[PATCH 3.16 013/129] clk: dove: fix refcount leak in dove_clk_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit 8d726c5128298386b907963033be93407b0c4275 upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Reviewed-by: Gregory CLEMENT
Fixes: 8f7fc5450b64 ("clk: mvebu: dove: maintain clock init order")
Fixes: 63b8d92c793f ("clk: add Dove PLL divider support for GPU, VMeta and AXI
clocks")
Signed-off-by: Stephen Boyd
[bwh: Backported to 3.16: There is no ddnp variable here]
Signed-off-by: Ben Hutchings
---
--- a/drivers/clk/mvebu/dove.c
+++ b/drivers/clk/mvebu/dove.c
@@ -187,7 +187,9 @@ static void __init dove_clk_init(struct
mvebu_coreclk_setup(np, _coreclks);
- if (cgnp)
+ if (cgnp) {
mvebu_clk_gating_setup(cgnp, dove_gating_desc);
+ of_node_put(cgnp);
+ }
}
CLK_OF_DECLARE(dove_clk, "marvell,dove-core-clock", dove_clk_init);
[PATCH 3.16 012/129] clk: armada-xp: fix refcount leak in axp_clk_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit db20a90a4b6745dad62753f8bd2f66afdd5abc84 upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Reviewed-by: Gregory CLEMENT
Fixes: 0a11a6ae9437 ("clk: mvebu: armada-xp: maintain clock init order")
Signed-off-by: Stephen Boyd
Signed-off-by: Ben Hutchings
---
drivers/clk/mvebu/armada-xp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/clk/mvebu/armada-xp.c
+++ b/drivers/clk/mvebu/armada-xp.c
@@ -202,7 +202,9 @@ static void __init axp_clk_init(struct d
mvebu_coreclk_setup(np, _coreclks);
- if (cgnp)
+ if (cgnp) {
mvebu_clk_gating_setup(cgnp, axp_gating_desc);
+ of_node_put(cgnp);
+ }
}
CLK_OF_DECLARE(axp_clk, "marvell,armada-xp-core-clock", axp_clk_init);
[PATCH 3.16 002/129] staging: iio: adt7316: invert the logic of the check for an ldac pin
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jeremy Fertic
commit 85a1c11913312132d0800ca2c1c42a011f96ea92 upstream.
ADT7316_DA_EN_VIA_DAC_LDCA is set when the dac and ldac registers are being
used to update the dacs instead of the ldac pin. ADT7516_SEL_AIN3 is an adc
input that shares the ldac pin. Only set these bits if an ldac pin is not
being used.
This could be backported to stable, but note there are various
other bugs that probably make that a waste of time.
Signed-off-by: Jeremy Fertic
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jonathan Cameron
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/addac/adt7316.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -2130,7 +2130,7 @@ int adt7316_probe(struct device *dev, st
return -ENODEV;
chip->ldac_pin = adt7316_platform_data[1];
- if (chip->ldac_pin) {
+ if (!chip->ldac_pin) {
chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA;
if ((chip->id & ID_FAMILY_MASK) == ID_ADT75XX)
chip->config1 |= ADT7516_SEL_AIN3;
[PATCH 3.16 018/129] drm: Fix error handling in drm_legacy_addctx
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: YueHaibing
commit c39191feed4540fed98badeb484833dcf659bb96 upstream.
'ctx->handle' is unsigned, it never less than zero.
This patch use int 'tmp_handle' to handle the err condition.
Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr")
Signed-off-by: YueHaibing
Signed-off-by: Daniel Vetter
Link:
https://patchwork.freedesktop.org/patch/msgid/20181229024907.12852-1-yuehaib...@huawei.com
[bwh: Backported to 3.16: We only have the "legacy" driver type here]
Signed-off-by: Ben Hutchings
---
drivers/gpu/drm/drm_context.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/drm_context.c
+++ b/drivers/gpu/drm/drm_context.c
@@ -309,19 +309,22 @@ int drm_addctx(struct drm_device *dev, v
{
struct drm_ctx_list *ctx_entry;
struct drm_ctx *ctx = data;
+ int tmp_handle;
- ctx->handle = drm_ctxbitmap_next(dev);
- if (ctx->handle == DRM_KERNEL_CONTEXT) {
+ tmp_handle = drm_ctxbitmap_next(dev);
+ if (tmp_handle == DRM_KERNEL_CONTEXT) {
/* Skip kernel's context and get a new one. */
- ctx->handle = drm_ctxbitmap_next(dev);
+ tmp_handle = drm_ctxbitmap_next(dev);
}
- DRM_DEBUG("%d\n", ctx->handle);
- if (ctx->handle < 0) {
+ DRM_DEBUG("%d\n", tmp_handle);
+ if (tmp_handle < 0) {
DRM_DEBUG("Not enough free contexts.\n");
/* Should this return -EBUSY instead? */
- return -ENOMEM;
+ return tmp_handle;
}
+ ctx->handle = tmp_handle;
+
ctx_entry = kmalloc(sizeof(*ctx_entry), GFP_KERNEL);
if (!ctx_entry) {
DRM_DEBUG("out of memory\n");
[PATCH 3.16 003/129] staging: iio: adt7316: allow adt751x to use internal vref for all dacs
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jeremy Fertic
commit 10bfe7cc1739c22f0aa296b39e53f61e9e3f4d99 upstream.
With adt7516/7/9, internal vref is available for dacs a and b, dacs c and
d, or all dacs. The driver doesn't currently support internal vref for all
dacs. Change the else if to an if so both bits are checked rather than
just one or the other.
Signed-off-by: Jeremy Fertic
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/addac/adt7316.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -1093,7 +1093,7 @@ static ssize_t adt7316_store_DAC_interna
ldac_config = chip->ldac_config & (~ADT7516_DAC_IN_VREF_MASK);
if (data & 0x1)
ldac_config |= ADT7516_DAC_AB_IN_VREF;
- else if (data & 0x2)
+ if (data & 0x2)
ldac_config |= ADT7516_DAC_CD_IN_VREF;
} else {
ret = kstrtou8(buf, 16, );
[PATCH 3.16 015/129] staging: iio: adt7316: fix handling of dac high resolution option
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jeremy Fertic
commit 76b7fe8d6c4daf4db672eb953c892c6f6572a282 upstream.
The adt7316/7 and adt7516/7 have the option to output voltage proportional
to temperature on dac a and/or dac b. The default dac resolution in this
mode is 8 bits with the dac high resolution option enabling 10 bits. None
of these settings affect dacs c and d. Remove the "1 (12 bits)" output from
the show function since that is not an option for this mode. Return
"1 (10 bits)" if the device is one of the above mentioned chips and the dac
high resolution mode is enabled.
In the store function, the driver currently allows the user to write to the
ADT7316_DA_HIGH_RESOLUTION bit regardless of the device in use. Add a check
to return an error in the case of an adt7318 or adt7519. Remove the else
statement that clears the ADT7316_DA_HIGH_RESOLUTION bit. Instead, clear it
before conditionally enabling it, depending on user input. This matches the
typical pattern in the driver when an attribute is a boolean.
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jeremy Fertic
Signed-off-by: Jonathan Cameron
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/addac/adt7316.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -635,9 +635,7 @@ static ssize_t adt7316_show_da_high_reso
struct adt7316_chip_info *chip = iio_priv(dev_info);
if (chip->config3 & ADT7316_DA_HIGH_RESOLUTION) {
- if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516)
- return sprintf(buf, "1 (12 bits)\n");
- else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517)
+ if (chip->id != ID_ADT7318 && chip->id != ID_ADT7519)
return sprintf(buf, "1 (10 bits)\n");
}
@@ -654,10 +652,12 @@ static ssize_t adt7316_store_da_high_res
u8 config3;
int ret;
+ if (chip->id == ID_ADT7318 || chip->id == ID_ADT7519)
+ return -EPERM;
+
+ config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION);
if (buf[0] == '1')
- config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION;
- else
- config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION);
+ config3 |= ADT7316_DA_HIGH_RESOLUTION;
ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3);
if (ret)
[PATCH 3.16 000/129] 3.16.70-rc1 review
This is the start of the stable review cycle for the 3.16.70 release. There are 129 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Jul 09 20:00:00 UTC 2019. Anything received after that time might be too late. All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below. Ben. - Aaro Koskinen (1): mmc: omap: fix the maximum timeout setting [a6327b5e57fdc679c842588c3be046c0b39cc127] Aditya Pakki (1): md: Fix failed allocation of md_register_thread [e406f12dde1a8375d77ea02d91f313fb1a9c6aec] Alistair Strachan (1): media: uvcvideo: Fix 'type' check leading to overflow [47bb117911b051bbc90764a8bff96543cbd2005f] Aneesh Kumar K.V (1): powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search [3b4d07d2674f6b4a9281031f99d1f7efd325b16d] Ard Biesheuvel (1): crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling [eaf46edf6ea89675bd36245369c8de5063a0272c] Arnd Bergmann (1): cpufreq: pxa2xx: remove incorrect __init annotation [9505b98ccddc454008ca7efff90044e3e857c827] Axel Lin (1): regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA [c25d47888f0fb3d836d68322d4aea2caf31a75a6] Bart Van Assche (1): scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock [32e36bfbcf31452a854263e7c7f32fbefc4b44d8] Ben Hutchings (1): binder: Replace "%p" with "%pK" for stable [fdfb4a99b6ab8c393db19e3b92968b74ca2757b0, 19c987241ca1216a51118b2bd0185b8bc5081783, 7a4408c6bd3eb1dafba67986259191be081e3efb] Buland Singh (1): hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable [24d48a61f230da130cc2ec2e526eacf229e3] Christophe Leroy (4): powerpc/32: Clear on-stack exception marker upon exception return [9580b71b5a7863c24a9bd18bcd2ad759b86b1eff] powerpc/83xx: Also save/restore SPRG4-7 during suspend [36da5ff0bea2dc67298150ead8d8471575c54c7d] powerpc/irq: drop arch_early_irq_init() [607ea5090b3fb61fea1d0bc5278e6c1d40ab5bd6] powerpc/wii: properly disable use of BATs when requested. [6d183ca8baec983dc4208ca45ece3c36763df912] Colin Ian King (4): rtc: 88pm80x: fix unintended sign extension [fb0b322537a831b5b0cb948c56f8f958ce493d3a] rtc: 88pm860x: fix unintended sign extension [dc9e47160626cdb58d5c39a4f43dcfdb27a5c004] rtc: ds1672: fix unintended sign extension [f0c04c276739ed8acbb41b4868e942a55b128dca] rtc: pm8xxx: fix unintended sign extension [e42280886018c6f77f0a90190f7cba344b0df3e0] Dan Carpenter (1): xen, cpu_hotplug: Prevent an out of bounds access [201676095dda7e5b31a5e1d116d10fc22985075e] Dan Robertson (1): btrfs: init csum_list before possible free [e49be14b8d80e23bb7c53d78c21717a474ade76b] Daniel Axtens (1): bcache: never writeback a discard operation [9951379b0ca88c95876ad9778b9099e19a95d566] Daniel Jordan (1): mm, swap: bounds check swap_info array accesses to avoid NULL derefs [c10d38cc8d3e43f946b6c2bf4602c86791587f30] Doug Berger (1): irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code [33517881ede742107f416533b8c3e4abc56763da] Eric Biggers (5): crypto: ahash - fix another early termination in hash walk [77568e535af7c4f97eaef1e555bf0af83772456c] crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails [ba7d7433a0e998c902132bd47330e355a1eaa894] crypto: pcbc - remove bogus memcpy()s with src == dest [251b7aea34ba3c4d4fdfa9447695642eb8b8b098] crypto: testmgr - skip crc32c context test for ahash algorithms [eb5e6730db98fcc4b51148b4a819fa4bf864ae54] crypto: tgr192 - fix unaligned memory access [f990f7fb58ac8ac9a43316f09a48cff1a49dda42] Eric Dumazet (6): gro_cells: make sure device is up in gro_cells_receive() [2a5ff07a0eb945f291e361aa6f6becca8340ba46] l2tp: fix infoleak in l2tp_ip6_recvmsg() [163d1c3d6f17556ed3c340d3789ea93be95d6c28] net/hsr: fix possible crash in add_timer() [1e027960edfaa6a43f9ca31081729b716598112b] netns: provide pure entropy for net_hash_mix() [355b98553789b646ed97ad801a619ff898471b92] tcp: refine memory limit test in tcp_fragment() [b6653b3629e5b88202be3c9abc44713973f5c4b4] vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() [59cbf56fcd98ba2a715b6e97c4e43f773f956393] Eric W. Biederman (1): fs/nfs: Fix nfs_parse_devna
[PATCH 3.16 017/129] staging: iio: adt7316: fix the dac write calculation
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jeremy Fertic
commit 78accaea117c1ae878774974fab91ac4a0b0e2b0 upstream.
The lsb calculation is not masking the correct bits from the user input.
Subtract 1 from (1 << offset) to correctly set up the mask to be applied
to user input.
The lsb register stores its value starting at the bit 7 position.
adt7316_store_DAC() currently assumes the value is at the other end of the
register. Shift the lsb value before storing it in a new variable lsb_reg,
and write this variable to the lsb register.
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jeremy Fertic
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/addac/adt7316.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -1448,7 +1448,7 @@ static ssize_t adt7316_show_DAC(struct a
static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip,
int channel, const char *buf, size_t len)
{
- u8 msb, lsb, offset;
+ u8 msb, lsb, lsb_reg, offset;
u16 data;
int ret;
@@ -1466,9 +1466,13 @@ static ssize_t adt7316_store_DAC(struct
return -EINVAL;
if (chip->dac_bits > 8) {
- lsb = data & (1 << offset);
+ lsb = data & ((1 << offset) - 1);
+ if (chip->dac_bits == 12)
+ lsb_reg = lsb << ADT7316_DA_12_BIT_LSB_SHIFT;
+ else
+ lsb_reg = lsb << ADT7316_DA_10_BIT_LSB_SHIFT;
ret = chip->bus.write(chip->bus.client,
- ADT7316_DA_DATA_BASE + channel * 2, lsb);
+ ADT7316_DA_DATA_BASE + channel * 2, lsb_reg);
if (ret)
return -EIO;
}
[PATCH 3.16 011/129] clk: kirkwood: fix refcount leak in kirkwood_clk_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit e7beeab9c61591cd0e690d8733d534c3f4278ff8 upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Reviewed-by: Gregory CLEMENT
Fixes: 58d516ae95cb ("clk: mvebu: kirkwood: maintain clock init order")
Signed-off-by: Stephen Boyd
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/clk/mvebu/kirkwood.c
+++ b/drivers/clk/mvebu/kirkwood.c
@@ -236,8 +236,11 @@ static void __init kirkwood_clk_init(str
else
mvebu_coreclk_setup(np, _coreclks);
- if (cgnp)
+ if (cgnp) {
mvebu_clk_gating_setup(cgnp, kirkwood_gating_desc);
+
+ of_node_put(cgnp);
+ }
}
CLK_OF_DECLARE(kirkwood_clk, "marvell,kirkwood-core-clock",
kirkwood_clk_init);
[PATCH 3.16 001/129] staging: iio: adt7316: fix register and bit definitions
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jeremy Fertic
commit 53a6f022b4fe8645468adaffca901dbf8c3c547e upstream.
Change two register addresses and one bit definition to match the
datasheet.
Note that there are many issues in this driver so I would
not suggest backporting these fixes to stable trees.
Signed-off-by: Jeremy Fertic
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/addac/adt7316.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -59,8 +59,8 @@
#define ADT7316_CONFIG10x18
#define ADT7316_CONFIG20x19
#define ADT7316_CONFIG30x1A
-#define ADT7316_LDAC_CONFIG0x1B
-#define ADT7316_DAC_CONFIG 0x1C
+#define ADT7316_DAC_CONFIG 0x1B
+#define ADT7316_LDAC_CONFIG0x1C
#define ADT7316_INT_MASK1 0x1D
#define ADT7316_INT_MASK2 0x1E
#define ADT7316_IN_TEMP_OFFSET 0x1F
@@ -117,7 +117,7 @@
*/
#define ADT7316_ADCLK_22_5 0x1
#define ADT7316_DA_HIGH_RESOLUTION 0x2
-#define ADT7316_DA_EN_VIA_DAC_LDCA 0x4
+#define ADT7316_DA_EN_VIA_DAC_LDCA 0x8
#define ADT7516_AIN_IN_VREF0x10
#define ADT7316_EN_IN_TEMP_PROP_DACA 0x20
#define ADT7316_EN_EX_TEMP_PROP_DACB 0x40
[PATCH 3.16 028/129] media: v4l2: i2c: ov7670: Fix PLL bypass register values
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jacopo Mondi
commit 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 upstream.
The following commits:
commit f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for
ov7675")
commit 04ee6d92047e ("[media] media: ov7670: add possibility to bypass pll for
ov7675")
introduced the ability to bypass PLL multiplier and use input clock (xvclk)
as pixel clock output frequency for ov7675 sensor.
PLL is bypassed using register DBLV[7:6], according to ov7670 and ov7675
sensor manuals. Macros used to set DBLV register seem wrong in the
driver, as their values do not match what reported in the datasheet.
Fix by changing DBLV_* macros to use bits [7:6] and set bits [3:0] to
default 0x0a reserved value (according to datasheets).
While at there, remove a write to DBLV register in
"ov7675_set_framerate()" that over-writes the previous one to the same
register that takes "info->pll_bypass" flag into account instead of setting PLL
multiplier to 4x unconditionally.
And, while at there, since "info->pll_bypass" is only used in
set/get_framerate() functions used by ov7675 only, it is not necessary
to check for the device id at probe time to make sure that when using
ov7670 "info->pll_bypass" is set to false.
Fixes: f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for
ov7675")
Signed-off-by: Jacopo Mondi
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/i2c/ov7670.c | 16 ++--
1 file changed, 6 insertions(+), 10 deletions(-)
--- a/drivers/media/i2c/ov7670.c
+++ b/drivers/media/i2c/ov7670.c
@@ -167,10 +167,10 @@ MODULE_PARM_DESC(debug, "Debug level (0-
#define REG_GFIX 0x69/* Fix gain control */
#define REG_DBLV 0x6b/* PLL control an debugging */
-#define DBLV_BYPASS0x00/* Bypass PLL */
-#define DBLV_X40x01/* clock x4 */
-#define DBLV_X60x10/* clock x6 */
-#define DBLV_X80x11/* clock x8 */
+#define DBLV_BYPASS0x0a/* Bypass PLL */
+#define DBLV_X40x4a/* clock x4 */
+#define DBLV_X60x8a/* clock x6 */
+#define DBLV_X80xca/* clock x8 */
#define REG_REG76 0x76/* OV's name */
#define R76_BLKPCOR0x80/* Black pixel correction enable */
@@ -845,7 +845,7 @@ static int ov7675_set_framerate(struct v
if (ret < 0)
return ret;
- return ov7670_write(sd, REG_DBLV, DBLV_X4);
+ return 0;
}
static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd,
@@ -1552,11 +1552,7 @@ static int ov7670_probe(struct i2c_clien
if (config->clock_speed)
info->clock_speed = config->clock_speed;
- /*
-* It should be allowed for ov7670 too when it is migrated to
-* the new frame rate formula.
-*/
- if (config->pll_bypass && id->driver_data != MODEL_OV7670)
+ if (config->pll_bypass)
info->pll_bypass = true;
if (config->pclk_hb_disable)
[PATCH 3.16 023/129] selinux: avoid silent denials in permissive mode under RCU walk
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Stephen Smalley
commit 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e upstream.
commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
results in no audit messages at all if in permissive mode because the
cache is updated during the rcu walk and thus no denial occurs on
the subsequent ref walk. Fix this by not updating the cache when
performing a non-blocking permission check. This only affects search
and symlink read checks during rcu walk.
Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
Reported-by: BMK
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
[bwh: Backported to 3.16:
- Add flags parameter to avc_update_node(), done upstream in commit
fa1aa143ac4a "selinux: extended permissions for ioctls"
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -528,6 +528,7 @@ static inline int avc_sidcmp(u32 x, u32
* @perms : Permission mask bits
* @ssid,@tsid,@tclass : identifier of an AVC entry
* @seqno : sequence number when decision was made
+ * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0.
*
* if a valid AVC entry doesn't exist,this function returns -ENOENT.
* if kmalloc() called internal returns NULL, this function returns -ENOMEM.
@@ -535,7 +536,7 @@ static inline int avc_sidcmp(u32 x, u32
* will release later by RCU.
*/
static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16
tclass,
- u32 seqno)
+ u32 seqno, unsigned int flags)
{
int hvalue, rc = 0;
unsigned long flag;
@@ -543,6 +544,23 @@ static int avc_update_node(u32 event, u3
struct hlist_head *head;
spinlock_t *lock;
+ /*
+* If we are in a non-blocking code path, e.g. VFS RCU walk,
+* then we must not add permissions to a cache entry
+* because we cannot safely audit the denial. Otherwise,
+* during the subsequent blocking retry (e.g. VFS ref walk), we
+* will find the permissions already granted in the cache entry
+* and won't audit anything at all, leading to silent denials in
+* permissive mode that only appear when in enforcing mode.
+*
+* See the corresponding handling in slow_avc_audit(), and the
+* logic in selinux_inode_follow_link and selinux_inode_permission
+* for the VFS MAY_NOT_BLOCK flag, which is transliterated into
+* AVC_NONBLOCKING for avc_has_perm_noaudit().
+*/
+ if (flags & AVC_NONBLOCKING)
+ return 0;
+
node = avc_alloc_node();
if (!node) {
rc = -ENOMEM;
@@ -690,7 +708,7 @@ static noinline int avc_denied(u32 ssid,
return -EACCES;
avc_update_node(AVC_CALLBACK_GRANT, requested, ssid,
- tsid, tclass, avd->seqno);
+ tsid, tclass, avd->seqno, flags);
return 0;
}
@@ -701,7 +719,7 @@ static noinline int avc_denied(u32 ssid,
* @tsid: target security identifier
* @tclass: target security class
* @requested: requested permissions, interpreted based on @tclass
- * @flags: AVC_STRICT or 0
+ * @flags: AVC_STRICT, AVC_NONBLOCKING, or 0
* @avd: access vector decisions
*
* Check the AVC to determine whether the @requested permissions are granted
@@ -781,7 +799,9 @@ int avc_has_perm_flags(u32 ssid, u32 tsi
struct av_decision avd;
int rc, rc2;
- rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, );
+ rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested,
+ (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
+ );
rc2 = avc_audit(ssid, tsid, tclass, requested, , rc,
auditdata, flags);
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2818,7 +2818,9 @@ static int selinux_inode_permission(stru
sid = cred_sid(cred);
isec = inode->i_security;
- rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, );
+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms,
+ (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
+ );
audited = avc_audit_required(perms, , rc,
from_access ? FILE__AUDIT_ACCESS : 0,
);
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -143,6 +143,7 @@ static inline int avc_audit(u32 ssid, u3
}
#define AVC_STRICT 1 /* Ignore permissive mode. */
+#define AVC_NONBLOCKING4 /* non blocking */
int avc_has_perm_noaudit(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
unsigned flags,
[PATCH 3.16 031/129] ASoC: imx-sgtl5000: put of nodes if finding codec fails
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Stefan Agner
commit d9866572486802bc598a3e8576a5231378d190de upstream.
Make sure to properly put the of node in case finding the codec
fails.
