[PATCH 3.16 067/366] ipc/shm: Fix shmctl(..., IPC_STAT, ...) between pid namespaces.

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Eric W. Biederman" commit 98f929b1bd4d0b7c7a77d0d9776d1b924db2e454 upstream. Today shm_cpid and shm_lpid are remembered in the pid namespace of the creator and the processes that last

[PATCH 3.16 107/366] btrfs: Fix possible softlock on single core machines

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Nikolay Borisov commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 upstream. do_chunk_alloc implements a loop checking whether there is a pending chunk allocation and if so causes the caller do

[PATCH 3.16 066/366] ipc/util: Helpers for making the sysvipc operations pid namespace aware

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Eric W. Biederman" commit 03f1fc09180b345582889a344b012d069b3a6dbe upstream. Capture the pid namespace when /proc/sysvipc/msg /proc/sysvipc/shm and /proc/sysvipc/sem are opened, and make it

[PATCH 3.16 199/366] tcp: don't read out-of-bounds opsize

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Jann Horn commit 7e5a206ab686f098367b61aca989f5cdfa8114a3 upstream. The old code reads the "opsize" variable from out-of-bounds memory (first byte behind the segment) if a broken TCP segment

[PATCH 3.16 114/366] hugetlbfs: fix bug in pgoff overflow checking

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Mike Kravetz commit 5df63c2a149ae65a9ec239e7c2af44efa6f79beb upstream. This is a fix for a regression in 32 bit kernels caused by an invalid check for pgoff overflow in hugetlbfs mmap setup.

[PATCH 3.16 274/366] RDMA/mlx5: Don't assume that medium blueFlame register exists

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Yishai Hadas commit 18b0362e87dfa09e355093b897b9db854e360d28 upstream. User can leave system without medium BlueFlames registers, however the code assumed that at least one such register

[PATCH 3.16 198/366] hwmon: (nct6683) Enable EC access if disabled at boot

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Guenter Roeck commit dbac00f0cf634120d77edee10d25e3f6899d7636 upstream. On Asrock Z370M Pro4, it was observed that EC access was disabled after initially booting the system. As a result, the

[PATCH 3.16 178/366] Don't leak MNT_INTERNAL away from internal mounts

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Al Viro commit 16a34adb9392b2fe4195267475ab5b472e55292c upstream. We want it only for the stuff created by SB_KERNMOUNT mounts, *not* for their copies. As it is, creating a deep stack of

[PATCH 3.16 099/366] kvm: x86: fix a compile warning

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Peng Hao commit 3140c156e919b0f5fad5c5f6cf7876c39d1d4f06 upstream. fix a "warning: no previous prototype". Signed-off-by: Peng Hao Signed-off-by: Paolo Bonzini Signed-off-by: Ben Hutchings

[PATCH 3.16 090/366] ext4: force revalidation of directory pointer after seekdir(2)

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Theodore Ts'o commit e40ff213898502d299351cc2fe1e350cd186f0d3 upstream. A malicious user could force the directory pointer to be in an invalid spot by using seekdir(2). Use the mechanism we

[PATCH 3.16 136/366] drm/radeon: make MacBook Pro d3_delay quirk more generic

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Bjorn Helgaas commit 5938628c51a711ae2169d68b2e3a4f7d93d4dbea upstream. The PCI Power Management Spec, r1.2, sec 5.6.1, requires a 10 millisecond delay when powering on a device, i.e.,

[PATCH 3.16 297/366] ALSA: usb: mixer: volume quirk for CM102-A+/102S+

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Federico Cuello commit 21493316a3c4598f308d5a9fa31cc74639c4caff upstream. Currently it's not possible to set volume lower than 26% (it just mutes). Also fixes this warning: Warning!

