[PATCH 3.14 14/29] tile: use free_bootmem

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 649ccd08534ee26deb2e5b08509800d0e95167f5 upstream.

MacBook Pro 5,2 with ALC889 codec had already a fixup entry, but this
seems not working correctly, a fix for pin NID 0x15 is needed in
addition. It's equivalent with the fixup for MacBook Air 1,1, so use
this instead.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=102131
Reported-and-tested-by: Jeffery Miller <jeff...@gmail.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

sound/pci/hda/patch_realtek.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2282,7 +2282,7 @@ static const struct snd_pci_quirk alc882
SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF),
SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF),
SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF),
- SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_IMAC91_VREF),
+ SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF),

SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD),
SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:10:07 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Zhuang Jin Can <jin.can...@intel.com>

commit fac4271d1126c45ceaceb7f4a336317b771eb121 upstream.

When the link is just waken, it's in Resume state, and driver sets PLS to
U0. This refers to Phase 1. Phase 2 refers to when the link has completed
the transition from Resume state to U0.

With the fix of xhci: report U3 when link is in resume state, it also
exposes an issue that usb3 roothub and controller can suspend right
after phase 1, and this causes a hard hang in controller.

To fix the issue, we need to prevent usb3 bus suspend if any port is
resuming in phase 1.

[merge separate USB2 and USB3 port resume checking to one -Mathias]

Signed-off-by: Zhuang Jin Can <jin.can...@intel.com>
Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/usb/host/xhci-hub.c | 6 +++---
drivers/usb/host/xhci-ring.c | 3 +++
drivers/usb/host/xhci.h | 1 +
3 files changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1117,10 +1117,10 @@ int xhci_bus_suspend(struct usb_hcd *hcd
spin_lock_irqsave(&xhci->lock, flags);

if (hcd->self.root_hub->do_remote_wakeup) {
- if (bus_state->resuming_ports) {
+ if (bus_state->resuming_ports || /* USB2 */
+ bus_state->port_remote_wakeup) { /* USB3 */
spin_unlock_irqrestore(&xhci->lock, flags);
- xhci_dbg(xhci, "suspend failed because "
- "a port is resuming\n");
+ xhci_dbg(xhci, "suspend failed because a port is resuming\n");
return -EBUSY;
}
}
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1740,6 +1740,9 @@ static void handle_port_status(struct xh
usb_hcd_resume_root_hub(hcd);
}

+ if (hcd->speed == HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE)
+ bus_state->port_remote_wakeup &= ~(1 << faked_port_index);
+
if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) {
xhci_dbg(xhci, "port resume event for port %d\n", port_id);

--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -285,6 +285,7 @@ struct xhci_op_regs {
#define XDEV_U0 (0x0 << 5)
#define XDEV_U2 (0x2 << 5)
#define XDEV_U3 (0x3 << 5)
+#define XDEV_INACTIVE (0x6 << 5)
#define XDEV_RESUME (0xf << 5)
/* true: port has power (see HCC_PPC) */
#define PORT_POWER (1 << 9)

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:10:07 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Fupan Li <fupa...@windriver.com>

Commit 35d5134b7d5a
("x86/efi: Correct EFI boot stub use of code32_start")
imported a bug, which will cause 32bit kernel boot failed
using efi method. It should use the label's address instead
of the value stored in the label to caculate the address of
code32_start.

Signed-off-by: Fupan Li <fupa...@windriver.com>
Reviewed-by: Matt Fleming <matt.f...@intel.com>
---
arch/x86/boot/compressed/head_32.S | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/boot/compressed/head_32.S
+++ b/arch/x86/boot/compressed/head_32.S
@@ -54,7 +54,7 @@ ENTRY(efi_pe_entry)
call reloc
reloc:
popl %ecx
- subl reloc, %ecx
+ subl $reloc, %ecx
movl %ecx, BP_code32_start(%eax)

sub $0x4, %esp

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:20:05 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jingju Hou <houj...@marvell.com>

commit 9cd76049f0d90ae241f5ad80e311489824527000 upstream.

pdev->dev.platform_data is not initialized if match is true in function
sdhci_pxav3_probe. Just local variable pdata is assigned the return value
from function pxav3_get_mmc_pdata().

static int sdhci_pxav3_probe(struct platform_device *pdev) {

struct sdhci_pxa_platdata *pdata = pdev->dev.platform_data;
...
if (match) {
ret = mmc_of_parse(host->mmc);
if (ret)
goto err_of_parse;
sdhci_get_of_property(pdev);
pdata = pxav3_get_mmc_pdata(dev);
}
...
}

Signed-off-by: Jingju Hou <houj...@marvell.com>
Fixes: b650352dd3df("mmc: sdhci-pxa: Add device tree support")
Signed-off-by: Ulf Hansson <ulf.h...@linaro.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/mmc/host/sdhci-pxav3.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -257,6 +257,7 @@ static int sdhci_pxav3_probe(struct plat
goto err_of_parse;
sdhci_get_of_property(pdev);
pdata = pxav3_get_mmc_pdata(dev);
+ pdev->dev.platform_data = pdata;
} else if (pdata) {
/* on-chip device */
if (pdata->flags & PXA_FLAG_CARD_PERMANENT)

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:20:07 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <ne...@suse.com>

commit 34cab6f42003cb06f48f86a86652984dec338ae9 upstream.

When we get a read error from the last working device, we don't
try to repair it, and don't fail the device. We simple report a
read error to the caller.

However the current test for 'is this the last working device' is
wrong.
When there is only one fully working device, it assumes that a
non-faulty device is that device. However a spare which is rebuilding
would be non-faulty but so not the only working device.

So change the test from "!Faulty" to "In_sync". If ->degraded says
there is only one fully working device and this device is in_sync,
this must be the one.

This bug has existed since we allowed read_balance to read from
a recovering spare in v3.0

Reported-and-tested-by: Alexander Lyakas <alex.b...@gmail.com>
Fixes: 76073054c95b ("md/raid1: clean up read_balance.")
Signed-off-by: NeilBrown <ne...@suse.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/md/raid1.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -336,7 +336,7 @@ static void raid1_end_read_request(struc
spin_lock_irqsave(&conf->device_lock, flags);
if (r1_bio->mddev->degraded == conf->raid_disks ||
(r1_bio->mddev->degraded == conf->raid_disks-1 &&
- !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags)))
+ test_bit(In_sync, &conf->mirrors[mirror].rdev->flags)))
uptodate = 1;
spin_unlock_irqrestore(&conf->device_lock, flags);

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:50:05 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.com>

commit 5fb2c782f451a4fb9c19c076e2c442839faf0f76 upstream.

This device automatically switches itself to another mode (0x1405)
unless the specific access pattern of Windows is followed in its
initial mode. That makes a dirty unmount of the internal storage
devices inevitable if they are mounted. So the card reader of
such a device should be ignored, lest an unclean removal become
inevitable.

This replaces an earlier patch that ignored all LUNs of this device.
That patch was overly broad.

Signed-off-by: Oliver Neukum <one...@suse.com>
Reviewed-by: Lars Melin <lar...@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

unread,

Aug 8, 2015, 6:50:06 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Yao-Wen Mao <yao...@google.com>

commit 2d1cb7f658fb9c3ba8f9dab8aca297d4dfdec835 upstream.

Add the correct dB ranges of Bose Companion 5 and Drangonfly DAC 1.2.

Signed-off-by: Yao-Wen Mao <yao...@google.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

sound/usb/mixer_maps.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)

--- a/sound/usb/mixer_maps.c
+++ b/sound/usb/mixer_maps.c
@@ -336,6 +336,20 @@ static const struct usbmix_name_map scms
{ 0 }
};

+/* Bose companion 5, the dB conversion factor is 16 instead of 256 */
+static struct usbmix_dB_map bose_companion5_dB = {-5006, -6};
+static struct usbmix_name_map bose_companion5_map[] = {
+ { 3, NULL, .dB = &bose_companion5_dB },
+ { 0 } /* terminator */
+};
+
+/* Dragonfly DAC 1.2, the dB conversion factor is 1 instead of 256 */
+static struct usbmix_dB_map dragonfly_1_2_dB = {0, 5000};
+static struct usbmix_name_map dragonfly_1_2_map[] = {
+ { 7, NULL, .dB = &dragonfly_1_2_dB },
+ { 0 } /* terminator */
+};
+
/*
* Control map entries
*/
@@ -442,6 +456,16 @@ static struct usbmix_ctl_map usbmix_ctl_
.id = USB_ID(0x25c4, 0x0003),
.map = scms_usb3318_map,
},
+ {
+ /* Bose Companion 5 */
+ .id = USB_ID(0x05a7, 0x1020),
+ .map = bose_companion5_map,
+ },
+ {
+ /* Dragonfly DAC 1.2 */
+ .id = USB_ID(0x21b4, 0x0081),
+ .map = dragonfly_1_2_map,
+ },
{ 0 } /* terminator */

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:50:06 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.s...@linux.intel.com>

commit 5c02a4206538da12c040b51778d310df84c6bf6c upstream.

Since NULL is used as valid clock object on optional clocks we have to handle
this case in avr32 implementation as well.

Fixes: e1824dfe0d8e (net: macb: Adjust tx_clk when link speed changes)
Signed-off-by: Andy Shevchenko <andriy.s...@linux.intel.com>
Acked-by: Hans-Christian Egtvedt <egt...@samfundet.no>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/avr32/mach-at32ap/clock.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)

--- a/arch/avr32/mach-at32ap/clock.c
+++ b/arch/avr32/mach-at32ap/clock.c
@@ -80,6 +80,9 @@ int clk_enable(struct clk *clk)
{
unsigned long flags;

+ if (!clk)
+ return 0;
+
spin_lock_irqsave(&clk_lock, flags);
__clk_enable(clk);
spin_unlock_irqrestore(&clk_lock, flags);
@@ -106,6 +109,9 @@ void clk_disable(struct clk *clk)
{
unsigned long flags;

+ if (IS_ERR_OR_NULL(clk))
+ return;
+
spin_lock_irqsave(&clk_lock, flags);
__clk_disable(clk);
spin_unlock_irqrestore(&clk_lock, flags);
@@ -117,6 +123,9 @@ unsigned long clk_get_rate(struct clk *c
unsigned long flags;
unsigned long rate;

+ if (!clk)
+ return 0;
+
spin_lock_irqsave(&clk_lock, flags);
rate = clk->get_rate(clk);
spin_unlock_irqrestore(&clk_lock, flags);
@@ -129,6 +138,9 @@ long clk_round_rate(struct clk *clk, uns
{
unsigned long flags, actual_rate;

+ if (!clk)
+ return 0;
+
if (!clk->set_rate)
return -ENOSYS;

@@ -145,6 +157,9 @@ int clk_set_rate(struct clk *clk, unsign
unsigned long flags;
long ret;

+ if (!clk)
+ return 0;
+
if (!clk->set_rate)
return -ENOSYS;

@@ -161,6 +176,9 @@ int clk_set_parent(struct clk *clk, stru
unsigned long flags;
int ret;

+ if (!clk)
+ return 0;
+
if (!clk->set_parent)
return -ENOSYS;

@@ -174,7 +192,7 @@ EXPORT_SYMBOL(clk_set_parent);

struct clk *clk_get_parent(struct clk *clk)
{
- return clk->parent;
+ return !clk ? NULL : clk->parent;
}
EXPORT_SYMBOL(clk_get_parent);

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:50:06 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lior Amsalem <al...@marvell.com>

commit 945b47441d83d2392ac9f984e0267ad521f24268 upstream.

This commit adds the necessary quirk to make the Marvell 4140 SATA PMP
work properly. This PMP doesn't like SRST on port number 4 (the host
port) so this commit marks this port as not supporting SRST.

Signed-off-by: Lior Amsalem <al...@marvell.com>
Reviewed-by: Nadav Haklai <nad...@marvell.com>
Signed-off-by: Thomas Petazzoni <thomas.p...@free-electrons.com>
Signed-off-by: Tejun Heo <t...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/ata/libata-pmp.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/ata/libata-pmp.c
+++ b/drivers/ata/libata-pmp.c
@@ -460,6 +460,13 @@ static void sata_pmp_quirks(struct ata_p
ATA_LFLAG_NO_SRST |
ATA_LFLAG_ASSUME_ATA;
}
+ } else if (vendor == 0x11ab && devid == 0x4140) {
+ /* Marvell 4140 quirks */
+ ata_for_each_link(link, ap, EDGE) {
+ /* port 4 is for SEMB device and it doesn't like SRST */
+ if (link->pmp == 4)
+ link->flags |= ATA_LFLAG_DISABLED;
+ }

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:50:06 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tejun Heo <t...@kernel.org>

commit 5f6c2d2b7dbb541c1e922538c49fa04c494ae3d7 upstream.

When a blkcg configuration is targeted to a partition rather than a
whole device, blkg_conf_prep fails with -EINVAL; unfortunately, it
forgets to put the gendisk ref in that case. Fix it.

Signed-off-by: Tejun Heo <t...@kernel.org>
Signed-off-by: Jens Axboe <ax...@fb.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

block/blk-cgroup.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -703,8 +703,12 @@ int blkg_conf_prep(struct blkcg *blkcg,
return -EINVAL;

disk = get_gendisk(MKDEV(major, minor), &part);
- if (!disk || part)
+ if (!disk)
return -EINVAL;
+ if (part) {
+ put_disk(disk);
+ return -EINVAL;
+ }

rcu_read_lock();
spin_lock_irq(disk->queue->queue_lock);

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:50:06 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Skorodumov <sdm...@parallels.com>

commit 7cc03e48965453b5df1cce5062c826189b04b960 upstream.

The efi_info structure stores low 32 bits of memory map
in efi_memmap and high 32 bits in efi_memmap_hi.

While constructing pointer in the setup_e820(), need
to take into account all 64 bit of the pointer.

It is because on 64bit machine the function
efi_get_memory_map() may return full 64bit pointer and before
the patch that pointer was truncated.

The issue is triggered on Parallles virtual machine and
fixed with this patch.

Signed-off-by: Dmitry Skorodumov <sdm...@parallels.com>
Cc: Denis V. Lunev <d...@openvz.org>
Signed-off-by: Matt Fleming <matt.f...@intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

unread,

Aug 8, 2015, 6:50:08 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <n...@linux-iscsi.org>

commit 417c20a9bdd1e876384127cf096d8ae8b559066c upstream.

This patch fixes a use-after-free bug in iscsit_release_sessions_for_tpg()
where se_portal_group->session_lock was incorrectly released/re-acquired
while walking the active se_portal_group->tpg_sess_list.

The can result in a NULL pointer dereference when iscsit_close_session()
shutdown happens in the normal path asynchronously to this code, causing
a bogus dereference of an already freed list entry to occur.

To address this bug, walk the session list checking for the same state
as before, but move entries to a local list to avoid dropping the lock
while walking the active list.

As before, signal using iscsi_session->session_restatement=1 for those
list entries to be released locally by iscsit_free_session() code.

Reported-by: Sunilkumar Nadumuttlu <s...@datera.io>
Cc: Sunilkumar Nadumuttlu <s...@datera.io>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/target/iscsi/iscsi_target.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4709,6 +4709,7 @@ int iscsit_release_sessions_for_tpg(stru
struct iscsi_session *sess;
struct se_portal_group *se_tpg = &tpg->tpg_se_tpg;
struct se_session *se_sess, *se_sess_tmp;
+ LIST_HEAD(free_list);
int session_count = 0;

spin_lock_bh(&se_tpg->session_lock);
@@ -4730,14 +4731,17 @@ int iscsit_release_sessions_for_tpg(stru
}
atomic_set(&sess->session_reinstatement, 1);
spin_unlock(&sess->conn_lock);
- spin_unlock_bh(&se_tpg->session_lock);

- iscsit_free_session(sess);
- spin_lock_bh(&se_tpg->session_lock);
+ list_move_tail(&se_sess->sess_list, &free_list);
+ }
+ spin_unlock_bh(&se_tpg->session_lock);

+ list_for_each_entry_safe(se_sess, se_sess_tmp, &free_list, sess_list) {
+ sess = (struct iscsi_session *)se_sess->fabric_sess_ptr;
+
+ iscsit_free_session(sess);
session_count++;
}
- spin_unlock_bh(&se_tpg->session_lock);

pr_debug("Released %d iSCSI Session(s) from Target Portal"
" Group: %hu\n", session_count, tpg->tpgt);

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:50:08 PM8/8/15

to

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Kirill A. Shutemov" <kirill....@linux.intel.com>

commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d upstream.

Reading page fault handler code I've noticed that under right
circumstances kernel would map anonymous pages into file mappings: if
the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
on ->mmap(), kernel would handle page fault to not populated pte with
do_anonymous_page().

