
[PATCH 4.2.y-ckt 003/273] [media] usbvision: fix crash on detecting device with invalid configuration


Kamal Mostafa

Mar 7, 2016, 6:00:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vladis Dronov <vdr...@redhat.com>

commit fa52bd506f274b7619955917abfde355e3d19ffe upstream.

The usbvision driver crashes when a specially crafted usb device with invalid
number of interfaces or endpoints is detected. This fix adds checks that the
device has proper configuration expected by the driver.

Reported-by: Ralf Spenneberg <ra...@spenneberg.net>
Signed-off-by: Vladis Dronov <vdr...@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@osg.samsung.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/media/usb/usbvision/usbvision-video.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
index 2f98fc2..ac95bbd 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1542,9 +1542,23 @@ static int usbvision_probe(struct usb_interface *intf,

if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
- else
+ else if (ifnum < dev->actconfig->desc.bNumInterfaces)
interface = &dev->actconfig->interface[ifnum]->altsetting[0];
+ else {
+ dev_err(&intf->dev, "interface %d is invalid, max is %d\n",
+ ifnum, dev->actconfig->desc.bNumInterfaces - 1);
+ ret = -ENODEV;
+ goto err_usb;
+ }
+
+ if (interface->desc.bNumEndpoints < 2) {
+ dev_err(&intf->dev, "interface %d has %d endpoints, but must"
+ " have minimum 2\n", ifnum, interface->desc.bNumEndpoints);
+ ret = -ENODEV;
+ goto err_usb;
+ }
endpoint = &interface->endpoint[1].desc;
+
if (!usb_endpoint_xfer_isoc(endpoint)) {
dev_err(&intf->dev, "%s: interface %d. has non-ISO endpoint!\n",
__func__, ifnum);
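
Review bot: The new `ifnum < dev->actconfig->desc.bNumInterfaces` test covers only the `else` path; the first branch still indexes `dev->actconfig->interface[usbvision_device_data[model].interface]` with the table value and no comparison against `bNumInterfaces`, so a device reporting fewer interfaces than the model table expects is not rejected there. Apply the same bound to both indices before dereferencing `->altsetting[0]`. Minor: the `dev_err()` format string is split across two source lines ("but must" " have minimum 2"), which makes the message hard to grep for; keep it on one line.
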
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Wenyou Yang <wenyo...@atmel.com>

commit aae6b18f5c95b9dc78de66d1e27e8afeee2763b7 upstream.

On SAMA5D4EK board, the Ethernet doesn't work after resuming from the suspend
state.

Signed-off-by: Wenyou Yang <wenyo...@atmel.com>
[nicola...@atmel.com: adapt to newer kernel]
Fixes: 38153a017896 ("ARM: at91/dt: sama5d4: add dts for sama5d4 xplained board")
Signed-off-by: Nicolas Ferre <nicola...@atmel.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/arm/boot/dts/at91-sama5d4ek.dts | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/arch/arm/boot/dts/at91-sama5d4ek.dts b/arch/arm/boot/dts/at91-sama5d4ek.dts
index d782f29..07a6063 100644
--- a/arch/arm/boot/dts/at91-sama5d4ek.dts
+++ b/arch/arm/boot/dts/at91-sama5d4ek.dts
@@ -142,8 +142,15 @@
};

macb0: ethernet@f8020000 {
+ pinctrl-0 = <&pinctrl_macb0_rmii &pinctrl_macb0_phy_irq>;
phy-mode = "rmii";
status = "okay";
+
+ ethernet-phy@1 {
+ reg = <0x1>;
+ interrupt-parent = <&pioE>;
+ interrupts = <1 IRQ_TYPE_LEVEL_LOW>;
+ };
};

mmc1: mmc@fc000000 {
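
Review bot: The `macb0` node gains `pinctrl-0` but no `pinctrl-names` in this hunk, so the override only takes effect if the included SoC file already declares `pinctrl-names = "default"` for this node; confirm that or say so in the commit message. The message also does not explain why wiring up the PHY interrupt fixes Ethernet after resume, which makes the backport hard to assess.
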
@@ -175,6 +182,10 @@

pinctrl@fc06a000 {
board {
+ pinctrl_macb0_phy_irq: macb0_phy_irq {
+ atmel,pins =
+ <AT91_PIOE 1 AT91_PERIPH_GPIO AT91_PINCTRL_NONE>;
+ };
pinctrl_mmc0_cd: mmc0_cd {
atmel,pins =
<AT91_PIOE 5 AT91_PERIPH_GPIO AT91_PINCTRL_PULL_UP_DEGLITCH>;
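
Review bot: `pinctrl_macb0_phy_irq` configures PIOE 1 with `AT91_PINCTRL_NONE` while the PHY node declares the line as `IRQ_TYPE_LEVEL_LOW`, so the idle-high level depends on a pull-up outside the SoC. If the board has none, a floating input can read as a stuck or spurious interrupt; state in a comment that the pull-up is external, or use a pull-up setting as the neighbouring `pinctrl_mmc0_cd` entry does.
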
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Hariprasad S <harip...@chelsio.com>

commit 67f1aee6f45059fd6b0f5b0ecb2c97ad0451f6b3 upstream.

The cxgb3_*_send() functions return NET_XMIT_ values, which are
positive integer values. So don't treat positive return values
as an error.

Signed-off-by: Steve Wise <sw...@opengridcomputing.com>
Signed-off-by: Hariprasad Shenai <harip...@chelsio.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/cxgb3/iwch_cm.c b/drivers/infiniband/hw/cxgb3/iwch_cm.c
index cb78b1e..f504ba7 100644
--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
+++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
@@ -149,7 +149,7 @@ static int iwch_l2t_send(struct t3cdev *tdev, struct sk_buff *skb, struct l2t_en
error = l2t_send(tdev, skb, l2e);
if (error < 0)
kfree_skb(skb);
- return error;
+ return error < 0 ? error : 0;
}

int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
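
Review bot: In `iwch_l2t_send()` the skb is freed only for `error < 0`, and positive `NET_XMIT_` results are now reported as 0, so nothing in the function records who owns the skb on a positive return. If `l2t_send()` owns it on any non-negative result, add a one-line comment saying so; otherwise a later reader may reintroduce a `kfree_skb()` on the positive path.
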
@@ -165,7 +165,7 @@ int iwch_cxgb3_ofld_send(struct t3cdev *tdev, struct sk_buff *skb)
error = cxgb3_ofld_send(tdev, skb);
if (error < 0)
kfree_skb(skb);
- return error;
+ return error < 0 ? error : 0;
}

static void release_tid(struct t3cdev *tdev, u32 hwtid, struct sk_buff *skb)
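
Review bot: `iwch_cxgb3_ofld_send()` now ends with the same `return error < 0 ? error : 0;` as `iwch_l2t_send()`, so callers can no longer tell a queued packet from one the lower layer reported with a positive `NET_XMIT_` code. Check that no caller compares the result against a specific `NET_XMIT_` value, since those are no longer returned.
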
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jan Kara <ja...@suse.cz>

commit 74dae4278546b897eb81784fdfcce872ddd8b2b8 upstream.

Competing overwrite DIO in dioread_nolock mode will just overwrite
pointer to io_end in the inode. This may result in data corruption or
extent conversion happening from IO completion interrupt because we
don't properly set buffer_defer_completion() when unlocked DIO races
with locked DIO to unwritten extent.

Since unlocked DIO doesn't need io_end for anything, just avoid
allocating it and corrupting pointer from inode for locked DIO.
A cleaner fix would be to avoid these games with io_end pointer from the
inode but that requires more intrusive changes so we leave that for
later.

Signed-off-by: Jan Kara <ja...@suse.cz>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
fs/ext4/inode.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index ba8efb7..5651043 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3142,29 +3142,29 @@ static ssize_t ext4_ext_direct_IO(struct kiocb *iocb, struct iov_iter *iter,
* case, we allocate an io_end structure to hook to the iocb.
*/
iocb->private = NULL;
- ext4_inode_aio_set(inode, NULL);
- if (!is_sync_kiocb(iocb)) {
- io_end = ext4_init_io_end(inode, GFP_NOFS);
- if (!io_end) {
- ret = -ENOMEM;
- goto retake_lock;
- }
- /*
- * Grab reference for DIO. Will be dropped in ext4_end_io_dio()
- */
- iocb->private = ext4_get_io_end(io_end);
- /*
- * we save the io structure for current async direct
- * IO, so that later ext4_map_blocks() could flag the
- * io structure whether there is a unwritten extents
- * needs to be converted when IO is completed.
- */
- ext4_inode_aio_set(inode, io_end);
- }
-
if (overwrite) {
get_block_func = ext4_get_block_write_nolock;
} else {
+ ext4_inode_aio_set(inode, NULL);
+ if (!is_sync_kiocb(iocb)) {
+ io_end = ext4_init_io_end(inode, GFP_NOFS);
+ if (!io_end) {
+ ret = -ENOMEM;
+ goto retake_lock;
+ }
+ /*
+ * Grab reference for DIO. Will be dropped in
+ * ext4_end_io_dio()
+ */
+ iocb->private = ext4_get_io_end(io_end);
+ /*
+ * we save the io structure for current async direct
+ * IO, so that later ext4_map_blocks() could flag the
+ * io structure whether there is a unwritten extents
+ * needs to be converted when IO is completed.
+ */
+ ext4_inode_aio_set(inode, io_end);
+ }
get_block_func = ext4_get_block_write;
dio_flags = DIO_LOCKING;
}
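
Review bot: The comment kept at the top of the hunk still says "we allocate an io_end structure to hook to the iocb", but after the move the allocation and both `ext4_inode_aio_set()` calls happen only in the non-overwrite branch. Update the comment to say that the overwrite path runs with `iocb->private == NULL` and leaves the inode's io_end pointer alone, and confirm that the completion code after this hunk tolerates a NULL `io_end` for overwrites.
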
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Oliver Neukum <one...@suse.com>

commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.

This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.

Signed-off-by: Oliver Neukum <one...@suse.com>
Cc: Vladis Dronov <vdr...@redhat.com>
Signed-off-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@osg.samsung.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/media/usb/usbvision/usbvision-video.c b/drivers/media/usb/usbvision/usbvision-video.c
index 1c6d31f..2f98fc2 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1533,6 +1533,13 @@ static int usbvision_probe(struct usb_interface *intf,
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);

+ /*
+ * this is a security check.
+ * an exploit using an incorrect bInterfaceNumber is known
+ */
+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+ return -ENODEV;
+
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
else
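
Review bot: The added check returns `-ENODEV` directly instead of going through a cleanup path; if `dev` was obtained with a reference earlier in `usbvision_probe()` (not visible in this hunk), that reference is leaked on this exit. The check also bounds `ifnum` by `USB_MAXINTERFACES` rather than by the configuration's own interface count, and it leaves the `usbvision_device_data[model].interface` index in the branch just below it unchecked.
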
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alex Deucher <alexande...@amd.com>

commit 8e7cedc6f7fe762ffe6e348502be34b11fa79298 upstream.

set_power_state defaults to no displays, so we need to update
the display configuration after setting up the powerstate on the
first call. In most cases this is not an issue since it ends up
getting called multiple times at any given modeset and the proper
order is achieved in the display changed handling at the top of
the function.

Reviewed-by: Christian König <christia...@amd.com>
Acked-by: Jordan Lazare <Jordan...@amd.com>
Signed-off-by: Alex Deucher <alexande...@amd.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
index 91c7556..c484e22 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c
@@ -592,8 +592,6 @@ force:

/* update display watermarks based on new power state */
amdgpu_display_bandwidth_update(adev);
- /* update displays */
- amdgpu_dpm_display_configuration_changed(adev);

adev->pm.dpm.current_active_crtcs = adev->pm.dpm.new_active_crtcs;
adev->pm.dpm.current_active_crtc_count = adev->pm.dpm.new_active_crtc_count;
@@ -613,6 +611,9 @@ force:

amdgpu_dpm_post_set_power_state(adev);

+ /* update displays */
+ amdgpu_dpm_display_configuration_changed(adev);
+
if (adev->pm.funcs->force_performance_level) {
if (adev->pm.dpm.thermal_active) {
enum amdgpu_dpm_forced_level level = adev->pm.dpm.forced_level;
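
Review bot: The relocated `amdgpu_dpm_display_configuration_changed(adev)` call keeps only the `/* update displays */` comment, so nothing in the code records that it has to run after the power state has been set. Extend the comment with the ordering requirement from the commit message (the power state defaults to no displays); otherwise the call is easy to move back.
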
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:10 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: James Hogan <james...@imgtec.com>

commit f4dce1ffd2e30fa31756876ef502ce6d2324be35 upstream.

Since commit 4c21b8fd8f14 ("MIPS: seccomp: Handle indirect system calls
(o32)"), syscall_get_arguments() attempts to handle o32 indirect syscall
arguments by incrementing both the start argument number and the number
of arguments to fetch. However only the start argument number needs to
be incremented. The number of arguments does not change, they're just
shifted up by one, and in fact the output array is provided by the
caller and is likely only n entries long, so reading more arguments
overflows the output buffer.

In the case of seccomp, this results in it fetching 7 arguments starting
at the 2nd one, which overflows the unsigned long args[6] in
populate_seccomp_data(). This clobbers the $s0 register from
syscall_trace_enter() which __seccomp_phase1_filter() saved onto the
stack, into which syscall_trace_enter() had placed its syscall number
argument. This caused Chromium to crash.

Credit goes to Milko for tracking it down as far as $s0 being clobbered.

Fixes: 4c21b8fd8f14 ("MIPS: seccomp: Handle indirect system calls (o32)")
Reported-by: Milko Leporis <milko....@imgtec.com>
Signed-off-by: James Hogan <james...@imgtec.com>
Cc: linux...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12213/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/mips/include/asm/syscall.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
index 6499d93..47bc45a 100644
--- a/arch/mips/include/asm/syscall.h
+++ b/arch/mips/include/asm/syscall.h
@@ -101,10 +101,8 @@ static inline void syscall_get_arguments(struct task_struct *task,
/* O32 ABI syscall() - Either 64-bit with O32 or 32-bit */
if ((config_enabled(CONFIG_32BIT) ||
test_tsk_thread_flag(task, TIF_32BIT_REGS)) &&
- (regs->regs[2] == __NR_syscall)) {
+ (regs->regs[2] == __NR_syscall))
i++;
- n++;
- }

while (n--)
ret |= mips_get_syscall_arg(args++, task, regs, i++);
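
Review bot: With `n++` gone the loop stores exactly `n` entries through `args`, but nothing next to the remaining `i++` explains why the count must stay fixed. Add a comment that `args` is sized by the caller for `n` entries and that the indirect-syscall case only shifts the start index, and check that `mips_get_syscall_arg()` reports an error when `i` runs past the last available argument so that `ret` reflects a short read.
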
--
2.7.0
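
A user-space model of the off-by-one described in the commit message above, added here as an illustration; it is not kernel code and not part of the patch. All `model_` names, the register layout and the sample values are constructed, and the seventh slot of `frame` stands in for whatever lives on the stack right after a six-entry `args` array.

```c
#include <stdio.h>

/* Constructed stand-ins; none of these names come from the kernel tree. */
#define MODEL_NR_INDIRECT 4000UL   /* plays the role of __NR_syscall */
#define MODEL_CANARY      0xC0FFEEUL

struct model_regs {
    unsigned long regs[8];   /* regs[2] = syscall nr, regs[4..7] = args 0..3 */
    unsigned long stack[4];  /* args 4..7, passed on the stack by o32 */
};

struct model_result {
    unsigned int  written;        /* entries stored through the output pointer */
    int           canary_intact;  /* 1 if the slot after args[5] is untouched */
    unsigned long first, last;    /* args[0] and args[5] as seen by the caller */
};

/* Fetch argument number idx: 0..3 from registers, 4..7 from the stack. */
static int model_get_arg(unsigned long *out, const struct model_regs *r,
                         unsigned int idx)
{
    if (idx < 4) {
        *out = r->regs[4 + idx];
        return 0;
    }
    if (idx < 8) {
        *out = r->stack[idx - 4];
        return 0;
    }
    return -1;
}

/*
 * Model of the argument fetch. For an indirect syscall the real arguments
 * start one position later. pre_fix != 0 reproduces the behaviour the
 * commit message describes (count incremented as well); pre_fix == 0 is
 * the patched behaviour (only the start index moves).
 */
static unsigned int model_get_arguments(const struct model_regs *r,
                                        unsigned int i, unsigned int n,
                                        unsigned long *args, int pre_fix)
{
    unsigned int written = 0;

    if (r->regs[2] == MODEL_NR_INDIRECT) {
        i++;
        if (pre_fix)
            n++;            /* the extra fetch that overruns the caller */
    }
    while (n--) {
        if (model_get_arg(args++, r, i++) == 0)
            written++;
    }
    return written;
}

/*
 * Model of a caller that asks for 6 arguments. frame[0..5] is the
 * six-entry argument array; frame[6] and frame[7] hold a canary so the
 * overrun lands inside the same object and can be observed safely.
 */
static struct model_result model_seccomp_caller(int pre_fix)
{
    unsigned long frame[8] = { 0 };
    struct model_regs r = {
        /* indirect call: a0 carries the real syscall number (4001) */
        .regs  = { 0, 0, MODEL_NR_INDIRECT, 0, 4001, 11, 12, 13 },
        .stack = { 14, 15, 16, 17 },
    };
    struct model_result res;

    frame[6] = MODEL_CANARY;
    frame[7] = MODEL_CANARY;

    res.written = model_get_arguments(&r, 0, 6, frame, pre_fix);
    res.canary_intact = (frame[6] == MODEL_CANARY);
    res.first = frame[0];
    res.last = frame[5];
    return res;
}

int main(void)
{
    struct model_result before = model_seccomp_caller(1);
    struct model_result after = model_seccomp_caller(0);

    printf("pre-fix: wrote %u entries, canary %s\n", before.written,
           before.canary_intact ? "intact" : "clobbered");
    printf("patched: wrote %u entries, canary %s\n", after.written,
           after.canary_intact ? "intact" : "clobbered");
    return 0;
}
```
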

Kamal Mostafa

Mar 7, 2016, 6:00:10 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mario Kleiner <mario.kl...@gmail.com>

commit bb74fc1bf3072bd3ab4ed5f43afd287a63baf2d7 upstream.

drm_vblank_offdelay can have three different types of values:

< 0 is to be always treated the same as dev->vblank_disable_immediate
= 0 is to be treated as "never disable vblanks"
> 0 is to be treated as disable immediate if kms driver wants it
that way via dev->vblank_disable_immediate. Otherwise it is
a disable timeout in msecs.

This got broken in Linux 3.18+ for the implementation of
drm_vblank_on. If the user specified a value of zero which should
always reenable vblank irqs in this function, a kms driver could
override the users choice by setting vblank_disable_immediate
to true. This patch fixes the regression and keeps the user in
control.

v2: Only reenable vblank if there are clients left or the user
requested to "never disable vblanks" via offdelay 0. Enabling
vblanks even in the "delayed disable" case (offdelay > 0) was
specifically added by Ville in commit cd19e52aee922
("drm: Kick start vblank interrupts at drm_vblank_on()"),
but after discussion it turns out that this was done by accident.

Citing Ville: "I think it just ended up as a mess due to changing
some of the semantics of offdelay<0 vs. offdelay==0 vs.
disable_immediate during the review of the series. So yeah, given
how drm_vblank_put() works now, I'd just make this check for
offdelay==0."

Signed-off-by: Mario Kleiner <mario.kl...@gmail.com>
Reviewed-by: Daniel Vetter <daniel...@ffwll.ch>

Cc: mic...@daenzer.net
Cc: vba...@suse.cz
Cc: ville....@linux.intel.com
Cc: daniel...@ffwll.ch
Cc: dri-...@lists.freedesktop.org
Cc: alexande...@amd.com
Cc: christia...@amd.com
Signed-off-by: Dave Airlie <air...@redhat.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/gpu/drm/drm_irq.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index b50fa0a..6447b48 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -1338,8 +1338,7 @@ void drm_vblank_on(struct drm_device *dev, int crtc)
* re-enable interrupts if there are users left, or the
* user wishes vblank interrupts to be enabled all the time.
*/
- if (atomic_read(&vblank->refcount) != 0 ||
- (!dev->vblank_disable_immediate && drm_vblank_offdelay == 0))
+ if (atomic_read(&vblank->refcount) != 0 || drm_vblank_offdelay == 0)
WARN_ON(drm_vblank_enable(dev, crtc));
spin_unlock_irqrestore(&dev->vbl_lock, irqflags);
}
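
Review bot: The condition no longer consults `dev->vblank_disable_immediate`, but the comment above it does not say that this is deliberate. Add a sentence that `drm_vblank_offdelay == 0` is the user's "never disable vblanks" choice and that a driver setting must not override it, so the removed term is not added back later.
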
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:10 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Nishanth Menon <n...@ti.com>

commit 000e0949148382c4962489593a2f05504c2a6771 upstream.

Thermal hook gpio_fan_get_cur_state is only interested in knowing
the current speed index that was setup in the system, this is
already available as part of fan_data->speed_index which is always
set by set_fan_speed. Using get_fan_speed_index is useful when we
have no idea about the fan speed configuration (for example during
fan_ctrl_init).

When thermal framework invokes
gpio_fan_get_cur_state=>get_fan_speed_index via gpio_fan_get_cur_state
especially in a polled configuration for thermal governor, we
basically hog the i2c interface to the extent that other functions
fail to get any traffic out :(.

Instead, just provide the last state set in the driver - since the gpio
fan driver is responsible for the fan state immaterial of override, the
fan_data->speed_index should accurately reflect the state.

Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks")
Reported-by: Tony Lindgren <to...@atomide.com>
Cc: Guenter Roeck <li...@roeck-us.net>
Cc: Eduardo Valentin <edub...@gmail.com>
Signed-off-by: Nishanth Menon <n...@ti.com>
Signed-off-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/hwmon/gpio-fan.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/drivers/hwmon/gpio-fan.c b/drivers/hwmon/gpio-fan.c
index a3dae6d..83ea8c8 100644
--- a/drivers/hwmon/gpio-fan.c
+++ b/drivers/hwmon/gpio-fan.c
@@ -406,16 +406,11 @@ static int gpio_fan_get_cur_state(struct thermal_cooling_device *cdev,
unsigned long *state)
{
struct gpio_fan_data *fan_data = cdev->devdata;
- int r;

if (!fan_data)
return -EINVAL;

- r = get_fan_speed_index(fan_data);
- if (r < 0)
- return r;
-
- *state = r;
+ *state = fan_data->speed_index;
return 0;
}
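
Review bot: `*state = fan_data->speed_index;` returns the cached value without touching the hardware, which is only right if `speed_index` has been initialised before the thermal core first calls `gpio_fan_get_cur_state()`. The commit message relies on `set_fan_speed()` always setting it; confirm that the probe path does so before the cooling device is registered, and note that the field is read here with no lock visible in the hunk.
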

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Konrad Rzeszutek Wilk <konra...@oracle.com>

commit d159457b84395927b5a52adb72f748dd089ad5e5 upstream.

Commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 (xen/pciback: Save
xen_pci_op commands before processing it) broke enabling MSI-X because
it would never copy the resulting vectors into the response. The
number of vectors requested was being overwritten by the return value
(typically zero for success).

Save the number of vectors before processing the op, so the correct
number of vectors are copied afterwards.

Signed-off-by: Konrad Rzeszutek Wilk <konra...@oracle.com>
Reviewed-by: Jan Beulich <jbeu...@suse.com>
Signed-off-by: David Vrabel <david....@citrix.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/xen/xen-pciback/pciback_ops.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
index 1078e8d..fb02214 100644
--- a/drivers/xen/xen-pciback/pciback_ops.c
+++ b/drivers/xen/xen-pciback/pciback_ops.c
@@ -333,6 +333,9 @@ void xen_pcibk_do_op(struct work_struct *data)
struct xen_pcibk_dev_data *dev_data = NULL;
struct xen_pci_op *op = &pdev->op;
int test_intx = 0;
+#ifdef CONFIG_PCI_MSI
+ unsigned int nr = 0;
+#endif

*op = pdev->sh_info->op;
barrier();
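
Review bot: `nr` is declared under `#ifdef CONFIG_PCI_MSI`, so the assignment in the `XEN_PCI_OP_enable_msix` case and the copy loop both have to sit inside matching guards, which the later hunks do not show. If either use is outside the guard the build breaks with `CONFIG_PCI_MSI` disabled; declaring `nr` unconditionally would remove that dependency.
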
@@ -361,6 +364,7 @@ void xen_pcibk_do_op(struct work_struct *data)
op->err = xen_pcibk_disable_msi(pdev, dev, op);
break;
case XEN_PCI_OP_enable_msix:
+ nr = op->value;
op->err = xen_pcibk_enable_msix(pdev, dev, op);
break;
case XEN_PCI_OP_disable_msix:
@@ -383,7 +387,7 @@ void xen_pcibk_do_op(struct work_struct *data)
if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
unsigned int i;

- for (i = 0; i < op->value; i++)
+ for (i = 0; i < nr; i++)
pdev->sh_info->op.msix_entries[i].vector =
op->msix_entries[i].vector;
}
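
Review bot: The copy loop is now bounded by `nr`, which is the `op->value` that arrived through `pdev->sh_info->op`, and the only gate visible here is `op->err == 0`. If `xen_pcibk_enable_msix()` rejects counts larger than the `msix_entries` array, say so in a comment next to the loop; otherwise clamp `nr` to the array size locally so the bound on both indexed arrays does not depend on code outside this function.
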
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Tony Lindgren <to...@atomide.com>

commit 0a0b13275558c32bbf6241464a7244b1ffd5afb3 upstream.

We don't want to write to .text, so let's move l2_inv_api_params
to .data and access it via a pointer.

Cc: Kees Cook <kees...@chromium.org>
Cc: Laura Abbott <lab...@redhat.com>
Cc: Nishanth Menon <n...@ti.com>
Cc: Richard Woodruff <r-woo...@ti.com>
Cc: Russell King <li...@arm.linux.org.uk>
Cc: Tero Kristo <t-kr...@ti.com>
Acked-by: Nicolas Pitre <ni...@linaro.org>
Fixes: 1e6b48116a95 ("ARM: mm: allow non-text sections to be
non-executable")
Signed-off-by: Tony Lindgren <to...@atomide.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/arm/mach-omap2/sleep34xx.S | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S
index 8e2a7ac..1b9f052 100644
--- a/arch/arm/mach-omap2/sleep34xx.S
+++ b/arch/arm/mach-omap2/sleep34xx.S
@@ -436,12 +436,14 @@ skipl2dis:
and r1, #0x700
cmp r1, #0x300
beq l2_inv_gp
+ adr r0, l2_inv_api_params_offset
+ ldr r3, [r0]
+ add r3, r3, r0 @ r3 points to dummy parameters
mov r0, #40 @ set service ID for PPA
mov r12, r0 @ copy secure Service ID in r12
mov r1, #0 @ set task id for ROM code in r1
mov r2, #4 @ set some flags in r2, r6
mov r6, #0xff
- adr r3, l2_inv_api_params @ r3 points to dummy parameters
dsb @ data write barrier
dmb @ data memory barrier
smc #1 @ call SMI monitor (smi #1)
@@ -475,8 +477,8 @@ skipl2dis:
b logic_l1_restore

.align
-l2_inv_api_params:
- .word 0x1, 0x00
+l2_inv_api_params_offset:
+ .long l2_inv_api_params - .
l2_inv_gp:
/* Execute smi to invalidate L2 cache */
mov r12, #0x1 @ set up to invalidate L2
@@ -531,6 +533,10 @@ l2dis_3630_offset:
l2dis_3630:
.word 0

+ .data
+l2_inv_api_params:
+ .word 0x1, 0x00
+
/*
* Internal functions
*/
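
Review bot: After the added `.data` directive nothing in the visible context switches back to `.text` before the "Internal functions" block, so any code that follows without its own section directive would be assembled into `.data`. Confirm that a `.text` follows, and add an `.align` before `l2_inv_api_params` since it holds `.word` data in a new section.
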
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Matthew Wilcox <wi...@linux.intel.com>

commit 46437f9a554fbe3e110580ca08ab703b59f2f95a upstream.

If the indirect_ptr bit is set on a slot, that indicates we need to redo
the lookup. Introduce a new function radix_tree_iter_retry() which
forces the loop to retry the lookup by setting 'slot' to NULL and
turning the iterator back to point at the problematic entry.

This is a pretty rare problem to hit at the moment; the lookup has to
race with a grow of the radix tree from a height of 0. The consequences
of hitting this race are that gang lookup could return a pointer to a
radix_tree_node instead of a pointer to whatever the user had inserted
in the tree.

Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
Signed-off-by: Matthew Wilcox <wi...@linux.intel.com>
Cc: Hugh Dickins <hu...@google.com>
Cc: Ohad Ben-Cohen <oh...@wizery.com>
Cc: Konstantin Khlebnikov <khleb...@openvz.org>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
include/linux/radix-tree.h | 16 ++++++++++++++++
lib/radix-tree.c | 12 ++++++++++--
2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h
index 33170db..1a2b227 100644
--- a/include/linux/radix-tree.h
+++ b/include/linux/radix-tree.h
@@ -370,6 +370,22 @@ void **radix_tree_next_chunk(struct radix_tree_root *root,
struct radix_tree_iter *iter, unsigned flags);

/**
+ * radix_tree_iter_retry - retry this chunk of the iteration
+ * @iter: iterator state
+ *
+ * If we iterate over a tree protected only by the RCU lock, a race
+ * against deletion or creation may result in seeing a slot for which
+ * radix_tree_deref_retry() returns true. If so, call this function
+ * and continue the iteration.
+ */
+static inline __must_check
+void **radix_tree_iter_retry(struct radix_tree_iter *iter)
+{
+ iter->next_index = iter->index;
+ return NULL;
+}
+
+/**
* radix_tree_chunk_size - get current chunk size
*
* @iter: pointer to radix tree iterator
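
Review bot: The kerneldoc for `radix_tree_iter_retry()` says to "call this function and continue the iteration" but does not say that the return value has to be assigned to the loop's `slot` variable, which is how the callers in this patch use it (`slot = radix_tree_iter_retry(&iter);`). Document that the function returns NULL and that the result must replace `slot`; `__must_check` alone does not tell the caller what to do with it.
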
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index f9ebe1c..6608430 100644
--- a/lib/radix-tree.c
+++ b/lib/radix-tree.c
@@ -1019,9 +1019,13 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results,
return 0;

radix_tree_for_each_slot(slot, root, &iter, first_index) {
- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot));
+ results[ret] = rcu_dereference_raw(*slot);
if (!results[ret])
continue;
+ if (radix_tree_is_indirect_ptr(results[ret])) {
+ slot = radix_tree_iter_retry(&iter);
+ continue;
+ }
if (++ret == max_items)
break;
}
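
Review bot: `results[ret]` is written with the raw slot value before the `radix_tree_is_indirect_ptr()` test, so on the retry path the caller's array holds a node pointer at index `ret`, and it stays there beyond the returned count if the iteration ends before that index is overwritten. Load the slot into a local, test it, and store to `results[ret]` only once it is known to be a user entry.
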
@@ -1098,9 +1102,13 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results,
return 0;

radix_tree_for_each_tagged(slot, root, &iter, first_index, tag) {
- results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot));
+ results[ret] = rcu_dereference_raw(*slot);
if (!results[ret])
continue;
+ if (radix_tree_is_indirect_ptr(results[ret])) {
+ slot = radix_tree_iter_retry(&iter);
+ continue;
+ }
if (++ret == max_items)
break;
}
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ivaylo Dimitrov <ivo.g.di...@gmail.com>

commit 3f315c5b850fa7aff73f50de8e316b98f611a32b upstream.

Commit e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid
filesystem corruption") partially fixed onenand configuration when GPMC
module is reset. Finish the job by also providing the correct values in
ONENAND_REG_SYS_CFG1 register.

Fixes: e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid
filesystem corruption")
Signed-off-by: Ivaylo Dimitrov <ivo.g.di...@gmail.com>
Tested-by: Aaro Koskinen <aaro.k...@iki.fi>
Signed-off-by: Tony Lindgren <to...@atomide.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/arm/mach-omap2/gpmc-onenand.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-omap2/gpmc-onenand.c b/arch/arm/mach-omap2/gpmc-onenand.c
index 7b76ce0..8633c70 100644
--- a/arch/arm/mach-omap2/gpmc-onenand.c
+++ b/arch/arm/mach-omap2/gpmc-onenand.c
@@ -101,10 +101,8 @@ static void omap2_onenand_set_async_mode(void __iomem *onenand_base)

static void set_onenand_cfg(void __iomem *onenand_base)
{
- u32 reg;
+ u32 reg = ONENAND_SYS_CFG1_RDY | ONENAND_SYS_CFG1_INT;

- reg = readw(onenand_base + ONENAND_REG_SYS_CFG1);
- reg &= ~((0x7 << ONENAND_SYS_CFG1_BRL_SHIFT) | (0x7 << 9));
reg |= (latency << ONENAND_SYS_CFG1_BRL_SHIFT) |
ONENAND_SYS_CFG1_BL_16;
if (onenand_flags & ONENAND_FLAG_SYNCREAD)
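
Review bot: `reg` now starts from `ONENAND_SYS_CFG1_RDY | ONENAND_SYS_CFG1_INT` instead of the value read back from `ONENAND_REG_SYS_CFG1`, so every bit not set explicitly in this function is written as 0. The commit message does not list which bits that clears; name them, and drop the clears later in the function (for example `reg &= ~ONENAND_SYS_CFG1_VHF`), which are no-ops now that the starting value is a constant.
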
@@ -123,6 +121,7 @@ static void set_onenand_cfg(void __iomem *onenand_base)
reg |= ONENAND_SYS_CFG1_VHF;
else
reg &= ~ONENAND_SYS_CFG1_VHF;
+
writew(reg, onenand_base + ONENAND_REG_SYS_CFG1);
}

@@ -289,6 +288,7 @@ static int omap2_onenand_setup_async(void __iomem *onenand_base)
}
}

+ onenand_async.sync_write = true;
omap2_onenand_calc_async_timings(&t);

ret = gpmc_cs_program_settings(gpmc_onenand_data->cs, &onenand_async);
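
Review bot: `onenand_async.sync_write = true;` is set in `omap2_onenand_setup_async()` with no comment, and a synchronous-write flag in the asynchronous setup path reads like a mistake. Add a comment explaining why it is needed here, and consider setting it where `onenand_async` is initialised rather than on each call.
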
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Tony Lindgren <to...@atomide.com>

commit 4da597d16602d14405b71a18d45e1c59f28f0fd2 upstream.

We don't want to write to .text so let's move ppa_zero_params and
ppa_por_params to .data and access them via pointers.

Note that I have not been able to test as I don't have a HS
omap4 to test with. The code has been changed in similar way as
for omap3 though.

Cc: Kees Cook <kees...@chromium.org>
Cc: Laura Abbott <lab...@redhat.com>
Cc: Nishanth Menon <n...@ti.com>
Cc: Richard Woodruff <r-woo...@ti.com>
Cc: Russell King <li...@arm.linux.org.uk>
Cc: Tero Kristo <t-kr...@ti.com>
Acked-by: Nicolas Pitre <ni...@linaro.org>
Fixes: 1e6b48116a95 ("ARM: mm: allow non-text sections to be
non-executable")
Signed-off-by: Tony Lindgren <to...@atomide.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/arm/mach-omap2/sleep44xx.S | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/arch/arm/mach-omap2/sleep44xx.S b/arch/arm/mach-omap2/sleep44xx.S
index ad1bb94..5373a32 100644
--- a/arch/arm/mach-omap2/sleep44xx.S
+++ b/arch/arm/mach-omap2/sleep44xx.S
@@ -29,12 +29,6 @@
dsb
.endm

-ppa_zero_params:
- .word 0x0
-
-ppa_por_params:
- .word 1, 0
-
#ifdef CONFIG_ARCH_OMAP4

/*
@@ -266,7 +260,9 @@ ENTRY(omap4_cpu_resume)
beq skip_ns_smp_enable
ppa_actrl_retry:
mov r0, #OMAP4_PPA_CPU_ACTRL_SMP_INDEX
- adr r3, ppa_zero_params @ Pointer to parameters
+ adr r1, ppa_zero_params_offset
+ ldr r3, [r1]
+ add r3, r3, r1 @ Pointer to ppa_zero_params
mov r1, #0x0 @ Process ID
mov r2, #0x4 @ Flag
mov r6, #0xff
@@ -303,7 +299,9 @@ skip_ns_smp_enable:
ldr r0, =OMAP4_PPA_L2_POR_INDEX
ldr r1, =OMAP44XX_SAR_RAM_BASE
ldr r4, [r1, #L2X0_PREFETCH_CTRL_OFFSET]
- adr r3, ppa_por_params
+ adr r1, ppa_por_params_offset
+ ldr r3, [r1]
+ add r3, r3, r1 @ Pointer to ppa_por_params
str r4, [r3, #0x04]
mov r1, #0x0 @ Process ID
mov r2, #0x4 @ Flag
@@ -328,6 +326,8 @@ skip_l2en:
#endif

b cpu_resume @ Jump to generic resume
+ppa_por_params_offset:
+ .long ppa_por_params - .
ENDPROC(omap4_cpu_resume)
#endif /* CONFIG_ARCH_OMAP4 */

@@ -382,4 +382,13 @@ ENTRY(omap_do_wfi)
nop

ldmfd sp!, {pc}
+ppa_zero_params_offset:
+ .long ppa_zero_params - .
ENDPROC(omap_do_wfi)
+
+ .data
+ppa_zero_params:
+ .word 0
+
+ppa_por_params:
+ .word 1, 0
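
Review bot: `ppa_zero_params_offset` is placed inside `omap_do_wfi`, outside the `CONFIG_ARCH_OMAP4` block, while its only visible user is the `adr r1, ppa_zero_params_offset` in `omap4_cpu_resume`; `ppa_por_params_offset`, by contrast, sits at the end of `omap4_cpu_resume` itself. Keep the literal next to its user so the `adr` range does not depend on how much code lies between the two functions, and add an `.align` after `.data`. The commit message says the change was not tested on HS omap4, so these paths need a boot test before going to stable.
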
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: David Howells <dhow...@redhat.com>

commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f upstream.

If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
matches get skipped if there's no more data to be had rather than a
data-overrun error being reported.

This is due to the code segment that decides whether to skip optional
matches (ie. matches that could get ignored because an element is marked
OPTIONAL in the grammar) due to a lack of data also skips non-optional
elements if the data pointer has reached the end of the buffer.

This can be tested with the data decoder for the new RSA akcipher algorithm
that takes three non-optional integers. Currently, it skips the last
integer if there is insufficient data.

Without the fix, #defining DEBUG in asn1_decoder.c will show something
like:

next_op: pc=0/13 dp=0/270 C=0 J=0
- match? 30 30 00
- TAG: 30 266 CONS
next_op: pc=2/13 dp=4/270 C=1 J=0
- match? 02 02 00
- TAG: 02 257
- LEAF: 257
next_op: pc=5/13 dp=265/270 C=1 J=0
- match? 02 02 00
- TAG: 02 3
- LEAF: 3
next_op: pc=8/13 dp=270/270 C=1 J=0
next_op: pc=11/13 dp=270/270 C=1 J=0
- end cons t=4 dp=270 l=270/270

The next_op line for pc=8/13 should be followed by a match line.

This is not exploitable for X.509 certificates by means of shortening the
message and fixing up the ASN.1 CONS tags because:

(1) The relevant records being built up are cleared before use.

(2) If the message is shortened sufficiently to remove the public key, the
ASN.1 parse of the RSA key will fail quickly due to a lack of data.

(3) Extracted signature data is either turned into MPIs (which cope with a
0 length) or is simpler integers specifying algorithms and suchlike
(which can validly be 0); and

(4) The AKID and SKID extensions are optional and their removal is handled
without risking passing a NULL to asymmetric_key_generate_id().

(5) If the certificate is truncated sufficiently to remove the subject,
issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
stack underflow' return.

This is not exploitable for PKCS#7 messages by means of removal of elements
from such a message from the tail end of a sequence:

(1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
as detailed above.

(2) The message digest content isn't used if it shows a NULL pointer,
similarly, the authattrs aren't used if that shows a NULL pointer.

(3) A missing signature results in a NULL MPI - which the MPI routines deal
with.

(4) If data is NULL, it is expected that the message has detached content and
that is handled appropriately.

(5) If the serialNumber is excised, the unconditional action associated
with it will pick up the containing SEQUENCE instead, so no NULL
pointer will be seen here.

If both the issuer and the serialNumber are excised, the ASN.1 decode
will fail with an 'Unexpected tag' return.

In either case, there's no way to get to asymmetric_key_generate_id()
with a NULL pointer.

(6) Other fields are decoded to simple integers. Shortening the message
to omit an algorithm ID field will cause checks on this to fail early
in the verification process.

This can also be tested by snipping objects off of the end of the ASN.1 stream
such that mandatory tags are removed - or even from the end of internal
SEQUENCEs. If any mandatory tag is missing, the error EBADMSG *should* be
produced. Without this patch ERANGE or ENOPKG might be produced or the parse
may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
later, depending on what gets snipped.

Just snipping off the final BIT_STRING or OCTET_STRING from either sample
should be a start since both are mandatory and neither will cause an EBADMSG
without the patches.

Reported-by: Marcel Holtmann <mar...@holtmann.org>
Signed-off-by: David Howells <dhow...@redhat.com>
Tested-by: Marcel Holtmann <mar...@holtmann.org>
Reviewed-by: David Woodhouse <David.W...@intel.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
lib/asn1_decoder.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
index 1a000bb..d60ce8a 100644
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -208,9 +208,8 @@ next_op:
unsigned char tmp;

/* Skip conditional matches if possible */
- if ((op & ASN1_OP_MATCH__COND &&
- flags & FLAG_MATCHED) ||
- dp == datalen) {
+ if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) ||
+ (op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
pc += asn1_op_lengths[op];
goto next_op;
}
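Review bot: The comment above the condition still reads "Skip conditional matches if possible", but the second clause now covers a separate case: ops carrying ASN1_OP_MATCH__SKIP when dp == datalen. Update the comment to name both cases, and parenthesise the bit tests, e.g. `(op & ASN1_OP_MATCH__COND) && (flags & FLAG_MATCHED)`, so the mix of & and && does not lean on operator precedence.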
--
2.7.0
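The skip condition described in the commit message above, as an added C model that is not the kernel's decoder and not part of the patch. `struct op`, `decode()`, the `fixed` switch and the sample bytes are constructed for illustration; only short-form DER lengths are modelled.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified grammar op: one expected element per op.
 * The kernel decoder runs a bytecode program instead. */
struct op {
    unsigned char tag;  /* expected DER tag */
    int skippable;      /* non-zero if the grammar marks the element OPTIONAL */
};

/* Three mandatory INTEGERs (tag 0x02), like the RSA key case in the message. */
static const struct op three_ints[] = { {0x02, 0}, {0x02, 0}, {0x02, 0} };
/* One mandatory INTEGER followed by an OPTIONAL one. */
static const struct op int_opt_int[] = { {0x02, 0}, {0x02, 1} };

/* Constructed sample data. */
static const unsigned char full3[] = { 0x02, 0x01, 0x11, 0x02, 0x01, 0x03,
                                       0x02, 0x01, 0x07 };
static const unsigned char cut2[]  = { 0x02, 0x01, 0x11, 0x02, 0x01, 0x03 };
static const unsigned char one[]   = { 0x02, 0x01, 0x11 };

/*
 * Walk the ops over the data. Returns the number of elements matched,
 * or -EBADMSG on a parse error.
 * fixed == 0: pre-patch rule, any op is skipped once the data has run out.
 * fixed != 0: post-patch rule, only skippable ops are skipped at end of data.
 */
static int decode(const struct op *ops, size_t nops,
                  const unsigned char *data, size_t datalen, int fixed)
{
    size_t dp = 0, pc;
    int matched = 0;

    for (pc = 0; pc < nops; pc++) {
        unsigned char tag, len;
        int at_end = (dp == datalen);
        int skip = fixed ? (ops[pc].skippable && at_end) : at_end;

        if (skip)
            continue;

        /* A mandatory element needs at least a tag and a length byte. */
        if (datalen - dp < 2)
            return -EBADMSG;        /* data overrun */
        tag = data[dp];
        len = data[dp + 1];
        if (len & 0x80)
            return -EBADMSG;        /* long-form length: not modelled */

        if (tag != ops[pc].tag) {
            if (ops[pc].skippable)
                continue;           /* optional element absent */
            return -EBADMSG;        /* unexpected tag */
        }
        if ((size_t)len > datalen - dp - 2)
            return -EBADMSG;        /* value runs past the buffer */

        dp += 2 + (size_t)len;
        matched++;
    }
    return dp == datalen ? matched : -EBADMSG;  /* reject trailing data */
}

int main(void)
{
    printf("full input,  old rule: %d\n",
           decode(three_ints, 3, full3, sizeof(full3), 0));
    printf("truncated,   old rule: %d\n",
           decode(three_ints, 3, cut2, sizeof(cut2), 0));
    printf("truncated,   new rule: %d\n",
           decode(three_ints, 3, cut2, sizeof(cut2), 1));
    printf("optional cut, new rule: %d\n",
           decode(int_opt_int, 2, one, sizeof(one), 1));
    return 0;
}
```

With the old rule the truncated input parses "successfully" with only two of the three mandatory integers; with the new rule it fails with -EBADMSG while a missing OPTIONAL tail is still accepted.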

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Konrad Rzeszutek Wilk <konra...@oracle.com>

commit 8d47065f7d1980dde52abb874b301054f3013602 upstream.

Commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 (xen/pciback: Don't
allow MSI-X ops if PCI_COMMAND_MEMORY is not set) prevented enabling
MSI-X on passed-through virtual functions, because it checked the VF
for PCI_COMMAND_MEMORY but this is not a valid bit for VFs.

Instead, check the physical function for PCI_COMMAND_MEMORY.

Signed-off-by: Konrad Rzeszutek Wilk <konra...@oracle.com>
Reviewed-by: Jan Beulich <jbeu...@suse.com>
Signed-off-by: David Vrabel <david....@citrix.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/xen/xen-pciback/pciback_ops.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c
index 73dafdc..1078e8d 100644
--- a/drivers/xen/xen-pciback/pciback_ops.c
+++ b/drivers/xen/xen-pciback/pciback_ops.c
@@ -227,8 +227,9 @@ int xen_pcibk_enable_msix(struct xen_pcibk_device *pdev,
/*
* PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able
* to access the BARs where the MSI-X entries reside.
+ * But VF devices are unique in which the PF needs to be checked.
*/
- pci_read_config_word(dev, PCI_COMMAND, &cmd);
+ pci_read_config_word(pci_physfn(dev), PCI_COMMAND, &cmd);
if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY))
return -ENXIO;

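Review bot: The added comment line "But VF devices are unique in which the PF needs to be checked" does not say why the PF is read. The commit message has the reason (PCI_COMMAND_MEMORY is not a valid bit for VFs); put that in the comment. The next line still reads `dev->msi_enabled` from the VF while `cmd` now comes from `pci_physfn(dev)`, so it is worth stating that the split is intentional.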
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lu Baolu <baol...@linux.intel.com>

commit fa89537783cb442263fa5a14df6c7693eaf32f11 upstream.

Commit abce329c27b3 ("xhci: Workaround to get D3 working in Intel xHCI")
adds a workaround for a limitation of PME storm caused by SSIC port in
some Intel SoCs. This commit only handled one SSIC port, while there
are actually two SSIC ports in the chips. This patch handles both SSIC
ports. Without this fix, users still see PME storm.

Signed-off-by: Zhuang Jin Can <jin.can...@intel.com>
Signed-off-by: Lu Baolu <baol...@linux.intel.com>
Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/usb/host/xhci-pci.c | 48 +++++++++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index c92235a..fda3c5c 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -28,7 +28,9 @@
#include "xhci.h"
#include "xhci-trace.h"

-#define PORT2_SSIC_CONFIG_REG2 0x883c
+#define SSIC_PORT_NUM 2
+#define SSIC_PORT_CFG2 0x880c
+#define SSIC_PORT_CFG2_OFFSET 0x30
#define PROG_DONE (1 << 30)
#define SSIC_PORT_UNUSED (1 << 31)

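Review bot: SSIC_PORT_CFG2_OFFSET is used as a per-port stride, not an offset of one register, and nothing next to the three new defines says so. With base 0x880c and stride 0x30, index 1 lands on 0x883c, the address the removed PORT2_SSIC_CONFIG_REG2 named; a one-line comment recording that, or a name such as a stride, would let a reader check the arithmetic without the old define.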
@@ -320,28 +322,36 @@ static void xhci_pme_quirk(struct usb_hcd *hcd, bool suspend)
struct pci_dev *pdev = to_pci_dev(hcd->self.controller);
u32 val;
void __iomem *reg;
+ int i;

if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI) {

- reg = (void __iomem *) xhci->cap_regs + PORT2_SSIC_CONFIG_REG2;
-
- /* Notify SSIC that SSIC profile programming is not done */
- val = readl(reg) & ~PROG_DONE;
- writel(val, reg);
-
- /* Mark SSIC port as unused(suspend) or used(resume) */
- val = readl(reg);
- if (suspend)
- val |= SSIC_PORT_UNUSED;
- else
- val &= ~SSIC_PORT_UNUSED;
- writel(val, reg);
-
- /* Notify SSIC that SSIC profile programming is done */
- val = readl(reg) | PROG_DONE;
- writel(val, reg);
- readl(reg);
+ for (i = 0; i < SSIC_PORT_NUM; i++) {
+ reg = (void __iomem *) xhci->cap_regs +
+ SSIC_PORT_CFG2 +
+ i * SSIC_PORT_CFG2_OFFSET;
+
+ /*
+ * Notify SSIC that SSIC profile programming
+ * is not done.
+ */
+ val = readl(reg) & ~PROG_DONE;
+ writel(val, reg);
+
+ /* Mark SSIC port as unused(suspend) or used(resume) */
+ val = readl(reg);
+ if (suspend)
+ val |= SSIC_PORT_UNUSED;
+ else
+ val &= ~SSIC_PORT_UNUSED;
+ writel(val, reg);
+
+ /* Notify SSIC that SSIC profile programming is done */
+ val = readl(reg) | PROG_DONE;
+ writel(val, reg);
+ readl(reg);
+ }
}

reg = (void __iomem *) xhci->cap_regs + 0x80a4;
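Review bot: The bare `readl(reg);` that ends the loop body discards its result and has no comment; if it is there to flush the posted write before moving to the next port, say so, otherwise it looks like a leftover. The loop body is also three read-modify-write passes on the same register, which would read more easily as a small helper taking the port index.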
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:12 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Haozhong Zhang <haozhon...@intel.com>

commit 81b1b9ca6d5ca5f3ce91c0095402def657cf5db3 upstream.

The current handling of accesses to guest MSR_TSC_AUX returns error if
vcpu does not support rdtscp, though those accesses are initiated by
host. This can result in the reboot failure of some versions of
QEMU. This patch fixes this issue by passing those host initiated
accesses for further handling instead.

Signed-off-by: Haozhong Zhang <haozhon...@intel.com>
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>
Backported-by: Thomas Lamprecht <t.lam...@proxmox.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/x86/kvm/vmx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 9906a08..8db7c2f 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2673,7 +2673,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
msr_info->data = vcpu->arch.ia32_xss;
break;
case MSR_TSC_AUX:
- if (!to_vmx(vcpu)->rdtscp_enabled)
+ if (!to_vmx(vcpu)->rdtscp_enabled && !msr_info->host_initiated)
return 1;
/* Otherwise falls through */
default:
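Review bot: The new `&& !msr_info->host_initiated` clause in the MSR_TSC_AUX case of vmx_get_msr() has no comment explaining why host-initiated reads are let through when rdtscp is disabled. A one-line comment giving the reason from the commit message would keep the condition from being simplified away later.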
@@ -2779,7 +2779,7 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
clear_atomic_switch_msr(vmx, MSR_IA32_XSS);
break;
case MSR_TSC_AUX:
- if (!vmx->rdtscp_enabled)
+ if (!vmx->rdtscp_enabled && !msr_info->host_initiated)
return 1;
/* Check reserved bit, higher 32 bits should be zero */
if ((data >> 32) != 0)
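Review bot: In vmx_set_msr() a host-initiated write with rdtscp disabled now continues into the reserved-bit check below, so the upper-32-bit test applies to host writes as well. Confirm that is the intended behaviour for host-initiated accesses and document it next to the condition.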
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:12 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Herton R. Krzesinski" <her...@redhat.com>

commit 2831c89f42dcde440cfdccb9fee9f42d54bbc1ef upstream.

This change fixes a bug for a corner case where we have the last
release from a pty master/slave coming from a previously opened /dev/tty
file. When this happens, the tty->driver_data can be stale, due to all
ptmx or pts/N files having already been closed before (and thus the inode
related to these files, which tty->driver_data points to, being already
freed/destroyed).

The fix here is to keep a reference on the opened master ptmx inode.
We maintain the inode referenced until the final pty_unix98_shutdown,
and only pass this inode to devpts_kill_index.

Signed-off-by: Herton R. Krzesinski <her...@redhat.com>
Reviewed-by: Peter Hurley <pe...@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/tty/pty.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index 4d5e840..5c260c8 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -672,7 +672,14 @@ static void pty_unix98_remove(struct tty_driver *driver, struct tty_struct *tty)
/* this is called once with whichever end is closed last */
static void pty_unix98_shutdown(struct tty_struct *tty)
{
- devpts_kill_index(tty->driver_data, tty->index);
+ struct inode *ptmx_inode;
+
+ if (tty->driver->subtype == PTY_TYPE_MASTER)
+ ptmx_inode = tty->driver_data;
+ else
+ ptmx_inode = tty->link->driver_data;
+ devpts_kill_index(ptmx_inode, tty->index);
+ iput(ptmx_inode); /* drop reference we acquired at ptmx_open */
}

static const struct tty_operations ptm_unix98_ops = {
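Review bot: In the else branch of pty_unix98_shutdown(), `tty->link->driver_data` is dereferenced with no check or comment that `tty->link` is still valid when the slave end is the last to close. The old code did not touch `tty->link` here, so this is a new assumption; state the invariant in a comment or guard the dereference.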
@@ -764,6 +771,15 @@ static int ptmx_open(struct inode *inode, struct file *filp)
set_bit(TTY_PTY_LOCK, &tty->flags); /* LOCK THE SLAVE */
tty->driver_data = inode;

+ /*
+ * In the case where all references to ptmx inode are dropped and we
+ * still have /dev/tty opened pointing to the master/slave pair (ptmx
+ * is closed/released before /dev/tty), we must make sure that the inode
+ * is still valid when we call the final pty_unix98_shutdown, thus we
+ * hold an additional reference to the ptmx inode
+ */
+ ihold(inode);
+
tty_add_file(tty, filp);

slave_inode = devpts_pty_new(inode,
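Review bot: `ihold(inode)` is taken in ptmx_open() before `devpts_pty_new()` and the rest of the open path run, while the matching `iput()` lives only in pty_unix98_shutdown(). Confirm that every failure path after this point ends in that shutdown call, otherwise the extra inode reference leaks; the comment could also name the function that drops the reference.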
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:12 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Gavin Shan <gws...@linux.vnet.ibm.com>

commit 05ba75f848647135f063199dc0e9f40fee769724 upstream.

When PE is created, its primary bus is cached to pe->bus. At later
point, the cached primary bus is returned from eeh_pe_bus_get().
However, we could get stale cached primary bus and run into kernel
crash in one case: full hotplug as part of fenced PHB error recovery
releases all PCI busses under the PHB at unplugging time and recreate
them at plugging time. pe->bus is still dereferencing the PCI bus
that was released.

This adds another PE flag (EEH_PE_PRI_BUS) to represent the validity
of pe->bus. pe->bus is updated when its first child EEH device is
online and the flag is set. Before unplugging in full hotplug for
error recovery, the flag is cleared.

Fixes: 8cdb2833 ("powerpc/eeh: Trace PCI bus from PE")
Reported-by: Andrew Donnellan <andrew.d...@au1.ibm.com>
Reported-by: Pradipta Ghosh <prad...@in.ibm.com>
Signed-off-by: Gavin Shan <gws...@linux.vnet.ibm.com>
Tested-by: Andrew Donnellan <andrew.d...@au1.ibm.com>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/powerpc/include/asm/eeh.h | 1 +
arch/powerpc/kernel/eeh_driver.c | 3 +++
arch/powerpc/kernel/eeh_pe.c | 2 +-
arch/powerpc/platforms/powernv/eeh-powernv.c | 5 ++++-
4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/include/asm/eeh.h b/arch/powerpc/include/asm/eeh.h
index c5eb86f..867c39b 100644
--- a/arch/powerpc/include/asm/eeh.h
+++ b/arch/powerpc/include/asm/eeh.h
@@ -81,6 +81,7 @@ struct pci_dn;
#define EEH_PE_KEEP (1 << 8) /* Keep PE on hotplug */
#define EEH_PE_CFG_RESTRICTED (1 << 9) /* Block config on error */
#define EEH_PE_REMOVED (1 << 10) /* Removed permanently */
+#define EEH_PE_PRI_BUS (1 << 11) /* Cached primary bus */

struct eeh_pe {
int type; /* PE type: PHB/Bus/Device */
diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
index 89eb4bc..afeb2bd 100644
--- a/arch/powerpc/kernel/eeh_driver.c
+++ b/arch/powerpc/kernel/eeh_driver.c
@@ -561,6 +561,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus)
*/
eeh_pe_state_mark(pe, EEH_PE_KEEP);
if (bus) {
+ eeh_pe_state_clear(pe, EEH_PE_PRI_BUS);
pci_lock_rescan_remove();
pcibios_remove_pci_devices(bus);
pci_unlock_rescan_remove();
@@ -792,6 +793,7 @@ perm_error:
* the their PCI config any more.
*/
if (frozen_bus) {
+ eeh_pe_state_clear(pe, EEH_PE_PRI_BUS);
eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED);

pci_lock_rescan_remove();
@@ -875,6 +877,7 @@ static void eeh_handle_special_event(void)
continue;

/* Notify all devices to be down */
+ eeh_pe_state_clear(pe, EEH_PE_PRI_BUS);
bus = eeh_pe_bus_get(phb_pe);
eeh_pe_dev_traverse(pe,
eeh_report_failure, NULL);
diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
index 22f6d95..c3e0420 100644
--- a/arch/powerpc/kernel/eeh_pe.c
+++ b/arch/powerpc/kernel/eeh_pe.c
@@ -906,7 +906,7 @@ struct pci_bus *eeh_pe_bus_get(struct eeh_pe *pe)
bus = pe->phb->bus;
} else if (pe->type & EEH_PE_BUS ||
pe->type & EEH_PE_DEVICE) {
- if (pe->bus) {
+ if (pe->state & EEH_PE_PRI_BUS) {
bus = pe->bus;
goto out;
}
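Review bot: eeh_pe_bus_get() now trusts `pe->state & EEH_PE_PRI_BUS` instead of `pe->bus`, but the three places in eeh_driver.c that clear the flag leave the old pointer in `pe->bus`. Any code that still tests `pe->bus` directly will see a non-NULL stale pointer; either set `pe->bus = NULL` where the flag is cleared or add a comment on the field that it is only valid while the flag is set.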
diff --git a/arch/powerpc/platforms/powernv/eeh-powernv.c b/arch/powerpc/platforms/powernv/eeh-powernv.c
index 7cf0df8..b9b852e 100644
--- a/arch/powerpc/platforms/powernv/eeh-powernv.c
+++ b/arch/powerpc/platforms/powernv/eeh-powernv.c
@@ -457,9 +457,12 @@ static void *pnv_eeh_probe(struct pci_dn *pdn, void *data)
* PCI devices of the PE are expected to be removed prior
* to PE reset.
*/
- if (!edev->pe->bus)
+ if (!(edev->pe->state & EEH_PE_PRI_BUS)) {
edev->pe->bus = pci_find_bus(hose->global_number,
pdn->busno);
+ if (edev->pe->bus)
+ edev->pe->state |= EEH_PE_PRI_BUS;
+ }

/*
* Enable EEH explicitly so that we will do EEH check
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:12 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: David Vrabel <david....@citrix.com>

commit 98dd166ea3a3c3b57919e20d9b0d1237fcd0349d upstream.

With commit 633d6f17cd91ad5bf2370265946f716e42d388c6 (x86/xen: prepare
p2m list for memory hotplug) the P2M may be sized to accommodate a much
larger amount of memory than the domain currently has.

When saving a domain, the toolstack must scan all the P2M looking for
populated pages. This results in a performance regression due to the
unnecessary scanning.

Instead of reporting (via shared_info) the maximum possible size of
the P2M, hint at the last PFN which might be populated. This hint is
increased as new leaves are added to the P2M (in the expectation that
they will be used for populated entries).

Signed-off-by: David Vrabel <david....@citrix.com>
[ tim.gardner: backport to 4.2-stable ]
Signed-off-by: Tim Gardner <tim.g...@canonical.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/x86/xen/p2m.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c
index 8b7f18e..912b123 100644
--- a/arch/x86/xen/p2m.c
+++ b/arch/x86/xen/p2m.c
@@ -108,6 +108,15 @@ static unsigned long *p2m_identity;
static pte_t *p2m_missing_pte;
static pte_t *p2m_identity_pte;

+/*
+ * Hint at last populated PFN.
+ *
+ * Used to set HYPERVISOR_shared_info->arch.max_pfn so the toolstack
+ * can avoid scanning the whole P2M (which may be sized to account for
+ * hotplugged memory).
+ */
+static unsigned long xen_p2m_last_pfn;
+
static inline unsigned p2m_top_index(unsigned long pfn)
{
BUG_ON(pfn >= MAX_P2M_PFN);
@@ -262,7 +271,7 @@ void xen_setup_mfn_list_list(void)

HYPERVISOR_shared_info->arch.pfn_to_mfn_frame_list_list =
virt_to_mfn(p2m_top_mfn);
- HYPERVISOR_shared_info->arch.max_pfn = xen_max_p2m_pfn;
+ HYPERVISOR_shared_info->arch.max_pfn = xen_p2m_last_pfn;
}

/* Set up p2m_top to point to the domain-builder provided p2m pages */
@@ -394,6 +403,8 @@ void __init xen_vmalloc_p2m_tree(void)
static struct vm_struct vm;
unsigned long p2m_limit;

+ xen_p2m_last_pfn = xen_max_p2m_pfn;
+
p2m_limit = (phys_addr_t)P2M_LIMIT * 1024 * 1024 * 1024 / PAGE_SIZE;
vm.flags = VM_ALLOC;
vm.size = ALIGN(sizeof(unsigned long) * max(xen_max_p2m_pfn, p2m_limit),
@@ -590,6 +601,12 @@ static bool alloc_p2m(unsigned long pfn)
free_p2m_page(p2m);
}

+ /* Expanded the p2m? */
+ if (pfn > xen_p2m_last_pfn) {
+ xen_p2m_last_pfn = pfn;
+ HYPERVISOR_shared_info->arch.max_pfn = xen_p2m_last_pfn;
+ }
+
return true;
}

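Review bot: In alloc_p2m() the compare and the two stores to xen_p2m_last_pfn and HYPERVISOR_shared_info->arch.max_pfn happen with no lock or atomic visible in the hunk; if alloc_p2m() can run concurrently, a lower pfn can overwrite a higher hint. The hint is also seeded from xen_max_p2m_pfn, which the vm.size calculation uses as an entry count, but is later set to `pfn`, an index, so it is worth checking whether the stored value should be `pfn + 1` and saying which meaning max_pfn has.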
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:12 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ursula Braun <ubr...@linux.vnet.ibm.com>

commit e5ebe63214d44d4dcf43df02edf3613e04d671b9 upstream.

/sys/class/net/<interface>/operstate for an active qeth network
interface often shows "unknown", which translates to "state UNKNOWN"
in output of "ip link show". It is caused by a missing initialization
of the __LINK_STATE_NOCARRIER bit in the net_device state field.
This patch adds a netif_carrier_off() invocation when creating the
net_device for a qeth device.

Signed-off-by: Ursula Braun <ubr...@linux.vnet.ibm.com>
Acked-by: Hendrik Brueckner <brue...@linux.vnet.ibm.com>
Reference-ID: Bugzilla 133209
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/s390/net/qeth_l2_main.c | 1 +
drivers/s390/net/qeth_l3_main.c | 1 +
2 files changed, 2 insertions(+)

diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
index 2e65b98..86f6b36 100644
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -1004,6 +1004,7 @@ static int qeth_l2_setup_netdev(struct qeth_card *card)
qeth_l2_request_initial_mac(card);
SET_NETDEV_DEV(card->dev, &card->gdev->dev);
netif_napi_add(card->dev, &card->napi, qeth_l2_poll, QETH_NAPI_WEIGHT);
+ netif_carrier_off(card->dev);
return register_netdev(card->dev);
}

diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
index 70eb2f6..5243202 100644
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3331,6 +3331,7 @@ static int qeth_l3_setup_netdev(struct qeth_card *card)

SET_NETDEV_DEV(card->dev, &card->gdev->dev);
netif_napi_add(card->dev, &card->napi, qeth_l3_poll, QETH_NAPI_WEIGHT);
+ netif_carrier_off(card->dev);
return register_netdev(card->dev);
}

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:12 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mauro Carvalho Chehab <mch...@osg.samsung.com>

commit e8beb02343e7582980c6705816cd957cf4f74c7a upstream.

The tda1004x was updating the properties cache before locking.
If the device is not locked, the data at the registers are just
random values with no real meaning.

This caused the driver to fail with libdvbv5, as such library
calls GET_PROPERTY from time to time, in order to return the
DVB stats.

Tested with a saa7134 card 78:
ASUSTeK P7131 Dual, vendor PCI ID: 1043:4862

Signed-off-by: Mauro Carvalho Chehab <mch...@osg.samsung.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/media/dvb-frontends/tda1004x.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/drivers/media/dvb-frontends/tda1004x.c b/drivers/media/dvb-frontends/tda1004x.c
index 0e209b5..c6abeb4 100644
--- a/drivers/media/dvb-frontends/tda1004x.c
+++ b/drivers/media/dvb-frontends/tda1004x.c
@@ -903,9 +903,18 @@ static int tda1004x_get_fe(struct dvb_frontend *fe)
{
struct dtv_frontend_properties *fe_params = &fe->dtv_property_cache;
struct tda1004x_state* state = fe->demodulator_priv;
+ int status;

dprintk("%s\n", __func__);

+ status = tda1004x_read_byte(state, TDA1004X_STATUS_CD);
+ if (status == -1)
+ return -EIO;
+
+ /* Only update the properties cache if device is locked */
+ if (!(status & 8))
+ return 0;
+
// inversion status
fe_params->inversion = INVERSION_OFF;
if (tda1004x_read_byte(state, TDA1004X_CONFC1) & 0x20)
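Review bot: `if (!(status & 8))` tests a bare constant; give the lock bit a named define so the comment and the code agree on what "locked" means. The new `status == -1` test is also the only tda1004x_read_byte() result checked here, since the unchanged TDA1004X_CONFC1 read right below still feeds its return value straight into `& 0x20`.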
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:13 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Filipe Manana <fdma...@suse.com>

commit 313140023026ae542ad76e7e268c56a1eaa2c28e upstream.

In the extent_same ioctl, we were grabbing the pages (locked) and
attempting to read them without bothering about any concurrent IO
against them. That is, we were not checking for any ongoing ordered
extents nor waiting for them to complete, which leads to a race where
the extent_same() code gets a checksum verification error when it
reads the pages, producing a message like the following in dmesg
and making the operation fail to user space with -ENOMEM:

[18990.161265] BTRFS warning (device sdc): csum failed ino 259 off 495616 csum 685204116 expected csum 1515870868

Fix this by using btrfs_readpage() for reading the pages instead of
extent_read_full_page_nolock(), which waits for any concurrent ordered
extents to complete and locks the io range. Also do better error handling
and don't treat all failures as -ENOMEM, as that's clearly misleading,
becoming identical to the checks and operation of prepare_uptodate_page().

The use of extent_read_full_page_nolock() was required before
commit f441460202cb ("btrfs: fix deadlock with extent-same and readpage"),
as we had the range locked in an inode's io tree before attempting to
read the pages.

Fixes: f441460202cb ("btrfs: fix deadlock with extent-same and readpage")
Signed-off-by: Filipe Manana <fdma...@suse.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
fs/btrfs/ioctl.c | 29 +++++++++++++++++++++--------
1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 3435b34..fc784e9 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2769,21 +2769,27 @@ out:
static struct page *extent_same_get_page(struct inode *inode, pgoff_t index)
{
struct page *page;
- struct extent_io_tree *tree = &BTRFS_I(inode)->io_tree;

page = grab_cache_page(inode->i_mapping, index);
if (!page)
- return NULL;
+ return ERR_PTR(-ENOMEM);

if (!PageUptodate(page)) {
- if (extent_read_full_page_nolock(tree, page, btrfs_get_extent,
- 0))
- return NULL;
+ int ret;
+
+ ret = btrfs_readpage(NULL, page);
+ if (ret)
+ return ERR_PTR(ret);
lock_page(page);
if (!PageUptodate(page)) {
unlock_page(page);
page_cache_release(page);
- return NULL;
+ return ERR_PTR(-EIO);
+ }
+ if (page->mapping != inode->i_mapping) {
+ unlock_page(page);
+ page_cache_release(page);
+ return ERR_PTR(-EAGAIN);
}
}

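Review bot: The `if (ret) return ERR_PTR(ret);` path after btrfs_readpage() returns without `page_cache_release(page)`, unlike the two error paths below it that unlock and release the page. Unless btrfs_readpage() drops the reference taken by grab_cache_page() on failure, this leaks a page reference; release it before returning or add a comment saying who does.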
@@ -2797,9 +2803,16 @@ static int gather_extent_pages(struct inode *inode, struct page **pages,
pgoff_t index = off >> PAGE_CACHE_SHIFT;

for (i = 0; i < num_pages; i++) {
+again:
pages[i] = extent_same_get_page(inode, index + i);
- if (!pages[i])
- return -ENOMEM;
+ if (IS_ERR(pages[i])) {
+ int err = PTR_ERR(pages[i]);
+
+ if (err == -EAGAIN)
+ goto again;
+ pages[i] = NULL;
+ return err;
+ }
}
return 0;
}
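Review bot: The `again:` label with `goto again` on -EAGAIN retries the same index with no bound and no yield, so a page whose mapping keeps changing spins this loop indefinitely. Consider a bounded retry, and add a comment that on error the earlier `pages[]` entries are left for the caller to release, since only `pages[i]` is reset to NULL here.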
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:14 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Kamal Mostafa <ka...@canonical.com>

This reverts commit 504017f7fa4377d77f134a6465f047858318e1f1.

Breaks ppc64 builds on hosts which don't include the kmod patch:
"depmod: Ignore PowerPC64 ABIv2 .TOC. symbol"

Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/powerpc/kernel/misc_64.S | 28 ++++++++++++++++++++++++++++
arch/powerpc/kernel/module_64.c | 12 +++---------
scripts/mod/modpost.c | 3 +--
3 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/arch/powerpc/kernel/misc_64.S b/arch/powerpc/kernel/misc_64.S
index bda85a1..4e314b9 100644
--- a/arch/powerpc/kernel/misc_64.S
+++ b/arch/powerpc/kernel/misc_64.S
@@ -634,3 +634,31 @@ _GLOBAL(kexec_sequence)
li r5,0
blr /* image->start(physid, image->start, 0); */
#endif /* CONFIG_KEXEC */
+
+#ifdef CONFIG_MODULES
+#if defined(_CALL_ELF) && _CALL_ELF == 2
+
+#ifdef CONFIG_MODVERSIONS
+.weak __crc_TOC.
+.section "___kcrctab+TOC.","a"
+.globl __kcrctab_TOC.
+__kcrctab_TOC.:
+ .llong __crc_TOC.
+#endif
+
+/*
+ * Export a fake .TOC. since both modpost and depmod will complain otherwise.
+ * Both modpost and depmod strip the leading . so we do the same here.
+ */
+.section "__ksymtab_strings","a"
+__kstrtab_TOC.:
+ .asciz "TOC."
+
+.section "___ksymtab+TOC.","a"
+/* This symbol name is important: it's used by modpost to find exported syms */
+.globl __ksymtab_TOC.
+__ksymtab_TOC.:
+ .llong 0 /* .value */
+ .llong __kstrtab_TOC.
+#endif /* ELFv2 */
+#endif /* MODULES */
diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
index ac64ffd..59663af 100644
--- a/arch/powerpc/kernel/module_64.c
+++ b/arch/powerpc/kernel/module_64.c
@@ -326,10 +326,7 @@ static void dedotify_versions(struct modversion_info *vers,
}
}

-/*
- * Undefined symbols which refer to .funcname, hack to funcname. Make .TOC.
- * seem to be defined (value set later).
- */
+/* Undefined symbols which refer to .funcname, hack to funcname (or .TOC.) */
static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab)
{
unsigned int i;
@@ -337,11 +334,8 @@ static void dedotify(Elf64_Sym *syms, unsigned int numsyms, char *strtab)
for (i = 1; i < numsyms; i++) {
if (syms[i].st_shndx == SHN_UNDEF) {
char *name = strtab + syms[i].st_name;
- if (name[0] == '.') {
- if (strcmp(name+1, "TOC.") == 0)
- syms[i].st_shndx = SHN_ABS;
+ if (name[0] == '.')
memmove(name, name+1, strlen(name));
- }
}
}
}
@@ -357,7 +351,7 @@ static Elf64_Sym *find_dot_toc(Elf64_Shdr *sechdrs,
numsyms = sechdrs[symindex].sh_size / sizeof(Elf64_Sym);

for (i = 1; i < numsyms; i++) {
- if (syms[i].st_shndx == SHN_ABS
+ if (syms[i].st_shndx == SHN_UNDEF
&& strcmp(strtab + syms[i].st_name, "TOC.") == 0)
return &syms[i];
}
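Review bot: find_dot_toc() now matches an SHN_UNDEF symbol named "TOC." without the leading dot, so it only works if dedotify() has already stripped the dot from the name in strtab. That ordering dependency is not stated anywhere in these hunks; add a comment at the strcmp saying so.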
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index a23ee3b..12d3db3 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -593,8 +593,7 @@ static int ignore_undef_symbol(struct elf_info *info, const char *symname)
if (strncmp(symname, "_restgpr0_", sizeof("_restgpr0_") - 1) == 0 ||
strncmp(symname, "_savegpr0_", sizeof("_savegpr0_") - 1) == 0 ||
strncmp(symname, "_restvr_", sizeof("_restvr_") - 1) == 0 ||
- strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0 ||
- strcmp(symname, ".TOC.") == 0)
+ strncmp(symname, "_savevr_", sizeof("_savevr_") - 1) == 0)
return 1;
/* Do not ignore this symbol */
return 0;
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:14 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jeremy McNicoll <jmcn...@redhat.com>

commit 7dde55787b43a8f2b4021916db38d90c03a2ec64 upstream.

WCH382 2S board is a PCIe card with 2 DB9 COM ports detected as
Serial controller: Device 1c00:3253 (rev 10) (prog-if 05 [16850])

Signed-off-by: Jeremy McNicoll <jmcn...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/tty/serial/8250/8250_pci.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
index f85839e..78aeb11 100644
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -2021,6 +2021,7 @@ pci_wch_ch38x_setup(struct serial_private *priv,
#define PCIE_VENDOR_ID_WCH 0x1c00
#define PCIE_DEVICE_ID_WCH_CH382_2S1P 0x3250
#define PCIE_DEVICE_ID_WCH_CH384_4S 0x3470
+#define PCIE_DEVICE_ID_WCH_CH382_2S 0x3253

#define PCI_VENDOR_ID_PERICOM 0x12D8
#define PCI_DEVICE_ID_PERICOM_PI7C9X7951 0x7951
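Review bot: PCIE_DEVICE_ID_WCH_CH382_2S (0x3253) is added after PCIE_DEVICE_ID_WCH_CH384_4S (0x3470), which breaks the ascending order of the two existing WCH defines. Place it directly after PCIE_DEVICE_ID_WCH_CH382_2S1P so the CH382 variants sit together, matching the order used for the new quirk and enum entries.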
@@ -2745,6 +2746,14 @@ static struct pci_serial_quirk pci_serial_quirks[] __refdata = {
.subdevice = PCI_ANY_ID,
.setup = pci_wch_ch353_setup,
},
+ /* WCH CH382 2S card (16850 clone) */
+ {
+ .vendor = PCIE_VENDOR_ID_WCH,
+ .device = PCIE_DEVICE_ID_WCH_CH382_2S,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .setup = pci_wch_ch38x_setup,
+ },
/* WCH CH382 2S1P card (16850 clone) */
{
.vendor = PCIE_VENDOR_ID_WCH,
@@ -3065,6 +3074,7 @@ enum pci_board_num_t {
pbn_fintek_4,
pbn_fintek_8,
pbn_fintek_12,
+ pbn_wch382_2,
pbn_wch384_4,
pbn_pericom_PI7C9X7951,
pbn_pericom_PI7C9X7952,
@@ -3895,6 +3905,13 @@ static struct pciserial_board pci_boards[] = {
.base_baud = 115200,
.first_offset = 0x40,
},
+ [pbn_wch382_2] = {
+ .flags = FL_BASE0,
+ .num_ports = 2,
+ .base_baud = 115200,
+ .uart_offset = 8,
+ .first_offset = 0xC0,
+ },
[pbn_wch384_4] = {
.flags = FL_BASE0,
.num_ports = 4,
@@ -5707,6 +5724,10 @@ static struct pci_device_id serial_pci_tbl[] = {
PCI_ANY_ID, PCI_ANY_ID,
0, 0, pbn_b0_bt_2_115200 },

+ { PCIE_VENDOR_ID_WCH, PCIE_DEVICE_ID_WCH_CH382_2S,
+ PCI_ANY_ID, PCI_ANY_ID,
+ 0, 0, pbn_wch382_2 },
+
{ PCIE_VENDOR_ID_WCH, PCIE_DEVICE_ID_WCH_CH384_4S,
PCI_ANY_ID, PCI_ANY_ID,
0, 0, pbn_wch384_4 },
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:00:14 PM
This is the start of the review cycle for the Linux 4.2.8-ckt5 stable
kernel.

This version contains 273 new patches, summarized below. The new patches
are posted as replies to this message and also available in this git branch:

http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-4.2.y-review

git://kernel.ubuntu.com/ubuntu/linux.git linux-4.2.y-review

The review period for version 4.2.8-ckt5 will be open for the next three
days. To report a problem, please reply to the relevant follow-up patch
message.

For more information about the Linux 4.2.y-ckt extended stable kernel
series, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .

-Kamal

--
Documentation/networking/ip-sysctl.txt | 8 +
MAINTAINERS | 8 -
arch/arc/include/asm/irqflags-arcv2.h | 11 +
arch/arc/kernel/entry-arcv2.S | 30 ++-
arch/arc/kernel/mcip.c | 15 ++
arch/arm/boot/dts/at91-sama5d4_xplained.dts | 2 +-
arch/arm/boot/dts/at91-sama5d4ek.dts | 11 +
arch/arm/boot/dts/kirkwood-ds112.dts | 2 +-
arch/arm/boot/dts/logicpd-torpedo-som.dtsi | 1 +
arch/arm/boot/dts/sama5d4.dtsi | 2 +-
arch/arm/boot/dts/ste-nomadik-stn8815.dtsi | 37 +--
arch/arm/common/icst.c | 9 +-
arch/arm/mach-omap2/gpmc-onenand.c | 6 +-
arch/arm/mach-omap2/sleep34xx.S | 61 +++--
arch/arm/mach-omap2/sleep44xx.S | 25 +-
arch/mips/include/asm/syscall.h | 4 +-
arch/powerpc/include/asm/eeh.h | 1 +
arch/powerpc/kernel/eeh_driver.c | 3 +
arch/powerpc/kernel/eeh_pe.c | 2 +-
arch/powerpc/kernel/misc_64.S | 28 ++
arch/powerpc/kernel/module_64.c | 14 +-
arch/powerpc/platforms/powernv/eeh-powernv.c | 5 +-
arch/powerpc/platforms/powernv/pci-ioda.c | 1 +
arch/powerpc/platforms/powernv/pci.c | 26 ++
arch/powerpc/platforms/powernv/pci.h | 1 +
arch/s390/kernel/compat_signal.c | 2 +-
arch/s390/kernel/perf_event.c | 8 +-
arch/s390/kernel/stacktrace.c | 11 +-
arch/s390/oprofile/backtrace.c | 8 +-
arch/x86/entry/entry_64_compat.S | 1 +
arch/x86/kvm/paging_tmpl.h | 2 +-
arch/x86/kvm/vmx.c | 4 +-
arch/x86/kvm/x86.c | 1 +
arch/x86/lib/copy_user_64.S | 142 +++++++---
arch/x86/mm/fault.c | 15 +-
arch/x86/mm/mpx.c | 2 +-
arch/x86/xen/p2m.c | 19 +-
block/bio.c | 7 +-
crypto/algif_hash.c | 4 +-
crypto/algif_skcipher.c | 5 +-
crypto/crypto_user.c | 6 +-
crypto/shash.c | 7 +-
drivers/acpi/nfit.c | 71 +++--
drivers/android/binder.c | 2 +-
drivers/ata/ahci.c | 20 ++
drivers/ata/libahci.c | 4 +-
drivers/ata/libata-sff.c | 32 +--
drivers/crypto/atmel-sha.c | 7 -
drivers/crypto/marvell/cesa.c | 2 +-
drivers/dma/dw/core.c | 15 +-
drivers/gpu/drm/amd/amdgpu/Makefile | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu.h | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 8 +
drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 23 +-
drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 43 ++-
drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 27 +-
drivers/gpu/drm/amd/amdgpu/vi.c | 7 +-
drivers/gpu/drm/drm_dp_mst_topology.c | 171 +++++++++---
drivers/gpu/drm/drm_irq.c | 3 +-
drivers/gpu/drm/i915/intel_ddi.c | 3 +-
drivers/gpu/drm/i915/intel_display.c | 20 +-
drivers/gpu/drm/i915/intel_dsi_panel_vbt.c | 8 +-
drivers/gpu/drm/i915/intel_i2c.c | 2 +-
drivers/gpu/drm/qxl/qxl_ioctl.c | 3 +-
drivers/gpu/drm/radeon/radeon_object.c | 7 +
drivers/gpu/drm/radeon/radeon_pm.c | 5 +-
drivers/gpu/drm/radeon/radeon_sa.c | 5 +
drivers/gpu/drm/radeon/radeon_ttm.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 4 +-
drivers/hwmon/ads1015.c | 2 +-
drivers/hwmon/gpio-fan.c | 7 +-
drivers/hwspinlock/hwspinlock_core.c | 4 +
drivers/iio/accel/Kconfig | 1 +
drivers/iio/adc/Kconfig | 1 +
drivers/iio/adc/ti_am335x_adc.c | 2 +-
drivers/iio/dac/mcp4725.c | 1 +
drivers/iio/inkern.c | 2 +
drivers/iio/light/acpi-als.c | 6 +-
drivers/iio/light/ltr501.c | 2 +-
drivers/iio/pressure/mpl115.c | 2 +-
drivers/infiniband/hw/cxgb3/iwch_cm.c | 4 +-
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 2 -
drivers/input/joystick/xpad.c | 1 -
drivers/input/mouse/vmmouse.c | 13 +-
drivers/iommu/dmar.c | 2 +-
drivers/iommu/intel_irq_remapping.c | 2 +-
drivers/irqchip/irq-gic-v3-its.c | 7 +-
drivers/md/dm.c | 2 +
drivers/media/dvb-frontends/tda1004x.c | 9 +
drivers/media/pci/saa7134/saa7134-alsa.c | 5 +-
drivers/media/platform/exynos4-is/fimc-isp-video.c | 4 +-
drivers/media/usb/usbvision/usbvision-video.c | 23 +-
drivers/net/bonding/bond_main.c | 40 ++-
drivers/net/can/usb/ems_usb.c | 14 +-
drivers/net/ethernet/broadcom/tg3.c | 25 +-
drivers/net/ethernet/mellanox/mlx4/catas.c | 11 +-
drivers/net/ethernet/mellanox/mlx4/en_clock.c | 25 +-
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +-
drivers/net/ethernet/mellanox/mlx4/en_port.c | 4 +-
.../net/ethernet/mellanox/mlx4/resource_tracker.c | 10 +-
drivers/net/ethernet/rocker/rocker.c | 2 +
drivers/net/phy/bcm7xxx.c | 10 +-
drivers/net/phy/dp83640.c | 17 ++
drivers/net/phy/phy.c | 46 ++--
drivers/net/ppp/pppoe.c | 2 +
drivers/net/ppp/pptp.c | 34 ++-
drivers/net/usb/qmi_wwan.c | 1 +
drivers/net/wireless/iwlwifi/mvm/scan.c | 4 +
drivers/net/wireless/rtlwifi/regd.c | 2 +-
drivers/pci/pcie/aer/aerdrv.c | 4 +-
drivers/pci/pcie/aer/aerdrv.h | 1 -
drivers/pci/pcie/aer/aerdrv_core.c | 2 -
drivers/pci/xen-pcifront.c | 10 +-
drivers/phy/phy-core.c | 16 +-
drivers/phy/phy-twl4030-usb.c | 14 +-
drivers/platform/x86/intel_scu_ipcutil.c | 2 +-
drivers/s390/block/dasd_alias.c | 23 +-
drivers/s390/net/qeth_l2_main.c | 1 +
drivers/s390/net/qeth_l3_main.c | 1 +
drivers/scsi/device_handler/scsi_dh_rdac.c | 4 +-
drivers/scsi/qla2xxx/qla_init.c | 10 +-
drivers/scsi/qla2xxx/qla_isr.c | 4 +-
drivers/scsi/qla2xxx/qla_mid.c | 4 +-
drivers/scsi/qla2xxx/qla_os.c | 6 +
drivers/scsi/qla2xxx/qla_tmpl.c | 16 ++
drivers/scsi/scsi_devinfo.c | 1 +
drivers/scsi/scsi_sysfs.c | 6 +-
drivers/scsi/sg.c | 2 +-
drivers/spi/spi-atmel.c | 1 +
drivers/target/target_core_device.c | 43 +++
drivers/target/target_core_file.c | 29 +--
drivers/target/target_core_iblock.c | 56 +---
drivers/target/target_core_tmr.c | 136 +++++++---
drivers/target/target_core_transport.c | 290 ++++++++++++++-------
drivers/tty/pty.c | 21 +-
drivers/tty/serial/8250/8250_pci.c | 21 ++
drivers/tty/serial/omap-serial.c | 8 +-
drivers/usb/dwc3/core.h | 1 -
drivers/usb/dwc3/ep0.c | 5 -
drivers/usb/dwc3/gadget.c | 70 +++--
drivers/usb/host/xhci-pci.c | 56 +++-
drivers/usb/host/xhci.c | 4 +-
drivers/usb/host/xhci.h | 1 +
drivers/usb/serial/cp210x.c | 2 +
drivers/usb/serial/option.c | 9 +
drivers/xen/xen-pciback/pciback_ops.c | 9 +-
drivers/xen/xen-scsiback.c | 10 +-
fs/btrfs/backref.c | 10 +-
fs/btrfs/delayed-inode.c | 3 +-
fs/btrfs/delayed-inode.h | 2 +-
fs/btrfs/inode.c | 14 +-
fs/btrfs/ioctl.c | 149 +++++++----
fs/cifs/cifsencrypt.c | 2 +-
fs/devpts/inode.c | 20 ++
fs/ext4/inode.c | 72 +++--
fs/ext4/move_extent.c | 15 +-
fs/ext4/resize.c | 2 +-
fs/hpfs/namei.c | 31 +--
fs/inode.c | 6 +
fs/namei.c | 22 +-
fs/nfs/nfs4proc.c | 4 +-
fs/ocfs2/aops.c | 1 +
fs/ocfs2/dlm/dlmrecovery.c | 2 +
include/asm-generic/cputime_nsecs.h | 5 +-
include/drm/drm_cache.h | 9 +
include/drm/drm_fixed.h | 53 +++-
include/linux/cgroup-defs.h | 6 +
include/linux/compiler.h | 2 +-
include/linux/devpts_fs.h | 4 +
include/linux/ipv6.h | 1 +
include/linux/nfs_fs.h | 4 +-
include/linux/radix-tree.h | 22 +-
include/linux/rmap.h | 14 -
include/linux/skbuff.h | 1 +
include/linux/tracepoint.h | 5 +
include/net/af_unix.h | 4 +-
include/net/ip6_route.h | 12 +-
include/net/ip_fib.h | 1 +
include/net/scm.h | 1 +
include/sound/hdaudio.h | 2 +-
include/sound/rawmidi.h | 4 +
include/target/target_core_backend.h | 4 +
include/target/target_core_base.h | 3 +
include/uapi/linux/ipv6.h | 2 +
ipc/msgutil.c | 2 +-
ipc/shm.c | 55 +++-
kernel/bpf/verifier.c | 2 +-
kernel/cgroup.c | 22 +-
kernel/module.c | 28 +-
kernel/resource.c | 5 +-
kernel/trace/trace_events.c | 3 +-
kernel/workqueue.c | 18 +-
lib/asn1_decoder.c | 5 +-
lib/dump_stack.c | 7 +-
lib/klist.c | 6 +-
lib/radix-tree.c | 12 +-
mm/backing-dev.c | 2 +-
mm/memory.c | 14 +-
mm/mmap.c | 89 ++++---
mm/vmstat.c | 6 +-
net/batman-adv/hard-interface.c | 25 ++
net/bridge/br.c | 3 +-
net/ceph/messenger.c | 15 +-
net/core/flow_dissector.c | 13 +-
net/core/scm.c | 7 +
net/core/skbuff.c | 2 +
net/core/sysctl_net_core.c | 10 +
net/ipv4/devinet.c | 2 +-
net/ipv4/ip_sockglue.c | 2 +
net/ipv4/ping.c | 4 +-
net/ipv4/raw.c | 4 +-
net/ipv4/route.c | 77 +++++-
net/ipv4/tcp.c | 16 +-
net/ipv4/tcp_ipv4.c | 13 +-
net/ipv4/udp.c | 4 +-
net/ipv6/addrconf.c | 17 +-
net/ipv6/datagram.c | 3 +
net/ipv6/ip6_flowlabel.c | 5 +-
net/ipv6/ip6_output.c | 6 +-
net/ipv6/ndisc.c | 16 +-
net/ipv6/route.c | 8 +-
net/iucv/af_iucv.c | 3 +
net/l2tp/l2tp_netlink.c | 18 +-
net/mac80211/ibss.c | 1 -
net/mac80211/mesh.c | 11 -
net/mac80211/mesh.h | 4 -
net/mac80211/mlme.c | 2 -
net/mac80211/scan.c | 12 +-
net/netfilter/nfnetlink.c | 10 +-
net/netlink/af_netlink.c | 3 +-
net/rfkill/core.c | 16 +-
net/sctp/protocol.c | 47 +++-
net/sctp/socket.c | 11 +-
net/sunrpc/cache.c | 2 +-
net/switchdev/switchdev.c | 15 +-
net/tipc/subscr.c | 11 +-
net/unix/af_unix.c | 28 +-
net/unix/diag.c | 2 +-
net/unix/garbage.c | 8 +-
scripts/mod/modpost.c | 3 +-
security/integrity/evm/evm_main.c | 3 +-
security/keys/process_keys.c | 1 +
sound/core/oss/pcm_oss.c | 21 +-
sound/core/pcm_native.c | 16 +-
sound/core/rawmidi.c | 134 +++++++---
sound/core/seq/seq_clientmgr.c | 3 +
sound/core/seq/seq_memory.c | 13 +-
sound/core/seq/seq_ports.c | 236 +++++++++--------
sound/core/seq/seq_timer.c | 87 +++++--
sound/core/seq/seq_virmidi.c | 23 +-
sound/core/timer.c | 98 ++++---
sound/drivers/dummy.c | 37 +--
sound/hda/hdac_controller.c | 7 +-
sound/pci/hda/hda_controller.c | 47 ++--
sound/pci/hda/hda_generic.c | 4 +-
sound/pci/hda/hda_intel.c | 4 +-
sound/pci/hda/hda_jack.c | 2 +-
sound/pci/hda/hda_jack.h | 2 +-
sound/pci/hda/patch_ca0132.c | 5 +-
sound/pci/hda/patch_cirrus.c | 27 ++
sound/pci/hda/patch_hdmi.c | 5 +-
sound/pci/hda/patch_realtek.c | 55 +++-
sound/pci/hda/patch_sigmatel.c | 6 +-
sound/soc/codecs/rt5645.c | 2 +-
sound/soc/soc-pcm.c | 3 +-
sound/usb/midi.c | 1 -
sound/usb/quirks.c | 4 +-
virt/kvm/arm/vgic.c | 4 +-
virt/kvm/async_pf.c | 2 +-
272 files changed, 3054 insertions(+), 1385 deletions(-)

Adam Ford (1):
ARM: dts: Fix wl12xx missing clocks that cause hangs

Akinobu Mita (1):
iio: pressure: mpl115: fix temperature offset sign

Al Viro (4):
do_last(): don't let a bogus return value from ->open() et.al. to confuse us
namei: ->d_inode of a pinned dentry is stable only for positives
should_follow_link(): validate ->d_seq after having decided to follow
do_last(): ELOOP failure exit should be done after leaving RCU mode

Alex Deucher (5):
drm/amdgpu: move gmc7 support out of CIK dependency
drm/amdgpu: pull topaz gmc bits into gmc_v7
drm/amdgpu: drop topaz support from gmc8 module
drm/amdgpu/pm: adjust display configuration after powerstate
drm/radeon/pm: adjust display configuration after powerstate

Alexander Duyck (2):
flow_dissector: Fix unaligned access in __skb_flow_dissector when used by eth_get_headlen
net: Copy inner L3 and L4 headers as unaligned on GRE TEB

Alexandra Yates (1):
ahci: Intel DNV device IDs SATA

Alexey Kardashevskiy (1):
powerpc/ioda: Set "read" permission when "write" is set

Amir Vadai (1):
net/mlx4_en: Count HW buffer overrun only once

Andrea Arcangeli (1):
mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED

Andreas Schwab (1):
powerpc: Fix dedotify for binutils >= 2.26

Andrew Lunn (1):
batman-adv: Avoid endless loop in bat-on-bat netdevice check

Andrey Grodzovsky (1):
drm/dp/mst: Reverse order of MST enable and clearing VC payload table.

Andrey Konovalov (1):
ALSA: usb-audio: avoid freeing umidi object twice

Andrey Skvortsov (1):
USB: option: add support for SIM7100E

Andy Lutomirski (1):
x86/entry/compat: Add missing CLAC to entry_INT80_32

Andy Shevchenko (1):
dmaengine: dw: disable BLOCK IRQs for non-cyclic xfer

Anton Protopopov (2):
cifs: fix erroneous return value
rtnl: RTM_GETNETCONF: fix wrong return value

Arnd Bergmann (2):
tracing: Fix freak link error caused by branch tracer
Input: xpad - remove unused function

Ashok Kumar (1):
irqchip/gic-v3-its: Fix double ICC_EOIR write for LPI in EOImode==1

Bard Liao (1):
ASoC: rt5645: fix the shift bit of IN1 boost

Bart Van Assche (1):
target: Invoke release_cmd() callback without holding a spinlock

Benjamin Coddington (1):
NFSv4: Fix a dentry leak on alias use

Bjørn Mork (2):
USB: option: add "4G LTE usb-modem U901"
qmi_wwan: add "4G LTE usb-modem U901"

Boris BREZILLON (1):
crypto: marvell/cesa - fix test in mv_cesa_dev_dma_init()

CQ Tang (1):
iommu/vt-d: Fix 64-bit accesses to 32-bit DMAR_GSTS_REG

Carol L Soto (1):
IB/IPoIB: Do not set skb truesize since using one linearskb

Christian Borntraeger (1):
KVM: async_pf: do not warn on page allocation failures

Christian König (1):
drm/amdgpu: fix issue with overlapping userptrs

Christoph Hellwig (1):
nfs: fix nfs_size_to_loff_t

Colin Ian King (1):
x86/mpx: Fix off-by-one comparison with nr_registers

Cyrille Pitchen (2):
spi: atmel: fix gpio chip-select in case of non-DT platform
crypto: atmel-sha - fix atmel_sha_remove()

Dan Carpenter (2):
iio: inkern: fix a NULL dereference on error
intel_scu_ipcutil: underflow in scu_reg_access()

Dan Williams (1):
nfit: fix multi-interface dimm handling, acpi6.1 compatibility

Daniel Borkmann (1):
bpf: fix branch offset adjustment on backjumps after patching ctx expansion

Daniel Jurgens (1):
net/mlx4_core: Do not BUG_ON during reset when PCI is offline

Dave Airlie (1):
drm: add helper to check for wc memory support

David Henningsson (2):
ALSA: hda - Fix static checker warning in patch_hdmi.c
ALSA: hda - Fixup speaker pass-through control for nid 0x14 on ALC225

David Howells (1):
ASN.1: Fix non-match detection failure on data overrun

David Sterba (1):
btrfs: properly set the termination value of ctx->pos in readdir

David Vrabel (1):
x86/xen/p2m: hint at the last populated P2M entry

Davidlohr Bueso (1):
ipc: convert invalid scenarios to use WARN_ON

Dmitry Torokhov (1):
Input: vmmouse - fix absolute device registration

Dmitry V. Levin (1):
unix_diag: fix incorrect sign extension in unix_lookup_by_ino

Eran Ben Elisha (1):
net/mlx4_core: Fix potential corruption in counters database

Eric Dumazet (6):
dump_stack: avoid potential deadlocks
tcp: fix NULL deref in tcp_v4_send_ack()
af_unix: fix struct pid memory leak
tcp: beware of alignments in tcp_get_info()
ipv6: fix a lockdep splat
ipv4: fix memory leaks in ip_cmsg_send() callers

Eryu Guan (1):
ext4: don't read blocks from disk after extents being swapped

Eugenia Emantayev (2):
net/mlx4_en: Choose time-stamping shift value according to HW frequency
net/mlx4_en: Avoid changing dev->features directly in run-time

Filipe Manana (3):
Btrfs: fix invalid page accesses in extent_same (dedup) ioctl
Btrfs: fix page reading in extent_same ioctl leading to csum errors
Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl

Flora Cui (1):
drm/amdgpu: fix s4 resume

Florian Fainelli (6):
MAINTAINERS: Remove stale entry for BCM33xx chips
net: phy: bcm7xxx: Fix shadow mode 2 disabling
net: phy: bcm7xxx: Fix bcm7xxx_config_init() check
net: phy: Fix phy_mac_interrupt()
net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS
net: phy: bcm7xxx: Fix 40nm EPHY features

Gabriele Mazzotta (1):
iio: light: acpi-als: Report data as processed

Gavin Shan (2):
powerpc/eeh: Fix stale cached primary bus
powerpc/powernv: Fix stale PE primary bus

Gerd Hoffmann (1):
drm/qxl: use kmalloc_array to alloc reloc_info in qxl_process_single_command

Gerhard Uttenthaler (1):
can: ems_usb: Fix possible tx overflow

Guillaume Nault (1):
pppoe: fix reference counting in PPPoE proxy

Guozhonghua (1):
ocfs2: unlock inode if deleting inode from orphan fails

Hangbin Liu (1):
net/ipv6: add sysctl option accept_ra_min_hop_limit

Hannes Frederic Sowa (2):
pptp: fix illegal memory access caused by multiple bind()s
unix: correctly track in-flight fds in sending process user_struct

Hannes Reinecke (2):
scsi_dh_rdac: always retry MODE SELECT on command lock violation
bio: return EINTR if copying to user space got interrupted

Hans Westgaard Ry (1):
net:Add sysctl_max_skb_frags

Haozhong Zhang (1):
KVM: VMX: Fix host initiated access to guest MSR_TSC_AUX

Hariprasad S (1):
iw_cxgb3: Fix incorrectly returning error on success

Harry Wentland (2):
drm: Add drm_fixp_from_fraction and drm_fixp2int_ceil
drm/dp/mst: Calculate MST PBN with 31.32 fixed point

Heiko Carstens (3):
s390/perf_event: fix address range for asynchronous stack
s390/stacktrace: fix address ranges for asynchronous and panic stack
s390/oprofile: fix address range for asynchronous stack

Heinrich Schuchardt (1):
ARM: dts: kirkwood: use unique machine name for ds112

Herbert Xu (2):
crypto: shash - Fix has_key setting
crypto: algif_skcipher - Do not set MAY_BACKLOG on the async path

Herton R. Krzesinski (2):
pty: fix possible use after free of tty->driver_data
pty: make sure super_block is still valid in final /dev/tty close

Ido Schimmel (1):
switchdev: Require RTNL mutex to be held when sending FDB notifications

Ilya Dryomov (2):
libceph: don't bail early from try_read() when skipping a message
libceph: use the right footer size when skipping a message

Insu Yun (2):
drm: fix missing reference counting decrease
ext4: fix potential integer overflow

Ivaylo Dimitrov (1):
ARM: OMAP2+: Fix onenand initialization to avoid filesystem corruption

James Bottomley (2):
klist: fix starting point removed bug in klist iterators
scsi: fix soft lockup in scsi_remove_target() on module removal

James Hogan (1):
MIPS: Fix buffer overflow in syscall_get_arguments()

Jan Kara (2):
ext4: fix bh->b_state corruption
ext4: fix crashes in dioread_nolock mode

Jani Nikula (3):
drm/i915/dp: fall back to 18 bpp when sink capability is unknown
drm/i915/dsi: defend gpio table against out of bounds access
drm/i915/dsi: don't pass arbitrary data to sideband

Jay Vosburgh (2):
bonding: Fix ARP monitor validation
bonding: don't use stale speed and duplex information

Jeremy McNicoll (1):
tty: Add support for PCIe WCH382 2S multi-IO card

Johannes Berg (1):
rfkill: fix rfkill_fop_read wait_event usage

John Youn (1):
usb: dwc3: Fix assignment of EP transfer resources

Jonathan Cameron (1):
iio:adc:ti_am335x_adc Fix buffered mode by identifying as software buffer.

Juergen Gross (1):
xen/scsiback: correct frontend counting

Jurgen Kramer (2):
ALSA: usb-audio: Fix OPPO HA-1 vendor ID
ALSA: usb-audio: Add native DSD support for PS Audio NuWave DAC

Kai-Heng Feng (1):
ALSA: hda - Fixing background noise on Dell Inspiron 3162

Kailang Yang (1):
ALSA: hda/realtek - Support Dell headset mode for ALC225

Kamal Mostafa (1):
[stable-only] Revert "powerpc: Simplify module TOC handling"

Ken Lin (1):
USB: cp210x: add IDs for GE B650V3 and B850V3 boards

Ken Wang (2):
drm/amdgpu: iceland use CI based MC IP
drm/amdgpu: The VI specific EXE bit should only apply to GMC v8.0 above

Ken-ichirou MATSUZAWA (1):
netlink: not trim skb for mmaped socket when dump

Kirill A. Shutemov (3):
drivers/scsi/sg.c: mark VMA as VM_IO to prevent migration
mm: fix regression in remap_file_pages() emulation
ipc/shm: handle removed segments gracefully in shm_mmap()

Konrad Rzeszutek Wilk (3):
xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY
xen/pciback: Save the number of MSI-X entries to be copied later.
xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.

Konstantin Khlebnikov (2):
mm: replace vma_lock_anon_vma with anon_vma_lock_read/write
radix-tree: fix oops after radix_tree_iter_retry

Larry Finger (1):
rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly encoded

Lev Lybin (1):
ALSA: usb-audio: Add quirk for Microsoft LifeCam HD-6000

Linus Torvalds (1):
vmstat: explicitly schedule per-cpu work on the CPU we need it to run on

Linus Walleij (3):
ARM: nomadik: fix up SD/MMC DT settings
ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()
ARM: 8519/1: ICST: try other dividends than 1

Lisa Du (1):
drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE

Lu Baolu (4):
usb: xhci: handle both SSIC ports in PME stuck quirk
usb: xhci: add a quirk bit for ssic port unused
usb: xhci: set SSIC port unused only if xhci_suspend succeeds
usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms

Luca Coelho (1):
iwlwifi: mvm: don't allow sched scans without matches to be started

Luis R. Rodriguez (1):
modules: fix modparam async_probe request

Lyude (1):
drm/i915/skl: Don't skip mst encoders in skl_ddi_pll_select()

Manfred Rudigier (1):
net: dp83640: Fix tx timestamp overflow handling.

Marcelo Ricardo Leitner (1):
sctp: allow setting SCTP_SACK_IMMEDIATELY by the application

Mario Kleiner (1):
drm: Fix treatment of drm_vblank_offdelay in drm_vblank_on() (v2)

Mark Fasheh (1):
btrfs: fix clone / extent-same deadlocks

Mark Rutland (1):
KVM: arm/arm64: vgic: Ensure bitmaps are long enough

Mark Tomlinson (1):
l2tp: Fix error creating L2TP tunnels

Markus Elfring (1):
iio-light: Use a signed return type for ltr501_match_samp_freq()

Martin Schwidefsky (1):
s390/compat: correct restore of high gprs on signal return

Mathias Krause (1):
crypto: user - lock crypto_alg_list on alg dump

Mathias Nyman (1):
xhci: Fix list corruption in urb dequeue at host removal

Matthew Wilcox (2):
radix-tree: fix race in gang lookup
drivers/hwspinlock: fix race between radix tree insertion and lookup

Mauro Carvalho Chehab (2):
[media] tda1004x: only update the frontend properties if locked
[media] saa7134-alsa: Only frees registered sound cards

Mika Westerberg (1):
SCSI: Add Marvell Console to VPD blacklist

Mike Christie (1):
target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors

Mike Krinkin (1):
KVM: x86: MMU: fix ubsan index-out-of-range warning

Mike Snitzer (1):
dm: fix dm_rq_target_io leak on faults with .request_fn DM w/ blk-mq paths

Mikulas Patocka (1):
hpfs: don't truncate the file when delete fails

Mohamed Jamsheeth Hajanajubudeen (1):
ARM: dts: at91: sama5d4: fix instance id of DBGU

Mykola Lysenko (1):
drm/dp/mst: deallocate payload on port destruction

Neil Horman (1):
sctp: Fix port hash table size computation

Nicholas Bellinger (5):
target: Fix LUN_RESET active I/O handling for ACK_KREF
target: Fix LUN_RESET active TMR descriptor handling
target: Fix TAS handling for multi-session se_node_acls
target: Fix remote-port TMR ABORT + se_cmd fabric stop
target: Fix race with SCF_SEND_DELAYED_TAS handling

Nicolai Hähnle (2):
drm/amdgpu: remove unnecessary forward declaration
drm/radeon: hold reference to fences in radeon_sa_bo_new

Nicolas Ferre (1):
ARM: dts: at91: sama5d4 xplained: fix phy0 IRQ type

Nishanth Menon (1):
hwmon: (gpio-fan) Remove un-necessary speed_index lookup for thermal hook

Oded Gabbay (2):
drm/radeon: mask out WC from BO on unsupported arches
drm/amdgpu: mask out WC from BO on unsupported arches

Oliver Neukum (1):
[media] usbvision fix overflow of interfaces array

Paolo Abeni (2):
ipv6: enforce flowi6_oif usage in ip6_dst_lookup_tail()
ipv6/udp: use sticky pktinfo egress ifindex on connect()

Paolo Bonzini (1):
KVM: x86: fix missed hardware breakpoints

Parthasarathy Bhuvaragan (1):
tipc: fix connection abort during subscription cancel

Peter Hurley (1):
serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)

Peter Rosin (1):
hwmon: (ads1015) Handle negative conversion values correctly

Phil Turnbull (1):
netfilter: nfnetlink: correctly validate length of batch messages

Quinn Tran (1):
qla2xxx: Fix stale pointer access.

Rainer Weikusat (2):
af_unix: Guard against other == sk in unix_dgram_sendmsg
af_unix: Don't set err in unix_stream_read_generic unless there was an error

Rasmus Villemoes (4):
drm/i915: fix error path in intel_setup_gmbus()
drm/amdgpu: use post-decrement in error handling
drm/radeon: use post-decrement in error handling
[media] exynos4-is: fix a format string bug

Rusty Russell (1):
module: wrapper for symbol name.

Ryan Ware (1):
EVM: Use crypto_memneq() for digest comparisons

Sachin Kulkarni (1):
mac80211: Requeue work after scan complete for all VIF types.

Sebastian Andrzej Siewior (1):
PCI/AER: Flush workqueue on device remove to avoid use-after-free

Shawn Lin (1):
phy: core: fix wrong err handle for phy_power_on

Simon Guinot (1):
kernel/resource.c: fix muxed resource handling in __request_region()

Siva Reddy Kallam (1):
tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs

Stefan Haberland (2):
s390/dasd: prevent incorrect length error under z/VM after PAV changes
s390/dasd: fix refcount for PAV reassignment

Stefan Hajnoczi (1):
sunrpc/cache: fix off-by-one in qword_get()

Steven Rostedt (Red Hat) (2):
tracepoints: Do not trace when cpu is offline
tracing: Fix showing function event in available_events

Tahsin Erdogan (1):
writeback: initialize inode members that track writeback history

Takashi Iwai (24):
ALSA: seq: Fix race at closing in virmidi driver
ALSA: rawmidi: Remove kernel WARNING for NULL user-space buffer check
ALSA: pcm: Fix potential deadlock in OSS emulation
ALSA: seq: Fix yet another races among ALSA timer accesses
ALSA: timer: Code cleanup
ALSA: timer: Fix link corruption due to double start or stop
ALSA: hda - Add fixup for Mac Mini 7,1 model
ALSA: rawmidi: Make snd_rawmidi_transmit() race-free
ALSA: rawmidi: Fix race at copying & updating the position
ALSA: seq: Fix lockdep warnings due to double mutex locks
ALSA: timer: Fix leftover link at closing
Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo"
ALSA: hda - Fix speaker output from VAIO AiO machines
ALSA: dummy: Implement timer backend switching more safely
ALSA: timer: Fix wrong instance passed to slave callbacks
ALSA: timer: Fix race between stop and interrupt
ALSA: hda - Fix bad dereference of jack object
ALSA: timer: Fix race at concurrent reads
ALSA: seq: Fix leak of pool buffer at concurrent writes
ALSA: hda - Cancel probe work instead of flush at remove
ALSA: seq: Fix double port list deletion
ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream
ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2
ALSA: hda - Loop interrupt handling until really cleared

Tejun Heo (5):
Revert "workqueue: make sure delayed work run in local cpu"
cgroup: make sure a parent css isn't offlined before its children
libata: disable forced PORTS_IMPL for >= AHCI 1.3
libata: fix sff host state machine locking while polling
workqueue: handle NUMA_NO_NODE for unbound pool_workqueue lookup

Tetsuo Handa (1):
mm, vmstat: fix wrong WQ sleep when memory reclaim doesn't make any progress

Thomas Hellstrom (1):
drm/vmwgfx: Fix an fb unlocking bug

Tony Lindgren (7):
ARM: OMAP2+: Fix wait_dll_lock_timed for rodata
ARM: OMAP2+: Fix l2dis_3630 for rodata
ARM: OMAP2+: Fix save_secure_ram_context for rodata
ARM: OMAP2+: Fix l2_inv_api_params for rodata
ARM: OMAP2+: Fix ppa_zero_params and ppa_por_params for rodata
phy: twl4030-usb: Relase usb phy on unload
phy: twl4030-usb: Fix unbalanced pm_runtime_enable on module reload

Toshi Kani (3):
x86/uaccess/64: Make the __copy_user_nocache() assembly code more readable
x86/uaccess/64: Handle the caching of 4-byte nocache copies properly in __copy_user_nocache()
x86/mm: Fix vmalloc_fault() to handle large pages properly

Ursula Braun (2):
qeth: initialize net_device with carrier off
af_iucv: Validate socket address length in iucv_sock_bind()

Vegard Nossum (2):
iio: add IIO_TRIGGER dependency to STK8BA50
iio: add HAS_IOMEM dependency to VF610_ADC

Vineet Gupta (2):
ARCv2: STAR 9000950267: Handle return from intr to Delay Slot #2
ARCv2: SMP: Emulate IPI to self using software triggered interrupt

Vinod Koul (1):
ASoC: dpcm: fix the BE state on hw_free

Vladis Dronov (1):
[media] usbvision: fix crash on detecting device with invalid configuration

Wang, Rui Y (1):
crypto: algif_hash - wait for crypto_ahash_init() to complete

Wenyou Yang (1):
ARM: dts: at91: sama5d4ek: add phy address and IRQ for macb0

Xin Long (2):
sctp: translate network order to host order when users get a hmacid
route: check and remove route cache when we get route

Yevgeny Pats (1):
KEYS: Fix keyring ref leak in join_session_keyring()

Yong Li (1):
iio: dac: mcp4725: set iio name property in sysfs

suba...@codeaurora.org (1):
ipv6: addrconf: Fix recursive spin lock call

xuejiufei (1):
ocfs2/dlm: clear refmap bit of recovery lock while doing local recovery cleanup

zengtao (1):
cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()

Kamal Mostafa

Mar 7, 2016, 6:00:15 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Matthew Wilcox <wi...@linux.intel.com>

commit c6400ba7e13a41539342f1b6e1f9e78419cb0148 upstream.

of_hwspin_lock_get_id() is protected by the RCU lock, which means that
insertions can occur simultaneously with the lookup. If the radix tree
transitions from a height of 0, we can see a slot with the indirect_ptr
bit set, which will cause us to at least read random memory, and could
cause other havoc.

Fix this by using the newly introduced radix_tree_iter_retry().

Signed-off-by: Matthew Wilcox <wi...@linux.intel.com>
Cc: Hugh Dickins <hu...@google.com>
Cc: Ohad Ben-Cohen <oh...@wizery.com>
Cc: Konstantin Khlebnikov <khleb...@openvz.org>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/hwspinlock/hwspinlock_core.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/hwspinlock/hwspinlock_core.c b/drivers/hwspinlock/hwspinlock_core.c
index 52f708b..d50c701 100644
--- a/drivers/hwspinlock/hwspinlock_core.c
+++ b/drivers/hwspinlock/hwspinlock_core.c
@@ -313,6 +313,10 @@ int of_hwspin_lock_get_id(struct device_node *np, int index)
hwlock = radix_tree_deref_slot(slot);
if (unlikely(!hwlock))
continue;
+ if (radix_tree_is_indirect_ptr(hwlock)) {
+ slot = radix_tree_iter_retry(&iter);
+ continue;
+ }

if (hwlock->bank->dev->of_node == args.np) {
ret = 0;
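Review bot: the added `radix_tree_is_indirect_ptr(hwlock)` branch calls `radix_tree_iter_retry()`, which the commit message describes as newly introduced, so in this stable queue it only builds if the patch that adds that helper is applied before this one. The series shortlog lists "radix-tree: fix race in gang lookup" and the diffstat touches include/linux/radix-tree.h, so the ordering is worth confirming. A short comment on the branch saying that a concurrent insertion under RCU can leave an indirect pointer in the slot would also keep the reason for the retry next to the code.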
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:01:38 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Simon Guinot <simon....@sequanux.org>

commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream.

In __request_region, if a conflict with a BUSY and MUXED resource is
detected, then the caller goes to sleep and waits for the resource to be
released. A pointer on the conflicting resource is kept. At wake-up
this pointer is used as a parent to retry to request the region.

A first problem is that this pointer might well be invalid (if for
example the conflicting resource has already been freed). Another
problem is that the next call to __request_region() fails to detect a
remaining conflict. The previously conflicting resource is passed as a
parameter and __request_region() will look for a conflict among the
children of this resource and not at the resource itself. It is likely
to succeed anyway, even if there is still a conflict.

Instead, the parent of the conflicting resource should be passed to
__request_region().

As a fix, this patch doesn't update the parent resource pointer in the
case we have to wait for a muxed region right after.

Reported-and-tested-by: Vincent Pelletier <plr.v...@gmail.com>
Signed-off-by: Simon Guinot <simon....@sequanux.org>
Tested-by: Vincent Donnefort <vdonn...@gmail.com>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
kernel/resource.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/resource.c b/kernel/resource.c
index fed052a..b8c8480 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -1072,9 +1072,10 @@ struct resource * __request_region(struct resource *parent,
if (!conflict)
break;
if (conflict != parent) {
- parent = conflict;
- if (!(conflict->flags & IORESOURCE_BUSY))
+ if (!(conflict->flags & IORESOURCE_BUSY)) {
+ parent = conflict;
continue;
+ }
}
if (conflict->flags & flags & IORESOURCE_MUXED) {
add_wait_queue(&muxed_resource_wait, &wait);
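Review bot: in the `if (conflict != parent)` block, the reason `parent` is now left untouched for a BUSY conflict lives only in the commit message: the code goes on to sleep on `muxed_resource_wait` and retries with `parent`, so `parent` must not point at a resource that can be freed during the sleep. A comment above `parent = conflict;` stating that invariant would stop a later cleanup from hoisting the assignment back out of the inner `if`.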
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:01:48 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Tejun Heo <t...@kernel.org>

commit 566d1827df2ef0cbe921d3d6946ac3007b1a6938 upstream.

Some early controllers incorrectly reported zero ports in PORTS_IMPL
register and the ahci driver fabricates PORTS_IMPL from the number of
ports in those cases. This hasn't mattered but with the new nvme
controllers there are cases where zero PORTS_IMPL is valid and should
be honored.

Disable the workaround for >= AHCI 1.3.

Signed-off-by: Tejun Heo <t...@kernel.org>
Reported-by: Andy Lutomirski <lu...@amacapital.net>
Link: http://lkml.kernel.org/g/CALCETrU7yMvXEDhjAUShoHEh...@mail.gmail.com
Cc: Sergei Shtylyov <sergei....@cogentembedded.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/ata/libahci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
index 98c482a..317f85d 100644
--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -495,8 +495,8 @@ void ahci_save_initial_config(struct device *dev, struct ahci_host_priv *hpriv)
}
}

- /* fabricate port_map from cap.nr_ports */
- if (!port_map) {
+ /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */
+ if (!port_map && vers < 0x10300) {
port_map = (1 << ahci_nr_ports(cap)) - 1;
dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map);

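Review bot: `vers < 0x10300` puts the AHCI 1.3 cutoff into the condition as a bare literal. A named constant, or at least a comment on how `vers` is encoded, would make the cutoff searchable. Since a zero port_map is now accepted silently for newer controllers, a dev_dbg() on that path would also help when diagnosing a controller that reports no ports.
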
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:02:01 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Xin Long <lucie...@gmail.com>

[ Upstream commit 7a84bd46647ff181eb2659fdc99590e6f16e501d ]

Commit ed5a377d87dc ("sctp: translate host order to network order when
setting a hmacid") corrected the hmacid byte-order when setting a hmacid,
but the same issue also exists on getting a hmacid.

We fix it by changing hmacids to host order when users get them with
getsockopt.

Fixes: Commit ed5a377d87dc ("sctp: translate host order to network order when setting a hmacid")
Signed-off-by: Xin Long <lucie...@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/sctp/socket.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index fb5c86b..f66b17b 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5543,6 +5543,7 @@ static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
struct sctp_hmac_algo_param *hmacs;
__u16 data_len = 0;
u32 num_idents;
+ int i;

if (!ep->auth_enable)
return -EACCES;
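
Review bot: `int i;` is compared against `u32 num_idents` in the loop added in the next hunk (`i < num_idents`), which is a signed/unsigned comparison. Declaring the index as `u32 i;` matches the type of the bound.
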
@@ -5560,8 +5561,12 @@ static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
return -EFAULT;
if (put_user(num_idents, &p->shmac_num_idents))
return -EFAULT;
- if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len))
- return -EFAULT;
+ for (i = 0; i < num_idents; i++) {
+ __u16 hmacid = ntohs(hmacs->hmac_ids[i]);
+
+ if (copy_to_user(&p->shmac_idents[i], &hmacid, sizeof(__u16)))
+ return -EFAULT;
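
Review bot: the loop replaces one bulk copy_to_user() with one call per 16-bit identifier. `put_user(hmacid, &p->shmac_idents[i])`, the idiom already used for `shmac_num_idents` just above, is the lighter primitive for a single __u16. Alternatively, convert into a temporary array and keep a single copy_to_user() of data_len bytes.
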

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Heiko Carstens <heiko.c...@de.ibm.com>

commit 1f8cbb9c8365061d8b866e9b4f4403e029d57989 upstream.

git commit dc7ee00d4771 ("s390: lowcore stack pointer offsets")
introduced a regression in regard to perf_callchain_kernel(). The
stack pointer for the asynchronous stack in the lowcore now has an
additional offset applied. This offset needs to be taken into account
in the calculation for the low and high address for the stack.

This bug was already partially fixed with 9cc5c206d9b4
("s390/dumpstack: fix address ranges for asynchronous and panic
stack"). This patch fixes it also for the perf_event code.

Fixes: dc7ee00d4771 ("s390: lowcore stack pointer offsets")
Signed-off-by: Heiko Carstens <heiko.c...@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/s390/kernel/perf_event.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/s390/kernel/perf_event.c b/arch/s390/kernel/perf_event.c
index 61595c1..f4307f6 100644
--- a/arch/s390/kernel/perf_event.c
+++ b/arch/s390/kernel/perf_event.c
@@ -262,12 +262,13 @@ static unsigned long __store_trace(struct perf_callchain_entry *entry,
void perf_callchain_kernel(struct perf_callchain_entry *entry,
struct pt_regs *regs)
{
- unsigned long head;
+ unsigned long head, frame_size;
struct stack_frame *head_sf;

if (user_mode(regs))
return;

+ frame_size = STACK_FRAME_OVERHEAD + sizeof(struct pt_regs);
head = regs->gprs[15];
head_sf = (struct stack_frame *) head;

@@ -275,8 +276,9 @@ void perf_callchain_kernel(struct perf_callchain_entry *entry,
return;

head = head_sf->back_chain;
- head = __store_trace(entry, head, S390_lowcore.async_stack - ASYNC_SIZE,
- S390_lowcore.async_stack);
+ head = __store_trace(entry, head,
+ S390_lowcore.async_stack + frame_size - ASYNC_SIZE,
+ S390_lowcore.async_stack + frame_size);

__store_trace(entry, head, S390_lowcore.thread_info,
S390_lowcore.thread_info + THREAD_SIZE);
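
Review bot: `S390_lowcore.async_stack + frame_size` is spelled out twice in the __store_trace() call, and the commit message notes that the same adjustment was already needed in the dumpstack code. Computing the adjusted top once into a local, or a shared helper for the async stack bounds, would keep the callers from drifting apart the next time the lowcore offset changes.
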
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Daniel Jurgens <dan...@mellanox.com>

commit 22e3817e6c8301dc0520b855c8a2d764580e719c upstream.

The PCI channel could go offline during reset due to EEH. Don't bug on in
this case, the error is recoverable.

Fixes: f6bc11e42646 ('net/mlx4_core: Enhance the catas flow to support device reset')
Signed-off-by: Daniel Jurgens <dan...@mellanox.com>
Reviewed-by: Yishai Hadas <yis...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ethernet/mellanox/mlx4/catas.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/catas.c b/drivers/net/ethernet/mellanox/mlx4/catas.c
index 715de8a..c7e9399 100644
--- a/drivers/net/ethernet/mellanox/mlx4/catas.c
+++ b/drivers/net/ethernet/mellanox/mlx4/catas.c
@@ -182,10 +182,17 @@ void mlx4_enter_error_state(struct mlx4_dev_persistent *persist)
err = mlx4_reset_slave(dev);
else
err = mlx4_reset_master(dev);
- BUG_ON(err != 0);

+ if (!err) {
+ mlx4_err(dev, "device was reset successfully\n");
+ } else {
+ /* EEH could have disabled the PCI channel during reset. That's
+ * recoverable and the PCI error flow will handle it.
+ */
+ if (!pci_channel_offline(dev->persist->pdev))
+ BUG_ON(1);
+ }
dev->persist->state |= MLX4_DEVICE_STATE_INTERNAL_ERROR;
- mlx4_err(dev, "device was reset successfully\n");
mutex_unlock(&persist->device_state_mutex);

/* At that step HW was already reset, now notify clients */
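
Review bot: in the new else branch, `if (!pci_channel_offline(dev->persist->pdev)) BUG_ON(1);` wraps a conditional around an unconditional BUG_ON; `BUG_ON(!pci_channel_offline(dev->persist->pdev));` says the same in one line, and could use the `persist` argument directly, assuming `dev->persist` is that same object. Two smaller points: the success message is still logged through mlx4_err(), and the recoverable offline case sets MLX4_DEVICE_STATE_INTERNAL_ERROR without logging anything, so a reset that failed because of EEH leaves no trace in the log.
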
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eugenia Emantayev <eug...@mellanox.com>

[ Upstream commit 31c128b66e5b28f468076e4f3ca3025c35342041 ]

Previously, the shift value used for time-stamping was constant and didn't
depend on the HW chip frequency. Change that to take the frequency into account
and calculate the maximal value in cycles per wraparound of ten seconds. This
time slot was chosen since it gives a good accuracy in time synchronization.

Algorithm for shift value calculation:
* Round up the maximal value in cycles to nearest power of two

* Calculate maximal multiplier by division of all 64 bits set
to above result

* Then, invert the function clocksource_khz2mult() to get the shift from
maximal mult value

Fixes: ec693d47010e ('net/mlx4_en: Add HW timestamping (TS) support')
Signed-off-by: Eugenia Emantayev <eug...@mellanox.com>
Reviewed-by: Matan Barak <mat...@mellanox.com>
Signed-off-by: Or Gerlitz <oger...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ethernet/mellanox/mlx4/en_clock.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
index 038f9ce..1494997 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
@@ -236,6 +236,24 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = {
.enable = mlx4_en_phc_enable,
};

+#define MLX4_EN_WRAP_AROUND_SEC 10ULL
+
+/* This function calculates the max shift that enables the user range
+ * of MLX4_EN_WRAP_AROUND_SEC values in the cycles register.
+ */
+static u32 freq_to_shift(u16 freq)
+{
+ u32 freq_khz = freq * 1000;
+ u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
+ u64 max_val_cycles_rounded = is_power_of_2(max_val_cycles + 1) ?
+ max_val_cycles : roundup_pow_of_two(max_val_cycles) - 1;
+ /* calculate max possible multiplier in order to fit in 64bit */
+ u64 max_mul = div_u64(0xffffffffffffffffULL, max_val_cycles_rounded);
+
+ /* This comes from the reverse of clocksource_khz2mult */
+ return ilog2(div_u64(max_mul * freq_khz, 1000000));
+}
+
void mlx4_en_init_timestamp(struct mlx4_en_dev *mdev)
{
struct mlx4_dev *dev = mdev->dev;
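
Review bot: in freq_to_shift(), `freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC` multiplies the u32 `freq_khz` by 1000 in 32-bit arithmetic before the 10ULL widens the expression, so the intermediate wraps once `freq` exceeds 4294 MHz. Writing it as `MLX4_EN_WRAP_AROUND_SEC * 1000 * freq_khz` keeps the whole product in 64 bits. The function also has no guard for `freq == 0`, where `max_val_cycles_rounded` becomes 0 and is then used as a divisor.
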
@@ -254,12 +272,7 @@ void mlx4_en_init_timestamp(struct mlx4_en_dev *mdev)
memset(&mdev->cycles, 0, sizeof(mdev->cycles));
mdev->cycles.read = mlx4_en_read_clock;
mdev->cycles.mask = CLOCKSOURCE_MASK(48);
- /* Using shift to make calculation more accurate. Since current HW
- * clock frequency is 427 MHz, and cycles are given using a 48 bits
- * register, the biggest shift when calculating using u64, is 14
- * (max_cycles * multiplier < 2^64)
- */
- mdev->cycles.shift = 14;
+ mdev->cycles.shift = freq_to_shift(dev->caps.hca_core_clock);
mdev->cycles.mult =
clocksource_khz2mult(1000 * dev->caps.hca_core_clock, mdev->cycles.shift);
mdev->nominal_c_mult = mdev->cycles.mult;
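
Review bot: the deleted comment was the only place that tied the shift to the 48-bit cycles register and the `max_cycles * multiplier < 2^64` bound, while `CLOCKSOURCE_MASK(48)` stays right above the new call. A short comment at the `freq_to_shift()` call site saying that the shift is now derived from the core clock for a 10 second wraparound would preserve that context for readers of mlx4_en_init_timestamp().
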
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eugenia Emantayev <eug...@mellanox.com>

[ Upstream commit 925ab1aa9394bbaeac47ee5b65d3fdf0fb8135cf ]

It's forbidden to manually change dev->features in run-time. Currently, this is
done in the driver to make sure that GSO_UDP_TUNNEL is advertized only when
VXLAN tunnel is set. However, since the stack actually does features intersection
with hw_enc_features, we can safely revert to advertizing features early when
registering the netdevice.

Fixes: f4a1edd56120 ('net/mlx4_en: Advertize encapsulation offloads [...]')
Signed-off-by: Eugenia Emantayev <eug...@mellanox.com>
Signed-off-by: Or Gerlitz <oger...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
index 8544af0..caac278 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2342,8 +2342,6 @@ out:
/* set offloads */
priv->dev->hw_enc_features |= NETIF_F_IP_CSUM | NETIF_F_RXCSUM |
NETIF_F_TSO | NETIF_F_GSO_UDP_TUNNEL;
- priv->dev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
- priv->dev->features |= NETIF_F_GSO_UDP_TUNNEL;
}

static void mlx4_en_del_vxlan_offloads(struct work_struct *work)
@@ -2354,8 +2352,6 @@ static void mlx4_en_del_vxlan_offloads(struct work_struct *work)
/* unset offloads */
priv->dev->hw_enc_features &= ~(NETIF_F_IP_CSUM | NETIF_F_RXCSUM |
NETIF_F_TSO | NETIF_F_GSO_UDP_TUNNEL);
- priv->dev->hw_features &= ~NETIF_F_GSO_UDP_TUNNEL;
- priv->dev->features &= ~NETIF_F_GSO_UDP_TUNNEL;

ret = mlx4_SET_PORT_VXLAN(priv->mdev->dev, priv->port,
VXLAN_STEER_BY_OUTER_MAC, 0);
@@ -2959,6 +2955,11 @@ int mlx4_en_init_netdev(struct mlx4_en_dev *mdev, int port,
priv->rss_hash_fn = ETH_RSS_HASH_TOP;
}

+ if (mdev->dev->caps.tunnel_offload_mode == MLX4_TUNNEL_OFFLOAD_MODE_VXLAN) {
+ dev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
+ dev->features |= NETIF_F_GSO_UDP_TUNNEL;
+ }
+
mdev->pndev[port] = dev;
mdev->upper[port] = NULL;

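Review bot: the block added to mlx4_en_init_netdev() advertises NETIF_F_GSO_UDP_TUNNEL for every device in VXLAN tunnel offload mode, while `hw_enc_features` is still set and cleared at run time in the offload work functions touched above. The reasoning that makes this safe (the stack intersects features with hw_enc_features) lives only in the commit message; a comment next to the new `if` would stop someone from reintroducing the run-time toggling.
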
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Heinrich Schuchardt <xypro...@gmx.de>

commit 9d021c9d1b4b774a35d8a03d58dbf029544debda upstream.

Downstream packages like Debian flash-kernel use
/proc/device-tree/model
to determine which dtb file to install.

Hence each dts in the Linux kernel should provide a unique model
identifier.

Commit 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS
devices") created the new files kirkwood-ds111.dts and kirkwood-ds112.dts
using the same model identifier.

This patch provides a unique model identifier for the
Synology DiskStation DS112.

Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices")
Signed-off-by: Heinrich Schuchardt <xypro...@gmx.de>
Reviewed-by: Andrew Lunn <and...@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory...@free-electrons.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/arm/boot/dts/kirkwood-ds112.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/kirkwood-ds112.dts b/arch/arm/boot/dts/kirkwood-ds112.dts
index bf4143c..b84af3d 100644
--- a/arch/arm/boot/dts/kirkwood-ds112.dts
+++ b/arch/arm/boot/dts/kirkwood-ds112.dts
@@ -14,7 +14,7 @@
#include "kirkwood-synology.dtsi"

/ {
- model = "Synology DS111";
+ model = "Synology DS112";
compatible = "synology,ds111", "marvell,kirkwood";

memory {
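
Review bot: the context line directly below the change still reads `compatible = "synology,ds111", "marvell,kirkwood";`, so the DS112 file keeps the DS111 compatible string after the model is corrected. If that is intentional, the commit message should say so; otherwise the compatible entry should be updated in the same patch.
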
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Carol L Soto <cls...@linux.vnet.ibm.com>

commit bb6a777369449d15a4a890306d2f925cae720e1c upstream.

We are seeing this warning: at net/core/skbuff.c:4174
and before commit a44878d10063 ("IB/ipoib: Use one linear skb in RX flow")
skb truesize was not being set when ipoib was using just one skb.
Removing this line avoids the warning when running tcp tests like iperf.

Fixes: a44878d10063 ("IB/ipoib: Use one linear skb in RX flow")
Signed-off-by: Carol L Soto <cls...@linux.vnet.ibm.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ib.c b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
index d266667..b5a851f 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -245,8 +245,6 @@ static void ipoib_ib_handle_rx_wc(struct net_device *dev, struct ib_wc *wc)
skb_reset_mac_header(skb);
skb_pull(skb, IPOIB_ENCAP_LEN);

- skb->truesize = SKB_TRUESIZE(skb->len);
-
++dev->stats.rx_packets;
dev->stats.rx_bytes += skb->len;

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mark Tomlinson <mark.to...@alliedtelesis.co.nz>

[ Upstream commit 853effc55b0f975abd6d318cca486a9c1b67e10f ]

A previous commit (33f72e6) added notification via netlink for tunnels
when created/modified/deleted. If the notification returned an error,
this error was returned from the tunnel function. If there were no
listeners, the error code ESRCH was returned, even though having no
listeners is not an error. Other calls to this and other similar
notification functions either ignore the error code, or filter ESRCH.
This patch checks for ESRCH and does not flag this as an error.

Reviewed-by: Hamish Martin <hamish...@alliedtelesis.co.nz>
Signed-off-by: Mark Tomlinson <mark.to...@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/l2tp/l2tp_netlink.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 9e13c2f..fe92a08 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -124,8 +124,13 @@ static int l2tp_tunnel_notify(struct genl_family *family,
ret = l2tp_nl_tunnel_send(msg, info->snd_portid, info->snd_seq,
NLM_F_ACK, tunnel, cmd);

- if (ret >= 0)
- return genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
+ if (ret >= 0) {
+ ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
+ /* We don't care if no one is listening */
+ if (ret == -ESRCH)
+ ret = 0;
+ return ret;
+ }

nlmsg_free(msg);

@@ -147,8 +152,13 @@ static int l2tp_session_notify(struct genl_family *family,
ret = l2tp_nl_session_send(msg, info->snd_portid, info->snd_seq,
NLM_F_ACK, session, cmd);

- if (ret >= 0)
- return genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
+ if (ret >= 0) {
+ ret = genlmsg_multicast_allns(family, msg, 0, 0, GFP_ATOMIC);
+ /* We don't care if no one is listening */
+ if (ret == -ESRCH)
+ ret = 0;
+ return ret;
+ }

nlmsg_free(msg);

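Review bot: the same five-line ESRCH filter is pasted into both l2tp_tunnel_notify() and l2tp_session_notify(). A small static helper wrapping genlmsg_multicast_allns() that maps -ESRCH to 0 would keep the two paths identical and give the "no listeners is not an error" rule one place to live.
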
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Bjørn Mork <bj...@mork.no>

[ Upstream commit aac8d3c282e024c344c5b86dc1eab7af88bb9716 ]

Thomas reports:

T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=05c6 ProdID=6001 Rev=00.00
S: Manufacturer=USB Modem
S: Product=USB Modem
S: SerialNumber=1234567890ABCDEF
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Reported-by: Thomas Schäfer <tsch...@t-online.de>
Signed-off-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/usb/qmi_wwan.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 628e3fb..46c0b9f 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -546,6 +546,7 @@ static const struct usb_device_id products[] = {

/* 3. Combined interface devices matching on interface number */
{QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */
+ {QMI_FIXED_INTF(0x05c6, 0x6001, 3)}, /* 4G LTE usb-modem U901 */
{QMI_FIXED_INTF(0x05c6, 0x7000, 0)},
{QMI_FIXED_INTF(0x05c6, 0x7001, 1)},
{QMI_FIXED_INTF(0x05c6, 0x7002, 1)},
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Anton Protopopov <a.s.pro...@gmail.com>

[ Upstream commit a97eb33ff225f34a8124774b3373fd244f0e83ce ]

An error response from a RTM_GETNETCONF request can return the positive
error value EINVAL in the struct nlmsgerr that can mislead userspace.

Signed-off-by: Anton Protopopov <a.s.pro...@gmail.com>
Acked-by: Cong Wang <xiyou.w...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/ipv4/devinet.c | 2 +-
net/ipv6/addrconf.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 2d9cb17..0420012 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1845,7 +1845,7 @@ static int inet_netconf_get_devconf(struct sk_buff *in_skb,
if (err < 0)
goto errout;

- err = EINVAL;
+ err = -EINVAL;
if (!tb[NETCONFA_IFINDEX])
goto errout;

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index ff6e0dc..335f495 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -569,7 +569,7 @@ static int inet6_netconf_get_devconf(struct sk_buff *in_skb,
if (err < 0)
goto errout;

- err = EINVAL;
+ err = -EINVAL;
if (!tb[NETCONFA_IFINDEX])
goto errout;

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alexander Duyck <adu...@mirantis.com>

[ Upstream commit 78565208d73ca9b654fb9a6b142214d52eeedfd1 ]

This patch corrects the unaligned accesses seen on GRE TEB tunnels when
generating hash keys. Specifically what this patch does is make it so that
we force the use of skb_copy_bits when the GRE inner headers will be
unaligned due to NET_IP_ALIGNED being a non-zero value.

Signed-off-by: Alexander Duyck <adu...@mirantis.com>
Acked-by: Tom Herbert <t...@herbertland.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/core/flow_dissector.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index bb98f8b..7b25277 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -381,6 +381,13 @@ ip_proto_again:
return false;
proto = eth->h_proto;
nhoff += sizeof(*eth);
+
+ /* Cap headers that we access via pointers at the
+ * end of the Ethernet header as our maximum alignment
+ * at that point is only 2 bytes.
+ */
+ if (NET_IP_ALIGN)
+ hlen = nhoff;
}
goto again;
}
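
Review bot: the new comment explains the 2-byte alignment but not the mechanism. `hlen = nhoff` works by shrinking the region that may be read through direct pointers, which is what forces the later header reads onto the skb_copy_bits() path named in the commit message. Saying so in the comment would make the assignment less surprising, since on its face it looks like a length being overwritten with an offset.
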
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Dmitry V. Levin" <l...@altlinux.org>

[ Upstream commit b5f0549231ffb025337be5a625b0ff9f52b016f0 ]

The value passed by unix_diag_get_exact to unix_lookup_by_ino has type
__u32, but unix_lookup_by_ino's argument ino has type int, which is not
a problem yet.
However, when ino is compared with sock_i_ino return value of type
unsigned long, ino is sign extended to signed long, and this results
in an incorrect comparison on 64-bit architectures for inode numbers
greater than INT_MAX.

This bug was found by strace test suite.

Fixes: 5d3cae8bc39d ("unix_diag: Dumping exact socket core")
Signed-off-by: Dmitry V. Levin <l...@altlinux.org>
Acked-by: Cong Wang <xiyou.w...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/unix/diag.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/unix/diag.c b/net/unix/diag.c
index c512f64..4d96797 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -220,7 +220,7 @@ done:
return skb->len;
}

-static struct sock *unix_lookup_by_ino(int ino)
+static struct sock *unix_lookup_by_ino(unsigned int ino)
{
int i;
struct sock *sk;
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Rainer Weikusat <rwei...@mobileactivedefense.com>

commit 1b92ee3d03af6643df395300ba7748f19ecdb0c5 upstream.

The present unix_stream_read_generic contains various code sequences of
the form

err = -EDISASTER;
if (<test>)
goto out;

This has the unfortunate side effect of possibly causing the error code
to bleed through to the final

out:
return copied ? : err;

and then to be wrongly returned if no data was copied because the caller
didn't supply a data buffer, as demonstrated by the program available at

http://pad.lv/1540731

Change it such that err is only set if an error condition was detected.

Fixes: 3822b5c2fc62 ("af_unix: Revert 'lock_interruptible' in stream receive code")
Reported-by: Joseph Salisbury <joseph.s...@canonical.com>
Signed-off-by: Rainer Weikusat <rwei...@mobileactivedefense.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/unix/af_unix.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index b5f9049..18a0116 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2274,13 +2274,15 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
size_t size = state->size;
unsigned int last_len;

- err = -EINVAL;
- if (sk->sk_state != TCP_ESTABLISHED)
+ if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
+ err = -EINVAL;
goto out;
+ }

- err = -EOPNOTSUPP;
- if (flags & MSG_OOB)
+ if (unlikely(flags & MSG_OOB)) {
+ err = -EOPNOTSUPP;
goto out;
+ }

target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
timeo = sock_rcvtimeo(sk, noblock);
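
Review bot: with the unconditional `err = -EINVAL;` at the top removed, `err` is no longer assigned before the first possible exit, and its declaration is outside this hunk. Please confirm it carries an initializer, since the `return copied ? : err;` quoted in the commit message would otherwise read an indeterminate value on a path that reaches `out:` without an error and with nothing copied. The added unlikely() annotations are unrelated to the fix and would sit better in a separate patch.
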
@@ -2326,9 +2328,11 @@ again:
goto unlock;

unix_state_unlock(sk);
- err = -EAGAIN;
- if (!timeo)
+ if (!timeo) {
+ err = -EAGAIN;
break;
+ }
+
mutex_unlock(&u->readlock);

timeo = unix_stream_data_wait(sk, timeo, last,
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit c6dd213abe40132f83e6ee569d70f3d60aa8b257 upstream.

The PHY entries for BCM7425/29/35 declare the 40nm Ethernet PHY as being
10/100/1000 capable, while this is just a 10/100 capable PHY device, fix that.

Fixes: d068b02cfdfc2 ("net: phy: add BCM7425 and BCM7429 PHYs")
Fixes: 9458ceab4917 ("net: phy: bcm7xxx: Add entry for BCM7435")
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[ kamal: backport to 4.2-stable: no BCM7435 ]
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/phy/bcm7xxx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c
index 38b57f6..e1d154f 100644
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -408,7 +408,7 @@ static struct phy_driver bcm7xxx_driver[] = {
.phy_id = PHY_ID_BCM7425,
.phy_id_mask = 0xfffffff0,
.name = "Broadcom BCM7425",
- .features = PHY_GBIT_FEATURES |
+ .features = PHY_BASIC_FEATURES |
SUPPORTED_Pause | SUPPORTED_Asym_Pause,
.flags = PHY_IS_INTERNAL,
.config_init = bcm7xxx_config_init,
@@ -421,7 +421,7 @@ static struct phy_driver bcm7xxx_driver[] = {
.phy_id = PHY_ID_BCM7429,
.phy_id_mask = 0xfffffff0,
.name = "Broadcom BCM7429",
- .features = PHY_GBIT_FEATURES |
+ .features = PHY_BASIC_FEATURES |
SUPPORTED_Pause | SUPPORTED_Asym_Pause,
.flags = PHY_IS_INTERNAL,
.config_init = bcm7xxx_config_init,
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Guillaume Nault <g.n...@alphalink.fr>

[ Upstream commit 29e73269aa4d36f92b35610c25f8b01c789b0dc8 ]

Drop reference on the relay_po socket when __pppoe_xmit() succeeds.
This is already handled correctly in the error path.

Signed-off-by: Guillaume Nault <g.n...@alphalink.fr>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ppp/pppoe.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 0a37f84..4e0068e7 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -395,6 +395,8 @@ static int pppoe_rcv_core(struct sock *sk, struct sk_buff *skb)

if (!__pppoe_xmit(sk_pppox(relay_po), skb))
goto abort_put;
+
+ sock_put(sk_pppox(relay_po));
} else {
if (sock_queue_rcv_skb(sk, skb))
goto abort_kfree;
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Heiko Carstens <heiko.c...@de.ibm.com>

commit 232f5dd78586a684a7364a486b934e19384189dc upstream.

git commit dc7ee00d4771 ("s390: lowcore stack pointer offsets")
introduced a regression in regard to s390_backtrace(). The stack
pointer for the asynchronous stack in the lowcore now has an
additional offset applied. This offset needs to be taken into account
in the calculation for the low and high address for the stack.

This bug was already partially fixed with commit 9cc5c206d9b4
("s390/dumpstack: fix address ranges for asynchronous and panic
stack"). This patch fixes it also for the oprofile code.

Fixes: dc7ee00d4771 ("s390: lowcore stack pointer offsets")
Signed-off-by: Heiko Carstens <heiko.c...@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/s390/oprofile/backtrace.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/s390/oprofile/backtrace.c b/arch/s390/oprofile/backtrace.c
index 8a6811b..71164df 100644
--- a/arch/s390/oprofile/backtrace.c
+++ b/arch/s390/oprofile/backtrace.c
@@ -55,12 +55,13 @@ __show_trace(unsigned int *depth, unsigned long sp,

void s390_backtrace(struct pt_regs * const regs, unsigned int depth)
{
- unsigned long head;
+ unsigned long head, frame_size;
struct stack_frame* head_sf;

if (user_mode(regs))
return;

+ frame_size = STACK_FRAME_OVERHEAD + sizeof(struct pt_regs);
head = regs->gprs[15];
head_sf = (struct stack_frame*)head;

@@ -69,8 +70,9 @@ void s390_backtrace(struct pt_regs * const regs, unsigned int depth)

head = head_sf->back_chain;

- head = __show_trace(&depth, head, S390_lowcore.async_stack - ASYNC_SIZE,
- S390_lowcore.async_stack);
+ head = __show_trace(&depth, head,
+ S390_lowcore.async_stack + frame_size - ASYNC_SIZE,
+ S390_lowcore.async_stack + frame_size);

__show_trace(&depth, head, S390_lowcore.thread_info,

Kamal Mostafa

Mar 7, 2016, 6:10:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jay Vosburgh <jay.vo...@canonical.com>

commit 266b495f11d6706018f66250cb02a788ff2490d7 upstream.

There is presently a race condition between the bonding periodic
link monitor and the updating of a slave's speed and duplex. The former
occurs on a periodic basis, and the latter in response to a driver's
calling of netif_carrier_on.

It is possible for the periodic monitor to run between the
driver call of netif_carrier_on and the receipt of the NETDEV_CHANGE
event that causes bonding to update the slave's speed and duplex. This
manifests most notably as a report that a slave is up and "0 Mbps full
duplex" after enslavement, but in principle could report an incorrect
speed and duplex after any link up event if the device comes up with a
different speed or duplex. This affects the 802.3ad aggregator
selection, as the speed and duplex are selection criteria.

This is fixed by updating the speed and duplex in the periodic
monitor, prior to using that information.

This was done historically in bonding, but the call to
bond_update_speed_duplex was removed in commit 876254ae2758 ("bonding:
don't call update_speed_duplex() under spinlocks"), as it might sleep
under lock. Later, the locking was changed to only hold RTNL, and so
after commit 876254ae2758 ("bonding: don't call update_speed_duplex()
under spinlocks") this call is again safe.

Tested-by: "Tantilov, Emil S" <emil.s....@intel.com>
Cc: Veaceslav Falico <vfa...@gmail.com>
Cc: dingtianhong <dingti...@huawei.com>
Fixes: 876254ae2758 ("bonding: don't call update_speed_duplex() under spinlocks")
Signed-off-by: Jay Vosburgh <jay.vo...@canonical.com>
Acked-by: Ding Tianhong <dingti...@huawei.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/bonding/bond_main.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index ba0e359..197ee34 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2092,6 +2092,7 @@ static void bond_miimon_commit(struct bonding *bond)
continue;

case BOND_LINK_UP:
+ bond_update_speed_duplex(slave);
bond_set_slave_link_state(slave, BOND_LINK_UP);
slave->last_link_up = jiffies;
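
Review bot: the added bond_update_speed_duplex(slave) call in the BOND_LINK_UP case carries no comment, although the commit message says the call was removed once before because it might sleep under a lock and is safe again only because this path now holds just RTNL. A one-line comment above the call stating that dependency would keep a later locking change from reintroducing the problem. The commit message also cites 876254ae2758 both as the commit that removed the call and as the point after which it is safe again; the second reference presumably should name the commit that changed the locking.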

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Phil Turnbull <phil.t...@oracle.com>

commit c58d6c93680f28ac58984af61d0a7ebf4319c241 upstream.

If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.

The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.

If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:

[ 41.455421] ==================================================================
[ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
[ 41.456431] Read of size 4294967280 by task a.out/987
[ 41.456431] =============================================================================
[ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 41.456431] -----------------------------------------------------------------------------
...
[ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
[ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
[ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 .......@EV."3...
[ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
^^ start of batch nlmsg with
nlmsg_len=4294967280
...
[ 41.456431] Memory state around the buggy address:
[ 41.456431] ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ^
[ 41.456431] ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 41.456431] ==================================================================

Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.

CAP_NET_ADMIN is required to trigger the bugs.

Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
Signed-off-by: Phil Turnbull <phil.t...@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/netfilter/nfnetlink.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 27b93da..197a538 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -328,10 +328,12 @@ replay:
nlh = nlmsg_hdr(skb);
err = 0;

- if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
- skb->len < nlh->nlmsg_len) {
- err = -EINVAL;
- goto ack;
+ if (nlh->nlmsg_len < NLMSG_HDRLEN ||
+ skb->len < nlh->nlmsg_len ||
+ nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {
+ nfnl_err_reset(&err_list);
+ status |= NFNL_BATCH_FAILURE;
+ goto done;
}

/* Only requests are handled by the kernel */
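
Review bot: the new condition is only correct in the order written, because nlmsg_len(nlh) can be evaluated safely only after `nlh->nlmsg_len < NLMSG_HDRLEN` has been ruled out, and nothing in the code says so. A short comment above the `if` would stop a later cleanup from reordering the three tests. The failure path also changes from `err = -EINVAL; goto ack;` to `goto done` with NFNL_BATCH_FAILURE, so err is no longer set here; the comment should say that the ack is skipped on purpose because nlh->nlmsg_len cannot be trusted for the copy back to userspace.
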
--
2.7.0
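
The length checks described in the commit message above, as an added userspace model that is not part of the patch or of the kernel source. The function names, the outcome labels and the advance() model of the batch loop are assumptions made for the illustration, and the (nlmsg_len, skb_len) pairs are constructed, the last one using the nlmsg_len value from the KASAN report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model (added example). Sizes mirror the netlink definitions. */
#define NLMSG_HDRLEN  16u  /* aligned sizeof(struct nlmsghdr) */
#define NFGENMSG_LEN  4u   /* sizeof(struct nfgenmsg) */

enum verdict { ACCEPT, REJECT_ACK, REJECT_BATCH };
enum outcome { HANDLED, STALL, LATE_OOB, ACK_OOB, PLAIN_REJECT, BATCH_ABORT };

/* Models nlmsg_len(): the payload length is returned as an int, so it
 * goes negative when nlmsg_len < NLMSG_HDRLEN. */
static int payload_len(uint32_t nlmsg_len)
{
	return (int)(nlmsg_len - NLMSG_HDRLEN);
}

/* Validation before the patch. The int payload length is compared with a
 * size_t, so a negative value converts to a huge unsigned one and the
 * "payload too short" test does not fire. */
static enum verdict check_before(uint32_t nlmsg_len, uint32_t skb_len)
{
	if ((size_t)payload_len(nlmsg_len) < NFGENMSG_LEN ||
	    skb_len < nlmsg_len)
		return REJECT_ACK;	/* old path: err = -EINVAL; goto ack */
	return ACCEPT;
}

/* Validation after the patch: the header-length test comes first. */
static enum verdict check_after(uint32_t nlmsg_len, uint32_t skb_len)
{
	if (nlmsg_len < NLMSG_HDRLEN ||
	    skb_len < nlmsg_len ||
	    (size_t)payload_len(nlmsg_len) < NFGENMSG_LEN)
		return REJECT_BATCH;	/* new path: NFNL_BATCH_FAILURE; goto done */
	return ACCEPT;
}

/* Assumed model of the loop's skb_pull(skb, msglen): the aligned
 * nlmsg_len, capped at what is left in the buffer. */
static uint32_t advance(uint32_t nlmsg_len, uint32_t skb_len)
{
	uint32_t msglen = (nlmsg_len + 3u) & ~3u;

	return msglen > skb_len ? skb_len : msglen;
}

/* What the old check leads to for one header. */
static enum outcome outcome_before(uint32_t nlmsg_len, uint32_t skb_len)
{
	if (check_before(nlmsg_len, skb_len) == ACCEPT) {
		if (advance(nlmsg_len, skb_len) == 0)
			return STALL;		/* zero bytes pulled, loop repeats */
		if (nlmsg_len < NLMSG_HDRLEN)
			return LATE_OOB;	/* validation bypassed */
		return HANDLED;
	}
	/* The ack copies nlmsg_len bytes from a buffer holding skb_len. */
	return nlmsg_len > skb_len ? ACK_OOB : PLAIN_REJECT;
}

/* What the new check leads to for one header. */
static enum outcome outcome_after(uint32_t nlmsg_len, uint32_t skb_len)
{
	return check_after(nlmsg_len, skb_len) == ACCEPT ? HANDLED : BATCH_ABORT;
}

int main(void)
{
	/* Constructed (nlmsg_len, skb_len) pairs. */
	static const uint32_t cases[][2] = {
		{ 0, 64 }, { 8, 64 }, { 18, 64 }, { 20, 64 }, { 0xfffffff0u, 64 },
	};
	static const char *names[] = {
		"handled", "stall", "late OOB read", "ack OOB read",
		"rejected", "batch aborted",
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("nlmsg_len=%-10u before: %-14s after: %s\n",
		       (unsigned)cases[i][0],
		       names[outcome_before(cases[i][0], cases[i][1])],
		       names[outcome_after(cases[i][0], cases[i][1])]);
	return 0;
}
```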

Kamal Mostafa

Mar 7, 2016, 6:10:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Rasmus Villemoes <li...@rasmusvillemoes.dk>

commit 76a563675485849f6f9ad5b30df220438b3628c1 upstream.

Ironically, 7d4020c3c400 ("[media] exynos4-is: fix some warnings when
compiling on arm64") fixed some format string bugs but introduced a
new one. buf_index is a simple int, so it should be printed with %d,
not %pad (which is correctly used for dma_addr_t).

Fixes: 7d4020c3c400 ("[media] exynos4-is: fix some warnings when compiling on arm64")

Signed-off-by: Rasmus Villemoes <li...@rasmusvillemoes.dk>
Signed-off-by: Mauro Carvalho Chehab <mch...@osg.samsung.com>
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/media/platform/exynos4-is/fimc-isp-video.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c b/drivers/media/platform/exynos4-is/fimc-isp-video.c
index 76b6b4d..ebb063e 100644
--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
+++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
@@ -219,8 +219,8 @@ static void isp_video_capture_buffer_queue(struct vb2_buffer *vb)
ivb->dma_addr[i];

isp_dbg(2, &video->ve.vdev,
- "dma_buf %pad (%d/%d/%d) addr: %pad\n",
- &buf_index, ivb->index, i, vb->v4l2_buf.index,
+ "dma_buf %d (%d/%d/%d) addr: %pad\n",
+ buf_index, ivb->index, i, vb->v4l2_buf.index,
&ivb->dma_addr[i]);
}
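
Review bot: with buf_index now passed by value for %d, the remaining three %d conversions in the same format string deserve the same check, since the types of ivb->index, i and vb->v4l2_buf.index are not visible in this hunk. If any of them is unsigned, %u is the matching specifier, and fixing it here avoids a third round on this one isp_dbg() call.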

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Arnd Bergmann <ar...@arndb.de>

commit a6ed4a18ba6a6f5a01e024b9d221d6439bf6ca4c upstream.

There are two definitions of xpad_identify_controller(), one is used
when CONFIG_JOYSTICK_XPAD_LEDS is set, but the other one is empty
and never used, and we get a gcc warning about it:

drivers/input/joystick/xpad.c:1210:13: warning: 'xpad_identify_controller' defined but not used [-Wunused-function]

This removes the second definition.

Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Fixes: cae705baa40b ("Input: xpad - re-send LED command on present event")
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/input/joystick/xpad.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index f8850f9..38fd7b7 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1005,7 +1005,6 @@ static void xpad_led_disconnect(struct usb_xpad *xpad)
#else
static int xpad_led_probe(struct usb_xpad *xpad) { return 0; }
static void xpad_led_disconnect(struct usb_xpad *xpad) { }
-static void xpad_identify_controller(struct usb_xpad *xpad) { }
#endif
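
Review bot: removing the empty xpad_identify_controller() stub from the #else branch is only safe while every caller sits inside the CONFIG_JOYSTICK_XPAD_LEDS block, and the hunk does not show the call sites. Worth confirming with a build that has CONFIG_JOYSTICK_XPAD_LEDS disabled, since a caller outside the #ifdef would turn the warning into a build failure.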


--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:10 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit deccd16f91f930af8e91ffbbfc839d0ad8da999d upstream.

Commit 5ea94e7686a3 ("phy: add phy_mac_interrupt()") to use with
PHY_IGNORE_INTERRUPT added a cancel_work_sync() into phy_mac_interrupt()
which is allowed to sleep, whereas phy_mac_interrupt() is expected to be
callable from interrupt context.

Now that we have fixed how the PHY state machine treats
PHY_IGNORE_INTERRUPT with respect to state changes, we can just set the
new link state, and queue the PHY state machine for execution so it is
going to read the new link state.

For that to work properly, we need to update phy_change() not to try to
invoke any interrupt callbacks if we have configured the PHY device for
PHY_IGNORE_INTERRUPT, because that PHY device and its driver are not
required to implement those.

Fixes: 5ea94e7686a3 ("phy: add phy_mac_interrupt() to use with PHY_IGNORE_INTERRUPT")
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/phy/phy.c | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
index 34fe339..8e7f683 100644
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -687,25 +687,29 @@ void phy_change(struct work_struct *work)
struct phy_device *phydev =
container_of(work, struct phy_device, phy_queue);

- if (phydev->drv->did_interrupt &&
- !phydev->drv->did_interrupt(phydev))
- goto ignore;
+ if (phy_interrupt_is_valid(phydev)) {
+ if (phydev->drv->did_interrupt &&
+ !phydev->drv->did_interrupt(phydev))
+ goto ignore;

- if (phy_disable_interrupts(phydev))
- goto phy_err;
+ if (phy_disable_interrupts(phydev))
+ goto phy_err;
+ }

mutex_lock(&phydev->lock);
if ((PHY_RUNNING == phydev->state) || (PHY_NOLINK == phydev->state))
phydev->state = PHY_CHANGELINK;
mutex_unlock(&phydev->lock);

- atomic_dec(&phydev->irq_disable);
- enable_irq(phydev->irq);
+ if (phy_interrupt_is_valid(phydev)) {
+ atomic_dec(&phydev->irq_disable);
+ enable_irq(phydev->irq);

- /* Reenable interrupts */
- if (PHY_HALTED != phydev->state &&
- phy_config_interrupt(phydev, PHY_INTERRUPT_ENABLED))
- goto irq_enable_err;
+ /* Reenable interrupts */
+ if (PHY_HALTED != phydev->state &&
+ phy_config_interrupt(phydev, PHY_INTERRUPT_ENABLED))
+ goto irq_enable_err;
+ }

/* reschedule state queue work to run as soon as possible */
cancel_delayed_work_sync(&phydev->state_queue);
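
Review bot: phy_interrupt_is_valid(phydev) is evaluated twice in phy_change(), once before phy_disable_interrupts() and again before atomic_dec()/enable_irq(), with the mutex section in between. If the two evaluations ever disagree, the disable and the enable are unbalanced; caching the result in a local bool at the top of the function would make the pairing explicit.
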
@@ -997,9 +1001,10 @@ void phy_state_machine(struct work_struct *work)

void phy_mac_interrupt(struct phy_device *phydev, int new_link)
{
- cancel_work_sync(&phydev->phy_queue);
phydev->link = new_link;
- schedule_work(&phydev->phy_queue);
+
+ /* Trigger a state machine change */
+ queue_work(system_power_efficient_wq, &phydev->phy_queue);
}
EXPORT_SYMBOL(phy_mac_interrupt);
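
Review bot: phy_mac_interrupt() now calls queue_work(system_power_efficient_wq, ...) where it used schedule_work(), and the commit message explains dropping cancel_work_sync() but not the change of workqueue. Either give the reason in the changelog or keep schedule_work(). phydev->link is also still written here without phydev->lock, while phy_change() takes the lock for phydev->state; a comment on why that is acceptable from interrupt context would help.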

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:10 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Xin Long <lucie...@gmail.com>

[ Upstream commit deed49df7390d5239024199e249190328f1651e7 ]

Since the gc of ipv4 routes was removed, a cached route has no
chance to be removed, and even after it has timed out it can still
be used, because no code checks its expiry.

Fix this issue by checking and removing route cache when we get route.

Signed-off-by: Xin Long <lucie...@gmail.com>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
include/net/ip_fib.h | 1 +
net/ipv4/route.c | 77 ++++++++++++++++++++++++++++++++++++++++++----------
2 files changed, 64 insertions(+), 14 deletions(-)

diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index ff6d78f..468cc2a 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -59,6 +59,7 @@ struct fib_nh_exception {
struct rtable __rcu *fnhe_rth_input;
struct rtable __rcu *fnhe_rth_output;
unsigned long fnhe_stamp;
+ struct rcu_head rcu;
};

struct fnhe_hash_bucket {
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index e681b85..eca349c 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -125,6 +125,7 @@ static int ip_rt_mtu_expires __read_mostly = 10 * 60 * HZ;
static int ip_rt_min_pmtu __read_mostly = 512 + 20 + 20;
static int ip_rt_min_advmss __read_mostly = 256;

+static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT;
/*
* Interface to generic destination cache.
*/
@@ -751,7 +752,7 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow
struct fib_nh *nh = &FIB_RES_NH(res);

update_or_create_fnhe(nh, fl4->daddr, new_gw,
- 0, 0);
+ 0, jiffies + ip_rt_gc_timeout);
}
if (kill_route)
rt->dst.obsolete = DST_OBSOLETE_KILL;
@@ -1536,6 +1537,36 @@ static void ip_handle_martian_source(struct net_device *dev,
#endif
}

+static void ip_del_fnhe(struct fib_nh *nh, __be32 daddr)
+{
+ struct fnhe_hash_bucket *hash;
+ struct fib_nh_exception *fnhe, __rcu **fnhe_p;
+ u32 hval = fnhe_hashfun(daddr);
+
+ spin_lock_bh(&fnhe_lock);
+
+ hash = rcu_dereference_protected(nh->nh_exceptions,
+ lockdep_is_held(&fnhe_lock));
+ hash += hval;
+
+ fnhe_p = &hash->chain;
+ fnhe = rcu_dereference_protected(*fnhe_p, lockdep_is_held(&fnhe_lock));
+ while (fnhe) {
+ if (fnhe->fnhe_daddr == daddr) {
+ rcu_assign_pointer(*fnhe_p, rcu_dereference_protected(
+ fnhe->fnhe_next, lockdep_is_held(&fnhe_lock)));
+ fnhe_flush_routes(fnhe);
+ kfree_rcu(fnhe, rcu);
+ break;
+ }
+ fnhe_p = &fnhe->fnhe_next;
+ fnhe = rcu_dereference_protected(fnhe->fnhe_next,
+ lockdep_is_held(&fnhe_lock));
+ }
+
+ spin_unlock_bh(&fnhe_lock);
+}
+
/* called in rcu_read_lock() section */
static int __mkroute_input(struct sk_buff *skb,
const struct fib_result *res,
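
Review bot: ip_del_fnhe() unlinks whichever entry matches daddr once it holds fnhe_lock, but the expiry test that led here ran in the caller without that lock. An exception refreshed or re-created for the same daddr in between would be deleted while still valid; re-checking the expiry under fnhe_lock before the rcu_assign_pointer() would close that window. hash is also advanced with `hash += hval` without a NULL check on nh->nh_exceptions.
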
@@ -1590,11 +1621,20 @@ static int __mkroute_input(struct sk_buff *skb,

fnhe = find_exception(&FIB_RES_NH(*res), daddr);
if (do_cache) {
- if (fnhe)
+ if (fnhe) {
rth = rcu_dereference(fnhe->fnhe_rth_input);
- else
- rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
+ if (rth && rth->dst.expires &&
+ time_after(jiffies, rth->dst.expires)) {
+ ip_del_fnhe(&FIB_RES_NH(*res), daddr);
+ fnhe = NULL;
+ } else {
+ goto rt_cache;
+ }
+ }
+
+ rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);

+rt_cache:
if (rt_cache_valid(rth)) {
skb_dst_set_noref(skb, &rth->dst);
goto out;
@@ -1943,19 +1983,29 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
struct fib_nh *nh = &FIB_RES_NH(*res);

fnhe = find_exception(nh, fl4->daddr);
- if (fnhe)
+ if (fnhe) {
prth = &fnhe->fnhe_rth_output;
- else {
- if (unlikely(fl4->flowi4_flags &
- FLOWI_FLAG_KNOWN_NH &&
- !(nh->nh_gw &&
- nh->nh_scope == RT_SCOPE_LINK))) {
- do_cache = false;
- goto add;
+ rth = rcu_dereference(*prth);
+ if (rth && rth->dst.expires &&
+ time_after(jiffies, rth->dst.expires)) {
+ ip_del_fnhe(nh, fl4->daddr);
+ fnhe = NULL;
+ } else {
+ goto rt_cache;
}
- prth = raw_cpu_ptr(nh->nh_pcpu_rth_output);
}
+
+ if (unlikely(fl4->flowi4_flags &
+ FLOWI_FLAG_KNOWN_NH &&
+ !(nh->nh_gw &&
+ nh->nh_scope == RT_SCOPE_LINK))) {
+ do_cache = false;
+ goto add;
+ }
+ prth = raw_cpu_ptr(nh->nh_pcpu_rth_output);
rth = rcu_dereference(*prth);
+
+rt_cache:
if (rt_cache_valid(rth)) {
dst_hold(&rth->dst);
return rth;
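
Review bot: the test `rth && rth->dst.expires && time_after(jiffies, rth->dst.expires)` followed by ip_del_fnhe() and `fnhe = NULL` is repeated here from __mkroute_input(), each time with a goto into a shared rt_cache label. A small helper that reports whether the exception's cached route has expired would remove the duplication and make both call sites easier to audit.
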
@@ -2503,7 +2553,6 @@ void ip_rt_multicast_event(struct in_device *in_dev)
}

#ifdef CONFIG_SYSCTL
-static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT;
static int ip_rt_gc_interval __read_mostly = 60 * HZ;
static int ip_rt_gc_min_interval __read_mostly = HZ / 2;
static int ip_rt_gc_elasticity __read_mostly = 8;
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:10 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Amir Vadai <am...@vadai.me>

[ Upstream commit 281e8b2fdf8e4ef366b899453cae50e09b577ada ]

RdropOvflw counts overrun of HW buffer, therefore should
be used for rx_fifo_errors only.

Currently RdropOvflw counter is mistakenly also set into
rx_missed_errors and rx_over_errors too, which makes the
device total dropped packets accounting to show wrong results.

Fix that. Use it for rx_fifo_errors only.

Fixes: c27a02cd94d6 ('mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC')
Signed-off-by: Amir Vadai <am...@vadai.me>
Signed-off-by: Eugenia Emantayev <eug...@mellanox.com>
Signed-off-by: Or Gerlitz <oger...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ethernet/mellanox/mlx4/en_port.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/en_port.c b/drivers/net/ethernet/mellanox/mlx4/en_port.c
index ee99e67..3904b5f 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_port.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_port.c
@@ -238,11 +238,11 @@ int mlx4_en_DUMP_ETH_STATS(struct mlx4_en_dev *mdev, u8 port, u8 reset)
stats->collisions = 0;
stats->rx_dropped = be32_to_cpu(mlx4_en_stats->RDROP);
stats->rx_length_errors = be32_to_cpu(mlx4_en_stats->RdropLength);
- stats->rx_over_errors = be32_to_cpu(mlx4_en_stats->RdropOvflw);
+ stats->rx_over_errors = 0;
stats->rx_crc_errors = be32_to_cpu(mlx4_en_stats->RCRC);
stats->rx_frame_errors = 0;
stats->rx_fifo_errors = be32_to_cpu(mlx4_en_stats->RdropOvflw);
- stats->rx_missed_errors = be32_to_cpu(mlx4_en_stats->RdropOvflw);
+ stats->rx_missed_errors = 0;
stats->tx_aborted_errors = 0;
stats->tx_carrier_errors = 0;
stats->tx_fifo_errors = 0;
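
Review bot: rx_over_errors and rx_missed_errors are now hard-coded to 0 with nothing at the assignments to say why, and RdropOvflw feeding three counters is exactly the mistake being fixed. A comment at the rx_fifo_errors line noting that RdropOvflw counts HW buffer overrun and belongs to that counter only would keep the other two from being wired back to it.
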
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:10 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eran Ben Elisha <era...@mellanox.com>

commit 6b94bab0ee8d5def6a2aac0ef6204ee6e24386b6 upstream.

The error flow in procedure handle_existing_counter() is wrong.

The procedure should exit after encountering the error, not continue
as if everything is OK.

Fixes: 68230242cdbc ('net/mlx4_core: Add port attribute when tracking counters')
Signed-off-by: Eran Ben Elisha <era...@mellanox.com>
Signed-off-by: Jack Morgenstein <ja...@dev.mellanox.co.il>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
index 8bead97..b2614a8 100644
--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
@@ -905,11 +905,13 @@ static int handle_existing_counter(struct mlx4_dev *dev, u8 slave, int port,

spin_lock_irq(mlx4_tlock(dev));
r = find_res(dev, counter_index, RES_COUNTER);
- if (!r || r->owner != slave)
+ if (!r || r->owner != slave) {
ret = -EINVAL;
- counter = container_of(r, struct res_counter, com);
- if (!counter->port)
- counter->port = port;
+ } else {
+ counter = container_of(r, struct res_counter, com);
+ if (!counter->port)
+ counter->port = port;
+ }

spin_unlock_irq(mlx4_tlock(dev));
return ret;
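
Review bot: the new else branch never assigns ret, so the success path depends on ret having been initialised at its declaration, which is outside this hunk. Please confirm it starts at 0; otherwise handle_existing_counter() returns an indeterminate value whenever the counter is found and owned by the slave.
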
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:13 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit d5c3d84657db57bd23ecd58b97f1c99dd42a7b80 upstream.

Commit 2c7b49212a86 ("phy: fix the use of PHY_IGNORE_INTERRUPT") changed
a hunk in phy_state_machine() in the PHY_RUNNING case which was not
needed. The change essentially makes the PHY library treat PHY devices
with PHY_IGNORE_INTERRUPT to keep polling for the PHY device, even
though the intent is not to do it.

Fix this by reverting that specific hunk, which makes the PHY state
machine wait for state changes, and stay in the PHY_RUNNING state for as
long as needed.

Fixes: 2c7b49212a86 ("phy: fix the use of PHY_IGNORE_INTERRUPT")
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/phy/phy.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
index 8e7f683..beca810 100644
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -901,10 +901,10 @@ void phy_state_machine(struct work_struct *work)
phydev->adjust_link(phydev->attached_dev);
break;
case PHY_RUNNING:
- /* Only register a CHANGE if we are polling or ignoring
- * interrupts and link changed since latest checking.
+ /* Only register a CHANGE if we are polling and link changed
+ * since latest checking.
*/
- if (!phy_interrupt_is_valid(phydev)) {
+ if (phydev->irq == PHY_POLL) {
old_link = phydev->link;
err = phy_read_status(phydev);
if (err)
@@ -995,8 +995,13 @@ void phy_state_machine(struct work_struct *work)
dev_dbg(&phydev->dev, "PHY state change %s -> %s\n",
phy_state_to_str(old_state), phy_state_to_str(phydev->state));

- queue_delayed_work(system_power_efficient_wq, &phydev->state_queue,
- PHY_STATE_TIME * HZ);
+ /* Only re-schedule a PHY state machine change if we are polling the
+ * PHY, if PHY_IGNORE_INTERRUPT is set, then we will be moving
+ * between states from phy_mac_interrupt()
+ */
+ if (phydev->irq == PHY_POLL)
+ queue_delayed_work(system_power_efficient_wq, &phydev->state_queue,
+ PHY_STATE_TIME * HZ);
}

void phy_mac_interrupt(struct phy_device *phydev, int new_link)
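
Review bot: the guard `if (phydev->irq == PHY_POLL)` stops the periodic requeue for every non-polling PHY, but the comment above it only explains the PHY_IGNORE_INTERRUPT case. The comment should also say what drives the state machine for PHYs with a real interrupt line, so the reader does not have to infer it.
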
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:13 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit 258bf44364263cb6391f35ebaca3c2366655bded upstream.

Since we were wrongly advertising gigabit features for these 10/100 only
Ethernet PHYs, bcm7xxx_config_init() which is supposed to apply workaround
would have not run since the check would be true, now that we have fixed the
PHY features, remove that check since it has no reasoning to be there anymore.

Fixes: e18556ee3bd83 ("net: phy: bcm7xxx: do not use PHY_BRCM_100MBPS_WAR")
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/phy/bcm7xxx.c | 4 ----
1 file changed, 4 deletions(-)

diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c
index 24e2071..38b57f6 100644
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -324,10 +324,6 @@ static int bcm7xxx_config_init(struct phy_device *phydev)
phy_write(phydev, MII_BCM7XXX_AUX_MODE, MII_BCM7XX_64CLK_MDIO);
phy_read(phydev, MII_BCM7XXX_AUX_MODE);

- /* Workaround only required for 100Mbits/sec capable PHYs */
- if (phydev->supported & PHY_GBIT_FEATURES)
- return 0;
-
/* set shadow mode 2 */
ret = phy_set_clr_bits(phydev, MII_BCM7XXX_TEST,
MII_BCM7XXX_SHD_MODE_2, MII_BCM7XXX_SHD_MODE_2);
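
Review bot: with the PHY_GBIT_FEATURES early return gone, everything from `set shadow mode 2` onward runs for every PHY that reaches bcm7xxx_config_init(), which is right only if the features fix the commit message refers to is already applied. For this stable series, confirm that prerequisite is queued ahead of this patch; the changelog identifies it only as "now that we have fixed the PHY features".
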
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:13 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit 87bee0ecf01d2ed0d48bba1fb12c954f9476d243 upstream.

Commit 70371cef114ca ("MAINTAINERS: Add entry for BMIPS multiplatform
kernel") supersedes this entry for BCM33xx.

Fixes: 70371cef114ca ("MAINTAINERS: Add entry for BMIPS multiplatform kernel")
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Cc: blo...@openwrt.org
Cc: cern...@gmail.com
Cc: linux...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12301/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
MAINTAINERS | 8 --------
1 file changed, 8 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 66a6649..4be1334 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2223,14 +2223,6 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/rpi/linux-rpi.git
S: Maintained
N: bcm2835

-BROADCOM BCM33XX MIPS ARCHITECTURE
-M: Kevin Cernekee <cern...@gmail.com>
-L: linux...@linux-mips.org
-S: Maintained
-F: arch/mips/bcm3384/*
-F: arch/mips/include/asm/mach-bcm3384/*
-F: arch/mips/kernel/*bmips*
-
BROADCOM BCM47XX MIPS ARCHITECTURE
M: Hauke Mehrtens <ha...@hauke-m.de>
M: Rafał Miłecki <zaj...@gmail.com>
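
Review bot: dropping the BCM33XX entry leaves arch/mips/bcm3384/*, arch/mips/include/asm/mach-bcm3384/* and arch/mips/kernel/*bmips* without a listed maintainer unless the BMIPS entry from 70371cef114ca is present in this tree. Worth checking that commit is part of 4.2.y before taking the removal.
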
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:13 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Neil Horman <nho...@tuxdriver.com>

[ Upstream commit d9749fb5942f51555dc9ce1ac0dbb1806960a975 ]

Dmitry Vyukov noted recently that the sctp_port_hashtable had an error in
its size computation, observing that the current method never guaranteed
that the hashsize (measured in number of entries) would be a power of two,
which the input hash function for that table requires. The root cause of
the problem is that two values need to be computed (one, the allocation
order of the storage required, as passed to __get_free_pages, and two the
number of entries for the hash table). Both need to be ^2, but for
different reasons, and the existing code is simply computing one order
value, and using it as the basis for both, which is wrong (i.e. it assumes
that ((1<<order)*PAGE_SIZE)/sizeof(bucket) is still ^2 when it's not).

To fix this, we change the logic slightly. We start by computing a goal
allocation order (which is limited by the maximum size hash table we want
to support). Then we attempt to allocate that size table, decreasing the
order until a successful allocation is made. Then, with the resultant
successful order we compute the number of buckets that hash table supports,
which we then round down to the nearest power of two, giving us the number
of entries the table actually supports.

I've tested this locally here, using non-debug and spinlock-debug kernels,
and the number of entries in the hashtable consistently work out to be
powers of two in all cases.

Signed-off-by: Neil Horman <nho...@tuxdriver.com>
Reported-by: Dmitry Vyukov <dvy...@google.com>
CC: Dmitry Vyukov <dvy...@google.com>
CC: Vladislav Yasevich <vyas...@gmail.com>
CC: "David S. Miller" <da...@davemloft.net>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/sctp/protocol.c | 47 ++++++++++++++++++++++++++++++++++++++---------
1 file changed, 38 insertions(+), 9 deletions(-)

diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 3ac604f..4441bd0 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -60,6 +60,8 @@
#include <net/inet_common.h>
#include <net/inet_ecn.h>

+#define MAX_SCTP_PORT_HASH_ENTRIES (64 * 1024)
+
/* Global data structures. */
struct sctp_globals sctp_globals __read_mostly;

@@ -1332,6 +1334,8 @@ static __init int sctp_init(void)
unsigned long limit;
int max_share;
int order;
+ int num_entries;
+ int max_entry_order;

sock_skb_cb_check_size(sizeof(struct sctp_ulpevent));

@@ -1384,14 +1388,24 @@ static __init int sctp_init(void)

/* Size and allocate the association hash table.
* The methodology is similar to that of the tcp hash tables.
+ * Though not identical. Start by getting a goal size
*/
if (totalram_pages >= (128 * 1024))
goal = totalram_pages >> (22 - PAGE_SHIFT);
else
goal = totalram_pages >> (24 - PAGE_SHIFT);

- for (order = 0; (1UL << order) < goal; order++)
- ;
+ /* Then compute the page order for said goal */
+ order = get_order(goal);
+
+ /* Now compute the required page order for the maximum sized table we
+ * want to create
+ */
+ max_entry_order = get_order(MAX_SCTP_PORT_HASH_ENTRIES *
+ sizeof(struct sctp_bind_hashbucket));
+
+ /* Limit the page order by that maximum hash table size */
+ order = min(order, max_entry_order);

do {
sctp_assoc_hashsize = (1UL << order) * PAGE_SIZE /
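
Review bot: `order = get_order(goal)` changes the unit of goal. The removed loop, `for (order = 0; (1UL << order) < goal; order++)`, treated goal as a number of pages, whereas get_order() takes a size in bytes, so the resulting order is far smaller than before for the same totalram_pages. If that is intended, the comment should say so; note too that `order = min(order, max_entry_order)` caps the order with the port-table limit before the association table just below is sized from it.
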
@@ -1425,27 +1439,42 @@ static __init int sctp_init(void)
INIT_HLIST_HEAD(&sctp_ep_hashtable[i].chain);
}

- /* Allocate and initialize the SCTP port hash table. */
+ /* Allocate and initialize the SCTP port hash table.
+ * Note that order is initalized to start at the max sized
+ * table we want to support. If we can't get that many pages
+ * reduce the order and try again
+ */
do {
- sctp_port_hashsize = (1UL << order) * PAGE_SIZE /
- sizeof(struct sctp_bind_hashbucket);
- if ((sctp_port_hashsize > (64 * 1024)) && order > 0)
- continue;
sctp_port_hashtable = (struct sctp_bind_hashbucket *)
__get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order);
} while (!sctp_port_hashtable && --order > 0);
+
if (!sctp_port_hashtable) {
pr_err("Failed bind hash alloc\n");
status = -ENOMEM;
goto err_bhash_alloc;
}
+
+ /* Now compute the number of entries that will fit in the
+ * port hash space we allocated
+ */
+ num_entries = (1UL << order) * PAGE_SIZE /
+ sizeof(struct sctp_bind_hashbucket);
+
+ /* And finish by rounding it down to the nearest power of two
+ * this wastes some memory of course, but its needed because
+ * the hash function operates based on the assumption that
+ * that the number of entries is a power of two
+ */
+ sctp_port_hashsize = rounddown_pow_of_two(num_entries);
+
for (i = 0; i < sctp_port_hashsize; i++) {
spin_lock_init(&sctp_port_hashtable[i].lock);
INIT_HLIST_HEAD(&sctp_port_hashtable[i].chain);
}

- pr_info("Hash tables configured (established %d bind %d)\n",
- sctp_assoc_hashsize, sctp_port_hashsize);
+ pr_info("Hash tables configured (established %d bind %d/%d)\n",
+ sctp_assoc_hashsize, sctp_port_hashsize, num_entries);

sctp_sysctl_register();
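
Review bot: the rewritten retry loop still ends on `--order > 0`, so after a failed order-1 allocation it gives up without ever trying order 0; `--order >= 0` would let the single-page attempt happen before the -ENOMEM path. In the added comments, "initalized" and the doubled "that that" are typos worth fixing while the block is being touched.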

--
2.7.0
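
The sizing procedure from the commit message above, worked through as an added userspace example that is not part of the patch. PAGE_SIZE of 4096, the 16- and 24-byte bucket sizes, the helper names and the mask-based index `h & (size - 1)` are assumptions for the illustration; the helpers only model get_order() and rounddown_pow_of_two().

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096UL			/* assumed for the example */
#define MAX_SCTP_PORT_HASH_ENTRIES (64 * 1024)

/* Models get_order(): smallest order with (PAGE_SIZE << order) >= bytes. */
static int order_for_bytes(unsigned long bytes)
{
	int order = 0;

	while ((PAGE_SIZE << order) < bytes)
		order++;
	return order;
}

/* Models rounddown_pow_of_two() for n >= 1. */
static unsigned long rounddown_pow2(unsigned long n)
{
	unsigned long p = 1;

	while (p * 2 <= n)
		p *= 2;
	return p;
}

/* Buckets that fit in an allocation of (1 << order) pages. */
static unsigned long entries_for_order(int order, unsigned long bucket_size)
{
	return (1UL << order) * PAGE_SIZE / bucket_size;
}

/* Table size after the fix: what fits, rounded down to a power of two. */
static unsigned long port_hashsize(int order, unsigned long bucket_size)
{
	return rounddown_pow2(entries_for_order(order, bucket_size));
}

/* Distinct buckets that a mask-based index, h & (size - 1), can reach
 * (assumed form of the hash; size must be between 1 and 65536). */
static unsigned long reachable_buckets(unsigned long size)
{
	static unsigned char seen[1 << 16];
	unsigned long h, n = 0;

	if (size == 0 || size > sizeof(seen))
		return 0;
	memset(seen, 0, sizeof(seen));
	for (h = 0; h < sizeof(seen); h++) {
		unsigned long idx = h & (size - 1);

		if (!seen[idx]) {
			seen[idx] = 1;
			n++;
		}
	}
	return n;
}

int main(void)
{
	/* Constructed bucket sizes: 16 divides a page into a power of two,
	 * 24 (standing in for a debug build) does not. */
	static const unsigned long bucket_sizes[] = { 16, 24 };
	size_t i;

	for (i = 0; i < sizeof(bucket_sizes) / sizeof(bucket_sizes[0]); i++) {
		unsigned long b = bucket_sizes[i];
		int max_order = order_for_bytes(MAX_SCTP_PORT_HASH_ENTRIES * b);
		unsigned long raw = entries_for_order(0, b);

		printf("bucket=%lu max_order=%d fit=%lu size=%lu\n", b,
		       max_order, entries_for_order(max_order, b),
		       port_hashsize(max_order, b));
		printf("  one page: raw size %lu reaches %lu buckets, "
		       "rounded size %lu reaches %lu\n",
		       raw, reachable_buckets(raw), port_hashsize(0, b),
		       reachable_buckets(port_hashsize(0, b)));
	}
	return 0;
}
```

With 24-byte buckets a single page holds 170 entries, and masking with 169 reaches only 16 of them; rounding down to 128 makes every bucket reachable.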

Kamal Mostafa

Mar 7, 2016, 6:10:15 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit 50d899808d33a5b0aa82be23e824119944042689 upstream.

The clear and set masks in the call to phy_set_clr_bits() called from
bcm7xxx_config_init() are inverted. We need to fix this by swapping the two
arguments, that is, set 0 bits, but clear the shade mode 2 enable bit.

Fixes: b560a58c45c66 ("net: phy: add Broadcom BCM7xxx internal PHY driver")
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/phy/bcm7xxx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c
index 6b701b3..24e2071 100644
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -344,7 +344,7 @@ static int bcm7xxx_config_init(struct phy_device *phydev)
phy_write(phydev, MII_BCM7XXX_100TX_FALSE_CAR, 0x7555);

/* reset shadow mode 2 */
- ret = phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, MII_BCM7XXX_SHD_MODE_2, 0);
+ ret = phy_set_clr_bits(phydev, MII_BCM7XXX_TEST, 0, MII_BCM7XXX_SHD_MODE_2);
if (ret < 0)
return ret;
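
Review bot: the corrected call passes 0 as the set mask and MII_BCM7XXX_SHD_MODE_2 as the clear mask, but the comment above it still reads only `reset shadow mode 2`, which does not tell a reader which argument is which. Extending the comment to name the set and clear positions would make a repeat of the inversion easier to spot; the new line also runs past 80 columns and could be wrapped.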

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:15 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Daniel Borkmann <dan...@iogearbox.net>

[ Upstream commit a1b14d27ed0965838350f1377ff97c93ee383492 ]

When ctx access is used, the kernel often needs to expand/rewrite
instructions, so after that patching, branch offsets have to be
adjusted for both forward and backward jumps in the new eBPF program,
but for backward jumps it fails to account the delta. Meaning, for
example, if the expansion happens exactly on the insn that sits at
the jump target, it doesn't fix up the back jump offset.

Analysis on what the check in adjust_branches() is currently doing:

  /* adjust offset of jmps if necessary */
  if (i < pos && i + insn->off + 1 > pos)
          insn->off += delta;
  else if (i > pos && i + insn->off + 1 < pos)
          insn->off -= delta;

First condition (forward jumps):

  Before:                          After:

  insns[0]                         insns[0]
  insns[1] <--- i/insn             insns[1] <--- i/insn
  insns[2] <--- pos                insns[P] <--- pos
  insns[3]                         insns[P]  `------| delta
  insns[4] <--- target_X           insns[P]   `-----|
  insns[5]                         insns[3]
                                   insns[4] <--- target_X
                                   insns[5]

First case is if we cross pos-boundary and the jump instruction was
before pos. This is handeled correctly. I.e. if i == pos, then this
would mean our jump that we currently check was the patchlet itself
that we just injected. Since such patchlets are self-contained and
have no awareness of any insns before or after the patched one, the
delta is correctly not adjusted. Also, for the second condition in
case of i + insn->off + 1 == pos, means we jump to that newly patched
instruction, so no offset adjustment is needed. That part is correct.

Second condition (backward jumps):

  Before:                         After:

  insns[0]                        insns[0]
  insns[1] <--- target_X          insns[1] <--- target_X
  insns[2] <--- pos <-- target_Y  insns[P] <--- pos <-- target_Y
  insns[3]                        insns[P]  `------| delta
  insns[4] <--- i/insn            insns[P]   `-----|
  insns[5]                        insns[3]
                                  insns[4] <--- i/insn
                                  insns[5]

Second interesting case is where we cross pos-boundary and the jump
instruction was after pos. Backward jump with i == pos would be
impossible and pose a bug somewhere in the patchlet, so the first
condition checking i > pos is okay only by itself. However, i +
insn->off + 1 < pos does not always work as intended to trigger the
adjustment. It works when jump targets would be far off where the
delta wouldn't matter. But, for example, where the fixed insn->off
before pointed to pos (target_Y), it now points to pos + delta, so
that additional room needs to be taken into account for the check.
This means that i) both tests here need to be adjusted into pos + delta,
and ii) for the second condition, the test needs to be <= as pos
itself can be a target in the backjump, too.

Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields")
Signed-off-by: Daniel Borkmann <dan...@iogearbox.net>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
kernel/bpf/verifier.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4d19a8c..9fccb7c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1975,7 +1975,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
/* adjust offset of jmps if necessary */
if (i < pos && i + insn->off + 1 > pos)
insn->off += delta;
- else if (i > pos && i + insn->off + 1 < pos)
+ else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
insn->off -= delta;
}
}
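
Review bot: the comment above the two conditions still reads only "adjust offset of jmps if necessary", while the forward test uses pos and the backward test now uses pos + delta with <=. Add a line saying that i already indexes the expanded program while insn->off is still the pre-expansion offset, which is why the backward test needs pos + delta. No bound check on insn->off after += delta or -= delta is visible here; worth confirming the adjusted offset cannot leave the range of its type.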
--
2.7.0
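
The back-jump case analysed in the adjust_branches() commit message above, as an added example that is not part of the patch or of the kernel source: a user-space C model that expands the instruction at pos and counts the jumps that no longer reach their original target under the old and the fixed check. struct insn, expand_at() and broken_jumps() are hypothetical names, and the eight-instruction program is constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INSNS 32

/* Toy instruction holding only what the check reads; not struct bpf_insn. */
struct insn {
	int is_jmp;	/* jump with a relative offset */
	int off;	/* target index = own index + off + 1 */
	int id;		/* constructed label: index in the original program */
};

/* fixed == 0: check quoted in the commit message; fixed == 1: patched check. */
static void adjust_branches(struct insn *prog, int len, int pos, int delta,
			    int fixed)
{
	for (int i = 0; i < len; i++) {
		struct insn *insn = &prog[i];

		if (!insn->is_jmp)
			continue;
		if (i < pos && i + insn->off + 1 > pos)
			insn->off += delta;
		else if (!fixed && i > pos && i + insn->off + 1 < pos)
			insn->off -= delta;
		else if (fixed && i > pos + delta &&
			 i + insn->off + 1 <= pos + delta)
			insn->off -= delta;
	}
}

/* Grow the instruction at pos into 1 + delta instructions (the patchlet). */
static int expand_at(struct insn *prog, int len, int pos, int delta)
{
	memmove(&prog[pos + 1 + delta], &prog[pos + 1],
		(size_t)(len - pos - 1) * sizeof(*prog));
	for (int k = 1; k <= delta; k++)
		prog[pos + k] = (struct insn){ 0, 0, -1 };
	return len + delta;
}

/* Number of jumps that miss their original target after expansion at pos 2. */
int broken_jumps(int delta, int fixed)
{
	struct insn prog[MAX_INSNS] = {
		{ 1,  1, 0 },	/* forward jump landing exactly on pos */
		{ 1,  3, 1 },	/* forward jump across pos, to insn 5 */
		{ 0,  0, 2 },	/* pos: the instruction that gets expanded */
		{ 0,  0, 3 },
		{ 1, -3, 4 },	/* back jump to pos (target_Y) */
		{ 1, -6, 5 },	/* back jump across pos, to insn 0 */
		{ 1, -4, 6 },	/* back jump to insn 3, never crosses pos */
		{ 0,  0, 7 },
	};
	int len = 8, pos = 2, want[8], broken = 0;

	if (delta < 1 || len + delta > MAX_INSNS)
		return -1;
	/* Remember which original instruction every jump is meant to reach. */
	for (int i = 0; i < len; i++)
		want[i] = prog[i].is_jmp ? prog[i + prog[i].off + 1].id : -1;

	len = expand_at(prog, len, pos, delta);
	adjust_branches(prog, len, pos, delta, fixed);

	for (int i = 0; i < len; i++) {
		int target = i + prog[i].off + 1;

		if (!prog[i].is_jmp)
			continue;
		if (target < 0 || target >= len ||
		    prog[target].id != want[prog[i].id])
			broken++;
	}
	return broken;
}

int main(void)
{
	for (int delta = 1; delta <= 2; delta++)
		printf("delta=%d: old check breaks %d jump(s), fixed check %d\n",
		       delta, broken_jumps(delta, 0), broken_jumps(delta, 1));
	return 0;
}
```

With delta = 1 only the back jump to pos is left pointing into the patchlet; with delta = 2 the back jump to insn 0 is also missed, because its target lies within delta of pos.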

Kamal Mostafa

Mar 7, 2016, 6:10:15 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ken-ichirou MATSUZAWA <cham...@gmail.com>

commit aa3a022094fac7f6e48050e139fa8a5a2e3265ce upstream.

We should not trim skb for mmaped socket since its buf size is fixed
and userspace will read as frame which data equals head. mmaped
socket will not call recvmsg, means max_recvmsg_len is 0,
skb_reserve was not called before commit: db65a3aaf29e.

Fixes: db65a3aaf29e (netlink: Trim skb to alloc size to avoid MSG_TRUNC)
Signed-off-by: Ken-ichirou MATSUZAWA <cha...@h4.dion.ne.jp>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/netlink/af_netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index a7fc3d4..f7cb8c6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2802,7 +2802,8 @@ static int netlink_dump(struct sock *sk)
* reasonable static buffer based on the expected largest dump of a
* single netdev. The outcome is MSG_TRUNC error.
*/
- skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+ if (!netlink_rx_is_mmaped(sk))
+ skb_reserve(skb, skb_tailroom(skb) - alloc_size);
netlink_skb_set_owner_r(skb, sk);

len = cb->dump(skb, cb);
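
Review bot: the block comment that ends just above the new if still describes the trim as unconditional. It should say why an mmaped receiver is skipped; the commit message gives the reason (its buffer size is fixed), and that belongs next to the netlink_rx_is_mmaped() test so the condition is not removed later as dead code.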
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:16 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andrew Lunn <and...@lunn.ch>

commit 1bc4e2b000e7fa9773d6623bc8850561ce10a4fb upstream.

batman-adv checks in different situations if a new device is already on top
of a different batman-adv device. This is done by getting the iflink of a
device and all its parents. It assumes that this iflink is always a parent
device in an acyclic graph. But this assumption is broken by devices like
veth which are actually a pair of two devices linked to each other. The
recursive check would therefore get veth0 when calling dev_get_iflink on
veth1. And it gets veth0 when calling dev_get_iflink with veth1.

Creating a veth pair and loading batman-adv freezes parts of the system

ip link add veth0 type veth peer name veth1
modprobe batman-adv

An RCU stall will be detected on the system which cannot be fixed.

INFO: rcu_sched self-detected stall on CPU
1: (5264 ticks this GP) idle=3e9/140000000000001/0
softirq=144683/144686 fqs=5249
(t=5250 jiffies g=46 c=45 q=43)
Task dump for CPU 1:
insmod R running task 0 247 245 0x00000008
ffffffff8151f140 ffffffff8107888e ffff88000fd141c0 ffffffff8151f140
0000000000000000 ffffffff81552df0 ffffffff8107b420 0000000000000001
ffff88000e3fa700 ffffffff81540b00 ffffffff8107d667 0000000000000001
Call Trace:
<IRQ> [<ffffffff8107888e>] ? rcu_dump_cpu_stacks+0x7e/0xd0
[<ffffffff8107b420>] ? rcu_check_callbacks+0x3f0/0x6b0
[<ffffffff8107d667>] ? hrtimer_run_queues+0x47/0x180
[<ffffffff8107cf9d>] ? update_process_times+0x2d/0x50
[<ffffffff810873fb>] ? tick_handle_periodic+0x1b/0x60
[<ffffffff810290ae>] ? smp_trace_apic_timer_interrupt+0x5e/0x90
[<ffffffff813bbae2>] ? apic_timer_interrupt+0x82/0x90
<EOI> [<ffffffff812c3fd7>] ? __dev_get_by_index+0x37/0x40
[<ffffffffa0031f3e>] ? batadv_hard_if_event+0xee/0x3a0 [batman_adv]
[<ffffffff812c5801>] ? register_netdevice_notifier+0x81/0x1a0
[...]

This can be avoided by checking if two devices are each other's parent and
stopping the check in this situation.

Fixes: b7eddd0b3950 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface")
Signed-off-by: Andrew Lunn <and...@lunn.ch>
[sv...@narfation.org: rewritten description, extracted fix]
Signed-off-by: Sven Eckelmann <sv...@narfation.org>
Signed-off-by: Marek Lindner <marekl...@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a...@unstable.cc>

Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/batman-adv/hard-interface.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)

diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index f4a15d2..3edf7b0 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -75,6 +75,28 @@ out:
}

/**
+ * batadv_mutual_parents - check if two devices are each others parent
+ * @dev1: 1st net_device
+ * @dev2: 2nd net_device
+ *
+ * veth devices come in pairs and each is the parent of the other!
+ *
+ * Return: true if the devices are each others parent, otherwise false
+ */
+static bool batadv_mutual_parents(const struct net_device *dev1,
+ const struct net_device *dev2)
+{
+ int dev1_parent_iflink = dev_get_iflink(dev1);
+ int dev2_parent_iflink = dev_get_iflink(dev2);
+
+ if (!dev1_parent_iflink || !dev2_parent_iflink)
+ return false;
+
+ return (dev1_parent_iflink == dev2->ifindex) &&
+ (dev2_parent_iflink == dev1->ifindex);
+}
+
+/**
* batadv_is_on_batman_iface - check if a device is a batman iface descendant
* @net_dev: the device to check
*
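
Review bot: batadv_mutual_parents() recognises only a cycle of exactly two devices, since it compares dev1's iflink with dev2->ifindex and the reverse; an iflink cycle through three or more devices would still recurse without end in batadv_is_on_batman_iface(). Either bound the recursion depth or state in the kerneldoc that only pairs are handled. The `!dev1_parent_iflink || !dev2_parent_iflink` test also treats 0 as "no parent" without saying so.
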
@@ -107,6 +129,9 @@ static bool batadv_is_on_batman_iface(const struct net_device *net_dev)
if (WARN(!parent_dev, "Cannot find parent device"))
return false;

+ if (batadv_mutual_parents(net_dev, parent_dev))
+ return false;
+
ret = batadv_is_on_batman_iface(parent_dev);

return ret;
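
Review bot: the early `return false` placed before the recursive call carries no comment, and false here means "not on a batman interface", so a mutually linked pair is accepted without looking any further up the chain. A one-line comment stating that this is intended for veth-style pairs would save the next reader from treating it as a missed check.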
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:16 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Rainer Weikusat <rwei...@mobileactivedefense.com>

[ Upstream commit a5527dda344fff0514b7989ef7a755729769daa1 ]

The unix_dgram_sendmsg routine uses the following test

if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add an other != sk
check to guard against this.

Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmh...@pmhahn.de>
Signed-off-by: Rainer Weikusat <rwei...@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmh...@pmhahn.de>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/unix/af_unix.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 7c29ec3..b5f9049 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1780,7 +1780,12 @@ restart_locked:
goto out_unlock;
}

- if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ /* other == sk && unix_peer(other) != sk if
+ * - unix_peer(sk) == NULL, destination address bound to sk
+ * - unix_peer(sk) == sk by time of get but disconnected before lock
+ */
+ if (other != sk &&
+ unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
if (timeo) {
timeo = unix_wait_for_peer(other, timeo);
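
Review bot: the new comment lists when other == sk can coincide with unix_peer(other) != sk but not what goes wrong if the block is entered in that state. The commit message names both outcomes (the sender blocking unintentionally, the same spin lock unlocked twice); one line of that belongs in the comment. The `other != sk` test could also sit inside unlikely() so the whole condition carries the hint.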

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:16 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Tahsin Erdogan <tah...@google.com>

commit 3d65ae4634ed8350aee98a4e6f4e41fe40c7d282 upstream.

inode struct members that track cgroup writeback information
should be reinitialized when inode gets allocated from
kmem_cache. Otherwise, their values remain and get used by the
new inode.

Signed-off-by: Tahsin Erdogan <tah...@google.com>
Acked-by: Tejun Heo <t...@kernel.org>
Fixes: d10c80955265 ("writeback: implement foreign cgroup inode bdi_writeback switching")
Signed-off-by: Jens Axboe <ax...@fb.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
fs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/inode.c b/fs/inode.c
index d30640f..8d72fac 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -156,6 +156,12 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_rdev = 0;
inode->dirtied_when = 0;

+#ifdef CONFIG_CGROUP_WRITEBACK
+ inode->i_wb_frn_winner = 0;
+ inode->i_wb_frn_avg_time = 0;
+ inode->i_wb_frn_history = 0;
+#endif
+
if (security_inode_alloc(inode))
goto out;
spin_lock_init(&inode->i_lock);
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:10:24 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Heiko Carstens <heiko.c...@de.ibm.com>

commit 9900c48c46d8bcf497972024c5fe366e6d9771f3 upstream.

git commit dc7ee00d4771 ("s390: lowcore stack pointer offsets")
introduced a regression in regard to save_stack_trace(). The stack
pointer for the asynchronous and the panic stack in the lowcore now
have an additional offset applied to them. This offset needs to be
taken into account in the calculation for the low and high address for
the stacks.

This bug was already partially fixed with 9cc5c206d9b4
("s390/dumpstack: fix address ranges for asynchronous and panic
stack"). This patch fixes it also for the stacktrace code.

Fixes: dc7ee00d4771 ("s390: lowcore stack pointer offsets")
Signed-off-by: Heiko Carstens <heiko.c...@de.ibm.com>
Tested-by: Peter Oberparleiter <obe...@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/s390/kernel/stacktrace.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/arch/s390/kernel/stacktrace.c b/arch/s390/kernel/stacktrace.c
index 1785cd8..8be2c35 100644
--- a/arch/s390/kernel/stacktrace.c
+++ b/arch/s390/kernel/stacktrace.c
@@ -63,17 +63,18 @@ static unsigned long save_context_stack(struct stack_trace *trace,
void save_stack_trace(struct stack_trace *trace)
{
register unsigned long sp asm ("15");
- unsigned long orig_sp, new_sp;
+ unsigned long orig_sp, new_sp, frame_size;

+ frame_size = STACK_FRAME_OVERHEAD + sizeof(struct pt_regs);
orig_sp = sp & PSW_ADDR_INSN;
new_sp = save_context_stack(trace, orig_sp,
- S390_lowcore.panic_stack - PAGE_SIZE,
- S390_lowcore.panic_stack, 1);
+ S390_lowcore.panic_stack + frame_size - PAGE_SIZE,
+ S390_lowcore.panic_stack + frame_size, 1);
if (new_sp != orig_sp)
return;
new_sp = save_context_stack(trace, new_sp,
- S390_lowcore.async_stack - ASYNC_SIZE,
- S390_lowcore.async_stack, 1);
+ S390_lowcore.async_stack + frame_size - ASYNC_SIZE,
+ S390_lowcore.async_stack + frame_size, 1);
if (new_sp != orig_sp)
return;
save_context_stack(trace, new_sp,
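
Review bot: frame_size is computed locally as STACK_FRAME_OVERHEAD + sizeof(struct pt_regs), and the commit message says the same offset already had to be fixed separately in the dumpstack code. A shared macro or helper for the lowcore stack offset would keep the users from drifting apart again. The low and high bounds of each stack could also be computed once instead of repeating `+ frame_size` in all four arguments.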
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:05 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit fa0dc04df259ba2df3ce1920e9690c7842f8fa4b ]

Dmitry reported a struct pid leak detected by a syzkaller program.

Bug happens in unix_stream_recvmsg() when we break the loop when a
signal is pending, without properly releasing scm.

Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv routines")
Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Rainer Weikusat <rwei...@mobileactivedefense.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/unix/af_unix.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 7926de1..7f4cc3e 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2331,6 +2331,7 @@ again:

if (signal_pending(current)) {
err = sock_intr_errno(timeo);
+ scm_destroy(&scm);
goto out;
}
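
Review bot: scm_destroy(&scm) is added only on the signal_pending() exit, which leaves through `goto out`. The other early exits of this loop are outside the hunk; either audit each of them for the same leak or release scm in one place at the exit label, so the next added exit path cannot reintroduce it.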

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:05 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Takashi Iwai <ti...@suse.de>

commit ed8b1d6d2c741ab26d60d499d7fbb7ac801f0f51 upstream.

A slave timer element also unlinks at snd_timer_stop() but it takes
only slave_active_lock. When a slave is assigned to a master,
however, this may become a race against the master's interrupt
handling, eventually resulting in a list corruption. The actual bug
could be seen with a syzkaller fuzzer test case in BugLink below.

As a fix, we need to take timeri->timer->lock when timer isn't NULL,
i.e. assigned to a master, while the assignment to a master itself is
protected by slave_active_lock.

BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX5...@mail.gmail.com
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
sound/core/timer.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 37afa28..05745c46 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -518,9 +518,13 @@ static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
spin_unlock_irqrestore(&slave_active_lock, flags);
return -EBUSY;
}
+ if (timeri->timer)
+ spin_lock(&timeri->timer->lock);
timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
list_del_init(&timeri->ack_list);
list_del_init(&timeri->active_list);
+ if (timeri->timer)
+ spin_unlock(&timeri->timer->lock);
spin_unlock_irqrestore(&slave_active_lock, flags);
goto __end;
}
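
Review bot: timeri->timer->lock is taken with plain spin_lock() nested inside slave_active_lock, which relies on interrupts already being off from the outer irqsave lock and on every other path taking the two locks in the same order. A comment at the nested lock stating that order would help. The two `if (timeri->timer)` tests could also use one local pointer so that lock and unlock are guaranteed to act on the same timer.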
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:06 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Parthasarathy Bhuvaragan <parthasarath...@ericsson.com>

[ Upstream commit 4d5cfcba2f6ec494d8810b9e3c0a7b06255c8067 ]

In 'commit 7fe8097cef5f ("tipc: fix nullpointer bug when subscribing
to events")', we terminate the connection if the subscription
creation fails.
In the same commit, the subscription creation result was based on
the value of the subscription pointer (set in the function) instead
of the return code.

Unfortunately, the same function tipc_subscrp_create() handles
subscription cancel request. For a subscription cancellation request,
the subscription pointer cannot be set. Thus if a subscriber has
several subscriptions and cancels any of them, the connection is
terminated.

In this commit, we terminate the connection based on the return value
of tipc_subscrp_create().
Fixes: commit 7fe8097cef5f ("tipc: fix nullpointer bug when subscribing to events")

Reviewed-by: Jon Maloy <jon....@ericsson.com>
Signed-off-by: Parthasarathy Bhuvaragan <parthasarath...@ericsson.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/tipc/subscr.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index 350cca3..69ee2ee 100644
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -289,15 +289,14 @@ static void tipc_subscrb_rcv_cb(struct net *net, int conid,
struct sockaddr_tipc *addr, void *usr_data,
void *buf, size_t len)
{
- struct tipc_subscriber *subscriber = usr_data;
+ struct tipc_subscriber *subscrb = usr_data;
struct tipc_subscription *sub = NULL;
struct tipc_net *tn = net_generic(net, tipc_net_id);

- tipc_subscrp_create(net, (struct tipc_subscr *)buf, subscriber, &sub);
- if (sub)
- tipc_nametbl_subscribe(sub);
- else
- tipc_conn_terminate(tn->topsrv, subscriber->conid);
+ if (tipc_subscrp_create(net, (struct tipc_subscr *)buf, subscrb, &sub))
+ return tipc_conn_terminate(tn->topsrv, subscrb->conid);
+
+ tipc_nametbl_subscribe(sub);
}

/* Handle one request to establish a new subscriber */
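
Review bot: `return tipc_conn_terminate(tn->topsrv, subscrb->conid);` returns an expression from a function declared `static void`; call tipc_conn_terminate() and follow it with a bare return. The rename of subscriber to subscrb is unrelated to the fix and makes the stable backport larger than the logic change needs.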
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:06 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit 919483096bfe75dda338e98d56da91a263746a0a ]

Dmitry reported memory leaks of IP options allocated in
ip_cmsg_send() when/if this function returns an error.

Callers are responsible for the freeing.

Many thanks to Dmitry for the report and diagnostic.

Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/ipv4/ip_sockglue.c | 2 ++
net/ipv4/ping.c | 4 +++-
net/ipv4/raw.c | 4 +++-
net/ipv4/udp.c | 4 +++-
4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 5f73a7c..a501242 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -249,6 +249,8 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
switch (cmsg->cmsg_type) {
case IP_RETOPTS:
err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr));
+
+ /* Our caller is responsible for freeing ipc->opt */
err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg),
err < 40 ? err : 40);
if (err)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 05ff44b..f6ee0d5 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -745,8 +745,10 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)

if (msg->msg_controllen) {
err = ip_cmsg_send(sock_net(sk), msg, &ipc, false);
- if (err)
+ if (unlikely(err)) {
+ kfree(ipc.opt);
return err;
+ }
if (ipc.opt)
free = 1;
}
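
Review bot: kfree(ipc.opt) on the error path is only safe if ipc.opt is NULL whenever ip_cmsg_send() fails before allocating anything. The initialisation of ipc is outside this hunk and should be confirmed; a short comment at the kfree() pointing at it would make the dependency visible.
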
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 561cd4b..c77aac7 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -543,8 +543,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)

if (msg->msg_controllen) {
err = ip_cmsg_send(sock_net(sk), msg, &ipc, false);
- if (err)
+ if (unlikely(err)) {
+ kfree(ipc.opt);
goto out;
+ }
if (ipc.opt)
free = 1;
}
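
Review bot: this error path frees ipc.opt and then jumps to out, while the success path records ownership with `free = 1`. Confirm that the code at out does not touch ipc.opt again when free is still 0, and consider setting ipc.opt = NULL after the kfree() so that stays true if the label's cleanup changes.
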
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 1b8c5ba..a390174 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -963,8 +963,10 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
if (msg->msg_controllen) {
err = ip_cmsg_send(sock_net(sk), msg, &ipc,
sk->sk_family == AF_INET6);
- if (err)
+ if (unlikely(err)) {
+ kfree(ipc.opt);
return err;
+ }
if (ipc.opt)
free = 1;
connected = 0;
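
Review bot: the same three-line cleanup now appears in ping_v4_sendmsg(), raw_sendmsg() and udp_sendmsg(), so any further caller of ip_cmsg_send() has to remember it as well. Freeing ipc->opt inside ip_cmsg_send() on failure, or wrapping the call and the cleanup in one helper, would remove that burden from callers.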
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:06 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Hannes Frederic Sowa <han...@stressinduktion.org>

[ Upstream commit 9a368aff9cb370298fa02feeffa861f2db497c18 ]

Several times already this has been reported as kasan reports caused by
syzkaller and trinity and people always looked at RCU races, but it is
much more simple. :)

In case we bind a pptp socket multiple times, we simply add it to
the callid_sock list but don't remove the old binding. Thus the old
socket stays in the bucket with unused call_id indexes and doesn't get
cleaned up. This causes various forms of kasan reports which were hard
to pinpoint.

Simply don't allow multiple binds and correct error handling in
pptp_bind. Also keep sk_state bits in place in pptp_connect.

Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
Cc: Dmitry Kozlov <x...@mail.ru>
Cc: Sasha Levin <sasha...@oracle.com>
Cc: Dmitry Vyukov <dvy...@google.com>
Reported-by: Dmitry Vyukov <dvy...@google.com>
Cc: Dave Jones <da...@codemonkey.org.uk>
Reported-by: Dave Jones <da...@codemonkey.org.uk>
Signed-off-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ppp/pptp.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index b910cae..f55670b 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -129,24 +129,27 @@ static int lookup_chan_dst(u16 call_id, __be32 d_addr)
return i < MAX_CALLID;
}

-static int add_chan(struct pppox_sock *sock)
+static int add_chan(struct pppox_sock *sock,
+ struct pptp_addr *sa)
{
static int call_id;

spin_lock(&chan_lock);
- if (!sock->proto.pptp.src_addr.call_id) {
+ if (!sa->call_id) {
call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, call_id + 1);
if (call_id == MAX_CALLID) {
call_id = find_next_zero_bit(callid_bitmap, MAX_CALLID, 1);
if (call_id == MAX_CALLID)
goto out_err;
}
- sock->proto.pptp.src_addr.call_id = call_id;
- } else if (test_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap))
+ sa->call_id = call_id;
+ } else if (test_bit(sa->call_id, callid_bitmap)) {
goto out_err;
+ }

- set_bit(sock->proto.pptp.src_addr.call_id, callid_bitmap);
- rcu_assign_pointer(callid_sock[sock->proto.pptp.src_addr.call_id], sock);
+ sock->proto.pptp.src_addr = *sa;
+ set_bit(sa->call_id, callid_bitmap);
+ rcu_assign_pointer(callid_sock[sa->call_id], sock);
spin_unlock(&chan_lock);

return 0;
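
Review bot: add_chan() writes the allocated id back through its argument (`sa->call_id = call_id;`), and pptp_bind() passes &sp->sa_addr.pptp, so the caller's sockaddr is modified as a side effect of binding. Copy *sa into a local before assigning, or document sa as an in/out parameter.
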
@@ -415,7 +418,6 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,
struct sock *sk = sock->sk;
struct sockaddr_pppox *sp = (struct sockaddr_pppox *) uservaddr;
struct pppox_sock *po = pppox_sk(sk);
- struct pptp_opt *opt = &po->proto.pptp;
int error = 0;

if (sockaddr_len < sizeof(struct sockaddr_pppox))
@@ -423,10 +425,22 @@ static int pptp_bind(struct socket *sock, struct sockaddr *uservaddr,

lock_sock(sk);

- opt->src_addr = sp->sa_addr.pptp;
- if (add_chan(po))
+ if (sk->sk_state & PPPOX_DEAD) {
+ error = -EALREADY;
+ goto out;
+ }
+
+ if (sk->sk_state & PPPOX_BOUND) {
error = -EBUSY;
+ goto out;
+ }
+
+ if (add_chan(po, &sp->sa_addr.pptp))
+ error = -EBUSY;
+ else
+ sk->sk_state |= PPPOX_BOUND;

+out:
release_sock(sk);
return error;
}
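
Review bot: an already bound socket (PPPOX_BOUND) and a call_id collision inside add_chan() both end in -EBUSY, so a caller cannot tell a repeated bind from an id that is in use. If the shared errno is deliberate, say so in a comment next to the PPPOX_BOUND test.
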
@@ -497,7 +511,7 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr,
}

opt->dst_addr = sp->sa_addr.pptp;
- sk->sk_state = PPPOX_CONNECTED;
+ sk->sk_state |= PPPOX_CONNECTED;

end:
release_sock(sk);
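
Review bot: with `|=` the state bits now accumulate instead of being replaced, so any test of sk->sk_state that compares for equality would stop matching once PPPOX_BOUND is also set. The checks earlier in pptp_connect() are outside this hunk; confirm that they, and other readers of sk_state in this file, test individual bits.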
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:06 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Jay Vosburgh <jay.vo...@canonical.com>

[ Upstream commit 21a75f0915dde8674708b39abfcda113911c49b1 ]

The current logic in bond_arp_rcv will accept an incoming ARP for
validation if (a) the receiving slave is either "active" (which includes
the currently active slave, or the current ARP slave) or, (b) there is a
currently active slave, and it has received an ARP since it became active.
For case (b), the receiving slave isn't the currently active slave, and is
receiving the original broadcast ARP request, not an ARP reply from the
target.

This logic can fail if there is no currently active slave. In
this situation, the ARP probe logic cycles through all slaves, assigning
each in turn as the "current_arp_slave" for one arp_interval, then setting
that one as "active," and sending an ARP probe from that slave. The
current logic expects the ARP reply to arrive on the sending
current_arp_slave, however, due to switch FDB updating delays, the reply
may be directed to another slave.

This can arise if the bonding slaves and switch are working, but
the ARP target is not responding. When the ARP target recovers, a
condition may result wherein the ARP target host replies faster than the
switch can update its forwarding table, causing each ARP reply to be sent
to the previous current_arp_slave. This will never pass the logic in
bond_arp_rcv, as neither of the above conditions (a) or (b) are met.

Some experimentation on a LAN shows ARP reply round trips in the
200 usec range, but my available switches never update their FDB in less
than 4000 usec.

This patch changes the logic in bond_arp_rcv to additionally
accept an ARP reply for validation on any slave if there is a current ARP
slave and it sent an ARP probe during the previous arp_interval.

Fixes: aeea64ac717a ("bonding: don't trust arp requests unless active slave really works")
Cc: Veaceslav Falico <vfa...@gmail.com>
Cc: Andy Gospodarek <go...@cumulusnetworks.com>
Signed-off-by: Jay Vosburgh <jay.vo...@canonical.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/bonding/bond_main.c | 39 ++++++++++++++++++++++++++++-----------
1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 593dc28..ba0e359 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -214,6 +214,8 @@ static void bond_uninit(struct net_device *bond_dev);
static struct rtnl_link_stats64 *bond_get_stats(struct net_device *bond_dev,
struct rtnl_link_stats64 *stats);
static void bond_slave_arr_handler(struct work_struct *work);
+static bool bond_time_in_interval(struct bonding *bond, unsigned long last_act,
+ int mod);

/*---------------------------- General routines -----------------------------*/

@@ -2420,7 +2422,7 @@ int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
struct slave *slave)
{
struct arphdr *arp = (struct arphdr *)skb->data;
- struct slave *curr_active_slave;
+ struct slave *curr_active_slave, *curr_arp_slave;
unsigned char *arp_ptr;
__be32 sip, tip;
int alen, is_arp = skb->protocol == __cpu_to_be16(ETH_P_ARP);
@@ -2467,26 +2469,41 @@ int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
&sip, &tip);

curr_active_slave = rcu_dereference(bond->curr_active_slave);
+ curr_arp_slave = rcu_dereference(bond->current_arp_slave);

- /* Backup slaves won't see the ARP reply, but do come through
- * here for each ARP probe (so we swap the sip/tip to validate
- * the probe). In a "redundant switch, common router" type of
- * configuration, the ARP probe will (hopefully) travel from
- * the active, through one switch, the router, then the other
- * switch before reaching the backup.
+ /* We 'trust' the received ARP enough to validate it if:
+ *
+ * (a) the slave receiving the ARP is active (which includes the
+ * current ARP slave, if any), or
+ *
+ * (b) the receiving slave isn't active, but there is a currently
+ * active slave and it received valid arp reply(s) after it became
+ * the currently active slave, or
+ *
+ * (c) there is an ARP slave that sent an ARP during the prior ARP
+ * interval, and we receive an ARP reply on any slave. We accept
+ * these because switch FDB update delays may deliver the ARP
+ * reply to a slave other than the sender of the ARP request.
*
- * We 'trust' the arp requests if there is an active slave and
- * it received valid arp reply(s) after it became active. This
- * is done to avoid endless looping when we can't reach the
+ * Note: for (b), backup slaves are receiving the broadcast ARP
+ * request, not a reply. This request passes from the sending
+ * slave through the L2 switch(es) to the receiving slave. Since
+ * this is checking the request, sip/tip are swapped for
+ * validation.
+ *
+ * This is done to avoid endless looping when we can't reach the
* arp_ip_target and fool ourselves with our own arp requests.
*/
-
if (bond_is_active_slave(slave))
bond_validate_arp(bond, slave, sip, tip);
else if (curr_active_slave &&
time_after(slave_last_rx(bond, curr_active_slave),
curr_active_slave->last_link_up))
bond_validate_arp(bond, slave, tip, sip);
+ else if (curr_arp_slave && (arp->ar_op == htons(ARPOP_REPLY)) &&
+ bond_time_in_interval(bond,
+ dev_trans_start(curr_arp_slave->dev), 1))
+ bond_validate_arp(bond, slave, sip, tip);

out_unlock:
if (arp != (struct arphdr *)skb->data)
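
Review bot: case (c) widens what is accepted for validation to an ARP reply arriving on any slave, gated only on dev_trans_start() of curr_arp_slave falling inside the interval, and the literal 1 passed as the last argument of bond_time_in_interval() is unexplained. Name or comment that interval count, and note in the block comment that the reply is still passed to bond_validate_arp() with sip/tip, so the reader can see the wider acceptance is bounded by that call.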
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Toshi Kani <toshi...@hpe.com>

commit a82eee7424525e34e98d821dd059ce14560a1e35 upstream.

Data corruption issues were observed in tests which initiated
a system crash/reset while accessing BTT devices. This problem
is reproducible.

The BTT driver calls pmem_rw_bytes() to update data in pmem
devices. This interface calls __copy_user_nocache(), which
uses non-temporal stores so that the stores to pmem are
persistent.

__copy_user_nocache() uses non-temporal stores when a request
size is 8 bytes or larger (and is aligned by 8 bytes). The
BTT driver updates the BTT map table, whose entry size is
4 bytes. Therefore, updates to the map table entries remain
cached, and are not written to pmem after a crash.

Change __copy_user_nocache() to use non-temporal store when
a request size is 4 bytes. The change extends the current
byte-copy path for a less-than-8-bytes request, and does not
add any overhead to the regular path.

Reported-and-tested-by: Micah Parrish <micah....@hpe.com>
Reported-and-tested-by: Brian Boylston <brian.b...@hpe.com>
Signed-off-by: Toshi Kani <toshi...@hpe.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Andy Lutomirski <lu...@amacapital.net>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Borislav Petkov <b...@suse.de>
Cc: Brian Gerst <brg...@gmail.com>
Cc: Dan Williams <dan.j.w...@intel.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Luis R. Rodriguez <mcg...@suse.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Ross Zwisler <ross.z...@linux.intel.com>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Toshi Kani <toshi...@hp.com>
Cc: Vishal Verma <vishal....@intel.com>
Cc: linux-...@lists.01.org
Link: http://lkml.kernel.org/r/1455225857-12039-3-git...@hpe.com
[ Small readability edits. ]
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/x86/lib/copy_user_64.S | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
index a644aad..27f89c7 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -237,13 +237,14 @@ ENDPROC(copy_user_enhanced_fast_string)
* Note: Cached memory copy is used when destination or size is not
* naturally aligned. That is:
* - Require 8-byte alignment when size is 8 bytes or larger.
+ * - Require 4-byte alignment when size is 4 bytes.
*/
ENTRY(__copy_user_nocache)
ASM_STAC

- /* If size is less than 8 bytes, go to byte copy */
+ /* If size is less than 8 bytes, go to 4-byte copy */
cmpl $8,%edx
- jb .L_1b_cache_copy_entry
+ jb .L_4b_nocache_copy_entry

/* If destination is not 8-byte aligned, "cache" copy to align it */
ALIGN_DESTINATION
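Review bot: the added header comment line "Require 4-byte alignment when size is 4 bytes" is narrower than what the changed branch does, because `jb .L_4b_nocache_copy_entry` is taken for every size below 8, not only for 4. Suggest wording the comment to cover sizes 4 to 7 and to say which part of such a request is stored non-temporally, so callers that depend on persistence know what they get.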
@@ -282,7 +283,7 @@ ENTRY(__copy_user_nocache)
movl %edx,%ecx
andl $7,%edx
shrl $3,%ecx
- jz .L_1b_cache_copy_entry /* jump if count is 0 */
+ jz .L_4b_nocache_copy_entry /* jump if count is 0 */

/* Perform 8-byte nocache loop-copy */
.L_8b_nocache_copy_loop:
@@ -294,11 +295,33 @@ ENTRY(__copy_user_nocache)
jnz .L_8b_nocache_copy_loop

/* If no byte left, we're done */
-.L_1b_cache_copy_entry:
+.L_4b_nocache_copy_entry:
+ andl %edx,%edx
+ jz .L_finish_copy
+
+ /* If destination is not 4-byte aligned, go to byte copy: */
+ movl %edi,%ecx
+ andl $3,%ecx
+ jnz .L_1b_cache_copy_entry
+
+ /* Set 4-byte copy count (1 or 0) and remainder */
+ movl %edx,%ecx
+ andl $3,%edx
+ shrl $2,%ecx
+ jz .L_1b_cache_copy_entry /* jump if count is 0 */
+
+ /* Perform 4-byte nocache copy: */
+30: movl (%rsi),%r8d
+31: movnti %r8d,(%rdi)
+ leaq 4(%rsi),%rsi
+ leaq 4(%rdi),%rdi
+
+ /* If no bytes left, we're done: */
andl %edx,%edx
jz .L_finish_copy

/* Perform byte "cache" loop-copy for the remainder */
+.L_1b_cache_copy_entry:
movl %edx,%ecx
.L_1b_cache_copy_loop:
40: movb (%rsi),%al
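Review bot: in the `.L_4b_nocache_copy_entry` block, a destination that fails the `andl $3,%ecx` test, and the 1 to 3 bytes left over after the single `movnti`, both end up in the byte "cache" loop, so that data is still written with cached stores. Since the commit message is about map entries staying cached across a crash, the comment at `.L_1b_cache_copy_entry` should say so explicitly, and it is worth confirming that the BTT map update always issues a 4-byte aligned, 4-byte sized request.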
@@ -323,6 +346,9 @@ ENTRY(__copy_user_nocache)
.L_fixup_8b_copy:
lea (%rdx,%rcx,8),%rdx
jmp .L_fixup_handle_tail
+.L_fixup_4b_copy:
+ lea (%rdx,%rcx,4),%rdx
+ jmp .L_fixup_handle_tail
.L_fixup_1b_copy:
movl %ecx,%edx
.L_fixup_handle_tail:
@@ -348,6 +374,8 @@ ENTRY(__copy_user_nocache)
_ASM_EXTABLE(16b,.L_fixup_4x8b_copy)
_ASM_EXTABLE(20b,.L_fixup_8b_copy)
_ASM_EXTABLE(21b,.L_fixup_8b_copy)
+ _ASM_EXTABLE(30b,.L_fixup_4b_copy)
+ _ASM_EXTABLE(31b,.L_fixup_4b_copy)
_ASM_EXTABLE(40b,.L_fixup_1b_copy)
_ASM_EXTABLE(41b,.L_fixup_1b_copy)
ENDPROC(__copy_user_nocache)
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit 44c3d0c1c0a880354e9de5d94175742e2c7c9683 ]

Silence lockdep false positive about rcu_dereference() being
used in the wrong context.

First one should use rcu_dereference_protected() as we own the spinlock.

Second one should be a normal assignation, as no barrier is needed.

Fixes: 18367681a10bd ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
Reported-by: Dave Jones <da...@codemonkey.org.uk>
Signed-off-by: Eric Dumazet <edum...@google.com>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/ipv6/ip6_flowlabel.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 1f9ebe3..dc2db4f 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -540,12 +540,13 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
}
spin_lock_bh(&ip6_sk_fl_lock);
for (sflp = &np->ipv6_fl_list;
- (sfl = rcu_dereference(*sflp)) != NULL;
+ (sfl = rcu_dereference_protected(*sflp,
+ lockdep_is_held(&ip6_sk_fl_lock))) != NULL;
sflp = &sfl->next) {
if (sfl->fl->label == freq.flr_label) {
if (freq.flr_label == (np->flow_label&IPV6_FLOWLABEL_MASK))
np->flow_label &= ~IPV6_FLOWLABEL_MASK;
- *sflp = rcu_dereference(sfl->next);
+ *sflp = sfl->next;
spin_unlock_bh(&ip6_sk_fl_lock);
fl_release(sfl->fl);
kfree_rcu(sfl, rcu);
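Review bot: `*sflp = sfl->next;` now uses no RCU accessor at all, and nothing in the code says why that is safe. A one-line comment there, saying that the successor is already visible to readers and unlinking needs no barrier (as the commit message explains), would keep a later cleanup from converting it back to `rcu_dereference()` or to `rcu_assign_pointer()`. The `rcu_dereference_protected()` with `lockdep_is_held(&ip6_sk_fl_lock)` in the loop header matches the `spin_lock_bh()` taken just above it.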
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Marcelo Ricardo Leitner <marcelo...@gmail.com>

[ Upstream commit 27f7ed2b11d42ab6d796e96533c2076ec220affc ]

This patch extends commit b93d6471748d ("sctp: implement the sender side
for SACK-IMMEDIATELY extension") as it didn't white list
SCTP_SACK_IMMEDIATELY on sctp_msghdr_parse(), causing it to be
understood as an invalid flag and returning -EINVAL to the application.

Note that the actual handling of the flag is already there in
sctp_datamsg_from_user().

https://tools.ietf.org/html/rfc7053#section-7

Fixes: b93d6471748d ("sctp: implement the sender side for SACK-IMMEDIATELY extension")
Signed-off-by: Marcelo Ricardo Leitner <marcelo...@gmail.com>
Acked-by: Vlad Yasevich <vyas...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/sctp/socket.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9dee804..fb5c86b 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -6641,6 +6641,7 @@ static int sctp_msghdr_parse(const struct msghdr *msg, sctp_cmsgs_t *cmsgs)

if (cmsgs->srinfo->sinfo_flags &
~(SCTP_UNORDERED | SCTP_ADDR_OVER |
+ SCTP_SACK_IMMEDIATELY |
SCTP_ABORT | SCTP_EOF))
return -EINVAL;
break;
@@ -6664,6 +6665,7 @@ static int sctp_msghdr_parse(const struct msghdr *msg, sctp_cmsgs_t *cmsgs)

if (cmsgs->sinfo->snd_flags &
~(SCTP_UNORDERED | SCTP_ADDR_OVER |
+ SCTP_SACK_IMMEDIATELY |
SCTP_ABORT | SCTP_EOF))
return -EINVAL;
break;
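Review bot: the allowed-flags mask is now spelled out twice with identical contents, once for `cmsgs->srinfo->sinfo_flags` in the previous hunk and once for `cmsgs->sinfo->snd_flags` here, and the bug being fixed is a flag that was handled elsewhere but missing from these lists. Consider a single named mask used by both checks, so the next flag cannot be added to one list and forgotten in the other.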
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Alexander Duyck <adu...@mirantis.com>

[ Upstream commit 461547f3158978c180d74484d58e82be9b8e7357, since
we lack the flow dissector flags in this release we guard the
flow label access using a test on 'skb' being NULL ]

This patch fixes an issue with unaligned accesses when using
eth_get_headlen on a page that was DMA aligned instead of being IP aligned.
The fact is when trying to check the length we don't need to be looking at
the flow label so we can reorder the checks to first check if we are
supposed to gather the flow label and then make the call to actually get
it.

v2: Updated path so that either STOP_AT_FLOW_LABEL or KEY_FLOW_LABEL can
cause us to check for the flow label.

Reported-by: Sowmini Varadhan <sowmini....@oracle.com>
Signed-off-by: Alexander Duyck <adu...@mirantis.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/core/flow_dissector.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 2a834c6..bb98f8b 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -192,7 +192,6 @@ ip:
case htons(ETH_P_IPV6): {
const struct ipv6hdr *iph;
struct ipv6hdr _iph;
- __be32 flow_label;

ipv6:
iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
@@ -214,8 +213,9 @@ ipv6:
key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
}

- flow_label = ip6_flowlabel(iph);
- if (flow_label) {
+ if (skb && ip6_flowlabel(iph)) {
+ __be32 flow_label = ip6_flowlabel(iph);
+
if (skb_flow_dissector_uses_key(flow_dissector,
FLOW_DISSECTOR_KEY_FLOW_LABEL)) {
key_tags = skb_flow_dissector_target(flow_dissector,
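Review bot: `if (skb && ip6_flowlabel(iph))` adds a `skb` test that exists only in this backport, and the code carries no comment explaining it. With `skb == NULL` the flow label is now skipped even when the caller asked for `FLOW_DISSECTOR_KEY_FLOW_LABEL`; please confirm that is intended for callers that pass only `data`, and add a short comment saying the test stands in for the flow dissector flags this release lacks. `ip6_flowlabel(iph)` is also evaluated twice, which assigning the local inside the `skb` check would avoid.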
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ursula Braun <ursula...@de.ibm.com>

[ Upstream commit 52a82e23b9f2a9e1d429c5207f8575784290d008 ]

Signed-off-by: Ursula Braun <ursula...@de.ibm.com>
Reported-by: Dmitry Vyukov <dvy...@google.com>
Reviewed-by: Evgeny Cherkashin <Eugene....@ru.ibm.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/iucv/af_iucv.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 918151c..3a743d8e 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -709,6 +709,9 @@ static int iucv_sock_bind(struct socket *sock, struct sockaddr *addr,
if (!addr || addr->sa_family != AF_IUCV)
return -EINVAL;

+ if (addr_len < sizeof(struct sockaddr_iucv))
+ return -EINVAL;
+
lock_sock(sk);
if (sk->sk_state != IUCV_OPEN) {
err = -EBADFD;
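Review bot: the new `addr_len < sizeof(struct sockaddr_iucv)` check comes after `addr->sa_family` has already been read in the `if` just above it, so the family comparison still runs on an address whose length has not been validated. Suggest testing the length first, or folding it into the same condition, so no field of `addr` is examined before its size is known. The commit message has no description; one sentence on what a short `addr_len` leads to would help stable reviewers.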
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit ff5d749772018602c47509bdc0093ff72acd82ec ]

With some combinations of user provided flags in netlink command,
it is possible to call tcp_get_info() with a buffer that is not 8-bytes
aligned.

It does matter on some arches, so we need to use put_unaligned() to
store the u64 fields.

Current iproute2 package does not trigger this particular issue.

Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
Fixes: 977cb0ecf82e ("tcp: add pacing_rate information into tcp_info")
Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/ipv4/tcp.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 45534a5..a7b4cf6 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -279,6 +279,7 @@

#include <asm/uaccess.h>
#include <asm/ioctls.h>
+#include <asm/unaligned.h>
#include <net/busy_poll.h>

int sysctl_tcp_fin_timeout __read_mostly = TCP_FIN_TIMEOUT;
@@ -2634,6 +2635,7 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info)
const struct inet_connection_sock *icsk = inet_csk(sk);
u32 now = tcp_time_stamp;
unsigned int start;
+ u64 rate64;
u32 rate;

memset(info, 0, sizeof(*info));
@@ -2698,15 +2700,17 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info)
info->tcpi_total_retrans = tp->total_retrans;

rate = READ_ONCE(sk->sk_pacing_rate);
- info->tcpi_pacing_rate = rate != ~0U ? rate : ~0ULL;
+ rate64 = rate != ~0U ? rate : ~0ULL;
+ put_unaligned(rate64, &info->tcpi_pacing_rate);

rate = READ_ONCE(sk->sk_max_pacing_rate);
- info->tcpi_max_pacing_rate = rate != ~0U ? rate : ~0ULL;
+ rate64 = rate != ~0U ? rate : ~0ULL;
+ put_unaligned(rate64, &info->tcpi_max_pacing_rate);

do {
start = u64_stats_fetch_begin_irq(&tp->syncp);
- info->tcpi_bytes_acked = tp->bytes_acked;
- info->tcpi_bytes_received = tp->bytes_received;
+ put_unaligned(tp->bytes_acked, &info->tcpi_bytes_acked);
+ put_unaligned(tp->bytes_received, &info->tcpi_bytes_received);
} while (u64_stats_fetch_retry_irq(&tp->syncp, start));
info->tcpi_segs_out = tp->segs_out;
info->tcpi_segs_in = tp->segs_in;
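Review bot: only the four u64 stores visible here are converted, and nothing next to them records that `info` may not be 8-byte aligned. A comment above the first `put_unaligned()` stating that assumption would make it clear that any u64 field added to `struct tcp_info` later needs the same treatment. The expression `rate != ~0U ? rate : ~0ULL` is also repeated for both pacing rates and could be a small helper.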
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Toshi Kani <toshi...@hpe.com>

commit f4eafd8bcd5229e998aa252627703b8462c3b90f upstream.

A kernel page fault oops with the callstack below was observed
when a read syscall was made to a pmem device after a huge amount
(>512GB) of vmalloc ranges was allocated by ioremap() on a x86_64
system:

BUG: unable to handle kernel paging request at ffff880840000ff8
IP: vmalloc_fault+0x1be/0x300
PGD c7f03a067 PUD 0
Oops: 0000 [#1] SM
Call Trace:
__do_page_fault+0x285/0x3e0
do_page_fault+0x2f/0x80
? put_prev_entity+0x35/0x7a0
page_fault+0x28/0x30
? memcpy_erms+0x6/0x10
? schedule+0x35/0x80
? pmem_rw_bytes+0x6a/0x190 [nd_pmem]
? schedule_timeout+0x183/0x240
btt_log_read+0x63/0x140 [nd_btt]
:
? __symbol_put+0x60/0x60
? kernel_read+0x50/0x80
SyS_finit_module+0xb9/0xf0
entry_SYSCALL_64_fastpath+0x1a/0xa4

Since v4.1, ioremap() supports large page (pud/pmd) mappings in
x86_64 and PAE. vmalloc_fault() however assumes that the vmalloc
range is limited to pte mappings.

vmalloc faults do not normally happen in ioremap'd ranges since
ioremap() sets up the kernel page tables, which are shared by
user processes. pgd_ctor() sets the kernel's PGD entries to
user's during fork(). When allocation of the vmalloc ranges
crosses a 512GB boundary, ioremap() allocates a new pud table
and updates the kernel PGD entry to point it. If user process's
PGD entry does not have this update yet, a read/write syscall
to the range will cause a vmalloc fault, which hits the Oops
above as it does not handle a large page properly.

Following changes are made to vmalloc_fault().

64-bit:

- No change for the PGD sync operation as it handles large
pages already.
- Add pud_huge() and pmd_huge() to the validation code to
handle large pages.
- Change pud_page_vaddr() to pud_pfn() since an ioremap range
is not directly mapped (while the if-statement still works
with a bogus addr).
- Change pmd_page() to pmd_pfn() since an ioremap range is not
backed by struct page (while the if-statement still works
with a bogus addr).

32-bit:
- No change for the sync operation since the index3 PGD entry
covers the entire vmalloc range, which is always valid.
(A separate change to sync PGD entry is necessary if this
memory layout is changed regardless of the page size.)
- Add pmd_huge() to the validation code to handle large pages.
This is for completeness since vmalloc_fault() won't happen
in ioremap'd ranges as its PGD entry is always valid.

Reported-by: Henning Schild <henning...@siemens.com>
Signed-off-by: Toshi Kani <toshi...@hpe.com>
Acked-by: Borislav Petkov <b...@alien8.de>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Andy Lutomirski <lu...@amacapital.net>
Cc: Brian Gerst <brg...@gmail.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Luis R. Rodriguez <mcg...@suse.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Toshi Kani <toshi...@hp.com>
Cc: linu...@kvack.org
Cc: linux-...@lists.01.org
Link: http://lkml.kernel.org/r/1455758214-24623-1-git...@hpe.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/x86/mm/fault.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 9dc9098..1d3beaf 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -286,6 +286,9 @@ static noinline int vmalloc_fault(unsigned long address)
if (!pmd_k)
return -1;

+ if (pmd_huge(*pmd_k))
+ return 0;
+
pte_k = pte_offset_kernel(pmd_k, address);
if (!pte_present(*pte_k))
return -1;
@@ -357,8 +360,6 @@ void vmalloc_sync_all(void)
* 64-bit:
*
* Handle a fault on the vmalloc area
- *
- * This assumes no large pages in there.
*/
static noinline int vmalloc_fault(unsigned long address)
{
@@ -400,17 +401,23 @@ static noinline int vmalloc_fault(unsigned long address)
if (pud_none(*pud_ref))
return -1;

- if (pud_none(*pud) || pud_page_vaddr(*pud) != pud_page_vaddr(*pud_ref))
+ if (pud_none(*pud) || pud_pfn(*pud) != pud_pfn(*pud_ref))
BUG();

+ if (pud_huge(*pud))
+ return 0;
+
pmd = pmd_offset(pud, address);
pmd_ref = pmd_offset(pud_ref, address);
if (pmd_none(*pmd_ref))
return -1;

- if (pmd_none(*pmd) || pmd_page(*pmd) != pmd_page(*pmd_ref))
+ if (pmd_none(*pmd) || pmd_pfn(*pmd) != pmd_pfn(*pmd_ref))
BUG();

+ if (pmd_huge(*pmd))
+ return 0;
+
pte_ref = pte_offset_kernel(pmd_ref, address);
if (!pte_present(*pte_ref))
return -1;
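Review bot: the two new early returns, `if (pud_huge(*pud)) return 0;` and `if (pmd_huge(*pmd)) return 0;`, carry no comment, while the previous hunk deletes the only remark about large pages in the function header. Suggest replacing the deleted line with one saying that large pud/pmd mappings are handled and end the walk early. Since the commit message ties these mappings to ioremap() rather than to hugetlbfs, it is also worth confirming that `pud_huge()` and `pmd_huge()` report a large entry in every configuration this stable tree builds.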
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paolo Abeni <pab...@redhat.com>

[ Upstream commit 6f21c96a78b835259546d8f3fb4edff0f651d478 ]

The current implementation of ip6_dst_lookup_tail basically
ignores the egress ifindex match: if the saddr is set,
ip6_route_output() purposefully ignores flowi6_oif, due
to the commit d46a9d678e4c ("net: ipv6: Dont add RT6_LOOKUP_F_IFACE
flag if saddr set"), if the saddr is 'any' the first route lookup
in ip6_dst_lookup_tail fails, but upon failure a second lookup will
be performed with saddr set, thus ignoring the ifindex constraint.

This commit adds an output route lookup function variant, which
allows the caller to specify lookup flags, and modify
ip6_dst_lookup_tail() to enforce the ifindex match on the second
lookup via said helper.

ip6_route_output() now becomes a static inline function built on
top of ip6_route_output_flags(); as a side effect, out-of-tree
modules need now a GPL license to access the output route lookup
functionality.

Signed-off-by: Paolo Abeni <pab...@redhat.com>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Acked-by: David Ahern <d...@cumulusnetworks.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
include/net/ip6_route.h | 12 ++++++++++--
net/ipv6/ip6_output.c | 6 +++++-
net/ipv6/route.c | 8 +++-----
3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
index 297629a..bc5013c 100644
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -64,8 +64,16 @@ static inline bool rt6_need_strict(const struct in6_addr *daddr)

void ip6_route_input(struct sk_buff *skb);

-struct dst_entry *ip6_route_output(struct net *net, const struct sock *sk,
- struct flowi6 *fl6);
+struct dst_entry *ip6_route_output_flags(struct net *net, const struct sock *sk,
+ struct flowi6 *fl6, int flags);
+
+static inline struct dst_entry *ip6_route_output(struct net *net,
+ const struct sock *sk,
+ struct flowi6 *fl6)
+{
+ return ip6_route_output_flags(net, sk, fl6, 0);
+}
+
struct dst_entry *ip6_route_lookup(struct net *net, struct flowi6 *fl6,
int flags);

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 18382b0..8a94048 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -890,6 +890,7 @@ static int ip6_dst_lookup_tail(struct sock *sk,
struct rt6_info *rt;
#endif
int err;
+ int flags = 0;

/* The correct way to handle this would be to do
* ip6_route_get_saddr, and then ip6_route_output; however,
@@ -921,10 +922,13 @@ static int ip6_dst_lookup_tail(struct sock *sk,
dst_release(*dst);
*dst = NULL;
}
+
+ if (fl6->flowi6_oif)
+ flags |= RT6_LOOKUP_F_IFACE;
}

if (!*dst)
- *dst = ip6_route_output(net, sk, fl6);
+ *dst = ip6_route_output_flags(net, sk, fl6, flags);

err = (*dst)->error;
if (err)
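Review bot: `flags |= RT6_LOOKUP_F_IFACE` sits inside the block that closes on the following line, so the ifindex match is enforced only on that path, and the reason is not stated in the code. A short comment at the `if (fl6->flowi6_oif)` test, saying that the lookup below would otherwise ignore `flowi6_oif` once a source address is set, would save the next reader from having to dig out the commit message.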
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 8478719..e36b7fe 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1181,11 +1181,9 @@ static struct rt6_info *ip6_pol_route_output(struct net *net, struct fib6_table
return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags);
}

-struct dst_entry *ip6_route_output(struct net *net, const struct sock *sk,
- struct flowi6 *fl6)
+struct dst_entry *ip6_route_output_flags(struct net *net, const struct sock *sk,
+ struct flowi6 *fl6, int flags)
{
- int flags = 0;
-
fl6->flowi6_iif = LOOPBACK_IFINDEX;

if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl6->daddr))
@@ -1198,7 +1196,7 @@ struct dst_entry *ip6_route_output(struct net *net, const struct sock *sk,

return fib6_rule_lookup(net, fl6, flags, ip6_pol_route_output);
}
-EXPORT_SYMBOL(ip6_route_output);
+EXPORT_SYMBOL_GPL(ip6_route_output_flags);

struct dst_entry *ip6_blackhole_route(struct net *net, struct dst_entry *dst_orig)
{
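Review bot: `EXPORT_SYMBOL(ip6_route_output)` is replaced by `EXPORT_SYMBOL_GPL(ip6_route_output_flags)`, which changes what modules can link against; the commit message mentions this only as a side effect. For a -stable update that deserves an explicit ack, since a non-GPL out-of-tree module that called `ip6_route_output()` before this update will no longer resolve the symbol it needs.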
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit e62a123b8ef7c5dc4db2c16383d506860ad21b47 ]

Neal reported crashes with this stack trace :

RIP: 0010:[<ffffffff8c57231b>] tcp_v4_send_ack+0x41/0x20f
...
CR2: 0000000000000018 CR3: 000000044005c000 CR4: 00000000001427e0
...
[<ffffffff8c57258e>] tcp_v4_reqsk_send_ack+0xa5/0xb4
[<ffffffff8c1a7caa>] tcp_check_req+0x2ea/0x3e0
[<ffffffff8c19e420>] tcp_rcv_state_process+0x850/0x2500
[<ffffffff8c1a6d21>] tcp_v4_do_rcv+0x141/0x330
[<ffffffff8c56cdb2>] sk_backlog_rcv+0x21/0x30
[<ffffffff8c098bbd>] tcp_recvmsg+0x75d/0xf90
[<ffffffff8c0a8700>] inet_recvmsg+0x80/0xa0
[<ffffffff8c17623e>] sock_aio_read+0xee/0x110
[<ffffffff8c066fcf>] do_sync_read+0x6f/0xa0
[<ffffffff8c0673a1>] SyS_read+0x1e1/0x290
[<ffffffff8c5ca262>] system_call_fastpath+0x16/0x1b

The problem here is the skb we provide to tcp_v4_send_ack() had to
be parked in the backlog of a new TCP fastopen child because this child
was owned by the user at the time an out of window packet arrived.

Before queuing a packet, TCP has to set skb->dev to NULL as the device
could disappear before packet is removed from the queue.

Fix this issue by using the net pointer provided by the socket (being a
timewait or a request socket).

IPv6 is immune to the bug : tcp_v6_send_response() already gets the net
pointer from the socket if provided.

Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
Reported-by: Neal Cardwell <ncar...@google.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Jerry Chu <hk...@google.com>
Cc: Yuchung Cheng <ych...@google.com>
Acked-by: Neal Cardwell <ncar...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/ipv4/tcp_ipv4.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index b78df51..236b76f 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -705,7 +705,8 @@ release_sk1:
outside socket context is ugly, certainly. What can I do?
*/

-static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
+static void tcp_v4_send_ack(struct net *net,
+ struct sk_buff *skb, u32 seq, u32 ack,
u32 win, u32 tsval, u32 tsecr, int oif,
struct tcp_md5sig_key *key,
int reply_flags, u8 tos)
@@ -720,7 +721,6 @@ static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
];
} rep;
struct ip_reply_arg arg;
- struct net *net = dev_net(skb_dst(skb)->dev);

memset(&rep.th, 0, sizeof(struct tcphdr));
memset(&arg, 0, sizeof(arg));
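Review bot: removing `struct net *net = dev_net(skb_dst(skb)->dev);` addresses the crash, but the function gives no hint why `net` is now a parameter. Suggest a comment in `tcp_v4_send_ack()` noting that the skb may have been parked on a backlog and must not be used to derive the namespace; otherwise the same dereference is likely to come back in a later cleanup. The rest of the function is not shown in this hunk, so it should also be checked for other uses of `skb->dev` or `skb_dst(skb)`.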
@@ -782,7 +782,8 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb)
struct inet_timewait_sock *tw = inet_twsk(sk);
struct tcp_timewait_sock *tcptw = tcp_twsk(sk);

- tcp_v4_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
+ tcp_v4_send_ack(sock_net(sk), skb,
+ tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
tcp_time_stamp + tcptw->tw_ts_offset,
tcptw->tw_ts_recent,
@@ -801,8 +802,10 @@ static void tcp_v4_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
* sk->sk_state == TCP_SYN_RECV -> for Fast Open.
*/
- tcp_v4_send_ack(skb, (sk->sk_state == TCP_LISTEN) ?
- tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
+ u32 seq = (sk->sk_state == TCP_LISTEN) ? tcp_rsk(req)->snt_isn + 1 :
+ tcp_sk(sk)->snd_nxt;
+
+ tcp_v4_send_ack(sock_net(sk), skb, seq,
tcp_rsk(req)->rcv_nxt, req->rcv_wnd,
tcp_time_stamp,
req->ts_recent,
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Hannes Frederic Sowa <han...@stressinduktion.org>

[ Upstream commit 415e3d3e90ce9e18727e8843ae343eda5a58fad6 ]

The commit referenced in the Fixes tag incorrectly accounted the number
of in-flight fds over a unix domain socket to the original opener
of the file-descriptor. This allows another process to arbitrarily
deplete the original file-openers resource limit for the maximum of
open files. Instead the sending processes and its struct cred should
be credited.

To do so, we add a reference counted struct user_struct pointer to the
scm_fp_list and use it to account for the number of inflight unix fds.

Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
Reported-by: David Herrmann <dh.he...@gmail.com>
Cc: David Herrmann <dh.he...@gmail.com>
Cc: Willy Tarreau <w...@1wt.eu>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Suggested-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
include/net/af_unix.h | 4 ++--
include/net/scm.h | 1 +
net/core/scm.c | 7 +++++++
net/unix/af_unix.c | 4 ++--
net/unix/garbage.c | 8 ++++----
5 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 49c7683..cdb0a93 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -6,8 +6,8 @@
#include <linux/mutex.h>
#include <net/sock.h>

-void unix_inflight(struct file *fp);
-void unix_notinflight(struct file *fp);
+void unix_inflight(struct user_struct *user, struct file *fp);
+void unix_notinflight(struct user_struct *user, struct file *fp);
void unix_gc(void);
void wait_for_unix_gc(void);
struct sock *unix_get_socket(struct file *filp);
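Review bot: the new `struct user_struct *user` argument on `unix_inflight()` and `unix_notinflight()` is undocumented, and the accounting is only balanced if both calls for a given fd receive the same user. A comment on the prototypes saying that the user is the sender recorded in the `scm_fp_list`, not the opener of `fp`, would make that contract explicit.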
diff --git a/include/net/scm.h b/include/net/scm.h
index 262532d..59fa93c 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -21,6 +21,7 @@ struct scm_creds {
struct scm_fp_list {
short count;
short max;
+ struct user_struct *user;
struct file *fp[SCM_MAX_FD];
};

diff --git a/net/core/scm.c b/net/core/scm.c
index 8a1741b..dce0acb 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
*fplp = fpl;
fpl->count = 0;
fpl->max = SCM_MAX_FD;
+ fpl->user = NULL;
}
fpp = &fpl->fp[fpl->count];

@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
*fpp++ = file;
fpl->count++;
}
+
+ if (!fpl->user)
+ fpl->user = get_uid(current_user());
+
return num;
}

@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm)
scm->fp = NULL;
for (i=fpl->count-1; i>=0; i--)
fput(fpl->fp[i]);
+ free_uid(fpl->user);
kfree(fpl);
}
}
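Review bot: `free_uid(fpl->user)` can be reached while `fpl->user` is still NULL, because `scm_fp_copy()` sets it to NULL when the list is allocated and assigns it only in its last statement before `return num`. Please confirm `free_uid()` accepts a NULL pointer, or guard the call.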
@@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
for (i = 0; i < fpl->count; i++)
get_file(fpl->fp[i]);
new_fpl->max = new_fpl->count;
+ new_fpl->user = get_uid(fpl->user);
}
return new_fpl;
}
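Review bot: `new_fpl->user = get_uid(fpl->user);` takes a reference without checking for NULL, while `scm_fp_copy()` leaves `user` unset until its final statement. Please confirm that no list can reach `scm_fp_dup()` before `user` has been assigned, or handle the NULL case here.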
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 7f4cc3e..7c29ec3 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1495,7 +1495,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
UNIXCB(skb).fp = NULL;

for (i = scm->fp->count-1; i >= 0; i--)
- unix_notinflight(scm->fp->fp[i]);
+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
}

static void unix_destruct_scm(struct sk_buff *skb)
@@ -1560,7 +1560,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
return -ENOMEM;

for (i = scm->fp->count - 1; i >= 0; i--)
- unix_inflight(scm->fp->fp[i]);
+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
return max_level;
}

diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 8fcdc22..6a0d485 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp)
* descriptor if it is for an AF_UNIX socket.
*/

-void unix_inflight(struct file *fp)
+void unix_inflight(struct user_struct *user, struct file *fp)
{
struct sock *s = unix_get_socket(fp);

@@ -133,11 +133,11 @@ void unix_inflight(struct file *fp)
}
unix_tot_inflight++;
}
- fp->f_cred->user->unix_inflight++;
+ user->unix_inflight++;
spin_unlock(&unix_gc_lock);
}

-void unix_notinflight(struct file *fp)
+void unix_notinflight(struct user_struct *user, struct file *fp)
{
struct sock *s = unix_get_socket(fp);

@@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp)
list_del_init(&u->link);
unix_tot_inflight--;
}
- fp->f_cred->user->unix_inflight--;
+ user->unix_inflight--;
spin_unlock(&unix_gc_lock);
}

--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "suba...@codeaurora.org" <suba...@codeaurora.org>

[ Upstream commit 16186a82de1fdd868255448274e64ae2616e2640 ]

A rcu stall with the following backtrace was seen on a system with
forwarding, optimistic_dad and use_optimistic set. To reproduce,
set these flags and allow ipv6 autoconf.

This occurs because the device write_lock is acquired while already
holding the read_lock. Back trace below -

INFO: rcu_preempt self-detected stall on CPU { 1} (t=2100 jiffies
g=3992 c=3991 q=4471)
<6> Task dump for CPU 1:
<2> kworker/1:0 R running task 12168 15 2 0x00000002
<2> Workqueue: ipv6_addrconf addrconf_dad_work
<6> Call trace:
<2> [<ffffffc000084da8>] el1_irq+0x68/0xdc
<2> [<ffffffc000cc4e0c>] _raw_write_lock_bh+0x20/0x30
<2> [<ffffffc000bc5dd8>] __ipv6_dev_ac_inc+0x64/0x1b4
<2> [<ffffffc000bcbd2c>] addrconf_join_anycast+0x9c/0xc4
<2> [<ffffffc000bcf9f0>] __ipv6_ifa_notify+0x160/0x29c
<2> [<ffffffc000bcfb7c>] ipv6_ifa_notify+0x50/0x70
<2> [<ffffffc000bd035c>] addrconf_dad_work+0x314/0x334
<2> [<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
<2> [<ffffffc0000b7324>] worker_thread+0x2f8/0x418
<2> [<ffffffc0000bb40c>] kthread+0xe0/0xec

v2: do addrconf_dad_kick inside read lock and then acquire write
lock for ipv6_ifa_notify as suggested by Eric

Fixes: 7fd2561e4ebdd ("net: ipv6: Add a sysctl to make optimistic
addresses useful candidates")

Cc: Eric Dumazet <edum...@google.com>
Cc: Erik Kline <e...@google.com>
Cc: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <suba...@codeaurora.org>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Acked-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/ipv6/addrconf.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 54fb696..ff6e0dc 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3425,6 +3425,7 @@ static void addrconf_dad_begin(struct inet6_ifaddr *ifp)
{
struct inet6_dev *idev = ifp->idev;
struct net_device *dev = idev->dev;
+ bool notify = false;

addrconf_join_solict(dev, &ifp->addr);

@@ -3470,7 +3471,7 @@ static void addrconf_dad_begin(struct inet6_ifaddr *ifp)
/* Because optimistic nodes can use this address,
* notify listeners. If DAD fails, RTM_DELADDR is sent.
*/
- ipv6_ifa_notify(RTM_NEWADDR, ifp);
+ notify = true;
}
}

@@ -3478,6 +3479,8 @@ static void addrconf_dad_begin(struct inet6_ifaddr *ifp)
out:
spin_unlock(&ifp->lock);
read_unlock_bh(&idev->lock);
+ if (notify)
+ ipv6_ifa_notify(RTM_NEWADDR, ifp);
}

static void addrconf_dad_start(struct inet6_ifaddr *ifp)
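Review bot: `ipv6_ifa_notify(RTM_NEWADDR, ifp)` now runs after both `spin_unlock(&ifp->lock)` and `read_unlock_bh(&idev->lock)`, so `ifp` is used with neither lock held. Please confirm the caller holds a reference on `ifp` for the whole call, and add a comment at the `if (notify)` line saying the notification is deferred because it takes the device write lock; the existing explanatory comment now sits next to `notify = true` in the previous hunk and no longer describes the call site.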
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Hangbin Liu <liuha...@gmail.com>

[ Upstream commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 ]

Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
disabled accept hop limit from RA if it is smaller than the current hop
limit for security stuff. But this behavior kind of breaks the RFC definition.

RFC 4861, 6.3.4. Processing Received Router Advertisements
A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time,
and Retrans Timer) may contain a value denoting that it is
unspecified. In such cases, the parameter should be ignored and the
host should continue using whatever value it is already using.

If the received Cur Hop Limit value is non-zero, the host SHOULD set
its CurHopLimit variable to the received value.

So add sysctl option accept_ra_min_hop_limit to let user choose the minimum
hop limit value they can accept from RA. And set default to 1 to meet RFC
standards.

Signed-off-by: Hangbin Liu <liuha...@gmail.com>
Acked-by: YOSHIFUJI Hideaki <hideaki....@miraclelinux.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
Documentation/networking/ip-sysctl.txt | 8 ++++++++
include/linux/ipv6.h | 1 +
include/uapi/linux/ipv6.h | 2 ++
net/ipv6/addrconf.c | 10 ++++++++++
net/ipv6/ndisc.c | 16 +++++++---------
5 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 5fae770..5d16013 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1340,6 +1340,14 @@ accept_ra_from_local - BOOLEAN
disabled if accept_ra_from_local is disabled
on a specific interface.

+accept_ra_min_hop_limit - INTEGER
+ Minimum hop limit Information in Router Advertisement.
+
+ Hop limit Information in Router Advertisement less than this
+ variable shall be ignored.
+
+ Default: 1
+
accept_ra_pinfo - BOOLEAN
Learn Prefix Information in Router Advertisement.

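Review bot: the new accept_ra_min_hop_limit entry does not give the valid range or say how to switch the check off. The ndisc.c hunk in this patch only applies an RA hop limit while the value is below 256, so a setting of 256 or more makes the host ignore the advertised hop limit entirely; please document that, and that the default of 1 accepts any non-zero advertised value.
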
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index e4b4649..01c2592 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -29,6 +29,7 @@ struct ipv6_devconf {
__s32 max_desync_factor;
__s32 max_addresses;
__s32 accept_ra_defrtr;
+ __s32 accept_ra_min_hop_limit;
__s32 accept_ra_pinfo;
#ifdef CONFIG_IPV6_ROUTER_PREF
__s32 accept_ra_rtr_pref;
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index 5efa54a..80f3b74 100644
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -171,6 +171,8 @@ enum {
DEVCONF_USE_OPTIMISTIC,
DEVCONF_ACCEPT_RA_MTU,
DEVCONF_STABLE_SECRET,
+ DEVCONF_USE_OIF_ADDRS_ONLY,
+ DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
DEVCONF_MAX
};

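Review bot: DEVCONF_USE_OIF_ADDRS_ONLY is added to the UAPI enum here, but nothing else in this patch references it: there is no matching ipv6_devconf field, sysctl entry or ipv6_store_devconf() assignment, and the commit message does not mention it. If it is a placeholder that keeps DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT at the same numeric value as upstream, say so in a backport note, since that array slot is never written by the code shown.
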
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index d956e30..54fb696 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -195,6 +195,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
.max_addresses = IPV6_MAX_ADDRESSES,
.accept_ra_defrtr = 1,
.accept_ra_from_local = 0,
+ .accept_ra_min_hop_limit= 1,
.accept_ra_pinfo = 1,
#ifdef CONFIG_IPV6_ROUTER_PREF
.accept_ra_rtr_pref = 1,
@@ -236,6 +237,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
.max_addresses = IPV6_MAX_ADDRESSES,
.accept_ra_defrtr = 1,
.accept_ra_from_local = 0,
+ .accept_ra_min_hop_limit= 1,
.accept_ra_pinfo = 1,
#ifdef CONFIG_IPV6_ROUTER_PREF
.accept_ra_rtr_pref = 1,
@@ -4567,6 +4569,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
array[DEVCONF_MAX_DESYNC_FACTOR] = cnf->max_desync_factor;
array[DEVCONF_MAX_ADDRESSES] = cnf->max_addresses;
array[DEVCONF_ACCEPT_RA_DEFRTR] = cnf->accept_ra_defrtr;
+ array[DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT] = cnf->accept_ra_min_hop_limit;
array[DEVCONF_ACCEPT_RA_PINFO] = cnf->accept_ra_pinfo;
#ifdef CONFIG_IPV6_ROUTER_PREF
array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref;
@@ -5460,6 +5463,13 @@ static struct addrconf_sysctl_table
.proc_handler = proc_dointvec,
},
{
+ .procname = "accept_ra_min_hop_limit",
+ .data = &ipv6_devconf.accept_ra_min_hop_limit,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+ {
.procname = "accept_ra_pinfo",
.data = &ipv6_devconf.accept_ra_pinfo,
.maxlen = sizeof(int),
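
Review bot: the accept_ra_min_hop_limit table entry uses proc_dointvec with no bounds, so negative or very large values are accepted even though the field is compared against an 8-bit hop limit and against 256 in ndisc.c. Consider proc_dointvec_minmax with explicit extra1/extra2 limits so the accepted range matches what ndisc_router_discovery() actually distinguishes.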
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index c53331c..b305461 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1225,18 +1225,16 @@ static void ndisc_router_discovery(struct sk_buff *skb)

if (rt)
rt6_set_expires(rt, jiffies + (HZ * lifetime));
- if (ra_msg->icmph.icmp6_hop_limit) {
- /* Only set hop_limit on the interface if it is higher than
- * the current hop_limit.
- */
- if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
+ if (in6_dev->cnf.accept_ra_min_hop_limit < 256 &&
+ ra_msg->icmph.icmp6_hop_limit) {
+ if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) {
in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
} else {
- ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than minimum\n");
}
- if (rt)
- dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
- ra_msg->icmph.icmp6_hop_limit);
}

skip_defrtr:
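
Review bot: with the default accept_ra_min_hop_limit of 1, the test `accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit` accepts every non-zero hop limit, so the protection given by the removed `in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit` comparison is off unless the administrator raises the sysctl; the commit message should state that change in default behaviour explicitly. The bare 256 is also unexplained: a named constant or a comment saying it means "never accept" would help, and the warning could print the received and minimum values.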
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:11 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Paolo Abeni <pab...@redhat.com>

[ Upstream commit 1cdda91871470f15e79375991bd2eddc6e86ddb1 ]

Currently, the egress interface index specified via IPV6_PKTINFO
is ignored by __ip6_datagram_connect(), so that RFC 3542 section 6.7
can be subverted when the user space application calls connect()
before sendmsg().
Fix it by initializing properly flowi6_oif in connect() before
performing the route lookup.

Signed-off-by: Paolo Abeni <pab...@redhat.com>
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/ipv6/datagram.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 13ca4cf..8e6cb3f 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -162,6 +162,9 @@ ipv4_connected:
fl6.fl6_dport = inet->inet_dport;
fl6.fl6_sport = inet->inet_sport;

+ if (!fl6.flowi6_oif)
+ fl6.flowi6_oif = np->sticky_pktinfo.ipi6_ifindex;
+
if (!fl6.flowi6_oif && (addr_type&IPV6_ADDR_MULTICAST))
fl6.flowi6_oif = np->mcast_oif;

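Review bot: the new fallback to np->sticky_pktinfo.ipi6_ifindex sits above the multicast fallback, so for a multicast destination a sticky IPV6_PKTINFO interface now takes precedence over np->mcast_oif. Please confirm that this ordering matches what the sendmsg() path does, and add a one-line comment citing RFC 3542 section 6.7 so the precedence is not reordered later.
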
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:15 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Toshi Kani <toshi...@hpe.com>

commit ee9737c924706aaa72c2ead93e3ad5644681dc1c upstream.

Add comments to __copy_user_nocache() to clarify its procedures
and alignment requirements.

Also change numeric branch target labels to named local labels.

No code changed:

arch/x86/lib/copy_user_64.o:

text data bss dec hex filename
1239 0 0 1239 4d7 copy_user_64.o.before
1239 0 0 1239 4d7 copy_user_64.o.after

md5:
58bed94c2db98c1ca9a2d46d0680aaae copy_user_64.o.before.asm
58bed94c2db98c1ca9a2d46d0680aaae copy_user_64.o.after.asm

Signed-off-by: Toshi Kani <toshi...@hpe.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Andy Lutomirski <lu...@amacapital.net>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Borislav Petkov <b...@suse.de>
Cc: Brian Gerst <brg...@gmail.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Luis R. Rodriguez <mcg...@suse.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Toshi Kani <toshi...@hp.com>
Cc: brian.b...@hpe.com
Cc: dan.j.w...@intel.com
Cc: linux-...@lists.01.org
Cc: micah....@hpe.com
Cc: ross.z...@linux.intel.com
Cc: vishal....@intel.com
Link: http://lkml.kernel.org/r/1455225857-12039-2-git...@hpe.com
[ Small readability edits and added object file comparison. ]
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/x86/lib/copy_user_64.S | 114 ++++++++++++++++++++++++++++----------------
1 file changed, 73 insertions(+), 41 deletions(-)

diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
index 982ce34..a644aad 100644
--- a/arch/x86/lib/copy_user_64.S
+++ b/arch/x86/lib/copy_user_64.S
@@ -232,17 +232,30 @@ ENDPROC(copy_user_enhanced_fast_string)

/*
* copy_user_nocache - Uncached memory copy with exception handling
- * This will force destination/source out of cache for more performance.
+ * This will force destination out of cache for more performance.
+ *
+ * Note: Cached memory copy is used when destination or size is not
+ * naturally aligned. That is:
+ * - Require 8-byte alignment when size is 8 bytes or larger.
*/
ENTRY(__copy_user_nocache)
ASM_STAC
+
+ /* If size is less than 8 bytes, go to byte copy */
cmpl $8,%edx
- jb 20f /* less then 8 bytes, go to byte copy loop */
+ jb .L_1b_cache_copy_entry
+
+ /* If destination is not 8-byte aligned, "cache" copy to align it */
ALIGN_DESTINATION
+
+ /* Set 4x8-byte copy count and remainder */
movl %edx,%ecx
andl $63,%edx
shrl $6,%ecx
- jz 17f
+ jz .L_8b_nocache_copy_entry /* jump if count is 0 */
+
+ /* Perform 4x8-byte nocache loop-copy */
+.L_4x8b_nocache_copy_loop:
1: movq (%rsi),%r8
2: movq 1*8(%rsi),%r9
3: movq 2*8(%rsi),%r10
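
Review bot: the new header comment introduces a list with "That is:" but gives a single item, and it does not mention the case the first branch handles, where a size below 8 bytes goes straight to .L_1b_cache_copy_entry. Spelling out both conditions (size under 8 bytes, destination not 8-byte aligned) would make the comment match the code directly below it.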
@@ -262,60 +275,79 @@ ENTRY(__copy_user_nocache)
leaq 64(%rsi),%rsi
leaq 64(%rdi),%rdi
decl %ecx
- jnz 1b
-17: movl %edx,%ecx
+ jnz .L_4x8b_nocache_copy_loop
+
+ /* Set 8-byte copy count and remainder */
+.L_8b_nocache_copy_entry:
+ movl %edx,%ecx
andl $7,%edx
shrl $3,%ecx
- jz 20f
-18: movq (%rsi),%r8
-19: movnti %r8,(%rdi)
+ jz .L_1b_cache_copy_entry /* jump if count is 0 */
+
+ /* Perform 8-byte nocache loop-copy */
+.L_8b_nocache_copy_loop:
+20: movq (%rsi),%r8
+21: movnti %r8,(%rdi)
leaq 8(%rsi),%rsi
leaq 8(%rdi),%rdi
decl %ecx
- jnz 18b
-20: andl %edx,%edx
- jz 23f
+ jnz .L_8b_nocache_copy_loop
+
+ /* If no byte left, we're done */
+.L_1b_cache_copy_entry:
+ andl %edx,%edx
+ jz .L_finish_copy
+
+ /* Perform byte "cache" loop-copy for the remainder */
movl %edx,%ecx
-21: movb (%rsi),%al
-22: movb %al,(%rdi)
+.L_1b_cache_copy_loop:
+40: movb (%rsi),%al
+41: movb %al,(%rdi)
incq %rsi
incq %rdi
decl %ecx
- jnz 21b
-23: xorl %eax,%eax
+ jnz .L_1b_cache_copy_loop
+
+ /* Finished copying; fence the prior stores */
+.L_finish_copy:
+ xorl %eax,%eax
ASM_CLAC
sfence
ret

.section .fixup,"ax"
-30: shll $6,%ecx
+.L_fixup_4x8b_copy:
+ shll $6,%ecx
addl %ecx,%edx
- jmp 60f
-40: lea (%rdx,%rcx,8),%rdx
- jmp 60f
-50: movl %ecx,%edx
-60: sfence
+ jmp .L_fixup_handle_tail
+.L_fixup_8b_copy:
+ lea (%rdx,%rcx,8),%rdx
+ jmp .L_fixup_handle_tail
+.L_fixup_1b_copy:
+ movl %ecx,%edx
+.L_fixup_handle_tail:
+ sfence
jmp copy_user_handle_tail
.previous

- _ASM_EXTABLE(1b,30b)
- _ASM_EXTABLE(2b,30b)
- _ASM_EXTABLE(3b,30b)
- _ASM_EXTABLE(4b,30b)
- _ASM_EXTABLE(5b,30b)
- _ASM_EXTABLE(6b,30b)
- _ASM_EXTABLE(7b,30b)
- _ASM_EXTABLE(8b,30b)
- _ASM_EXTABLE(9b,30b)
- _ASM_EXTABLE(10b,30b)
- _ASM_EXTABLE(11b,30b)
- _ASM_EXTABLE(12b,30b)
- _ASM_EXTABLE(13b,30b)
- _ASM_EXTABLE(14b,30b)
- _ASM_EXTABLE(15b,30b)
- _ASM_EXTABLE(16b,30b)
- _ASM_EXTABLE(18b,40b)
- _ASM_EXTABLE(19b,40b)
- _ASM_EXTABLE(21b,50b)
- _ASM_EXTABLE(22b,50b)
+ _ASM_EXTABLE(1b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(2b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(3b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(4b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(5b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(6b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(7b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(8b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(9b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(10b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(11b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(12b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(13b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(14b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(15b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(16b,.L_fixup_4x8b_copy)
+ _ASM_EXTABLE(20b,.L_fixup_8b_copy)
+ _ASM_EXTABLE(21b,.L_fixup_8b_copy)
+ _ASM_EXTABLE(40b,.L_fixup_1b_copy)
+ _ASM_EXTABLE(41b,.L_fixup_1b_copy)
ENDPROC(__copy_user_nocache)
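
Review bot: besides switching branch targets to named labels, this hunk renumbers the fault-site labels (18/19 become 20/21, 21/22 become 40/41), which the commit message does not mention; every _ASM_EXTABLE entry has to follow, and the ones shown do. A comment at each group of numeric labels saying they exist only for the exception table would keep a later edit from desynchronising them from the .L_fixup_* targets.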
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:20:16 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ido Schimmel <ido...@mellanox.com>

[ Upstream commit 4f2c6ae5c64c353fb1b0425e4747e5603feadba1 ]

When switchdev drivers process FDB notifications from the underlying
device they resolve the netdev to which the entry points to and notify
the bridge using the switchdev notifier.

However, since the RTNL mutex is not held there is nothing preventing
the netdev from disappearing in the middle, which will cause
br_switchdev_event() to dereference a non-existing netdev.

Make switchdev drivers hold the lock at the beginning of the
notification processing session and release it once it ends, after
notifying the bridge.

Also, remove switchdev_mutex and fdb_lock, as they are no longer needed
when RTNL mutex is held.

Fixes: 03bf0c281234 ("switchdev: introduce switchdev notifier")
Signed-off-by: Ido Schimmel <ido...@mellanox.com>
Signed-off-by: Jiri Pirko <ji...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/ethernet/rocker/rocker.c | 2 ++
net/bridge/br.c | 3 +--
net/switchdev/switchdev.c | 15 ++++++++-------
3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/rocker/rocker.c b/drivers/net/ethernet/rocker/rocker.c
index 2e7f9a2..348f047 100644
--- a/drivers/net/ethernet/rocker/rocker.c
+++ b/drivers/net/ethernet/rocker/rocker.c
@@ -3493,12 +3493,14 @@ static void rocker_port_fdb_learn_work(struct work_struct *work)
info.addr = lw->addr;
info.vid = lw->vid;

+ rtnl_lock();
if (learned && removing)
call_switchdev_notifiers(SWITCHDEV_FDB_DEL,
lw->rocker_port->dev, &info.info);
else if (learned && !removing)
call_switchdev_notifiers(SWITCHDEV_FDB_ADD,
lw->rocker_port->dev, &info.info);
+ rtnl_unlock();

rocker_port_kfree(lw->trans, work);
}
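
Review bot: rtnl_lock() is taken on every run of rocker_port_fdb_learn_work(), including when `learned` is false and neither call_switchdev_notifiers() branch executes. Taking the lock inside an `if (learned)` block would avoid contending on RTNL for work items that notify nobody, and a comment noting that lw->rocker_port->dev is only safe to pass on under RTNL would record why the lock is here.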
diff --git a/net/bridge/br.c b/net/bridge/br.c
index a1abe49..3addc05 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -121,6 +121,7 @@ static struct notifier_block br_device_notifier = {
.notifier_call = br_device_event
};

+/* called with RTNL */
static int br_switchdev_event(struct notifier_block *unused,
unsigned long event, void *ptr)
{
@@ -130,7 +131,6 @@ static int br_switchdev_event(struct notifier_block *unused,
struct switchdev_notifier_fdb_info *fdb_info;
int err = NOTIFY_DONE;

- rtnl_lock();
p = br_port_get_rtnl(dev);
if (!p)
goto out;
@@ -155,7 +155,6 @@ static int br_switchdev_event(struct notifier_block *unused,
}

out:
- rtnl_unlock();
return err;
}

diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c
index 9f2add3..69bd2b7 100644
--- a/net/switchdev/switchdev.c
+++ b/net/switchdev/switchdev.c
@@ -16,6 +16,7 @@
#include <linux/notifier.h>
#include <linux/netdevice.h>
#include <linux/if_bridge.h>
+#include <linux/rtnetlink.h>
#include <net/ip_fib.h>
#include <net/switchdev.h>

@@ -333,7 +334,6 @@ int switchdev_port_obj_dump(struct net_device *dev, struct switchdev_obj *obj)
}
EXPORT_SYMBOL_GPL(switchdev_port_obj_dump);

-static DEFINE_MUTEX(switchdev_mutex);
static RAW_NOTIFIER_HEAD(switchdev_notif_chain);

/**
@@ -348,9 +348,9 @@ int register_switchdev_notifier(struct notifier_block *nb)
{
int err;

- mutex_lock(&switchdev_mutex);
+ rtnl_lock();
err = raw_notifier_chain_register(&switchdev_notif_chain, nb);
- mutex_unlock(&switchdev_mutex);
+ rtnl_unlock();
return err;
}
EXPORT_SYMBOL_GPL(register_switchdev_notifier);
@@ -366,9 +366,9 @@ int unregister_switchdev_notifier(struct notifier_block *nb)
{
int err;

- mutex_lock(&switchdev_mutex);
+ rtnl_lock();
err = raw_notifier_chain_unregister(&switchdev_notif_chain, nb);
- mutex_unlock(&switchdev_mutex);
+ rtnl_unlock();
return err;
}
EXPORT_SYMBOL_GPL(unregister_switchdev_notifier);
@@ -382,16 +382,17 @@ EXPORT_SYMBOL_GPL(unregister_switchdev_notifier);
* Call all network notifier blocks. This should be called by driver
* when it needs to propagate hardware event.
* Return values are same as for atomic_notifier_call_chain().
+ * rtnl_lock must be held.
*/
int call_switchdev_notifiers(unsigned long val, struct net_device *dev,
struct switchdev_notifier_info *info)
{
int err;

+ ASSERT_RTNL();
+
info->dev = dev;
- mutex_lock(&switchdev_mutex);
err = raw_notifier_call_chain(&switchdev_notif_chain, val, info);
- mutex_unlock(&switchdev_mutex);
return err;
}
EXPORT_SYMBOL_GPL(call_switchdev_notifiers);
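
Review bot: ASSERT_RTNL() in call_switchdev_notifiers() turns the locking rule into a requirement on every caller, yet the only caller converted in this patch is rocker_port_fdb_learn_work(). Please confirm that no other caller in this tree invokes it without RTNL held. The kernel-doc above still points at atomic_notifier_call_chain() although the chain is a raw notifier head, which is worth correcting while the comment is being touched.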
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:06 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Gerhard Uttenthaler <utten...@ems-wuensche.com>

commit 90cfde46586d2286488d8ed636929e936c0c9ab2 upstream.

This patch fixes the problem that more CAN messages could be sent to the
interface than could be sent on the CAN bus. This was more likely for slow baud
rates. The sleeping _start_xmit was woken up in the _write_bulk_callback. Under
heavy TX load this produced another bulk transfer without checking the
free_slots variable and hence caused the overflow in the interface.

Signed-off-by: Gerhard Uttenthaler <utten...@ems-wuensche.com>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/can/usb/ems_usb.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
index 2d39038..66409fe 100644
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -117,6 +117,9 @@ MODULE_LICENSE("GPL v2");
*/
#define EMS_USB_ARM7_CLOCK 8000000

+#define CPC_TX_QUEUE_TRIGGER_LOW 25
+#define CPC_TX_QUEUE_TRIGGER_HIGH 35
+
/*
* CAN-Message representation in a CPC_MSG. Message object type is
* CPC_MSG_TYPE_CAN_FRAME or CPC_MSG_TYPE_RTR_FRAME or
@@ -278,6 +281,11 @@ static void ems_usb_read_interrupt_callback(struct urb *urb)
switch (urb->status) {
case 0:
dev->free_slots = dev->intr_in_buffer[1];
+ if(dev->free_slots > CPC_TX_QUEUE_TRIGGER_HIGH){
+ if (netif_queue_stopped(netdev)){
+ netif_wake_queue(netdev);
+ }
+ }
break;

case -ECONNRESET: /* unlink */
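
Review bot: the block added to ems_usb_read_interrupt_callback() does not follow kernel coding style: `if(` and `){` lack spaces, and the nested single-statement ifs carry braces. It can be a single condition, `if (dev->free_slots > CPC_TX_QUEUE_TRIGGER_HIGH && netif_queue_stopped(netdev))`, followed by the netif_wake_queue() call.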
@@ -527,8 +535,6 @@ static void ems_usb_write_bulk_callback(struct urb *urb)
/* Release context */
context->echo_index = MAX_TX_URBS;

- if (netif_queue_stopped(netdev))
- netif_wake_queue(netdev);
}

/*
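
Review bot: removing the wake-up from ems_usb_write_bulk_callback() means a queue stopped because active_tx_urbs reached MAX_TX_URBS (the other half of the condition in ems_usb_start_xmit()) is now restarted only by the interrupt callback, and only once free_slots exceeds CPC_TX_QUEUE_TRIGGER_HIGH. Please confirm that an interrupt URB always arrives after the last bulk completion, otherwise the queue can stay stopped. The deletion also leaves a stray blank line before the closing brace.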
@@ -588,7 +594,7 @@ static int ems_usb_start(struct ems_usb *dev)
int err, i;

dev->intr_in_buffer[0] = 0;
- dev->free_slots = 15; /* initial size */
+ dev->free_slots = 50; /* initial size */

for (i = 0; i < MAX_RX_URBS; i++) {
struct urb *urb = NULL;
@@ -836,7 +842,7 @@ static netdev_tx_t ems_usb_start_xmit(struct sk_buff *skb, struct net_device *ne

/* Slow down tx path */
if (atomic_read(&dev->active_tx_urbs) >= MAX_TX_URBS ||
- dev->free_slots < 5) {
+ dev->free_slots < CPC_TX_QUEUE_TRIGGER_LOW) {
netif_stop_queue(netdev);
}
}
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:06 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Martin Schwidefsky <schwi...@de.ibm.com>

commit 342300cc9cd3428bc6bfe5809bfcc1b9a0f06702 upstream.

git commit 8070361799ae1e3f4ef347bd10f0a508ac10acfb
"s390: add support for vector extension"
broke 31-bit compat processes in regard to signal handling.

The restore_sigregs_ext32() function is used to restore the additional
elements from the user space signal frame. Among the additional elements
are the upper registers halves for 64-bit register support for 31-bit
processes. The copy_from_user that is used to retrieve the high-gprs
array from the user stack uses an incorrect length, 8 bytes instead of
64 bytes. This causes incorrect upper register halves to get loaded.

Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/s390/kernel/compat_signal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/kernel/compat_signal.c b/arch/s390/kernel/compat_signal.c
index c78ba51..24b7e55 100644
--- a/arch/s390/kernel/compat_signal.c
+++ b/arch/s390/kernel/compat_signal.c
@@ -293,7 +293,7 @@ static int restore_sigregs_ext32(struct pt_regs *regs,

/* Restore high gprs from signal stack */
if (__copy_from_user(&gprs_high, &sregs_ext->gprs_high,
- sizeof(&sregs_ext->gprs_high)))
+ sizeof(sregs_ext->gprs_high)))
return -EFAULT;
for (i = 0; i < NUM_GPRS; i++)
*(__u32 *)&regs->gprs[i] = gprs_high[i];
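
Review bot: the length passed to __copy_from_user() is now taken from the source member, sizeof(sregs_ext->gprs_high), while the destination is the local gprs_high, and nothing in the hunk ties the two sizes together. Using sizeof(gprs_high) for the length, or adding a BUILD_BUG_ON that both sizes are equal, would keep the copy bounded by the buffer actually written to if either declaration changes.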
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:06 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Lisa Du <cl...@marvell.com>

commit 7a64cd887fdb97f074c3fda03bee0bfb9faceac3 upstream.

There's one point that was missed in the patch commit da49889deb34 ("staging:
binder: Support concurrent 32 bit and 64 bit processes."). When configuring
BINDER_IPC_32BIT, the size of binder_uintptr_t was 32 bits, but the size of
void * is 64 bits on a 64-bit system. Correct it here.

Signed-off-by: Lisa Du <cl...@marvell.com>
Signed-off-by: Nicolas Boichat <drin...@chromium.org>
Fixes: da49889deb34 ("staging: binder: Support concurrent 32 bit and 64 bit processes.")
Acked-by: Olof Johansson <ol...@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/android/binder.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 6607f3c..f1a26d9 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2074,7 +2074,7 @@ static int binder_thread_write(struct binder_proc *proc,
if (get_user(cookie, (binder_uintptr_t __user *)ptr))
return -EFAULT;

- ptr += sizeof(void *);
+ ptr += sizeof(cookie);
list_for_each_entry(w, &proc->delivered_death, entry) {
struct binder_ref_death *tmp_death = container_of(w, struct binder_ref_death, work);

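Review bot: `ptr += sizeof(cookie)` depends on the declared type of cookie, while the read just above casts to binder_uintptr_t; writing sizeof(binder_uintptr_t) would keep the advance tied to the same type as the get_user() access. Please also check the rest of binder_thread_write() for other `ptr += sizeof(void *)` steps, since the same mismatch under BINDER_IPC_32BIT would misparse the remainder of the user buffer.
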
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Kailang Yang <kai...@realtek.com>

commit cfc5a845e62853edd36e564c23c64588f4adcae6 upstream.

Dell created a new platform with the ALC298 codec.
This patch will enable headset mode for ALC225/ALC3253 platform.

Signed-off-by: Kailang Yang <kai...@realtek.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
sound/pci/hda/patch_realtek.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index cb26e7d..1c0d005 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5571,6 +5571,9 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
{.id = ALC292_FIXUP_TPT440, .name = "tpt440"},
{}
};
+#define ALC225_STANDARD_PINS \
+ {0x12, 0xb7a60130}, \
+ {0x21, 0x04211020}

#define ALC255_STANDARD_PINS \
{0x18, 0x411111f0}, \
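
Review bot: the ALC225_STANDARD_PINS definition is added directly after the closing `};` of alc269_fixup_models[] with no blank line in between, unlike the ALC255_STANDARD_PINS block that follows it. Add a blank line above the #define so the macro is visually separated from the table.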
@@ -5625,6 +5628,12 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
{0x1f, 0x411111f0}

static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
+ SND_HDA_PIN_QUIRK(0x10ec0225, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC225_STANDARD_PINS,
+ {0x14, 0x901701a0}),
+ SND_HDA_PIN_QUIRK(0x10ec0225, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC225_STANDARD_PINS,
+ {0x14, 0x901701b0}),
SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
ALC255_STANDARD_PINS,
{0x12, 0x40300000},
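
Review bot: the two new SND_HDA_PIN_QUIRK entries match codec 0x10ec0225, but the commit message says the platform uses an ALC298 codec, so one of the two needs correcting. The entries differ only in the pin 0x14 value (0x901701a0 versus 0x901701b0); a short comment saying which machine each one covers would help later maintenance.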
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Takashi Iwai <ti...@suse.de>

commit 473f414564528a819f0c2bb6b4bf26366b64c9ab upstream.

Currently the interrupt handler of HD-audio driver assumes that no irq
update is needed while processing the irq. But in reality, it has
been confirmed that the HW irq is issued even during the irq
handling. Since we clear the irq status at the beginning, process the
interrupt, then exit from the handler, the lately issued interrupt is
left untouched without being properly processed.

This patch changes the interrupt handler code to loop over the
check-and-process. The handler tries repeatedly as long as the IRQ
status is turned on, and either stream or CORB/RIRB is handled.

For checking the stream handling, snd_hdac_bus_handle_stream_irq()
returns a value indicating the stream indices bits. Other than that,
the change is only in the irq handler itself.

Reported-by: Libin Yang <libin...@linux.intel.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
[ kamal: backport to 4.2-stable: context ]
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
include/sound/hdaudio.h | 2 +-
sound/hda/hdac_controller.c | 7 ++++++-
sound/pci/hda/hda_controller.c | 47 +++++++++++++++++++++++-------------------
3 files changed, 33 insertions(+), 23 deletions(-)

diff --git a/include/sound/hdaudio.h b/include/sound/hdaudio.h
index 4caf1fd..772d137 100644
--- a/include/sound/hdaudio.h
+++ b/include/sound/hdaudio.h
@@ -343,7 +343,7 @@ void snd_hdac_bus_enter_link_reset(struct hdac_bus *bus);
void snd_hdac_bus_exit_link_reset(struct hdac_bus *bus);

void snd_hdac_bus_update_rirb(struct hdac_bus *bus);
-void snd_hdac_bus_handle_stream_irq(struct hdac_bus *bus, unsigned int status,
+int snd_hdac_bus_handle_stream_irq(struct hdac_bus *bus, unsigned int status,
void (*ack)(struct hdac_bus *,
struct hdac_stream *));

diff --git a/sound/hda/hdac_controller.c b/sound/hda/hdac_controller.c
index b5a17cb..8c48623 100644
--- a/sound/hda/hdac_controller.c
+++ b/sound/hda/hdac_controller.c
@@ -426,18 +426,22 @@ EXPORT_SYMBOL_GPL(snd_hdac_bus_stop_chip);
* @bus: HD-audio core bus
* @status: INTSTS register value
* @ask: callback to be called for woken streams
+ *
+ * Returns the bits of handled streams, or zero if no stream is handled.
*/
-void snd_hdac_bus_handle_stream_irq(struct hdac_bus *bus, unsigned int status,
+int snd_hdac_bus_handle_stream_irq(struct hdac_bus *bus, unsigned int status,
void (*ack)(struct hdac_bus *,
struct hdac_stream *))
{
struct hdac_stream *azx_dev;
u8 sd_status;
+ int handled = 0;

list_for_each_entry(azx_dev, &bus->stream_list, list) {
if (status & azx_dev->sd_int_sta_mask) {
sd_status = snd_hdac_stream_readb(azx_dev, SD_STS);
snd_hdac_stream_writeb(azx_dev, SD_STS, SD_INT_MASK);
+ handled |= 1 << azx_dev->index;
if (!azx_dev->substream || !azx_dev->running ||
!(sd_status & SD_INT_COMPLETE))
continue;
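
Review bot: `handled |= 1 << azx_dev->index;` accumulates a bit mask in a signed int, so a stream index of 31 would shift into the sign bit; declare handled (and the return type) as unsigned int and use 1U or BIT(). The kernel-doc also names the callback @ask while the parameter is ack, which can be fixed while the comment is being extended.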
@@ -445,6 +449,7 @@ void snd_hdac_bus_handle_stream_irq(struct hdac_bus *bus, unsigned int status,
ack(bus, azx_dev);
}
}
+ return handled;
}
EXPORT_SYMBOL_GPL(snd_hdac_bus_handle_stream_irq);

diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
index 4013af3..1091b7a 100644
--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -930,6 +930,8 @@ irqreturn_t azx_interrupt(int irq, void *dev_id)
struct azx *chip = dev_id;
struct hdac_bus *bus = azx_bus(chip);
u32 status;
+ bool active, handled = false;
+ int repeat = 0; /* count for avoiding endless loop */

#ifdef CONFIG_PM
if (azx_has_pm_runtime(chip))
@@ -939,33 +941,36 @@ irqreturn_t azx_interrupt(int irq, void *dev_id)

spin_lock(&bus->reg_lock);

- if (chip->disabled) {
- spin_unlock(&bus->reg_lock);
- return IRQ_NONE;
- }
-
- status = azx_readl(chip, INTSTS);
- if (status == 0 || status == 0xffffffff) {
- spin_unlock(&bus->reg_lock);
- return IRQ_NONE;
- }
+ if (chip->disabled)
+ goto unlock;

- snd_hdac_bus_handle_stream_irq(bus, status, stream_update);
+ do {
+ status = azx_readl(chip, INTSTS);
+ if (status == 0 || status == 0xffffffff)
+ break;

- /* clear rirb int */
- status = azx_readb(chip, RIRBSTS);
- if (status & RIRB_INT_MASK) {
- if (status & RIRB_INT_RESPONSE) {
- if (chip->driver_caps & AZX_DCAPS_RIRB_PRE_DELAY)
- udelay(80);
- snd_hdac_bus_update_rirb(bus);
+ handled = true;
+ active = false;
+ if (snd_hdac_bus_handle_stream_irq(bus, status, stream_update))
+ active = true;
+
+ /* clear rirb int */
+ status = azx_readb(chip, RIRBSTS);
+ if (status & RIRB_INT_MASK) {
+ active = true;
+ if (status & RIRB_INT_RESPONSE) {
+ if (chip->driver_caps & AZX_DCAPS_RIRB_PRE_DELAY)
+ udelay(80);
+ snd_hdac_bus_update_rirb(bus);
+ }
+ azx_writeb(chip, RIRBSTS, RIRB_INT_MASK);
}
- azx_writeb(chip, RIRBSTS, RIRB_INT_MASK);
- }
+ } while (active && ++repeat < 10);

+ unlock:
spin_unlock(&bus->reg_lock);

- return IRQ_HANDLED;
+ return IRQ_RETVAL(handled);
}
EXPORT_SYMBOL_GPL(azx_interrupt);

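Review bot: the new do/while in azx_interrupt() runs up to 10 passes with bus->reg_lock held, and each pass may hit udelay(80) when AZX_DCAPS_RIRB_PRE_DELAY is set, so the worst case is close to a millisecond of busy-waiting in the interrupt handler. Please give the limit a named constant with a note on how it was chosen, and consider a rate-limited message when the loop exits because repeat reached the limit, since interrupt status may still be pending at that point.
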
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Manfred Rudigier <Manfred....@omicron.at>

[ Upstream commit 81e8f2e930fe76b9814c71b9d87c30760b5eb705 ]

PHY status frames are not reliable, the PHY may not be able to send them
during heavy receive traffic. This overflow condition is signaled by the
PHY in the next status frame, but the driver did not make use of it.
Instead it always reported wrong tx timestamps to user space after an
overflow happened because it assigned newly received tx timestamps to old
packets in the queue.

This commit fixes this issue by clearing the tx timestamp queue every time
an overflow happens, so that no timestamps are delivered for overflow
packets. This way time stamping will continue correctly after an overflow.

Signed-off-by: Manfred Rudigier <manfred....@omicron.at>
Acked-by: Richard Cochran <richard...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/net/phy/dp83640.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
index 00cb41e..c56cf0b 100644
--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -833,6 +833,11 @@ static void decode_rxts(struct dp83640_private *dp83640,
struct skb_shared_hwtstamps *shhwtstamps = NULL;
struct sk_buff *skb;
unsigned long flags;
+ u8 overflow;
+
+ overflow = (phy_rxts->ns_hi >> 14) & 0x3;
+ if (overflow)
+ pr_debug("rx timestamp queue overflow, count %d\n", overflow);

spin_lock_irqsave(&dp83640->rx_lock, flags);

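Review bot: in decode_rxts() the overflow count is only logged, while decode_txts() flushes its queue on the same condition. If stale rx timestamps can be matched to the wrong packet after an overflow, the rx path needs equivalent handling, and if they cannot, a comment should say why. The `(ns_hi >> 14) & 0x3` extraction is also duplicated in both functions and would read better as a small helper or named mask.
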
@@ -875,6 +880,7 @@ static void decode_txts(struct dp83640_private *dp83640,
struct skb_shared_hwtstamps shhwtstamps;
struct sk_buff *skb;
u64 ns;
+ u8 overflow;

/* We must already have the skb that triggered this. */

@@ -884,6 +890,17 @@ static void decode_txts(struct dp83640_private *dp83640,
pr_debug("have timestamp but tx_queue empty\n");
return;
}
+
+ overflow = (phy_txts->ns_hi >> 14) & 0x3;
+ if (overflow) {
+ pr_debug("tx timestamp queue overflow, count %d\n", overflow);
+ while (skb) {
+ skb_complete_tx_timestamp(skb, NULL);
+ skb = skb_dequeue(&dp83640->tx_queue);
+ }
+ return;
+ }
+
ns = phy2txts(phy_txts);
memset(&shhwtstamps, 0, sizeof(shhwtstamps));
shhwtstamps.hwtstamp = ns_to_ktime(ns);
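
Review bot: skb_complete_tx_timestamp(skb, NULL) in the overflow loop passes a NULL hwtstamps pointer for every queued skb; please verify that skb_complete_tx_timestamp() in this tree accepts NULL, because if it copies *hwtstamps into the skb this loop dereferences a NULL pointer on the first overflow. If the intent is only to drop the queued packets without delivering a timestamp, kfree_skb() expresses that directly.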
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: David Henningsson <david.he...@canonical.com>

commit 2ae955774f29bbd7d16149cb0ae8d0319bf2ecc4 upstream.

On one of the machines we enable, we found that the actual speaker volume
did not always correspond to the volume set in alsamixer. This patch
fixes that problem.

This patch was originally written by Kailang @ Realtek, I've rebased it
to fit sound git master.

BugLink: https://bugs.launchpad.net/bugs/1549660
Co-Authored-By: Kailang <kai...@realtek.com>
Signed-off-by: David Henningsson <david.he...@canonical.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
sound/pci/hda/patch_realtek.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 1c0d005..ca7f31a 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -3781,6 +3781,10 @@ static void alc_headset_mode_mic_in(struct hda_codec *codec, hda_nid_t hp_pin,

static void alc_headset_mode_default(struct hda_codec *codec)
{
+ static struct coef_fw coef0225[] = {
+ UPDATE_COEF(0x45, 0x3f<<10, 0x34<<10),
+ {}
+ };
static struct coef_fw coef0255[] = {
WRITE_COEF(0x45, 0xc089),
WRITE_COEF(0x45, 0xc489),
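Review bot: the new `coef0225` table encodes its setting as `UPDATE_COEF(0x45, 0x3f<<10, 0x34<<10)` with no comment on what the six-bit field at bits 10..15 of coefficient 0x45 selects, or why 0x34 is the default headset mode value. A short comment naming the field would make the table reviewable without the codec datasheet.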
@@ -3822,6 +3826,9 @@ static void alc_headset_mode_default(struct hda_codec *codec)
};

switch (codec->core.vendor_id) {
+ case 0x10ec0225:
+ alc_process_coef_fw(codec, coef0225);
+ break;
case 0x10ec0255:
case 0x10ec0256:
alc_process_coef_fw(codec, coef0255);
@@ -4699,6 +4706,7 @@ enum {
ALC293_FIXUP_LENOVO_SPK_NOISE,
ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
ALC255_FIXUP_DELL_SPK_NOISE,
+ ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
};

static const struct hda_fixup alc269_fixups[] = {
@@ -5324,6 +5332,17 @@ static const struct hda_fixup alc269_fixups[] = {
.chained = true,
.chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
},
+ [ALC225_FIXUP_DELL1_MIC_NO_PRESENCE] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+ /* Disable pass-through path for FRONT 14h */
+ { 0x20, AC_VERB_SET_COEF_INDEX, 0x36 },
+ { 0x20, AC_VERB_SET_PROC_COEF, 0x57d7 },
+ {}
+ },
+ .chained = true,
+ .chain_id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE
+ },
};

static const struct snd_pci_quirk alc269_fixup_tbl[] = {
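Review bot: in the ALC225_FIXUP_DELL1_MIC_NO_PRESENCE entry, `{ 0x20, AC_VERB_SET_PROC_COEF, 0x57d7 }` writes the whole of coefficient 0x36 rather than updating a masked field, so it replaces whatever the codec held there. The comment gives the intent (disable the pass-through path for FRONT 14h) but not which bits do it; naming the bit, or stating that 0x57d7 is the vendor-supplied value, would make later changes to this coefficient safer.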
@@ -5628,10 +5647,10 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
{0x1f, 0x411111f0}

static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
- SND_HDA_PIN_QUIRK(0x10ec0225, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+ SND_HDA_PIN_QUIRK(0x10ec0225, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
ALC225_STANDARD_PINS,
{0x14, 0x901701a0}),
- SND_HDA_PIN_QUIRK(0x10ec0225, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+ SND_HDA_PIN_QUIRK(0x10ec0225, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
ALC225_STANDARD_PINS,
{0x14, 0x901701b0}),
SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
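Review bot: both ALC225_STANDARD_PINS entries for 0x10ec0225/0x1028 now select ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, so the new verbs apply to every Dell machine matching these pin configurations (0x14 set to 0x901701a0 or 0x901701b0), while the commit message describes a problem seen on one machine. The message should state that the wider scope is intended.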
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vineet Gupta <vgu...@synopsys.com>

commit bb143f814ea488769ca2e79e0b376139cb5f134b upstream.

ARConnect/MCIP Inter-Core-Interrupt module can't send interrupt to
local core. So use core intc capability to trigger software
interrupt to self, using an unused IRQ #21.

This showed up as csd deadlock with LTP trace_sched on a dual core
system. This test acts as scheduler fuzzer, triggering all sorts of
scheduling activity. Trouble starts with IPI to self, which doesn't get
delivered (effectively lost due to H/w capability), but the msg intended
to be sent remains enqueued in per-cpu @ipi_data.

All subsequent IPIs to this core from other cores get elided due to the
IPI coalescing optimization in ipi_send_msg_one() where a pending msg
implies an IPI already sent and assumes other core is yet to ack it.
After the elided IPI, other core simply goes into csd_lock_wait()
but never comes out as this core never sees the interrupt.

Fixes STAR 9001008624

Cc: Peter Zijlstra <pet...@infradead.org>
Signed-off-by: Vineet Gupta <vgu...@synopsys.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/arc/include/asm/irqflags-arcv2.h | 11 +++++++++++
arch/arc/kernel/entry-arcv2.S | 11 ++++++-----
arch/arc/kernel/mcip.c | 15 +++++++++++++++
3 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/arch/arc/include/asm/irqflags-arcv2.h b/arch/arc/include/asm/irqflags-arcv2.h
index ad481c2..cce899e 100644
--- a/arch/arc/include/asm/irqflags-arcv2.h
+++ b/arch/arc/include/asm/irqflags-arcv2.h
@@ -22,6 +22,7 @@
#define AUX_IRQ_CTRL 0x00E
#define AUX_IRQ_ACT 0x043 /* Active Intr across all levels */
#define AUX_IRQ_LVL_PEND 0x200 /* Pending Intr across all levels */
+#define AUX_IRQ_HINT 0x201 /* For generating Soft Interrupts */
#define AUX_IRQ_PRIORITY 0x206
#define ICAUSE 0x40a
#define AUX_IRQ_SELECT 0x40b
@@ -109,6 +110,16 @@ static inline int arch_irqs_disabled(void)
return arch_irqs_disabled_flags(arch_local_save_flags());
}

+static inline void arc_softirq_trigger(int irq)
+{
+ write_aux_reg(AUX_IRQ_HINT, irq);
+}
+
+static inline void arc_softirq_clear(int irq)
+{
+ write_aux_reg(AUX_IRQ_HINT, 0);
+}
+
#else

.macro IRQ_DISABLE scratch
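Review bot: arc_softirq_clear() takes `irq` but never uses it; it writes 0 to AUX_IRQ_HINT whatever the argument. Either drop the parameter or add a comment that the hint register holds a single software interrupt number, so clearing is unconditional. As written, the signature suggests a per-IRQ clear that the body does not perform.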
diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S
index 1dc8e45..66527ae 100644
--- a/arch/arc/kernel/entry-arcv2.S
+++ b/arch/arc/kernel/entry-arcv2.S
@@ -45,11 +45,12 @@ VECTOR reserved ; Reserved slots
VECTOR handle_interrupt ; (16) Timer0
VECTOR handle_interrupt ; unused (Timer1)
VECTOR handle_interrupt ; unused (WDT)
-VECTOR handle_interrupt ; (19) ICI (inter core interrupt)
-VECTOR handle_interrupt
-VECTOR handle_interrupt
-VECTOR handle_interrupt
-VECTOR handle_interrupt ; (23) End of fixed IRQs
+VECTOR handle_interrupt ; (19) Inter core Interrupt (IPI)
+VECTOR handle_interrupt ; (20) perf Interrupt
+VECTOR handle_interrupt ; (21) Software Triggered Intr (Self IPI)
+VECTOR handle_interrupt ; unused
+VECTOR handle_interrupt ; (23) unused
+# End of fixed IRQs

.rept CONFIG_ARC_NUMBER_OF_INTERRUPTS - 8
VECTOR handle_interrupt
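Review bot: the new `# End of fixed IRQs` line uses `#` as the comment character while every other comment in this vector table uses `;`. Keeping it as a trailing `; (23) End of fixed IRQs` comment, as before, would stay consistent and avoid a line beginning with `#` in a preprocessed assembly file. The `.rept CONFIG_ARC_NUMBER_OF_INTERRUPTS - 8` below depends on there being exactly eight fixed slots, which is worth stating in that comment.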
diff --git a/arch/arc/kernel/mcip.c b/arch/arc/kernel/mcip.c
index 2fb8658..1b7a67d 100644
--- a/arch/arc/kernel/mcip.c
+++ b/arch/arc/kernel/mcip.c
@@ -11,8 +11,11 @@
#include <linux/smp.h>
#include <linux/irq.h>
#include <linux/spinlock.h>
+#include <asm/irqflags-arcv2.h>
#include <asm/mcip.h>

+#define SOFTIRQ_IRQ 21
+
static char smp_cpuinfo_buf[128];
static int idu_detected;

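Review bot: `#define SOFTIRQ_IRQ 21` is private to mcip.c, while the vector table in entry-arcv2.S documents the same number only in a comment. Defining it in a shared header next to IPI_IRQ, with a note that it must match the "(21) Software Triggered Intr" slot, would keep the two from drifting apart.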
@@ -28,6 +31,7 @@ static DEFINE_RAW_SPINLOCK(mcip_lock);
void mcip_init_smp(unsigned int cpu)
{
smp_ipi_irq_setup(cpu, IPI_IRQ);
+ smp_ipi_irq_setup(cpu, SOFTIRQ_IRQ);
}

static void mcip_ipi_send(int cpu)
@@ -35,6 +39,12 @@ static void mcip_ipi_send(int cpu)
unsigned long flags;
int ipi_was_pending;

+ /* ARConnect can only send IPI to others */
+ if (unlikely(cpu == raw_smp_processor_id())) {
+ arc_softirq_trigger(SOFTIRQ_IRQ);
+ return;
+ }
+
/*
* NOTE: We must spin here if the other cpu hasn't yet
* serviced a previous message. This can burn lots
@@ -69,6 +79,11 @@ static void mcip_ipi_clear(int irq)
unsigned long flags;
unsigned int __maybe_unused copy;

+ if (unlikely(irq == SOFTIRQ_IRQ)) {
+ arc_softirq_clear(irq);
+ return;
+ }
+
raw_spin_lock_irqsave(&mcip_lock, flags);

/* Who sent the IPI */
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:07 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Kai-Heng Feng <kaihe...@gmail.com>

commit 3b43b71f05d3ecd01c4116254666d9492301697d upstream.

After logging in to the desktop on Dell Inspiron 3162,
there's a very loud background noise coming from the builtin speaker.
The noise does not go away even if the speaker is muted.

The noise disappears after using the aamix fixup.

Codec: Realtek ALC3234
Address: 0
AFG Function Id: 0x1 (unsol 1)
Vendor Id: 0x10ec0255
Subsystem Id: 0x10280725
Revision Id: 0x100002
No Modem Function Group found

BugLink: http://bugs.launchpad.net/bugs/1549620
Signed-off-by: Kai-Heng Feng <kai.he...@canonical.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
sound/pci/hda/patch_realtek.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 2a8b9f7..cb26e7d 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4698,6 +4698,7 @@ enum {
ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE,
ALC293_FIXUP_LENOVO_SPK_NOISE,
ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
+ ALC255_FIXUP_DELL_SPK_NOISE,
};

static const struct hda_fixup alc269_fixups[] = {
@@ -5317,6 +5318,12 @@ static const struct hda_fixup alc269_fixups[] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc233_fixup_lenovo_line2_mic_hotkey,
},
+ [ALC255_FIXUP_DELL_SPK_NOISE] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_disable_aamix,
+ .chained = true,
+ .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
+ },
};

static const struct snd_pci_quirk alc269_fixup_tbl[] = {
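Review bot: the ALC255_FIXUP_DELL_SPK_NOISE entry chains to ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, but the commit message only discusses the speaker noise and the aamix fixup. A sentence on why the headset mic fixup is also wanted on this machine would document the chain.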
@@ -5359,6 +5366,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+ SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Stefan Hajnoczi <stef...@redhat.com>

commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.

The qword_get() function NUL-terminates its output buffer. If the input
string is in hex format \xXXXX... and the same length as the output
buffer, there is an off-by-one:

int qword_get(char **bpp, char *dest, int bufsize)
{
...
while (len < bufsize) {
...
*dest++ = (h << 4) | l;
len++;
}
...
*dest = '\0';
return len;
}

This patch ensures the NUL terminator doesn't fall outside the output
buffer.

Signed-off-by: Stefan Hajnoczi <stef...@redhat.com>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
net/sunrpc/cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 2928aff..8d79e70 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1218,7 +1218,7 @@ int qword_get(char **bpp, char *dest, int bufsize)
if (bp[0] == '\\' && bp[1] == 'x') {
/* HEX STRING */
bp += 2;
- while (len < bufsize) {
+ while (len < bufsize - 1) {
int h, l;

h = hex_to_bin(bp[0]);
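Review bot: with the bound changed to `len < bufsize - 1`, a call with bufsize of 0 skips the loop, but the `*dest = '\0'` shown in the commit message still stores one byte. If callers can never pass a zero-sized buffer, a comment or an early return for `bufsize <= 0` at the top of qword_get() would make that explicit. A comment at the loop saying the last byte is reserved for the terminator would also stop the bound from being "simplified" back.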
--
2.7.0
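The off-by-one described in the qword_get() message above, as an added userspace illustration that is not part of the patch or of the kernel source. `hex_decode()` is a simplified model of the hex branch only; `hex_val()`, `decode_checked()` and `BUFSIZE` are names assumed for this example, and the input string is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 4   /* destination size, chosen for the demo (assumption) */

/* Userspace stand-in for the kernel's hex_to_bin(): 0..15, or -1 if not hex. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/*
 * Model of the hex loop plus terminator. `limit` is the loop bound:
 * bufsize is the old code, bufsize - 1 the patched code.
 * Returns the index at which the NUL terminator was stored.
 */
static int hex_decode(const char *bp, char *dest, int limit)
{
    int len = 0;

    while (len < limit) {
        int h = hex_val(bp[0]);
        int l = (h < 0) ? -1 : hex_val(bp[1]);

        if (l < 0)
            break;
        dest[len++] = (char)((h << 4) | l);
        bp += 2;
    }
    dest[len] = '\0';
    return len;
}

/*
 * Decode into a BUFSIZE-byte buffer followed by one guard byte.
 * Returns the NUL index, or -1 if the terminator landed on the guard byte.
 */
static int decode_checked(const char *hex, int limit)
{
    char mem[BUFSIZE + 1];
    int idx;

    memset(mem, 0x55, sizeof(mem));
    idx = hex_decode(hex, mem, limit);
    return mem[BUFSIZE] == 0x55 ? idx : -1;
}

int main(void)
{
    const char *input = "41424344";   /* constructed: exactly BUFSIZE bytes of hex */

    printf("old bound: %d\n", decode_checked(input, BUFSIZE));
    printf("new bound: %d\n", decode_checked(input, BUFSIZE - 1));
    return 0;
}
```

With the old bound the terminator is written one byte past the buffer (reported as -1); with the patched bound the output is truncated to BUFSIZE - 1 bytes and the terminator stays inside.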

Kamal Mostafa

Mar 7, 2016, 6:30:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Al Viro <vi...@zeniv.linux.org.uk>

commit a7f775428b8f5808815c0e3004020cedb94cbe3b upstream.

... otherwise d_is_symlink() above might have nothing to do with
the inode value we've got.

Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
fs/namei.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/fs/namei.c b/fs/namei.c
index 1047096..414561f 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1714,6 +1714,11 @@ static inline int should_follow_link(struct nameidata *nd, struct path *link,
return 0;
if (!follow)
return 0;
+ /* make sure that d_is_symlink above matches inode */
+ if (nd->flags & LOOKUP_RCU) {
+ if (read_seqcount_retry(&link->dentry->d_seq, seq))
+ return -ECHILD;
+ }
return pick_link(nd, link, inode, seq);
}

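Review bot: the two nested conditions added to should_follow_link() can be a single `if ((nd->flags & LOOKUP_RCU) && read_seqcount_retry(&link->dentry->d_seq, seq))`, which drops a level of braces. The commit body also opens with "... otherwise", so it only makes sense together with the subject line; the in-code comment should carry the full reasoning, including that the recheck is needed only in RCU mode.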
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:08 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Guozhonghua <guozh...@h3c.com>

commit a4a8481ff68a8a324a878e281bc37f18665224f7 upstream.

When doing append direct io cleanup, if deleting inode fails, it goes
out without unlocking inode, which will cause the inode deadlock.

This issue was introduced by commit cf1776a9e834 ("ocfs2: fix a tiny
race when truncate dio orohaned entry").

Signed-off-by: Guozhonghua <guozh...@h3c.com>
Signed-off-by: Joseph Qi <jose...@huawei.com>
Reviewed-by: Gang He <g...@suse.com>
Cc: Mark Fasheh <mfa...@suse.de>
Cc: Joel Becker <jl...@evilplan.org>
Cc: Junxiao Bi <junxi...@oracle.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
fs/ocfs2/aops.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c
index 0f5fd9d..46112be 100644
--- a/fs/ocfs2/aops.c
+++ b/fs/ocfs2/aops.c
@@ -934,6 +934,7 @@ clean_orphan:
tmp_ret = ocfs2_del_inode_from_orphan(osb, inode, di_bh,
update_isize, end);
if (tmp_ret < 0) {
+ ocfs2_inode_unlock(inode, 1);
ret = tmp_ret;
mlog_errno(ret);
goto out;
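Review bot: the unlock is added inline in the `tmp_ret < 0` branch just before `goto out`, so this error path now has to mirror by hand whatever the normal path releases. A dedicated unlock label ahead of `out:` would keep the lock and unlock pairing in one place and make the next error branch added under clean_orphan harder to get wrong.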
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Colin Ian King <colin...@canonical.com>

commit 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 upstream.

In the unlikely event that regno == nr_registers then we get an array
overrun on regoff because the invalid register check is currently
off-by-one. Fix this with a check that regno is >= nr_registers instead.

Detected with static analysis using CoverityScan.

Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information"
Signed-off-by: Colin Ian King <colin...@canonical.com>
Acked-by: Dave Hansen <dave....@linux.intel.com>
Cc: Borislav Petkov <b...@alien8.de>
Cc: "Kirill A . Shutemov" <kirill....@linux.intel.com>
Link: http://lkml.kernel.org/r/1456512931-3388-1-git...@canonical.com
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
arch/x86/mm/mpx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index 27f8393..b77009c 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -160,7 +160,7 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
break;
}

- if (regno > nr_registers) {
+ if (regno >= nr_registers) {
WARN_ONCE(1, "decoded an instruction with an invalid register");
return -EINVAL;
}
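Review bot: the WARN_ONCE() message on the corrected `regno >= nr_registers` check does not include the offending values. Printing `regno` and `nr_registers` in the format string would make a report from the field actionable, and a short comment that `regno` indexes an array of `nr_registers` entries would explain why the comparison must be `>=`.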
--
2.7.0

Kamal Mostafa

Mar 7, 2016, 6:30:09 PM
4.2.8-ckt5 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Mike Snitzer <sni...@redhat.com>

commit 4328daa2e79ed904a42ce00a9f38b9c36b44b21a upstream.

Using request-based DM mpath configured with the following stacking
(.request_fn DM mpath on top of scsi-mq paths):

echo Y > /sys/module/scsi_mod/parameters/use_blk_mq
echo N > /sys/module/dm_mod/parameters/use_blk_mq

'struct dm_rq_target_io' would leak if a request is requeued before a
blk-mq clone is allocated (or fails to allocate). free_rq_tio()
wasn't being called.

kmemleak reported:

unreferenced object 0xffff8800b90b98c0 (size 112):
comm "kworker/7:1H", pid 5692, jiffies 4295056109 (age 78.589s)
hex dump (first 32 bytes):
00 d0 5c 2c 03 88 ff ff 40 00 bf 01 00 c9 ff ff ..\,....@.......
e0 d9 b1 34 00 88 ff ff 00 00 00 00 00 00 00 00 ...4............
backtrace:
[<ffffffff81672b6e>] kmemleak_alloc+0x4e/0xb0
[<ffffffff811dbb63>] kmem_cache_alloc+0xc3/0x1e0
[<ffffffff8117eae5>] mempool_alloc_slab+0x15/0x20
[<ffffffff8117ec1e>] mempool_alloc+0x6e/0x170
[<ffffffffa00029ac>] dm_old_prep_fn+0x3c/0x180 [dm_mod]
[<ffffffff812fbd78>] blk_peek_request+0x168/0x290
[<ffffffffa0003e62>] dm_request_fn+0xb2/0x1b0 [dm_mod]
[<ffffffff812f66e3>] __blk_run_queue+0x33/0x40
[<ffffffff812f9585>] blk_delay_work+0x25/0x40
[<ffffffff81096fff>] process_one_work+0x14f/0x3d0
[<ffffffff81097715>] worker_thread+0x125/0x4b0
[<ffffffff8109ce88>] kthread+0xd8/0xf0
[<ffffffff8167cb8f>] ret_from_fork+0x3f/0x70
[<ffffffffffffffff>] 0xffffffffffffffff

crash> struct -o dm_rq_target_io
struct dm_rq_target_io {
...
}
SIZE: 112

Fixes: e5863d9ad7 ("dm: allocate requests in target when stacking on blk-mq devices")
Signed-off-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>
---
drivers/md/dm.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index e0bf361..3f82998 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1161,6 +1161,8 @@ static void dm_unprep_request(struct request *rq)

if (clone)
free_rq_clone(clone);
+ else if (!tio->md->queue->mq_ops)
+ free_rq_tio(tio);
}

/*
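Review bot: the new `else if (!tio->md->queue->mq_ops)` branch in dm_unprep_request() has no comment, and the condition does not say on its face why the tio is freed only when the DM queue is not blk-mq. A one-line comment tying it to the case in the commit message (request requeued before a clone was allocated on a .request_fn queue) would help, as would a note on who owns the tio when mq_ops is set.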
--
2.7.0