[PATCH 3.16 323/366] tcp: purge write queue in tcp_connect_init()

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit 7f582b248d0a86bae5788c548d7bb5bca6f7691a upstream. syzkaller found a reliable way to crash the host, hitting a BUG() in __tcp_retransmit_skb() Malicous MSG_FASTOPEN is

[PATCH 3.16 109/366] ipv6: sit: better validate user provided tunnel names

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit b95211e066fc3494b7c115060b2297b4ba21f025 upstream. Use dev_valid_name() to make sure user does not provide illegal device name. syzbot caught the following bug : BUG:

[PATCH 3.16 061/366] parisc: Fix HPMC handler by increasing size to multiple of 16 bytes

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Helge Deller commit d5654e156bc4d68a87bbaa6d7e020baceddf6e68 upstream. Make sure that the HPMC (High Priority Machine Check) handler is 16-byte aligned and that it's length in the IVT is a

[PATCH 3.16 058/366] s390/qdio: don't retry EQBS after CCQ 96

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Julian Wiedmann commit dae55b6fef58530c13df074bcc182c096609339e upstream. Immediate retry of EQBS after CCQ 96 means that we potentially misreport the state of buffers inspected during the

[PATCH 3.16 069/366] ipc/msg: Fix msgctl(..., IPC_STAT, ...) between pid namespaces

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Eric W. Biederman" commit 39a4940eaa185910bb802ca9829c12268fd2c855 upstream. Today msg_lspid and msg_lrpid are remembered in the pid namespace of the creator and the processes that last send

[PATCH 3.16 319/366] i2c: pmcmsp: fix error return from master_xfer

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Peter Rosin commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b upstream. Returning -1 (-EPERM) is not appropriate here, go with -EIO. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang

[PATCH 3.16 322/366] tick/broadcast: Use for_each_cpu() specially on UP kernels

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Dexuan Cui commit 5596fe34495cf0f645f417eb928ef224df3e3cb4 upstream. for_each_cpu() unintuitively reports CPU0 as set independent of the actual cpumask content on UP kernels. This causes an

[PATCH 3.16 335/366] xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Joe Jin commit 4855c92dbb7b3b85c23e88ab7ca04f99b9677b41 upstream. When run raidconfig from Dom0 we found that the Xen DMA heap is reduced, but Dom Heap is increased by the same size. Tracing

[PATCH 3.16 321/366] ARM: davinci: board-dm646x-evm: set VPIF capture card name

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Sekhar Nori commit bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c upstream. VPIF capture driver expects card name to be set since it uses it without checking for NULL. The commit which introduced

[PATCH 3.16 320/366] i2c: viperboard: return message count on master_xfer success

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Peter Rosin commit 35cd67a0caf767aba472452865dcb4471fcce2b1 upstream. Returning zero is wrong in this case. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 174a13aa8669

[PATCH 3.16 200/366] RDMA/ucma: Introduce safer rdma_addr_size() variants

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Roland Dreier commit 84652aefb347297aa08e91e283adf7b18f77c2d5 upstream. There are several places in the ucma ABI where userspace can pass in a sockaddr but set the address family to AF_IB.

[PATCH 3.16 030/366] media: s3c-camif: fix out-of-bounds array access

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit a398e043637a4819a0e96467bfecaabf3224dd62 upstream. While experimenting with older compiler versions, I ran into a warning that no longer shows up on gcc-4.8 or newer:

[PATCH 3.16 318/366] i2c: pmcmsp: return message count on master_xfer success

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Peter Rosin commit de9a8634f1cb4560a35696d472cc7f1383d9b866 upstream. Returning zero is wrong in this case. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Fixes: 1b144df1d7d6

[PATCH 3.16 315/366] mmap: relax file size limit for regular files

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Linus Torvalds commit 423913ad4ae5b3e8fb8983f70969fb522261ba26 upstream. Commit be83bbf80682 ("mmap: introduce sane default mmap limits") was introduced to catch problems in various ad-hoc

[PATCH 3.16 129/366] s390/ipl: ensure loadparm valid flag is set

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Vasily Gorbik commit 15deb080a6087b73089139569558965750e69d67 upstream. When loadparm is set in reipl parm block, the kernel should also set DIAG308_FLAGS_LP_VALID flag. This fixes loadparm