Let's change page fault handler to use do_anonymous_page() only on
anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
shared.

For file mappings without vm_ops->fault() or shred VMA without vm_ops,
page fault on pte_none() entry would lead to SIGBUS.

Signed-off-by: Kirill A. Shutemov <kirill....@linux.intel.com>
Acked-by: Oleg Nesterov <ol...@redhat.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Willy Tarreau <w...@1wt.eu>
Cc: sta...@vger.kernel.org
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

mm/memory.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3234,6 +3234,10 @@ static int do_anonymous_page(struct mm_s

pte_unmap(page_table);

+ /* File mapping without ->vm_ops ? */
+ if (vma->vm_flags & VM_SHARED)
+ return VM_FAULT_SIGBUS;
+
/* Check if we need to add a guard page to the stack */
if (check_stack_guard_page(vma, address) < 0)
return VM_FAULT_SIGSEGV;
@@ -3502,6 +3506,9 @@ static int do_linear_fault(struct mm_str
- vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;

pte_unmap(page_table);
+ /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
+ if (!vma->vm_ops->fault)
+ return VM_FAULT_SIGBUS;
return __do_fault(mm, vma, address, pmd, pgoff, flags, orig_pte);
}

@@ -3650,11 +3657,9 @@ static int handle_pte_fault(struct mm_st
entry = ACCESS_ONCE(*pte);
if (!pte_present(entry)) {
if (pte_none(entry)) {
- if (vma->vm_ops) {
- if (likely(vma->vm_ops->fault))
- return do_linear_fault(mm, vma, address,
+ if (vma->vm_ops)
+ return do_linear_fault(mm, vma, address,
pte, pmd, flags, entry);
- }
return do_anonymous_page(mm, vma, address,
pte, pmd, flags);

Greg Kroah-Hartman

unread,

Aug 8, 2015, 6:50:11 PM8/8/15

to

This is the start of the stable review cycle for the 3.14.50 release.
There are 29 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Mon Aug 10 22:06:58 UTC 2015.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.14.50-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gre...@linuxfoundation.org>
Linux 3.14.50-rc1

Fupan Li <fupa...@windriver.com>
efi: fix 32bit kernel boot failed problem using efi

Nicholas Bellinger <n...@linux-iscsi.org>
iscsi-target: Fix iser explicit logout TX kthread leak

Nicholas Bellinger <n...@linux-iscsi.org>
iscsi-target: Fix use-after-free during TPG session shutdown

Andy Shevchenko <andriy.s...@linux.intel.com>
avr32: handle NULL as a valid clock object

Marc-André Lureau <marcandr...@redhat.com>
vhost: actually track log eventfd file

Wengang Wang <wen.ga...@oracle.com>
rds: rds_ib_device.refcount overflow

Dmitry Skorodumov <sdm...@parallels.com>
x86/efi: Use all 64 bit of efi_memmap in setup_e820()

Zhuang Jin Can <jin.can...@intel.com>
xhci: do not report PLC when link is in internal resume state

Zhuang Jin Can <jin.can...@intel.com>
xhci: prevent bus_suspend if SS port resuming in phase 1

Zhuang Jin Can <jin.can...@intel.com>

xhci: report U3 when link is in resume state

Brian Campbell <ba...@z273.org.uk>
xhci: Calculate old endpoints correctly on device reset

Oliver Neukum <one...@suse.com>
usb-storage: ignore ZTE MF 823 card reader in mode 0x1225

Lior Amsalem <al...@marvell.com>
ata: pmp: add quirk for Marvell 4140 SATA PMP

Tejun Heo <t...@kernel.org>
blkcg: fix gendisk reference leak in blkg_conf_prep()

Bernhard Bender <bernhar...@bytecmed.com>
Input: usbtouchscreen - avoid unresponsive TSC-30 touch screen

Chris Metcalf <cmet...@ezchip.com>
tile: use free_bootmem_late() for initrd

NeilBrown <ne...@suse.com>
md/raid1: fix test for 'was read error from last working device'.

Jingju Hou <houj...@marvell.com>
mmc: sdhci-pxav3: fix platform_data is not initialized

Joakim Tjernlund <Joakim.T...@transmode.se>
mmc: sdhci-esdhc: Make 8BIT bus work

Tom Hughes <t...@compton.nu>
mac80211: clear subdir_stations when removing debugfs

Seymour, Shane M <shane....@hp.com>
st: null pointer dereference panic caused by use after kref_put by st_open

Takashi Iwai <ti...@suse.de>
ALSA: hda - Fix MacBook Pro 5,2 quirk

Yao-Wen Mao <yao...@google.com>
ALSA: usb-audio: add dB range mapping for some devices

Dominic Sacré <domini...@gmx.de>
ALSA: usb-audio: Add MIDI support for Steinberg MI2/MI4

Thomas Gleixner <tg...@linutronix.de>
genirq: Prevent resend to interrupts marked IRQ_NESTED_THREAD

Alexey Brodkin <abro...@synopsys.com>
ARC: make sure instruction_pointer() returns unsigned value

Martin Schwidefsky <schwi...@de.ibm.com>
s390/sclp: clear upper register halves in _sclp_print_early

Al Viro <vi...@ZenIV.linux.org.uk>
freeing unlinked file indefinitely delayed

Kirill A. Shutemov <kirill....@linux.intel.com>
mm: avoid setting up anonymous pages into file mapping

-------------

Diffstat:

Makefile | 4 +-
arch/arc/include/asm/ptrace.h | 2 +-
arch/avr32/mach-at32ap/clock.c | 20 ++++++++-
arch/s390/kernel/sclp.S | 4 ++
arch/tile/kernel/setup.c | 2 +-
arch/x86/boot/compressed/eboot.c | 4 ++
arch/x86/boot/compressed/head_32.S | 2 +-
block/blk-cgroup.c | 6 ++-
drivers/ata/libata-pmp.c | 7 +++
drivers/input/touchscreen/usbtouchscreen.c | 3 ++
drivers/md/raid1.c | 2 +-
drivers/mmc/host/sdhci-esdhc.h | 2 +-
drivers/mmc/host/sdhci-pxav3.c | 1 +
drivers/scsi/st.c | 2 +-
drivers/target/iscsi/iscsi_target.c | 30 ++++++++++---
drivers/usb/host/xhci-hub.c | 22 +++++++---
drivers/usb/host/xhci-ring.c | 3 ++
drivers/usb/host/xhci.c | 3 ++
drivers/usb/host/xhci.h | 1 +
drivers/usb/storage/unusual_devs.h | 12 ++++++
drivers/vhost/vhost.c | 1 +
fs/dcache.c | 3 ++
kernel/irq/resend.c | 18 +++++---
mm/memory.c | 13 ++++--
net/mac80211/debugfs_netdev.c | 1 +
net/rds/ib_rdma.c | 4 +-
sound/pci/hda/patch_realtek.c | 2 +-
sound/usb/mixer_maps.c | 24 +++++++++++
sound/usb/quirks-table.h | 68 ++++++++++++++++++++++++++++++
29 files changed, 233 insertions(+), 33 deletions(-)

Guenter Roeck

unread,

Aug 8, 2015, 11:20:04 PM8/8/15

to

On 08/08/2015 03:07 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.14.50 release.
> There are 29 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Mon Aug 10 22:06:58 UTC 2015.
> Anything received after that time might be too late.
>

Build results:
total: 135 pass: 135 fail: 0
Qemu test results:
total: 58 pass: 56 fail: 2
Failed tests:
arm:realview-eb-mpcore:arm_realview_eb_defconfig
arm:realview-eb:arm_realview_eb_defconfig

As with 3.10, the failed qemu tests are not new problems, but found due to
newly introduced tests. Request to include the fix in -stable is here [1].

Details are available at http://server.roeck-us.net:8010/builders.

Guenter

---
[1] http://permalink.gmane.org/gmane.linux.kernel.stable/145285

Sudip Mukherjee

unread,

Aug 10, 2015, 1:10:06 AM8/10/15

to

On Sat, Aug 08, 2015 at 03:07:23PM -0700, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.14.50 release.
> There are 29 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Mon Aug 10 22:06:58 UTC 2015.
> Anything received after that time might be too late.

Compiled and booted on x86_32. No errors in dmesg.

regards
sudip

Shuah Khan

unread,

Aug 10, 2015, 2:20:06 PM8/10/15

unread,

Aug 12, 2015, 5:00:09 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <ne...@suse.com>

commit 34cab6f42003cb06f48f86a86652984dec338ae9 upstream.

When we get a read error from the last working device, we don't
try to repair it, and don't fail the device. We simple report a
read error to the caller.

However the current test for 'is this the last working device' is
wrong.
When there is only one fully working device, it assumes that a
non-faulty device is that device. However a spare which is rebuilding
would be non-faulty but so not the only working device.

So change the test from "!Faulty" to "In_sync". If ->degraded says
there is only one fully working device and this device is in_sync,
this must be the one.

This bug has existed since we allowed read_balance to read from
a recovering spare in v3.0

Reported-and-tested-by: Alexander Lyakas <alex.b...@gmail.com>
Fixes: 76073054c95b ("md/raid1: clean up read_balance.")
Signed-off-by: NeilBrown <ne...@suse.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/md/raid1.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index b96ee9d78aa3..9be97e0bd149 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -336,7 +336,7 @@ static void raid1_end_read_request(struct bio *bio, int error)

spin_lock_irqsave(&conf->device_lock, flags);
if (r1_bio->mddev->degraded == conf->raid_disks ||
(r1_bio->mddev->degraded == conf->raid_disks-1 &&
- !test_bit(Faulty, &conf->mirrors[mirror].rdev->flags)))
+ test_bit(In_sync, &conf->mirrors[mirror].rdev->flags)))
uptodate = 1;
spin_unlock_irqrestore(&conf->device_lock, flags);
}

Luis Henriques

unread,

Aug 12, 2015, 5:00:09 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Joe Perches <j...@perches.com>

commit a28e4b2b18ccb90df402da3f21e1a83c9d4f8ec1 upstream.

Removing unnecessary static buffers is good.
Use the vsprintf %pV extension instead.

Signed-off-by: Joe Perches <j...@perches.com>
Signed-off-by: Mikulas Patocka <mik...@twibright.com>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

fs/hpfs/super.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c
index e12a06b300e0..8685c655737f 100644
--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -52,17 +52,20 @@ static void unmark_dirty(struct super_block *s)
}

/* Filesystem error... */
-static char err_buf[1024];
-
void hpfs_error(struct super_block *s, const char *fmt, ...)
{
+ struct va_format vaf;
va_list args;

va_start(args, fmt);
- vsnprintf(err_buf, sizeof(err_buf), fmt, args);
+
+ vaf.fmt = fmt;
+ vaf.va = &args;
+
+ pr_err("filesystem error: %pV", &vaf);
+
va_end(args);

- pr_err("filesystem error: %s", err_buf);
if (!hpfs_sb(s)->sb_was_error) {
if (hpfs_sb(s)->sb_err == 2) {
pr_cont("; crashing the system because you wanted it\n");

Luis Henriques

unread,

Aug 12, 2015, 5:00:09 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Chris Metcalf <cmet...@ezchip.com>

commit 3f81d2447b37ac697b3c600039f2c6b628c06e21 upstream.

We were previously using free_bootmem() and just getting lucky
that nothing too bad happened.

Signed-off-by: Chris Metcalf <cmet...@ezchip.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/tile/kernel/setup.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/tile/kernel/setup.c b/arch/tile/kernel/setup.c
index 112ababa9e55..d8a9df999da3 100644
--- a/arch/tile/kernel/setup.c
+++ b/arch/tile/kernel/setup.c
@@ -1144,7 +1144,7 @@ static void __init load_hv_initrd(void)

void __init free_initrd_mem(unsigned long begin, unsigned long end)
{
- free_bootmem(__pa(begin), end - begin);
+ free_bootmem_late(__pa(begin), end - begin);
}

static int __init setup_initrd(char *str)

Luis Henriques

unread,

Aug 12, 2015, 5:00:10 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwi...@de.ibm.com>

commit f9c87a6f46d508eae0d9ae640be98d50f237f827 upstream.

If the kernel is compiled with gcc 5.1 and the XZ compression option
the decompress_kernel function calls _sclp_print_early in 64-bit mode
while the content of the upper register half of %r6 is non-zero.
This causes a specification exception on the servc instruction in
_sclp_servc.

The _sclp_print_early function saves and restores the upper registers
halves but it fails to clear them for the 31-bit code of the mini sclp
driver.

Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/s390/kernel/sclp.S | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/arch/s390/kernel/sclp.S b/arch/s390/kernel/sclp.S
index a41f2c99dcc8..a0c4e7652647 100644
--- a/arch/s390/kernel/sclp.S
+++ b/arch/s390/kernel/sclp.S
@@ -277,6 +277,8 @@ ENTRY(_sclp_print_early)

jno .Lesa2
ahi %r15,-80
stmh %r6,%r15,96(%r15) # store upper register halves
+ basr %r13,0
+ lmh %r0,%r15,.Lzeroes-.(%r13) # clear upper register halves
.Lesa2:
#endif
lr %r10,%r2 # save string pointer

@@ -300,6 +302,8 @@ ENTRY(_sclp_print_early)

#endif
lm %r6,%r15,120(%r15) # restore registers
br %r14
+.Lzeroes:
+ .fill 64,4,0

.LwritedataS4:
.long 0x00760005 # SCLP command for write data

Luis Henriques

unread,

Aug 12, 2015, 5:00:10 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit d339727c2b1a10f25e6636670ab6e1841170e328 upstream.

User space can crash kernel with

ip link add ifb10 numtxqueues 100000 type ifb

We must replace a BUG_ON() by proper test and return -EINVAL for
crazy values.

Fixes: 60877a32bce00 ("net: allow large number of tx queues")
Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/core/dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index afa766c453e0..2e616d68a7aa 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6049,7 +6049,8 @@ static int netif_alloc_netdev_queues(struct net_device *dev)
struct netdev_queue *tx;
size_t sz = count * sizeof(*tx);

- BUG_ON(count < 1 || count > 0xffff);
+ if (count < 1 || count > 0xffff)
+ return -EINVAL;

tx = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
if (!tx) {

Luis Henriques

unread,

Aug 12, 2015, 5:00:10 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdma...@suse.com>

commit c3f4a1685bb87e59c886ee68f7967eae07d4dffa upstream.

The free space entries are allocated using kmem_cache_zalloc(),
through __btrfs_add_free_space(), therefore we should use
kmem_cache_free() and not kfree() to avoid any confusion and
any potential problem. Looking at the kfree() definition at
mm/slab.c it has the following comment:

/*
* (...)
*
* Don't free memory not originally allocated by kmalloc()
* or you will run into trouble.
*/

So better be safe and use kmem_cache_free().

Signed-off-by: Filipe Manana <fdma...@suse.com>
Reviewed-by: David Sterba <dst...@suse.cz>
Signed-off-by: Chris Mason <c...@fb.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

fs/btrfs/inode-map.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c
index 888fbe19079f..f25c68d84811 100644
--- a/fs/btrfs/inode-map.c
+++ b/fs/btrfs/inode-map.c
@@ -271,7 +271,7 @@ void btrfs_unpin_free_ino(struct btrfs_root *root)
__btrfs_add_free_space(ctl, info->offset, count);
free:
rb_erase(&info->offset_index, rbroot);
- kfree(info);
+ kmem_cache_free(btrfs_free_space_cachep, info);

Luis Henriques

unread,

Aug 12, 2015, 5:10:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: "Martin K. Petersen" <martin....@oracle.com>

commit f3f5da624e0a891c34d8cd513c57f1d9b0c7dadc upstream.

This fixes a data corruption bug when using discard on top of MD linear,
raid0 and raid10 personalities.

Commit 20d0189b1012 "block: Introduce new bio_split()" permits sharing
the bio_vec between the two resulting bios. That is fine for read/write
requests where the bio_vec is immutable. For discards, however, we need
to be able to attach a payload and update the bio_vec so the page can
get mapped to a scatterlist entry. Therefore the bio_vec can not be
shared when splitting discards and we must do a full clone.

Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Reported-by: Seunguk Shin <seungu...@samsung.com>
Tested-by: Seunguk Shin <seungu...@samsung.com>
Cc: Seunguk Shin <seungu...@samsung.com>
Cc: Jens Axboe <ax...@fb.com>
Cc: Kent Overstreet <kent.ov...@gmail.com>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Signed-off-by: Jens Axboe <ax...@fb.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

block/bio.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/block/bio.c b/block/bio.c
index 0ec61c9e536c..6467e6afdcd9 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1820,8 +1820,9 @@ EXPORT_SYMBOL(bio_endio_nodec);
* Allocates and returns a new bio which represents @sectors from the start of
* @bio, and updates @bio to represent the remaining sectors.
*
- * The newly allocated bio will point to @bio's bi_io_vec; it is the caller's
- * responsibility to ensure that @bio is not freed before the split.
+ * Unless this is a discard request the newly allocated bio will point
+ * to @bio's bi_io_vec; it is the caller's responsibility to ensure that
+ * @bio is not freed before the split.
*/
struct bio *bio_split(struct bio *bio, int sectors,
gfp_t gfp, struct bio_set *bs)
@@ -1831,7 +1832,15 @@ struct bio *bio_split(struct bio *bio, int sectors,
BUG_ON(sectors <= 0);
BUG_ON(sectors >= bio_sectors(bio));

- split = bio_clone_fast(bio, gfp, bs);
+ /*
+ * Discards need a mutable bio_vec to accommodate the payload
+ * required by the DSM TRIM and UNMAP commands.
+ */
+ if (bio->bi_rw & REQ_DISCARD)
+ split = bio_clone_bioset(bio, gfp, bs);
+ else
+ split = bio_clone_fast(bio, gfp, bs);
+
if (!split)
return NULL;

Luis Henriques

unread,

Aug 12, 2015, 5:10:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.c...@de.ibm.com>

commit e47994dd44bcb4a77b4152bd0eada585934703c0 upstream.

The sfpc inline assembly within execve_tail() may incorrectly set bits
28-31 of the sfpc instruction to a value which is not zero.
These bits however are currently unused and therefore should be zero
so we won't get surprised if these bits will be used in the future.

Therefore remove the second operand from the inline assembly.

Signed-off-by: Heiko Carstens <heiko.c...@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwi...@de.ibm.com>
Signed-off-by: Kamal Mostafa <ka...@canonical.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/s390/kernel/process.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
index 93b9ca42e5c0..8a7f7732db1f 100644
--- a/arch/s390/kernel/process.c
+++ b/arch/s390/kernel/process.c
@@ -195,7 +195,7 @@ asmlinkage void execve_tail(void)
{
current->thread.fp_regs.fpc = 0;
if (MACHINE_HAS_IEEE)
- asm volatile("sfpc %0,%0" : : "d" (0));
+ asm volatile("sfpc %0" : : "d" (0));
}

/*

Luis Henriques

unread,

Aug 12, 2015, 5:10:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Tomas Winkler <tomas....@intel.com>

commit 9098f84cced870f54d8c410dd2444cfa61467fa0 upstream.

Enclosing mmc_blk_put() is missing in power_ro_lock_show() sysfs handler,
let's add it.

Fixes: add710eaa886 ("mmc: boot partition ro lock support")
Signed-off-by: Tomas Winkler <tomas....@intel.com>
Signed-off-by: Ulf Hansson <ulf.h...@linaro.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/mmc/card/block.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 7ec3c79852e5..96d2f08a2516 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -205,6 +205,8 @@ static ssize_t power_ro_lock_show(struct device *dev,

ret = snprintf(buf, PAGE_SIZE, "%d\n", locked);

+ mmc_blk_put(md);
+
return ret;

Luis Henriques

unread,

Aug 12, 2015, 5:10:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nik...@cumulusnetworks.com>

commit 7d5cd2ce5292b45e555de776cb9e72975a07460d upstream.

If the bond is enslaving a device with different type it will be setup
by it, but if after being setup the enslave fails the bond doesn't
switch back its type and also keeps pointers to foreign structures that can
be long gone. Thus revert back any type changes if the enslave failed and
the bond had to change its type.
Example:
Before patch:
$ echo lo > bond0/bonding/slaves
-bash: echo: write error: Cannot assign requested address
$ ip l sh bond0
20: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN
mode DEFAULT group default
link/loopback 16:54:78:34:bd:41 brd 00:00:00:00:00:00
$ echo +eth1 > bond0/bonding/slaves
$ ip l sh bond0
20: bond0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode
DEFAULT group default qlen 1000
link/ether 52:54:00:3f:47:69 brd ff:ff:ff:ff:ff:ff
(notice the MASTER flag is gone)

After patch:
$ echo lo > bond0/bonding/slaves
-bash: echo: write error: Cannot assign requested address
$ ip l sh bond0
21: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN
mode DEFAULT group default qlen 1000
link/ether 6e:66:94:f6:07:fc brd ff:ff:ff:ff:ff:ff
$ echo +eth1 > bond0/bonding/slaves
$ ip l sh bond0
21: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN
mode DEFAULT group default qlen 1000
link/ether 52:54:00:3f:47:69 brd ff:ff:ff:ff:ff:ff

Signed-off-by: Nikolay Aleksandrov <nik...@cumulusnetworks.com>
Fixes: e36b9d16c6a6 ("bonding: clean muticast addresses when device changes type")

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/net/bonding/bond_main.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 2a3c843122ce..e7421fa1d103 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1642,9 +1642,16 @@ err_free:

err_undo_flags:
/* Enslave of first slave has failed and we need to fix master's mac */
- if (!bond_has_slaves(bond) &&
- ether_addr_equal_64bits(bond_dev->dev_addr, slave_dev->dev_addr))
- eth_hw_addr_random(bond_dev);
+ if (!bond_has_slaves(bond)) {
+ if (ether_addr_equal_64bits(bond_dev->dev_addr,
+ slave_dev->dev_addr))
+ eth_hw_addr_random(bond_dev);
+ if (bond_dev->type != ARPHRD_ETHER) {
+ ether_setup(bond_dev);
+ bond_dev->flags |= IFF_MASTER;
+ bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+ }
+ }

return res;

Luis Henriques

unread,

Aug 12, 2015, 5:10:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Edward Hyunkoo Jee <ed...@google.com>

commit 0848f6428ba3a2e42db124d41ac6f548655735bf upstream.

When ip_frag_queue() computes positions, it assumes that the passed
sk_buff does not contain L2 headers.

However, when PACKET_FANOUT_FLAG_DEFRAG is used, IP reassembly
functions can be called on outgoing packets that contain L2 headers.

Also, IPv4 checksum is not corrected after reassembly.

Fixes: 7736d33f4262 ("packet: Add pre-defragmentation support for ipv4 fanouts.")
Signed-off-by: Edward Hyunkoo Jee <ed...@google.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Willem de Bruijn <wil...@google.com>
Cc: Jerry Chu <hk...@google.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

[ luis: backported to 3.16: adjusted context ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/ipv4/ip_fragment.c | 7 +++++--

1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 8ff962d15c99..f5dad3f607d9 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -358,7 +358,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
ihl = ip_hdrlen(skb);

/* Determine the position of this fragment. */
- end = offset + skb->len - ihl;
+ end = offset + skb->len - skb_network_offset(skb) - ihl;
err = -EINVAL;

/* Is this the final fragment? */
@@ -388,7 +388,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
goto err;

err = -ENOMEM;
- if (pskb_pull(skb, ihl) == NULL)
+ if (!pskb_pull(skb, skb_network_offset(skb) + ihl))
goto err;

err = pskb_trim_rcsum(skb, end - offset);
@@ -629,6 +629,9 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
iph->frag_off = qp->q.max_size ? htons(IP_DF) : 0;
iph->tot_len = htons(len);
iph->tos |= ecn;
+
+ ip_send_check(iph);
+
IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS);
qp->q.fragments = NULL;
qp->q.fragments_tail = NULL;

unread,

Aug 12, 2015, 5:10:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit 50c2e4dd6749725338621fff456b26d3a592259f upstream.

The > should be >=. I also added spaces around the '-' operations so
the code is a little more consistent and matches the condition better.

Fixes: f53c3fe8dad7 ('xen-netback: Introduce TX grant mapping')
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/net/xen-netback/netback.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index c65b636bcab9..09e4f4ef4eb8 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -1703,13 +1703,13 @@ static inline void xenvif_tx_dealloc_action(struct xenvif_queue *queue)
smp_rmb();

while (dc != dp) {
- BUG_ON(gop - queue->tx_unmap_ops > MAX_PENDING_REQS);
+ BUG_ON(gop - queue->tx_unmap_ops >= MAX_PENDING_REQS);
pending_idx =
queue->dealloc_ring[pending_index(dc++)];

- pending_idx_release[gop-queue->tx_unmap_ops] =
+ pending_idx_release[gop - queue->tx_unmap_ops] =
pending_idx;
- queue->pages_to_unmap[gop-queue->tx_unmap_ops] =
+ queue->pages_to_unmap[gop - queue->tx_unmap_ops] =
queue->mmap_pages[pending_idx];
gnttab_set_unmap_op(gop,
idx_to_kaddr(queue, pending_idx),

Luis Henriques

unread,

Aug 12, 2015, 5:10:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alessio Igor Bogani <alessio...@elettra.eu>

commit 304f0a98d168563b5f69c53a7544c36e6d221ac4 upstream.

The commit 0718e59ae259 ("mmc: sdhci: move FSL ESDHC reset handling quirk into
esdhc code") states that Freescale esdhc is the only controller which needs
the interrupt registers restored after a reset. So it moves
SDHCI_QUIRK_RESTORE_IRQS_AFTER_RESET quirk handling code into the
esdhc-imx driver only. Unfortunately the same controller is used in
other boards which use the of-esdhc driver instead (like powerpc P2020).

Restore interrupts after reset in the sdhci-of-esdhc driver also.

Signed-off-by: Alessio Igor Bogani <alessio...@elettra.eu>
Signed-off-by: Ulf Hansson <ulf.h...@linaro.org>
Cc: Jakub Kicinski <kuba...@wp.pl>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

unread,

Aug 12, 2015, 5:10:10 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <nik...@cumulusnetworks.com>

commit 5ebc784625ea68a9570d1f70557e7932988cd1b4 upstream.

Since the mdb add/del code was introduced there have been 2 br_mdb_notify
calls when doing br_mdb_add() resulting in 2 notifications on each add.

Example:
Command: bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
Before patch:
root@debian:~# bridge monitor all
[MDB]dev br0 port eth1 grp 239.0.0.1 permanent
[MDB]dev br0 port eth1 grp 239.0.0.1 permanent

After patch:
root@debian:~# bridge monitor all
[MDB]dev br0 port eth1 grp 239.0.0.1 permanent

Signed-off-by: Nikolay Aleksandrov <nik...@cumulusnetworks.com>
Fixes: cfd567543590 ("bridge: add support of adding and deleting mdb entries")

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/bridge/br_mdb.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
index 4754f2d32bb3..f426da78054b 100644
--- a/net/bridge/br_mdb.c
+++ b/net/bridge/br_mdb.c
@@ -350,7 +350,6 @@ static int br_mdb_add_group(struct net_bridge *br, struct net_bridge_port *port,
if (state == MDB_TEMPORARY)
mod_timer(&p->timer, now + br->multicast_membership_interval);

- br_mdb_notify(br->dev, port, group, RTM_NEWMDB);
return 0;

Luis Henriques

unread,

Aug 12, 2015, 5:10:12 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jingju Hou <houj...@marvell.com>

commit 9cd76049f0d90ae241f5ad80e311489824527000 upstream.

pdev->dev.platform_data is not initialized if match is true in function
sdhci_pxav3_probe. Just local variable pdata is assigned the return value
from function pxav3_get_mmc_pdata().

static int sdhci_pxav3_probe(struct platform_device *pdev) {

struct sdhci_pxa_platdata *pdata = pdev->dev.platform_data;
...
if (match) {
ret = mmc_of_parse(host->mmc);
if (ret)
goto err_of_parse;
sdhci_get_of_property(pdev);
pdata = pxav3_get_mmc_pdata(dev);
}
...
}

Signed-off-by: Jingju Hou <houj...@marvell.com>
Fixes: b650352dd3df("mmc: sdhci-pxa: Add device tree support")
Signed-off-by: Ulf Hansson <ulf.h...@linaro.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/mmc/host/sdhci-pxav3.c | 1 +

1 file changed, 1 insertion(+)

diff --git a/drivers/mmc/host/sdhci-pxav3.c b/drivers/mmc/host/sdhci-pxav3.c
index 3ceadd11f641..e630970c4f31 100644
--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -360,6 +360,7 @@ static int sdhci_pxav3_probe(struct platform_device *pdev)
goto err_of_parse;
sdhci_get_of_property(pdev);
pdata = pxav3_get_mmc_pdata(dev);
+ pdev->dev.platform_data = pdata;
} else if (pdata) {
/* on-chip device */
if (pdata->flags & PXA_FLAG_CARD_PERMANENT)

Luis Henriques

unread,

Aug 12, 2015, 5:20:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Lu Baolu <baol...@linux.intel.com>

commit 2d2a316765d956bc5cb6bb367b2ec52ca59ab8e9 upstream.

Commit 25cd2882e2fc ("usb/xhci: Change how we indicate a host supports
Link PM.") removed the code to set lpm_capable for USB 3.0 super-speed
root hub. The intention of that change was to avoid touching usb core
internal field, a.k.a. lpm_capable, and let usb core to set it by
checking U1 and U2 exit latency values in the descriptor.

Usb core checks and sets lpm_capable in hub_port_init(). Unfortunately,
root hub is a special usb device as it has no parent. Hub_port_init()
will never be called for a root hub device. That means lpm_capable will
by no means be set for the root hub. As the result, lpm isn't functional
at all in Linux kernel.

This patch add the code to check and set lpm_capable when registering a
root hub device. It could be back-ported to kernels as old as v3.15,
that contains the Commit 25cd2882e2fc ("usb/xhci: Change how we indicate
a host supports Link PM.").

Reported-by: Kevin Strasser <kevin.s...@linux.intel.com>
Signed-off-by: Lu Baolu <baol...@linux.intel.com>
Acked-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/core/hcd.c | 7 +++++--
drivers/usb/core/hub.c | 2 +-
drivers/usb/core/usb.h | 1 +
3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 4195906f94d6..c4dc63ad580a 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -1025,9 +1025,12 @@ static int register_root_hub(struct usb_hcd *hcd)
dev_name(&usb_dev->dev), retval);
return (retval < 0) ? retval : -EMSGSIZE;
}
- if (usb_dev->speed == USB_SPEED_SUPER) {
+
+ if (le16_to_cpu(usb_dev->descriptor.bcdUSB) >= 0x0201) {
retval = usb_get_bos_descriptor(usb_dev);
- if (retval < 0) {
+ if (!retval) {
+ usb_dev->lpm_capable = usb_device_supports_lpm(usb_dev);
+ } else if (usb_dev->speed == USB_SPEED_SUPER) {
mutex_unlock(&usb_bus_list_lock);
dev_dbg(parent_dev, "can't read %s bos descriptor %d\n",
dev_name(&usb_dev->dev), retval);
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index a3ab650a1f72..962fdf5c621b 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -126,7 +126,7 @@ struct usb_hub *usb_hub_to_struct_hub(struct usb_device *hdev)
return usb_get_intfdata(hdev->actconfig->interface[0]);
}

-static int usb_device_supports_lpm(struct usb_device *udev)
+int usb_device_supports_lpm(struct usb_device *udev)
{
/* USB 2.1 (and greater) devices indicate LPM support through
* their USB 2.0 Extended Capabilities BOS descriptor.
diff --git a/drivers/usb/core/usb.h b/drivers/usb/core/usb.h
index d9d08720c386..d7ac1603826b 100644
--- a/drivers/usb/core/usb.h
+++ b/drivers/usb/core/usb.h
@@ -65,6 +65,7 @@ extern int usb_hub_init(void);
extern void usb_hub_cleanup(void);
extern int usb_major_init(void);
extern void usb_major_cleanup(void);
+extern int usb_device_supports_lpm(struct usb_device *udev);

#ifdef CONFIG_PM

Luis Henriques

unread,

Aug 12, 2015, 5:20:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Stefan Agner <ste...@agner.ch>

commit 25b401c1816ae64bcc5dcb1d39ab41812522a0ce upstream.

If a valid power regulator or a dummy regulator is used (which
happens to be the case when no regulator is specified), restart_work
is queued no matter whether the device was running or not at suspend
time. Since work queues get initialized in the ndo_open callback,
resuming leads to a NULL pointer exception.

