c   |   4 +-
 net/sctp/ulpevent.c|   2 +-
 7 files changed, 112 insertions(+), 105 deletions(-)

--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -583,6 +583,8 @@ static inline void sctp_v6_map_v4(union
 static inline void sctp_v4_map_v6(union sctp_addr *addr)
 {
addr->v6.sin6_family = AF_INET6;
+   addr->v6.sin6_flowinfo = 0;
+   addr->v6.sin6_scope_id = 0;
addr->v6.sin6_port = addr->v4.sin_port;
addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
addr->v6.sin6_addr.s6_addr32[0] = 0;
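Review bot: The added `addr->v6.sin6_flowinfo = 0;` runs before `addr->v4.sin_addr.s_addr` is read two lines later, and both are members of the same union. With the usual sockaddr_in and sockaddr_in6 layouts, sin6_flowinfo occupies the same bytes as sin_addr, so the IPv4 address would be zeroed before it is copied into `s6_addr32[3]`; the definition of union sctp_addr is not in the hunk, so this should be checked against it. Reading the v4 fields first avoids the overlap: move `addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;` above the two new stores, after saving `addr->v4.sin_port` in a local. The rest of sctp_v4_map_v6() lies outside the hunk.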
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -465,10 +465,6 @@ struct sctp_af {
 int saddr);
void(*from_sk)  (union sctp_addr *,
 struct sock *sk);
-   void(*to_sk_saddr)  (union sctp_addr *,
-struct sock *sk);
-   void(*to_sk_daddr)  (union sctp_addr *,
-struct sock *sk);
void(*from_addr_param) (union sctp_addr *,
union sctp_addr_param *,
__be16 port, int iif);
@@ -509,7 +505,9 @@ struct sctp_pf {
int  (*supported_addrs)(const struct sctp_sock *, __be16 *);
struct sock *(*create_accept_sk) (struct sock *sk,
  struct sctp_association *asoc);
-   void (*addr_v4map) (struct sctp_sock *, union sctp_addr *);
+   int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
+   void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
+   void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
struct sctp_af *af;
 };
 
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -434,7 +434,7 @@ static void sctp_v6_from_sk(union sctp_a
 /* Initialize sk->sk_rcv_saddr from sctp_addr. */
 static void sctp_v6_to_sk_saddr(union sctp_addr *addr, struct sock *sk)
 {
-   if (addr->sa.sa_family == AF_INET && sctp_sk(sk)->v4mapped) {
+   if (addr->sa.sa_family == AF_INET) {
sk->sk_v6_rcv_saddr.s6_addr32[0] = 0;
sk->sk_v6_rcv_saddr.s6_addr32[1] = 0;
sk->sk_v6_rcv_saddr.s6_addr32[2] = htonl(0x);
@@ -448,7 +448,7 @@ static void sctp_v6_to_sk_saddr(union sc
 /* Initialize sk->sk_daddr from sctp_addr. */
 static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
 {
-   if (addr->sa.sa_family == AF_INET && 

[PATCH 3.16 088/136] KVM: vmx: Inject #GP on invalid PAT CR

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Nadav Amit 

commit 4566654bb9be9e8864df417bb72ceee5136b6a6a upstream.

Guest which sets the PAT CR to invalid value should get a #GP.  Currently, if
vmx supports loading PAT CR during entry, then the value is not checked.  This
patch makes the required check in that case.

Signed-off-by: Nadav Amit 
Signed-off-by: Paolo Bonzini 
Signed-off-by: Ben Hutchings 
---
 arch/x86/kvm/vmx.c | 2 ++
 arch/x86/kvm/x86.c | 5 +++--
 arch/x86/kvm/x86.h | 2 ++
 3 files changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2599,6 +2599,8 @@ static int vmx_set_msr(struct kvm_vcpu *
break;
case MSR_IA32_CR_PAT:
if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
+   if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
+   return 1;
vmcs_write64(GUEST_IA32_PAT, data);
vcpu->arch.pat = data;
break;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1742,7 +1742,7 @@ static bool valid_mtrr_type(unsigned t)
return t < 8 && (1 << t) & 0x73; /* 0, 1, 4, 5, 6 */
 }
 
-static bool mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+bool kvm_mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
int i;
 
@@ -1768,12 +1768,13 @@ static bool mtrr_valid(struct kvm_vcpu *
/* variable MTRRs */
return valid_mtrr_type(data & 0xff);
 }
+EXPORT_SYMBOL_GPL(kvm_mtrr_valid);
 
 static int set_msr_mtrr(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
u64 *p = (u64 *)>arch.mtrr_state.fixed_ranges;
 
-   if (!mtrr_valid(vcpu, msr, data))
+   if (!kvm_mtrr_valid(vcpu, msr, data))
return 1;
 
if (msr == MSR_MTRRdefType) {
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -132,6 +132,8 @@ int kvm_write_guest_virt_system(struct x
gva_t addr, void *val, unsigned int bytes,
struct x86_exception *exception);
 
+bool kvm_mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data);
+
 #define KVM_SUPPORTED_XCR0 (XSTATE_FP | XSTATE_SSE | XSTATE_YMM \
| XSTATE_BNDREGS | XSTATE_BNDCSR)
 extern u64 host_xcr0;



[PATCH 3.16 073/136] s390: fix transactional execution control register handling

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Heiko Carstens 

commit a1c5befc1c24eb9c1ee83f711e0f21ee79cbb556 upstream.

Dan Horák reported the following crash related to transactional execution:

User process fault: interruption code 0013 ilc:3 in 
libpthread-2.26.so[3ff93c0+1b000]
CPU: 2 PID: 1 Comm: /init Not tainted 4.13.4-300.fc27.s390x #1
Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
task: fafc8000 task.stack: fafc4000
User PSW : 070520018000 03ff93c14e70
   R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:2 PM:0 RI:0 EA:3
User GPRS: 0077 03ff 03ff93144d48 03ff93144d5e
    0002  03ff
    0418  03ffcc9fe770
   03ff93d28f50 03ff9310acf0 03ff92b0319a 03ffcc9fe6d0
User Code: 03ff93c14e62: 60e0b030std %f14,48(%r11)
   03ff93c14e66: 60f0b038std %f15,56(%r11)
  #03ff93c14e6a: e560ff0etbegin  0,65294
  >03ff93c14e70: a7740006brc 7,3ff93c14e7c
   03ff93c14e74: a708lhi %r0,0
   03ff93c14e78: a7f40023brc 15,3ff93c14ebe
   03ff93c14e7c: b222ipm %r0
   03ff93c14e80: 881csrl %r0,28

There are several bugs with control register handling with respect to
transactional execution:

- on task switch update_per_regs() is only called if the next task has
  an mm (is not a kernel thread). This however is incorrect. This
  breaks e.g. for user mode helper handling, where the kernel creates
  a kernel thread and then execve's a user space program. Control
  register contents related to transactional execution won't be
  updated on execve. If the previous task ran with transactional
  execution disabled then the new task will also run with
  transactional execution disabled, which is incorrect. Therefore call
  update_per_regs() unconditionally within switch_to().

- on startup the transactional execution facility is not enabled for
  the idle thread. This is not really a bug, but an inconsistency to
  other facilities. Therefore enable the facility if it is available.

- on fork the new thread's per_flags field is not cleared. This means
  that a child process inherits the PER_FLAG_NO_TE flag. This flag can
  be set with a ptrace request to disable transactional execution for
  the current process. It should not be inherited by new child
  processes in order to be consistent with the handling of all other
  PER related debugging options. Therefore clear the per_flags field in
  copy_thread_tls().

Reported-and-tested-by: Dan Horák 
Fixes: d35339a42dd1 ("s390: add support for transactional memory")
Cc: Martin Schwidefsky 
Reviewed-by: Christian Borntraeger 
Reviewed-by: Hendrik Brueckner 
Signed-off-by: Heiko Carstens 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 arch/s390/include/asm/switch_to.h | 2 +-
 arch/s390/kernel/early.c  | 4 +++-
 arch/s390/kernel/process.c| 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

--- a/arch/s390/include/asm/switch_to.h
+++ b/arch/s390/include/asm/switch_to.h
@@ -124,12 +124,12 @@ static inline void restore_access_regs(u
save_access_regs(>thread.acrs[0]);\
save_ri_cb(prev->thread.ri_cb); \
}   \
+   update_cr_regs(next);   \
if (next->mm) { \
restore_fp_ctl(>thread.fp_regs.fpc);  \
restore_fp_regs(next->thread.fp_regs.fprs); \
restore_access_regs(>thread.acrs[0]); \
restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb);  \
-   update_cr_regs(next);   \
}   \
prev = __switch_to(prev,next);  \
 } while (0)
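Review bot: Nothing at the moved `update_cr_regs(next);` line records why it must stay outside the `if (next->mm)` block, so a later cleanup could fold it back in and reintroduce the bug. Because a comment inside a backslash-continued macro body is awkward, I would put `/* update_cr_regs() must also run for kernel threads: a usermode helper execve()s from one */` directly above the macro definition. The commit message names `update_per_regs()` while this tree calls `update_cr_regs()`, presumably a naming difference in the backport. The macro starts outside the hunk.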
--- a/arch/s390/kernel/early.c
+++ b/arch/s390/kernel/early.c
@@ -388,8 +388,10 @@ static __init void detect_machine_facili
S390_lowcore.machine_flags |= MACHINE_FLAG_IDTE;
if (test_facility(40))
S390_lowcore.machine_flags |= MACHINE_FLAG_LPP;
-   if (test_facility(50) && test_facility(73))
+   if (test_facility(50) && test_facility(73)) {
S390_lowcore.machine_flags |= MACHINE_FLAG_TE;
+   __ctl_set_bit(0, 55);
+   }
if 

Re: [RFC PATCH 4/7] kconfig: support new special property shell=

2018-02-10 Thread Linus Torvalds
On Sat, Feb 10, 2018 at 8:13 PM, Kees Cook  wrote:
>
> It's been there since the very beginning when Arjan added it to
> validate that the compiler actually produces a stack protector when
> you give it -fstack-protector. Older gccs broke this entirely, more
> recent misconfigurations (as seen with some of Arnd's local gcc
> builds) did similar, and there have been regressions in some versions
> where gcc's x86 support flipped to the global canary instead of the
> %gs-offset canary.

Argh. I wanted to get rid of all that entirely, and simplify this all.
The mentioned script (and bugzilla) was from 2006, I assumed this was
all historical.

But if it has broken again since, I guess we need to have a silly script. Grr.

But yes, I also reacted to your earlier " It can't silently rewrite it
to _REGULAR because the compiler support for _STRONG regressed."
Because it damn well can. If the compiler doesn't support
-fstack-protector-strong, we can just fall back on -fstack-protector.
Silently. No extra crazy complex logic for that either.

 Linus


[PATCH 3.16 086/136] dm: discard support requires all targets in a table support discards

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mike Snitzer 

commit 8a74d29d541cd86569139c6f3f44b2d210458071 upstream.

A DM device with a mix of discard capabilities (due to some underlying
devices not having discard support) _should_ just return -EOPNOTSUPP for
the region of the device that doesn't support discards (even if only by
way of the underlying driver formally not supporting discards).  BUT,
that does ask the underlying driver to handle something that it never
advertised support for.  In doing so we're exposing users to the
potential for an underlying disk driver hanging if/when a discard is
issued to the device that is incapable and never claimed to support
discards.

Fix this by requiring that each DM target in a DM table provide discard
support as a prereq for a DM device to advertise support for discards.

This may cause some configurations that were happily supporting discards
(even in the face of a mix of discard support) to stop supporting
discards -- but the risk of users hitting driver hangs, and forced
reboots, outweighs supporting those fringe mixed discard
configurations.

Signed-off-by: Mike Snitzer 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 drivers/md/dm-table.c | 33 ++---
 1 file changed, 14 insertions(+), 19 deletions(-)

--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -1643,12 +1643,12 @@ void dm_table_run_md_queue_async(struct
 }
 EXPORT_SYMBOL(dm_table_run_md_queue_async);
 
-static int device_discard_capable(struct dm_target *ti, struct dm_dev *dev,
- sector_t start, sector_t len, void *data)
+static int device_not_discard_capable(struct dm_target *ti, struct dm_dev *dev,
+ sector_t start, sector_t len, void *data)
 {
struct request_queue *q = bdev_get_queue(dev->bdev);
 
-   return q && blk_queue_discard(q);
+   return q && !blk_queue_discard(q);
 }
 
 bool dm_table_supports_discards(struct dm_table *t)
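Review bot: With the predicate inverted, `return q && !blk_queue_discard(q);` in device_not_discard_capable() no longer counts a device whose `bdev_get_queue()` result is NULL as lacking discard support, so such a device does not stop the table from advertising discards. The old `q && blk_queue_discard(q)` treated a missing queue as incapable; to keep that meaning the negated form should be `return !q || !blk_queue_discard(q);`. Whether a NULL queue can occur at this point is not visible from the hunk.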
@@ -1656,26 +1656,22 @@ bool dm_table_supports_discards(struct d
struct dm_target *ti;
unsigned i = 0;
 
-   /*
-* Unless any target used by the table set discards_supported,
-* require at least one underlying device to support discards.
-* t->devices includes internal dm devices such as mirror logs
-* so we need to use iterate_devices here, which targets
-* supporting discard selectively must provide.
-*/
while (i < dm_table_get_num_targets(t)) {
ti = dm_table_get_target(t, i++);
 
if (!ti->num_discard_bios)
-   continue;
+   return false;
 
-   if (ti->discards_supported)
-   return 1;
-
-   if (ti->type->iterate_devices &&
-   ti->type->iterate_devices(ti, device_discard_capable, NULL))
-   return 1;
+   /*
+* Either the target provides discard support (as implied by 
setting
+* 'discards_supported') or it relies on _all_ data devices 
having
+* discard support.
+*/
+   if (!ti->discards_supported &&
+   (!ti->type->iterate_devices ||
+ti->type->iterate_devices(ti, device_not_discard_capable, 
NULL)))
+   return false;
}
 
-   return 0;
+   return true;
 }
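Review bot: dm_table_supports_discards() now ends in `return true;`, so a table for which the `while` loop never runs (zero targets) advertises discard support, where the old code returned 0. If an empty table can reach this function, an early `if (!dm_table_get_num_targets(t)) return false;` before the loop keeps the previous answer. If it cannot, a one-line comment saying so would help the next reader. The opening of the function is outside the hunk.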



[PATCH 3.16 102/136] ARM: 8721/1: mm: dump: check hardware RO bit for LPAE

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Philip Derrin 

commit 3b0c0c922ff4be275a8beb87ce5657d16f355b54 upstream.

When CONFIG_ARM_LPAE is set, the PMD dump relies on the software
read-only bit to determine whether a page is writable. This
concealed a bug which left the kernel text section writable
(AP2=0) while marked read-only in the software bit.

In a kernel with the AP2 bug, the dump looks like this:

---[ Kernel Mapping ]---
0xc000-0xc020   2M RW NX SHD
0xc020-0xc060   4M ro x  SHD
0xc060-0xc080   2M ro NX SHD
0xc080-0xc480  64M RW NX SHD

The fix is to check that the software and hardware bits are both
set before displaying "ro". The dump then shows the true perms:

---[ Kernel Mapping ]---
0xc000-0xc020   2M RW NX SHD
0xc020-0xc060   4M RW x  SHD
0xc060-0xc080   2M RW NX SHD
0xc080-0xc480  64M RW NX SHD

Fixes: ded947798469 ("ARM: 8109/1: mm: Modify pte_write and pmd_write logic for 
LPAE")
Signed-off-by: Philip Derrin 
Tested-by: Neil Dick 
Reviewed-by: Kees Cook 
Signed-off-by: Russell King 
Signed-off-by: Ben Hutchings 
---
 arch/arm/mm/dump.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/mm/dump.c
+++ b/arch/arm/mm/dump.c
@@ -126,8 +126,8 @@ static const struct prot_bits section_bi
.val= PMD_SECT_USER,
.set= "USR",
}, {
-   .mask   = L_PMD_SECT_RDONLY,
-   .val= L_PMD_SECT_RDONLY,
+   .mask   = L_PMD_SECT_RDONLY | PMD_SECT_AP2,
+   .val= L_PMD_SECT_RDONLY | PMD_SECT_AP2,
.set= "ro",
.clear  = "RW",
 #elif __LINUX_ARM_ARCH__ >= 6
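Review bot: The new `.mask`/`.val` pair for the "ro" entry has no comment explaining why two bits are tested, and that is the whole point of the fix. I would add `/* report "ro" only if the software bit and the hardware AP2 bit are both set */` above `.mask`, so the entry is not later simplified back to `L_PMD_SECT_RDONLY` alone. This dump is how kernel mapping permissions get audited, and the commit message shows a misleading "ro" hiding a writable text mapping. The array and the enclosing `#if` start outside the hunk.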



[PATCH 3.16 081/136] ocfs2: should wait dio before inode lock in ocfs2_setattr()

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: alex chen 

commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream.

We should wait for dio requests to finish before taking the inode lock in
ocfs2_setattr(); otherwise the following deadlock will happen:

process 1  process 2process 3
truncate file 'A'  end_io of writing file 'A'   receiving the bast 
messages
ocfs2_setattr
 ocfs2_inode_lock_tracker
  ocfs2_inode_lock_full
 inode_dio_wait
  __inode_dio_wait
  -->waiting for all dio
  requests finish
dlm_proxy_ast_handler
 dlm_do_local_bast
  ocfs2_blocking_ast
   
ocfs2_generic_handle_bast
set 
OCFS2_LOCK_BLOCKED flag
dio_end_io
 dio_bio_end_aio
  dio_complete
   ocfs2_dio_end_io
ocfs2_dio_end_io_write
 ocfs2_inode_lock
  __ocfs2_cluster_lock
   ocfs2_wait_for_mask
   -->waiting for OCFS2_LOCK_BLOCKED
   flag to be cleared, that is waiting
   for 'process 1' unlocking the inode lock
   inode_dio_end
   -->here dec the i_dio_count, but will never
   be called, so a deadlock happened.

Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com
Signed-off-by: Alex Chen 
Reviewed-by: Jun Piao 
Reviewed-by: Joseph Qi 
Acked-by: Changwei Ge 
Cc: Mark Fasheh 
Cc: Joel Becker 
Cc: Junxiao Bi 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Ben Hutchings 
---
 fs/ocfs2/file.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1152,6 +1152,13 @@ int ocfs2_setattr(struct dentry *dentry,
dquot_initialize(inode);
size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE;
if (size_change) {
+   /*
+* Here we should wait dio to finish before inode lock
+* to avoid a deadlock between ocfs2_setattr() and
+* ocfs2_dio_end_io_write()
+*/
+   inode_dio_wait(inode);
+
status = ocfs2_rw_lock(inode, 1);
if (status < 0) {
mlog_errno(status);
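Review bot: The added comment before `inode_dio_wait(inode);` says a deadlock is avoided but not which lock ordering causes it. A wording that records the ordering would be `/* Wait for in-flight direct I/O before taking the inode lock: ocfs2_dio_end_io_write() takes that lock on completion, so waiting while holding it can deadlock. */`. It is also worth confirming that no new direct I/O can be submitted between this wait and `ocfs2_rw_lock(inode, 1)`; the hunk does not show what excludes it. ocfs2_setattr() starts and ends outside the hunk.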
@@ -1171,8 +1178,6 @@ int ocfs2_setattr(struct dentry *dentry,
if (status)
goto bail_unlock;
 
-   inode_dio_wait(inode);
-
if (i_size_read(inode) >= attr->ia_size) {
if (ocfs2_should_order_data(inode)) {
status = ocfs2_begin_ordered_truncate(inode,



[PATCH 3.16 004/136] ipmi: fix unsigned long underflow

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Corey Minyard 

commit 392a17b10ec4320d3c0e96e2a23ebaad1123b989 upstream.

When I set the timeout to a specific value such as 500ms, the timeout
event will not happen in time due to the overflow in function
check_msg_timeout:
...
ent->timeout -= timeout_period;
if (ent->timeout > 0)
return;
...

The type of timeout_period is long, but ent->timeout is unsigned long.
This patch makes the type consistent.

Reported-by: Weilong Chen 
Signed-off-by: Corey Minyard 
Tested-by: Weilong Chen 
Signed-off-by: Ben Hutchings 
---
 drivers/char/ipmi/ipmi_msghandler.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -4007,7 +4007,8 @@ smi_from_recv_msg(ipmi_smi_t intf, struc
 }
 
 static void check_msg_timeout(ipmi_smi_t intf, struct seq_table *ent,
- struct list_head *timeouts, long timeout_period,
+ struct list_head *timeouts,
+ unsigned long timeout_period,
  int slot, unsigned long *flags,
  unsigned int *waiting_msgs)
 {
@@ -4020,8 +4021,8 @@ static void check_msg_timeout(ipmi_smi_t
if (!ent->inuse)
return;
 
-   ent->timeout -= timeout_period;
-   if (ent->timeout > 0) {
+   if (timeout_period < ent->timeout) {
+   ent->timeout -= timeout_period;
(*waiting_msgs)++;
return;
}
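Review bot: The reordered test `if (timeout_period < ent->timeout)` in check_msg_timeout() is what prevents the unsigned wrap, but nothing in the code says so. I would add `/* compare before subtracting: ent->timeout is unsigned and would wrap */` above it. Because `timeout_period` changes from `long` to `unsigned long` here and in ipmi_timeout_handler(), callers outside these hunks that could pass a negative value should be checked, since it would now become a very large period and expire every entry. The function body continues outside the hunk.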
@@ -4088,7 +4089,8 @@ static void check_msg_timeout(ipmi_smi_t
}
 }
 
-static unsigned int ipmi_timeout_handler(ipmi_smi_t intf, long timeout_period)
+static unsigned int ipmi_timeout_handler(ipmi_smi_t intf,
+unsigned long timeout_period)
 {
struct list_head timeouts;
struct ipmi_recv_msg *msg, *msg2;



[PATCH 3.16 121/136] ALSA: seq: Make ioctls race-free

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.

The ALSA sequencer ioctls have no protection against racy calls, and
concurrent operations may interfere with each other.  As
reported recently, for example, concurrent calls setting the client
pool in combination with write calls may lead to either an
unkillable deadlock or a UAF.

As a slightly big hammer solution, this patch introduces the mutex to
make each ioctl exclusive.  Although this may reduce performance via
parallel ioctl calls, usually it's not demanded for sequencer usages,
hence it should be negligible.

Reported-by: Luo Quan 
Reviewed-by: Kees Cook 
Reviewed-by: Greg Kroah-Hartman 
Signed-off-by: Takashi Iwai 
[bwh: Backported to 3.16: ioctl dispatch is done from snd_seq_do_ioctl();
 take the mutex and add ret variable there.]
Signed-off-by: Ben Hutchings 
---
 sound/core/seq/seq_clientmgr.c |   10 --
 sound/core/seq/seq_clientmgr.h |1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create
rwlock_init(>ports_lock);
mutex_init(>ports_mutex);
INIT_LIST_HEAD(>ports_list_head);
+   mutex_init(>ioctl_mutex);
 
/* find free slot in the client table */
spin_lock_irqsave(_lock, flags);
@@ -2200,6 +2201,7 @@ static int snd_seq_do_ioctl(struct snd_s
void __user *arg)
 {
struct seq_ioctl_table *p;
+   int ret;
 
switch (cmd) {
case SNDRV_SEQ_IOCTL_PVERSION:
@@ -2213,8 +2215,12 @@ static int snd_seq_do_ioctl(struct snd_s
if (! arg)
return -EFAULT;
for (p = ioctl_tables; p->cmd; p++) {
-   if (p->cmd == cmd)
-   return p->func(client, arg);
+   if (p->cmd == cmd) {
+   mutex_lock(>ioctl_mutex);
+   ret = p->func(client, arg);
+   mutex_unlock(>ioctl_mutex);
+   return ret;
+   }
}
pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
   cmd, _IOC_TYPE(cmd), _IOC_NR(cmd));
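Review bot: The new `ioctl_mutex` is taken only around `p->func(client, arg)` in snd_seq_do_ioctl(), so as far as these hunks show it serialises ioctls against each other but not against the write path, which the commit message names as the other half of the reported race. It is worth confirming that the write-side race is closed elsewhere. The new field in seq_clientmgr.h would also benefit from a comment such as `/* serialises the ioctl handlers of this client */`. The commands handled in the `switch` above the loop run without the mutex; their bodies are outside the hunk.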
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -59,6 +59,7 @@ struct snd_seq_client {
struct list_head ports_list_head;
rwlock_t ports_lock;
struct mutex ports_mutex;
+   struct mutex ioctl_mutex;
int convert32;  /* convert 32->64bit */
 
/* output pool */



[PATCH 3.16 011/136] iommu/vt-d: Don't register bus-notifier under dmar_global_lock

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Joerg Roedel 

commit ec154bf56b276a0bb36079a5d22a267b5f417801 upstream.

The notifier function will take the dmar_global_lock too, so
lockdep complains about inverse locking order when the
notifier is registered under the dmar_global_lock.

Reported-by: Jan Kiszka 
Fixes: 59ce0515cdaf ('iommu/vt-d: Update DRHD/RMRR/ATSR device scope caches 
when PCI hotplug happens')
Signed-off-by: Joerg Roedel 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 drivers/iommu/dmar.c|  7 +--
 drivers/iommu/intel-iommu.c | 10 ++
 include/linux/dmar.h|  1 +
 3 files changed, 16 insertions(+), 2 deletions(-)

--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -718,13 +718,16 @@ int __init dmar_dev_scope_init(void)
dmar_free_pci_notify_info(info);
}
}
-
-   bus_register_notifier(_bus_type, _pci_bus_nb);
}
 
return dmar_dev_scope_status;
 }
 
+void dmar_register_bus_notifier(void)
+{
+   bus_register_notifier(_bus_type, _pci_bus_nb);
+}
+
 
 int __init dmar_table_init(void)
 {
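Review bot: `dmar_register_bus_notifier()` is defined without `__init`, although the only caller shown in this patch, intel_iommu_init(), is `__init`, as are the neighbouring dmar_dev_scope_init() and dmar_table_init(). If there is no other caller it should read `void __init dmar_register_bus_notifier(void)`. The helper also discards the return value of `bus_register_notifier()`, as the removed line did; a short comment stating that failure is deliberately ignored would make that explicit.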
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -4044,6 +4044,16 @@ int __init intel_iommu_init(void)
goto out_free_dmar;
}
 
+   up_write(_global_lock);
+
+   /*
+* The bus notifier takes the dmar_global_lock, so lockdep will
+* complain later when we register it under the lock.
+*/
+   dmar_register_bus_notifier();
+
+   down_write(_global_lock);
+
if (no_iommu || dmar_disabled)
goto out_free_dmar;
 
--- a/include/linux/dmar.h
+++ b/include/linux/dmar.h
@@ -100,6 +100,7 @@ static inline bool dmar_rcu_check(void)
 
 extern int dmar_table_init(void);
 extern int dmar_dev_scope_init(void);
+extern void dmar_register_bus_notifier(void);
 extern int dmar_parse_dev_scope(void *start, void *end, int *cnt,
struct dmar_dev_scope **devices, u16 segment);
 extern void *dmar_alloc_dev_scope(void *start, void *end, int *cnt);



[PATCH 3.16 136/136] kaiser: Set _PAGE_NX only if supported

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Lepton Wu 

This finally resolves the crash when loaded under qemu + haxm. Haitao Shan pointed
out that the reason for that crash is that the NX bit gets set for page tables.
It seems we missed checking whether _PAGE_NX is supported in kaiser_add_user_map().

Link: https://www.spinics.net/lists/kernel/msg2689835.html

Reviewed-by: Guenter Roeck 
Signed-off-by: Lepton Wu 
Signed-off-by: Greg Kroah-Hartman 
(backported from Greg K-H's 4.4 stable-queue)
Signed-off-by: Juerg Haefliger 
Signed-off-by: Ben Hutchings 
---
 arch/x86/mm/kaiser.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c
index 2d5ac54dbcee..7cb57d14ddc0 100644
--- a/arch/x86/mm/kaiser.c
+++ b/arch/x86/mm/kaiser.c
@@ -195,6 +195,8 @@ static int kaiser_add_user_map(const void *__start_addr, 
unsigned long size,
 * requires that not to be #defined to 0): so mask it off here.
 */
flags &= ~_PAGE_GLOBAL;
+   if (!(__supported_pte_mask & _PAGE_NX))
+   flags &= ~_PAGE_NX;
 
for (; address < end_addr; address += PAGE_SIZE) {
target_address = get_pa_from_mapping(address);
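Review bot: The two added lines in kaiser_add_user_map() sit directly under a comment that only discusses `_PAGE_GLOBAL`, so the NX masking reads as part of that explanation. I would give it its own comment, for example `/* set NX only where __supported_pte_mask says it is available */`, since the commit message ties the crash to NX being set for page tables where it is not supported. The function continues outside the hunk.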



[PATCH 3.2 28/79] media: Don't do DMA on stack for firmware upload in the AS102 driver

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Michele Baldessari 

commit b3120d2cc447ee77b9d69bf4ad7b452c9adb4d39 upstream.

Firmware load on AS102 is using the stack which is not allowed any
longer. We currently fail with:

kernel: transfer buffer not dma capable
kernel: [ cut here ]
kernel: WARNING: CPU: 0 PID: 598 at drivers/usb/core/hcd.c:1595 
usb_hcd_map_urb_for_dma+0x41d/0x620
kernel: Modules linked in: amd64_edac_mod(-) edac_mce_amd as102_fe dvb_as102(+) 
kvm_amd kvm snd_hda_codec_realtek dvb_core snd_hda_codec_generic 
snd_hda_codec_hdmi snd_hda_intel snd_hda_codec irqbypass crct10dif_pclmul 
crc32_pclmul snd_hda_core snd_hwdep snd_seq ghash_clmulni_intel sp5100_tco 
fam15h_power wmi k10temp i2c_piix4 snd_seq_device snd_pcm snd_timer parport_pc 
parport tpm_infineon snd tpm_tis soundcore tpm_tis_core tpm shpchp acpi_cpufreq 
xfs libcrc32c amdgpu amdkfd amd_iommu_v2 radeon hid_logitech_hidpp i2c_algo_bit 
drm_kms_helper crc32c_intel ttm drm r8169 mii hid_logitech_dj
kernel: CPU: 0 PID: 598 Comm: systemd-udevd Not tainted 4.13.10-200.fc26.x86_64 
#1
kernel: Hardware name: ASUS All Series/AM1I-A, BIOS 0505 03/13/2014
kernel: task: 979933b24c80 task.stack: af83413a4000
kernel: RIP: 0010:usb_hcd_map_urb_for_dma+0x41d/0x620
systemd-fsck[659]: /dev/sda2: clean, 49/128016 files, 268609/512000 blocks
kernel: RSP: 0018:af83413a7728 EFLAGS: 00010282
systemd-udevd[604]: link_config: autonegotiation is unset or enabled, the speed 
and duplex are not writable.
kernel: RAX: 001f RBX: 979930bce780 RCX: 
kernel: RDX:  RSI: 97993ec0e118 RDI: 97993ec0e118
kernel: RBP: af83413a7768 R08: 039a R09: 
kernel: R10: 0001 R11:  R12: fff5
kernel: R13: 0140 R14: 0001 R15: 979930806800
kernel: FS:  7effaca5c8c0() GS:97993ec0() 
knlGS:
kernel: CS:  0010 DS:  ES:  CR0: 80050033
kernel: CR2: 7effa9fca962 CR3: 000233089000 CR4: 000406f0
kernel: Call Trace:
kernel:  usb_hcd_submit_urb+0x493/0xb40
kernel:  ? page_cache_tree_insert+0x100/0x100
kernel:  ? xfs_iunlock+0xd5/0x100 [xfs]
kernel:  ? xfs_file_buffered_aio_read+0x57/0xc0 [xfs]
kernel:  usb_submit_urb+0x22d/0x560
kernel:  usb_start_wait_urb+0x6e/0x180
kernel:  usb_bulk_msg+0xb8/0x160
kernel:  as102_send_ep1+0x49/0xe0 [dvb_as102]
kernel:  ? devres_add+0x3f/0x50
kernel:  as102_firmware_upload.isra.0+0x1dc/0x210 [dvb_as102]
kernel:  as102_fw_upload+0xb6/0x1f0 [dvb_as102]
kernel:  as102_dvb_register+0x2af/0x2d0 [dvb_as102]
kernel:  as102_usb_probe+0x1f3/0x260 [dvb_as102]
kernel:  usb_probe_interface+0x124/0x300
kernel:  driver_probe_device+0x2ff/0x450
kernel:  __driver_attach+0xa4/0xe0
kernel:  ? driver_probe_device+0x450/0x450
kernel:  bus_for_each_dev+0x6e/0xb0
kernel:  driver_attach+0x1e/0x20
kernel:  bus_add_driver+0x1c7/0x270
kernel:  driver_register+0x60/0xe0
kernel:  usb_register_driver+0x81/0x150
kernel:  ? 0xc0807000
kernel:  as102_usb_driver_init+0x1e/0x1000 [dvb_as102]
kernel:  do_one_initcall+0x50/0x190
kernel:  ? __vunmap+0x81/0xb0
kernel:  ? kfree+0x154/0x170
kernel:  ? kmem_cache_alloc_trace+0x15f/0x1c0
kernel:  ? do_init_module+0x27/0x1e9
kernel:  do_init_module+0x5f/0x1e9
kernel:  load_module+0x2602/0x2c30
kernel:  SYSC_init_module+0x170/0x1a0
kernel:  ? SYSC_init_module+0x170/0x1a0
kernel:  SyS_init_module+0xe/0x10
kernel:  do_syscall_64+0x67/0x140
kernel:  entry_SYSCALL64_slow_path+0x25/0x25
kernel: RIP: 0033:0x7effab6cf3ea
kernel: RSP: 002b:7fff5cfcbbc8 EFLAGS: 0246 ORIG_RAX: 00af
kernel: RAX: ffda RBX: 5569e0b83760 RCX: 7effab6cf3ea
kernel: RDX: 7effac2099c5 RSI: 9a13 RDI: 5569e0b98c50
kernel: RBP: 7effac2099c5 R08: 5569e0b83ed0 R09: 1d80
kernel: R10: 7effab98db00 R11: 0246 R12: 5569e0b98c50
kernel: R13: 5569e0b81c60 R14: 0002 R15: 5569dfadfdf7
kernel: Code: 48 39 c8 73 30 80 3d 59 60 9d 00 00 41 bc f5 ff ff ff 0f 85 26 ff 
ff ff 48 c7 c7 b8 6b d0 92 c6 05 3f 60 9d 00 01 e8 24 3d ad ff <0f> ff 8b 53 64 
e9 09 ff ff ff 65 48 8b 0c 25 00 d3 00 00 48 8b
kernel: ---[ end trace c4cae366180e70ec ]---
kernel: as10x_usb: error during firmware upload part1

Let's allocate the structure dynamically so we can get the firmware
loaded correctly:
[   14.243057] as10x_usb: firmware: as102_data1_st.hex loaded with success
[   14.500777] as10x_usb: firmware: as102_data2_st.hex loaded with success

Signed-off-by: Michele Baldessari 
Signed-off-by: Mauro Carvalho Chehab 
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings 
---
 drivers/staging/media/as102/as102_fw.c | 28 +---
 1 file changed, 17 

[PATCH 3.2 48/79] nfs: Fix ugly referral attributes

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Chuck Lever 

commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream.

Before traversing a referral and performing a mount, the mounted-on
directory looks strange:

dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31  1969 dir.0

nfs4_get_referral is wiping out any cached attributes with what was
returned via GETATTR(fs_locations), but the bit mask for that
operation does not request any file attributes.

Retrieve owner and timestamp information so that the memcpy in
nfs4_get_referral fills in more attributes.

Changes since v1:
- Don't request attributes that the client unconditionally replaces
- Request only MOUNTED_ON_FILEID or FILEID attribute, not both
- encode_fs_locations() doesn't use the third bitmask word

Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral")
Suggested-by: Pradeep Thomas 
Signed-off-by: Chuck Lever 
Signed-off-by: Anna Schumaker 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
 fs/nfs/nfs4proc.c | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -151,15 +151,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT
 };
 
 const u32 nfs4_fs_locations_bitmap[2] = {
-   FATTR4_WORD0_TYPE
-   | FATTR4_WORD0_CHANGE
+   FATTR4_WORD0_CHANGE
| FATTR4_WORD0_SIZE
| FATTR4_WORD0_FSID
| FATTR4_WORD0_FILEID
| FATTR4_WORD0_FS_LOCATIONS,
-   FATTR4_WORD1_MODE
-   | FATTR4_WORD1_NUMLINKS
-   | FATTR4_WORD1_OWNER
+   FATTR4_WORD1_OWNER
| FATTR4_WORD1_OWNER_GROUP
| FATTR4_WORD1_RAWDEV
| FATTR4_WORD1_SPACE_USED
@@ -4805,9 +4802,7 @@ int nfs4_proc_fs_locations(struct inode
struct nfs4_fs_locations *fs_locations, struct page *page)
 {
struct nfs_server *server = NFS_SERVER(dir);
-   u32 bitmask[2] = {
-   [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS,
-   };
+   u32 bitmask[2];
struct nfs4_fs_locations_arg args = {
.dir_fh = NFS_FH(dir),
.name = name,
@@ -4826,12 +4821,15 @@ int nfs4_proc_fs_locations(struct inode
 
dprintk("%s: start\n", __func__);
 
+   bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS;
+   bitmask[1] = nfs4_fattr_bitmap[1];
+
/* Ask for the fileid of the absent filesystem if mounted_on_fileid
 * is not supported */
if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)
-   bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID;
+   bitmask[0] &= ~FATTR4_WORD0_FILEID;
else
-   bitmask[0] |= FATTR4_WORD0_FILEID;
+   bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID;
 
nfs_fattr_init(_locations->fattr);
fs_locations->server = server;
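Review bot: The retained comment "Ask for the fileid of the absent filesystem if mounted_on_fileid is not supported" no longer matches the code under it, which now starts from `nfs4_fattr_bitmap` and clears one of the two bits instead of setting one. Something like `/* Request only one of FILEID and MOUNTED_ON_FILEID; prefer mounted_on_fileid when the server supports it */` would describe the new logic. The condition could also use the `server` local the function already declares: `if (server->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID)`. The requested bitmask is not visibly intersected with the server's `attr_bitmask`; whether that matters is decided outside the hunk.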



[PATCH 3.2 27/79] eCryptfs: use after free in ecryptfs_release_messaging()

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream.

We're freeing the list iterator so we should be using the _safe()
version of hlist_for_each_entry().

Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
Signed-off-by: Dan Carpenter 
Signed-off-by: Tyler Hicks 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -550,17 +550,17 @@ void ecryptfs_release_messaging(void)
mutex_unlock(_msg_ctx_lists_mux);
}
if (ecryptfs_daemon_hash) {
-   struct hlist_node *elem;
struct ecryptfs_daemon *daemon;
+   struct hlist_node *elem, *n;
int i;
 
mutex_lock(_daemon_hash_mux);
for (i = 0; i < (1 << ecryptfs_hash_bits); i++) {
int rc;
 
-   hlist_for_each_entry(daemon, elem,
-_daemon_hash[i],
-euid_chain) {
+   hlist_for_each_entry_safe(daemon, elem, n,
+ _daemon_hash[i],
+ euid_chain) {
rc = ecryptfs_exorcise_daemon(daemon);
if (rc)
printk(KERN_ERR "%s: Error whilst "



[PATCH 3.2 40/79] s390/disassembler: increase show_code buffer size

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Vasily Gorbik 

commit b192571d1ae375e0bbe0aa3ccfa1a3c3704454b9 upstream.

The current buffer size of 64 is too small. objdump shows that there are
instructions which would require a buffer of up to 75 bytes (with the current
formatting). 128 bytes "ought to be enough for anybody".

Also replaces 8 spaces with a single tab to reduce the memory footprint.

Fixes the following KASAN finding:

BUG: KASAN: stack-out-of-bounds in number+0x3fe/0x538
Write of size 1 at addr 5a4a75a0 by task bash/1282

CPU: 1 PID: 1282 Comm: bash Not tainted 4.14.0+ #215
Hardware name: IBM 2964 N96 702 (z/VM 6.4.0)
Call Trace:
([<0011eeb6>] show_stack+0x56/0x88)
 [<00e1ce1a>] dump_stack+0x15a/0x1b0
 [<004e2994>] print_address_description+0xf4/0x288
 [<004e2cf2>] kasan_report+0x13a/0x230
 [<00e38ae6>] number+0x3fe/0x538
 [<00e3dfe4>] vsnprintf+0x194/0x948
 [<00e3ea42>] sprintf+0xa2/0xb8
 [<001198dc>] print_insn+0x374/0x500
 [<00119346>] show_code+0x4ee/0x538
 [<0011f234>] show_registers+0x34c/0x388
 [<0011f2ae>] show_regs+0x3e/0xa8
 [<0011f502>] die+0x1ea/0x2e8
 [<00138f0e>] do_no_context+0x106/0x168
 [<00139a1a>] do_protection_exception+0x4da/0x7d0
 [<00e55914>] pgm_check_handler+0x16c/0x1c0
 [<0090639e>] sysrq_handle_crash+0x46/0x58
([<0007>] 0x7)
 [<009073fa>] __handle_sysrq+0x102/0x218
 [<00907c06>] write_sysrq_trigger+0xd6/0x100
 [<0061d67a>] proc_reg_write+0xb2/0x128
 [<00520be6>] __vfs_write+0xee/0x368
 [<00521222>] vfs_write+0x21a/0x278
 [<0052156a>] SyS_write+0xda/0x178
 [<00e555cc>] system_call+0xc4/0x270

The buggy address belongs to the page:
page:03d1016929c0 count:0 mapcount:0 mapping:  (null) index:0x0
flags: 0x0()
raw:    
raw: 0100 0200  
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 5a4a7480: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 5a4a7500: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
>5a4a7580: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
   ^
 5a4a7600: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8
 5a4a7680: f2 f2 f2 f2 f2 f2 f8 f8 f2 f2 f3 f3 f3 f3 00 00
==

Signed-off-by: Vasily Gorbik 
Signed-off-by: Martin Schwidefsky 
Signed-off-by: Ben Hutchings 
---
 arch/s390/kernel/dis.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/s390/kernel/dis.c
+++ b/arch/s390/kernel/dis.c
@@ -1542,7 +1542,7 @@ void show_code(struct pt_regs *regs)
 {
char *mode = (regs->psw.mask & PSW_MASK_PSTATE) ? "User" : "Krnl";
unsigned char code[64];
-   char buffer[64], *ptr;
+   char buffer[128], *ptr;
mm_segment_t old_fs;
unsigned long addr;
int start, end, opsize, hops, i;
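Review bot: Doubling `buffer` to 128 bytes removes the overflow KASAN reported, but writes into it are still unbounded: the next hunk shows `ptr += sprintf(ptr, ...)`, and the 75-byte worst case in the commit message is an estimate from objdump output, not something the code enforces. Bounding each write against the remaining space, e.g. `ptr += scnprintf(ptr, buffer + sizeof(buffer) - ptr, "\n\t  ");`, would turn a future miscalculation into truncation instead of a stack write. print_insn(), which the KASAN trace shows on the path that writes the buffer, would need a length argument for the same reason; it is outside the hunk.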
@@ -1600,7 +1600,7 @@ void show_code(struct pt_regs *regs)
start += opsize;
printk(buffer);
ptr = buffer;
-   ptr += sprintf(ptr, "\n  ");
+   ptr += sprintf(ptr, "\n\t  ");
hops++;
}
printk("\n");
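Review bot: The context line `printk(buffer);` passes the assembled disassembly text as the format string. s390 operands contain `%` (a crash dump quoted earlier on this page shows `%r11` and `%f14`), so any sequence printk recognises as a conversion would be expanded with no matching argument. `printk("%s", buffer);` prints the same text without interpreting it. The line is not changed by this commit, but the commit already touches the buffer handling around it. show_code() starts outside the hunk.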



[PATCH 3.2 34/79] dm: fix race between dm_get_from_kobject() and __dm_destroy()

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hou Tao 

commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream.

The following BUG_ON was hit when testing repeat creation and removal of
DM devices:

kernel BUG at drivers/md/dm.c:2919!
CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44
Call Trace:
 [] dm_get_from_kobject+0x34/0x3a
 [] dm_attr_show+0x2b/0x5e
 [] ? mutex_lock+0x26/0x44
 [] sysfs_kf_seq_show+0x83/0xcf
 [] kernfs_seq_show+0x23/0x25
 [] seq_read+0x16f/0x325
 [] kernfs_fop_read+0x3a/0x13f
 [] __vfs_read+0x26/0x9d
 [] ? security_file_permission+0x3c/0x44
 [] ? rw_verify_area+0x83/0xd9
 [] vfs_read+0x8f/0xcf
 [] ? __fdget_pos+0x12/0x41
 [] SyS_read+0x4b/0x76
 [] system_call_fastpath+0x12/0x71

The bug can be easily triggered, if an extra delay (e.g. 10ms) is added
between the test of DMF_FREEING & DMF_DELETING and dm_get() in
dm_get_from_kobject().

To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and
dm_get() are done in an atomic way, so _minor_lock is used.

The other callers of dm_get() have also been checked to be OK: some
callers invoke dm_get() under _minor_lock, some callers invoke it under
_hash_lock, and dm_start_request() invoke it after increasing
md->open_count.

Signed-off-by: Hou Tao 
Signed-off-by: Mike Snitzer 
Signed-off-by: Ben Hutchings 
---
 drivers/md/dm.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2685,11 +2685,15 @@ struct mapped_device *dm_get_from_kobjec
 
md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
 
-   if (test_bit(DMF_FREEING, >flags) ||
-   dm_deleting_md(md))
-   return NULL;
-
+   spin_lock(&_minor_lock);
+   if (test_bit(DMF_FREEING, >flags) || dm_deleting_md(md)) {
+   md = NULL;
+   goto out;
+   }
dm_get(md);
+out:
+   spin_unlock(&_minor_lock);
+
return md;
 }
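Review bot: The new `spin_lock(&_minor_lock)` in dm_get_from_kobject() has no comment saying what it protects, so the reason lives only in the commit message. A short comment above the lock would keep it from being dropped in a later cleanup: `/* _minor_lock makes the DMF_FREEING/DMF_DELETING test and dm_get() atomic against __dm_destroy() */`. The start of the function is outside the hunk.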
 



[PATCH 3.2 32/79] video: udlfb: Fix read EDID timeout

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ladislav Michl 

commit c98769475575c8a585f5b3952f4b5f90266f699b upstream.

While usb_control_msg function expects timeout in milliseconds, a value
of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error
message which looks like:
udlfb: Read EDID byte 78 failed err ff92
as error is either negative errno or number of bytes transferred, use %d
format specifier.

Returned EDID is in second byte, so return error when less than two bytes
are received.

Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support")
Signed-off-by: Ladislav Michl 
Cc: Bernie Thompson 
Signed-off-by: Bartlomiej Zolnierkiewicz 
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings 
---
 drivers/video/udlfb.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/video/udlfb.c
+++ b/drivers/video/udlfb.c
@@ -765,11 +765,11 @@ static int dlfb_get_edid(struct dlfb_dat
 
for (i = 0; i < len; i++) {
ret = usb_control_msg(dev->udev,
-   usb_rcvctrlpipe(dev->udev, 0), (0x02),
-   (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2,
-   HZ);
-   if (ret < 1) {
-   pr_err("Read EDID byte %d failed err %x\n", i, ret);
+ usb_rcvctrlpipe(dev->udev, 0), 0x02,
+ (0x80 | (0x02 << 5)), i << 8, 0xA1,
+ rbuf, 2, USB_CTRL_GET_TIMEOUT);
+   if (ret < 2) {
+   pr_err("Read EDID byte %d failed: %d\n", i, ret);
i--;
break;
}
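Review bot: With the check now `ret < 2`, a short read (`ret` of 0 or 1) is reported by `pr_err("Read EDID byte %d failed: %d\n", i, ret)` as if the byte count were an error code. Distinguishing the two cases would make the log unambiguous, for example `pr_err("Read EDID byte %d failed: %s %d\n", i, ret < 0 ? "err" : "short read", ret);`. The literals `0x02`, `(0x80 | (0x02 << 5))` and `0xA1` in the `usb_control_msg()` call would also read better as named constants. The loop body and dlfb_get_edid() continue outside the hunk.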



[PATCH 3.2 71/79] usbip: Fix sscanf handling

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alan 

commit 2d32927127f44d755780aa5fa88c8c34e72558f8 upstream.

Scan only to the length permitted by the buffer

One of a set of sscanf problems noted by Jackie Chang

Signed-off-by: Alan Cox 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/staging/usbip/userspace/libsrc/usbip_common.c | 2 +-
 drivers/staging/usbip/userspace/libsrc/vhci_driver.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/usbip/userspace/libsrc/usbip_common.c
+++ b/drivers/staging/usbip/userspace/libsrc/usbip_common.c
@@ -164,7 +164,7 @@ int read_attr_speed(struct sysfs_device
goto err;
}
 
-   ret = sscanf(attr->value, "%s\n", speed);
+   ret = sscanf(attr->value, "%99s\n", speed);
if (ret < 1) {
dbg("sscanf failed");
goto err;
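Review bot: The field widths `%99s` here and `%31s` in parse_status() (the vhci_driver.c hunk below) are literals that must be kept one less than the destination size by hand. The declaration of `speed` is outside this hunk, and `lbusid` is `char lbusid[SYSFS_BUS_ID_SIZE]`, so `31` silently assumes that constant is at least 32. A comment at each call tying the width to the buffer, e.g. `/* width must be sizeof(speed) - 1 */`, or, if the build allows C11, `_Static_assert(SYSFS_BUS_ID_SIZE >= 32, "lbusid too small for %31s");` next to the declaration, would catch a later resize. Both functions continue outside their hunks.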
--- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c
+++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c
@@ -66,7 +66,7 @@ static int parse_status(char *value)
unsigned long socket;
char lbusid[SYSFS_BUS_ID_SIZE];
 
-   ret = sscanf(c, "%d %d %d %x %lx %s\n",
+   ret = sscanf(c, "%d %d %d %x %lx %31s\n",
, , ,
, , lbusid);
 



[PATCH 3.2 42/79] sctp: fully initialize the IPv6 address in sctp_v6_to_addr()

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alexander Potapenko 

commit 15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d upstream.

KMSAN reported use of uninitialized sctp_addr->v4.sin_addr.s_addr and
sctp_addr->v6.sin6_scope_id in sctp_v6_cmp_addr() (see below).
Make sure all fields of an IPv6 address are initialized, which
guarantees that the IPv4 fields are also initialized.

==
 BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0
 net/sctp/ipv6.c:517
 CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
 01/01/2011
 Call Trace:
  dump_stack+0x172/0x1c0 lib/dump_stack.c:42
  is_logbuf_locked mm/kmsan/kmsan.c:59 [inline]
  kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938
  native_save_fl arch/x86/include/asm/irqflags.h:18 [inline]
  arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline]
  arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline]
  __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467
  sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517
  sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290
  sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
  sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651
  sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871
  inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
  sock_sendmsg_nosec net/socket.c:633 [inline]
  sock_sendmsg net/socket.c:643 [inline]
  SYSC_sendto+0x608/0x710 net/socket.c:1696
  SyS_sendto+0x8a/0xb0 net/socket.c:1664
  entry_SYSCALL_64_fastpath+0x13/0x94
 RIP: 0033:0x44b479
 RSP: 002b:7f6213f21c08 EFLAGS: 0286 ORIG_RAX: 002c
 RAX: ffda RBX: 2000 RCX: 0044b479
 RDX: 0041 RSI: 20edd000 RDI: 0006
 RBP: 007080a8 R08: 20b85fe4 R09: 001c
 R10: 00040005 R11: 0286 R12: 
 R13: 3760 R14: 006e5820 R15: 00ff8000
 origin description: dst_saddr@sctp_v6_get_dst
 local variable created at:
  sk_fullsock include/net/sock.h:2321 [inline]
  inet6_sk include/linux/ipv6.h:309 [inline]
  sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241
  sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
==
 BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0
 net/sctp/ipv6.c:517
 CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
 01/01/2011
 Call Trace:
  dump_stack+0x172/0x1c0 lib/dump_stack.c:42
  is_logbuf_locked mm/kmsan/kmsan.c:59 [inline]
  kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938
  native_save_fl arch/x86/include/asm/irqflags.h:18 [inline]
  arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline]
  arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline]
  __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467
  sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517
  sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290
  sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
  sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651
  sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871
  inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762
  sock_sendmsg_nosec net/socket.c:633 [inline]
  sock_sendmsg net/socket.c:643 [inline]
  SYSC_sendto+0x608/0x710 net/socket.c:1696
  SyS_sendto+0x8a/0xb0 net/socket.c:1664
  entry_SYSCALL_64_fastpath+0x13/0x94
 RIP: 0033:0x44b479
 RSP: 002b:7f6213f21c08 EFLAGS: 0286 ORIG_RAX: 002c
 RAX: ffda RBX: 2000 RCX: 0044b479
 RDX: 0041 RSI: 20edd000 RDI: 0006
 RBP: 007080a8 R08: 20b85fe4 R09: 001c
 R10: 00040005 R11: 0286 R12: 
 R13: 3760 R14: 006e5820 R15: 00ff8000
 origin description: dst_saddr@sctp_v6_get_dst
 local variable created at:
  sk_fullsock include/net/sock.h:2321 [inline]
  inet6_sk include/linux/ipv6.h:309 [inline]
  sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241
  sctp_transport_route+0x101/0x570 net/sctp/transport.c:292
==

Signed-off-by: Alexander Potapenko 
Reviewed-by: Xin Long 
Acked-by: Marcelo Ricardo Leitner 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/sctp/ipv6.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -487,7 +487,9 @@ static void sctp_v6_to_addr(union sctp_a
 {
addr->sa.sa_family = AF_INET6;
addr->v6.sin6_port = port;
+  

[PATCH 3.2 36/79] blktrace: fix unlocked access to init/start-stop/teardown

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jens Axboe 

commit 1f2cac107c591c24b60b115d6050adc213d10fc0 upstream.

sg.c calls into the blktrace functions without holding the proper queue
mutex for doing setup, start/stop, or teardown.

Add internal unlocked variants, and export the ones that do the proper
locking.

Fixes: 6da127ad0918 ("blktrace: Add blktrace ioctls to SCSI generic devices")
Tested-by: Dmitry Vyukov 
Signed-off-by: Jens Axboe 
Signed-off-by: Ben Hutchings 
---
 kernel/trace/blktrace.c | 58 -
 1 file changed, 48 insertions(+), 10 deletions(-)

--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -296,7 +296,7 @@ static void blk_trace_cleanup(struct blk
blk_unregister_tracepoints();
 }
 
-int blk_trace_remove(struct request_queue *q)
+static int __blk_trace_remove(struct request_queue *q)
 {
struct blk_trace *bt;
 
@@ -309,6 +309,17 @@ int blk_trace_remove(struct request_queu
 
return 0;
 }
+
+int blk_trace_remove(struct request_queue *q)
+{
+   int ret;
+
+   mutex_lock(>blk_trace_mutex);
+   ret = __blk_trace_remove(q);
+   mutex_unlock(>blk_trace_mutex);
+
+   return ret;
+}
 EXPORT_SYMBOL_GPL(blk_trace_remove);
 
 static int blk_dropped_open(struct inode *inode, struct file *filp)
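Review bot: Nothing in the code records that `__blk_trace_remove()`, and likewise `__blk_trace_setup()` and `__blk_trace_startstop()` in the later hunks, must be called with the queue's `blk_trace_mutex` held; the only hint is the double-underscore name. Adding `lockdep_assert_held(&q->blk_trace_mutex);` as the first statement of each helper would document the rule and check it on lockdep builds. This matters for blk_trace_ioctl(), which the later hunks switch to the unlocked helpers: the lock it takes around the `switch` lies outside those hunks, and the change is only correct if it is this same mutex. The helper bodies are outside the hunks as well.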
@@ -538,9 +549,8 @@ err:
return ret;
 }
 
-int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
-   struct block_device *bdev,
-   char __user *arg)
+static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+struct block_device *bdev, char __user *arg)
 {
struct blk_user_trace_setup buts;
int ret;
@@ -559,6 +569,19 @@ int blk_trace_setup(struct request_queue
}
return 0;
 }
+
+int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+   struct block_device *bdev,
+   char __user *arg)
+{
+   int ret;
+
+   mutex_lock(>blk_trace_mutex);
+   ret = __blk_trace_setup(q, name, dev, bdev, arg);
+   mutex_unlock(>blk_trace_mutex);
+
+   return ret;
+}
 EXPORT_SYMBOL_GPL(blk_trace_setup);
 
 #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64)
@@ -596,7 +619,7 @@ static int compat_blk_trace_setup(struct
 }
 #endif
 
-int blk_trace_startstop(struct request_queue *q, int start)
+static int __blk_trace_startstop(struct request_queue *q, int start)
 {
int ret;
struct blk_trace *bt = q->blk_trace;
@@ -629,6 +652,17 @@ int blk_trace_startstop(struct request_q
 
return ret;
 }
+
+int blk_trace_startstop(struct request_queue *q, int start)
+{
+   int ret;
+
+   mutex_lock(>blk_trace_mutex);
+   ret = __blk_trace_startstop(q, start);
+   mutex_unlock(>blk_trace_mutex);
+
+   return ret;
+}
 EXPORT_SYMBOL_GPL(blk_trace_startstop);
 
 /*
@@ -659,7 +693,7 @@ int blk_trace_ioctl(struct block_device
switch (cmd) {
case BLKTRACESETUP:
bdevname(bdev, b);
-   ret = blk_trace_setup(q, b, bdev->bd_dev, bdev, arg);
+   ret = __blk_trace_setup(q, b, bdev->bd_dev, bdev, arg);
break;
 #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64)
case BLKTRACESETUP32:
@@ -670,10 +704,10 @@ int blk_trace_ioctl(struct block_device
case BLKTRACESTART:
start = 1;
case BLKTRACESTOP:
-   ret = blk_trace_startstop(q, start);
+   ret = __blk_trace_startstop(q, start);
break;
case BLKTRACETEARDOWN:
-   ret = blk_trace_remove(q);
+   ret = __blk_trace_remove(q);
break;
default:
ret = -ENOTTY;
@@ -691,10 +725,14 @@ int blk_trace_ioctl(struct block_device
  **/
 void blk_trace_shutdown(struct request_queue *q)
 {
+   mutex_lock(>blk_trace_mutex);
+
if (q->blk_trace) {
-   blk_trace_startstop(q, 0);
-   blk_trace_remove(q);
+   __blk_trace_startstop(q, 0);
+   __blk_trace_remove(q);
}
+
+   mutex_unlock(>blk_trace_mutex);
 }
 
 /*



[PATCH 3.2 54/79] ALSA: timer: Remove kernel warning at compat ioctl error paths

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream.

Some timer compat ioctls have NULL checks of timer instance with
snd_BUG_ON() that bring up WARN_ON() when the debug option is set.
Actually the condition can be met in the normal situation and it's
confusing and bad to spew kernel warnings with stack trace there.
Let's remove snd_BUG_ON() invocation and replace with the simple
checks.  Also, correct the error code to EBADFD to follow the native
ioctl error handling.

Reported-by: syzbot 
Signed-off-by: Takashi Iwai 
Signed-off-by: Ben Hutchings 
---
 sound/core/timer_compat.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/sound/core/timer_compat.c
+++ b/sound/core/timer_compat.c
@@ -40,11 +40,11 @@ static int snd_timer_user_info_compat(st
struct snd_timer *t;
 
tu = file->private_data;
-   if (snd_BUG_ON(!tu->timeri))
-   return -ENXIO;
+   if (!tu->timeri)
+   return -EBADFD;
t = tu->timeri->timer;
-   if (snd_BUG_ON(!t))
-   return -ENXIO;
+   if (!t)
+   return -EBADFD;
memset(, 0, sizeof(info));
info.card = t->card ? t->card->number : -1;
if (t->hw.flags & SNDRV_TIMER_HW_SLAVE)
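Review bot: The two new `return -EBADFD;` checks in snd_timer_user_info_compat(), and the one in snd_timer_user_status_compat() in the next hunk, carry no comment saying that a NULL `tu->timeri` is a state that occurs in normal use rather than a driver bug. Without it the plain NULL tests invite someone to restore `snd_BUG_ON()`. A one-line comment above the first check, such as `/* NULL timeri can be reached in normal use, so no snd_BUG_ON() here */`, would carry the reasoning from the commit message into the code. Both function bodies continue outside the hunks.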
@@ -73,8 +73,8 @@ static int snd_timer_user_status_compat(
struct snd_timer_status32 status;

tu = file->private_data;
-   if (snd_BUG_ON(!tu->timeri))
-   return -ENXIO;
+   if (!tu->timeri)
+   return -EBADFD;
memset(, 0, sizeof(status));
status.tstamp.tv_sec = tu->tstamp.tv_sec;
status.tstamp.tv_nsec = tu->tstamp.tv_nsec;



[PATCH 3.2 00/79] 3.2.99-rc1 review

2018-02-10 Thread Ben Hutchings
This is the start of the stable review cycle for the 3.2.99 release.
There are 79 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Feb 13 12:00:00 UTC 2018.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.2.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-

Al Viro (2):
  autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race
 [4041bcdc7bef06a2fb29c57394c713a74bd13b08]
  autofs4: catatonic_mode vs. notify_daemon race
 [875266be67ff3a984ac1f6566d31c260bee4]

Alan (1):
  usbip: Fix sscanf handling
 [2d32927127f44d755780aa5fa88c8c34e72558f8]

Alan Stern (1):
  USB: usbfs: compute urb->actual_length for isochronous
 [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54]

Alex Chen (1):
  ocfs2: should wait dio before inode lock in ocfs2_setattr()
 [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300]

Alexander Potapenko (1):
  sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
 [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d]

Alexander Steffen (1):
  tpm-dev-common: Reject too short writes
 [ee70bc1e7b63ac8023c9ff9475d8741e397316e7]

Alexandre Belloni (1):
  rtc: set the alarm to the next expiring timer
 [74717b28cb32e1ad3c1042cafd76b264c8c0f68d]

Andreas Rohner (1):
  nilfs2: fix race condition that causes file system corruption
 [31ccb1f7ba3cfe29631587d451cf5bb8ab593550]

Arnd Bergmann (2):
  Input: adxl34x - do not treat FIFO_MODE() as boolean
 [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d]
  isofs: fix timestamps beyond 2027
 [34be4dbf87fc3e474a842305394534216d428f5d]

Bart Van Assche (1):
  IB/srp: Avoid that a cable pull can trigger a kernel crash
 [8a0d18c62121d3c554a83eb96e2752861d84d937]

Bart Westgeest (1):
  staging: usbip: removed #if 0'd out code
 [34c09578179f5838e5958c45e8aed4edc9c6c3b8]

Bernhard Rosenkraenzer (1):
  USB: Add delay-init quirk for Corsair K70 LUX keyboards
 [a0fea6027f19c62727315aba1a7fae75a9caa842]

Brent Taylor (1):
  mtd: nand: Fix writing mtdoops to nand flash.
 [30863e38ebeb500a31cecee8096fb5002677dd9b]

Chuck Lever (1):
  nfs: Fix ugly referral attributes
 [c05cefcc72416a37eba5a2b35f0704ed758a9145]

Colin Ian King (1):
  rtc: interface: ignore expired timers when enqueuing new timers
 [2b2f5ff00f63847d95adad6289bd8b05f5983dd5]

Dan Carpenter (2):
  eCryptfs: use after free in ecryptfs_release_messaging()
 [db86be3a12d0b6e5c5b51c2ab2a48f06329cb590]
  scsi: bfa: integer overflow in debugfs
 [3e351275655d3c84dc28abf170def9786db5176d]

Eric Biggers (1):
  dm bufio: fix integer overflow when limiting maximum cache size
 [74d4108d9e681dbbe4a2940ed8fdff1f6868184c]

Eric Dumazet (1):
  netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
 [2638fd0f92d4397884fd991d8f4925cb3f081901]

Eric W. Biederman (1):
  net/sctp: Always set scope_id in sctp_inet6_skb_msgname
 [7c8a61d9ee1df0fb4747879fa67a99614eb62fec]

Felipe Balbi (1):
  usb: add helper to extract bits 12:11 of wMaxPacketSize
 [541b6fe63023f3059cf85d47ff2767a3e42a8e44]

Gabriele Paoloni (1):
  PCI/AER: Report non-fatal errors only to the affected endpoint
 [86acc790717fb60fb51ea3095084e331d8711c74]

Guenter Roeck (1):
  kaiser: Set _PAGE_NX only if supported
 [61e9b3671007a5da8127955a1a3bda7e0d5f42e8]

Guillaume Nault (5):
  l2tp: don't register sessions in l2tp_session_create()
 [3953ae7b218df4d1e544b98a393666f9ae58a78c]
  l2tp: ensure sessions are freed after their PPPOL2TP socket
 [cdd10c9627496ad25c87ce6394e29752253c69d3]
  l2tp: initialise PPP sessions before registering them
 [f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c]
  l2tp: initialise l2tp_eth sessions before registering them
 [ee28de6bbd78c2e18111a0aef43ea746f28d2073]
  l2tp: protect sock pointer of struct pppol2tp_session with RCU
 [ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741]

Hou Tao (1):
  dm: fix race between dm_get_from_kobject() and __dm_destroy()
 [b9a41d21dceadf8104812626ef85dc56ee8a60ed]

Jan Harkes (1):
  coda: fix 'kernel memory exposure attempt' in fsync
 [d337b66a4c52c7b04eec661d86c2ef6e168965a2]

Jason Gunthorpe (1):
  sctp: Fixup v4mapped behaviour to comply with Sock API
 [299ee123e19889d511092347f5fc14db0f10e3a6]

Jens Axboe (1):
  blktrace: fix unlocked access to init/start-stop/teardown
 [1f2cac107c591c24b60b115d6050adc213d10fc0]

Johan Hovold (2):
  USB: serial: garmin_gps: fix I/O after failed probe and remove
 [19a565d9af6e0d828bd0d521d3bafd5017f4ce52]
 

[PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alexandre Belloni 

commit 74717b28cb32e1ad3c1042cafd76b264c8c0f68d upstream.

If there is any non expired timer in the queue, the RTC alarm is never set.
This is an issue when adding a timer that expires before the next non
expired timer.

Ensure the RTC alarm is set in that case.

Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new 
timers")
Signed-off-by: Alexandre Belloni 
[bwh: Backported to 3.2: open-code ktime_before()]
Signed-off-by: Ben Hutchings 
---
 drivers/rtc/interface.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -765,7 +765,7 @@ static int rtc_timer_enqueue(struct rtc_
}
 
timerqueue_add(>timerqueue, >node);
-   if (!next) {
+   if (!next || timer->node.expires.tv64 < next->expires.tv64) {
struct rtc_wkalrm alarm;
int err;
alarm.time = rtc_ktime_to_tm(timer->node.expires);
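Review bot: The new condition `!next || timer->node.expires.tv64 < next->expires.tv64` depends on `next` having been looked up before `timerqueue_add()`, which is not visible in this hunk and is easy to break by reordering. A comment above the `if` would make that explicit: `/* next: earliest pending timer found before the add; (re)arm if the new timer expires first */`. rtc_timer_enqueue() starts and ends outside the hunk.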



[PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream.

This patch fixes a RTC wakealarm issue, namely, the event fires during
hibernate and is not cleared from the list, causing hwclock to block.

The current enqueuing does not trigger an alarm if any expired timers
already exist on the timerqueue. This can occur when a RTC wake alarm
is used to wake a machine out of hibernate and the resumed state has
old expired timers that have not been removed from the timer queue.
This fix skips over any expired timers and triggers an alarm if there
are no pending timers on the timerqueue. Note that the skipped expired
timer will get reaped later on, so there is no need to clean it up
immediately.

The issue can be reproduced by putting a machine into hibernate and
waking it with the RTC wakealarm.  Running the example RTC test program
from tools/testing/selftests/timers/rtctest.c after the hibernate will
block indefinitely.  With the fix, it no longer blocks after the
hibernate resume.

BugLink: http://bugs.launchpad.net/bugs/1333569

Signed-off-by: Colin Ian King 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Ben Hutchings 
---
 drivers/rtc/interface.c | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -749,9 +749,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq);
  */
 static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer)
 {
+   struct timerqueue_node *next = timerqueue_getnext(>timerqueue);
+   struct rtc_time tm;
+   ktime_t now;
+
timer->enabled = 1;
+   __rtc_read_time(rtc, );
+   now = rtc_tm_to_ktime(tm);
+
+   /* Skip over expired timers */
+   while (next) {
+   if (next->expires.tv64 >= now.tv64)
+   break;
+   next = timerqueue_iterate_next(next);
+   }
+
timerqueue_add(>timerqueue, >node);
-   if (>node == timerqueue_getnext(>timerqueue)) {
+   if (!next) {
struct rtc_wkalrm alarm;
int err;
alarm.time = rtc_ktime_to_tm(timer->node.expires);
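Review bot: The return value of `__rtc_read_time()` is ignored in the added lines, so if the read fails `tm` may be left unset when `rtc_tm_to_ktime(tm)` runs, and the skip loop then compares against an arbitrary `now`. Checking it before `timer->enabled = 1;` keeps the timer state untouched on failure: `int ret = __rtc_read_time(rtc, &tm);` followed by `if (ret) return ret;`. The argument after `rtc,` is garbled in this archive copy and is taken to be `&tm`. The rest of rtc_timer_enqueue() is outside the hunk.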



[PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mohamed Ghannam 

commit 7d11f77f84b27cef452cee332f4e469503084737 upstream.

set rm->atomic.op_active to 0 when rds_pin_pages() fails
or the user supplied address is invalid,
this prevents a NULL pointer usage in rds_atomic_free_op()

Signed-off-by: Mohamed Ghannam 
Acked-by: Santosh Shilimkar 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 net/rds/rdma.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -855,6 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs,
 err:
if (page)
put_page(page);
+   rm->atomic.op_active = 0;
kfree(rm->atomic.op_notifier);
 
return ret;
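Review bot: After `kfree(rm->atomic.op_notifier);` the pointer is left dangling in `rm`, while the added line already treats this path as resetting the atomic op state. Adding `rm->atomic.op_notifier = NULL;` after the `kfree()` would make a later free or read of the notifier harmless. Whether any path still looks at it once `op_active` is 0 is not visible from this hunk. rds_cmsg_atomic() starts outside the hunk.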



[PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guenter Roeck 

This resolves a crash if loaded under qemu + haxm under windows.
See https://www.spinics.net/lists/kernel/msg2689835.html for details.
Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that
the same log is also seen with vanilla v4.4.110-rc1).

[0.712750] Freeing unused kernel memory: 552K
[0.721821] init: Corrupted page table at address 57b029b332e0
[0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067
[0.722761] Bad pagetable: 000b [#1] PREEMPT SMP
[0.722761] Modules linked in:
[0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 
8800bc28c000
[0.722761] RIP: 0010:[]  [] 
__clear_user+0x42/0x67
[0.722761] RSP: :8800bc28fcf8  EFLAGS: 00010202
[0.722761] RAX:  RBX: 01a4 RCX: 01a4
[0.722761] RDX:  RSI: 0008 RDI: 57b029b332e0
[0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000
[0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0
[0.722761] R13:  R14: 57b029b33340 R15: 8800bb1e2a00
[0.722761] FS:  () GS:8800bfb0() 
knlGS:
[0.722761] CS:  0010 DS:  ES:  CR0: 8005003b
[0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0
[0.722761] Stack:
[0.722761]  57b029b332e0 8800bb95fa80 8800bc28fd18 
83f4120c
[0.722761]  8800bc28fe18 83e9e7a1 8800bc28fd68 

[0.722761]  8800bc29 8800bc29 8800bc29 
8800bc29
[0.722761] Call Trace:
[0.722761]  [] clear_user+0x2e/0x30
[0.722761]  [] load_elf_binary+0xa7f/0x18f7
[0.722761]  [] search_binary_handler+0x86/0x19c
[0.722761]  [] do_execveat_common.isra.26+0x909/0xf98
[0.722761]  [] ? rest_init+0x87/0x87
[0.722761]  [] do_execve+0x23/0x25
[0.722761]  [] run_init_process+0x2b/0x2d
[0.722761]  [] kernel_init+0x6d/0xda
[0.722761]  [] ret_from_fork+0x3f/0x70
[0.722761]  [] ? rest_init+0x87/0x87
[0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1
eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17
48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff
[0.722761] RIP  [] __clear_user+0x42/0x67
[0.722761]  RSP 
[0.722761] ---[ end trace def703879b4ff090 ]---
[0.722761] BUG: sleeping function called from invalid context at 
/mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21
[0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init
[0.722761] CPU: 1 PID: 1 Comm: init Tainted: G  D 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761]  0086 dcb5d76098c89836 8800bc28fa30 
83f34004
[0.722761]  84839dc2 0015 8800bc28fa40 
83d57dc9
[0.722761]  8800bc28fa68 83d57e6a 84a53640 

[0.722761] Call Trace:
[0.722761]  [] dump_stack+0x4d/0x63
[0.722761]  [] ___might_sleep+0x13a/0x13c
[0.722761]  [] __might_sleep+0x9f/0xa6
[0.722761]  [] down_read+0x20/0x31
[0.722761]  [] __blocking_notifier_call_chain+0x35/0x63
[0.722761]  [] blocking_notifier_call_chain+0x14/0x16
[0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd
[0.722761]  [] profile_task_exit+0x1a/0x1c
[0.802309]  [] do_exit+0x39/0xe7f
[0.802309]  [] ? vprintk_default+0x1d/0x1f
[0.802309]  [] ? printk+0x57/0x73
[0.802309]  [] oops_end+0x80/0x85
[0.802309]  [] pgtable_bad+0x8a/0x95
[0.802309]  [] __do_page_fault+0x8c/0x352
[0.802309]  [] ? file_has_perm+0xc4/0xe5
[0.802309]  [] do_page_fault+0xc/0xe
[0.802309]  [] page_fault+0x22/0x30
[0.802309]  [] ? __clear_user+0x42/0x67
[0.802309]  [] ? __clear_user+0x23/0x67
[0.802309]  [] clear_user+0x2e/0x30
[0.802309]  [] load_elf_binary+0xa7f/0x18f7
[0.802309]  [] search_binary_handler+0x86/0x19c
[0.802309]  [] do_execveat_common.isra.26+0x909/0xf98
[0.802309]  [] ? rest_init+0x87/0x87
[0.802309]  [] do_execve+0x23/0x25
[0.802309]  [] run_init_process+0x2b/0x2d
[0.802309]  [] kernel_init+0x6d/0xda
[0.802309]  [] ret_from_fork+0x3f/0x70
[0.802309]  [] ? rest_init+0x87/0x87
[0.830559] Kernel panic - not syncing: Attempted to kill init!  
exitcode=0x0009
[0.830559]
[0.831305] Kernel Offset: 

[PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream.

This patch fixes the following kernel crash:

general protection fault:  [#1] PREEMPT SMP
Workqueue: ib_mad2 timeout_sends [ib_core]
Call Trace:
 ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core]
 send_handler+0xb2/0xd0 [ib_core]
 timeout_sends+0x14d/0x220 [ib_core]
 process_one_work+0x200/0x630
 worker_thread+0x4e/0x3b0
 kthread+0x113/0x150

Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Signed-off-by: Bart Van Assche 
Reviewed-by: Sagi Grimberg 
Signed-off-by: Doug Ledford 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -310,10 +310,19 @@ static void srp_path_rec_completion(int
 
 static int srp_lookup_path(struct srp_target_port *target)
 {
+   int ret = -ENODEV;
+
target->path.numb_path = 1;
 
init_completion(>done);
 
+   /*
+* Avoid that the SCSI host can be removed by srp_remove_target()
+* before srp_path_rec_completion() is called.
+*/
+   if (!scsi_host_get(target->scsi_host))
+   goto out;
+
target->path_query_id = ib_sa_path_rec_get(_sa_client,
   
target->srp_host->srp_dev->dev,
   target->srp_host->port,
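Review bot: `int ret = -ENODEV;` is set far from the only place that uses it, the `goto out` after a failed `scsi_host_get()`, and the `out:` label added in the next hunk does nothing but `return ret;`. Returning at the failure site, `if (!scsi_host_get(target->scsi_host)) return -ENODEV;`, drops the label and lets `ret` be declared without an initialiser, so a forgotten assignment on a later path shows up as a compiler warning. The `put:` label is still needed for the two paths that hold the host reference.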
@@ -327,16 +336,22 @@ static int srp_lookup_path(struct srp_ta
   GFP_KERNEL,
   srp_path_rec_completion,
   target, >path_query);
-   if (target->path_query_id < 0)
-   return target->path_query_id;
+   ret = target->path_query_id;
+   if (ret < 0)
+   goto put;
 
wait_for_completion(>done);
 
-   if (target->status < 0)
+   ret = target->status;
+   if (ret < 0)
shost_printk(KERN_WARNING, target->scsi_host,
 PFX "Path record query failed\n");
 
-   return target->status;
+put:
+   scsi_host_put(target->scsi_host);
+
+out:
+   return ret;
 }
 
 static int srp_send_req(struct srp_target_port *target)



[PATCH 3.16 028/136] net/9p: Switch to wait_event_killable()

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tuomas Tynkkynen 

commit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream.

Because userspace gets Very Unhappy when calls like stat() and execve()
return -EINTR on 9p filesystem mounts. For instance, when bash is
looking in PATH for things to execute and some SIGCHLD interrupts
stat(), bash can throw a spurious 'command not found' since it doesn't
retry the stat().

In practice, hitting the problem is rare and needs a really
slow/bogged down 9p server.

Signed-off-by: Tuomas Tynkkynen 
Signed-off-by: Al Viro 
[bwh: Backported to 3.16: drop changes in trans_xen.c]
Signed-off-by: Ben Hutchings 
---
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -753,8 +753,7 @@ p9_client_rpc(struct p9_client *c, int8_
}
 again:
/* Wait for the response */
-   err = wait_event_interruptible(*req->wq,
-  req->status >= REQ_STATUS_RCVD);
+   err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
 
/*
 * Make sure our req is coherent with regard to updates in other
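Review bot: None of the five `wait_event_killable()` call sites (this one in p9_client_rpc() and the four in trans_virtio.c below) says why the wait is killable rather than interruptible, so the choice looks arbitrary next to the unchanged `err == -ERESTARTSYS` handling. A comment at this call, e.g. `/* killable, not interruptible: -EINTR from stat()/execve() on a non-fatal signal confuses userspace */`, would carry the rationale from the commit message into the code. The function bodies extend beyond the hunks.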
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -292,8 +292,8 @@ req_retry:
if (err == -ENOSPC) {
chan->ring_bufs_avail = 0;
spin_unlock_irqrestore(>lock, flags);
-   err = wait_event_interruptible(*chan->vc_wq,
-   chan->ring_bufs_avail);
+   err = wait_event_killable(*chan->vc_wq,
+ chan->ring_bufs_avail);
if (err  == -ERESTARTSYS)
return err;
 
@@ -324,7 +324,7 @@ static int p9_get_mapped_pages(struct vi
 * Other zc request to finish here
 */
if (atomic_read(_pinned) >= chan->p9_max_pages) {
-   err = wait_event_interruptible(vp_wq,
+   err = wait_event_killable(vp_wq,
  (atomic_read(_pinned) < chan->p9_max_pages));
if (err == -ERESTARTSYS)
return err;
@@ -454,8 +454,8 @@ req_retry_pinned:
if (err == -ENOSPC) {
chan->ring_bufs_avail = 0;
spin_unlock_irqrestore(>lock, flags);
-   err = wait_event_interruptible(*chan->vc_wq,
-  chan->ring_bufs_avail);
+   err = wait_event_killable(*chan->vc_wq,
+ chan->ring_bufs_avail);
if (err  == -ERESTARTSYS)
goto err_out;
 
@@ -472,8 +472,7 @@ req_retry_pinned:
virtqueue_kick(chan->vq);
spin_unlock_irqrestore(>lock, flags);
p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n");
-   err = wait_event_interruptible(*req->wq,
-  req->status >= REQ_STATUS_RCVD);
+   err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD);
/*
 * Non kernel buffers are pinned, unpin them
 */



[PATCH 3.16 034/136] l2tp: initialise l2tp_eth sessions before registering them

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream.

Sessions must be initialised before being made externally visible by
l2tp_session_register(). Otherwise the session may be concurrently
deleted before being initialised, which can confuse the deletion path
and eventually lead to kernel oops.

Therefore, we need to move l2tp_session_register() down in
l2tp_eth_create(), but also handle the intermediate step where only the
session or the netdevice has been registered.

We can't just call l2tp_session_register() in ->ndo_init() because
we'd have no way to properly undo this operation in ->ndo_uninit().
Instead, let's register the session and the netdevice in two different
steps and protect the session's device pointer with RCU.

And now that we allow the session's .dev field to be NULL, we don't
need to prevent the netdevice from being removed anymore. So we can
drop the dev_hold() and dev_put() calls in l2tp_eth_create() and
l2tp_eth_dev_uninit().

Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support")
Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16:
 - Update another 'goto out' in l2tp_eth_create()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -51,7 +51,7 @@ struct l2tp_eth {
 
 /* via l2tp_session_priv() */
 struct l2tp_eth_sess {
-   struct net_device   *dev;
+   struct net_device __rcu *dev;
 };
 
 
@@ -69,7 +69,14 @@ static int l2tp_eth_dev_init(struct net_
 
 static void l2tp_eth_dev_uninit(struct net_device *dev)
 {
-   dev_put(dev);
+   struct l2tp_eth *priv = netdev_priv(dev);
+   struct l2tp_eth_sess *spriv;
+
+   spriv = l2tp_session_priv(priv->session);
+   RCU_INIT_POINTER(spriv->dev, NULL);
+   /* No need for synchronize_net() here. We're called by
+* unregister_netdev*(), which does the synchronisation for us.
+*/
 }
 
 static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
@@ -123,8 +130,8 @@ static void l2tp_eth_dev_setup(struct ne
 static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff 
*skb, int data_len)
 {
struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-   struct net_device *dev = spriv->dev;
-   struct l2tp_eth *priv = netdev_priv(dev);
+   struct net_device *dev;
+   struct l2tp_eth *priv;
 
if (session->debug & L2TP_MSG_DATA) {
unsigned int length;
@@ -148,16 +155,25 @@ static void l2tp_eth_dev_recv(struct l2t
skb_dst_drop(skb);
nf_reset(skb);
 
+   rcu_read_lock();
+   dev = rcu_dereference(spriv->dev);
+   if (!dev)
+   goto error_rcu;
+
+   priv = netdev_priv(dev);
if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
atomic_long_inc(>rx_packets);
atomic_long_add(data_len, >rx_bytes);
} else {
atomic_long_inc(>rx_errors);
}
+   rcu_read_unlock();
+
return;
 
+error_rcu:
+   rcu_read_unlock();
 error:
-   atomic_long_inc(>rx_errors);
kfree_skb(skb);
 }
 
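Review bot: Packets dropped through `error:` and the new `error_rcu:` label are no longer counted anywhere in this hunk, because the `rx_errors` increment was removed once `priv` became unknown until after the RCU dereference. Frames discarded while the netdevice is absent, which is the window this fix deals with, therefore leave no trace in the interface statistics. Consider recording the drop on a counter that does not need `dev` (a per-session error counter, if the session structure in this tree has one), or at least add `/* dev may be gone: drop is deliberately not counted */` at `error:`. The function starts before this hunk, so the earlier `goto error` sites are not visible here.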
@@ -168,11 +184,15 @@ static void l2tp_eth_delete(struct l2tp_
 
if (session) {
spriv = l2tp_session_priv(session);
-   dev = spriv->dev;
+
+   rtnl_lock();
+   dev = rtnl_dereference(spriv->dev);
if (dev) {
-   unregister_netdev(dev);
-   spriv->dev = NULL;
+   unregister_netdevice(dev);
+   rtnl_unlock();
module_put(THIS_MODULE);
+   } else {
+   rtnl_unlock();
}
}
 }
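Review bot: Nothing in this block says why RTNL must be held to read `spriv->dev`, and `rtnl_unlock()` is duplicated in both branches, apparently so that `module_put()` runs outside the lock. A short comment above `rtnl_lock()` would make the invariant explicit, e.g. `/* spriv->dev is cleared by ->ndo_uninit() under RTNL; hold it so dev stays valid until unregister_netdevice() */`. The function begins before this hunk.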
@@ -182,9 +202,20 @@ static void l2tp_eth_show(struct seq_fil
 {
struct l2tp_session *session = arg;
struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
-   struct net_device *dev = spriv->dev;
+   struct net_device *dev;
+
+   rcu_read_lock();
+   dev = rcu_dereference(spriv->dev);
+   if (!dev) {
+   rcu_read_unlock();
+   return;
+   }
+   dev_hold(dev);
+   rcu_read_unlock();
 
seq_printf(m, "   interface %s\n", dev->name);
+
+   dev_put(dev);
 }
 #endif
 
@@ -204,7 +235,7 @@ static int l2tp_eth_create(struct net *n
if (dev) {
dev_put(dev);
rc = -EEXIST;
-   goto out;
+   goto err;
}
strlcpy(name, cfg->ifname, IFNAMSIZ);
} else
@@ -214,20 +245,13 @@ static int l2tp_eth_create(struct net *n
  peer_session_id, cfg);
if (IS_ERR(session)) {
   

[PATCH 3.16 020/136] elf_fdpic: fix unused variable warning

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 11e3e8d6d9274bf630859b4c47bc4e4d76f289db upstream.

The elf_fdpic code shows a harmless warning when built with MMU disabled,
I ran into this now that fdpic is available on ARM randconfig builds
since commit 50b2b2e691cd ("ARM: add ELF_FDPIC support").

fs/binfmt_elf_fdpic.c: In function 'elf_fdpic_dump_segments':
fs/binfmt_elf_fdpic.c:1501:17: error: unused variable 'addr' 
[-Werror=unused-variable]

This adds another #ifdef around the variable declaration to shut up
the warning.

Fixes: e6c1baa9b562 ("convert the rest of binfmt_elf_fdpic to dump_emit()")
Acked-by: Nicolas Pitre 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Al Viro 
Signed-off-by: Ben Hutchings 
---
 fs/binfmt_elf_fdpic.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -1487,7 +1487,9 @@ static bool elf_fdpic_dump_segments(stru
struct vm_area_struct *vma;
 
for (vma = current->mm->mmap; vma; vma = vma->vm_next) {
+#ifdef CONFIG_MMU
unsigned long addr;
+#endif
 
if (!maydump(vma, cprm->mm_flags))
continue;



[PATCH 3.16 060/136] ACPI / APEI: Replace ioremap_page_range() with fixmap

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: James Morse 

commit 4f89fa286f6729312e227e7c2d764e8e7b9d340e upstream.

Replace ghes_io{re,un}map_pfn_{nmi,irq}()'s use of ioremap_page_range()
with __set_fixmap() as ioremap_page_range() may sleep to allocate a new
level of page-table, even if it's passed an existing final-address to
use in the mapping.

The GHES driver can only be enabled for architectures that select
HAVE_ACPI_APEI: Add fixmap entries to both x86 and arm64.

clear_fixmap() does the TLB invalidation in __set_fixmap() for arm64
and __set_pte_vaddr() for x86. In each case its the same as the
respective arch_apei_flush_tlb_one().

Reported-by: Fengguang Wu 
Suggested-by: Linus Torvalds 
Signed-off-by: James Morse 
Reviewed-by: Borislav Petkov 
Tested-by: Tyler Baicar 
Tested-by: Toshi Kani 
[ For the arm64 bits: ]
Acked-by: Will Deacon 
[ For the x86 bits: ]
Acked-by: Ingo Molnar 
Signed-off-by: Rafael J. Wysocki 
[bwh: Backported to 3.16:
 - Drop arm64 changes; ghes is x86-only here
 - Don't use page or prot variables in ghes_ioremap_fn_{nmi,irq}()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/arch/x86/include/asm/fixmap.h
+++ b/arch/x86/include/asm/fixmap.h
@@ -103,6 +103,12 @@ enum fixed_addresses {
 #ifdef CONFIG_X86_INTEL_MID
FIX_LNW_VRTC,
 #endif
+#ifdef CONFIG_ACPI_APEI_GHES
+   /* Used for GHES mapping from assorted contexts */
+   FIX_APEI_GHES_IRQ,
+   FIX_APEI_GHES_NMI,
+#endif
+
__end_of_permanent_fixed_addresses,
 
/*
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -49,6 +49,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -110,7 +111,7 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock
  * Because the memory area used to transfer hardware error information
  * from BIOS to Linux can be determined only in NMI, IRQ or timer
  * handler, but general ioremap can not be used in atomic context, so
- * a special version of atomic ioremap is implemented for that.
+ * the fixmap is used instead.
  */
 
 /*
@@ -124,8 +125,8 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock
 /* virtual memory area for atomic ioremap */
 static struct vm_struct *ghes_ioremap_area;
 /*
- * These 2 spinlock is used to prevent atomic ioremap virtual memory
- * area from being mapped simultaneously.
+ * These 2 spinlocks are used to prevent the fixmap entries from being used
+ * simultaneously.
  */
 static DEFINE_RAW_SPINLOCK(ghes_ioremap_lock_nmi);
 static DEFINE_SPINLOCK(ghes_ioremap_lock_irq);
@@ -165,44 +166,26 @@ static void ghes_ioremap_exit(void)
 
 static void __iomem *ghes_ioremap_pfn_nmi(u64 pfn)
 {
-   unsigned long vaddr;
+   __set_fixmap(FIX_APEI_GHES_NMI, pfn << PAGE_SHIFT, PAGE_KERNEL);
 
-   vaddr = (unsigned long)GHES_IOREMAP_NMI_PAGE(ghes_ioremap_area->addr);
-   ioremap_page_range(vaddr, vaddr + PAGE_SIZE,
-  pfn << PAGE_SHIFT, PAGE_KERNEL);
-
-   return (void __iomem *)vaddr;
+   return (void __iomem *) fix_to_virt(FIX_APEI_GHES_NMI);
 }
 
 static void __iomem *ghes_ioremap_pfn_irq(u64 pfn)
 {
-   unsigned long vaddr;
-
-   vaddr = (unsigned long)GHES_IOREMAP_IRQ_PAGE(ghes_ioremap_area->addr);
-   ioremap_page_range(vaddr, vaddr + PAGE_SIZE,
-  pfn << PAGE_SHIFT, PAGE_KERNEL);
+   __set_fixmap(FIX_APEI_GHES_IRQ, pfn << PAGE_SHIFT, PAGE_KERNEL);
 
-   return (void __iomem *)vaddr;
+   return (void __iomem *) fix_to_virt(FIX_APEI_GHES_IRQ);
 }
 
-static void ghes_iounmap_nmi(void __iomem *vaddr_ptr)
+static void ghes_iounmap_nmi(void)
 {
-   unsigned long vaddr = (unsigned long __force)vaddr_ptr;
-   void *base = ghes_ioremap_area->addr;
-
-   BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_NMI_PAGE(base));
-   unmap_kernel_range_noflush(vaddr, PAGE_SIZE);
-   __flush_tlb_one(vaddr);
+   clear_fixmap(FIX_APEI_GHES_NMI);
 }
 
-static void ghes_iounmap_irq(void __iomem *vaddr_ptr)
+static void ghes_iounmap_irq(void)
 {
-   unsigned long vaddr = (unsigned long __force)vaddr_ptr;
-   void *base = ghes_ioremap_area->addr;
-
-   BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_IRQ_PAGE(base));
-   unmap_kernel_range_noflush(vaddr, PAGE_SIZE);
-   __flush_tlb_one(vaddr);
+   clear_fixmap(FIX_APEI_GHES_IRQ);
 }
 
 static int ghes_estatus_pool_init(void)
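Review bot: None of the four rewritten helpers references `ghes_ioremap_area` any more, yet the previous hunk keeps its declaration under the comment "virtual memory area for atomic ioremap" and this hunk's header shows `ghes_ioremap_exit()` is still present. If no user remains outside these hunks, the reserved VM area and its init/exit code are dead, and the retained comment now describes a mechanism that is no longer used. Either remove them in this patch or add a note such as `/* unused since the switch to fixmap; removed in a follow-up */` on the declaration. The unmap helpers also lose the `BUG_ON()` address check, so correct pairing now rests entirely on the two ioremap spinlocks.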
@@ -341,10 +324,10 @@ static void ghes_copy_tofrom_phys(void *
paddr += trunk;
buffer += trunk;
if (in_nmi) {
-   ghes_iounmap_nmi(vaddr);
+   ghes_iounmap_nmi();
raw_spin_unlock(_ioremap_lock_nmi);
} else {
- 

[PATCH 3.16 067/136] ima: fix hash algorithm initialization

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Boshi Wang 

commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee upstream.

The hash_setup function always sets the hash_setup_done flag, even
when the hash algorithm is invalid.  This prevents the default hash
algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used.

This patch sets hash_setup_done flag only for valid hash algorithms.

Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash
algorithms"
Signed-off-by: Boshi Wang 
Signed-off-by: Mimi Zohar 
Signed-off-by: Ben Hutchings 
---
 security/integrity/ima/ima_main.c | 4 
 1 file changed, 4 insertions(+)

--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -52,6 +52,8 @@ static int __init hash_setup(char *str)
ima_hash_algo = HASH_ALGO_SHA1;
else if (strncmp(str, "md5", 3) == 0)
ima_hash_algo = HASH_ALGO_MD5;
+   else
+   return 1;
goto out;
}
 
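Review bot: Both new `return 1;` paths (the `else` branch here and the `i == HASH_ALGO__LAST` check in the next hunk) discard an unrecognised hash name without logging anything, so a mistyped boot parameter silently leaves the build-time default in force. On an integrity-measurement system the administrator should be told that the requested algorithm was not applied; add a message before each return, e.g. `pr_err("invalid hash algorithm \"%s\"\n", str);`. The function body starts before this hunk.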
@@ -61,6 +63,8 @@ static int __init hash_setup(char *str)
break;
}
}
+   if (i == HASH_ALGO__LAST)
+   return 1;
 out:
hash_setup_done = 1;
return 1;



[PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tom Parkin 

commit cf2f5c886a209377daefd5d2ba0bcd49c3887813 upstream.

If userspace deletes a ppp pseudowire using the netlink API, either by
directly deleting the session or by deleting the tunnel that contains the
session, we need to tear down the corresponding pppox channel.

Rather than trying to manage two pppox unbind codepaths, switch the netlink
and l2tp_core session_close handlers to close via the l2tp_ppp socket
.release handler.

Signed-off-by: Tom Parkin 
Signed-off-by: James Chapman 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_ppp.c | 53 ++---
 1 file changed, 10 insertions(+), 43 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -95,6 +95,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -460,34 +461,16 @@ static void pppol2tp_session_close(struc
 {
struct pppol2tp_session *ps = l2tp_session_priv(session);
struct sock *sk = ps->sock;
-   struct sk_buff *skb;
+   struct socket *sock = sk->sk_socket;
 
BUG_ON(session->magic != L2TP_SESSION_MAGIC);
 
-   if (session->session_id == 0)
-   goto out;
-
-   if (sk != NULL) {
-   lock_sock(sk);
-
-   if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) {
-   pppox_unbind_sock(sk);
-   sk->sk_state = PPPOX_DEAD;
-   sk->sk_state_change(sk);
-   }
-
-   /* Purge any queued data */
-   skb_queue_purge(>sk_receive_queue);
-   skb_queue_purge(>sk_write_queue);
-   while ((skb = skb_dequeue(>reorder_q))) {
-   kfree_skb(skb);
-   sock_put(sk);
-   }
 
-   release_sock(sk);
+   if (sock) {
+   inet_shutdown(sock, 2);
+   /* Don't let the session go away before our socket does */
+   l2tp_session_inc_refcount(session);
}
-
-out:
return;
 }
 
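Review bot: `struct socket *sock = sk->sk_socket;` dereferences `sk` unconditionally, whereas the code removed just below guarded every use with `if (sk != NULL)`. If `ps->sock` can still be NULL when this callback runs (its callers are outside the hunk), this becomes a NULL pointer dereference on the session teardown path; initialise it as `struct socket *sock = sk ? sk->sk_socket : NULL;` or add a comment stating why `sk` cannot be NULL here. The literal `2` passed to `inet_shutdown()` would also read better as `SHUT_RDWR`.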
@@ -538,16 +521,12 @@ static int pppol2tp_release(struct socke
session = pppol2tp_sock_to_session(sk);
 
/* Purge any queued data */
-   skb_queue_purge(>sk_receive_queue);
-   skb_queue_purge(>sk_write_queue);
if (session != NULL) {
-   struct sk_buff *skb;
-   while ((skb = skb_dequeue(>reorder_q))) {
-   kfree_skb(skb);
-   sock_put(sk);
-   }
+   l2tp_session_queue_purge(session);
sock_put(sk);
}
+   skb_queue_purge(>sk_receive_queue);
+   skb_queue_purge(>sk_write_queue);
 
release_sock(sk);
 
@@ -872,18 +851,6 @@ out:
return error;
 }
 
-/* Called when deleting sessions via the netlink interface.
- */
-static int pppol2tp_session_delete(struct l2tp_session *session)
-{
-   struct pppol2tp_session *ps = l2tp_session_priv(session);
-
-   if (ps->sock == NULL)
-   l2tp_session_dec_refcount(session);
-
-   return 0;
-}
-
 #endif /* CONFIG_L2TP_V3 */
 
 /* getname() support.
@@ -1801,7 +1768,7 @@ static const struct pppox_proto pppol2tp
 
 static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = {
.session_create = pppol2tp_session_create,
-   .session_delete = pppol2tp_session_delete,
+   .session_delete = l2tp_session_delete,
 };
 
 #endif /* CONFIG_L2TP_V3 */



[PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream.

If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session
right after pppol2tp_release() orphaned its socket, then the 'sock'
variable of the pppol2tp_session_close() callback is NULL. Yet the
session is still used by pppol2tp_release().

Therefore we need to take an extra reference in any case, to prevent
l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session.

Since the pppol2tp_session_close() callback is only set if the session
is associated with a PPPOL2TP socket and both l2tp_tunnel_delete()
and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling
pppol2tp_session_close(), we're sure that pppol2tp_session_close() and
pppol2tp_session_destruct() are paired and called in the right order.
So the reference taken by the former will be released by the latter.

Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_ppp.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -466,11 +466,11 @@ static void pppol2tp_session_close(struc
BUG_ON(session->magic != L2TP_SESSION_MAGIC);
 
 
-   if (sock) {
+   if (sock)
inet_shutdown(sock, 2);
-   /* Don't let the session go away before our socket does */
-   l2tp_session_inc_refcount(session);
-   }
+
+   /* Don't let the session go away before our socket does */
+   l2tp_session_inc_refcount(session);
return;
 }
 
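Review bot: The comment above the now-unconditional `l2tp_session_inc_refcount(session)` does not say where the reference is dropped, and nothing in this hunk shows it. The commit message states that pppol2tp_session_destruct() releases it, so record that at the call site, e.g. `/* Hold the session until the socket is destroyed; released in pppol2tp_session_destruct() */`. Because the increment no longer depends on `sock`, a second invocation of this callback for the same session would leak a reference; whether that can happen is not visible from here.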



[PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Tom Parkin 

commit 48f72f92b31431c40279b0fba6c5588e07e67d95 upstream.

If an l2tp session is deleted, it is necessary to delete skbs in-flight
on the session's reorder queue before taking it down.

Rather than having each pseudowire implementation reaching into the
l2tp_session struct to handle this itself, provide a function in l2tp_core to
purge the session queue.

Signed-off-by: Tom Parkin 
Signed-off-by: James Chapman 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: use non-atomic increment on rx_errors]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_core.c | 17 +
 net/l2tp/l2tp_core.h |  1 +
 2 files changed, 18 insertions(+)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -830,6 +830,23 @@ discard:
 }
 EXPORT_SYMBOL(l2tp_recv_common);
 
+/* Drop skbs from the session's reorder_q
+ */
+int l2tp_session_queue_purge(struct l2tp_session *session)
+{
+   struct sk_buff *skb = NULL;
+   BUG_ON(!session);
+   BUG_ON(session->magic != L2TP_SESSION_MAGIC);
+   while ((skb = skb_dequeue(>reorder_q))) {
+   session->stats.rx_errors++;
+   kfree_skb(skb);
+   if (session->deref)
+   (*session->deref)(session);
+   }
+   return 0;
+}
+EXPORT_SYMBOL_GPL(l2tp_session_queue_purge);
+
 /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame
  * here. The skb is not on a list when we get here.
  * Returns 0 if the packet was a data packet and was successfully passed on.
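Review bot: The header comment on `l2tp_session_queue_purge()` says only that skbs are dropped, but the body also counts each one in `session->stats.rx_errors` and calls the session's `deref` callback per skb, which matters to anyone auditing reference counts. The function is declared `int` yet can only return 0. Document both, e.g. `/* Drop every skb on the session's reorder_q; each is counted as an rx error and passed to ->deref(). Always returns 0. */`, or make the return type `void`. A blank line after the `skb` declaration would match kernel style.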
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -249,6 +249,7 @@ extern struct l2tp_session *l2tp_session
 extern int l2tp_session_delete(struct l2tp_session *session);
 extern void l2tp_session_free(struct l2tp_session *session);
 extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff 
*skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int 
(*payload_hook)(struct sk_buff *skb));
+extern int l2tp_session_queue_purge(struct l2tp_session *session);
 extern int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb);
 
 extern int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, 
int hdr_len);



drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit declaration of function 'cmpxchg64'; did you mean 'cmpxchg'?

2018-02-10 Thread kbuild test robot
Hi Alice,

FYI, the error/warning still remains.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   d48fcbd864a008802a90c58a9ceddd9436d11a49
commit: 60f481b9703867330dc6010868054f68f6d52f7a i40e: change flags to use 64 
bits
date:   2 weeks ago
config: mips-allyesconfig (attached as .config)
compiler: mips-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0
reproduce:
wget 
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O 
~/bin/make.cross
chmod +x ~/bin/make.cross
git checkout 60f481b9703867330dc6010868054f68f6d52f7a
# save the attached .config to linux build tree
make.cross ARCH=mips 

All errors (new ones prefixed by >>):

   drivers/net/ethernet/intel/i40e/i40e_ethtool.c: In function 
'i40e_set_priv_flags':
>> drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit 
>> declaration of function 'cmpxchg64'; did you mean 'cmpxchg'? 
>> [-Werror=implicit-function-declaration]
 if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) {
 ^
 cmpxchg
   cc1: some warnings being treated as errors

vim +4326 drivers/net/ethernet/intel/i40e/i40e_ethtool.c

  4258  
  4259  /**
  4260   * i40e_set_priv_flags - set private flags
  4261   * @dev: network interface device structure
  4262   * @flags: bit flags to be set
  4263   **/
  4264  static int i40e_set_priv_flags(struct net_device *dev, u32 flags)
  4265  {
  4266  struct i40e_netdev_priv *np = netdev_priv(dev);
  4267  struct i40e_vsi *vsi = np->vsi;
  4268  struct i40e_pf *pf = vsi->back;
  4269  u64 orig_flags, new_flags, changed_flags;
  4270  u32 i, j;
  4271  
  4272  orig_flags = READ_ONCE(pf->flags);
  4273  new_flags = orig_flags;
  4274  
  4275  for (i = 0; i < I40E_PRIV_FLAGS_STR_LEN; i++) {
  4276  const struct i40e_priv_flags *priv_flags;
  4277  
  4278  priv_flags = _gstrings_priv_flags[i];
  4279  
  4280  if (flags & BIT(i))
  4281  new_flags |= priv_flags->flag;
  4282  else
  4283  new_flags &= ~(priv_flags->flag);
  4284  
  4285  /* If this is a read-only flag, it can't be changed */
  4286  if (priv_flags->read_only &&
  4287  ((orig_flags ^ new_flags) & ~BIT(i)))
  4288  return -EOPNOTSUPP;
  4289  }
  4290  
  4291  if (pf->hw.pf_id != 0)
  4292  goto flags_complete;
  4293  
  4294  for (j = 0; j < I40E_GL_PRIV_FLAGS_STR_LEN; j++) {
  4295  const struct i40e_priv_flags *priv_flags;
  4296  
  4297  priv_flags = _gl_gstrings_priv_flags[j];
  4298  
  4299  if (flags & BIT(i + j))
  4300  new_flags |= priv_flags->flag;
  4301  else
  4302  new_flags &= ~(priv_flags->flag);
  4303  
  4304  /* If this is a read-only flag, it can't be changed */
  4305  if (priv_flags->read_only &&
  4306  ((orig_flags ^ new_flags) & ~BIT(i)))
  4307  return -EOPNOTSUPP;
  4308  }
  4309  
  4310  flags_complete:
  4311  /* Before we finalize any flag changes, we need to perform some
  4312   * checks to ensure that the changes are supported and safe.
  4313   */
  4314  
  4315  /* ATR eviction is not supported on all devices */
  4316  if ((new_flags & I40E_FLAG_HW_ATR_EVICT_ENABLED) &&
  4317  !(pf->hw_features & I40E_HW_ATR_EVICT_CAPABLE))
  4318  return -EOPNOTSUPP;
  4319  
  4320  /* Compare and exchange the new flags into place. If we failed, 
that
  4321   * is if cmpxchg returns anything but the old value, this means 
that
  4322   * something else has modified the flags variable since we 
copied it
  4323   * originally. We'll just punt with an error and log something 
in the
  4324   * message buffer.
  4325   */
> 4326  if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) 
> {
  4327  dev_warn(>pdev->dev,
  4328   "Unable to update pf->flags as it was modified 
by another thread...\n");
  4329  return -EAGAIN;
  4330  }
  4331  
  4332  changed_flags = orig_flags ^ new_flags;
  4333  
  4334  /* Process any additional changes needed as a result of flag 
changes.
  4335   * The changed_flags value reflects the list of bits that were
  4336   * changed in the code above.
  4337   */
  4338  
  4339  /* Flush current ATR settings if ATR was disabled */
  4340  if ((changed_flags & I40E_FLAG_FD_ATR_ENABLED) &&
  4341  !(pf->flags & I40E_FLAG_FD_ATR_ENABLED)) {
  4342 

Re: [PATCH 2/2] xen: xenbus: WARN_ON XS_TRANSACTION_{START,END} misuse

2018-02-10 Thread Simon Gaiser
Boris Ostrovsky:
> On 02/07/2018 05:22 PM, Simon Gaiser wrote:
>> +users_old = xs_state_users;
>>   xs_state_users--;
>>   if ((req->type == XS_TRANSACTION_START && req->msg.type == XS_ERROR) ||
>>   req->type == XS_TRANSACTION_END)
>>   xs_state_users--;
>> +if (WARN_ON(xs_state_users > users_old))
> 
> 
> WARN_ON_ONCE()?

Since we "fix" the wrong decrement by clamping at zero it should not
happen immediately again. But if you prefer _ONCE I can change it.





[RFC PATCH v15 0/6] mm: security: ro protection for dynamic data

2018-02-10 Thread Igor Stoppa
This patch-set introduces the possibility of protecting memory that has
been allocated dynamically.

The memory is managed in pools: when a memory pool is turned R/O,
all the memory that is part of it becomes R/O.

A R/O pool can be destroyed, to recover its memory, but it cannot be
turned back into R/W mode.

This is intentional. This feature is meant for data that doesn't need
further modifications after initialization.

However the data might need to be released, for example as part of module
unloading.
To do this, the memory must first be freed, then the pool can be destroyed.

An example is provided, in the form of self-testing.

Changes since v14:
[http://www.openwall.com/lists/kernel-hardening/2018/02/04/2]

- fix various warnings from sparse
- multiline comments
- fix naming of headers guards
- fix compilation of individual patches, for bisect
- split genalloc documentation about bitmap for allocation
- fix headers to match kerneldoc format for "Return:" field
- fix variable naming according to coding guidelines
- fix wrong default value for pmalloc Kconfig option
- refreshed integration of pmalloc with hardened usercopy
- removed unnecessary include that was causing compilation failures
- changed license of pmalloc documentation from GPL 2.0 to CC-BY-SA-4.0

Igor Stoppa (6):
  genalloc: track beginning of allocations
  genalloc: selftest
  struct page: add field for vm_struct
  Protectable Memory
  Pmalloc: self-test
  Documentation for Pmalloc

 Documentation/core-api/index.rst   |   1 +
 Documentation/core-api/pmalloc.rst | 114 
 include/linux/genalloc-selftest.h  |  26 ++
 include/linux/genalloc.h   |   7 +-
 include/linux/mm_types.h   |   1 +
 include/linux/pmalloc.h| 222 +++
 include/linux/vmalloc.h|   1 +
 init/main.c|   2 +
 lib/Kconfig|  15 +
 lib/Makefile   |   1 +
 lib/genalloc-selftest.c| 400 ++
 lib/genalloc.c | 554 +++--
 mm/Kconfig |  15 +
 mm/Makefile|   2 +
 mm/pmalloc-selftest.c  |  63 +
 mm/pmalloc-selftest.h  |  24 ++
 mm/pmalloc.c   | 499 +
 mm/usercopy.c  |  33 +++
 mm/vmalloc.c   |  18 +-
 19 files changed, 1852 insertions(+), 146 deletions(-)
 create mode 100644 Documentation/core-api/pmalloc.rst
 create mode 100644 include/linux/genalloc-selftest.h
 create mode 100644 include/linux/pmalloc.h
 create mode 100644 lib/genalloc-selftest.c
 create mode 100644 mm/pmalloc-selftest.c
 create mode 100644 mm/pmalloc-selftest.h
 create mode 100644 mm/pmalloc.c

-- 
2.14.1



arch/microblaze/lib/fastcopy.S:33:2: error: #error Microblaze LE not support ASM optimized lib func. Disable OPT_LIB_ASM.

2018-02-10 Thread kbuild test robot
Hi Arnd,

FYI, the error/warning still remains.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   d48fcbd864a008802a90c58a9ceddd9436d11a49
commit: 71e7673dadfdae0605d4c1f66ecb4b045c79fe0f microblaze: fix endian handling
date:   4 weeks ago
config: microblaze-mmu_defconfig (attached as .config)
compiler: microblaze-linux-gcc (GCC) 7.2.0
reproduce:
wget 
https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O 
~/bin/make.cross
chmod +x ~/bin/make.cross
git checkout 71e7673dadfdae0605d4c1f66ecb4b045c79fe0f
# save the attached .config to linux build tree
make.cross ARCH=microblaze 

All errors (new ones prefixed by >>):

>> arch/microblaze/lib/fastcopy.S:33:2: error: #error Microblaze LE not support 
>> ASM optimized lib func. Disable OPT_LIB_ASM.
#error Microblaze LE not support ASM optimized lib func. Disable 
OPT_LIB_ASM.
 ^

vim +33 arch/microblaze/lib/fastcopy.S

de93c3c1 Michal Simek 2011-01-28 @33  #error Microblaze LE not support ASM 
optimized lib func. Disable OPT_LIB_ASM.
de93c3c1 Michal Simek 2011-01-28  34  #endif
de93c3c1 Michal Simek 2011-01-28  35  

:: The code at line 33 was first introduced by commit
:: de93c3c119382cb888ca8a94b642dbcf8035525e microblaze: Fix ASM optimized 
code for LE

:: TO: Michal Simek 
:: CC: Michal Simek 

---
0-DAY kernel test infrastructureOpen Source Technology Center
https://lists.01.org/pipermail/kbuild-all   Intel Corporation


.config.gz
Description: application/gzip


[PATCH 3.16 074/136] dm: fix race between dm_get_from_kobject() and __dm_destroy()

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Hou Tao 

commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream.

The following BUG_ON was hit when testing repeat creation and removal of
DM devices:

kernel BUG at drivers/md/dm.c:2919!
CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44
Call Trace:
 [] dm_get_from_kobject+0x34/0x3a
 [] dm_attr_show+0x2b/0x5e
 [] ? mutex_lock+0x26/0x44
 [] sysfs_kf_seq_show+0x83/0xcf
 [] kernfs_seq_show+0x23/0x25
 [] seq_read+0x16f/0x325
 [] kernfs_fop_read+0x3a/0x13f
 [] __vfs_read+0x26/0x9d
 [] ? security_file_permission+0x3c/0x44
 [] ? rw_verify_area+0x83/0xd9
 [] vfs_read+0x8f/0xcf
 [] ? __fdget_pos+0x12/0x41
 [] SyS_read+0x4b/0x76
 [] system_call_fastpath+0x12/0x71

The bug can be easily triggered, if an extra delay (e.g. 10ms) is added
between the test of DMF_FREEING & DMF_DELETING and dm_get() in
dm_get_from_kobject().

To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and
dm_get() are done in an atomic way, so _minor_lock is used.

The other callers of dm_get() have also been checked to be OK: some
callers invoke dm_get() under _minor_lock, some callers invoke it under
_hash_lock, and dm_start_request() invokes it after increasing
md->open_count.

Signed-off-by: Hou Tao 
Signed-off-by: Mike Snitzer 
Signed-off-by: Ben Hutchings 
---
 drivers/md/dm.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2912,11 +2912,15 @@ struct mapped_device *dm_get_from_kobjec
 
md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
 
-   if (test_bit(DMF_FREEING, >flags) ||
-   dm_deleting_md(md))
-   return NULL;
-
+   spin_lock(&_minor_lock);
+   if (test_bit(DMF_FREEING, >flags) || dm_deleting_md(md)) {
+   md = NULL;
+   goto out;
+   }
dm_get(md);
+out:
+   spin_unlock(&_minor_lock);
+
return md;
 }
 
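Review bot: Nothing at the new `spin_lock(&_minor_lock)` explains why `_minor_lock` is the lock taken here, and the reason is only recoverable from the commit message. Add a comment above it such as `/* _minor_lock makes the DMF_FREEING/DMF_DELETING test and dm_get() atomic against __dm_destroy() */`, so the check and the reference grab are not separated again by a later cleanup. The function starts before this hunk.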



[PATCH 3.16 076/136] blktrace: fix unlocked access to init/start-stop/teardown

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jens Axboe 

commit 1f2cac107c591c24b60b115d6050adc213d10fc0 upstream.

sg.c calls into the blktrace functions without holding the proper queue
mutex for doing setup, start/stop, or teardown.

Add internal unlocked variants, and export the ones that do the proper
locking.

Fixes: 6da127ad0918 ("blktrace: Add blktrace ioctls to SCSI generic devices")
Tested-by: Dmitry Vyukov 
Signed-off-by: Jens Axboe 
Signed-off-by: Ben Hutchings 
---
 kernel/trace/blktrace.c | 58 -
 1 file changed, 48 insertions(+), 10 deletions(-)

--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -307,7 +307,7 @@ static void blk_trace_cleanup(struct blk
blk_unregister_tracepoints();
 }
 
-int blk_trace_remove(struct request_queue *q)
+static int __blk_trace_remove(struct request_queue *q)
 {
struct blk_trace *bt;
 
@@ -320,6 +320,17 @@ int blk_trace_remove(struct request_queu
 
return 0;
 }
+
+int blk_trace_remove(struct request_queue *q)
+{
+   int ret;
+
+   mutex_lock(>blk_trace_mutex);
+   ret = __blk_trace_remove(q);
+   mutex_unlock(>blk_trace_mutex);
+
+   return ret;
+}
 EXPORT_SYMBOL_GPL(blk_trace_remove);
 
 static ssize_t blk_dropped_read(struct file *filp, char __user *buffer,
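Review bot: The unlocked helpers introduced by this patch (`__blk_trace_remove()` in the previous hunk, `__blk_trace_setup()` and `__blk_trace_startstop()` in later ones) are only safe with `q->blk_trace_mutex` held, but nothing in them states or checks that. `blk_trace_ioctl()` is switched to call all three directly, so its correctness depends on locking that lies outside the visible hunks. Add `lockdep_assert_held(&q->blk_trace_mutex);` at the top of each helper, or at least a `/* caller must hold q->blk_trace_mutex */` comment, so a future unlocked caller is caught rather than reintroducing the race.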
@@ -536,9 +547,8 @@ err:
return ret;
 }
 
-int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
-   struct block_device *bdev,
-   char __user *arg)
+static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+struct block_device *bdev, char __user *arg)
 {
struct blk_user_trace_setup buts;
int ret;
@@ -557,6 +567,19 @@ int blk_trace_setup(struct request_queue
}
return 0;
 }
+
+int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+   struct block_device *bdev,
+   char __user *arg)
+{
+   int ret;
+
+   mutex_lock(>blk_trace_mutex);
+   ret = __blk_trace_setup(q, name, dev, bdev, arg);
+   mutex_unlock(>blk_trace_mutex);
+
+   return ret;
+}
 EXPORT_SYMBOL_GPL(blk_trace_setup);
 
 #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64)
@@ -593,7 +616,7 @@ static int compat_blk_trace_setup(struct
 }
 #endif
 
-int blk_trace_startstop(struct request_queue *q, int start)
+static int __blk_trace_startstop(struct request_queue *q, int start)
 {
int ret;
struct blk_trace *bt = q->blk_trace;
@@ -632,6 +655,17 @@ int blk_trace_startstop(struct request_q
 
return ret;
 }
+
+int blk_trace_startstop(struct request_queue *q, int start)
+{
+   int ret;
+
+   mutex_lock(>blk_trace_mutex);
+   ret = __blk_trace_startstop(q, start);
+   mutex_unlock(>blk_trace_mutex);
+
+   return ret;
+}
 EXPORT_SYMBOL_GPL(blk_trace_startstop);
 
 /*
@@ -662,7 +696,7 @@ int blk_trace_ioctl(struct block_device
switch (cmd) {
case BLKTRACESETUP:
bdevname(bdev, b);
-   ret = blk_trace_setup(q, b, bdev->bd_dev, bdev, arg);
+   ret = __blk_trace_setup(q, b, bdev->bd_dev, bdev, arg);
break;
 #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64)
case BLKTRACESETUP32:
@@ -673,10 +707,10 @@ int blk_trace_ioctl(struct block_device
case BLKTRACESTART:
start = 1;
case BLKTRACESTOP:
-   ret = blk_trace_startstop(q, start);
+   ret = __blk_trace_startstop(q, start);
break;
case BLKTRACETEARDOWN:
-   ret = blk_trace_remove(q);
+   ret = __blk_trace_remove(q);
break;
default:
ret = -ENOTTY;
@@ -694,10 +728,14 @@ int blk_trace_ioctl(struct block_device
  **/
 void blk_trace_shutdown(struct request_queue *q)
 {
+   mutex_lock(>blk_trace_mutex);
+
if (q->blk_trace) {
-   blk_trace_startstop(q, 0);
-   blk_trace_remove(q);
+   __blk_trace_startstop(q, 0);
+   __blk_trace_remove(q);
}
+
+   mutex_unlock(>blk_trace_mutex);
 }
 
 /*



[PATCH 3.16 069/136] USB: usbfs: compute urb->actual_length for isochronous

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alan Stern 

commit 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 upstream.

The USB kerneldoc says that the actual_length field "is read in
non-iso completion functions", but the usbfs driver uses it for all
URB types in processcompl().  Since not all of the host controller
drivers set actual_length for isochronous URBs, programs using usbfs
with some host controllers don't work properly.  For example, Minas
reports that a USB camera controlled by libusb doesn't work properly
with a dwc2 controller.

It doesn't seem worthwhile to change the HCDs and the documentation,
since the in-kernel USB class drivers evidently don't rely on
actual_length for isochronous transfers.  The easiest solution is for
usbfs to calculate the actual_length value for itself, by adding up
the lengths of the individual packets in an isochronous transfer.

Signed-off-by: Alan Stern 
CC: Minas Harutyunyan 
Reported-and-tested-by: wlf 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Ben Hutchings 
---
 drivers/usb/core/devio.c | 14 ++
 1 file changed, 14 insertions(+)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1650,6 +1650,18 @@ static int proc_unlinkurb(struct usb_dev
return 0;
 }
 
+static void compute_isochronous_actual_length(struct urb *urb)
+{
+   unsigned int i;
+
+   if (urb->number_of_packets > 0) {
+   urb->actual_length = 0;
+   for (i = 0; i < urb->number_of_packets; i++)
+   urb->actual_length +=
+   urb->iso_frame_desc[i].actual_length;
+   }
+}
+
 static int processcompl(struct async *as, void __user * __user *arg)
 {
struct urb *urb = as->urb;
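Review bot: compute_isochronous_actual_length() carries no comment explaining why usbfs recomputes a field that the rest of the USB stack treats as owned by the host controller driver. Something like `/* HCDs need not set actual_length for isochronous URBs, so sum the per-packet lengths */` above the helper would keep the reason next to the code. The summed value then gates copy_urb_data_to_user() in both processcompl() and processcompl_compat(). Whether that copy is bounded by the transfer buffer length rather than by this sum is not visible in these hunks, and it is worth confirming because the per-packet lengths are supplied by the controller driver.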
@@ -1657,6 +1669,7 @@ static int processcompl(struct async *as
void __user *addr = as->userurb;
unsigned int i;
 
+   compute_isochronous_actual_length(urb);
if (as->userbuffer && urb->actual_length) {
if (copy_urb_data_to_user(as->userbuffer, urb))
goto err_out;
@@ -1826,6 +1839,7 @@ static int processcompl_compat(struct as
void __user *addr = as->userurb;
unsigned int i;
 
+   compute_isochronous_actual_length(urb);
if (as->userbuffer && urb->actual_length) {
if (copy_urb_data_to_user(as->userbuffer, urb))
return -EFAULT;



[PATCH 3.16 078/136] IB/mlx4: Increase maximal message size under UD QP

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Mark Bloch 

commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca upstream.

Maximal message should be used as a limit to the max message payload allowed,
without the headers. The ConnectX-3 check that is done against this value
includes the headers. When the payload is 4K this will cause the NIC to drop packets.

Increase maximal message to 8K as workaround, this shouldn't change current
behaviour because we continue to set the MTU to 4k.

To reproduce;
set MTU to 4296 on the corresponding interface, for example:
ifconfig eth0 mtu 4296 (both server and client)

On server:
ib_send_bw -c UD -d mlx4_0 -s 4096 -n 100 -i1 -m 4096

On client:
ib_send_bw -d mlx4_0 -c UD  -s 4096 -n 100 -i 1 -m 4096

Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
Signed-off-by: Mark Bloch 
Reviewed-by: Majd Dibbiny 
Signed-off-by: Leon Romanovsky 
Signed-off-by: Doug Ledford 
Signed-off-by: Ben Hutchings 
---
 drivers/infiniband/hw/mlx4/qp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1468,7 +1468,7 @@ static int __mlx4_ib_modify_qp(struct ib
context->mtu_msgmax = (IB_MTU_4096 << 5) |
  ilog2(dev->dev->caps.max_gso_sz);
else
-   context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
+   context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
} else if (attr_mask & IB_QP_PATH_MTU) {
if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > 
IB_MTU_4096) {
pr_err("path MTU (%u) is invalid\n",
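Review bot: The changed line ORs a bare `13` into mtu_msgmax with nothing to say that it is a log2 message size, while the branch above derives the same field with `ilog2()`. A comment such as `/* msgmax = log2(8K): the hardware check counts headers, so a 4K payload needs headroom */` would record why the value is one step above the 4K MTU. __mlx4_ib_modify_qp starts and ends outside this hunk.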



[PATCH 3.16 085/136] net/sctp: Always set scope_id in sctp_inet6_skb_msgname

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: "Eric W. Biederman" 

commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec upstream.

Alexandar Potapenko while testing the kernel with KMSAN and syzkaller
discovered that in some configurations sctp would leak 4 bytes of
kernel stack.

Working with his reproducer I discovered that those 4 bytes that
are leaked is the scope id of an ipv6 address returned by recvmsg.

With a little code inspection and a shrewd guess I discovered that
sctp_inet6_skb_msgname only initializes the scope_id field for link
local ipv6 addresses to the interface index the link local address
pertains to instead of initializing the scope_id field for all ipv6
addresses.

That is almost reasonable as scope_id's are meaningful only for link
local addresses.  Set the scope_id in all other cases to 0 which is
not a valid interface index to make it clear there is nothing useful
in the scope_id field.

There should be no danger of breaking userspace as the stack leak
guaranteed that previously meaningless random data was being returned.

Fixes: 372f525b495c ("SCTP:  Resync with LKSCTP tree.")
History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reported-by: Alexander Potapenko 
Tested-by: Alexander Potapenko 
Signed-off-by: "Eric W. Biederman" 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: 
 - Adjust context
 - Add braces]
Signed-off-by: Ben Hutchings 
---
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -787,6 +787,8 @@ static void sctp_inet6_skb_msgname(struc
if (ipv6_addr_type(>v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
struct sctp_ulpevent *ev = sctp_skb2event(skb);
addr->v6.sin6_scope_id = ev->iif;
+   } else {
+   addr->v6.sin6_scope_id = 0;
}
}
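Review bot: The added `else` closes this leak, but sin6_scope_id is still initialised branch by branch, which is the pattern that left it unset in the first place. Assigning `addr->v6.sin6_scope_id = 0;` once before the link-local test, and overwriting it with `ev->iif` inside the `if`, keeps the field defined even if another address-type case is added later. The start of sctp_inet6_skb_msgname is outside the hunk, so it is not visible here whether every other sockaddr_in6 field returned through recvmsg is written; that is worth checking in the same pass.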
 



[PATCH 3.16 045/136] drm/ttm: once more fix ttm_buffer_object_transfer

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Christian König 

commit 4d98e5ee6084f6d7bc578c5d5f86de7156aaa4cb upstream.

When the mutex is locked just in the moment we copy it we end up with a
warning that we release a locked mutex.

Fix this by properly reinitializing the mutex.

Signed-off-by: Christian König 
Reviewed-by: Alex Deucher 
Signed-off-by: Alex Deucher 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 drivers/gpu/drm/ttm/ttm_bo_util.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/ttm/ttm_bo_util.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_util.c
@@ -463,6 +463,7 @@ static int ttm_buffer_object_transfer(st
INIT_LIST_HEAD(>lru);
INIT_LIST_HEAD(>swap);
INIT_LIST_HEAD(>io_reserve_lru);
+   mutex_init(>wu_mutex);
drm_vma_node_reset(>vma_node);
atomic_set(>cpu_writers, 0);
 



[PATCH 3.16 040/136] arm64: vdso: minor ABI fix for clock_getres

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Nathan Lynch 

commit e1b6b6ce55a0a25c8aa8af019095253b2133a41a upstream.

The vdso implementation of clock_getres currently returns 0 (success)
whenever a null timespec is provided by the caller, regardless of the
clock id supplied.

This behavior is incorrect.  It should fall back to syscall when an
unrecognized clock id is passed, even when the timespec argument is
null.  This ensures that clock_getres always returns an error for
invalid clock ids.

Signed-off-by: Nathan Lynch 
Acked-by: Will Deacon 
Signed-off-by: Catalin Marinas 
Signed-off-by: Ben Hutchings 
---
 arch/arm64/kernel/vdso/gettimeofday.S | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm64/kernel/vdso/gettimeofday.S
+++ b/arch/arm64/kernel/vdso/gettimeofday.S
@@ -174,8 +174,6 @@ ENDPROC(__kernel_clock_gettime)
 /* int __kernel_clock_getres(clockid_t clock_id, struct timespec *res); */
 ENTRY(__kernel_clock_getres)
.cfi_startproc
-   cbz w1, 3f
-
cmp w0, #CLOCK_REALTIME
ccmpw0, #CLOCK_MONOTONIC, #0x4, ne
b.ne1f
@@ -188,6 +186,7 @@ ENTRY(__kernel_clock_getres)
b.ne4f
ldr x2, 6f
 2:
+   cbz w1, 3f
stp xzr, x2, [x1]
 
 3: /* res == NULL. */
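Review bot: The relocated `cbz w1, 3f` tests only the low 32 bits of `res`, while the store on the following line dereferences the full 64-bit `x1`. A valid pointer whose low word happens to be zero would be treated as NULL and the resolution would silently not be written. `cbz x1, 3f` checks the whole pointer. The test is carried over from the removed line, but since this hunk moves it, this is the natural place to correct the register width.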



[PATCH 3.16 072/136] rt2x00usb: mark device removed when get ENOENT usb error

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Stanislaw Gruszka 

commit bfa62a52cad93686bb8d8171ea5288813248a7c6 upstream.

An ENOENT USB error means "specified interface or endpoint does not exist or
is not enabled". Mark the device as not present when we encounter this error,
as we already do for the ENODEV error.

Otherwise we can have infinite loop in rt2x00usb_work_rxdone(), because
we remove and put again RX entries to the queue infinitely.

We can have similar situation when submit urb will fail all the time
with other error, so we need consider to limit number of entries
processed by rxdone work. But for now, since the patch fixes
reproducible soft lockup issue on single processor systems
and taken ENOENT error meaning, let apply this fix.

Patch adds additional ENOENT check not only in rx kick routine, but
also on other places where we check for ENODEV error.

Reported-by: Richard Genoud 
Debugged-by: Richard Genoud 
Signed-off-by: Stanislaw Gruszka 
Tested-by: Richard Genoud 
Signed-off-by: Kalle Valo 
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings 
---
 drivers/net/wireless/rt2x00/rt2x00usb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/rt2x00/rt2x00usb.c
+++ b/drivers/net/wireless/rt2x00/rt2x00usb.c
@@ -62,7 +62,7 @@ int rt2x00usb_vendor_request(struct rt2x
 * -ENODEV: Device has disappeared, no point continuing.
 * All other errors: Try again.
 */
-   else if (status == -ENODEV) {
+   else if (status == -ENODEV || status == -ENOENT) {
clear_bit(DEVICE_STATE_PRESENT, >flags);
break;
}
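Review bot: The comment directly above the changed condition still lists only `-ENODEV` as the case where the device has disappeared, so it no longer describes the code. It should gain a line such as `* -ENOENT: Interface or endpoint is gone or disabled, treat as removed.`. The same two-value test is now repeated in rt2x00usb_kick_tx_entry and rt2x00usb_kick_rx_entry; a small static helper that answers whether a status means the device is gone would stop the three sites drifting apart. The comment block and the enclosing function both begin outside this hunk.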
@@ -325,7 +325,7 @@ static bool rt2x00usb_kick_tx_entry(stru
 
status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC);
if (status) {
-   if (status == -ENODEV)
+   if (status == -ENODEV || status == -ENOENT)
clear_bit(DEVICE_STATE_PRESENT, >flags);
set_bit(ENTRY_DATA_IO_FAILED, >flags);
rt2x00lib_dmadone(entry);
@@ -414,7 +414,7 @@ static bool rt2x00usb_kick_rx_entry(stru
 
status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC);
if (status) {
-   if (status == -ENODEV)
+   if (status == -ENODEV || status == -ENOENT)
clear_bit(DEVICE_STATE_PRESENT, >flags);
set_bit(ENTRY_DATA_IO_FAILED, >flags);
rt2x00lib_dmadone(entry);



[PATCH 3.16 049/136] crypto: caam - fix incorrect define

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Radu Alexe 

commit cc2f8ab5334a736fa0e775cfccf06c1e268667f0 upstream.

Fixes: 3ebfa92f49a6 ("crypto: caam - Add new macros for building extended SEC 
descriptors (> 64 words)")
Signed-off-by: Radu Alexe 
Signed-off-by: Horia Geantă 
Signed-off-by: Herbert Xu 
Signed-off-by: Ben Hutchings 
---
 drivers/crypto/caam/desc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/caam/desc.h
+++ b/drivers/crypto/caam/desc.h
@@ -1434,7 +1434,7 @@ struct sec4_sg_entry {
 #define MATH_SRC1_REG2 (0x02 << MATH_SRC1_SHIFT)
 #define MATH_SRC1_REG3 (0x03 << MATH_SRC1_SHIFT)
 #define MATH_SRC1_IMM  (0x04 << MATH_SRC1_SHIFT)
-#define MATH_SRC1_DPOVRD   (0x07 << MATH_SRC0_SHIFT)
+#define MATH_SRC1_DPOVRD   (0x07 << MATH_SRC1_SHIFT)
 #define MATH_SRC1_INFIFO   (0x0a << MATH_SRC1_SHIFT)
 #define MATH_SRC1_OUTFIFO  (0x0b << MATH_SRC1_SHIFT)
 #define MATH_SRC1_ONE  (0x0c << MATH_SRC1_SHIFT)



[PATCH 3.16 128/136] x86, vdso: Move the vvar area before the vdso text

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Andy Lutomirski 

commit e6577a7ce99a506b587bcd1d2cd803cb45119557 upstream.

Putting the vvar area after the vdso text is rather complicated: it
only works if the total length of the vdso text mapping is known at
vdso link time, and the linker doesn't allow symbol addresses to
depend on the sizes of non-allocatable data after the PT_LOAD
segment.

Moving the vvar area before the vdso text will allow us to safely
map non-allocatable data after the vdso text, which is a nice
simplification.

Signed-off-by: Andy Lutomirski 
Link: 
http://lkml.kernel.org/r/156c78c0d93144ff1055a66493783b9e56813983.1405040914.git.l...@amacapital.net
Signed-off-by: H. Peter Anvin 
Signed-off-by: Ben Hutchings 
---
 arch/x86/include/asm/vdso.h | 18 -
 arch/x86/vdso/vdso-layout.lds.S | 44 ++---
 arch/x86/vdso/vdso2c.c  | 12 ++-
 arch/x86/vdso/vdso2c.h  | 25 ++-
 arch/x86/vdso/vma.c | 20 ++-
 5 files changed, 62 insertions(+), 57 deletions(-)

--- a/arch/x86/include/asm/vdso.h
+++ b/arch/x86/include/asm/vdso.h
@@ -18,15 +18,15 @@ struct vdso_image {
 
unsigned long alt, alt_len;
 
-   unsigned long sym_end_mapping;  /* Total size of the mapping */
+   long sym_vvar_start;  /* Negative offset to the vvar area */
 
-   unsigned long sym_vvar_page;
-   unsigned long sym_hpet_page;
-   unsigned long sym_VDSO32_NOTE_MASK;
-   unsigned long sym___kernel_sigreturn;
-   unsigned long sym___kernel_rt_sigreturn;
-   unsigned long sym___kernel_vsyscall;
-   unsigned long sym_VDSO32_SYSENTER_RETURN;
+   long sym_vvar_page;
+   long sym_hpet_page;
+   long sym_VDSO32_NOTE_MASK;
+   long sym___kernel_sigreturn;
+   long sym___kernel_rt_sigreturn;
+   long sym___kernel_vsyscall;
+   long sym_VDSO32_SYSENTER_RETURN;
 };
 
 #ifdef CONFIG_X86_64
--- a/arch/x86/vdso/vdso-layout.lds.S
+++ b/arch/x86/vdso/vdso-layout.lds.S
@@ -18,6 +18,25 @@
 
 SECTIONS
 {
+   /*
+* User/kernel shared data is before the vDSO.  This may be a little
+* uglier than putting it after the vDSO, but it avoids issues with
+* non-allocatable things that dangle past the end of the PT_LOAD
+* segment.
+*/
+
+   vvar_start = . - 2 * PAGE_SIZE;
+   vvar_page = vvar_start;
+
+   /* Place all vvars at the offsets in asm/vvar.h. */
+#define EMIT_VVAR(name, offset) vvar_ ## name = vvar_page + offset;
+#define __VVAR_KERNEL_LDS
+#include 
+#undef __VVAR_KERNEL_LDS
+#undef EMIT_VVAR
+
+   hpet_page = vvar_start + PAGE_SIZE;
+
. = SIZEOF_HEADERS;
 
.hash   : { *(.hash) }  :text
@@ -74,31 +93,6 @@ SECTIONS
.altinstructions: { *(.altinstructions) }   :text
.altinstr_replacement   : { *(.altinstr_replacement) }  :text
 
-   /*
-* The remainder of the vDSO consists of special pages that are
-* shared between the kernel and userspace.  It needs to be at the
-* end so that it doesn't overlap the mapping of the actual
-* vDSO image.
-*/
-
-   . = ALIGN(PAGE_SIZE);
-   vvar_page = .;
-
-   /* Place all vvars at the offsets in asm/vvar.h. */
-#define EMIT_VVAR(name, offset) vvar_ ## name = vvar_page + offset;
-#define __VVAR_KERNEL_LDS
-#include 
-#undef __VVAR_KERNEL_LDS
-#undef EMIT_VVAR
-
-   . = vvar_page + PAGE_SIZE;
-
-   hpet_page = .;
-   . = . + PAGE_SIZE;
-
-   . = ALIGN(PAGE_SIZE);
-   end_mapping = .;
-
/DISCARD/ : {
*(.discard)
*(.discard.*)
--- a/arch/x86/vdso/vdso2c.c
+++ b/arch/x86/vdso/vdso2c.c
@@ -20,9 +20,9 @@ const char *outfilename;
 
 /* Symbols that we need in vdso2c. */
 enum {
+   sym_vvar_start,
sym_vvar_page,
sym_hpet_page,
-   sym_end_mapping,
sym_VDSO_FAKE_SECTION_TABLE_START,
sym_VDSO_FAKE_SECTION_TABLE_END,
 };
@@ -38,9 +38,9 @@ struct vdso_sym {
 };
 
 struct vdso_sym required_syms[] = {
+   [sym_vvar_start] = {"vvar_start", true},
[sym_vvar_page] = {"vvar_page", true},
[sym_hpet_page] = {"hpet_page", true},
-   [sym_end_mapping] = {"end_mapping", true},
[sym_VDSO_FAKE_SECTION_TABLE_START] = {
"VDSO_FAKE_SECTION_TABLE_START", false
},
@@ -96,9 +96,11 @@ extern void bad_put_le(void);
 
 #define NSYMS (sizeof(required_syms) / sizeof(required_syms[0]))
 
-#define BITSFUNC3(name, bits) name##bits
-#define BITSFUNC2(name, bits) BITSFUNC3(name, bits)
-#define BITSFUNC(name) BITSFUNC2(name, ELF_BITS)
+#define BITSFUNC3(name, bits, suffix) name##bits##suffix
+#define BITSFUNC2(name, bits, suffix) BITSFUNC3(name, bits, suffix)
+#define BITSFUNC(name) 

[PATCH 3.16 015/136] p54: don't unregister leds when they are not initialized

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Andrey Konovalov 

commit fc09785de0a364427a5df63d703bae9a306ed116 upstream.

ieee80211_register_hw() in p54_register_common() may fail and leds won't
get initialized. Currently p54_unregister_common() doesn't check that and
always calls p54_unregister_leds(). The fix is to check priv->registered
flag before calling p54_unregister_leds().

Found by syzkaller.

INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 1 PID: 1404 Comm: kworker/1:1 Not tainted
4.14.0-rc1-42251-gebb2c2437d80-dirty #205
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x395 lib/dump_stack.c:52
 register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
 __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
 lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
 flush_work+0xf0/0x8c0 kernel/workqueue.c:2886
 __cancel_work_timer+0x51d/0x870 kernel/workqueue.c:2961
 cancel_delayed_work_sync+0x1f/0x30 kernel/workqueue.c:3081
 p54_unregister_leds+0x6c/0xc0 drivers/net/wireless/intersil/p54/led.c:160
 p54_unregister_common+0x3d/0xb0 drivers/net/wireless/intersil/p54/main.c:856
 p54u_disconnect+0x86/0x120 drivers/net/wireless/intersil/p54/p54usb.c:1073
 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423
 __device_release_driver drivers/base/dd.c:861
 device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893
 device_release_driver+0x1e/0x30 drivers/base/dd.c:918
 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565
 device_del+0x5c4/0xab0 drivers/base/core.c:1985
 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170
 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124
 hub_port_connect drivers/usb/core/hub.c:4754
 hub_port_connect_change drivers/usb/core/hub.c:5009
 port_event drivers/usb/core/hub.c:5115
 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195
 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
 process_scheduled_works kernel/workqueue.c:2179
 worker_thread+0xb2b/0x1850 kernel/workqueue.c:2255
 kthread+0x3a1/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Signed-off-by: Andrey Konovalov 
Acked-by: Christian Lamparter 
Signed-off-by: Kalle Valo 
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings 
---
 drivers/net/wireless/p54/main.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/p54/main.c
+++ b/drivers/net/wireless/p54/main.c
@@ -851,12 +851,11 @@ void p54_unregister_common(struct ieee80
 {
struct p54_common *priv = dev->priv;
 
-#ifdef CONFIG_P54_LEDS
-   p54_unregister_leds(priv);
-#endif /* CONFIG_P54_LEDS */
-
if (priv->registered) {
priv->registered = false;
+#ifdef CONFIG_P54_LEDS
+   p54_unregister_leds(priv);
+#endif /* CONFIG_P54_LEDS */
ieee80211_unregister_hw(dev);
}
 



[PATCH 3.16 131/136] x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Andy Lutomirski 

commit dac16fba6fc590fa7239676b35ed75dae4c4cd2b upstream.

Signed-off-by: Andy Lutomirski 
Reviewed-by: Paolo Bonzini 
Cc: Andy Lutomirski 
Cc: Borislav Petkov 
Cc: Brian Gerst 
Cc: Denys Vlasenko 
Cc: H. Peter Anvin 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: linux...@kvack.org
Link: 
http://lkml.kernel.org/r/9d37826fdc7e2d2809efe31d5345f97186859284.1449702533.git.l...@kernel.org
Signed-off-by: Ingo Molnar 
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings 
---
 arch/x86/vdso/vclock_gettime.c  | 20 
 arch/x86/vdso/vdso-layout.lds.S |  3 ++-
 arch/x86/vdso/vdso2c.c  |  3 +++
 arch/x86/vdso/vma.c | 13 +
 arch/x86/include/asm/pvclock.h  |  9 +
 arch/x86/include/asm/vdso.h |  1 +
 arch/x86/kernel/kvmclock.c  |  5 +
 7 files changed, 41 insertions(+), 13 deletions(-)

--- a/arch/x86/vdso/vclock_gettime.c
+++ b/arch/x86/vdso/vclock_gettime.c
@@ -36,6 +36,11 @@ static notrace cycle_t vread_hpet(void)
 }
 #endif
 
+#ifdef CONFIG_PARAVIRT_CLOCK
+extern u8 pvclock_page
+   __attribute__((visibility("hidden")));
+#endif
+
 #ifndef BUILD_VDSO32
 
 #include 
@@ -62,23 +67,14 @@ notrace static long vdso_fallback_gtod(s
 
 #ifdef CONFIG_PARAVIRT_CLOCK
 
-static notrace const struct pvclock_vsyscall_time_info *get_pvti(int cpu)
+static notrace const struct pvclock_vsyscall_time_info *get_pvti0(void)
 {
-   const struct pvclock_vsyscall_time_info *pvti_base;
-   int idx = cpu / (PAGE_SIZE/PVTI_SIZE);
-   int offset = cpu % (PAGE_SIZE/PVTI_SIZE);
-
-   BUG_ON(PVCLOCK_FIXMAP_BEGIN + idx > PVCLOCK_FIXMAP_END);
-
-   pvti_base = (struct pvclock_vsyscall_time_info *)
-   __fix_to_virt(PVCLOCK_FIXMAP_BEGIN+idx);
-
-   return _base[offset];
+   return (const struct pvclock_vsyscall_time_info *)_page;
 }
 
 static notrace cycle_t vread_pvclock(int *mode)
 {
-   const struct pvclock_vcpu_time_info *pvti = _pvti(0)->pvti;
+   const struct pvclock_vcpu_time_info *pvti = _pvti0()->pvti;
cycle_t ret;
u64 tsc, pvti_tsc;
u64 last, delta, pvti_system_time;
--- a/arch/x86/vdso/vdso-layout.lds.S
+++ b/arch/x86/vdso/vdso-layout.lds.S
@@ -25,7 +25,7 @@ SECTIONS
 * segment.
 */
 
-   vvar_start = . - 2 * PAGE_SIZE;
+   vvar_start = . - 3 * PAGE_SIZE;
vvar_page = vvar_start;
 
/* Place all vvars at the offsets in asm/vvar.h. */
@@ -36,6 +36,7 @@ SECTIONS
 #undef EMIT_VVAR
 
hpet_page = vvar_start + PAGE_SIZE;
+   pvclock_page = vvar_start + 2 * PAGE_SIZE;
 
. = SIZEOF_HEADERS;
 
--- a/arch/x86/vdso/vdso2c.c
+++ b/arch/x86/vdso/vdso2c.c
@@ -23,6 +23,7 @@ enum {
sym_vvar_start,
sym_vvar_page,
sym_hpet_page,
+   sym_pvclock_page,
sym_VDSO_FAKE_SECTION_TABLE_START,
sym_VDSO_FAKE_SECTION_TABLE_END,
 };
@@ -30,6 +31,7 @@ enum {
 const int special_pages[] = {
sym_vvar_page,
sym_hpet_page,
+   sym_pvclock_page,
 };
 
 struct vdso_sym {
@@ -41,6 +43,7 @@ struct vdso_sym required_syms[] = {
[sym_vvar_start] = {"vvar_start", true},
[sym_vvar_page] = {"vvar_page", true},
[sym_hpet_page] = {"hpet_page", true},
+   [sym_pvclock_page] = {"pvclock_page", true},
[sym_VDSO_FAKE_SECTION_TABLE_START] = {
"VDSO_FAKE_SECTION_TABLE_START", false
},
--- a/arch/x86/vdso/vma.c
+++ b/arch/x86/vdso/vma.c
@@ -113,6 +113,7 @@ static int map_vdso(const struct vdso_im
.name = "[vvar]",
.pages = no_pages,
};
+   struct pvclock_vsyscall_time_info *pvti;
 
if (calculate_addr) {
addr = vdso_addr(current->mm->start_stack,
@@ -182,6 +183,18 @@ static int map_vdso(const struct vdso_im
}
 #endif
 
+   pvti = pvclock_pvti_cpu0_va();
+   if (pvti && image->sym_pvclock_page) {
+   ret = remap_pfn_range(vma,
+ text_start + image->sym_pvclock_page,
+ __pa(pvti) >> PAGE_SHIFT,
+ PAGE_SIZE,
+ PAGE_READONLY);
+
+   if (ret)
+   goto up_fail;
+   }
+
 up_fail:
if (ret)
current->mm->context.vdso = NULL;
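Review bot: The new remap_pfn_range() call maps the whole physical page containing CPU 0's pvti into the process, and `__pa(pvti) >> PAGE_SHIFT` discards any offset within that page, while get_pvti0() in vclock_gettime.c reads from the start of `pvclock_page`. Both rely on `pvti` being page-aligned and on the page holding nothing but clock data, yet neither assumption is stated or checked in this hunk. A comment such as `/* pvti must be page-aligned; the entire page becomes readable by userspace */` above the call, or a warning when `(unsigned long)pvti & ~PAGE_MASK` is non-zero, would make the exposure explicit. map_vdso begins outside the hunk.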
--- a/arch/x86/include/asm/pvclock.h
+++ b/arch/x86/include/asm/pvclock.h
@@ -4,6 +4,15 @@
 #include 
 #include 
 
+#ifdef CONFIG_PARAVIRT_CLOCK
+extern struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void);
+#else
+static inline struct 

[PATCH 3.16 125/136] usbip: prevent vhci_hcd driver from leaking a socket pointer address

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Shuah Khan 

commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream.

When a client has a USB device attached over IP, the vhci_hcd driver is
locally leaking a socket pointer address via the

/sys/devices/platform/vhci_hcd/status file (world-readable) and in debug
output when "usbip --debug port" is run.

Fix it to not leak. The socket pointer address is not used at the moment
and it was made visible as a convenient way to find IP address from socket
pointer address by looking up /proc/net/{tcp,tcp6}.

As this opens a security hole, the fix replaces socket pointer address with
sockfd.

Reported-by: Secunia Research 
Signed-off-by: Shuah Khan 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.16:
 - usbip port status does not include hub type
 - Adjust filenames, context, indentation]
Signed-off-by: Ben Hutchings 
---
 drivers/staging/usbip/usbip_common.h |  1 +
 drivers/staging/usbip/vhci_sysfs.c   | 25 
-
 drivers/staging/usbip/userspace/libsrc/vhci_driver.c |  8 
 3 files changed, 21 insertions(+), 13 deletions(-)

--- a/drivers/staging/usbip/usbip_common.h
+++ b/drivers/staging/usbip/usbip_common.h
@@ -261,6 +261,7 @@ struct usbip_device {
/* lock for status */
spinlock_t lock;
 
+   int sockfd;
struct socket *tcp_socket;
 
struct task_struct *tcp_rx;
--- a/drivers/staging/usbip/vhci_sysfs.c
+++ b/drivers/staging/usbip/vhci_sysfs.c
@@ -39,13 +39,18 @@ static ssize_t status_show(struct device
 
/*
 * output example:
-* prt sta spd dev socket   local_busid
-* 000 004 000 000 c5a7bb80 1-2.3
-* 001 004 000 000 d8cee980 2-3.4
+* prt sta spd dev sockfdlocal_busid
+* 000 004 000 000 3 1-2.3
+* 001 004 000 000 4 2-3.4
+*
+* Output includes socket fd instead of socket pointer address to avoid
+* leaking kernel memory address in:
+*  /sys/devices/platform/vhci_hcd.0/status and in debug output.
+* The socket pointer address is not used at the moment and it was made
+* visible as a convenient way to find IP address from socket pointer
+* address by looking up /proc/net/{tcp,tcp6}. As this opens a security
+* hole, the change is made to use sockfd instead.
 *
-* IP address can be retrieved from a socket pointer address by looking
-* up /proc/net/{tcp,tcp6}. Also, a userland program may remember a
-* port number and its peer IP address.
 */
out += sprintf(out,
   "prt sta spd bus dev socket   local_busid\n");
@@ -59,7 +64,7 @@ static ssize_t status_show(struct device
if (vdev->ud.status == VDEV_ST_USED) {
out += sprintf(out, "%03u %08x ",
   vdev->speed, vdev->devid);
-   out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
+   out += sprintf(out, "%u", vdev->ud.sockfd);
out += sprintf(out, "%s", dev_name(>udev->dev));
 
} else {
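Review bot: As shown, the new `sprintf(out, "%u", vdev->ud.sockfd)` has no trailing separator, whereas the removed `"%16p "` ended in a space. The descriptor and the bus id that follows therefore run together (constructed from the comment's sample values, fd 3 and 1-2.3 would print as `31-2.3`), and the `%u %31s` scan in parse_status cannot split them; `"%u "` restores the column, unless the space was simply lost in this rendering. `sockfd` is declared `int` both in struct usbip_device and in parse_status, so `%d` is the matching conversion on the kernel and userspace sides. The header string at the end of the previous hunk still prints `socket` although the column now holds a file descriptor.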
@@ -223,6 +228,7 @@ static ssize_t store_attach(struct devic
 
vdev->devid = devid;
vdev->speed = speed;
+   vdev->ud.sockfd = sockfd;
vdev->ud.tcp_socket = socket;
vdev->ud.status = VDEV_ST_NOTASSIGNED;
 
--- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c
+++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c
@@ -55,12 +55,12 @@ static int parse_status(const char *valu
 
while (*c != '\0') {
int port, status, speed, devid;
-   unsigned long socket;
+   int sockfd;
char lbusid[SYSFS_BUS_ID_SIZE];
 
-   ret = sscanf(c, "%d %d %d %x %lx %31s\n",
+   ret = sscanf(c, "%d %d %d %x %u %31s\n",
, , ,
-   , , lbusid);
+   , , lbusid);
 
if (ret < 5) {
dbg("sscanf failed: %d", ret);
@@ -69,7 +69,7 @@ static int parse_status(const char *valu
 
dbg("port %d status %d speed %d devid %x",
port, status, speed, devid);
-   dbg("socket %lx lbusid %s", socket, lbusid);
+   dbg("sockfd %u lbusid %s", sockfd, lbusid);
 
 
/* if a device is connected, look at it */



[PATCH 3.16 014/136] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Jani Nikula 

commit 348e4058ebf53904e817eec7a1b25327143c2ed2 upstream.

While technically CHV isn't DDI, we do look at the VBT based DDI port
info for HDMI DDC pin and DP AUX channel. (We call these "alternate",
but they're really just something that aren't platform defaults.)

In commit e4ab73a13291 ("drm/i915: Respect alternate_ddc_pin for all DDI
ports") Ville writes, "IIRC there may be CHV system that might actually
need this."

I'm not sure why there couldn't be even more platforms that need this,
but start conservative, and parse the info for CHV in addition to DDI.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100553
Reported-by: Marek Wilczewski 
Reviewed-by: Ville Syrjälä 
Signed-off-by: Jani Nikula 
Link: 
https://patchwork.freedesktop.org/patch/msgid/d0815082cb98487618429b62414854137049b888.1506586821.git.jani.nik...@intel.com
[bwh: Backported to 3.16: IS_CHERRYVIEW() takes a drm_device pointer]
Signed-off-by: Ben Hutchings 
---
 drivers/gpu/drm/i915/intel_bios.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/intel_bios.c
+++ b/drivers/gpu/drm/i915/intel_bios.c
@@ -1007,7 +1007,7 @@ static void parse_ddi_ports(struct drm_i
struct drm_device *dev = dev_priv->dev;
enum port port;
 
-   if (!HAS_DDI(dev))
+   if (!HAS_DDI(dev) && !IS_CHERRYVIEW(dev))
return;
 
if (!dev_priv->vbt.child_dev_num)



[PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ladi Prosek 

commit 21f2d551183847bc7fbe8d866151d00cdad18752 upstream.

Intel SDM 27.5.2 Loading Host Segment and Descriptor-Table Registers:

"The GDTR and IDTR limits are each set to FFFFH."

Signed-off-by: Ladi Prosek 
Signed-off-by: Paolo Bonzini 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings 
---
 arch/x86/kvm/vmx.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7076,6 +7076,8 @@ void load_vmcs12_host_state(struct kvm_v
vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip);
vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base);
vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base);
+   vmcs_write32(GUEST_IDTR_LIMIT, 0x);
+   vmcs_write32(GUEST_GDTR_LIMIT, 0x);
vmcs_writel(GUEST_TR_BASE, vmcs12->host_tr_base);
vmcs_writel(GUEST_GS_BASE, vmcs12->host_gs_base);
vmcs_writel(GUEST_FS_BASE, vmcs12->host_fs_base);
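Review bot: The two added limit writes use a bare literal with nothing in the code to say where the value comes from. A one-line comment above them, such as `/* SDM 27.5.2: GDTR and IDTR limits are set to FFFFH on VM exit */`, would tie the constant to the specification the commit message quotes. load_vmcs12_host_state starts and ends outside this hunk.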



[PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Gabriele Paoloni 

commit 86acc790717fb60fb51ea3095084e331d8711c74 upstream.

Previously, if a non-fatal error was reported by an endpoint, we
called report_error_detected() for the endpoint, every sibling on the
bus, and their descendents.  If any of them did not implement the
.error_detected() method, do_recovery() failed, leaving all these
devices unrecovered.

For example, the system described in the bugzilla below has two devices:

  :74:02.0 [19e5:a230] SAS controller, driver has .error_detected()
  :74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected()

When a device such as 74:02.0 reported a non-fatal error, do_recovery()
failed because 74:03.0 lacked an .error_detected() method.  But per PCIe
r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and
does not affect 74:03.0:

  Non-fatal errors are uncorrectable errors which cause a particular
  transaction to be unreliable but the Link is otherwise fully functional.
  Isolating Non-fatal from Fatal errors provides Requester/Receiver logic
  in a device or system management software the opportunity to recover from
  the error without resetting the components on the Link and disturbing
  other transactions in progress.  Devices not associated with the
  transaction in error are not impacted by the error.

Report non-fatal errors only to the endpoint that reported them.  We really
want to check for AER_NONFATAL here, but the current code structure doesn't
allow that.  Looking for pci_channel_io_normal is the best we can do now.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055
Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver")
Signed-off-by: Gabriele Paoloni 
Signed-off-by: Dongdong Liu 
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas 
Signed-off-by: Ben Hutchings 
---
 drivers/pci/pcie/aer/aerdrv_core.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/pci/pcie/aer/aerdrv_core.c
+++ b/drivers/pci/pcie/aer/aerdrv_core.c
@@ -367,7 +367,14 @@ static pci_ers_result_t broadcast_error_
 * If the error is reported by an end point, we think this
 * error is related to the upstream link of the end point.
 */
-   pci_walk_bus(dev->bus, cb, _data);
+   if (state == pci_channel_io_normal)
+   /*
+* the error is non fatal so the bus is ok, just invoke
+* the callback for the function that logged the error.
+*/
+   cb(dev, _data);
+   else
+   pci_walk_bus(dev->bus, cb, _data);
}
 
return result_data.result;
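Review bot: The unbraced `if (state == pci_channel_io_normal)` has a four-line comment sitting between the condition and its single statement, which makes the `if`/`else` pairing easy to misread; kernel style wants braces on both arms once a body spans more than one line. The comment should also record what the changelog admits, that the channel state is only a stand-in for the error severity, for example `/* pci_channel_io_normal is used as a proxy for AER_NONFATAL here */`. Without that, a later reader has no hint that a different state value with non-fatal severity would still walk the whole bus. The enclosing function starts outside the hunk.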



[PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Lepton Wu 

This finally resolves the crash when loaded under qemu + haxm. Haitao Shan pointed
out that the reason for that crash is that the NX bit gets set for page tables.
It seems we missed checking whether _PAGE_NX is supported in kaiser_add_user_map.

Link: https://www.spinics.net/lists/kernel/msg2689835.html

Reviewed-by: Guenter Roeck 
Signed-off-by: Lepton Wu 
Signed-off-by: Greg Kroah-Hartman 
(backported from Greg K-H's 4.4 stable-queue)
Signed-off-by: Juerg Haefliger 
Signed-off-by: Ben Hutchings 
---
 arch/x86/mm/kaiser.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/mm/kaiser.c
+++ b/arch/x86/mm/kaiser.c
@@ -189,6 +189,8 @@ static int kaiser_add_user_map(const voi
 * requires that not to be #defined to 0): so mask it off here.
 */
flags &= ~_PAGE_GLOBAL;
+   if (!(__supported_pte_mask & _PAGE_NX))
+   flags &= ~_PAGE_NX;
 
if (flags & _PAGE_USER)
BUG_ON(address < FIXADDR_START || end_addr >= FIXADDR_TOP);
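Review bot: The added `_PAGE_NX` masking carries no comment, although the `_PAGE_GLOBAL` masking directly above it does, so the reason survives only in the changelog. Where NX is not enabled the bit is reserved in the page-table entry and setting it faults, which matches the crash described; a comment such as `/* NX is a reserved PTE bit when unsupported, so mask it off */` would keep that next to the code. It also follows from the new lines that on such systems the mappings created here are no longer marked non-executable, which is worth stating for anyone who relies on that property. kaiser_add_user_map starts and ends outside the hunk.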



Re: [PATCH] KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use

2018-02-10 Thread Peter Xu
On Fri, Feb 09, 2018 at 02:01:33PM +0100, Vitaly Kuznetsov wrote:
> Devices which use level-triggered interrupts under Windows 2016 with
> Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV
> unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC
> version which has no EOI register so EOI never happens.
> 
> The issue was discovered and discussed a while ago:
> https://www.spinics.net/lists/kvm/msg148098.html
> 
> While this is a guest OS bug (it should check that IOAPIC has the required
> capabilities before disabling EOI broadcast) we can workaround it in KVM:
> advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway.
> 
> Signed-off-by: Vitaly Kuznetsov 
> ---
> - Radim's suggestion was to disable DIRECTED_EOI unconditionally but I'm not
>   that radical :-) In theory, we may have multiple IOAPICs in userspace in
>   future and DIRECTED_EOI can be leveraged.

I sort of agree on this, especially considering that we already have
IOAPIC version 0x20 support in QEMU.

> ---
>  arch/x86/kvm/lapic.c | 10 +-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> index 924ac8ce9d50..5339287fee63 100644
> --- a/arch/x86/kvm/lapic.c
> +++ b/arch/x86/kvm/lapic.c
> @@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu)
>   if (!lapic_in_kernel(vcpu))
>   return;
>  
> + /*
> +  * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation)
> +  * which doesn't have EOI register; Some buggy OSes (e.g. Windows with
> +  * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC
> +  * version first and level-triggered interrupts never get EOIed in
> +  * IOAPIC.
> +  */
>   feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0);
> - if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31
> + if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) &&
> + !ioapic_in_kernel(vcpu->kvm))
>   v |= APIC_LVR_DIRECTED_EOI;
>   kvm_lapic_set_reg(apic, APIC_LVR, v);
>  }
> -- 
> 2.14.3
> 

Does this mean that we can avoid the migration problem that Radim
raised in previous discussion?  Basically the OSs should only probe
this version once for each boot, if so I think it should be fine.  But
since you didn't mention that in either commit message and comment, I
would like to ask and confirm.

For the change itself, it looks sane to me.

Thanks,

-- 
Peter Xu


[PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Johan Hovold 

commit 74d471b598444b7f2d964930f7234779c80960a0 upstream.

Make sure to free the port private data before returning after a failed
probe attempt.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman 
Signed-off-by: Johan Hovold 
Signed-off-by: Ben Hutchings 
---
 drivers/usb/serial/garmin_gps.c | 6 ++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1476,6 +1476,12 @@ static int garmin_attach(struct usb_seri
usb_set_serial_port_data(port, garmin_data_p);
 
status = garmin_init_session(port);
+   if (status)
+   goto err_free;
+
+   return 0;
+err_free:
+   kfree(garmin_data_p);
 
return status;
 }
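Review bot: On the new `err_free` path the private data is freed while the port still points at it, because `usb_set_serial_port_data(port, garmin_data_p)` ran just before `garmin_init_session()`. If anything reads the port data after a failed attach (not visible in this hunk), it would be touching freed memory; calling `usb_set_serial_port_data(port, NULL);` before `kfree(garmin_data_p);` removes the dangling pointer. It is also not visible here whether `garmin_init_session()` can fail after starting I/O that still references the data, which should be confirmed before freeing. garmin_attach starts outside the hunk.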



[PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d upstream.

FIFO_MODE() is a macro expression with a '<<' operator, which gcc points
out could be misread as a '<':

drivers/input/misc/adxl34x.c: In function 'adxl34x_probe':
drivers/input/misc/adxl34x.c:799:36: error: '<<' in boolean context, did you 
mean '<' ? [-Werror=int-in-bool-context]

While utility of this warning is being disputed (Chief Penguin: "This
warning is clearly pure garbage.") FIFO_MODE() extracts range of values,
with 0 being FIFO_BYPASS, and not something that is logically boolean.

This converts the test to an explicit comparison with FIFO_BYPASS,
making it clearer to gcc and the reader what is intended.

Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
Signed-off-by: Arnd Bergmann 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Ben Hutchings 
---
 drivers/input/misc/adxl34x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/misc/adxl34x.c
+++ b/drivers/input/misc/adxl34x.c
@@ -797,7 +797,7 @@ struct adxl34x *adxl34x_probe(struct dev
 
if (pdata->watermark) {
ac->int_mask |= WATERMARK;
-   if (!FIFO_MODE(pdata->fifo_mode))
+   if (FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS)
ac->pdata.fifo_mode |= FIFO_STREAM;
} else {
ac->int_mask |= DATA_READY;



Re: [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr()

2018-02-10 Thread alex chen
Hi Ben,

ocfs2_dio_end_io_write() was introduced in 4.6, and the problem this patch
fixes exists only in kernel 4.6 and later.

Thanks,
Alex

On 2018/2/11 12:20, Ben Hutchings wrote:
> 3.2.99-rc1 review patch.  If anyone has any objections, please let me know.
> 
> --
> 
> From: alex chen 
> 
> commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream.
> 
> we should wait dio requests to finish before inode lock in
> ocfs2_setattr(), otherwise the following deadlock will happen:
> 
> process 1  process 2process 3
> truncate file 'A'  end_io of writing file 'A'   receiving the bast 
> messages
> ocfs2_setattr
>  ocfs2_inode_lock_tracker
>   ocfs2_inode_lock_full
>  inode_dio_wait
>   __inode_dio_wait
>   -->waiting for all dio
>   requests finish
> dlm_proxy_ast_handler
>  dlm_do_local_bast
>   ocfs2_blocking_ast
>
> ocfs2_generic_handle_bast
> set 
> OCFS2_LOCK_BLOCKED flag
> dio_end_io
>  dio_bio_end_aio
>   dio_complete
>ocfs2_dio_end_io
> ocfs2_dio_end_io_write
>  ocfs2_inode_lock
>   __ocfs2_cluster_lock
>ocfs2_wait_for_mask
>-->waiting for OCFS2_LOCK_BLOCKED
>flag to be cleared, that is waiting
>for 'process 1' unlocking the inode lock
>inode_dio_end
>-->here dec the i_dio_count, but will never
>be called, so a deadlock happened.
> 
> Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com
> Signed-off-by: Alex Chen 
> Reviewed-by: Jun Piao 
> Reviewed-by: Joseph Qi 
> Acked-by: Changwei Ge 
> Cc: Mark Fasheh 
> Cc: Joel Becker 
> Cc: Junxiao Bi 
> Signed-off-by: Andrew Morton 
> Signed-off-by: Linus Torvalds 
> Signed-off-by: Ben Hutchings 
> ---
>  fs/ocfs2/file.c | 9 +++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> --- a/fs/ocfs2/file.c
> +++ b/fs/ocfs2/file.c
> @@ -1130,6 +1130,13 @@ int ocfs2_setattr(struct dentry *dentry,
>   dquot_initialize(inode);
>   size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE;
>   if (size_change) {
> + /*
> +  * Here we should wait dio to finish before inode lock
> +  * to avoid a deadlock between ocfs2_setattr() and
> +  * ocfs2_dio_end_io_write()
> +  */
> + inode_dio_wait(inode);
> +
>   status = ocfs2_rw_lock(inode, 1);
>   if (status < 0) {
>   mlog_errno(status);
> @@ -1149,8 +1156,6 @@ int ocfs2_setattr(struct dentry *dentry,
>   if (status)
>   goto bail_unlock;
>  
> - inode_dio_wait(inode);
> -
>   if (i_size_read(inode) >= attr->ia_size) {
>   if (ocfs2_should_order_data(inode)) {
>   status = ocfs2_begin_ordered_truncate(inode,
> 
> 
> .
> 



Re: [PATCH 09/31] x86/entry/32: Leave the kernel via trampoline stack

2018-02-10 Thread Linus Torvalds
On Sat, Feb 10, 2018 at 7:26 AM, David Laight  wrote:
>
> The alignment doesn't matter, 'rep movsl' will still work.

.. no it won't. It might not copy the last two bytes or whatever,
because the shift of the count will have ignored the low bits.

But since an unaligned stack pointer really shouldn't be an issue,
it's fine to not care.

>> Indeed, "rep movs" has some setup overhead that makes it undesirable
>> for small sizes. In my testing, moving less than 128 bytes with "rep movs"
>> is a loss.
>
> It very much depends on the cpu.

No again.

It does NOT depend on the CPU, since the only CPU's that are relevant
to this patch are the ones that don't do 64-bit. If you run a 32-bit
Linux on a 64-bit CPU, performance simply isn't an issue. The problem
is between keyboard and chair, not in the kernel.

And absolutely *no* 32-bit-only CPU does "rep movs" really well.  Some
of them do it even worse than others (P4), but none of them do a great
job.

That said, none of them should do _such_ a shitty job that this will
be in the least noticeable compared to all the crazy %cr3 stuff.

Linus


[PATCH 1/2] gpio: omap: Delete an error message for a failed memory allocation in omap_gpio_probe()

2018-02-10 Thread SF Markus Elfring
From: Markus Elfring 
Date: Sat, 10 Feb 2018 21:46:30 +0100

Omit an extra message for a memory allocation failure in this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring 
---
 drivers/gpio/gpio-omap.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
index ab5035b96886..4db6f13fa133 100644
--- a/drivers/gpio/gpio-omap.c
+++ b/drivers/gpio/gpio-omap.c
@@ -1158,10 +1158,8 @@ static int omap_gpio_probe(struct platform_device *pdev)
return -EINVAL;
 
bank = devm_kzalloc(dev, sizeof(struct gpio_bank), GFP_KERNEL);
-   if (!bank) {
-   dev_err(dev, "Memory alloc failed\n");
+   if (!bank)
return -ENOMEM;
-   }
 
irqc = devm_kzalloc(dev, sizeof(*irqc), GFP_KERNEL);
if (!irqc)
-- 
2.16.1



Re: [PATCH] x86_64: trim clear_page.S includes

2018-02-10 Thread Borislav Petkov
On Sat, Jan 13, 2018 at 10:06:48PM +0300, Alexey Dobriyan wrote:
> After alternatives were shifted to the call site, only 2 headers are
> necessary.
> 
> Signed-off-by: Alexey Dobriyan 
> ---
> 
>  arch/x86/lib/clear_page_64.S |2 --
>  1 file changed, 2 deletions(-)
> 
> --- a/arch/x86/lib/clear_page_64.S
> +++ b/arch/x86/lib/clear_page_64.S
> @@ -1,6 +1,4 @@
>  #include 
> -#include 
> -#include 
>  #include 
>  
>  /*

Reviewed-by: Borislav Petkov 

-- 
Regards/Gruss,
Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 
(AG Nürnberg)
-- 


[PATCH] gpio-ml-ioh: Delete an error message for a failed memory allocation in ioh_gpio_probe()

2018-02-10 Thread SF Markus Elfring
From: Markus Elfring 
Date: Sat, 10 Feb 2018 22:27:15 +0100

Omit an extra message for a memory allocation failure in this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring 
---
 drivers/gpio/gpio-ml-ioh.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/gpio/gpio-ml-ioh.c b/drivers/gpio/gpio-ml-ioh.c
index 4b80e996d976..b3678bd1c120 100644
--- a/drivers/gpio/gpio-ml-ioh.c
+++ b/drivers/gpio/gpio-ml-ioh.c
@@ -445,7 +445,6 @@ static int ioh_gpio_probe(struct pci_dev *pdev,
 
chip_save = kzalloc(sizeof(*chip) * 8, GFP_KERNEL);
if (chip_save == NULL) {
-   dev_err(>dev, "%s : kzalloc failed", __func__);
ret = -ENOMEM;
goto err_kzalloc;
}
-- 
2.16.1



Re: [PATCH] MAINTAINERS: auxdisplay: remove obsolete webpages

2018-02-10 Thread Joe Perches
On Sat, 2018-02-10 at 09:32 -0800, Randy Dunlap wrote:
> On 02/10/2018 01:56 AM, Miguel Ojeda wrote:
> > Cc: Randy Dunlap 
> > Signed-off-by: Miguel Ojeda 
> 
> Acked-by: Randy Dunlap 
> 
> Are you merging this directly to Linus?  or what?

A generic negative of these removals, even for ancient
drivers that may or may not work anymore, is that the
old links may still be found on things like the
wayback machine/archive.org.

Miguel, do you have a copy of this link source?

If you do, should it be introduced as a .rst into
Documentation/ somewhere?

> Thanks.
> 
> > ---
> >  MAINTAINERS | 8 
> >  1 file changed, 8 deletions(-)
> > 
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index e6c26cb47d02..01e302f7967e 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -2484,8 +2484,6 @@ F:kernel/audit*
> >  
> >  AUXILIARY DISPLAY DRIVERS
> >  M: Miguel Ojeda Sandonis 
> > -W: http://miguelojeda.es/auxdisplay.htm
> > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm
> >  S: Maintained
> >  F: drivers/auxdisplay/
> >  F: include/linux/cfag12864b.h
> > @@ -3373,16 +3371,12 @@ F:  include/linux/usb/wusb*
> >  
> >  CFAG12864B LCD DRIVER
> >  M: Miguel Ojeda Sandonis 
> > -W: http://miguelojeda.es/auxdisplay.htm
> > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm
> >  S: Maintained
> >  F: drivers/auxdisplay/cfag12864b.c
> >  F: include/linux/cfag12864b.h

Another suggestion would be to move
"include/linux/cfag12864b.h" into drivers/auxdisplay

> >  CFAG12864BFB LCD FRAMEBUFFER DRIVER
> >  M: Miguel Ojeda Sandonis 
> > -W: http://miguelojeda.es/auxdisplay.htm
> > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm
> >  S: Maintained
> >  F: drivers/auxdisplay/cfag12864bfb.c
> >  F: include/linux/cfag12864b.h
> > @@ -7866,8 +7860,6 @@ F:kernel/kprobes.c
> >  
> >  KS0108 LCD CONTROLLER DRIVER
> >  M: Miguel Ojeda Sandonis 
> > -W: http://miguelojeda.es/auxdisplay.htm
> > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm
> >  S: Maintained
> >  F: Documentation/auxdisplay/ks0108
> >  F: drivers/auxdisplay/ks0108.c
> > 
> 
> 


Re: [PATCH] f2fs: set_code_data in move_data_block

2018-02-10 Thread Yunlong Song

Ping...

move_data_block misses set_cold_data, so F2FS_WB_CP_DATA will
lack these data pages from move_data_block, and write_checkpoint cannot
make sure these pages are committed to the flash.

On 2018/2/8 20:33, Yunlong Song wrote:

Signed-off-by: Yunlong Song 
---
  fs/f2fs/gc.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index b9d93fd..2095630 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -692,6 +692,7 @@ static void move_data_block(struct inode *inode, block_t 
bidx,
fio.op = REQ_OP_WRITE;
fio.op_flags = REQ_SYNC;
fio.new_blkaddr = newaddr;
+   set_cold_data(fio.page);
err = f2fs_submit_page_write();
if (err) {
if (PageWriteback(fio.encrypted_page))
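Review bot: `set_cold_data()` is applied to `fio.page`, but the error path right after the submit checks `PageWriteback(fio.encrypted_page)`, so it is not clear from the hunk that the page whose classification changes is the one actually submitted for writeback. That should be confirmed against where the F2FS_WB_CP_DATA accounting is taken. The patch itself has an empty changelog; the reasoning from the follow-up mail belongs in the commit message and in a short comment above the call, e.g. `/* count this write as checkpoint-guaranteed data */`. move_data_block starts and ends outside the hunk.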



--
Thanks,
Yunlong Song



[PATCH 3.16 035/136] l2tp: protect sock pointer of struct pppol2tp_session with RCU

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741 upstream.

pppol2tp_session_create() registers sessions that can't have their
corresponding socket initialised. This socket has to be created by
userspace, then connected to the session by pppol2tp_connect().
Therefore, we need to protect the pppol2tp socket pointer of L2TP
sessions, so that it can safely be updated when userspace is connecting
or closing the socket. This will eventually allow pppol2tp_connect()
to avoid generating transient states while initialising its parts of the
session.

To this end, this patch protects the pppol2tp socket pointer using RCU.

The pppol2tp socket pointer is still set in pppol2tp_connect(), but
only once we know the function isn't going to fail. It's eventually
reset by pppol2tp_release(), which now has to wait for a grace period
to elapse before it can drop the last reference on the socket. This
ensures that pppol2tp_session_get_sock() can safely grab a reference
on the socket, even after ps->sk is reset to NULL but before this
operation actually gets visible from pppol2tp_session_get_sock().

The rest is standard RCU conversion: pppol2tp_recv(), which already
runs in atomic context, is simply enclosed by rcu_read_lock() and
rcu_read_unlock(), while other functions are converted to use
pppol2tp_session_get_sock() followed by sock_put().
pppol2tp_session_setsockopt() is a special case. It used to retrieve
the pppol2tp socket from the L2TP session, which itself was retrieved
from the pppol2tp socket. Therefore we can just avoid dereferencing
ps->sk and directly use the original socket pointer instead.

With all users of ps->sk now handling NULL and concurrent updates, the
L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore,
rather than converting pppol2tp_session_sock_hold() and
pppol2tp_session_sock_put(), we can just drop them.

Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_ppp.c | 154 ++--
 1 file changed, 101 insertions(+), 53 deletions(-)

--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -122,8 +122,11 @@
 struct pppol2tp_session {
int owner;  /* pid that opened the socket */
 
-   struct sock *sock;  /* Pointer to the session
+   struct mutexsk_lock;/* Protects .sk */
+   struct sock __rcu   *sk;/* Pointer to the session
 * PPPoX socket */
+   struct sock *__sk;  /* Copy of .sk, for cleanup */
+   struct rcu_head rcu;/* For asynchronous release */
struct sock *tunnel_sock;   /* Pointer to the tunnel UDP
 * socket */
int flags;  /* accessed by PPPIOCGFLAGS.
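Review bot: The comment on `sk_lock` says only `Protects .sk`, yet `sk` is also annotated `__rcu` and the readers added further down in this patch take `rcu_read_lock()` rather than the mutex, so the locking rule is ambiguous as written. Spelling it out on the field would help, e.g. `/* Serialises writers of .sk; readers use RCU */`. The `__sk` comment could likewise say who reads the copy and when; the changelog suggests the release path after a grace period, but that code is not in this hunk. The struct continues outside the hunk.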
@@ -138,6 +141,24 @@ static const struct ppp_channel_ops pppo
 
 static const struct proto_ops pppol2tp_ops;
 
+/* Retrieves the pppol2tp socket associated to a session.
+ * A reference is held on the returned socket, so this function must be paired
+ * with sock_put().
+ */
+static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session)
+{
+   struct pppol2tp_session *ps = l2tp_session_priv(session);
+   struct sock *sk;
+
+   rcu_read_lock();
+   sk = rcu_dereference(ps->sk);
+   if (sk)
+   sock_hold(sk);
+   rcu_read_unlock();
+
+   return sk;
+}
+
 /* Helpers to obtain tunnel/session contexts from sockets.
  */
 static inline struct l2tp_session *pppol2tp_sock_to_session(struct sock *sk)
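Review bot: The header comment of `pppol2tp_session_get_sock()` says the call must be paired with `sock_put()` but does not say that the function can return NULL, which the `if (sk)` test makes possible. A caller following the comment literally would hand NULL to `sock_put()`. Adding `Returns NULL if the session has no socket attached; only call sock_put() on a non-NULL result.` to the comment makes the contract explicit.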
@@ -225,7 +246,8 @@ static void pppol2tp_recv(struct l2tp_se
/* If the socket is bound, send it in to PPP's input queue. Otherwise
 * queue it on the session socket.
 */
-   sk = ps->sock;
+   rcu_read_lock();
+   sk = rcu_dereference(ps->sk);
if (sk == NULL)
goto no_sock;
 
@@ -263,30 +285,16 @@ static void pppol2tp_recv(struct l2tp_se
kfree_skb(skb);
}
}
+   rcu_read_unlock();
 
return;
 
 no_sock:
+   rcu_read_unlock();
l2tp_info(session, PPPOL2TP_MSG_DATA, "%s: no socket\n", session->name);
kfree_skb(skb);
 }
 
-static void pppol2tp_session_sock_hold(struct l2tp_session *session)
-{
-   struct pppol2tp_session *ps = l2tp_session_priv(session);
-
-   if (ps->sock)
-   sock_hold(ps->sock);
-}
-
-static void pppol2tp_session_sock_put(struct l2tp_session *session)
-{
-   struct pppol2tp_session *ps = l2tp_session_priv(session);
-
-   if (ps->sock)
-   sock_put(ps->sock);
-}
-
 

[PATCH 3.16 046/136] drm/radeon: fix atombios on big endian

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Roman Kapl 

commit 4f626a4ac8f57ddabf06d03870adab91e463217f upstream.

The function for byteswapping the data sent to/from atombios was buggy for
num_bytes not divisible by four. The function must be aware of the fact
that after byte-swapping the u32 units, valid bytes might end up after the
num_bytes boundary.

This patch was tested on kernel 3.12 and allowed us to successfully use
DisplayPort on a Radeon SI card. Namely it fixed the link training and
EDID readout.

The function is patched both in radeon and amd drivers, since the functions
and the fixes are identical.

Signed-off-by: Roman Kapl 
Signed-off-by: Alex Deucher 
[bwh: Backported to 3.16: drop changes in amdgpu]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/gpu/drm/radeon/atombios_dp.c
+++ b/drivers/gpu/drm/radeon/atombios_dp.c
@@ -45,34 +45,32 @@ static char *pre_emph_names[] = {
 
 /* radeon AUX functions */
 
-/* Atom needs data in little endian format
- * so swap as appropriate when copying data to
- * or from atom. Note that atom operates on
- * dw units.
+/* Atom needs data in little endian format so swap as appropriate when copying
+ * data to or from atom. Note that atom operates on dw units.
+ *
+ * Use to_le=true when sending data to atom and provide at least
+ * ALIGN(num_bytes,4) bytes in the dst buffer.
+ *
+ * Use to_le=false when receiving data from atom and provide ALIGN(num_bytes,4)
+ * byes in the src buffer.
  */
 void radeon_atom_copy_swap(u8 *dst, u8 *src, u8 num_bytes, bool to_le)
 {
 #ifdef __BIG_ENDIAN
-   u8 src_tmp[20], dst_tmp[20]; /* used for byteswapping */
-   u32 *dst32, *src32;
+   u32 src_tmp[5], dst_tmp[5];
int i;
+   u8 align_num_bytes = ALIGN(num_bytes, 4);
 
-   memcpy(src_tmp, src, num_bytes);
-   src32 = (u32 *)src_tmp;
-   dst32 = (u32 *)dst_tmp;
if (to_le) {
-   for (i = 0; i < ((num_bytes + 3) / 4); i++)
-   dst32[i] = cpu_to_le32(src32[i]);
-   memcpy(dst, dst_tmp, num_bytes);
+   memcpy(src_tmp, src, num_bytes);
+   for (i = 0; i < align_num_bytes / 4; i++)
+   dst_tmp[i] = cpu_to_le32(src_tmp[i]);
+   memcpy(dst, dst_tmp, align_num_bytes);
} else {
-   u8 dws = num_bytes & ~3;
-   for (i = 0; i < ((num_bytes + 3) / 4); i++)
-   dst32[i] = le32_to_cpu(src32[i]);
-   memcpy(dst, dst_tmp, dws);
-   if (num_bytes % 4) {
-   for (i = 0; i < (num_bytes % 4); i++)
-   dst[dws+i] = dst_tmp[dws+i];
-   }
+   memcpy(src_tmp, src, align_num_bytes);
+   for (i = 0; i < align_num_bytes / 4; i++)
+   dst_tmp[i] = le32_to_cpu(src_tmp[i]);
+   memcpy(dst, dst_tmp, num_bytes);
}
 #else
memcpy(dst, src, num_bytes);
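Review bot: Nothing in `radeon_atom_copy_swap()` checks `num_bytes` against the 20-byte `src_tmp`/`dst_tmp` arrays, and the new code copies `ALIGN(num_bytes, 4)` bytes through them in both directions, so a caller passing more than 20 overruns the stack buffers; `align_num_bytes` is also a `u8` and wraps to 0 once `num_bytes` exceeds 252. A guard at the top of the `__BIG_ENDIAN` branch, `if (WARN_ON(num_bytes > sizeof(src_tmp))) return;`, would make the limit explicit. In the `to_le` path only `num_bytes` bytes of `src_tmp` are filled before whole dwords are swapped and written out, so the padding bytes handed to atom are uninitialised stack; declaring `u32 src_tmp[5] = { 0 }` avoids that. The new header comment also has a typo (`byes`). The function ends outside the hunk.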



[PATCH 3.16 031/136] mtd: nand: omap2: Fix subpage write

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Roger Quadros 

commit 739c64414f01748a36e7d82c8e0611dea94412bd upstream.

Since v4.12, NAND subpage writes were causing a NULL pointer
dereference on OMAP platforms (omap2-nand) using OMAP_ECC_BCH4_CODE_HW,
OMAP_ECC_BCH8_CODE_HW and OMAP_ECC_BCH16_CODE_HW.

This is because for those ECC modes, omap_calculate_ecc_bch()
generates ECC bytes for the entire (multi-sector) page and this can
overflow the ECC buffer provided by nand_write_subpage_hwecc()
as it expects ecc.calculate() to return ECC bytes for just one sector.

However, the root cause of the problem is present since v3.9
but was not seen then as NAND buffers were being allocated
as one big chunk prior to commit 3deb9979c731 ("mtd: nand: allocate
aligned buffers if NAND_OWN_BUFFERS is unset").

Fix the issue by providing a OMAP optimized write_subpage()
implementation.

Fixes: 62116e5171e0 ("mtd: nand: omap2: Support for hardware BCH error 
correction.")
Signed-off-by: Roger Quadros 
Signed-off-by: Boris Brezillon 
[bwh: Backported to 3.16:
 - Open-code mtd_to_omap()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/mtd/nand/omap2.c
+++ b/drivers/mtd/nand/omap2.c
@@ -1163,130 +1163,174 @@ static u8  bch8_polynomial[] = {0xef, 0x
0x97, 0x79, 0xe5, 0x24, 0xb5};
 
 /**
- * omap_calculate_ecc_bch - Generate bytes of ECC bytes
+ * _omap_calculate_ecc_bch - Generate ECC bytes for one sector
  * @mtd:   MTD device structure
  * @dat:   The pointer to data on which ecc is computed
  * @ecc_code:  The ecc_code buffer
+ * @i: The sector number (for a multi sector page)
  *
- * Support calculating of BCH4/8 ecc vectors for the page
+ * Support calculating of BCH4/8/16 ECC vectors for one sector
+ * within a page. Sector number is in @i.
  */
-static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd,
-   const u_char *dat, u_char *ecc_calc)
+static int _omap_calculate_ecc_bch(struct mtd_info *mtd,
+  const u_char *dat, u_char *ecc_calc, int i)
 {
struct omap_nand_info *info = container_of(mtd, struct omap_nand_info,
   mtd);
int eccbytes= info->nand.ecc.bytes;
struct gpmc_nand_regs   *gpmc_regs = >reg;
u8 *ecc_code;
-   unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4;
+   unsigned long bch_val1, bch_val2, bch_val3, bch_val4;
u32 val;
-   int i, j;
+   int j;
+
+   ecc_code = ecc_calc;
+   switch (info->ecc_opt) {
+   case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
+   case OMAP_ECC_BCH8_CODE_HW:
+   bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+   bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+   bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
+   bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
+   *ecc_code++ = (bch_val4 & 0xFF);
+   *ecc_code++ = ((bch_val3 >> 24) & 0xFF);
+   *ecc_code++ = ((bch_val3 >> 16) & 0xFF);
+   *ecc_code++ = ((bch_val3 >> 8) & 0xFF);
+   *ecc_code++ = (bch_val3 & 0xFF);
+   *ecc_code++ = ((bch_val2 >> 24) & 0xFF);
+   *ecc_code++ = ((bch_val2 >> 16) & 0xFF);
+   *ecc_code++ = ((bch_val2 >> 8) & 0xFF);
+   *ecc_code++ = (bch_val2 & 0xFF);
+   *ecc_code++ = ((bch_val1 >> 24) & 0xFF);
+   *ecc_code++ = ((bch_val1 >> 16) & 0xFF);
+   *ecc_code++ = ((bch_val1 >> 8) & 0xFF);
+   *ecc_code++ = (bch_val1 & 0xFF);
+   break;
+   case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
+   case OMAP_ECC_BCH4_CODE_HW:
+   bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
+   bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
+   *ecc_code++ = ((bch_val2 >> 12) & 0xFF);
+   *ecc_code++ = ((bch_val2 >> 4) & 0xFF);
+   *ecc_code++ = ((bch_val2 & 0xF) << 4) |
+   ((bch_val1 >> 28) & 0xF);
+   *ecc_code++ = ((bch_val1 >> 20) & 0xFF);
+   *ecc_code++ = ((bch_val1 >> 12) & 0xFF);
+   *ecc_code++ = ((bch_val1 >> 4) & 0xFF);
+   *ecc_code++ = ((bch_val1 & 0xF) << 4);
+   break;
+   case OMAP_ECC_BCH16_CODE_HW:
+   val = readl(gpmc_regs->gpmc_bch_result6[i]);
+   ecc_code[0]  = ((val >>  8) & 0xFF);
+   ecc_code[1]  = ((val >>  0) & 0xFF);
+   val = readl(gpmc_regs->gpmc_bch_result5[i]);
+   ecc_code[2]  = ((val >> 24) & 0xFF);
+   ecc_code[3]  = ((val >> 16) & 0xFF);
+   ecc_code[4]  = ((val >>  8) & 0xFF);
+   ecc_code[5]  = ((val >>  0) & 

[PATCH 3.16 029/136] net: bcmgenet: enable loopback during UniMAC sw_reset

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Doug Berger 

commit 28c2d1a7a0bfdf3617800d2beae1c67983c03d15 upstream.

It is necessary for the UniMAC to be clocked at least 5 cycles
while the sw_reset is asserted to ensure a clean reset.

It was discovered that this condition was not being met when
connected to an external RGMII PHY that disabled the Rx clock in
the Power Save state.

This commit modifies the reset_umac function to place the (RG)MII
interface into a local loopback mode where the Rx clock comes
from the GENET sourced Tx clk during the sw_reset to ensure the
presence and stability of the clock.

In addition, it turns out that the sw_reset of the UniMAC is not
self clearing, but this was masked by a bug in the timeout code.

The sw_reset is now explicitly cleared by zeroing the UMAC_CMD
register before returning from reset_umac which makes it no
longer necessary to do so in init_umac and makes the clearing of
CMD_TX_EN and CMD_RX_EN by umac_enable_set redundant. The
timeout code (and its associated bug) are removed so reset_umac
no longer needs to return a result, and that means init_umac
that calls reset_umac does not need to as well.

Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Signed-off-by: Doug Berger 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16:
 - Update call to init_umac() in bcmgenet_wol_resume()
 - Drop changes in bcmgenet_resume()
 - Adjust context]
Signed-off-by: Ben Hutchings 
---
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -1509,12 +1509,8 @@ static void bcmgenet_free_rx_buffers(str
}
 }
 
-static int reset_umac(struct bcmgenet_priv *priv)
+static void reset_umac(struct bcmgenet_priv *priv)
 {
-   struct device *kdev = >pdev->dev;
-   unsigned int timeout = 0;
-   u32 reg;
-
/* 7358a0/7552a0: bad default in RBUF_FLUSH_CTRL.umac_sw_rst */
bcmgenet_rbuf_ctrl_set(priv, 0);
udelay(10);
@@ -1522,38 +1518,21 @@ static int reset_umac(struct bcmgenet_pr
/* disable MAC while updating its registers */
bcmgenet_umac_writel(priv, 0, UMAC_CMD);
 
-   /* issue soft reset, wait for it to complete */
-   bcmgenet_umac_writel(priv, CMD_SW_RESET, UMAC_CMD);
-   while (timeout++ < 1000) {
-   reg = bcmgenet_umac_readl(priv, UMAC_CMD);
-   if (!(reg & CMD_SW_RESET))
-   return 0;
-
-   udelay(1);
-   }
-
-   if (timeout == 1000) {
-   dev_err(kdev,
-   "timeout waiting for MAC to come out of resetn\n");
-   return -ETIMEDOUT;
-   }
-
-   return 0;
+   /* issue soft reset with (rg)mii loopback to ensure a stable rxclk */
+   bcmgenet_umac_writel(priv, CMD_SW_RESET | CMD_LCL_LOOP_EN, UMAC_CMD);
+   udelay(2);
+   bcmgenet_umac_writel(priv, 0, UMAC_CMD);
 }
 
-static int init_umac(struct bcmgenet_priv *priv)
+static void init_umac(struct bcmgenet_priv *priv)
 {
struct device *kdev = >pdev->dev;
-   int ret;
u32 reg, cpu_mask_clear;
 
dev_dbg(>pdev->dev, "bcmgenet: init_umac\n");
 
-   ret = reset_umac(priv);
-   if (ret)
-   return ret;
+   reset_umac(priv);
 
-   bcmgenet_umac_writel(priv, 0, UMAC_CMD);
/* clear tx/rx counter */
bcmgenet_umac_writel(priv,
MIB_RESET_RX | MIB_RESET_TX | MIB_RESET_RUNT, UMAC_MIB_CTRL);
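Review bot: The `udelay(2)` in the new reset sequence is an unexplained constant: the changelog requires at least five UniMAC clock cycles with sw_reset asserted, but the code does not say which clock rate the 2 µs was sized for. A comment such as `/* sw_reset must be held for >= 5 UniMAC clocks; 2us covers that at <slowest clock rate> */` would let a reader check the margin. With the timeout loop removed, nothing reports a reset that did not take effect, so this delay is now the only guarantee. reset_umac begins in the previous hunk.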
@@ -1604,8 +1583,6 @@ static int init_umac(struct bcmgenet_pri
 
/* Enable rx/tx engine.*/
dev_dbg(kdev, "done init umac\n");
-
-   return 0;
 }
 
 /* Initialize all house-keeping variables for a TX ring, along
@@ -1994,14 +1971,10 @@ static void bcmgenet_set_hw_addr(struct
 
 static int bcmgenet_wol_resume(struct bcmgenet_priv *priv)
 {
-   int ret;
-
/* From WOL-enabled suspend, switch to regular clock */
clk_disable(priv->clk_wol);
/* init umac registers to synchronize s/w with h/w */
-   ret = init_umac(priv);
-   if (ret)
-   return ret;
+   init_umac(priv);
 
phy_init_hw(priv->phydev);
/* Speed settings must be restored */
@@ -2062,14 +2035,7 @@ static int bcmgenet_open(struct net_devi
/* take MAC out of reset */
bcmgenet_umac_reset(priv);
 
-   ret = init_umac(priv);
-   if (ret)
-   goto err_clk_disable;
-
-   /* disable ethernet MAC while updating its registers */
-   reg = bcmgenet_umac_readl(priv, UMAC_CMD);
-   reg &= ~(CMD_TX_EN | CMD_RX_EN);
-   bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+   init_umac(priv);
 
bcmgenet_set_hw_addr(priv, dev->dev_addr);
 
@@ -2603,9 +2569,7 @@ static int bcmgenet_probe(struct platfor
!strcasecmp(phy_mode_str, "internal"))
bcmgenet_power_up(priv, 

[PATCH 3.16 033/136] l2tp: don't register sessions in l2tp_session_create()

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guillaume Nault 

commit 3953ae7b218df4d1e544b98a393666f9ae58a78c upstream.

Sessions created by l2tp_session_create() aren't fully initialised:
some pseudo-wire specific operations need to be done before making the
session usable. Therefore the PPP and Ethernet pseudo-wires continue
working on the returned l2tp session while it's already been exposed to
the rest of the system.
This can lead to various issues. In particular, the session may enter
the deletion process before having been fully initialised, which will
confuse the session removal code.

This patch moves session registration out of l2tp_session_create(), so
that callers can control when the session is exposed to the rest of the
system. This is done by the new l2tp_session_register() function.

Only pppol2tp_session_create() can be easily converted to avoid
modifying its session after registration (the debug message is dropped
in order to avoid the need for holding a reference on the session).

For pppol2tp_connect() and l2tp_eth_create(), more work is needed.
That'll be done in followup patches. For now, let's just register the
session right after its creation, like it was done before. The only
difference is that we can easily take a reference on the session before
registering it, so, at least, we're sure it's not going to be freed
while we're working on it.

Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 net/l2tp/l2tp_core.c | 21 +++--
 net/l2tp/l2tp_core.h |  3 +++
 net/l2tp/l2tp_eth.c  |  9 +
 net/l2tp/l2tp_ppp.c  | 23 +--
 4 files changed, 36 insertions(+), 20 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -370,8 +370,8 @@ struct l2tp_session *l2tp_session_get_by
 }
 EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
 
-static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
- struct l2tp_session *session)
+int l2tp_session_register(struct l2tp_session *session,
+ struct l2tp_tunnel *tunnel)
 {
struct l2tp_session *session_walk;
struct hlist_head *g_head;
@@ -419,6 +419,10 @@ static int l2tp_session_add_to_tunnel(st
hlist_add_head(>hlist, head);
write_unlock_bh(>hlist_lock);
 
+   /* Ignore management session in session count value */
+   if (session->session_id != 0)
+   atomic_inc(_session_count);
+
return 0;
 
 err_tlock_pnlock:
@@ -428,6 +432,7 @@ err_tlock:
 
return err;
 }
+EXPORT_SYMBOL_GPL(l2tp_session_register);
 
 /* Lookup a tunnel by id
  */
@@ -1868,7 +1873,6 @@ EXPORT_SYMBOL_GPL(l2tp_session_set_heade
 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel 
*tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
 {
struct l2tp_session *session;
-   int err;
 
session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
if (session != NULL) {
@@ -1926,17 +1930,6 @@ struct l2tp_session *l2tp_session_create
 
l2tp_session_inc_refcount(session);
 
-   err = l2tp_session_add_to_tunnel(tunnel, session);
-   if (err) {
-   kfree(session);
-
-   return ERR_PTR(err);
-   }
-
-   /* Ignore management session in session count value */
-   if (session->session_id != 0)
-   atomic_inc(_session_count);
-
return session;
}
 
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -274,6 +274,9 @@ struct l2tp_session *l2tp_session_create
 struct l2tp_tunnel *tunnel,
 u32 session_id, u32 peer_session_id,
 struct l2tp_session_cfg *cfg);
+int l2tp_session_register(struct l2tp_session *session,
+ struct l2tp_tunnel *tunnel);
+
 void __l2tp_session_unhash(struct l2tp_session *session);
 int l2tp_session_delete(struct l2tp_session *session);
 void l2tp_session_free(struct l2tp_session *session);
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -217,6 +217,13 @@ static int l2tp_eth_create(struct net *n
goto out;
}
 
+   l2tp_session_inc_refcount(session);
+   rc = l2tp_session_register(session, tunnel);
+   if (rc < 0) {
+   kfree(session);
+   goto out;
+   }
+
dev = alloc_netdev(sizeof(*priv), name, l2tp_eth_dev_setup);
if (!dev) {
rc = -ENOMEM;
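Review bot: The failure path after `l2tp_session_register()` frees the session with a bare `kfree(session)` although a reference was taken on it two lines earlier. That is only safe if no other context can hold the pointer yet and `l2tp_session_create()` acquired nothing else that needs releasing; neither is visible in this hunk. A comment on that line would record the assumption, for example `/* never registered: no other user can hold a reference, plain kfree is enough */`. l2tp_eth_create() starts and ends outside this hunk, so where the extra reference is dropped on the success path cannot be checked from here.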
@@ -250,6 +257,7 @@ static int l2tp_eth_create(struct net *n
__module_get(THIS_MODULE);
/* Must be done after register_netdev() */
  

[PATCH 3.16 037/136] btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit 3993b112dac968612b0b213ed59cb30f50b0015b upstream.

There are checks on fs_info in __btrfs_panic to avoid dereferencing a
null fs_info, however, there is a call to btrfs_crit that may also
dereference a null fs_info. Fix this by adding a check to see if fs_info
is null and only print the s_id if fs_info is non-null.

Detected by CoverityScan CID#401973 ("Dereference after null check")

Fixes: efe120a067c8 ("Btrfs: convert printk to btrfs_ and fix BTRFS prefix")
Signed-off-by: Colin Ian King 
Reviewed-by: David Sterba 
Signed-off-by: David Sterba 
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings 
---
 fs/btrfs/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -185,7 +185,6 @@ static const char * const logtypes[] = {
 
 void btrfs_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...)
 {
-   struct super_block *sb = fs_info->sb;
char lvl[4];
struct va_format vaf;
va_list args;
@@ -207,7 +206,8 @@ void btrfs_printk(const struct btrfs_fs_
vaf.fmt = fmt;
vaf.va = 
 
-   printk("%sBTRFS %s (device %s): %pV\n", lvl, type, sb->s_id, );
+   printk("%sBTRFS %s (device %s): %pV\n", lvl, type,
+   fs_info ? fs_info->sb->s_id : "", );
 
va_end(args);
 }
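Review bot: btrfs_printk() now has to tolerate a NULL `fs_info`, but nothing at the definition says so. The lines between this patch's two hunks are not shown, so any other use of `fs_info` in that stretch would need the same guard. A comment above the function, such as `/* fs_info may be NULL (e.g. when called from __btrfs_panic()); never dereference it unguarded */`, would keep a later edit from reintroducing the dereference this patch removes.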



[PATCH 3.16 122/136] usbip: fix NULL pointer dereference on errors

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Alexander Popov 

commit 8c7003a3b4b4afd3734cdcc39217ef22d78a4a16 upstream.

Fix NULL pointer dereference and obsolete comments forgotten when
usbip server was converted from an interface driver to a device driver.

Signed-off-by: Alexander Popov 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings 
---
 drivers/staging/usbip/stub.h |  1 -
 drivers/staging/usbip/stub_dev.c |  4 ++--
 drivers/staging/usbip/stub_rx.c  | 19 +++
 drivers/staging/usbip/stub_tx.c  |  6 +++---
 4 files changed, 12 insertions(+), 18 deletions(-)

--- a/drivers/staging/usbip/stub.h
+++ b/drivers/staging/usbip/stub.h
@@ -33,7 +33,6 @@
 #define STUB_BUSID_ALLOC 3
 
 struct stub_device {
-   struct usb_interface *interface;
struct usb_device *udev;
 
struct usbip_device ud;
--- a/drivers/staging/usbip/stub_dev.c
+++ b/drivers/staging/usbip/stub_dev.c
@@ -246,7 +246,7 @@ static void stub_device_reset(struct usb
 
dev_dbg(>dev, "device reset");
 
-   ret = usb_lock_device_for_reset(udev, sdev->interface);
+   ret = usb_lock_device_for_reset(udev, NULL);
if (ret < 0) {
dev_err(>dev, "lock for reset\n");
spin_lock_irq(>lock);
@@ -279,7 +279,7 @@ static void stub_device_unusable(struct
 
 /**
  * stub_device_alloc - allocate a new stub_device struct
- * @interface: usb_interface of a new device
+ * @udev: usb_device of a new device
  *
  * Allocates and initializes a new stub_device struct.
  */
--- a/drivers/staging/usbip/stub_rx.c
+++ b/drivers/staging/usbip/stub_rx.c
@@ -165,12 +165,7 @@ static int tweak_reset_device_cmd(struct
 
dev_info(>dev->dev, "usb_queue_reset_device\n");
 
-   /*
-* With the implementation of pre_reset and post_reset the driver no
-* longer unbinds. This allows the use of synchronous reset.
-*/
-
-   if (usb_lock_device_for_reset(sdev->udev, sdev->interface) < 0) {
+   if (usb_lock_device_for_reset(sdev->udev, NULL) < 0) {
dev_err(>dev->dev, "could not obtain lock to reset 
device\n");
return 0;
}
@@ -321,7 +316,7 @@ static struct stub_priv *stub_priv_alloc
 
priv = kmem_cache_zalloc(stub_priv_cache, GFP_ATOMIC);
if (!priv) {
-   dev_err(>interface->dev, "alloc stub_priv\n");
+   dev_err(>udev->dev, "alloc stub_priv\n");
spin_unlock_irqrestore(>priv_lock, flags);
usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC);
return NULL;
@@ -352,7 +347,7 @@ static int get_pipe(struct stub_device *
else
ep = udev->ep_out[epnum & 0x7f];
if (!ep) {
-   dev_err(>interface->dev, "no such endpoint?, %d\n",
+   dev_err(>udev->dev, "no such endpoint?, %d\n",
epnum);
BUG();
}
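Review bot: The context around this logging change still indexes `udev->ep_out[]` with `epnum & 0x7f` and calls `BUG()` when the slot is empty. The mask allows values up to 127 while the endpoint arrays in struct usb_device have 16 entries, and patch 124/136 of this series shows `epnum` being taken from `pdu->base.ep`, i.e. from the received request. This patch is not meant to fix that, but the backport should not ship without the series' endpoint validation; the bounds check `if (epnum < 0 || epnum > 15)` appears as context in 124/136. get_pipe() starts and ends outside this hunk.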
@@ -387,7 +382,7 @@ static int get_pipe(struct stub_device *
}
 
/* NOT REACHED */
-   dev_err(>interface->dev, "get pipe, epnum %d\n", epnum);
+   dev_err(>udev->dev, "get pipe, epnum %d\n", epnum);
return 0;
 }
 
@@ -466,7 +461,7 @@ static void stub_recv_cmd_submit(struct
priv->urb = usb_alloc_urb(0, GFP_KERNEL);
 
if (!priv->urb) {
-   dev_err(>interface->dev, "malloc urb\n");
+   dev_err(>dev, "malloc urb\n");
usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC);
return;
}
@@ -486,7 +481,7 @@ static void stub_recv_cmd_submit(struct
priv->urb->setup_packet = kmemdup(>u.cmd_submit.setup, 8,
  GFP_KERNEL);
if (!priv->urb->setup_packet) {
-   dev_err(>interface->dev, "allocate setup_packet\n");
+   dev_err(>dev, "allocate setup_packet\n");
usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC);
return;
}
@@ -517,7 +512,7 @@ static void stub_recv_cmd_submit(struct
usbip_dbg_stub_rx("submit urb ok, seqnum %u\n",
  pdu->base.seqnum);
else {
-   dev_err(>interface->dev, "submit_urb error, %d\n", ret);
+   dev_err(>dev, "submit_urb error, %d\n", ret);
usbip_dump_header(pdu);
usbip_dump_urb(priv->urb);
 
--- a/drivers/staging/usbip/stub_tx.c
+++ b/drivers/staging/usbip/stub_tx.c
@@ -233,7 +233,7 @@ static int stub_send_ret_submit(struct s
}
 
if (txsize != sizeof(pdu_header) + urb->actual_length) {
-   dev_err(>interface->dev,
+   dev_err(>udev->dev,
"actual length of urb %d does not 

[PATCH 3.16 124/136] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Shuah Khan 

commit c6688ef9f29762e65bce325ef4acd6c675806366 upstream.

Harden CMD_SUBMIT path to handle malicious input that could trigger
large memory allocations. Add checks to validate transfer_buffer_length
and number_of_packets to protect against bad input requesting for
unbounded memory allocations. Validate early in get_pipe() and return
failure.

Reported-by: Secunia Research 
Signed-off-by: Shuah Khan 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings 
---
 drivers/staging/usbip/stub_rx.c | 35 +++
 1 file changed, 31 insertions(+), 4 deletions(-)

--- a/drivers/staging/usbip/stub_rx.c
+++ b/drivers/staging/usbip/stub_rx.c
@@ -336,11 +336,13 @@ static struct stub_priv *stub_priv_alloc
return priv;
 }
 
-static int get_pipe(struct stub_device *sdev, int epnum, int dir)
+static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
 {
struct usb_device *udev = sdev->udev;
struct usb_host_endpoint *ep;
struct usb_endpoint_descriptor *epd = NULL;
+   int epnum = pdu->base.ep;
+   int dir = pdu->base.direction;
 
if (epnum < 0 || epnum > 15)
goto err_ret;
@@ -353,6 +355,15 @@ static int get_pipe(struct stub_device *
goto err_ret;
 
epd = >desc;
+
+   /* validate transfer_buffer_length */
+   if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
+   dev_err(>udev->dev,
+   "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",
+   pdu->u.cmd_submit.transfer_buffer_length);
+   return -1;
+   }
+
if (usb_endpoint_xfer_control(epd)) {
if (dir == USBIP_DIR_OUT)
return usb_sndctrlpipe(udev, epnum);
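Review bot: The new `transfer_buffer_length > INT_MAX` test can never be true if that field is a signed 32-bit integer. The `%d` in the message below it and the `number_of_packets < 0` test later in this patch suggest it is, though the struct definition is not shown. A negative length would then pass this check, skip the allocation guarded by `> 0 && <= INT_MAX` in stub_recv_cmd_submit(), and turn into a very large unsigned `bytes` in the isochronous branch, which loosens the packet-count bound there. Rejecting the negative case explicitly would make the guard effective: `if (pdu->u.cmd_submit.transfer_buffer_length < 0 || pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {`. get_pipe() starts and ends outside this hunk.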
@@ -375,6 +386,21 @@ static int get_pipe(struct stub_device *
}
 
if (usb_endpoint_xfer_isoc(epd)) {
+   /* validate packet size and number of packets */
+   unsigned int maxp, packets, bytes;
+
+   maxp = usb_endpoint_maxp(epd);
+   maxp *= usb_endpoint_maxp_mult(epd);
+   bytes = pdu->u.cmd_submit.transfer_buffer_length;
+   packets = DIV_ROUND_UP(bytes, maxp);
+
+   if (pdu->u.cmd_submit.number_of_packets < 0 ||
+   pdu->u.cmd_submit.number_of_packets > packets) {
+   dev_err(>udev->dev,
+   "CMD_SUBMIT: isoc invalid num packets %d\n",
+   pdu->u.cmd_submit.number_of_packets);
+   return -1;
+   }
if (dir == USBIP_DIR_OUT)
return usb_sndisocpipe(udev, epnum);
else
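Review bot: `DIV_ROUND_UP(bytes, maxp)` uses `maxp` as a divisor without checking it for zero. If the attached device's isochronous endpoint descriptor reports a maximum packet size of 0 (not excluded by anything visible here), this is a division by zero on the request-receive path. A guard before the division, `if (!maxp) return -1;`, preceded by a `dev_err()` in the style of the neighbouring checks, would close it. The enclosing get_pipe() body continues outside this hunk.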
@@ -383,7 +409,7 @@ static int get_pipe(struct stub_device *
 
 err_ret:
/* NOT REACHED */
-   dev_err(>udev->dev, "get pipe() invalid epnum %d\n", epnum);
+   dev_err(>udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum);
return -1;
 }
 
@@ -448,7 +474,7 @@ static void stub_recv_cmd_submit(struct
struct stub_priv *priv;
struct usbip_device *ud = >ud;
struct usb_device *udev = sdev->udev;
-   int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction);
+   int pipe = get_pipe(sdev, pdu);
 
if (pipe == -1)
return;
@@ -471,7 +497,8 @@ static void stub_recv_cmd_submit(struct
}
 
/* allocate urb transfer buffer, if needed */
-   if (pdu->u.cmd_submit.transfer_buffer_length > 0) {
+   if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
+   pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
priv->urb->transfer_buffer =
kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
GFP_KERNEL);



[PATCH 3.16 111/136] igbvf: Use smp_rmb rather than read_barrier_depends

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Brian King 

commit 1e1f9ca546556e508d021545861f6b5fc75a95fe upstream.

The original issue being fixed in this patch was seen with the ixgbe
driver, but the same issue exists with igbvf as well, as the code is
very similar. read_barrier_depends is not sufficient to ensure
loads following it are not speculatively loaded out of order
by the CPU, which can result in stale data being loaded, causing
potential system crashes.

Signed-off-by: Brian King 
Acked-by: Jesse Brandeburg 
Tested-by: Aaron Brown 
Signed-off-by: Jeff Kirsher 
Signed-off-by: Ben Hutchings 
---
 drivers/net/ethernet/intel/igbvf/netdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/intel/igbvf/netdev.c
+++ b/drivers/net/ethernet/intel/igbvf/netdev.c
@@ -808,7 +808,7 @@ static bool igbvf_clean_tx_irq(struct ig
break;
 
/* prevent any other reads prior to eop_desc */
-   read_barrier_depends();
+   smp_rmb();
 
/* if DD is not set pending work has not been completed */
if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD)))



[PATCH 3.16 106/136] ALSA: usb-audio: Fix potential zero-division at parsing FU

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream.

parse_audio_feature_unit() contains code that may divide by zero
when a malformed FU descriptor is passed.  Although there is
already a sanity check, it rejects only the value zero, hence a
value of 1 passed there can still lead to a zero-division.

Fix it by correcting the sanity check (and the error message
thereof).

Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
Signed-off-by: Takashi Iwai 
Signed-off-by: Ben Hutchings 
---
 sound/usb/mixer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1385,9 +1385,9 @@ static int parse_audio_feature_unit(stru
return -EINVAL;
}
csize = hdr->bControlSize;
-   if (!csize) {
+   if (csize <= 1) {
usb_audio_dbg(state->chip,
- "unit %u: invalid bControlSize == 0\n",
+ "unit %u: invalid bControlSize <= 1\n",
  unitid);
return -EINVAL;
}



[PATCH 3.16 105/136] ALSA: usb-audio: Fix potential out-of-bound access at parsing SU

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream.

The usb-audio driver may trigger an out-of-bound access at parsing a
malformed selector unit, as it checks the header length only after
evaluating bNrInPins field, which can be already above the given
length.  Fix it by adding the length check beforehand.

Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs")
Signed-off-by: Takashi Iwai 
Signed-off-by: Ben Hutchings 
---
 sound/usb/mixer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2020,7 +2020,8 @@ static int parse_audio_selector_unit(str
const struct usbmix_name_map *map;
char **namelist;
 
-   if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
+   if (desc->bLength < 5 || !desc->bNrInPins ||
+   desc->bLength < 5 + desc->bNrInPins) {
usb_audio_err(state->chip,
"invalid SELECTOR UNIT descriptor %d\n", unitid);
return -EINVAL;



[PATCH 3.16 109/136] i40e: Use smp_rmb rather than read_barrier_depends

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Brian King 

commit 52c6912fde0133981ee50ba08808f257829c4c93 upstream.

The original issue being fixed in this patch was seen with the ixgbe
driver, but the same issue exists with i40e as well, as the code is
very similar. read_barrier_depends is not sufficient to ensure
loads following it are not speculatively loaded out of order
by the CPU, which can result in stale data being loaded, causing
potential system crashes.

Signed-off-by: Brian King 
Acked-by: Jesse Brandeburg 
Tested-by: Andrew Bowers 
Signed-off-by: Jeff Kirsher 
Signed-off-by: Ben Hutchings 
---
 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -3047,7 +3047,7 @@ static bool i40e_clean_fdir_tx_irq(struc
break;
 
/* prevent any other reads prior to eop_desc */
-   read_barrier_depends();
+   smp_rmb();
 
/* if the descriptor isn't done, no work yet to do */
if (!(eop_desc->cmd_type_offset_bsz &
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -657,7 +657,7 @@ static bool i40e_clean_tx_irq(struct i40
break;
 
/* prevent any other reads prior to eop_desc */
-   read_barrier_depends();
+   smp_rmb();
 
/* we have caught up to head, no work left to do */
if (tx_head == tx_desc)



[PATCH 3.16 104/136] ALSA: usb-audio: Add sanity checks to FE parser

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit d937cd6790a2bef2d07b500487646bd794c039bb upstream.

When the usb-audio descriptor contains the malformed feature unit
description with a too short length, the driver may access
out-of-bounds.  Add a sanity check of the header size at the beginning
of parse_audio_feature_unit().

Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
Reported-by: Andrey Konovalov 
Signed-off-by: Takashi Iwai 
Signed-off-by: Ben Hutchings 
---
 sound/usb/mixer.c | 12 
 1 file changed, 12 insertions(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1378,6 +1378,12 @@ static int parse_audio_feature_unit(stru
__u8 *bmaControls;
 
if (state->mixer->protocol == UAC_VERSION_1) {
+   if (hdr->bLength < 7) {
+   usb_audio_err(state->chip,
+ "unit %u: invalid UAC_FEATURE_UNIT 
descriptor\n",
+ unitid);
+   return -EINVAL;
+   }
csize = hdr->bControlSize;
if (!csize) {
usb_audio_dbg(state->chip,
@@ -1395,6 +1401,12 @@ static int parse_audio_feature_unit(stru
}
} else {
struct uac2_feature_unit_descriptor *ftr = _ftr;
+   if (hdr->bLength < 6) {
+   usb_audio_err(state->chip,
+ "unit %u: invalid UAC_FEATURE_UNIT 
descriptor\n",
+ unitid);
+   return -EINVAL;
+   }
csize = 4;
channels = (hdr->bLength - 6) / 4 - 1;
bmaControls = ftr->bmaControls;
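Review bot: In the UAC2 branch the new `hdr->bLength < 6` guard still lets `channels = (hdr->bLength - 6) / 4 - 1` evaluate to -1 for lengths 6 to 9, because the descriptor is then too short to hold even the first 4-byte control entry. Whether a later check in parse_audio_feature_unit() rejects that case is not visible, as the function continues outside this hunk. If nothing does, comparing against the header plus one control entry, `if (hdr->bLength < 6 + 4) {`, would reject those descriptors at the point the length is first validated.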



[PATCH 3.16 113/136] i40evf: Use smp_rmb rather than read_barrier_depends

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Brian King 

commit f72271e2a0ae4277d53c4053f5eed8bb346ba38a upstream.

The original issue being fixed in this patch was seen with the ixgbe
driver, but the same issue exists with i40evf as well, as the code is
very similar. read_barrier_depends is not sufficient to ensure
loads following it are not speculatively loaded out of order
by the CPU, which can result in stale data being loaded, causing
potential system crashes.

Signed-off-by: Brian King 
Acked-by: Jesse Brandeburg 
Tested-by: Andrew Bowers 
Signed-off-by: Jeff Kirsher 
Signed-off-by: Ben Hutchings 
---
 drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
@@ -216,7 +216,7 @@ static bool i40e_clean_tx_irq(struct i40
break;
 
/* prevent any other reads prior to eop_desc */
-   read_barrier_depends();
+   smp_rmb();
 
/* we have caught up to head, no work left to do */
if (tx_head == tx_desc)



[PATCH 3.16 000/136] 3.16.54-rc1 review

2018-02-10 Thread Ben Hutchings
This is the start of the stable review cycle for the 3.16.54 release.
There are 136 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Feb 13 12:00:00 UTC 2018.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-

Alan Stern (1):
  USB: usbfs: compute urb->actual_length for isochronous
 [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54]

Alex Chen (1):
  ocfs2: should wait dio before inode lock in ocfs2_setattr()
 [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300]

Alexander Popov (1):
  usbip: fix NULL pointer dereference on errors
 [8c7003a3b4b4afd3734cdcc39217ef22d78a4a16]

Alexander Potapenko (1):
  sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
 [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d]

Alexander Steffen (1):
  tpm-dev-common: Reject too short writes
 [ee70bc1e7b63ac8023c9ff9475d8741e397316e7]

Alexandre Belloni (1):
  rtc: set the alarm to the next expiring timer
 [74717b28cb32e1ad3c1042cafd76b264c8c0f68d]

Andreas Rohner (1):
  nilfs2: fix race condition that causes file system corruption
 [31ccb1f7ba3cfe29631587d451cf5bb8ab593550]

Andrew F. Davis (1):
  ASoC: cs42l56: Fix reset GPIO name in example DT binding
 [8adc430603d67e76a0f8491df21654f691acda62]

Andrey Konovalov (1):
  p54: don't unregister leds when they are not initialized
 [fc09785de0a364427a5df63d703bae9a306ed116]

Andy Lutomirski (4):
  x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader
 [6b078f5de7fc0851af4102493c7b5bb07e49c4cb]
  x86, vdso: Move the vvar area before the vdso text
 [e6577a7ce99a506b587bcd1d2cd803cb45119557]
  x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap
 [dac16fba6fc590fa7239676b35ed75dae4c4cd2b]
  x86/vdso: Remove pvclock fixmap machinery
 [cc1e24fdb064d3126a494716f22ad4fc39306742]

Anna Schumaker (1):
  NFS: Avoid RCU usage in tracepoints
 [3944369db701f075092357b511fd9f5755771585]

Arnd Bergmann (4):
  Input: adxl34x - do not treat FIFO_MODE() as boolean
 [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d]
  drm: gma500: fix logic error
 [67a3b63a54cbe18944191f43d644686731cf30c7]
  elf_fdpic: fix unused variable warning
 [11e3e8d6d9274bf630859b4c47bc4e4d76f289db]
  isofs: fix timestamps beyond 2027
 [34be4dbf87fc3e474a842305394534216d428f5d]

Bart Van Assche (3):
  IB/srp: Avoid that a cable pull can trigger a kernel crash
 [8a0d18c62121d3c554a83eb96e2752861d84d937]
  IB/srpt: Do not accept invalid initiator port names
 [c70ca38960399a63d5c048b7b700612ea321d17e]
  target/iscsi: Fix iSCSI task reassignment handling
 [59b6986dbfcdab96a971f9663221849de79a7556]

Ben Hutchings (1):
  usbip: tools: Install all headers needed for libusbip development
 [c15562c0dcb2c7f26e891923b784cf1926b8c833]

Ben Seri (1):
  Bluetooth: Prevent stack info leak from the EFS element.
 [06e7e776ca4d36547e503279aeff996cbb292c16]

Bernhard Rosenkraenzer (1):
  USB: Add delay-init quirk for Corsair K70 LUX keyboards
 [a0fea6027f19c62727315aba1a7fae75a9caa842]

Boshi Wang (1):
  ima: fix hash algorithm initialization
 [ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee]

Brent Taylor (1):
  mtd: nand: Fix writing mtdoops to nand flash.
 [30863e38ebeb500a31cecee8096fb5002677dd9b]

Brian King (6):
  i40e: Use smp_rmb rather than read_barrier_depends
 [52c6912fde0133981ee50ba08808f257829c4c93]
  i40evf: Use smp_rmb rather than read_barrier_depends
 [f72271e2a0ae4277d53c4053f5eed8bb346ba38a]
  igb: Use smp_rmb rather than read_barrier_depends
 [c4cb99185b4cc96c0a1c70104dc21ae14d7e7f28]
  igbvf: Use smp_rmb rather than read_barrier_depends
 [1e1f9ca546556e508d021545861f6b5fc75a95fe]
  ixgbe: Fix skb list corruption on Power systems
 [0a9a17e3bb4564caf4bfe2a6783ae1287667d188]
  ixgbevf: Use smp_rmb rather than read_barrier_depends
 [ae0c585d93dfaf923d2c7eb44b2c3ab92854ea9b]

Christian König (1):
  drm/ttm: once more fix ttm_buffer_object_transfer
 [4d98e5ee6084f6d7bc578c5d5f86de7156aaa4cb]

Chuck Lever (1):
  nfs: Fix ugly referral attributes
 [c05cefcc72416a37eba5a2b35f0704ed758a9145]

Colin Ian King (3):
  btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit
 [3993b112dac968612b0b213ed59cb30f50b0015b]
  rtc: interface: ignore expired timers when enqueuing new timers
 [2b2f5ff00f63847d95adad6289bd8b05f5983dd5]
  staging: rtl8188eu: avoid a null 

[PATCH 3.16 135/136] kaiser: Set _PAGE_NX only if supported

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Guenter Roeck 

This resolves a crash if loaded under qemu + haxm under windows.
See https://www.spinics.net/lists/kernel/msg2689835.html for details.
Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that
the same log is also seen with vanilla v4.4.110-rc1).

[0.712750] Freeing unused kernel memory: 552K
[0.721821] init: Corrupted page table at address 57b029b332e0
[0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067
[0.722761] Bad pagetable: 000b [#1] PREEMPT SMP
[0.722761] Modules linked in:
[0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 
8800bc28c000
[0.722761] RIP: 0010:[]  [] 
__clear_user+0x42/0x67
[0.722761] RSP: :8800bc28fcf8  EFLAGS: 00010202
[0.722761] RAX:  RBX: 01a4 RCX: 01a4
[0.722761] RDX:  RSI: 0008 RDI: 57b029b332e0
[0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000
[0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0
[0.722761] R13:  R14: 57b029b33340 R15: 8800bb1e2a00
[0.722761] FS:  () GS:8800bfb0() 
knlGS:
[0.722761] CS:  0010 DS:  ES:  CR0: 8005003b
[0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0
[0.722761] Stack:
[0.722761]  57b029b332e0 8800bb95fa80 8800bc28fd18 
83f4120c
[0.722761]  8800bc28fe18 83e9e7a1 8800bc28fd68 

[0.722761]  8800bc29 8800bc29 8800bc29 
8800bc29
[0.722761] Call Trace:
[0.722761]  [] clear_user+0x2e/0x30
[0.722761]  [] load_elf_binary+0xa7f/0x18f7
[0.722761]  [] search_binary_handler+0x86/0x19c
[0.722761]  [] do_execveat_common.isra.26+0x909/0xf98
[0.722761]  [] ? rest_init+0x87/0x87
[0.722761]  [] do_execve+0x23/0x25
[0.722761]  [] run_init_process+0x2b/0x2d
[0.722761]  [] kernel_init+0x6d/0xda
[0.722761]  [] ret_from_fork+0x3f/0x70
[0.722761]  [] ? rest_init+0x87/0x87
[0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1
eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17
48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff
[0.722761] RIP  [] __clear_user+0x42/0x67
[0.722761]  RSP 
[0.722761] ---[ end trace def703879b4ff090 ]---
[0.722761] BUG: sleeping function called from invalid context at 
/mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21
[0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init
[0.722761] CPU: 1 PID: 1 Comm: init Tainted: G  D 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761]  0086 dcb5d76098c89836 8800bc28fa30 
83f34004
[0.722761]  84839dc2 0015 8800bc28fa40 
83d57dc9
[0.722761]  8800bc28fa68 83d57e6a 84a53640 

[0.722761] Call Trace:
[0.722761]  [] dump_stack+0x4d/0x63
[0.722761]  [] ___might_sleep+0x13a/0x13c
[0.722761]  [] __might_sleep+0x9f/0xa6
[0.722761]  [] down_read+0x20/0x31
[0.722761]  [] __blocking_notifier_call_chain+0x35/0x63
[0.722761]  [] blocking_notifier_call_chain+0x14/0x16
[0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd
[0.722761]  [] profile_task_exit+0x1a/0x1c
[0.802309]  [] do_exit+0x39/0xe7f
[0.802309]  [] ? vprintk_default+0x1d/0x1f
[0.802309]  [] ? printk+0x57/0x73
[0.802309]  [] oops_end+0x80/0x85
[0.802309]  [] pgtable_bad+0x8a/0x95
[0.802309]  [] __do_page_fault+0x8c/0x352
[0.802309]  [] ? file_has_perm+0xc4/0xe5
[0.802309]  [] do_page_fault+0xc/0xe
[0.802309]  [] page_fault+0x22/0x30
[0.802309]  [] ? __clear_user+0x42/0x67
[0.802309]  [] ? __clear_user+0x23/0x67
[0.802309]  [] clear_user+0x2e/0x30
[0.802309]  [] load_elf_binary+0xa7f/0x18f7
[0.802309]  [] search_binary_handler+0x86/0x19c
[0.802309]  [] do_execveat_common.isra.26+0x909/0xf98
[0.802309]  [] ? rest_init+0x87/0x87
[0.802309]  [] do_execve+0x23/0x25
[0.802309]  [] run_init_process+0x2b/0x2d
[0.802309]  [] kernel_init+0x6d/0xda
[0.802309]  [] ret_from_fork+0x3f/0x70
[0.802309]  [] ? rest_init+0x87/0x87
[0.830559] Kernel panic - not syncing: Attempted to kill init!  
exitcode=0x0009
[0.830559]
[0.831305] Kernel Offset: 

[PATCH 3.16 006/136] rtc: interface: ignore expired timers when enqueuing new timers

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Colin Ian King 

commit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream.

This patch fixes a RTC wakealarm issue, namely, the event fires during
hibernate and is not cleared from the list, causing hwclock to block.

The current enqueuing does not trigger an alarm if any expired timers
already exist on the timerqueue. This can occur when a RTC wake alarm
is used to wake a machine out of hibernate and the resumed state has
old expired timers that have not been removed from the timer queue.
This fix skips over any expired timers and triggers an alarm if there
are no pending timers on the timerqueue. Note that the skipped expired
timer will get reaped later on, so there is no need to clean it up
immediately.

The issue can be reproduced by putting a machine into hibernate and
waking it with the RTC wakealarm.  Running the example RTC test program
from tools/testing/selftests/timers/rtctest.c after the hibernate will
block indefinitely.  With the fix, it no longer blocks after the
hibernate resume.

BugLink: http://bugs.launchpad.net/bugs/1333569

Signed-off-by: Colin Ian King 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Ben Hutchings 
---
 drivers/rtc/interface.c | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/drivers/rtc/interface.c
+++ b/drivers/rtc/interface.c
@@ -778,9 +778,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq);
  */
 static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer)
 {
+   struct timerqueue_node *next = timerqueue_getnext(>timerqueue);
+   struct rtc_time tm;
+   ktime_t now;
+
timer->enabled = 1;
+   __rtc_read_time(rtc, );
+   now = rtc_tm_to_ktime(tm);
+
+   /* Skip over expired timers */
+   while (next) {
+   if (next->expires.tv64 >= now.tv64)
+   break;
+   next = timerqueue_iterate_next(next);
+   }
+
timerqueue_add(>timerqueue, >node);
-   if (>node == timerqueue_getnext(>timerqueue)) {
+   if (!next) {
struct rtc_wkalrm alarm;
int err;
alarm.time = rtc_ktime_to_tm(timer->node.expires);
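Review bot: The return value of `__rtc_read_time()` is ignored in the added lines, so if the hardware read fails `tm` is left uninitialised and `now` is derived from whatever was on the stack. The skip loop then compares `next->expires` against an indeterminate time and can wrongly skip live timers or stop on expired ones. Assuming the helper returns non-zero on failure (its definition is outside the hunk), the read should be checked before `timer->enabled = 1;`, with `int err` hoisted to function scope: `err = __rtc_read_time(rtc, &tm);` followed by `if (err) return err;`. The body of rtc_timer_enqueue continues past the end of this hunk.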



[PATCH 3.2 35/79] blktrace: Fix potential deadlock between delete & sysfs ops

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Waiman Long 

commit 5acb3cc2c2e9d3020a4fee43763c6463767f1572 upstream.

The lockdep code had reported the following unsafe locking scenario:

   CPU0CPU1
   
  lock(s_active#228);
   lock(>bd_mutex/1);
   lock(s_active#228);
  lock(>bd_mutex);

 *** DEADLOCK ***

The deadlock may happen when one task (CPU1) is trying to delete a
partition in a block device and another task (CPU0) is accessing
tracing sysfs file (e.g. /sys/block/dm-1/trace/act_mask) in that
partition.

The s_active isn't an actual lock. It is a reference count (kn->count)
on the sysfs (kernfs) file. Removal of a sysfs file, however, requires
a wait until all the references are gone. The reference count is
treated like a rwsem using lockdep instrumentation code.

The fact that a thread is in the sysfs callback method or in the
ioctl call means there is a reference to the opened sysfs or device
file. That should prevent the underlying block structure from being
removed.

Instead of using bd_mutex in the block_device structure, a new
blk_trace_mutex is now added to the request_queue structure to protect
access to the blk_trace structure.

Suggested-by: Christoph Hellwig 
Signed-off-by: Waiman Long 
Acked-by: Steven Rostedt (VMware) 

Fix typo in patch subject line, and prune a comment detailing how
the code used to work.

Signed-off-by: Jens Axboe 
Signed-off-by: Ben Hutchings 
---
 block/blk-core.c|  3 +++
 include/linux/blkdev.h  |  1 +
 kernel/trace/blktrace.c | 18 --
 3 files changed, 16 insertions(+), 6 deletions(-)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -499,6 +499,9 @@ struct request_queue *blk_alloc_queue_no
 
kobject_init(>kobj, _queue_ktype);
 
+#ifdef CONFIG_BLK_DEV_IO_TRACE
+   mutex_init(>blk_trace_mutex);
+#endif
mutex_init(>sysfs_lock);
spin_lock_init(>__queue_lock);
 
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -361,6 +361,7 @@ struct request_queue {
int node;
 #ifdef CONFIG_BLK_DEV_IO_TRACE
struct blk_trace*blk_trace;
+   struct mutexblk_trace_mutex;
 #endif
/*
 * for flush operations
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -631,6 +631,12 @@ int blk_trace_startstop(struct request_q
 }
 EXPORT_SYMBOL_GPL(blk_trace_startstop);
 
+/*
+ * When reading or writing the blktrace sysfs files, the references to the
+ * opened sysfs or device files should prevent the underlying block device
+ * from being removed. So no further delete protection is really needed.
+ */
+
 /**
  * blk_trace_ioctl: - handle the ioctls associated with tracing
  * @bdev:  the block device
@@ -648,7 +654,7 @@ int blk_trace_ioctl(struct block_device
if (!q)
return -ENXIO;
 
-   mutex_lock(>bd_mutex);
+   mutex_lock(>blk_trace_mutex);
 
switch (cmd) {
case BLKTRACESETUP:
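Review bot: Taking `q->blk_trace_mutex` in `blk_trace_ioctl` and in the two sysfs handlers (the later hunks of this file) serialises only those three entry points. `blk_trace_startstop` is exported, as the context at the top of the first blktrace.c hunk shows, so a caller that reaches setup, start/stop or teardown without going through the ioctl would still touch `q->blk_trace` unlocked. Whether such callers exist cannot be seen from this patch, so they are worth auditing. The comment added above `blk_trace_ioctl` should also state the rule, for example `/* q->blk_trace_mutex serialises setup, start/stop and teardown of q->blk_trace; callers outside the ioctl and sysfs paths must hold it too. */`. The function bodies start and end outside these hunks.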
@@ -674,7 +680,7 @@ int blk_trace_ioctl(struct block_device
break;
}
 
-   mutex_unlock(>bd_mutex);
+   mutex_unlock(>blk_trace_mutex);
return ret;
 }
 
@@ -1660,7 +1666,7 @@ static ssize_t sysfs_blk_trace_attr_show
if (q == NULL)
goto out_bdput;
 
-   mutex_lock(>bd_mutex);
+   mutex_lock(>blk_trace_mutex);
 
if (attr == _attr_enable) {
ret = sprintf(buf, "%u\n", !!q->blk_trace);
@@ -1679,7 +1685,7 @@ static ssize_t sysfs_blk_trace_attr_show
ret = sprintf(buf, "%llu\n", q->blk_trace->end_lba);
 
 out_unlock_bdev:
-   mutex_unlock(>bd_mutex);
+   mutex_unlock(>blk_trace_mutex);
 out_bdput:
bdput(bdev);
 out:
@@ -1721,7 +1727,7 @@ static ssize_t sysfs_blk_trace_attr_stor
if (q == NULL)
goto out_bdput;
 
-   mutex_lock(>bd_mutex);
+   mutex_lock(>blk_trace_mutex);
 
if (attr == _attr_enable) {
if (value)
@@ -1747,7 +1753,7 @@ static ssize_t sysfs_blk_trace_attr_stor
}
 
 out_unlock_bdev:
-   mutex_unlock(>bd_mutex);
+   mutex_unlock(>blk_trace_mutex);
 out_bdput:
bdput(bdev);
 out:



[PATCH 3.2 69/79] ALSA: seq: Make ioctls race-free

2018-02-10 Thread Ben Hutchings
3.2.99-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream.

The ALSA sequencer ioctls have no protection against racy calls, and
concurrent operations may interfere with each other.  As
reported recently, for example, concurrent calls that set the client
pool in combination with write calls may lead to either an
unkillable deadlock or a UAF.

As a slightly big hammer solution, this patch introduces the mutex to
make each ioctl exclusive.  Although this may reduce performance via
parallel ioctl calls, usually it's not demanded for sequencer usages,
hence it should be negligible.

Reported-by: Luo Quan 
Reviewed-by: Kees Cook 
Reviewed-by: Greg Kroah-Hartman 
Signed-off-by: Takashi Iwai 
[bwh: Backported to 3.2: ioctl dispatch is done from snd_seq_do_ioctl();
 take the mutex and add ret variable there.]
Signed-off-by: Ben Hutchings 
---
 sound/core/seq/seq_clientmgr.c |   10 --
 sound/core/seq/seq_clientmgr.h |1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create
rwlock_init(>ports_lock);
mutex_init(>ports_mutex);
INIT_LIST_HEAD(>ports_list_head);
+   mutex_init(>ioctl_mutex);
 
/* find free slot in the client table */
spin_lock_irqsave(_lock, flags);
@@ -2188,6 +2189,7 @@ static int snd_seq_do_ioctl(struct snd_s
void __user *arg)
 {
struct seq_ioctl_table *p;
+   int ret;
 
switch (cmd) {
case SNDRV_SEQ_IOCTL_PVERSION:
@@ -2201,8 +2203,12 @@ static int snd_seq_do_ioctl(struct snd_s
if (! arg)
return -EFAULT;
for (p = ioctl_tables; p->cmd; p++) {
-   if (p->cmd == cmd)
-   return p->func(client, arg);
+   if (p->cmd == cmd) {
+   mutex_lock(>ioctl_mutex);
+   ret = p->func(client, arg);
+   mutex_unlock(>ioctl_mutex);
+   return ret;
+   }
}
snd_printd("seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n",
   cmd, _IOC_TYPE(cmd), _IOC_NR(cmd));
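Review bot: `ioctl_mutex` is held only around `p->func(client, arg)`, so it makes ioctls exclusive with each other but not with the write path that the description names as the other half of the reported race. The write handler is not part of this patch, so it cannot be confirmed from here that a pool-resize ioctl and a concurrent write are mutually excluded; if they are not, the use-after-free window may remain for that pair. The ioctls handled in the `switch (cmd)` above the table loop also return without taking the mutex, which looks intentional but is undocumented. A comment on the new field in seq_clientmgr.h would make the scope explicit, e.g. `struct mutex ioctl_mutex; /* serialises table-dispatched ioctls on this client; does not cover write() */`. snd_seq_do_ioctl starts outside the hunk.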
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -59,6 +59,7 @@ struct snd_seq_client {
struct list_head ports_list_head;
rwlock_t ports_lock;
struct mutex ports_mutex;
+   struct mutex ioctl_mutex;
int convert32;  /* convert 32->64bit */
 
/* output pool */



[PATCH 3.16 008/136] usbip: tools: Install all headers needed for libusbip development

2018-02-10 Thread Ben Hutchings
3.16.54-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ben Hutchings 

commit c15562c0dcb2c7f26e891923b784cf1926b8c833 upstream.

usbip_host_driver.h now depends on several additional headers, which
need to be installed along with it.

Fixes: 021aed845303 ("staging: usbip: userspace: migrate usbip_host_driver ...")
Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with ...")
Signed-off-by: Ben Hutchings 
Acked-by: Shuah Khan 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/staging/usbip/userspace/Makefile.am | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/staging/usbip/userspace/Makefile.am
+++ b/drivers/staging/usbip/userspace/Makefile.am
@@ -1,6 +1,7 @@
 SUBDIRS := libsrc src
 includedir = @includedir@/usbip
 include_HEADERS := $(addprefix libsrc/, \
-usbip_common.h vhci_driver.h usbip_host_driver.h)
+usbip_common.h vhci_driver.h usbip_host_driver.h \
+list.h sysfs_utils.h)
 
 dist_man_MANS := $(addprefix doc/, usbip.8 usbipd.8)



[PATCH v2] Input: gpio_keys: Add level trigger support for GPIO keys

2018-02-10 Thread Baolin Wang
On some platforms (such as Spreadtrum platform), the GPIO keys can only
be triggered by level type. So this patch introduces one property to
indicate if the GPIO trigger type is level trigger or edge trigger.

Signed-off-by: Baolin Wang 
---
Changes since v1:
 - Disable the GPIO irq until reversing the GPIO level type.
---
 .../devicetree/bindings/input/gpio-keys.txt|2 ++
 drivers/input/keyboard/gpio_keys.c |   26 +++-
 include/linux/gpio_keys.h  |1 +
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/Documentation/devicetree/bindings/input/gpio-keys.txt 
b/Documentation/devicetree/bindings/input/gpio-keys.txt
index a949404..e3104bd 100644
--- a/Documentation/devicetree/bindings/input/gpio-keys.txt
+++ b/Documentation/devicetree/bindings/input/gpio-keys.txt
@@ -29,6 +29,8 @@ Optional subnode-properties:
- linux,can-disable: Boolean, indicates that button is connected
  to dedicated (not shared) interrupt which can be disabled to
  suppress events from the button.
+   - gpio-key,level-trigger: Boolean, indicates that button's interrupt
+ type is level trigger. Otherwise it is edge trigger as default.
 
 Example nodes:
 
diff --git a/drivers/input/keyboard/gpio_keys.c 
b/drivers/input/keyboard/gpio_keys.c
index 87e613d..218698a 100644
--- a/drivers/input/keyboard/gpio_keys.c
+++ b/drivers/input/keyboard/gpio_keys.c
@@ -385,6 +385,20 @@ static void gpio_keys_gpio_work_func(struct work_struct 
*work)
struct gpio_button_data *bdata =
container_of(work, struct gpio_button_data, work.work);
 
+   if (bdata->button->level_trigger) {
+   unsigned int trigger =
+   irq_get_trigger_type(bdata->irq) & ~IRQF_TRIGGER_MASK;
+   int state = gpiod_get_raw_value_cansleep(bdata->gpiod);
+
+   if (state)
+   trigger |= IRQF_TRIGGER_LOW;
+   else
+   trigger |= IRQF_TRIGGER_HIGH;
+
+   irq_set_irq_type(bdata->irq, trigger);
+   enable_irq(bdata->irq);
+   }
+
gpio_keys_gpio_report_event(bdata);
 
if (bdata->button->wakeup)
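Review bot: The `enable_irq()` added here is the only counterpart to the `disable_irq_nosync()` that the next hunk adds to `gpio_keys_gpio_isr`, so the line stays masked if the delayed work is cancelled between the ISR and this function. The cancel path is outside these hunks, so this is inferred, but a close or suspend that cancels `bdata->work` would leave a level-triggered key dead with an unbalanced disable depth. A comment at the disable site would record the pairing, e.g. `/* re-enabled in gpio_keys_gpio_work_func(); any path that cancels bdata->work must call enable_irq() */`, and the cancel path should re-enable the IRQ for level-triggered buttons. The result of `irq_set_irq_type()` is also discarded, so a failed polarity switch would re-arm the interrupt at the level that is still asserted; it should be checked and logged before `enable_irq()`.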
@@ -397,6 +411,9 @@ static irqreturn_t gpio_keys_gpio_isr(int irq, void *dev_id)
 
BUG_ON(irq != bdata->irq);
 
+   if (bdata->button->level_trigger)
+   disable_irq_nosync(bdata->irq);
+
if (bdata->button->wakeup) {
const struct gpio_keys_button *button = bdata->button;
 
@@ -566,7 +583,11 @@ static int gpio_keys_setup_key(struct platform_device 
*pdev,
INIT_DELAYED_WORK(>work, gpio_keys_gpio_work_func);
 
isr = gpio_keys_gpio_isr;
-   irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING;
+   if (button->level_trigger)
+   irqflags = gpiod_is_active_low(bdata->gpiod) ?
+   IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH;
+   else
+   irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING;
 
} else {
if (!button->irq) {
@@ -721,6 +742,9 @@ static void gpio_keys_close(struct input_dev *input)
button->can_disable =
fwnode_property_read_bool(child, "linux,can-disable");
 
+   button->level_trigger =
+   fwnode_property_read_bool(child, 
"gpio-key,level-trigger");
+
if (fwnode_property_read_u32(child, "debounce-interval",
 >debounce_interval))
button->debounce_interval = 5;
diff --git a/include/linux/gpio_keys.h b/include/linux/gpio_keys.h
index d06bf77..5095645 100644
--- a/include/linux/gpio_keys.h
+++ b/include/linux/gpio_keys.h
@@ -28,6 +28,7 @@ struct gpio_keys_button {
int wakeup;
int debounce_interval;
bool can_disable;
+   bool level_trigger;
int value;
unsigned int irq;
 };
-- 
1.7.9.5