[PATCH 3.16 166/366] MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Matt Redfearn commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream. The __clear_user function is defined to return the number of bytes that could not be cleared. From the underlying

[PATCH 3.16 176/366] drm/msm: Fix possible null dereference on failure of get_pages()

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings commit 3976626ea3d2011f8fd3f3a47070a8b792018253 upstream. Commit 62e3a3e342af changed get_pages() to initialise msm_gem_object::pages before trying to initialise

[PATCH 3.16 006/366] regmap: Support bulk reads for devices without raw formatting

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Mark Brown commit d5b98eb12420ce856caaf57dc5256eedc56a3747 upstream. When doing a bulk read from a device which lacks raw I/O support we fall back to doing register at a time reads but we

perf's handling of unfindable user symbols...

Perf has this hack where it uses the kernel symbol map as a backup when a symbol can't be found in the user's symbol table(s). This causes problems because the tests driving this code path use machine__kernel_ip(), and that is completely meaningless on Sparc. On sparc64 the kernel and user

Re: [PATCH v1] KVM/x86/vPMU: Guest PMI Optimization

On 10/13/2018 04:09 PM, Paolo Bonzini wrote: It's not clear to me why you're special casing PMIs here. The optimization should work generically, right? Yeah, you can even just check if the counter is in the struct cpu_hw_events guest mask, and if so always write the counter MSR directly.

[PATCH 3.16 248/366] ALSA: pcm: Check PCM state at xfern compat ioctl

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream. Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go further and hit the sanity check pcm_sanity_check()

[PATCH 3.16 213/366] ALSA: seq: oss: Hardening for potential Spectre v1

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 8d218dd8116695ecda7164f97631c069938aa22e upstream. As Smatch recently suggested, a few places in OSS sequencer codes may expand the array directly from the user-space

[PATCH 3.16 239/366] NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: SZ Lin (林上智) commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream. This patch adds support for PID 0x90b2 of ublox R410M. qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer [/dev/cdc-wdm0]

[PATCH 3.16 126/366] fanotify: fix logic of events on child

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Amir Goldstein commit 54a307ba8d3cd00a3902337ffaae28f436eeb1a4 upstream. When event on child inodes are sent to the parent inode mark and parent inode mark was not marked with

[PATCH 3.16 188/366] l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit 5411b6187adf62909e3b998ac782e722904c7487 upstream. Commit 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file") assumed that if

[PATCH 3.16 168/366] KEYS: DNS: limit the length of option strings

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 upstream. Adding a dns_resolver key whose payload contains a very long option name resulted in that string being printed in full.

[PATCH 3.16 157/366] team: avoid adding twice the same option to the event list

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Paolo Abeni commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 upstream. When parsing the options provided by the user space, team_nl_cmd_options_set() insert them in a temporary list to send

[PATCH 3.16 363/366] net: davinci_emac: Fix runtime pm calls for davinci_emac

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Tony Lindgren commit b5133e7a988b2cf8e1cd2b23231f36aff35ceffc upstream. Commit 3ba97381343b ("net: ethernet: davinci_emac: add pm_runtime support") added support for runtime PM, but it causes

[PATCH 3.16 177/366] ALSA: rawmidi: Fix missing input substream checks in compat ioctls

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11 upstream. Some rawmidi compat ioctls lack of the input substream checks (although they do check only for rfile->output). This

[PATCH 3.16 185/366] usbip: vhci_hcd: Fix usb device and sockfd leaks

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khan commit 9020a7efe537856eb3e826ebebdf38a5d07a7857 upstream. vhci_hcd fails to do reset to put usb device and sockfd in the module remove/stop paths. Fix the leak. Signed-off-by:

[PATCH 3.16 208/366] mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Joakim Tjernlund commit 6510bbc88e3258631831ade49033537081950605 upstream. Currently it is possible to read and/or write to suspend EB's. Writing /dev/mtdX or /dev/mtdblockX from several

[PATCH 3.16 124/366] sctp: do not leak kernel memory to user space

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb upstream. syzbot produced a nice report [1] Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory to user