Reverse exactly the steps executed at suspend time:
- Enable the power regulator in any case
- Enable the transceiver regulator if the device was running, even in
case we have a power regulator
- Queue restart_work only in case the device was running

Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.")
Signed-off-by: Stefan Agner <ste...@agner.ch>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/net/can/spi/mcp251x.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
index 5df239e68812..cc7ee1b6602b 100644
--- a/drivers/net/can/spi/mcp251x.c
+++ b/drivers/net/can/spi/mcp251x.c
@@ -1228,17 +1228,16 @@ static int __maybe_unused mcp251x_can_resume(struct device *dev)
struct spi_device *spi = to_spi_device(dev);
struct mcp251x_priv *priv = spi_get_drvdata(spi);

- if (priv->after_suspend & AFTER_SUSPEND_POWER) {
+ if (priv->after_suspend & AFTER_SUSPEND_POWER)
mcp251x_power_enable(priv->power, 1);
+
+ if (priv->after_suspend & AFTER_SUSPEND_UP) {
+ mcp251x_power_enable(priv->transceiver, 1);
queue_work(priv->wq, &priv->restart_work);
} else {
- if (priv->after_suspend & AFTER_SUSPEND_UP) {
- mcp251x_power_enable(priv->transceiver, 1);
- queue_work(priv->wq, &priv->restart_work);
- } else {
- priv->after_suspend = 0;
- }
+ priv->after_suspend = 0;
}
+
priv->force_quit = 0;
enable_irq(spi->irq);
return 0;

Luis Henriques

unread,

Aug 12, 2015, 5:20:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Subbaraya Sundeep Bhatta <subbaraya.su...@xilinx.com>

commit 76e838c9f7765f9a6205b4d558d75a66104bc60d upstream.

We need to return error to caller if command is not sent to
controller succesfully.

Signed-off-by: Subbaraya Sundeep Bhatta <sbh...@xilinx.com>
Fixes: 72246da40f37 (usb: Introduce DesignWare USB3 DRD Driver)
Signed-off-by: Felipe Balbi <ba...@ti.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/dwc3/gadget.c | 2 ++

1 file changed, 2 insertions(+)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 18d2ffcc462b..8946e34cef63 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -414,6 +414,8 @@ int dwc3_send_gadget_ep_cmd(struct dwc3 *dwc, unsigned ep,
if (!(reg & DWC3_DEPCMD_CMDACT)) {
dev_vdbg(dwc->dev, "Command Complete --> %d\n",
DWC3_DEPCMD_STATUS(reg));
+ if (DWC3_DEPCMD_STATUS(reg))
+ return -EINVAL;

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Tejun Heo <t...@kernel.org>

commit 5f6c2d2b7dbb541c1e922538c49fa04c494ae3d7 upstream.

When a blkcg configuration is targeted to a partition rather than a
whole device, blkg_conf_prep fails with -EINVAL; unfortunately, it
forgets to put the gendisk ref in that case. Fix it.

Signed-off-by: Tejun Heo <t...@kernel.org>
Signed-off-by: Jens Axboe <ax...@fb.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

block/blk-cgroup.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 28d227c5ca77..efc4fa54372a 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -716,8 +716,12 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol,
return -EINVAL;

disk = get_gendisk(MKDEV(major, minor), &part);
- if (!disk || part)
+ if (!disk)
return -EINVAL;
+ if (part) {
+ put_disk(disk);
+ return -EINVAL;
+ }

rcu_read_lock();
spin_lock_irq(disk->queue->queue_lock);

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Denys Vlasenko <dvla...@redhat.com>

commit 0784b36448a2a85b95b6eb21a69b9045c896c065 upstream.

No code changes.

Signed-off-by: Denys Vlasenko <dvla...@redhat.com>
Acked-by: Borislav Petkov <b...@suse.de>
Cc: Alexei Starovoitov <a...@plumgrid.com>
Cc: Andy Lutomirski <lu...@amacapital.net>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Frederic Weisbecker <fwei...@gmail.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Kees Cook <kees...@chromium.org>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Oleg Nesterov <ol...@redhat.com>
Cc: Steven Rostedt <ros...@goodmis.org>
Cc: Will Drewry <w...@chromium.org>
Link: http://lkml.kernel.org/r/1427899858-7165-1-gi...@redhat.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/x86/kernel/entry_64.S | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 94aa18a9cc11..c13aaaac878b 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1423,19 +1423,7 @@ ENTRY(error_exit)
CFI_ENDPROC
END(error_exit)

-/*
- * Test if a given stack is an NMI stack or not.
- */
- .macro test_in_nmi reg stack nmi_ret normal_ret
- cmpq %\reg, \stack
- ja \normal_ret
- subq $EXCEPTION_STKSZ, %\reg
- cmpq %\reg, \stack
- jb \normal_ret
- jmp \nmi_ret
- .endm
-
- /* runs on exception stack */
+/* Runs on exception stack */
ENTRY(nmi)
INTR_FRAME
PARAVIRT_ADJUST_EXCEPTION_FRAME
@@ -1496,8 +1484,18 @@ ENTRY(nmi)
* We check the variable because the first NMI could be in a
* breakpoint routine using a breakpoint stack.
*/
- lea 6*8(%rsp), %rdx
- test_in_nmi rdx, 4*8(%rsp), nested_nmi, first_nmi
+ lea 6*8(%rsp), %rdx
+ /* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */
+ cmpq %rdx, 4*8(%rsp)
+ /* If the stack pointer is above the NMI stack, this is a normal NMI */
+ ja first_nmi
+ subq $EXCEPTION_STKSZ, %rdx
+ cmpq %rdx, 4*8(%rsp)
+ /* If it is below the NMI stack, it is a normal NMI */
+ jb first_nmi
+ /* Ah, it is within the NMI stack, treat it as nested */
+ jmp nested_nmi
+
CFI_REMEMBER_STATE

nested_nmi:

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Simon Guinot <simon....@sequanux.org>

commit a84e32894191cfcbffa54180d78d7d4654d56c20 upstream.

With the actual code, if a memory allocation error happens while
refilling a Rx descriptor, then the original Rx buffer is both passed
to the networking stack (in a SKB) and let in the Rx ring. This leads
to various kernel oops and crashes.

As a fix, this patch moves Rx descriptor refilling ahead of building
SKB with the associated Rx buffer. In case of a memory allocation
failure, data is dropped and the original DMA buffer is put back into
the Rx ring.

Signed-off-by: Simon Guinot <simon....@sequanux.org>
Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
Tested-by: Yoann Sculo <yo...@sculo.fr>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/net/ethernet/marvell/mvneta.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index 807fbdc4b21b..109908574224 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -1433,7 +1433,7 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
struct mvneta_rx_queue *rxq)
{
struct net_device *dev = pp->dev;
- int rx_done, rx_filled;
+ int rx_done;
u32 rcvd_pkts = 0;
u32 rcvd_bytes = 0;

@@ -1444,7 +1444,6 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
rx_todo = rx_done;

rx_done = 0;
- rx_filled = 0;

/* Fairness NAPI loop */
while (rx_done < rx_todo) {
@@ -1455,7 +1454,6 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
int rx_bytes, err;

rx_done++;
- rx_filled++;
rx_status = rx_desc->status;
rx_bytes = rx_desc->data_size - (ETH_FCS_LEN + MVNETA_MH_SIZE);
data = (unsigned char *)rx_desc->buf_cookie;
@@ -1495,6 +1493,14 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
continue;
}

+ /* Refill processing */
+ err = mvneta_rx_refill(pp, rx_desc);
+ if (err) {
+ netdev_err(dev, "Linux processing - Can't refill\n");
+ rxq->missed++;
+ goto err_drop_frame;
+ }
+
skb = build_skb(data, pp->frag_size > PAGE_SIZE ? 0 : pp->frag_size);
if (!skb)
goto err_drop_frame;
@@ -1514,14 +1520,6 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
mvneta_rx_csum(pp, rx_status, skb);

napi_gro_receive(&pp->napi, skb);
-
- /* Refill processing */
- err = mvneta_rx_refill(pp, rx_desc);
- if (err) {
- netdev_err(dev, "Linux processing - Can't refill\n");
- rxq->missed++;
- rx_filled--;
- }
}

if (rcvd_pkts) {
@@ -1534,7 +1532,7 @@ static int mvneta_rx(struct mvneta_port *pp, int rx_todo,
}

/* Update rxq management counters */
- mvneta_rxq_desc_num_update(pp, rxq, rx_done, rx_filled);
+ mvneta_rxq_desc_num_update(pp, rxq, rx_done, rx_done);

return rx_done;

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Denys Vlasenko <dvla...@redhat.com>

commit a30b0085f54efae11f6256df4e4a16af7eefc1c4 upstream.

Jumping to the very next instruction is not very useful:

jmp label
label:

Removing the jump.

Signed-off-by: Denys Vlasenko <dvla...@redhat.com>

Cc: Alexei Starovoitov <a...@plumgrid.com>
Cc: Andy Lutomirski <lu...@amacapital.net>
Cc: Borislav Petkov <b...@alien8.de>

Cc: Brian Gerst <brg...@gmail.com>

Cc: Frederic Weisbecker <fwei...@gmail.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Kees Cook <kees...@chromium.org>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Oleg Nesterov <ol...@redhat.com>
Cc: Steven Rostedt <ros...@goodmis.org>

Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Will Drewry <w...@chromium.org>
Link: http://lkml.kernel.org/r/1428439424-7258-5-gi...@redhat.com

Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/x86/kernel/entry_64.S | 1 -

1 file changed, 1 deletion(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index c13aaaac878b..c0ec84a1890e 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1494,7 +1494,6 @@ ENTRY(nmi)

/* If it is below the NMI stack, it is a normal NMI */

jb first_nmi

/* Ah, it is within the NMI stack, treat it as nested */

- jmp nested_nmi

CFI_REMEMBER_STATE

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: AMAN DEEP <aman...@samsung.com>

commit 3496810663922617d4b706ef2780c279252ddd6a upstream.

virt_dev->num_cached_rings counts on freed ring and is not updated
correctly. In xhci_free_or_cache_endpoint_ring() function, the free ring
is added into cache and then num_rings_cache is incremented as below:
virt_dev->ring_cache[rings_cached] =
virt_dev->eps[ep_index].ring;
virt_dev->num_rings_cached++;
here, free ring pointer is added to a current index and then
index is incremented.
So current index always points to empty location in the ring cache.
For getting available free ring, current index should be decremented
first and then corresponding ring buffer value should be taken from ring
cache.

But In function xhci_endpoint_init(), the num_rings_cached index is
accessed before decrement.
virt_dev->eps[ep_index].new_ring =
virt_dev->ring_cache[virt_dev->num_rings_cached];
virt_dev->ring_cache[virt_dev->num_rings_cached] = NULL;
virt_dev->num_rings_cached--;
This is bug in manipulating the index of ring cache.
And it should be as below:
virt_dev->num_rings_cached--;
virt_dev->eps[ep_index].new_ring =
virt_dev->ring_cache[virt_dev->num_rings_cached];
virt_dev->ring_cache[virt_dev->num_rings_cached] = NULL;

Signed-off-by: Aman Deep <aman...@samsung.com>

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/host/xhci-mem.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 8936211b161d..5c68f227b8bf 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1431,10 +1431,10 @@ int xhci_endpoint_init(struct xhci_hcd *xhci,
/* Attempt to use the ring cache */
if (virt_dev->num_rings_cached == 0)
return -ENOMEM;
+ virt_dev->num_rings_cached--;
virt_dev->eps[ep_index].new_ring =
virt_dev->ring_cache[virt_dev->num_rings_cached];
virt_dev->ring_cache[virt_dev->num_rings_cached] = NULL;
- virt_dev->num_rings_cached--;
xhci_reinit_cached_ring(xhci, virt_dev->eps[ep_index].new_ring,
1, type);

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: John Youn <John...@synopsys.com>

commit aebda618718157a69c0dc0adb978d69bc2b8723c upstream.

This fixes an issue introduced in commit b23c843992b6 (usb: dwc3:
gadget: fix DEPSTARTCFG for non-EP0 EPs) that made sure we would
only use DEPSTARTCFG once per SetConfig.

The trick is that we should use one DEPSTARTCFG per SetConfig *OR*
SetInterface. SetInterface was completely missed from the original
patch.

This problem became aparent after commit 76e838c9f776 (usb: dwc3:
gadget: return error if command sent to DEPCMD register fails)
added checking of the return status of device endpoint commands.

'Set Endpoint Transfer Resource' command was caught failing
occasionally. This is because the Transfer Resource
Index was not getting reset during a SET_INTERFACE request.

Finally, to fix the issue, was we have to do is make sure that
our start_config_issued flag gets reset whenever we receive a
SetInterface request.

To verify the problem (and its fix), all we have to do is run
test 9 from testusb with 'testusb -t 9 -s 2048 -a -c 5000'.

Tested-by: Huang Rui <ray....@amd.com>
Tested-by: Subbaraya Sundeep Bhatta <subbaraya.su...@xilinx.com>
Fixes: b23c843992b6 (usb: dwc3: gadget: fix DEPSTARTCFG for non-EP0 EPs)
Signed-off-by: John Youn <john...@synopsys.com>

Signed-off-by: Felipe Balbi <ba...@ti.com>
[ luis: backported to 3.16:

- replaced dwc3_trace() by dev_vdbg() ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/dwc3/ep0.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
index 0985ff715c0c..bcefce032757 100644
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -707,6 +707,10 @@ static int dwc3_ep0_std_request(struct dwc3 *dwc, struct usb_ctrlrequest *ctrl)
dev_vdbg(dwc->dev, "USB_REQ_SET_ISOCH_DELAY\n");
ret = dwc3_ep0_set_isoch_delay(dwc, ctrl);
break;
+ case USB_REQ_SET_INTERFACE:
+ dev_vdbg(dwc->dev, "USB_REQ_SET_INTERFACE");
+ dwc->start_config_issued = false;
+ /* Fall through */
default:
dev_vdbg(dwc->dev, "Forwarding to gadget driver\n");
ret = dwc3_ep0_delegate_req(dwc, ctrl);

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.com>

commit 5fb2c782f451a4fb9c19c076e2c442839faf0f76 upstream.

This device automatically switches itself to another mode (0x1405)
unless the specific access pattern of Windows is followed in its
initial mode. That makes a dirty unmount of the internal storage
devices inevitable if they are mounted. So the card reader of
such a device should be ignored, lest an unclean removal become
inevitable.

This replaces an earlier patch that ignored all LUNs of this device.
That patch was overly broad.

Signed-off-by: Oliver Neukum <one...@suse.com>
Reviewed-by: Lars Melin <lar...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/storage/unusual_devs.h | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
index 1b79286e385a..092de140ef1e 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -2046,6 +2046,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0200,
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_READ_DISC_INFO ),

+/* Reported by Oliver Neukum <one...@suse.com>
+ * This device morphes spontaneously into another device if the access
+ * pattern of Windows isn't followed. Thus writable media would be dirty
+ * if the initial instance is used. So the device is limited to its
+ * virtual CD.
+ * And yes, the concept that BCD goes up to 9 is not heeded */
+UNUSUAL_DEV( 0x19d2, 0x1225, 0x0000, 0xffff,
+ "ZTE,Incorporated",
+ "ZTE WCDMA Technologies MSM",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_SINGLE_LUN ),
+
/* Reported by Sven Geggus <sven-...@geggus.net>
* This encrypted pen drive returns bogus data for the initial READ(10).
*/

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Brian Campbell <ba...@z273.org.uk>

commit 326124a027abc9a7f43f72dc94f6f0f7a55b02b3 upstream.

When resetting a device the number of active TTs may need to be
corrected by xhci_update_tt_active_eps, but the number of old active
endpoints supplied to it was always zero, so the number of TTs and the
bandwidth reserved for them was not updated, and could rise
unnecessarily.

This affected systems using Intel's Patherpoint chipset, which rely on
software bandwidth checking. For example, a Lenovo X230 would lose the
ability to use ports on the docking station after enough suspend/resume
cycles because the bandwidth calculated would rise with every cycle when
a suitable device is attached.

The correct number of active endpoints is calculated in the same way as
in xhci_reserve_bandwidth.

Signed-off-by: Brian Campbell <ba...@z273.org.uk>
Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/host/xhci.c | 3 +++

1 file changed, 3 insertions(+)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index b61913116fe2..7ce24229e863 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3466,6 +3466,9 @@ int xhci_discover_or_reset_device(struct usb_hcd *hcd, struct usb_device *udev)
return -EINVAL;
}

+ if (virt_dev->tt_info)
+ old_active_eps = virt_dev->tt_info->active_eps;
+
if (virt_dev->udev != udev) {
/* If the virt_dev and the udev does not match, this virt_dev
* may belong to another udev.

Luis Henriques

unread,

Aug 12, 2015, 5:20:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: "Martin K. Petersen" <martin....@oracle.com>

commit 9051bd393cf25e76dfb45409792719a854661500 upstream.

A new Micron drive was just announced, once again recycling the first
part of the model string. Add an underscore to the M510/M550 pattern to
avoid picking up the new DC drive.

Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Tejun Heo <t...@kernel.org>

[ luis: backported to 3.16: adjusted context ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/ata/libata-core.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index a3593aef073a..c9707bcf430c 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4227,7 +4227,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
/* devices that don't properly handle queued TRIM commands */
{ "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Crucial_CT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
- { "Micron_M5[15]0*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
+ { "Micron_M5[15]0_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Crucial_CT*M550*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },

Luis Henriques

unread,

Aug 12, 2015, 5:20:09 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 7d8021c967648accd1b78e5e1ddaad655cd2c61f upstream.