Fixes: 81e8e4926167 ("ASoC: fsl: add sgtl5000 clock support for imx-sgtl5000")
Signed-off-by: Stefan Agner
Reviewed-by: Daniel Baluta
Acked-by: Nicolin Chen
Reviewed-by: Fabio Estevam
Signed-off-by: Mark Brown
Signed-off-by: Ben Hutchings
---
sound/soc/fsl/imx-sgtl5000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/soc/fsl/imx-sgtl5000.c
+++ b/sound/soc/fsl/imx-sgtl5000.c
@@ -118,7 +118,8 @@ static int imx_sgtl5000_probe(struct pla
codec_dev = of_find_i2c_device_by_node(codec_np);
if (!codec_dev) {
dev_err(>dev, "failed to find codec platform device\n");
- return -EPROBE_DEFER;
+ ret = -EPROBE_DEFER;
+ goto fail;
}
data = devm_kzalloc(>dev, sizeof(*data), GFP_KERNEL);
[PATCH 3.16 024/129] crypto: pcbc - remove bogus memcpy()s with src == dest
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 upstream.
The memcpy()s in the PCBC implementation use walk->iv as both the source
and destination, which has undefined behavior. These memcpy()'s are
actually unneeded, because walk->iv is already used to hold the previous
plaintext block XOR'd with the previous ciphertext block. Thus,
walk->iv is already updated to its final value.
So remove the broken and unnecessary memcpy()s.
Fixes: 91652be5d1b9 ("[CRYPTO] pcbc: Add Propagated CBC template")
Cc: David Howells
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
crypto/pcbc.c | 14 --
1 file changed, 4 insertions(+), 10 deletions(-)
--- a/crypto/pcbc.c
+++ b/crypto/pcbc.c
@@ -52,7 +52,7 @@ static int crypto_pcbc_encrypt_segment(s
unsigned int nbytes = walk->nbytes;
u8 *src = walk->src.virt.addr;
u8 *dst = walk->dst.virt.addr;
- u8 *iv = walk->iv;
+ u8 * const iv = walk->iv;
do {
crypto_xor(iv, src, bsize);
@@ -76,7 +76,7 @@ static int crypto_pcbc_encrypt_inplace(s
int bsize = crypto_cipher_blocksize(tfm);
unsigned int nbytes = walk->nbytes;
u8 *src = walk->src.virt.addr;
- u8 *iv = walk->iv;
+ u8 * const iv = walk->iv;
u8 tmpbuf[bsize];
do {
@@ -89,8 +89,6 @@ static int crypto_pcbc_encrypt_inplace(s
src += bsize;
} while ((nbytes -= bsize) >= bsize);
- memcpy(walk->iv, iv, bsize);
-
return nbytes;
}
@@ -130,7 +128,7 @@ static int crypto_pcbc_decrypt_segment(s
unsigned int nbytes = walk->nbytes;
u8 *src = walk->src.virt.addr;
u8 *dst = walk->dst.virt.addr;
- u8 *iv = walk->iv;
+ u8 * const iv = walk->iv;
do {
fn(crypto_cipher_tfm(tfm), dst, src);
@@ -142,8 +140,6 @@ static int crypto_pcbc_decrypt_segment(s
dst += bsize;
} while ((nbytes -= bsize) >= bsize);
- memcpy(walk->iv, iv, bsize);
-
return nbytes;
}
@@ -156,7 +152,7 @@ static int crypto_pcbc_decrypt_inplace(s
int bsize = crypto_cipher_blocksize(tfm);
unsigned int nbytes = walk->nbytes;
u8 *src = walk->src.virt.addr;
- u8 *iv = walk->iv;
+ u8 * const iv = walk->iv;
u8 tmpbuf[bsize];
do {
@@ -169,8 +165,6 @@ static int crypto_pcbc_decrypt_inplace(s
src += bsize;
} while ((nbytes -= bsize) >= bsize);
- memcpy(walk->iv, iv, bsize);
-
return nbytes;
}
[PATCH 3.16 021/129] RDMA/ocrdma: Fix out of bounds index check in query pkey
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Gal Pressman
commit b188940796c7be31c1b8c25a9a0e0842c2e7a49e upstream.
The pkey table size is one element, index should be tested for > 0 instead
of > 1.
Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA
adapter")
Signed-off-by: Gal Pressman
Signed-off-by: Jason Gunthorpe
Signed-off-by: Ben Hutchings
---
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -39,7 +39,7 @@
int ocrdma_query_pkey(struct ib_device *ibdev, u8 port, u16 index, u16 *pkey)
{
- if (index > 1)
+ if (index > 0)
return -EINVAL;
*pkey = 0x;
[PATCH 3.16 027/129] media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Pawe? Chmiel
commit 19c624c6b29e244c418f8b44a711cbf5e82e3cd4 upstream.
This commit corrects max and step values for v4l2 control for
V4L2_CID_JPEG_RESTART_INTERVAL. Max should be 0x and step should be 1.
It was found by using v4l2-compliance tool and checking result of
VIDIOC_QUERY_EXT_CTRL/QUERYMENU test.
Previously it was complaining that step was bigger than difference
between max and min.
Fixes: 15f4bc3b1f42 ("[media] s5p-jpeg: Add JPEG controls support")
Signed-off-by: Pawe? Chmiel
Reviewed-by: Jacek Anaszewski
Reviewed-by: Sylwester Nawrocki
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/platform/s5p-jpeg/jpeg-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
@@ -1363,7 +1363,7 @@ static int s5p_jpeg_controls_create(stru
v4l2_ctrl_new_std(>ctrl_handler, _jpeg_ctrl_ops,
V4L2_CID_JPEG_RESTART_INTERVAL,
- 0, 3, 0x, 0);
+ 0, 0x, 1, 0);
if (ctx->jpeg->variant->version == SJPEG_S5P)
mask = ~0x06; /* 422, 420 */
}
[PATCH 3.16 032/129] m68k: Add -ffreestanding to CFLAGS
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Finn Thain commit 28713169d879b67be2ef2f84dcf54905de238294 upstream. This patch fixes a build failure when using GCC 8.1: /usr/bin/ld: block/partitions/ldm.o: in function `ldm_parse_tocblock': block/partitions/ldm.c:153: undefined reference to `strcmp' This is caused by a new optimization which effectively replaces a strncmp() call with a strcmp() call. This affects a number of strncmp() call sites in the kernel. The entire class of optimizations is avoided with -fno-builtin, which gets enabled by -ffreestanding. This may avoid possible future build failures in case new optimizations appear in future compilers. I haven't done any performance measurements with this patch but I did count the function calls in a defconfig build. For example, there are now 23 more sprintf() calls and 39 fewer strcpy() calls. The effect on the other libc functions is smaller. If this harms performance we can tackle that regression by optimizing the call sites, ideally using semantic patches. That way, clang and ICC builds might benfit too. Reference: https://marc.info/?l=linux-m68k=15451481644=2 Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Signed-off-by: Ben Hutchings --- arch/m68k/Makefile | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) --- a/arch/m68k/Makefile +++ b/arch/m68k/Makefile @@ -59,7 +59,10 @@ cpuflags-$(CONFIG_M5206e):= $(call cc-o cpuflags-$(CONFIG_M5206) := $(call cc-option,-mcpu=5206,-m5200) KBUILD_AFLAGS += $(cpuflags-y) -KBUILD_CFLAGS += $(cpuflags-y) -pipe +KBUILD_CFLAGS += $(cpuflags-y) + +KBUILD_CFLAGS += -pipe -ffreestanding + ifdef CONFIG_MMU # without -fno-strength-reduce the 53c7xx.c driver fails ;-( KBUILD_CFLAGS += -fno-strength-reduce -ffixed-a2
[PATCH 3.16 005/129] clk: socfpga: fix refcount leak
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit 7f9705beeb3759e69165e7aff588f6488ff6c1ac upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Fixes: 5343325ff3dd ("clk: socfpga: add a clock driver for the Arria 10
platform")
Fixes: a30d27ed739b ("clk: socfpga: fix clock driver for 3.15")
Signed-off-by: Stephen Boyd
[bwh: Backported to 3.16: drop changes in clk-pll-a10.c]
Signed-off-by: Ben Hutchings
---
--- a/drivers/clk/socfpga/clk-pll.c
+++ b/drivers/clk/socfpga/clk-pll.c
@@ -102,6 +102,7 @@ static __init struct clk *__socfpga_pll_
clkmgr_np = of_find_compatible_node(NULL, NULL, "altr,clk-mgr");
clk_mgr_base_addr = of_iomap(clkmgr_np, 0);
+ of_node_put(clkmgr_np);
BUG_ON(!clk_mgr_base_addr);
pll_clk->hw.reg = clk_mgr_base_addr + reg;
[PATCH 3.16 030/129] crypto: tgr192 - fix unaligned memory access
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit f990f7fb58ac8ac9a43316f09a48cff1a49dda42 upstream.
Fix an unaligned memory access in tgr192_transform() by using the
unaligned access helpers.
Fixes: 06ace7a9bafe ("[CRYPTO] Use standard byte order macros wherever
possible")
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
crypto/tgr192.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/crypto/tgr192.c
+++ b/crypto/tgr192.c
@@ -25,8 +25,9 @@
#include
#include
#include
-#include
#include
+#include
+#include
#define TGR192_DIGEST_SIZE 24
#define TGR160_DIGEST_SIZE 20
@@ -468,10 +469,9 @@ static void tgr192_transform(struct tgr1
u64 a, b, c, aa, bb, cc;
u64 x[8];
int i;
- const __le64 *ptr = (const __le64 *)data;
for (i = 0; i < 8; i++)
- x[i] = le64_to_cpu(ptr[i]);
+ x[i] = get_unaligned_le64(data + i * sizeof(__le64));
/* save */
a = aa = tctx->a;
[PATCH 3.16 020/129] IB/usnic: Fix out of bounds index check in query pkey
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Gal Pressman
commit 4959d5da5737dd804255c75b8cea0a2929ce279a upstream.
The pkey table size is one element, index should be tested for > 0 instead
of > 1.
Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
Signed-off-by: Gal Pressman
Acked-by: Parvi Kaustubhi
Signed-off-by: Jason Gunthorpe
Signed-off-by: Ben Hutchings
---
drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
+++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c
@@ -410,7 +410,7 @@ int usnic_ib_query_gid(struct ib_device
int usnic_ib_query_pkey(struct ib_device *ibdev, u8 port, u16 index,
u16 *pkey)
{
- if (index > 1)
+ if (index > 0)
return -EINVAL;
*pkey = 0x;
[PATCH 3.16 029/129] crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit ba7d7433a0e998c902132bd47330e355a1eaa894 upstream.
Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context. In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.
It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms. Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a
key, to prevent the tfm from being used until a new key is set.
Note: we can't set CRYPTO_TFM_NEED_KEY for OPTIONAL_KEY algorithms, so
->setkey() for those must nevertheless be atomic. That's fine for now
since only the crc32 and crc32c algorithms set OPTIONAL_KEY, and it's
not intended that OPTIONAL_KEY be used much.
[Cc stable mainly because when introducing the NEED_KEY flag I changed
AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
previously didn't have this problem. So these "incompletely keyed"
states became theoretically accessible via AF_ALG -- though, the
opportunities for causing real mischief seem pretty limited.]
Fixes: 9fa68f620041 ("crypto: hash - prevent using keyed hashes without setting
key")
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
crypto/ahash.c | 28 +++-
crypto/shash.c | 18 +-
2 files changed, 32 insertions(+), 14 deletions(-)
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -200,6 +200,21 @@ static int ahash_setkey_unaligned(struct
return ret;
}
+static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key,
+ unsigned int keylen)
+{
+ return -ENOSYS;
+}
+
+static void ahash_set_needkey(struct crypto_ahash *tfm)
+{
+ const struct hash_alg_common *alg = crypto_hash_alg_common(tfm);
+
+ if (tfm->setkey != ahash_nosetkey &&
+ !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
+ crypto_ahash_set_flags(tfm, CRYPTO_TFM_NEED_KEY);
+}
+
int crypto_ahash_setkey(struct crypto_ahash *tfm, const u8 *key,
unsigned int keylen)
{
@@ -211,20 +226,16 @@ int crypto_ahash_setkey(struct crypto_ah
else
err = tfm->setkey(tfm, key, keylen);
- if (err)
+ if (unlikely(err)) {
+ ahash_set_needkey(tfm);
return err;
+ }
crypto_ahash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
return 0;
}
EXPORT_SYMBOL_GPL(crypto_ahash_setkey);
-static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key,
- unsigned int keylen)
-{
- return -ENOSYS;
-}
-
static inline unsigned int ahash_align_buffer_size(unsigned len,
unsigned long mask)
{
@@ -493,8 +504,7 @@ static int crypto_ahash_init_tfm(struct
if (alg->setkey) {
hash->setkey = alg->setkey;
- if (!(alg->halg.base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
- crypto_ahash_set_flags(hash, CRYPTO_TFM_NEED_KEY);
+ ahash_set_needkey(hash);
}
if (alg->export)
hash->export = alg->export;
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -52,6 +52,13 @@ static int shash_setkey_unaligned(struct
return err;
}
+static void shash_set_needkey(struct crypto_shash *tfm, struct shash_alg *alg)
+{
+ if (crypto_shash_alg_has_setkey(alg) &&
+ !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY))
+ crypto_shash_set_flags(tfm, CRYPTO_TFM_NEED_KEY);
+}
+
int crypto_shash_setkey(struct crypto_shash *tfm, const u8 *key,
unsigned int keylen)
{
@@ -64,8 +71,10 @@ int crypto_shash_setkey(struct crypto_sh
else
err = shash->setkey(tfm, key, keylen);
- if (err)
+ if (unlikely(err)) {
+ shash_set_needkey(tfm, shash);
return err;
+ }
crypto_shash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
return 0;
@@ -367,7 +376,8 @@ int crypto_init_shash_ops_async(struct c
crt->final = shash_async_final;
crt->finup = shash_async_finup;
crt->digest = shash_async_digest;
- crt->setkey = shash_async_setkey;
+ if (crypto_shash_alg_has_setkey(alg))
+ crt->setkey = shash_async_setkey;
crypto_ahash_set_flags(crt, crypto_shash_get_flags(shash) &
CRYPTO_TFM_NEED_KEY);
@@ -534,9 +544,7 @@ static int crypto_shash_init_tfm(struct
hash->descsize = alg->descsize;
- if (crypto_shash_alg_has
[PATCH 3.16 033/129] pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Geert Uytterhoeven
commit 8e32e881947be98abaa917157fefc4a3319e90af upstream.
When declaring the HSPI RX1_B and TX1_B pins, two mistakes were made:
- the rows and columns in the BGA pin matrix, from which the pin
numbers are derived, were exchanged,
- it was not taken into account that pin row labelling skips
characters I, O, Q, and S.
Fix the order, and the corresponding pin names.
Notes:
- The actual values of the pin numbers don't really matter (they just
have to be unique), so the wrong order didn't have any impact,
- Changing the names of the pins is user-visible, but there are no
users in (upstream) DTS files.
Fixes: 4f82e3ee724f1712 ("sh-pfc: Support pins not associated with a GPIO port")
Fixes: 09cc76a95802e87d ("sh-pfc: r8a7778: add HSPI pin groups")
Signed-off-by: Geert Uytterhoeven
Reviewed-by: Simon Horman
Signed-off-by: Ben Hutchings
---
drivers/pinctrl/sh-pfc/pfc-r8a7778.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/pinctrl/sh-pfc/pfc-r8a7778.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7778.c
@@ -1265,8 +1265,8 @@ static const struct sh_pfc_pin pinmux_pi
/* Pins not associated with a GPIO port */
SH_PFC_PIN_NAMED(3, 20, C20),
- SH_PFC_PIN_NAMED(20, 1, T1),
- SH_PFC_PIN_NAMED(25, 2, Y2),
+ SH_PFC_PIN_NAMED(1, 20, A20),
+ SH_PFC_PIN_NAMED(2, 25, B25),
};
/* - macro */
@@ -1401,7 +1401,7 @@ HSPI_PFC_DAT(hspi1_a, HSPI_CLK1_A,HSPI
HSPI_RX1_A, HSPI_TX1_A);
HSPI_PFC_PIN(hspi1_b, RCAR_GP_PIN(0, 27), RCAR_GP_PIN(0, 26),
- PIN_NUMBER(20, 1), PIN_NUMBER(25, 2));
+ PIN_NUMBER(1, 20), PIN_NUMBER(2, 25));
HSPI_PFC_DAT(hspi1_b, HSPI_CLK1_B,HSPI_CS1_B,
HSPI_RX1_B, HSPI_TX1_B);
[PATCH 3.16 039/129] mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: YueHaibing
commit 32937a82f36c7bbe08db4052de94bc7ade4e3c51 upstream.
Fix a static code checker warning:
drivers/mtd/devices/docg3.c:1875
doc_probe_device() warn: passing zero to 'ERR_PTR'
Fixes: ae9d4934b2d7 ("mtd: docg3: add multiple floor support")
Signed-off-by: YueHaibing
Acked-by: Robert Jarzmik
Signed-off-by: Boris Brezillon
Signed-off-by: Ben Hutchings
---
drivers/mtd/devices/docg3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -1939,7 +1939,7 @@ nomem3:
nomem2:
kfree(docg3);
nomem1:
- return ERR_PTR(ret);
+ return ret ? ERR_PTR(ret) : NULL;
}
/**
[PATCH 3.16 051/129] rtc: 88pm860x: fix unintended sign extension
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Colin Ian King
commit dc9e47160626cdb58d5c39a4f43dcfdb27a5c004 upstream.
Shifting a u8 by 24 will cause the value to be promoted to an integer. If
the top bit of the u8 is set then the following conversion to an unsigned
long will sign extend the value causing the upper 32 bits to be set in
the result.
Fix this by casting the u8 value to an unsigned long before the shift.
Detected by CoverityScan, CID#144925-144928 ("Unintended sign extension")
Fixes: 008b30408c40 ("mfd: Add rtc support to 88pm860x")
Signed-off-by: Colin Ian King
Signed-off-by: Alexandre Belloni
Signed-off-by: Ben Hutchings
---
drivers/rtc/rtc-88pm860x.c | 21 ++---
1 file changed, 14 insertions(+), 7 deletions(-)
--- a/drivers/rtc/rtc-88pm860x.c
+++ b/drivers/rtc/rtc-88pm860x.c
@@ -115,11 +115,13 @@ static int pm860x_rtc_read_time(struct d
pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf);
dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1],
buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]);
- base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7];
+ base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) |
+ (buf[5] << 8) | buf[7];
/* load 32-bit read-only counter */
pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf);
- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+ (buf[1] << 8) | buf[0];
ticks = base + data;
dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
base, data, ticks);
@@ -145,7 +147,8 @@ static int pm860x_rtc_set_time(struct de
/* load 32-bit read-only counter */
pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf);
- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+ (buf[1] << 8) | buf[0];
base = ticks - data;
dev_dbg(info->dev, "set base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
base, data, ticks);
@@ -170,10 +173,12 @@ static int pm860x_rtc_read_alarm(struct
pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf);
dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1],
buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]);
- base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7];
+ base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) |
+ (buf[5] << 8) | buf[7];
pm860x_bulk_read(info->i2c, PM8607_RTC_EXPIRE1, 4, buf);
- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+ (buf[1] << 8) | buf[0];
ticks = base + data;
dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
base, data, ticks);
@@ -198,11 +203,13 @@ static int pm860x_rtc_set_alarm(struct d
pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf);
dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1],
buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]);
- base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7];
+ base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) |
+ (buf[5] << 8) | buf[7];
/* load 32-bit read-only counter */
pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf);
- data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+ data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+ (buf[1] << 8) | buf[0];
ticks = base + data;
dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n",
base, data, ticks);
[PATCH 3.16 048/129] USB: serial: cp210x: add ID for Ingenico 3070
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ivan Mironov
commit dd9d3d86b08d6a106830364879c42c78db85389c upstream.
Here is how this device appears in kernel log:
usb 3-1: new full-speed USB device number 18 using xhci_hcd
usb 3-1: New USB device found, idVendor=0b00, idProduct=3070
usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 3-1: Product: Ingenico 3070
usb 3-1: Manufacturer: Silicon Labs
usb 3-1: SerialNumber: 0001
Apparently this is a POS terminal with embedded USB-to-Serial converter.
Signed-off-by: Ivan Mironov
Signed-off-by: Johan Hovold
Signed-off-by: Ben Hutchings
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -57,6 +57,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless
smartcard reader */
{ USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC
Device */
{ USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console
*/
+ { USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */
{ USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher
Acceptor */
{ USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */
{ USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */
[PATCH 3.16 042/129] devres: always use dev_name() in devm_ioremap_resource()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Sergei Shtylyov
commit 8d84b18f5678d3adfdb9375dfb0d968da2dc753d upstream.
devm_ioremap_resource() prefers calling devm_request_mem_region() with a
resource name instead of a device name -- this looks pretty iff a resource
name isn't specified via a device tree with a "reg-names" property (in this
case, a resource name is set to a device node's full name), but if it is,
it doesn't really scale since these names are only unique to a given device
node, not globally; so, looking at the output of 'cat /proc/iomem', you do
not have an idea which memory region belongs to which device (see "dirmap",
"regs", and "wbuf" lines below):
0800-0bff : dirmap
4800-bfff : System RAM
4800-48007fff : reserved
4808-48b0 : Kernel code
48b1-48b8 : reserved
48b9-48c7afff : Kernel data
bc6a4000-bcbf : reserved
bcc0f000-bebf : reserved
bec0e000-bec0efff : reserved
bec11000-bec11fff : reserved
bec12000-bec14fff : reserved
bec15000-bfff : reserved
e605-e605004f : gpio@e605
e6051000-e605104f : gpio@e6051000
e6052000-e605204f : gpio@e6052000
e6053000-e605304f : gpio@e6053000
e6054000-e605404f : gpio@e6054000
e6055000-e605504f : gpio@e6055000
e606-e606050b : pin-controller@e606
e6e6-e6e6003f : e6e6.serial
e740-e7400fff : ethernet@e740
ee20-ee2001ff : regs
ee208000-ee2080ff : wbuf
I think that devm_request_mem_region() should be called with dev_name()
despite the region names won't look as pretty as before (however, we gain
more consistency with e.g. the serial driver:
0800-0bff : ee20.rpc
4800-bfff : System RAM
4800-48007fff : reserved
4808-48b0 : Kernel code
48b1-48b8 : reserved
48b9-48c7afff : Kernel data
bc6a4000-bcbf : reserved
bcc0f000-bebf : reserved
bec0e000-bec0efff : reserved
bec11000-bec11fff : reserved
bec12000-bec14fff : reserved
bec15000-bfff : reserved
e605-e605004f : e605.gpio
e6051000-e605104f : e6051000.gpio
e6052000-e605204f : e6052000.gpio
e6053000-e605304f : e6053000.gpio
e6054000-e605404f : e6054000.gpio
e6055000-e605504f : e6055000.gpio
e606-e606050b : e606.pin-controller
e6e6-e6e6003f : e6e6.serial
e740-e7400fff : e740.ethernet
ee20-ee2001ff : ee20.rpc
ee208000-ee2080ff : ee20.rpc
Fixes: 72f8c0bfa0de ("lib: devres: add convenience function to remap a
resource")
Signed-off-by: Sergei Shtylyov
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
lib/devres.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/lib/devres.c
+++ b/lib/devres.c
@@ -109,7 +109,6 @@ EXPORT_SYMBOL(devm_iounmap);
void __iomem *devm_ioremap_resource(struct device *dev, struct resource *res)
{
resource_size_t size;
- const char *name;
void __iomem *dest_ptr;
BUG_ON(!dev);
@@ -120,9 +119,8 @@ void __iomem *devm_ioremap_resource(stru
}
size = resource_size(res);
- name = res->name ?: dev_name(dev);
- if (!devm_request_mem_region(dev, res->start, size, name)) {
+ if (!devm_request_mem_region(dev, res->start, size, dev_name(dev))) {
dev_err(dev, "can't request region for resource %pR\n", res);
return IOMEM_ERR_PTR(-EBUSY);
}
[PATCH 3.16 037/129] mtd: docg3: Don't leak docg3->bbt in error path
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Richard Weinberger
commit 45c2ebd702a468d5037cf16aa4f8ea8d67776f6a upstream.
