[PATCH 3.16 110/217] ALSA: hda - Fix unconditional GPIO toggle via automute

Ben Hutchings

Apr 26, 2016, 8:10:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 1f7c6658962fa1260c1658d681bd6bb0c746b99a upstream.

Cirrus HD-audio driver may adjust GPIO pins for EAPD dynamically
depending on the jack plug state. This works fine for the auto-mute
mode where the speaker gets muted upon the HP jack plug. OTOH, when
the auto-mute mode is off, this turns off the EAPD unexpectedly
depending on the jack state, which results in the silent speaker
output.

This patch fixes the silent speaker output issue by setting GPIO bits
constantly when the auto-mute mode is off.

Reported-and-tested-by: moo...@gmail.com
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
sound/pci/hda/patch_cirrus.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_cirrus.c
+++ b/sound/pci/hda/patch_cirrus.c
@@ -176,8 +176,12 @@ static void cs_automute(struct hda_codec
snd_hda_gen_update_outputs(codec);

if (spec->gpio_eapd_hp || spec->gpio_eapd_speaker) {
- spec->gpio_data = spec->gen.hp_jack_present ?
- spec->gpio_eapd_hp : spec->gpio_eapd_speaker;
+ if (spec->gen.automute_speaker)
+ spec->gpio_data = spec->gen.hp_jack_present ?
+ spec->gpio_eapd_hp : spec->gpio_eapd_speaker;
+ else
+ spec->gpio_data =
+ spec->gpio_eapd_hp | spec->gpio_eapd_speaker;
snd_hda_codec_write(codec, 0x01, 0,
AC_VERB_SET_GPIO_DATA, spec->gpio_data);
}
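
Review bot: The new `else` branch (`spec->gpio_data = spec->gpio_eapd_hp | spec->gpio_eapd_speaker;`) has no comment explaining why both EAPD bits are driven when `automute_speaker` is off. A one-line comment there would keep the reasoning next to the code instead of only in the commit log. With both arms of the inner if/else spanning two lines each, braces would also make the nesting under the outer `if` easier to read.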

Ben Hutchings

Apr 26, 2016, 8:20:06 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Haishuang Yan <yanhai...@cmss.chinamobile.com>

[ Upstream commit be447f305494e019dfc37ea4cdf3b0e4200b4eba ]

pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
right place.

Signed-off-by: Haishuang Yan <yanhai...@cmss.chinamobile.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/l2tp/l2tp_ip6.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff
struct l2tp_tunnel *tunnel = NULL;
int length;

- /* Point to L2TP header */
- optr = ptr = skb->data;
-
if (!pskb_may_pull(skb, 4))
goto discard;

+ /* Point to L2TP header */
+ optr = ptr = skb->data;
session_id = ntohl(*((__be32 *) ptr));
ptr += 4;

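Review bot: The relocated comment above `optr = ptr = skb->data;` still says only "Point to L2TP header" and gives no hint that the assignment has to come after `pskb_may_pull(skb, 4)`. Since the ordering is the entire fix, say so in the comment (for example, that pskb_may_pull() can change `skb->data`), otherwise a later cleanup can move the load back above the pull.
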
@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff
if (!pskb_may_pull(skb, length))
goto discard;

+ /* Point to L2TP header */
+ optr = ptr = skb->data;
+ ptr += 4;
pr_debug("%s: ip recv\n", tunnel->name);
print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
}
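
Review bot: The reload after `pskb_may_pull(skb, length)` repeats the comment "Point to L2TP header" and then steps over the header with a bare `ptr += 4`, so the comment does not describe where `ptr` ends up. The literal 4 matches the `ptr += 4` that follows the session id read in the first hunk; a named constant or a comment tying the two together would help. The closing brace after `print_hex_dump_bytes()` also suggests this reload sits inside a conditional block, so please check that no code after that block uses a `ptr` or `optr` value loaded before the second pull.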

Ben Hutchings

Apr 26, 2016, 8:20:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.com>

commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.

The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.

See: http://seclists.org/bugtraq/2016/Mar/61

Signed-off-by: Oliver Neukum <ONe...@suse.com>
[johan: fix OOB endpoint check and add error messages ]
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1252,8 +1252,27 @@ static int digi_port_init(struct usb_ser

static int digi_startup(struct usb_serial *serial)
{
+ struct device *dev = &serial->interface->dev;
struct digi_serial *serial_priv;
int ret;
+ int i;
+
+ /* check whether the device has the expected number of endpoints */
+ if (serial->num_port_pointers < serial->type->num_ports + 1) {
+ dev_err(dev, "OOB endpoints missing\n");
+ return -ENODEV;
+ }
+
+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
+ if (!serial->port[i]->read_urb) {
+ dev_err(dev, "bulk-in endpoint missing\n");
+ return -ENODEV;
+ }
+ if (!serial->port[i]->write_urb) {
+ dev_err(dev, "bulk-out endpoint missing\n");
+ return -ENODEV;
+ }
+ }

serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
if (!serial_priv)
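
Review bot: `serial->type->num_ports + 1` is written out twice, in the `num_port_pointers` check and as the loop bound, and nothing names what the extra port is apart from the "OOB endpoints missing" message. Compute it once into a commented local so the two uses cannot drift apart. There is also a stray space before the semicolon in `i < serial->type->num_ports + 1 ; i++`.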

Ben Hutchings

Apr 26, 2016, 8:20:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yong Li <sdli...@gmail.com>

commit 9b8e3ec34318663affced3c14d960e78d760dd9a upstream.

The current implementation only uses the first byte in val,
the second byte is always 0. Change it to use cpu_to_le16
to write the two bytes into the register.

Signed-off-by: Yong Li <sdli...@gmail.com>
Reviewed-by: Phil Reid <pr...@electromag.com.au>
Signed-off-by: Linus Walleij <linus....@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/gpio/gpio-pca953x.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpio/gpio-pca953x.c
+++ b/drivers/gpio/gpio-pca953x.c
@@ -18,6 +18,7 @@
#include <linux/i2c.h>
#include <linux/platform_data/pca953x.h>
#include <linux/slab.h>
+#include <asm/unaligned.h>
#ifdef CONFIG_OF_GPIO
#include <linux/of_platform.h>
#endif
@@ -154,7 +155,7 @@ static int pca953x_write_regs(struct pca
switch (chip->chip_type) {
case PCA953X_TYPE:
ret = i2c_smbus_write_word_data(chip->client,
- reg << 1, (u16) *val);
+ reg << 1, cpu_to_le16(get_unaligned((u16 *)val)));
break;
case PCA957X_TYPE:
ret = i2c_smbus_write_byte_data(chip->client, reg << 1,
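
Review bot: In the `PCA953X_TYPE` case the value argument is now `cpu_to_le16(get_unaligned((u16 *)val))`, which reads two bytes through `val` and passes a `__le16` where `i2c_smbus_write_word_data()` takes a plain `u16`. Please confirm that every caller reaching this case supplies at least two bytes behind `val`, and add a short comment on the byte layout of `val` so the host-order read followed by `cpu_to_le16()` is not mistaken for a double conversion. Sparse endianness checking will flag the `__le16` to `u16` conversion as written.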

Ben Hutchings

Apr 26, 2016, 8:20:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwi...@de.ibm.com>

commit 3446c13b268af86391d06611327006b059b8bab1 upstream.

The fork of a process with four page table levels is broken since
git commit 6252d702c5311ce9 "[S390] dynamic page tables."

All new mm contexts are created with three page table levels and
an asce limit of 4TB. If the parent has four levels dup_mmap will
add vmas to the new context which are outside of the asce limit.
The subsequent call to copy_page_range will walk the three level
page table structure of the new process with non-zero pgd and pud
indexes. This leads to memory clobbers as the pgd_index *and* the
pud_index is added to the mm->pgd pointer without a pgd_deref
in between.

The init_new_context() function is selecting the number of page
table levels for a new context. The function is used by mm_init()
which in turn is called by dup_mm() and mm_alloc(). These two are
used by fork() and exec(). The init_new_context() function can
distinguish the two cases by looking at mm->context.asce_limit,
for fork() the mm struct has been copied and the number of page
table levels may not change. For exec() the mm_alloc() function
set the new mm structure to zero, in this case a three-level page
table is created as the temporary stack space is located at
STACK_TOP_MAX = 4TB.

This fixes CVE-2016-2143.

Reported-by: Marcin Kościelnicki <kori...@0x04.net>
Reviewed-by: Heiko Carstens <heiko.c...@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>
[bwh: Backported to 3.16:
- 31-bit s390 is still supported so keep the #ifdef CONFIG_64BIT conditions
- PMDs are not accounted so don't call mm_inc_nr_pmds()
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/arch/s390/include/asm/mmu_context.h
+++ b/arch/s390/include/asm/mmu_context.h
@@ -15,16 +15,22 @@
static inline int init_new_context(struct task_struct *tsk,
struct mm_struct *mm)
{
+ spin_lock_init(&mm->context.list_lock);
+ INIT_LIST_HEAD(&mm->context.pgtable_list);
+ INIT_LIST_HEAD(&mm->context.gmap_list);
cpumask_clear(&mm->context.cpu_attach_mask);
atomic_set(&mm->context.attach_count, 0);
mm->context.flush_mm = 0;
- mm->context.asce_bits = _ASCE_TABLE_LENGTH | _ASCE_USER_BITS;
-#ifdef CONFIG_64BIT
- mm->context.asce_bits |= _ASCE_TYPE_REGION3;
-#endif
mm->context.has_pgste = 0;
mm->context.use_skey = 0;
- mm->context.asce_limit = STACK_TOP_MAX;
+ if (mm->context.asce_limit == 0) {
+ /* context created by exec, set asce limit to 4TB */
+ mm->context.asce_bits = _ASCE_TABLE_LENGTH | _ASCE_USER_BITS;
+#ifdef CONFIG_64BIT
+ mm->context.asce_bits |= _ASCE_TYPE_REGION3;
+#endif
+ mm->context.asce_limit = STACK_TOP_MAX;
+ }
crst_table_init((unsigned long *) mm->pgd, pgd_entry_type(mm));
return 0;
}
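
Review bot: Only the exec case under `if (mm->context.asce_limit == 0)` carries a comment; the fork case, where `asce_bits` and `asce_limit` are deliberately left as copied from the parent, is silent. Because the whole test depends on the mm having been zeroed for exec and copied for fork, add a comment for the non-zero path as well, so that a later change to how the mm is initialised does not quietly break the distinction.
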
@@ -110,10 +116,6 @@ static inline void activate_mm(struct mm
static inline void arch_dup_mmap(struct mm_struct *oldmm,
struct mm_struct *mm)
{
-#ifdef CONFIG_64BIT
- if (oldmm->context.asce_limit < mm->context.asce_limit)
- crst_table_downgrade(mm, oldmm->context.asce_limit);
-#endif
}

static inline void arch_exit_mmap(struct mm_struct *mm)
--- a/arch/s390/include/asm/pgalloc.h
+++ b/arch/s390/include/asm/pgalloc.h
@@ -124,12 +124,26 @@ static inline void pud_populate(struct m

static inline pgd_t *pgd_alloc(struct mm_struct *mm)
{
- spin_lock_init(&mm->context.list_lock);
- INIT_LIST_HEAD(&mm->context.pgtable_list);
- INIT_LIST_HEAD(&mm->context.gmap_list);
- return (pgd_t *) crst_table_alloc(mm);
+ unsigned long *table = crst_table_alloc(mm);
+
+ if (!table)
+ return NULL;
+ if (mm->context.asce_limit == (1UL << 31)) {
+ /* Forking a compat process with 2 page table levels */
+ if (!pgtable_pmd_page_ctor(virt_to_page(table))) {
+ crst_table_free(mm, table);
+ return NULL;
+ }
+ }
+ return (pgd_t *) table;
+}
+
+static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd)
+{
+ if (mm->context.asce_limit == (1UL << 31))
+ pgtable_pmd_page_dtor(virt_to_page(pgd));
+ crst_table_free(mm, (unsigned long *) pgd);
}
-#define pgd_free(mm, pgd) crst_table_free(mm, (unsigned long *) pgd)

static inline void pmd_populate(struct mm_struct *mm,
pmd_t *pmd, pgtable_t pte)
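
Review bot: The test `mm->context.asce_limit == (1UL << 31)` appears in both `pgd_alloc()` and `pgd_free()` as the way to recognise a compat process with two page table levels, and the `pgtable_pmd_page_ctor()` and `pgtable_pmd_page_dtor()` calls it guards must stay paired. A named constant or a small inline helper for that condition would keep the two sites from drifting apart; at present only `pgd_alloc()` has a comment saying what the value means.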

Ben Hutchings

Apr 26, 2016, 8:20:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 upstream.

Just a minor code cleanup: unify the error paths.

Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
sound/usb/quirks.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -155,23 +155,18 @@ static int create_fixed_stream_quirk(str
stream = (fp->endpoint & USB_DIR_IN)
? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
err = snd_usb_add_audio_stream(chip, stream, fp);
- if (err < 0) {
- kfree(fp);
- kfree(rate_table);
- return err;
- }
+ if (err < 0)
+ goto error;
if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
fp->altset_idx >= iface->num_altsetting) {
- kfree(fp);
- kfree(rate_table);
- return -EINVAL;
+ err = -EINVAL;
+ goto error;
}
alts = &iface->altsetting[fp->altset_idx];
altsd = get_iface_desc(alts);
if (altsd->bNumEndpoints < 1) {
- kfree(fp);
- kfree(rate_table);
- return -EINVAL;
+ err = -EINVAL;
+ goto error;
}

fp->protocol = altsd->bInterfaceProtocol;
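
Review bot: The two `-EINVAL` paths (the `fp->iface` / `fp->altset_idx` check and `altsd->bNumEndpoints < 1`) run after `snd_usb_add_audio_stream(chip, stream, fp)` has already succeeded, and they now `goto error`, which frees `fp` and `rate_table`. That matches the old code, but the unified label makes it easy to overlook: please confirm the stream does not keep a pointer to `fp` once it has been added, or move these validity checks ahead of the `snd_usb_add_audio_stream()` call so the label is only reached before `fp` is handed over.
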
@@ -184,6 +179,11 @@ static int create_fixed_stream_quirk(str
snd_usb_init_pitch(chip, fp->iface, alts, fp);
snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max);
return 0;
+
+ error:
+ kfree(fp);
+ kfree(rate_table);
+ return err;
}

static int create_auto_pcm_quirk(struct snd_usb_audio *chip,

Ben Hutchings

Apr 26, 2016, 8:20:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Manish Chopra <manish...@qlogic.com>

[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]

When running small packets [length < 256 bytes] traffic, packets were
being dropped due to invalid data in those packets which were
delivered by the driver up to the stack. Using pci_dma_sync_single_for_cpu
ensures copying latest and updated data into skb from the receive buffer.

Signed-off-by: Sony Chacko <sony....@qlogic.com>
Signed-off-by: Manish Chopra <manish...@qlogic.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c
+++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c
@@ -1648,7 +1648,18 @@ static void ql_process_mac_rx_skb(struct
return;
}
skb_reserve(new_skb, NET_IP_ALIGN);
+
+ pci_dma_sync_single_for_cpu(qdev->pdev,
+ dma_unmap_addr(sbq_desc, mapaddr),
+ dma_unmap_len(sbq_desc, maplen),
+ PCI_DMA_FROMDEVICE);
+
memcpy(skb_put(new_skb, length), skb->data, length);
+
+ pci_dma_sync_single_for_device(qdev->pdev,
+ dma_unmap_addr(sbq_desc, mapaddr),
+ dma_unmap_len(sbq_desc, maplen),
+ PCI_DMA_FROMDEVICE);
skb = new_skb;

/* Frame error, so drop the packet. */
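
Review bot: Both sync calls pass the full `dma_unmap_len(sbq_desc, maplen)` although only `length` bytes are copied by the `memcpy()` between them, and the `dma_unmap_addr()` / `dma_unmap_len()` pair is spelled out twice. If syncing the whole buffer is intended, a short comment saying so would help; otherwise sync `length` bytes. A comment on the trailing `pci_dma_sync_single_for_device()` explaining why ownership is handed back to the device at this point would also make the pairing obvious.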

Ben Hutchings

Apr 26, 2016, 8:20:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kristian Evensen <kristian...@gmail.com>

commit e439bd4a4fdeb29488f48f14845ad35607e6302c upstream.

The WeTelecom-WPD600N is an LTE module that, in addition to supporting most
"normal" bands, also supports LTE over 450MHz. Manual testing showed that
only interface number three replies to QMI messages.

Cc: Bjørn Mork <bj...@mork.no>
Signed-off-by: Kristian Evensen <kristian...@gmail.com>
Acked-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -793,6 +793,7 @@ static const struct usb_device_id produc
{QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
{QMI_FIXED_INTF(0x413c, 0x81b1, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
{QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
+ {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */

/* 4. Gobi 1000 devices */
{QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */

Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rob Clark <robd...@gmail.com>

commit 7779c5e23c5132c22a219f1f5554ef81dd15ee91 upstream.

1) don't let other threads trying to bang on aux channel interrupt the
defer timeout/logic
2) don't let other threads interrupt the i2c over aux logic

Technically, according to people who actually have the DP spec, this
should not be required. In practice, it makes some troublesome Dell
monitor (and perhaps others) work, so probably a case of "It's compliant
if it works with windows" on the hw vendor's part..

v2: rebased to come before DPCD/AUX logging patch for easier backport
to stable branches.

Reported-by: Dave Wysochanski <dwys...@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1274157
Signed-off-by: Rob Clark <robd...@gmail.com>
Reviewed-by: Ville Syrjälä <ville....@linux.intel.com>
Reviewed-by: Daniel Vetter <daniel...@ffwll.ch>
Signed-off-by: Dave Airlie <air...@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/gpu/drm/drm_dp_helper.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)

--- a/drivers/gpu/drm/drm_dp_helper.c
+++ b/drivers/gpu/drm/drm_dp_helper.c
@@ -368,7 +368,7 @@ static int drm_dp_dpcd_access(struct drm
{
struct drm_dp_aux_msg msg;
unsigned int retry;
- int err;
+ int err = 0;

memset(&msg, 0, sizeof(msg));
msg.address = offset;
@@ -376,6 +376,8 @@ static int drm_dp_dpcd_access(struct drm
msg.buffer = buffer;
msg.size = size;

+ mutex_lock(&aux->hw_mutex);
+
/*
* The specification doesn't give any recommendation on how often to
* retry native transactions. We used to retry 7 times like for
@@ -384,25 +386,24 @@ static int drm_dp_dpcd_access(struct drm
*/
for (retry = 0; retry < 32; retry++) {

- mutex_lock(&aux->hw_mutex);
err = aux->transfer(aux, &msg);
- mutex_unlock(&aux->hw_mutex);
if (err < 0) {
if (err == -EBUSY)
continue;

- return err;
+ goto unlock;
}


switch (msg.reply & DP_AUX_NATIVE_REPLY_MASK) {
case DP_AUX_NATIVE_REPLY_ACK:
if (err < size)
- return -EPROTO;
- return err;
+ err = -EPROTO;
+ goto unlock;

case DP_AUX_NATIVE_REPLY_NACK:
- return -EIO;
+ err = -EIO;
+ goto unlock;

case DP_AUX_NATIVE_REPLY_DEFER:
usleep_range(400, 500);
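
Review bot: With the lock taken before the loop, `aux->hw_mutex` is now held across all 32 iterations of `for (retry = 0; retry < 32; retry++)`, including the `usleep_range(400, 500)` in the `DP_AUX_NATIVE_REPLY_DEFER` case and every `-EBUSY` `continue`. That is the point of the change, but nothing in the code says so; a comment at the lock site stating that the whole retry sequence must not be interleaved with other AUX users would stop someone from narrowing the critical section again.
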
@@ -411,7 +412,11 @@ static int drm_dp_dpcd_access(struct drm
}

DRM_DEBUG_KMS("too many retries, giving up\n");
- return -EIO;
+ err = -EIO;
+
+unlock:
+ mutex_unlock(&aux->hw_mutex);
+ return err;
}

/**
@@ -600,9 +605,7 @@ static int drm_dp_i2c_do_msg(struct drm_
* before giving up the AUX transaction.
*/
for (retry = 0; retry < 7; retry++) {
- mutex_lock(&aux->hw_mutex);
err = aux->transfer(aux, msg);
- mutex_unlock(&aux->hw_mutex);
if (err < 0) {
if (err == -EBUSY)
continue;
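
Review bot: With the `mutex_lock()` / `mutex_unlock()` pair around `aux->transfer(aux, msg)` removed, `drm_dp_i2c_do_msg()` depends on its caller holding `aux->hw_mutex`, and that precondition is not written down anywhere in the hunk. Add it to the function comment, or assert it with `lockdep_assert_held(&aux->hw_mutex)` at the top of the function.
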
@@ -682,6 +685,8 @@ static int drm_dp_i2c_xfer(struct i2c_ad

memset(&msg, 0, sizeof(msg));

+ mutex_lock(&aux->hw_mutex);
+
for (i = 0; i < num; i++) {
msg.address = msgs[i].addr;
msg.request = (msgs[i].flags & I2C_M_RD) ?
@@ -726,6 +731,8 @@ static int drm_dp_i2c_xfer(struct i2c_ad
msg.size = 0;
(void)drm_dp_i2c_do_msg(aux, &msg);

+ mutex_unlock(&aux->hw_mutex);
+
return err;
}

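Review bot: The `mutex_unlock(&aux->hw_mutex)` added before `return err` pairs with the `mutex_lock()` placed ahead of `for (i = 0; i < num; i++)` in the previous hunk, but the body of that loop is not part of the diff. Please check that no path inside the loop returns directly; any such path would now leave `hw_mutex` held.
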
Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexande...@amd.com>

commit a64663d9870364bd2a2df62bf0d3a9fbe5ea62a8 upstream.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=115291

Signed-off-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/gpu/drm/radeon/si_dpm.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2925,6 +2925,7 @@ static struct si_dpm_quirk si_dpm_quirk_
{ PCI_VENDOR_ID_ATI, 0x6810, 0x174b, 0xe271, 85000, 90000 },
{ PCI_VENDOR_ID_ATI, 0x6811, 0x1462, 0x2015, 0, 120000 },
{ PCI_VENDOR_ID_ATI, 0x6811, 0x1043, 0x2015, 0, 120000 },
+ { PCI_VENDOR_ID_ATI, 0x6811, 0x148c, 0x2015, 0, 120000 },
{ 0, 0, 0, 0 },
};

Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bobi Mihalca <bobbym...@touchtech.ro>

commit 83a9efb5b8170b7cffef4f62656656e1d8ad2ccd upstream.

Apply the new fixup that is used for ASUS N750JV to another similar
model, N500JV, too, for reducing the headphone noise.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=115181
Signed-off-by: Bobi Mihalca <bobbym...@touchtech.ro>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
sound/pci/hda/patch_realtek.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6070,7 +6070,7 @@ static const struct snd_pci_quirk alc662
SND_PCI_QUIRK(0x1028, 0x0696, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x0698, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
- SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A),
+ SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_ASUS_Nx50),
SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
SND_PCI_QUIRK(0x1043, 0x129d, "Asus N750", ALC662_FIXUP_ASUS_Nx50),
SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
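
Review bot: The changed entry is still labelled `"Asus N550"` for subsystem ID `0x1043:0x11cd`, while the commit message says the fixup is being applied to the N500JV. Please confirm which model this ID belongs to and update the name string if it is wrong, since the label is what people search for when matching a quirk to a machine.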

Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <ty...@mit.edu>

commit daf647d2dd58cec59570d7698a45b98e580f2076 upstream.

With the internal Quota feature, mke2fs creates empty quota inodes and
quota usage tracking is enabled as soon as the file system is mounted.
Since quotacheck is no longer preallocating all of the blocks in the
quota inode that are likely needed to be written to, we are now seeing
a lockdep false positive caused by needing to allocate a quota block
from inside ext4_map_blocks(), while holding i_data_sem for a data
inode. This results in this complaint:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&ei->i_data_sem);
lock(&s->s_dquot.dqio_mutex);
lock(&ei->i_data_sem);
lock(&s->s_dquot.dqio_mutex);

Google-Bug-Id: 27907753

Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/ext4.h | 23 +++++++++++++++++++++++
fs/ext4/move_extent.c | 11 +++++++++--
fs/ext4/super.c | 25 +++++++++++++++++++++++--
3 files changed, 55 insertions(+), 4 deletions(-)

--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -850,6 +850,29 @@ do { \
#include "extents_status.h"

/*
+ * Lock subclasses for i_data_sem in the ext4_inode_info structure.
+ *
+ * These are needed to avoid lockdep false positives when we need to
+ * allocate blocks to the quota inode during ext4_map_blocks(), while
+ * holding i_data_sem for a normal (non-quota) inode. Since we don't
+ * do quota tracking for the quota inode, this avoids deadlock (as
+ * well as infinite recursion, since it isn't turtles all the way
+ * down...)
+ *
+ * I_DATA_SEM_NORMAL - Used for most inodes
+ * I_DATA_SEM_OTHER - Used by move_inode.c for the second normal inode
+ * where the second inode has larger inode number
+ * than the first
+ * I_DATA_SEM_QUOTA - Used for quota inodes only
+ */
+enum {
+ I_DATA_SEM_NORMAL = 0,
+ I_DATA_SEM_OTHER,
+ I_DATA_SEM_QUOTA,
+};
+
+
+/*
* fourth extended file system inode data in memory
*/
struct ext4_inode_info {
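
Review bot: The comment for `I_DATA_SEM_OTHER` says "Used by move_inode.c", but the file this patch changes to use it is `fs/ext4/move_extent.c`; the file name in the comment should be corrected. The hunk also adds two consecutive blank lines after the enum where one is enough.
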
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -154,10 +154,10 @@ ext4_double_down_write_data_sem(struct i
{
if (first < second) {
down_write(&EXT4_I(first)->i_data_sem);
- down_write_nested(&EXT4_I(second)->i_data_sem, SINGLE_DEPTH_NESTING);
+ down_write_nested(&EXT4_I(second)->i_data_sem, I_DATA_SEM_OTHER);
} else {
down_write(&EXT4_I(second)->i_data_sem);
- down_write_nested(&EXT4_I(first)->i_data_sem, SINGLE_DEPTH_NESTING);
+ down_write_nested(&EXT4_I(first)->i_data_sem, I_DATA_SEM_OTHER);

}
}
@@ -1124,6 +1124,13 @@ mext_check_arguments(struct inode *orig_
return -EINVAL;
}

+ if (IS_NOQUOTA(orig_inode) || IS_NOQUOTA(donor_inode)) {
+ ext4_debug("ext4 move extent: The argument files should "
+ "not be quota files [ino:orig %lu, donor %lu]\n",
+ orig_inode->i_ino, donor_inode->i_ino);
+ return -EBUSY;
+ }
+
/* Ext4 move extent supports only extent based file */
if (!(ext4_test_inode_flag(orig_inode, EXT4_INODE_EXTENTS))) {
ext4_debug("ext4 move extent: orig file is not extents "
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5160,6 +5160,20 @@ static int ext4_quota_on_mount(struct su
EXT4_SB(sb)->s_jquota_fmt, type);
}

+static void lockdep_set_quota_inode(struct inode *inode, int subclass)
+{
+ struct ext4_inode_info *ei = EXT4_I(inode);
+
+ /* The first argument of lockdep_set_subclass has to be
+ * *exactly* the same as the argument to init_rwsem() --- in
+ * this case, in init_once() --- or lockdep gets unhappy
+ * because the name of the lock is set using the
+ * stringification of the argument to init_rwsem().
+ */
+ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */
+ lockdep_set_subclass(&ei->i_data_sem, subclass);
+}
+
/*
* Standard function to be called on quota_on
*/
@@ -5199,8 +5213,12 @@ static int ext4_quota_on(struct super_bl
if (err)
return err;
}
-
- return dquot_quota_on(sb, type, format_id, path);
+ lockdep_set_quota_inode(path->dentry->d_inode, I_DATA_SEM_QUOTA);
+ err = dquot_quota_on(sb, type, format_id, path);
+ if (err)
+ lockdep_set_quota_inode(path->dentry->d_inode,
+ I_DATA_SEM_NORMAL);
+ return err;
}

static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
@@ -5226,8 +5244,11 @@ static int ext4_quota_enable(struct supe

/* Don't account quota for quota files to avoid recursion */
qf_inode->i_flags |= S_NOQUOTA;
+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
err = dquot_enable(qf_inode, type, format_id, flags);
iput(qf_inode);
+ if (err)
+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);

return err;
}
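
Review bot: In `ext4_quota_enable()` the failure path calls `lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL)` after `iput(qf_inode)`, so `qf_inode` is touched after this function has dropped its reference. Moving the `if (err)` reset above the `iput()` keeps the access inside the lifetime of the reference.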

Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexande...@amd.com>

commit 0e5585dc870af947fab2af96a88c2d8b4270247c upstream.

Higher mclk values are not stable due to a bug somewhere.
Limit them for now.

Signed-off-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/gpu/drm/radeon/si_dpm.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -3017,6 +3017,10 @@ static void si_apply_state_adjust_rules(
ps->performance_levels[i].sclk = max_sclk;
}
}
+ /* limit mclk on all R7 370 parts for stability */
+ if (rdev->pdev->device == 0x6811 &&
+ rdev->pdev->revision == 0x81)
+ max_mclk = 120000;

/* XXX validate the min clocks required for display */

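Review bot: The comment says "all R7 370 parts", but the condition is the bare pair `rdev->pdev->device == 0x6811 && rdev->pdev->revision == 0x81`, and `max_mclk = 120000` is assigned without looking at the value `max_mclk` already holds. If a lower non-zero limit can have been set earlier in the function, this assignment would raise it; assigning only when `max_mclk` is 0 or larger than 120000 avoids that. Naming the device/revision pair in the comment would also make the match easier to audit.
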
Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Petri Gynther <pgyn...@google.com>

commit 7dd399130efb5a454daf24075b7563d197114e39 upstream.

skb_len needs to be skb_headlen(skb) in bcmgenet_xmit_single().

Fragmented skbs can have only Ethernet + IP + TCP headers (14+20+20=54 bytes)
in the linear buffer, followed by the rest in fragments. Bumping skb_len to
ETH_ZLEN would be incorrect for this case, as it would introduce garbage
between TCP header and the fragment data.

This also works with regular/non-fragmented small packets < ETH_ZLEN bytes.
Successfully tested this on GENETv3 with 42-byte ARP frames.

For testing, I used:
ethtool -K eth0 tx-checksum-ipv4 off
ethtool -K eth0 tx-checksum-ipv6 off
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
Signed-off-by: Petri Gynther <pgyn...@google.com>
Acked-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -979,7 +979,7 @@ static int bcmgenet_xmit_single(struct n

tx_cb_ptr->skb = skb;

- skb_len = skb_headlen(skb) < ETH_ZLEN ? ETH_ZLEN : skb_headlen(skb);
+ skb_len = skb_headlen(skb);

mapping = dma_map_single(kdev, skb->data, skb_len, DMA_TO_DEVICE);
ret = dma_mapping_error(kdev, mapping);
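
Review bot: With `skb_len = skb_headlen(skb)` the linear part is mapped at its real length, so for a non-fragmented frame shorter than `ETH_ZLEN` nothing in this hunk pads it to the minimum Ethernet size any more. The commit message reports a successful test with 42-byte ARP frames; a comment here saying where short frames get padded would record why dropping the `ETH_ZLEN` clamp is safe.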

Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <kees...@chromium.org>

commit 82168140bc4cec7ec9bad39705518541149ff8b7 upstream.

In preparation for splitting out ET_DYN ASLR, this refactors the use of
mmap_rnd() to be used similarly to arm, and extracts the checking of
PF_RANDOMIZE.

Signed-off-by: Kees Cook <kees...@chromium.org>
Reviewed-by: Ingo Molnar <mi...@kernel.org>
Cc: Oleg Nesterov <ol...@redhat.com>
Cc: Andy Lutomirski <lu...@amacapital.net>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/x86/mm/mmap.c | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)

--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -67,22 +67,21 @@ static int mmap_is_legacy(void)

static unsigned long mmap_rnd(void)
{
- unsigned long rnd = 0;
+ unsigned long rnd;

/*
- * 8 bits of randomness in 32bit mmaps, 20 address space bits
- * 28 bits of randomness in 64bit mmaps, 40 address space bits
- */
- if (current->flags & PF_RANDOMIZE) {
- if (mmap_is_ia32())
- rnd = get_random_int() % (1<<8);
- else
- rnd = get_random_int() % (1<<28);
- }
+ * 8 bits of randomness in 32bit mmaps, 20 address space bits
+ * 28 bits of randomness in 64bit mmaps, 40 address space bits
+ */
+ if (mmap_is_ia32())
+ rnd = (unsigned long)get_random_int() % (1<<8);
+ else
+ rnd = (unsigned long)get_random_int() % (1<<28);
+
return rnd << PAGE_SHIFT;
}

-static unsigned long mmap_base(void)
+static unsigned long mmap_base(unsigned long rnd)
{
unsigned long gap = rlimit(RLIMIT_STACK);

@@ -91,19 +90,19 @@ static unsigned long mmap_base(void)
else if (gap > MAX_GAP)
gap = MAX_GAP;

- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
+ return PAGE_ALIGN(TASK_SIZE - gap - rnd);
}

/*
* Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
* does, but not when emulating X86_32
*/
-static unsigned long mmap_legacy_base(void)
+static unsigned long mmap_legacy_base(unsigned long rnd)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
else
- return TASK_UNMAPPED_BASE + mmap_rnd();
+ return TASK_UNMAPPED_BASE + rnd;
}

/*
@@ -112,13 +111,18 @@ static unsigned long mmap_legacy_base(vo
*/
void arch_pick_mmap_layout(struct mm_struct *mm)
{
- mm->mmap_legacy_base = mmap_legacy_base();
- mm->mmap_base = mmap_base();
+ unsigned long random_factor = 0UL;
+
+ if (current->flags & PF_RANDOMIZE)
+ random_factor = mmap_rnd();
+
+ mm->mmap_legacy_base = mmap_legacy_base(random_factor);

if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;
mm->get_unmapped_area = arch_get_unmapped_area;
} else {
+ mm->mmap_base = mmap_base(random_factor);
mm->get_unmapped_area = arch_get_unmapped_area_topdown;
}
}
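
Review bot: The `PF_RANDOMIZE` test now exists only in `arch_pick_mmap_layout()`, while `mmap_rnd()` returns a random offset unconditionally. Any later caller of `mmap_rnd()` that omits the flag test would randomize a task that has randomization turned off, so `mmap_rnd()` should carry a comment stating that the caller is responsible for checking `PF_RANDOMIZE`.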

Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bj...@mork.no>

[ Upstream commit e84810c7b85a2d7897797b3ad3e879168a8e032a ]

Thomas reports:
"Windows:

00 diagnostics
01 modem
02 at-port
03 nmea
04 nic

Linux:

T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=2001 ProdID=7e19 Rev=02.32
S: Manufacturer=Mobile Connect
S: Product=Mobile Connect
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"

Reported-by: Thomas Schäfer <tsch...@t-online.de>
Signed-off-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 8677c6a..8153e97 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -749,6 +749,7 @@ static const struct usb_device_id products[] = {
{QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */
{QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */
{QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */
+ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */
{QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
{QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
{QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */

Ben Hutchings

Apr 26, 2016, 8:20:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbon...@redhat.com>

commit 95272c29378ee7dc15f43fa2758cb28a5913a06d upstream.

-ftracer can duplicate asm blocks causing compilation to fail in
noclone functions. For example, KVM declares a global variable
in an asm like

asm("2: ... \n
.pushsection data \n
.global vmx_return \n
vmx_return: .long 2b");

and -ftracer causes a double declaration.

Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Michal Marek <mma...@suse.cz>
Cc: k...@vger.kernel.org
Reported-by: Linda Walsh <lk...@tlinx.org>
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>
[bwh: Backported to 3.16: apply to compiler-gcc{4,5}.h]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
@@ -54,7 +54,7 @@
#define unreachable() __builtin_unreachable()

/* Mark a function definition as prohibited from being cloned. */
-#define __noclone __attribute__((__noclone__))
+#define __noclone __attribute__((__noclone__, __optimize__("no-tracer")))

#endif /* GCC_VERSION >= 40500 */
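
Review bot: The comment above __noclone still reads "Mark a function definition as prohibited from being cloned", but the macro now also turns off -ftracer through __optimize__("no-tracer"). Update the comment in both compiler-gcc4.h and compiler-gcc5.h to mention the second effect and the asm-label duplication that motivates it, since a caller would not expect __noclone to change optimisation settings.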

--- a/include/linux/compiler-gcc5.h
+++ b/include/linux/compiler-gcc5.h
@@ -40,7 +40,7 @@
#define unreachable() __builtin_unreachable()

/* Mark a function definition as prohibited from being cloned. */
-#define __noclone __attribute__((__noclone__))
+#define __noclone __attribute__((__noclone__, __optimize__("no-tracer")))

/*
* Tell the optimizer that something else uses this function or variable.

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <li...@roeck-us.net>

commit 3c2e2266a5bd2d1cef258e6e54dca1d99946379f upstream.

arm:pxa_defconfig can result in the following crash if the max1111 driver
is not instantiated.

Unhandled fault: page domain fault (0x01b) at 0x00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: : 1b [#1] PREEMPT ARM
Modules linked in:
CPU: 0 PID: 300 Comm: kworker/0:1 Not tainted 4.5.0-01301-g1701f680407c #10
Hardware name: SHARP Akita
Workqueue: events sharpsl_charge_toggle
task: c390a000 ti: c391e000 task.ti: c391e000
PC is at max1111_read_channel+0x20/0x30
LR is at sharpsl_pm_pxa_read_max1111+0x2c/0x3c
pc : [<c03aaab0>] lr : [<c0024b50>] psr: 20000013
...
[<c03aaab0>] (max1111_read_channel) from [<c0024b50>]
(sharpsl_pm_pxa_read_max1111+0x2c/0x3c)
[<c0024b50>] (sharpsl_pm_pxa_read_max1111) from [<c00262e0>]
(spitzpm_read_devdata+0x5c/0xc4)
[<c00262e0>] (spitzpm_read_devdata) from [<c0024094>]
(sharpsl_check_battery_temp+0x78/0x110)
[<c0024094>] (sharpsl_check_battery_temp) from [<c0024f9c>]
(sharpsl_charge_toggle+0x48/0x110)
[<c0024f9c>] (sharpsl_charge_toggle) from [<c004429c>]
(process_one_work+0x14c/0x48c)
[<c004429c>] (process_one_work) from [<c0044618>] (worker_thread+0x3c/0x5d4)
[<c0044618>] (worker_thread) from [<c004a238>] (kthread+0xd0/0xec)
[<c004a238>] (kthread) from [<c000a670>] (ret_from_fork+0x14/0x24)

This can occur because the SPI controller driver (SPI_PXA2XX) is built as
module and thus not necessarily loaded. While building SPI_PXA2XX into the
kernel would make the problem disappear, it appears prudent to ensure that
the driver is instantiated before accessing its data structures.

Cc: Arnd Bergmann <ar...@arndb.de>
Signed-off-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/hwmon/max1111.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/hwmon/max1111.c
+++ b/drivers/hwmon/max1111.c
@@ -85,6 +85,9 @@ static struct max1111_data *the_max1111;

int max1111_read_channel(int channel)
{
+ if (!the_max1111 || !the_max1111->spi)
+ return -ENODEV;
+
return max1111_read(&the_max1111->spi->dev, channel);
}
EXPORT_SYMBOL(max1111_read_channel);
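
Review bot: In max1111_read_channel() the new guard tests the_max1111 and the return statement then loads the_max1111 a second time, with nothing in the visible lines that orders this against max1111_remove() clearing the pointer. If remove runs between the check and the use, the NULL dereference from the reported oops is still reachable. Read the pointer once into a local and use that copy for both the test and the max1111_read() call, or take a lock shared with probe/remove; the local copy closes the NULL window but not the lifetime of the data, so the lock is the fuller fix.
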
@@ -258,6 +261,9 @@ static int max1111_remove(struct spi_dev
{
struct max1111_data *data = spi_get_drvdata(spi);

+#ifdef CONFIG_SHARPSL_PM
+ the_max1111 = NULL;
+#endif
hwmon_device_unregister(data->hwmon_dev);
sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group);
sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group);
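
Review bot: The the_max1111 = NULL store in max1111_remove() is wrapped in #ifdef CONFIG_SHARPSL_PM, while the guard added to max1111_read_channel() shows no such condition in the visible context. Please make sure the declaration, the assignment in probe, the reader and this clear all sit under the same condition, or drop the #ifdef here so the function body stays free of preprocessor blocks.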

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Xishi Qiu <qiux...@huawei.com>

commit 6f25a14a7053b69917e2ebea0d31dd444cd31fd5 upstream.

It is incorrect to use next_node to find a target node, it will return
MAX_NUMNODES or invalid node. This will lead to crash in buddy system
allocation.

Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
Signed-off-by: Xishi Qiu <qiux...@huawei.com>
Acked-by: Vlastimil Babka <vba...@suse.cz>
Acked-by: Naoya Horiguchi <n-hor...@ah.jp.nec.com>
Cc: Joonsoo Kim <js1...@gmail.com>
Cc: David Rientjes <rien...@google.com>
Cc: "Laura Abbott" <lau...@codeaurora.org>
Cc: Hui Zhu <zhu...@xiaomi.com>
Cc: Wang Xiaoqiang <wang...@lzu.edu.cn>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
mm/page_isolation.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/mm/page_isolation.c
+++ b/mm/page_isolation.c
@@ -259,11 +259,11 @@ struct page *alloc_migrate_target(struct
* now as a simple work-around, we use the next node for destination.
*/
if (PageHuge(page)) {
- nodemask_t src = nodemask_of_node(page_to_nid(page));
- nodemask_t dst;
- nodes_complement(dst, src);
+ int node = next_online_node(page_to_nid(page));
+ if (node == MAX_NUMNODES)
+ node = first_online_node;
return alloc_huge_page_node(page_hstate(compound_head(page)),
- next_node(page_to_nid(page), dst));
+ node);
}

if (PageHighMem(page))
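
Review bot: In the PageHuge() branch, next_online_node() followed by the first_online_node fallback hands back the node the page already lives on when only one node is online, whereas the removed code built dst as the complement of the source node. If allocating on the source node is acceptable, the comment above ("we use the next node for destination") should say so; otherwise this case needs an explicit check. Also add a blank line after the int node declaration.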

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.com>

commit 1666984c8625b3db19a9abc298931d35ab7bc64b upstream.

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum <ONe...@suse.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/usbnet.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1729,6 +1729,13 @@ out3:
if (info->unbind)
info->unbind (dev, udev);
out1:
+ /* subdrivers must undo all they did in bind() if they
+ * fail it, but we may fail later and a deferred kevent
+ * may trigger an error resubmitting itself and, worse,
+ * schedule a timer. So we kill it all just in case.
+ */
+ cancel_work_sync(&dev->kevent);
+ del_timer_sync(&dev->delay);
free_netdev(net);
out:
return status;
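
Review bot: cancel_work_sync(&dev->kevent) and del_timer_sync(&dev->delay) sit under out1:, which is a label in its own right and not only the fall-through from the unbind block above it. Please confirm that every goto out1 happens after dev->kevent and dev->delay have been initialised; if any path reaches the label earlier, these calls need to move to a label that only post-initialisation failures use.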

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Petr Štetiar <yn...@true.cz>

commit b3d8cf019fb9dd28389b08da7bf54ffabf453ed3 upstream.

This device has same vendor and product IDs as G2K devices, but it has
different number of interfaces(4 vs 5) and also different interface
layout where EC20 has QMI on interface 4 instead of 0.

lsusb output:

Bus 002 Device 003: ID 05c6:9215 Qualcomm, Inc. Acer Gobi 2000
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x05c6 Qualcomm, Inc.
idProduct 0x9215 Acer Gobi 2000 Wireless Modem
bcdDevice 2.32
iManufacturer 1 Quectel
iProduct 2 Quectel LTE Module
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 209
bNumInterfaces 5
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xa0
(Bus Powered)
Remote Wakeup
MaxPower 500mA

Signed-off-by: Petr Štetiar <yn...@true.cz>
Acked-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -823,6 +823,7 @@ static const struct usb_device_id produc
{QMI_GOBI_DEVICE(0x05c6, 0x9245)}, /* Samsung Gobi 2000 Modem device (VL176) */
{QMI_GOBI_DEVICE(0x03f0, 0x251d)}, /* HP Gobi 2000 Modem device (VP412) */
{QMI_GOBI_DEVICE(0x05c6, 0x9215)}, /* Acer Gobi 2000 Modem device (VP413) */
+ {QMI_FIXED_INTF(0x05c6, 0x9215, 4)}, /* Quectel EC20 Mini PCIe */
{QMI_GOBI_DEVICE(0x05c6, 0x9265)}, /* Asus Gobi 2000 Modem device (VR305) */
{QMI_GOBI_DEVICE(0x05c6, 0x9235)}, /* Top Global Gobi 2000 Modem device (VR306) */
{QMI_GOBI_DEVICE(0x05c6, 0x9275)}, /* iRex Technologies Gobi 2000 Modem device (VR307) */
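
Review bot: The added QMI_FIXED_INTF(0x05c6, 0x9215, 4) entry shares its vendor and product ID with the QMI_GOBI_DEVICE(0x05c6, 0x9215) line directly above it, so the table alone no longer says which device an interface belongs to. Extend the comment on the new line to say that the EC20 is told apart from the Acer Gobi 2000 at probe time by quectel_ec20_detected(), so a later cleanup does not drop one entry as a duplicate.
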
@@ -854,10 +855,24 @@ static const struct usb_device_id produc
};
MODULE_DEVICE_TABLE(usb, products);

+static bool quectel_ec20_detected(struct usb_interface *intf)
+{
+ struct usb_device *dev = interface_to_usbdev(intf);
+
+ if (dev->actconfig &&
+ le16_to_cpu(dev->descriptor.idVendor) == 0x05c6 &&
+ le16_to_cpu(dev->descriptor.idProduct) == 0x9215 &&
+ dev->actconfig->desc.bNumInterfaces == 5)
+ return true;
+
+ return false;
+}
+
static int qmi_wwan_probe(struct usb_interface *intf,
const struct usb_device_id *prod)
{
struct usb_device_id *id = (struct usb_device_id *)prod;
+ struct usb_interface_descriptor *desc = &intf->cur_altsetting->desc;

/* Workaround to enable dynamic IDs. This disables usbnet
* blacklisting functionality. Which, if required, can be
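
Review bot: quectel_ec20_detected() repeats 0x05c6 and 0x9215 as bare literals and keys the whole quirk on bNumInterfaces == 5, but nothing in the function says why 5 identifies the EC20. Add a short comment carrying the "4 vs 5" interface counts from the commit message, and return the condition directly instead of the if / return true / return false pattern.
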
@@ -869,6 +884,12 @@ static int qmi_wwan_probe(struct usb_int
id->driver_info = (unsigned long)&qmi_wwan_info;
}

+ /* Quectel EC20 quirk where we've QMI on interface 4 instead of 0 */
+ if (quectel_ec20_detected(intf) && desc->bInterfaceNumber == 0) {
+ dev_dbg(&intf->dev, "Quectel EC20 quirk, skipping interface 0\n");
+ return -ENODEV;
+ }
+
return usbnet_probe(intf, id);
}

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu...@qlogic.com>

commit 5e47f1985d7107331c3f64fb3ec83d66fd73577e upstream.

This patch fixes an active I/O shutdown bug for fabric
drivers using target_wait_for_sess_cmds(), where se_cmd
descriptor shutdown would result in hung tasks waiting
indefinitely for se_cmd->cmd_wait_comp to complete().

To address this bug, drop the incorrect list_del_init()
usage in target_wait_for_sess_cmds() and always complete()
during se_cmd target_release_cmd_kref() put, in order to
let caller invoke the final fabric release callback
into se_cmd->se_tfo->release_cmd() code.

Reported-by: Himanshu Madhani <himanshu...@qlogic.com>
Tested-by: Himanshu Madhani <himanshu...@qlogic.com>
Signed-off-by: Himanshu Madhani <himanshu...@qlogic.com>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/target/target_core_transport.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2540,8 +2540,6 @@ void target_wait_for_sess_cmds(struct se

list_for_each_entry_safe(se_cmd, tmp_cmd,
&se_sess->sess_wait_list, se_cmd_list) {
- list_del_init(&se_cmd->se_cmd_list);
-
pr_debug("Waiting for se_cmd: %p t_state: %d, fabric state:"
" %d\n", se_cmd, se_cmd->t_state,
se_cmd->se_tfo->get_cmd_state(se_cmd));
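
Review bot: With list_del_init(&se_cmd->se_cmd_list) removed from the loop in target_wait_for_sess_cmds(), nothing in this hunk takes entries off se_sess->sess_wait_list any more. The commit message points at target_release_cmd_kref() for the complete(); please state there, or in a comment at this loop, which path now unlinks se_cmd_list, so it is clear the list does not retain entries after the wait returns.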

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Josh Boyer <jwb...@fedoraproject.org>

commit ea6db90e750328068837bed34cb1302b7a177339 upstream.

A Fedora user reports that the ftdi_sio driver works properly for the
ICP DAS I-7561U device. Further, the user manual for these devices
instructs users to load the driver and add the ids using the sysfs
interface.

Add support for these in the driver directly so that the devices work
out of the box instead of needing manual configuration.

Reported-by: <thes...@mail.ru>
Signed-off-by: Josh Boyer <jwb...@fedoraproject.org>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ftdi_sio.c | 4 ++++
drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
2 files changed, 12 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1017,6 +1017,10 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
+ /* ICP DAS I-756xU devices */
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
+ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
{ } /* Terminating entry */
};
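
Review bot: Three product IDs (ICPDAS_I7560U_PID, ICPDAS_I7561U_PID, ICPDAS_I7563U_PID) are added to id_table, but the commit message only reports the I-7561U as working. Please say in the commit message whether the I-7560U and I-7563U were tested or are added on the strength of the vendor manual.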

--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -872,6 +872,14 @@
#define NOVITUS_BONO_E_PID 0x6010

/*
+ * ICPDAS I-756*U devices
+ */
+#define ICPDAS_VID 0x1b5c
+#define ICPDAS_I7560U_PID 0x0103
+#define ICPDAS_I7561U_PID 0x0104
+#define ICPDAS_I7563U_PID 0x0105
+
+/*
* RT Systems programming cables for various ham radios
*/
#define RTSYSTEMS_VID 0x2100 /* Vendor ID */
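
Review bot: The new block comment spells the family "I-756*U" while the comment added in ftdi_sio.c spells it "I-756xU"; pick one form for both files. The neighbouring RTSYSTEMS_VID define carries a trailing /* Vendor ID */ comment, so the new ICPDAS_* defines could follow that style too.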

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pieter Hollants <pie...@hollants.com>

commit 2070c48cf2b78af89ba529c00992eaaa18df8ef7 upstream.

Added the USB IDs 0x413c:0x81b1 for the "Dell Wireless 5809e Gobi(TM) 4G
LTE Mobile Broadband Card", a Dell-branded Sierra Wireless EM7305 LTE
card in M.2 form factor, used e.g. in Dell's Latitude E7540 Notebook
series.

Signed-off-by: Pieter Hollants <pie...@hollants.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -787,6 +787,7 @@ static const struct usb_device_id produc
{QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
{QMI_FIXED_INTF(0x413c, 0x81a8, 8)}, /* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
{QMI_FIXED_INTF(0x413c, 0x81a9, 8)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
+ {QMI_FIXED_INTF(0x413c, 0x81b1, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
{QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */

Ben Hutchings

Apr 26, 2016, 8:20:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <li...@roeck-us.net>

commit 968ce1b1f45a7d76b5471b19bd035dbecc72f32d upstream.

The old web page for the hwmon subsystem is no longer operational,
and the mailing list has become unreliable. Move both to kernel.org.

Reviewed-by: Jean Delvare <jdel...@suse.de>
Signed-off-by: Guenter Roeck <li...@roeck-us.net>
[bwh: Backported to 3.16: the set of hwmon drivers is different, so do a
search-and-replace for the same addresses]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
MAINTAINERS | 96 ++++++++++++++++++++++++++++++-------------------------------
1 file changed, 48 insertions(+), 48 deletions(-)

--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -218,13 +218,13 @@ F: kernel/sys_ni.c

ABIT UGURU 1,2 HARDWARE MONITOR DRIVER
M: Hans de Goede <hdeg...@redhat.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/abituguru.c

ABIT UGURU 3 HARDWARE MONITOR DRIVER
M: Alistair John Strachan <alis...@devzero.co.uk>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/abituguru3.c

@@ -355,14 +355,14 @@ S: Maintained

ADM1025 HARDWARE MONITOR DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/adm1025
F: drivers/hwmon/adm1025.c

ADM1029 HARDWARE MONITOR DRIVER
M: Corentin Labbe <clabbe....@gmail.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/adm1029.c

@@ -407,7 +407,7 @@ F: drivers/video/backlight/adp8860_bl.c

ADS1015 HARDWARE MONITOR DRIVER
M: Dirk Eibach <eib...@gdsys.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/ads1015
F: drivers/hwmon/ads1015.c
@@ -420,7 +420,7 @@ F: drivers/macintosh/therm_adt746x.c

ADT7475 HARDWARE MONITOR DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/adt7475
F: drivers/hwmon/adt7475.c
@@ -568,7 +568,7 @@ F: include/linux/ccp.h

AMD FAM15H PROCESSOR POWER MONITORING DRIVER
M: Andreas Herrmann <herrmann...@googlemail.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/fam15h_power
F: drivers/hwmon/fam15h_power.c
@@ -689,7 +689,7 @@ F: drivers/input/mouse/bcm5974.c

APPLE SMC DRIVER
M: Henrik Rydberg <ryd...@euromail.se>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/applesmc.c

@@ -1504,7 +1504,7 @@ F: include/media/as3645a.h

ASC7621 HARDWARE MONITOR DRIVER
M: George Joseph <george...@fairview5.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/asc7621
F: drivers/hwmon/asc7621.c
@@ -1583,7 +1583,7 @@ F: drivers/net/wireless/ath/carl9170/

ATK0110 HWMON DRIVER
M: Luca Tettamanti <kron...@gmail.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/asus_atk0110.c

@@ -2459,7 +2459,7 @@ F: mm/page_cgroup.c

CORETEMP HARDWARE MONITORING DRIVER
M: Fenghua Yu <fengh...@intel.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/coretemp
F: drivers/hwmon/coretemp.c
@@ -2931,7 +2931,7 @@ T: git git://git.infradead.org/users/vko

DME1737 HARDWARE MONITOR DRIVER
M: Juerg Haefliger <jue...@gmail.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/dme1737
F: drivers/hwmon/dme1737.c
@@ -3559,7 +3559,7 @@ F: include/video/exynos_mipi*

F71805F HARDWARE MONITORING DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/f71805f
F: drivers/hwmon/f71805f.c
@@ -3632,7 +3632,7 @@ F: fs/*

FINTEK F75375S HARDWARE MONITOR AND FAN CONTROLLER DRIVER
M: Riku Voipio <riku....@iki.fi>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/f75375s.c
F: include/linux/f75375s.h
@@ -4093,8 +4093,8 @@ F: drivers/tty/hvc/
HARDWARE MONITORING
M: Jean Delvare <jdel...@suse.de>
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
-W: http://www.lm-sensors.org/
+L: linux...@vger.kernel.org
+W: http://hwmon.wiki.kernel.org/
T: quilt kernel.org/pub/linux/kernel/people/jdelvare/linux-2.6/jdelvare-hwmon/
T: git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
S: Maintained
@@ -4540,7 +4540,7 @@ F: drivers/usb/atm/ueagle-atm.c

INA209 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/ina209
F: Documentation/devicetree/bindings/i2c/ina209.txt
@@ -4548,7 +4548,7 @@ F: drivers/hwmon/ina209.c

INA2XX HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/ina2xx
F: drivers/hwmon/ina2xx.c
@@ -4967,7 +4967,7 @@ F: drivers/isdn/hardware/eicon/

IT87 HARDWARE MONITORING DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/it87
F: drivers/hwmon/it87.c
@@ -5003,7 +5003,7 @@ F: drivers/media/dvb-frontends/ix2505v*

JC42.4 TEMPERATURE SENSOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/jc42.c
F: Documentation/hwmon/jc42
@@ -5054,14 +5054,14 @@ F: drivers/tty/serial/jsm/

K10TEMP HARDWARE MONITORING DRIVER
M: Clemens Ladisch <cle...@ladisch.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/k10temp
F: drivers/hwmon/k10temp.c

K8TEMP HARDWARE MONITORING DRIVER
M: Rudolf Marek <r.m...@assembler.cz>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/k8temp
F: drivers/hwmon/k8temp.c
@@ -5467,27 +5467,27 @@ F: net/llc/

LM73 HARDWARE MONITOR DRIVER
M: Guillaume Ligneul <guillaum...@gmail.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/lm73.c

LM78 HARDWARE MONITOR DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/lm78
F: drivers/hwmon/lm78.c

LM83 HARDWARE MONITOR DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/lm83
F: drivers/hwmon/lm83.c

LM90 HARDWARE MONITOR DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/lm90
F: Documentation/devicetree/bindings/hwmon/lm90.txt
@@ -5495,7 +5495,7 @@ F: drivers/hwmon/lm90.c

LM95234 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/lm95234
F: drivers/hwmon/lm95234.c
@@ -5562,7 +5562,7 @@ F: drivers/scsi/sym53c8xx_2/

LTC4261 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/ltc4261
F: drivers/hwmon/ltc4261.c
@@ -5733,21 +5733,21 @@ F: include/uapi/linux/matroxfb.h

MAX16065 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/max16065
F: drivers/hwmon/max16065.c

MAX6650 HARDWARE MONITOR AND FAN CONTROLLER DRIVER
M: "Hans J. Koch" <h...@hansjkoch.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/max6650
F: drivers/hwmon/max6650.c

MAX6697 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/max6697
F: Documentation/devicetree/bindings/i2c/max6697.txt
@@ -6105,7 +6105,7 @@ F: drivers/scsi/NCR_D700.*

NCT6775 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/nct6775
F: drivers/hwmon/nct6775.c
@@ -6745,7 +6745,7 @@ F: drivers/video/logo/logo_parisc*

PC87360 HARDWARE MONITORING DRIVER
M: Jim Cromie <jim.c...@gmail.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/pc87360
F: drivers/hwmon/pc87360.c
@@ -6757,7 +6757,7 @@ F: drivers/char/pc8736x_gpio.c

PC87427 HARDWARE MONITORING DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/pc87427
F: drivers/hwmon/pc87427.c
@@ -6999,8 +6999,8 @@ F: drivers/rtc/rtc-puv3.c

PMBUS HARDWARE MONITORING DRIVERS
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
-W: http://www.lm-sensors.org/
+L: linux...@vger.kernel.org
+W: http://hwmon.wiki.kernel.org/
W: http://www.roeck-us.net/linux/drivers/
T: git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
S: Maintained
@@ -8290,28 +8290,28 @@ F: drivers/media/i2c/smiapp-pll.h

SMM665 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/smm665
F: drivers/hwmon/smm665.c

SMSC EMC2103 HARDWARE MONITOR DRIVER
M: Steve Glendinning <steve.gl...@shawell.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/emc2103
F: drivers/hwmon/emc2103.c

SMSC SCH5627 HARDWARE MONITOR DRIVER
M: Hans de Goede <hdeg...@redhat.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Supported
F: Documentation/hwmon/sch5627
F: drivers/hwmon/sch5627.c

SMSC47B397 HARDWARE MONITOR DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/smsc47b397
F: drivers/hwmon/smsc47b397.c
@@ -9175,7 +9175,7 @@ F: include/linux/mmc/sh_mobile_sdhi.h

TMP401 HARDWARE MONITOR DRIVER
M: Guenter Roeck <li...@roeck-us.net>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/tmp401
F: drivers/hwmon/tmp401.c
@@ -9813,14 +9813,14 @@ F: include/linux/regulator/

VT1211 HARDWARE MONITOR DRIVER
M: Juerg Haefliger <jue...@gmail.com>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/vt1211
F: drivers/hwmon/vt1211.c

VT8231 HARDWARE MONITOR DRIVER
M: Roger Lucas <vt8...@hiddenengine.co.uk>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/vt8231.c

@@ -9839,21 +9839,21 @@ F: drivers/w1/

W83791D HARDWARE MONITORING DRIVER
M: Marc Hulsman <m.hu...@tudelft.nl>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/w83791d
F: drivers/hwmon/w83791d.c

W83793 HARDWARE MONITORING DRIVER
M: Rudolf Marek <r.m...@assembler.cz>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: Documentation/hwmon/w83793
F: drivers/hwmon/w83793.c

W83795 HARDWARE MONITORING DRIVER
M: Jean Delvare <jdel...@suse.de>
-L: lm-se...@lm-sensors.org
+L: linux...@vger.kernel.org
S: Maintained
F: drivers/hwmon/w83795.c
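
Review bot: Because this backport was produced by search-and-replace over a different set of hwmon entries than upstream, the 48 changed lines cannot be checked against the upstream hunks one for one. Please confirm in the backport note that no L: or W: line in MAINTAINERS still refers to lm-sensors.org after the patch is applied, and that the two W: replacements (HARDWARE MONITORING and PMBUS HARDWARE MONITORING DRIVERS) are the only web links that needed changing.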

Ben Hutchings

Apr 26, 2016, 8:20:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro....@renesas.com>

commit 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d upstream.

This patch fixes an issue that usbhsg_queue_done() may cause kernel
panic when dma callback is running and usb_ep_disable() is called
by interrupt handler. (Especially, we can reproduce this issue using
g_audio with usb-dmac driver.)

For example of a flow:
usbhsf_dma_complete (on tasklet)
--> usbhsf_pkt_handler (on tasklet)
--> usbhsg_queue_done (on tasklet)
*** interrupt happened and usb_ep_disable() is called ***
--> usbhsg_queue_pop (on tasklet)
Then, oops happened.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro....@renesas.com>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/renesas_usbhs/mod_gadget.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -137,10 +137,14 @@ static void usbhsg_queue_done(struct usb
struct usbhs_pipe *pipe = pkt->pipe;
struct usbhsg_uep *uep = usbhsg_pipe_to_uep(pipe);
struct usbhsg_request *ureq = usbhsg_pkt_to_ureq(pkt);
+ unsigned long flags;

ureq->req.actual = pkt->actual;

- usbhsg_queue_pop(uep, ureq, 0);
+ usbhs_lock(priv, flags);
+ if (uep)
+ __usbhsg_queue_pop(uep, ureq, 0);
+ usbhs_unlock(priv, flags);
}

static void usbhsg_queue_push(struct usbhsg_uep *uep,
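
Review bot: In usbhsg_queue_done() uep is fetched with usbhsg_pipe_to_uep(pipe) in the declarations, before usbhs_lock(priv, flags) is taken, so the new if (uep) test inside the lock checks a value that was read outside it. If the interrupt-time usb_ep_disable() described in the commit message can change the pipe-to-uep mapping, move the usbhsg_pipe_to_uep() lookup inside the locked region; the same question applies to the ureq->req.actual store, which also stays outside the lock.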

Ben Hutchings

Apr 26, 2016, 8:20:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hector Marco-Gisbert <hecm...@upv.es>

commit 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb upstream.

Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
the stack and the executable are randomized but not other mmapped files
(libraries, vDSO, etc.). This patch enables randomization for the
libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.

By default on i386 there are 8 bits for the randomization of the libraries,
vDSO and mmaps which only uses 1MB of VA.

This patch preserves the original randomness, using 1MB of VA out of 3GB or
4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.

The first obvious security benefit is that all objects are randomized (not
only the stack and the executable) in legacy mode which highly increases
the ASLR effectiveness, otherwise the attackers may use these
non-randomized areas. But also sensitive setuid/setgid applications are
more secure because currently, attackers can disable the randomization of
these applications by setting the ulimit stack to "unlimited". This is a
very old and widely known trick to disable the ASLR in i386 which has been
allowed for too long.

Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
personality flag, but fortunately this doesn't work on setuid/setgid
applications because there are security checks which clear security-relevant
flags.

This patch always randomizes the mmap_legacy_base address, removing the
possibility to disable the ASLR by setting the stack to "unlimited".

Signed-off-by: Hector Marco-Gisbert <hecm...@upv.es>
Acked-by: Ismael Ripoll Ripoll <iri...@upv.es>
Acked-by: Kees Cook <kees...@chromium.org>
Acked-by: Arjan van de Ven <ar...@linux.intel.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: ak...@linux-foundation.org
Cc: kees Cook <kees...@chromium.org>
Link: http://lkml.kernel.org/r/1457639460-5242-1-gi...@upv.es
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/x86/mm/mmap.c | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)

--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned
}

/*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
- if (mmap_is_ia32())
- return TASK_UNMAPPED_BASE;
- else
- return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
* This function, called very early during the creation of a new
* process VM image, sets up which VM layout function to use:
*/
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_str
if (current->flags & PF_RANDOMIZE)
random_factor = mmap_rnd();

- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
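
Review bot: The assignment mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor now applies the random offset on the ia32 path as well, but the only comment that described the legacy layout's randomization behaviour was deleted together with mmap_legacy_base(). Add a one-line comment at this assignment saying that the legacy base is randomized whenever PF_RANDOMIZE is set, including for X86_32, so the intent from the commit message survives in the source.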

Ben Hutchings

Apr 26, 2016, 8:20:11 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <wil...@google.com>

[ Upstream commit 8e2ad4113ce4671686740f808ff2795395c39eef ]

The stack expects link layer headers in the skb linear section.
Macvtap can create skbs with llheader in frags in edge cases:
when (IFF_VNET_HDR is off or vnet_hdr.hdr_len < ETH_HLEN) and
prepad + len > PAGE_SIZE and vnet_hdr.flags has no or bad csum.

Add checks to ensure linear is always at least ETH_HLEN.
At this point, len is already ensured to be >= ETH_HLEN.

For backwards compatibility, rounds up short vnet_hdr.hdr_len.
This differs from tap and packet, which return an error.

Fixes b9fb9ee07e67 ("macvtap: add GSO/csum offload support")
Signed-off-by: Willem de Bruijn <wil...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.16: don't use macvtap16_to_cpu()]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/macvtap.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -690,6 +690,8 @@ static ssize_t macvtap_get_user(struct m
copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN;
if (copylen > good_linear)
copylen = good_linear;
+ else if (copylen < ETH_HLEN)
+ copylen = ETH_HLEN;
linear = copylen;
if (iov_pages(iv, vnet_hdr_len + copylen, count)
<= MAX_SKB_FRAGS)
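
Review bot: the new ETH_HLEN floor on copylen sits in the else branch, so when copylen > good_linear the value becomes good_linear with no lower-bound check. That is only safe if good_linear can never be below ETH_HLEN, which this hunk does not show. Either apply the floor after the good_linear cap, with a comment on why it cannot exceed the data available, or add a comment stating the good_linear >= ETH_HLEN invariant.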
@@ -698,10 +700,11 @@ static ssize_t macvtap_get_user(struct m

if (!zerocopy) {
copylen = len;
- if (vnet_hdr.hdr_len > good_linear)
+ linear = vnet_hdr.hdr_len;
+ if (linear > good_linear)
linear = good_linear;
- else
- linear = vnet_hdr.hdr_len;
+ else if (linear < ETH_HLEN)
+ linear = ETH_HLEN;
}

skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen,
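
Review bot: the cap-then-floor sequence on linear in the !zerocopy branch repeats the one applied to copylen in the zerocopy branch above. A small helper taking hdr_len and good_linear would keep the two in step. The bwh note says macvtap16_to_cpu() was dropped for 3.16, so a comment that vnet_hdr.hdr_len is read without conversion in this tree would help the next backporter.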

Ben Hutchings
Apr 26, 2016, 8:20:11 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <del...@gmx.de>

commit 2ef4dfd9d9f288943e249b78365a69e3ea3ec072 upstream.

Handling exceptions from modules never worked on parisc.
It was just masked by the fact that exceptions from modules
don't happen during normal use.

When a module triggers an exception in get_user() we need to load the
main kernel dp value before accessing the exception_data structure, and
afterwards restore the original dp value of the module on exit.

Noticed-by: Mikulas Patocka <mpat...@redhat.com>
Signed-off-by: Helge Deller <del...@gmx.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/parisc/include/asm/uaccess.h | 1 +
arch/parisc/kernel/asm-offsets.c | 1 +
arch/parisc/lib/fixup.S | 6 ++++++
arch/parisc/mm/fault.c | 1 +
4 files changed, 9 insertions(+)

--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -79,6 +79,7 @@ struct exception_table_entry {
*/
struct exception_data {
unsigned long fault_ip;
+ unsigned long fault_gp;
unsigned long fault_space;
unsigned long fault_addr;
};
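
Review bot: fault_gp is inserted between fault_ip and fault_space with no comment, and the changelog speaks of the dp value while the field and EXCDATA_GP say gp. A short comment on the member (saved %r27 of the faulting context) would tie the names together. The mid-struct insertion is fine only because the assembly takes its offsets from asm-offsets.c, which the next hunk updates.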
--- a/arch/parisc/kernel/asm-offsets.c
+++ b/arch/parisc/kernel/asm-offsets.c
@@ -292,6 +292,7 @@ int main(void)
DEFINE(ASM_PT_INITIAL, PT_INITIAL);
BLANK();
DEFINE(EXCDATA_IP, offsetof(struct exception_data, fault_ip));
+ DEFINE(EXCDATA_GP, offsetof(struct exception_data, fault_gp));
DEFINE(EXCDATA_SPACE, offsetof(struct exception_data, fault_space));
DEFINE(EXCDATA_ADDR, offsetof(struct exception_data, fault_addr));
BLANK();
--- a/arch/parisc/lib/fixup.S
+++ b/arch/parisc/lib/fixup.S
@@ -26,6 +26,7 @@

#ifdef CONFIG_SMP
.macro get_fault_ip t1 t2
+ loadgp
addil LT%__per_cpu_offset,%r27
LDREG RT%__per_cpu_offset(%r1),\t1
/* t2 = smp_processor_id() */
@@ -40,14 +41,19 @@
LDREG RT%exception_data(%r1),\t1
/* t1 = &__get_cpu_var(exception_data) */
add,l \t1,\t2,\t1
+ /* %r27 = t1->fault_gp - restore gp */
+ LDREG EXCDATA_GP(\t1), %r27
/* t1 = t1->fault_ip */
LDREG EXCDATA_IP(\t1), \t1
.endm
#else
.macro get_fault_ip t1 t2
+ loadgp
/* t1 = &__get_cpu_var(exception_data) */
addil LT%exception_data,%r27
LDREG RT%exception_data(%r1),\t2
+ /* %r27 = t2->fault_gp - restore gp */
+ LDREG EXCDATA_GP(\t2), %r27
/* t1 = t2->fault_ip */
LDREG EXCDATA_IP(\t2), \t1
.endm
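
Review bot: in both get_fault_ip variants, %r27 is overwritten with the saved fault_gp before the final LDREG of EXCDATA_IP. That works because the last load is relative to \t1 or \t2 and not to %r27, but nothing in the macro says so. Add a comment that no gp-relative access may follow the restore, so a later edit does not place one after it.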
--- a/arch/parisc/mm/fault.c
+++ b/arch/parisc/mm/fault.c
@@ -151,6 +151,7 @@ int fixup_exception(struct pt_regs *regs
struct exception_data *d;
d = this_cpu_ptr(&exception_data);
d->fault_ip = regs->iaoq[0];
+ d->fault_gp = regs->gr[27];
d->fault_space = regs->isr;
d->fault_addr = regs->ior;

Ben Hutchings
Apr 26, 2016, 8:20:12 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bj...@mork.no>

commit d48d5691ebf88a15d95ba96486917ffc79256536 upstream.

Thomas reports:
"Windows:

00 diagnostics
01 modem
02 at-port
03 nmea
04 nic

Linux:

T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=2001 ProdID=7e19 Rev=02.32
S: Manufacturer=Mobile Connect
S: Product=Mobile Connect
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"

Reported-by: Thomas Schäfer <tsch...@t-online.de>
Signed-off-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1829,6 +1829,8 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
+ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff), /* D-Link DWM-221 B1 */
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */
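
Review bot: the 0x2001:0x7e19 entry matches every class 0xff interface and depends on net_intf4_blacklist to leave interface 4 alone, yet the changelog consists only of the quoted report. One sentence saying that If#4 is the NIC claimed by qmi_wwan, as the Linux listing shows, would record why the blacklist is there.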

Ben Hutchings
Apr 26, 2016, 8:30:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <wil...@google.com>

[ Upstream commit 2793a23aacbd754dbbb5cb75093deb7e4103bace ]

Netdevice parameter hard_header_len is variously interpreted both as
an upper and lower bound on link layer header length. The field is
used as upper bound when reserving room at allocation, as lower bound
when validating user input in PF_PACKET.

Clarify the definition to be maximum header length. For validation
of untrusted headers, add an optional validate member to header_ops.

Allow bypassing of validation by passing CAP_SYS_RAWIO, for instance
for deliberate testing of corrupt input. In this case, pad trailing
bytes, as some device drivers expect completely initialized headers.

See also http://comments.gmane.org/gmane.linux.network/401064

Signed-off-by: Willem de Bruijn <wil...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.16: net_device has inline comments instead of kernel-doc]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -262,6 +262,7 @@ struct header_ops {
void (*cache_update)(struct hh_cache *hh,
const struct net_device *dev,
const unsigned char *haddr);
+ bool (*validate)(const char *ll_header, unsigned int len);
};

/* These flag bits are private to the generic network queueing
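
Review bot: the new validate member in struct header_ops has no comment describing its contract. dev_validate_header() later in this patch only calls it when len is below hard_header_len, so say that next to the member, together with what a true return promises about the bytes the driver will go on to read.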
@@ -1347,7 +1348,7 @@ struct net_device {

unsigned int mtu; /* interface MTU value */
unsigned short type; /* interface hardware type */
- unsigned short hard_header_len; /* hardware hdr length */
+ unsigned short hard_header_len; /* maximum hardware hdr length */

/* extra head- and tailroom the hardware may need, but not in all cases
* can this be guaranteed, especially tailroom. Some cases also use
@@ -2071,6 +2072,24 @@ static inline int dev_rebuild_header(str
return dev->header_ops->rebuild(skb);
}

+/* ll_header must have at least hard_header_len allocated */
+static inline bool dev_validate_header(const struct net_device *dev,
+ char *ll_header, int len)
+{
+ if (likely(len >= dev->hard_header_len))
+ return true;
+
+ if (capable(CAP_SYS_RAWIO)) {
+ memset(ll_header + len, 0, dev->hard_header_len - len);
+ return true;
+ }
+
+ if (dev->header_ops && dev->header_ops->validate)
+ return dev->header_ops->validate(ll_header, len);
+
+ return false;
+}
+
typedef int gifconf_func_t(struct net_device * dev, char __user * bufptr, int len);
int register_gifconf(unsigned int family, gifconf_func_t *gifconf);
static inline int unregister_gifconf(unsigned int family)
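
Review bot: dev_validate_header() takes len as a signed int and compares it with the unsigned short hard_header_len, then in the CAP_SYS_RAWIO branch calls memset(ll_header + len, 0, dev->hard_header_len - len). A negative len would fail the first test and reach that memset with a pointer before the buffer and a length larger than hard_header_len. Make len unsigned int, matching the validate callback's prototype, or reject len < 0 up front. The ll_header parameter is also char * here but const char * in the callback, and the comment above the function should say that the buffer is written to in the padding case.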

Ben Hutchings
Apr 26, 2016, 8:30:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <casc...@redhat.com>

commit b6ee376cb0b7fb4e7e07d6cd248bd40436fb9ba6 upstream.

When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
before ip6_tnl_create2 is called. When register_netdevice is called, there
is no linkinfo attribute in the NEWLINK message because of that.

Setting rtnl_link_ops before calling register_netdevice fixes that.

Fixes: 0b112457229d ("ip6tnl: add support of link creation via rtnl")
Signed-off-by: Thadeu Lima de Souza Cascardo <casc...@redhat.com>
Acked-by: Nicolas Dichtel <nicolas...@6wind.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/ip6_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -273,12 +273,12 @@ static int ip6_tnl_create2(struct net_de

t = netdev_priv(dev);

+ dev->rtnl_link_ops = &ip6_link_ops;
err = register_netdevice(dev);
if (err < 0)
goto out;

strcpy(t->parms.name, dev->name);
- dev->rtnl_link_ops = &ip6_link_ops;

dev_hold(dev);
ip6_tnl_link(ip6n, t);
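
Review bot: with dev->rtnl_link_ops assigned before register_netdevice(), the err < 0 path at goto out now leaves the device with rtnl_link_ops set, where before it was still unset. The hunk does not show the out label or the caller's cleanup, so please confirm that freeing the device on that path does not depend on rtnl_link_ops being unset, or clear it before the goto.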

Ben Hutchings
Apr 26, 2016, 8:30:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bj...@mork.no>

commit 0db65fcfcded76fe4f74e3ca9f4e2baf67b683ef upstream.

New device IDs shamelessly lifted from the vendor driver.

Signed-off-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -766,6 +766,10 @@ static const struct usb_device_id produc
{QMI_FIXED_INTF(0x1199, 0x9056, 8)}, /* Sierra Wireless Modem */
{QMI_FIXED_INTF(0x1199, 0x9057, 8)},
{QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */
+ {QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */
+ {QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */
+ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */
+ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */
{QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
{QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
{QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
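
Review bot: the four 0x1199 entries bind interfaces 8 and 10 for both 0x9070 and 0x9071, and the changelog says only that the IDs come from the vendor driver. State whether either interface number was exercised on hardware, so a wrong binding can be traced back later.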

Ben Hutchings
Apr 26, 2016, 8:30:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kristian Evensen <kristian...@gmail.com>

commit 18715b261541f35ccede9b8686ee3ebaac697d38 upstream.

SIMCom 7230E is a QMI LTE module with support for most "normal" bands.
Manual testing has shown that only interface five works.

Cc: Bjørn Mork <bj...@mork.no>
Signed-off-by: Kristian Evensen <kristian...@gmail.com>
Acked-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -794,6 +794,7 @@ static const struct usb_device_id produc
{QMI_FIXED_INTF(0x413c, 0x81b1, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
{QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
{QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
+ {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */

/* 4. Gobi 1000 devices */
{QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */

Ben Hutchings
Apr 26, 2016, 8:30:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jann Horn <ja...@thejh.net>

commit 378c6520e7d29280f400ef2ceaf155c86f05a71a upstream.

This commit fixes the following security hole affecting systems where
all of the following conditions are fulfilled:

- The fs.suid_dumpable sysctl is set to 2.
- The kernel.core_pattern sysctl's value starts with "/". (Systems
where kernel.core_pattern starts with "|/" are not affected.)
- Unprivileged user namespace creation is permitted. (This is
true on Linux >=3.8, but some distributions disallow it by
default using a distro patch.)

Under these conditions, if a program executes under secure exec rules,
causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
namespace, changes its root directory and crashes, the coredump will be
written using fsuid=0 and a path derived from kernel.core_pattern - but
this path is interpreted relative to the root directory of the process,
allowing the attacker to control where a coredump will be written with
root privileges.

To fix the security issue, always interpret core_pattern for dumps that
are written under SUID_DUMP_ROOT relative to the root directory of init.

Signed-off-by: Jann Horn <ja...@thejh.net>
Acked-by: Kees Cook <kees...@chromium.org>
Cc: Al Viro <vi...@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebie...@xmission.com>
Cc: Andy Lutomirski <lu...@kernel.org>
Cc: Oleg Nesterov <ol...@redhat.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/um/drivers/mconsole_kern.c | 2 +-
fs/coredump.c | 30 ++++++++++++++++++++++++++----
fs/fhandle.c | 2 +-
fs/open.c | 6 ++----
include/linux/fs.h | 2 +-
kernel/sysctl_binary.c | 2 +-
6 files changed, 32 insertions(+), 12 deletions(-)

--- a/arch/um/drivers/mconsole_kern.c
+++ b/arch/um/drivers/mconsole_kern.c
@@ -133,7 +133,7 @@ void mconsole_proc(struct mc_request *re
ptr += strlen("proc");
ptr = skip_spaces(ptr);

- file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY);
+ file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY, 0);
if (IS_ERR(file)) {
mconsole_reply(req, "Failed to open file", 1, 0);
printk(KERN_ERR "open /proc/%s: %ld\n", ptr, PTR_ERR(file));
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -32,6 +32,9 @@
#include <linux/pipe_fs_i.h>
#include <linux/oom.h>
#include <linux/compat.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/path.h>

#include <asm/uaccess.h>
#include <asm/mmu_context.h>
@@ -613,6 +616,8 @@ void do_coredump(const siginfo_t *siginf
}
} else {
struct inode *inode;
+ int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW |
+ O_LARGEFILE | O_EXCL;

if (cprm.limit < binfmt->min_coredump)
goto fail_unlock;
@@ -651,10 +656,27 @@ void do_coredump(const siginfo_t *siginf
* what matters is that at least one of the two processes
* writes its coredump successfully, not which one.
*/
- cprm.file = filp_open(cn.corename,
- O_CREAT | 2 | O_NOFOLLOW |
- O_LARGEFILE | O_EXCL,
- 0600);
+ if (need_suid_safe) {
+ /*
+ * Using user namespaces, normal user tasks can change
+ * their current->fs->root to point to arbitrary
+ * directories. Since the intention of the "only dump
+ * with a fully qualified path" rule is to control where
+ * coredumps may be placed using root privileges,
+ * current->fs->root must not be used. Instead, use the
+ * root directory of init_task.
+ */
+ struct path root;
+
+ task_lock(&init_task);
+ get_fs_root(init_task.fs, &root);
+ task_unlock(&init_task);
+ cprm.file = file_open_root(root.dentry, root.mnt,
+ cn.corename, open_flags, 0600);
+ path_put(&root);
+ } else {
+ cprm.file = filp_open(cn.corename, open_flags, 0600);
+ }
if (IS_ERR(cprm.file))
goto fail_unlock;
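
Review bot: in the need_suid_safe branch, cn.corename is handed to file_open_root() together with init_task's root, and the fix depends on file_open_root() resolving a name that begins with "/" against the passed root rather than against current->fs->root. The new comment explains why init's root is used but not that property. Add a sentence on it, since the open.c change in this patch is what makes O_CREAT usable through that helper.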

--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -228,7 +228,7 @@ long do_handle_open(int mountdirfd,
path_put(&path);
return fd;
}
- file = file_open_root(path.dentry, path.mnt, "", open_flag);
+ file = file_open_root(path.dentry, path.mnt, "", open_flag, 0);
if (IS_ERR(file)) {
put_unused_fd(fd);
retval = PTR_ERR(file);
--- a/fs/open.c
+++ b/fs/open.c
@@ -946,14 +946,12 @@ struct file *filp_open(const char *filen
EXPORT_SYMBOL(filp_open);

struct file *file_open_root(struct dentry *dentry, struct vfsmount *mnt,
- const char *filename, int flags)
+ const char *filename, int flags, umode_t mode)
{
struct open_flags op;
- int err = build_open_flags(flags, 0, &op);
+ int err = build_open_flags(flags, mode, &op);
if (err)
return ERR_PTR(err);
- if (flags & O_CREAT)
- return ERR_PTR(-EINVAL);
if (!filename && (flags & O_DIRECTORY))
if (!dentry->d_inode->i_op->lookup)
return ERR_PTR(-ENOTDIR);
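
Review bot: dropping the O_CREAT rejection from file_open_root() lifts it for every caller, not just do_coredump(). The fhandle.c and sysctl_binary.c call sites in this patch pass their own flags variable with a mode of 0, so please confirm that neither can arrive here with O_CREAT set, or keep the -EINVAL for callers that pass mode 0.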
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2030,7 +2030,7 @@ extern long do_sys_open(int dfd, const c
extern struct file *file_open_name(struct filename *, int, umode_t);
extern struct file *filp_open(const char *, int, umode_t);
extern struct file *file_open_root(struct dentry *, struct vfsmount *,
- const char *, int);
+ const char *, int, umode_t);
extern struct file * dentry_open(const struct path *, int, const struct cred *);
extern int filp_close(struct file *, fl_owner_t id);

--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -1320,7 +1320,7 @@ static ssize_t binary_sysctl(const int *
}

mnt = task_active_pid_ns(current)->proc_mnt;
- file = file_open_root(mnt->mnt_root, mnt, pathname, flags);
+ file = file_open_root(mnt->mnt_root, mnt, pathname, flags, 0);
result = PTR_ERR(file);
if (IS_ERR(file))
goto out_putname;
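
The three preconditions listed in the commit message above, turned into a configuration check. This is an added example, not part of the patch or the kernel tree; the function names, the PROC_SYS override and the yes/no/unknown argument for user-namespace availability are assumptions of the example.

```shell
#!/bin/sh
# Added example: classify a host against the preconditions named in the
# commit message (fs.suid_dumpable == 2, core_pattern starting with "/",
# unprivileged user namespace creation permitted).
# All function and variable names here are hypothetical.

# classify_coredump_config SUID_DUMPABLE CORE_PATTERN [USERNS]
# USERNS is "yes", "no" or "unknown": whether unprivileged user namespace
# creation is permitted. The operator supplies it, because the switch that
# controls it differs between distributions.
classify_coredump_config() {
    dumpable=$1
    pattern=$2
    userns=${3:-unknown}

    # Condition 1: only suid_dumpable=2 dumps secure-exec tasks as root.
    if [ "$dumpable" != "2" ]; then
        echo "not-affected:suid_dumpable=$dumpable"
        return 0
    fi

    # Condition 2: the pattern must be an absolute path. A leading "|"
    # selects a pipe handler, which the commit message excludes.
    case $pattern in
        "|"*) echo "not-affected:pipe-handler"; return 0 ;;
        /*)   ;;
        *)    echo "not-affected:relative-pattern"; return 0 ;;
    esac

    # Condition 3: the task must be able to unshare its user namespace.
    case $userns in
        yes) echo "affected" ;;
        no)  echo "not-affected:userns-disabled" ;;
        *)   echo "check-userns" ;;
    esac
}

# classify_live_host [USERNS]
# Reads both sysctls from procfs. PROC_SYS may point at another directory
# tree with the same layout (used for testing).
classify_live_host() {
    dir=${PROC_SYS:-/proc/sys}
    if [ ! -r "$dir/fs/suid_dumpable" ] || [ ! -r "$dir/kernel/core_pattern" ]; then
        echo "unknown:sysctl-unreadable"
        return 1
    fi
    IFS= read -r live_dumpable < "$dir/fs/suid_dumpable" || true
    IFS= read -r live_pattern < "$dir/kernel/core_pattern" || true
    classify_coredump_config "$live_dumpable" "$live_pattern" "${1:-unknown}"
}

# Constructed sample configurations, not taken from a real host.
classify_coredump_config 2 '/var/crash/core.%e.%p' yes
classify_coredump_config 2 '|/usr/libexec/core-helper %p' yes
classify_coredump_config 1 '/var/crash/core.%e.%p' yes
classify_coredump_config 2 '/var/crash/core.%e.%p'
```

A result of check-userns means the first two conditions hold and the third has to be established for the distribution in use.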

Ben Hutchings
Apr 26, 2016, 8:30:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long <lucie...@gmail.com>

[ Upstream commit 40b4f0fd74e46c017814618d67ec9127ff20f157 ]

As the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check
the port of addresses, just like sctp_v4_cmp_addr, because it's invoked by
sctp_cmp_addr_exact().

Now sctp_v6_cmp_addr just checks the port when two addresses have a different
family, and lacks the port check for two ipv6 addresses. That will make
sctp_hash_cmp() not work well.

So fix it by adding ports comparison in sctp_v6_cmp_addr().

Signed-off-by: Xin Long <lucie...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/sctp/ipv6.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -519,6 +519,8 @@ static int sctp_v6_cmp_addr(const union
}
return 0;
}
+ if (addr1->v6.sin6_port != addr2->v6.sin6_port)
+ return 0;
if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
return 0;
/* If this is a linklocal address, compare the scope_id. */
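
Review bot: the sin6_port test is added ahead of ipv6_addr_equal() with no comment, and it changes what every user of the AF_INET6 .cmp_addr hook treats as equal. The changelog names sctp_cmp_addr_exact() only. List the other callers that were checked, and add a comment that ports are compared here to match sctp_v4_cmp_addr().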

Ben Hutchings
Apr 26, 2016, 8:30:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.va...@sandisk.com>

commit 51093254bf879bc9ce96590400a87897c7498463 upstream.

Let the target core check task existence instead of the SRP target
driver. Additionally, let the target core check the validity of the
task management request instead of the ib_srpt driver.

This patch fixes the following kernel crash:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
IP: [<ffffffffa0565f37>] srpt_handle_new_iu+0x6d7/0x790 [ib_srpt]
Oops: 0002 [#1] SMP
Call Trace:
[<ffffffffa05660ce>] srpt_process_completion+0xde/0x570 [ib_srpt]
[<ffffffffa056669f>] srpt_compl_thread+0x13f/0x160 [ib_srpt]
[<ffffffff8109726f>] kthread+0xcf/0xe0
[<ffffffff81613cfc>] ret_from_fork+0x7c/0xb0

Signed-off-by: Bart Van Assche <bart.va...@sandisk.com>
Fixes: 3e4f574857ee ("ib_srpt: Convert TMR path to target_submit_tmr")
Tested-by: Alex Estrin <alex....@intel.com>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Cc: Nicholas Bellinger <n...@linux-iscsi.org>
Cc: Sagi Grimberg <sa...@mellanox.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>
[bwh: Backported to 3.16: deleted code is slightly different]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/infiniband/ulp/srpt/ib_srpt.c | 59 +----------------------------------
1 file changed, 1 insertion(+), 58 deletions(-)

--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1744,47 +1744,6 @@ send_sense:
return -1;
}

-/**
- * srpt_rx_mgmt_fn_tag() - Process a task management function by tag.
- * @ch: RDMA channel of the task management request.
- * @fn: Task management function to perform.
- * @req_tag: Tag of the SRP task management request.
- * @mgmt_ioctx: I/O context of the task management request.
- *
- * Returns zero if the target core will process the task management
- * request asynchronously.
- *
- * Note: It is assumed that the initiator serializes tag-based task management
- * requests.
- */
-static int srpt_rx_mgmt_fn_tag(struct srpt_send_ioctx *ioctx, u64 tag)
-{
- struct srpt_device *sdev;
- struct srpt_rdma_ch *ch;
- struct srpt_send_ioctx *target;
- int ret, i;
-
- ret = -EINVAL;
- ch = ioctx->ch;
- BUG_ON(!ch);
- BUG_ON(!ch->sport);
- sdev = ch->sport->sdev;
- BUG_ON(!sdev);
- spin_lock_irq(&sdev->spinlock);
- for (i = 0; i < ch->rq_size; ++i) {
- target = ch->ioctx_ring[i];
- if (target->cmd.se_lun == ioctx->cmd.se_lun &&
- target->tag == tag &&
- srpt_get_cmd_state(target) != SRPT_STATE_DONE) {
- ret = 0;
- /* now let the target core abort &target->cmd; */
- break;
- }
- }
- spin_unlock_irq(&sdev->spinlock);
- return ret;
-}
-
static int srp_tmr_to_tcm(int fn)
{
switch (fn) {
@@ -1819,7 +1778,6 @@ static void srpt_handle_tsk_mgmt(struct
struct se_cmd *cmd;
struct se_session *sess = ch->sess;
uint64_t unpacked_lun;
- uint32_t tag = 0;
int tcm_tmr;
int rc;

@@ -1835,25 +1793,10 @@ static void srpt_handle_tsk_mgmt(struct
srpt_set_cmd_state(send_ioctx, SRPT_STATE_MGMT);
send_ioctx->tag = srp_tsk->tag;
tcm_tmr = srp_tmr_to_tcm(srp_tsk->tsk_mgmt_func);
- if (tcm_tmr < 0) {
- send_ioctx->cmd.se_tmr_req->response =
- TMR_TASK_MGMT_FUNCTION_NOT_SUPPORTED;
- goto fail;
- }
unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_tsk->lun,
sizeof(srp_tsk->lun));
-
- if (srp_tsk->tsk_mgmt_func == SRP_TSK_ABORT_TASK) {
- rc = srpt_rx_mgmt_fn_tag(send_ioctx, srp_tsk->task_tag);
- if (rc < 0) {
- send_ioctx->cmd.se_tmr_req->response =
- TMR_TASK_DOES_NOT_EXIST;
- goto fail;
- }
- tag = srp_tsk->task_tag;
- }
rc = target_submit_tmr(&send_ioctx->cmd, sess, NULL, unpacked_lun,
- srp_tsk, tcm_tmr, GFP_KERNEL, tag,
+ srp_tsk, tcm_tmr, GFP_KERNEL, srp_tsk->task_tag,
TARGET_SCF_ACK_KREF);
if (rc != 0) {
send_ioctx->cmd.se_tmr_req->response = TMR_FUNCTION_REJECTED;
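
Review bot: with the tcm_tmr < 0 test removed, a negative result from srp_tmr_to_tcm() now goes straight into target_submit_tmr(), and srp_tsk->task_tag is passed for every function where it used to be 0 unless tsk_mgmt_func was SRP_TSK_ABORT_TASK. The changelog says the target core performs these checks. For this 3.16 backport, confirm that the target core in this tree rejects an unsupported function and ignores the tag for non-abort requests.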

Ben Hutchings
Apr 26, 2016, 8:30:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+...@glider.be>

commit ff1cab374ad98f4b9f408525ca9c08992b4ed784 upstream.

The BSP team noticed that there is a spin/mutex lock issue on sh-sci when
CPUFREQ is used. The issue is that the notifier function may call
mutex_lock() while the spinlock is held, which can lead to a BUG().
This may happen if CPUFREQ is changed while another CPU calls
clk_get_rate().

Taking the spinlock was added to the notifier function in commit
e552de2413edad1a ("sh-sci: add platform device private data"), to
protect the list of serial ports against modification during traversal.
At that time the Common Clock Framework didn't exist yet, and
clk_get_rate() just returned clk->rate without taking a mutex.
Note that since commit d535a2305facf9b4 ("serial: sh-sci: Require a
device per port mapping."), there's no longer a list of serial ports to
traverse, and taking the spinlock became superfluous.

To fix the issue, just remove the cpufreq notifier:
1. The notifier doesn't work correctly: all it does is update the
stored clock rate; it does not update the divider in the hardware.
The divider will only be updated when calling sci_set_termios().
I believe this was broken back in 2004, when the old
drivers/char/sh-sci.c driver (where the notifier did update the
divider) was replaced by drivers/serial/sh-sci.c (where the
notifier just updated port->uartclk).
Cfr. full-history-linux commits 6f8deaef2e9675d9 ("[PATCH] sh: port
sh-sci driver to the new API") and 3f73fe878dc9210a ("[PATCH]
Remove old sh-sci driver").
2. On modern SoCs, the sh-sci parent clock rate is no longer related
to the CPU clock rate anyway, so using a cpufreq notifier is
futile.

Signed-off-by: Geert Uytterhoeven <geert+...@glider.be>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/tty/serial/sh-sci.c | 39 ---------------------------------------
1 file changed, 39 deletions(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -38,7 +38,6 @@
#include <linux/major.h>
#include <linux/module.h>
#include <linux/mm.h>
-#include <linux/notifier.h>
#include <linux/of.h>
#include <linux/platform_device.h>
#include <linux/pm_runtime.h>
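
Review bot: only <linux/notifier.h> is dropped from the include list. If the file also includes <linux/cpufreq.h> solely for the cpufreq_register_notifier() and cpufreq_unregister_notifier() calls removed further down, drop that as well; it lies outside the context shown here.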
@@ -118,8 +117,6 @@ struct sci_port {
struct timer_list rx_timer;
unsigned int rx_timeout;
#endif
-
- struct notifier_block freq_transition;
};

/* Function prototypes */
@@ -1029,29 +1026,6 @@ static irqreturn_t sci_mpxed_interrupt(i
return ret;
}

-/*
- * Here we define a transition notifier so that we can update all of our
- * ports' baud rate when the peripheral clock changes.
- */
-static int sci_notifier(struct notifier_block *self,
- unsigned long phase, void *p)
-{
- struct sci_port *sci_port;
- unsigned long flags;
-
- sci_port = container_of(self, struct sci_port, freq_transition);
-
- if (phase == CPUFREQ_POSTCHANGE) {
- struct uart_port *port = &sci_port->port;
-
- spin_lock_irqsave(&port->lock, flags);
- port->uartclk = clk_get_rate(sci_port->iclk);
- spin_unlock_irqrestore(&port->lock, flags);
- }
-
- return NOTIFY_OK;
-}
-
static struct sci_irq_desc {
const char *desc;
irq_handler_t handler;
@@ -2406,9 +2380,6 @@ static int sci_remove(struct platform_de
{
struct sci_port *port = platform_get_drvdata(dev);

- cpufreq_unregister_notifier(&port->freq_transition,
- CPUFREQ_TRANSITION_NOTIFIER);
-
uart_remove_one_port(&sci_uart_driver, &port->port);

sci_cleanup_single(port);
@@ -2557,16 +2528,6 @@ static int sci_probe(struct platform_dev
if (ret)
return ret;

- sp->freq_transition.notifier_call = sci_notifier;
-
- ret = cpufreq_register_notifier(&sp->freq_transition,
- CPUFREQ_TRANSITION_NOTIFIER);
- if (unlikely(ret < 0)) {
- uart_remove_one_port(&sci_uart_driver, &sp->port);
- sci_cleanup_single(sp);
- return ret;
- }
-
#ifdef CONFIG_SH_STANDARD_BIOS
sh_bios_gdb_detach();
#endif

Ben Hutchings
Apr 26, 2016, 8:30:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bj...@mork.no>

[ Upstream commit 48906f62c96cc2cd35753e59310cb70eb08cc6a5 ]

Some devices will silently fail setup unless they are reset first.
This is necessary even if the data interface is already in
altsetting 0, which it will be when the device is probed for the
first time. Briefly toggling the altsetting forces a function
reset regardless of the initial state.

This fixes a setup problem observed on a number of Huawei devices,
appearing to operate in NTB-32 mode even if we explicitly set them
to NTB-16 mode.

Signed-off-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/cdc_ncm.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -815,7 +815,11 @@ advance:

iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber;

- /* reset data interface */
+ /* Reset data interface. Some devices will not reset properly
+ * unless they are configured first. Toggle the altsetting to
+ * force a reset
+ */
+ usb_set_interface(dev->udev, iface_no, data_altsetting);
temp = usb_set_interface(dev->udev, iface_no, 0);
if (temp) {
dev_dbg(&intf->dev, "set interface failed\n");
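
Review bot: the added usb_set_interface(dev->udev, iface_no, data_altsetting) discards its return value, while the call for altsetting 0 right after it is checked. If a failure of the first call is meant to be ignored, say so in the comment; otherwise log it with dev_dbg() as the second call does. The comment's wording, that devices will not reset unless they are configured first, would also read more clearly as: select the data altsetting first, then return to 0.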

Ben Hutchings
Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit aeb6641f8ebdd61939f462a8255b316f9bfab707 upstream.

gcc-6 complains about the indentation of the lpfc_destroy_vport_work_array()
call in lpfc_online(), which clearly doesn't look right:

drivers/scsi/lpfc/lpfc_init.c: In function 'lpfc_online':
drivers/scsi/lpfc/lpfc_init.c:2880:3: warning: statement is indented as if it were guarded by... [-Wmisleading-indentation]
lpfc_destroy_vport_work_array(phba, vports);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/lpfc/lpfc_init.c:2863:2: note: ...this 'if' clause, but it is not
if (vports != NULL)
^~

Looking at the patch that introduced this code, it's clear that the
behavior is correct and the indentation is wrong.

This fixes the indentation and adds curly braces around the previous
if() block for clarity, as that is most likely what caused the code
to be misindented in the first place.

Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Fixes: 549e55cd2a1b ("[SCSI] lpfc 8.2.2 : Fix locking around HBA's port_list")
Reviewed-by: Sebastian Herbszt <her...@gmx.de>
Reviewed-by: Hannes Reinecke <ha...@suse.com>
Reviewed-by: Ewan D. Milne <emi...@redhat.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/scsi/lpfc/lpfc_init.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -2817,7 +2817,7 @@ lpfc_online(struct lpfc_hba *phba)
}

vports = lpfc_create_vport_work_array(phba);
- if (vports != NULL)
+ if (vports != NULL) {
for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) {
struct Scsi_Host *shost;
shost = lpfc_shost_from_vport(vports[i]);
@@ -2834,7 +2834,8 @@ lpfc_online(struct lpfc_hba *phba)
}
spin_unlock_irq(shost->host_lock);
}
- lpfc_destroy_vport_work_array(phba, vports);
+ }
+ lpfc_destroy_vport_work_array(phba, vports);

lpfc_unblock_mgmt_io(phba);
return 0;
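
Review bot: after the re-indentation, lpfc_destroy_vport_work_array(phba, vports) is plainly called even when vports is NULL. The changelog says the behaviour was already like this and is correct; a note there that the function accepts a NULL array would spare the next reader from checking.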

Ben Hutchings
Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <dan...@iogearbox.net>

[ Upstream commit 5a5abb1fa3b05dd6aa821525832644c1e7d2905f ]

Sasha Levin reported a suspicious rcu_dereference_protected() warning
found while fuzzing with trinity that is similar to this one:

[ 52.765684] net/core/filter.c:2262 suspicious rcu_dereference_protected() usage!
[ 52.765688] other info that might help us debug this:
[ 52.765695] rcu_scheduler_active = 1, debug_locks = 1
[ 52.765701] 1 lock held by a.out/1525:
[ 52.765704] #0: (rtnl_mutex){+.+.+.}, at: [<ffffffff816a64b7>] rtnl_lock+0x17/0x20
[ 52.765721] stack backtrace:
[ 52.765728] CPU: 1 PID: 1525 Comm: a.out Not tainted 4.5.0+ #264
[...]
[ 52.765768] Call Trace:
[ 52.765775] [<ffffffff813e488d>] dump_stack+0x85/0xc8
[ 52.765784] [<ffffffff810f2fa5>] lockdep_rcu_suspicious+0xd5/0x110
[ 52.765792] [<ffffffff816afdc2>] sk_detach_filter+0x82/0x90
[ 52.765801] [<ffffffffa0883425>] tun_detach_filter+0x35/0x90 [tun]
[ 52.765810] [<ffffffffa0884ed4>] __tun_chr_ioctl+0x354/0x1130 [tun]
[ 52.765818] [<ffffffff8136fed0>] ? selinux_file_ioctl+0x130/0x210
[ 52.765827] [<ffffffffa0885ce3>] tun_chr_ioctl+0x13/0x20 [tun]
[ 52.765834] [<ffffffff81260ea6>] do_vfs_ioctl+0x96/0x690
[ 52.765843] [<ffffffff81364af3>] ? security_file_ioctl+0x43/0x60
[ 52.765850] [<ffffffff81261519>] SyS_ioctl+0x79/0x90
[ 52.765858] [<ffffffff81003ba2>] do_syscall_64+0x62/0x140
[ 52.765866] [<ffffffff817d563f>] entry_SYSCALL64_slow_path+0x25/0x25

Same can be triggered with PROVE_RCU (+ PROVE_RCU_REPEATEDLY) enabled
from tun_attach_filter() when user space calls ioctl(tun_fd, TUN{ATTACH,
DETACH}FILTER, ...) for adding/removing a BPF filter on tap devices.

Since the fix in f91ff5b9ff52 ("net: sk_{detach|attach}_filter() rcu
fixes") sk_attach_filter()/sk_detach_filter() now dereferences the
filter with rcu_dereference_protected(), checking whether socket lock
is held in control path.

Since its introduction in 994051625981 ("tun: socket filter support"),
tap filters are managed under RTNL lock from __tun_chr_ioctl(). Thus the
sock_owned_by_user(sk) doesn't apply in this specific case and therefore
triggers the false positive.

Extend the BPF API with __sk_attach_filter()/__sk_detach_filter() pair
that is used by tap filters and pass in lockdep_rtnl_is_held() for the
rcu_dereference_protected() checks instead.

Reported-by: Sasha Levin <sasha...@oracle.com>
Signed-off-by: Daniel Borkmann <dan...@iogearbox.net>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.16:
- Drop changes to sk_attach_bpf(), __sk_attach_prog()
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -553,7 +553,8 @@ static int tun_attach(struct tun_struct

/* Re-attach the filter to persist device */
if (!skip_filter && (tun->filter_attached == true)) {
- err = sk_attach_filter(&tun->fprog, tfile->socket.sk);
+ err = __sk_attach_filter(&tun->fprog, tfile->socket.sk,
+ lockdep_rtnl_is_held());
if (!err)
goto out;
}
@@ -1792,7 +1793,7 @@ static void tun_detach_filter(struct tun

for (i = 0; i < n; i++) {
tfile = rtnl_dereference(tun->tfiles[i]);
- sk_detach_filter(tfile->socket.sk);
+ __sk_detach_filter(tfile->socket.sk, lockdep_rtnl_is_held());
}

tun->filter_attached = false;
@@ -1805,7 +1806,8 @@ static int tun_attach_filter(struct tun_

for (i = 0; i < tun->numqueues; i++) {
tfile = rtnl_dereference(tun->tfiles[i]);
- ret = sk_attach_filter(&tun->fprog, tfile->socket.sk);
+ ret = __sk_attach_filter(&tun->fprog, tfile->socket.sk,
+ lockdep_rtnl_is_held());
if (ret) {
tun_detach_filter(tun, i);
return ret;
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -359,7 +359,10 @@ int sk_unattached_filter_create(struct s
void sk_unattached_filter_destroy(struct sk_filter *fp);

int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk);
+int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk,
+ bool locked);
int sk_detach_filter(struct sock *sk);
+int __sk_detach_filter(struct sock *sk, bool locked);

int sk_chk_filter(struct sock_filter *filter, unsigned int flen);
int sk_get_filter(struct sock *sk, struct sock_filter __user *filter,
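Review bot: The new prototypes __sk_attach_filter() and __sk_detach_filter() take a bare bool locked with no comment on what it means. Going by the filter.c hunks it is only the condition handed to rcu_dereference_protected(), so a one-line comment here saying that callers pass the lockdep expression for the lock protecting sk->sk_filter (sock_owned_by_user(sk) or lockdep_rtnl_is_held()) would stop it being read as a behaviour switch.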
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1590,7 +1590,8 @@ EXPORT_SYMBOL_GPL(sk_unattached_filter_d
* occurs or there is insufficient memory for the filter a negative
* errno code is returned. On success the return is zero.
*/
-int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
+int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk,
+ bool locked)
{
struct sk_filter *fp, *old_fp;
unsigned int fsize = sk_filter_proglen(fprog);
@@ -1629,8 +1630,7 @@ int sk_attach_filter(struct sock_fprog *
if (IS_ERR(fp))
return PTR_ERR(fp);

- old_fp = rcu_dereference_protected(sk->sk_filter,
- sock_owned_by_user(sk));
+ old_fp = rcu_dereference_protected(sk->sk_filter, locked);
rcu_assign_pointer(sk->sk_filter, fp);

if (old_fp)
@@ -1638,9 +1638,14 @@ int sk_attach_filter(struct sock_fprog *

return 0;
}
-EXPORT_SYMBOL_GPL(sk_attach_filter);
+EXPORT_SYMBOL_GPL(__sk_attach_filter);

-int sk_detach_filter(struct sock *sk)
+int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
+{
+ return __sk_attach_filter(fprog, sk, sock_owned_by_user(sk));
+}
+
+int __sk_detach_filter(struct sock *sk, bool locked)
{
int ret = -ENOENT;
struct sk_filter *filter;
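Review bot: EXPORT_SYMBOL_GPL(sk_attach_filter) is replaced by EXPORT_SYMBOL_GPL(__sk_attach_filter) and the new sk_attach_filter() wrapper is left unexported; the last hunk does the same to sk_detach_filter(). tun.c is switched to the __ variants in this patch, but any other modular caller of the old names would stop linking, so either confirm there is none in 3.16 or keep both exports.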
@@ -1648,8 +1653,7 @@ int sk_detach_filter(struct sock *sk)
if (sock_flag(sk, SOCK_FILTER_LOCKED))
return -EPERM;

- filter = rcu_dereference_protected(sk->sk_filter,
- sock_owned_by_user(sk));
+ filter = rcu_dereference_protected(sk->sk_filter, locked);
if (filter) {
RCU_INIT_POINTER(sk->sk_filter, NULL);
sk_filter_uncharge(sk, filter);
@@ -1658,7 +1662,12 @@ int sk_detach_filter(struct sock *sk)

return ret;
}
-EXPORT_SYMBOL_GPL(sk_detach_filter);
+EXPORT_SYMBOL_GPL(__sk_detach_filter);
+
+int sk_detach_filter(struct sock *sk)
+{
+ return __sk_detach_filter(sk, sock_owned_by_user(sk));
+}

int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
unsigned int len)

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Haishuang Yan <yanhai...@cmss.chinamobile.com>

[ Upstream commit 5745b8232e942abd5e16e85fa9b27cc21324acf0 ]

pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
right place.

Signed-off-by: Haishuang Yan <yanhai...@cmss.chinamobile.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/l2tp/l2tp_ip.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *
struct l2tp_tunnel *tunnel = NULL;
int length;

- /* Point to L2TP header */
- optr = ptr = skb->data;
-
if (!pskb_may_pull(skb, 4))
goto discard;

+ /* Point to L2TP header */
+ optr = ptr = skb->data;
session_id = ntohl(*((__be32 *) ptr));
ptr += 4;

@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *
if (!pskb_may_pull(skb, length))
goto discard;

+ /* Point to L2TP header */
+ optr = ptr = skb->data;
+ ptr += 4;
pr_debug("%s: ip recv\n", tunnel->name);
print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
}
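Review bot: The second reload of optr/ptr is placed between the pskb_may_pull(skb, length) check and pr_debug(), just before a closing brace, so it appears to cover only the debug dump. If anything after that brace still uses ptr or optr it needs the same reload; the bare ptr += 4 also repeats the session-id skip from the first hunk and deserves a comment or a named constant.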

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eryu Guan <guan...@gmail.com>

commit 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 upstream.

ext4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on
error (e.g. EIO) and iloc.bh can be NULL in this case. But the error is
ignored in the following "if" condition and ext4_expand_extra_isize()
might be called with NULL iloc.bh set, which triggers NULL pointer
dereference.

This is uncovered by commit 8b4953e13f4c ("ext4: reserve code points for
the project quota feature"), which enlarges the ext4_inode size, and
by running the following script on a new kernel but with an old mke2fs:

#!/bin/bash
mnt=/mnt/ext4
devname=ext4-error
dev=/dev/mapper/$devname
fsimg=/home/fs.img

trap cleanup 0 1 2 3 9 15

cleanup()
{
umount $mnt >/dev/null 2>&1
dmsetup remove $devname
losetup -d $backend_dev
rm -f $fsimg
exit 0
}

rm -f $fsimg
fallocate -l 1g $fsimg
backend_dev=`losetup -f --show $fsimg`
devsize=`blockdev --getsz $backend_dev`

good_tab="0 $devsize linear $backend_dev 0"
error_tab="0 $devsize error $backend_dev 0"

dmsetup create $devname --table "$good_tab"

mkfs -t ext4 $dev
mount -t ext4 -o errors=continue,strictatime $dev $mnt

dmsetup load $devname --table "$error_tab" && dmsetup resume $devname
echo 3 > /proc/sys/vm/drop_caches
ls -l $mnt
exit 0

[ Patch changed to simplify the function a tiny bit. -- Ted ]

Signed-off-by: Eryu Guan <guan...@gmail.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5008,6 +5008,8 @@ int ext4_mark_inode_dirty(handle_t *hand
might_sleep();
trace_ext4_mark_inode_dirty(inode, _RET_IP_);
err = ext4_reserve_inode_write(handle, inode, &iloc);
+ if (err)
+ return err;
if (ext4_handle_valid(handle) &&
EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize &&
!ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) {
@@ -5038,9 +5040,7 @@ int ext4_mark_inode_dirty(handle_t *hand
}
}
}
- if (!err)
- err = ext4_mark_iloc_dirty(handle, inode, &iloc);
- return err;
+ return ext4_mark_iloc_dirty(handle, inode, &iloc);
}

/*
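Review bot: The last hunk replaces the if (!err) guard with an unconditional return ext4_mark_iloc_dirty(handle, inode, &iloc). That is equivalent only if nothing between the new early return and this point assigns err, which the context shown here does not establish; please state that in the changelog or keep the guard.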

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jakub Sitnicki <jk...@redhat.com>

commit 3ba3458fb9c050718b95275a3310b74415e767e2 upstream.

When sending a UDPv6 message longer than MTU, account for the length
of fragmentable IPv6 extension headers in skb->network_header offset.
Same as we do in alloc_new_skb path in __ip6_append_data().

This ensures that later on __ip6_make_skb() will make space in
headroom for fragmentable extension headers:

/* move skb->data to ip header from ext header */
if (skb->data < skb_network_header(skb))
__skb_pull(skb, skb_network_offset(skb));

Prevents a splat due to skb_under_panic:

skbuff: skb_under_panic: text:ffffffff8143397b len:2126 put:14 \
head:ffff880005bacf50 data:ffff880005bacf4a tail:0x48 end:0xc0 dev:lo
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:104!
invalid opcode: 0000 [#1] KASAN
CPU: 0 PID: 160 Comm: reproducer Not tainted 4.6.0-rc2 #65
[...]
Call Trace:
[<ffffffff813eb7b9>] skb_push+0x79/0x80
[<ffffffff8143397b>] eth_header+0x2b/0x100
[<ffffffff8141e0d0>] neigh_resolve_output+0x210/0x310
[<ffffffff814eab77>] ip6_finish_output2+0x4a7/0x7c0
[<ffffffff814efe3a>] ip6_output+0x16a/0x280
[<ffffffff815440c1>] ip6_local_out+0xb1/0xf0
[<ffffffff814f1115>] ip6_send_skb+0x45/0xd0
[<ffffffff81518836>] udp_v6_send_skb+0x246/0x5d0
[<ffffffff8151985e>] udpv6_sendmsg+0xa6e/0x1090
[...]

Reported-by: Ji Jianwen <ji...@redhat.com>
Signed-off-by: Jakub Sitnicki <jk...@redhat.com>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/ip6_output.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1049,9 +1049,8 @@ static inline int ip6_ufo_append_data(st
int getfrag(void *from, char *to, int offset, int len,
int odd, struct sk_buff *skb),
void *from, int length, int hh_len, int fragheaderlen,
- int transhdrlen, int mtu,unsigned int flags,
- struct rt6_info *rt)
-
+ int exthdrlen, int transhdrlen, int mtu,
+ unsigned int flags, struct rt6_info *rt)
{
struct sk_buff *skb;
struct frag_hdr fhdr;
@@ -1075,7 +1074,7 @@ static inline int ip6_ufo_append_data(st
skb_put(skb,fragheaderlen + transhdrlen);

/* initialize network header pointer */
- skb_reset_network_header(skb);
+ skb_set_network_header(skb, exthdrlen);

/* initialize protocol header pointer */
skb->transport_header = skb->network_header + fragheaderlen;
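Review bot: In ip6_ufo_append_data() the network header now starts at exthdrlen and the transport header at network_header + fragheaderlen, while the skb_put() a few lines above still reserves only fragheaderlen + transhdrlen. A short comment saying whether transhdrlen already includes exthdrlen on this path would show that the transport header stays inside the reserved area.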
@@ -1300,7 +1299,7 @@ emsgsize:
(rt->dst.dev->features & NETIF_F_UFO) &&
(sk->sk_type == SOCK_DGRAM)) {
err = ip6_ufo_append_data(sk, getfrag, from, length,
- hh_len, fragheaderlen,
+ hh_len, fragheaderlen, exthdrlen,
transhdrlen, mtu, flags, rt);
if (err)
goto error;

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bill Sommerfeld <wsomm...@google.com>

[ Upstream commit 59dca1d8a6725a121dae6c452de0b2611d5865dc ]

IPv4 interprets a negative return value from a protocol handler as a
request to redispatch to a new protocol. In contrast, IPv6 interprets a
negative value as an error, and interprets a positive value as a request
for redispatch.

UDP for IPv6 was unaware of this difference. Change __udp6_lib_rcv() to
return a positive value for redispatch. Note that the socket's
encap_rcv hook still needs to return a negative value to request
dispatch, and in the case of IPv6 packets, adjust IP6CB(skb)->nhoff to
identify the byte containing the next protocol.

Signed-off-by: Bill Sommerfeld <wsomm...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/udp.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -899,11 +899,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
ret = udpv6_queue_rcv_skb(sk, skb);
sock_put(sk);

- /* a return value > 0 means to resubmit the input, but
- * it wants the return to be -protocol, or 0
- */
+ /* a return value > 0 means to resubmit the input */
if (ret > 0)
- return -ret;
+ return ret;

return 0;
}
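Review bot: The shortened comment in __udp6_lib_rcv() says only that a return value > 0 means resubmit and no longer says what the value is. Since the changelog points out that IPv4 and IPv6 use opposite signs here and that encap_rcv still returns a negative value, the comment should spell out that the positive value from udpv6_queue_rcv_skb() is passed up unchanged for IPv6 redispatch.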

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Reinhard Speyerer <rs...@arcor.de>

commit e3426ca7bc2957ee072f61360c2b81b4adb629ad upstream.

Sierra Wireless MC7305/MC7355 with USB ID 1199:9041 also provide a
second QMI/network interface like the MC73xx with USB ID 1199:68c0 on
USB interface #10 when used in the appropriate USB configuration.
Add the corresponding QMI_FIXED_INTF entry to the qmi_wwan driver.

Please note that the second QMI/network interface is not working for
early MC73xx firmware versions like 01.08.x as the device does not
respond to QMI messages on the second /dev/cdc-wdm port.

Signed-off-by: Reinhard Speyerer <rs...@arcor.de>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -758,6 +758,7 @@ static const struct usb_device_id produc
{QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */
{QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */
{QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */
+ {QMI_FIXED_INTF(0x1199, 0x9041, 10)}, /* Sierra Wireless MC7305/MC7355 */
{QMI_FIXED_INTF(0x1199, 0x9051, 8)}, /* Netgear AirCard 340U */
{QMI_FIXED_INTF(0x1199, 0x9053, 8)}, /* Sierra Wireless Modem */
{QMI_FIXED_INTF(0x1199, 0x9054, 8)}, /* Sierra Wireless Modem */
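Review bot: The added QMI_FIXED_INTF(0x1199, 0x9041, 10) entry carries the same comment as the interface 8 entry directly above it. Say in the comment that this is the second QMI/network interface, and ideally carry over the firmware caveat from the changelog, so the pair does not look like a copy-and-paste duplicate.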

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal <f...@strlen.de>

commit 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91 upstream.

Otherwise this function may read data beyond the ruleset blob.

Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv4/netfilter/arp_tables.c | 6 ++++--
net/ipv4/netfilter/ip_tables.c | 6 ++++--
net/ipv6/netfilter/ip6_tables.c | 6 ++++--
3 files changed, 12 insertions(+), 6 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -563,7 +563,8 @@ static inline int check_entry_size_and_h
int err;

if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct arpt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p\n", e);
return -EINVAL;
}
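Review bot: The added clause (unsigned char *)e + e->next_offset > limit reads e->next_offset, so it must stay after the sizeof(struct arpt_entry) >= limit test and rely on || short-circuiting; a comment saying so would protect against reordering. It also bounds next_offset only from above, so a value smaller than the entry header still passes this condition, and since the identical clause is repeated at all six sites in this patch a shared helper would keep them from drifting.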
@@ -1223,7 +1224,8 @@ check_compat_entry_size_and_hooks(struct

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL;
}
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -726,7 +726,8 @@ check_entry_size_and_hooks(struct ipt_en
int err;

if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct ipt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p\n", e);
return -EINVAL;
}
@@ -1489,7 +1490,8 @@ check_compat_entry_size_and_hooks(struct

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
- (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL;
}
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -737,7 +737,8 @@ check_entry_size_and_hooks(struct ip6t_e
int err;

if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
- (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct ip6t_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p\n", e);
return -EINVAL;
}
@@ -1501,7 +1502,8 @@ check_compat_entry_size_and_hooks(struct

duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
- (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
+ (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit ||
+ (unsigned char *)e + e->next_offset > limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL;
}
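
The bound this patch adds, modelled in userspace as an added example (not code from the patch or the kernel). struct demo_entry, the 64-byte blob and all function names are constructed for illustration, and byte offsets stand in for the kernel's pointer comparisons against limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_EINVAL (-22)
#define BLOB_SIZE   64u

/* Constructed, simplified stand-in for an xtables rule entry header. */
struct demo_entry {
    uint16_t target_offset;
    uint16_t next_offset;      /* bytes from this entry to the next one */
    uint8_t  pad[12];
};

/* Mirrors the condition in check_entry_size_and_hooks(): alignment, header
 * inside the blob, and (only when patched) next_offset inside the blob. */
static int check_entry(const unsigned char *blob, size_t size, size_t off,
                       int patched)
{
    struct demo_entry hdr;

    if (off % _Alignof(struct demo_entry) != 0 ||
        off + sizeof(hdr) >= size)
        return DEMO_EINVAL;
    /* Safe to read next_offset only after the header check above passed. */
    memcpy(&hdr, blob + off, sizeof(hdr));
    if (patched && off + hdr.next_offset > size)
        return DEMO_EINVAL;
    return 0;
}

/* Walks the entries. Returns the number accepted, or DEMO_EINVAL when the
 * checker rejects one. *overrun is how many bytes past the end of the blob
 * an accepted entry claims to extend (0 when everything stays inside). */
static int walk(const unsigned char *blob, size_t size, int patched,
                size_t *overrun)
{
    size_t off = 0;
    int accepted = 0;

    *overrun = 0;
    while (off < size) {
        struct demo_entry hdr;
        int err = check_entry(blob, size, off, patched);

        if (err)
            return err;
        memcpy(&hdr, blob + off, sizeof(hdr));
        accepted++;
        /* Minimum-size check, separate from the bound this patch adds;
         * needed here so the walk always makes progress. */
        if (hdr.next_offset < sizeof(hdr))
            return DEMO_EINVAL;
        if (off + hdr.next_offset > size) {
            *overrun = off + hdr.next_offset - size;
            return accepted;   /* a real walker would now read out of bounds */
        }
        off += hdr.next_offset;
    }
    return accepted;
}

/* Builds a constructed two-entry blob (entries at offsets 0 and 32) and
 * walks it; second_next is the next_offset stored in the second entry. */
static int demo_walk(uint16_t second_next, int patched, size_t *overrun)
{
    unsigned char blob[BLOB_SIZE];
    struct demo_entry e = {0};

    memset(blob, 0, sizeof(blob));
    e.target_offset = (uint16_t)sizeof(e);
    e.next_offset = 32;
    memcpy(blob, &e, sizeof(e));
    e.next_offset = second_next;
    memcpy(blob + 32, &e, sizeof(e));
    return walk(blob, sizeof(blob), patched, overrun);
}

int main(void)
{
    size_t over;
    int r;

    r = demo_walk(32, 1, &over);
    printf("well-formed, patched:   ret=%d overrun=%zu\n", r, over);
    r = demo_walk(4096, 0, &over);
    printf("oversized, unpatched:   ret=%d overrun=%zu\n", r, over);
    r = demo_walk(4096, 1, &over);
    printf("oversized, patched:     ret=%d overrun=%zu\n", r, over);
    return 0;
}
```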

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 upstream.

gcc-6 finds an out of bounds access in the fst_add_one function
when calculating the end of the mmio area:

drivers/net/wan/farsync.c: In function 'fst_add_one':
drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
#define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
^
include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
__builtin_offsetof(a, b)
^
drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
#define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
^~~~~~~~
drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
+ BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
^~~~~~~~~~

The warning is correct, but not critical because this appears
to be a write-only variable that is set by each WAN driver but
never accessed afterwards.

I'm taking the minimal fix here, using the correct pointer by
pointing 'mem_end' to the last byte inside of the register area
as all other WAN drivers do, rather than the first byte outside of
it. An alternative would be to just remove the mem_end member
entirely.

Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/wan/farsync.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -2516,7 +2516,7 @@ fst_add_one(struct pci_dev *pdev, const
dev->mem_start = card->phys_mem
+ BUF_OFFSET ( txBuffer[i][0][0]);
dev->mem_end = card->phys_mem
- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
+ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]);
dev->base_addr = card->pci_conf;
dev->irq = card->irq;
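Review bot: The new mem_end expression indexes txBuffer with LEN_RX_BUFFER - 1 in the last dimension. Unless the RX and TX buffer lengths are guaranteed identical, a TX-length constant is the right bound for txBuffer; at minimum add a comment explaining why the RX constant is used.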

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guo-Fu Tseng <cool...@cooldavid.org>

commit 0772a99b818079e628a1da122ac7ee023faed83e upstream.

Otherwise it might be back on resume right after going to suspend in
some hardware.

Reported-by: Diego Viola <diego...@gmail.com>
Signed-off-by: Guo-Fu Tseng <cool...@cooldavid.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/jme.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/jme.c
+++ b/drivers/net/ethernet/jme.c
@@ -270,11 +270,17 @@ jme_reset_mac_processor(struct jme_adapt
}

static inline void
-jme_clear_pm(struct jme_adapter *jme)
+jme_clear_pm_enable_wol(struct jme_adapter *jme)
{
jwrite32(jme, JME_PMCS, PMCS_STMASK | jme->reg_pmcs);
}

+static inline void
+jme_clear_pm_disable_wol(struct jme_adapter *jme)
+{
+ jwrite32(jme, JME_PMCS, PMCS_STMASK);
+}
+
static int
jme_reload_eeprom(struct jme_adapter *jme)
{
@@ -1857,7 +1863,7 @@ jme_open(struct net_device *netdev)
struct jme_adapter *jme = netdev_priv(netdev);
int rc;

- jme_clear_pm(jme);
+ jme_clear_pm_disable_wol(jme);
JME_NAPI_ENABLE(jme);

tasklet_init(&jme->linkch_task, jme_link_change_tasklet,
@@ -1933,7 +1939,7 @@ jme_powersave_phy(struct jme_adapter *jm
jme_set_100m_half(jme);
if (jme->reg_pmcs & (PMCS_LFEN | PMCS_LREN))
jme_wait_link(jme);
- jme_clear_pm(jme);
+ jme_clear_pm_enable_wol(jme);
} else {
jme_phy_off(jme);
}
@@ -2650,7 +2656,6 @@ jme_set_wol(struct net_device *netdev,
if (wol->wolopts & WAKE_MAGIC)
jme->reg_pmcs |= PMCS_MFEN;

- jwrite32(jme, JME_PMCS, jme->reg_pmcs);
device_set_wakeup_enable(&jme->pdev->dev, !!(jme->reg_pmcs));

return 0;
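Review bot: jme_set_wol() no longer writes JME_PMCS, so the options accumulated in jme->reg_pmcs reach the hardware only through jme_clear_pm_enable_wol() in jme_powersave_phy(). A comment at the removed jwrite32() saying the register write is deferred to that path would keep someone from putting it back.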
@@ -3176,7 +3181,7 @@ jme_init_one(struct pci_dev *pdev,
jme->mii_if.mdio_read = jme_mdio_read;
jme->mii_if.mdio_write = jme_mdio_write;

- jme_clear_pm(jme);
+ jme_clear_pm_disable_wol(jme);
device_set_wakeup_enable(&pdev->dev, true);

jme_set_phyfifo_5level(jme);
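Review bot: In jme_init_one(), jme_clear_pm_disable_wol(jme) is followed immediately by device_set_wakeup_enable(&pdev->dev, true), which reads as contradictory. The helper only leaves jme->reg_pmcs out of the JME_PMCS write, so add a comment that wakeup capability stays enabled here while the wake bits themselves are written later by jme_clear_pm_enable_wol().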
@@ -3308,7 +3313,7 @@ jme_resume(struct device *dev)
if (!netif_running(netdev))
return 0;

- jme_clear_pm(jme);
+ jme_clear_pm_disable_wol(jme);
jme_phy_on(jme);
if (test_bit(JME_FLAG_SSET, &jme->flags))
jme_set_settings(netdev, &jme->old_ecmd);

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <lu...@kernel.org>

commit c29016cf41fe9fa994a5ecca607cf5f1cd98801e upstream.

iopl(3) is supposed to work if iopl is already 3, even if
unprivileged. This didn't work right on Xen PV. Fix it.

Reviewed-by: Jan Beulich <JBeu...@suse.com>
Signed-off-by: Andy Lutomirski <lu...@kernel.org>
Cc: Andrew Cooper <andrew....@citrix.com>
Cc: Andy Lutomirski <lu...@amacapital.net>
Cc: Boris Ostrovsky <boris.o...@oracle.com>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Brian Gerst <brg...@gmail.com>
Cc: David Vrabel <david....@citrix.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Jan Beulich <JBeu...@suse.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Link: http://lkml.kernel.org/r/8ce12013e6e4c0a44a97e316be4a6f...@kernel.org
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/x86/kernel/ioport.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -96,9 +96,14 @@ asmlinkage long sys_ioperm(unsigned long
SYSCALL_DEFINE1(iopl, unsigned int, level)
{
struct pt_regs *regs = current_pt_regs();
- unsigned int old = (regs->flags >> 12) & 3;
struct thread_struct *t = &current->thread;

+ /*
+ * Careful: the IOPL bits in regs->flags are undefined under Xen PV
+ * and changing them has no effect.
+ */
+ unsigned int old = t->iopl >> X86_EFLAGS_IOPL_BIT;
+
if (level > 3)
return -EINVAL;
/* Trying to gain more privileges? */
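Review bot: old is now computed as t->iopl >> X86_EFLAGS_IOPL_BIT without the & 3 mask the removed line had. That holds only while every writer stores nothing but level << X86_EFLAGS_IOPL_BIT in t->iopl, as the second hunk does; either keep the mask or say so in the new comment.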
@@ -106,8 +111,9 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
}
- regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
- t->iopl = level << 12;
+ regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
+ (level << X86_EFLAGS_IOPL_BIT);
+ t->iopl = level << X86_EFLAGS_IOPL_BIT;
set_iopl_mask(t->iopl);

return 0;
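Review bot: The comment added in the first hunk says the IOPL bits in regs->flags are undefined under Xen PV and that changing them has no effect, yet this hunk still updates regs->flags. A short comment here that the write is kept for the non-Xen-PV case would make the intent clear.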

Ben Hutchings

Apr 26, 2016, 8:30:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdma...@suse.com>

commit 56f23fdbb600e6087db7b009775b95ce07cc3195 upstream.

If we rename an inode A (be it a file or a directory), create a new
inode B with the old name of inode A and under the same parent directory,
fsync inode B and then power fail, at log tree replay time we end up
removing inode A completely. If inode A is a directory then all its files
are gone too.

Example scenarios where this happens:
This is reproducible with the following steps, taken from a couple of
test cases written for fstests which are going to be submitted upstream
soon:

# Scenario 1

mkfs.btrfs -f /dev/sdc
mount /dev/sdc /mnt
mkdir -p /mnt/a/x
echo "hello" > /mnt/a/x/foo
echo "world" > /mnt/a/x/bar
sync
mv /mnt/a/x /mnt/a/y
mkdir /mnt/a/x
xfs_io -c fsync /mnt/a/x
<power failure happens>

The next time the fs is mounted, log tree replay happens and
the directory "y" does not exist nor do the files "foo" and
"bar" exist anywhere (neither in "y" nor in "x", nor the root
nor anywhere).

# Scenario 2

mkfs.btrfs -f /dev/sdc
mount /dev/sdc /mnt
mkdir /mnt/a
echo "hello" > /mnt/a/foo
sync
mv /mnt/a/foo /mnt/a/bar
echo "world" > /mnt/a/foo
xfs_io -c fsync /mnt/a/foo
<power failure happens>

The next time the fs is mounted, log tree replay happens and the
file "bar" does not exist anymore. A file with the name "foo"
exists and it matches the second file we created.

Another related problem that does not involve file/data loss is when a
new inode is created with the name of a deleted snapshot and we fsync it:

mkfs.btrfs -f /dev/sdc
mount /dev/sdc /mnt
mkdir /mnt/testdir
btrfs subvolume snapshot /mnt /mnt/testdir/snap
btrfs subvolume delete /mnt/testdir/snap
rmdir /mnt/testdir
mkdir /mnt/testdir
xfs_io -c fsync /mnt/testdir # or fsync some file inside /mnt/testdir
<power failure>

The next time the fs is mounted the log replay procedure fails because
it attempts to delete the snapshot entry (which has dir item key type
of BTRFS_ROOT_ITEM_KEY) as if it were a regular (non-root) entry,
resulting in the following error that causes mount to fail:

[52174.510532] BTRFS info (device dm-0): failed to delete reference to snap, inode 257 parent 257
[52174.512570] ------------[ cut here ]------------
[52174.513278] WARNING: CPU: 12 PID: 28024 at fs/btrfs/inode.c:3986 __btrfs_unlink_inode+0x178/0x351 [btrfs]()
[52174.514681] BTRFS: Transaction aborted (error -2)
[52174.515630] Modules linked in: btrfs dm_flakey dm_mod overlay crc32c_generic ppdev xor raid6_pq acpi_cpufreq parport_pc tpm_tis sg parport tpm evdev i2c_piix4 proc
[52174.521568] CPU: 12 PID: 28024 Comm: mount Tainted: G W 4.5.0-rc6-btrfs-next-27+ #1
[52174.522805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
[52174.524053] 0000000000000000 ffff8801df2a7710 ffffffff81264e93 ffff8801df2a7758
[52174.524053] 0000000000000009 ffff8801df2a7748 ffffffff81051618 ffffffffa03591cd
[52174.524053] 00000000fffffffe ffff88015e6e5000 ffff88016dbc3c88 ffff88016dbc3c88
[52174.524053] Call Trace:
[52174.524053] [<ffffffff81264e93>] dump_stack+0x67/0x90
[52174.524053] [<ffffffff81051618>] warn_slowpath_common+0x99/0xb2
[52174.524053] [<ffffffffa03591cd>] ? __btrfs_unlink_inode+0x178/0x351 [btrfs]
[52174.524053] [<ffffffff81051679>] warn_slowpath_fmt+0x48/0x50
[52174.524053] [<ffffffffa03591cd>] __btrfs_unlink_inode+0x178/0x351 [btrfs]
[52174.524053] [<ffffffff8118f5e9>] ? iput+0xb0/0x284
[52174.524053] [<ffffffffa0359fe8>] btrfs_unlink_inode+0x1c/0x3d [btrfs]
[52174.524053] [<ffffffffa038631e>] check_item_in_log+0x1fe/0x29b [btrfs]
[52174.524053] [<ffffffffa0386522>] replay_dir_deletes+0x167/0x1cf [btrfs]
[52174.524053] [<ffffffffa038739e>] fixup_inode_link_count+0x289/0x2aa [btrfs]
[52174.524053] [<ffffffffa038748a>] fixup_inode_link_counts+0xcb/0x105 [btrfs]
[52174.524053] [<ffffffffa038a5ec>] btrfs_recover_log_trees+0x258/0x32c [btrfs]
[52174.524053] [<ffffffffa03885b2>] ? replay_one_extent+0x511/0x511 [btrfs]
[52174.524053] [<ffffffffa034f288>] open_ctree+0x1dd4/0x21b9 [btrfs]
[52174.524053] [<ffffffffa032b753>] btrfs_mount+0x97e/0xaed [btrfs]
[52174.524053] [<ffffffff8108e1b7>] ? trace_hardirqs_on+0xd/0xf
[52174.524053] [<ffffffff8117bafa>] mount_fs+0x67/0x131
[52174.524053] [<ffffffff81193003>] vfs_kern_mount+0x6c/0xde
[52174.524053] [<ffffffffa032af81>] btrfs_mount+0x1ac/0xaed [btrfs]
[52174.524053] [<ffffffff8108e1b7>] ? trace_hardirqs_on+0xd/0xf
[52174.524053] [<ffffffff8108c262>] ? lockdep_init_map+0xb9/0x1b3
[52174.524053] [<ffffffff8117bafa>] mount_fs+0x67/0x131
[52174.524053] [<ffffffff81193003>] vfs_kern_mount+0x6c/0xde
[52174.524053] [<ffffffff8119590f>] do_mount+0x8a6/0x9e8
[52174.524053] [<ffffffff811358dd>] ? strndup_user+0x3f/0x59
[52174.524053] [<ffffffff81195c65>] SyS_mount+0x77/0x9f
[52174.524053] [<ffffffff814935d7>] entry_SYSCALL_64_fastpath+0x12/0x6b
[52174.561288] ---[ end trace 6b53049efb1a3ea6 ]---

Fix this by forcing a transaction commit when such cases happen.
This means we check in the commit root of the subvolume tree if there
was any other inode with the same reference when the inode we are
fsync'ing is a new inode (created in the current transaction).

Test cases for fstests, covering all the scenarios given above, were
submitted upstream for fstests:

* fstests: generic test for fsync after renaming directory
https://patchwork.kernel.org/patch/8694281/

* fstests: generic test for fsync after renaming file
https://patchwork.kernel.org/patch/8694301/

* fstests: add btrfs test for fsync after snapshot deletion
https://patchwork.kernel.org/patch/8670671/

Signed-off-by: Filipe Manana <fdma...@suse.com>
Signed-off-by: Chris Mason <c...@fb.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/btrfs/tree-log.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 137 insertions(+)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -3877,6 +3877,127 @@ static int logged_inode_size(struct btrf
return 0;
}

+/*
+ * When we are logging a new inode X, check if it doesn't have a reference that
+ * matches the reference from some other inode Y created in a past transaction
+ * and that was renamed in the current transaction. If we don't do this, then at
+ * log replay time we can lose inode Y (and all its files if it's a directory):
+ *
+ * mkdir /mnt/x
+ * echo "hello world" > /mnt/x/foobar
+ * sync
+ * mv /mnt/x /mnt/y
+ * mkdir /mnt/x # or touch /mnt/x
+ * xfs_io -c fsync /mnt/x
+ * <power fail>
+ * mount fs, trigger log replay
+ *
+ * After the log replay procedure, we would lose the first directory and all its
+ * files (file foobar).
+ * For the case where inode Y is not a directory we simply end up losing it:
+ *
+ * echo "123" > /mnt/foo
+ * sync
+ * mv /mnt/foo /mnt/bar
+ * echo "abc" > /mnt/foo
+ * xfs_io -c fsync /mnt/foo
+ * <power fail>
+ *
+ * We also need this for cases where a snapshot entry is replaced by some other
+ * entry (file or directory) otherwise we end up with an unreplayable log due to
+ * attempts to delete the snapshot entry (entry of type BTRFS_ROOT_ITEM_KEY) as
+ * if it were a regular entry:
+ *
+ * mkdir /mnt/x
+ * btrfs subvolume snapshot /mnt /mnt/x/snap
+ * btrfs subvolume delete /mnt/x/snap
+ * rmdir /mnt/x
+ * mkdir /mnt/x
+ * fsync /mnt/x or fsync some new file inside it
+ * <power fail>
+ *
+ * The snapshot delete, rmdir of x, mkdir of a new x and the fsync all happen in
+ * the same transaction.
+ */
+static int btrfs_check_ref_name_override(struct extent_buffer *eb,
+ const int slot,
+ const struct btrfs_key *key,
+ struct inode *inode)
+{
+ int ret;
+ struct btrfs_path *search_path;
+ char *name = NULL;
+ u32 name_len = 0;
+ u32 item_size = btrfs_item_size_nr(eb, slot);
+ u32 cur_offset = 0;
+ unsigned long ptr = btrfs_item_ptr_offset(eb, slot);
+
+ search_path = btrfs_alloc_path();
+ if (!search_path)
+ return -ENOMEM;
+ search_path->search_commit_root = 1;
+ search_path->skip_locking = 1;
+
+ while (cur_offset < item_size) {
+ u64 parent;
+ u32 this_name_len;
+ u32 this_len;
+ unsigned long name_ptr;
+ struct btrfs_dir_item *di;
+
+ if (key->type == BTRFS_INODE_REF_KEY) {
+ struct btrfs_inode_ref *iref;
+
+ iref = (struct btrfs_inode_ref *)(ptr + cur_offset);
+ parent = key->offset;
+ this_name_len = btrfs_inode_ref_name_len(eb, iref);
+ name_ptr = (unsigned long)(iref + 1);
+ this_len = sizeof(*iref) + this_name_len;
+ } else {
+ struct btrfs_inode_extref *extref;
+
+ extref = (struct btrfs_inode_extref *)(ptr +
+ cur_offset);
+ parent = btrfs_inode_extref_parent(eb, extref);
+ this_name_len = btrfs_inode_extref_name_len(eb, extref);
+ name_ptr = (unsigned long)&extref->name;
+ this_len = sizeof(*extref) + this_name_len;
+ }
+
+ if (this_name_len > name_len) {
+ char *new_name;
+
+ new_name = krealloc(name, this_name_len, GFP_NOFS);
+ if (!new_name) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ name_len = this_name_len;
+ name = new_name;
+ }
+
+ read_extent_buffer(eb, name, name_ptr, this_name_len);
+ di = btrfs_lookup_dir_item(NULL, BTRFS_I(inode)->root,
+ search_path, parent,
+ name, this_name_len, 0);
+ if (di && !IS_ERR(di)) {
+ ret = 1;
+ goto out;
+ } else if (IS_ERR(di)) {
+ ret = PTR_ERR(di);
+ goto out;
+ }
+ btrfs_release_path(search_path);
+
+ cur_offset += this_len;
+ }
+ ret = 0;
+out:
+ btrfs_free_path(search_path);
+ kfree(name);
+ return ret;
+}
+
/* log a single inode in the tree log.
* At least one parent directory for this inode must exist in the tree
* or be logged already.
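Review bot: in the `while (cur_offset < item_size)` loop of btrfs_check_ref_name_override(), `this_name_len` is taken from the item and passed to `read_extent_buffer()` without first checking that `cur_offset + this_len` stays within `item_size`, so a malformed ref item would be read past its end. A check such as `if (cur_offset + this_len > item_size)` that sets `ret` to an error and jumps to `out` before the read would make the walk robust. Separately, `if (di && !IS_ERR(di)) ... else if (IS_ERR(di))` reads more clearly with the IS_ERR() test first.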
@@ -4027,6 +4148,22 @@ again:
if (min_key.type == BTRFS_INODE_ITEM_KEY)
need_log_inode_item = false;

+ if ((min_key.type == BTRFS_INODE_REF_KEY ||
+ min_key.type == BTRFS_INODE_EXTREF_KEY) &&
+ BTRFS_I(inode)->generation == trans->transid) {
+ ret = btrfs_check_ref_name_override(path->nodes[0],
+ path->slots[0],
+ &min_key, inode);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
+ } else if (ret > 0) {
+ err = 1;
+ btrfs_set_log_full_commit(root->fs_info, trans);
+ goto out_unlock;
+ }
+ }
+
src = path->nodes[0];
if (ins_nr && ins_start_slot + ins_nr == path->slots[0]) {
ins_nr++;
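Review bot: the `ret > 0` branch sets `err = 1` and calls `btrfs_set_log_full_commit()` without a comment, and nothing in this hunk says what a positive return means to the caller. A short comment stating that a reference name collision with an inode renamed in this transaction makes the log unusable for this fsync, so a full commit is requested, would tie the branch to the scenarios listed in the helper's header comment.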

Ben Hutchings

Apr 26, 2016, 8:30:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Westphal <f...@strlen.de>

commit bdf533de6968e9686df777dc178486f600c6e617 upstream.

We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.

Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv4/netfilter/arp_tables.c | 17 ++++++++---------
net/ipv4/netfilter/ip_tables.c | 17 ++++++++---------
net/ipv6/netfilter/ip6_tables.c | 17 ++++++++---------
3 files changed, 24 insertions(+), 27 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -470,14 +470,12 @@ static int mark_source_chains(const stru
return 1;
}

-static inline int check_entry(const struct arpt_entry *e, const char *name)
+static inline int check_entry(const struct arpt_entry *e)
{
const struct xt_entry_target *t;

- if (!arp_checkentry(&e->arp)) {
- duprintf("arp_tables: arp check failed %p %s.\n", e, name);
+ if (!arp_checkentry(&e->arp))
return -EINVAL;
- }

if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
return -EINVAL;
@@ -518,10 +516,6 @@ find_check_entry(struct arpt_entry *e, c
struct xt_target *target;
int ret;

- ret = check_entry(e, name);
- if (ret)
- return ret;
-
t = arpt_get_target(e);
target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
t->u.user.revision);
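Review bot: with the `check_entry()` call removed here, `arpt_get_target(e)` in find_check_entry() depends on `e->target_offset` having been validated earlier by check_entry_size_and_hooks(), and nothing at this call site says so. A comment on find_check_entry() stating that precondition would keep a future caller from reaching it with an unchecked entry. The same applies to the matching hunks in ip_tables.c and ip6_tables.c.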
@@ -566,6 +560,7 @@ static inline int check_entry_size_and_h
unsigned int valid_hooks)
{
unsigned int h;
+ int err;

if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
(unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
@@ -580,6 +575,10 @@ static inline int check_entry_size_and_h
return -EINVAL;
}

+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
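Review bot: the new `err = check_entry(e);` call has no comment explaining why it must sit in check_entry_size_and_hooks(), and the reason given in the commit message (mark_source_chains fetches the target entry for loop detection, so `target_offset` has to be sane before it runs) is easy to lose in a later cleanup. One line above the call would record that ordering requirement.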
@@ -1237,7 +1236,7 @@ check_compat_entry_size_and_hooks(struct
}

/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct arpt_entry *)e, name);
+ ret = check_entry((struct arpt_entry *)e);
if (ret)
return ret;

--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -565,14 +565,12 @@ static void cleanup_match(struct xt_entr
}

static int
-check_entry(const struct ipt_entry *e, const char *name)
+check_entry(const struct ipt_entry *e)
{
const struct xt_entry_target *t;

- if (!ip_checkentry(&e->ip)) {
- duprintf("ip check failed %p %s.\n", e, name);
+ if (!ip_checkentry(&e->ip))
return -EINVAL;
- }

if (e->target_offset + sizeof(struct xt_entry_target) >
e->next_offset)
@@ -662,10 +660,6 @@ find_check_entry(struct ipt_entry *e, st
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;

- ret = check_entry(e, name);
- if (ret)
- return ret;
-
j = 0;
mtpar.net = net;
mtpar.table = name;
@@ -729,6 +723,7 @@ check_entry_size_and_hooks(struct ipt_en
unsigned int valid_hooks)
{
unsigned int h;
+ int err;

if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
(unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
@@ -743,6 +738,10 @@ check_entry_size_and_hooks(struct ipt_en
return -EINVAL;
}

+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1503,7 +1502,7 @@ check_compat_entry_size_and_hooks(struct
}

/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ipt_entry *)e, name);
+ ret = check_entry((struct ipt_entry *)e);
if (ret)
return ret;

--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -575,14 +575,12 @@ static void cleanup_match(struct xt_entr
}

static int
-check_entry(const struct ip6t_entry *e, const char *name)
+check_entry(const struct ip6t_entry *e)
{
const struct xt_entry_target *t;

- if (!ip6_checkentry(&e->ipv6)) {
- duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+ if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
- }

if (e->target_offset + sizeof(struct xt_entry_target) >
e->next_offset)
@@ -673,10 +671,6 @@ find_check_entry(struct ip6t_entry *e, s
struct xt_mtchk_param mtpar;
struct xt_entry_match *ematch;

- ret = check_entry(e, name);
- if (ret)
- return ret;
-
j = 0;
mtpar.net = net;
mtpar.table = name;
@@ -740,6 +734,7 @@ check_entry_size_and_hooks(struct ip6t_e
unsigned int valid_hooks)
{
unsigned int h;
+ int err;

if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
(unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
@@ -754,6 +749,10 @@ check_entry_size_and_hooks(struct ip6t_e
return -EINVAL;
}

+ err = check_entry(e);
+ if (err)
+ return err;
+
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
@@ -1515,7 +1514,7 @@ check_compat_entry_size_and_hooks(struct
}

/* For purposes of check_entry casting the compat entry is fine */
- ret = check_entry((struct ip6t_entry *)e, name);
+ ret = check_entry((struct ip6t_entry *)e);
if (ret)
return ret;

Ben Hutchings

Apr 26, 2016, 8:30:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Diego Viola <diego...@gmail.com>

[ Upstream commit ee50c130c82175eaa0820c96b6d3763928af2241 ]

The JMC260 network card fails to suspend/resume because the call to
jme_start_irq() was too early, moving the call to jme_start_irq() after
the call to jme_reset_link() makes it work.

Prior to this change, suspend/resume would fail unless /sys/power/pm_async=0
was explicitly specified.

Relevant bug report: https://bugzilla.kernel.org/show_bug.cgi?id=112351

Signed-off-by: Diego Viola <diego...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/jme.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/jme.c
+++ b/drivers/net/ethernet/jme.c
@@ -3316,13 +3316,14 @@ jme_resume(struct device *dev)
jme_reset_phy_processor(jme);
jme_phy_calibration(jme);
jme_phy_setEA(jme);
- jme_start_irq(jme);
netif_device_attach(netdev);

atomic_inc(&jme->link_changing);

jme_reset_link(jme);

+ jme_start_irq(jme);
+
return 0;
}
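Review bot: `jme_start_irq(jme)` now runs after `jme_reset_link(jme)`, but the ordering constraint is not recorded anywhere in jme_resume(). A brief comment above the moved call, saying that starting interrupts before the link reset broke suspend/resume on the JMC260, would stop the call from being moved back in a later cleanup.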

Ben Hutchings

Apr 26, 2016, 8:30:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Martyn Welch <martyn...@collabora.co.uk>

commit cddc9434e3dcc37a85c4412fb8e277d3a582e456 upstream.

The CP2105 is used in the GE Healthcare Remote Alarm Box, with the
Manufacturer ID of 0x1901 and Product ID of 0x0194.

Signed-off-by: Martyn Welch <martyn...@collabora.co.uk>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -164,6 +164,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
{ USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
{ USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
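Review bot: the comment on the new `USB_DEVICE(0x1901, 0x0194)` entry omits the chip, while the two neighbouring GE entries name it (CP2105, CP2104). The commit message says this device uses a CP2105, so adding that to the comment would keep the table consistent.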

Ben Hutchings

Apr 26, 2016, 8:30:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bj...@mork.no>

[ Upstream commit bf13c94ccb33c3182efc92ce4989506a0f541243 ]

The MC74xx and EM74xx modules use different IDs by default, according
to the Lenovo EM7455 driver for Windows.

Signed-off-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -768,8 +768,10 @@ static const struct usb_device_id produc
{QMI_FIXED_INTF(0x1199, 0x9061, 8)}, /* Sierra Wireless Modem */
{QMI_FIXED_INTF(0x1199, 0x9070, 8)}, /* Sierra Wireless MC74xx/EM74xx */
{QMI_FIXED_INTF(0x1199, 0x9070, 10)}, /* Sierra Wireless MC74xx/EM74xx */
- {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx/EM74xx */
- {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx/EM74xx */
+ {QMI_FIXED_INTF(0x1199, 0x9071, 8)}, /* Sierra Wireless MC74xx */
+ {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx */
+ {QMI_FIXED_INTF(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */
+ {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */

Ben Hutchings

Apr 26, 2016, 8:30:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rabin Vincent <ra...@rab.in>

commit d6785d9152147596f60234157da2b02540c3e60f upstream.

Running the following command:

busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null

with any tracing enabled pretty very quickly leads to various NULL
pointer dereferences and VM BUG_ON()s, such as these:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: [<ffffffff8119df6c>] generic_pipe_buf_release+0xc/0x40
Call Trace:
[<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<ffffffff81196869>] do_sendfile+0x199/0x380
[<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<ffffffff8192cbee>] entry_SYSCALL_64_fastpath+0x12/0x6d

page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
kernel BUG at include/linux/mm.h:367!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
RIP: [<ffffffff8119df9c>] generic_pipe_buf_release+0x3c/0x40
Call Trace:
[<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<ffffffff81196869>] do_sendfile+0x199/0x380
[<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<ffffffff8192cd1e>] tracesys_phase2+0x84/0x89

(busybox's cat uses sendfile(2), unlike the coreutils version)

This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers with
garbage.

All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_page() handle this condition
gracefully.

Signed-off-by: Rabin Vincent <ra...@rab.in>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/splice.c | 3 +++
1 file changed, 3 insertions(+)

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -186,6 +186,9 @@ ssize_t splice_to_pipe(struct pipe_inode
unsigned int spd_pages = spd->nr_pages;
int ret, do_wakeup, page_nr;

+ if (!spd_pages)
+ return 0;
+
ret = 0;
do_wakeup = 0;
page_nr = 0;
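Review bot: the new `if (!spd_pages) return 0;` guard carries no comment, so the reason a caller can arrive with zero pages lives only in the commit message. A one-line comment noting that `nr_pages == 0` is possible (tracing_splice_read_pipe() is the caller named there) and that `spd_pages` would otherwise underflow would make the guard self-explanatory.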

Ben Hutchings

Apr 26, 2016, 8:30:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <del...@gmx.de>

commit ef72f3110d8b19f4c098a0bff7ed7d11945e70c6 upstream.

The kernel module testcase (lib/test_user_copy.c) exhibited a kernel
crash on parisc if the parameters for copy_from_user were reversed
("illegal reversed copy_to_user" testcase).

Fix this potential crash by checking the fault handler if the faulting
address is in the exception table.

Signed-off-by: Helge Deller <del...@gmx.de>
Cc: Kees Cook <kees...@chromium.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/parisc/kernel/traps.c | 3 +++
1 file changed, 3 insertions(+)

--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -802,6 +802,9 @@ void notrace handle_interruption(int cod

if (fault_space == 0 && !in_atomic())
{
+ /* Clean up and return if in exception table. */
+ if (fixup_exception(regs))
+ return;
pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC);
parisc_terminate("Kernel Fault", regs, code, fault_address);
}
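Review bot: `fixup_exception(regs)` is only tried inside the `fault_space == 0 && !in_atomic()` branch, so a kernel fault on an address covered by the exception table while in atomic context does not reach this fixup, and the hunk does not show whether that case is handled elsewhere in handle_interruption(). Worth confirming, and the comment could say which accesses this is meant to cover (the commit message names the reversed copy_from_user test in lib/test_user_copy.c).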

Ben Hutchings

Apr 26, 2016, 8:30:11 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Schemmel Hans-Christoph <Hans-Christ...@gemalto.com>

commit bd9e33508c5e1eb5d807d11d7bfc52125fcdb04e upstream.

Added support for Gemalto's Cinterion PHxx WWAN interfaces
by adding QMI_FIXED_INTF with Cinterion's VID and PID.

PHxx can have:
2 RmNet Interfaces (PID 0x0082) or
1 RmNet + 1 USB Audio interface (PID 0x0083).

Signed-off-by: Hans-Christoph Schemmel <hans-christ...@gemalto.com>
Acked-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/usb/qmi_wwan.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -786,6 +786,9 @@ static const struct usb_device_id produc
{QMI_FIXED_INTF(0x0b3c, 0xc00b, 4)}, /* Olivetti Olicard 500 */
{QMI_FIXED_INTF(0x1e2d, 0x0060, 4)}, /* Cinterion PLxx */
{QMI_FIXED_INTF(0x1e2d, 0x0053, 4)}, /* Cinterion PHxx,PXxx */
+ {QMI_FIXED_INTF(0x1e2d, 0x0082, 4)}, /* Cinterion PHxx,PXxx (2 RmNet) */
+ {QMI_FIXED_INTF(0x1e2d, 0x0082, 5)}, /* Cinterion PHxx,PXxx (2 RmNet) */
+ {QMI_FIXED_INTF(0x1e2d, 0x0083, 4)}, /* Cinterion PHxx,PXxx (1 RmNet + USB Audio)*/
{QMI_FIXED_INTF(0x413c, 0x81a2, 8)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
{QMI_FIXED_INTF(0x413c, 0x81a3, 8)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
{QMI_FIXED_INTF(0x413c, 0x81a4, 8)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
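Review bot: style nit on the last added line: the comment ends `USB Audio)*/` with no space before `*/`, unlike the other entries in the table. The two `0x0082` entries also carry identical comments although they bind interfaces 4 and 5; saying which RmNet interface each one is would make the pair easier to read.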

Ben Hutchings

Apr 26, 2016, 8:40:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.com>

commit 0d5ce778c43bf888328231bcdce05d5c860655aa upstream.

A typo of j for i led to a logic bug. To rule out future
confusion, the variable names are made meaningful.

Signed-off-by: Oliver Neukum <ONe...@suse.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/core/hub.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4221,7 +4221,7 @@ hub_port_init (struct usb_hub *hub, stru
{
struct usb_device *hdev = hub->hdev;
struct usb_hcd *hcd = bus_to_hcd(hdev->bus);
- int i, j, retval;
+ int retries, operations, retval, i;
unsigned delay = HUB_SHORT_RESET_TIME;
enum usb_device_speed oldspeed = udev->speed;
const char *speed;
@@ -4323,7 +4323,7 @@ hub_port_init (struct usb_hub *hub, stru
* first 8 bytes of the device descriptor to get the ep0 maxpacket
* value.
*/
- for (i = 0; i < GET_DESCRIPTOR_TRIES; (++i, msleep(100))) {
+ for (retries = 0; retries < GET_DESCRIPTOR_TRIES; (++retries, msleep(100))) {
bool did_new_scheme = false;

if (use_new_scheme(udev, retry_counter)) {
@@ -4350,7 +4350,7 @@ hub_port_init (struct usb_hub *hub, stru
* 255 is for WUSB devices, we actually need to use
* 512 (WUSB1.0[4.8.1]).
*/
- for (j = 0; j < 3; ++j) {
+ for (operations = 0; operations < 3; ++operations) {
buf->bMaxPacketSize0 = 0;
r = usb_control_msg(udev, usb_rcvaddr0pipe(),
USB_REQ_GET_DESCRIPTOR, USB_DIR_IN,
@@ -4376,7 +4376,7 @@ hub_port_init (struct usb_hub *hub, stru
* reset. But only on the first attempt,
* lest we get into a time out/reset loop
*/
- if (r == 0 || (r == -ETIMEDOUT && j == 0))
+ if (r == 0 || (r == -ETIMEDOUT && retries == 0))
break;
}
udev->descriptor.bMaxPacketSize0 =
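Review bot: the only behavioural change in this patch is `j == 0` becoming `retries == 0` in this hunk, and it is hard to spot among the renames. The comment above it says the timeout exception applies "only on the first attempt", which now matches the outer loop counter; splitting the rename from the fix, or at least naming this line in the commit message, would make the fix easier to audit and backport.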
@@ -4408,7 +4408,7 @@ hub_port_init (struct usb_hub *hub, stru
* authorization will assign the final address.
*/
if (udev->wusb == 0) {
- for (j = 0; j < SET_ADDRESS_TRIES; ++j) {
+ for (operations = 0; operations < SET_ADDRESS_TRIES; ++operations) {
retval = hub_set_address(udev, devnum);
if (retval >= 0)
break;

Ben Hutchings

Apr 26, 2016, 8:40:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro....@renesas.com>

commit 6490865c67825277b29638e839850882600b48ec upstream.

This patch adds a code to surely disable TX IRQ of the pipe before
starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
may happen in rare cases when DMAC is used.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro....@renesas.com>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/renesas_usbhs/fifo.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -851,6 +851,7 @@ static int usbhsf_dma_prepare_push(struc

pkt->trans = len;

+ usbhsf_tx_irq_ctrl(pipe, 0);
INIT_WORK(&pkt->work, xfer_work);
schedule_work(&pkt->work);
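Review bot: `usbhsf_tx_irq_ctrl(pipe, 0)` is added with no comment, and this hunk does not show where the TX IRQ for the pipe is enabled again once the DMA transfer is done. A comment stating that the IRQ is switched off because the DMAC path must not see TX interrupts, plus a pointer to where it is re-enabled if it is, would help the next reader.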

Ben Hutchings

Apr 26, 2016, 8:40:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Or Gerlitz <oger...@mellanox.com>

commit 6b6c07bdcdc97ccac2596063bfc32a5faddfe884 upstream.

The command timeout is terribly long, whole two hours. Make it 60s so if
things do go wrong, the user gets feedback in relatively short time, so
they can take corrective actions and/or investigate using tools and such.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Or Gerlitz <oger...@mellanox.com>
Signed-off-by: Leon Romanovsky <leo...@mellanox.com>
Signed-off-by: Saeed Mahameed <sae...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
include/linux/mlx5/driver.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -54,7 +54,7 @@ enum {
/* one minute for the sake of bringup. Generally, commands must always
* complete and we may need to increase this timeout value
*/
- MLX5_CMD_TIMEOUT_MSEC = 7200 * 1000,
+ MLX5_CMD_TIMEOUT_MSEC = 60 * 1000,
MLX5_CMD_WQ_MAX_NAME = 32,
};
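Review bot: the comment above `MLX5_CMD_TIMEOUT_MSEC` still says the value is "one minute for the sake of bringup" and that "we may need to increase this timeout value", which reads as a temporary setting. With the constant now `60 * 1000`, the comment should state the rationale from the commit message (fail within a minute so the user gets feedback) instead.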

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit 3af0d554c1ce11e9d0953381ff566271f9ab81a9 upstream.

There were two issues here:
1) dma_mapping_error() returns true/false but we want to return -ENOMEM
2) If dmaengine_prep_slave_sg() failed then "err" wasn't set but
presumably that should be -ENOMEM as well.

I changed the success path to "return 0;" instead of "return ret;" for
clarity.

Fixes: 94fe8c683cea ('ks8842: Support DMA when accessed via timberdale')
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/micrel/ks8842.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/micrel/ks8842.c
+++ b/drivers/net/ethernet/micrel/ks8842.c
@@ -561,8 +561,8 @@ static int __ks8842_start_new_rx_dma(str
sg_init_table(sg, 1);
sg_dma_address(sg) = dma_map_single(adapter->dev,
ctl->skb->data, DMA_BUFFER_SIZE, DMA_FROM_DEVICE);
- err = dma_mapping_error(adapter->dev, sg_dma_address(sg));
- if (unlikely(err)) {
+ if (dma_mapping_error(adapter->dev, sg_dma_address(sg))) {
+ err = -ENOMEM;
sg_dma_address(sg) = 0;
goto out;
}
@@ -572,8 +572,10 @@ static int __ks8842_start_new_rx_dma(str
ctl->adesc = dmaengine_prep_slave_sg(ctl->chan,
sg, 1, DMA_DEV_TO_MEM, DMA_PREP_INTERRUPT);

- if (!ctl->adesc)
+ if (!ctl->adesc) {
+ err = -ENOMEM;
goto out;
+ }

ctl->adesc->callback_param = netdev;
ctl->adesc->callback = ks8842_dma_rx_cb;
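Review bot: `err = -ENOMEM` for a NULL return from `dmaengine_prep_slave_sg()` is a guess, as the commit message itself says ("presumably"), and the visible code gives no indication that the failure is an allocation failure. Either confirm the failure modes of the DMA provider or choose a code that does not imply memory exhaustion, and note the choice in a comment.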
@@ -584,7 +586,7 @@ static int __ks8842_start_new_rx_dma(str
goto out;
}

- return err;
+ return 0;
out:
if (sg_dma_address(sg))
dma_unmap_single(adapter->dev, sg_dma_address(sg),

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Hennerich <michael....@analog.com>

commit f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577 upstream.

Fix RDAC read back errors caused by a typo. Value must shift by 2.

Fixes: a4bd394956f2 ("drivers/misc/ad525x_dpot.c: new features")
Signed-off-by: Michael Hennerich <michael....@analog.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/misc/ad525x_dpot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/ad525x_dpot.c
+++ b/drivers/misc/ad525x_dpot.c
@@ -215,7 +215,7 @@ static s32 dpot_read_i2c(struct dpot_dat
*/
value = swab16(value);

- if (dpot->uid == DPOT_UID(AD5271_ID))
+ if (dpot->uid == DPOT_UID(AD5274_ID))
value = value >> 2;
return value;
default:

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault <g.n...@alphalink.fr>

commit e8e56ffd9d2973398b60ece1f1bebb8d67b4d032 upstream.

Locking ppp_mutex must be done before dereferencing file->private_data,
otherwise it could be modified before ppp_unattached_ioctl() takes the
lock. This could lead ppp_unattached_ioctl() to override ->private_data,
thus leaking reference to the ppp_file previously pointed to.

v2: lock all ppp_ioctl() instead of just checking private_data in
ppp_unattached_ioctl(), to avoid ambiguous behaviour.

Fixes: f3ff8a4d80e8 ("ppp: push BKL down into the driver")
Signed-off-by: Guillaume Nault <g.n...@alphalink.fr>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ppp/ppp_generic.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)

--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -561,7 +561,7 @@ static int get_filter(void __user *arg,

static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
- struct ppp_file *pf = file->private_data;
+ struct ppp_file *pf;
struct ppp *ppp;
int err = -EFAULT, val, val2, i;
struct ppp_idle idle;
@@ -571,9 +571,14 @@ static long ppp_ioctl(struct file *file,
void __user *argp = (void __user *)arg;
int __user *p = argp;

- if (!pf)
- return ppp_unattached_ioctl(current->nsproxy->net_ns,
- pf, file, cmd, arg);
+ mutex_lock(&ppp_mutex);
+
+ pf = file->private_data;
+ if (!pf) {
+ err = ppp_unattached_ioctl(current->nsproxy->net_ns,
+ pf, file, cmd, arg);
+ goto out;
+ }

if (cmd == PPPIOCDETACH) {
/*
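Review bot: in the `if (!pf)` branch the call still passes `pf` to `ppp_unattached_ioctl()`, where it is known to be NULL, which hides the fact that the callee gets no ppp_file. Since the whole body of ppp_ioctl() now runs under `ppp_mutex`, it is also worth a comment at the `mutex_lock(&ppp_mutex)` line saying that the lock must be taken before `file->private_data` is read, which is the point of the fix.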
@@ -588,7 +593,6 @@ static long ppp_ioctl(struct file *file,
* this fd and reopening /dev/ppp.
*/
err = -EINVAL;
- mutex_lock(&ppp_mutex);
if (pf->kind == INTERFACE) {
ppp = PF_TO_PPP(pf);
if (file == ppp->owner)
@@ -600,15 +604,13 @@ static long ppp_ioctl(struct file *file,
} else
pr_warn("PPPIOCDETACH file->f_count=%ld\n",
atomic_long_read(&file->f_count));
- mutex_unlock(&ppp_mutex);
- return err;
+ goto out;
}

if (pf->kind == CHANNEL) {
struct channel *pch;
struct ppp_channel *chan;

- mutex_lock(&ppp_mutex);
pch = PF_TO_CHANNEL(pf);

switch (cmd) {
@@ -630,17 +632,16 @@ static long ppp_ioctl(struct file *file,
err = chan->ops->ioctl(chan, cmd, arg);
up_read(&pch->chan_sem);
}
- mutex_unlock(&ppp_mutex);
- return err;
+ goto out;
}

if (pf->kind != INTERFACE) {
/* can't happen */
pr_err("PPP: not interface or channel??\n");
- return -EINVAL;
+ err = -EINVAL;
+ goto out;
}

- mutex_lock(&ppp_mutex);
ppp = PF_TO_PPP(pf);
switch (cmd) {
case PPPIOCSMRU:
@@ -811,7 +812,10 @@ static long ppp_ioctl(struct file *file,
default:
err = -ENOTTY;
}
+
+out:
mutex_unlock(&ppp_mutex);
+
return err;
}

@@ -824,7 +828,6 @@ static int ppp_unattached_ioctl(struct n
struct ppp_net *pn;
int __user *p = (int __user *)arg;

- mutex_lock(&ppp_mutex);
switch (cmd) {
case PPPIOCNEWUNIT:
/* Create a new ppp unit */
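Review bot: ppp_unattached_ioctl() no longer takes `ppp_mutex` itself, so it is only correct when the caller holds it, and nothing in the function says so. A comment on the function, or an assertion such as `lockdep_assert_held(&ppp_mutex)` at the top (a suggestion, not part of the patch), would catch a future caller that forgets the lock.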
@@ -875,7 +878,7 @@ static int ppp_unattached_ioctl(struct n
default:
err = -ENOTTY;
}
- mutex_unlock(&ppp_mutex);
+
return err;
}

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Martin K. Petersen" <martin....@oracle.com>

commit f08bb1e0dbdd0297258d0b8cd4dbfcc057e57b2a upstream.

During revalidate we check whether device capacity has changed before we
decide whether to output disk information or not.

The check for old capacity failed to take into account that we scaled
sdkp->capacity based on the reported logical block size. And therefore
the capacity test would always fail for devices with sectors bigger than
512 bytes and we would print several copies of the same discovery
information.

Avoid scaling sdkp->capacity and instead adjust the value on the fly
when setting the block device capacity and generating fake C/H/S
geometry.

Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Reported-by: Hannes Reinecke <ha...@suse.de>
Reviewed-by: Hannes Reinicke <ha...@suse.de>
Reviewed-by: Ewan Milne <emi...@redhat.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
[bwh: Backported to 3.16:
- logical_to_sectors() is a new function
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1245,18 +1245,19 @@ static int sd_getgeo(struct block_device
struct scsi_disk *sdkp = scsi_disk(bdev->bd_disk);
struct scsi_device *sdp = sdkp->device;
struct Scsi_Host *host = sdp->host;
+ sector_t capacity = logical_to_sectors(sdp, sdkp->capacity);
int diskinfo[4];

/* default to most commonly used values */
- diskinfo[0] = 0x40; /* 1 << 6 */
- diskinfo[1] = 0x20; /* 1 << 5 */
- diskinfo[2] = sdkp->capacity >> 11;
-
+ diskinfo[0] = 0x40; /* 1 << 6 */
+ diskinfo[1] = 0x20; /* 1 << 5 */
+ diskinfo[2] = capacity >> 11;
+
/* override with calculated, extended default, or driver values */
if (host->hostt->bios_param)
- host->hostt->bios_param(sdp, bdev, sdkp->capacity, diskinfo);
+ host->hostt->bios_param(sdp, bdev, capacity, diskinfo);
else
- scsicam_bios_param(bdev, sdkp->capacity, diskinfo);
+ scsicam_bios_param(bdev, capacity, diskinfo);

geo->heads = diskinfo[0];
geo->sectors = diskinfo[1];
@@ -2235,14 +2236,6 @@ got_data:

sdp->use_16_for_rw = (sdkp->capacity > 0xffffffff);

- /* Rescale capacity to 512-byte units */
- if (sector_size == 4096)
- sdkp->capacity <<= 3;
- else if (sector_size == 2048)
- sdkp->capacity <<= 2;
- else if (sector_size == 1024)
- sdkp->capacity <<= 1;
-
blk_queue_physical_block_size(sdp->request_queue,
sdkp->physical_block_size);
sdkp->device->sector_size = sector_size;
@@ -2766,7 +2759,7 @@ static int sd_revalidate_disk(struct gen

blk_queue_flush(sdkp->disk->queue, flush);

- set_capacity(disk, sdkp->capacity);
+ set_capacity(disk, logical_to_sectors(sdp, sdkp->capacity));
sd_config_write_same(sdkp);
kfree(buffer);

--- a/drivers/scsi/sd.h
+++ b/drivers/scsi/sd.h
@@ -63,7 +63,7 @@ struct scsi_disk {
struct device dev;
struct gendisk *disk;
atomic_t openers;
- sector_t capacity; /* size in 512-byte sectors */
+ sector_t capacity; /* size in logical blocks */
u32 max_ws_blocks;
u32 max_unmap_blocks;
u32 unmap_granularity;
@@ -142,6 +142,11 @@ static inline int scsi_medium_access_com
return 0;
}

+static inline sector_t logical_to_sectors(struct scsi_device *sdev, sector_t blocks)
+{
+ return blocks << (ilog2(sdev->sector_size) - 9);
+}
+
/*
* A DIF-capable target device can be formatted with different
* protection schemes. Currently 0 through 3 are defined:
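Review bot: in logical_to_sectors() the shift count `ilog2(sdev->sector_size) - 9` is negative when `sector_size` is below 512 or not yet set, which is undefined for `<<`, and the visible hunks do not show that such sizes are excluded before this helper runs. A comment stating the precondition, or explicit handling of the smaller-than-512 case, would close that gap. The helper also lacks a one-line description of the unit conversion it performs.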

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: John Dahlstrom <jod...@SDF.ORG>

commit 4db9675d927a71faa66e5ab128d2390d6329750b upstream.

Some Lenovo ideapad models lack a physical rfkill switch.
On Lenovo models ideapad Y700 Touch-15ISK and ideapad Y700-15ISK,
ideapad-laptop would wrongly report all radios as blocked by
hardware which caused wireless network connections to fail.

Add these models without an rfkill switch to the no_hw_rfkill list.

Signed-off-by: John Dahlstrom <jod...@sdf.org>
Signed-off-by: Darren Hart <dvh...@linux.intel.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/platform/x86/ideapad-laptop.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -839,6 +839,20 @@ static struct dmi_system_id no_hw_rfkill
},
},
{
+ .ident = "Lenovo ideapad Y700-15ISK",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ISK"),
+ },
+ },
+ {
+ .ident = "Lenovo ideapad Y700 Touch-15ISK",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700 Touch-15ISK"),
+ },
+ },
+ {
.ident = "Lenovo ideapad Y700-17ISK",
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <her...@gondor.apana.org.au>

This bug has already been fixed upstream since 4.2. However, it
was fixed during the AEAD conversion so no fix was backported to
the older kernels.

[bwh: The upstream commit was adcbc688fe2f ("crypto: gcm - Convert to
new AEAD interface")]

When we do an RFC 4543 decryption, we will end up writing the
ICV beyond the end of the dst buffer. This should lead to a
crash but for some reason it was never noticed.

This patch fixes it by only writing back the ICV for encryption.

Fixes: d733ac90f9fe ("crypto: gcm - fix rfc4543 to handle async...")
Reported-by: Patrick Meyer <patric...@vasgard.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
---
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc45
aead_request_set_tfm(subreq, ctx->child);
aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done,
req);
+ if (!enc)
+ aead_request_set_callback(subreq, req->base.flags,
+ req->base.complete, req->base.data);
aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
aead_request_set_assoc(subreq, assoc, assoclen);
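Review bot: in the added `if (!enc)` branch the callback that was set to crypto_rfc4543_done two lines earlier is immediately overwritten, so the decrypt path calls aead_request_set_callback() twice and the reason is recorded only in the commit message. Suggest selecting the callback and its data once (crypto_rfc4543_done with req for encryption, req->base.complete with req->base.data for decryption) and adding a short comment that, per the commit message, the ICV write-back must only happen for encryption.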

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tg...@linutronix.de>

commit e9532e69b8d1d1284e8ecf8d2586de34aec61244 upstream.

On CPU hotplug the steal time accounting can keep a stale rq->prev_steal_time
value over CPU down and up. So after the CPU comes up again the delta
calculation in steal_account_process_tick() wreckages itself due to the
unsigned math:

u64 steal = paravirt_steal_clock(smp_processor_id());

steal -= this_rq()->prev_steal_time;

So if steal is smaller than rq->prev_steal_time we end up with an insane large
value which then gets added to rq->prev_steal_time, resulting in a permanent
wreckage of the accounting. As a consequence the per CPU stats in /proc/stat
become stale.

Nice trick to tell the world how idle the system is (100%) while the CPU is
100% busy running tasks. Though we prefer realistic numbers.

None of the accounting values which use a previous value to account for
fractions is reset at CPU hotplug time. update_rq_clock_task() has a sanity
check for prev_irq_time and prev_steal_time_rq, but that sanity check solely
deals with clock warps and limits the /proc/stat visible wreckage. The
prev_time values are still wrong.

Solution is simple: Reset rq->prev_*_time when the CPU is plugged in again.

Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Acked-by: Rik van Riel <ri...@redhat.com>
Cc: Frederic Weisbecker <fwei...@gmail.com>
Cc: Glauber Costa <glo...@parallels.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Fixes: commit 095c0aa83e52 "sched: adjust scheduler cpu power for stolen time"
Fixes: commit aa483808516c "sched: Remove irq time from available CPU power"
Fixes: commit e6e6685accfa "KVM guest: Steal time accounting"
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1603041539490.3686@nanos
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
kernel/sched/core.c | 1 +
kernel/sched/sched.h | 13 +++++++++++++
2 files changed, 14 insertions(+)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5111,6 +5111,7 @@ migration_call(struct notifier_block *nf

case CPU_UP_PREPARE:
rq->calc_load_update = calc_load_update;
+ account_reset_rq(rq);
break;

case CPU_ONLINE:
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -1548,3 +1548,16 @@ static inline u64 irq_time_read(int cpu)
}
#endif /* CONFIG_64BIT */
#endif /* CONFIG_IRQ_TIME_ACCOUNTING */
+
+static inline void account_reset_rq(struct rq *rq)
+{
+#ifdef CONFIG_IRQ_TIME_ACCOUNTING
+ rq->prev_irq_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT
+ rq->prev_steal_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
+ rq->prev_steal_time_rq = 0;
+#endif
+}
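Review bot: account_reset_rq() carries no comment, and its three #ifdef guards (CONFIG_IRQ_TIME_ACCOUNTING, CONFIG_PARAVIRT, CONFIG_PARAVIRT_TIME_ACCOUNTING) have to match the guards around the corresponding fields in struct rq, which this hunk does not show. Suggest a one-line comment saying the prev_*_time values are zeroed so a stale value cannot survive CPU down and up, and a build test of this 3.16 backport with each of the three options disabled.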

Ben Hutchings

Apr 26, 2016, 8:40:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas....@amd.com>

commit ce0ae266feaf35930394bd770c69778e4ef03ba9 upstream.

Since a crypto_ahash_import() can be called against a request context
that has not had a crypto_ahash_init() performed, the request context
needs to be cleared to insure there is no random data present. If not,
the random data can result in a kernel oops during crypto_ahash_update().

Signed-off-by: Tom Lendacky <thomas....@amd.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 1 +
drivers/crypto/ccp/ccp-crypto-sha.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
@@ -225,6 +225,7 @@ static int ccp_aes_cmac_import(struct ah
/* 'in' may not be aligned so memcpy to local variable */
memcpy(&state, in, sizeof(state));

+ memset(rctx, 0, sizeof(*rctx));
rctx->null_msg = state.null_msg;
memcpy(rctx->iv, state.iv, sizeof(rctx->iv));
rctx->buf_count = state.buf_count;
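Review bot: the added memset(rctx, 0, sizeof(*rctx)) looks redundant next to the field-by-field assignments that follow it, and the reason it is needed (import can run on a request context that never went through init) is recorded only in the commit message. Suggest a one-line comment above the memset so it is not later removed as dead code; the same applies to the identical line added to ccp_sha_import().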
--- a/drivers/crypto/ccp/ccp-crypto-sha.c
+++ b/drivers/crypto/ccp/ccp-crypto-sha.c
@@ -219,6 +219,7 @@ static int ccp_sha_import(struct ahash_r
/* 'in' may not be aligned so memcpy to local variable */
memcpy(&state, in, sizeof(state));

+ memset(rctx, 0, sizeof(*rctx));
rctx->type = state.type;
rctx->msg_bits = state.msg_bits;
rctx->first = state.first;

Ben Hutchings

Apr 26, 2016, 8:40:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kan Liang <kan....@intel.com>

commit c3d266c8a9838cc141b69548bc3b1b18808ae8c4 upstream.

This patch tries to fix a PEBS warning found in my stress test. The
following perf command can easily trigger the pebs warning or spurious
NMI error on Skylake/Broadwell/Haswell platforms:

sudo perf record -e 'cpu/umask=0x04,event=0xc4/pp,cycles,branches,ref-cycles,cache-misses,cache-references' --call-graph fp -b -c1000 -a

Also the NMI watchdog must be enabled.

For this case, the events number is larger than counter number. So
perf has to do multiplexing.

In perf_mux_hrtimer_handler, it does perf_pmu_disable(), schedule out
old events, rotate_ctx, schedule in new events and finally
perf_pmu_enable().

If the old events include precise event, the MSR_IA32_PEBS_ENABLE
should be cleared when perf_pmu_disable(). The MSR_IA32_PEBS_ENABLE
should keep 0 until the perf_pmu_enable() is called and the new event is
precise event.

However, there is a corner case which could restore PEBS_ENABLE to
stale value during the above period. In perf_pmu_disable(), GLOBAL_CTRL
will be set to 0 to stop overflow and followed PMI. But there may be
pending PMI from an earlier overflow, which cannot be stopped. So even
GLOBAL_CTRL is cleared, the kernel still be possible to get PMI. At
the end of the PMI handler, __intel_pmu_enable_all() will be called,
which will restore the stale values if old events haven't scheduled
out.

Once the stale pebs value is set, it's impossible to be corrected if
the new events are non-precise. Because the pebs_enabled will be set
to 0. x86_pmu.enable_all() will ignore the MSR_IA32_PEBS_ENABLE
setting. As a result, the following NMI with stale PEBS_ENABLE
trigger pebs warning.

The pending PMI after enabled=0 will become harmless if the NMI handler
does not change the state. This patch checks cpuc->enabled in pmi and
only restore the state when PMU is active.

Here is the dump:

Call Trace:
<NMI> [<ffffffff813c3a2e>] dump_stack+0x63/0x85
[<ffffffff810a46f2>] warn_slowpath_common+0x82/0xc0
[<ffffffff810a483a>] warn_slowpath_null+0x1a/0x20
[<ffffffff8100fe2e>] intel_pmu_drain_pebs_nhm+0x2be/0x320
[<ffffffff8100caa9>] intel_pmu_handle_irq+0x279/0x460
[<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
[<ffffffff811f290d>] ? vunmap_page_range+0x20d/0x330
[<ffffffff811f2f11>] ? unmap_kernel_range_noflush+0x11/0x20
[<ffffffff8148379f>] ? ghes_copy_tofrom_phys+0x10f/0x2a0
[<ffffffff814839c8>] ? ghes_read_estatus+0x98/0x170
[<ffffffff81005a7d>] perf_event_nmi_handler+0x2d/0x50
[<ffffffff810310b9>] nmi_handle+0x69/0x120
[<ffffffff810316f6>] default_do_nmi+0xe6/0x100
[<ffffffff810317f2>] do_nmi+0xe2/0x130
[<ffffffff817aea71>] end_repeat_nmi+0x1a/0x1e
[<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
[<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
[<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
<<EOE>> <IRQ> [<ffffffff81006df8>] ? x86_perf_event_set_period+0xd8/0x180
[<ffffffff81006eec>] x86_pmu_start+0x4c/0x100
[<ffffffff8100722d>] x86_pmu_enable+0x28d/0x300
[<ffffffff811994d7>] perf_pmu_enable.part.81+0x7/0x10
[<ffffffff8119cb70>] perf_mux_hrtimer_handler+0x200/0x280
[<ffffffff8119c970>] ? __perf_install_in_context+0xc0/0xc0
[<ffffffff8110f92d>] __hrtimer_run_queues+0xfd/0x280
[<ffffffff811100d8>] hrtimer_interrupt+0xa8/0x190
[<ffffffff81199080>] ? __perf_read_group_add.part.61+0x1a0/0x1a0
[<ffffffff81051bd8>] local_apic_timer_interrupt+0x38/0x60
[<ffffffff817af01d>] smp_apic_timer_interrupt+0x3d/0x50
[<ffffffff817ad15c>] apic_timer_interrupt+0x8c/0xa0
<EOI> [<ffffffff81199080>] ? __perf_read_group_add.part.61+0x1a0/0x1a0
[<ffffffff81123de5>] ? smp_call_function_single+0xd5/0x130
[<ffffffff81123ddb>] ? smp_call_function_single+0xcb/0x130
[<ffffffff81199080>] ? __perf_read_group_add.part.61+0x1a0/0x1a0
[<ffffffff8119765a>] event_function_call+0x10a/0x120
[<ffffffff8119c660>] ? ctx_resched+0x90/0x90
[<ffffffff811971e0>] ? cpu_clock_event_read+0x30/0x30
[<ffffffff811976d0>] ? _perf_event_disable+0x60/0x60
[<ffffffff8119772b>] _perf_event_enable+0x5b/0x70
[<ffffffff81197388>] perf_event_for_each_child+0x38/0xa0
[<ffffffff811976d0>] ? _perf_event_disable+0x60/0x60
[<ffffffff811a0ffd>] perf_ioctl+0x12d/0x3c0
[<ffffffff8134d855>] ? selinux_file_ioctl+0x95/0x1e0
[<ffffffff8124a3a1>] do_vfs_ioctl+0xa1/0x5a0
[<ffffffff81036d29>] ? sched_clock+0x9/0x10
[<ffffffff8124a919>] SyS_ioctl+0x79/0x90
[<ffffffff817ac4b2>] entry_SYSCALL_64_fastpath+0x1a/0xa4
---[ end trace aef202839fe9a71d ]---
Uhhuh. NMI received for unknown reason 2d on CPU 2.
Do you have a strange power saving mode enabled?

Signed-off-by: Kan Liang <kan....@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Cc: Alexander Shishkin <alexander...@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <ac...@redhat.com>
Cc: Jiri Olsa <jo...@redhat.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Stephane Eranian <era...@google.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Vince Weaver <vincent...@maine.edu>
Link: http://lkml.kernel.org/r/1457046448-6184-1-git...@intel.com
[ Fixed various typos and other small details. ]
Signed-off-by: Ingo Molnar <mi...@kernel.org>
[bwh: Backported to 3.16: adjust filenames, context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -504,6 +504,19 @@ void x86_pmu_disable_all(void)
}
}

+/*
+ * There may be PMI landing after enabled=0. The PMI hitting could be before or
+ * after disable_all.
+ *
+ * If PMI hits before disable_all, the PMU will be disabled in the NMI handler.
+ * It will not be re-enabled in the NMI handler again, because enabled=0. After
+ * handling the NMI, disable_all will be called, which will not change the
+ * state either. If PMI hits after disable_all, the PMU is already disabled
+ * before entering NMI handler. The NMI handler will not change the state
+ * either.
+ *
+ * So either situation is harmless.
+ */
static void x86_pmu_disable(struct pmu *pmu)
{
struct cpu_hw_events *cpuc = &__get_cpu_var(cpu_hw_events);
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1043,6 +1043,17 @@ static inline bool intel_pmu_needs_lbr_s
return false;
}

+/*
+ * Used from PMIs where the LBRs are already disabled.
+ *
+ * This function could be called consecutively. It is required to remain in
+ * disabled state if called consecutively.
+ *
+ * During consecutive calls, the same disable value will be written to related
+ * registers, so the PMU state remains unchanged. hw.state in
+ * intel_bts_disable_local will remain PERF_HES_STOPPED too in consecutive
+ * calls.
+ */
static void intel_pmu_disable_all(void)
{
struct cpu_hw_events *cpuc = &__get_cpu_var(cpu_hw_events);
@@ -1433,7 +1444,10 @@ again:
goto again;

done:
- intel_pmu_enable_all(0);
+ /* Only restore PMU state when it's active. See x86_pmu_disable(). */
+ if (cpuc->enabled)
+ intel_pmu_enable_all(0);
+
/*
* Only unmask the NMI after the overflow counters
* have been reset. This avoids spurious NMIs on
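Review bot: the new `if (cpuc->enabled)` test at the done: label is only safe if x86_pmu_disable() clears cpuc->enabled before it calls disable_all, and nothing in these hunks shows that ordering or a compiler barrier between the two steps. The comment added above x86_pmu_disable() describes the outcome but not the ordering it depends on; suggest stating it there, since the PMI handler can land between those two steps.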
--- a/arch/x86/kernel/cpu/perf_event_knc.c
+++ b/arch/x86/kernel/cpu/perf_event_knc.c
@@ -263,7 +263,9 @@ again:
goto again;

done:
- knc_pmu_enable_all(0);
+ /* Only restore PMU state when it's active. See x86_pmu_disable(). */
+ if (cpuc->enabled)
+ knc_pmu_enable_all(0);

return handled;
}
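Review bot: `if (cpuc->enabled)` uses cpuc at the done: label, but the hunk context does not show cpuc being declared in this handler. Since the backport note says filenames and context were adjusted, confirm that the 3.16 version of this function already has a struct cpu_hw_events *cpuc in scope and that perf_event_knc.c was compile-tested.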

Ben Hutchings

Apr 26, 2016, 8:40:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <benjamin....@redhat.com>

commit 82be788c96ed5978d3cb4a00079e26b981a3df3f upstream.

Looks like the firmware 8.2 still has the extra buttons spurious release
bug.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=114321
Signed-off-by: Benjamin Tissoires <benjamin....@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/input/mouse/synaptics.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -838,8 +838,9 @@ static void synaptics_report_ext_buttons
if (!SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap))
return;

- /* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */
- if (SYN_ID_FULL(priv->identity) == 0x801 &&
+ /* Bug in FW 8.1 & 8.2, buttons are reported only when ExtBit is 1 */
+ if ((SYN_ID_FULL(priv->identity) == 0x801 ||
+ SYN_ID_FULL(priv->identity) == 0x802) &&
!((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02))
return;

Ben Hutchings

Apr 26, 2016, 8:40:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.com>

commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff upstream.

A malicious device missing interface can make the driver oops.
Add sanity checking.

Signed-off-by: Oliver Neukum <ONe...@suse.com>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/input/misc/ims-pcu.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct

pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
union_desc->bMasterInterface0);
+ if (!pcu->ctrl_intf)
+ return -EINVAL;

alt = pcu->ctrl_intf->cur_altsetting;
pcu->ep_ctrl = &alt->endpoint[0].desc;
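Review bot: the new NULL check covers pcu->ctrl_intf, but the context lines right after it still take &alt->endpoint[0].desc without checking that the control interface's altsetting has at least one endpoint. The data interface path in the next hunk does test bNumEndpoints; suggest an equivalent check before ep_ctrl is assigned (return -EINVAL when alt->desc.bNumEndpoints is below 1), since these descriptors are supplied by the device.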
@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct

pcu->data_intf = usb_ifnum_to_if(pcu->udev,
union_desc->bSlaveInterface0);
+ if (!pcu->data_intf)
+ return -EINVAL;

alt = pcu->data_intf->cur_altsetting;
if (alt->desc.bNumEndpoints != 2) {

Ben Hutchings

Apr 26, 2016, 8:40:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Kochetkov <al.k...@gmail.com>

commit d5861262210067fc01b2fb4f7af2fd85a3453f15 upstream.

Year field must be in BCD format, according to
hym8563 datasheet.

Due to the bug year 2016 became 2010.

Fixes: dcaf03849352 ("rtc: add hym8563 rtc-driver")
Signed-off-by: Alexander Kochetkov <al.k...@gmail.com>
Signed-off-by: Alexandre Belloni <alexandr...@free-electrons.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/rtc/rtc-hym8563.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/rtc/rtc-hym8563.c
+++ b/drivers/rtc/rtc-hym8563.c
@@ -144,7 +144,7 @@ static int hym8563_rtc_set_time(struct d
* it does not seem to carry it over a subsequent write/read.
* So we'll limit ourself to 100 years, starting at 2000 for now.
*/
- buf[6] = tm->tm_year - 100;
+ buf[6] = bin2bcd(tm->tm_year - 100);

/*
* CTL1 only contains TEST-mode bits apart from stop,
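Review bot: bin2bcd(tm->tm_year - 100) only yields a valid BCD byte for values 0 to 99, and the hunk shows no range check on tm_year before the conversion. The comment above says the driver limits itself to 100 years starting at 2000; suggest enforcing that here by returning -EINVAL when tm_year is below 100 or above 199, unless that check already exists earlier in hym8563_rtc_set_time().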

Ben Hutchings

Apr 26, 2016, 8:40:09 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdeg...@redhat.com>

commit 5c915c68763889f0183a1cc61c84bb228b60124a upstream.

On my bttv card "Hauppauge WinTV [card=10]" capturing in YV12 fmt at max
size results in a solid green rectangle being captured (all colors 0 in
YUV).

This turns out to be caused by max-width (924) not being a multiple of 16.

We've likely never hit this problem before since normally xawtv / tvtime,
etc. will prefer packed pixel formats. But when using a video card which
is using xf86-video-modesetting + glamor, only planar XVideo fmts are
available, and xawtv will choose a matching capture format to avoid needing
to do conversion, triggering the solid green window problem.

Signed-off-by: Hans de Goede <hdeg...@redhat.com>
Acked-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@osg.samsung.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/media/pci/bt8xx/bttv-driver.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)

--- a/drivers/media/pci/bt8xx/bttv-driver.c
+++ b/drivers/media/pci/bt8xx/bttv-driver.c
@@ -2333,6 +2333,19 @@ static int bttv_g_fmt_vid_overlay(struct
return 0;
}

+static void bttv_get_width_mask_vid_cap(const struct bttv_format *fmt,
+ unsigned int *width_mask,
+ unsigned int *width_bias)
+{
+ if (fmt->flags & FORMAT_FLAGS_PLANAR) {
+ *width_mask = ~15; /* width must be a multiple of 16 pixels */
+ *width_bias = 8; /* nearest */
+ } else {
+ *width_mask = ~3; /* width must be a multiple of 4 pixels */
+ *width_bias = 2; /* nearest */
+ }
+}
+
static int bttv_try_fmt_vid_cap(struct file *file, void *priv,
struct v4l2_format *f)
{
@@ -2342,6 +2355,7 @@ static int bttv_try_fmt_vid_cap(struct f
enum v4l2_field field;
__s32 width, height;
__s32 height2;
+ unsigned int width_mask, width_bias;
int rc;

fmt = format_by_fourcc(f->fmt.pix.pixelformat);
@@ -2374,9 +2388,9 @@ static int bttv_try_fmt_vid_cap(struct f
width = f->fmt.pix.width;
height = f->fmt.pix.height;

+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
rc = limit_scaled_size_lock(fh, &width, &height, field,
- /* width_mask: 4 pixels */ ~3,
- /* width_bias: nearest */ 2,
+ width_mask, width_bias,
/* adjust_size */ 1,
/* adjust_crop */ 0);
if (0 != rc)
@@ -2409,6 +2423,7 @@ static int bttv_s_fmt_vid_cap(struct fil
struct bttv_fh *fh = priv;
struct bttv *btv = fh->btv;
__s32 width, height;
+ unsigned int width_mask, width_bias;
enum v4l2_field field;

retval = bttv_switch_type(fh, f->type);
@@ -2423,9 +2438,10 @@ static int bttv_s_fmt_vid_cap(struct fil
height = f->fmt.pix.height;
field = f->fmt.pix.field;

+ fmt = format_by_fourcc(f->fmt.pix.pixelformat);
+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
retval = limit_scaled_size_lock(fh, &width, &height, f->fmt.pix.field,
- /* width_mask: 4 pixels */ ~3,
- /* width_bias: nearest */ 2,
+ width_mask, width_bias,
/* adjust_size */ 1,
/* adjust_crop */ 1);
if (0 != retval)
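Review bot: fmt = format_by_fourcc(...) is now passed straight to bttv_get_width_mask_vid_cap(), which dereferences fmt->flags, with no NULL test between the two added lines. If an earlier step in bttv_s_fmt_vid_cap() has already rejected unknown pixel formats that is fine, but the hunk does not show it; suggest either a check here or a comment naming the call that guarantees fmt is valid.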
@@ -2433,8 +2449,6 @@ static int bttv_s_fmt_vid_cap(struct fil

f->fmt.pix.field = field;

- fmt = format_by_fourcc(f->fmt.pix.pixelformat);
-
/* update our state informations */
fh->fmt = fmt;
fh->cap.field = f->fmt.pix.field;

Ben Hutchings

Apr 26, 2016, 8:40:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <ne...@suse.com>

commit a6ab1e8126d205238defbb55d23661a3a5c6a0d8 upstream.

sunrpc_cache_pipe_upcall() can detect a race if CACHE_PENDING is no longer
set. In this case it aborts the queuing of the upcall.
However it has already taken a new counted reference on "h" and
doesn't "put" it, even though it frees the data structure holding the reference.

So let's delay the "cache_get" until we know we need it.

Fixes: f9e1aedc6c79 ("sunrpc/cache: remove races with queuing an upcall.")
Signed-off-by: NeilBrown <ne...@suse.com>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/sunrpc/cache.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1187,14 +1187,14 @@ int sunrpc_cache_pipe_upcall(struct cach
}

crq->q.reader = 0;
- crq->item = cache_get(h);
crq->buf = buf;
crq->len = 0;
crq->readers = 0;
spin_lock(&queue_lock);
- if (test_bit(CACHE_PENDING, &h->flags))
+ if (test_bit(CACHE_PENDING, &h->flags)) {
+ crq->item = cache_get(h);
list_add_tail(&crq->q.list, &detail->queue);
- else
+ } else
/* Lost a race, no longer PENDING, so don't enqueue */
ret = -EAGAIN;
spin_unlock(&queue_lock);
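Review bot: the rewritten conditional puts braces on the if branch but leaves the else branch as `} else` followed by a comment and a single statement. Kernel coding style asks for braces on both branches once either one needs them; suggest `} else {` with a closing brace after the ret = -EAGAIN assignment.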

Ben Hutchings

Apr 26, 2016, 8:40:13 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipo...@gmail.com>

commit 81d90442eac779938217c3444b240aa51fd3db47 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=03 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04ca ProdID=3014 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1546694

Signed-off-by: Dmitry Tunin <hanipo...@gmail.com>
Signed-off-by: Marcel Holtmann <mar...@holtmann.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -93,6 +93,7 @@ static const struct usb_device_id ath3k_
{ USB_DEVICE(0x04CA, 0x300d) },
{ USB_DEVICE(0x04CA, 0x300f) },
{ USB_DEVICE(0x04CA, 0x3010) },
+ { USB_DEVICE(0x04CA, 0x3014) },
{ USB_DEVICE(0x0930, 0x0219) },
{ USB_DEVICE(0x0930, 0x021c) },
{ USB_DEVICE(0x0930, 0x0220) },
@@ -157,6 +158,7 @@ static const struct usb_device_id ath3k_
{ USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -187,6 +187,7 @@ static const struct usb_device_id blackl
{ USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },

Ben Hutchings

Apr 26, 2016, 8:50:07 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas....@amd.com>

commit b31dde2a5cb1bf764282abf934266b7193c2bc7c upstream.

Use a local variable for the exported and imported state so that
alignment is not an issue. On export, set a local variable from the
request context and then memcpy the contents of the local variable to
the export memory area. On import, memcpy the import memory area into
a local variable and then use the local variable to set the request
context.

Signed-off-by: Tom Lendacky <thomas....@amd.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 26 ++++++++++++++---------
drivers/crypto/ccp/ccp-crypto-sha.c | 36 +++++++++++++++++++-------------
2 files changed, 37 insertions(+), 25 deletions(-)

--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
@@ -204,12 +204,15 @@ static int ccp_aes_cmac_digest(struct ah
static int ccp_aes_cmac_export(struct ahash_request *req, void *out)
{
struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
- struct ccp_aes_cmac_exp_ctx *state = out;
+ struct ccp_aes_cmac_exp_ctx state;

- state->null_msg = rctx->null_msg;
- memcpy(state->iv, rctx->iv, sizeof(state->iv));
- state->buf_count = rctx->buf_count;
- memcpy(state->buf, rctx->buf, sizeof(state->buf));
+ state.null_msg = rctx->null_msg;
+ memcpy(state.iv, rctx->iv, sizeof(state.iv));
+ state.buf_count = rctx->buf_count;
+ memcpy(state.buf, rctx->buf, sizeof(state.buf));
+
+ /* 'out' may not be aligned so memcpy from local variable */
+ memcpy(out, &state, sizeof(state));

return 0;
}
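Review bot: in ccp_aes_cmac_export() the local `struct ccp_aes_cmac_exp_ctx state` is declared without an initialiser, filled member by member, and then copied out whole with memcpy(out, &state, sizeof(state)). Any padding the compiler inserts between members is uninitialised stack and ends up in the exported blob; suggest memset(&state, 0, sizeof(state)) before the assignments, here and in ccp_sha_export().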
@@ -217,12 +220,15 @@ static int ccp_aes_cmac_export(struct ah
static int ccp_aes_cmac_import(struct ahash_request *req, const void *in)
{
struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
- const struct ccp_aes_cmac_exp_ctx *state = in;
+ struct ccp_aes_cmac_exp_ctx state;
+
+ /* 'in' may not be aligned so memcpy to local variable */
+ memcpy(&state, in, sizeof(state));

- rctx->null_msg = state->null_msg;
- memcpy(rctx->iv, state->iv, sizeof(rctx->iv));
- rctx->buf_count = state->buf_count;
- memcpy(rctx->buf, state->buf, sizeof(rctx->buf));
+ rctx->null_msg = state.null_msg;
+ memcpy(rctx->iv, state.iv, sizeof(rctx->iv));
+ rctx->buf_count = state.buf_count;
+ memcpy(rctx->buf, state.buf, sizeof(rctx->buf));

return 0;
}
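Review bot: ccp_aes_cmac_import() assigns rctx->buf_count = state.buf_count directly from the caller-supplied blob with no bound against sizeof(rctx->buf). Suggest rejecting the import with -EINVAL when buf_count exceeds the buffer size, so a corrupted or mismatched state cannot leave buf_count larger than the buffer it describes.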
--- a/drivers/crypto/ccp/ccp-crypto-sha.c
+++ b/drivers/crypto/ccp/ccp-crypto-sha.c
@@ -196,14 +196,17 @@ static int ccp_sha_digest(struct ahash_r
static int ccp_sha_export(struct ahash_request *req, void *out)
{
struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
- struct ccp_sha_exp_ctx *state = out;
+ struct ccp_sha_exp_ctx state;

- state->type = rctx->type;
- state->msg_bits = rctx->msg_bits;
- state->first = rctx->first;
- memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
- state->buf_count = rctx->buf_count;
- memcpy(state->buf, rctx->buf, sizeof(state->buf));
+ state.type = rctx->type;
+ state.msg_bits = rctx->msg_bits;
+ state.first = rctx->first;
+ memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
+ state.buf_count = rctx->buf_count;
+ memcpy(state.buf, rctx->buf, sizeof(state.buf));
+
+ /* 'out' may not be aligned so memcpy from local variable */
+ memcpy(out, &state, sizeof(state));

return 0;
}
@@ -211,14 +214,17 @@ static int ccp_sha_export(struct ahash_r
static int ccp_sha_import(struct ahash_request *req, const void *in)
{
struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
- const struct ccp_sha_exp_ctx *state = in;
+ struct ccp_sha_exp_ctx state;
+
+ /* 'in' may not be aligned so memcpy to local variable */
+ memcpy(&state, in, sizeof(state));

- rctx->type = state->type;
- rctx->msg_bits = state->msg_bits;
- rctx->first = state->first;
- memcpy(rctx->ctx, state->ctx, sizeof(rctx->ctx));
- rctx->buf_count = state->buf_count;
- memcpy(rctx->buf, state->buf, sizeof(rctx->buf));
+ rctx->type = state.type;
+ rctx->msg_bits = state.msg_bits;
+ rctx->first = state.first;
+ memcpy(rctx->ctx, state.ctx, sizeof(rctx->ctx));
+ rctx->buf_count = state.buf_count;
+ memcpy(rctx->buf, state.buf, sizeof(rctx->buf));

return 0;
}

Ben Hutchings

Apr 26, 2016, 8:50:08 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Hurley <pe...@hurleysoftware.com>

commit f33798deecbd59a2955f40ac0ae2bc7dff54c069 upstream.

commit 9ce119f318ba ("tty: Fix GPF in flush_to_ldisc()") fixed a
GPF caused by a line discipline which does not define a receive_buf()
method.

However, the vt driver (and speakup driver also) pushes selection
data directly to the line discipline receive_buf() method via
tty_ldisc_receive_buf(). Fix the same problem in tty_ldisc_receive_buf().

Signed-off-by: Peter Hurley <pe...@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
include/linux/tty.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -569,7 +569,7 @@ static inline int tty_ldisc_receive_buf(
count = ld->ops->receive_buf2(ld->tty, p, f, count);
else {
count = min_t(int, count, ld->tty->receive_room);
- if (count)
+ if (count && ld->ops->receive_buf)
ld->ops->receive_buf(ld->tty, p, f, count);
}
return count;
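Review bot: with the new `ld->ops->receive_buf` test, a line discipline without that method has its data skipped, yet the function still returns count as clamped by receive_room. The caller then sees those bytes as consumed; suggest setting count to 0 in that case, or a comment stating that silently dropping the data is intended.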

Ben Hutchings

Apr 26, 2016, 8:50:10 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Markus Trippelsdorf <mar...@trippelsdorf.de>

commit d85ce830eef6c10d1e9617172dea4681f02b8424 upstream.

One line in perf_pmu__parse_unit() is indented wrongly, leading to a
warning (=> error) from gcc 6:

util/pmu.c:156:3: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]

sret = read(fd, alias->unit, UNIT_MAX_LEN);
^~~~

util/pmu.c:153:2: note: ...this 'if' clause, but it is not
if (fd == -1)
^~

Signed-off-by: Markus Trippelsdorf <mar...@trippelsdorf.de>
Acked-by: Ingo Molnar <mi...@kernel.org>
Cc: Ben Hutchings <b...@decadent.org.uk>
Cc: Matt Fleming <ma...@codeblueprint.co.uk>
Cc: Peter Zijlstra <pet...@infradead.org>
Fixes: 410136f5dd96 ("tools/perf/stat: Add event unit and scale support")
Link: http://lkml.kernel.org/r/20151214154440.GC1409@x4
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
tools/perf/util/pmu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
@@ -156,7 +156,7 @@ static int perf_pmu__parse_unit(struct p
if (fd == -1)
return -1;

- sret = read(fd, alias->unit, UNIT_MAX_LEN);
+ sret = read(fd, alias->unit, UNIT_MAX_LEN);
if (sret < 0)
goto error;

Ben Hutchings

Apr 26, 2016, 8:50:11 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <bfi...@redhat.com>

commit 4aed9c46afb80164401143aa0fdcfe3798baa9d5 upstream.

A number of spots in the xdr decoding follow a pattern like

n = be32_to_cpup(p++);
READ_BUF(n + 4);

where n is a u32. The only bounds checking is done in READ_BUF itself,
but since it's checking (n + 4), it won't catch cases where n is very
large, (u32)(-4) or higher. I'm not sure exactly what the consequences
are, but we've seen crashes soon after.

Instead, just break these up into two READ_BUF()s.

Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/nfsd/nfs4xdr.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1072,8 +1072,9 @@ nfsd4_decode_rename(struct nfsd4_compoun

READ_BUF(4);
rename->rn_snamelen = be32_to_cpup(p++);
- READ_BUF(rename->rn_snamelen + 4);
+ READ_BUF(rename->rn_snamelen);
SAVEMEM(rename->rn_sname, rename->rn_snamelen);
+ READ_BUF(4);
rename->rn_tnamelen = be32_to_cpup(p++);
READ_BUF(rename->rn_tnamelen);
SAVEMEM(rename->rn_tname, rename->rn_tnamelen);
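Review bot: splitting READ_BUF(rename->rn_snamelen + 4) into READ_BUF(rename->rn_snamelen) and READ_BUF(4) removes the addition that could wrap, but it is a per-call-site fix and, going by the commit message, READ_BUF only ever sees the already-summed value. Suggest a comment at the macro saying its argument must not be a sum involving an untrusted u32, or a follow-up that makes the check itself reject wrapped values, so a later `READ_BUF(len + k)` does not reintroduce the problem.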
@@ -1155,13 +1156,14 @@ nfsd4_decode_setclientid(struct nfsd4_co
READ_BUF(8);
setclientid->se_callback_prog = be32_to_cpup(p++);
setclientid->se_callback_netid_len = be32_to_cpup(p++);
-
- READ_BUF(setclientid->se_callback_netid_len + 4);
+ READ_BUF(setclientid->se_callback_netid_len);
SAVEMEM(setclientid->se_callback_netid_val, setclientid->se_callback_netid_len);
+ READ_BUF(4);
setclientid->se_callback_addr_len = be32_to_cpup(p++);

- READ_BUF(setclientid->se_callback_addr_len + 4);
+ READ_BUF(setclientid->se_callback_addr_len);
SAVEMEM(setclientid->se_callback_addr_val, setclientid->se_callback_addr_len);
+ READ_BUF(4);
setclientid->se_callback_ident = be32_to_cpup(p++);

DECODE_TAIL;
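Review bot: the three-step sequence READ_BUF(len); SAVEMEM(...); READ_BUF(4) now appears twice in nfsd4_decode_setclientid() and again in the other two functions this patch touches, which suggests a small helper for decoding a length-prefixed opaque so that the rule of doing no arithmetic on an untrusted length lives in one place. The hunk also drops the blank line after the se_callback_netid_len assignment but keeps the one after se_callback_addr_len, so the two otherwise identical blocks are now spaced differently.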
@@ -1628,8 +1630,9 @@ nfsd4_decode_compound(struct nfsd4_compo

READ_BUF(4);
argp->taglen = be32_to_cpup(p++);
- READ_BUF(argp->taglen + 8);
+ READ_BUF(argp->taglen);
SAVEMEM(argp->tag, argp->taglen);
+ READ_BUF(8);
argp->minorversion = be32_to_cpup(p++);
argp->opcnt = be32_to_cpup(p++);
max_reply += 4 + (XDR_QUADLEN(argp->taglen) << 2);
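Review bot: the trailing context line max_reply += 4 + (XDR_QUADLEN(argp->taglen) << 2) still does arithmetic on the client-supplied taglen, so it depends on READ_BUF(argp->taglen) having already rejected any value larger than the remaining buffer. That ordering holds in the lines shown, and a comment at the max_reply line noting the dependency would help. The commit message says the pattern occurs in a number of spots and this diff changes three functions, so the remaining READ_BUF(n + constant) call sites deserve the same audit.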
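The wrap described in the nfsd4 commit message above, as an added C example that is not part of the posted patch or of nfsd. It is a toy length-prefixed decoder comparing the single n + 4 check with the split checks; struct cursor, have_bytes() and the sample messages are constructed for illustration, and XDR padding is ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the decoder state; not the nfsd structures. */
struct cursor {
	const uint8_t *p;   /* next unread byte */
	const uint8_t *end; /* one past the last byte of the request */
};

/* Bounds check in the spirit of the one the commit message attributes to
 * READ_BUF: succeed only when nbytes are still available. */
static int have_bytes(const struct cursor *c, uint32_t nbytes)
{
	return nbytes <= (uint32_t)(c->end - c->p);
}

/* Read one big-endian 32-bit word; the caller has already checked 4 bytes. */
static uint32_t get_be32(struct cursor *c)
{
	uint32_t v = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
		     ((uint32_t)c->p[2] << 8) | (uint32_t)c->p[3];
	c->p += 4;
	return v;
}

/* Pre-patch shape: one check covering the name plus the following word.
 * Returns 1 if the check passes. The name bytes are never dereferenced,
 * so the demo stays in bounds even when the check is fooled. */
static int combined_check_accepts(const uint8_t *buf, size_t len)
{
	struct cursor c = { buf, buf + len };
	uint32_t n;

	if (!have_bytes(&c, 4))
		return 0;
	n = get_be32(&c);
	return have_bytes(&c, n + 4); /* wraps to 0..3 for n >= 0xfffffffc */
}

/* Post-patch shape: check the name length alone, then the next word.
 * On success stores the word that follows the name in *next_word. */
static int split_check_accepts(const uint8_t *buf, size_t len,
			       uint32_t *next_word)
{
	struct cursor c = { buf, buf + len };
	uint32_t n;

	if (!have_bytes(&c, 4))
		return 0;
	n = get_be32(&c);
	if (!have_bytes(&c, n)) /* no arithmetic on the untrusted length */
		return 0;
	c.p += n;               /* skip the name bytes */
	if (!have_bytes(&c, 4))
		return 0;
	*next_word = get_be32(&c);
	return 1;
}

/* Constructed sample requests: <u32 length> <name bytes> <u32 next word>. */
static const uint8_t msg_ok[]       = { 0, 0, 0, 4, 'a', 'b', 'c', 'd', 0, 0, 0, 7 };
static const uint8_t msg_wrap[]     = { 0xff, 0xff, 0xff, 0xfc, 0, 0, 0, 0 };
static const uint8_t msg_wrap_max[] = { 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0 };
static const uint8_t msg_short[]    = { 0, 0, 0, 8, 'a', 'b', 'c', 'd' };

int main(void)
{
	static const struct {
		const char *name;
		const uint8_t *buf;
		size_t len;
	} cases[] = {
		{ "well-formed",         msg_ok,       sizeof(msg_ok) },
		{ "length 0xfffffffc",   msg_wrap,     sizeof(msg_wrap) },
		{ "length 0xffffffff",   msg_wrap_max, sizeof(msg_wrap_max) },
		{ "truncated, length 8", msg_short,    sizeof(msg_short) },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint32_t next = 0;

		printf("%-22s combined=%d split=%d\n", cases[i].name,
		       combined_check_accepts(cases[i].buf, cases[i].len),
		       split_check_accepts(cases[i].buf, cases[i].len, &next));
	}
	return 0;
}
```

Only the two oversized lengths separate the checks: both accept the well-formed request and reject the truncated one.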

Ben Hutchings

Apr 26, 2016, 8:50:13 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit e07ff9434167981c993a26d2edbbcb8e13801dbb upstream.

The s5m8767_pmic_probe() function calls s5m8767_get_register() to
read data without checking the return code, which produces a compile-time
warning when that data is accessed:

drivers/regulator/s5m8767.c: In function 's5m8767_pmic_probe':
drivers/regulator/s5m8767.c:924:7: error: 'enable_reg' may be used uninitialized in this function [-Werror=maybe-uninitialized]
drivers/regulator/s5m8767.c:944:30: error: 'enable_val' may be used uninitialized in this function [-Werror=maybe-uninitialized]

This changes the s5m8767_get_register() function to return a -EINVAL
not just for an invalid register number but also for an invalid
regulator number, as both would result in returning uninitialized
data. The s5m8767_pmic_probe() function is then changed accordingly
to fail on a read error, as all the other callers of s5m8767_get_register()
already do.

In practice this probably cannot happen, as we don't call
s5m8767_get_register() with invalid arguments, but the gcc
warning seems valid in principle, in terms of writing safe
error checking.

Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Fixes: 9c4c60554acf ("regulator: s5m8767: Convert to use regulator_[enable|disable|is_enabled]_regmap")
Signed-off-by: Mark Brown <bro...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/regulator/s5m8767.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/regulator/s5m8767.c
+++ b/drivers/regulator/s5m8767.c
@@ -202,9 +202,10 @@ static int s5m8767_get_register(struct s
}
}

- if (i < s5m8767->num_regulators)
- *enable_ctrl =
- s5m8767_opmode_reg[reg_id][mode] << S5M8767_ENCTRL_SHIFT;
+ if (i >= s5m8767->num_regulators)
+ return -EINVAL;
+
+ *enable_ctrl = s5m8767_opmode_reg[reg_id][mode] << S5M8767_ENCTRL_SHIFT;

return 0;
}
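Review bot: the new early return in s5m8767_get_register() validates only i against s5m8767->num_regulators, while reg_id and mode still index s5m8767_opmode_reg[reg_id][mode] with no range check in the lines shown. It is worth confirming that the code above the hunk bounds both. The function would also benefit from a short comment stating that its output arguments are valid only when it returns 0, since that is the contract the probe change relies on.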
@@ -938,8 +939,12 @@ static int s5m8767_pmic_probe(struct pla
else
regulators[id].vsel_mask = 0xff;

- s5m8767_get_register(s5m8767, id, &enable_reg,
+ ret = s5m8767_get_register(s5m8767, id, &enable_reg,
&enable_val);
+ if (ret) {
+ dev_err(s5m8767->dev, "error reading registers\n");
+ return ret;
+ }
regulators[id].enable_reg = enable_reg;
regulators[id].enable_mask = S5M8767_ENCTRL_MASK;
regulators[id].enable_val = enable_val;
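Review bot: the dev_err() added in s5m8767_pmic_probe() says "error reading registers" without the regulator id or the value of ret, which makes the failure hard to place when the same code runs for every regulator. Including both id and ret in the message would help. Since the new path returns from the middle of the per-regulator setup, also check that nothing acquired earlier in probe needs releasing before return ret.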

Ben Hutchings

Apr 26, 2016, 8:50:13 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Hurley <pe...@hurleysoftware.com>

commit 401879c57f01cbf2da204ad2e8db910525c6dbea upstream.

The N_IRDA line discipline may access the previous line discipline's closed
and already-freed private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).

[1]
==================================================================
BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr ffff8800331dd068
Read of size 4 by task a.out/13960
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
...
Call Trace:
[<ffffffff815fa2ae>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:279
[<ffffffff836938a2>] irtty_open+0x422/0x550 drivers/net/irda/irtty-sir.c:436
[<ffffffff829f1b80>] tty_ldisc_open.isra.2+0x60/0xa0 drivers/tty/tty_ldisc.c:447
[<ffffffff829f21c0>] tty_set_ldisc+0x1a0/0x940 drivers/tty/tty_ldisc.c:567
[< inline >] tiocsetd drivers/tty/tty_io.c:2650
[<ffffffff829da49e>] tty_ioctl+0xace/0x1fd0 drivers/tty/tty_io.c:2883
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816708ac>] do_vfs_ioctl+0x57c/0xe60 fs/ioctl.c:607
[< inline >] SYSC_ioctl fs/ioctl.c:622
[<ffffffff81671204>] SyS_ioctl+0x74/0x80 fs/ioctl.c:613
[<ffffffff852a7876>] entry_SYSCALL_64_fastpath+0x16/0x7a

Reported-and-tested-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Peter Hurley <pe...@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/irda/irtty-sir.c | 10 ----------
1 file changed, 10 deletions(-)

--- a/drivers/net/irda/irtty-sir.c
+++ b/drivers/net/irda/irtty-sir.c
@@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct

/* Module stuff handled via irda_ldisc.owner - Jean II */

- /* First make sure we're not already connected. */
- if (tty->disc_data != NULL) {
- priv = tty->disc_data;
- if (priv && priv->magic == IRTTY_MAGIC) {
- ret = -EEXIST;
- goto out;
- }
- tty->disc_data = NULL; /* ### */
- }
-
/* stop the underlying driver */
irtty_stop_receiver(tty, TRUE);
if (tty->ops->stop)
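Review bot: the removed block was a user of priv, ret and the out label near the top of irtty_open(), and the diffstat shows deletions only, so no declaration or label was dropped to match. Confirm each is still used later in the function, otherwise the build gains unused-variable or unused-label warnings. With the NULL store gone, the function also relies on assigning tty->disc_data itself before anything reads it, which matches the rule stated in the commit message and deserves a comment at that assignment.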

Ben Hutchings

Apr 26, 2016, 8:50:13 PM
3.16.35-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <alexande...@intel.com>

commit 35bf7692e765c2275bf93fe573f7ca868ab73453 upstream.

buf_idx type was changed to size_t, and a few places
missed out to change the print format from %ld to %zu.
Use also zu for buf.size which is also of size_t

Fixes:
commit 56988f22e097 ("mei: fix possible integer overflow issue")

Signed-off-by: Alexander Usyskin <alexande...@intel.com>
Signed-off-by: Tomas Winkler <tomas....@intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/misc/mei/amthif.c | 2 +-
drivers/misc/mei/client.c | 2 +-
drivers/misc/mei/interrupt.c | 6 +++---
drivers/misc/mei/main.c | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/misc/mei/amthif.c
+++ b/drivers/misc/mei/amthif.c
@@ -234,7 +234,7 @@ int mei_amthif_read(struct mei_device *d
* remove message from deletion list
*/

- dev_dbg(&dev->pdev->dev, "amthif cb->response_buffer.size - %zd cb->buf_idx - %zd\n",
+ dev_dbg(&dev->pdev->dev, "amthif cb->response_buffer.size - %zu cb->buf_idx - %zu\n",
cb->response_buffer.size, cb->buf_idx);

/* length is being truncated to PAGE_SIZE, however,
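Review bot: the removed line in mei_amthif_read() already used %zd rather than the %ld named in the commit message, so in this backport the change is one of signedness only, which the "[bwh: Backported to 3.16: adjust context]" line does not spell out. A short remark in the backport note that some 3.16 call sites start from %zd would make the diff easier to check against upstream.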
--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -849,7 +849,7 @@ int mei_cl_irq_write(struct mei_cl *cl,
return 0;
}

- cl_dbg(dev, cl, "buf: size = %zd idx = %zd\n",
+ cl_dbg(dev, cl, "buf: size = %zu idx = %zu\n",
cb->request_buffer.size, cb->buf_idx);

rets = mei_write_message(dev, &mei_hdr, buf->data + cb->buf_idx);
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -121,7 +121,7 @@ static int mei_cl_irq_read_msg(struct me
buf_sz = mei_hdr->length + cb->buf_idx;
/* catch for integer overflow */
if (buf_sz < cb->buf_idx) {
- cl_err(dev, cl, "message is too big len %d idx %ld\n",
+ cl_err(dev, cl, "message is too big len %d idx %zu\n",
mei_hdr->length, cb->buf_idx);

list_del(&cb->list);
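Review bot: in the overflow branch of mei_cl_irq_read_msg() the message still prints mei_hdr->length with %d next to the corrected %zu for cb->buf_idx; if length is an unsigned field, %u would be the matching specifier. The guard itself, buf_sz < cb->buf_idx after buf_sz = mei_hdr->length + cb->buf_idx, is an unsigned wrap test that depends on buf_sz and cb->buf_idx having the same unsigned type, so the declarations should be kept in step with these format strings.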
@@ -129,7 +129,7 @@ static int mei_cl_irq_read_msg(struct me
}

if (cb->response_buffer.size < buf_sz) {
- cl_dbg(dev, cl, "message overflow. size %zd len %d idx %zd\n",
+ cl_dbg(dev, cl, "message overflow. size %zu len %d idx %zu\n",
cb->response_buffer.size,
mei_hdr->length, cb->buf_idx);
buffer = krealloc(cb->response_buffer.data, buf_sz, GFP_KERNEL);
@@ -150,7 +150,7 @@ static int mei_cl_irq_read_msg(struct me
if (mei_hdr->msg_complete) {
cl->status = 0;
list_del(&cb->list);
- cl_dbg(dev, cl, "completed read length = %lu\n",
+ cl_dbg(dev, cl, "completed read length = %zu\n",
cb->buf_idx);
list_add_tail(&cb->list, &complete_list->list);
}
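Review bot: the message "completed read length = ..." prints cb->buf_idx but calls it a length, unlike the other prints in this file, which label it idx; aligning the wording would keep the debug logs consistent. The specifier fix here is the one that matters on 32-bit builds, where size_t is unsigned int and %lu expects unsigned long.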
--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -262,7 +262,7 @@ static ssize_t mei_read(struct file *fil
}
/* now copy the data to user space */
copy_buffer:
- dev_dbg(&dev->pdev->dev, "buf.size = %zd buf.idx = %zd\n",
+ dev_dbg(&dev->pdev->dev, "buf.size = %zu buf.idx = %zu\n",
cb->response_buffer.size, cb->buf_idx);
if (length == 0 || ubuf == NULL || *offset > cb->buf_idx) {
rets = -EMSGSIZE;

Ben Hutchings

Apr 26, 2016, 8:50:26 PM
This is the start of the stable review cycle for the 3.16.35 release.
There are 217 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Apr 30 22:00:00 UTC 2016.
Anything received after that time might be too late.

A combined patch relative to 3.16.7-ckt27 will be posted as an
additional response to this. A shortlog and diffstat can be found
below.

Ben.

-------------

Aaro Koskinen (1):
mtd: onenand: fix deadlock in onenand_block_markbad
[5e64c29e98bfbba1b527b0a164f9493f3db9e8cb]

Aaron Plattner (2):
ALSA: hda - Add new GPU codec ID 0x10de0082 to snd-hda
[2d369c748c2ecc2a012ee85412a04007e67913ec]
ALSA: hda - Add new GPU codec ID 0x10de0083 to snd-hda
[3ec622f40913ae036f218e5e7e92df9c1f1753d9]

Al Viro (1):
unbreak allmodconfig KCONFIG_ALLCONFIG=...
[6b87b70c5339f30e3c5b32085e69625906513dc2]

Alex Deucher (5):
drm/radeon: add PX quirk for asus K53TK
[ff1b129403aad9a5c7cc9a6eaaffe4bd5fc0c67f]
drm/radeon: add a PX quirk list
[4807c5a8a0c87a210c36e3ad74c451a909d88588]
drm/radeon: add a dpm quirk for all R7 370 parts
[0e5585dc870af947fab2af96a88c2d8b4270247c]
drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5
[f971f2263deaa4a441e377b385c11aee0f3b3f9a]
drm/radeon: add another R7 370 quirk
[a64663d9870364bd2a2df62bf0d3a9fbe5ea62a8]

Alexander Kochetkov (1):
rtc: hym8563: fix invalid year calculation
[d5861262210067fc01b2fb4f7af2fd85a3453f15]

Alexander Shishkin (1):
perf/core: Fix perf_sched_count derailment
[927a5570855836e5d5859a80ce7e91e963545e8f]

Alexander Usyskin (1):
mei: fix format string in debug prints
[35bf7692e765c2275bf93fe573f7ca868ab73453]

Amitkumar Karwar (1):
mwifiex: fix corner case association failure
[a6139b6271f9f95377fe3486aed6120c9142779b]

Andi Kleen (2):
perf tools: Dont stop PMU parsing on alias parse error
[940db6dcd3f4659303fdf6befe7416adc4d24118]
perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere
[e17dc65328057c00db7e1bfea249c8771a78b30b]

Andy Lutomirski (1):
x86/iopl: Fix iopl capability check on Xen PV
[c29016cf41fe9fa994a5ecca607cf5f1cd98801e]

Anthony Wong (1):
rt2x00: add new rt2800usb device Buffalo WLI-UC-G450
[f36f299068794ffc5026f25b6a1b3ed615ea832d]

Arnaldo Carvalho de Melo (1):
net: Fix use after free in the recvmmsg exit path
[34b88a68f26a75e4fded796f1a49c40f82234b7d]

Arnd Bergmann (10):
ARM: davinci: make I2C support optional
[8e58041114319ad290e85a7a82077dc9e2f93613]
ASoC: s3c24xx: use const snd_soc_component_driver pointer
[ba4bc32eaa39ba7687f0958ae90eec94da613b46]
ath9k: fix buffer overrun for ar9287
[83d6f1f15f8cce844b0a131cbc63e444620e48b5]
farsync: fix off-by-one bug in fst_add_one
[e725a66c0202b5f36c2f9d59d26a65c53bbf21f7]
lpfc: fix misleading indentation
[aeb6641f8ebdd61939f462a8255b316f9bfab707]
mac80211: avoid excessive stack usage in sta_info
[0ef049dc1167fe834d0ad5d63f89eddc5c70f6e4]
mlx4: add missing braces in verify_qp_parameters
[baefd7015cdb304ce6c94f9679d0486c71954766]
paride: make 'verbose' parameter an 'int' again
[dec63a4dec2d6d01346fd5d96062e67c0636852b]
regulator: s5m8767: fix get_register() error handling
[e07ff9434167981c993a26d2edbbcb8e13801dbb]
xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND"
[13aa38e291bdd4e4018f40dd2f75e464814dcbf3]

Asai Thambi SP (3):
mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild
[d8a18d2d8f5de55666c6011ed175939d22c8e3d8]
mtip32xx: Fix broken service thread handling
[cfc05bd31384c4898bf2437a4de5557f3cf9803a]
mtip32xx: Remove unwanted code from taskfile error handler
[e35b94738a2f7caa12017f69ef385cb6b8028965]

Aurelien Jacquiot (1):
rapidio/rionet: fix deadlock on SMP
[36915976eca58f2eefa040ba8f9939672564df61]

Bart Van Assche (1):
IB/srpt: Simplify srpt_handle_tsk_mgmt()
[51093254bf879bc9ce96590400a87897c7498463]

Ben Hutchings (1):
misc/bmp085: Enable building as a module
[50e6315dba721cbc24ccd6d7b299f1782f210a98]

Benjamin Tissoires (3):
HID: core: do not scan reports if the group is already set
[9578f41aeaee5010384f4f8484da1566e2ce4901]
HID: fix hid_ignore_special_drivers module parameter
[4392bf333388cabdad5afe5b1500002d7b9c318e]
Input: synaptics - handle spurious release of trackstick buttons, again
[82be788c96ed5978d3cb4a00079e26b981a3df3f]

Bill Sommerfeld (1):
udp6: fix UDP/IPv6 encap resubmit path
[59dca1d8a6725a121dae6c452de0b2611d5865dc]

Bjorn Helgaas (2):
PCI: Disable IO/MEM decoding for devices with non-compliant BARs
[b84106b4e2290c081cdab521fa832596cdfea246]
x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs
[b894157145e4ac7598d7062bc93320898a5e059e]

Bjørn Mork (6):
USB: option: add "D-Link DWM-221 B1" device id
[d48d5691ebf88a15d95ba96486917ffc79256536]
cdc_ncm: toggle altsetting to force reset before setup
[48906f62c96cc2cd35753e59310cb70eb08cc6a5]
net: qmi_wwan: remove 1199:9070 device id
[544c8f6507303e921979ac99f46f00a88b42b6e8]
qmi_wwan: add "D-Link DWM-221 B1" device id
[e84810c7b85a2d7897797b3ad3e879168a8e032a]
qmi_wwan: add Sierra Wireless EM74xx device ID
[bf13c94ccb33c3182efc92ce4989506a0f541243]
qmi_wwan: add Sierra Wireless MC74xx/EM74xx
[0db65fcfcded76fe4f74e3ca9f4e2baf67b683ef]

Bobi Mihalca (3):
ALSA: hda - Apply fix for white noise on Asus N550JV, too
[83a9efb5b8170b7cffef4f62656656e1d8ad2ccd]
ALSA: hda - Asus N750JV external subwoofer fixup
[70cf2cbd685e218c3ffd105d9fb6cf0f8d767481]
ALSA: hda - Fix white noise on Asus N750JV headphone
[9d4dc5840f93bcb002fa311693349deae7702bc5]

Boris Ostrovsky (1):
xen/events: Mask a moving irq
[ff1e22e7a638a0782f54f81a6c9cb139aca2da35]

Borislav Petkov (1):
perf stat: Document --detailed option
[f594bae08183fb6b57db55387794ece3e1edf6f6]

Chris Friesen (1):
sched/cputime: Fix steal_account_process_tick() to always return jiffies
[f9c904b7613b8b4c85b10cd6b33ad41b2843fa9d]

Dan Carpenter (4):
EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
[6f3508f61c814ee852c199988a62bd954c50dfc1]
[media] xc2028: unlock on error in xc2028_set_config()
[210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d]
ethernet: micrel: fix some error codes
[3af0d554c1ce11e9d0953381ff566271f9ab81a9]
mdio-sun4i: oops in error handling in probe
[227f33beab746aeec4ef3305bd17b1d374df09e7]

Dan Streetman (1):
nbd: ratelimit error msgs after socket close
[da6ccaaa79caca4f38b540b651238f87215217a2]

Daniel Borkmann (1):
tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter
[5a5abb1fa3b05dd6aa821525832644c1e7d2905f]

Daniel Vetter (1):
drm/udl: Use unlocked gem unreferencing
[72b9ff0612ad8fc969b910cd00ac16b57a1a9ba4]

Dave Jones (1):
x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt()
[7834c10313fb823e538f2772be78edcdeed2e6e3]

Diego Viola (1):
net: jme: fix suspend/resume on JMC260
[ee50c130c82175eaa0820c96b6d3763928af2241]

Dmitri Epshtein (1):
net: mvneta: enable change MAC address when interface is up
[928b6519afeb2a5e2dc61154380b545ed66c476a]

Dmitry Torokhov (1):
HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
[3b654288b196ceaa156029d9457ccbded0489b98]

Dmitry Tunin (4):
Bluetooth: Add new AR3012 ID 0489:e095
[28c971d82fb58ef7cba22e5308be6d2d2590473d]
Bluetooth: btusb: Add a new AR3012 ID 04ca:3014
[81d90442eac779938217c3444b240aa51fd3db47]
Bluetooth: btusb: Add a new AR3012 ID 13d3:3472
[75c6aca4765dbe3d0c1507ab5052f2e373dc2331]
Bluetooth: btusb: Add new AR3012 ID 13d3:3395
[609574eb46335cfac1421a07c0505627cbbab1f0]

Dmitry V. Levin (1):
vfs: show_vfsstat: do not ignore errors from show_devname method
[5f8d498d4364f544fee17125787a47553db02afa]

Douglas Gilbert (1):
sg: fix dxferp in from_to case
[5ecee0a3ee8d74b6950cb41e8989b0c2174568d4]

Eric Dumazet (1):
net: bcmgenet: fix dma api length mismatch
[eee577232203842b4dcadb7ab477a298479633ed]

Eric Wheeler (2):
bcache: cleaned up error handling around register_cache()
[9b299728ed777428b3908ac72ace5f8f84b97789]
bcache: fix cache_set_flush() NULL pointer dereference on OOM
[f8b11260a445169989d01df75d35af0f56178f95]

Eryu Guan (1):
ext4: fix NULL pointer dereference in ext4_mark_inode_dirty()
[5e1021f2b6dff1a86a468a1424d59faae2bc63c1]

Fabio Estevam (1):
bus: imx-weim: Take the 'status' property value into account
[33b96d2c9579213cf3f36d7b29841b1e464750c4]

Filipe Manana (1):
Btrfs: fix file/data loss caused by fsync after rename and new inode
[56f23fdbb600e6087db7b009775b95ce07cc3195]

Florian Westphal (3):
netfilter: x_tables: fix unconditional helper
[54d83fc74aa9ec72794373cb47432c5f7fb1a309]
netfilter: x_tables: make sure e->next_offset covers remaining blob size
[6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91]
netfilter: x_tables: validate e->target_offset early
[bdf533de6968e9686df777dc178486f600c6e617]

Geert Uytterhoeven (3):
gpiolib: Fix comment referring to gpio_*() in gpiod_*()
[1cfab8f8b397f7d95ad43f72ed9a1fa7d26e210e]
rtc: vr41xx: Wire up alarm_irq_enable
[a25f4a95ec3cded34c1250364eba704c5e4fdac4]
serial: sh-sci: Remove cpufreq notifier to fix crash/deadlock
[ff1cab374ad98f4b9f408525ca9c08992b4ed784]

Grazvydas Ignotas (1):
HID: logitech: fix Dual Action gamepad support
[5d74325a2201376a95520a4a38a1ce2c65761c49]

Grygorii Strashko (1):
usb: dwc3: keystone: drop dma_mask configuration
[adf9a3ab90eb44e57f9dbf757acd897838b5ec21]

Guenter Roeck (2):
MAINTAINERS: Update mailing list and web page for hwmon subsystem
[968ce1b1f45a7d76b5471b19bd035dbecc72f32d]
hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated
[3c2e2266a5bd2d1cef258e6e54dca1d99946379f]

Guillaume Nault (2):
ppp: ensure file->private_data can't be overridden
[e8e56ffd9d2973398b60ece1f1bebb8d67b4d032]
ppp: take reference on channels netns
[1f461dcdd296eecedaffffc6bae2bfa90bd7eb89]

Guo-Fu Tseng (2):
jme: Do not enable NIC WoL functions on S0
[0772a99b818079e628a1da122ac7ee023faed83e]
jme: Fix device PM wakeup API usage
[81422e672f8181d7ad1ee6c60c723aac649f538f]

Haishuang Yan (2):
ipv4: l2tp: fix a potential issue in l2tp_ip_recv
[5745b8232e942abd5e16e85fa9b27cc21324acf0]
ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
[be447f305494e019dfc37ea4cdf3b0e4200b4eba]

Hans Verkuil (1):
[media] adv7511: TX_EDID_PRESENT is still 1 after a disconnect
[b339a72e04a62f0b1882c43492fc712f1176b3e6]

Hans de Goede (4):
USB: uas: Reduce can_queue to MAX_CMNDS
[55ff8cfbc4e12a7d2187df523938cc671fbebdd1]
[media] bttv: Width must be a multiple of 16 when capturing planar formats
[5c915c68763889f0183a1cc61c84bb228b60124a]
[media] pwc: Add USB id for Philips Spc880nc webcam
[7445e45d19a09e5269dc85f17f9635be29d2f76c]
[media] saa7134: Fix bytesperline not being set correctly for planar formats
[3e71da19f9dc22e39a755d6ae9678661abb66adc]

Hector Marco-Gisbert (1):
x86/mm/32: Enable full randomization on i386 and X86_32
[8b8addf891de8a00e4d39fc32f93f7c5eb8feceb]

Helge Deller (3):
parisc: Avoid function pointers for kernel exception routines
[e3893027a300927049efc1572f852201eb785142]
parisc: Fix kernel crash with reversed copy_from_user()
[ef72f3110d8b19f4c098a0bff7ed7d11945e70c6]
parisc: Unbreak handling exceptions from kernel modules
[2ef4dfd9d9f288943e249b78365a69e3ea3ec072]

Herbert Xu (1):
crypto: gcm - Fix rfc4543 decryption crash
[adcbc688fe2f8107b7f564187593293aa9ea3932]

Himanshu Madhani (1):
target: Fix target_release_cmd_kref shutdown comp leak
[5e47f1985d7107331c3f64fb3ec83d66fd73577e]

Hui Wang (1):
ALSA: hda - fix front mic problem for a HP desktop
[e549d190f7b5f94e9ab36bd965028112914d010d]

Ignat Korchagin (1):
USB: usbip: fix potential out-of-bounds write
[b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb]

J. Bruce Fields (2):
nfsd4: fix bad bounds checking
[4aed9c46afb80164401143aa0fdcfe3798baa9d5]
nfsd: fix deadlock secinfo+readdir compound
[2f6fc056e899bd0144a08da5cacaecbe8997cd74]

Jakub Sitnicki (1):
ipv6: Count in extension headers in skb->network_header
[3ba3458fb9c050718b95275a3310b74415e767e2]

Jann Horn (1):
fs/coredump: prevent fsuid=0 dumps into user-controlled directories
[378c6520e7d29280f400ef2ceaf155c86f05a71a]

Jes Sorensen (1):
md/raid5: Compare apples to apples (or sectors to sectors)
[e7597e69dec59b65c5525db1626b9d34afdfa678]

Jesse Gross (1):
tunnels: Don't apply GRO to multiple layers of encapsulation.
[fac8e0f579695a3ecbc4d3cac369139d7f819971]

Jiri Kosina (1):
kbuild/mkspec: fix grub2 installkernel issue
[c8b08ca558c0067bc9e15ce3f1e70af260410bb2]

Jiri Olsa (1):
perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2
[e72daf3f4d764c47fb71c9bdc7f9c54a503825b1]

John Dahlstrom (1):
ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list
[4db9675d927a71faa66e5ab128d2390d6329750b]

Joseph Qi (2):
ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
[be12b299a83fc807bbaccd2bcb8ec50cbb0cb55c]
ocfs2/dlm: fix race between convert and recovery
[ac7cf246dfdbec3d8fed296c7bf30e16f5099dac]

Josh Boyer (1):
USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
[ea6db90e750328068837bed34cb1302b7a177339]

Julia Lawall (1):
scripts/coccinelle: modernize &
[1b669e713f277a4d4b3cec84e13d16544ac8286d]

Kan Liang (1):
perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi
[c3d266c8a9838cc141b69548bc3b1b18808ae8c4]

Kees Cook (1):
x86: standardize mmap_rnd() usage
[82168140bc4cec7ec9bad39705518541149ff8b7]

Kent Overstreet (1):
bcache: Fix more early shutdown bugs
[d83353b319d47ef8cce82467da6a25c2d558253f]

Kristian Evensen (2):
net: qmi_wwan: Add SIMCom 7230E
[18715b261541f35ccede9b8686ee3ebaac697d38]
net: qmi_wwan: Add WeTelecom-WPD600N
[e439bd4a4fdeb29488f48f14845ad35607e6302c]

Linus Walleij (2):
clk: versatile: sp810: support reentrance
[ec7957a6aa0aaf981fb8356dc47a2cdd01cde03c]
mtd: map: fix .set_vpp() documentation
[95a001f22b1c5717eafd500a43832249ddd93662]

Lior Amsalem (1):
ARM: dts: armada-375: use armada-370-sata for SATA
[b3a7f31eb7375633cd6a742f19488fc5a4208b36]

Loc Ho (1):
clk: xgene: Add missing parenthesis when clearing divider value
[0f4c7a138dfefb0ebdbaf56e3ba2acd2958a6605]

Lucas Stach (3):
PCI: imx6: Move PHY reset into imx6_pcie_establish_link()
[54a47a83421a3b7ee0e0fab7f65d04179bdf59b6]
PCI: imx6: Move link up check into imx6_pcie_wait_for_link()
[4d107d3b5a686b5834e533a00b73bf7b1cf59df7]
PCI: imx6: Remove broken Gen2 workaround
[a77c5422d7586003643377afdb9915e76d07d21c]

Manish Chopra (1):
qlge: Fix receive packets drop.
[2c9a266afefe137bff06bbe0fc48b4d3b3cb348c]

Marcin Ślusarz (1):
perf tools: handle spaces in file names obtained from /proc/pid/maps
[89fee59b504f86925894fcc9ba79d5c933842f93]

Marco Angaroni (1):
ipvs: correct initial offset of Call-ID header search in SIP persistence engine
[7617a24f83b5d67f4dab1844956be1cebc44aec8]

Mario Kleiner (1):
drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.
[459ee1c3fd097ab56ababd8ff4bb7ef6a792de33]

Markus Trippelsdorf (1):
perf pmu: Fix misleadingly indented assignment (whitespace)
[d85ce830eef6c10d1e9617172dea4681f02b8424]

Martin K. Petersen (4):
sd: Fix discard granularity when LBPRZ=1
[f4327a95dd080ed6aecb185478a88ce1ee4fa3c4]
sd: Fix excessive capacity printing on devices with blocks bigger than 512 bytes
[f08bb1e0dbdd0297258d0b8cd4dbfcc057e57b2a]
sd: Make discard granularity match logical block size when LBPRZ=1
[397737223c59e89dca7305feb6528caef8fbef84]
sd: disable discard_zeroes_data for UNMAP
[7985090aa0201fa7760583f9f8e6ba41a8d4c392]

Martin Schwidefsky (1):
s390/mm: four page table levels vs. fork
[3446c13b268af86391d06611327006b059b8bab1]

Martyn Welch (1):
USB: serial: cp210x: Adding GE Healthcare Device ID
[cddc9434e3dcc37a85c4412fb8e277d3a582e456]

Mateusz Guzik (1):
xfs: fix two memory leaks in xfs_attr_list.c error paths
[2e83b79b2d6c78bf1b4aa227938a214dcbddc83f]

Maurizio Lombardi (1):
be2iscsi: set the boot_kset pointer to NULL in case of failure
[84bd64993f916bcf86270c67686ecf4cea7b8933]

Mauro Carvalho Chehab (1):
[media] xc2028: avoid use after free
[8dfbcc4351a0b6d2f2d77f367552f48ffefafe18]

Max Filippov (2):
xtensa: ISS: don't hang if stdin EOF is reached
[362014c8d9d51d504c167c44ac280169457732be]
xtensa: clear all DBREAKC registers on start
[7de7ac785ae18a2cdc78d7560f48e3213d9ea0ab]

Michael Hennerich (1):
drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
[f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577]

Michael S. Tsirkin (1):
watchdog: rc32434_wdt: fix ioctl error handling
[10e7ac22cdd4d211cef99afcb9371b70cb175be6]

Michal Kazior (1):
mac80211: fix unnecessary frame drops in mesh fwding
[cf44012810ccdd8fd947518e965cb04b7b8498be]

Ming Lei (1):
md: multipath: don't hardcopy bio in .make_request path
[fafcde3ac1a418688a734365203a12483b83907a]

NeilBrown (1):
sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race
[a6ab1e8126d205238defbb55d23661a3a5c6a0d8]

OGAWA Hirofumi (1):
jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path
[c0a2ad9b50dd80eeccd73d9ff962234590d5ec93]

Oliver Neukum (8):
Input: ims-pcu - sanity check against missing interfaces
[a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff]
USB: cypress_m8: add endpoint sanity check
[c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754]
USB: digi_acceleport: do sanity checking for the number of ports
[5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f]
USB: mct_u232: add sanity checking in probe
[4e9a0b05257f29cf4b75f3209243ed71614d062e]
USB: usb_driver_claim_interface: add sanity checking
[0b818e3956fc1ad976bee791eadcbb3b5fec5bfd]
usb: hub: fix a typo in hub_port_init() leading to wrong logic
[0d5ce778c43bf888328231bcdce05d5c860655aa]
usb: retry reset if a device times out
[264904ccc33c604d4b3141bbd33808152dfac45b]
usbnet: cleanup after bind() in probe()
[1666984c8625b3db19a9abc298931d35ab7bc64b]

Or Gerlitz (1):
net/mlx5: Make command timeout way shorter
[6b6c07bdcdc97ccac2596063bfc32a5faddfe884]

Pali Rohár (1):
ARM: OMAP3: Add cpuidle parameters table for omap3430
[98f42221501353067251fbf11e732707dbb68ce3]

Paolo Bonzini (3):
KVM: VMX: avoid guest hang on invalid invept instruction
[2849eb4f99d54925c543db12917127f88b3c38ff]
KVM: fix spin_lock_init order on x86
[e9ad4ec8379ad1ba6f68b8ca1c26b50b5ae0a327]
compiler-gcc: disable -ftracer for __noclone functions
[95272c29378ee7dc15f43fa2758cb28a5913a06d]

Patrik Halfar (1):
Add Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card (rev3) to qmi_wwan
[fb5eb24cdd5cdb83be77d3e4b2f16e92e06bd9e9]

Peter Hurley (2):
net: irda: Fix use-after-free in irtty_open()
[401879c57f01cbf2da204ad2e8db910525c6dbea]
tty: Fix GPF in flush_to_ldisc(), part 2
[f33798deecbd59a2955f40ac0ae2bc7dff54c069]

Peter Zijlstra (1):
bitops: Do not default to __clear_bit() for __clear_bit_unlock()
[f75d48644c56a31731d17fa693c8175328957e1d]

Petr Štetiar (1):
USB: qmi_wwan: Add quirk for Quectel EC20 Mini PCIe module
[b3d8cf019fb9dd28389b08da7bf54ffabf453ed3]

Petri Gynther (1):
net: bcmgenet: fix skb_len in bcmgenet_xmit_single()
[7dd399130efb5a454daf24075b7563d197114e39]

Pieter Hollants (1):
qmi_wwan: Add support for Dell Wireless 5809e 4G Modem
[2070c48cf2b78af89ba529c00992eaaa18df8ef7]

Rabin Vincent (1):
splice: handle zero nr_pages in splice_to_pipe()
[d6785d9152147596f60234157da2b02540c3e60f]

Radim Krčmář (1):
KVM: i8254: change PIT discard tick policy
[7dd0fdff145c5be7146d0ac06732ae3613412ac1]

Raghava Aditya Renukunta (1):
aacraid: Fix memory leak in aac_fib_map_free
[f88fa79a61726ce9434df9b4aede36961f709f17]

Reinhard Speyerer (1):
qmi_wwan: add the second QMI/network interface for Sierra Wireless MC7305/MC7355
[e3426ca7bc2957ee072f61360c2b81b4adb629ad]

Rob Clark (1):
drm/dp: move hw_mutex up the call stack
[7779c5e23c5132c22a219f1f5554ef81dd15ee91]

Robert Doebbelin (1):
fuse: do not use iocb after it may have been freed
[7cabc61e01a0a8b663bd2b4c982aa53048218734]

Russell King (2):
mmc: sdhci: fix data timeout (part 1)
[fafcfda9e78cae8796d1799f14e6457790797555]
mmc: sdhci: fix data timeout (part 2)
[7f05538af71c7d30b5fc821cbe9f318edc645961]

Schemmel Hans-Christoph (1):
qmi_wwan: Added support for Gemalto's Cinterion PHxx WWAN interface
[bd9e33508c5e1eb5d807d11d7bfc52125fcdb04e]

Sebastian Frias (1):
8250: use callbacks to access UART_DLL/UART_DLM
[0b41ce991052022c030fd868e03877700220b090]

Sebastian Ott (1):
s390/pci: enforce fmb page boundary rule
[80c544ded25ac14d7cc3e555abb8ed2c2da99b84]

Sergei Shtylyov (1):
sh_eth: fix NULL pointer dereference in sh_eth_ring_format()
[c1b7fca65070bfadca94dd53a4e6b71cd4f69715]

Stephane Eranian (2):
perf/x86/intel: Add definition for PT PMI bit
[5690ae28e472d25e330ad0c637a5cea3fc39fb32]
perf/x86/pebs: Add workaround for broken OVFL status on HSW+
[8077eca079a212f26419c57226f28696b7100683]

Steven Rostedt (3):
tracing: Fix crash from reading trace_pipe with sendfile
[a29054d9478d0435ab01b7544da4f674ab13f533]
tracing: Fix trace_printk() to print when not using bprintk()
[3debb0a9ddb16526de8b456491b7db60114f7b5e]
tracing: Have preempt(irqs)off trace preempt disabled functions
[cb86e05390debcc084cfdb0a71ed4c5dbbec517d]

Suba...@Codeaurora.Org (1):
xfrm: Fix crash observed during device unregistration and decryption
[071d36bf21bcc837be00cea55bcef8d129e7f609]

Sudip Mukherjee (1):
mac80211: fix memory leak
[ea32f065bd3e3e09f0bcb3042f1664caf6b3e233]

Sushaanth Srirangapathi (1):
fbdev: da8xx-fb: fix videomodes of lcd panels
[713fced8d10fa1c759c8fb6bf9aaa681bae68cad]

Takashi Iwai (3):
ALSA: hda - Fix unconditional GPIO toggle via automute
[1f7c6658962fa1260c1658d681bd6bb0c746b99a]
ALSA: timer: Use mod_timer() for rearming the system timer
[4a07083ed613644c96c34a7dd2853dc5d7c70902]
ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
[902eb7fd1e4af3ac69b9b30f8373f118c92b9729]

Thadeu Lima de Souza Cascardo (1):
ip6_tunnel: set rtnl_link_ops before calling register_netdevice
[b6ee376cb0b7fb4e7e07d6cd248bd40436fb9ba6]

Theodore Ts'o (1):
ext4: add lockdep annotations for i_data_sem
[daf647d2dd58cec59570d7698a45b98e580f2076]

Thomas Gleixner (1):
sched/cputime: Fix steal time accounting vs. CPU hotplug
[e9532e69b8d1d1284e8ecf8d2586de34aec61244]

Tiffany Lin (1):
[media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32
[7df5ab8774aa383c6d2bff00688d004585d96dfd]

Tom Lendacky (4):
crypto: ccp - Add hash state import and export support
[952bce9792e6bf36fda09c2e5718abb5d9327369]
crypto: ccp - Don't assume export/import areas are aligned
[b31dde2a5cb1bf764282abf934266b7193c2bc7c]
crypto: ccp - Limit the amount of information exported
[d1662165ae612ec8b5f94a6b07e65ea58b6dce34]
crypto: ccp - memset request context to zero during import
[ce0ae266feaf35930394bd770c69778e4ef03ba9]

Tomas Winkler (1):
mei: fix possible integer overflow issue
[f862b6b24f0ffd954633a55f39251a6873b664ca]

Vinayak Menon (1):
of: alloc anywhere from memblock if range not specified
[e53b50c0cbe392c946807abf7d07615a3c588642]

Vittorio Gambaletta (1):
ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.
[4061db03dd71d195b9973ee466f6ed32f6a3fc16]

Vladis Dronov (1):
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
[836b34a935abc91e13e63053d0a83b24dfb5ea78]

Willem de Bruijn (3):
ax25: add link layer header validation function
[ea47781c26510e5d97f80f9aceafe9065bd5e3aa]
macvtap: always pass ethernet header in linear
[8e2ad4113ce4671686740f808ff2795395c39eef]
net: validate variable length ll headers
[2793a23aacbd754dbbb5cb75093deb7e4103bace]

Xin Long (2):
sctp: fix the transports round robin issue when init is retransmitted
[39d2adebf137de5f900843f69f5e500932e31047]
sctp: lack the check for ports in sctp_v6_cmp_addr
[40b4f0fd74e46c017814618d67ec9127ff20f157]

Xishi Qiu (1):
mm: fix invalid node in alloc_migrate_target()
[6f25a14a7053b69917e2ebea0d31dd444cd31fd5]

Yong Li (1):
gpio: pca953x: Use correct u16 value for register word write
[9b8e3ec34318663affced3c14d960e78d760dd9a]

Yoshihiro Shimoda (3):
usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
[894f2fc44f2f3f48c36c973b1123f6ab298be160]
usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
[6490865c67825277b29638e839850882600b48ec]
usb: renesas_usbhs: fix to avoid using a disabled ep in usbhsg_queue_done()
[4fccb0767fdbdb781a9c5b5c15ee7b219443c89d]

Yuki Shibuya (1):
KVM: x86: Inject pending interrupt even if pending nmi exist
[321c5658c5e9192dea0d58ab67cf1791e45b2b26]

MAINTAINERS | 92 +++++++-------
Makefile | 4 +-
arch/arm/boot/dts/armada-375.dtsi | 2 +-
arch/arm/mach-davinci/Kconfig | 14 +--
arch/arm/mach-davinci/board-dm644x-evm.c | 8 +-
arch/arm/mach-davinci/board-dm646x-evm.c | 7 ++
arch/arm/mach-omap2/cpuidle34xx.c | 69 ++++++++++-
arch/parisc/include/asm/uaccess.h | 1 +
arch/parisc/kernel/asm-offsets.c | 1 +
arch/parisc/kernel/parisc_ksyms.c | 10 +-
arch/parisc/kernel/traps.c | 3 +
arch/parisc/lib/fixup.S | 6 +
arch/parisc/mm/fault.c | 1 +
arch/s390/include/asm/mmu_context.h | 20 +--
arch/s390/include/asm/pci.h | 2 +-
arch/s390/include/asm/pgalloc.h | 24 +++-
arch/s390/pci/pci.c | 5 +-
arch/um/drivers/mconsole_kern.c | 2 +-
arch/x86/include/asm/apic.h | 2 +-
arch/x86/include/asm/perf_event.h | 2 +
arch/x86/kernel/cpu/perf_event.c | 13 ++
arch/x86/kernel/cpu/perf_event.h | 3 +
arch/x86/kernel/cpu/perf_event_intel.c | 28 ++++-
arch/x86/kernel/cpu/perf_event_intel_ds.c | 24 +++-
arch/x86/kernel/cpu/perf_event_knc.c | 4 +-
arch/x86/kernel/ioport.c | 12 +-
arch/x86/kvm/i8254.c | 12 +-
arch/x86/kvm/vmx.c | 1 +
arch/x86/kvm/x86.c | 20 +--
arch/x86/mm/mmap.c | 44 +++----
arch/x86/pci/fixup.c | 7 ++
arch/xtensa/kernel/head.S | 2 +-
arch/xtensa/platforms/iss/console.c | 10 +-
crypto/gcm.c | 3 +
drivers/block/mtip32xx/mtip32xx.c | 35 +++---
drivers/block/mtip32xx/mtip32xx.h | 5 +
drivers/block/nbd.c | 4 +-
drivers/block/paride/pd.c | 4 +-
drivers/block/paride/pt.c | 4 +-
drivers/bluetooth/ath3k.c | 8 ++
drivers/bluetooth/btusb.c | 4 +
drivers/bus/imx-weim.c | 2 +-
drivers/clk/clk-xgene.c | 4 +-
drivers/clk/versatile/clk-sp810.c | 4 +-
drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 36 ++++++
drivers/crypto/ccp/ccp-crypto-sha.c | 40 ++++++
drivers/crypto/ccp/ccp-crypto.h | 22 ++++
drivers/edac/amd64_edac.c | 2 +-
drivers/gpio/gpio-pca953x.c | 3 +-
drivers/gpio/gpiolib.c | 4 +-
drivers/gpu/drm/drm_dp_helper.c | 27 ++--
drivers/gpu/drm/radeon/atombios_encoders.c | 6 +-
drivers/gpu/drm/radeon/radeon.h | 1 +
drivers/gpu/drm/radeon/radeon_device.c | 74 ++++++++---
drivers/gpu/drm/radeon/si_dpm.c | 6 +
drivers/gpu/drm/udl/udl_fb.c | 2 +-
drivers/gpu/drm/udl/udl_gem.c | 2 +-
drivers/hid/hid-core.c | 7 +-
drivers/hid/i2c-hid/i2c-hid.c | 16 ++-
drivers/hwmon/max1111.c | 6 +
drivers/infiniband/ulp/srpt/ib_srpt.c | 59 +--------
drivers/input/misc/ims-pcu.c | 4 +
drivers/input/mouse/synaptics.c | 5 +-
drivers/md/bcache/super.c | 42 ++++---
drivers/md/multipath.c | 4 +-
drivers/md/raid5.c | 4 +-
drivers/media/i2c/adv7511.c | 21 +++-
drivers/media/pci/bt8xx/bttv-driver.c | 26 +++-
drivers/media/pci/saa7134/saa7134-video.c | 18 ++-
drivers/media/tuners/tuner-xc2028.c | 6 +-
drivers/media/usb/pwc/pwc-if.c | 6 +
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 21 ++--
drivers/misc/Kconfig | 2 +-
drivers/misc/ad525x_dpot.c | 2 +-
drivers/misc/mei/amthif.c | 5 +-
drivers/misc/mei/client.c | 4 +-
drivers/misc/mei/interrupt.c | 24 ++--
drivers/misc/mei/main.c | 5 +-
drivers/misc/mei/mei_dev.h | 4 +-
drivers/mmc/host/sdhci.c | 17 ++-
drivers/mtd/onenand/onenand_base.c | 3 +-
drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 +-
drivers/net/ethernet/jme.c | 26 ++--
drivers/net/ethernet/marvell/mvneta.c | 2 +-
.../net/ethernet/mellanox/mlx4/resource_tracker.c | 3 +-
drivers/net/ethernet/micrel/ks8842.c | 10 +-
drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11 ++
drivers/net/ethernet/renesas/sh_eth.c | 3 +-
drivers/net/irda/irtty-sir.c | 10 --
drivers/net/macvtap.c | 9 +-
drivers/net/phy/mdio-sun4i.c | 4 +-
drivers/net/ppp/ppp_generic.c | 35 +++---
drivers/net/rionet.c | 4 +-
drivers/net/tun.c | 8 +-
drivers/net/usb/cdc_ncm.c | 6 +-
drivers/net/usb/qmi_wwan.c | 34 +++++
drivers/net/usb/usbnet.c | 7 ++
drivers/net/wan/farsync.c | 2 +-
drivers/net/wireless/ath/ath9k/eeprom.c | 7 +-
drivers/net/wireless/mwifiex/sta_ioctl.c | 1 +
drivers/net/wireless/rt2x00/rt2800usb.c | 1 +
drivers/of/of_reserved_mem.c | 4 +-
drivers/pci/host/pci-imx6.c | 73 +++++------
drivers/pci/probe.c | 14 +++
drivers/platform/x86/ideapad-laptop.c | 14 +++
drivers/regulator/s5m8767.c | 13 +-
drivers/rtc/rtc-hym8563.c | 2 +-
drivers/rtc/rtc-vr41xx.c | 13 +-
drivers/scsi/aacraid/commsup.c | 9 +-
drivers/scsi/be2iscsi/be_main.c | 1 +
drivers/scsi/lpfc/lpfc_init.c | 5 +-
drivers/scsi/sd.c | 56 +++++----
drivers/scsi/sd.h | 7 +-
drivers/scsi/sg.c | 3 +-
drivers/staging/usbip/usbip_common.c | 11 ++
drivers/target/target_core_transport.c | 2 -
drivers/tty/serial/8250/8250_core.c | 18 +--
drivers/tty/serial/sh-sci.c | 39 ------
drivers/usb/core/driver.c | 6 +-
drivers/usb/core/hub.c | 16 ++-
drivers/usb/dwc3/dwc3-keystone.c | 5 -
drivers/usb/renesas_usbhs/fifo.c | 4 +-
drivers/usb/renesas_usbhs/mod_gadget.c | 6 +-
drivers/usb/serial/cp210x.c | 1 +
drivers/usb/serial/cypress_m8.c | 11 +-
drivers/usb/serial/digi_acceleport.c | 19 +++
drivers/usb/serial/ftdi_sio.c | 4 +
drivers/usb/serial/ftdi_sio_ids.h | 8 ++
drivers/usb/serial/mct_u232.c | 9 +-
drivers/usb/serial/option.c | 2 +
drivers/usb/storage/uas.c | 6 +-
drivers/video/fbdev/Kconfig | 1 -
drivers/video/fbdev/da8xx-fb.c | 7 +-
drivers/watchdog/rc32434_wdt.c | 2 +-
drivers/xen/events/events_base.c | 28 ++++-
fs/btrfs/tree-log.c | 137 +++++++++++++++++++++
fs/coredump.c | 30 ++++-
fs/ext4/ext4.h | 23 ++++
fs/ext4/inode.c | 6 +-
fs/ext4/move_extent.c | 11 +-
fs/ext4/super.c | 25 +++-
fs/fhandle.c | 2 +-
fs/fuse/file.c | 5 +-
fs/jbd2/journal.c | 17 ++-
fs/nfsd/nfs4proc.c | 1 +
fs/nfsd/nfs4xdr.c | 13 +-
fs/ocfs2/dlm/dlmconvert.c | 24 +++-
fs/ocfs2/dlm/dlmrecovery.c | 1 -
fs/open.c | 6 +-
fs/proc_namespace.c | 3 +
fs/splice.c | 3 +
fs/xfs/xfs_attr_list.c | 19 +--
include/asm-generic/bitops/lock.h | 14 +--
include/linux/compiler-gcc4.h | 2 +-
include/linux/compiler-gcc5.h | 2 +-
include/linux/filter.h | 3 +
include/linux/fs.h | 2 +-
include/linux/kernel.h | 6 +-
include/linux/mlx5/driver.h | 2 +-
include/linux/mtd/map.h | 7 +-
include/linux/netdevice.h | 25 +++-
include/linux/pci.h | 1 +
include/linux/tty.h | 2 +-
kernel/events/core.c | 7 +-
kernel/sched/core.c | 1 +
kernel/sched/cputime.c | 14 +--
kernel/sched/sched.h | 13 ++
kernel/sysctl_binary.c | 2 +-
kernel/trace/trace.c | 5 +-
kernel/trace/trace_irqsoff.c | 8 +-
kernel/trace/trace_printk.c | 3 +
mm/page_isolation.c | 8 +-
net/ax25/ax25_ip.c | 15 +++
net/core/dev.c | 2 +-
net/core/filter.c | 25 ++--
net/ipv4/gre_offload.c | 5 +
net/ipv4/netfilter/arp_tables.c | 41 +++---
net/ipv4/netfilter/ip_tables.c | 46 +++----
net/ipv4/udp_offload.c | 6 +-
net/ipv6/ip6_output.c | 9 +-
net/ipv6/ip6_tunnel.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 46 +++----
net/ipv6/udp.c | 6 +-
net/l2tp/l2tp_ip.c | 8 +-
net/l2tp/l2tp_ip6.c | 8 +-
net/mac80211/rx.c | 5 +-
net/mac80211/sta_info.c | 16 ++-
net/netfilter/ipvs/ip_vs_pe_sip.c | 2 +-
net/sctp/associola.c | 2 +-
net/sctp/ipv6.c | 2 +
net/sctp/transport.c | 2 +-
net/socket.c | 38 +++---
net/sunrpc/cache.c | 6 +-
net/xfrm/xfrm_input.c | 3 +
scripts/coccinelle/iterators/use_after_iter.cocci | 2 +-
scripts/kconfig/confdata.c | 14 +--
scripts/package/mkspec | 8 +-
sound/core/timer.c | 4 +-
sound/pci/hda/patch_cirrus.c | 8 +-
sound/pci/hda/patch_hdmi.c | 2 +
sound/pci/hda/patch_realtek.c | 19 ++-
sound/pci/intel8x0.c | 1 +
sound/soc/samsung/s3c-i2s-v2.c | 2 +-
sound/soc/samsung/s3c-i2s-v2.h | 2 +-
sound/usb/quirks.c | 26 ++--
sound/usb/stream.c | 6 +-
tools/perf/Documentation/perf-stat.txt | 8 ++
tools/perf/util/event.c | 2 +-
tools/perf/util/pmu.c | 17 +--
virt/kvm/kvm_main.c | 21 ++--
210 files changed, 1739 insertions(+), 827 deletions(-)

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Ben Hutchings

Apr 28, 2016, 11:50:09 AM
On Wed, 2016-04-27 at 01:02 +0200, Ben Hutchings wrote:
> 3.16.35-rc1 review patch.  If anyone has any objections, please let me know.

Also dropping this from 3.16-longterm.

Ben.

> ------------------
>
> From: Yoshihiro Shimoda <yoshihiro....@renesas.com>
>
> commit 4fccb0767fdbdb781a9c5b5c15ee7b219443c89d upstream.
>
> This patch fixes an issue that usbhsg_queue_done() may cause kernel
> panic when dma callback is running and usb_ep_disable() is called
> by interrupt handler. (Especially, we can reproduce this issue using
> g_audio with usb-dmac driver.)
>
> For example of a flow:
>  usbhsf_dma_complete (on tasklet)
>   --> usbhsf_pkt_handler (on tasklet)
>    --> usbhsg_queue_done (on tasklet)
>     *** interrupt happened and usb_ep_disable() is called ***
>     --> usbhsg_queue_pop (on tasklet)
>      Then, oops happened.
>
> Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
> Signed-off-by: Yoshihiro Shimoda <yoshihiro....@renesas.com>
> Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
> Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
> ---
>  drivers/usb/renesas_usbhs/mod_gadget.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> --- a/drivers/usb/renesas_usbhs/mod_gadget.c
> +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
> @@ -137,10 +137,14 @@ static void usbhsg_queue_done(struct usb
>   struct usbhs_pipe *pipe = pkt->pipe;
>   struct usbhsg_uep *uep = usbhsg_pipe_to_uep(pipe);
>   struct usbhsg_request *ureq = usbhsg_pkt_to_ureq(pkt);
> + unsigned long flags;
>  
>   ureq->req.actual = pkt->actual;
>  
> - usbhsg_queue_pop(uep, ureq, 0);
> + usbhs_lock(priv, flags);
> + if (uep)
> + __usbhsg_queue_pop(uep, ureq, 0);
> + usbhs_unlock(priv, flags);
>  }
>  
>  static void usbhsg_queue_push(struct usbhsg_uep *uep,
>
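Review bot: in usbhsg_queue_done(), uep is still fetched by usbhsg_pipe_to_uep(pipe) in the declarations, before usbhs_lock() is taken, so the new "if (uep)" test under the lock checks a pointer that was sampled outside it. If the race being closed is usb_ep_disable() running from the interrupt handler, as the commit message describes, consider moving the usbhsg_pipe_to_uep() lookup inside the locked region so the NULL check and the __usbhsg_queue_pop() call see the same state. The write to ureq->req.actual also stays outside the lock; a short comment saying why that is safe would help.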
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majo...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
Ben Hutchings
All extremists should be taken out and shot.

Guenter Roeck

Apr 28, 2016, 2:10:05 PM
On Wed, Apr 27, 2016 at 01:02:20AM +0200, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.35 release.
> There are 217 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Apr 30 22:00:00 UTC 2016.
> Anything received after that time might be too late.
>
Build results:
total: 138 pass: 119 fail: 19
Failed builds:
alpha:allmodconfig
arc:allnoconfig
arm:allmodconfig
arm:imx_v6_v7_defconfig
arm:shmobile_defconfig
arm64:allmodconfig
i386:allyesconfig
i386:allmodconfig
m68k:allmodconfig
m68k:allnoconfig
mips:allmodconfig
parisc:allmodconfig
powerpc:allmodconfig
s390:allmodconfig
sparc32:allmodconfig
sparc64:allmodconfig
x86_64:allyesconfig
x86_64:allmodconfig
xtensa:allmodconfig

Qemu test results:
total: 98 pass: 93 fail: 5
Failed tests:
arm:kzm:imx_v6_v7_defconfig
arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc702
arm:smdkc210:multi_v7_defconfig:exynos4210-smdkv310
arm64:smp:defconfig
arm64:nosmp:defconfig

A quick glance through the build results suggests that the build failures can
probably be fixed by pulling in a couple of missing patches. For the qemu tests,
I'll run a comparison against 3.16.7 to see if those are new failures.

Details are available at http://kerneltests.org/builders.

Guenter

Guenter Roeck

Apr 29, 2016, 12:20:07 AM
On 04/26/2016 04:02 PM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.35 release.
> There are 217 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Apr 30 22:00:00 UTC 2016.
> Anything received after that time might be too late.
>

Updated build and test results:

Build results:
total: 137 pass: 135 fail: 2
Failed builds:
arc:allnoconfig
arm64:allmodconfig

Qemu test results:
total: 97 pass: 94 fail: 3
Failed tests:
arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc706
arm64:smp:defconfig
arm64:nosmp:defconfig

This is after dropping a couple of builds and qemu tests which are
known to be bad in 3.16, and after some fixes in the tree.

The arm64 build failure is due to gcc5, which needs a patch from a
later kernel. The other failures are new and did not occur in 3.16.7.

A bisect of the arm64 qemu failure points to commit f98ab7a1e78
("mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't
make any progress"). Unfortunately, that is inconclusive, since there
have been several follow-up commits trying to fix it. After reverting
all those commits, the test still fails.

Guenter

Ben Hutchings

Apr 30, 2016, 3:50:06 PM
Thank you very much for the analysis. I'll look at the failures later
as none of them appear to be related to the current patch series.

Ben.

--
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.

Guenter Roeck

Apr 30, 2016, 7:30:07 PM
On 04/30/2016 12:44 PM, Ben Hutchings wrote:
> On Thu, 2016-04-28 at 21:16 -0700, Guenter Roeck wrote:
>> On 04/26/2016 04:02 PM, Ben Hutchings wrote:
>>>
>>> This is the start of the stable review cycle for the 3.16.35 release.
>>> There are 217 patches in this series, which will be posted as responses
>>> to this one. If anyone has any issues with these being applied, please
>>> let me know.
>>>
>>> Responses should be made by Sat Apr 30 22:00:00 UTC 2016.
>>> Anything received after that time might be too late.
>>>
>> Updated build and test results:
>>
>> Build results:
>> total: 137 pass: 135 fail: 2
>> Failed builds:
>> arc:allnoconfig
>> arm64:allmodconfig
>>
>> Qemu test results:
>> total: 97 pass: 94 fail: 3
>> Failed tests:
>> arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc706

Update:

This failure was sporadic and easily fixed by adding "rootwait"
to the command line options.

Guenter

Greg Kroah-Hartman

May 2, 2016, 8:20:06 PM
3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <ne...@suse.com>

commit a6ab1e8126d205238defbb55d23661a3a5c6a0d8 upstream.

sunrpc_cache_pipe_upcall() can detect a race if CACHE_PENDING is no longer
set. In this case it aborts the queuing of the upcall.
However it has already taken a new counted reference on "h" and
doesn't "put" it, even though it frees the data structure holding the reference.

So let's delay the "cache_get" until we know we need it.

Fixes: f9e1aedc6c79 ("sunrpc/cache: remove races with queuing an upcall.")
Signed-off-by: NeilBrown <ne...@suse.com>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Greg Kroah-Hartman

May 2, 2016, 8:20:07 PM
3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eryu Guan <guan...@gmail.com>

commit 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 upstream.

ext4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on
error (e.g. EIO) and iloc.bh can be NULL in this case. But the error is
ignored in the following "if" condition and ext4_expand_extra_isize()
might be called with NULL iloc.bh set, which triggers NULL pointer
dereference.

This is uncovered by commit 8b4953e13f4c ("ext4: reserve code points for
the project quota feature"), which enlarges the ext4_inode size, and
run the following script on new kernel but with old mke2fs:

#!/bin/bash
# Reproducer: create ext4 on a dm-linear device, then load a dm-error table
# so that later metadata reads fail with EIO.
mnt=/mnt/ext4
devname=ext4-error
dev=/dev/mapper/$devname
fsimg=/home/fs.img

trap cleanup 0 1 2 3 9 15

cleanup()
{
	umount $mnt >/dev/null 2>&1
	dmsetup remove $devname
	losetup -d $backend_dev
	rm -f $fsimg
	exit 0
}

rm -f $fsimg
fallocate -l 1g $fsimg
backend_dev=`losetup -f --show $fsimg`
devsize=`blockdev --getsz $backend_dev`

good_tab="0 $devsize linear $backend_dev 0"
error_tab="0 $devsize error $backend_dev 0"

dmsetup create $devname --table "$good_tab"

mkfs -t ext4 $dev
mount -t ext4 -o errors=continue,strictatime $dev $mnt

# Switch the mapping to the error target, drop cached inodes, then touch the fs.
dmsetup load $devname --table "$error_tab" && dmsetup resume $devname
echo 3 > /proc/sys/vm/drop_caches
ls -l $mnt
exit 0

[ Patch changed to simplify the function a tiny bit. -- Ted ]

Signed-off-by: Eryu Guan <guan...@gmail.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Cc: Jan Kara <ja...@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
fs/ext4/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4972,6 +4972,8 @@ int ext4_mark_inode_dirty(handle_t *hand
might_sleep();
trace_ext4_mark_inode_dirty(inode, _RET_IP_);
err = ext4_reserve_inode_write(handle, inode, &iloc);
+ if (err)
+ return err;
if (ext4_handle_valid(handle) &&
EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize &&
!ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) {
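Review bot: the early "if (err) return err;" after ext4_reserve_inode_write() carries no comment explaining why the function must stop here. The commit message says iloc.bh can be NULL when the reserve fails; a one-line comment to that effect above the check would keep a later cleanup from moving the error test back below the i_extra_isize block.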
@@ -5002,9 +5004,7 @@ int ext4_mark_inode_dirty(handle_t *hand
}
}
}
- if (!err)
- err = ext4_mark_iloc_dirty(handle, inode, &iloc);
- return err;
+ return ext4_mark_iloc_dirty(handle, inode, &iloc);
}

/*
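Review bot: replacing the "if (!err)" tail with an unconditional "return ext4_mark_iloc_dirty(handle, inode, &iloc);" is only equivalent if nothing between the two hunks assigns err again. Those lines are not part of the diff, so for this 3.14 backport it is worth confirming that the expansion block reports its failures through a different variable; otherwise an error set there would now be silently overwritten by the return value of ext4_mark_iloc_dirty().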

Greg Kroah-Hartman

May 2, 2016, 8:20:09 PM
3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Kochetkov <al.k...@gmail.com>

commit d5861262210067fc01b2fb4f7af2fd85a3453f15 upstream.

Year field must be in BCD format, according to
hym8563 datasheet.

Due to the bug year 2016 became 2010.

Fixes: dcaf03849352 ("rtc: add hym8563 rtc-driver")
Signed-off-by: Alexander Kochetkov <al.k...@gmail.com>
Signed-off-by: Alexandre Belloni <alexandr...@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
drivers/rtc/rtc-hym8563.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
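
The arithmetic behind "year 2016 became 2010" in the commit message above, as an added example that is not part of the original post or of the driver. It assumes the year register holds a two-digit offset from 2000 in one byte and that the read path decodes that byte as BCD; all function names are hypothetical.

```c
#include <stdio.h>

/* Same arithmetic as BCD conversion helpers, reimplemented here so the
 * example builds in user space (hypothetical names). */
static unsigned char to_bcd(unsigned int v)
{
    return (unsigned char)(((v / 10) << 4) | (v % 10));
}

static unsigned int from_bcd(unsigned char b)
{
    return (unsigned int)(b >> 4) * 10 + (b & 0x0f);
}

/* Assumption: the register stores (year - 2000).
 * use_bcd = 0 models the buggy write (raw binary),
 * use_bcd = 1 models the fixed write (BCD encoded). */
static unsigned char encode_year(int year, int use_bcd)
{
    unsigned int off = (unsigned int)(year - 2000);

    return use_bcd ? to_bcd(off) : (unsigned char)off;
}

/* Assumption: the read path always treats the register as BCD. */
static int decode_year(unsigned char reg)
{
    return 2000 + (int)from_bcd(reg);
}

/* Write a year with the chosen encoding and read it back. */
int roundtrip_year(int year, int use_bcd)
{
    return decode_year(encode_year(year, use_bcd));
}

/* First year in 2000..2099 that the raw-binary write corrupts.
 * Offsets 0..15 have a zero high nibble, so decoding them as BCD
 * happens to return the same number; 16 (0x10) is the first that
 * decodes differently. Returns -1 if none is found. */
int first_bad_year(void)
{
    for (int y = 2000; y <= 2099; y++)
        if (roundtrip_year(y, 0) != y)
            return y;
    return -1;
}

int main(void)
{
    printf("raw write,  2016 reads back as %d\n", roundtrip_year(2016, 0));
    printf("BCD write,  2016 reads back as %d\n", roundtrip_year(2016, 1));
    printf("first year corrupted by the raw write: %d\n", first_bad_year());
    return 0;
}
```

Under these assumptions the raw write round-trips correctly for every year up to 2015, which is consistent with the bug only being reported in 2016.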

Greg Kroah-Hartman

May 2, 2016, 8:20:10 PM
3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+...@glider.be>

commit ff1cab374ad98f4b9f408525ca9c08992b4ed784 upstream.

The BSP team noticed that there is spin/mutex lock issue on sh-sci when
CPUFREQ is used. The issue is that the notifier function may call
mutex_lock() while the spinlock is held, which can lead to a BUG().
This may happen if CPUFREQ is changed while another CPU calls
clk_get_rate().

Taking the spinlock was added to the notifier function in commit
e552de2413edad1a ("sh-sci: add platform device private data"), to
protect the list of serial ports against modification during traversal.
At that time the Common Clock Framework didn't exist yet, and
clk_get_rate() just returned clk->rate without taking a mutex.
Note that since commit d535a2305facf9b4 ("serial: sh-sci: Require a
device per port mapping."), there's no longer a list of serial ports to
traverse, and taking the spinlock became superfluous.

To fix the issue, just remove the cpufreq notifier:
1. The notifier doesn't work correctly: all it does is update stored
clock rates; it does not update the divider in the hardware.
The divider will only be updated when calling sci_set_termios().
I believe this was broken back in 2004, when the old
drivers/char/sh-sci.c driver (where the notifier did update the
divider) was replaced by drivers/serial/sh-sci.c (where the
notifier just updated port->uartclk).
Cfr. full-history-linux commits 6f8deaef2e9675d9 ("[PATCH] sh: port
sh-sci driver to the new API") and 3f73fe878dc9210a ("[PATCH]
Remove old sh-sci driver").
2. On modern SoCs, the sh-sci parent clock rate is no longer related
to the CPU clock rate anyway, so using a cpufreq notifier is
futile.

Signed-off-by: Geert Uytterhoeven <geert+...@glider.be>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>



---
drivers/tty/serial/sh-sci.c | 39 ---------------------------------------
1 file changed, 39 deletions(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -38,7 +38,6 @@
#include <linux/major.h>
#include <linux/module.h>
#include <linux/mm.h>
-#include <linux/notifier.h>
#include <linux/of.h>
#include <linux/platform_device.h>
#include <linux/pm_runtime.h>
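Review bot: only <linux/notifier.h> is dropped from the include block, while the rest of the patch removes every visible CPUFREQ_* and cpufreq_*_notifier() use. If the file also includes <linux/cpufreq.h> above the context shown here, that include looks unused after this change and could be removed in the same patch.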
@@ -118,8 +117,6 @@ struct sci_port {
struct timer_list rx_timer;
unsigned int rx_timeout;
#endif
-
- struct notifier_block freq_transition;
};

/* Function prototypes */
@@ -1029,30 +1026,6 @@ static irqreturn_t sci_mpxed_interrupt(i
return ret;
}

-/*
- * Here we define a transition notifier so that we can update all of our
- * ports' baud rate when the peripheral clock changes.
- */
-static int sci_notifier(struct notifier_block *self,
- unsigned long phase, void *p)
-{
- struct sci_port *sci_port;
- unsigned long flags;
-
- sci_port = container_of(self, struct sci_port, freq_transition);
-
- if ((phase == CPUFREQ_POSTCHANGE) ||
- (phase == CPUFREQ_RESUMECHANGE)) {
- struct uart_port *port = &sci_port->port;
-
- spin_lock_irqsave(&port->lock, flags);
- port->uartclk = clk_get_rate(sci_port->iclk);
- spin_unlock_irqrestore(&port->lock, flags);
- }
-
- return NOTIFY_OK;
-}
-
static struct sci_irq_desc {
const char *desc;
irq_handler_t handler;
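Review bot: with sci_notifier() removed, no remaining line in this diff refreshes port->uartclk after a clock rate change, and the removed function was the only updater shown. The commit message says the hardware divider is only reprogrammed in sci_set_termios(); please confirm for this backport that sci_set_termios() derives the rate from clk_get_rate() rather than from the cached port->uartclk, so a stale value cannot produce a wrong baud divider.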
@@ -2406,9 +2379,6 @@ static int sci_remove(struct platform_de
{
struct sci_port *port = platform_get_drvdata(dev);

- cpufreq_unregister_notifier(&port->freq_transition,
- CPUFREQ_TRANSITION_NOTIFIER);
-
uart_remove_one_port(&sci_uart_driver, &port->port);

sci_cleanup_single(port);
@@ -2559,15 +2529,6 @@ static int sci_probe(struct platform_dev
if (ret)
return ret;

- sp->freq_transition.notifier_call = sci_notifier;
-
- ret = cpufreq_register_notifier(&sp->freq_transition,
- CPUFREQ_TRANSITION_NOTIFIER);
- if (unlikely(ret < 0)) {
- sci_cleanup_single(sp);
- return ret;
- }
-
#ifdef CONFIG_SH_STANDARD_BIOS
sh_bios_gdb_detach();
#endif

Greg Kroah-Hartman

May 2, 2016, 8:30:05 PM
4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <ne...@suse.com>

commit a6ab1e8126d205238defbb55d23661a3a5c6a0d8 upstream.

sunrpc_cache_pipe_upcall() can detect a race if CACHE_PENDING is no longer
set. In this case it aborts the queuing of the upcall.
However it has already taken a new counted reference on "h" and
doesn't "put" it, even though it frees the data structure holding the reference.

So let's delay the "cache_get" until we know we need it.

Fixes: f9e1aedc6c79 ("sunrpc/cache: remove races with queuing an upcall.")
Signed-off-by: NeilBrown <ne...@suse.com>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
net/sunrpc/cache.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1182,14 +1182,14 @@ int sunrpc_cache_pipe_upcall(struct cach

Greg Kroah-Hartman

May 2, 2016, 9:10:08 PM
4.5-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Kochetkov <al.k...@gmail.com>

commit d5861262210067fc01b2fb4f7af2fd85a3453f15 upstream.

Year field must be in BCD format, according to
hym8563 datasheet.

Due to the bug year 2016 became 2010.

Fixes: dcaf03849352 ("rtc: add hym8563 rtc-driver")
Signed-off-by: Alexander Kochetkov <al.k...@gmail.com>
Signed-off-by: Alexandre Belloni <alexandr...@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

Greg Kroah-Hartman

May 2, 2016, 10:10:06 PM
3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <her...@gondor.apana.org.au>

This bug has already been fixed upstream since 4.2. However, it
was fixed during the AEAD conversion so no fix was backported to
the older kernels.

When we do an RFC 4543 decryption, we will end up writing the
ICV beyond the end of the dst buffer. This should lead to a
crash but for some reason it was never noticed.

This patch fixes it by only writing back the ICV for encryption.

Fixes: d733ac90f9fe ("crypto: gcm - fix rfc4543 to handle async...")
Reported-by: Patrick Meyer <patric...@vasgard.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
crypto/gcm.c | 3 +++
1 file changed, 3 insertions(+)

--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc45
aead_request_set_tfm(subreq, ctx->child);
aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done,
req);
+ if (!enc)
+ aead_request_set_callback(subreq, req->base.flags,
+ req->base.complete, req->base.data);
aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
aead_request_set_assoc(subreq, assoc, assoclen);
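Review bot: for the !enc case the subrequest callback is set twice, first to crypto_rfc4543_done and then overridden with req->base.complete and req->base.data. An if/else that calls aead_request_set_callback() once would make it obvious that decryption bypasses crypto_rfc4543_done entirely. Since that bypass is the fix for the ICV write past the end of dst, a short comment above the "if (!enc)" saying so would help, and it is worth checking that crypto_rfc4543_done does no other per-request cleanup that decryption still needs.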