[PATCH 3.16 284/366] f2fs: reposition unlock_new_inode to prevent accessing invalid inode

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Chao Yu commit b73e52824c8920a5ff754e3c8ff68466a7dd61f9 upstream. As the race condition on the inode cache, following scenario can appear: [Thread a] [Thread b]

[PATCH 3.16 269/366] can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Jimmy Assarsson commit 6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89 upstream. Increase rx_dropped, if alloc_can_skb() fails, not tx_dropped. Signed-off-by: Jimmy Assarsson Signed-off-by: Marc

[PATCH 3.16 279/366] tracing: Fix regex_match_front() to not over compare the test string

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Steven Rostedt (VMware)" commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d upstream. The regex match function regex_match_front() in the tracing filter logic, was fixed to test just the

[PATCH 3.16 309/366] VMXNET3: Check for map error in vmxnet3_set_mc

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy King commit 4ad9a64f53c619969dede1143d56ccda1a453c39 upstream. We should check if the map of the table actually succeeds, and also free resources accordingly. Version bumped to 1.2.1.0

[PATCH 3.16 305/366] tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all}

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Steven Rostedt (VMware)" commit 45dd9b0666a162f8e4be76096716670cf1741f0e upstream. Doing an audit of trace events, I discovered two trace events in the xen subsystem that use a hack to

[PATCH 3.16 277/366] net/mlx4_en: Verify coalescing parameters are in range

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Moshe Shemesh commit 6ad4e91c6d796b38a7f0e724db1de28eeb122bad upstream. Add check of coalescing parameters received through ethtool are within range of values supported by the HW. Driver gets

[PATCH 3.16 301/366] drm/i915/userptr: reject zero user_size

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Matthew Auld commit 20943f984967477c906522112d2b6b5a29f94684 upstream. Operating on a zero sized GEM userptr object will lead to explosions. Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping

[PATCH 3.16 314/366] drm: set FMODE_UNSIGNED_OFFSET for drm files

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Dave Airlie commit 76ef6b28ea4f81c3d511866a9b31392caa833126 upstream. Since we have the ttm and gem vma managers using a subset of the file address space for objects, and these start at

[PATCH 3.16 308/366] MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Maciej W. Rozycki" commit 9a3a92ccfe3620743d4ae57c987dc8e9c5f88996 upstream. Check the TIF_32BIT_FPREGS task setting of the tracee rather than the tracer in determining the layout of

[PATCH 3.16 311/366] vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc()

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexey Khoroshilov commit fb5c6cfaec126d9a96b9dd471d4711bf4c737a6f upstream. vmxnet3_set_mc() checks new_table_pa returned by dma_map_single() with dma_mapping_error(), but even there it

[PATCH 3.16 304/366] net/mlx4_core: Fix error handling in mlx4_init_port_info.

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Tarick Bedeir commit 57f6f99fdad9984801cde05c1db68fe39b474a10 upstream. Avoid exiting the function with a lingering sysfs file (if the first call to device_create_file() fails while the

[PATCH 3.16 234/366] libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Hans de Goede commit 184add2ca23ce5edcac0ab9c3b9be13f91e7b567 upstream. Richard Jones has reported that using med_power_with_dipm on a T450s with a Sandisk SD7UB3Q256G1001 SSD (firmware

[PATCH 3.16 303/366] ARM: keystone: fix platform_domain_notifier array overrun

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Russell King commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa upstream. platform_domain_notifier contains a variable sized array, which the pm_clk_notify() notifier treats as a NULL terminated

[PATCH 3.16 298/366] x86/kexec: Avoid double free_page() upon do_kexec_load() failure

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Tetsuo Handa commit a466ef76b815b86748d9870ef2a430af7b39c710 upstream. >From ff82bedd3e12f0d3353282054ae48c3bd8c72012 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Wed, 9 May 2018

[PATCH 3.16 306/366] MIPS: ptrace: Expose FIR register through FP regset

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Maciej W. Rozycki" commit 71e909c0cdad28a1df1fa14442929e68615dee45 upstream. Correct commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") and expose the FIR register using the