This patch fixes a bug introduced by commit 977dcfdc6031 ("USB: OHCI:
don't lose track of EDs when a controller dies"). The commit changed
ed_state from ED_UNLINK to ED_IDLE too early, before finish_urb() had
been called. The user-visible consequence is that the driver
occasionally crashes or locks up when an URB is submitted while
another URB for the same endpoint is being unlinked.

This patch moves the ED state change later, to the right place. The
drawback is that now we may unnecessarily execute some instructions
multiple times when a controller dies. Since controllers dying is an
exceptional occurrence, a little wasted time won't matter.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Reported-by: Heiko Przybyl <lil...@web.de>
Tested-by: Heiko Przybyl <lil...@web.de>
Fixes: 977dcfdc60311e7aa571cabf6f39c36dde13339e
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

unread,

Aug 12, 2015, 5:20:10 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Chris Wilson <ch...@chris-wilson.co.uk>

commit 648a9bc5308d952f2c80772301b339f73026f013 upstream.

Since the hardware sometimes mysteriously totally flummoxes the 64bit
read of a 64bit register when read using a single instruction, split the
read into two instructions. Since the read here is of automatically
incrementing timestamp counters, we also have to be very careful in
order to make sure that it does not increment between the two
instructions.

However, since userspace tried to workaround this issue and so enshrined
this ABI for a broken hardware read and in the process neglected that
the read only fails in some environments, we have to introduce a new
uABI flag for userspace to request the 2x32 bit accurate read of the
timestamp.

v2: Fix alignment check and include details of the workaround for
userspace.

Reported-by: Karol Herbst <freed...@karolherbst.de>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91317
Testcase: igt/gem_reg_read
Signed-off-by: Chris Wilson <ch...@chris-wilson.co.uk>
Cc: Michał Winiarski <michal.w...@intel.com>
Tested-by: Michał Winiarski <michal.w...@intel.com>
Signed-off-by: Daniel Vetter <daniel...@ffwll.ch>

[ luis: backported to 3.16: adjusted context ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/gpu/drm/i915/intel_uncore.c | 26 +++++++++++++++++++-------
include/uapi/drm/i915_drm.h | 8 ++++++++
2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/i915/intel_uncore.c b/drivers/gpu/drm/i915/intel_uncore.c
index 28ac6156ec1d..5334c770714b 100644
--- a/drivers/gpu/drm/i915/intel_uncore.c
+++ b/drivers/gpu/drm/i915/intel_uncore.c
@@ -863,10 +863,12 @@ int i915_reg_read_ioctl(struct drm_device *dev,
struct drm_i915_private *dev_priv = dev->dev_private;
struct drm_i915_reg_read *reg = data;
struct register_whitelist const *entry = whitelist;
+ unsigned size;
+ u64 offset;
int i, ret = 0;

for (i = 0; i < ARRAY_SIZE(whitelist); i++, entry++) {
- if (entry->offset == reg->offset &&
+ if (entry->offset == (reg->offset & -entry->size) &&
(1 << INTEL_INFO(dev)->gen & entry->gen_bitmask))
break;
}
@@ -874,23 +876,33 @@ int i915_reg_read_ioctl(struct drm_device *dev,
if (i == ARRAY_SIZE(whitelist))
return -EINVAL;

+ /* We use the low bits to encode extra flags as the register should
+ * be naturally aligned (and those that are not so aligned merely
+ * limit the available flags for that register).
+ */
+ offset = entry->offset;
+ size = entry->size;
+ size |= reg->offset ^ offset;
+
intel_runtime_pm_get(dev_priv);

- switch (entry->size) {
+ switch (size) {
+ case 8 | 1:
+ reg->val = I915_READ64_2x32(offset, offset+4);
+ break;
case 8:
- reg->val = I915_READ64(reg->offset);
+ reg->val = I915_READ64(offset);
break;
case 4:
- reg->val = I915_READ(reg->offset);
+ reg->val = I915_READ(offset);
break;
case 2:
- reg->val = I915_READ16(reg->offset);
+ reg->val = I915_READ16(offset);
break;
case 1:
- reg->val = I915_READ8(reg->offset);
+ reg->val = I915_READ8(offset);
break;
default:
- WARN_ON(1);
ret = -EINVAL;
goto out;
}
diff --git a/include/uapi/drm/i915_drm.h b/include/uapi/drm/i915_drm.h
index ff57f07c3249..86a07d6ece9c 100644
--- a/include/uapi/drm/i915_drm.h
+++ b/include/uapi/drm/i915_drm.h
@@ -1035,6 +1035,14 @@ struct drm_i915_reg_read {
__u64 offset;
__u64 val; /* Return value */
};
+/* Known registers:
+ *
+ * Render engine timestamp - 0x2358 + 64bit - gen7+
+ * - Note this register returns an invalid value if using the default
+ * single instruction 8byte read, in order to workaround that use
+ * offset (0x2538 | 1) instead.
+ *
+ */

struct drm_i915_reset_stats {
__u32 ctx_id;

Luis Henriques

unread,

Aug 12, 2015, 5:20:10 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Zhuang Jin Can <jin.can...@intel.com>

commit 243292a2ad3dc365849b820a64868927168894ac upstream.

xhci_hub_report_usb3_link_state() returns pls as U0 when the link
is in resume state, and this causes usb core to think the link is in
U0 while actually it's in resume state. When usb core transfers
control request on the link, it fails with TRB error as the link
is not ready for transfer.

To fix the issue, report U3 when the link is in resume state, thus
usb core knows the link it's not ready for transfer.

Signed-off-by: Zhuang Jin Can <jin.can...@intel.com>

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/host/xhci-hub.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index 8c21c3bcd59b..c3e187ef925d 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -477,10 +477,13 @@ static void xhci_hub_report_usb3_link_state(struct xhci_hcd *xhci,
u32 pls = status_reg & PORT_PLS_MASK;

/* resume state is a xHCI internal state.
- * Do not report it to usb core.
+ * Do not report it to usb core, instead, pretend to be U3,
+ * thus usb core knows it's not ready for transfer
*/
- if (pls == XDEV_RESUME)
+ if (pls == XDEV_RESUME) {
+ *status |= USB_SS_PORT_LS_U3;
return;
+ }

/* When the CAS bit is set then warm reset
* should be performed on port

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit 8f5063e97f393d49611151d3cf7dcbeb41397f12 upstream.

port_index is used an index into an array, and this information comes
from Device Tree, make sure that port_index is not equal to the array
size before using it. Move the check against port_index earlier in the
loop.

Fixes: 5e95329b701c: ("dsa: add device tree bindings to register DSA switches")
Reported-by: Dan Carpenter <dan.ca...@oracle.com>
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/dsa/dsa.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index 5db37cef50a9..d3ca32dc167f 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -427,6 +427,8 @@ static int dsa_of_probe(struct platform_device *pdev)
continue;

port_index = be32_to_cpup(port_reg);
+ if (port_index >= DSA_MAX_PORTS)
+ break;

port_name = of_get_property(port, "label", NULL);
if (!port_name)
@@ -449,8 +451,6 @@ static int dsa_of_probe(struct platform_device *pdev)
goto out_free_chip;
}

- if (port_index == DSA_MAX_PORTS)
- break;

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Mimi Zohar <zo...@linux.vnet.ibm.com>

commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.

To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled. As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.

Some LSMs defer file labeling on pseudo filesystems. This patch
permits the labeling of existing files on pseudo files systems.

Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
[ luis: backported to 3.16:
- added magic.h header file ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

security/integrity/evm/evm_main.c | 12 ++++++++++++

1 file changed, 12 insertions(+)

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 970772c731ff..41f32259437c 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -22,6 +22,7 @@
#include <linux/xattr.h>
#include <linux/integrity.h>
#include <linux/evm.h>
+#include <linux/magic.h>
#include <crypto/hash.h>
#include "evm.h"

@@ -290,6 +291,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
iint = integrity_iint_find(dentry->d_inode);
if (iint && (iint->flags & IMA_NEW_FILE))
return 0;
+
+ /* exception for pseudo filesystems */
+ if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+ || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+ return 0;
+
+ integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+ dentry->d_inode, dentry->d_name.name,
+ "update_metadata",
+ integrity_status_msg[evm_status],
+ -EPERM, 0);
}
out:
if (evm_status != INTEGRITY_PASS)

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Angga <Hermin.An...@alliedtelesis.co.nz>

commit 4c938d22c88a9ddccc8c55a85e0430e9c62b1ac5 upstream.

Before commit daad151263cf ("ipv6: Make ipv6_is_mld() inline and use it
from ip6_mc_input().") MLD packets were only processed locally. After the
change, a copy of MLD packet goes through ip6_mr_input, causing
MRT6MSG_NOCACHE message to be generated to user space.

Make MLD packet only processed locally.

Fixes: daad151263cf ("ipv6: Make ipv6_is_mld() inline and use it from ip6_mc_input().")
Signed-off-by: Hermin Anggawijaya <hermin.an...@alliedtelesis.co.nz>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/ipv6/ip6_input.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 51d54dc376f3..05c94d9c3776 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -329,10 +329,10 @@ int ip6_mc_input(struct sk_buff *skb)
if (offset < 0)
goto out;

- if (!ipv6_is_mld(skb, nexthdr, offset))
- goto out;
+ if (ipv6_is_mld(skb, nexthdr, offset))
+ deliver = true;

- deliver = true;
+ goto out;
}
/* unknown RA - process it normally */

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <lu...@kernel.org>

commit 810bc075f78ff2c221536eb3008eac6a492dba2d upstream.

We have a tricky bug in the nested NMI code: if we see RSP
pointing to the NMI stack on NMI entry from kernel mode, we
assume that we are executing a nested NMI.

This isn't quite true. A malicious userspace program can point
RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
happen while RSP is still pointing at the NMI stack.

Fix it with a sneaky trick. Set DF in the region of code that
the RSP check is intended to detect. IRET will clear DF
atomically.

( Note: other than paravirt, there's little need for all this
complexity. We could check RIP instead of RSP. )

Signed-off-by: Andy Lutomirski <lu...@kernel.org>
Reviewed-by: Steven Rostedt <ros...@goodmis.org>
Cc: Borislav Petkov <b...@suse.de>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Signed-off-by: Ingo Molnar <mi...@kernel.org>
[bwh: Backported to 4.0: adjust filename, context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
[ luis: backported to 3.16: Used Ben's backport to 4.0 ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/x86/kernel/entry_64.S | 29 +++++++++++++++++++++++++----
1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 8a6866b2f2a6..79565bd80cc2 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1613,7 +1613,14 @@ ENTRY(nmi)
/*
* Now test if the previous stack was an NMI stack. This covers
* the case where we interrupt an outer NMI after it clears
- * "NMI executing" but before IRET.
+ * "NMI executing" but before IRET. We need to be careful, though:
+ * there is one case in which RSP could point to the NMI stack
+ * despite there being no NMI active: naughty userspace controls
+ * RSP at the very beginning of the SYSCALL targets. We can
+ * pull a fast one on naughty userspace, though: we program
+ * SYSCALL to mask DF, so userspace cannot cause DF to be set
+ * if it controls the kernel's RSP. We set DF before we clear
+ * "NMI executing".
*/
lea 6*8(%rsp), %rdx

/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */

@@ -1624,10 +1631,16 @@ ENTRY(nmi)
cmpq %rdx, 4*8(%rsp)

/* If it is below the NMI stack, it is a normal NMI */
jb first_nmi

- /* Ah, it is within the NMI stack, treat it as nested */
+
+ /* Ah, it is within the NMI stack. */
+
+ testb $(X86_EFLAGS_DF >> 8), (3*8 + 1)(%rsp)
+ jz first_nmi /* RSP was user controlled. */

CFI_REMEMBER_STATE

+ /* This is a nested NMI. */
+
nested_nmi:
/*
* Modify the "iret" frame to point to repeat_nmi, forcing another
@@ -1739,8 +1752,16 @@ nmi_restore:

RESTORE_ALL 6*8

- /* Clear "NMI executing". */
- movq $0, 5*8(%rsp)
+ /*
+ * Clear "NMI executing". Set DF first so that we can easily
+ * distinguish the remaining code between here and IRET from
+ * the SYSCALL entry and exit paths. On a native kernel, we
+ * could just inspect RIP, but, on paravirt kernels,
+ * INTERRUPT_RETURN can translate into a jump into a
+ * hypercall page.
+ */
+ std
+ movq $0, 5*8(%rsp) /* clear "NMI executing" */

/*
* INTERRUPT_RETURN reads the "iret" frame and exits the NMI

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <vi...@zeniv.linux.org.uk>

commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.

unfortunately, allowing an arbitrary 16bit value means a possibility of
overflow in the calculation of total number of pages in bio_map_user_iov() -
we rely on there being no more than PAGE_SIZE members of sum in the
first loop there. If that sum wraps around, we end up allocating
too small array of pointers to pages and it's easy to overflow it in
the second loop.

X-Coverup: TINC (and there's no lumber cartel either)
Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>
[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
that function.]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/scsi/sg.c | 3 +++

1 file changed, 3 insertions(+)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 791460b798f4..2aa95c89b5bf 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1693,6 +1693,9 @@ static int sg_start_req(Sg_request *srp, unsigned char *cmd)
md->from_user = 0;
}

+ if (unlikely(iov_count > UIO_MAXIOV))
+ return -EINVAL;
+
if (iov_count) {
int len, size = sizeof(struct sg_iovec) * iov_count;
struct iovec *iov;

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: "Kirill A. Shutemov" <kirill....@linux.intel.com>

commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d upstream.

Reading page fault handler code I've noticed that under right
circumstances kernel would map anonymous pages into file mappings: if
the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
on ->mmap(), kernel would handle page fault to not populated pte with
do_anonymous_page().

Let's change page fault handler to use do_anonymous_page() only on
anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
shared.

For file mappings without vm_ops->fault() or shred VMA without vm_ops,
page fault on pte_none() entry would lead to SIGBUS.

Signed-off-by: Kirill A. Shutemov <kirill....@linux.intel.com>
Acked-by: Oleg Nesterov <ol...@redhat.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
Cc: Willy Tarreau <w...@1wt.eu>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[ luis: backported to 3.16: used Kirill's backport to 3.18 ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

mm/memory.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c
index e7ae35a5ffeb..4e03447b1ef2 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2637,6 +2637,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,

pte_unmap(page_table);

+ /* File mapping without ->vm_ops ? */
+ if (vma->vm_flags & VM_SHARED)
+ return VM_FAULT_SIGBUS;
+
/* Check if we need to add a guard page to the stack */
if (check_stack_guard_page(vma, address) < 0)
return VM_FAULT_SIGSEGV;
@@ -3031,6 +3035,9 @@ static int do_linear_fault(struct mm_struct *mm, struct vm_area_struct *vma,
- vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;

pte_unmap(page_table);
+ /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
+ if (!vma->vm_ops->fault)
+ return VM_FAULT_SIGBUS;
if (!(flags & FAULT_FLAG_WRITE))
return do_read_fault(mm, vma, address, pmd, pgoff, flags,
orig_pte);
@@ -3191,11 +3198,10 @@ static int handle_pte_fault(struct mm_struct *mm,
entry = *pte;
if (!pte_present(entry)) {
if (pte_none(entry)) {
- if (vma->vm_ops) {
- if (likely(vma->vm_ops->fault))
- return do_linear_fault(mm, vma, address,
+ if (vma->vm_ops)
+ return do_linear_fault(mm, vma, address,
pte, pmd, flags, entry);
- }
+
return do_anonymous_page(mm, vma, address,
pte, pmd, flags);

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Aleksei Mamlin <maml...@gmail.com>

commit 08c85d2a599d967ede38a847f5594447b6100642 upstream.

Enabling AA on HP 250GB SATA disk VB0250EAVER causes errors:

[ 3.788362] ata3.00: failed to enable AA (error_mask=0x1)
[ 3.789243] ata3.00: failed to enable AA (error_mask=0x1)

Add the ATA_HORKAGE_BROKEN_FPDMA_AA for this specific harddisk.

tj: Collected FPDMA_AA entries and updated comment.