Signed-off-by: Richard Weinberger
Signed-off-by: Brian Norris
Signed-off-by: Ben Hutchings
---
drivers/mtd/devices/docg3.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/mtd/devices/docg3.c
+++ b/drivers/mtd/devices/docg3.c
@@ -1907,7 +1907,7 @@ doc_probe_device(struct docg3_cascade *c
ret = 0;
if (chip_id != (u16)(~chip_id_inv)) {
- goto nomem3;
+ goto nomem4;
}
switch (chip_id) {
@@ -1917,7 +1917,7 @@ doc_probe_device(struct docg3_cascade *c
break;
default:
doc_err("Chip id %04x is not a DiskOnChip G3 chip\n", chip_id);
- goto nomem3;
+ goto nomem4;
}
doc_set_driver_info(chip_id, mtd);
@@ -1926,6 +1926,8 @@ doc_probe_device(struct docg3_cascade *c
doc_reload_bbt(docg3);
return mtd;
+nomem4:
+ kfree(docg3->bbt);
nomem3:
kfree(mtd);
nomem2:
[PATCH 3.16 007/129] clk: imx6q: fix refcount leak in imx6q_clocks_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit c9ec1d8fef31b5fc9e90e99f9bd685db5caa7c5e upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Fixes: 2acd1b6f889c ("ARM: i.MX6: implement clocks using common clock
framework")
Signed-off-by: Stephen Boyd
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
arch/arm/mach-imx/clk-imx6q.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/mach-imx/clk-imx6q.c
+++ b/arch/arm/mach-imx/clk-imx6q.c
@@ -157,6 +157,7 @@ static void __init imx6q_clocks_init(str
np = of_find_compatible_node(NULL, NULL, "fsl,imx6q-anatop");
base = of_iomap(np, 0);
WARN_ON(!base);
+ of_node_put(np);
/* Audio/video PLL post dividers do not work on i.MX6q revision 1.0 */
if (cpu_is_imx6q() && imx_get_soc_revision() == IMX_CHIP_REVISION_1_0) {
[PATCH 3.16 043/129] crypto: testmgr - skip crc32c context test for ahash algorithms
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit eb5e6730db98fcc4b51148b4a819fa4bf864ae54 upstream.
Instantiating "cryptd(crc32c)" causes a crypto self-test failure because
the crypto_alloc_shash() in alg_test_crc32c() fails. This is because
cryptd(crc32c) is an ahash algorithm, not a shash algorithm; so it can
only be accessed through the ahash API, unlike shash algorithms which
can be accessed through both the ahash and shash APIs.
As the test is testing the shash descriptor format which is only
applicable to shash algorithms, skip it for ahash algorithms.
(Note that it's still important to fix crypto self-test failures even
for weird algorithm instantiations like cryptd(crc32c) that no one
would really use; in fips_enabled mode unprivileged users can use them
to panic the kernel, and also they prevent treating a crypto self-test
failure as a bug when fuzzing the kernel.)
Fixes: 8e3ee85e68c5 ("crypto: crc32c - Test descriptor context format")
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
crypto/testmgr.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1655,14 +1655,21 @@ static int alg_test_crc32c(const struct
err = alg_test_hash(desc, driver, type, mask);
if (err)
- goto out;
+ return err;
tfm = crypto_alloc_shash(driver, type, mask);
if (IS_ERR(tfm)) {
+ if (PTR_ERR(tfm) == -ENOENT) {
+ /*
+* This crc32c implementation is only available through
+* ahash API, not the shash API, so the remaining part
+* of the test is not applicable to it.
+*/
+ return 0;
+ }
printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: "
"%ld\n", driver, PTR_ERR(tfm));
- err = PTR_ERR(tfm);
- goto out;
+ return PTR_ERR(tfm);
}
do {
@@ -1691,7 +1698,6 @@ static int alg_test_crc32c(const struct
crypto_free_shash(tfm);
-out:
return err;
}
[PATCH 3.16 041/129] ext2: Fix underflow in ext2_max_size()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jan Kara
commit 1c2d14212b15a60300a2d4f6364753e87394c521 upstream.
When ext2 filesystem is created with 64k block size, ext2_max_size()
will return value less than 0. Also, we cannot write any file in this fs
since the sb->maxbytes is less than 0. The core of the problem is that
the size of block index tree for such large block size is more than
i_blocks can carry. So fix the computation to count with this
possibility.
File size limits computed with the new function for the full range of
possible block sizes look like:
bits file_size
10 17247252480
11275415851008
12 2196873666560
13 2197948973056
14 2198486220800
15 2198754754560
16 219906752
Reported-by: yangerkun
Signed-off-by: Jan Kara
Signed-off-by: Ben Hutchings
---
fs/ext2/super.c | 39 +--
1 file changed, 25 insertions(+), 14 deletions(-)
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -701,7 +701,8 @@ static loff_t ext2_max_size(int bits)
{
loff_t res = EXT2_NDIR_BLOCKS;
int meta_blocks;
- loff_t upper_limit;
+ unsigned int upper_limit;
+ unsigned int ppb = 1 << (bits-2);
/* This is calculated to be the largest file size for a
* dense, file such that the total number of
@@ -715,24 +716,34 @@ static loff_t ext2_max_size(int bits)
/* total blocks in file system block size */
upper_limit >>= (bits - 9);
-
- /* indirect blocks */
- meta_blocks = 1;
- /* double indirect blocks */
- meta_blocks += 1 + (1LL << (bits-2));
- /* tripple indirect blocks */
- meta_blocks += 1 + (1LL << (bits-2)) + (1LL << (2*(bits-2)));
-
- upper_limit -= meta_blocks;
- upper_limit <<= bits;
-
+ /* Compute how many blocks we can address by block tree */
res += 1LL << (bits-2);
res += 1LL << (2*(bits-2));
res += 1LL << (3*(bits-2));
+ /* Does block tree limit file size? */
+ if (res < upper_limit)
+ goto check_lfs;
+
+ res = upper_limit;
+ /* How many metadata blocks are needed for addressing upper_limit? */
+ upper_limit -= EXT2_NDIR_BLOCKS;
+ /* indirect blocks */
+ meta_blocks = 1;
+ upper_limit -= ppb;
+ /* double indirect blocks */
+ if (upper_limit < ppb * ppb) {
+ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb);
+ res -= meta_blocks;
+ goto check_lfs;
+ }
+ meta_blocks += 1 + ppb;
+ upper_limit -= ppb * ppb;
+ /* tripple indirect blocks for the rest */
+ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) +
+ DIV_ROUND_UP(upper_limit, ppb*ppb);
+ res -= meta_blocks;
+check_lfs:
res <<= bits;
- if (res > upper_limit)
- res = upper_limit;
-
if (res > MAX_LFS_FILESIZE)
res = MAX_LFS_FILESIZE;
[PATCH 3.16 040/129] tty: ipwireless: Fix potential NULL pointer dereference
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: YueHaibing
commit 7dd50e205b3348dc7784efbdf85723551de64a25 upstream.
There is a potential NULL pointer dereference in case
alloc_ctrl_packet() fails and returns NULL.
Fixes: 099dc4fb6265 ("ipwireless: driver for PC Card 3G/UMTS modem")
Signed-off-by: YueHaibing
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/tty/ipwireless/hardware.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/tty/ipwireless/hardware.c
+++ b/drivers/tty/ipwireless/hardware.c
@@ -1515,6 +1515,8 @@ static void ipw_send_setup_packet(struct
sizeof(struct ipw_setup_get_version_query_packet),
ADDR_SETUP_PROT, TL_PROTOCOLID_SETUP,
TL_SETUP_SIGNO_GET_VERSION_QRY);
+ if (!ver_packet)
+ return;
ver_packet->header.length = sizeof(struct tl_setup_get_version_qry);
/*
[PATCH 3.16 050/129] crypto: ahash - fix another early termination in hash walk
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream.
Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and
"michael_mic", fail the improved hash tests because they sometimes
produce the wrong digest. The bug is that in the case where a
scatterlist element crosses pages, not all the data is actually hashed
because the scatterlist walk terminates too early. This happens because
the 'nbytes' variable in crypto_hash_walk_done() is assigned the number
of bytes remaining in the page, then later interpreted as the number of
bytes remaining in the scatterlist element. Fix it.
Fixes: 900a081f6912 ("crypto: ahash - Fix early termination in hash walk")
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
crypto/ahash.c | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -84,17 +84,17 @@ static int hash_walk_new_entry(struct cr
int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err)
{
unsigned int alignmask = walk->alignmask;
- unsigned int nbytes = walk->entrylen;
walk->data -= walk->offset;
- if (nbytes && walk->offset & alignmask && !err) {
- walk->offset = ALIGN(walk->offset, alignmask + 1);
- nbytes = min(nbytes,
-((unsigned int)(PAGE_SIZE)) - walk->offset);
- walk->entrylen -= nbytes;
+ if (walk->entrylen && (walk->offset & alignmask) && !err) {
+ unsigned int nbytes;
+ walk->offset = ALIGN(walk->offset, alignmask + 1);
+ nbytes = min(walk->entrylen,
+(unsigned int)(PAGE_SIZE - walk->offset));
if (nbytes) {
+ walk->entrylen -= nbytes;
walk->data += walk->offset;
return nbytes;
}
@@ -114,7 +114,7 @@ int crypto_hash_walk_done(struct crypto_
if (err)
return err;
- if (nbytes) {
+ if (walk->entrylen) {
walk->offset = 0;
walk->pg++;
return hash_walk_next(walk);
[PATCH 3.16 034/129] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Buland Singh
commit 24d48a61f230da130cc2ec2e526eacf229e3 upstream.
Commit '3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for
user processes")' introduced a new kernel command line parameter hpet_mmap,
that is required to expose the memory map of the HPET registers to
user-space. Unfortunately the kernel command line parameter 'hpet_mmap' is
broken and never takes effect due to missing '=' character in the __setup()
code of hpet_mmap_enable.
Before this patch:
dmesg output with the kernel command line parameter hpet_mmap=1
[0.204152] HPET mmap disabled
dmesg output with the kernel command line parameter hpet_mmap=0
[0.204192] HPET mmap disabled
After this patch:
dmesg output with the kernel command line parameter hpet_mmap=1
[0.203945] HPET mmap enabled
dmesg output with the kernel command line parameter hpet_mmap=0
[0.204652] HPET mmap disabled
Fixes: 3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for user
processes")
Signed-off-by: Buland Singh
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/char/hpet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/hpet.c
+++ b/drivers/char/hpet.c
@@ -377,7 +377,7 @@ static __init int hpet_mmap_enable(char
pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled");
return 1;
}
-__setup("hpet_mmap", hpet_mmap_enable);
+__setup("hpet_mmap=", hpet_mmap_enable);
static int hpet_mmap(struct file *file, struct vm_area_struct *vma)
{
[PATCH 3.16 054/129] bcache: never writeback a discard operation
/msg06996.html
Previous reports:
- https://bugzilla.kernel.org/show_bug.cgi?id=201051
- https://bugzilla.kernel.org/show_bug.cgi?id=196103
- https://www.spinics.net/lists/linux-bcache/msg06885.html
(Coly Li: minor modification to follow maximum 75 chars per line rule)
Cc: Kent Overstreet
Fixes: 72c270612bd3 ("bcache: Write out full stripes")
Signed-off-by: Daniel Axtens
Signed-off-by: Coly Li
Signed-off-by: Jens Axboe
[bwh: Backported to 3.16: check REQ_DISCARD flag instead of calling bio_op()]
Signed-off-by: Ben Hutchings
---
drivers/md/bcache/writeback.h | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -68,6 +68,9 @@ static inline bool should_writeback(stru
in_use > CUTOFF_WRITEBACK_SYNC)
return false;
+ if (bio->bi_rw & REQ_DISCARD)
+ return false;
+
if (dc->partial_stripes_expensive &&
bcache_dev_stripe_dirty(dc, bio->bi_iter.bi_sector,
bio_sectors(bio)))
[PATCH 3.16 047/129] rtc: ds1672: fix unintended sign extension
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Colin Ian King
commit f0c04c276739ed8acbb41b4868e942a55b128dca upstream.
Shifting a u8 by 24 will cause the value to be promoted to an integer. If
the top bit of the u8 is set then the following conversion to an unsigned
long will sign extend the value causing the upper 32 bits to be set in
the result.
Fix this by casting the u8 value to an unsigned long before the shift.
Detected by CoverityScan, CID#138801 ("Unintended sign extension")
Fixes: edf1aaa31fc5 ("[PATCH] RTC subsystem: DS1672 driver")
Signed-off-by: Colin Ian King
Signed-off-by: Alexandre Belloni
Signed-off-by: Ben Hutchings
---
drivers/rtc/rtc-ds1672.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/rtc/rtc-ds1672.c
+++ b/drivers/rtc/rtc-ds1672.c
@@ -60,7 +60,8 @@ static int ds1672_get_datetime(struct i2
"%s: raw read data - counters=%02x,%02x,%02x,%02x\n",
__func__, buf[0], buf[1], buf[2], buf[3]);
- time = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+ time = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
+ (buf[1] << 8) | buf[0];
rtc_time_to_tm(time, tm);
[PATCH 3.16 044/129] crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ard Biesheuvel
commit eaf46edf6ea89675bd36245369c8de5063a0272c upstream.
The NEON MAC calculation routine fails to handle the case correctly
where there is some data in the buffer, and the input fills it up
exactly. In this case, we enter the loop at the end with w8 == 0,
while a negative value is assumed, and so the loop carries on until
the increment of the 32-bit counter wraps around, which is quite
obviously wrong.
So omit the loop altogether in this case, and exit right away.
Reported-by: Eric Biggers
Fixes: a3fd82105b9d1 ("arm64/crypto: AES in CCM mode using ARMv8 Crypto ...")
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
arch/arm64/crypto/aes-ce-ccm-core.S | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/arch/arm64/crypto/aes-ce-ccm-core.S
+++ b/arch/arm64/crypto/aes-ce-ccm-core.S
@@ -74,12 +74,13 @@ ENTRY(ce_aes_ccm_auth_data)
beq 10f
ext v0.16b, v0.16b, v0.16b, #1 /* rotate out the mac bytes */
b 7b
-8: mov w7, w8
+8: cbz w8, 91f
+ mov w7, w8
add w8, w8, #16
9: ext v1.16b, v1.16b, v1.16b, #1
addsw7, w7, #1
bne 9b
- eor v0.16b, v0.16b, v1.16b
+91:eor v0.16b, v0.16b, v1.16b
st1 {v0.16b}, [x0]
10:str w8, [x3]
ret
[PATCH 3.16 056/129] jbd2: clear dirty flag when revoking a buffer from an older transaction
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: "zhangyi (F)"
commit 904cdbd41d749a476863a0ca41f6f396774f26e4 upstream.
Now, we capture a data corruption problem on ext4 while we're truncating
an extent index block. Imaging that if we are revoking a buffer which
has been journaled by the committing transaction, the buffer's jbddirty
flag will not be cleared in jbd2_journal_forget(), so the commit code
will set the buffer dirty flag again after refile the buffer.
fsx kjournald2
jbd2_journal_commit_transaction
jbd2_journal_revokecommit phase 1~5...
jbd2_journal_forget
belongs to older transactioncommit phase 6
jbddirty not clear __jbd2_journal_refile_buffer
__jbd2_journal_unfile_buffer
test_clear_buffer_jbddirty
mark_buffer_dirty
Finally, if the freed extent index block was allocated again as data
block by some other files, it may corrupt the file data after writing
cached pages later, such as during unmount time. (In general,
clean_bdev_aliases() related helpers should be invoked after
re-allocation to prevent the above corruption, but unfortunately we
missed it when zeroout the head of extra extent blocks in
ext4_ext_handle_unwritten_extents()).
This patch mark buffer as freed and set j_next_transaction to the new
transaction when it already belongs to the committing transaction in
jbd2_journal_forget(), so that commit code knows it should clear dirty
bits when it is done with the buffer.
This problem can be reproduced by xfstests generic/455 easily with
seeds (3246 3247 3248 3249).
Signed-off-by: zhangyi (F)
Signed-off-by: Theodore Ts'o
Reviewed-by: Jan Kara
Signed-off-by: Ben Hutchings
---
fs/jbd2/transaction.c | 17 -
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1479,14 +1479,21 @@ int jbd2_journal_forget (handle_t *handl
/* However, if the buffer is still owned by a prior
* (committing) transaction, we can't drop it yet... */
JBUFFER_TRACE(jh, "belongs to older transaction");
- /* ... but we CAN drop it from the new transaction if we
-* have also modified it since the original commit. */
+ /* ... but we CAN drop it from the new transaction through
+* marking the buffer as freed and set j_next_transaction to
+* the new transaction, so that not only the commit code
+* knows it should clear dirty bits when it is done with the
+* buffer, but also the buffer can be checkpointed only
+* after the new transaction commits. */
- if (jh->b_next_transaction) {
- J_ASSERT(jh->b_next_transaction == transaction);
+ set_buffer_freed(bh);
+
+ if (!jh->b_next_transaction) {
spin_lock(>j_list_lock);
- jh->b_next_transaction = NULL;
+ jh->b_next_transaction = transaction;
spin_unlock(>j_list_lock);
+ } else {
+ J_ASSERT(jh->b_next_transaction == transaction);
/*
* only drop a reference if this transaction modified
[PATCH 3.16 058/129] ext4: update quota information while swapping boot loader inode
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: yangerkun
commit aa507b5faf38784defe49f5e64605ac3c4425e26 upstream.
While do swap between two inode, they swap i_data without update
quota information. Also, swap_inode_boot_loader can do "revert"
somtimes, so update the quota while all operations has been finished.
Signed-off-by: yangerkun
Signed-off-by: Theodore Ts'o
[bwh: Backported to 3.16:
- Include
- dquot_initialize() does not return an erro
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -14,6 +14,7 @@
#include
#include
#include
+#include
#include
#include "ext4_jbd2.h"
#include "ext4.h"
@@ -66,9 +67,6 @@ static void swap_inode_data(struct inode
memswap(>i_version, >i_version,
sizeof(inode1->i_version));
- memswap(>i_blocks, >i_blocks,
- sizeof(inode1->i_blocks));
- memswap(>i_bytes, >i_bytes, sizeof(inode1->i_bytes));
memswap(>i_atime, >i_atime, sizeof(inode1->i_atime));
memswap(>i_mtime, >i_mtime, sizeof(inode1->i_mtime));
@@ -117,6 +115,9 @@ static long swap_inode_boot_loader(struc
struct inode *inode_bl;
struct ext4_inode_info *ei_bl;
struct ext4_sb_info *sbi = EXT4_SB(sb);
+ qsize_t size, size_bl, diff;
+ blkcnt_t blocks;
+ unsigned short bytes;
inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL);
if (IS_ERR(inode_bl))
@@ -179,6 +180,11 @@ static long swap_inode_boot_loader(struc
memset(ei_bl->i_data, 0, sizeof(ei_bl->i_data));
}
+ dquot_initialize(inode);
+
+ size = (qsize_t)(inode->i_blocks) * (1 << 9) + inode->i_bytes;
+ size_bl = (qsize_t)(inode_bl->i_blocks) * (1 << 9) + inode_bl->i_bytes;
+ diff = size - size_bl;
swap_inode_data(inode, inode_bl);
inode->i_ctime = inode_bl->i_ctime = ext4_current_time(inode);
@@ -194,24 +200,46 @@ static long swap_inode_boot_loader(struc
err = ext4_mark_inode_dirty(handle, inode);
if (err < 0) {
+ /* No need to update quota information. */
ext4_warning(inode->i_sb,
"couldn't mark inode #%lu dirty (err %d)",
inode->i_ino, err);
/* Revert all changes: */
swap_inode_data(inode, inode_bl);
ext4_mark_inode_dirty(handle, inode);
- } else {
- err = ext4_mark_inode_dirty(handle, inode_bl);
- if (err < 0) {
- ext4_warning(inode_bl->i_sb,
- "couldn't mark inode #%lu dirty (err %d)",
- inode_bl->i_ino, err);
- /* Revert all changes: */
- swap_inode_data(inode, inode_bl);
- ext4_mark_inode_dirty(handle, inode);
- ext4_mark_inode_dirty(handle, inode_bl);
- }
+ goto err_out1;
}
+
+ blocks = inode_bl->i_blocks;
+ bytes = inode_bl->i_bytes;
+ inode_bl->i_blocks = inode->i_blocks;
+ inode_bl->i_bytes = inode->i_bytes;
+ err = ext4_mark_inode_dirty(handle, inode_bl);
+ if (err < 0) {
+ /* No need to update quota information. */
+ ext4_warning(inode_bl->i_sb,
+ "couldn't mark inode #%lu dirty (err %d)",
+ inode_bl->i_ino, err);
+ goto revert;
+ }
+
+ /* Bootloader inode should not be counted into quota information. */
+ if (diff > 0)
+ dquot_free_space(inode, diff);
+ else
+ err = dquot_alloc_space(inode, -1 * diff);
+
+ if (err < 0) {
+revert:
+ /* Revert all changes: */
+ inode_bl->i_blocks = blocks;
+ inode_bl->i_bytes = bytes;
+ swap_inode_data(inode, inode_bl);
+ ext4_mark_inode_dirty(handle, inode);
+ ext4_mark_inode_dirty(handle, inode_bl);
+ }
+
+err_out1:
ext4_journal_stop(handle);
ext4_double_up_write_data_sem(inode, inode_bl);
[PATCH 3.16 055/129] bcache: treat stale && dirty keys as bad keys
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Tang Junhui
commit 58ac323084ebf44f8470eeb8b82660f9d0ee3689 upstream.
Stale && dirty keys can be produced in the follow way:
After writeback in write_dirty_finish(), dirty keys k1 will
replace by clean keys k2
==>ret = bch_btree_insert(dc->disk.c, , NULL, >key);
==>btree_insert_fn(struct btree_op *b_op, struct btree *b)
==>static int bch_btree_insert_node(struct btree *b,
struct btree_op *op,
struct keylist *insert_keys,
atomic_t *journal_ref,
Then two steps:
A) update k1 to k2 in btree node memory;
bch_btree_insert_keys(b, op, insert_keys, replace_key)
B) Write the bset(contains k2) to cache disk by a 30s delay work
bch_btree_leaf_dirty(b, journal_ref).
But before the 30s delay work write the bset to cache device,
these things happened:
A) GC works, and reclaim the bucket k2 point to;
B) Allocator works, and invalidate the bucket k2 point to,
and increase the gen of the bucket, and place it into free_inc
fifo;
C) Until now, the 30s delay work still does not finish work,
so in the disk, the key still is k1, it is dirty and stale
(its gen is smaller than the gen of the bucket). and then the
machine power off suddenly happens;
D) When the machine power on again, after the btree reconstruction,
the stale dirty key appear.
In bch_extent_bad(), when expensive_debug_checks is off, it would
treat the dirty key as good even it is stale keys, and it would
cause bellow probelms:
A) In read_dirty() it would cause machine crash:
BUG_ON(ptr_stale(dc->disk.c, >key, 0));
B) It could be worse when reads hits stale dirty keys, it would
read old incorrect data.