I NEED YOUR URGENT ASSISTANCE

-- Hi friend I am a banker in ADB BANK. I want to transfer an abandoned sum of USD15.6Million to your Bank account. 40/percent will be your share. No risk involved but keeps it as secret. Contact me for more details. Please reply me through my alternative email id only

[PATCH] sched/fair: Fix update min_vruntime in dequeue_entity()

The comment and the code around 2nd update_min_vruntime() are not in agreement. From commit b60205c7c558 ("sched/fair: Fix min_vruntime tracking"), I think that we want to update min_vruntime when a task is sleeping/migrating. So, the check is inverted there. Fixes: b60205c7c558 ("sched/fair: Fix

[PATCH 3.16 245/366] tracepoint: Do not warn on ENOMEM

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Mathieu Desnoyers commit d66a270be3310d7aa132fec0cea77d3d32a0ff75 upstream. Tracepoint should only warn when a kernel API user does not respect the required preconditions (e.g. same

[PATCH 3.16 243/366] net: support compat 64-bit time in {s,g}etsockopt

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Lance Richardson commit 988bf7243e03ef69238381594e0334a79cef74a6 upstream. For the x32 ABI, struct timeval has two 64-bit fields. However the kernel currently interprets the user-space values

[PATCH 3.16 257/366] dccp: fix tasklet usage

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit a8d7aa17bbc970971ccdf71988ea19230ab368b1 upstream. syzbot reported a crash in tasklet_action_common() caused by dccp. dccp needs to make sure socket wont disappear before

[PATCH 3.16 247/366] tcp: fix TCP_REPAIR_QUEUE bound checking

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9 upstream. syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out() with following C-repro : socket(PF_INET,

[PATCH 3.16 218/366] ALSA: asihpi: Hardening for potential Spectre v1

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit f9d94b57e30fd1575b4935045b32d738668aa74b upstream. As recently Smatch suggested, a couple of places in ASIHPI driver may expand the array directly from the user-space

[PATCH 3.16 212/366] ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit f5e94b4c6ebdabe0f602d796e0430180927521a0 upstream. When get_synthdev() is called for a MIDI device, it returns the fixed midi_synth_dev without the use refcounting. OTOH,

[PATCH 3.16 207/366] team: fix netconsole setup over team

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Xin Long commit 9cf2f437ca5b39828984064fad213e68fc17ef11 upstream. The same fix in Commit dbe173079ab5 ("bridge: fix netconsole setup over bridge") is also needed for team driver. While at

[PATCH 3.16 238/366] sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Xin Long commit d625329b06e46bd20baf9ee40847d11982569204 upstream. Since sctp ipv6 socket also supports v4 addrs, it's possible to compare two v4 addrs in pf v6 .cmp_addr,

[PATCH 3.16 211/366] packet: fix bitfield update race

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Willem de Bruijn commit a6361f0ca4b25460f2cdf3235ebe8115f622901e upstream. Updates to the bitfields in struct packet_sock are not atomic. Serialize these read-modify-write cycles. Move

[PATCH 3.16 217/366] ALSA: asihpi: used parts of message/response are zeroed before use

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eliot Blennerhassett commit 51e6f47dd2e3463dac6f37128fd7b7cb40c500de upstream. Signed-off-by: Eliot Blennerhassett Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings ---

[PATCH 3.16 220/366] ALSA: rme9652: Hardening for potential Spectre v1

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit f526afcd8f71945c23ce581d7864ace93de8a4f7 upstream. As recently Smatch suggested, one place in RME9652 driver may expand the array directly from the user-space value with

[PATCH 3.16 242/366] iw_cxgb4: Atomically flush per QP HW CQEs

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Bharat Potnuri commit 2df19e19ae90d94fd8724083f161f368a2797537 upstream. When a CQ is shared by multiple QPs, c4iw_flush_hw_cq() needs to acquire corresponding QP lock before moving the CQEs