Signed-off-by: Aleksei Mamlin <maml...@gmail.com>
Signed-off-by: Tejun Heo <t...@kernel.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/ata/libata-core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index a554b2e17cd4..ef37e80fe9d5 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4173,9 +4173,10 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
{ "ST3320[68]13AS", "SD1[5-9]", ATA_HORKAGE_NONCQ |
ATA_HORKAGE_FIRMWARE_WARN },

- /* Seagate Momentus SpinPoint M8 seem to have FPMDA_AA issues */
+ /* drives which fail FPDMA_AA activation (some may freeze afterwards) */
{ "ST1000LM024 HN-M101MBB", "2AR10001", ATA_HORKAGE_BROKEN_FPDMA_AA },
{ "ST1000LM024 HN-M101MBB", "2BA30001", ATA_HORKAGE_BROKEN_FPDMA_AA },
+ { "VB0250EAVER", "HPG7", ATA_HORKAGE_BROKEN_FPDMA_AA },

/* Blacklist entries taken from Silicon Image 3124/3132
Windows driver .inf file - also several Linux problem reports */

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo....@iki.fi>

commit fc24f2b2094366da8786f59f2606307e934cea17 upstream.

Frag needed should be sent only if the inner header asked
to not fragment. Currently fragmentation is broken if the
tunnel has df set, but df was not asked in the original
packet. The tunnel's df needs to be still checked to update
internally the pmtu cache.

Commit 23a3647bc4f93bac broke it, and this commit fixes
the ipv4 df check back to the way it was.

Fixes: 23a3647bc4f93bac ("ip_tunnels: Use skb-len to PMTU check.")
Cc: Pravin B Shelar <psh...@nicira.com>
Signed-off-by: Timo Teräs <timo....@iki.fi>
Acked-by: Pravin B Shelar <psh...@nicira.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/ipv4/ip_tunnel.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 6c2719373bc5..51dd1605f944 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -488,7 +488,8 @@ drop:
EXPORT_SYMBOL_GPL(ip_tunnel_rcv);

static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb,
- struct rtable *rt, __be16 df)
+ struct rtable *rt, __be16 df,
+ const struct iphdr *inner_iph)
{
struct ip_tunnel *tunnel = netdev_priv(dev);
int pkt_size = skb->len - tunnel->hlen - dev->hard_header_len;
@@ -505,7 +506,8 @@ static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb,

if (skb->protocol == htons(ETH_P_IP)) {
if (!skb_is_gso(skb) &&
- (df & htons(IP_DF)) && mtu < pkt_size) {
+ (inner_iph->frag_off & htons(IP_DF)) &&
+ mtu < pkt_size) {
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
return -E2BIG;
@@ -636,7 +638,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
goto tx_error;
}

- if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off)) {
+ if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off, inner_iph)) {
ip_rt_put(rt);
goto tx_error;

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Lior Amsalem <al...@marvell.com>

commit 945b47441d83d2392ac9f984e0267ad521f24268 upstream.

This commit adds the necessary quirk to make the Marvell 4140 SATA PMP
work properly. This PMP doesn't like SRST on port number 4 (the host
port) so this commit marks this port as not supporting SRST.

Signed-off-by: Lior Amsalem <al...@marvell.com>
Reviewed-by: Nadav Haklai <nad...@marvell.com>
Signed-off-by: Thomas Petazzoni <thomas.p...@free-electrons.com>
Signed-off-by: Tejun Heo <t...@kernel.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/ata/libata-pmp.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c
index 7ccc084bf1df..85aa76116a30 100644
--- a/drivers/ata/libata-pmp.c
+++ b/drivers/ata/libata-pmp.c
@@ -460,6 +460,13 @@ static void sata_pmp_quirks(struct ata_port *ap)
ATA_LFLAG_NO_SRST |
ATA_LFLAG_ASSUME_ATA;
}
+ } else if (vendor == 0x11ab && devid == 0x4140) {
+ /* Marvell 4140 quirks */
+ ata_for_each_link(link, ap, EDGE) {
+ /* port 4 is for SEMB device and it doesn't like SRST */
+ if (link->pmp == 4)
+ link->flags |= ATA_LFLAG_DISABLED;
+ }

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyp...@samsung.com>

commit 462859aa7bbe1ac83ec4377a0a06fe60778f3f27 upstream.

nr_bitmaps member of mapping structure stores the number of already
allocated bitmaps and it is interpreted as loop iterator (it starts from
0 not from 1), so a comparison against number of possible bitmap
extensions should include this fact. This patch fixes this by changing
the extension failure condition. This issue has been introduced by
commit 4d852ef8c2544ce21ae41414099a7504c61164a0 ("arm: dma-mapping: Add
support to extend DMA IOMMU mappings").

Reported-by: Hyungwon Hwang <human...@samsung.com>
Signed-off-by: Marek Szyprowski <m.szyp...@samsung.com>
Reviewed-by: Hyungwon Hwang <human...@samsung.com>
Signed-off-by: Russell King <rmk+k...@arm.linux.org.uk>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/arm/mm/dma-mapping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index 1f88db06b133..0e09af35f69a 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -2013,7 +2013,7 @@ static int extend_iommu_mapping(struct dma_iommu_mapping *mapping)
{
int next_bitmap;

- if (mapping->nr_bitmaps > mapping->extensions)
+ if (mapping->nr_bitmaps >= mapping->extensions)
return -EINVAL;

next_bitmap = mapping->nr_bitmaps;

Luis Henriques

unread,

Aug 12, 2015, 5:30:06 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 3f2cee73b650921b2e214bf487b2061a1c266504 upstream.

The usbfs API has a peculiar hole: Users are not allowed to reap their
URBs after the device has been disconnected. There doesn't seem to be
any good reason for this; it is an ad-hoc inconsistency.

The patch allows users to issue the USBDEVFS_REAPURB and
USBDEVFS_REAPURBNDELAY ioctls (together with their 32-bit counterparts
on 64-bit systems) even after the device is gone. If no URBs are
pending for a disconnected device then the ioctls will return -ENODEV
rather than -EAGAIN, because obviously no new URBs will ever be able
to complete.

The patch also adds a new capability flag for
USBDEVFS_GET_CAPABILITIES to indicate that the reap-after-disconnect
feature is supported.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Tested-by: Chris Dickens <christophe...@gmail.com>
Acked-by: Hans de Goede <hdeg...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gr...@kroah.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/usb/core/devio.c | 63 +++++++++++++++++++++++----------------
include/uapi/linux/usbdevice_fs.h | 3 +-
2 files changed, 39 insertions(+), 27 deletions(-)

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index fae81924fd4b..a85eadff6bea 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1690,7 +1690,7 @@ static struct async *reap_as(struct usb_dev_state *ps)
for (;;) {
__set_current_state(TASK_INTERRUPTIBLE);
as = async_getcompleted(ps);
- if (as)
+ if (as || !connected(ps))
break;
if (signal_pending(current))
break;
@@ -1713,7 +1713,7 @@ static int proc_reapurb(struct usb_dev_state *ps, void __user *arg)
}
if (signal_pending(current))
return -EINTR;
- return -EIO;
+ return -ENODEV;
}

static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
@@ -1722,10 +1722,11 @@ static int proc_reapurbnonblock(struct usb_dev_state *ps, void __user *arg)
struct async *as;

as = async_getcompleted(ps);
- retval = -EAGAIN;
if (as) {
retval = processcompl(as, (void __user * __user *)arg);
free_async(as);
+ } else {
+ retval = (connected(ps) ? -EAGAIN : -ENODEV);
}
return retval;
}
@@ -1855,7 +1856,7 @@ static int proc_reapurb_compat(struct usb_dev_state *ps, void __user *arg)
}
if (signal_pending(current))
return -EINTR;
- return -EIO;
+ return -ENODEV;
}

static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *arg)
@@ -1863,11 +1864,12 @@ static int proc_reapurbnonblock_compat(struct usb_dev_state *ps, void __user *ar
int retval;
struct async *as;

- retval = -EAGAIN;
as = async_getcompleted(ps);
if (as) {
retval = processcompl_compat(as, (void __user * __user *)arg);
free_async(as);
+ } else {
+ retval = (connected(ps) ? -EAGAIN : -ENODEV);
}
return retval;
}
@@ -2039,7 +2041,8 @@ static int proc_get_capabilities(struct usb_dev_state *ps, void __user *arg)
{
__u32 caps;

- caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM;
+ caps = USBDEVFS_CAP_ZERO_PACKET | USBDEVFS_CAP_NO_PACKET_SIZE_LIM |
+ USBDEVFS_CAP_REAP_AFTER_DISCONNECT;
if (!ps->dev->bus->no_stop_on_short)
caps |= USBDEVFS_CAP_BULK_CONTINUATION;
if (ps->dev->bus->sg_tablesize)
@@ -2139,6 +2142,32 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
return -EPERM;

usb_lock_device(dev);
+
+ /* Reap operations are allowed even after disconnection */
+ switch (cmd) {
+ case USBDEVFS_REAPURB:
+ snoop(&dev->dev, "%s: REAPURB\n", __func__);
+ ret = proc_reapurb(ps, p);
+ goto done;
+
+ case USBDEVFS_REAPURBNDELAY:
+ snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
+ ret = proc_reapurbnonblock(ps, p);
+ goto done;
+
+#ifdef CONFIG_COMPAT
+ case USBDEVFS_REAPURB32:
+ snoop(&dev->dev, "%s: REAPURB32\n", __func__);
+ ret = proc_reapurb_compat(ps, p);
+ goto done;
+
+ case USBDEVFS_REAPURBNDELAY32:
+ snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
+ ret = proc_reapurbnonblock_compat(ps, p);
+ goto done;
+#endif
+ }
+
if (!connected(ps)) {
usb_unlock_device(dev);
return -ENODEV;
@@ -2232,16 +2261,6 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
inode->i_mtime = CURRENT_TIME;
break;

- case USBDEVFS_REAPURB32:
- snoop(&dev->dev, "%s: REAPURB32\n", __func__);
- ret = proc_reapurb_compat(ps, p);
- break;
-
- case USBDEVFS_REAPURBNDELAY32:
- snoop(&dev->dev, "%s: REAPURBNDELAY32\n", __func__);
- ret = proc_reapurbnonblock_compat(ps, p);
- break;
-
case USBDEVFS_IOCTL32:
snoop(&dev->dev, "%s: IOCTL32\n", __func__);
ret = proc_ioctl_compat(ps, ptr_to_compat(p));
@@ -2253,16 +2272,6 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
ret = proc_unlinkurb(ps, p);
break;

- case USBDEVFS_REAPURB:
- snoop(&dev->dev, "%s: REAPURB\n", __func__);
- ret = proc_reapurb(ps, p);
- break;
-
- case USBDEVFS_REAPURBNDELAY:
- snoop(&dev->dev, "%s: REAPURBNDELAY\n", __func__);
- ret = proc_reapurbnonblock(ps, p);
- break;
-
case USBDEVFS_DISCSIGNAL:
snoop(&dev->dev, "%s: DISCSIGNAL\n", __func__);
ret = proc_disconnectsignal(ps, p);
@@ -2305,6 +2314,8 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
ret = proc_free_streams(ps, p);
break;
}
+
+ done:
usb_unlock_device(dev);
if (ret >= 0)
inode->i_atime = CURRENT_TIME;
diff --git a/include/uapi/linux/usbdevice_fs.h b/include/uapi/linux/usbdevice_fs.h
index abe5f4bd4d82..019ba1e0799a 100644
--- a/include/uapi/linux/usbdevice_fs.h
+++ b/include/uapi/linux/usbdevice_fs.h
@@ -128,11 +128,12 @@ struct usbdevfs_hub_portinfo {
char port [127]; /* e.g. port 3 connects to device 27 */
};

-/* Device capability flags */
+/* System and bus capability flags */
#define USBDEVFS_CAP_ZERO_PACKET 0x01
#define USBDEVFS_CAP_BULK_CONTINUATION 0x02
#define USBDEVFS_CAP_NO_PACKET_SIZE_LIM 0x04
#define USBDEVFS_CAP_BULK_SCATTER_GATHER 0x08
+#define USBDEVFS_CAP_REAP_AFTER_DISCONNECT 0x10

/* USBDEVFS_DISCONNECT_CLAIM flags & struct */

Luis Henriques

unread,

Aug 12, 2015, 5:30:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <lu...@kernel.org>

commit 0b22930ebad563ae97ff3f8d7b9f12060b4c6e6b upstream.

I found the nested NMI documentation to be difficult to follow.
Improve the comments.

Signed-off-by: Andy Lutomirski <lu...@kernel.org>
Reviewed-by: Steven Rostedt <ros...@goodmis.org>
Cc: Borislav Petkov <b...@suse.de>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Signed-off-by: Ingo Molnar <mi...@kernel.org>
[bwh: Backported to 4.0: adjust filename, context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
[ luis: backported to 3.16: Used Ben's backport to 4.0 ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/x86/kernel/entry_64.S | 159 ++++++++++++++++++++++++++-------------------
arch/x86/kernel/nmi.c | 4 +-
2 files changed, 93 insertions(+), 70 deletions(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index b39f3401f6d5..0fdb80df2cac 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1444,11 +1444,12 @@ ENTRY(nmi)
* If the variable is not set and the stack is not the NMI
* stack then:
* o Set the special variable on the stack
- * o Copy the interrupt frame into a "saved" location on the stack
- * o Copy the interrupt frame into a "copy" location on the stack
+ * o Copy the interrupt frame into an "outermost" location on the
+ * stack
+ * o Copy the interrupt frame into an "iret" location on the stack
* o Continue processing the NMI
* If the variable is set or the previous stack is the NMI stack:
- * o Modify the "copy" location to jump to the repeate_nmi
+ * o Modify the "iret" location to jump to the repeat_nmi
* o return back to the first NMI
*
* Now on exit of the first NMI, we first clear the stack variable
@@ -1542,18 +1543,60 @@ ENTRY(nmi)

.Lnmi_from_kernel:
/*
- * Check the special variable on the stack to see if NMIs are
- * executing.
+ * Here's what our stack frame will look like:
+ * +---------------------------------------------------------+
+ * | original SS |
+ * | original Return RSP |
+ * | original RFLAGS |
+ * | original CS |
+ * | original RIP |
+ * +---------------------------------------------------------+
+ * | temp storage for rdx |
+ * +---------------------------------------------------------+
+ * | "NMI executing" variable |
+ * +---------------------------------------------------------+
+ * | iret SS } Copied from "outermost" frame |
+ * | iret Return RSP } on each loop iteration; overwritten |
+ * | iret RFLAGS } by a nested NMI to force another |
+ * | iret CS } iteration if needed. |
+ * | iret RIP } |
+ * +---------------------------------------------------------+
+ * | outermost SS } initialized in first_nmi; |
+ * | outermost Return RSP } will not be changed before |
+ * | outermost RFLAGS } NMI processing is done. |
+ * | outermost CS } Copied to "iret" frame on each |
+ * | outermost RIP } iteration. |
+ * +---------------------------------------------------------+
+ * | pt_regs |
+ * +---------------------------------------------------------+
+ *
+ * The "original" frame is used by hardware. Before re-enabling
+ * NMIs, we need to be done with it, and we need to leave enough
+ * space for the asm code here.
+ *
+ * We return by executing IRET while RSP points to the "iret" frame.
+ * That will either return for real or it will loop back into NMI
+ * processing.
+ *
+ * The "outermost" frame is copied to the "iret" frame on each
+ * iteration of the loop, so each iteration starts with the "iret"
+ * frame pointing to the final return target.
+ */
+
+ /*
+ * Determine whether we're a nested NMI.
+ *
+ * First check "NMI executing". If it's set, then we're nested.
+ * This will not detect if we interrupted an outer NMI just
+ * before IRET.
*/
cmpl $1, -8(%rsp)
je nested_nmi

/*
- * Now test if the previous stack was an NMI stack.
- * We need the double check. We check the NMI stack to satisfy the
- * race when the first NMI clears the variable before returning.
- * We check the variable because the first NMI could be in a
- * breakpoint routine using a breakpoint stack.
+ * Now test if the previous stack was an NMI stack. This covers
+ * the case where we interrupt an outer NMI after it clears

+ * "NMI executing" but before IRET.

