[PATCH 3.16 013/129] clk: dove: fix refcount leak in dove_clk_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit 8d726c5128298386b907963033be93407b0c4275 upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Reviewed-by: Gregory CLEMENT Fixes: 8f7fc5450b64 ("clk: mvebu: dove: maintain clock init order") Fixes: 63b8d92c793f ("clk: add Dove PLL divider support for GPU, VMeta and AXI clocks") Signed-off-by: Stephen Boyd [bwh: Backported to 3.16: There is no ddnp variable here] Signed-off-by: Ben Hutchings --- --- a/drivers/clk/mvebu/dove.c +++ b/drivers/clk/mvebu/dove.c @@ -187,7 +187,9 @@ static void __init dove_clk_init(struct mvebu_coreclk_setup(np, _coreclks); - if (cgnp) + if (cgnp) { mvebu_clk_gating_setup(cgnp, dove_gating_desc); + of_node_put(cgnp); + } } CLK_OF_DECLARE(dove_clk, "marvell,dove-core-clock", dove_clk_init);
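Review bot: of_node_put(cgnp) runs immediately after mvebu_clk_gating_setup(cgnp, dove_gating_desc), so the fix is only correct if the gating setup does not keep cgnp beyond the call without taking its own reference. That is not visible in this hunk and is worth confirming against the 3.16 tree. This backport also has no diffstat between the two --- lines, unlike most other patches in the series.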
[PATCH 3.16 012/129] clk: armada-xp: fix refcount leak in axp_clk_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit db20a90a4b6745dad62753f8bd2f66afdd5abc84 upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Reviewed-by: Gregory CLEMENT Fixes: 0a11a6ae9437 ("clk: mvebu: armada-xp: maintain clock init order") Signed-off-by: Stephen Boyd Signed-off-by: Ben Hutchings --- drivers/clk/mvebu/armada-xp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/clk/mvebu/armada-xp.c +++ b/drivers/clk/mvebu/armada-xp.c @@ -202,7 +202,9 @@ static void __init axp_clk_init(struct d mvebu_coreclk_setup(np, _coreclks); - if (cgnp) + if (cgnp) { mvebu_clk_gating_setup(cgnp, axp_gating_desc); + of_node_put(cgnp); + } } CLK_OF_DECLARE(axp_clk, "marvell,armada-xp-core-clock", axp_clk_init);
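Review bot: the release is added only in the final if (cgnp) block of axp_clk_init(); the context shows neither the of_find_compatible_node() call nor the code between it and this block, so check that no earlier return in the 3.16 version of the function skips the put. If there is one, the put belongs on that path as well.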
[PATCH 3.16 002/129] staging: iio: adt7316: invert the logic of the check for an ldac pin
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jeremy Fertic commit 85a1c11913312132d0800ca2c1c42a011f96ea92 upstream. ADT7316_DA_EN_VIA_DAC_LDCA is set when the dac and ldac registers are being used to update the dacs instead of the ldac pin. ADT7516_SEL_AIN3 is an adc input that shares the ldac pin. Only set these bits if an ldac pin is not being used. This could be backported to stable, but note there are various other bugs that probably make that a waste of time. Signed-off-by: Jeremy Fertic Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") Signed-off-by: Jonathan Cameron [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/staging/iio/addac/adt7316.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/staging/iio/addac/adt7316.c +++ b/drivers/staging/iio/addac/adt7316.c @@ -2130,7 +2130,7 @@ int adt7316_probe(struct device *dev, st return -ENODEV; chip->ldac_pin = adt7316_platform_data[1]; - if (chip->ldac_pin) { + if (!chip->ldac_pin) { chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA; if ((chip->id & ID_FAMILY_MASK) == ID_ADT75XX) chip->config1 |= ADT7516_SEL_AIN3;
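Review bot: the inverted test if (!chip->ldac_pin) in adt7316_probe() has no comment, and it reads backwards at first glance because the bits it sets are named after the DAC and LDAC registers rather than the pin. A one-line comment above the condition saying that ADT7316_DA_EN_VIA_DAC_LDCA and ADT7516_SEL_AIN3 apply only when no LDAC pin is in use would stop the condition being flipped back later.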
[PATCH 3.16 018/129] drm: Fix error handling in drm_legacy_addctx
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: YueHaibing commit c39191feed4540fed98badeb484833dcf659bb96 upstream. 'ctx->handle' is unsigned, it never less than zero. This patch use int 'tmp_handle' to handle the err condition. Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr") Signed-off-by: YueHaibing Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20181229024907.12852-1-yuehaib...@huawei.com [bwh: Backported to 3.16: We only have the "legacy" driver type here] Signed-off-by: Ben Hutchings --- drivers/gpu/drm/drm_context.c | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) --- a/drivers/gpu/drm/drm_context.c +++ b/drivers/gpu/drm/drm_context.c @@ -309,19 +309,22 @@ int drm_addctx(struct drm_device *dev, v { struct drm_ctx_list *ctx_entry; struct drm_ctx *ctx = data; + int tmp_handle; - ctx->handle = drm_ctxbitmap_next(dev); - if (ctx->handle == DRM_KERNEL_CONTEXT) { + tmp_handle = drm_ctxbitmap_next(dev); + if (tmp_handle == DRM_KERNEL_CONTEXT) { /* Skip kernel's context and get a new one. */ - ctx->handle = drm_ctxbitmap_next(dev); + tmp_handle = drm_ctxbitmap_next(dev); } - DRM_DEBUG("%d\n", ctx->handle); - if (ctx->handle < 0) { + DRM_DEBUG("%d\n", tmp_handle); + if (tmp_handle < 0) { DRM_DEBUG("Not enough free contexts.\n"); /* Should this return -EBUSY instead? */ - return -ENOMEM; + return tmp_handle; } + ctx->handle = tmp_handle; + ctx_entry = kmalloc(sizeof(*ctx_entry), GFP_KERNEL); if (!ctx_entry) { DRM_DEBUG("out of memory\n");
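Review bot: the error path now returns tmp_handle instead of -ENOMEM, which changes the error code callers of drm_addctx() see, yet the retained comment /* Should this return -EBUSY instead? */ still refers to the old fixed value. Drop or reword the comment and mention the changed return value in the commit message. DRM_DEBUG("%d\n", tmp_handle) also still runs before the < 0 check, so a failure logs a negative handle and then the "Not enough free contexts" message.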
[PATCH 3.16 003/129] staging: iio: adt7316: allow adt751x to use internal vref for all dacs
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jeremy Fertic commit 10bfe7cc1739c22f0aa296b39e53f61e9e3f4d99 upstream. With adt7516/7/9, internal vref is available for dacs a and b, dacs c and d, or all dacs. The driver doesn't currently support internal vref for all dacs. Change the else if to an if so both bits are checked rather than just one or the other. Signed-off-by: Jeremy Fertic Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings --- drivers/staging/iio/addac/adt7316.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/staging/iio/addac/adt7316.c +++ b/drivers/staging/iio/addac/adt7316.c @@ -1093,7 +1093,7 @@ static ssize_t adt7316_store_DAC_interna ldac_config = chip->ldac_config & (~ADT7516_DAC_IN_VREF_MASK); if (data & 0x1) ldac_config |= ADT7516_DAC_AB_IN_VREF; - else if (data & 0x2) + if (data & 0x2) ldac_config |= ADT7516_DAC_CD_IN_VREF; } else { ret = kstrtou8(buf, 16, );
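Review bot: with else if changed to if, both ADT7516_DAC_AB_IN_VREF and ADT7516_DAC_CD_IN_VREF can be set from data, but nothing in the visible lines rejects a value with bits above 0x3 set, so such input is silently treated as its low two bits. Consider returning -EINVAL when data & ~0x3 is non-zero.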
[PATCH 3.16 015/129] staging: iio: adt7316: fix handling of dac high resolution option
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jeremy Fertic commit 76b7fe8d6c4daf4db672eb953c892c6f6572a282 upstream. The adt7316/7 and adt7516/7 have the option to output voltage proportional to temperature on dac a and/or dac b. The default dac resolution in this mode is 8 bits with the dac high resolution option enabling 10 bits. None of these settings affect dacs c and d. Remove the "1 (12 bits)" output from the show function since that is not an option for this mode. Return "1 (10 bits)" if the device is one of the above mentioned chips and the dac high resolution mode is enabled. In the store function, the driver currently allows the user to write to the ADT7316_DA_HIGH_RESOLUTION bit regardless of the device in use. Add a check to return an error in the case of an adt7318 or adt7519. Remove the else statement that clears the ADT7316_DA_HIGH_RESOLUTION bit. Instead, clear it before conditionally enabling it, depending on user input. This matches the typical pattern in the driver when an attribute is a boolean. Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") Signed-off-by: Jeremy Fertic Signed-off-by: Jonathan Cameron [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/staging/iio/addac/adt7316.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) --- a/drivers/staging/iio/addac/adt7316.c +++ b/drivers/staging/iio/addac/adt7316.c @@ -635,9 +635,7 @@ static ssize_t adt7316_show_da_high_reso struct adt7316_chip_info *chip = iio_priv(dev_info); if (chip->config3 & ADT7316_DA_HIGH_RESOLUTION) { - if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) - return sprintf(buf, "1 (12 bits)\n"); - else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) + if (chip->id != ID_ADT7318 && chip->id != ID_ADT7519) return sprintf(buf, "1 (10 bits)\n"); } 
@@ -654,10 +652,12 @@ static ssize_t adt7316_store_da_high_res u8 config3; int ret; + if (chip->id == ID_ADT7318 || chip->id == ID_ADT7519) + return -EPERM; + + config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION); if (buf[0] == '1') - config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION; - else - config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION); + config3 |= ADT7316_DA_HIGH_RESOLUTION; ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3); if (ret)
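Review bot: in adt7316_store_da_high_resolution() the new early return uses -EPERM for ID_ADT7318 and ID_ADT7519, which normally signals a privilege failure rather than a feature the chip lacks; an error that says "not supported on this device" would be easier for userspace to interpret. In the show hunk the condition is now a negative match (chip->id != ID_ADT7318 && chip->id != ID_ADT7519), so any id added later reports "1 (10 bits)" by default. The buf[0] == '1' test is unchanged and still accepts any input that merely begins with '1'.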
[PATCH 3.16 000/129] 3.16.70-rc1 review
This is the start of the stable review cycle for the 3.16.70 release. There are 129 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.

Responses should be made by Tue Jul 09 20:00:00 UTC 2019. Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below.

Ben.

-

Aaro Koskinen (1):
      mmc: omap: fix the maximum timeout setting
         [a6327b5e57fdc679c842588c3be046c0b39cc127]

Aditya Pakki (1):
      md: Fix failed allocation of md_register_thread
         [e406f12dde1a8375d77ea02d91f313fb1a9c6aec]

Alistair Strachan (1):
      media: uvcvideo: Fix 'type' check leading to overflow
         [47bb117911b051bbc90764a8bff96543cbd2005f]

Aneesh Kumar K.V (1):
      powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search
         [3b4d07d2674f6b4a9281031f99d1f7efd325b16d]

Ard Biesheuvel (1):
      crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
         [eaf46edf6ea89675bd36245369c8de5063a0272c]

Arnd Bergmann (1):
      cpufreq: pxa2xx: remove incorrect __init annotation
         [9505b98ccddc454008ca7efff90044e3e857c827]

Axel Lin (1):
      regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
         [c25d47888f0fb3d836d68322d4aea2caf31a75a6]

Bart Van Assche (1):
      scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
         [32e36bfbcf31452a854263e7c7f32fbefc4b44d8]

Ben Hutchings (1):
      binder: Replace "%p" with "%pK" for stable
         [fdfb4a99b6ab8c393db19e3b92968b74ca2757b0, 19c987241ca1216a51118b2bd0185b8bc5081783, 7a4408c6bd3eb1dafba67986259191be081e3efb]

Buland Singh (1):
      hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable
         [24d48a61f230da130cc2ec2e526eacf229e3]

Christophe Leroy (4):
      powerpc/32: Clear on-stack exception marker upon exception return
         [9580b71b5a7863c24a9bd18bcd2ad759b86b1eff]
      powerpc/83xx: Also save/restore SPRG4-7 during suspend
         [36da5ff0bea2dc67298150ead8d8471575c54c7d]
      powerpc/irq: drop arch_early_irq_init()
         [607ea5090b3fb61fea1d0bc5278e6c1d40ab5bd6]
      powerpc/wii: properly disable use of BATs when requested.
         [6d183ca8baec983dc4208ca45ece3c36763df912]

Colin Ian King (4):
      rtc: 88pm80x: fix unintended sign extension
         [fb0b322537a831b5b0cb948c56f8f958ce493d3a]
      rtc: 88pm860x: fix unintended sign extension
         [dc9e47160626cdb58d5c39a4f43dcfdb27a5c004]
      rtc: ds1672: fix unintended sign extension
         [f0c04c276739ed8acbb41b4868e942a55b128dca]
      rtc: pm8xxx: fix unintended sign extension
         [e42280886018c6f77f0a90190f7cba344b0df3e0]

Dan Carpenter (1):
      xen, cpu_hotplug: Prevent an out of bounds access
         [201676095dda7e5b31a5e1d116d10fc22985075e]

Dan Robertson (1):
      btrfs: init csum_list before possible free
         [e49be14b8d80e23bb7c53d78c21717a474ade76b]

Daniel Axtens (1):
      bcache: never writeback a discard operation
         [9951379b0ca88c95876ad9778b9099e19a95d566]

Daniel Jordan (1):
      mm, swap: bounds check swap_info array accesses to avoid NULL derefs
         [c10d38cc8d3e43f946b6c2bf4602c86791587f30]

Doug Berger (1):
      irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code
         [33517881ede742107f416533b8c3e4abc56763da]

Eric Biggers (5):
      crypto: ahash - fix another early termination in hash walk
         [77568e535af7c4f97eaef1e555bf0af83772456c]
      crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
         [ba7d7433a0e998c902132bd47330e355a1eaa894]
      crypto: pcbc - remove bogus memcpy()s with src == dest
         [251b7aea34ba3c4d4fdfa9447695642eb8b8b098]
      crypto: testmgr - skip crc32c context test for ahash algorithms
         [eb5e6730db98fcc4b51148b4a819fa4bf864ae54]
      crypto: tgr192 - fix unaligned memory access
         [f990f7fb58ac8ac9a43316f09a48cff1a49dda42]

Eric Dumazet (6):
      gro_cells: make sure device is up in gro_cells_receive()
         [2a5ff07a0eb945f291e361aa6f6becca8340ba46]
      l2tp: fix infoleak in l2tp_ip6_recvmsg()
         [163d1c3d6f17556ed3c340d3789ea93be95d6c28]
      net/hsr: fix possible crash in add_timer()
         [1e027960edfaa6a43f9ca31081729b716598112b]
      netns: provide pure entropy for net_hash_mix()
         [355b98553789b646ed97ad801a619ff898471b92]
      tcp: refine memory limit test in tcp_fragment()
         [b6653b3629e5b88202be3c9abc44713973f5c4b4]
      vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
         [59cbf56fcd98ba2a715b6e97c4e43f773f956393]

Eric W. Biederman (1):
      fs/nfs: Fix nfs_parse_devna
[PATCH 3.16 017/129] staging: iio: adt7316: fix the dac write calculation
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jeremy Fertic commit 78accaea117c1ae878774974fab91ac4a0b0e2b0 upstream. The lsb calculation is not masking the correct bits from the user input. Subtract 1 from (1 << offset) to correctly set up the mask to be applied to user input. The lsb register stores its value starting at the bit 7 position. adt7316_store_DAC() currently assumes the value is at the other end of the register. Shift the lsb value before storing it in a new variable lsb_reg, and write this variable to the lsb register. Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") Signed-off-by: Jeremy Fertic Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings --- drivers/staging/iio/addac/adt7316.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/staging/iio/addac/adt7316.c +++ b/drivers/staging/iio/addac/adt7316.c @@ -1448,7 +1448,7 @@ static ssize_t adt7316_show_DAC(struct a static ssize_t adt7316_store_DAC(struct adt7316_chip_info *chip, int channel, const char *buf, size_t len) { - u8 msb, lsb, offset; + u8 msb, lsb, lsb_reg, offset; u16 data; int ret; @@ -1466,9 +1466,13 @@ static ssize_t adt7316_store_DAC(struct return -EINVAL; if (chip->dac_bits > 8) { - lsb = data & (1 << offset); + lsb = data & ((1 << offset) - 1); + if (chip->dac_bits == 12) + lsb_reg = lsb << ADT7316_DA_12_BIT_LSB_SHIFT; + else + lsb_reg = lsb << ADT7316_DA_10_BIT_LSB_SHIFT; ret = chip->bus.write(chip->bus.client, - ADT7316_DA_DATA_BASE + channel * 2, lsb); + ADT7316_DA_DATA_BASE + channel * 2, lsb_reg); if (ret) return -EIO; }
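Review bot: the new lines in adt7316_store_DAC() use ADT7316_DA_12_BIT_LSB_SHIFT and ADT7316_DA_10_BIT_LSB_SHIFT, but neither hunk defines them, so this backport builds only if the 3.16 driver already has both macros; please confirm. lsb and lsb_reg are both u8, so the shifted value is truncated to 8 bits on assignment, which is correct only while the shift plus the width of lsb fits in one byte. A short comment stating the register layout next to the shift would make that checkable.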
[PATCH 3.16 011/129] clk: kirkwood: fix refcount leak in kirkwood_clk_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit e7beeab9c61591cd0e690d8733d534c3f4278ff8 upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Reviewed-by: Gregory CLEMENT Fixes: 58d516ae95cb ("clk: mvebu: kirkwood: maintain clock init order") Signed-off-by: Stephen Boyd [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/clk/mvebu/kirkwood.c +++ b/drivers/clk/mvebu/kirkwood.c @@ -236,8 +236,11 @@ static void __init kirkwood_clk_init(str else mvebu_coreclk_setup(np, _coreclks); - if (cgnp) + if (cgnp) { mvebu_clk_gating_setup(cgnp, kirkwood_gating_desc); + + of_node_put(cgnp); + } } CLK_OF_DECLARE(kirkwood_clk, "marvell,kirkwood-core-clock", kirkwood_clk_init);
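Review bot: the hunk adds a stray empty line between mvebu_clk_gating_setup(cgnp, kirkwood_gating_desc) and of_node_put(cgnp), which the matching dove and armada-xp fixes in this series do not have. Dropping the blank + line keeps the three backports identical in shape. Like the dove patch, this one is also missing its diffstat.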
[PATCH 3.16 001/129] staging: iio: adt7316: fix register and bit definitions
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jeremy Fertic commit 53a6f022b4fe8645468adaffca901dbf8c3c547e upstream. Change two register addresses and one bit definition to match the datasheet. Note that there are many issues in this driver so I would not suggest backporting these fixes to stable trees. Signed-off-by: Jeremy Fertic Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") Signed-off-by: Jonathan Cameron Signed-off-by: Ben Hutchings --- drivers/staging/iio/addac/adt7316.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/staging/iio/addac/adt7316.c +++ b/drivers/staging/iio/addac/adt7316.c @@ -59,8 +59,8 @@ #define ADT7316_CONFIG10x18 #define ADT7316_CONFIG20x19 #define ADT7316_CONFIG30x1A -#define ADT7316_LDAC_CONFIG0x1B -#define ADT7316_DAC_CONFIG 0x1C +#define ADT7316_DAC_CONFIG 0x1B +#define ADT7316_LDAC_CONFIG0x1C #define ADT7316_INT_MASK1 0x1D #define ADT7316_INT_MASK2 0x1E #define ADT7316_IN_TEMP_OFFSET 0x1F @@ -117,7 +117,7 @@ */ #define ADT7316_ADCLK_22_5 0x1 #define ADT7316_DA_HIGH_RESOLUTION 0x2 -#define ADT7316_DA_EN_VIA_DAC_LDCA 0x4 +#define ADT7316_DA_EN_VIA_DAC_LDCA 0x8 #define ADT7516_AIN_IN_VREF0x10 #define ADT7316_EN_IN_TEMP_PROP_DACA 0x20 #define ADT7316_EN_EX_TEMP_PROP_DACB 0x40
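Review bot: ADT7316_DAC_CONFIG and ADT7316_LDAC_CONFIG swap addresses 0x1B and 0x1C, and ADT7316_DA_EN_VIA_DAC_LDCA moves from 0x4 to 0x8, with no comment tying the new values to the datasheet register map, so a later reader cannot tell which set is the correct one. A short comment citing the datasheet table next to these defines would help. The macro name also spells LDAC as LDCA; since other code in the driver uses the name, that is better left for a separate cleanup.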
[PATCH 3.16 028/129] media: v4l2: i2c: ov7670: Fix PLL bypass register values
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jacopo Mondi commit 61da76beef1e4f0b6ba7be4f8d0cf0dac7ce1f55 upstream. The following commits: commit f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675") commit 04ee6d92047e ("[media] media: ov7670: add possibility to bypass pll for ov7675") introduced the ability to bypass PLL multiplier and use input clock (xvclk) as pixel clock output frequency for ov7675 sensor. PLL is bypassed using register DBLV[7:6], according to ov7670 and ov7675 sensor manuals. Macros used to set DBLV register seem wrong in the driver, as their values do not match what reported in the datasheet. Fix by changing DBLV_* macros to use bits [7:6] and set bits [3:0] to default 0x0a reserved value (according to datasheets). While at there, remove a write to DBLV register in "ov7675_set_framerate()" that over-writes the previous one to the same register that takes "info->pll_bypass" flag into account instead of setting PLL multiplier to 4x unconditionally. And, while at there, since "info->pll_bypass" is only used in set/get_framerate() functions used by ov7675 only, it is not necessary to check for the device id at probe time to make sure that when using ov7670 "info->pll_bypass" is set to false. Fixes: f6dd927f34d6 ("[media] media: ov7670: calculate framerate properly for ov7675") Signed-off-by: Jacopo Mondi Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings --- drivers/media/i2c/ov7670.c | 16 ++-- 1 file changed, 6 insertions(+), 10 deletions(-) --- a/drivers/media/i2c/ov7670.c +++ b/drivers/media/i2c/ov7670.c 
@@ -167,10 +167,10 @@ MODULE_PARM_DESC(debug, "Debug level (0- #define REG_GFIX 0x69/* Fix gain control */ #define REG_DBLV 0x6b/* PLL control an debugging */ -#define DBLV_BYPASS0x00/* Bypass PLL */ -#define DBLV_X40x01/* clock x4 */ -#define DBLV_X60x10/* clock x6 */ -#define DBLV_X80x11/* clock x8 */ +#define DBLV_BYPASS0x0a/* Bypass PLL */ +#define DBLV_X40x4a/* clock x4 */ +#define DBLV_X60x8a/* clock x6 */ +#define DBLV_X80xca/* clock x8 */ #define REG_REG76 0x76/* OV's name */ #define R76_BLKPCOR0x80/* Black pixel correction enable */ @@ -845,7 +845,7 @@ static int ov7675_set_framerate(struct v if (ret < 0) return ret; - return ov7670_write(sd, REG_DBLV, DBLV_X4); + return 0; } static void ov7670_get_framerate_legacy(struct v4l2_subdev *sd, @@ -1552,11 +1552,7 @@ static int ov7670_probe(struct i2c_clien if (config->clock_speed) info->clock_speed = config->clock_speed; - /* -* It should be allowed for ov7670 too when it is migrated to -* the new frame rate formula. -*/ - if (config->pll_bypass && id->driver_data != MODEL_OV7670) + if (config->pll_bypass) info->pll_bypass = true; if (config->pclk_hb_disable)
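Review bot: each DBLV_* value now folds the reserved low nibble 0x0a into the PLL selection in bits [7:6] (0x0a, 0x4a, 0x8a, 0xca), which hides the field layout the commit message describes. Defining the reserved value and the PLL field separately, or at least noting the layout in the REG_DBLV comment, would make the values checkable against the datasheet. In ov7675_set_framerate() the tail is now if (ret < 0) return ret; followed by return 0;, which can be reduced to returning the preceding result if that call never returns a positive value.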
[PATCH 3.16 023/129] selinux: avoid silent denials in permissive mode under RCU walk
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Stephen Smalley commit 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e upstream. commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") results in no audit messages at all if in permissive mode because the cache is updated during the rcu walk and thus no denial occurs on the subsequent ref walk. Fix this by not updating the cache when performing a non-blocking permission check. This only affects search and symlink read checks during rcu walk. Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe") Reported-by: BMK Signed-off-by: Stephen Smalley Signed-off-by: Paul Moore [bwh: Backported to 3.16: - Add flags parameter to avc_update_node(), done upstream in commit fa1aa143ac4a "selinux: extended permissions for ioctls" - Adjust context] Signed-off-by: Ben Hutchings --- --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -528,6 +528,7 @@ static inline int avc_sidcmp(u32 x, u32 * @perms : Permission mask bits * @ssid,@tsid,@tclass : identifier of an AVC entry * @seqno : sequence number when decision was made + * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0. * * if a valid AVC entry doesn't exist,this function returns -ENOENT. * if kmalloc() called internal returns NULL, this function returns -ENOMEM. @@ -535,7 +536,7 @@ static inline int avc_sidcmp(u32 x, u32 * will release later by RCU. */ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass, - u32 seqno) + u32 seqno, unsigned int flags) { int hvalue, rc = 0; unsigned long flag; 
@@ -543,6 +544,23 @@ static int avc_update_node(u32 event, u3 struct hlist_head *head; spinlock_t *lock; + /* +* If we are in a non-blocking code path, e.g. VFS RCU walk, +* then we must not add permissions to a cache entry +* because we cannot safely audit the denial. Otherwise, +* during the subsequent blocking retry (e.g. VFS ref walk), we +* will find the permissions already granted in the cache entry +* and won't audit anything at all, leading to silent denials in +* permissive mode that only appear when in enforcing mode. +* +* See the corresponding handling in slow_avc_audit(), and the +* logic in selinux_inode_follow_link and selinux_inode_permission +* for the VFS MAY_NOT_BLOCK flag, which is transliterated into +* AVC_NONBLOCKING for avc_has_perm_noaudit(). +*/ + if (flags & AVC_NONBLOCKING) + return 0; + node = avc_alloc_node(); if (!node) { rc = -ENOMEM; @@ -690,7 +708,7 @@ static noinline int avc_denied(u32 ssid, return -EACCES; avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, - tsid, tclass, avd->seqno); + tsid, tclass, avd->seqno, flags); return 0; } @@ -701,7 +719,7 @@ static noinline int avc_denied(u32 ssid, * @tsid: target security identifier * @tclass: target security class * @requested: requested permissions, interpreted based on @tclass - * @flags: AVC_STRICT or 0 + * @flags: AVC_STRICT, AVC_NONBLOCKING, or 0 * @avd: access vector decisions * * Check the AVC to determine whether the @requested permissions are granted @@ -781,7 +799,9 @@ int avc_has_perm_flags(u32 ssid, u32 tsi struct av_decision avd; int rc, rc2; - rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, ); + rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, + (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, + ); rc2 = avc_audit(ssid, tsid, tclass, requested, , rc, auditdata, flags); --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -2818,7 +2818,9 @@ static int selinux_inode_permission(stru sid = cred_sid(cred); isec = inode->i_security; - rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, ); + rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, + (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0, + ); audited = avc_audit_required(perms, , rc, from_access ? FILE__AUDIT_ACCESS : 0, ); --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -143,6 +143,7 @@ static inline int avc_audit(u32 ssid, u3 } #define AVC_STRICT 1 /* Ignore permissive mode. */ +#define AVC_NONBLOCKING4 /* non blocking */ int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested, unsigned flags,
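Review bot: the kernel-doc line added for avc_update_node() lists AVC_EXTENDED_PERMS as an example flag, but the avc.h hunk defines only AVC_NONBLOCKING next to AVC_STRICT, and the backport note says only the flags parameter was taken from the extended-permissions commit. Drop AVC_EXTENDED_PERMS from that comment in this backport so it does not name a flag the hunks never introduce. AVC_NONBLOCKING is defined as 4 while AVC_STRICT is 1; a brief comment on why 2 is skipped would avoid someone reusing it. The early return 0 for AVC_NONBLOCKING is fine for avc_denied(), which ignores the return value in the visible call.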
[PATCH 3.16 031/129] ASoC: imx-sgtl5000: put of nodes if finding codec fails
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Stefan Agner commit d9866572486802bc598a3e8576a5231378d190de upstream. Make sure to properly put the of node in case finding the codec fails. Fixes: 81e8e4926167 ("ASoC: fsl: add sgtl5000 clock support for imx-sgtl5000") Signed-off-by: Stefan Agner Reviewed-by: Daniel Baluta Acked-by: Nicolin Chen Reviewed-by: Fabio Estevam Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings --- sound/soc/fsl/imx-sgtl5000.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/sound/soc/fsl/imx-sgtl5000.c +++ b/sound/soc/fsl/imx-sgtl5000.c @@ -118,7 +118,8 @@ static int imx_sgtl5000_probe(struct pla codec_dev = of_find_i2c_device_by_node(codec_np); if (!codec_dev) { dev_err(>dev, "failed to find codec platform device\n"); - return -EPROBE_DEFER; + ret = -EPROBE_DEFER; + goto fail; } data = devm_kzalloc(>dev, sizeof(*data), GFP_KERNEL);
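Review bot: the new goto fail in imx_sgtl5000_probe() depends on a label that is outside the visible context, so confirm that in 3.16 the fail path puts codec_np (and any other node taken earlier) and does nothing that assumes codec_dev or data is valid, since this jump happens before devm_kzalloc(). If the label also drops a device reference, it needs to tolerate codec_dev being NULL here.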
[PATCH 3.16 024/129] crypto: pcbc - remove bogus memcpy()s with src == dest
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 upstream. The memcpy()s in the PCBC implementation use walk->iv as both the source and destination, which has undefined behavior. These memcpy()'s are actually unneeded, because walk->iv is already used to hold the previous plaintext block XOR'd with the previous ciphertext block. Thus, walk->iv is already updated to its final value. So remove the broken and unnecessary memcpy()s. Fixes: 91652be5d1b9 ("[CRYPTO] pcbc: Add Propagated CBC template") Cc: David Howells Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- crypto/pcbc.c | 14 -- 1 file changed, 4 insertions(+), 10 deletions(-) --- a/crypto/pcbc.c +++ b/crypto/pcbc.c @@ -52,7 +52,7 @@ static int crypto_pcbc_encrypt_segment(s unsigned int nbytes = walk->nbytes; u8 *src = walk->src.virt.addr; u8 *dst = walk->dst.virt.addr; - u8 *iv = walk->iv; + u8 * const iv = walk->iv; do { crypto_xor(iv, src, bsize); @@ -76,7 +76,7 @@ static int crypto_pcbc_encrypt_inplace(s int bsize = crypto_cipher_blocksize(tfm); unsigned int nbytes = walk->nbytes; u8 *src = walk->src.virt.addr; - u8 *iv = walk->iv; + u8 * const iv = walk->iv; u8 tmpbuf[bsize]; do { @@ -89,8 +89,6 @@ static int crypto_pcbc_encrypt_inplace(s src += bsize; } while ((nbytes -= bsize) >= bsize); - memcpy(walk->iv, iv, bsize); - return nbytes; } @@ -130,7 +128,7 @@ static int crypto_pcbc_decrypt_segment(s unsigned int nbytes = walk->nbytes; u8 *src = walk->src.virt.addr; u8 *dst = walk->dst.virt.addr; - u8 *iv = walk->iv; + u8 * const iv = walk->iv; do { fn(crypto_cipher_tfm(tfm), dst, src); @@ -142,8 +140,6 @@ static int crypto_pcbc_decrypt_segment(s dst += bsize; } while ((nbytes -= bsize) >= bsize); - memcpy(walk->iv, iv, bsize); - return nbytes; } 
@@ -156,7 +152,7 @@ static int crypto_pcbc_decrypt_inplace(s int bsize = crypto_cipher_blocksize(tfm); unsigned int nbytes = walk->nbytes; u8 *src = walk->src.virt.addr; - u8 *iv = walk->iv; + u8 * const iv = walk->iv; u8 tmpbuf[bsize]; do { @@ -169,8 +165,6 @@ static int crypto_pcbc_decrypt_inplace(s src += bsize; } while ((nbytes -= bsize) >= bsize); - memcpy(walk->iv, iv, bsize); - return nbytes; }
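Review bot: the three removed memcpy(walk->iv, iv, bsize) calls were redundant only because iv never moves away from walk->iv, and the new u8 * const iv declarations are what now enforce that, but nothing in the code says so. A one-line comment at one of the declarations recording that walk->iv is updated in place would keep a later change from making iv a moving pointer again. crypto_pcbc_encrypt_segment() gets the const qualifier but has no memcpy() removed in the visible hunk, which is worth a sentence in the backport note if it differs from upstream.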
[PATCH 3.16 021/129] RDMA/ocrdma: Fix out of bounds index check in query pkey
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Gal Pressman commit b188940796c7be31c1b8c25a9a0e0842c2e7a49e upstream. The pkey table size is one element, index should be tested for > 0 instead of > 1. Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA adapter") Signed-off-by: Gal Pressman Signed-off-by: Jason Gunthorpe Signed-off-by: Ben Hutchings --- drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -39,7 +39,7 @@ int ocrdma_query_pkey(struct ib_device *ibdev, u8 port, u16 index, u16 *pkey) { - if (index > 1) + if (index > 0) return -EINVAL; *pkey = 0x;
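Review bot: the bound in ocrdma_query_pkey() is still a bare literal; index > 0 encodes a table length of one that appears nowhere else in the hunk. A named constant for the pkey table length, used both here and wherever the driver reports that length, would keep the check and the advertised size from drifting apart again.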
[PATCH 3.16 027/129] media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Paweł Chmiel commit 19c624c6b29e244c418f8b44a711cbf5e82e3cd4 upstream. This commit corrects max and step values for v4l2 control for V4L2_CID_JPEG_RESTART_INTERVAL. Max should be 0x and step should be 1. It was found by using v4l2-compliance tool and checking result of VIDIOC_QUERY_EXT_CTRL/QUERYMENU test. Previously it was complaining that step was bigger than difference between max and min. Fixes: 15f4bc3b1f42 ("[media] s5p-jpeg: Add JPEG controls support") Signed-off-by: Paweł Chmiel Reviewed-by: Jacek Anaszewski Reviewed-by: Sylwester Nawrocki Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings --- drivers/media/platform/s5p-jpeg/jpeg-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/media/platform/s5p-jpeg/jpeg-core.c +++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c @@ -1363,7 +1363,7 @@ static int s5p_jpeg_controls_create(stru v4l2_ctrl_new_std(>ctrl_handler, _jpeg_ctrl_ops, V4L2_CID_JPEG_RESTART_INTERVAL, - 0, 3, 0x, 0); + 0, 0x, 1, 0); if (ctx->jpeg->variant->version == SJPEG_S5P) mask = ~0x06; /* 422, 420 */ }
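Review bot: the bug in the V4L2_CID_JPEG_RESTART_INTERVAL call was a set of misplaced positional arguments to v4l2_ctrl_new_std(), whose trailing parameters are min, max, step and default, and the corrected line is just as easy to misread. A trailing comment on the argument line naming the four values would make the next transposition obvious in review. The return value of v4l2_ctrl_new_std() is not checked in the visible lines, so confirm the handler's error field is tested after all controls are created.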
[PATCH 3.16 032/129] m68k: Add -ffreestanding to CFLAGS
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Finn Thain commit 28713169d879b67be2ef2f84dcf54905de238294 upstream. This patch fixes a build failure when using GCC 8.1: /usr/bin/ld: block/partitions/ldm.o: in function `ldm_parse_tocblock': block/partitions/ldm.c:153: undefined reference to `strcmp' This is caused by a new optimization which effectively replaces a strncmp() call with a strcmp() call. This affects a number of strncmp() call sites in the kernel. The entire class of optimizations is avoided with -fno-builtin, which gets enabled by -ffreestanding. This may avoid possible future build failures in case new optimizations appear in future compilers. I haven't done any performance measurements with this patch but I did count the function calls in a defconfig build. For example, there are now 23 more sprintf() calls and 39 fewer strcpy() calls. The effect on the other libc functions is smaller. If this harms performance we can tackle that regression by optimizing the call sites, ideally using semantic patches. That way, clang and ICC builds might benefit too. Reference: https://marc.info/?l=linux-m68k=15451481644=2 Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Signed-off-by: Ben Hutchings --- arch/m68k/Makefile | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) --- a/arch/m68k/Makefile +++ b/arch/m68k/Makefile @@ -59,7 +59,10 @@ cpuflags-$(CONFIG_M5206e):= $(call cc-o cpuflags-$(CONFIG_M5206) := $(call cc-option,-mcpu=5206,-m5200) KBUILD_AFLAGS += $(cpuflags-y) -KBUILD_CFLAGS += $(cpuflags-y) -pipe +KBUILD_CFLAGS += $(cpuflags-y) + +KBUILD_CFLAGS += -pipe -ffreestanding + ifdef CONFIG_MMU # without -fno-strength-reduce the 53c7xx.c driver fails ;-( KBUILD_CFLAGS += -fno-strength-reduce -ffixed-a2
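Review bot: -ffreestanding is added to KBUILD_CFLAGS with no comment in the Makefile, although the neighbouring -fno-strength-reduce line carries one explaining why it is there. Add a short comment above the new line (GCC 8 replacing strncmp() with strcmp() calls, per the commit message) so the flag is not later removed as unnecessary. Moving -pipe onto the new line is unrelated to the fix and could stay where it was to keep the diff to one added flag.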
[PATCH 3.16 005/129] clk: socfpga: fix refcount leak
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit 7f9705beeb3759e69165e7aff588f6488ff6c1ac upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 5343325ff3dd ("clk: socfpga: add a clock driver for the Arria 10 platform") Fixes: a30d27ed739b ("clk: socfpga: fix clock driver for 3.15") Signed-off-by: Stephen Boyd [bwh: Backported to 3.16: drop changes in clk-pll-a10.c] Signed-off-by: Ben Hutchings --- --- a/drivers/clk/socfpga/clk-pll.c +++ b/drivers/clk/socfpga/clk-pll.c @@ -102,6 +102,7 @@ static __init struct clk *__socfpga_pll_ clkmgr_np = of_find_compatible_node(NULL, NULL, "altr,clk-mgr"); clk_mgr_base_addr = of_iomap(clkmgr_np, 0); + of_node_put(clkmgr_np); BUG_ON(!clk_mgr_base_addr); pll_clk->hw.reg = clk_mgr_base_addr + reg;
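Review bot: clkmgr_np is passed to of_iomap() and then to of_node_put() without a NULL check, so a missing "altr,clk-mgr" node is caught only indirectly by BUG_ON(!clk_mgr_base_addr). That predates this patch, but since the line is being touched, an explicit check on clkmgr_np right after of_find_compatible_node() would make the failure mode clear. Placing the put before the BUG_ON is fine because the mapping does not depend on the node reference in the visible lines.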
[PATCH 3.16 030/129] crypto: tgr192 - fix unaligned memory access
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit f990f7fb58ac8ac9a43316f09a48cff1a49dda42 upstream. Fix an unaligned memory access in tgr192_transform() by using the unaligned access helpers. Fixes: 06ace7a9bafe ("[CRYPTO] Use standard byte order macros wherever possible") Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings --- crypto/tgr192.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/crypto/tgr192.c +++ b/crypto/tgr192.c @@ -25,8 +25,9 @@ #include #include #include -#include #include +#include +#include #define TGR192_DIGEST_SIZE 24 #define TGR160_DIGEST_SIZE 20 @@ -468,10 +469,9 @@ static void tgr192_transform(struct tgr1 u64 a, b, c, aa, bb, cc; u64 x[8]; int i; - const __le64 *ptr = (const __le64 *)data; for (i = 0; i < 8; i++) - x[i] = le64_to_cpu(ptr[i]); + x[i] = get_unaligned_le64(data + i * sizeof(__le64)); /* save */ a = aa = tctx->a;
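Review bot: The replacement get_unaligned_le64(data + i * sizeof(__le64)) in tgr192_transform() only advances 8 bytes per iteration if data is a byte pointer, and the parameter list is cut off in the hunk header so its type cannot be confirmed here. Please confirm it is a u8 pointer; with any wider element type the stride would be scaled and the reads would run past the 64-byte block. Removing the __le64 pointer cast is the right fix for the alignment assumption, since the cast is what told the compiler an aligned load was safe.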
[PATCH 3.16 020/129] IB/usnic: Fix out of bounds index check in query pkey
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Gal Pressman commit 4959d5da5737dd804255c75b8cea0a2929ce279a upstream. The pkey table size is one element, index should be tested for > 0 instead of > 1. Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver") Signed-off-by: Gal Pressman Acked-by: Parvi Kaustubhi Signed-off-by: Jason Gunthorpe Signed-off-by: Ben Hutchings --- drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/infiniband/hw/usnic/usnic_ib_verbs.c +++ b/drivers/infiniband/hw/usnic/usnic_ib_verbs.c @@ -410,7 +410,7 @@ int usnic_ib_query_gid(struct ib_device int usnic_ib_query_pkey(struct ib_device *ibdev, u8 port, u16 index, u16 *pkey) { - if (index > 1) + if (index > 0) return -EINVAL; *pkey = 0x;
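Review bot: The bound in usnic_ib_query_pkey() is still a bare literal after the change ("if (index > 0)"), which is how an off-by-one against a one-entry pkey table went unnoticed in the first place. Suggest comparing against a named constant for the table length, shared with wherever the driver reports that length to the core, so the check and the advertised size cannot drift apart again.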
[PATCH 3.16 029/129] crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit ba7d7433a0e998c902132bd47330e355a1eaa894 upstream. Some algorithms have a ->setkey() method that is not atomic, in the sense that setting a key can fail after changes were already made to the tfm context. In this case, if a key was already set the tfm can end up in a state that corresponds to neither the old key nor the new key. It's not feasible to make all ->setkey() methods atomic, especially ones that have to key multiple sub-tfms. Therefore, make the crypto API set CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a key, to prevent the tfm from being used until a new key is set. Note: we can't set CRYPTO_TFM_NEED_KEY for OPTIONAL_KEY algorithms, so ->setkey() for those must nevertheless be atomic. That's fine for now since only the crc32 and crc32c algorithms set OPTIONAL_KEY, and it's not intended that OPTIONAL_KEY be used much. [Cc stable mainly because when introducing the NEED_KEY flag I changed AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG previously didn't have this problem. So these "incompletely keyed" states became theoretically accessible via AF_ALG -- though, the opportunities for causing real mischief seem pretty limited.] Fixes: 9fa68f620041 ("crypto: hash - prevent using keyed hashes without setting key") Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings --- crypto/ahash.c | 28 +++- crypto/shash.c | 18 +- 2 files changed, 32 insertions(+), 14 deletions(-) --- a/crypto/ahash.c +++ b/crypto/ahash.c 
@@ -200,6 +200,21 @@ static int ahash_setkey_unaligned(struct return ret; } +static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int keylen) +{ + return -ENOSYS; +} + +static void ahash_set_needkey(struct crypto_ahash *tfm) +{ + const struct hash_alg_common *alg = crypto_hash_alg_common(tfm); + + if (tfm->setkey != ahash_nosetkey && + !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) + crypto_ahash_set_flags(tfm, CRYPTO_TFM_NEED_KEY); +} + int crypto_ahash_setkey(struct crypto_ahash *tfm, const u8 *key, unsigned int keylen) { @@ -211,20 +226,16 @@ int crypto_ahash_setkey(struct crypto_ah else err = tfm->setkey(tfm, key, keylen); - if (err) + if (unlikely(err)) { + ahash_set_needkey(tfm); return err; + } crypto_ahash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY); return 0; } EXPORT_SYMBOL_GPL(crypto_ahash_setkey); -static int ahash_nosetkey(struct crypto_ahash *tfm, const u8 *key, - unsigned int keylen) -{ - return -ENOSYS; -} - static inline unsigned int ahash_align_buffer_size(unsigned len, unsigned long mask) { @@ -493,8 +504,7 @@ static int crypto_ahash_init_tfm(struct if (alg->setkey) { hash->setkey = alg->setkey; - if (!(alg->halg.base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) - crypto_ahash_set_flags(hash, CRYPTO_TFM_NEED_KEY); + ahash_set_needkey(hash); } if (alg->export) hash->export = alg->export; --- a/crypto/shash.c +++ b/crypto/shash.c @@ -52,6 +52,13 @@ static int shash_setkey_unaligned(struct return err; } +static void shash_set_needkey(struct crypto_shash *tfm, struct shash_alg *alg) +{ + if (crypto_shash_alg_has_setkey(alg) && + !(alg->base.cra_flags & CRYPTO_ALG_OPTIONAL_KEY)) + crypto_shash_set_flags(tfm, CRYPTO_TFM_NEED_KEY); +} + int crypto_shash_setkey(struct crypto_shash *tfm, const u8 *key, unsigned int keylen) { 
@@ -64,8 +71,10 @@ int crypto_shash_setkey(struct crypto_sh else err = shash->setkey(tfm, key, keylen); - if (err) + if (unlikely(err)) { + shash_set_needkey(tfm, shash); return err; + } crypto_shash_clear_flags(tfm, CRYPTO_TFM_NEED_KEY); return 0; @@ -367,7 +376,8 @@ int crypto_init_shash_ops_async(struct c crt->final = shash_async_final; crt->finup = shash_async_finup; crt->digest = shash_async_digest; - crt->setkey = shash_async_setkey; + if (crypto_shash_alg_has_setkey(alg)) + crt->setkey = shash_async_setkey; crypto_ahash_set_flags(crt, crypto_shash_get_flags(shash) & CRYPTO_TFM_NEED_KEY); @@ -534,9 +544,7 @@ static int crypto_shash_init_tfm(struct hash->descsize = alg->descsize; - if (crypto_shash_alg_has
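Review bot: ahash_set_needkey() keys its decision on "tfm->setkey != ahash_nosetkey", and the crypto_init_shash_ops_async() hunk now leaves crt->setkey untouched when the shash algorithm has no setkey, so the flag logic is only right if crt->setkey already holds ahash_nosetkey at that point. That default assignment is not in the visible lines; please reference it in the commit message or in a comment at the new "if (crypto_shash_alg_has_setkey(alg))". Separately, the message says ->setkey() for OPTIONAL_KEY algorithms must stay atomic because NEED_KEY cannot be set for them; that requirement belongs in a comment on ahash_set_needkey() and shash_set_needkey(), where someone adding an OPTIONAL_KEY algorithm will actually see it.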
[PATCH 3.16 033/129] pinctrl: sh-pfc: r8a7778: Fix HSPI pin numbers and names
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Geert Uytterhoeven commit 8e32e881947be98abaa917157fefc4a3319e90af upstream. When declaring the HSPI RX1_B and TX1_B pins, two mistakes were made: - the rows and columns in the BGA pin matrix, from which the pin numbers are derived, were exchanged, - it was not taken into account that pin row labelling skips characters I, O, Q, and S. Fix the order, and the corresponding pin names. Notes: - The actual values of the pin numbers don't really matter (they just have to be unique), so the wrong order didn't have any impact, - Changing the names of the pins is user-visible, but there are no users in (upstream) DTS files. Fixes: 4f82e3ee724f1712 ("sh-pfc: Support pins not associated with a GPIO port") Fixes: 09cc76a95802e87d ("sh-pfc: r8a7778: add HSPI pin groups") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Ben Hutchings --- drivers/pinctrl/sh-pfc/pfc-r8a7778.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/pinctrl/sh-pfc/pfc-r8a7778.c +++ b/drivers/pinctrl/sh-pfc/pfc-r8a7778.c @@ -1265,8 +1265,8 @@ static const struct sh_pfc_pin pinmux_pi /* Pins not associated with a GPIO port */ SH_PFC_PIN_NAMED(3, 20, C20), - SH_PFC_PIN_NAMED(20, 1, T1), - SH_PFC_PIN_NAMED(25, 2, Y2), + SH_PFC_PIN_NAMED(1, 20, A20), + SH_PFC_PIN_NAMED(2, 25, B25), }; /* - macro */ @@ -1401,7 +1401,7 @@ HSPI_PFC_DAT(hspi1_a, HSPI_CLK1_A,HSPI HSPI_RX1_A, HSPI_TX1_A); HSPI_PFC_PIN(hspi1_b, RCAR_GP_PIN(0, 27), RCAR_GP_PIN(0, 26), - PIN_NUMBER(20, 1), PIN_NUMBER(25, 2)); + PIN_NUMBER(1, 20), PIN_NUMBER(2, 25)); HSPI_PFC_DAT(hspi1_b, HSPI_CLK1_B,HSPI_CS1_B, HSPI_RX1_B, HSPI_TX1_B);
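Review bot: The pin table and the hspi1_b group hard-code the same pairs in two places, SH_PFC_PIN_NAMED(1, 20, A20) with PIN_NUMBER(1, 20) and SH_PFC_PIN_NAMED(2, 25, B25) with PIN_NUMBER(2, 25), and nothing in the code says how a BGA label maps to the two numbers. Suggest a comment above the "Pins not associated with a GPIO port" entries giving the argument order and the fact that row labelling skips I, O, Q and S, since both mistakes fixed here came from that mapping being undocumented. The message notes the rename is user-visible; a line in the comment that the names are referenced from DTS would flag that for future edits.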
[PATCH 3.16 039/129] mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: YueHaibing commit 32937a82f36c7bbe08db4052de94bc7ade4e3c51 upstream. Fix a static code checker warning: drivers/mtd/devices/docg3.c:1875 doc_probe_device() warn: passing zero to 'ERR_PTR' Fixes: ae9d4934b2d7 ("mtd: docg3: add multiple floor support") Signed-off-by: YueHaibing Acked-by: Robert Jarzmik Signed-off-by: Boris Brezillon Signed-off-by: Ben Hutchings --- drivers/mtd/devices/docg3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -1939,7 +1939,7 @@ nomem3: nomem2: kfree(docg3); nomem1: - return ERR_PTR(ret); + return ret ? ERR_PTR(ret) : NULL; } /**
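Review bot: With "return ret ? ERR_PTR(ret) : NULL;" at the nomem1 label, doc_probe_device() now has three possible results: a valid pointer, an ERR_PTR, and NULL when ret is 0. A caller that only tests IS_ERR() would treat NULL as success and dereference it, so the call site needs to be checked as part of this change, and the function's comment should say what a NULL return means. The commit message describes this only as silencing a checker warning, which undersells the change in the return contract.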
[PATCH 3.16 051/129] rtc: 88pm860x: fix unintended sign extension
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit dc9e47160626cdb58d5c39a4f43dcfdb27a5c004 upstream. Shifting a u8 by 24 will cause the value to be promoted to an integer. If the top bit of the u8 is set then the following conversion to an unsigned long will sign extend the value causing the upper 32 bits to be set in the result. Fix this by casting the u8 value to an unsigned long before the shift. Detected by CoverityScan, CID#144925-144928 ("Unintended sign extension") Fixes: 008b30408c40 ("mfd: Add rtc support to 88pm860x") Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/rtc-88pm860x.c | 21 ++--- 1 file changed, 14 insertions(+), 7 deletions(-) --- a/drivers/rtc/rtc-88pm860x.c +++ b/drivers/rtc/rtc-88pm860x.c @@ -115,11 +115,13 @@ static int pm860x_rtc_read_time(struct d pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf); dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]); - base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7]; + base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) | + (buf[5] << 8) | buf[7]; /* load 32-bit read-only counter */ pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf); - data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; + data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | + (buf[1] << 8) | buf[0]; ticks = base + data; dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", base, data, ticks); @@ -145,7 +147,8 @@ static int pm860x_rtc_set_time(struct de /* load 32-bit read-only counter */ pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf); - data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; + data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | + (buf[1] << 8) | buf[0]; base = ticks - data; dev_dbg(info->dev, "set base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", base, data, ticks); 
@@ -170,10 +173,12 @@ static int pm860x_rtc_read_alarm(struct pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf); dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]); - base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7]; + base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) | + (buf[5] << 8) | buf[7]; pm860x_bulk_read(info->i2c, PM8607_RTC_EXPIRE1, 4, buf); - data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; + data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | + (buf[1] << 8) | buf[0]; ticks = base + data; dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", base, data, ticks); @@ -198,11 +203,13 @@ static int pm860x_rtc_set_alarm(struct d pm860x_page_bulk_read(info->i2c, REG0_ADDR, 8, buf); dev_dbg(info->dev, "%x-%x-%x-%x-%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7]); - base = (buf[1] << 24) | (buf[3] << 16) | (buf[5] << 8) | buf[7]; + base = ((unsigned long)buf[1] << 24) | (buf[3] << 16) | + (buf[5] << 8) | buf[7]; /* load 32-bit read-only counter */ pm860x_bulk_read(info->i2c, PM8607_RTC_COUNTER1, 4, buf); - data = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; + data = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | + (buf[1] << 8) | buf[0]; ticks = base + data; dev_dbg(info->dev, "get base:0x%lx, RO count:0x%lx, ticks:0x%lx\n", base, data, ticks);
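Review bot: The same shift-and-or expression with the (unsigned long) cast is now repeated seven times across pm860x_rtc_read_time(), pm860x_rtc_set_time(), pm860x_rtc_read_alarm() and pm860x_rtc_set_alarm(), which is the pattern that let the promotion bug be copied everywhere to begin with. Suggest two small static helpers, one for the base layout (buf[1], buf[3], buf[5], buf[7]) and one for the counter layout (buf[3] down to buf[0]), so the cast lives in one place each. Casting only the "<< 24" operand is sufficient, because the other shifted bytes cannot reach bit 31 of the promoted int.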
[PATCH 3.16 048/129] USB: serial: cp210x: add ID for Ingenico 3070
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Ivan Mironov commit dd9d3d86b08d6a106830364879c42c78db85389c upstream. Here is how this device appears in kernel log: usb 3-1: new full-speed USB device number 18 using xhci_hcd usb 3-1: New USB device found, idVendor=0b00, idProduct=3070 usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 3-1: Product: Ingenico 3070 usb 3-1: Manufacturer: Silicon Labs usb 3-1: SerialNumber: 0001 Apparently this is a POS terminal with embedded USB-to-Serial converter. Signed-off-by: Ivan Mironov Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings --- drivers/usb/serial/cp210x.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -57,6 +57,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ + { USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */ { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */
[PATCH 3.16 042/129] devres: always use dev_name() in devm_ioremap_resource()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Sergei Shtylyov commit 8d84b18f5678d3adfdb9375dfb0d968da2dc753d upstream. devm_ioremap_resource() prefers calling devm_request_mem_region() with a resource name instead of a device name -- this looks pretty iff a resource name isn't specified via a device tree with a "reg-names" property (in this case, a resource name is set to a device node's full name), but if it is, it doesn't really scale since these names are only unique to a given device node, not globally; so, looking at the output of 'cat /proc/iomem', you do not have an idea which memory region belongs to which device (see "dirmap", "regs", and "wbuf" lines below): 0800-0bff : dirmap 4800-bfff : System RAM 4800-48007fff : reserved 4808-48b0 : Kernel code 48b1-48b8 : reserved 48b9-48c7afff : Kernel data bc6a4000-bcbf : reserved bcc0f000-bebf : reserved bec0e000-bec0efff : reserved bec11000-bec11fff : reserved bec12000-bec14fff : reserved bec15000-bfff : reserved e605-e605004f : gpio@e605 e6051000-e605104f : gpio@e6051000 e6052000-e605204f : gpio@e6052000 e6053000-e605304f : gpio@e6053000 e6054000-e605404f : gpio@e6054000 e6055000-e605504f : gpio@e6055000 e606-e606050b : pin-controller@e606 e6e6-e6e6003f : e6e6.serial e740-e7400fff : ethernet@e740 ee20-ee2001ff : regs ee208000-ee2080ff : wbuf I think that devm_request_mem_region() should be called with dev_name() despite the region names won't look as pretty as before (however, we gain more consistency with e.g. 
the serial driver: 0800-0bff : ee20.rpc 4800-bfff : System RAM 4800-48007fff : reserved 4808-48b0 : Kernel code 48b1-48b8 : reserved 48b9-48c7afff : Kernel data bc6a4000-bcbf : reserved bcc0f000-bebf : reserved bec0e000-bec0efff : reserved bec11000-bec11fff : reserved bec12000-bec14fff : reserved bec15000-bfff : reserved e605-e605004f : e605.gpio e6051000-e605104f : e6051000.gpio e6052000-e605204f : e6052000.gpio e6053000-e605304f : e6053000.gpio e6054000-e605404f : e6054000.gpio e6055000-e605504f : e6055000.gpio e606-e606050b : e606.pin-controller e6e6-e6e6003f : e6e6.serial e740-e7400fff : e740.ethernet ee20-ee2001ff : ee20.rpc ee208000-ee2080ff : ee20.rpc Fixes: 72f8c0bfa0de ("lib: devres: add convenience function to remap a resource") Signed-off-by: Sergei Shtylyov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- lib/devres.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/lib/devres.c +++ b/lib/devres.c @@ -109,7 +109,6 @@ EXPORT_SYMBOL(devm_iounmap); void __iomem *devm_ioremap_resource(struct device *dev, struct resource *res) { resource_size_t size; - const char *name; void __iomem *dest_ptr; BUG_ON(!dev); @@ -120,9 +119,8 @@ void __iomem *devm_ioremap_resource(stru } size = resource_size(res); - name = res->name ?: dev_name(dev); - if (!devm_request_mem_region(dev, res->start, size, name)) { + if (!devm_request_mem_region(dev, res->start, size, dev_name(dev))) { dev_err(dev, "can't request region for resource %pR\n", res); return IOMEM_ERR_PTR(-EBUSY); }
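Review bot: Passing dev_name(dev) unconditionally to devm_request_mem_region() makes every region of a multi-resource device carry the same label, as the "after" listing in the commit message itself shows: the lines that were "regs" and "wbuf" both become ee20.rpc. That trades one ambiguity (which device) for another (which region of the device). Was a combined name built from both dev_name(dev) and res->name considered? If the plain device name is preferred for consistency with the serial driver, please say in the message that the per-resource name is dropped on purpose.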
[PATCH 3.16 037/129] mtd: docg3: Don't leak docg3->bbt in error path
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Richard Weinberger commit 45c2ebd702a468d5037cf16aa4f8ea8d67776f6a upstream. Signed-off-by: Richard Weinberger Signed-off-by: Brian Norris Signed-off-by: Ben Hutchings --- drivers/mtd/devices/docg3.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/mtd/devices/docg3.c +++ b/drivers/mtd/devices/docg3.c @@ -1907,7 +1907,7 @@ doc_probe_device(struct docg3_cascade *c ret = 0; if (chip_id != (u16)(~chip_id_inv)) { - goto nomem3; + goto nomem4; } switch (chip_id) { @@ -1917,7 +1917,7 @@ doc_probe_device(struct docg3_cascade *c break; default: doc_err("Chip id %04x is not a DiskOnChip G3 chip\n", chip_id); - goto nomem3; + goto nomem4; } doc_set_driver_info(chip_id, mtd); @@ -1926,6 +1926,8 @@ doc_probe_device(struct docg3_cascade *c doc_reload_bbt(docg3); return mtd; +nomem4: + kfree(docg3->bbt); nomem3: kfree(mtd); nomem2:
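Review bot: The commit message has no body, so there is nothing stating where docg3->bbt is allocated or why these two exits are the ones that leak it. Both "goto nomem4" sites are chip-id rejections rather than allocation failures, and the first is reached with ret set to 0 just above it, so the label name and the return value on this path deserve a sentence each. The hunk does not show the bbt allocation; please confirm both gotos come after it and that no earlier error exit should also use the new label, although kfree() on a still-NULL pointer would be harmless.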
[PATCH 3.16 007/129] clk: imx6q: fix refcount leak in imx6q_clocks_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit c9ec1d8fef31b5fc9e90e99f9bd685db5caa7c5e upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 2acd1b6f889c ("ARM: i.MX6: implement clocks using common clock framework") Signed-off-by: Stephen Boyd [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- arch/arm/mach-imx/clk-imx6q.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/arm/mach-imx/clk-imx6q.c +++ b/arch/arm/mach-imx/clk-imx6q.c @@ -157,6 +157,7 @@ static void __init imx6q_clocks_init(str np = of_find_compatible_node(NULL, NULL, "fsl,imx6q-anatop"); base = of_iomap(np, 0); WARN_ON(!base); + of_node_put(np); /* Audio/video PLL post dividers do not work on i.MX6q revision 1.0 */ if (cpu_is_imx6q() && imx_get_soc_revision() == IMX_CHIP_REVISION_1_0) {
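Review bot: In imx6q_clocks_init() np is never checked before of_iomap(np, 0), and the only guard is WARN_ON(!base), after which execution continues with a NULL base. The new of_node_put(np) is correctly placed after the last visible use of np, but a missing "fsl,imx6q-anatop" node then surfaces only as a warning about base followed by register accesses through it. An explicit check on np, or at least a comment that failure here is considered fatal for boot, would make the intent clear.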
[PATCH 3.16 043/129] crypto: testmgr - skip crc32c context test for ahash algorithms
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit eb5e6730db98fcc4b51148b4a819fa4bf864ae54 upstream. Instantiating "cryptd(crc32c)" causes a crypto self-test failure because the crypto_alloc_shash() in alg_test_crc32c() fails. This is because cryptd(crc32c) is an ahash algorithm, not a shash algorithm; so it can only be accessed through the ahash API, unlike shash algorithms which can be accessed through both the ahash and shash APIs. As the test is testing the shash descriptor format which is only applicable to shash algorithms, skip it for ahash algorithms. (Note that it's still important to fix crypto self-test failures even for weird algorithm instantiations like cryptd(crc32c) that no one would really use; in fips_enabled mode unprivileged users can use them to panic the kernel, and also they prevent treating a crypto self-test failure as a bug when fuzzing the kernel.) Fixes: 8e3ee85e68c5 ("crypto: crc32c - Test descriptor context format") Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings --- crypto/testmgr.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -1655,14 +1655,21 @@ static int alg_test_crc32c(const struct err = alg_test_hash(desc, driver, type, mask); if (err) - goto out; + return err; tfm = crypto_alloc_shash(driver, type, mask); if (IS_ERR(tfm)) { + if (PTR_ERR(tfm) == -ENOENT) { + /* +* This crc32c implementation is only available through +* ahash API, not the shash API, so the remaining part +* of the test is not applicable to it. +*/ + return 0; + } printk(KERN_ERR "alg: crc32c: Failed to load transform for %s: " "%ld\n", driver, PTR_ERR(tfm)); - err = PTR_ERR(tfm); - goto out; + return PTR_ERR(tfm); } do { @@ -1691,7 +1698,6 @@ static int alg_test_crc32c(const struct crypto_free_shash(tfm); -out: return err; }
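Review bot: The new -ENOENT branch after crypto_alloc_shash() in alg_test_crc32c() returns 0 without logging anything, so a skipped descriptor-format test is indistinguishable from a passed one in the kernel log. Since the message points out that self-test results matter in fips_enabled mode and for fuzzing, a pr_debug() naming the driver at that return would make the skip auditable. The conversion from "goto out" to direct returns is fine, as the removed label did nothing but return err.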
[PATCH 3.16 041/129] ext2: Fix underflow in ext2_max_size()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Kara commit 1c2d14212b15a60300a2d4f6364753e87394c521 upstream. When ext2 filesystem is created with 64k block size, ext2_max_size() will return value less than 0. Also, we cannot write any file in this fs since the sb->maxbytes is less than 0. The core of the problem is that the size of block index tree for such large block size is more than i_blocks can carry. So fix the computation to count with this possibility. File size limits computed with the new function for the full range of possible block sizes look like: bits file_size 10 17247252480 11275415851008 12 2196873666560 13 2197948973056 14 2198486220800 15 2198754754560 16 219906752 Reported-by: yangerkun Signed-off-by: Jan Kara Signed-off-by: Ben Hutchings --- fs/ext2/super.c | 39 +-- 1 file changed, 25 insertions(+), 14 deletions(-) --- a/fs/ext2/super.c +++ b/fs/ext2/super.c @@ -701,7 +701,8 @@ static loff_t ext2_max_size(int bits) { loff_t res = EXT2_NDIR_BLOCKS; int meta_blocks; - loff_t upper_limit; + unsigned int upper_limit; + unsigned int ppb = 1 << (bits-2); /* This is calculated to be the largest file size for a * dense, file such that the total number of 
@@ -715,24 +716,34 @@ static loff_t ext2_max_size(int bits) /* total blocks in file system block size */ upper_limit >>= (bits - 9); - - /* indirect blocks */ - meta_blocks = 1; - /* double indirect blocks */ - meta_blocks += 1 + (1LL << (bits-2)); - /* tripple indirect blocks */ - meta_blocks += 1 + (1LL << (bits-2)) + (1LL << (2*(bits-2))); - - upper_limit -= meta_blocks; - upper_limit <<= bits; - + /* Compute how many blocks we can address by block tree */ res += 1LL << (bits-2); res += 1LL << (2*(bits-2)); res += 1LL << (3*(bits-2)); + /* Does block tree limit file size? */ + if (res < upper_limit) + goto check_lfs; + + res = upper_limit; + /* How many metadata blocks are needed for addressing upper_limit? */ + upper_limit -= EXT2_NDIR_BLOCKS; + /* indirect blocks */ + meta_blocks = 1; + upper_limit -= ppb; + /* double indirect blocks */ + if (upper_limit < ppb * ppb) { + meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb); + res -= meta_blocks; + goto check_lfs; + } + meta_blocks += 1 + ppb; + upper_limit -= ppb * ppb; + /* tripple indirect blocks for the rest */ + meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) + + DIV_ROUND_UP(upper_limit, ppb*ppb); + res -= meta_blocks; +check_lfs: res <<= bits; - if (res > upper_limit) - res = upper_limit; - if (res > MAX_LFS_FILESIZE) res = MAX_LFS_FILESIZE;
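Review bot: upper_limit is now unsigned int, and on the new path the first two subtractions ("upper_limit -= EXT2_NDIR_BLOCKS;" and "upper_limit -= ppb;") are unguarded, so they depend on upper_limit being at least that large for every supported block size. Only the ppb * ppb step is protected by the preceding comparison. An unsigned wrap here would silently yield a huge limit, which is the same class of bug this patch fixes, so please add a comment stating the invariant or an explicit check. The "tripple" spelling in the relocated comment could be corrected while the line is being moved.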
[PATCH 3.16 040/129] tty: ipwireless: Fix potential NULL pointer dereference
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: YueHaibing commit 7dd50e205b3348dc7784efbdf85723551de64a25 upstream. There is a potential NULL pointer dereference in case alloc_ctrl_packet() fails and returns NULL. Fixes: 099dc4fb6265 ("ipwireless: driver for PC Card 3G/UMTS modem") Signed-off-by: YueHaibing Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/tty/ipwireless/hardware.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/tty/ipwireless/hardware.c +++ b/drivers/tty/ipwireless/hardware.c @@ -1515,6 +1515,8 @@ static void ipw_send_setup_packet(struct sizeof(struct ipw_setup_get_version_query_packet), ADDR_SETUP_PROT, TL_PROTOCOLID_SETUP, TL_SETUP_SIGNO_GET_VERSION_QRY); + if (!ver_packet) + return; ver_packet->header.length = sizeof(struct tl_setup_get_version_qry); /*
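Review bot: The added "if (!ver_packet) return;" in ipw_send_setup_packet() fixes the dereference but fails silently: the version query is never sent and nothing is logged or retried. Because the function returns void the caller cannot react, so at minimum an error message at this return would let a stalled setup be traced back to the allocation failure. Please also check whether the function allocates other control packets the same way further down, since the hunk only shows this one.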
[PATCH 3.16 050/129] crypto: ahash - fix another early termination in hash walk
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit 77568e535af7c4f97eaef1e555bf0af83772456c upstream. Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and "michael_mic", fail the improved hash tests because they sometimes produce the wrong digest. The bug is that in the case where a scatterlist element crosses pages, not all the data is actually hashed because the scatterlist walk terminates too early. This happens because the 'nbytes' variable in crypto_hash_walk_done() is assigned the number of bytes remaining in the page, then later interpreted as the number of bytes remaining in the scatterlist element. Fix it. Fixes: 900a081f6912 ("crypto: ahash - Fix early termination in hash walk") Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings --- crypto/ahash.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) --- a/crypto/ahash.c +++ b/crypto/ahash.c @@ -84,17 +84,17 @@ static int hash_walk_new_entry(struct cr int crypto_hash_walk_done(struct crypto_hash_walk *walk, int err) { unsigned int alignmask = walk->alignmask; - unsigned int nbytes = walk->entrylen; walk->data -= walk->offset; - if (nbytes && walk->offset & alignmask && !err) { - walk->offset = ALIGN(walk->offset, alignmask + 1); - nbytes = min(nbytes, -((unsigned int)(PAGE_SIZE)) - walk->offset); - walk->entrylen -= nbytes; + if (walk->entrylen && (walk->offset & alignmask) && !err) { + unsigned int nbytes; + walk->offset = ALIGN(walk->offset, alignmask + 1); + nbytes = min(walk->entrylen, +(unsigned int)(PAGE_SIZE - walk->offset)); if (nbytes) { + walk->entrylen -= nbytes; walk->data += walk->offset; return nbytes; } @@ -114,7 +114,7 @@ int crypto_hash_walk_done(struct crypto_ if (err) return err; - if (nbytes) { + if (walk->entrylen) { walk->offset = 0; walk->pg++; return hash_walk_next(walk);
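Review bot: The whole fix in crypto_hash_walk_done() rests on nbytes now meaning "bytes left in the current page, capped by walk->entrylen" while walk->entrylen alone decides whether to move to the next page, yet the code has no comment recording that distinction. Since conflating the two was the bug, and this is the second early-termination fix in the same function per the Fixes tag, a two-line comment at the declaration of nbytes would be cheap insurance. Moving "walk->entrylen -= nbytes" inside "if (nbytes)" is correct; please mention in the message that the old code decremented it even when nothing was returned.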
[PATCH 3.16 034/129] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Buland Singh commit 24d48a61f230da130cc2ec2e526eacf229e3 upstream. Commit '3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for user processes")' introduced a new kernel command line parameter hpet_mmap, that is required to expose the memory map of the HPET registers to user-space. Unfortunately the kernel command line parameter 'hpet_mmap' is broken and never takes effect due to missing '=' character in the __setup() code of hpet_mmap_enable. Before this patch: dmesg output with the kernel command line parameter hpet_mmap=1 [0.204152] HPET mmap disabled dmesg output with the kernel command line parameter hpet_mmap=0 [0.204192] HPET mmap disabled After this patch: dmesg output with the kernel command line parameter hpet_mmap=1 [0.203945] HPET mmap enabled dmesg output with the kernel command line parameter hpet_mmap=0 [0.204652] HPET mmap disabled Fixes: 3d035f580699 ("drivers/char/hpet.c: allow user controlled mmap for user processes") Signed-off-by: Buland Singh Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/char/hpet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/char/hpet.c +++ b/drivers/char/hpet.c @@ -377,7 +377,7 @@ static __init int hpet_mmap_enable(char pr_info("HPET mmap %s\n", hpet_mmap_enabled ? "enabled" : "disabled"); return 1; } -__setup("hpet_mmap", hpet_mmap_enable); +__setup("hpet_mmap=", hpet_mmap_enable); static int hpet_mmap(struct file *file, struct vm_area_struct *vma) {
[PATCH 3.16 054/129] bcache: never writeback a discard operation
/msg06996.html Previous reports: - https://bugzilla.kernel.org/show_bug.cgi?id=201051 - https://bugzilla.kernel.org/show_bug.cgi?id=196103 - https://www.spinics.net/lists/linux-bcache/msg06885.html (Coly Li: minor modification to follow maximum 75 chars per line rule) Cc: Kent Overstreet Fixes: 72c270612bd3 ("bcache: Write out full stripes") Signed-off-by: Daniel Axtens Signed-off-by: Coly Li Signed-off-by: Jens Axboe [bwh: Backported to 3.16: check REQ_DISCARD flag instead of calling bio_op()] Signed-off-by: Ben Hutchings --- drivers/md/bcache/writeback.h | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/md/bcache/writeback.h +++ b/drivers/md/bcache/writeback.h @@ -68,6 +68,9 @@ static inline bool should_writeback(stru in_use > CUTOFF_WRITEBACK_SYNC) return false; + if (bio->bi_rw & REQ_DISCARD) + return false; + if (dc->partial_stripes_expensive && bcache_dev_stripe_dirty(dc, bio->bi_iter.bi_sector, bio_sectors(bio)))
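Review bot: The new "if (bio->bi_rw & REQ_DISCARD) return false;" in should_writeback() has no comment, and unlike the cutoff test above it the reason is not obvious from the code. Suggest one line saying why a discard must never be queued for writeback, with a pointer to the bug reports listed in the message. The backport note says this tests the REQ_DISCARD flag instead of calling bio_op(); placing the test before the partial_stripes_expensive branch is right, because that branch can return true.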
[PATCH 3.16 047/129] rtc: ds1672: fix unintended sign extension
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit f0c04c276739ed8acbb41b4868e942a55b128dca upstream. Shifting a u8 by 24 will cause the value to be promoted to an integer. If the top bit of the u8 is set then the following conversion to an unsigned long will sign extend the value causing the upper 32 bits to be set in the result. Fix this by casting the u8 value to an unsigned long before the shift. Detected by CoverityScan, CID#138801 ("Unintended sign extension") Fixes: edf1aaa31fc5 ("[PATCH] RTC subsystem: DS1672 driver") Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/rtc-ds1672.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/rtc/rtc-ds1672.c +++ b/drivers/rtc/rtc-ds1672.c @@ -60,7 +60,8 @@ static int ds1672_get_datetime(struct i2 "%s: raw read data - counters=%02x,%02x,%02x,%02x\n", __func__, buf[0], buf[1], buf[2], buf[3]); - time = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]; + time = ((unsigned long)buf[3] << 24) | (buf[2] << 16) | + (buf[1] << 8) | buf[0]; rtc_time_to_tm(time, tm);
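Review bot: In ds1672_get_datetime() the four bytes are assembled with buf[0] as the least significant byte, which is a plain little-endian 32-bit load, so get_unaligned_le32(buf) would express this directly and return a u32 with no promotion to worry about. The cast on buf[3] is correct as written, but it leaves an expression that invites the same mistake the next time it is copied. If the open-coded form is kept, a short comment on why only the "<< 24" operand is cast would help.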
[PATCH 3.16 044/129] crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Ard Biesheuvel commit eaf46edf6ea89675bd36245369c8de5063a0272c upstream. The NEON MAC calculation routine fails to handle the case correctly where there is some data in the buffer, and the input fills it up exactly. In this case, we enter the loop at the end with w8 == 0, while a negative value is assumed, and so the loop carries on until the increment of the 32-bit counter wraps around, which is quite obviously wrong. So omit the loop altogether in this case, and exit right away. Reported-by: Eric Biggers Fixes: a3fd82105b9d1 ("arm64/crypto: AES in CCM mode using ARMv8 Crypto ...") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings --- arch/arm64/crypto/aes-ce-ccm-core.S | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/arch/arm64/crypto/aes-ce-ccm-core.S +++ b/arch/arm64/crypto/aes-ce-ccm-core.S @@ -74,12 +74,13 @@ ENTRY(ce_aes_ccm_auth_data) beq 10f ext v0.16b, v0.16b, v0.16b, #1 /* rotate out the mac bytes */ b 7b -8: mov w7, w8 +8: cbz w8, 91f + mov w7, w8 add w8, w8, #16 9: ext v1.16b, v1.16b, v1.16b, #1 addsw7, w7, #1 bne 9b - eor v0.16b, v0.16b, v1.16b +91:eor v0.16b, v0.16b, v1.16b st1 {v0.16b}, [x0] 10:str w8, [x3] ret
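Review bot: The new "cbz w8, 91f" at label 8 and the new label 91 carry no comment, and the invariant they protect (the rotate loop at label 9 assumes w8 is negative on entry) is stated only in the commit message. Please put that in the assembly, for example that w8 == 0 means the input filled the buffer exactly and the rotate loop must be skipped. Without it the next reader sees an unexplained early branch around a loop whose termination depends on the sign of its counter.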
[PATCH 3.16 056/129] jbd2: clear dirty flag when revoking a buffer from an older transaction
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: "zhangyi (F)" commit 904cdbd41d749a476863a0ca41f6f396774f26e4 upstream. Now, we capture a data corruption problem on ext4 while we're truncating an extent index block. Imaging that if we are revoking a buffer which has been journaled by the committing transaction, the buffer's jbddirty flag will not be cleared in jbd2_journal_forget(), so the commit code will set the buffer dirty flag again after refile the buffer. fsx kjournald2 jbd2_journal_commit_transaction jbd2_journal_revokecommit phase 1~5... jbd2_journal_forget belongs to older transactioncommit phase 6 jbddirty not clear __jbd2_journal_refile_buffer __jbd2_journal_unfile_buffer test_clear_buffer_jbddirty mark_buffer_dirty Finally, if the freed extent index block was allocated again as data block by some other files, it may corrupt the file data after writing cached pages later, such as during unmount time. (In general, clean_bdev_aliases() related helpers should be invoked after re-allocation to prevent the above corruption, but unfortunately we missed it when zeroout the head of extra extent blocks in ext4_ext_handle_unwritten_extents()). This patch mark buffer as freed and set j_next_transaction to the new transaction when it already belongs to the committing transaction in jbd2_journal_forget(), so that commit code knows it should clear dirty bits when it is done with the buffer. This problem can be reproduced by xfstests generic/455 easily with seeds (3246 3247 3248 3249). Signed-off-by: zhangyi (F) Signed-off-by: Theodore Ts'o Reviewed-by: Jan Kara Signed-off-by: Ben Hutchings --- fs/jbd2/transaction.c | 17 - 1 file changed, 12 insertions(+), 5 deletions(-) --- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c 
@@ -1479,14 +1479,21 @@ int jbd2_journal_forget (handle_t *handl /* However, if the buffer is still owned by a prior * (committing) transaction, we can't drop it yet... */ JBUFFER_TRACE(jh, "belongs to older transaction"); - /* ... but we CAN drop it from the new transaction if we -* have also modified it since the original commit. */ + /* ... but we CAN drop it from the new transaction through +* marking the buffer as freed and set j_next_transaction to +* the new transaction, so that not only the commit code +* knows it should clear dirty bits when it is done with the +* buffer, but also the buffer can be checkpointed only +* after the new transaction commits. */ - if (jh->b_next_transaction) { - J_ASSERT(jh->b_next_transaction == transaction); + set_buffer_freed(bh); + + if (!jh->b_next_transaction) { spin_lock(>j_list_lock); - jh->b_next_transaction = NULL; + jh->b_next_transaction = transaction; spin_unlock(>j_list_lock); + } else { + J_ASSERT(jh->b_next_transaction == transaction); /* * only drop a reference if this transaction modified
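Review bot: the rewritten comment in jbd2_journal_forget() says "set j_next_transaction to the new transaction", but the field the code assigns is `jh->b_next_transaction`; the comment should use the real field name so it can be grepped. Separately, `set_buffer_freed(bh)` is placed before and outside the `j_list_lock` section that guards the `b_next_transaction` assignment. If the flag is meant to be covered by a different lock already held at this point, a short note saying which one would make the ordering between the flag and the pointer update reviewable from this hunk alone.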
[PATCH 3.16 058/129] ext4: update quota information while swapping boot loader inode
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: yangerkun commit aa507b5faf38784defe49f5e64605ac3c4425e26 upstream. While do swap between two inode, they swap i_data without update quota information. Also, swap_inode_boot_loader can do "revert" somtimes, so update the quota while all operations has been finished. Signed-off-by: yangerkun Signed-off-by: Theodore Ts'o [bwh: Backported to 3.16: - Include - dquot_initialize() does not return an erro - Adjust context] Signed-off-by: Ben Hutchings --- --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include "ext4_jbd2.h" #include "ext4.h" @@ -66,9 +67,6 @@ static void swap_inode_data(struct inode memswap(>i_version, >i_version, sizeof(inode1->i_version)); - memswap(>i_blocks, >i_blocks, - sizeof(inode1->i_blocks)); - memswap(>i_bytes, >i_bytes, sizeof(inode1->i_bytes)); memswap(>i_atime, >i_atime, sizeof(inode1->i_atime)); memswap(>i_mtime, >i_mtime, sizeof(inode1->i_mtime)); @@ -117,6 +115,9 @@ static long swap_inode_boot_loader(struc struct inode *inode_bl; struct ext4_inode_info *ei_bl; struct ext4_sb_info *sbi = EXT4_SB(sb); + qsize_t size, size_bl, diff; + blkcnt_t blocks; + unsigned short bytes; inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL); if (IS_ERR(inode_bl)) @@ -179,6 +180,11 @@ static long swap_inode_boot_loader(struc memset(ei_bl->i_data, 0, sizeof(ei_bl->i_data)); } + dquot_initialize(inode); + + size = (qsize_t)(inode->i_blocks) * (1 << 9) + inode->i_bytes; + size_bl = (qsize_t)(inode_bl->i_blocks) * (1 << 9) + inode_bl->i_bytes; + diff = size - size_bl; swap_inode_data(inode, inode_bl); inode->i_ctime = inode_bl->i_ctime = ext4_current_time(inode); 
@@ -194,24 +200,46 @@ static long swap_inode_boot_loader(struc err = ext4_mark_inode_dirty(handle, inode); if (err < 0) { + /* No need to update quota information. */ ext4_warning(inode->i_sb, "couldn't mark inode #%lu dirty (err %d)", inode->i_ino, err); /* Revert all changes: */ swap_inode_data(inode, inode_bl); ext4_mark_inode_dirty(handle, inode); - } else { - err = ext4_mark_inode_dirty(handle, inode_bl); - if (err < 0) { - ext4_warning(inode_bl->i_sb, - "couldn't mark inode #%lu dirty (err %d)", - inode_bl->i_ino, err); - /* Revert all changes: */ - swap_inode_data(inode, inode_bl); - ext4_mark_inode_dirty(handle, inode); - ext4_mark_inode_dirty(handle, inode_bl); - } + goto err_out1; } + + blocks = inode_bl->i_blocks; + bytes = inode_bl->i_bytes; + inode_bl->i_blocks = inode->i_blocks; + inode_bl->i_bytes = inode->i_bytes; + err = ext4_mark_inode_dirty(handle, inode_bl); + if (err < 0) { + /* No need to update quota information. */ + ext4_warning(inode_bl->i_sb, + "couldn't mark inode #%lu dirty (err %d)", + inode_bl->i_ino, err); + goto revert; + } + + /* Bootloader inode should not be counted into quota information. */ + if (diff > 0) + dquot_free_space(inode, diff); + else + err = dquot_alloc_space(inode, -1 * diff); + + if (err < 0) { +revert: + /* Revert all changes: */ + inode_bl->i_blocks = blocks; + inode_bl->i_bytes = bytes; + swap_inode_data(inode, inode_bl); + ext4_mark_inode_dirty(handle, inode); + ext4_mark_inode_dirty(handle, inode_bl); + } + +err_out1: ext4_journal_stop(handle); ext4_double_up_write_data_sem(inode, inode_bl);
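Review bot: in the hunk that adds `dquot_initialize(inode)` and the `size` / `size_bl` / `diff` computation, the conversion from blocks to bytes is written as the bare literal `(1 << 9)` twice. A named constant or a comment stating that i_blocks is counted in 512-byte units would make the arithmetic checkable. The backport note says dquot_initialize() does not return an error in 3.16, so its outcome is not checked here; a comment at the call saying that this is deliberate for this tree would help the next person comparing it with upstream.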
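Review bot: in the last hunk the `revert:` label sits inside the `if (err < 0) {` block and is reached by `goto revert` from the earlier ext4_mark_inode_dirty(handle, inode_bl) failure, so control jumps into the middle of a conditional body. Moving the revert sequence below the block as a normal error label next to `err_out1:` would read more clearly and avoid a future edit putting a declaration or extra condition in that block. Two smaller points in the same hunk: when `diff` is 0 the else branch still calls `dquot_alloc_space(inode, -1 * diff)` with a zero size, which an explicit `diff < 0` test would avoid, and the two ext4_mark_inode_dirty() calls on the revert path discard their return values, so a failed revert is silent.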
[PATCH 3.16 055/129] bcache: treat stale && dirty keys as bad keys
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Tang Junhui commit 58ac323084ebf44f8470eeb8b82660f9d0ee3689 upstream. Stale && dirty keys can be produced in the following way: After writeback in write_dirty_finish(), dirty keys k1 will be replaced by clean keys k2 ==>ret = bch_btree_insert(dc->disk.c, , NULL, >key); ==>btree_insert_fn(struct btree_op *b_op, struct btree *b) ==>static int bch_btree_insert_node(struct btree *b, struct btree_op *op, struct keylist *insert_keys, atomic_t *journal_ref, Then two steps: A) update k1 to k2 in btree node memory; bch_btree_insert_keys(b, op, insert_keys, replace_key) B) Write the bset(contains k2) to cache disk by a 30s delay work bch_btree_leaf_dirty(b, journal_ref). But before the 30s delay work write the bset to cache device, these things happened: A) GC works, and reclaim the bucket k2 point to; B) Allocator works, and invalidate the bucket k2 point to, and increase the gen of the bucket, and place it into free_inc fifo; C) Until now, the 30s delay work still does not finish work, so in the disk, the key still is k1, it is dirty and stale (its gen is smaller than the gen of the bucket). and then the machine power off suddenly happens; D) When the machine power on again, after the btree reconstruction, the stale dirty key appear. In bch_extent_bad(), when expensive_debug_checks is off, it would treat the dirty key as good even if it is a stale key, and it would cause the problems below: A) In read_dirty() it would cause machine crash: BUG_ON(ptr_stale(dc->disk.c, >key, 0)); B) It could be worse when reads hits stale dirty keys, it would read old incorrect data. This patch tolerates the existence of these stale && dirty keys, and treats them as bad key in bch_extent_bad(). (Coly Li: fix indent which was modified by sender's email client) Signed-off-by: Tang Junhui Signed-off-by: Coly Li Signed-off-by: Jens Axboe [bwh: Backported to 3.16: adjust context] 
Signed-off-by: Ben Hutchings --- drivers/md/bcache/extents.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) --- a/drivers/md/bcache/extents.c +++ b/drivers/md/bcache/extents.c @@ -530,6 +530,7 @@ static bool bch_extent_bad(struct btree_ struct btree *b = container_of(bk, struct btree, keys); struct bucket *g; unsigned i, stale; + char buf[80]; if (!KEY_PTRS(k) || bch_extent_invalid(bk, k)) @@ -539,20 +540,20 @@ static bool bch_extent_bad(struct btree_ if (!ptr_available(b->c, k, i)) return true; - if (!expensive_debug_checks(b->c) && KEY_DIRTY(k)) - return false; - for (i = 0; i < KEY_PTRS(k); i++) { g = PTR_BUCKET(b->c, k, i); stale = ptr_stale(b->c, k, i); + if (stale && KEY_DIRTY(k)) { + bch_extent_to_text(buf, sizeof(buf), k); + pr_info("stale dirty pointer, stale %u, key: %s", + stale, buf); + } + btree_bug_on(stale > 96, b, "key too stale: %i, need_gc %u", stale, b->c->need_gc); - btree_bug_on(stale && KEY_DIRTY(k) && KEY_SIZE(k), -b, "stale dirty pointer"); - if (stale) return true;
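Review bot: the new `pr_info("stale dirty pointer, stale %u, key: %s", stale, buf);` inside the per-pointer loop of bch_extent_bad() has no trailing newline in its format string and is not rate limited. The commit message describes these keys as something that appears after a power loss and btree reconstruction, and this function is called on key lookup paths, so one affected device can emit the line repeatedly for the same key. Suggest adding "\n" and using a rate-limited print. The 80-byte `buf` on the stack is also only needed in the stale-and-dirty branch; declaring it there would keep it off the common path's frame.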
[PATCH 3.16 064/129] iscsi_ibft: Fix missing break in switch statement
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: "Gustavo A. R. Silva" commit df997abeebadaa4824271009e2d2b526a70a11cb upstream. Add missing break statement in order to prevent the code from falling through to case ISCSI_BOOT_TGT_NAME, which is unnecessary. This bug was found thanks to the ongoing efforts to enable -Wimplicit-fallthrough. Fixes: b33a84a38477 ("ibft: convert iscsi_ibft module to iscsi boot lib") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings --- drivers/firmware/iscsi_ibft.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/firmware/iscsi_ibft.c +++ b/drivers/firmware/iscsi_ibft.c @@ -503,6 +503,7 @@ static umode_t __init ibft_check_tgt_for case ISCSI_BOOT_TGT_NIC_ASSOC: case ISCSI_BOOT_TGT_CHAP_TYPE: rc = S_IRUGO; + break; case ISCSI_BOOT_TGT_NAME: if (tgt->tgt_name_len) rc = S_IRUGO;
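Review bot: from the lines shown, falling through from `rc = S_IRUGO;` into `case ISCSI_BOOT_TGT_NAME:` could only assign S_IRUGO to rc a second time when `tgt->tgt_name_len` is set, so the added `break` looks like a no-functional-change cleanup unless something after the TGT_NAME body (outside this hunk) behaves differently. The commit message says the fallthrough "is unnecessary" but also carries a Fixes: tag; it would help stable reviewers if it stated explicitly whether the resulting sysfs mode for ISCSI_BOOT_TGT_NIC_ASSOC and ISCSI_BOOT_TGT_CHAP_TYPE changes or not.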
[PATCH 3.16 067/129] serial: 8250_pci: Fix number of ports for ACCES serial cards
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jay Dolan commit b896b03bc7fce43a07012cc6bf5e2ab2fddf3364 upstream. Have the correct number of ports created for ACCES serial cards. Two port cards show up as four ports, and four port cards show up as eight. Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards") Signed-off-by: Jay Dolan Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/tty/serial/8250/8250_pci.c | 36 +++--- 1 file changed, 18 insertions(+), 18 deletions(-) --- a/drivers/tty/serial/8250/8250_pci.c +++ b/drivers/tty/serial/8250/8250_pci.c @@ -4943,10 +4943,10 @@ static struct pci_device_id serial_pci_t */ { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SDB, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2S, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, PCI_ANY_ID, PCI_ANY_ID, 0, 0, pbn_pericom_PI7C9X7954 }, @@ -4955,10 +4955,10 @@ static struct pci_device_id serial_pci_t pbn_pericom_PI7C9X7954 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_2DB, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_2, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, PCI_ANY_ID, PCI_ANY_ID, 0, 0, pbn_pericom_PI7C9X7954 }, 
@@ -4967,10 +4967,10 @@ static struct pci_device_id serial_pci_t pbn_pericom_PI7C9X7954 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_2SMDB, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_COM_2SM, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, PCI_ANY_ID, PCI_ANY_ID, 0, 0, pbn_pericom_PI7C9X7954 }, @@ -4979,13 +4979,13 @@ static struct pci_device_id serial_pci_t pbn_pericom_PI7C9X7954 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7951 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_2, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_2, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, PCI_ANY_ID, PCI_ANY_ID, 0, 0, pbn_pericom_PI7C9X7954 }, @@ -4994,16 +4994,16 @@ static struct pci_device_id serial_pci_t pbn_pericom_PI7C9X7954 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2S, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, PCI_ANY_ID, PCI_ANY_ID, 0, 0, pbn_pericom_PI7C9X7954 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_2, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_2, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_PI7C9X7952 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, PCI_ANY_ID, PCI_ANY_ID, 0, 0, pbn_pericom_PI7C9X7954 }, 
@@ -5012,13 +5012,13 @@ static struct pci_device_id serial_pci_t pbn_pericom_PI7C9X7954 }, { PCI_VENDOR_ID_ACCESIO, PCI_DEVICE_ID_ACCESIO_PCIE_ICM_2SM, PCI_ANY_ID, PCI_ANY_ID, 0, 0, - pbn_pericom_PI7C9X7954 }, + pbn_pericom_
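Review bot: every changed entry in serial_pci_tbl[] swaps `pbn_pericom_PI7C9X7954` for `pbn_pericom_PI7C9X7952` (or `pbn_pericom_PI7C9X7951` for PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_1), and the diffstat shows only this table being touched. For the 3.16 backport, confirm that the 7951 and 7952 board enum values and their pci_boards[] entries already exist in this tree, since nothing in the patch adds them. The port count is also encoded only by hand against the `_1` / `_2` / `_4` suffix of each device ID; a short comment above the ACCES block stating that mapping would make a wrong entry easier to spot in review.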
[PATCH 3.16 066/129] tpm: Fix off-by-one when reading binary_bios_measurements
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jia Zhang commit 64494d39ff630a63b5308042b20132b491e3706b upstream. It is unable to read the entry when it is the only one in binary_bios_measurements: 00 00 00 00 08 00 00 00 c4 2f ed ad 26 82 00 cb 0010 1d 15 f9 78 41 c3 44 e7 9d ae 33 20 00 00 00 00 0020 This is obviously a firmware problem on my linux machine: Manufacturer: Inspur Product Name: SA5212M4 Version: 01 However, binary_bios_measurements should return it any way, rather than nothing, after all its content is completely valid. Fixes: 55a82ab3181b ("tpm: add bios measurement log") Signed-off-by: Jia Zhang Reviewd-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen [bwh: Backported to 3.16: - Fix an additional comparison in tpm1_bios_measurements_start() - Adjust filename, context] Signed-off-by: Ben Hutchings --- --- a/drivers/char/tpm/tpm_eventlog.c +++ b/drivers/char/tpm/tpm_eventlog.c @@ -81,7 +81,7 @@ static void *tpm_bios_measurements_start for (i = 0; i < *pos; i++) { event = addr; - if ((addr + sizeof(struct tcpa_event)) < limit) { + if ((addr + sizeof(struct tcpa_event)) <= limit) { if (event->event_type == 0 && event->event_size == 0) return NULL; addr += sizeof(struct tcpa_event) + event->event_size; @@ -89,13 +89,13 @@ static void *tpm_bios_measurements_start } /* now check if current entry is valid */ - if ((addr + sizeof(struct tcpa_event)) >= limit) + if ((addr + sizeof(struct tcpa_event)) > limit) return NULL; event = addr; if ((event->event_type == 0 && event->event_size == 0) || - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit)) + ((addr + sizeof(struct tcpa_event) + event->event_size) > limit)) return NULL; return addr; 
@@ -111,7 +111,7 @@ static void *tpm_bios_measurements_next( v += sizeof(struct tcpa_event) + event->event_size; /* now check if current entry is valid */ - if ((v + sizeof(struct tcpa_event)) >= limit) + if ((v + sizeof(struct tcpa_event)) > limit) return NULL; event = v; @@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next( return NULL; if ((event->event_type == 0 && event->event_size == 0) || - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit)) + ((v + sizeof(struct tcpa_event) + event->event_size) > limit)) return NULL; (*pos)++;
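Review bot: the bounds checks in tpm_bios_measurements_start() and tpm_bios_measurements_next() are still written as pointer sums, for example `(addr + sizeof(struct tcpa_event) + event->event_size) > limit`, where `event_size` is read from the firmware-provided log. With a very large event_size that sum can wrap on a 32-bit address space and compare below `limit`, so the entry would be accepted. Since these lines are being touched anyway, consider expressing the check as a comparison of sizes against the remaining length, i.e. compare `event->event_size` with `limit - addr - sizeof(struct tcpa_event)` after the header check has established that the subtraction cannot go negative. The change from `>=` to `>` itself matches the commit message's case of a single entry ending exactly at `limit`.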
[PATCH 3.16 053/129] rtc: pm8xxx: fix unintended sign extension
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit e42280886018c6f77f0a90190f7cba344b0df3e0 upstream. Shifting a u8 by 24 will cause the value to be promoted to an integer. If the top bit of the u8 is set then the following conversion to an unsigned long will sign extend the value causing the upper 32 bits to be set in the result. Fix this by casting the u8 value to an unsigned long before the shift. Detected by CoverityScan, CID#1309693 ("Unintended sign extension") Fixes: 9a9a54ad7aa2 ("drivers/rtc: add support for Qualcomm PMIC8xxx RTC") Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/rtc-pm8xxx.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/rtc/rtc-pm8xxx.c +++ b/drivers/rtc/rtc-pm8xxx.c @@ -175,7 +175,8 @@ static int pm8xxx_rtc_read_time(struct d } } - secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24); + secs = value[0] | (value[1] << 8) | (value[2] << 16) | + ((unsigned long)value[3] << 24); rtc_time_to_tm(secs, tm); @@ -253,7 +254,8 @@ static int pm8xxx_rtc_read_alarm(struct return rc; } - secs = value[0] | (value[1] << 8) | (value[2] << 16) | (value[3] << 24); + secs = value[0] | (value[1] << 8) | (value[2] << 16) | + ((unsigned long)value[3] << 24); rtc_time_to_tm(secs, >time);
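Review bot: the same four-byte assembly, `value[0] | (value[1] << 8) | (value[2] << 16) | ((unsigned long)value[3] << 24)`, is now duplicated in pm8xxx_rtc_read_time() and pm8xxx_rtc_read_alarm() with the cast applied only to the top byte. That is sufficient, because only `value[3] << 24` can set bit 31 of the promoted int, but it is easy to get wrong the next time the expression is copied. A small helper that builds the 32-bit value from the u8 array, or casting to u32 since the register is 32 bits wide, would put the fix in one place.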
[PATCH 3.16 065/129] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jarkko Sakkinen commit 442601e87a4769a8daba4976ec3afa5222ca211d upstream. Return -E2BIG when the transfer is incomplete. The upper layer does not retry, so not doing that is incorrect behaviour. Fixes: a2871c62e186 ("tpm: Add support for Atmel I2C TPMs") Signed-off-by: Jarkko Sakkinen Reviewed-by: Stefan Berger Reviewed-by: Jerry Snitselaar [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/char/tpm/tpm_i2c_atmel.c +++ b/drivers/char/tpm/tpm_i2c_atmel.c @@ -65,7 +65,14 @@ static int i2c_atmel_send(struct tpm_chi dev_dbg(chip->dev, "%s(buf=%*ph len=%0zx) -> sts=%d\n", __func__, (int)min_t(size_t, 64, len), buf, len, status); - return status; + if (status < 0) + return status; + + /* The upper layer does not support incomplete sends. */ + if (status != len) + return -E2BIG; + + return 0; } static int i2c_atmel_recv(struct tpm_chip *chip, u8 *buf, size_t count)
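Review bot: in i2c_atmel_send() the new check `if (status != len)` compares an int (printed with %d in the dev_dbg above) against `len`, which the same dev_dbg treats as size_t. It is safe only because the `status < 0` return comes first; an explicit cast or a comment would make that dependency visible. The function's success value also changes from the byte count in `status` to 0, so for this backport please confirm that the 3.16 caller of the send op treats 0 as success and does not rely on a positive length.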
[PATCH 3.16 061/129] pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Geert Uytterhoeven commit a4b0350047f1b10207e25e72d7cd3f7826e93769 upstream. The entry for "scifb2_data_c" in the SCIFB2 pin group array contains a typo, thus the group cannot be selected. Fixes: 5088451962389924 ("pinctrl: sh-pfc: r8a7791 PFC support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Signed-off-by: Ben Hutchings --- drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c +++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c @@ -4433,7 +4433,7 @@ static const char * const scifb2_groups[ "scifb2_data_b", "scifb2_clk_b", "scifb2_ctrl_b", - "scifb0_data_c", + "scifb2_data_c", "scifb2_clk_c", "scifb2_data_d", };
[PATCH 3.16 069/129] leds: lp55xx: fix null deref on firmware load failure
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Michal Kazior commit 5ddb0869bfc1bca6cfc592c74c64a026f936638c upstream. I've stumbled upon a kernel crash and the logs pointed me towards the lp5562 driver: > <4>[306013.841294] lp5562 0-0030: Direct firmware load for lp5562 failed with > error -2 > <4>[306013.894990] lp5562 0-0030: Falling back to user helper > ... > <3>[306073.924886] lp5562 0-0030: firmware request failed > <1>[306073.939456] Unable to handle kernel NULL pointer dereference at > virtual address > <4>[306074.251011] PC is at _raw_spin_lock+0x1c/0x58 > <4>[306074.255539] LR is at release_firmware+0x6c/0x138 > ... After taking a look I noticed firmware_release() could be called with either NULL or a dangling pointer. Fixes: 10c06d178df11 ("leds-lp55xx: support firmware interface") Signed-off-by: Michal Kazior Signed-off-by: Jacek Anaszewski Signed-off-by: Ben Hutchings --- drivers/leds/leds-lp55xx-common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/leds/leds-lp55xx-common.c +++ b/drivers/leds/leds-lp55xx-common.c @@ -214,7 +214,7 @@ static void lp55xx_firmware_loaded(const if (!fw) { dev_err(dev, "firmware request failed\n"); - goto out; + return; } /* handling firmware data is chip dependent */ @@ -227,9 +227,9 @@ static void lp55xx_firmware_loaded(const mutex_unlock(>lock); -out: /* firmware should be released for other channel use */ release_firmware(chip->fw); + chip->fw = NULL; } static int lp55xx_request_firmware(struct lp55xx_chip *chip)
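Review bot: lp55xx_firmware_loaded() tests the callback argument `fw` for NULL but releases `chip->fw`, and after this change the `!fw` path returns without touching `chip->fw` at all. That is correct only if `chip->fw` can never hold a pointer at that moment, which now depends on the new `chip->fw = NULL;` after release_firmware() having run on every earlier success. Setting `chip->fw = NULL` in the failure branch too, or adding a comment stating the invariant, would make the fix robust against a future path that assigns chip->fw before the check.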
[PATCH 3.16 079/129] irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Doug Berger commit 33517881ede742107f416533b8c3e4abc56763da upstream. Using the irq_gc_lock/irq_gc_unlock functions in the suspend and resume functions creates the opportunity for a deadlock during suspend, resume, and shutdown. Using the irq_gc_lock_irqsave/ irq_gc_unlock_irqrestore variants prevents this possible deadlock. Fixes: 7f646e92766e2 ("irqchip: brcmstb-l2: Add Broadcom Set Top Box Level-2 interrupt controller") Signed-off-by: Doug Berger Signed-off-by: Florian Fainelli [maz: tidied up $SUBJECT] Signed-off-by: Marc Zyngier [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/irqchip/irq-brcmstb-l2.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) --- a/drivers/irqchip/irq-brcmstb-l2.c +++ b/drivers/irqchip/irq-brcmstb-l2.c @@ -82,8 +82,9 @@ static void brcmstb_l2_intc_suspend(stru { struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); struct brcmstb_l2_intc_data *b = gc->private; + unsigned long flags; - irq_gc_lock(gc); + irq_gc_lock_irqsave(gc, flags); /* Save the current mask */ b->saved_mask = __raw_readl(b->base + CPU_MASK_STATUS); 
@@ -92,22 +93,23 @@ static void brcmstb_l2_intc_suspend(stru __raw_writel(~gc->wake_active, b->base + CPU_MASK_SET); __raw_writel(gc->wake_active, b->base + CPU_MASK_CLEAR); } - irq_gc_unlock(gc); + irq_gc_unlock_irqrestore(gc, flags); } static void brcmstb_l2_intc_resume(struct irq_data *d) { struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d); struct brcmstb_l2_intc_data *b = gc->private; + unsigned long flags; - irq_gc_lock(gc); + irq_gc_lock_irqsave(gc, flags); /* Clear unmasked non-wakeup interrupts */ __raw_writel(~b->saved_mask & ~gc->wake_active, b->base + CPU_CLEAR); /* Restore the saved mask */ __raw_writel(b->saved_mask, b->base + CPU_MASK_SET); __raw_writel(~b->saved_mask, b->base + CPU_MASK_CLEAR); - irq_gc_unlock(gc); + irq_gc_unlock_irqrestore(gc, flags); } int __init brcmstb_l2_intc_of_init(struct device_node *np,
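Review bot: brcmstb_l2_intc_suspend() and brcmstb_l2_intc_resume() switch to `irq_gc_lock_irqsave(gc, flags)` / `irq_gc_unlock_irqrestore(gc, flags)` with no comment, and the commit message only says the plain lock "creates the opportunity for a deadlock". A one-line comment in each function saying that it runs in non-interrupt context with interrupts enabled would stop a later cleanup from converting them back. For the 3.16 tree, also confirm that the _irqsave/_irqrestore helpers are present, since this patch does not add them.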
[PATCH 3.16 080/129] powerpc/83xx: Also save/restore SPRG4-7 during suspend
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Christophe Leroy commit 36da5ff0bea2dc67298150ead8d8471575c54c7d upstream. The 83xx has 8 SPRG registers and uses at least SPRG4 for DTLB handling LRU. Fixes: 2319f1239592 ("powerpc/mm: e300c2/c3/c4 TLB errata workaround") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/platforms/83xx/suspend-asm.S | 34 ++- 1 file changed, 27 insertions(+), 7 deletions(-) --- a/arch/powerpc/platforms/83xx/suspend-asm.S +++ b/arch/powerpc/platforms/83xx/suspend-asm.S @@ -26,13 +26,13 @@ #define SS_MSR 0x74 #define SS_SDR10x78 #define SS_LR 0x7c -#define SS_SPRG0x80 /* 4 SPRGs */ -#define SS_DBAT0x90 /* 8 DBATs */ -#define SS_IBAT0xd0 /* 8 IBATs */ -#define SS_TB 0x110 -#define SS_CR 0x118 -#define SS_GPREG 0x11c /* r12-r31 */ -#define STATE_SAVE_SIZE 0x16c +#define SS_SPRG0x80 /* 8 SPRGs */ +#define SS_DBAT0xa0 /* 8 DBATs */ +#define SS_IBAT0xe0 /* 8 IBATs */ +#define SS_TB 0x120 +#define SS_CR 0x128 +#define SS_GPREG 0x12c /* r12-r31 */ +#define STATE_SAVE_SIZE 0x17c .section .data .align 5 @@ -103,6 +103,16 @@ _GLOBAL(mpc83xx_enter_deep_sleep) stw r7, SS_SPRG+12(r3) stw r8, SS_SDR1(r3) + mfspr r4, SPRN_SPRG4 + mfspr r5, SPRN_SPRG5 + mfspr r6, SPRN_SPRG6 + mfspr r7, SPRN_SPRG7 + + stw r4, SS_SPRG+16(r3) + stw r5, SS_SPRG+20(r3) + stw r6, SS_SPRG+24(r3) + stw r7, SS_SPRG+28(r3) + mfspr r4, SPRN_DBAT0U mfspr r5, SPRN_DBAT0L mfspr r6, SPRN_DBAT1U @@ -493,6 +503,16 @@ mpc83xx_deep_resume: mtspr SPRN_IBAT7U, r6 mtspr SPRN_IBAT7L, r7 + lwz r4, SS_SPRG+16(r3) + lwz r5, SS_SPRG+20(r3) + lwz r6, SS_SPRG+24(r3) + lwz r7, SS_SPRG+28(r3) + + mtspr SPRN_SPRG4, r4 + mtspr SPRN_SPRG5, r5 + mtspr SPRN_SPRG6, r6 + mtspr SPRN_SPRG7, r7 + lwz r4, SS_SPRG+0(r3) lwz r5, SS_SPRG+4(r3) lwz r6, SS_SPRG+8(r3)
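Review bot: the save-area offsets in the first hunk are all shifted by hand (SS_DBAT 0x90 to 0xa0, SS_IBAT 0xd0 to 0xe0, SS_TB, SS_CR, SS_GPREG, and STATE_SAVE_SIZE 0x16c to 0x17c). The new values are consistent with eight 4-byte SPRGs starting at 0x80, but nothing enforces that. Defining each offset in terms of the previous one plus its size (for example SS_DBAT as SS_SPRG + 8*4) would make the next layout change a one-line edit. In the save hunk it is also worth a comment that r4-r7 are reused as scratch for SPRG4-7 after the preceding stores to SS_SPRG+0..12, since the register reuse is what makes the insertion point order-sensitive.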
[PATCH 3.16 085/129] powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: "Aneesh Kumar K.V" commit 3b4d07d2674f6b4a9281031f99d1f7efd325b16d upstream. When doing top-down search the low_limit is not PAGE_SIZE but rather max(PAGE_SIZE, mmap_min_addr). This handle cases in which mmap_min_addr > PAGE_SIZE. Fixes: fba2369e6ceb ("mm: use vm_unmapped_area() on powerpc architecture") Reviewed-by: Laurent Dufour Signed-off-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- arch/powerpc/mm/slice.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) --- a/arch/powerpc/mm/slice.c +++ b/arch/powerpc/mm/slice.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -313,6 +314,7 @@ static unsigned long slice_find_area_top int pshift = max_t(int, mmu_psize_defs[psize].shift, PAGE_SHIFT); unsigned long addr, found, prev; struct vm_unmapped_area_info info; + unsigned long min_addr = max(PAGE_SIZE, mmap_min_addr); info.flags = VM_UNMAPPED_AREA_TOPDOWN; info.length = len; @@ -320,7 +322,7 @@ static unsigned long slice_find_area_top info.align_offset = 0; addr = mm->mmap_base; - while (addr > PAGE_SIZE) { + while (addr > min_addr) { info.high_limit = addr; if (!slice_scan_available(addr - 1, available, 0, )) continue; @@ -332,8 +334,8 @@ static unsigned long slice_find_area_top * Check if we need to reduce the range, or if we can * extend it to cover the previous available slice. */ - if (addr < PAGE_SIZE) - addr = PAGE_SIZE; + if (addr < min_addr) + addr = min_addr; else if (slice_scan_available(addr - 1, available, 0, )) { addr = prev; goto prev_slice; 
@@ -415,7 +417,7 @@ unsigned long slice_get_unmapped_area(un addr = _ALIGN_UP(addr, 1ul << pshift); slice_dbg(" aligned addr=%lx\n", addr); /* Ignore hint if it's too large or overlaps a VMA */ - if (addr > mm->task_size - len || + if (addr > mm->task_size - len || addr < mmap_min_addr || !slice_area_is_free(mm, addr, len)) addr = 0; }
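Review bot: the hint check added in slice_get_unmapped_area(), `addr < mmap_min_addr`, uses the raw sysctl value, while slice_find_area_topdown() uses `min_addr = max(PAGE_SIZE, mmap_min_addr)`. When mmap_min_addr is below PAGE_SIZE the two floors differ, so a hint can pass the first test at an address the top-down search itself would never return. Using the same max() expression in both places, ideally through one small helper, keeps the policy in one spot. The visible hunks also only change the top-down search; if the bottom-up path in this file has its own low limit, it should be checked against the same floor.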
[PATCH 3.16 081/129] powerpc/wii: properly disable use of BATs when requested.
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Christophe Leroy commit 6d183ca8baec983dc4208ca45ece3c36763df912 upstream. 'nobats' kernel parameter or some options like CONFIG_DEBUG_PAGEALLOC deny the use of BATS for mapping memory. This patch makes sure that the specific wii RAM mapping function takes it into account as well. Fixes: de32400dd26e ("wii: use both mem1 and mem2 as ram") Reviewed-by: Jonathan Neuschafer Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/platforms/embedded6xx/wii.c | 4 1 file changed, 4 insertions(+) --- a/arch/powerpc/platforms/embedded6xx/wii.c +++ b/arch/powerpc/platforms/embedded6xx/wii.c @@ -104,6 +104,10 @@ unsigned long __init wii_mmu_mapin_mem2( /* MEM2 64MB@0x1000 */ delta = wii_hole_start + wii_hole_size; size = top - delta; + + if (__map_without_bats) + return delta; + for (bl = 128<<10; bl < max_size; bl <<= 1) { if (bl * 2 > size) break;
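Review bot: the new early exit `if (__map_without_bats) return delta;` in wii_mmu_mapin_mem2() is placed after `size = top - delta;` has been computed and has no comment explaining what returning `delta` means to the caller. A short comment (that `delta`, the end of the hole, tells the caller nothing in MEM2 was mapped with BATs) would help, and moving the check above the `size` assignment would avoid computing a value the early-return path never uses.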
[PATCH 3.16 071/129] ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: "S.j. Wang" commit cc29ea007347f39f4c5a4d27b0b555955a0277f9 upstream. The ESAI_xCR_xWA is xCR's bit, not the xCCR's bit, driver set it to wrong register, correct it. Fixes 43d24e76b698 ("ASoC: fsl_esai: Add ESAI CPU DAI driver") Signed-off-by: Shengjiu Wang Reviewed-by: Fabio Estevam Ackedy-by: Nicolin Chen Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings --- sound/soc/fsl/fsl_esai.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/sound/soc/fsl/fsl_esai.c +++ b/sound/soc/fsl/fsl_esai.c @@ -392,7 +392,8 @@ static int fsl_esai_set_dai_fmt(struct s break; case SND_SOC_DAIFMT_RIGHT_J: /* Data on rising edge of bclk, frame high, right aligned */ - xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCR_xWA; + xccr |= ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP; + xcr |= ESAI_xCR_xWA; break; case SND_SOC_DAIFMT_DSP_A: /* Data on rising edge of bclk, frame high, 1clk before data */ @@ -449,12 +450,12 @@ static int fsl_esai_set_dai_fmt(struct s return -EINVAL; } - mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR; + mask = ESAI_xCR_xFSL | ESAI_xCR_xFSR | ESAI_xCR_xWA; regmap_update_bits(esai_priv->regmap, REG_ESAI_TCR, mask, xcr); regmap_update_bits(esai_priv->regmap, REG_ESAI_RCR, mask, xcr); mask = ESAI_xCCR_xCKP | ESAI_xCCR_xHCKP | ESAI_xCCR_xFSP | - ESAI_xCCR_xFSD | ESAI_xCCR_xCKD | ESAI_xCR_xWA; + ESAI_xCCR_xFSD | ESAI_xCCR_xCKD; regmap_update_bits(esai_priv->regmap, REG_ESAI_TCCR, mask, xccr); regmap_update_bits(esai_priv->regmap, REG_ESAI_RCCR, mask, xccr);
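Review bot: adding `ESAI_xCR_xWA` to the mask used for REG_ESAI_TCR and REG_ESAI_RCR means regmap_update_bits() will now clear that bit for every format other than SND_SOC_DAIFMT_RIGHT_J, where before it was left untouched in xCR. That is presumably the intent, but if any other path in the driver sets xWA in TCR/RCR (for example when configuring slot width), calling fsl_esai_set_dai_fmt() afterwards will now undo it. Worth a sentence in the commit message or a comment at the mask confirming that set_dai_fmt() is the only owner of this bit.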
[PATCH 3.16 009/129] clk: vf610: fix refcount leak in vf610_clocks_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit 567177024e0313e4f0dcba7ba10c0732e50e655d upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: 1f2c5fd5f048 ("ARM: imx: add VF610 clock support") Signed-off-by: Stephen Boyd [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- arch/arm/mach-imx/clk-vf610.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/arm/mach-imx/clk-vf610.c +++ b/arch/arm/mach-imx/clk-vf610.c @@ -117,6 +117,7 @@ static void __init vf610_clocks_init(str np = of_find_compatible_node(NULL, NULL, "fsl,vf610-anatop"); anatop_base = of_iomap(np, 0); BUG_ON(!anatop_base); + of_node_put(np); np = ccm_node; ccm_base = of_iomap(np, 0);
[PATCH 3.16 068/129] serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jay Dolan commit 78d3820b9bd39028727c6aab7297b63c093db343 upstream. The four port Pericom chips have the fourth port at the wrong address. Make use of quirk to fix it. Fixes: c8d192428f52 ("serial: 8250: added acces i/o products quad and octal serial cards") Signed-off-by: Jay Dolan Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/tty/serial/8250/8250_pci.c | 105 + 1 file changed, 105 insertions(+) --- a/drivers/tty/serial/8250/8250_pci.c +++ b/drivers/tty/serial/8250/8250_pci.c 
@@ -2183,6 +2183,111 @@ static struct pci_serial_quirk pci_seria .setup = pci_default_setup, .exit = pci_plx9050_exit, }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SDB, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4S, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4DB, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM232_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SMDB, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_MPCIE_COM_4SM, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM422_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM485_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM232_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_MPCIE_ICM232_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM422_4, + 
.subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM485_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM232_4, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_COM_4SM, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, + { + .vendor = PCI_VENDOR_ID_ACCESIO, + .device = PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4SM, + .subvendor = PCI_ANY_ID, + .subdevice = PCI_ANY_ID, + .setup = pci_pericom_setup, + }, /* * SBS Te
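Review bot: The ninth added entry sets .vendor to PCI_DEVICE_ID_ACCESIO_PCIE_ICM_4S, a device ID macro, where every other added entry uses PCI_VENDOR_ID_ACCESIO. As written, the quirk compares the vendor field against a device ID, so this entry will not match the way its neighbours do. In the visible part of the hunk PCIE_ICM_4S never appears as a .device either. This looks like a copy/paste slip: suggest .vendor = PCI_VENDOR_ID_ACCESIO here, with PCIE_ICM_4S and PCIE_ICM232_4 each getting their own .device entry. With 15 near-identical initializers, a helper macro that takes only the device ID would make this kind of slip much harder to introduce.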
[PATCH 3.16 076/129] ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 2757970f6d0d0a112247600b23d38c0c728ceeb3 upstream. The node obtained from of_find_node_by_path() has to be unreferenced after the use, but we forgot it for the root node. Fixes: f0fba2ad1b6b ("ASoC: multi-component - ASoC Multi-Component Support") Cc: Timur Tabi Cc: Nicolin Chen Cc: Xiubo Li Cc: Fabio Estevam Signed-off-by: Takashi Iwai Acked-by: Nicolin Chen Signed-off-by: Mark Brown [bwh: Backported to 3.16: - Move declaration of root to the top of the function as there is no suitable block scope - Adjust context] Signed-off-by: Ben Hutchings --- --- a/sound/soc/fsl/fsl_ssi.c +++ b/sound/soc/fsl/fsl_ssi.c @@ -1229,6 +1229,7 @@ static int fsl_ssi_probe(struct platform struct fsl_ssi_private *ssi_private; int ret = 0; struct device_node *np = pdev->dev.of_node; + struct device_node *root; const struct of_device_id *of_id; const char *p, *sprop; const uint32_t *iprop; @@ -1373,7 +1374,9 @@ static int fsl_ssi_probe(struct platform * device tree. We also pass the address of the CPU DAI driver * structure. */ - sprop = of_get_property(of_find_node_by_path("/"), "compatible", NULL); + root = of_find_node_by_path("/"); + sprop = of_get_property(root, "compatible", NULL); + of_node_put(root); /* Sometimes the compatible name has a "fsl," prefix, so we strip it. */ p = strrchr(sprop, ','); if (p)
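Review bot: In the second hunk, sprop still points into the root node's property data when strrchr(sprop, ',') runs, but of_node_put(root) has already dropped the reference. Either move the of_node_put(root) below the last use of sprop and p, or add a one-line comment stating why the property data stays valid after the put. The visible context also passes sprop to strrchr() without a NULL check, so a root node without "compatible" would be dereferenced here; that predates this change but sits right next to the new lines.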
[PATCH 3.16 074/129] perf header: Fix wrong node write in NUMA_TOPOLOGY feature
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jiri Olsa commit b00ccb27f97367d89e2d7b419ed198b0985be55d upstream. We are currently passing the node index instead of the real node number. Signed-off-by: Jiri Olsa Acked-by: Namhyung Kim Cc: Alexander Shishkin Cc: Peter Zijlstra Fixes: fbe96f29ce4b ("perf tools: Make perf.data more self-descriptive (v8)" Link: http://lkml.kernel.org/r/20190219095815.15931-2-jo...@kernel.org Signed-off-by: Arnaldo Carvalho de Melo [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- tools/perf/util/header.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/perf/util/header.c +++ b/tools/perf/util/header.c @@ -1009,7 +1009,7 @@ static int write_numa_topology(int fd, s if (ret < 0) break; - ret = write_topo_node(fd, i); + ret = write_topo_node(fd, j); if (ret < 0) break; }
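Review bot: The fix swaps one single-letter loop variable for another in write_topo_node(fd, j), and nothing in the hunk tells a reader which of i and j is the array index and which is the real node number. Since confusing the two is exactly the bug being fixed, a descriptive name for the node number (or a short comment at the call) would keep it from coming back.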
[PATCH 3.16 060/129] parport_pc: fix find_superio io compare code, should use equal test.
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: QiaoChong commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream. In the original code before 181bf1e815a2 the loop was continuing until it finds the first matching superios[i].io and p->base. But after 181bf1e815a2 the logic changed and the loop now returns the pointer to the first mismatched array element which is then used in get_superio_dma() and get_superio_irq() and thus returning the wrong value. Fix the condition so that it now returns the correct pointer. Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for") Cc: Alan Cox Signed-off-by: QiaoChong [rewrite the commit message] Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/parport/parport_pc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/parport/parport_pc.c +++ b/drivers/parport/parport_pc.c @@ -1377,7 +1377,7 @@ static struct superio_struct *find_super { int i; for (i = 0; i < NR_SUPERIOS; i++) - if (superios[i].io != p->base) + if (superios[i].io == p->base) return [i]; return NULL; }
[PATCH 3.16 072/129] cdc-wdm: pass return value of recover_from_urb_loss
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: YueHaibing commit 0742a338f5b3446a26de551ad8273fb41b2787f2 upstream. 'rv' is the correct return value, pass it upstream instead of 0 Fixes: 17d80d562fd7 ("USB: autosuspend for cdc-wdm") Signed-off-by: YueHaibing Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/usb/class/cdc-wdm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -1089,7 +1089,7 @@ static int wdm_post_reset(struct usb_int rv = recover_from_urb_loss(desc); mutex_unlock(>wlock); mutex_unlock(>rlock); - return 0; + return rv; } static struct usb_driver wdm_driver = {
[PATCH 3.16 078/129] fs/nfs: Fix nfs_parse_devname to not modify it's argument
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: "Eric W. Biederman" commit 40cc394be1aa18848b8757e03bd8ed23281f572e upstream. In the rare and unsupported case of a hostname list nfs_parse_devname will modify dev_name. There is no need to modify dev_name as all that is being computed is the length of the hostname, so the computed length can just be shortened. Fixes: dc04589827f7 ("NFS: Use common device name parsing logic for NFSv4 and NFSv2/v3") Signed-off-by: "Eric W. Biederman" Signed-off-by: Trond Myklebust Signed-off-by: Ben Hutchings --- fs/nfs/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/nfs/super.c +++ b/fs/nfs/super.c @@ -1893,7 +1893,7 @@ static int nfs_parse_devname(const char /* kill possible hostname list: not supported */ comma = strchr(dev_name, ','); if (comma != NULL && comma < end) - *comma = 0; + len = comma - dev_name; } if (len > maxnamlen)
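Review bot: The context comment "kill possible hostname list: not supported" above the changed line no longer matches the code, because nothing in dev_name is overwritten any more and only len is reduced. Suggest updating it to say that the hostname length is truncated at the first comma. It is also worth confirming that everything after this block consumes the hostname through len and never relies on dev_name being NUL-terminated at the comma, since that terminator is gone.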
[PATCH 3.16 090/129] powerpc/powernv: Make opal log only readable by root
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jordan Niethe commit 7b62f9bd2246b7d3d086e571397c14ba52645ef1 upstream. Currently the opal log is globally readable. It is kernel policy to limit the visibility of physical addresses / kernel pointers to root. Given this and the fact the opal log may contain this information it would be better to limit the readability to root. Fixes: bfc36894a48b ("powerpc/powernv: Add OPAL message log interface") Signed-off-by: Jordan Niethe Reviewed-by: Stewart Smith Reviewed-by: Andrew Donnellan Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/platforms/powernv/opal-msglog.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/powerpc/platforms/powernv/opal-msglog.c +++ b/arch/powerpc/platforms/powernv/opal-msglog.c @@ -92,7 +92,7 @@ out: } static struct bin_attribute opal_msglog_attr = { - .attr = {.name = "msglog", .mode = 0444}, + .attr = {.name = "msglog", .mode = 0400}, .read = opal_msglog_read };
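Review bot: The new .mode = 0400 in opal_msglog_attr carries no comment, so the reason for the restriction lives only in the changelog. A short comment beside the attribute saying that the log may expose physical addresses or kernel pointers and must stay root-only would stop a later cleanup from relaxing it back to 0444.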
[PATCH 3.16 095/129] powerpc/32: Clear on-stack exception marker upon exception return
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Christophe Leroy commit 9580b71b5a7863c24a9bd18bcd2ad759b86b1eff upstream. Clear the on-stack STACK_FRAME_REGS_MARKER on exception exit in order to avoid confusing stacktrace like the one below. Call Trace: [c0e9dca0] [c01c42a0] print_address_description+0x64/0x2bc (unreliable) [c0e9dcd0] [c01c4684] kasan_report+0xfc/0x180 [c0e9dd10] [c0895130] memchr+0x24/0x74 [c0e9dd30] [c00a9e38] msg_print_text+0x124/0x574 [c0e9dde0] [c00ab710] console_unlock+0x114/0x4f8 [c0e9de40] [c00adc60] vprintk_emit+0x188/0x1c4 --- interrupt: c0e9df00 at 0x400f330 LR = init_stack+0x1f00/0x2000 [c0e9de80] [c00ae3c4] printk+0xa8/0xcc (unreliable) [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108 [c0e9df50] [c0c15434] start_kernel+0x310/0x488 [c0e9dff0] [3484] 0x3484 With this patch the trace becomes: Call Trace: [c0e9dca0] [c01c42c0] print_address_description+0x64/0x2bc (unreliable) [c0e9dcd0] [c01c46a4] kasan_report+0xfc/0x180 [c0e9dd10] [c0895150] memchr+0x24/0x74 [c0e9dd30] [c00a9e58] msg_print_text+0x124/0x574 [c0e9dde0] [c00ab730] console_unlock+0x114/0x4f8 [c0e9de40] [c00adc80] vprintk_emit+0x188/0x1c4 [c0e9de80] [c00ae3e4] printk+0xa8/0xcc [c0e9df20] [c0c27e44] early_irq_init+0x38/0x108 [c0e9df50] [c0c15434] start_kernel+0x310/0x488 [c0e9dff0] [3484] 0x3484 Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/kernel/entry_32.S | 9 + 1 file changed, 9 insertions(+) --- a/arch/powerpc/kernel/entry_32.S +++ b/arch/powerpc/kernel/entry_32.S @@ -757,6 +757,9 @@ fast_exception_return: mtcrr10 lwz r10,_LINK(r11) mtlrr10 + /* Clear the exception_marker on the stack to avoid confusing stacktrace */ + li r10, 0 + stw r10, 8(r11) REST_GPR(10, r11) mtspr SPRN_SRR1,r9 mtspr SPRN_SRR0,r12 
@@ -987,6 +990,9 @@ END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRE mtcrf 0xFF,r10 mtlrr11 + /* Clear the exception_marker on the stack to avoid confusing stacktrace */ + li r10, 0 + stw r10, 8(r1) /* * Once we put values in SRR0 and SRR1, we are in a state * where exceptions are not recoverable, since taking an @@ -1024,6 +1030,9 @@ exc_exit_restart_end: mtlrr11 lwz r10,_CCR(r1) mtcrf 0xff,r10 + /* Clear the exception_marker on the stack to avoid confusing stacktrace */ + li r10, 0 + stw r10, 8(r1) REST_2GPRS(9, r1) .globl exc_exit_restart exc_exit_restart:
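Review bot: All three hunks store to a hard-coded offset, 8(r11) in fast_exception_return and 8(r1) in the two later sites, so the location of the marker is a magic number repeated three times. Suggest a symbolic offset shared with the code that writes the marker, so the two cannot drift apart. In the first and third hunks the scratch use of r10 is followed by REST_GPR(10, r11) and REST_2GPRS(9, r1), which reload it; in the second hunk (after mtcrf 0xFF,r10) the visible context does not show r10 being restored, so please confirm it is dead or reloaded before the return.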
[PATCH 3.16 077/129] KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Sean Christopherson commit ddfd1730fd829743e41213e32ccc8b4aa6dc8325 upstream. When installing new memslots, KVM sets bit 0 of the generation number to indicate that an update is in-progress. Until the update is complete, there are no guarantees as to whether a vCPU will see the old or the new memslots. Explicitly prevent caching MMIO accesses so as to avoid using an access cached from the old memslots after the new memslots have been installed. Note that it is unclear whether or not disabling caching during the update window is strictly necessary as there is no definitive documentation as to what ordering guarantees KVM provides with respect to updating memslots. That being said, the MMIO spte code does not allow reusing sptes created while an update is in-progress, and the associated documentation explicitly states: We do not want to use an MMIO sptes created with an odd generation number, ... If KVM is unlucky and creates an MMIO spte while the low bit is 1, the next access to the spte will always be a cache miss. At the very least, disabling the per-vCPU MMIO cache during updates will make its behavior consistent with the MMIO spte behavior and documentation. Fixes: 56f17dd3fbc4 ("kvm: x86: fix stale mmio cache bug") Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini [ Signed-off-by: Ben Hutchings --- arch/x86/kvm/x86.h | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h 
@@ -75,10 +75,15 @@ static inline u32 bit(int bitno) static inline void vcpu_cache_mmio_info(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn, unsigned access) { + u64 gen = kvm_memslots(vcpu->kvm)->generation; + + if (unlikely(gen & 1)) + return; + vcpu->arch.mmio_gva = gva & PAGE_MASK; vcpu->arch.access = access; vcpu->arch.mmio_gfn = gfn; - vcpu->arch.mmio_gen = kvm_memslots(vcpu->kvm)->generation; + vcpu->arch.mmio_gen = gen; } static inline bool vcpu_match_mmio_gen(struct kvm_vcpu *vcpu)
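Review bot: The early return on gen & 1 in vcpu_cache_mmio_info() leaves the previously cached mmio_gva, access, mmio_gfn and mmio_gen untouched, so a stale entry from before the update window stays in place. That is only safe if the generation comparison in vcpu_match_mmio_gen() rejects it once the update completes; a comment stating that dependency would make the invariant explicit. The bare "& 1" also deserves a named constant or a comment saying that bit 0 marks an in-progress memslot update, since the meaning is currently documented only in the changelog.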
[PATCH 3.16 088/129] serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Lubomir Rintel commit f4817843e39ce78aace0195a57d4e8500a65a898 upstream. There are two other drivers that bind to mrvl,mmp-uart and both of them assume register shift of 2 bits. There are device trees that lack the property and rely on that assumption. If this driver wins the race to bind to those devices, it should behave the same as the older deprecated driver. Signed-off-by: Lubomir Rintel Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/tty/serial/of_serial.c | 4 1 file changed, 4 insertions(+) --- a/drivers/tty/serial/of_serial.c +++ b/drivers/tty/serial/of_serial.c @@ -93,6 +93,10 @@ static int of_platform_serial_setup(stru if (of_property_read_u32(np, "reg-offset", ) == 0) port->mapbase += prop; + /* Compatibility with the deprecated pxa driver and 8250_pxa drivers. */ + if (of_device_is_compatible(np, "mrvl,mmp-uart")) + port->regshift = 2; + /* Check for registers offset within the devices address range */ if (of_property_read_u32(np, "reg-shift", ) == 0) port->regshift = prop;
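Review bot: The new default port->regshift = 2 for "mrvl,mmp-uart" is only correct because it sits above the "reg-shift" property read, which overrides it when the property is present. That ordering dependency is not stated anywhere in the hunk. Suggest extending the added comment to say that this is a fallback and an explicit reg-shift still wins, so nobody reorders the two blocks later. The comment text "the deprecated pxa driver and 8250_pxa drivers" is also hard to parse; naming the two drivers separately would read better.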
[PATCH 3.16 094/129] 9p: use inode->i_lock to protect i_size_write() under 32-bit
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Hou Tao commit 5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f upstream. Use inode->i_lock to protect i_size_write(), else i_size_read() in generic_fillattr() may loop infinitely in read_seqcount_begin() when multiple processes invoke v9fs_vfs_getattr() or v9fs_vfs_getattr_dotl() simultaneously under 32-bit SMP environment, and a soft lockup will be triggered as show below: watchdog: BUG: soft lockup - CPU#5 stuck for 22s! [stat:2217] Modules linked in: CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-5-g7f702faf5a9e #4 Hardware name: Generic DT based system PC is at generic_fillattr+0x104/0x108 LR is at 0xec497f00 pc : [<802b8898>]lr : []psr: 200c0013 sp : ec497e20 ip : ed608030 fp : ec497e3c r10: r9 : ec497f00 r8 : ed608030 r7 : ec497ebc r6 : ec497f00 r5 : ee5c1550 r4 : ee005780 r3 : 052d r2 : r1 : ec497f00 r0 : ed608030 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: ac48006a DAC: 0051 CPU: 5 PID: 2217 Comm: stat Not tainted 5.0.0-rc1-5-g7f702faf5a9e #4 Hardware name: Generic DT based system Backtrace: [<8010d974>] (dump_backtrace) from [<8010dc88>] (show_stack+0x20/0x24) [<8010dc68>] (show_stack) from [<80a1d194>] (dump_stack+0xb0/0xdc) [<80a1d0e4>] (dump_stack) from [<80109f34>] (show_regs+0x1c/0x20) [<80109f18>] (show_regs) from [<801d0a80>] (watchdog_timer_fn+0x280/0x2f8) [<801d0800>] (watchdog_timer_fn) from [<80198658>] (__hrtimer_run_queues+0x18c/0x380) [<801984cc>] (__hrtimer_run_queues) from [<80198e60>] (hrtimer_run_queues+0xb8/0xf0) [<80198da8>] (hrtimer_run_queues) from [<801973e8>] (run_local_timers+0x28/0x64) [<801973c0>] (run_local_timers) from [<80197460>] (update_process_times+0x3c/0x6c) [<80197424>] (update_process_times) from [<801ab2b8>] (tick_nohz_handler+0xe0/0x1bc) [<801ab1d8>] (tick_nohz_handler) from [<80843050>] (arch_timer_handler_virt+0x38/0x48) [<80843018>] (arch_timer_handler_virt) from [<80180a64>] (handle_percpu_devid_irq+0x8c/0x240) [<801809d8>] (handle_percpu_devid_irq) from [<8017ac20>] 
(generic_handle_irq+0x34/0x44) [<8017abec>] (generic_handle_irq) from [<8017b344>] (__handle_domain_irq+0x6c/0xc4) [<8017b2d8>] (__handle_domain_irq) from [<801022e0>] (gic_handle_irq+0x4c/0x88) [<80102294>] (gic_handle_irq) from [<80101a30>] (__irq_svc+0x70/0x98) [<802b8794>] (generic_fillattr) from [<8056b284>] (v9fs_vfs_getattr_dotl+0x74/0xa4) [<8056b210>] (v9fs_vfs_getattr_dotl) from [<802b8904>] (vfs_getattr_nosec+0x68/0x7c) [<802b889c>] (vfs_getattr_nosec) from [<802b895c>] (vfs_getattr+0x44/0x48) [<802b8918>] (vfs_getattr) from [<802b8a74>] (vfs_statx+0x9c/0xec) [<802b89d8>] (vfs_statx) from [<802b9428>] (sys_lstat64+0x48/0x78) [<802b93e0>] (sys_lstat64) from [<80101000>] (ret_fast_syscall+0x0/0x28) [dominique.marti...@cea.fr: updated comment to not refer to a function in another subsystem] Link: http://lkml.kernel.org/r/20190124063514.8571-2-hout...@huawei.com Fixes: 7549ae3e81cc ("9p: Use the i_size_[read, write]() macros instead of using inode->i_size directly.") Reported-by: Xing Gaopeng Signed-off-by: Hou Tao Signed-off-by: Dominique Martinet [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- fs/9p/v9fs_vfs.h | 23 +-- fs/9p/vfs_file.c | 6 +- fs/9p/vfs_inode.c | 23 +++ fs/9p/vfs_inode_dotl.c | 27 ++- fs/9p/vfs_super.c | 4 ++-- 5 files changed, 53 insertions(+), 30 deletions(-) --- a/fs/9p/v9fs_vfs.h +++ b/fs/9p/v9fs_vfs.h @@ -40,6 +40,9 @@ */ #define P9_LOCK_TIMEOUT (30*HZ) +/* flags for v9fs_stat2inode() & v9fs_stat2inode_dotl() */ +#define V9FS_STAT2INODE_KEEP_ISIZE 1 + extern struct file_system_type v9fs_fs_type; extern const struct address_space_operations v9fs_addr_operations; extern const struct file_operations v9fs_file_operations; 
@@ -61,8 +64,10 @@ int v9fs_init_inode(struct v9fs_session_ struct inode *inode, umode_t mode, dev_t); void v9fs_evict_inode(struct inode *inode); ino_t v9fs_qid2ino(struct p9_qid *qid); -void v9fs_stat2inode(struct p9_wstat *, struct inode *, struct super_block *); -void v9fs_stat2inode_dotl(struct p9_stat_dotl *, struct inode *); +void v9fs_stat2inode(struct p9_wstat *stat, struct inode *inode, + struct super_block *sb, unsigned int flags); +void v9fs_stat2inode_dotl(struct p9_stat_dotl *stat, struct inode *inode, + unsigned int flags); int v9fs_dir_release(struct inode *inod
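Review bot: V9FS_STAT2INODE_KEEP_ISIZE is introduced in v9fs_vfs.h with a comment that says which functions take it but not what it does. Since the new parameter is an unsigned int flags bitmask on both v9fs_stat2inode() and v9fs_stat2inode_dotl(), please document the semantics (the inode's i_size is left unchanged when the flag is set) at the definition, and consider writing the value as a bit shift so further flags can be added without ambiguity. The rest of the patch is cut off on this page, so the call sites that take inode->i_lock cannot be reviewed here.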
[PATCH 3.16 102/129] mm: fix potential data race in SyS_swapon
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Hugh Dickins commit 6f179af88f60b32c2855e7f3e16ea8e336a7043f upstream. While running KernelThreadSanitizer (ktsan) on upstream kernel with trinity, we got a few reports from SyS_swapon, here is one of them: Read of size 8 by thread T307 (K7621): [< inlined>] SyS_swapon+0x3c0/0x1850 SYSC_swapon mm/swapfile.c:2395 [] SyS_swapon+0x3c0/0x1850 mm/swapfile.c:2345 [] ia32_do_call+0x1b/0x25 Looks like the swap_lock should be taken when iterating through the swap_info array on lines 2392 - 2401: q->swap_file may be reset to NULL by another thread before it is dereferenced for f_mapping. But why is that iteration needed at all? Doesn't the claim_swapfile() which follows do all that is needed to check for a duplicate entry - FMODE_EXCL on a bdev, testing IS_SWAPFILE under i_mutex on a regfile? Well, not quite: bd_may_claim() allows the same "holder" to claim the bdev again, so we do need to use a different holder than "sys_swapon"; and we should not replace appropriate -EBUSY by inappropriate -EINVAL. Index i was reused in a cpu loop further down: renamed cpu there. Reported-by: Andrey Konovalov Signed-off-by: Hugh Dickins Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- mm/swapfile.c | 25 +++-- 1 file changed, 7 insertions(+), 18 deletions(-) --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -2144,11 +2144,10 @@ static int claim_swapfile(struct swap_in if (S_ISBLK(inode->i_mode)) { p->bdev = bdgrab(I_BDEV(inode)); error = blkdev_get(p->bdev, - FMODE_READ | FMODE_WRITE | FMODE_EXCL, - sys_swapon); + FMODE_READ | FMODE_WRITE | FMODE_EXCL, p); if (error < 0) { p->bdev = NULL; - return -EINVAL; + return error; } p->old_block_size = block_size(p->bdev); error = set_blocksize(p->bdev, PAGE_SIZE); 
@@ -2365,7 +2364,6 @@ SYSCALL_DEFINE2(swapon, const char __use struct filename *name; struct file *swap_file = NULL; struct address_space *mapping; - int i; int prio; int error; union swap_header *swap_header; @@ -2405,19 +2403,8 @@ SYSCALL_DEFINE2(swapon, const char __use p->swap_file = swap_file; mapping = swap_file->f_mapping; - - for (i = 0; i < nr_swapfiles; i++) { - struct swap_info_struct *q = swap_info[i]; - - if (q == p || !q->swap_file) - continue; - if (mapping == q->swap_file->f_mapping) { - error = -EBUSY; - goto bad_swap; - } - } - inode = mapping->host; + /* If S_ISREG(inode->i_mode) will do mutex_lock(>i_mutex); */ error = claim_swapfile(p, inode); if (unlikely(error)) @@ -2450,6 +2437,8 @@ SYSCALL_DEFINE2(swapon, const char __use goto bad_swap; } if (p->bdev && blk_queue_nonrot(bdev_get_queue(p->bdev))) { + int cpu; + p->flags |= SWP_SOLIDSTATE; /* * select a random position to start with to help wear leveling @@ -2468,9 +2457,9 @@ SYSCALL_DEFINE2(swapon, const char __use error = -ENOMEM; goto bad_swap; } - for_each_possible_cpu(i) { + for_each_possible_cpu(cpu) { struct percpu_cluster *cluster; - cluster = per_cpu_ptr(p->percpu_cluster, i); + cluster = per_cpu_ptr(p->percpu_cluster, cpu); cluster_set_null(>index); } }
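Review bot: The comment added before claim_swapfile(p, inode), "If S_ISREG(inode->i_mode) will do mutex_lock(...)", is hard to parse and does not say who takes the lock. Suggest wording such as "claim_swapfile() takes inode->i_mutex for regular files". Two behavioural points should also be documented: claim_swapfile() now returns the raw blkdev_get() error instead of -EINVAL, which changes what swapon() reports to userspace, and the holder passed to blkdev_get() is now p instead of sys_swapon, so it is worth confirming that the release paths do not depend on the old holder value. With the duplicate-detection loop removed, -EBUSY relies entirely on FMODE_EXCL and the IS_SWAPFILE test described in the changelog.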
[PATCH 3.16 084/129] btrfs: init csum_list before possible free
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Robertson commit e49be14b8d80e23bb7c53d78c21717a474ade76b upstream. The scrub_ctx csum_list member must be initialized before scrub_free_ctx is called. If the csum_list is not initialized beforehand, the list_empty call in scrub_free_csums will result in a null deref if the allocation fails in the for loop. Fixes: a2de733c78fa ("btrfs: scrub") Reviewed-by: Nikolay Borisov Signed-off-by: Dan Robertson Reviewed-by: David Sterba Signed-off-by: David Sterba [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- fs/btrfs/scrub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/btrfs/scrub.c +++ b/fs/btrfs/scrub.c @@ -417,6 +417,7 @@ struct scrub_ctx *scrub_setup_ctx(struct sctx->pages_per_rd_bio = pages_per_rd_bio; sctx->curr = -1; sctx->dev_root = dev->dev_root; + INIT_LIST_HEAD(>csum_list); for (i = 0; i < SCRUB_BIOS_PER_SCTX; ++i) { struct scrub_bio *sbio; @@ -444,7 +445,6 @@ struct scrub_ctx *scrub_setup_ctx(struct atomic_set(>workers_pending, 0); atomic_set(>cancel_req, 0); sctx->csum_size = btrfs_super_csum_size(fs_info->super_copy); - INIT_LIST_HEAD(>csum_list); spin_lock_init(>list_lock); spin_lock_init(>stat_lock);
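Review bot: Only INIT_LIST_HEAD for csum_list moves above the allocation loop in scrub_setup_ctx(); spin_lock_init() for list_lock and stat_lock and the atomic_set() calls stay below it. If the failure path through scrub_free_ctx() touches any of those fields, they are still uninitialized when an allocation in the loop fails. Please confirm that csum_list is the only member the free path reads, or move the remaining initializers up as well so the whole context is valid before the first possible failure.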
[PATCH 3.16 073/129] libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Lubomir Rintel commit 607076a904c435f2677fadaadd4af546279db68b upstream. It doesn't make sense and the USB core warns on each submit of such URB, easily flooding the message buffer with tracebacks. Analogous issue was fixed in regular libertas driver in commit 6528d8804780 ("libertas: don't set URB_ZERO_PACKET on IN USB transfer"). Signed-off-by: Lubomir Rintel Reviewed-by: Steve deRosier Signed-off-by: Kalle Valo [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/net/wireless/libertas_tf/if_usb.c | 2 -- 1 file changed, 2 deletions(-) --- a/drivers/net/wireless/libertas_tf/if_usb.c +++ b/drivers/net/wireless/libertas_tf/if_usb.c @@ -440,8 +440,6 @@ static int __if_usb_submit_rx_urb(struct skb_tail_pointer(skb), MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, cardp); - cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET; - lbtf_deb_usb2(>udev->dev, "Pointer for rx_urb %p\n", cardp->rx_urb); ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC);
[PATCH 3.16 087/129] staging: android: ashmem: Avoid range_alloc() allocation with ashmem_mutex held.
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Tetsuo Handa commit ecd182cbf4e107928077866399100228d2359c60 upstream. ashmem_pin() is calling range_shrink() without checking whether range_alloc() succeeded. Also, doing memory allocation with ashmem_mutex held should be avoided because ashmem_shrink_scan() tries to hold it. Therefore, move memory allocation for range_alloc() to ashmem_pin_unpin() and make range_alloc() not to fail. This patch is mostly meant for backporting purpose for fuzz testing on stable/distributor kernels, for there is a plan to remove this code in near future. Signed-off-by: Tetsuo Handa Reviewed-by: Joel Fernandes Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/staging/android/ashmem.c | 42 ++-- 1 file changed, 24 insertions(+), 18 deletions(-) --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -158,19 +158,15 @@ static inline void lru_del(struct ashmem * @end: The ending page (inclusive) * * This function is protected by ashmem_mutex. - * - * Return: 0 if successful, or -ENOMEM if there is an error */ -static int range_alloc(struct ashmem_area *asma, - struct ashmem_range *prev_range, unsigned int purged, - size_t start, size_t end) +static void range_alloc(struct ashmem_area *asma, + struct ashmem_range *prev_range, unsigned int purged, + size_t start, size_t end, + struct ashmem_range **new_range) { - struct ashmem_range *range; - - range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL); - if (unlikely(!range)) - return -ENOMEM; + struct ashmem_range *range = *new_range; + *new_range = NULL; range->asma = asma; range->pgstart = start; range->pgend = end; @@ -180,8 +176,6 @@ static int range_alloc(struct ashmem_are if (range_on_lru(range)) lru_add(range); - - return 0; } /** 
@@ -576,7 +570,8 @@ static int get_name(struct ashmem_area * * * Caller must hold ashmem_mutex. */ -static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend) +static int ashmem_pin(struct ashmem_area *asma, size_t pgstart, size_t pgend, + struct ashmem_range **new_range) { struct ashmem_range *range, *next; int ret = ASHMEM_NOT_PURGED; @@ -628,7 +623,7 @@ static int ashmem_pin(struct ashmem_area * second half and adjust the first chunk's endpoint. */ range_alloc(asma, range, range->purged, - pgend + 1, range->pgend); + pgend + 1, range->pgend, new_range); range_shrink(range, range->pgstart, pgstart - 1); break; } @@ -642,7 +637,8 @@ static int ashmem_pin(struct ashmem_area * * Caller must hold ashmem_mutex. */ -static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend) +static int ashmem_unpin(struct ashmem_area *asma, size_t pgstart, size_t pgend, + struct ashmem_range **new_range) { struct ashmem_range *range, *next; unsigned int purged = ASHMEM_NOT_PURGED; @@ -668,7 +664,8 @@ restart: } } - return range_alloc(asma, range, purged, pgstart, pgend); + range_alloc(asma, range, purged, pgstart, pgend, new_range); + return 0; } /* @@ -701,10 +698,17 @@ static int ashmem_pin_unpin(struct ashme struct ashmem_pin pin; size_t pgstart, pgend; int ret = -EINVAL; + struct ashmem_range *range = NULL; if (unlikely(copy_from_user(, p, sizeof(pin return -EFAULT; + if (cmd == ASHMEM_PIN || cmd == ASHMEM_UNPIN) { + range = kmem_cache_zalloc(ashmem_range_cachep, GFP_KERNEL); + if (!range) + return -ENOMEM; + } + mutex_lock(_mutex); if (unlikely(!asma->file)) @@ -728,10 +732,10 @@ static int ashmem_pin_unpin(struct ashme switch (cmd) { case ASHMEM_PIN: - ret = ashmem_pin(asma, pgstart, pgend); + ret = ashmem_pin(asma, pgstart, pgend, ); break; case ASHMEM_UNPIN: - ret = ashmem_unpin(asma, pgstart, pgend); + ret = ashmem_unpin(asma, pgstart, pgend, ); break; case ASHMEM_GET_PIN_STATUS: ret = ashmem_get_pin_status(asma, pgstart, pgend); 
@@ -740,6 +744,8 @@ static int ashmem_pin_unpin(struct ashme out_unlock: mutex_unlock(_mutex); + if (range) + kmem_cache_free(ashmem_range_cachep, range); return ret; }
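Review bot: range_alloc() now dereferences *new_range unconditionally and then sets it to NULL, so a second call within one ioctl would dereference a NULL pointer. The visible callers each reach it once (ashmem_pin() breaks out of its loop right after the call, ashmem_unpin() calls it once before returning), but nothing enforces that. Suggest a WARN_ON for an empty *new_range, or at least a comment on the single-use contract. The kernel-doc above range_alloc() also loses its Return: line without gaining an entry for the new @new_range parameter. In ashmem_pin_unpin() the preallocation happens before the asma->file and range validation, so every rejected request now pays an allocate/free pair; that is harmless, but worth noting in the comment.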
[PATCH 3.16 093/129] NFSv4.1: Reinitialise sequence results before retransmitting a request
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Trond Myklebust commit c1dffe0bf7f9c3d57d9f237a7cb2a81e62babd2b upstream. If we have to retransmit a request, we should ensure that we reinitialise the sequence results structure, since in the event of a signal we need to treat the request as if it had not been sent. Signed-off-by: Trond Myklebust [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- fs/nfs/nfs4proc.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -694,6 +694,13 @@ static int nfs4_sequence_done(struct rpc return nfs41_sequence_done(task, res); } +static void nfs41_sequence_res_init(struct nfs4_sequence_res *res) +{ + res->sr_timestamp = jiffies; + res->sr_status_flags = 0; + res->sr_status = 1; +} + int nfs41_setup_sequence(struct nfs4_session *session, struct nfs4_sequence_args *args, struct nfs4_sequence_res *res, @@ -735,15 +742,9 @@ int nfs41_setup_sequence(struct nfs4_ses slot->slot_nr, slot->seq_nr); res->sr_slot = slot; - res->sr_timestamp = jiffies; - res->sr_status_flags = 0; - /* -* sr_status is only set in decode_sequence, and so will remain -* set to 1 if an rpc level failure occurs. -*/ - res->sr_status = 1; trace_nfs4_setup_sequence(session, args); out_success: + nfs41_sequence_res_init(res); rpc_call_start(task); return 0; out_sleep:
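Review bot: The new helper nfs41_sequence_res_init() drops the comment that explained why sr_status starts at 1 (it is only set in decode_sequence, so it stays 1 if an RPC-level failure occurs). That is the non-obvious part of the initialisation and should move into the helper with the code. Moving the call below the out_success label also means the results are now reinitialised on every path that jumps there, not only after a slot has been assigned; that matches the changelog, but a one-line comment at the label would make the intent clear to the next reader.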
[PATCH 3.16 097/129] ip6mr: Do not call __IP6_INC_STATS() from preemptible context
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Ido Schimmel commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf upstream. Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot assume preemption is disabled when incrementing the counter and accessing a per-CPU variable. Preemption can be enabled when we add a route in process context that corresponds to packets stored in the unresolved queue, which are then forwarded using this route [1]. Fix this by using IP6_INC_STATS() which takes care of disabling preemption on architectures where it is needed. [1] [ 157.451447] BUG: using __this_cpu_add() in preemptible [] code: smcrouted/2314 [ 157.460409] caller is ip6mr_forward2+0x73e/0x10e0 [ 157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted 5.0.0-rc7-custom-03635-g22f2712113f1 #1336 [ 157.460449] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016 [ 157.460461] Call Trace: [ 157.460486] dump_stack+0xf9/0x1be [ 157.460553] check_preemption_disabled+0x1d6/0x200 [ 157.460576] ip6mr_forward2+0x73e/0x10e0 [ 157.460705] ip6_mr_forward+0x9a0/0x1510 [ 157.460771] ip6mr_mfc_add+0x16b3/0x1e00 [ 157.461155] ip6_mroute_setsockopt+0x3cb/0x13c0 [ 157.461384] do_ipv6_setsockopt.isra.8+0x348/0x4060 [ 157.462013] ipv6_setsockopt+0x90/0x110 [ 157.462036] rawv6_setsockopt+0x4a/0x120 [ 157.462058] __sys_setsockopt+0x16b/0x340 [ 157.462198] __x64_sys_setsockopt+0xbf/0x160 [ 157.462220] do_syscall_64+0x14d/0x610 [ 157.462349] entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module method ip6_mr_forward().") Signed-off-by: Ido Schimmel Reported-by: Amit Cohen Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/ipv6/ip6mr.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) --- a/net/ipv6/ip6mr.c 
+++ b/net/ipv6/ip6mr.c @@ -1984,10 +1984,10 @@ int ip6mr_compat_ioctl(struct sock *sk, static inline int ip6mr_forward2_finish(struct sk_buff *skb) { - IP6_INC_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), -IPSTATS_MIB_OUTFORWDATAGRAMS); - IP6_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), -IPSTATS_MIB_OUTOCTETS, skb->len); + IP6_INC_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), + IPSTATS_MIB_OUTFORWDATAGRAMS); + IP6_ADD_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)), + IPSTATS_MIB_OUTOCTETS, skb->len); return dst_output(skb); }
[PATCH 3.16 119/129] l2tp: fix infoleak in l2tp_ip6_recvmsg()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Eric Dumazet commit 163d1c3d6f17556ed3c340d3789ea93be95d6c28 upstream. Back in 2013 Hannes took care of most of such leaks in commit bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls") But the bug in l2tp_ip6_recvmsg() has not been fixed. syzbot report : BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x173/0x1d0 lib/dump_stack.c:113 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600 kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 copy_to_user include/linux/uaccess.h:174 [inline] move_addr_to_user+0x311/0x570 net/socket.c:227 ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283 do_recvmmsg+0x646/0x10c0 net/socket.c:2390 __sys_recvmmsg net/socket.c:2469 [inline] __do_sys_recvmmsg net/socket.c:2492 [inline] __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485 __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x445819 Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7f64453eddb8 EFLAGS: 0246 ORIG_RAX: 012b RAX: ffda RBX: 006dac28 RCX: 00445819 RDX: 0005 RSI: 20002f80 RDI: 0003 RBP: 006dac20 R08: R09: R10: R11: 0246 R12: 006dac2c R13: 7ffeba8f87af R14: 7f64453ee9c0 R15: 20c49ba5e353f7cf Local variable description: addr@___sys_recvmsg Variable was created at: ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244 do_recvmmsg+0x646/0x10c0 net/socket.c:2390 Bytes 0-31 of 32 are uninitialized Memory access of size 32 starts at 8880ae62fbb0 Data copied 
to user address 2000 Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ip6.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c @@ -664,9 +664,6 @@ static int l2tp_ip6_recvmsg(struct kiocb if (flags & MSG_OOB) goto out; - if (addr_len) - *addr_len = sizeof(*lsa); - if (flags & MSG_ERRQUEUE) return ipv6_recv_error(sk, msg, len, addr_len); @@ -696,6 +693,7 @@ static int l2tp_ip6_recvmsg(struct kiocb lsa->l2tp_conn_id = 0; if (ipv6_addr_type(>l2tp_addr) & IPV6_ADDR_LINKLOCAL) lsa->l2tp_scope_id = IP6CB(skb)->iif; + *addr_len = sizeof(*lsa); } if (np->rxopt.all)
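Review bot: in the second hunk of l2tp_ip6_recvmsg(), `*addr_len = sizeof(*lsa);` is stored without the `if (addr_len)` guard that the removed lines carried. That is only safe if addr_len can never be NULL when the address-filling block runs, so either keep the guard or add a comment saying why the pointer is always valid there. Moving the store next to the code that fills lsa is the right shape for the fix: the MSG_ERRQUEUE return and the other early exits no longer report a 32-byte address length for a buffer nothing was written to, which is the "Bytes 0-31 of 32 are uninitialized" copy in the KMSAN report.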
[PATCH 3.16 008/129] clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit 1731e14fb30212dd8c1e9f8fc1af061e56498c55 upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: d55135689019 ("ARM: imx: add clock driver for imx6sx") Signed-off-by: Stephen Boyd [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- arch/arm/mach-imx/clk-imx6sx.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/arm/mach-imx/clk-imx6sx.c +++ b/arch/arm/mach-imx/clk-imx6sx.c @@ -143,6 +143,7 @@ static void __init imx6sx_clocks_init(st np = of_find_compatible_node(NULL, NULL, "fsl,imx6sx-anatop"); base = of_iomap(np, 0); WARN_ON(!base); + of_node_put(np); /* type name parent_name base div_mask */ clks[IMX6SX_CLK_PLL1_SYS] = imx_clk_pllv3(IMX_PLLV3_SYS, "pll1_sys", "osc",base,0x7f);
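Review bot: np is passed to of_iomap() without a NULL check, and after `WARN_ON(!base);` the function carries on and hands base to imx_clk_pllv3() on the next visible line. The added of_node_put(np) is placed correctly (after the last use of np), but if the anatop node is missing the code still proceeds with a NULL mapping; consider returning early when base is NULL instead of only warning.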
[PATCH 3.16 086/129] ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
0762c6 leaf_length 7, crc 25286 460 textual descriptor 464 minimal ASCII 468 4c495155 "LIQU" 46c 49445f53 "ID_S" 470 41464649 "AFFI" 474 52455f35 "RE_5" 478 3600 "6" descriptor leaf at 47c - 47c 000762c6 leaf_length 7, crc 25286 480 textual descriptor 484 minimal ASCII 488 4c495155 "LIQU" 48c 49445f53 "ID_S" 490 41464649 "AFFI" 494 52455f35 "RE_5" 498 3600 "6" Fixes: 25784ec2d034 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series") Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/firewire/bebob/bebob.c | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) --- a/sound/firewire/bebob/bebob.c +++ b/sound/firewire/bebob/bebob.c @@ -396,7 +396,19 @@ static const struct ieee1394_device_id b /* Focusrite, SaffirePro 26 I/O */ SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x0003, _26_spec), /* Focusrite, SaffirePro 10 I/O */ - SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, 0x0006, _10_spec), + { + // The combination of vendor_id and model_id is the same as the + // same as the one of Liquid Saffire 56. + .match_flags= IEEE1394_MATCH_VENDOR_ID | + IEEE1394_MATCH_MODEL_ID | + IEEE1394_MATCH_SPECIFIER_ID | + IEEE1394_MATCH_VERSION, + .vendor_id = VEN_FOCUSRITE, + .model_id = 0x06, + .specifier_id = 0x00a02d, + .version= 0x010001, + .driver_data= (kernel_ulong_t)_10_spec, + }, /* Focusrite, Saffire(no label and LE) */ SND_BEBOB_DEV_ENTRY(VEN_FOCUSRITE, MODEL_FOCUSRITE_SAFFIRE_BOTH, _spec),
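Review bot: the comment in the new table entry repeats itself ("is the same as the" followed by "same as the one of") and uses `//` where the neighbouring entries use `/* */`; please reword it once and match the surrounding style. The entry also writes `.model_id = 0x06` where the removed macro line and the SaffirePro 26 entry above use four hex digits (0x0006, 0x0003), so keeping the same width makes the table easier to scan. Because this is the only entry that matches on specifier_id and version as well, a short note in the comment on where 0x00a02d and 0x010001 come from would help the next person who adds a device with a colliding model_id.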
[PATCH 3.16 089/129] regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Axel Lin commit c25d47888f0fb3d836d68322d4aea2caf31a75a6 upstream. The wm831x_dcdc_ilim entries needs to be uA because it is used to compare with min_uA and max_uA. While at it also make the array const and change to use unsigned int. Fixes: e4ee831f949a ("regulator: Add WM831x DC-DC buck convertor support") Signed-off-by: Axel Lin Acked-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings --- drivers/regulator/wm831x-dcdc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/regulator/wm831x-dcdc.c +++ b/drivers/regulator/wm831x-dcdc.c @@ -327,8 +327,8 @@ static int wm831x_buckv_get_voltage_sel( } /* Current limit options */ -static u16 wm831x_dcdc_ilim[] = { - 125, 250, 375, 500, 625, 750, 875, 1000 +static const unsigned int wm831x_dcdc_ilim[] = { + 125000, 25, 375000, 50, 625000, 75, 875000, 100 }; static int wm831x_buckv_set_current_limit(struct regulator_dev *rdev,
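Review bot: as the added array line reads here, the second, fourth, sixth and eighth entries (25, 50, 75, 100) are not the removed 250, 500, 750 and 1000 mA values converted to uA, and the table is no longer monotonic. Every entry should be 1000 times its old value (125000 through 1000000 in steps of 125000), otherwise the comparison against min_uA and max_uA described in the commit message selects the wrong limit. The switch from u16 to unsigned int is required for the same reason, since 125000 does not fit in 16 bits; the const is a welcome addition.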
[PATCH 3.16 100/129] CIFS: Fix read after write for files with read caching
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Pavel Shilovsky commit 6dfbd84684700cb58b34e8602c01c12f3d2595c8 upstream. When we have a READ lease for a file and have just issued a write operation to the server we need to purge the cache and set oplock/lease level to NONE to avoid reading stale data. Currently we do that only if a write operation succeeded thus not covering cases when a request was sent to the server but a negative error code was returned later for some other reasons (e.g. -EIOCBQUEUED or -EINTR). Fix this by turning off caching regardless of the error code being returned. The patch fixes generic tests 075 and 112 from the xfs-tests. Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French Reviewed-by: Ronnie Sahlberg Signed-off-by: Ben Hutchings --- fs/cifs/file.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -2661,14 +2661,16 @@ cifs_strict_writev(struct kiocb *iocb, s * these pages but not on the region from pos to ppos+len-1. */ written = cifs_user_writev(iocb, from); - if (written > 0 && CIFS_CACHE_READ(cinode)) { + if (CIFS_CACHE_READ(cinode)) { /* -* Windows 7 server can delay breaking level2 oplock if a write -* request comes - break it on the client to prevent reading -* an old data. +* We have read level caching and we have just sent a write +* request to the server thus making data in the cache stale. +* Zap the cache and set oplock/lease level to NONE to avoid +* reading stale data from the cache. All subsequent read +* operations will read new data from the server. */ cifs_zap_mapping(inode); - cifs_dbg(FYI, "Set Oplock/Lease to NONE for inode=%p after write\n", + cifs_dbg(FYI, "Set Oplock/Lease to NONE for inode=%p after write\n", inode); cinode->oplock = 0; }
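Review bot: with `written > 0` dropped from the condition in cifs_strict_writev(), the cache is zapped and the oplock cleared for every return value of cifs_user_writev(), including errors raised before any request reached the server. That is the conservative choice and matches the commit message, but the new comment says "we have just sent a write request to the server", which is not true on those paths; please word the comment so it states that caching is dropped whether or not the write was sent, because the client cannot tell the two cases apart from the error code.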
[PATCH 3.16 091/129] Btrfs: fix corruption reading shared and compressed extents after hole punching
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Filipe Manana

commit 8e928218780e2f1cf2f5891c7575e8f0b284fcce upstream.

In the past we had data corruption when reading compressed extents that are shared within the same file and they are consecutive, this got fixed by commit 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared extents") and by commit 808f80b46790f ("Btrfs: update fix for read corruption of compressed and shared extents"). However there was a case that was missing in those fixes, which is when the shared and compressed extents are referenced with a non-zero offset. The following shell script creates a reproducer for this issue:

  #!/bin/bash

  mkfs.btrfs -f /dev/sdc &> /dev/null
  mount -o compress /dev/sdc /mnt/sdc

  # Create a file with 3 consecutive compressed extents, each has an
  # uncompressed size of 128Kb and a compressed size of 4Kb.
  for ((i = 1; i <= 3; i++)); do
      head -c 4096 /dev/zero
      for ((j = 1; j <= 31; j++)); do
          head -c 4096 /dev/zero | tr '\0' "\377"
      done
  done > /mnt/sdc/foobar
  sync

  echo "Digest after file creation: $(md5sum /mnt/sdc/foobar)"

  # Clone the first extent into offsets 128K and 256K.
  xfs_io -c "reflink /mnt/sdc/foobar 0 128K 128K" /mnt/sdc/foobar
  xfs_io -c "reflink /mnt/sdc/foobar 0 256K 128K" /mnt/sdc/foobar
  sync

  echo "Digest after cloning: $(md5sum /mnt/sdc/foobar)"

  # Punch holes into the regions that are already full of zeroes.
  xfs_io -c "fpunch 0 4K" /mnt/sdc/foobar
  xfs_io -c "fpunch 128K 4K" /mnt/sdc/foobar
  xfs_io -c "fpunch 256K 4K" /mnt/sdc/foobar
  sync

  echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)"

  echo "Dropping page cache..."
  sysctl -q vm.drop_caches=1
  echo "Digest after hole punching: $(md5sum /mnt/sdc/foobar)"

  umount /dev/sdc

When running the script we get the following output:

  Digest after file creation: 5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar
  linked 131072/131072 bytes at offset 131072
  128 KiB, 1 ops; 0.0033 sec (36.960 MiB/sec and 295.6830 ops/sec)
  linked 131072/131072 bytes at offset 262144
  128 KiB, 1 ops; 0.0015 sec (78.567 MiB/sec and 628.5355 ops/sec)
  Digest after cloning: 5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar
  Digest after hole punching: 5a0888d80d7ab1fd31c229f83a3bbcc8 /mnt/sdc/foobar
  Dropping page cache...
  Digest after hole punching: fba694ae8664ed0c2e9ff8937e7f1484 /mnt/sdc/foobar

This happens because after reading all the pages of the extent in the range from 128K to 256K for example, we read the hole at offset 256K and then when reading the page at offset 260K we don't submit the existing bio, which is responsible for filling all the page in the range 128K to 256K only, therefore adding the pages from range 260K to 384K to the existing bio and submitting it after iterating over the entire range. Once the bio completes, the uncompressed data fills only the pages in the range 128K to 256K because there's no more data read from disk, leaving the pages in the range 260K to 384K unfilled. It is just a slightly different variant of what was solved by commit 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared extents").

Fix this by forcing a bio submit, during readpages(), whenever we find a compressed extent map for a page that is different from the extent map for the previous page or has a different starting offset (in case it's the same compressed extent), instead of the extent map's original start offset.

A test case for fstests follows soon.

Reported-by: Zygo Blaxell Fixes: 808f80b46790f ("Btrfs: update fix for read corruption of compressed and shared extents") Fixes: 005efedf2c7d0 ("Btrfs: fix read corruption of compressed and shared extents") Tested-by: Zygo Blaxell Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Ben Hutchings --- fs/btrfs/extent_io.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -2936,11 +2936,11 @@ static int __do_readpage(struct extent_i */ if (test_bit(EXTENT_FLAG_COMPRESSED, >flags) && prev_em_start && *prev_em_start != (u64)-1 && - *prev_em_start != em->orig_start) + *prev_em_start != em->start) force_bio_submit = true; if (prev_em_start) - *prev_em_start = em->orig_start; + *prev_em_start = em->start; free_extent_map(em); em = NULL;
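Review bot: the two changed lines in __do_readpage() switch both the comparison and the stored value from em->orig_start to em->start, but nothing in the code says why the mapped start is the right key. The distinction is the whole fix (the same compressed extent referenced at a non-zero offset keeps its orig_start, so the old test never forced a submit), so a sentence to that effect belongs in the comment block above `*prev_em_start != em->start`. Please also keep the compare and the store on the same field in any later change, since a mismatch would silently bring the stale-bio read back.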
[PATCH 3.16 098/129] CIFS: Do not reset lease state to NONE on lease break
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Pavel Shilovsky commit 7b9b9edb49ad377b1e06abf14354c227e9ac4b06 upstream. Currently on lease break the client sets a caching level twice: when oplock is detected and when oplock is processed. While the 1st attempt sets the level to the value provided by the server, the 2nd one resets the level to None unconditionally. This happens because the oplock/lease processing code was changed to avoid races between page cache flushes and oplock breaks. The commit c11f1df5003d534 ("cifs: Wait for writebacks to complete before attempting write.") fixed the races for oplocks but didn't apply the same changes for leases resulting in overwriting the server granted value to None. Fix this by properly processing lease breaks. Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French [bwh: Backported to 3.16: drop change in smb311_operations] Signed-off-by: Ben Hutchings --- --- a/fs/cifs/smb2misc.c +++ b/fs/cifs/smb2misc.c @@ -420,7 +420,6 @@ smb2_tcon_has_lease(struct cifs_tcon *tc __u8 lease_state; struct list_head *tmp; struct cifsFileInfo *cfile; - struct TCP_Server_Info *server = tcon->ses->server; struct cifs_pending_open *open; struct cifsInodeInfo *cinode; int ack_req = le32_to_cpu(rsp->Flags & 
@@ -440,13 +439,25 @@ smb2_tcon_has_lease(struct cifs_tcon *tc cifs_dbg(FYI, "lease key match, lease break 0x%d\n", le32_to_cpu(rsp->NewLeaseState)); - server->ops->set_oplock_level(cinode, lease_state, 0, NULL); - if (ack_req) cfile->oplock_break_cancelled = false; else cfile->oplock_break_cancelled = true; + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, >flags); + + /* +* Set or clear flags depending on the lease state being READ. +* HANDLE caching flag should be added when the client starts +* to defer closing remote file handles with HANDLE leases. +*/ + if (lease_state & SMB2_LEASE_READ_CACHING_HE) + set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + >flags); + else + clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + >flags); + queue_work(cifsoplockd_wq, >oplock_break); kfree(lw); return true; --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -962,6 +962,15 @@ smb2_downgrade_oplock(struct TCP_Server_ } static void +smb21_downgrade_oplock(struct TCP_Server_Info *server, + struct cifsInodeInfo *cinode, bool set_level2) +{ + server->ops->set_oplock_level(cinode, + set_level2 ? SMB2_LEASE_READ_CACHING_HE : + 0, 0, NULL); +} + +static void smb2_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, unsigned int epoch, bool *purge_cache) { @@ -1253,7 +1262,7 @@ struct smb_version_operations smb21_oper .print_stats = smb2_print_stats, .is_oplock_break = smb2_is_valid_oplock_break, .handle_cancelled_mid = smb2_handle_cancelled_mid, - .downgrade_oplock = smb2_downgrade_oplock, + .downgrade_oplock = smb21_downgrade_oplock, .need_neg = smb2_need_neg, .negotiate = smb2_negotiate, .negotiate_wsize = smb2_negotiate_wsize, 
@@ -1331,7 +1340,7 @@ struct smb_version_operations smb30_oper .dump_share_caps = smb2_dump_share_caps, .is_oplock_break = smb2_is_valid_oplock_break, .handle_cancelled_mid = smb2_handle_cancelled_mid, - .downgrade_oplock = smb2_downgrade_oplock, + .downgrade_oplock = smb21_downgrade_oplock, .need_neg = smb2_need_neg, .negotiate = smb2_negotiate, .negotiate_wsize = smb2_negotiate_wsize,
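Review bot: in the smb2misc.c hunk, the lease path now sets CIFS_INODE_PENDING_OPLOCK_BREAK and then sets or clears CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2 as separate bit operations before queue_work(). Please state in the comment which side clears the pending bit and that the worker reads the downgrade flag only after it is queued, so the ordering requirement between the two flags is on record. The context line `"lease key match, lease break 0x%d\n"` also prints a decimal value behind a 0x prefix; `0x%x` would match what the message claims.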
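Review bot: smb21_downgrade_oplock() in the smb2ops.c hunk reduces the lease to either SMB2_LEASE_READ_CACHING_HE or 0, so any other caching bit granted in the server's NewLeaseState is dropped at downgrade time. The comment added in smb2misc.c acknowledges this for HANDLE caching; a matching one-line comment on the new function would stop the two places drifting apart. The call is also hard to read as written, with `0, 0, NULL` following the conditional expression; computing the level into a local variable first would make the arguments obvious.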
[PATCH 3.16 107/129] cpufreq: pxa2xx: remove incorrect __init annotation
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit 9505b98ccddc454008ca7efff90044e3e857c827 upstream. pxa_cpufreq_init_voltages() is marked __init but usually inlined into the non-__init pxa_cpufreq_init() function. When building with clang, it can stay as a standalone function in a discarded section, and produce this warning: WARNING: vmlinux.o(.text+0x616a00): Section mismatch in reference from the function pxa_cpufreq_init() to the function .init.text:pxa_cpufreq_init_voltages() The function pxa_cpufreq_init() references the function __init pxa_cpufreq_init_voltages(). This is often because pxa_cpufreq_init lacks a __init annotation or the annotation of pxa_cpufreq_init_voltages is wrong. Fixes: 50e77fcd790e ("ARM: pxa: remove __init from cpufreq_driver->init()") Signed-off-by: Arnd Bergmann Acked-by: Viresh Kumar Reviewed-by: Nathan Chancellor Acked-by: Robert Jarzmik Signed-off-by: Rafael J. Wysocki Signed-off-by: Ben Hutchings --- drivers/cpufreq/pxa2xx-cpufreq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/cpufreq/pxa2xx-cpufreq.c +++ b/drivers/cpufreq/pxa2xx-cpufreq.c @@ -191,7 +191,7 @@ static int pxa_cpufreq_change_voltage(px return ret; } -static void __init pxa_cpufreq_init_voltages(void) +static void pxa_cpufreq_init_voltages(void) { vcc_core = regulator_get(NULL, "vcc_core"); if (IS_ERR(vcc_core)) { @@ -207,7 +207,7 @@ static int pxa_cpufreq_change_voltage(px return 0; } -static void __init pxa_cpufreq_init_voltages(void) { } +static void pxa_cpufreq_init_voltages(void) { } #endif static void find_freq_tables(struct cpufreq_frequency_table **freq_table,
[PATCH 3.16 104/129] s390/virtio: handle find on invalid queue gracefully
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Halil Pasic commit 3438b2c039b4bf26881786a1f3450f016d66ad11 upstream. A queue with a capacity of zero is clearly not a valid virtio queue. Some emulators report zero queue size if queried with an invalid queue index. Instead of crashing in this case let us just return -ENOENT. To make that work properly, let us fix the notifier cleanup logic as well. Signed-off-by: Halil Pasic Signed-off-by: Cornelia Huck Signed-off-by: Michael S. Tsirkin [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/s390/kvm/virtio_ccw.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/s390/kvm/virtio_ccw.c +++ b/drivers/s390/kvm/virtio_ccw.c @@ -258,6 +258,8 @@ static void virtio_ccw_drop_indicators(s { struct virtio_ccw_vq_info *info; + if (!vcdev->airq_info) + return; list_for_each_entry(info, >virtqueues, node) drop_airq_indicator(info->vq, vcdev->airq_info); } @@ -386,7 +388,7 @@ static int virtio_ccw_read_vq_conf(struc ccw->count = sizeof(struct vq_config_block); ccw->cda = (__u32)(unsigned long)(vcdev->config_block); ccw_io_helper(vcdev, ccw, VIRTIO_CCW_DOING_READ_VQ_CONF); - return vcdev->config_block->num; + return vcdev->config_block->num ?: -ENOENT; } static void virtio_ccw_del_vq(struct virtqueue *vq, struct ccw1 *ccw)
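Review bot: in virtio_ccw_read_vq_conf() the result of ccw_io_helper() is still discarded on the line above the changed return, so a failed channel program returns whatever num was left in config_block instead of an error. Since the function can now return a negative errno anyway, propagate the helper's error first and apply `?: -ENOENT` only to a successful read. Callers that treated the return value as an unsigned queue size need a check for negative values, and that is worth confirming in the same series. The early return on `!vcdev->airq_info` in virtio_ccw_drop_indicators() is fine as a guard.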
[PATCH 3.16 096/129] net-sysfs: Fix mem leak in netdev_register_kobject
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: YueHaibing commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab upstream. syzkaller report this: BUG: memory leak unreferenced object 0x88837a71a500 (size 256): comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .N.. ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff ... backtrace: [<db12624b>] netdev_register_kobject+0x124/0x2e0 net/core/net-sysfs.c:1751 [<dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516 [<e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline] [<e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883 [<1b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline] [<1b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690 [<79b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705 [<de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline] [<de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline] [<de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710 [<7ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290 [<db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe [<115be9bb>] 0x It should call kset_unregister to free 'dev->queues_kset' in error path of register_queue_kobjects, otherwise will cause a mem leak. Reported-by: Hulk Robot Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering") Signed-off-by: YueHaibing Signed-off-by: David S. Miller [bwh: Backported to 3.16: net_device pointer is called "net", confusingly] Signed-off-by: Ben Hutchings --- net/core/net-sysfs.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -1219,6 +1219,9 @@ static int register_queue_kobjects(struc error: netdev_queue_update_kobjects(net, txq, 0); net_rx_queue_update_kobjects(net, rxq, 0); +#ifdef CONFIG_SYSFS + kset_unregister(net->queues_kset); +#endif return error; }
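Review bot: after `kset_unregister(net->queues_kset);` in the error path of register_queue_kobjects(), the pointer stored in net still refers to the released kset. Set `net->queues_kset = NULL;` right after the unregister so a later teardown path cannot unregister or dereference it again. The `#ifdef CONFIG_SYSFS` inside the function body would read better as a small helper that compiles to nothing when sysfs is disabled.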
[PATCH 3.16 118/129] net/mlx4_core: Fix qp mtt size calculation
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jack Morgenstein commit 8511a653e9250ef36b95803c375a7be0e2edb628 upstream. Calculation of qp mtt size (in function mlx4_RST2INIT_wrapper) ultimately depends on function roundup_pow_of_two. If the amount of memory required by the QP is less than one page, roundup_pow_of_two is called with argument zero. In this case, the roundup_pow_of_two result is undefined. Calling roundup_pow_of_two with a zero argument resulted in the following stack trace: UBSAN: Undefined behaviour in ./include/linux/log2.h:61:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 4 PID: 26939 Comm: rping Tainted: G OE 4.19.0-rc1 Hardware name: Supermicro X9DR3-F/X9DR3-F, BIOS 3.2a 07/09/2015 Call Trace: dump_stack+0x9a/0xeb ubsan_epilogue+0x9/0x7c __ubsan_handle_shift_out_of_bounds+0x254/0x29d ? __ubsan_handle_load_invalid_value+0x180/0x180 ? debug_show_all_locks+0x310/0x310 ? sched_clock+0x5/0x10 ? sched_clock+0x5/0x10 ? sched_clock_cpu+0x18/0x260 ? find_held_lock+0x35/0x1e0 ? mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core] mlx4_RST2INIT_QP_wrapper+0xfb1/0x1440 [mlx4_core] Fix this by explicitly testing for zero, and returning one if the argument is zero (assuming that the next higher power of 2 in this case should be one). Fixes: c82e9aa0a8bc ("mlx4_core: resource tracking for HCA resources used by guests") Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c 
@@ -2460,13 +2460,13 @@ static int qp_get_mtt_size(struct mlx4_q int total_pages; int total_mem; int page_offset = (be32_to_cpu(qpc->params2) >> 6) & 0x3f; + int tot; sq_size = 1 << (log_sq_size + log_sq_sride + 4); rq_size = (srq|rss|xrc) ? 0 : (1 << (log_rq_size + log_rq_stride + 4)); total_mem = sq_size + rq_size; - total_pages = - roundup_pow_of_two((total_mem + (page_offset << 6)) >> - page_shift); + tot = (total_mem + (page_offset << 6)) >> page_shift; + total_pages = !tot ? 1 : roundup_pow_of_two(tot); return total_pages; }
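Review bot: the new `!tot ? 1 : roundup_pow_of_two(tot)` in qp_get_mtt_size() covers only the zero case, while sq_size and rq_size are still built with `1 << (...)` on int from fields of the QP context with no bound on the exponent. A large log size or stride makes that shift overflow and can leave tot negative, which reaches roundup_pow_of_two() with a value it is just as undefined for. Please bound the shift counts (or reject the context) before computing total_mem, and consider writing the guard as `tot > 0 ? roundup_pow_of_two(tot) : 1` so that non-positive values are handled in one place.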
[PATCH 3.16 109/129] xen, cpu_hotplug: Prevent an out of bounds access
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter commit 201676095dda7e5b31a5e1d116d10fc22985075e upstream. The "cpu" variable comes from the sscanf() so Smatch marks it as untrusted data. We can't pass a higher value than "nr_cpu_ids" to cpu_possible() or it results in an out of bounds access. Fixes: d68d82afd4c8 ("xen: implement CPU hotplugging") Signed-off-by: Dan Carpenter Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross Signed-off-by: Ben Hutchings --- drivers/xen/cpu_hotplug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/xen/cpu_hotplug.c +++ b/drivers/xen/cpu_hotplug.c @@ -47,7 +47,7 @@ static int vcpu_online(unsigned int cpu) } static void vcpu_hotplug(unsigned int cpu) { - if (!cpu_possible(cpu)) + if (cpu >= nr_cpu_ids || !cpu_possible(cpu)) return; switch (vcpu_online(cpu)) {
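Review bot: the `cpu >= nr_cpu_ids` test is added in vcpu_hotplug(), not where the value is parsed with sscanf(), so any other consumer of the parsed number is not covered by it. Validating the range immediately after the parse (and returning an error there) keeps untrusted input from travelling further than necessary; the check in vcpu_hotplug() can stay as a second line of defence. The order of the two conditions is correct, since the bound must be tested before cpu_possible() indexes the mask.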
[PATCH 3.16 110/129] route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Xin Long commit ee60ad219f5c7c4fb2f047f88037770063ef785f upstream. The race occurs in __mkroute_output() when 2 threads lookup a dst: CPU A CPU B find_exception() find_exception() [fnhe expires] ip_del_fnhe() [fnhe is deleted] rt_bind_exception() In rt_bind_exception() it will bind a deleted fnhe with the new dst, and this dst will get no chance to be freed. It causes a dev defcnt leak and consecutive dmesg warnings: unregister_netdevice: waiting for ethX to become free. Usage count = 1 Especially thanks Jon to identify the issue. This patch fixes it by setting fnhe_daddr to 0 in ip_del_fnhe() to stop binding the deleted fnhe with a new dst when checking fnhe's fnhe_daddr and daddr in rt_bind_exception(). It works as both ip_del_fnhe() and rt_bind_exception() are protected by fnhe_lock and the fnhe is freed by kfree_rcu(). Fixes: deed49df7390 ("route: check and remove route cache when we get route") Signed-off-by: Jon Maxwell Signed-off-by: Xin Long Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/ipv4/route.c | 4 1 file changed, 4 insertions(+) --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1279,6 +1279,10 @@ static void ip_del_fnhe(struct fib_nh *n if (fnhe->fnhe_daddr == daddr) { rcu_assign_pointer(*fnhe_p, rcu_dereference_protected( fnhe->fnhe_next, lockdep_is_held(_lock))); + /* set fnhe_daddr to 0 to ensure it won't bind with +* new dsts in rt_bind_exception(). +*/ + fnhe->fnhe_daddr = 0; fnhe_flush_routes(fnhe); kfree_rcu(fnhe, rcu); break;
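Review bot: `fnhe->fnhe_daddr = 0;` in ip_del_fnhe() uses 0 as a "deleted" marker, which only works if no live exception can ever have a destination of 0 and if every place that binds a dst compares fnhe_daddr under fnhe_lock. The comment names rt_bind_exception() but not that assumption; please extend it to say that 0 is never a valid fnhe_daddr and that the comparison must be made with the lock held. The entry stays visible to RCU readers until the grace period ends, so lockless lookups can see the field change underneath them, and a once-only store would make that intent explicit.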
[PATCH 3.16 112/129] gro_cells: make sure device is up in gro_cells_receive()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Eric Dumazet commit 2a5ff07a0eb945f291e361aa6f6becca8340ba46 upstream. We keep receiving syzbot reports [1] that show that tunnels do not play the rcu/IFF_UP rules properly. At device dismantle phase, gro_cells_destroy() will be called only after a full rcu grace period is observed after IFF_UP has been cleared. This means that IFF_UP needs to be tested before queueing packets into netif_rx() or gro_cells. This patch implements the test in gro_cells_receive() because too many callers do not seem to bother enough. [1] BUG: unable to handle kernel paging request at f4ca0b9e PGD 0 P4D 0 Oops: [#1] PREEMPT SMP KASAN CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0+ #97 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline] RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline] RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline] RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline] RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78 Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03 RSP: 0018:8880aa3f79a8 EFLAGS: 00010a02 RAX: 00e8 RBX: e8c64b70 RCX: 18ca0b9e RDX: c6505ce8 RSI: 858410ca RDI: c6505cf0 RBP: 8880aa3f7a08 R08: 8880aa3e8580 R09: fbfff1263645 R10: fbfff1263644 R11: 8931b223 R12: dc00 R13: R14: e8c64b80 R15: e8c64b75 kobject: 'loop2' (4bd7d84a): kobject_uevent_env FS: () GS:8880ae80() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: f4ca0b9e CR3: 94941000 CR4: 001406f0 Call Trace: kobject: 'loop2' (4bd7d84a): fill_kobj_path: path = '/devices/virtual/block/loop2' ip_tunnel_dev_free+0x19/0x60 net/ipv4/ip_tunnel.c:1010 netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116 ip_tunnel_delete_nets+0x423/0x5f0 
net/ipv4/ip_tunnel.c:1124 vti_exit_batch_net+0x23/0x30 net/ipv4/ip_vti.c:495 ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173 worker_thread+0x98/0xe40 kernel/workqueue.c:2319 kthread+0x357/0x430 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Modules linked in: CR2: f4ca0b9e [ end trace 513fc9c1338d1cb3 ] RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline] RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline] RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline] RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline] RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78 Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03 RSP: 0018:8880aa3f79a8 EFLAGS: 00010a02 RAX: 00e8 RBX: e8c64b70 RCX: 18ca0b9e RDX: c6505ce8 RSI: 858410ca RDI: c6505cf0 RBP: 8880aa3f7a08 R08: 8880aa3e8580 R09: fbfff1263645 R10: fbfff1263644 R11: 8931b223 R12: dc00 kobject: 'loop3' (e4ee57a6): kobject_uevent_env R13: R14: e8c64b80 R15: e8c64b75 FS: () GS:8880ae80() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: f4ca0b9e CR3: 94941000 CR4: 001406f0 Fixes: c9e6bc644e55 ("net: add gro_cells infrastructure") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Adjust filename, context - Return type is void] Signed-off-by: Ben Hutchings --- include/net/gro_cells.h | 22 ++ 1 file changed, 18 insertions(+), 4 deletions(-) --- a/include/net/gro_cells.h +++ b/include/net/gro_cells.h 
@@ -20,18 +20,23 @@ static inline void gro_cells_receive(str struct gro_cell *cell = gcells->cells; struct net_device *dev = skb->dev; + rcu_read_lock(); + if (unlikely(!(dev->flags & IFF_UP))) + goto drop; + if (!cell || skb_cloned(skb) || !(dev->features & NETIF_F_GRO)) { netif_rx(skb); - return; + goto unlock; } if (skb_rx_queue_recorded(skb)) cell += skb_get_rx_queue(skb) & gcells->gro_cells_mask; if (skb_qu
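Review bot: with rcu_read_lock() now taken at the top of gro_cells_receive(), every exit has to pass through the unlock label. The visible part converts the return after netif_rx() to `goto unlock` and sends the !IFF_UP case to `drop`, but the hunk is cut off here before the remaining exits and the labels themselves, so those need to be checked against the full patch. Since dev->flags is read while another context may be clearing IFF_UP during dismantle, a comment tying the test to the grace period described in the commit message would help anyone touching the callers later.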
[PATCH 3.16 127/129] mwifiex: Abort at too short BSS descriptor element
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 685c9b7750bfacd6fc1db50d86579980593b7869 upstream. Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that the source descriptor entries contain the enough size for each type and performs copying without checking the source size. This may lead to read over boundary. Fix this by putting the source size check in appropriate places. Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/net/wireless/mwifiex/scan.c | 15 +++ 1 file changed, 15 insertions(+) --- a/drivers/net/wireless/mwifiex/scan.c +++ b/drivers/net/wireless/mwifiex/scan.c @@ -1193,6 +1193,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_FH_PARAMS: + if (element_len + 2 < sizeof(*fh_param_set)) + return -EINVAL; fh_param_set = (struct ieee_types_fh_param_set *) current_ptr; memcpy(_entry->phy_param_set.fh_param_set, @@ -1201,6 +1203,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_DS_PARAMS: + if (element_len + 2 < sizeof(*ds_param_set)) + return -EINVAL; ds_param_set = (struct ieee_types_ds_param_set *) current_ptr; @@ -1212,6 +1216,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_CF_PARAMS: + if (element_len + 2 < sizeof(*cf_param_set)) + return -EINVAL; cf_param_set = (struct ieee_types_cf_param_set *) current_ptr; memcpy(_entry->ss_param_set.cf_param_set, @@ -1220,6 +1226,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_IBSS_PARAMS: + if (element_len + 2 < sizeof(*ibss_param_set)) + return -EINVAL; ibss_param_set = (struct ieee_types_ibss_param_set *) current_ptr; 
@@ -1229,10 +1237,14 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_ERP_INFO: + if (!element_len) + return -EINVAL; bss_entry->erp_flags = *(current_ptr + 2); break; case WLAN_EID_PWR_CONSTRAINT: + if (!element_len) + return -EINVAL; bss_entry->local_constraint = *(current_ptr + 2); bss_entry->sensed_11h = true; break; @@ -1272,6 +1284,9 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_VENDOR_SPECIFIC: + if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) + return -EINVAL; + vendor_ie = (struct ieee_types_vendor_specific *) current_ptr;
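Review bot: the checks of the form `element_len + 2 < sizeof(*fh_param_set)` in mwifiex_update_bss_desc_with_ie() are repeated for FH, DS, CF and IBSS parameters with the header size written as a bare 2 each time. A named constant or a small helper taking the element length and the wanted struct size would remove the repetition and make it harder to forget the header bytes in a new case. These tests only prove the element claims enough bytes for the struct; they rely on an earlier check, outside these hunks, that the claimed length fits in the remaining buffer, and that dependency deserves a comment.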
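Review bot: in the WLAN_EID_VENDOR_SPECIFIC case the new test covers only `sizeof(vendor_ie->vend_hdr)`, so any field read beyond the header after the cast to struct ieee_types_vendor_specific still needs its own length test. Returning -EINVAL from the middle of the loop also discards the whole descriptor because of one short element; if that is the intended policy (the subject line says "Abort"), say so in a comment, otherwise skipping the malformed element and continuing would lose less scan data.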
[PATCH 3.16 114/129] It's wrong to add len to sector_nr in raid10 reshape twice
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Xiao Ni commit b761dcf1217760a42f7897c31dcb649f59b2333e upstream. In reshape_request it already adds len to sector_nr already. It's wrong to add len to sector_nr again after adding pages to bio. If there is bad block it can't copy one chunk at a time, it needs to goto read_more. Now the sector_nr is wrong. It can cause data corruption. Signed-off-by: Xiao Ni Signed-off-by: Song Liu Signed-off-by: Ben Hutchings --- drivers/md/raid10.c | 1 - 1 file changed, 1 deletion(-) --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -4506,7 +4506,6 @@ bio_full: atomic_inc(_bio->remaining); read_bio->bi_next = NULL; generic_make_request(read_bio); - sector_nr += nr_sectors; sectors_done += nr_sectors; if (sector_nr <= last) goto read_more;
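Review bot: once `sector_nr += nr_sectors;` is removed, the loop test `if (sector_nr <= last) goto read_more;` depends entirely on sector_nr having been advanced earlier in reshape_request(), at a place this hunk does not show. Please add a short comment at the test pointing to where sector_nr is advanced, since sectors_done is still incremented right above it and the asymmetry looks like an omission to a later reader. A wrong sector_nr on the bad-block retry path means copying from the wrong offset, so this is worth covering with a reshape test that injects a bad block.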
[PATCH 3.16 117/129] net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jack Morgenstein commit c07d27927f2f2e96fcd27bb9fb330c9ea65612d0 upstream. In procedures mlx4_cmd_use_events() and mlx4_cmd_use_polling(), we need to guarantee that there are no FW commands in progress on the comm channel (for VFs) or wrapped FW commands (on the PF) when SRIOV is active. We do this by also taking the slave_cmd_mutex when SRIOV is active. This is especially important when switching from event to polling, since we free the command-context array during the switch. If there are FW commands in progress (e.g., waiting for a completion event), the completion event handler will access freed memory. Since the decision to use comm_wait or comm_poll is taken before grabbing the event_sem/poll_sem in mlx4_comm_cmd_wait/poll, we must take the slave_cmd_mutex as well (to guarantee that the decision to use events or polling and the call to the appropriate cmd function are atomic). Fixes: a7e1f04905e5 ("net/mlx4_core: Fix deadlock when switching between polling and event fw commands") Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- drivers/net/ethernet/mellanox/mlx4/cmd.c | 8 1 file changed, 8 insertions(+) --- a/drivers/net/ethernet/mellanox/mlx4/cmd.c +++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c @@ -2196,6 +2196,8 @@ int mlx4_cmd_use_events(struct mlx4_dev if (!priv->cmd.context) return -ENOMEM; + if (mlx4_is_mfunc(dev)) + mutex_lock(>cmd.slave_cmd_mutex); down_write(>cmd.switch_sem); for (i = 0; i < priv->cmd.max_cmds; ++i) { priv->cmd.context[i].token = i; @@ -2217,6 +2219,8 @@ int mlx4_cmd_use_events(struct mlx4_dev down(>cmd.poll_sem); priv->cmd.use_events = 1; up_write(>cmd.switch_sem); + if (mlx4_is_mfunc(dev)) + mutex_unlock(>cmd.slave_cmd_mutex); return err; } 
@@ -2229,6 +2233,8 @@ void mlx4_cmd_use_polling(struct mlx4_de struct mlx4_priv *priv = mlx4_priv(dev); int i; + if (mlx4_is_mfunc(dev)) + mutex_lock(>cmd.slave_cmd_mutex); down_write(>cmd.switch_sem); priv->cmd.use_events = 0; @@ -2239,6 +2245,8 @@ void mlx4_cmd_use_polling(struct mlx4_de up(>cmd.poll_sem); up_write(>cmd.switch_sem); + if (mlx4_is_mfunc(dev)) + mutex_unlock(>cmd.slave_cmd_mutex); } struct mlx4_cmd_mailbox *mlx4_alloc_cmd_mailbox(struct mlx4_dev *dev)
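Review bot: Both mlx4_cmd_use_events() and mlx4_cmd_use_polling() now take slave_cmd_mutex before `down_write()` on switch_sem and release it after `up_write()`, but no comment records this lock order, and the Fixes: tag shows this code has already had one deadlock. Please document the order next to the locks, or at the top of both functions. The lock and unlock are each guarded by a separate `mlx4_is_mfunc(dev)` call, so they stay balanced only if that result cannot change between the two calls; caching the result in a local would make the pairing explicit.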
[PATCH 3.16 115/129] md: Fix failed allocation of md_register_thread
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Aditya Pakki commit e406f12dde1a8375d77ea02d91f313fb1a9c6aec upstream. mddev->sync_thread can be set to NULL on kzalloc failure downstream. The patch checks for such a scenario and frees allocated resources. Committer note: Added similar fix to raid5.c, as suggested by Guoqing. Acked-by: Guoqing Jiang Signed-off-by: Aditya Pakki Signed-off-by: Song Liu Signed-off-by: Ben Hutchings --- drivers/md/raid10.c | 2 ++ drivers/md/raid5.c | 2 ++ 2 files changed, 4 insertions(+) --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -3820,6 +3820,8 @@ static int run(struct mddev *mddev) set_bit(MD_RECOVERY_RUNNING, >recovery); mddev->sync_thread = md_register_thread(md_do_sync, mddev, "reshape"); + if (!mddev->sync_thread) + goto out_free_conf; } return 0; --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -6180,6 +6180,8 @@ static int run(struct mddev *mddev) set_bit(MD_RECOVERY_RUNNING, >recovery); mddev->sync_thread = md_register_thread(md_do_sync, mddev, "reshape"); + if (!mddev->sync_thread) + goto abort; }
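Review bot: In both run() hunks the new `goto out_free_conf` / `goto abort` is taken after `set_bit(MD_RECOVERY_RUNNING, ...)` has already executed, and neither hunk shows the bit being cleared on the failure path. Please confirm that the error labels leave mddev->recovery in a consistent state, or clear the bit before jumping. The labels are outside the visible context, so it is also worth confirming that each one returns an error code to the caller rather than falling through to a success return.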
[PATCH 3.16 103/129] mm, swap: bounds check swap_info array accesses to avoid NULL derefs
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Daniel Jordan commit c10d38cc8d3e43f946b6c2bf4602c86791587f30 upstream. Dan Carpenter reports a potential NULL dereference in get_swap_page_of_type: Smatch complains that the NULL checks on "si" aren't consistent. This seems like a real bug because we have not ensured that the type is valid and so "si" can be NULL. Add the missing check for NULL, taking care to use a read barrier to ensure CPU1 observes CPU0's updates in the correct order: CPU0 CPU1 alloc_swap_info() if (type >= nr_swapfiles) swap_info[type] = p /* handle invalid entry */ smp_wmb()smp_rmb() ++nr_swapfiles p = swap_info[type] Without smp_rmb, CPU1 might observe CPU0's write to nr_swapfiles before CPU0's write to swap_info[type] and read NULL from swap_info[type]. Ying Huang noticed other places in swapfile.c don't order these reads properly. Introduce swap_type_to_swap_info to encourage correct usage. Use READ_ONCE and WRITE_ONCE to follow the Linux Kernel Memory Model (see tools/memory-model/Documentation/explanation.txt). This ordering need not be enforced in places where swap_lock is held (e.g. si_swapinfo) because swap_lock serializes updates to nr_swapfiles and the swap_info array. Link: http://lkml.kernel.org/r/20190131024410.29859-1-daniel.m.jor...@oracle.com Fixes: ec8acf20afb8 ("swap: add per-partition lock for swapfile") Signed-off-by: Daniel Jordan Reported-by: Dan Carpenter Suggested-by: "Huang, Ying" Reviewed-by: Andrea Parri Acked-by: Peter Zijlstra (Intel) Cc: Alan Stern Cc: Andi Kleen Cc: Dave Hansen Cc: Omar Sandoval Cc: Paul McKenney Cc: Shaohua Li Cc: Stephen Rothwell Cc: Tejun Heo Cc: Will Deacon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.16: - Add swp_swap_info(), as done in upstream commit 0bcac06f27d7 "mm, swap: skip swapcache for swapin of synchronous device" - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE() - Adjust context] 
Signed-off-by: Ben Hutchings --- --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -451,6 +451,7 @@ extern sector_t map_swap_page(struct pag extern sector_t swapdev_block(int, pgoff_t); extern int page_swapcount(struct page *); extern struct swap_info_struct *page_swap_info(struct page *); +extern struct swap_info_struct *swp_swap_info(swp_entry_t entry); extern int reuse_swap_page(struct page *); extern int try_to_free_swap(struct page *); struct backing_dev_info; --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -86,6 +86,15 @@ static DECLARE_WAIT_QUEUE_HEAD(proc_poll /* Activity counter to indicate that a swapon or swapoff has occurred */ static atomic_t proc_poll_event = ATOMIC_INIT(0); +static struct swap_info_struct *swap_type_to_swap_info(int type) +{ + if (type >= ACCESS_ONCE(nr_swapfiles)) + return NULL; + + smp_rmb(); /* Pairs with smp_wmb in alloc_swap_info. */ + return ACCESS_ONCE(swap_info[type]); +} + static inline unsigned char swap_count(unsigned char ent) { return ent & ~SWAP_HAS_CACHE; /* may include COUNT_CONTINUED flag */ @@ -703,12 +712,14 @@ noswap: /* The only caller of this function is now suspend routine */ swp_entry_t get_swap_page_of_type(int type) { - struct swap_info_struct *si; + struct swap_info_struct *si = swap_type_to_swap_info(type); pgoff_t offset; - si = swap_info[type]; + if (!si) + goto fail; + spin_lock(>lock); - if (si && (si->flags & SWP_WRITEOK)) { + if (si->flags & SWP_WRITEOK) { atomic_long_dec(_swap_pages); /* This is called for allocating swap entry, not cache */ offset = scan_swap_map(si, 1); @@ -719,6 +730,7 @@ swp_entry_t get_swap_page_of_type(int ty atomic_long_inc(_swap_pages); } spin_unlock(>lock); +fail: return (swp_entry_t) {0}; } 
@@ -730,9 +742,9 @@ static struct swap_info_struct *swap_inf if (!entry.val) goto out; type = swp_type(entry); - if (type >= nr_swapfiles) + p = swap_type_to_swap_info(type); + if (!p) goto bad_nofile; - p = swap_info[type]; if (!(p->flags & SWP_USED)) goto bad_device; offset = swp_offset(entry); @@ -1037,10 +1049,9 @@ int swap_type_of(dev_t device, sector_t sector_t swapdev_block(int type, pgoff_t offset) { struct block_device *bdev; + struct swap_info_struct *si = swap_type_to_swap_info(type); - if ((unsigned int)type >= nr_swapfiles) - return 0; - if (!(swap_info[type]->flags & SWP_WRITEOK)) + if (!si || !(si->flags & SWP_WRITEOK))
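Review bot: swap_type_to_swap_info() takes a signed int and tests only `type >= ACCESS_ONCE(nr_swapfiles)`, while the swapdev_block() hunk deletes the explicit `(unsigned int)type >= nr_swapfiles` cast. A negative type is then rejected only through the implicit conversion against nr_swapfiles, whose declaration is not in the visible context; keeping the cast inside the helper, or making the parameter unsigned, would make the lower bound explicit. The smp_rmb() comment names its smp_wmb() partner in alloc_swap_info(), but that side of the pairing is not part of these hunks, so please confirm that the 3.16 tree has it.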
[PATCH 3.16 106/129] net/hsr: fix possible crash in add_timer()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Eric Dumazet commit 1e027960edfaa6a43f9ca31081729b716598112b upstream. syzbot found another add_timer() issue, this time in net/hsr [1] Let's use mod_timer() which is safe. [1] kernel BUG at kernel/time/timer.c:1136! Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Arvid Brodin Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/hsr/hsr_device.c | 14 ++ 1 file changed, 6 insertions(+), 8 deletions(-) --- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c @@ -78,9 +78,8 @@ void hsr_check_announce(struct net_devic if ((hsr_dev->operstate == IF_OPER_UP) && (old_operstate != IF_OPER_UP)) { /* Went up */ hsr_priv->announce_count = 0; - hsr_pr
[PATCH 3.16 113/129] kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Zev Weiss commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream. This bug has apparently existed since the introduction of this function in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git, "[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of neighbour sysctls."). As a minimal fix we can simply duplicate the corresponding check in do_proc_dointvec_conv(). Link: http://lkml.kernel.org/r/20190207123426.9202-3-...@bewilderbeest.net Signed-off-by: Zev Weiss Cc: Brendan Higgins Cc: Iurii Zaikin Cc: Kees Cook Cc: Luis Chamberlain Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings --- kernel/sysctl.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2179,7 +2179,16 @@ static int do_proc_dointvec_minmax_conv( { struct do_proc_dointvec_minmax_conv_param *param = data; if (write) { - int val = *negp ? -*lvalp : *lvalp; + int val; + if (*negp) { + if (*lvalp > (unsigned long) INT_MAX + 1) + return -EINVAL; + val = -*lvalp; + } else { + if (*lvalp > (unsigned long) INT_MAX) + return -EINVAL; + val = *lvalp; + } if ((param->min && *param->min > val) || (param->max && *param->max < val)) return -EINVAL;
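Review bot: The new range checks in do_proc_dointvec_minmax_conv() are, per the commit message, a copy of the ones in do_proc_dointvec_conv(), and two copies of the same overflow logic can drift apart; a shared helper that converts (*negp, *lvalp) to an int or fails would keep them in step. The negative branch allows `*lvalp` up to `(unsigned long) INT_MAX + 1` and then computes `val = -*lvalp;`, which relies on the unsigned negation converting to INT_MIN. A one-line comment stating that this bound exists to admit INT_MIN would stop a later cleanup from tightening it by mistake.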
[PATCH 3.16 019/129] ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: "Gustavo A. R. Silva" commit e2477233145f2156434afb799583bccd878f3e9f upstream. Fix boolean expressions by using logical AND operator '&&' instead of bitwise operator '&'. This issue was detected with the help of Coccinelle. Fixes: 4fa084af28ca ("ARM: OSIRIS: DVS (Dynamic Voltage Scaling) supoort.") Signed-off-by: Gustavo A. R. Silva [krzk: Fix -Wparentheses warning] Signed-off-by: Krzysztof Kozlowski Signed-off-by: Ben Hutchings --- arch/arm/mach-s3c24xx/mach-osiris-dvs.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) --- a/arch/arm/mach-s3c24xx/mach-osiris-dvs.c +++ b/arch/arm/mach-s3c24xx/mach-osiris-dvs.c @@ -70,16 +70,16 @@ static int osiris_dvs_notify(struct noti switch (val) { case CPUFREQ_PRECHANGE: - if (old_dvs & !new_dvs || - cur_dvs & !new_dvs) { + if ((old_dvs && !new_dvs) || + (cur_dvs && !new_dvs)) { pr_debug("%s: exiting dvs\n", __func__); cur_dvs = false; gpio_set_value(OSIRIS_GPIO_DVS, 1); } break; case CPUFREQ_POSTCHANGE: - if (!old_dvs & new_dvs || - !cur_dvs & new_dvs) { + if ((!old_dvs && new_dvs) || + (!cur_dvs && new_dvs)) { pr_debug("entering dvs\n"); cur_dvs = true; gpio_set_value(OSIRIS_GPIO_DVS, 0);
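Review bot: The commit message for osiris_dvs_notify() does not say whether replacing `&` with `&&` changes behaviour or only silences the Coccinelle warning, yet it carries a Fixes: tag; if old_dvs, new_dvs and cur_dvs are all bool, both forms evaluate to the same result, and the message should say so. Both conditions can also be folded, for example `(old_dvs || cur_dvs) && !new_dvs` in the CPUFREQ_PRECHANGE case, which removes the repeated operand and the extra parentheses added for -Wparentheses.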
[PATCH 3.16 123/129] fuse: Add FOPEN_STREAM to use stream_open()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Kirill Smelkov commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream. Starting from commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX") files opened even via nonseekable_open gate read and write via lock and do not allow them to be run simultaneously. This can create read vs write deadlock if a filesystem is trying to implement a socket-like file which is intended to be simultaneously used for both read and write from filesystem client. See commit 10dce8af3422 ("fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes to /proc/xen/xenbus") for a similar deadlock example on /proc/xen/xenbus. To avoid such deadlock it was tempting to adjust fuse_finish_open to use stream_open instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE, and in particular GVFS which actually uses offset in its read and write handlers https://codesearch.debian.net/search?q=-%3Enonseekable+%3D https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080 https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346 https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481 so if we would do such a change it will break a real user. Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the opened handler is having stream-like semantics; does not use file position and thus the kernel is free to issue simultaneous read and write request on opened file handle. This patch together with stream_open() should be added to stable kernels starting from v3.14+. This will allow to patch OSSPD and other FUSE filesystems that provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE in open handler and this way avoid the deadlock on all kernel versions. 
This should work because fuse_finish_open ignores unknown open flags returned from a filesystem and so passing FOPEN_STREAM to a kernel that is not aware of this flag cannot hurt. In turn the kernel that is not aware of FOPEN_STREAM will be < v3.14 where just FOPEN_NONSEEKABLE is sufficient to implement streams without read vs write deadlock. Cc: sta...@vger.kernel.org # v3.14+ Signed-off-by: Kirill Smelkov Signed-off-by: Miklos Szeredi Signed-off-by: Ben Hutchings --- fs/fuse/file.c| 4 +++- include/uapi/linux/fuse.h | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index bc8f5de48fd9..69e471b042a6 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -214,7 +214,9 @@ void fuse_finish_open(struct inode *inode, struct file *file) file->f_op = _direct_io_file_operations; if (!(ff->open_flags & FOPEN_KEEP_CACHE)) invalidate_inode_pages2(inode->i_mapping); - if (ff->open_flags & FOPEN_NONSEEKABLE) + if (ff->open_flags & FOPEN_STREAM) + stream_open(inode, file); + else if (ff->open_flags & FOPEN_NONSEEKABLE) nonseekable_open(inode, file); if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) { struct fuse_inode *fi = get_fuse_inode(inode); diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h index 25084a052a1e..cff91b018953 100644 --- a/include/uapi/linux/fuse.h +++ b/include/uapi/linux/fuse.h @@ -205,10 +205,12 @@ struct fuse_file_lock { * FOPEN_DIRECT_IO: bypass page cache for this open file * FOPEN_KEEP_CACHE: don't invalidate the data cache on open * FOPEN_NONSEEKABLE: the file is not seekable + * FOPEN_STREAM: the file is stream-like (no file position at all) */ #define FOPEN_DIRECT_IO(1 << 0) #define FOPEN_KEEP_CACHE (1 << 1) #define FOPEN_NONSEEKABLE (1 << 2) +#define FOPEN_STREAM (1 << 4) /** * INIT request/reply flags
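Review bot: In include/uapi/linux/fuse.h, FOPEN_STREAM is defined as `(1 << 4)` directly after FOPEN_NONSEEKABLE at `(1 << 2)`, and neither the comment block nor the commit message explains why bit 3 is skipped. Upstream uses bit 3 for FOPEN_CACHE_DIR; a comment marking it as reserved in this tree would keep a later backport from reusing it for something else, which matters because this is a userspace ABI. In fuse_finish_open() the `if` / `else if` ordering gives FOPEN_STREAM precedence when a server returns both flags, as the commit message recommends, and that precedence should be stated in the flag documentation as well.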
[PATCH 3.16 120/129] pptp: dst_release sk_dst_cache in pptp_sock_destruct
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Xin Long commit 9417d81f4f8adfe20a12dd1fadf73a618cbd945d upstream. sk_setup_caps() is called to set sk->sk_dst_cache in pptp_connect, so we have to dst_release(sk->sk_dst_cache) in pptp_sock_destruct, otherwise, the dst refcnt will leak. It can be reproduced by this syz log: r1 = socket$pptp(0x18, 0x1, 0x2) bind$pptp(r1, &(0x7f000100)={0x18, 0x2, {0x0, @local}}, 0x1e) connect$pptp(r1, &(0x7f00)={0x18, 0x2, {0x3, @remote}}, 0x1e) Consecutive dmesg warnings will occur: unregister_netdevice: waiting for lo to become free. Usage count = 1 v1->v2: - use rcu_dereference_protected() instead of rcu_dereference_check(), as suggested by Eric. Fixes: 00959ade36ac ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)") Reported-by: Xiumei Mu Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- drivers/net/ppp/pptp.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/ppp/pptp.c +++ b/drivers/net/ppp/pptp.c @@ -579,6 +579,7 @@ static void pptp_sock_destruct(struct so pppox_unbind_sock(sk); } skb_queue_purge(>sk_receive_queue); + dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1)); } static int pptp_create(struct net *net, struct socket *sock)
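Review bot: In pptp_sock_destruct(), `rcu_dereference_protected(sk->sk_dst_cache, 1)` passes a constant 1 as the protection condition, which disables the lockdep check without explaining why that is safe. A short comment that the socket is being destroyed and has no remaining users would justify it. The pointer is also left in place after dst_release(); if any later teardown step can still read sk->sk_dst_cache, it should be cleared here.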
[PATCH 3.16 022/129] security/selinux: pass 'flags' arg to avc_audit() and avc_has_perm_flags()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: NeilBrown commit 7b20ea2579238f5e0da4bc93276c1b63c960c9ef upstream. This allows MAY_NOT_BLOCK to be passed, in RCU-walk mode, through the new avc_has_perm_flags() to avc_audit() and thence the slow_avc_audit. Signed-off-by: NeilBrown Signed-off-by: Al Viro [bwh: Backported to 3.16 as dependency of commit 3a28cff3bd4b "selinux: avoid silent denials in permissive mode under RCU walk"] Signed-off-by: Ben Hutchings --- security/selinux/avc.c | 18 +- security/selinux/hooks.c | 2 +- security/selinux/include/avc.h | 9 +++-- 3 files changed, 25 insertions(+), 4 deletions(-) --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -768,7 +768,23 @@ int avc_has_perm(u32 ssid, u32 tsid, u16 rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, ); - rc2 = avc_audit(ssid, tsid, tclass, requested, , rc, auditdata); + rc2 = avc_audit(ssid, tsid, tclass, requested, , rc, auditdata, 0); + if (rc2) + return rc2; + return rc; +} + +int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass, + u32 requested, struct common_audit_data *auditdata, + int flags) +{ + struct av_decision avd; + int rc, rc2; + + rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, ); + + rc2 = avc_audit(ssid, tsid, tclass, requested, , rc, + auditdata, flags); if (rc2) return rc2; return rc; --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1569,7 +1569,7 @@ static int cred_has_capability(const str rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, ); if (audit == SECURITY_CAP_AUDIT) { - int rc2 = avc_audit(sid, sid, sclass, av, , rc, ); + int rc2 = avc_audit(sid, sid, sclass, av, , rc, , 0); if (rc2) return rc2; } --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h 
@@ -130,7 +130,8 @@ static inline int avc_audit(u32 ssid, u3 u16 tclass, u32 requested, struct av_decision *avd, int result, - struct common_audit_data *a) + struct common_audit_data *a, + int flags) { u32 audited, denied; audited = avc_audit_required(requested, avd, result, 0, ); @@ -138,7 +139,7 @@ static inline int avc_audit(u32 ssid, u3 return 0; return slow_avc_audit(ssid, tsid, tclass, requested, audited, denied, result, - a, 0); + a, flags); } #define AVC_STRICT 1 /* Ignore permissive mode. */ @@ -150,6 +151,10 @@ int avc_has_perm_noaudit(u32 ssid, u32 t int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct common_audit_data *auditdata); +int avc_has_perm_flags(u32 ssid, u32 tsid, + u16 tclass, u32 requested, + struct common_audit_data *auditdata, + int flags); u32 avc_policy_seqno(void);
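Review bot: The new avc_has_perm_flags() in security/selinux/avc.c duplicates the body of avc_has_perm() line for line, differing only in the last argument passed to avc_audit(). Having avc_has_perm() call `avc_has_perm_flags(..., 0)` would leave a single copy of the noaudit-then-audit sequence. The new function has no kernel-doc, and the meaning of `flags` (the commit message mentions MAY_NOT_BLOCK) is not documented at the prototype in avc.h.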
[PATCH 3.16 108/129] lib/div64.c: off by one in shift
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Stanislaw Gruszka commit cdc94a37493135e355dfc0b0e086d84e3eadb50d upstream. fls counts bits starting from 1 to 32 (returns 0 for zero argument). If we add 1 we shift right one bit more and lose precision from divisor, which causes incorrect function results with some numbers. Corrected code was tested in user-space, see bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202391 Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgrus...@redhat.com Fixes: 658716d19f8f ("div64_u64(): improve precision on 32bit platforms") Signed-off-by: Stanislaw Gruszka Reported-by: Siarhei Volkau Tested-by: Siarhei Volkau Acked-by: Oleg Nesterov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings --- lib/div64.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/lib/div64.c +++ b/lib/div64.c @@ -100,7 +100,7 @@ u64 div64_u64_rem(u64 dividend, u64 divi quot = div_u64_rem(dividend, divisor, ); *remainder = rem32; } else { - int n = 1 + fls(high); + int n = fls(high); quot = div_u64(dividend >> n, divisor >> n); if (quot != 0) @@ -138,7 +138,7 @@ u64 div64_u64(u64 dividend, u64 divisor) if (high == 0) { quot = div_u64(dividend, divisor); } else { - int n = 1 + fls(high); + int n = fls(high); quot = div_u64(dividend >> n, divisor >> n); if (quot != 0)
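Review bot: Both hunks change `int n = 1 + fls(high);` to `int n = fls(high);` without adding a comment on why fls(high) is the right shift, and this line has already been wrong once. A one-line comment in div64_u64_rem() and div64_u64() stating that n is the smallest shift for which `divisor >> n` fits in 32 bits would record the invariant. The commit message says the corrected code was tested in user space; putting the failing inputs from the bugzilla entry into a kernel self-test would make the fix checkable on stable trees.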
[PATCH 3.16 125/129] media: uvcvideo: Fix 'type' check leading to overflow
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Alistair Strachan commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream. When initially testing the Camera Terminal Descriptor wTerminalType field (buffer[4]), no mask is used. Later in the function, the MSB is overloaded to store the descriptor subtype, and so a mask of 0x7fff is used to check the type. If a descriptor is specially crafted to set this overloaded bit in the original wTerminalType field, the initial type check will fail (falling through, without adjusting the buffer size), but the later type checks will pass, assuming the buffer has been made suitably large, causing an overflow. Avoid this problem by checking for the MSB in the wTerminalType field. If the bit is set, assume the descriptor is bad, and abort parsing it. Originally reported here: https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8 A similar (non-compiling) patch was provided at that time. Reported-by: syzbot Signed-off-by: Alistair Strachan Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings --- drivers/media/usb/uvc/uvc_driver.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c 
@@ -977,11 +977,19 @@ static int uvc_parse_standard_control(st return -EINVAL; } - /* Make sure the terminal type MSB is not null, otherwise it -* could be confused with a unit. + /* +* Reject invalid terminal types that would cause issues: +* +* - The high byte must be non-zero, otherwise it would be +* confused with a unit. +* +* - Bit 15 must be 0, as we use it internally as a terminal +* direction flag. +* +* Other unknown types are accepted. */ type = get_unaligned_le16([4]); - if ((type & 0xff00) == 0) { + if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) { uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol " "interface %d INPUT_TERMINAL %d has invalid " "type 0x%04x, skipping\n", udev->devnum,
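Review bot: The new test `(type & 0x7f00) == 0 || (type & 0x8000) != 0` in uvc_parse_standard_control() uses bare masks for a bit that the comment calls an internal "terminal direction flag", while the commit message says the MSB stores the descriptor subtype. The two descriptions should agree, and the masks should come from the named constant the driver uses for that flag so the check cannot drift from its definition. The trace message still prints only "has invalid type" for both rejection reasons; saying which rule failed would help when diagnosing a device that sets bit 15.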
[PATCH 3.16 014/129] staging: iio: adt7316: fix dac_bits assignment
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Jeremy Fertic commit e9de475723de5bf207a5b7b88bdca863393e42c8 upstream. The value of dac_bits is used in adt7316_show_DAC() and adt7316_store_DAC(), and it should be either 8, 10, or 12 bits depending on the device in use. The driver currently only assigns a value to dac_bits in adt7316_store_da_high_resolution(). The purpose of the dac high resolution option is not to change dac resolution for normal operation. Instead, it is specific to an optional feature where one or two of the four dacs can be set to output voltage proportional to temperature. If the user chooses to set dac a and/or dac b to output voltage proportional to temperature, the da_high_resolution attribute can optionally be enabled to use 10 bit resolution rather than the default 8 bits. This is only available on the 10 and 12 bit dac devices. If the user attempts to read or write dacs a or b under these settings, the driver's current behaviour is to return an error. Dacs c and d continue to operate normally under these conditions. With the above in mind, remove the dac_bits assignments from this function since the value of dac_bits as used in the driver is not dependent on this dac high resolution option. Since the dac_bits assignments discussed above are currently the only ones in this driver, the default value of dac_bits is 0. This results in incorrect calculations when the dacs are read or written in adt7316_show_DAC() and adt7316_store_DAC(). To correct this, assign a value to dac_bits in adt7316_probe() to ensure correct operation as soon as the device is registered and available to userspace. Fixes: 35f6b6b86ede ("staging: iio: new ADT7316/7/8 and ADT7516/7/9 driver") Signed-off-by: Jeremy Fertic Signed-off-by: Jonathan Cameron [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/staging/iio/addac/adt7316.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) 
--- a/drivers/staging/iio/addac/adt7316.c +++ b/drivers/staging/iio/addac/adt7316.c @@ -654,15 +654,9 @@ static ssize_t adt7316_store_da_high_res u8 config3; int ret; - chip->dac_bits = 8; - - if (buf[0] == '1') { + if (buf[0] == '1') config3 = chip->config3 | ADT7316_DA_HIGH_RESOLUTION; - if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) - chip->dac_bits = 12; - else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) - chip->dac_bits = 10; - } else + else config3 = chip->config3 & (~ADT7316_DA_HIGH_RESOLUTION); ret = chip->bus.write(chip->bus.client, ADT7316_CONFIG3, config3); @@ -2129,6 +2123,13 @@ int adt7316_probe(struct device *dev, st else return -ENODEV; + if (chip->id == ID_ADT7316 || chip->id == ID_ADT7516) + chip->dac_bits = 12; + else if (chip->id == ID_ADT7317 || chip->id == ID_ADT7517) + chip->dac_bits = 10; + else + chip->dac_bits = 8; + chip->ldac_pin = adt7316_platform_data[1]; if (!chip->ldac_pin) { chip->config3 |= ADT7316_DA_EN_VIA_DAC_LDCA;
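Review bot: After this change adt7316_store_da_high_resolution() sets ADT7316_DA_HIGH_RESOLUTION in config3 whenever `buf[0] == '1'`, with no check on chip->id, although the commit message says the option is only available on the 10 and 12 bit DAC devices. The removed lines were the only place in that function that looked at the device id, so the write should either be rejected on the 8 bit parts or the reason it is harmless should be noted. In adt7316_probe() the id-to-dac_bits chain ends in a bare `else chip->dac_bits = 8;`; a comment naming the devices that land there would document the default.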
[PATCH 3.16 129/129] netns: provide pure entropy for net_hash_mix()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit 355b98553789b646ed97ad801a619ff898471b92 upstream. net_hash_mix() currently uses kernel address of a struct net, and is used in many places that could be used to reveal this address to a patient attacker, thus defeating KASLR, for the typical case (initial net namespace, _net is not dynamically allocated) I believe the original implementation tried to avoid spending too many cycles in this function, but security comes first. Also provide entropy regardless of CONFIG_NET_NS. Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes") Signed-off-by: Eric Dumazet Reported-by: Amit Klein Reported-by: Benny Pinkas Cc: Pavel Emelyanov Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -54,6 +54,8 @@ struct net { #endif spinlock_t rules_mod_lock; + u32 hash_mix; + struct list_headlist; /* list of network namespaces */ struct list_headcleanup_list; /* namespaces on death row */ struct list_headexit_list; /* Use only net_mutex */ --- a/include/net/netns/hash.h +++ b/include/net/netns/hash.h @@ -1,21 +1,10 @@ #ifndef __NET_NS_HASH_H__ #define __NET_NS_HASH_H__ -#include +#include -struct net; - -static inline unsigned int net_hash_mix(struct net *net) +static inline u32 net_hash_mix(const struct net *net) { -#ifdef CONFIG_NET_NS - /* -* shift this right to eliminate bits, that are -* always zeroed -*/ - - return (unsigned)(((unsigned long)net) >> L1_CACHE_SHIFT); -#else - return 0; -#endif + return net->hash_mix; } #endif --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c @@ -156,6 +156,7 @@ static __net_init int setup_net(struct n atomic_set(>count, 1); atomic_set(>passive, 1); + get_random_bytes(>hash_mix, sizeof(u32)); net->dev_base_seq = 1; net->user_ns = user_ns;
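Review bot: In setup_net() the call `get_random_bytes(&net->hash_mix, sizeof(u32))` hard-codes the size rather than using `sizeof(net->hash_mix)`, so the two can diverge if the field type changes. The new `u32 hash_mix;` member in struct net has no comment, unlike the list members that follow it; a short note that it is a per-namespace random salt and must not be derived from a kernel address would preserve the reasoning in the commit message. Since the point of the patch is that the value is unpredictable, the message should also state that setup_net() runs for the initial namespace, the case it identifies as the typical one.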
[PATCH 3.16 006/129] clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Yangtao Li commit cee82eb9532090cd1dc953e845d71f9b1445c84e upstream. The of_find_compatible_node() returns a node pointer with refcount incremented, but there is the lack of use of the of_node_put() when done. Add the missing of_node_put() to release the refcount. Signed-off-by: Yangtao Li Fixes: e062b571777f ("clk: exynos4: register clocks using common clock framework") Signed-off-by: Stephen Boyd Signed-off-by: Ben Hutchings --- drivers/clk/samsung/clk-exynos4.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/clk/samsung/clk-exynos4.c +++ b/drivers/clk/samsung/clk-exynos4.c @@ -1032,6 +1032,7 @@ static unsigned long exynos4_get_xom(voi xom = readl(chipid_base + 8); iounmap(chipid_base); + of_node_put(np); } return xom;
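Review bot: In exynos4_get_xom() the new `of_node_put(np);` is placed after `iounmap(chipid_base);` inside a block whose guarding condition is outside the visible context. If that block is entered only when the mapping succeeded rather than whenever np is non-NULL, the reference still leaks on the mapping-failure path, so please confirm which condition it is. The node is also held across readl() and iounmap() although the visible lines use it for neither; dropping it right after the mapping is created would keep the reference lifetime minimal.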
[PATCH 3.16 126/129] mwifiex: Fix possible buffer overflows at parsing bss descriptor
3.16.70-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74 upstream. mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in a couple places without checking the destination size. Since the source is given from user-space, this may trigger a heap buffer overflow. Fix it by putting the length check before performing memcpy(). This fix addresses CVE-2019-3846. Reported-by: huangwen Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/net/wireless/mwifiex/scan.c | 4 1 file changed, 4 insertions(+) --- a/drivers/net/wireless/mwifiex/scan.c +++ b/drivers/net/wireless/mwifiex/scan.c @@ -1171,6 +1171,8 @@ int mwifiex_update_bss_desc_with_ie(stru } switch (element_id) { case WLAN_EID_SSID: + if (element_len > IEEE80211_MAX_SSID_LEN) + return -EINVAL; bss_entry->ssid.ssid_len = element_len; memcpy(bss_entry->ssid.ssid, (current_ptr + 2), element_len); @@ -1180,6 +1182,8 @@ int mwifiex_update_bss_desc_with_ie(stru break; case WLAN_EID_SUPP_RATES: + if (element_len > MWIFIEX_SUPPORTED_RATES) + return -EINVAL; memcpy(bss_entry->data_rates, current_ptr + 2, element_len); memcpy(bss_entry->supported_rates, current_ptr + 2,
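Review bot: Both new checks in mwifiex_update_bss_desc_with_ie() compare element_len with a named constant (IEEE80211_MAX_SSID_LEN, MWIFIEX_SUPPORTED_RATES) rather than with the size of the destination, so they are correct only while the arrays stay declared with those lengths. Using `sizeof(bss_entry->ssid.ssid)` and the smaller of `sizeof(bss_entry->data_rates)` and `sizeof(bss_entry->supported_rates)` would tie each bound to the buffer the memcpy() writes. In the SUPP_RATES case one check guards two memcpy() calls into different fields, which deserves a comment saying both are at least MWIFIEX_SUPPORTED_RATES bytes.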