[PATCH 3.16 256/366] USB: Accept bulk endpoints with 1024-byte maxpacket

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Alan Stern commit fb5ee84ea72c5f1b6cabdd1c9d6e8648995ca7c6 upstream. Some non-compliant high-speed USB devices have bulk endpoints with a 1024-byte maxpacket size. Although such endpoints

[PATCH 3.16 219/366] ALSA: hdspm: Hardening for potential Spectre v1

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 10513142a7114d251670361ad40cba2c61403406 upstream. As recently Smatch suggested, a couple of places in HDSP MADI driver may expand the array directly from the user-space

[PATCH 3.16 222/366] virtio_console: don't tie bufs to a vq

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: "Michael S. Tsirkin" commit 2855b33514d290c51d52d94e25d3ef942cd4d578 upstream. an allocated buffer doesn't need to be tied to a vq - only vq->vdev is ever used. Pass the function the just

[PATCH 3.16 210/366] mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Joakim Tjernlund commit 7b70eb14392a7cf505f9b358d06c33b5af73d1e7 upstream. Currently it is possible to read and/or write to suspend EB's. Writing /dev/mtdX or /dev/mtdblockX from several

[PATCH 3.16 262/366] sched/autogroup: Fix 64-bit kernel nice level adjustment

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Mike Galbraith commit 83929cce95251cc77e5659bf493bd424ae0e7a67 upstream. Michael Kerrisk reported: > Regarding the previous paragraph... My tests indicate > that writing *any* value to the

[PATCH 3.16 240/366] RDMA/cxgb4: release hw resources on device removal

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Raju Rangoju commit 26bff1bd74a4f7417509a83295614e9dab995b2a upstream. The c4iw_rdev_close() logic was not releasing all the hw resources (PBL and RQT memory) during the device removal event

[PATCH 3.16 216/366] ALSA: opl3: Hardening for potential Spectre v1

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream. As recently Smatch suggested, one place in OPL3 driver may expand the array directly from the user-space value with

[PATCH 3.16 241/366] RDMA/iwpm: fix memory leak on map_info

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit f96416cea7bce9afe619c15e87fced70f93f9098 upstream. In the cases where iwpm_hash_bucket is NULL and where function get_mapinfo_hash_bucket returns NULL then the map_info

[PATCH 3.16 264/366] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Peter Zijlstra commit 46b1b577229a091b137831becaa0fae8690ee15a upstream. > arch/x86/events/intel/cstate.c:307 cstate_pmu_event_init() warn: potential > spectre issue 'pkg_msr' (local cap) >

[PATCH 3.16 265/366] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Peter Zijlstra commit ef9ee4ad38445a30909c48998624861716f2a994 upstream. > arch/x86/events/core.c:319 set_ext_hw_attr() warn: potential spectre issue > 'hw_cache_event_ids[cache_type]'

[PATCH 3.16 275/366] cifs: Allocate validate negotiation request through kmalloc

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Long Li commit 2796d303e3c5ec213c578ed3a66872205c126eb8 upstream. The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will return an invalid DMA address for a buffer on

[PATCH 3.16 266/366] rfkill: gpio: fix memory leak in probe error path

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold commit 4bf01ca21e2e0e4561d1a03c48c3d740418702db upstream. Make sure to free the rfkill device in case registration fails during probe. Fixes: 5e7ca3937fbe ("net: rfkill: gpio:

[PATCH 3.16 263/366] sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Peter Zijlstra commit 354d7793070611b4df5a79fbb0f12752d0ed0cc5 upstream. > kernel/sched/autogroup.c:230 proc_sched_autogroup_set_nice() warn: potential > spectre issue 'sched_prio_to_weight'

[PATCH 3.16 289/366] udf: fix the udf_iget() vs. udf_new_inode() races

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Al Viro commit b231509616feb911c2a7a8814d58c0014ef5b17f upstream. Currently udf_iget() (triggered by NFS) can race with udf_new_inode() leading to two inode structures with the same inode