*/
lea 6*8(%rsp), %rdx
/* Compare the NMI stack (rdx) with the stack we came from (4*8(%rsp)) */

@@ -1570,9 +1613,11 @@ ENTRY(nmi)

nested_nmi:
/*
- * Do nothing if we interrupted the fixup in repeat_nmi.
- * It's about to repeat the NMI handler, so we are fine
- * with ignoring this one.
+ * If we interrupted an NMI that is between repeat_nmi and
+ * end_repeat_nmi, then we must not modify the "iret" frame
+ * because it's being written by the outer NMI. That's okay:
+ * the outer NMI handler is about to call do_nmi anyway,
+ * so we can just resume the outer NMI.
*/
movq $repeat_nmi, %rdx
cmpq 8(%rsp), %rdx
@@ -1582,7 +1627,10 @@ nested_nmi:
ja nested_nmi_out

1:
- /* Set up the interrupted NMIs stack to jump to repeat_nmi */
+ /*
+ * Modify the "iret" frame to point to repeat_nmi, forcing another
+ * iteration of NMI handling.
+ */
leaq -1*8(%rsp), %rdx
movq %rdx, %rsp
CFI_ADJUST_CFA_OFFSET 1*8
@@ -1601,60 +1649,23 @@ nested_nmi_out:
popq_cfi %rdx
CFI_RESTORE rdx

- /* No need to check faults here */
+ /* We are returning to kernel mode, so this cannot result in a fault. */
INTERRUPT_RETURN

CFI_RESTORE_STATE
first_nmi:
- /*
- * Because nested NMIs will use the pushed location that we
- * stored in rdx, we must keep that space available.
- * Here's what our stack frame will look like:
- * +-------------------------+
- * | original SS |
- * | original Return RSP |
- * | original RFLAGS |
- * | original CS |
- * | original RIP |
- * +-------------------------+
- * | temp storage for rdx |
- * +-------------------------+
- * | NMI executing variable |
- * +-------------------------+
- * | copied SS |
- * | copied Return RSP |
- * | copied RFLAGS |
- * | copied CS |
- * | copied RIP |
- * +-------------------------+
- * | Saved SS |
- * | Saved Return RSP |
- * | Saved RFLAGS |
- * | Saved CS |
- * | Saved RIP |
- * +-------------------------+
- * | pt_regs |
- * +-------------------------+
- *
- * The saved stack frame is used to fix up the copied stack frame
- * that a nested NMI may change to make the interrupted NMI iret jump
- * to the repeat_nmi. The original stack frame and the temp storage
- * is also used by nested NMIs and can not be trusted on exit.
- */
- /* Do not pop rdx, nested NMIs will corrupt that part of the stack */
+ /* Restore rdx. */
movq (%rsp), %rdx
CFI_RESTORE rdx

- /* Set the NMI executing variable on the stack. */
+ /* Set "NMI executing" on the stack. */
pushq_cfi $1

- /*
- * Leave room for the "copied" frame
- */
+ /* Leave room for the "iret" frame */
subq $(5*8), %rsp
CFI_ADJUST_CFA_OFFSET 5*8

- /* Copy the stack frame to the Saved frame */
+ /* Copy the "original" frame to the "outermost" frame */
.rept 5
pushq_cfi 11*8(%rsp)
.endr
@@ -1662,6 +1673,7 @@ first_nmi:

/* Everything up to here is safe from nested NMIs */

+repeat_nmi:
/*
* If there was a nested NMI, the first NMI's iret will return
* here. But NMIs are still enabled and we can take another
@@ -1670,16 +1682,21 @@ first_nmi:
* it will just return, as we are about to repeat an NMI anyway.
* This makes it safe to copy to the stack frame that a nested
* NMI will update.
- */
-repeat_nmi:
- /*
- * Update the stack variable to say we are still in NMI (the update
- * is benign for the non-repeat case, where 1 was pushed just above
- * to this very stack slot).
+ *
+ * RSP is pointing to "outermost RIP". gsbase is unknown, but, if
+ * we're repeating an NMI, gsbase has the same value that it had on
+ * the first iteration. paranoid_entry will load the kernel
+ * gsbase if needed before we call do_nmi.
+ *
+ * Set "NMI executing" in case we came back here via IRET.
*/
movq $1, 10*8(%rsp)

- /* Make another copy, this one may be modified by nested NMIs */
+ /*
+ * Copy the "outermost" frame to the "iret" frame. NMIs that nest
+ * here must not modify the "iret" frame while we're writing to
+ * it or it will end up containing garbage.
+ */
addq $(10*8), %rsp
CFI_ADJUST_CFA_OFFSET -10*8
.rept 5
@@ -1690,9 +1707,9 @@ repeat_nmi:
end_repeat_nmi:

/*
- * Everything below this point can be preempted by a nested
- * NMI if the first NMI took an exception and reset our iret stack
- * so that we repeat another NMI.
+ * Everything below this point can be preempted by a nested NMI.
+ * If this happens, then the inner NMI will change the "iret"
+ * frame to point back to repeat_nmi.
*/
pushq_cfi $-1 /* ORIG_RAX: no syscall to restart */
subq $ORIG_RAX-R15, %rsp
@@ -1717,11 +1734,17 @@ end_repeat_nmi:
nmi_swapgs:
SWAPGS_UNSAFE_STACK
nmi_restore:
- /* Pop the extra iret frame at once */
+
RESTORE_ALL 6*8

- /* Clear the NMI executing stack variable */
+ /* Clear "NMI executing". */
movq $0, 5*8(%rsp)
+
+ /*
+ * INTERRUPT_RETURN reads the "iret" frame and exits the NMI
+ * stack in a single instruction. We are returning to kernel
+ * mode, so this cannot result in a fault.
+ */
jmp irq_return
CFI_ENDPROC
END(nmi)
diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
index d8766b1c9974..d05bd2e2ee91 100644
--- a/arch/x86/kernel/nmi.c
+++ b/arch/x86/kernel/nmi.c
@@ -408,8 +408,8 @@ static void default_do_nmi(struct pt_regs *regs)
NOKPROBE_SYMBOL(default_do_nmi);

/*
- * NMIs can hit breakpoints which will cause it to lose its NMI context
- * with the CPU when the breakpoint or page fault does an IRET.
+ * NMIs can page fault or hit breakpoints which will cause it to lose
+ * its NMI context with the CPU when the breakpoint or page fault does an IRET.
*
* As a result, NMIs can nest if NMIs get unmasked due an IRET during
* NMI processing. On x86_64, the asm glue protects us from nested NMIs

Luis Henriques

unread,

Aug 12, 2015, 5:30:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin...@canonical.com>

commit ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 upstream.

__key_link_end is not freeing the associated array edit structure
and this leads to a 512 byte memory leak each time an identical
existing key is added with add_key().

The reason the add_key() system call returns okay is that
key_create_or_update() calls __key_link_begin() before checking to see
whether it can update a key directly rather than adding/replacing - which
it turns out it can. Thus __key_link() is not called through
__key_instantiate_and_link() and __key_link_end() must cancel the edit.

CVE-2015-1333

Signed-off-by: Colin Ian King <colin...@canonical.com>
Signed-off-by: David Howells <dhow...@redhat.com>
Signed-off-by: James Morris <james.l...@oracle.com>
Cc: Moritz Mühlenhoff <j...@inutil.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

security/keys/keyring.c | 8 +++++---

1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 9cf2575f0d97..860345cb05f1 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -1151,9 +1151,11 @@ void __key_link_end(struct key *keyring,
if (index_key->type == &key_type_keyring)
up_write(&keyring_serialise_link_sem);

- if (edit && !edit->dead_leaf) {
- key_payload_reserve(keyring,
- keyring->datalen - KEYQUOTA_LINK_BYTES);
+ if (edit) {
+ if (!edit->dead_leaf) {
+ key_payload_reserve(keyring,
+ keyring->datalen - KEYQUOTA_LINK_BYTES);
+ }
assoc_array_cancel_edit(edit);
}
up_write(&keyring->sem);

Luis Henriques

unread,

Aug 12, 2015, 5:30:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Wengang Wang <wen.ga...@oracle.com>

commit 4fabb59449aa44a585b3603ffdadd4c5f4d0c033 upstream.

Fixes: 3e0249f9c05c ("RDS/IB: add refcount tracking to struct rds_ib_device")

There lacks a dropping on rds_ib_device.refcount in case rds_ib_alloc_fmr
failed(mr pool running out). this lead to the refcount overflow.

A complain in line 117(see following) is seen. From vmcore:
s_ib_rdma_mr_pool_depleted is 2147485544 and rds_ibdev->refcount is -2147475448.
That is the evidence the mr pool is used up. so rds_ib_alloc_fmr is very likely
to return ERR_PTR(-EAGAIN).

115 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
116 {
117 BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
118 if (atomic_dec_and_test(&rds_ibdev->refcount))
119 queue_work(rds_wq, &rds_ibdev->free_work);
120 }

fix is to drop refcount when rds_ib_alloc_fmr failed.

Signed-off-by: Wengang Wang <wen.ga...@oracle.com>
Reviewed-by: Haggai Eran <hag...@mellanox.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/rds/ib_rdma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index e8fdb172adbb..a985158d95d5 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -759,8 +759,10 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
}

ibmr = rds_ib_alloc_fmr(rds_ibdev);
- if (IS_ERR(ibmr))
+ if (IS_ERR(ibmr)) {
+ rds_ib_dev_put(rds_ibdev);
return ibmr;
+ }

ret = rds_ib_map_fmr(rds_ibdev, ibmr, sg, nents);
if (ret == 0)

Luis Henriques

unread,

Aug 12, 2015, 5:30:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei....@cogentembedded.com>

commit c1a4c87b06fa564d6e2760a12d4e5a09badc684b upstream.

Printing IRQ # using "%x" and "%u" unsigned formats isn't quite correct as
'ndev->irq' is of type *int*, so the "%d" format needs to be used instead.

While fixing this, beautify the dev_info() message in rcar_can_probe() a bit.

Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver")
Signed-off-by: Sergei Shtylyov <sergei....@cogentembedded.com>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/net/can/rcar_can.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/rcar_can.c b/drivers/net/can/rcar_can.c
index ebdfc3908aad..6a4f107da6bf 100644
--- a/drivers/net/can/rcar_can.c
+++ b/drivers/net/can/rcar_can.c
@@ -517,7 +517,7 @@ static int rcar_can_open(struct net_device *ndev)
napi_enable(&priv->napi);
err = request_irq(ndev->irq, rcar_can_interrupt, 0, ndev->name, ndev);
if (err) {
- netdev_err(ndev, "error requesting interrupt %x\n", ndev->irq);
+ netdev_err(ndev, "error requesting interrupt %d\n", ndev->irq);
goto out_close;
}
can_led_event(ndev, CAN_LED_EVENT_OPEN);
@@ -786,7 +786,7 @@ static int rcar_can_probe(struct platform_device *pdev)

devm_can_led_init(ndev);

- dev_info(&pdev->dev, "device registered (reg_base=%p, irq=%u)\n",
+ dev_info(&pdev->dev, "device registered (regs @ %p, IRQ%d)\n",
priv->regs, ndev->irq);

return 0;

Luis Henriques

unread,

Aug 12, 2015, 5:30:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Julian Anastasov <j...@ssi.bg>

commit e9e4dd3267d0c5234c5c0f47440456b10875dec9 upstream.

commit 381c759d9916 ("ipv4: Avoid crashing in ip_error")
fixes a problem where processed packet comes from device
with destroyed inetdev (dev->ip_ptr). This is not expected
because inetdev_destroy is called in NETDEV_UNREGISTER
phase and packets should not be processed after
dev_close_many() and synchronize_net(). Above fix is still
required because inetdev_destroy can be called for other
reasons. But it shows the real problem: backlog can keep
packets for long time and they do not hold reference to
device. Such packets are then delivered to upper levels
at the same time when device is unregistered.
Calling flush_backlog after NETDEV_UNREGISTER_FINAL still
accounts all packets from backlog but before that some packets
continue to be delivered to upper levels long after the
synchronize_net call which is supposed to wait the last
ones. Also, as Eric pointed out, processed packets, mostly
from other devices, can continue to add new packets to backlog.

Fix the problem by moving flush_backlog early, after the
device driver is stopped and before the synchronize_net() call.
Then use netif_running check to make sure we do not add more
packets to backlog. We have to do it in enqueue_to_backlog
context when the local IRQ is disabled. As result, after the
flush_backlog and synchronize_net sequence all packets
should be accounted.

Thanks to Eric W. Biederman for the test script and his
valuable feedback!

Reported-by: Vittorio Gambaletta <linu...@vittgam.net>
Fixes: 6e583ce5242f ("net: eliminate refcounting in backlog queue")
Cc: Eric W. Biederman <ebie...@xmission.com>
Cc: Stephen Hemminger <ste...@networkplumber.org>
Signed-off-by: Julian Anastasov <j...@ssi.bg>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/core/dev.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 2e616d68a7aa..395830206d73 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3262,6 +3262,8 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu,
local_irq_save(flags);

rps_lock(sd);
+ if (!netif_running(skb->dev))
+ goto drop;
qlen = skb_queue_len(&sd->input_pkt_queue);
if (qlen <= netdev_max_backlog && !skb_flow_limit(skb, qlen)) {
if (skb_queue_len(&sd->input_pkt_queue)) {
@@ -3283,6 +3285,7 @@ enqueue:
goto enqueue;
}

+drop:
sd->dropped++;
rps_unlock(sd);

@@ -5788,6 +5791,7 @@ static void rollback_registered_many(struct list_head *head)
unlist_netdevice(dev);

dev->reg_state = NETREG_UNREGISTERING;
+ on_each_cpu(flush_backlog, dev, 1);
}

synchronize_net();
@@ -6408,8 +6412,6 @@ void netdev_run_todo(void)

dev->reg_state = NETREG_UNREGISTERED;

- on_each_cpu(flush_backlog, dev, 1);
-
netdev_wait_allrefs(dev);

/* paranoia */

Luis Henriques

unread,

Aug 12, 2015, 5:30:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <lu...@kernel.org>

commit 9d05041679904b12c12421cbcf9cb5f4860a8d7b upstream.

32-bit kernels handle nested NMIs in C. Enable the exact same
handling on 64-bit kernels as well. This isn't currently
necessary, but it will become necessary once the asm code starts
allowing limited nesting.

Signed-off-by: Andy Lutomirski <lu...@kernel.org>
Reviewed-by: Steven Rostedt <ros...@goodmis.org>
Cc: Borislav Petkov <b...@suse.de>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Signed-off-by: Ingo Molnar <mi...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/x86/kernel/nmi.c | 123 +++++++++++++++++++++-----------------------------
1 file changed, 52 insertions(+), 71 deletions(-)

diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
index c3e985d1751c..d8766b1c9974 100644
--- a/arch/x86/kernel/nmi.c
+++ b/arch/x86/kernel/nmi.c
@@ -408,15 +408,15 @@ static void default_do_nmi(struct pt_regs *regs)

NOKPROBE_SYMBOL(default_do_nmi);

/*
- * NMIs can hit breakpoints which will cause it to lose its

- * NMI context with the CPU when the breakpoint does an iret.
- */
-#ifdef CONFIG_X86_32
-/*
- * For i386, NMIs use the same stack as the kernel, and we can
- * add a workaround to the iret problem in C (preventing nested
- * NMIs if an NMI takes a trap). Simply have 3 states the NMI
- * can be in:
+ * NMIs can hit breakpoints which will cause it to lose its NMI context
+ * with the CPU when the breakpoint or page fault does an IRET.
+ *
+ * As a result, NMIs can nest if NMIs get unmasked due an IRET during
+ * NMI processing. On x86_64, the asm glue protects us from nested NMIs
+ * if the outer NMI came from kernel mode, but we can still nest if the
+ * outer NMI came from user mode.
+ *
+ * To handle these nested NMIs, we have three states:
*
* 1) not running
* 2) executing
@@ -430,15 +430,14 @@ NOKPROBE_SYMBOL(default_do_nmi);
* (Note, the latch is binary, thus multiple NMIs triggering,
* when one is running, are ignored. Only one NMI is restarted.)
*
- * If an NMI hits a breakpoint that executes an iret, another
- * NMI can preempt it. We do not want to allow this new NMI
- * to run, but we want to execute it when the first one finishes.
- * We set the state to "latched", and the exit of the first NMI will
- * perform a dec_return, if the result is zero (NOT_RUNNING), then
- * it will simply exit the NMI handler. If not, the dec_return
- * would have set the state to NMI_EXECUTING (what we want it to
- * be when we are running). In this case, we simply jump back
- * to rerun the NMI handler again, and restart the 'latched' NMI.
+ * If an NMI executes an iret, another NMI can preempt it. We do not
+ * want to allow this new NMI to run, but we want to execute it when the
+ * first one finishes. We set the state to "latched", and the exit of
+ * the first NMI will perform a dec_return, if the result is zero
+ * (NOT_RUNNING), then it will simply exit the NMI handler. If not, the
+ * dec_return would have set the state to NMI_EXECUTING (what we want it
+ * to be when we are running). In this case, we simply jump back to
+ * rerun the NMI handler again, and restart the 'latched' NMI.
*
* No trap (breakpoint or page fault) should be hit before nmi_restart,
* thus there is no race between the first check of state for NOT_RUNNING
@@ -461,49 +460,36 @@ enum nmi_states {
static DEFINE_PER_CPU(enum nmi_states, nmi_state);
static DEFINE_PER_CPU(unsigned long, nmi_cr2);