This patch tolerate the existence of these stale && dirty keys,
and treat them as bad key in bch_extent_bad().
(Coly Li: fix indent which was modified by sender's email client)
Signed-off-by: Tang Junhui
Signed-off-by: Coly Li
Signed-off-by: Jens Axboe
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/md/bcache/extents.c | 13 +++--
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/md/bcache/extents.c
+++ b/drivers/md/bcache/extents.c
@@ -530,6 +530,7 @@ static bool bch_extent_bad(struct btree_
struct btree *b = container_of(bk, struct btree, keys);
struct bucket *g;
unsigned i, stale;
+ char buf[80];
if (!KEY_PTRS(k) ||
bch_extent_invalid(bk, k))
@@ -539,20 +540,20 @@ static bool bch_extent_bad(struct btree_
if (!ptr_available(b->c, k, i))
return true;
- if (!expensive_debug_checks(b->c) && KEY_DIRTY(k))
- return false;
-
for (i = 0; i < KEY_PTRS(k); i++) {
g = PTR_BUCKET(b->c, k, i);
stale = ptr_stale(b->c, k, i);
+ if (stale && KEY_DIRTY(k)) {
+ bch_extent_to_text(buf, sizeof(buf), k);
+ pr_info("stale dirty pointer, stale %u, key: %s",
+ stale, buf);
+ }
+
btree_bug_on(stale > 96, b,
"key too stale: %i, need_gc %u",
stale, b->c->need_gc);
- btree_bug_on(stale && KEY_DIRTY(k) && KEY_SIZE(k),
-b, "stale dirty pointer");
-
if (stale)
return true;
[PATCH 3.16 064/129] iscsi_ibft: Fix missing break in switch statement
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Gustavo A. R. Silva"
commit df997abeebadaa4824271009e2d2b526a70a11cb upstream.
Add missing break statement in order to prevent the code from falling
through to case ISCSI_BOOT_TGT_NAME, which is unnecessary.
This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.
Fixes: b33a84a38477 ("ibft: convert iscsi_ibft module to iscsi boot lib")
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Ben Hutchings
---
drivers/firmware/iscsi_ibft.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/firmware/iscsi_ibft.c
+++ b/drivers/firmware/iscsi_ibft.c
@@ -503,6 +503,7 @@ static umode_t __init ibft_check_tgt_for
case ISCSI_BOOT_TGT_NIC_ASSOC:
case ISCSI_BOOT_TGT_CHAP_TYPE:
rc = S_IRUGO;
+ break;
case ISCSI_BOOT_TGT_NAME:
if (tgt->tgt_name_len)
rc = S_IRUGO;
[PATCH 3.16 067/129] serial: 8250_pci: Fix number of ports for ACCES serial cards
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jay Dolan
commit b896b03bc7fce43a07012cc6bf5e2ab2fddf3364 upstream.
Have the correct number of ports created for ACCES serial cards. Two port
cards show up as four ports, and four port cards show up as eight.
Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal
serial cards")
Signed-off-by: Jay Dolan
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/tty/serial/8250/8250_pci.c | 36 +++---
1 file changed, 18 insertions(+), 18 deletions(-)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -4943,10 +4943,10 @@ static struct pci_device_id serial_pci_t
*/
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
pbn_pericom_PI7C9X7954 },
@@ -4955,10 +4955,10 @@ static struct pci_device_id serial_pci_t
pbn_pericom_PI7C9X7954 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
pbn_pericom_PI7C9X7954 },
@@ -4967,10 +4967,10 @@ static struct pci_device_id serial_pci_t
pbn_pericom_PI7C9X7954 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
pbn_pericom_PI7C9X7954 },
@@ -4979,13 +4979,13 @@ static struct pci_device_id serial_pci_t
pbn_pericom_PI7C9X7954 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7951 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
pbn_pericom_PI7C9X7954 },
@@ -4994,16 +4994,16 @@ static struct pci_device_id serial_pci_t
pbn_pericom_PI7C9X7954 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
pbn_pericom_PI7C9X7954 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_PI7C9X7952 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
pbn_pericom_PI7C9X7954 },
@@ -5012,13 +5012,13 @@ static struct pci_device_id serial_pci_t
pbn_pericom_PI7C9X7954 },
{ PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM,
PCI_ANY_ID, PCI_ANY_ID, 0, 0,
- pbn_pericom_PI7C9X7954 },
+ pbn_pericom_
[PATCH 3.16 066/129] tpm: Fix off-by-one when reading binary_bios_measurements
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jia Zhang
commit 64494d39ff630a63b5308042b20132b491e3706b upstream.
It is unable to read the entry when it is the only one in
binary_bios_measurements:
00 00 00 00 08 00 00 00 c4 2f ed ad 26 82 00 cb
0010 1d 15 f9 78 41 c3 44 e7 9d ae 33 20 00 00 00 00
0020
This is obviously a firmware problem on my linux machine:
Manufacturer: Inspur
Product Name: SA5212M4
Version: 01
However, binary_bios_measurements should return it any way,
rather than nothing, after all its content is completely
valid.
Fixes: 55a82ab3181b ("tpm: add bios measurement log")
Signed-off-by: Jia Zhang
Reviewd-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
[bwh: Backported to 3.16:
- Fix an additional comparison in tpm1_bios_measurements_start()
- Adjust filename, context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/char/tpm/tpm_eventlog.c
+++ b/drivers/char/tpm/tpm_eventlog.c
@@ -81,7 +81,7 @@ static void *tpm_bios_measurements_start
for (i = 0; i < *pos; i++) {
event = addr;
- if ((addr + sizeof(struct tcpa_event)) < limit) {
+ if ((addr + sizeof(struct tcpa_event)) <= limit) {
if (event->event_type == 0 && event->event_size == 0)
return NULL;
addr += sizeof(struct tcpa_event) + event->event_size;
@@ -89,13 +89,13 @@ static void *tpm_bios_measurements_start
}
/* now check if current entry is valid */
- if ((addr + sizeof(struct tcpa_event)) >= limit)
+ if ((addr + sizeof(struct tcpa_event)) > limit)
return NULL;
event = addr;
if ((event->event_type == 0 && event->event_size == 0) ||
- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
+ ((addr + sizeof(struct tcpa_event) + event->event_size) > limit))
return NULL;
return addr;
@@ -111,7 +111,7 @@ static void *tpm_bios_measurements_next(
v += sizeof(struct tcpa_event) + event->event_size;
/* now check if current entry is valid */
- if ((v + sizeof(struct tcpa_event)) >= limit)
+ if ((v + sizeof(struct tcpa_event)) > limit)
return NULL;
event = v;
@@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next(
return NULL;
if ((event->event_type == 0 && event->event_size == 0) ||
- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
+ ((v + sizeof(struct tcpa_event) + event->event_size) > limit))
return NULL;
(*pos)++;
[PATCH 3.16 053/129] rtc: pm8xxx: fix unintended sign extension
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Colin Ian King
commit e42280886018c6f77f0a90190f7cba344b0df3e0 upstream.
Shifting a u8 by 24 will cause the value to be promoted to an integer. If
the top bit of the u8 is set then the following conversion to an unsigned
long will sign extend the value causing the upper 32 bits to be set in
the result.
Fix this by casting the u8 value to an unsigned long before the shift.
Detected by CoverityScan, CID#1309693 ("Unintended sign extension")
Fixes: 9a9a54ad7aa2 ("drivers/rtc: add support for Qualcomm PMIC8xxx RTC")
Signed-off-by: Colin Ian King
Signed-off-by: Alexandre Belloni
Signed-off-by: Ben Hutchings
---
drivers/rtc/rtc-pm8xxx.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/rtc/rtc-pm8xxx.c
+++ b/drivers/rtc/rtc-pm8xxx.c
@@ -175,7 +175,8 @@ static int pm8xxx_rtc_read_time(struct d
}
}
- secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24);
+ secs = value[0] | (value[1] << 8) | (value[2] << 16) |
+ ((unsigned long)value[3] << 24);
rtc_time_to_tm(secs, tm);
@@ -253,7 +254,8 @@ static int pm8xxx_rtc_read_alarm(struct
return rc;
}
- secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24);
+ secs = value[0] | (value[1] << 8) | (value[2] << 16) |
+ ((unsigned long)value[3] << 24);
rtc_time_to_tm(secs, >time);
[PATCH 3.16 065/129] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jarkko Sakkinen
commit 442601e87a4769a8daba4976ec3afa5222ca211d upstream.
Return -E2BIG when the transfer is incomplete. The upper layer does
not retry, so not doing that is incorrect behaviour.
Fixes: a2871c62e186 ("tpm: Add support for Atmel I2C TPMs")
Signed-off-by: Jarkko Sakkinen
Reviewed-by: Stefan Berger
Reviewed-by: Jerry Snitselaar
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/char/tpm/tpm_i2c_atmel.c
+++ b/drivers/char/tpm/tpm_i2c_atmel.c
@@ -65,7 +65,14 @@ static int i2c_atmel_send(struct tpm_chi
dev_dbg(chip->dev,
"%s(buf=%*ph len=%0zx) -> sts=%d\n", __func__,
(int)min_t(size_t, 64, len), buf, len, status);
- return status;
+ if (status < 0)
+ return status;
+
+ /* The upper layer does not support incomplete sends. */
+ if (status != len)
+ return -E2BIG;
+
+ return 0;
}
static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
[PATCH 3.16 061/129] pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Geert Uytterhoeven
commit a4b0350047f1b10207e25e72d7cd3f7826e93769 upstream.
The entry for "scifb2_data_c" in the SCIFB2 pin group array contains a
typo, thus the group cannot be selected.
Fixes: 5088451962389924 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Geert Uytterhoeven
Reviewed-by: Simon Horman
Signed-off-by: Ben Hutchings
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -4433,7 +4433,7 @@ static const char * const scifb2_groups[
"scifb2_data_b",
"scifb2_clk_b",
"scifb2_ctrl_b",
- "scifb0_data_c",
+ "scifb2_data_c",
"scifb2_clk_c",
"scifb2_data_d",
};
[PATCH 3.16 069/129] leds: lp55xx: fix null deref on firmware load failure
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Michal Kazior
commit 5ddb0869bfc1bca6cfc592c74c64a026f936638c upstream.
I've stumbled upon a kernel crash and the logs
pointed me towards the lp5562 driver:
> <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with
> error -2
> <4>[306013.894990] lp5562 0-0030: Falling back to user helper
> ...
> <3>[306073.924886] lp5562 0-0030: firmware request failed
> <1>[306073.939456] Unable to handle kernel NULL pointer dereference at
> virtual address
> <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58
> <4>[306074.255539] LR is at release_firmware+0x6c/0x138
> ...
After taking a look I noticed firmware_release()
could be called with either NULL or a dangling
pointer.
Fixes: 10c06d178df11 ("leds-lp55xx: support firmware interface")
Signed-off-by: Michal Kazior
Signed-off-by: Jacek Anaszewski
Signed-off-by: Ben Hutchings
---
drivers/leds/leds-lp55xx-common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/leds/leds-lp55xx-common.c
+++ b/drivers/leds/leds-lp55xx-common.c
@@ -214,7 +214,7 @@ static void lp55xx_firmware_loaded(const
if (!fw) {
dev_err(dev, "firmware request failed\n");
- goto out;
+ return;
}
/* handling firmware data is chip dependent */
@@ -227,9 +227,9 @@ static void lp55xx_firmware_loaded(const
mutex_unlock(>lock);
-out:
/* firmware should be released for other channel use */
release_firmware(chip->fw);
+ chip->fw = NULL;
}
static int lp55xx_request_firmware(struct lp55xx_chip *chip)
[PATCH 3.16 079/129] irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Doug Berger
commit 33517881ede742107f416533b8c3e4abc56763da upstream.
Using the irq_gc_lock/irq_gc_unlock functions in the suspend and
resume functions creates the opportunity for a deadlock during
suspend, resume, and shutdown. Using the irq_gc_lock_irqsave/
irq_gc_unlock_irqrestore variants prevents this possible deadlock.
Fixes: 7f646e92766e2 ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2
interrupt controller")
Signed-off-by: Doug Berger
Signed-off-by: Florian Fainelli
[maz: tidied up $SUBJECT]
Signed-off-by: Marc Zyngier
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/irqchip/irq-brcmstb-l2.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/irqchip/irq-brcmstb-l2.c
+++ b/drivers/irqchip/irq-brcmstb-l2.c
@@ -82,8 +82,9 @@ static void brcmstb_l2_intc_suspend(stru
{
struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
struct brcmstb_l2_intc_data *b = gc->private;
+ unsigned long flags;
- irq_gc_lock(gc);
+ irq_gc_lock_irqsave(gc, flags);
/* Save the current mask */
b->saved_mask = __raw_readl(b->base + CPU_MASK_STATUS);
@@ -92,22 +93,23 @@ static void brcmstb_l2_intc_suspend(stru
__raw_writel(~gc->wake_active, b->base + CPU_MASK_SET);
__raw_writel(gc->wake_active, b->base + CPU_MASK_CLEAR);
}
- irq_gc_unlock(gc);
+ irq_gc_unlock_irqrestore(gc, flags);
}
static void brcmstb_l2_intc_resume(struct irq_data *d)
{
struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
struct brcmstb_l2_intc_data *b = gc->private;
+ unsigned long flags;
- irq_gc_lock(gc);
+ irq_gc_lock_irqsave(gc, flags);
/* Clear unmasked non-wakeup interrupts */
__raw_writel(~b->saved_mask & ~gc->wake_active, b->base + CPU_CLEAR);
/* Restore the saved mask */
__raw_writel(b->saved_mask, b->base + CPU_MASK_SET);
__raw_writel(~b->saved_mask, b->base + CPU_MASK_CLEAR);
- irq_gc_unlock(gc);
+ irq_gc_unlock_irqrestore(gc, flags);
}
int __init brcmstb_l2_intc_of_init(struct device_node *np,
[PATCH 3.16 080/129] powerpc/83xx: Also save/restore SPRG4-7 during suspend
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Christophe Leroy
commit 36da5ff0bea2dc67298150ead8d8471575c54c7d upstream.
The 83xx has 8 SPRG registers and uses at least SPRG4
for DTLB handling LRU.
Fixes: 2319f1239592 ("powerpc/mm: e300c2/c3/c4 TLB errata workaround")
Signed-off-by: Christophe Leroy
Signed-off-by: Michael Ellerman
Signed-off-by: Ben Hutchings
---
arch/powerpc/platforms/83xx/suspend-asm.S | 34 ++-
1 file changed, 27 insertions(+), 7 deletions(-)
--- a/arch/powerpc/platforms/83xx/suspend-asm.S
+++ b/arch/powerpc/platforms/83xx/suspend-asm.S
@@ -26,13 +26,13 @@
#define SS_MSR 0x74
#define SS_SDR10x78
#define SS_LR 0x7c
-#define SS_SPRG0x80 /* 4 SPRGs */
-#define SS_DBAT0x90 /* 8 DBATs */
-#define SS_IBAT0xd0 /* 8 IBATs */
-#define SS_TB 0x110
-#define SS_CR 0x118
-#define SS_GPREG 0x11c /* r12-r31 */
-#define STATE_SAVE_SIZE 0x16c
+#define SS_SPRG0x80 /* 8 SPRGs */
+#define SS_DBAT0xa0 /* 8 DBATs */
+#define SS_IBAT0xe0 /* 8 IBATs */
+#define SS_TB 0x120
+#define SS_CR 0x128
+#define SS_GPREG 0x12c /* r12-r31 */
+#define STATE_SAVE_SIZE 0x17c
.section .data
.align 5
@@ -103,6 +103,16 @@ _GLOBAL(mpc83xx_enter_deep_sleep)
stw r7, SS_SPRG+12(r3)
stw r8, SS_SDR1(r3)
+ mfspr r4, SPRN_SPRG4
+ mfspr r5, SPRN_SPRG5
+ mfspr r6, SPRN_SPRG6
+ mfspr r7, SPRN_SPRG7
+
+ stw r4, SS_SPRG+16(r3)
+ stw r5, SS_SPRG+20(r3)
+ stw r6, SS_SPRG+24(r3)
+ stw r7, SS_SPRG+28(r3)
+
mfspr r4, SPRN_DBAT0U
mfspr r5, SPRN_DBAT0L
mfspr r6, SPRN_DBAT1U
@@ -493,6 +503,16 @@ mpc83xx_deep_resume:
mtspr SPRN_IBAT7U, r6
mtspr SPRN_IBAT7L, r7
+ lwz r4, SS_SPRG+16(r3)
+ lwz r5, SS_SPRG+20(r3)
+ lwz r6, SS_SPRG+24(r3)
+ lwz r7, SS_SPRG+28(r3)
+
+ mtspr SPRN_SPRG4, r4
+ mtspr SPRN_SPRG5, r5
+ mtspr SPRN_SPRG6, r6
+ mtspr SPRN_SPRG7, r7
+
lwz r4, SS_SPRG+0(r3)
lwz r5, SS_SPRG+4(r3)
lwz r6, SS_SPRG+8(r3)
[PATCH 3.16 085/129] powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Aneesh Kumar K.V"
commit 3b4d07d2674f6b4a9281031f99d1f7efd325b16d upstream.
When doing top-down search the low_limit is not PAGE_SIZE but rather
max(PAGE_SIZE, mmap_min_addr). This handle cases in which mmap_min_addr >
PAGE_SIZE.
Fixes: fba2369e6ceb ("mm: use vm_unmapped_area() on powerpc architecture")
Reviewed-by: Laurent Dufour
Signed-off-by: Aneesh Kumar K.V
Signed-off-by: Michael Ellerman
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
arch/powerpc/mm/slice.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/arch/powerpc/mm/slice.c
+++ b/arch/powerpc/mm/slice.c
@@ -30,6 +30,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -313,6 +314,7 @@ static unsigned long slice_find_area_top
int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT);
unsigned long addr, found, prev;
struct vm_unmapped_area_info info;
+ unsigned long min_addr = max(PAGE_SIZE, mmap_min_addr);
info.flags = VM_UNMAPPED_AREA_TOPDOWN;
info.length = len;
@@ -320,7 +322,7 @@ static unsigned long slice_find_area_top
info.align_offset = 0;
addr = mm->mmap_base;
- while (addr > PAGE_SIZE) {
+ while (addr > min_addr) {
info.high_limit = addr;
if (!slice_scan_available(addr - 1, available, 0, ))
continue;
@@ -332,8 +334,8 @@ static unsigned long slice_find_area_top
* Check if we need to reduce the range, or if we can
* extend it to cover the previous available slice.
*/
- if (addr < PAGE_SIZE)
- addr = PAGE_SIZE;
+ if (addr < min_addr)
+ addr = min_addr;
else if (slice_scan_available(addr - 1, available, 0, )) {
addr = prev;
goto prev_slice;
@@ -415,7 +417,7 @@ unsigned long slice_get_unmapped_area(un
addr = _ALIGN_UP(addr, 1ul << pshift);
slice_dbg(" aligned addr=%lx\n", addr);
/* Ignore hint if it's too large or overlaps a VMA */
- if (addr > mm->task_size - len ||
+ if (addr > mm->task_size - len || addr < mmap_min_addr ||
!slice_area_is_free(mm, addr, len))
addr = 0;
}
[PATCH 3.16 081/129] powerpc/wii: properly disable use of BATs when requested.
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Christophe Leroy
commit 6d183ca8baec983dc4208ca45ece3c36763df912 upstream.
'nobats' kernel parameter or some options like CONFIG_DEBUG_PAGEALLOC
deny the use of BATS for mapping memory.
This patch makes sure that the specific wii RAM mapping function
takes it into account as well.
Fixes: de32400dd26e ("wii: use both mem1 and mem2 as ram")
Reviewed-by: Jonathan Neuschafer
Signed-off-by: Christophe Leroy
Signed-off-by: Michael Ellerman
Signed-off-by: Ben Hutchings
---
arch/powerpc/platforms/embedded6xx/wii.c | 4
1 file changed, 4 insertions(+)
--- a/arch/powerpc/platforms/embedded6xx/wii.c
+++ b/arch/powerpc/platforms/embedded6xx/wii.c
@@ -104,6 +104,10 @@ unsigned long __init wii_mmu_mapin_mem2(
/* MEM2 64MB@0x1000 */
delta = wii_hole_start + wii_hole_size;
size = top - delta;
+
+ if (__map_without_bats)
+ return delta;
+
for (bl = 128<<10; bl < max_size; bl <<= 1) {
if (bl * 2 > size)
break;
[PATCH 3.16 071/129] ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: "S.j. Wang"
commit cc29ea007347f39f4c5a4d27b0b555955a0277f9 upstream.
The ESAI_xCR_xWA is xCR's bit, not the xCCR's bit, driver set it to
wrong register, correct it.
Fixes 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver")
Signed-off-by: Shengjiu Wang
Reviewed-by: Fabio Estevam
Ackedy-by: Nicolin Chen
Signed-off-by: Mark Brown
Signed-off-by: Ben Hutchings
---
sound/soc/fsl/fsl_esai.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/sound/soc/fsl/fsl_esai.c
+++ b/sound/soc/fsl/fsl_esai.c
@@ -392,7 +392,8 @@ static int fsl_esai_set_dai_fmt(struct s
break;
case SND_SOC_DAIFMT_RIGHT_J:
/* Data on rising edge of bclk, frame high, right aligned */
- xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA;
+ xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP;
+ xcr |= ESAI_xCR_xWA;
break;
case SND_SOC_DAIFMT_DSP_A:
/* Data on rising edge of bclk, frame high, 1clk before data */
@@ -449,12 +450,12 @@ static int fsl_esai_set_dai_fmt(struct s
return -EINVAL;
}
- mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR;
+ mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA;
regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr);
regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr);
mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP |
- ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA;
+ ESAI_xCCR_xFSD | ESAI_xCCR_xCKD;
regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr);
regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr);
[PATCH 3.16 009/129] clk: vf610: fix refcount leak in vf610_clocks_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit 567177024e0313e4f0dcba7ba10c0732e50e655d upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Fixes: 1f2c5fd5f048 ("ARM: imx: add VF610 clock support")
Signed-off-by: Stephen Boyd
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
arch/arm/mach-imx/clk-vf610.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/mach-imx/clk-vf610.c
+++ b/arch/arm/mach-imx/clk-vf610.c
@@ -117,6 +117,7 @@ static void __init vf610_clocks_init(str
np = of_find_compatible_node(NULL, NULL, "fsl,vf610-anatop");
anatop_base = of_iomap(np, 0);
BUG_ON(!anatop_base);
+ of_node_put(np);
np = ccm_node;
ccm_base = of_iomap(np, 0);
[PATCH 3.16 068/129] serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jay Dolan
commit 78d3820b9bd39028727c6aab7297b63c093db343 upstream.
The four port Pericom chips have the fourth port at the wrong address.
Make use of quirk to fix it.
Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal
serial cards")
Signed-off-by: Jay Dolan
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/tty/serial/8250/8250_pci.c | 105 +
1 file changed, 105 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -2183,6 +2183,111 @@ static struct pci_serial_quirk pci_seria
.setup = pci_default_setup,
.exit = pci_plx9050_exit,
},
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
+ {
+ .vendor = PCI_VENDOR_ID_ACCESIO,
+ .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_pericom_setup,
+ },
/*
* SBS Te
[PATCH 3.16 076/129] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Takashi Iwai
commit 2757970f6d0d0a112247600b23d38c0c728ceeb3 upstream.
The node obtained from of_find_node_by_path() has to be unreferenced
after the use, but we forgot it for the root node.