[PATCH 3.16 268/366] llc: better deal with too small mtu

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit 2c5d5b13c6eb79f5677e206b8aad59b3a2097f60 upstream. syzbot loves to set very small mtu on devices, since it brings joy. We must make llc_ui_sendmsg() fool proof. usercopy:

[PATCH 3.16 073/366] usb: musb: gadget: misplaced out of bounds check

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Heinrich Schuchardt commit af6f8529098aeb0e56a68671b450cf74e7a64fcd upstream. musb->endpoints[] has array size MUSB_C_NUM_EPS. We must check array bounds before accessing the array and not

[PATCH 3.16 280/366] ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Andrey Ignatov commit 1b97013bfb11d66f041de691de6f0fec748ce016 upstream. Fix more memory leaks in ip_cmsg_send() callers. Part of them were fixed earlier in 919483096bfe. * udp_sendmsg one

[PATCH 3.16 285/366] f2fs: call f2fs_unlock_op after error was handled

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Jaegeuk Kim commit 44c16156512f33c81e382a1e1df9524e26a7026a upstream. This patch relocates f2fs_unlock_op in every directory operations to be called after any error was processed. Otherwise,

[PATCH 3.16 272/366] s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Hendrik Brueckner commit 4bbaf2584b86b0772413edeac22ff448f36351b1 upstream. Correct a trinity finding for the perf_event_open() system call with a perf event attribute structure that uses a

[PATCH 3.16 187/366] s390/qeth: handle failure on workqueue creation

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Julian Wiedmann commit a936b1ef37ce1e996533878f4b23944f9444dcdf upstream. Creating the global workqueue during driver init may fail, deal with it. Also, destroy the created workqueue on any

[PATCH 3.16 182/366] mm/filemap.c: fix NULL pointer in page_cache_tree_insert()

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Matthew Wilcox commit abc1be13fd113ddef5e2d807a466286b864caed3 upstream. f2fs specifies the __GFP_ZERO flag for allocating some of its pages. Unfortunately, the page cache also uses the

[PATCH 3.16 184/366] usbip: vhci_hcd: check rhport before using in vhci_hub_control()

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khan commit 5b22f676118ff25049382041da0db8012e57c9e8 upstream. Validate !rhport < 0 before using it to access port_status array. Signed-off-by: Shuah Khan Signed-off-by: Greg

[PATCH 3.16 194/366] drivers: tty: Merge alloc_tty_struct and initialize_tty_struct

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Rasmus Villemoes commit 2c964a2f4191f2229566895f1a0e85f8339f5dd1 upstream. The two functions alloc_tty_struct and initialize_tty_struct are always called together. Merge them into

[PATCH 3.16 179/366] xhci: Fix USB ports for Dell Inspiron 5775

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Kai-Heng Feng commit 621faf4f6a181b6e012c1d1865213f36f4159b7f upstream. The Dell Inspiron 5775 is a Raven Ridge. The Enable Slot command timed out when a USB device gets plugged: [

[PATCH 3.16 267/366] scsi: zfcp: fix infinite iteration on ERP ready list

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Jens Remus commit fa89adba1941e4f3b213399b81732a5c12fd9131 upstream. zfcp_erp_adapter_reopen() schedules blocking of all of the adapter's rports via zfcp_scsi_schedule_rports_block() and

[PATCH 3.16 273/366] libata: Blacklist some Sandisk SSDs for NCQ

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Tejun Heo commit 322579dcc865b94b47345ad1b6002ad167f85405 upstream. Sandisk SSDs SD7SN6S256G and SD8SN8U256G are regularly locking up regularly under sustained moderate load with NCQ enabled.

[PATCH 3.16 039/366] vt: change SGR 21 to follow the standards

3.16.60-rc1 review patch. If anyone has any objections, please let me know. -- From: Mike Frysinger commit 65d9982d7e523a1a8e7c9af012da0d166f72fc56 upstream. ECMA-48 [1] (aka ISO 6429) has defined SGR 21 as "doubly underlined" since at least March 1984. The Linux kernel has

<    1   2   3   4   5   6   7   8   9   10   >