Fixes: f0fba2ad1b6b ("ASoC: multi-component - ASoC Multi-Component Support")
Cc: Timur Tabi
Cc: Nicolin Chen
Cc: Xiubo Li
Cc: Fabio Estevam
Signed-off-by: Takashi Iwai
Acked-by: Nicolin Chen
Signed-off-by: Mark Brown
[bwh: Backported to 3.16:
- Move declaration of root to the top of the function as there is no
suitable block scope
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/sound/soc/fsl/fsl_ssi.c
+++ b/sound/soc/fsl/fsl_ssi.c
@@ -1229,6 +1229,7 @@ static int fsl_ssi_probe(struct platform
struct fsl_ssi_private *ssi_private;
int ret = 0;
struct device_node *np = pdev->dev.of_node;
+ struct device_node *root;
const struct of_device_id *of_id;
const char *p, *sprop;
const uint32_t *iprop;
@@ -1373,7 +1374,9 @@ static int fsl_ssi_probe(struct platform
* device tree. We also pass the address of the CPU DAI driver
* structure.
*/
- sprop = of_get_property(of_find_node_by_path("/"), "compatible", NULL);
+ root = of_find_node_by_path("/");
+ sprop = of_get_property(root, "compatible", NULL);
+ of_node_put(root);
/* Sometimes the compatible name has a "fsl," prefix, so we strip it. */
p = strrchr(sprop, ',');
if (p)
[PATCH 3.16 074/129] perf header: Fix wrong node write in NUMA_TOPOLOGY feature
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jiri Olsa
commit b00ccb27f97367d89e2d7b419ed198b0985be55d upstream.
We are currently passing the node index instead of the real node number.
Signed-off-by: Jiri Olsa
Acked-by: Namhyung Kim
Cc: Alexander Shishkin
Cc: Peter Zijlstra
Fixes: fbe96f29ce4b ("perf tools: Make perf.data more self-descriptive (v8)"
Link: http://lkml.kernel.org/r/20190219095815.15931-2-jo...@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
tools/perf/util/header.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/perf/util/header.c
+++ b/tools/perf/util/header.c
@@ -1009,7 +1009,7 @@ static int write_numa_topology(int fd, s
if (ret < 0)
break;
- ret = write_topo_node(fd, i);
+ ret = write_topo_node(fd, j);
if (ret < 0)
break;
}
[PATCH 3.16 060/129] parport_pc: fix find_superio io compare code, should use equal test.
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: QiaoChong
commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream.
In the original code before 181bf1e815a2 the loop was continuing until
it finds the first matching superios[i].io and p->base.
But after 181bf1e815a2 the logic changed and the loop now returns the
pointer to the first mismatched array element which is then used in
get_superio_dma() and get_superio_irq() and thus returning the wrong
value.
Fix the condition so that it now returns the correct pointer.
Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for")
Cc: Alan Cox
Signed-off-by: QiaoChong
[rewrite the commit message]
Signed-off-by: Sudip Mukherjee
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/parport/parport_pc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/parport/parport_pc.c
+++ b/drivers/parport/parport_pc.c
@@ -1377,7 +1377,7 @@ static struct superio_struct *find_super
{
int i;
for (i = 0; i < NR_SUPERIOS; i++)
- if (superios[i].io != p->base)
+ if (superios[i].io == p->base)
return [i];
return NULL;
}
[PATCH 3.16 072/129] cdc-wdm: pass return value of recover_from_urb_loss
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: YueHaibing
commit 0742a338f5b3446a26de551ad8273fb41b2787f2 upstream.
'rv' is the correct return value, pass it upstream instead of 0
Fixes: 17d80d562fd7 ("USB: autosuspend for cdc-wdm")
Signed-off-by: YueHaibing
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/usb/class/cdc-wdm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -1089,7 +1089,7 @@ static int wdm_post_reset(struct usb_int
rv = recover_from_urb_loss(desc);
mutex_unlock(>wlock);
mutex_unlock(>rlock);
- return 0;
+ return rv;
}
static struct usb_driver wdm_driver = {
[PATCH 3.16 078/129] fs/nfs: Fix nfs_parse_devname to not modify it's argument
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Eric W. Biederman"
commit 40cc394be1aa18848b8757e03bd8ed23281f572e upstream.
In the rare and unsupported case of a hostname list nfs_parse_devname
will modify dev_name. There is no need to modify dev_name as the all
that is being computed is the length of the hostname, so the computed
length can just be shorted.
Fixes: dc04589827f7 ("NFS: Use common device name parsing logic for NFSv4 and
NFSv2/v3")
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Trond Myklebust
Signed-off-by: Ben Hutchings
---
fs/nfs/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1893,7 +1893,7 @@ static int nfs_parse_devname(const char
/* kill possible hostname list: not supported */
comma = strchr(dev_name, ',');
if (comma != NULL && comma < end)
- *comma = 0;
+ len = comma - dev_name;
}
if (len > maxnamlen)
[PATCH 3.16 090/129] powerpc/powernv: Make opal log only readable by root
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jordan Niethe
commit 7b62f9bd2246b7d3d086e571397c14ba52645ef1 upstream.
Currently the opal log is globally readable. It is kernel policy to
limit the visibility of physical addresses / kernel pointers to root.
Given this and the fact the opal log may contain this information it
would be better to limit the readability to root.
Fixes: bfc36894a48b ("powerpc/powernv: Add OPAL message log interface")
Signed-off-by: Jordan Niethe
Reviewed-by: Stewart Smith
Reviewed-by: Andrew Donnellan
Signed-off-by: Michael Ellerman
Signed-off-by: Ben Hutchings
---
arch/powerpc/platforms/powernv/opal-msglog.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/powernv/opal-msglog.c
+++ b/arch/powerpc/platforms/powernv/opal-msglog.c
@@ -92,7 +92,7 @@ out:
}
static struct bin_attribute opal_msglog_attr = {
- .attr = {.name = "msglog", .mode = 0444},
+ .attr = {.name = "msglog", .mode = 0400},
.read = opal_msglog_read
};
[PATCH 3.16 095/129] powerpc/32: Clear on-stack exception marker upon exception return
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Christophe Leroy commit 9580b71b5a7863c24a9bd18bcd2ad759b86b1eff upstream. Clear the on-stack STACK_FRAME_REGS_MARKER on exception exit in order to avoid confusing stacktrace like the one below. Call Trace: [c0e9dca0] [c01c42a0] print_address_description+0x64/0x2bc (unreliable) [c0e9dcd0] [c01c4684] kasan_report+0xfc/0x180 [c0e9dd10] [c0895130] memchr+0x24/0x74 [c0e9dd30] [c00a9e38] msg_print_text+0x124/0x574 [c0e9dde0] [c00ab710] console_unlock+0x114/0x4f8 [c0e9de40] [c00adc60] vprintk_emit+0x188/0x1c4 --- interrupt: c0e9df00 at 0x400f330 LR = init_stack+0x1f00/0x2000 [c0e9de80] [c00ae3c4] printk+0xa8/0xcc (unreliable) [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108 [c0e9df50] [c0c15434] start_kernel+0x310/0x488 [c0e9dff0] [3484] 0x3484 With this patch the trace becomes: Call Trace: [c0e9dca0] [c01c42c0] print_address_description+0x64/0x2bc (unreliable) [c0e9dcd0] [c01c46a4] kasan_report+0xfc/0x180 [c0e9dd10] [c0895150] memchr+0x24/0x74 [c0e9dd30] [c00a9e58] msg_print_text+0x124/0x574 [c0e9dde0] [c00ab730] console_unlock+0x114/0x4f8 [c0e9de40] [c00adc80] vprintk_emit+0x188/0x1c4 [c0e9de80] [c00ae3e4] printk+0xa8/0xcc [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108 [c0e9df50] [c0c15434] start_kernel+0x310/0x488 [c0e9dff0] [3484] 0x3484 Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/kernel/entry_32.S | 9 + 1 file changed, 9 insertions(+) --- a/arch/powerpc/kernel/entry_32.S +++ b/arch/powerpc/kernel/entry_32.S @@ -757,6 +757,9 @@ fast_exception_return: mtcrr10 lwz r10,_LINK(r11) mtlrr10 + /* Clear the exception_marker on the stack to avoid confusing stacktrace */ + li r10, 0 + stw r10, 8(r11) REST_GPR(10, r11) mtspr SPRN_SRR1,r9 mtspr SPRN_SRR0,r12 @@ -987,6 +990,9 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRE mtcrf 0xFF,r10 mtlrr11 + /* Clear the exception_marker on the stack to avoid confusing stacktrace */ + li r10, 0 + stw r10, 8(r1) /* * Once we put values in SRR0 and SRR1, we are in a state * where exceptions are not recoverable, since taking an @@ -1024,6 +1030,9 @@ exc_exit_restart_end: mtlrr11 lwz r10,_CCR(r1) mtcrf 0xff,r10 + /* Clear the exception_marker on the stack to avoid confusing stacktrace */ + li r10, 0 + stw r10, 8(r1) REST_2GPRS(9, r1) .globl exc_exit_restart exc_exit_restart:
[PATCH 3.16 077/129] KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Sean Christopherson
commit ddfd1730fd829743e41213e32ccc8b4aa6dc8325 upstream.
When installing new memslots, KVM sets bit 0 of the generation number to
indicate that an update is in-progress. Until the update is complete,
there are no guarantees as to whether a vCPU will see the old or the new
memslots. Explicity prevent caching MMIO accesses so as to avoid using
an access cached from the old memslots after the new memslots have been
installed.
Note that it is unclear whether or not disabling caching during the
update window is strictly necessary as there is no definitive
documentation as to what ordering guarantees KVM provides with respect
to updating memslots. That being said, the MMIO spte code does not
allow reusing sptes created while an update is in-progress, and the
associated documentation explicitly states:
We do not want to use an MMIO sptes created with an odd generation
number, ... If KVM is unlucky and creates an MMIO spte while the
low bit is 1, the next access to the spte will always be a cache miss.
At the very least, disabling the per-vCPU MMIO cache during updates will
make its behavior consistent with the MMIO spte behavior and
documentation.
Fixes: 56f17dd3fbc4 ("kvm: x86: fix stale mmio cache bug")
Signed-off-by: Sean Christopherson
Signed-off-by: Paolo Bonzini
[
Signed-off-by: Ben Hutchings
---
arch/x86/kvm/x86.h | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -75,10 +75,15 @@ static inline u32 bit(int bitno)
static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu,
gva_t gva, gfn_t gfn, unsigned access)
{
+ u64 gen = kvm_memslots(vcpu->kvm)->generation;
+
+ if (unlikely(gen & 1))
+ return;
+
vcpu->arch.mmio_gva = gva & PAGE_MASK;
vcpu->arch.access = access;
vcpu->arch.mmio_gfn = gfn;
- vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation;
+ vcpu->arch.mmio_gen = gen;
}
static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu)
[PATCH 3.16 088/129] serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Lubomir Rintel commit f4817843e39ce78aace0195a57d4e8500a65a898 upstream. There are two other drivers that bind to mrvl,mmp-uart and both of them assume register shift of 2 bits. There are device trees that lack the property and rely on that assumption. If this driver wins the race to bind to those devices, it should behave the same as the older deprecated driver. Signed-off-by: Lubomir Rintel Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/tty/serial/of_serial.c | 4 1 file changed, 4 insertions(+) --- a/drivers/tty/serial/of_serial.c +++ b/drivers/tty/serial/of_serial.c @@ -93,6 +93,10 @@ static int of_platform_serial_setup(stru if (of_property_read_u32(np, "reg-offset", ) == 0) port->mapbase += prop; + /* Compatibility with the deprecated pxa driver and 8250_pxa drivers. */ + if (of_device_is_compatible(np, "mrvl,mmp-uart")) + port->regshift = 2; + /* Check for registers offset within the devices address range */ if (of_property_read_u32(np, "reg-shift", ) == 0) port->regshift = prop;
[PATCH 3.16 094/129] 9p: use inode->i_lock to protect i_size_write() under 32-bit
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Hou Tao
commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream.
Use inode->i_lock to protect i_size_write(), else i_size_read() in
generic_fillattr() may loop infinitely in read_seqcount_begin() when
multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl()
simultaneously under 32-bit SMP environment, and a soft lockup will be
triggered as show below:
watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217]
Modules linked in:
CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-5-g7f702faf5a9e #4
Hardware name: Generic DT based system
PC is at generic_fillattr+0x104/0x108
LR is at 0xec497f00
pc : [<802b8898>]lr : []psr: 200c0013
sp : ec497e20 ip : ed608030 fp : ec497e3c
r10: r9 : ec497f00 r8 : ed608030
r7 : ec497ebc r6 : ec497f00 r5 : ee5c1550 r4 : ee005780
r3 : 052d r2 : r1 : ec497f00 r0 : ed608030
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: ac48006a DAC: 0051
CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-5-g7f702faf5a9e #4
Hardware name: Generic DT based system
Backtrace:
[<8010d974>] (dump_backtrace) from [<8010dc88>] (show_stack+0x20/0x24)
[<8010dc68>] (show_stack) from [<80a1d194>] (dump_stack+0xb0/0xdc)
[<80a1d0e4>] (dump_stack) from [<80109f34>] (show_regs+0x1c/0x20)
[<80109f18>] (show_regs) from [<801d0a80>] (watchdog_timer_fn+0x280/0x2f8)
[<801d0800>] (watchdog_timer_fn) from [<80198658>]
(__hrtimer_run_queues+0x18c/0x380)
[<801984cc>] (__hrtimer_run_queues) from [<80198e60>]
(hrtimer_run_queues+0xb8/0xf0)
[<80198da8>] (hrtimer_run_queues) from [<801973e8>]
(run_local_timers+0x28/0x64)
[<801973c0>] (run_local_timers) from [<80197460>]
(update_process_times+0x3c/0x6c)
[<80197424>] (update_process_times) from [<801ab2b8>]
(tick_nohz_handler+0xe0/0x1bc)
[<801ab1d8>] (tick_nohz_handler) from [<80843050>]
(arch_timer_handler_virt+0x38/0x48)
[<80843018>] (arch_timer_handler_virt) from [<80180a64>]
(handle_percpu_devid_irq+0x8c/0x240)
[<801809d8>] (handle_percpu_devid_irq) from [<8017ac20>]
(generic_handle_irq+0x34/0x44)
[<8017abec>] (generic_handle_irq) from [<8017b344>]
(__handle_domain_irq+0x6c/0xc4)
[<8017b2d8>] (__handle_domain_irq) from [<801022e0>]
(gic_handle_irq+0x4c/0x88)
[<80102294>] (gic_handle_irq) from [<80101a30>] (__irq_svc+0x70/0x98)
[<802b8794>] (generic_fillattr) from [<8056b284>]
(v9fs_vfs_getattr_dotl+0x74/0xa4)
[<8056b210>] (v9fs_vfs_getattr_dotl) from [<802b8904>]
(vfs_getattr_nosec+0x68/0x7c)
[<802b889c>] (vfs_getattr_nosec) from [<802b895c>] (vfs_getattr+0x44/0x48)
[<802b8918>] (vfs_getattr) from [<802b8a74>] (vfs_statx+0x9c/0xec)
[<802b89d8>] (vfs_statx) from [<802b9428>] (sys_lstat64+0x48/0x78)
[<802b93e0>] (sys_lstat64) from [<80101000>] (ret_fast_syscall+0x0/0x28)
[dominique.marti...@cea.fr: updated comment to not refer to a function
in another subsystem]
Link: http://lkml.kernel.org/r/20190124063514.8571-2-hout...@huawei.com
Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of
using inode->i_size directly.")
Reported-by: Xing Gaopeng
Signed-off-by: Hou Tao
Signed-off-by: Dominique Martinet
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
fs/9p/v9fs_vfs.h | 23 +--
fs/9p/vfs_file.c | 6 +-
fs/9p/vfs_inode.c | 23 +++
fs/9p/vfs_inode_dotl.c | 27 ++-
fs/9p/vfs_super.c | 4 ++--
5 files changed, 53 insertions(+), 30 deletions(-)
--- a/fs/9p/v9fs_vfs.h
+++ b/fs/9p/v9fs_vfs.h
@@ -40,6 +40,9 @@
*/
#define P9_LOCK_TIMEOUT (30*HZ)
+/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */
+#define V9FS_STAT2INODE_KEEP_ISIZE 1
+
extern struct file_system_type v9fs_fs_type;
extern const struct address_space_operations v9fs_addr_operations;
extern const struct file_operations v9fs_file_operations;
@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_
struct inode *inode, umode_t mode, dev_t);
void v9fs_evict_inode(struct inode *inode);
ino_t v9fs_qid2ino(struct p9_qid *qid);
-void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *);
-void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *);
+void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode,
+ struct super_block *sb, unsigned int flags);
+void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode,
+ unsigned int flags);
int v9fs_dir_release(struct inode *inod
[PATCH 3.16 102/129] mm: fix potential data race in SyS_swapon
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Hugh Dickins
commit 6f179af88f60b32c2855e7f3e16ea8e336a7043f upstream.
While running KernelThreadSanitizer (ktsan) on upstream kernel with
trinity, we got a few reports from SyS_swapon, here is one of them:
Read of size 8 by thread T307 (K7621):
[< inlined>] SyS_swapon+0x3c0/0x1850 SYSC_swapon mm/swapfile.c:2395
[] SyS_swapon+0x3c0/0x1850 mm/swapfile.c:2345
[] ia32_do_call+0x1b/0x25
Looks like the swap_lock should be taken when iterating through the
swap_info array on lines 2392 - 2401: q->swap_file may be reset to
NULL by another thread before it is dereferenced for f_mapping.
But why is that iteration needed at all? Doesn't the claim_swapfile()
which follows do all that is needed to check for a duplicate entry -
FMODE_EXCL on a bdev, testing IS_SWAPFILE under i_mutex on a regfile?
Well, not quite: bd_may_claim() allows the same "holder" to claim the
bdev again, so we do need to use a different holder than "sys_swapon";
and we should not replace appropriate -EBUSY by inappropriate -EINVAL.
Index i was reused in a cpu loop further down: renamed cpu there.
Reported-by: Andrey Konovalov
Signed-off-by: Hugh Dickins
Signed-off-by: Al Viro
Signed-off-by: Ben Hutchings
---
mm/swapfile.c | 25 +++--
1 file changed, 7 insertions(+), 18 deletions(-)
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2144,11 +2144,10 @@ static int claim_swapfile(struct swap_in
if (S_ISBLK(inode->i_mode)) {
p->bdev = bdgrab(I_BDEV(inode));
error = blkdev_get(p->bdev,
- FMODE_READ | FMODE_WRITE | FMODE_EXCL,
- sys_swapon);
+ FMODE_READ | FMODE_WRITE | FMODE_EXCL, p);
if (error < 0) {
p->bdev = NULL;
- return -EINVAL;
+ return error;
}
p->old_block_size = block_size(p->bdev);
error = set_blocksize(p->bdev, PAGE_SIZE);
@@ -2365,7 +2364,6 @@ SYSCALL_DEFINE2(swapon, const char __use
struct filename *name;
struct file *swap_file = NULL;
struct address_space *mapping;
- int i;
int prio;
int error;
union swap_header *swap_header;
@@ -2405,19 +2403,8 @@ SYSCALL_DEFINE2(swapon, const char __use
p->swap_file = swap_file;
mapping = swap_file->f_mapping;
-
- for (i = 0; i < nr_swapfiles; i++) {
- struct swap_info_struct *q = swap_info[i];
-
- if (q == p || !q->swap_file)
- continue;
- if (mapping == q->swap_file->f_mapping) {
- error = -EBUSY;
- goto bad_swap;
- }
- }
-
inode = mapping->host;
+
/* If S_ISREG(inode->i_mode) will do mutex_lock(>i_mutex); */
error = claim_swapfile(p, inode);
if (unlikely(error))
@@ -2450,6 +2437,8 @@ SYSCALL_DEFINE2(swapon, const char __use
goto bad_swap;
}
if (p->bdev && blk_queue_nonrot(bdev_get_queue(p->bdev))) {
+ int cpu;
+
p->flags |= SWP_SOLIDSTATE;
/*
* select a random position to start with to help wear leveling
@@ -2468,9 +2457,9 @@ SYSCALL_DEFINE2(swapon, const char __use
error = -ENOMEM;
goto bad_swap;
}
- for_each_possible_cpu(i) {
+ for_each_possible_cpu(cpu) {
struct percpu_cluster *cluster;
- cluster = per_cpu_ptr(p->percpu_cluster, i);
+ cluster = per_cpu_ptr(p->percpu_cluster, cpu);
cluster_set_null(>index);
}
}
[PATCH 3.16 084/129] btrfs: init csum_list before possible free
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dan Robertson
commit e49be14b8d80e23bb7c53d78c21717a474ade76b upstream.
The scrub_ctx csum_list member must be initialized before scrub_free_ctx
is called. If the csum_list is not initialized beforehand, the
list_empty call in scrub_free_csums will result in a null deref if the
allocation fails in the for loop.
Fixes: a2de733c78fa ("btrfs: scrub")
Reviewed-by: Nikolay Borisov
Signed-off-by: Dan Robertson
Reviewed-by: David Sterba
Signed-off-by: David Sterba
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
fs/btrfs/scrub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -417,6 +417,7 @@ struct scrub_ctx *scrub_setup_ctx(struct
sctx->pages_per_rd_bio = pages_per_rd_bio;
sctx->curr = -1;
sctx->dev_root = dev->dev_root;
+ INIT_LIST_HEAD(>csum_list);
for (i = 0; i < SCRUB_BIOS_PER_SCTX; ++i) {
struct scrub_bio *sbio;
@@ -444,7 +445,6 @@ struct scrub_ctx *scrub_setup_ctx(struct
atomic_set(>workers_pending, 0);
atomic_set(>cancel_req, 0);
sctx->csum_size = btrfs_super_csum_size(fs_info->super_copy);
- INIT_LIST_HEAD(>csum_list);
spin_lock_init(>list_lock);
spin_lock_init(>stat_lock);
[PATCH 3.16 073/129] libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Lubomir Rintel
commit 607076a904c435f2677fadaadd4af546279db68b upstream.
It doesn't make sense and the USB core warns on each submit of such
URB, easily flooding the message buffer with tracebacks.
Analogous issue was fixed in regular libertas driver in commit 6528d8804780
("libertas: don't set URB_ZERO_PACKET on IN USB transfer").
Signed-off-by: Lubomir Rintel
Reviewed-by: Steve deRosier
Signed-off-by: Kalle Valo
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/net/wireless/libertas_tf/if_usb.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/net/wireless/libertas_tf/if_usb.c
+++ b/drivers/net/wireless/libertas_tf/if_usb.c
@@ -440,8 +440,6 @@ static int __if_usb_submit_rx_urb(struct
skb_tail_pointer(skb),
MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, cardp);
- cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET;
-
lbtf_deb_usb2(>udev->dev, "Pointer for rx_urb %p\n",
cardp->rx_urb);
ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC);
[PATCH 3.16 087/129] staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held.
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Tetsuo Handa
commit ecd182cbf4e107928077866399100228d2359c60 upstream.
ashmem_pin() is calling range_shrink() without checking whether
range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex
held should be avoided because ashmem_shrink_scan() tries to hold it.
Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin()
and make range_alloc() not to fail.
This patch is mostly meant for backporting purpose for fuzz testing on
stable/distributor kernels, for there is a plan to remove this code in
near future.
Signed-off-by: Tetsuo Handa
Reviewed-by: Joel Fernandes
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/staging/android/ashmem.c | 42 ++--
1 file changed, 24 insertions(+), 18 deletions(-)
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -158,19 +158,15 @@ static inline void lru_del(struct ashmem
* @end: The ending page (inclusive)
*
* This function is protected by ashmem_mutex.
- *
- * Return: 0 if successful, or -ENOMEM if there is an error
*/
-static int range_alloc(struct ashmem_area *asma,
- struct ashmem_range *prev_range, unsigned int purged,
- size_t start, size_t end)
+static void range_alloc(struct ashmem_area *asma,
+ struct ashmem_range *prev_range, unsigned int purged,
+ size_t start, size_t end,
+ struct ashmem_range **new_range)
{
- struct ashmem_range *range;
-
- range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
- if (unlikely(!range))
- return -ENOMEM;
+ struct ashmem_range *range = *new_range;
+ *new_range = NULL;
range->asma = asma;
range->pgstart = start;
range->pgend = end;
@@ -180,8 +176,6 @@ static int range_alloc(struct ashmem_are
if (range_on_lru(range))
lru_add(range);
-
- return 0;
}
/**
@@ -576,7 +570,8 @@ static int get_name(struct ashmem_area *
*
* Caller must hold ashmem_mutex.
*/
-static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
+static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
+ struct ashmem_range **new_range)
{
struct ashmem_range *range, *next;
int ret = ASHMEM_NOT_PURGED;
@@ -628,7 +623,7 @@ static int ashmem_pin(struct ashmem_area
* second half and adjust the first chunk's endpoint.
*/
range_alloc(asma, range, range->purged,
- pgend + 1, range->pgend);
+ pgend + 1, range->pgend, new_range);
range_shrink(range, range->pgstart, pgstart - 1);
break;
}
@@ -642,7 +637,8 @@ static int ashmem_pin(struct ashmem_area
*
* Caller must hold ashmem_mutex.
*/
-static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend)
+static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend,
+ struct ashmem_range **new_range)
{
struct ashmem_range *range, *next;
unsigned int purged = ASHMEM_NOT_PURGED;
@@ -668,7 +664,8 @@ restart:
}
}
- return range_alloc(asma, range, purged, pgstart, pgend);
+ range_alloc(asma, range, purged, pgstart, pgend, new_range);
+ return 0;
}
/*
@@ -701,10 +698,17 @@ static int ashmem_pin_unpin(struct ashme
struct ashmem_pin pin;
size_t pgstart, pgend;
int ret = -EINVAL;
+ struct ashmem_range *range = NULL;
if (unlikely(copy_from_user(, p, sizeof(pin
return -EFAULT;
+ if (cmd == ASHMEM_PIN || cmd == ASHMEM_UNPIN) {
+ range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL);
+ if (!range)
+ return -ENOMEM;
+ }
+
mutex_lock(_mutex);
if (unlikely(!asma->file))
@@ -728,10 +732,10 @@ static int ashmem_pin_unpin(struct ashme
switch (cmd) {
case ASHMEM_PIN:
- ret = ashmem_pin(asma, pgstart, pgend);
+ ret = ashmem_pin(asma, pgstart, pgend, );
break;
case ASHMEM_UNPIN:
- ret = ashmem_unpin(asma, pgstart, pgend);
+ ret = ashmem_unpin(asma, pgstart, pgend, );
break;
case ASHMEM_GET_PIN_STATUS:
ret = ashmem_get_pin_status(asma, pgstart, pgend);
@@ -740,6 +744,8 @@ static int ashmem_pin_unpin(struct ashme
out_unlock:
mutex_unlock(_mutex);
+ if (range)
+ kmem_cache_free(ashmem_range_cachep, range);
return ret;
}
[PATCH 3.16 093/129] NFSv4.1: Reinitialise sequence results before retransmitting a request
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Trond Myklebust
commit c1dffe0bf7f9c3d57d9f237a7cb2a81e62babd2b upstream.
If we have to retransmit a request, we should ensure that we reinitialise
the sequence results structure, since in the event of a signal
we need to treat the request as if it had not been sent.
Signed-off-by: Trond Myklebust
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
fs/nfs/nfs4proc.c | 12
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -694,6 +694,13 @@ static int nfs4_sequence_done(struct rpc
return nfs41_sequence_done(task, res);
}
+static void nfs41_sequence_res_init(struct nfs4_sequence_res *res)
+{
+ res->sr_timestamp = jiffies;
+ res->sr_status_flags = 0;
+ res->sr_status = 1;
+}
+
int nfs41_setup_sequence(struct nfs4_session *session,
struct nfs4_sequence_args *args,
struct nfs4_sequence_res *res,
@@ -735,15 +742,9 @@ int nfs41_setup_sequence(struct nfs4_ses
slot->slot_nr, slot->seq_nr);
res->sr_slot = slot;
- res->sr_timestamp = jiffies;
- res->sr_status_flags = 0;
- /*
-* sr_status is only set in decode_sequence, and so will remain
-* set to 1 if an rpc level failure occurs.
-*/
- res->sr_status = 1;
trace_nfs4_setup_sequence(session, args);
out_success:
+ nfs41_sequence_res_init(res);
rpc_call_start(task);
return 0;
out_sleep:
[PATCH 3.16 097/129] ip6mr: Do not call __IP6_INC_STATS() from preemptible context
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ido Schimmel
commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf upstream.
Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from
improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot
assume preemption is disabled when incrementing the counter and
accessing a per-CPU variable.
Preemption can be enabled when we add a route in process context that
corresponds to packets stored in the unresolved queue, which are then
forwarded using this route [1].
Fix this by using IP6_INC_STATS() which takes care of disabling
preemption on architectures where it is needed.
[1]
[ 157.451447] BUG: using __this_cpu_add() in preemptible [] code:
smcrouted/2314
[ 157.460409] caller is ip6mr_forward2+0x73e/0x10e0
[ 157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted
5.0.0-rc7-custom-03635-g22f2712113f1 #1336
[ 157.460449] Hardware name: Mellanox Technologies Ltd.
MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
[ 157.460461] Call Trace:
[ 157.460486] dump_stack+0xf9/0x1be
[ 157.460553] check_preemption_disabled+0x1d6/0x200
[ 157.460576] ip6mr_forward2+0x73e/0x10e0
[ 157.460705] ip6_mr_forward+0x9a0/0x1510
[ 157.460771] ip6mr_mfc_add+0x16b3/0x1e00
[ 157.461155] ip6_mroute_setsockopt+0x3cb/0x13c0
[ 157.461384] do_ipv6_setsockopt.isra.8+0x348/0x4060
[ 157.462013] ipv6_setsockopt+0x90/0x110
[ 157.462036] rawv6_setsockopt+0x4a/0x120
[ 157.462058] __sys_setsockopt+0x16b/0x340
[ 157.462198] __x64_sys_setsockopt+0xbf/0x160
[ 157.462220] do_syscall_64+0x14d/0x610
[ 157.462349] entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module
method ip6_mr_forward().")
Signed-off-by: Ido Schimmel
Reported-by: Amit Cohen
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
net/ipv6/ip6mr.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1984,10 +1984,10 @@ int ip6mr_compat_ioctl(struct sock *sk,
static inline int ip6mr_forward2_finish(struct sk_buff *skb)
{
- IP6_INC_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
-IPSTATS_MIB_OUTFORWDATAGRAMS);
- IP6_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
-IPSTATS_MIB_OUTOCTETS, skb->len);
+ IP6_INC_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
+ IPSTATS_MIB_OUTFORWDATAGRAMS);
+ IP6_ADD_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
+ IPSTATS_MIB_OUTOCTETS, skb->len);
return dst_output(skb);
}
[PATCH 3.16 119/129] l2tp: fix infoleak in l2tp_ip6_recvmsg()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 upstream.
Back in 2013 Hannes took care of most of such leaks in commit
bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv
syscalls")
But the bug in l2tp_ip6_recvmsg() has not been fixed.
syzbot report :
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
_copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
copy_to_user include/linux/uaccess.h:174 [inline]
move_addr_to_user+0x311/0x570 net/socket.c:227
___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
do_recvmmsg+0x646/0x10c0 net/socket.c:2390
__sys_recvmmsg net/socket.c:2469 [inline]
__do_sys_recvmmsg net/socket.c:2492 [inline]
__se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
__x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x445819
Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83
2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f64453eddb8 EFLAGS: 0246 ORIG_RAX: 012b
RAX: ffda RBX: 006dac28 RCX: 00445819
RDX: 0005 RSI: 20002f80 RDI: 0003
RBP: 006dac20 R08: R09:
R10: R11: 0246 R12: 006dac2c
R13: 7ffeba8f87af R14: 7f64453ee9c0 R15: 20c49ba5e353f7cf
Local variable description: addr@___sys_recvmsg
Variable was created at:
___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
do_recvmmsg+0x646/0x10c0 net/socket.c:2390
Bytes 0-31 of 32 are uninitialized
Memory access of size 32 starts at 8880ae62fbb0
Data copied to user address 2000
Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
net/l2tp/l2tp_ip6.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -664,9 +664,6 @@ static int l2tp_ip6_recvmsg(struct kiocb
if (flags & MSG_OOB)
goto out;
- if (addr_len)
- *addr_len = sizeof(*lsa);
-
if (flags & MSG_ERRQUEUE)
return ipv6_recv_error(sk, msg, len, addr_len);
@@ -696,6 +693,7 @@ static int l2tp_ip6_recvmsg(struct kiocb
lsa->l2tp_conn_id = 0;
if (ipv6_addr_type(>l2tp_addr) & IPV6_ADDR_LINKLOCAL)
lsa->l2tp_scope_id = IP6CB(skb)->iif;
+ *addr_len = sizeof(*lsa);
}
if (np->rxopt.all)
[PATCH 3.16 008/129] clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit 1731e14fb30212dd8c1e9f8fc1af061e56498c55 upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Fixes: d55135689019 ("ARM: imx: add clock driver for imx6sx")
Signed-off-by: Stephen Boyd
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
arch/arm/mach-imx/clk-imx6sx.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/mach-imx/clk-imx6sx.c
+++ b/arch/arm/mach-imx/clk-imx6sx.c
@@ -143,6 +143,7 @@ static void __init imx6sx_clocks_init(st
np = of_find_compatible_node(NULL, NULL, "fsl,imx6sx-anatop");
base = of_iomap(np, 0);
WARN_ON(!base);
+ of_node_put(np);
/* type name
parent_name base div_mask */
clks[IMX6SX_CLK_PLL1_SYS] = imx_clk_pllv3(IMX_PLLV3_SYS,
"pll1_sys", "osc",base,0x7f);
[PATCH 3.16 086/129] ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
0762c6 leaf_length 7, crc 25286
460 textual descriptor
464 minimal ASCII
468 4c495155 "LIQU"
46c 49445f53 "ID_S"
470 41464649 "AFFI"
474 52455f35 "RE_5"
478 3600 "6"
descriptor leaf at 47c
-
47c 000762c6 leaf_length 7, crc 25286
480 textual descriptor
484 minimal ASCII
488 4c495155 "LIQU"
48c 49445f53 "ID_S"
490 41464649 "AFFI"
494 52455f35 "RE_5"
498 3600 "6"
Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro
series")
Signed-off-by: Takashi Sakamoto
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
sound/firewire/bebob/bebob.c | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/sound/firewire/bebob/bebob.c
+++ b/sound/firewire/bebob/bebob.c
@@ -396,7 +396,19 @@ static const struct ieee1394_device_id b
/* Focusrite, SaffirePro 26 I/O */
SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x0003, _26_spec),
/* Focusrite, SaffirePro 10 I/O */
- SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x0006, _10_spec),
+ {
+ // The combination of vendor_id and model_id is the same as the
+ // same as the one of Liquid Saffire 56.
+ .match_flags= IEEE1394_MATCH_VENDOR_ID |
+ IEEE1394_MATCH_MODEL_ID |
+ IEEE1394_MATCH_SPECIFIER_ID |
+ IEEE1394_MATCH_VERSION,
+ .vendor_id = VEN_FOCUSRITE,
+ .model_id = 0x06,
+ .specifier_id = 0x00a02d,
+ .version= 0x010001,
+ .driver_data= (kernel_ulong_t)_10_spec,
+ },
/* Focusrite, Saffire(no label and LE) */
SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, MODEL_FOCUSRITE_SAFFIRE_BOTH,
_spec),
[PATCH 3.16 089/129] regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Axel Lin
commit c25d47888f0fb3d836d68322d4aea2caf31a75a6 upstream.
The wm831x_dcdc_ilim entries needs to be uA because it is used to compare
with min_uA and max_uA.
While at it also make the array const and change to use unsigned int.
Fixes: e4ee831f949a ("regulator: Add WM831x DC-DC buck convertor support")
Signed-off-by: Axel Lin
Acked-by: Charles Keepax
Signed-off-by: Mark Brown
Signed-off-by: Ben Hutchings
---
drivers/regulator/wm831x-dcdc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/regulator/wm831x-dcdc.c
+++ b/drivers/regulator/wm831x-dcdc.c
@@ -327,8 +327,8 @@ static int wm831x_buckv_get_voltage_sel(
}
/* Current limit options */
-static u16 wm831x_dcdc_ilim[] = {
- 125, 250, 375, 500, 625, 750, 875, 1000
+static const unsigned int wm831x_dcdc_ilim[] = {
+ 125000, 25, 375000, 50, 625000, 75, 875000, 100
};
static int wm831x_buckv_set_current_limit(struct regulator_dev *rdev,
[PATCH 3.16 100/129] CIFS: Fix read after write for files with read caching
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Pavel Shilovsky
commit 6dfbd84684700cb58b34e8602c01c12f3d2595c8 upstream.
When we have a READ lease for a file and have just issued a write
operation to the server we need to purge the cache and set oplock/lease
level to NONE to avoid reading stale data. Currently we do that
only if a write operation succedeed thus not covering cases when
a request was sent to the server but a negative error code was
returned later for some other reasons (e.g. -EIOCBQUEUED or -EINTR).
Fix this by turning off caching regardless of the error code being
returned.
The patches fixes generic tests 075 and 112 from the xfs-tests.
Signed-off-by: Pavel Shilovsky
Signed-off-by: Steve French
Reviewed-by: Ronnie Sahlberg
Signed-off-by: Ben Hutchings
---
fs/cifs/file.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -2661,14 +2661,16 @@ cifs_strict_writev(struct kiocb *iocb, s
* these pages but not on the region from pos to ppos+len-1.
*/
written = cifs_user_writev(iocb, from);
- if (written > 0 && CIFS_CACHE_READ(cinode)) {
+ if (CIFS_CACHE_READ(cinode)) {
/*
-* Windows 7 server can delay breaking level2 oplock if a write
-* request comes - break it on the client to prevent reading
-* an old data.
+* We have read level caching and we have just sent a write
+* request to the server thus making data in the cache stale.
+* Zap the cache and set oplock/lease level to NONE to avoid
+* reading stale data from the cache. All subsequent read
+* operations will read new data from the server.
*/
cifs_zap_mapping(inode);
- cifs_dbg(FYI, "Set no oplock for inode=%p after a write
operation\n",
+ cifs_dbg(FYI, "Set Oplock/Lease to NONE for inode=%p after
write\n",
inode);
cinode->oplock = 0;
}
[PATCH 3.16 091/129] Btrfs: fix corruption reading shared and compressed extents after hole punching
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Filipe Manana
commit 8e928218780e2f1cf2f5891c7575e8f0b284fcce upstream.
In the past we had data corruption when reading compressed extents that
are shared within the same file and they are consecutive, this got fixed
by commit 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and
shared extents") and by commit 808f80b46790f ("Btrfs: update fix for read
corruption of compressed and shared extents"). However there was a case
that was missing in those fixes, which is when the shared and compressed
extents are referenced with a non-zero offset. The following shell script
creates a reproducer for this issue:
#!/bin/bash
mkfs.btrfs -f /dev/sdc &> /dev/null
mount -o compress /dev/sdc /mnt/sdc
# Create a file with 3 consecutive compressed extents, each has an
# uncompressed size of 128Kb and a compressed size of 4Kb.
for ((i = 1; i <= 3; i++)); do
head -c 4096 /dev/zero
for ((j = 1; j <= 31; j++)); do
head -c 4096 /dev/zero | tr '\0' "\377"
done
done > /mnt/sdc/foobar
sync
echo "Digest after file creation: $(md5sum /mnt/sdc/foobar)"
# Clone the first extent into offsets 128K and 256K.
xfs_io -c "reflink /mnt/sdc/foobar 0 128K 128K" /mnt/sdc/foobar
xfs_io -c "reflink /mnt/sdc/foobar 0 256K 128K" /mnt/sdc/foobar
sync
echo "Digest after cloning: $(md5sum /mnt/sdc/foobar)"
# Punch holes into the regions that are already full of zeroes.
xfs_io -c "fpunch 0 4K" /mnt/sdc/foobar
xfs_io -c "fpunch 128K 4K" /mnt/sdc/foobar
xfs_io -c "fpunch 256K 4K" /mnt/sdc/foobar
sync
echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)"
echo "Dropping page cache..."
sysctl -q vm.drop_caches=1
echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)"
umount /dev/sdc
When running the script we get the following output:
Digest after file creation: 5a0888d80d7ab1fd31c229f83a3bbcc8
/mnt/sdc/foobar
linked 131072/131072 bytes at offset 131072
128 KiB, 1 ops; 0.0033 sec (36.960 MiB/sec and 295.6830 ops/sec)
linked 131072/131072 bytes at offset 262144
128 KiB, 1 ops; 0.0015 sec (78.567 MiB/sec and 628.5355 ops/sec)
Digest after cloning: 5a0888d80d7ab1fd31c229f83a3bbcc8
/mnt/sdc/foobar
Digest after hole punching: 5a0888d80d7ab1fd31c229f83a3bbcc8
/mnt/sdc/foobar
Dropping page cache...
Digest after hole punching: fba694ae8664ed0c2e9ff8937e7f1484
/mnt/sdc/foobar
This happens because after reading all the pages of the extent in the
range from 128K to 256K for example, we read the hole at offset 256K
and then when reading the page at offset 260K we don't submit the
existing bio, which is responsible for filling all the page in the
range 128K to 256K only, therefore adding the pages from range 260K
to 384K to the existing bio and submitting it after iterating over the
entire range. Once the bio completes, the uncompressed data fills only
the pages in the range 128K to 256K because there's no more data read
from disk, leaving the pages in the range 260K to 384K unfilled. It is
just a slightly different variant of what was solved by commit
005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared
extents").
Fix this by forcing a bio submit, during readpages(), whenever we find a
compressed extent map for a page that is different from the extent map
for the previous page or has a different starting offset (in case it's
the same compressed extent), instead of the extent map's original start
offset.
A test case for fstests follows soon.
Reported-by: Zygo Blaxell
Fixes: 808f80b46790f ("Btrfs: update fix for read corruption of compressed and
shared extents")
Fixes: 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared
extents")
Tested-by: Zygo Blaxell
Signed-off-by: Filipe Manana
Signed-off-by: David Sterba
Signed-off-by: Ben Hutchings
---
fs/btrfs/extent_io.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -2936,11 +2936,11 @@ static int __do_readpage(struct extent_i
*/
if (test_bit(EXTENT_FLAG_COMPRESSED, >flags) &&
prev_em_start && *prev_em_start != (u64)-1 &&
- *prev_em_start != em->orig_start)
+ *prev_em_start != em->start)
force_bio_submit = true;
if (prev_em_start)
- *prev_em_start = em->orig_start;
+ *prev_em_start = em->start;
free_extent_map(em);
em = NULL;
[PATCH 3.16 098/129] CIFS: Do not reset lease state to NONE on lease break
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Pavel Shilovsky
commit 7b9b9edb49ad377b1e06abf14354c227e9ac4b06 upstream.
Currently on lease break the client sets a caching level twice:
when oplock is detected and when oplock is processed. While the
1st attempt sets the level to the value provided by the server,
the 2nd one resets the level to None unconditionally.
This happens because the oplock/lease processing code was changed
to avoid races between page cache flushes and oplock breaks.
The commit c11f1df5003d534 ("cifs: Wait for writebacks to complete
before attempting write.") fixed the races for oplocks but didn't
apply the same changes for leases resulting in overwriting the
server granted value to None. Fix this by properly processing
lease breaks.
Signed-off-by: Pavel Shilovsky
Signed-off-by: Steve French
[bwh: Backported to 3.16: drop change in smb311_operations]
Signed-off-by: Ben Hutchings
---
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -420,7 +420,6 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
__u8 lease_state;
struct list_head *tmp;
struct cifsFileInfo *cfile;
- struct TCP_Server_Info *server = tcon->ses->server;
struct cifs_pending_open *open;
struct cifsInodeInfo *cinode;
int ack_req = le32_to_cpu(rsp->Flags &
@@ -440,13 +439,25 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
cifs_dbg(FYI, "lease key match, lease break 0x%d\n",
le32_to_cpu(rsp->NewLeaseState));
- server->ops->set_oplock_level(cinode, lease_state, 0, NULL);
-
if (ack_req)
cfile->oplock_break_cancelled = false;
else
cfile->oplock_break_cancelled = true;
+ set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, >flags);
+
+ /*
+* Set or clear flags depending on the lease state being READ.
+* HANDLE caching flag should be added when the client starts
+* to defer closing remote file handles with HANDLE leases.
+*/
+ if (lease_state & SMB2_LEASE_READ_CACHING_HE)
+ set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ >flags);
+ else
+ clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
+ >flags);
+
queue_work(cifsoplockd_wq, >oplock_break);
kfree(lw);
return true;
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -962,6 +962,15 @@ smb2_downgrade_oplock(struct TCP_Server_
}
static void
+smb21_downgrade_oplock(struct TCP_Server_Info *server,
+ struct cifsInodeInfo *cinode, bool set_level2)
+{
+ server->ops->set_oplock_level(cinode,
+ set_level2 ? SMB2_LEASE_READ_CACHING_HE :
+ 0, 0, NULL);
+}
+
+static void
smb2_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock,
unsigned int epoch, bool *purge_cache)
{
@@ -1253,7 +1262,7 @@ struct smb_version_operations smb21_oper
.print_stats = smb2_print_stats,
.is_oplock_break = smb2_is_valid_oplock_break,
.handle_cancelled_mid = smb2_handle_cancelled_mid,
- .downgrade_oplock = smb2_downgrade_oplock,
+ .downgrade_oplock = smb21_downgrade_oplock,
.need_neg = smb2_need_neg,
.negotiate = smb2_negotiate,
.negotiate_wsize = smb2_negotiate_wsize,
@@ -1331,7 +1340,7 @@ struct smb_version_operations smb30_oper
.dump_share_caps = smb2_dump_share_caps,
.is_oplock_break = smb2_is_valid_oplock_break,
.handle_cancelled_mid = smb2_handle_cancelled_mid,
- .downgrade_oplock = smb2_downgrade_oplock,
+ .downgrade_oplock = smb21_downgrade_oplock,
.need_neg = smb2_need_neg,
.negotiate = smb2_negotiate,
.negotiate_wsize = smb2_negotiate_wsize,
[PATCH 3.16 107/129] cpufreq: pxa2xx: remove incorrect __init annotation
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Arnd Bergmann
commit 9505b98ccddc454008ca7efff90044e3e857c827 upstream.
pxa_cpufreq_init_voltages() is marked __init but usually inlined into
the non-__init pxa_cpufreq_init() function. When building with clang,
it can stay as a standalone function in a discarded section, and produce
this warning:
WARNING: vmlinux.o(.text+0x616a00): Section mismatch in reference from the
function pxa_cpufreq_init() to the function
.init.text:pxa_cpufreq_init_voltages()
The function pxa_cpufreq_init() references
the function __init pxa_cpufreq_init_voltages().
This is often because pxa_cpufreq_init lacks a __init
annotation or the annotation of pxa_cpufreq_init_voltages is wrong.
Fixes: 50e77fcd790e ("ARM: pxa: remove __init from cpufreq_driver->init()")
Signed-off-by: Arnd Bergmann
Acked-by: Viresh Kumar
Reviewed-by: Nathan Chancellor
Acked-by: Robert Jarzmik
Signed-off-by: Rafael J. Wysocki
Signed-off-by: Ben Hutchings
---
drivers/cpufreq/pxa2xx-cpufreq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/cpufreq/pxa2xx-cpufreq.c
+++ b/drivers/cpufreq/pxa2xx-cpufreq.c
@@ -191,7 +191,7 @@ static int pxa_cpufreq_change_voltage(px
return ret;
}
-static void __init pxa_cpufreq_init_voltages(void)
+static void pxa_cpufreq_init_voltages(void)
{
vcc_core = regulator_get(NULL, "vcc_core");
if (IS_ERR(vcc_core)) {
@@ -207,7 +207,7 @@ static int pxa_cpufreq_change_voltage(px
return 0;
}
-static void __init pxa_cpufreq_init_voltages(void) { }
+static void pxa_cpufreq_init_voltages(void) { }
#endif
static void find_freq_tables(struct cpufreq_frequency_table **freq_table,
[PATCH 3.16 104/129] s390/virtio: handle find on invalid queue gracefully
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Halil Pasic
commit 3438b2c039b4bf26881786a1f3450f016d66ad11 upstream.
A queue with a capacity of zero is clearly not a valid virtio queue.
Some emulators report zero queue size if queried with an invalid queue
index. Instead of crashing in this case let us just return -ENOENT. To
make that work properly, let us fix the notifier cleanup logic as well.
Signed-off-by: Halil Pasic
Signed-off-by: Cornelia Huck
Signed-off-by: Michael S. Tsirkin
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/s390/kvm/virtio_ccw.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/s390/kvm/virtio_ccw.c
+++ b/drivers/s390/kvm/virtio_ccw.c
@@ -258,6 +258,8 @@ static void virtio_ccw_drop_indicators(s
{
struct virtio_ccw_vq_info *info;
+ if (!vcdev->airq_info)
+ return;
list_for_each_entry(info, >virtqueues, node)
drop_airq_indicator(info->vq, vcdev->airq_info);
}
@@ -386,7 +388,7 @@ static int virtio_ccw_read_vq_conf(struc
ccw->count = sizeof(struct vq_config_block);
ccw->cda = (__u32)(unsigned long)(vcdev->config_block);
ccw_io_helper(vcdev, ccw, VIRTIO_CCW_DOING_READ_VQ_CONF);
- return vcdev->config_block->num;
+ return vcdev->config_block->num ?: -ENOENT;
}
static void virtio_ccw_del_vq(struct virtqueue *vq, struct ccw1 *ccw)
[PATCH 3.16 096/129] net-sysfs: Fix mem leak in netdev_register_kobject
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: YueHaibing
commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab upstream.
syzkaller report this:
BUG: memory leak
unreferenced object 0x88837a71a500 (size 256):
comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s)
hex dump (first 32 bytes):
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .N..
ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff ...
backtrace:
[<db12624b>] netdev_register_kobject+0x124/0x2e0
net/core/net-sysfs.c:1751
[<dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516
[<e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline]
[<e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883
[<1b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline]
[<1b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690
[<79b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705
[<de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline]
[<de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline]
[<de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710
[<7ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
[<db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<115be9bb>] 0x
It should call kset_unregister to free 'dev->queues_kset'
in error path of register_queue_kobjects, otherwise will cause a mem leak.
Reported-by: Hulk Robot
Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
Signed-off-by: YueHaibing
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: net_device pointer is called "net", confusingly]
Signed-off-by: Ben Hutchings
---
net/core/net-sysfs.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1219,6 +1219,9 @@ static int register_queue_kobjects(struc
error:
netdev_queue_update_kobjects(net, txq, 0);
net_rx_queue_update_kobjects(net, rxq, 0);
+#ifdef CONFIG_SYSFS
+ kset_unregister(net->queues_kset);
+#endif
return error;
}
[PATCH 3.16 118/129] net/mlx4_core: Fix qp mtt size calculation
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jack Morgenstein
commit 8511a653e9250ef36b95803c375a7be0e2edb628 upstream.
Calculation of qp mtt size (in function mlx4_RST2INIT_wrapper)
ultimately depends on function roundup_pow_of_two.
If the amount of memory required by the QP is less than one page,
roundup_pow_of_two is called with argument zero. In this case, the
roundup_pow_of_two result is undefined.
Calling roundup_pow_of_two with a zero argument resulted in the
following stack trace:
UBSAN: Undefined behaviour in ./include/linux/log2.h:61:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 4 PID: 26939 Comm: rping Tainted: G OE 4.19.0-rc1
Hardware name: Supermicro X9DR3-F/X9DR3-F, BIOS 3.2a 07/09/2015
Call Trace:
dump_stack+0x9a/0xeb
ubsan_epilogue+0x9/0x7c
__ubsan_handle_shift_out_of_bounds+0x254/0x29d
? __ubsan_handle_load_invalid_value+0x180/0x180
? debug_show_all_locks+0x310/0x310
? sched_clock+0x5/0x10
? sched_clock+0x5/0x10
? sched_clock_cpu+0x18/0x260
? find_held_lock+0x35/0x1e0
? mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core]
mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core]
Fix this by explicitly testing for zero, and returning one if the
argument is zero (assuming that the next higher power of 2 in this case
should be one).
Fixes: c82e9aa0a8bc ("mlx4_core: resource tracking for HCA resources used by
guests")
Signed-off-by: Jack Morgenstein
Signed-off-by: Tariq Toukan
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -2460,13 +2460,13 @@ static int qp_get_mtt_size(struct mlx4_q
int total_pages;
int total_mem;
int page_offset = (be32_to_cpu(qpc->params2) >> 6) & 0x3f;
+ int tot;
sq_size = 1 << (log_sq_size + log_sq_sride + 4);
rq_size = (srq|rss|xrc) ? 0 : (1 << (log_rq_size + log_rq_stride + 4));
total_mem = sq_size + rq_size;
- total_pages =
- roundup_pow_of_two((total_mem + (page_offset << 6)) >>
- page_shift);
+ tot = (total_mem + (page_offset << 6)) >> page_shift;
+ total_pages = !tot ? 1 : roundup_pow_of_two(tot);
return total_pages;
}
[PATCH 3.16 109/129] xen, cpu_hotplug: Prevent an out of bounds access
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
commit 201676095dda7e5b31a5e1d116d10fc22985075e upstream.
The "cpu" variable comes from the sscanf() so Smatch marks it as
untrusted data. We can't pass a higher value than "nr_cpu_ids" to
cpu_possible() or it results in an out of bounds access.
Fixes: d68d82afd4c8 ("xen: implement CPU hotplugging")
Signed-off-by: Dan Carpenter
Reviewed-by: Juergen Gross
Signed-off-by: Juergen Gross
Signed-off-by: Ben Hutchings
---
drivers/xen/cpu_hotplug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/xen/cpu_hotplug.c
+++ b/drivers/xen/cpu_hotplug.c
@@ -47,7 +47,7 @@ static int vcpu_online(unsigned int cpu)
}
static void vcpu_hotplug(unsigned int cpu)
{
- if (!cpu_possible(cpu))
+ if (cpu >= nr_cpu_ids || !cpu_possible(cpu))
return;
switch (vcpu_online(cpu)) {
[PATCH 3.16 110/129] route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Xin Long
commit ee60ad219f5c7c4fb2f047f88037770063ef785f upstream.
The race occurs in __mkroute_output() when 2 threads lookup a dst:
CPU A CPU B
find_exception()
find_exception() [fnhe expires]
ip_del_fnhe() [fnhe is deleted]
rt_bind_exception()
In rt_bind_exception() it will bind a deleted fnhe with the new dst, and
this dst will get no chance to be freed. It causes a dev defcnt leak and
consecutive dmesg warnings:
unregister_netdevice: waiting for ethX to become free. Usage count = 1
Especially thanks Jon to identify the issue.
This patch fixes it by setting fnhe_daddr to 0 in ip_del_fnhe() to stop
binding the deleted fnhe with a new dst when checking fnhe's fnhe_daddr
and daddr in rt_bind_exception().
It works as both ip_del_fnhe() and rt_bind_exception() are protected by
fnhe_lock and the fhne is freed by kfree_rcu().
Fixes: deed49df7390 ("route: check and remove route cache when we get route")
Signed-off-by: Jon Maxwell
Signed-off-by: Xin Long
Reviewed-by: David Ahern
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/ipv4/route.c | 4
1 file changed, 4 insertions(+)
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1279,6 +1279,10 @@ static void ip_del_fnhe(struct fib_nh *n
if (fnhe->fnhe_daddr == daddr) {
rcu_assign_pointer(*fnhe_p, rcu_dereference_protected(
fnhe->fnhe_next, lockdep_is_held(_lock)));
+ /* set fnhe_daddr to 0 to ensure it won't bind with
+* new dsts in rt_bind_exception().
+*/
+ fnhe->fnhe_daddr = 0;
fnhe_flush_routes(fnhe);
kfree_rcu(fnhe, rcu);
break;
[PATCH 3.16 112/129] gro_cells: make sure device is up in gro_cells_receive()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
commit 2a5ff07a0eb945f291e361aa6f6becca8340ba46 upstream.
We keep receiving syzbot reports [1] that show that tunnels do not play
the rcu/IFF_UP rules properly.
At device dismantle phase, gro_cells_destroy() will be called
only after a full rcu grace period is observed after IFF_UP
has been cleared.
This means that IFF_UP needs to be tested before queueing packets
into netif_rx() or gro_cells.
This patch implements the test in gro_cells_receive() because
too many callers do not seem to bother enough.
[1]
BUG: unable to handle kernel paging request at f4ca0b9e
PGD 0 P4D 0
Oops: [#1] PREEMPT SMP KASAN
CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00
00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10
01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
RSP: 0018:8880aa3f79a8 EFLAGS: 00010a02
RAX: 00e8 RBX: e8c64b70 RCX: 18ca0b9e
RDX: c6505ce8 RSI: 858410ca RDI: c6505cf0
RBP: 8880aa3f7a08 R08: 8880aa3e8580 R09: fbfff1263645
R10: fbfff1263644 R11: 8931b223 R12: dc00
R13: R14: e8c64b80 R15: e8c64b75
kobject: 'loop2' (4bd7d84a): kobject_uevent_env
FS: () GS:8880ae80() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: f4ca0b9e CR3: 94941000 CR4: 001406f0
Call Trace:
kobject: 'loop2' (4bd7d84a): fill_kobj_path: path =
'/devices/virtual/block/loop2'
ip_tunnel_dev_free+0x19/0x60 net/ipv4/ip_tunnel.c:1010
netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970
rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116
ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1124
vti_exit_batch_net+0x23/0x30 net/ipv4/ip_vti.c:495
ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
worker_thread+0x98/0xe40 kernel/workqueue.c:2319
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Modules linked in:
CR2: f4ca0b9e
[ end trace 513fc9c1338d1cb3 ]
RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00
00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10
01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
RSP: 0018:8880aa3f79a8 EFLAGS: 00010a02
RAX: 00e8 RBX: e8c64b70 RCX: 18ca0b9e
RDX: c6505ce8 RSI: 858410ca RDI: c6505cf0
RBP: 8880aa3f7a08 R08: 8880aa3e8580 R09: fbfff1263645
R10: fbfff1263644 R11: 8931b223 R12: dc00
kobject: 'loop3' (e4ee57a6): kobject_uevent_env
R13: R14: e8c64b80 R15: e8c64b75
FS: () GS:8880ae80() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: f4ca0b9e CR3: 94941000 CR4: 001406f0
Fixes: c9e6bc644e55 ("net: add gro_cells infrastructure")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
[bwh: Backported to 3.16:
- Adjust filename, context
- Return type is void]
Signed-off-by: Ben Hutchings
---
include/net/gro_cells.h | 22 ++
1 file changed, 18 insertions(+), 4 deletions(-)
--- a/include/net/gro_cells.h
+++ b/include/net/gro_cells.h
@@ -20,18 +20,23 @@ static inline void gro_cells_receive(str
struct gro_cell *cell = gcells->cells;
struct net_device *dev = skb->dev;
+ rcu_read_lock();
+ if (unlikely(!(dev->flags & IFF_UP)))
+ goto drop;
+
if (!cell || skb_cloned(skb) || !(dev->features & NETIF_F_GRO)) {
netif_rx(skb);
- return;
+ goto unlock;
}
if (skb_rx_queue_recorded(skb))
cell += skb_get_rx_queue(skb) & gcells->gro_cells_mask;
if (skb_qu
[PATCH 3.16 127/129] mwifiex: Abort at too short BSS descriptor element
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream. Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that the source descriptor entries contain the enough size for each type and performs copying without checking the source size. This may lead to read over boundary. Fix this by putting the source size check in appropriate places. Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/net/wireless/mwifiex/scan.c | 15 +++ 1 file changed, 15 insertions(+) --- a/drivers/net/wireless/mwifiex/scan.c +++ b/drivers/net/wireless/mwifiex/scan.c @@ -1193,6 +1193,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_FH_PARAMS: + if (element_len + 2 < sizeof(*fh_param_set)) + return -EINVAL; fh_param_set = (struct ieee_types_fh_param_set *) current_ptr; memcpy(_entry->phy_param_set.fh_param_set, @@ -1201,6 +1203,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_DS_PARAMS: + if (element_len + 2 < sizeof(*ds_param_set)) + return -EINVAL; ds_param_set = (struct ieee_types_ds_param_set *) current_ptr; @@ -1212,6 +1216,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_CF_PARAMS: + if (element_len + 2 < sizeof(*cf_param_set)) + return -EINVAL; cf_param_set = (struct ieee_types_cf_param_set *) current_ptr; memcpy(_entry->ss_param_set.cf_param_set, @@ -1220,6 +1226,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_IBSS_PARAMS: + if (element_len + 2 < sizeof(*ibss_param_set)) + return -EINVAL; ibss_param_set = (struct ieee_types_ibss_param_set *) current_ptr; @@ -1229,10 +1237,14 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_ERP_INFO: + if (!element_len) + return -EINVAL; bss_entry->erp_flags = *(current_ptr + 2); break; case WLAN_EID_PWR_CONSTRAINT: + if (!element_len) + return -EINVAL; bss_entry->local_constraint = *(current_ptr + 2); bss_entry->sensed_11h = true; break; @@ -1272,6 +1284,9 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_VENDOR_SPECIFIC: + if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) + return -EINVAL; + vendor_ie = (struct ieee_types_vendor_specific *) current_ptr;
[PATCH 3.16 114/129] It's wrong to add len to sector_nr in raid10 reshape twice
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Xiao Ni commit b761dcf1217760a42f7897c31dcb649f59b2333e upstream. In reshape_request it already adds len to sector_nr already. It's wrong to add len to sector_nr again after adding pages to bio. If there is bad block it can't copy one chunk at a time, it needs to goto read_more. Now the sector_nr is wrong. It can cause data corruption. Signed-off-by: Xiao Ni Signed-off-by: Song Liu Signed-off-by: Ben Hutchings --- drivers/md/raid10.c | 1 - 1 file changed, 1 deletion(-) --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -4506,7 +4506,6 @@ bio_full: atomic_inc(_bio->remaining); read_bio->bi_next = NULL; generic_make_request(read_bio); - sector_nr += nr_sectors; sectors_done += nr_sectors; if (sector_nr <= last) goto read_more;
[PATCH 3.16 117/129] net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jack Morgenstein
commit c07d27927f2f2e96fcd27bb9fb330c9ea65612d0 upstream.
In procedures mlx4_cmd_use_events() and mlx4_cmd_use_polling(), we need to
guarantee that there are no FW commands in progress on the comm channel
(for VFs) or wrapped FW commands (on the PF) when SRIOV is active.
We do this by also taking the slave_cmd_mutex when SRIOV is active.
This is especially important when switching from event to polling, since we
free the command-context array during the switch. If there are FW commands
in progress (e.g., waiting for a completion event), the completion event
handler will access freed memory.
Since the decision to use comm_wait or comm_poll is taken before grabbing
the event_sem/poll_sem in mlx4_comm_cmd_wait/poll, we must take the
slave_cmd_mutex as well (to guarantee that the decision to use events or
polling and the call to the appropriate cmd function are atomic).
Fixes: a7e1f04905e5 ("net/mlx4_core: Fix deadlock when switching between
polling and event fw commands")
Signed-off-by: Jack Morgenstein
Signed-off-by: Tariq Toukan
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
drivers/net/ethernet/mellanox/mlx4/cmd.c | 8
1 file changed, 8 insertions(+)
--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
@@ -2196,6 +2196,8 @@ int mlx4_cmd_use_events(struct mlx4_dev
if (!priv->cmd.context)
return -ENOMEM;
+ if (mlx4_is_mfunc(dev))
+ mutex_lock(>cmd.slave_cmd_mutex);
down_write(>cmd.switch_sem);
for (i = 0; i < priv->cmd.max_cmds; ++i) {
priv->cmd.context[i].token = i;
@@ -2217,6 +2219,8 @@ int mlx4_cmd_use_events(struct mlx4_dev
down(>cmd.poll_sem);
priv->cmd.use_events = 1;
up_write(>cmd.switch_sem);
+ if (mlx4_is_mfunc(dev))
+ mutex_unlock(>cmd.slave_cmd_mutex);
return err;
}
@@ -2229,6 +2233,8 @@ void mlx4_cmd_use_polling(struct mlx4_de
struct mlx4_priv *priv = mlx4_priv(dev);
int i;
+ if (mlx4_is_mfunc(dev))
+ mutex_lock(>cmd.slave_cmd_mutex);
down_write(>cmd.switch_sem);
priv->cmd.use_events = 0;
@@ -2239,6 +2245,8 @@ void mlx4_cmd_use_polling(struct mlx4_de
up(>cmd.poll_sem);
up_write(>cmd.switch_sem);
+ if (mlx4_is_mfunc(dev))
+ mutex_unlock(>cmd.slave_cmd_mutex);
}
struct mlx4_cmd_mailbox *mlx4_alloc_cmd_mailbox(struct mlx4_dev *dev)
[PATCH 3.16 115/129] md: Fix failed allocation of md_register_thread
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Aditya Pakki commit e406f12dde1a8375d77ea02d91f313fb1a9c6aec upstream. mddev->sync_thread can be set to NULL on kzalloc failure downstream. The patch checks for such a scenario and frees allocated resources. Committer node: Added similar fix to raid5.c, as suggested by Guoqing. Acked-by: Guoqing Jiang Signed-off-by: Aditya Pakki Signed-off-by: Song Liu Signed-off-by: Ben Hutchings --- drivers/md/raid10.c | 2 ++ drivers/md/raid5.c | 2 ++ 2 files changed, 4 insertions(+) --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -3820,6 +3820,8 @@ static int run(struct mddev *mddev) set_bit(MD_RECOVERY_RUNNING, >recovery); mddev->sync_thread = md_register_thread(md_do_sync, mddev, "reshape"); + if (!mddev->sync_thread) + goto out_free_conf; } return 0; --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -6180,6 +6180,8 @@ static int run(struct mddev *mddev) set_bit(MD_RECOVERY_RUNNING, >recovery); mddev->sync_thread = md_register_thread(md_do_sync, mddev, "reshape"); + if (!mddev->sync_thread) + goto abort; }
[PATCH 3.16 103/129] mm, swap: bounds check swap_info array accesses to avoid NULL derefs
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Daniel Jordan
commit c10d38cc8d3e43f946b6c2bf4602c86791587f30 upstream.
Dan Carpenter reports a potential NULL dereference in
get_swap_page_of_type:
Smatch complains that the NULL checks on "si" aren't consistent. This
seems like a real bug because we have not ensured that the type is
valid and so "si" can be NULL.
Add the missing check for NULL, taking care to use a read barrier to
ensure CPU1 observes CPU0's updates in the correct order:
CPU0 CPU1
alloc_swap_info() if (type >= nr_swapfiles)
swap_info[type] = p /* handle invalid entry */
smp_wmb()smp_rmb()
++nr_swapfiles p = swap_info[type]
Without smp_rmb, CPU1 might observe CPU0's write to nr_swapfiles before
CPU0's write to swap_info[type] and read NULL from swap_info[type].
Ying Huang noticed other places in swapfile.c don't order these reads
properly. Introduce swap_type_to_swap_info to encourage correct usage.
Use READ_ONCE and WRITE_ONCE to follow the Linux Kernel Memory Model
(see tools/memory-model/Documentation/explanation.txt).
This ordering need not be enforced in places where swap_lock is held
(e.g. si_swapinfo) because swap_lock serializes updates to nr_swapfiles
and the swap_info array.
Link: http://lkml.kernel.org/r/20190131024410.29859-1-daniel.m.jor...@oracle.com
Fixes: ec8acf20afb8 ("swap: add per-partition lock for swapfile")
Signed-off-by: Daniel Jordan
Reported-by: Dan Carpenter
Suggested-by: "Huang, Ying"
Reviewed-by: Andrea Parri
Acked-by: Peter Zijlstra (Intel)
Cc: Alan Stern
Cc: Andi Kleen
Cc: Dave Hansen
Cc: Omar Sandoval
Cc: Paul McKenney
Cc: Shaohua Li
Cc: Stephen Rothwell
Cc: Tejun Heo
Cc: Will Deacon
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16:
- Add swp_swap_info(), as done in upstream commit 0bcac06f27d7
"mm, swap: skip swapcache for swapin of synchronous device"
- Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -451,6 +451,7 @@ extern sector_t map_swap_page(struct pag
extern sector_t swapdev_block(int, pgoff_t);
extern int page_swapcount(struct page *);
extern struct swap_info_struct *page_swap_info(struct page *);
+extern struct swap_info_struct *swp_swap_info(swp_entry_t entry);
extern int reuse_swap_page(struct page *);
extern int try_to_free_swap(struct page *);
struct backing_dev_info;
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -86,6 +86,15 @@ static DECLARE_WAIT_QUEUE_HEAD(proc_poll
/* Activity counter to indicate that a swapon or swapoff has occurred */
static atomic_t proc_poll_event = ATOMIC_INIT(0);
+static struct swap_info_struct *swap_type_to_swap_info(int type)
+{
+ if (type >= ACCESS_ONCE(nr_swapfiles))
+ return NULL;
+
+ smp_rmb(); /* Pairs with smp_wmb in alloc_swap_info. */
+ return ACCESS_ONCE(swap_info[type]);
+}
+
static inline unsigned char swap_count(unsigned char ent)
{
return ent & ~SWAP_HAS_CACHE; /* may include COUNT_CONTINUED flag */
@@ -703,12 +712,14 @@ noswap:
/* The only caller of this function is now suspend routine */
swp_entry_t get_swap_page_of_type(int type)
{
- struct swap_info_struct *si;
+ struct swap_info_struct *si = swap_type_to_swap_info(type);
pgoff_t offset;
- si = swap_info[type];
+ if (!si)
+ goto fail;
+
spin_lock(>lock);
- if (si && (si->flags & SWP_WRITEOK)) {
+ if (si->flags & SWP_WRITEOK) {
atomic_long_dec(_swap_pages);
/* This is called for allocating swap entry, not cache */
offset = scan_swap_map(si, 1);
@@ -719,6 +730,7 @@ swp_entry_t get_swap_page_of_type(int ty
atomic_long_inc(_swap_pages);
}
spin_unlock(>lock);
+fail:
return (swp_entry_t) {0};
}
@@ -730,9 +742,9 @@ static struct swap_info_struct *swap_inf
if (!entry.val)
goto out;
type = swp_type(entry);
- if (type >= nr_swapfiles)
+ p = swap_type_to_swap_info(type);
+ if (!p)
goto bad_nofile;
- p = swap_info[type];
if (!(p->flags & SWP_USED))
goto bad_device;
offset = swp_offset(entry);
@@ -1037,10 +1049,9 @@ int swap_type_of(dev_t device, sector_t
sector_t swapdev_block(int type, pgoff_t offset)
{
struct block_device *bdev;
+ struct swap_info_struct *si = swap_type_to_swap_info(type);
- if ((unsigned int)type >= nr_swapfiles)
- return 0;
- if (!(swap_info[type]->flags & SWP_WRITEOK))
+ if (!si || !(si->flags & SWP_WRITEOK))
[PATCH 3.16 106/129] net/hsr: fix possible crash in add_timer()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
commit 1e027960edfaa6a43f9ca31081729b716598112b upstream.
syzbot found another add_timer() issue, this time in net/hsr [1]
Let's use mod_timer() which is safe.
[1]
kernel BUG at kernel/time/timer.c:1136!
invalid opcode: [#1] PREEMPT SMP KASAN
CPU: 0 PID: 15909 Comm: syz-executor.3 Not tainted 5.0.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
kobject: 'loop2' (f5629718): kobject_uevent_env
RIP: 0010:add_timer kernel/time/timer.c:1136 [inline]
RIP: 0010:add_timer+0x654/0xbe0 kernel/time/timer.c:1134
Code: 0f 94 c5 31 ff 44 89 ee e8 09 61 0f 00 45 84 ed 0f 84 77 fd ff ff e8 bb
5f 0f 00 e8 07 10 a0 ff e9 68 fd ff ff e8 ac 5f 0f 00 <0f> 0b e8 a5 5f 0f 00 0f
0b e8 9e 5f 0f 00 4c 89 b5 58 ff ff ff e9
RSP: 0018:8880656eeca0 EFLAGS: 00010246
kobject: 'loop2' (f5629718): fill_kobj_path: path =
'/devices/virtual/block/loop2'
RAX: 0004 RBX: 11100caddd9a RCX: c9000c436000
RDX: 0004 RSI: 816056c4 RDI: 88806a2f6cc8
RBP: 8880656eed58 R08: 888067f4a300 R09: 888067f4abc8
R10: R11: R12: 88806a2f6cc0
R13: dc00 R14: 0001 R15: 8880656eed30
FS: 7fc2019bf700() GS:8880ae80() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 00738000 CR3: 67e8e000 CR4: 001406f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
hsr_check_announce net/hsr/hsr_device.c:99 [inline]
hsr_check_carrier_and_operstate+0x567/0x6f0 net/hsr/hsr_device.c:120
hsr_netdev_notify+0x297/0xa00 net/hsr/hsr_main.c:51
notifier_call_chain+0xc7/0x240 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
call_netdevice_notifiers net/core/dev.c:1765 [inline]
dev_open net/core/dev.c:1436 [inline]
dev_open+0x143/0x160 net/core/dev.c:1424
team_port_add drivers/net/team/team.c:1203 [inline]
team_add_slave+0xa07/0x15d0 drivers/net/team/team.c:1933
do_set_master net/core/rtnetlink.c:2358 [inline]
do_set_master+0x1d4/0x230 net/core/rtnetlink.c:2332
do_setlink+0x966/0x3510 net/core/rtnetlink.c:2493
rtnl_setlink+0x271/0x3b0 net/core/rtnetlink.c:2747
rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192
netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xdd/0x130 net/socket.c:632
sock_write_iter+0x27c/0x3e0 net/socket.c:923
call_write_iter include/linux/fs.h:1869 [inline]
do_iter_readv_writev+0x5e0/0x8e0 fs/read_write.c:680
do_iter_write fs/read_write.c:956 [inline]
do_iter_write+0x184/0x610 fs/read_write.c:937
vfs_writev+0x1b3/0x2f0 fs/read_write.c:1001
do_writev+0xf6/0x290 fs/read_write.c:1036
__do_sys_writev fs/read_write.c:1109 [inline]
__se_sys_writev fs/read_write.c:1106 [inline]
__x64_sys_writev+0x75/0xb0 fs/read_write.c:1106
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457f29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83
7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fc2019bec78 EFLAGS: 0246 ORIG_RAX: 0014
RAX: ffda RBX: 0003 RCX: 00457f29
RDX: 0001 RSI: 20c0 RDI: 0003
RBP: 0073bf00 R08: R09:
R10: R11: 0246 R12: 7fc2019bf6d4
R13: 004c4a60 R14: 004dd218 R15:
Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless
Redundancy protocol (HSRv0)")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Cc: Arvid Brodin
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
net/hsr/hsr_device.c | 14 ++
1 file changed, 6 insertions(+), 8 deletions(-)
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -78,9 +78,8 @@ void hsr_check_announce(struct net_devic
if ((hsr_dev->operstate == IF_OPER_UP) && (old_operstate !=
IF_OPER_UP)) {
/* Went up */
hsr_priv->announce_count = 0;
- hsr_pr
[PATCH 3.16 113/129] kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Zev Weiss
commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream.
This bug has apparently existed since the introduction of this function
in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git,
"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of
neighbour sysctls.").
As a minimal fix we can simply duplicate the corresponding check in
do_proc_dointvec_conv().
Link: http://lkml.kernel.org/r/20190207123426.9202-3-...@bewilderbeest.net
Signed-off-by: Zev Weiss
Cc: Brendan Higgins
Cc: Iurii Zaikin
Cc: Kees Cook
Cc: Luis Chamberlain
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
kernel/sysctl.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2179,7 +2179,16 @@ static int do_proc_dointvec_minmax_conv(
{
struct do_proc_dointvec_minmax_conv_param *param = data;
if (write) {
- int val = *negp ? -*lvalp : *lvalp;
+ int val;
+ if (*negp) {
+ if (*lvalp > (unsigned long) INT_MAX + 1)
+ return -EINVAL;
+ val = -*lvalp;
+ } else {
+ if (*lvalp > (unsigned long) INT_MAX)
+ return -EINVAL;
+ val = *lvalp;
+ }
if ((param->min && *param->min > val) ||
(param->max && *param->max < val))
return -EINVAL;
[PATCH 3.16 019/129] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Gustavo A. R. Silva"
commit e2477233145f2156434afb799583bccd878f3e9f upstream.
Fix boolean expressions by using logical AND operator '&&' instead of
bitwise operator '&'.
This issue was detected with the help of Coccinelle.
Fixes: 4fa084af28ca ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.")
Signed-off-by: Gustavo A. R. Silva
[krzk: Fix -Wparentheses warning]
Signed-off-by: Krzysztof Kozlowski
Signed-off-by: Ben Hutchings
---
arch/arm/mach-s3c24xx/mach-osiris-dvs.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
+++ b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c
@@ -70,16 +70,16 @@ static int osiris_dvs_notify(struct noti
switch (val) {
case CPUFREQ_PRECHANGE:
- if (old_dvs & !new_dvs ||
- cur_dvs & !new_dvs) {
+ if ((old_dvs && !new_dvs) ||
+ (cur_dvs && !new_dvs)) {
pr_debug("%s: exiting dvs\n", __func__);
cur_dvs = false;
gpio_set_value(OSIRIS_GPIO_DVS, 1);
}
break;
case CPUFREQ_POSTCHANGE:
- if (!old_dvs & new_dvs ||
- !cur_dvs & new_dvs) {
+ if ((!old_dvs && new_dvs) ||
+ (!cur_dvs && new_dvs)) {
pr_debug("entering dvs\n");
cur_dvs = true;
gpio_set_value(OSIRIS_GPIO_DVS, 0);
[PATCH 3.16 123/129] fuse: Add FOPEN_STREAM to use stream_open()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Kirill Smelkov
commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream.
Starting from commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per
POSIX") files opened even via nonseekable_open gate read and write via lock
and do not allow them to be run simultaneously. This can create read vs
write deadlock if a filesystem is trying to implement a socket-like file
which is intended to be simultaneously used for both read and write from
filesystem client. See commit 10dce8af3422 ("fs: stream_open - opener for
stream-like files so that read and write can run simultaneously without
deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix deadlock
on writes to /proc/xen/xenbus") for a similar deadlock example on
/proc/xen/xenbus.
To avoid such deadlock it was tempting to adjust fuse_finish_open to use
stream_open instead of nonseekable_open on just FOPEN_NONSEEKABLE flags,
but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
and in particular GVFS which actually uses offset in its read and write
handlers
https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481
so if we would do such a change it will break a real user.
Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the
opened handler is having stream-like semantics; does not use file position
and thus the kernel is free to issue simultaneous read and write request on
opened file handle.
This patch together with stream_open() should be added to stable kernels
starting from v3.14+. This will allow to patch OSSPD and other FUSE
filesystems that provide stream-like files to return FOPEN_STREAM |
FOPEN_NONSEEKABLE in open handler and this way avoid the deadlock on all
kernel versions. This should work because fuse_finish_open ignores unknown
open flags returned from a filesystem and so passing FOPEN_STREAM to a
kernel that is not aware of this flag cannot hurt. In turn the kernel that
is not aware of FOPEN_STREAM will be < v3.14 where just FOPEN_NONSEEKABLE
is sufficient to implement streams without read vs write deadlock.
Cc: sta...@vger.kernel.org # v3.14+
Signed-off-by: Kirill Smelkov
Signed-off-by: Miklos Szeredi
Signed-off-by: Ben Hutchings
---
fs/fuse/file.c| 4 +++-
include/uapi/linux/fuse.h | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index bc8f5de48fd9..69e471b042a6 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -214,7 +214,9 @@ void fuse_finish_open(struct inode *inode, struct file
*file)
file->f_op = _direct_io_file_operations;
if (!(ff->open_flags & FOPEN_KEEP_CACHE))
invalidate_inode_pages2(inode->i_mapping);
- if (ff->open_flags & FOPEN_NONSEEKABLE)
+ if (ff->open_flags & FOPEN_STREAM)
+ stream_open(inode, file);
+ else if (ff->open_flags & FOPEN_NONSEEKABLE)
nonseekable_open(inode, file);
if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) {
struct fuse_inode *fi = get_fuse_inode(inode);
diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
index 25084a052a1e..cff91b018953 100644
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -205,10 +205,12 @@ struct fuse_file_lock {
* FOPEN_DIRECT_IO: bypass page cache for this open file
* FOPEN_KEEP_CACHE: don't invalidate the data cache on open
* FOPEN_NONSEEKABLE: the file is not seekable
+ * FOPEN_STREAM: the file is stream-like (no file position at all)
*/
#define FOPEN_DIRECT_IO(1 << 0)
#define FOPEN_KEEP_CACHE (1 << 1)
#define FOPEN_NONSEEKABLE (1 << 2)
+#define FOPEN_STREAM (1 << 4)
/**
* INIT request/reply flags
[PATCH 3.16 120/129] pptp: dst_release sk_dst_cache in pptp_sock_destruct
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Xin Long
commit 9417d81f4f8adfe20a12dd1fadf73a618cbd945d upstream.
sk_setup_caps() is called to set sk->sk_dst_cache in pptp_connect,
so we have to dst_release(sk->sk_dst_cache) in pptp_sock_destruct,
otherwise, the dst refcnt will leak.
It can be reproduced by this syz log:
r1 = socket$pptp(0x18, 0x1, 0x2)
bind$pptp(r1, &(0x7f000100)={0x18, 0x2, {0x0, @local}}, 0x1e)
connect$pptp(r1, &(0x7f00)={0x18, 0x2, {0x3, @remote}}, 0x1e)
Consecutive dmesg warnings will occur:
unregister_netdevice: waiting for lo to become free. Usage count = 1
v1->v2:
- use rcu_dereference_protected() instead of rcu_dereference_check(),
as suggested by Eric.
Fixes: 00959ade36ac ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
Reported-by: Xiumei Mu
Signed-off-by: Xin Long
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
drivers/net/ppp/pptp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -579,6 +579,7 @@ static void pptp_sock_destruct(struct so
pppox_unbind_sock(sk);
}
skb_queue_purge(>sk_receive_queue);
+ dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1));
}
static int pptp_create(struct net *net, struct socket *sock)
[PATCH 3.16 022/129] security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: NeilBrown
commit 7b20ea2579238f5e0da4bc93276c1b63c960c9ef upstream.
This allows MAY_NOT_BLOCK to be passed, in RCU-walk mode, through
the new avc_has_perm_flags() to avc_audit() and thence the slow_avc_audit.
Signed-off-by: NeilBrown
Signed-off-by: Al Viro
[bwh: Backported to 3.16 as dependency of commit 3a28cff3bd4b
"selinux: avoid silent denials in permissive mode under RCU walk"]
Signed-off-by: Ben Hutchings
---
security/selinux/avc.c | 18 +-
security/selinux/hooks.c | 2 +-
security/selinux/include/avc.h | 9 +++--
3 files changed, 25 insertions(+), 4 deletions(-)
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -768,7 +768,23 @@ int avc_has_perm(u32 ssid, u32 tsid, u16
rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, );
- rc2 = avc_audit(ssid, tsid, tclass, requested, , rc, auditdata);
+ rc2 = avc_audit(ssid, tsid, tclass, requested, , rc, auditdata, 0);
+ if (rc2)
+ return rc2;
+ return rc;
+}
+
+int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass,
+ u32 requested, struct common_audit_data *auditdata,
+ int flags)
+{
+ struct av_decision avd;
+ int rc, rc2;
+
+ rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, );
+
+ rc2 = avc_audit(ssid, tsid, tclass, requested, , rc,
+ auditdata, flags);
if (rc2)
return rc2;
return rc;
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1569,7 +1569,7 @@ static int cred_has_capability(const str
rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, );
if (audit == SECURITY_CAP_AUDIT) {
- int rc2 = avc_audit(sid, sid, sclass, av, , rc, );
+ int rc2 = avc_audit(sid, sid, sclass, av, , rc, , 0);
if (rc2)
return rc2;
}
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -130,7 +130,8 @@ static inline int avc_audit(u32 ssid, u3
u16 tclass, u32 requested,
struct av_decision *avd,
int result,
- struct common_audit_data *a)
+ struct common_audit_data *a,
+ int flags)
{
u32 audited, denied;
audited = avc_audit_required(requested, avd, result, 0, );
@@ -138,7 +139,7 @@ static inline int avc_audit(u32 ssid, u3
return 0;
return slow_avc_audit(ssid, tsid, tclass,
requested, audited, denied, result,
- a, 0);
+ a, flags);
}
#define AVC_STRICT 1 /* Ignore permissive mode. */
@@ -150,6 +151,10 @@ int avc_has_perm_noaudit(u32 ssid, u32 t
int avc_has_perm(u32 ssid, u32 tsid,
u16 tclass, u32 requested,
struct common_audit_data *auditdata);
+int avc_has_perm_flags(u32 ssid, u32 tsid,
+ u16 tclass, u32 requested,
+ struct common_audit_data *auditdata,
+ int flags);
u32 avc_policy_seqno(void);
[PATCH 3.16 108/129] lib/div64.c: off by one in shift
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Stanislaw Gruszka
commit cdc94a37493135e355dfc0b0e086d84e3eadb50d upstream.
fls counts bits starting from 1 to 32 (returns 0 for zero argument). If
we add 1 we shift right one bit more and loose precision from divisor,
what cause function incorect results with some numbers.
Corrected code was tested in user-space, see bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=202391
Link:
http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgrus...@redhat.com
Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms")
Signed-off-by: Stanislaw Gruszka
Reported-by: Siarhei Volkau
Tested-by: Siarhei Volkau
Acked-by: Oleg Nesterov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
lib/div64.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/lib/div64.c
+++ b/lib/div64.c
@@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divi
quot = div_u64_rem(dividend, divisor, );
*remainder = rem32;
} else {
- int n = 1 + fls(high);
+ int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
if (quot != 0)
@@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor)
if (high == 0) {
quot = div_u64(dividend, divisor);
} else {
- int n = 1 + fls(high);
+ int n = fls(high);
quot = div_u64(dividend >> n, divisor >> n);
if (quot != 0)
[PATCH 3.16 125/129] media: uvcvideo: Fix 'type' check leading to overflow
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alistair Strachan
commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.
When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.
If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.
Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.
Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.
Reported-by: syzbot
Signed-off-by: Alistair Strachan
Signed-off-by: Laurent Pinchart
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/usb/uvc/uvc_driver.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -977,11 +977,19 @@ static int uvc_parse_standard_control(st
return -EINVAL;
}
- /* Make sure the terminal type MSB is not null, otherwise it
-* could be confused with a unit.
+ /*
+* Reject invalid terminal types that would cause issues:
+*
+* - The high byte must be non-zero, otherwise it would be
+* confused with a unit.
+*
+* - Bit 15 must be 0, as we use it internally as a terminal
+* direction flag.
+*
+* Other unknown types are accepted.
*/
type = get_unaligned_le16([4]);
- if ((type & 0xff00) == 0) {
+ if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
"interface %d INPUT_TERMINAL %d has invalid "
"type 0x%04x, skipping\n", udev->devnum,
[PATCH 3.16 014/129] staging: iio: adt7316: fix dac_bits assignment
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jeremy Fertic
commit e9de475723de5bf207a5b7b88bdca863393e42c8 upstream.
The value of dac_bits is used in adt7316_show_DAC() and adt7316_store_DAC(),
and it should be either 8, 10, or 12 bits depending on the device in use. The
driver currently only assigns a value to dac_bits in
adt7316_store_da_high_resolution(). The purpose of the dac high resolution
option is not to change dac resolution for normal operation. Instead, it
is specific to an optional feature where one or two of the four dacs can
be set to output voltage proportional to temperature. If the user chooses
to set dac a and/or dac b to output voltage proportional to temperature,
the da_high_resolution attribute can optionally be enabled to use 10 bit
resolution rather than the default 8 bits. This is only available on the
10 and 12 bit dac devices. If the user attempts to read or write dacs a
or b under these settings, the driver's current behaviour is to return an
error. Dacs c and d continue to operate normally under these conditions.
With the above in mind, remove the dac_bits assignments from this function
since the value of dac_bits as used in the driver is not dependent on this
dac high resolution option.
Since the dac_bits assignments discussed above are currently the only ones
in this driver, the default value of dac_bits is 0. This results in incorrect
calculations when the dacs are read or written in adt7316_show_DAC() and
adt7316_store_DAC(). To correct this, assign a value to dac_bits in
adt7316_probe() to ensure correct operation as soon as the device is
registered and available to userspace.
Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver")
Signed-off-by: Jeremy Fertic
Signed-off-by: Jonathan Cameron
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/addac/adt7316.c | 18 +-
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/staging/iio/addac/adt7316.c
+++ b/drivers/staging/iio/addac/adt7316.c
@@ -654,15 +654,9 @@ static ssize_t adt7316_store_da_high_res
u8 config3;
int ret;
- chip->dac_bits = 8;
-
- if (buf[0] == '1') {
+ if (buf[0] == '1')
config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION;
- if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516)
- chip->dac_bits = 12;
- else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517)
- chip->dac_bits = 10;
- } else
+ else
config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION);
ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3);
@@ -2129,6 +2123,13 @@ int adt7316_probe(struct device *dev, st
else
return -ENODEV;
+ if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516)
+ chip->dac_bits = 12;
+ else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517)
+ chip->dac_bits = 10;
+ else
+ chip->dac_bits = 8;
+
chip->ldac_pin = adt7316_platform_data[1];
if (!chip->ldac_pin) {
chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA;
[PATCH 3.16 129/129] netns: provide pure entropy for net_hash_mix()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
commit 355b98553789b646ed97ad801a619ff898471b92 upstream.
net_hash_mix() currently uses kernel address of a struct net,
and is used in many places that could be used to reveal this
address to a patient attacker, thus defeating KASLR, for
the typical case (initial net namespace, _net is
not dynamically allocated)
I believe the original implementation tried to avoid spending
too many cycles in this function, but security comes first.
Also provide entropy regardless of CONFIG_NET_NS.
Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes")
Signed-off-by: Eric Dumazet
Reported-by: Amit Klein
Reported-by: Benny Pinkas
Cc: Pavel Emelyanov
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -54,6 +54,8 @@ struct net {
#endif
spinlock_t rules_mod_lock;
+ u32 hash_mix;
+
struct list_headlist; /* list of network namespaces */
struct list_headcleanup_list; /* namespaces on death row */
struct list_headexit_list; /* Use only net_mutex */
--- a/include/net/netns/hash.h
+++ b/include/net/netns/hash.h
@@ -1,21 +1,10 @@
#ifndef __NET_NS_HASH_H__
#define __NET_NS_HASH_H__
-#include
+#include
-struct net;
-
-static inline unsigned int net_hash_mix(struct net *net)
+static inline u32 net_hash_mix(const struct net *net)
{
-#ifdef CONFIG_NET_NS
- /*
-* shift this right to eliminate bits, that are
-* always zeroed
-*/
-
- return (unsigned)(((unsigned long)net) >> L1_CACHE_SHIFT);
-#else
- return 0;
-#endif
+ return net->hash_mix;
}
#endif
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -156,6 +156,7 @@ static __net_init int setup_net(struct n
atomic_set(>count, 1);
atomic_set(>passive, 1);
+ get_random_bytes(>hash_mix, sizeof(u32));
net->dev_base_seq = 1;
net->user_ns = user_ns;
[PATCH 3.16 006/129] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yangtao Li
commit cee82eb9532090cd1dc953e845d71f9b1445c84e upstream.
The of_find_compatible_node() returns a node pointer with refcount
incremented, but there is the lack of use of the of_node_put() when
done. Add the missing of_node_put() to release the refcount.
Signed-off-by: Yangtao Li
Fixes: e062b571777f ("clk: exynos4: register clocks using common clock
framework")
Signed-off-by: Stephen Boyd
Signed-off-by: Ben Hutchings
---
drivers/clk/samsung/clk-exynos4.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/clk/samsung/clk-exynos4.c
+++ b/drivers/clk/samsung/clk-exynos4.c
@@ -1032,6 +1032,7 @@ static unsigned long exynos4_get_xom(voi
xom = readl(chipid_base + 8);
iounmap(chipid_base);
+ of_node_put(np);
}
return xom;
[PATCH 3.16 126/129] mwifiex: Fix possible buffer overflows at parsing bss descriptor
3.16.70-rc1 review patch. If anyone has any objections, please let me know.
--
From: Takashi Iwai
commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 upstream.
mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size. Since the
source is given from user-space, this may trigger a heap buffer
overflow.
Fix it by putting the length check before performing memcpy().
This fix addresses CVE-2019-3846.
Reported-by: huangwen
Signed-off-by: Takashi Iwai
Signed-off-by: Kalle Valo
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/net/wireless/mwifiex/scan.c | 4
1 file changed, 4 insertions(+)
--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1171,6 +1171,8 @@ int mwifiex_update_bss_desc_with_ie(stru
}
switch (element_id) {
case WLAN_EID_SSID:
+ if (element_len > IEEE80211_MAX_SSID_LEN)
+ return -EINVAL;
bss_entry->ssid.ssid_len = element_len;
memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
element_len);
@@ -1180,6 +1182,8 @@ int mwifiex_update_bss_desc_with_ie(stru
break;
case WLAN_EID_SUPP_RATES:
+ if (element_len > MWIFIEX_SUPPORTED_RATES)
+ return -EINVAL;
memcpy(bss_entry->data_rates, current_ptr + 2,
element_len);
memcpy(bss_entry->supported_rates, current_ptr + 2,