-#define nmi_nesting_preprocess(regs) \
- do { \
- if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) { \
- this_cpu_write(nmi_state, NMI_LATCHED); \
- return; \
- } \
- this_cpu_write(nmi_state, NMI_EXECUTING); \
- this_cpu_write(nmi_cr2, read_cr2()); \
- } while (0); \
- nmi_restart:
-
-#define nmi_nesting_postprocess() \
- do { \
- if (unlikely(this_cpu_read(nmi_cr2) != read_cr2())) \
- write_cr2(this_cpu_read(nmi_cr2)); \
- if (this_cpu_dec_return(nmi_state)) \
- goto nmi_restart; \
- } while (0)
-#else /* x86_64 */
+#ifdef CONFIG_X86_64
/*
- * In x86_64 things are a bit more difficult. This has the same problem
- * where an NMI hitting a breakpoint that calls iret will remove the
- * NMI context, allowing a nested NMI to enter. What makes this more
- * difficult is that both NMIs and breakpoints have their own stack.
- * When a new NMI or breakpoint is executed, the stack is set to a fixed
- * point. If an NMI is nested, it will have its stack set at that same
- * fixed address that the first NMI had, and will start corrupting the
- * stack. This is handled in entry_64.S, but the same problem exists with
- * the breakpoint stack.
+ * In x86_64, we need to handle breakpoint -> NMI -> breakpoint. Without
+ * some care, the inner breakpoint will clobber the outer breakpoint's
+ * stack.
*
- * If a breakpoint is being processed, and the debug stack is being used,
- * if an NMI comes in and also hits a breakpoint, the stack pointer
- * will be set to the same fixed address as the breakpoint that was
- * interrupted, causing that stack to be corrupted. To handle this case,
- * check if the stack that was interrupted is the debug stack, and if
- * so, change the IDT so that new breakpoints will use the current stack
- * and not switch to the fixed address. On return of the NMI, switch back
- * to the original IDT.
+ * If a breakpoint is being processed, and the debug stack is being
+ * used, if an NMI comes in and also hits a breakpoint, the stack
+ * pointer will be set to the same fixed address as the breakpoint that
+ * was interrupted, causing that stack to be corrupted. To handle this
+ * case, check if the stack that was interrupted is the debug stack, and
+ * if so, change the IDT so that new breakpoints will use the current
+ * stack and not switch to the fixed address. On return of the NMI,
+ * switch back to the original IDT.
*/
static DEFINE_PER_CPU(int, update_debug_stack);
+#endif

-static inline void nmi_nesting_preprocess(struct pt_regs *regs)
+dotraplinkage notrace void
+do_nmi(struct pt_regs *regs, long error_code)
{
+ if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
+ this_cpu_write(nmi_state, NMI_LATCHED);
+ return;
+ }
+ this_cpu_write(nmi_state, NMI_EXECUTING);
+ this_cpu_write(nmi_cr2, read_cr2());
+nmi_restart:
+
+#ifdef CONFIG_X86_64
/*
* If we interrupted a breakpoint, it is possible that
* the nmi handler will have breakpoints too. We need to
@@ -514,22 +500,8 @@ static inline void nmi_nesting_preprocess(struct pt_regs *regs)
debug_stack_set_zero();
this_cpu_write(update_debug_stack, 1);
}
-}
-
-static inline void nmi_nesting_postprocess(void)
-{
- if (unlikely(this_cpu_read(update_debug_stack))) {
- debug_stack_reset();
- this_cpu_write(update_debug_stack, 0);
- }
-}
#endif

-dotraplinkage notrace void
-do_nmi(struct pt_regs *regs, long error_code)
-{
- nmi_nesting_preprocess(regs);
-
nmi_enter();

inc_irq_stat(__nmi_count);
@@ -539,8 +511,17 @@ do_nmi(struct pt_regs *regs, long error_code)

nmi_exit();

- /* On i386, may loop back to preprocess */
- nmi_nesting_postprocess();
+#ifdef CONFIG_X86_64
+ if (unlikely(this_cpu_read(update_debug_stack))) {
+ debug_stack_reset();
+ this_cpu_write(update_debug_stack, 0);
+ }
+#endif
+
+ if (unlikely(this_cpu_read(nmi_cr2) != read_cr2()))
+ write_cr2(this_cpu_read(nmi_cr2));
+ if (this_cpu_dec_return(nmi_state))
+ goto nmi_restart;
}
NOKPROBE_SYMBOL(do_nmi);

Luis Henriques

unread,

Aug 12, 2015, 5:30:07 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <lu...@kernel.org>

commit 0e181bb58143cb4a2e8f01c281b0816cd0e4798e upstream.

Now that do_nmi saves CR2, we don't need to save it in asm.

Signed-off-by: Andy Lutomirski <lu...@kernel.org>
Reviewed-by: Steven Rostedt <ros...@goodmis.org>

Acked-by: Borislav Petkov <b...@suse.de>

Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Signed-off-by: Ingo Molnar <mi...@kernel.org>

[bwh: Backported to 4.0: adjust filename, context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

[ luis: backported to 3.16: used Ben's backport to 4.0 ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/x86/kernel/entry_64.S | 18 ------------------
1 file changed, 18 deletions(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index c0ec84a1890e..5ee10d35d79f 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1636,29 +1636,11 @@ end_repeat_nmi:
call save_paranoid
DEFAULT_FRAME 0

- /*
- * Save off the CR2 register. If we take a page fault in the NMI then
- * it could corrupt the CR2 value. If the NMI preempts a page fault
- * handler before it was able to read the CR2 register, and then the
- * NMI itself takes a page fault, the page fault that was preempted
- * will read the information from the NMI page fault and not the
- * origin fault. Save it off and restore it if it changes.
- * Use the r12 callee-saved register.
- */
- movq %cr2, %r12
-
/* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
movq %rsp,%rdi
movq $-1,%rsi
call do_nmi

- /* Did the NMI take a page fault? Restore cr2 if it did */
- movq %cr2, %rcx
- cmpq %rcx, %r12
- je 1f
- movq %r12, %cr2
-1:
-
testl %ebx,%ebx /* swapgs needed? */
jnz nmi_restore
nmi_swapgs:

Luis Henriques

unread,

Aug 12, 2015, 5:30:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Antonio Borneo <borneo....@gmail.com>

commit 6debce6f4e787a8eb4cec94e7afa85fb4f40db27 upstream.

Current implementation of cp2112_raw_event() only accepts one data report at a
time. If last received data report is not fully handled yet, a new incoming
data report will overwrite it. In such case we don't guaranteed to propagate
the correct incoming data.

The trivial fix implemented here forces a single report at a time by requesting
in cp2112_read() no more than 61 byte of data, which is the payload size of a
single data report.

Signed-off-by: Antonio Borneo <borneo....@gmail.com>
Tested-by: Ellen Wang <el...@cumulusnetworks.com>
Signed-off-by: Jiri Kosina <jko...@suse.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/hid/hid-cp2112.c | 2 ++

1 file changed, 2 insertions(+)

diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
index 56be85a9a77c..ffe69be882de 100644
--- a/drivers/hid/hid-cp2112.c
+++ b/drivers/hid/hid-cp2112.c
@@ -352,6 +352,8 @@ static int cp2112_read(struct cp2112_device *dev, u8 *data, size_t size)
struct cp2112_force_read_report report;
int ret;

+ if (size > sizeof(dev->read_data))
+ size = sizeof(dev->read_data);
report.report = CP2112_DATA_READ_FORCE_SEND;
report.length = cpu_to_be16(size);

Luis Henriques

unread,

Aug 12, 2015, 5:30:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <lu...@kernel.org>

commit a27507ca2d796cfa8d907de31ad730359c8a6d06 upstream.

Check the repeat_nmi .. end_repeat_nmi special case first. The
next patch will rework the RSP check and, as a side effect, the
RSP check will no longer detect repeat_nmi .. end_repeat_nmi, so
we'll need this ordering of the checks.

Note: this is more subtle than it appears. The check for
repeat_nmi .. end_repeat_nmi jumps straight out of the NMI code
instead of adjusting the "iret" frame to force a repeat. This
is necessary, because the code between repeat_nmi and
end_repeat_nmi sets "NMI executing" and then writes to the
"iret" frame itself. If a nested NMI comes in and modifies the
"iret" frame while repeat_nmi is also modifying it, we'll end up
with garbage. The old code got this right, as does the new
code, but the new code is a bit more explicit.

If we were to move the check right after the "NMI executing"
check, then we'd get it wrong and have random crashes.

( Because the "NMI executing" check would jump to the code that would
modify the "iret" frame without checking if the interrupted NMI was
currently modifying it. )

Signed-off-by: Andy Lutomirski <lu...@kernel.org>
Reviewed-by: Steven Rostedt <ros...@goodmis.org>

Cc: Borislav Petkov <b...@suse.de>

Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Signed-off-by: Ingo Molnar <mi...@kernel.org>

[bwh: Backported to 4.0: adjust filename, spacing]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
[ luis: backported to 3.16: Used Ben's backport to 4.0 ]

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

arch/x86/kernel/entry_64.S | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 0fdb80df2cac..8a6866b2f2a6 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1586,7 +1586,24 @@ ENTRY(nmi)
/*

* Determine whether we're a nested NMI.

*
- * First check "NMI executing". If it's set, then we're nested.
+ * If we interrupted kernel code between repeat_nmi and
+ * end_repeat_nmi, then we are a nested NMI. We must not
+ * modify the "iret" frame because it's being written by
+ * the outer NMI. That's okay: the outer NMI handler is
+ * about to about to call do_nmi anyway, so we can just
+ * resume the outer NMI.
+ */
+
+ movq $repeat_nmi, %rdx
+ cmpq 8(%rsp), %rdx
+ ja 1f
+ movq $end_repeat_nmi, %rdx
+ cmpq 8(%rsp), %rdx
+ ja nested_nmi_out
+1:
+
+ /*
+ * Now check "NMI executing". If it's set, then we're nested.

* This will not detect if we interrupted an outer NMI just

* before IRET.
*/
@@ -1613,21 +1630,6 @@ ENTRY(nmi)

nested_nmi:
/*
- * If we interrupted an NMI that is between repeat_nmi and
- * end_repeat_nmi, then we must not modify the "iret" frame
- * because it's being written by the outer NMI. That's okay:
- * the outer NMI handler is about to call do_nmi anyway,
- * so we can just resume the outer NMI.
- */
- movq $repeat_nmi, %rdx
- cmpq 8(%rsp), %rdx
- ja 1f
- movq $end_repeat_nmi, %rdx
- cmpq 8(%rsp), %rdx
- ja nested_nmi_out
-
-1:
- /*

* Modify the "iret" frame to point to repeat_nmi, forcing another

* iteration of NMI handling.

*/

Luis Henriques

unread,

Aug 12, 2015, 5:30:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpat...@redhat.com>

commit d531be2ca2f27cca5f041b6a140504999144a617 upstream.

I have a ST4000DM000 disk. If Linux is booted while the disk is spun down,
the command that sets transfer mode causes the disk to spin up. The
spin-up takes longer than the default 5s timeout, so the command fails and
timeout is reported.

Fix this by increasing the timeout to 15s, which is enough for the disk to
spin up.

Signed-off-by: Mikulas Patocka <mpat...@redhat.com>
Signed-off-by: Tejun Heo <t...@kernel.org>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/ata/libata-core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c

index d9ea12a004bc..a3593aef073a 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4539,7 +4539,8 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev)
else /* In the ancient relic department - skip all of this */
return 0;

- err_mask = ata_exec_internal(dev, &tf, NULL, DMA_NONE, NULL, 0, 0);
+ /* On some disks, this command causes spin-up, so we need longer timeout */
+ err_mask = ata_exec_internal(dev, &tf, NULL, DMA_NONE, NULL, 0, 15000);

DPRINTK("EXIT, err_mask=%x\n", err_mask);
return err_mask;

Luis Henriques

unread,

Aug 12, 2015, 5:30:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Nikolay Aleksandrov <ra...@blackwall.org>

commit f1158b74e54f2e2462ba5e2f45a118246d9d5b43 upstream.

Since commit b0e9a30dd669 ("bridge: Add vlan id to multicast groups")
there's a check in br_ip_equal() for a matching vlan id, but the mdb
functions were not modified to use (or at least zero it) so when an
entry was added it would have a garbage vlan id (from the local br_ip
variable in __br_mdb_add/del) and this would prevent it from being
matched and also deleted. So zero out the whole local ip var to protect
ourselves from future changes and also to fix the current bug, since
there's no vlan id support in the mdb uapi - use always vlan id 0.
Example before patch:
root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb
dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
RTNETLINK answers: Invalid argument

After patch:
root@debian:~# bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb
dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb del dev br0 port eth1 grp 239.0.0.1 permanent
root@debian:~# bridge mdb

Signed-off-by: Nikolay Aleksandrov <ra...@blackwall.org>
Fixes: b0e9a30dd669 ("bridge: Add vlan id to multicast groups")

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/bridge/br_mdb.c | 2 ++

1 file changed, 2 insertions(+)

diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c
index 21927405cf4e..4754f2d32bb3 100644
--- a/net/bridge/br_mdb.c
+++ b/net/bridge/br_mdb.c
@@ -373,6 +373,7 @@ static int __br_mdb_add(struct net *net, struct net_bridge *br,
if (!p || p->br != br || p->state == BR_STATE_DISABLED)
return -EINVAL;

+ memset(&ip, 0, sizeof(ip));
ip.proto = entry->addr.proto;
if (ip.proto == htons(ETH_P_IP))
ip.u.ip4 = entry->addr.u.ip4;
@@ -419,6 +420,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry)
if (!netif_running(br->dev) || br->multicast_disabled)
return -EINVAL;

+ memset(&ip, 0, sizeof(ip));
ip.proto = entry->addr.proto;
if (ip.proto == htons(ETH_P_IP)) {
if (timer_pending(&br->ip4_other_query.timer))

Luis Henriques

unread,

Aug 12, 2015, 5:30:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit c8cf89f73f3d9ecbdea479778f0ac714be79be33 upstream.

cd->sw_addr is used as a MDIO bus address, which cannot exceed
PHY_MAX_ADDR (32), our check was off-by-one.

Fixes: 5e95329b701c ("dsa: add device tree bindings to register DSA switches")

Signed-off-by: Florian Fainelli <f.fai...@gmail.com>

Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

net/dsa/dsa.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index d3ca32dc167f..a3c70870448f 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -418,7 +418,7 @@ static int dsa_of_probe(struct platform_device *pdev)
continue;

cd->sw_addr = be32_to_cpup(sw_addr);
- if (cd->sw_addr > PHY_MAX_ADDR)
+ if (cd->sw_addr >= PHY_MAX_ADDR)
continue;

for_each_available_child_of_node(child, port) {

Luis Henriques

unread,

Aug 12, 2015, 5:30:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: "Seymour, Shane M" <shane....@hp.com>

commit e7ac6c6666bec0a354758a1298d3231e4a635362 upstream.

Two SLES11 SP3 servers encountered similar crashes simultaneously
following some kind of SAN/tape target issue:

...
qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2.
qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2.
qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2.
qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000.
rport-3:0-0: blocked FC remote port time out: removing target and saving binding
qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2.
rport-2:0-0: blocked FC remote port time out: removing target and saving binding
sg_rq_end_io: device detached
BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
IP: [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP
CPU 0
...
Supported: No, Proprietary modules are loaded [1739975.390463]
Pid: 27965, comm: ABCD Tainted: PF X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8
RIP: 0010:[<ffffffff8133b268>] [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
RSP: 0018:ffff8839dc1e7c68 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138
RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0
R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001
R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80
FS: 00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640)
Stack:
ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80
ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000
ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e
Call Trace:
[<ffffffffa03fa309>] st_open+0x129/0x240 [st]
[<ffffffff8115ea1e>] chrdev_open+0x13e/0x200
[<ffffffff811588a8>] __dentry_open+0x198/0x310
[<ffffffff81167d74>] do_last+0x1f4/0x800
[<ffffffff81168fe9>] path_openat+0xd9/0x420
[<ffffffff8116946c>] do_filp_open+0x4c/0xc0
[<ffffffff8115a00f>] do_sys_open+0x17f/0x250
[<ffffffff81468d92>] system_call_fastpath+0x16/0x1b
[<00007f8e4f617fd0>] 0x7f8e4f617fcf
Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 <f0> ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0
RIP [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
RSP <ffff8839dc1e7c68>
CR2: 00000000000002a8

Analysis reveals the cause of the crash to be due to STp->device
being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
calls scsi_tape_release(). In st_open() we jump to err_out after
scsi_block_when_processing_errors() completes and returns the
device as offline (sdev_state was SDEV_DEL):

1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
1181 module count. */
1182 static int st_open(struct inode *inode, struct file *filp)
1183 {
1184 int i, retval = (-EIO);
1185 int resumed = 0;
1186 struct scsi_tape *STp;
1187 struct st_partstat *STps;
1188 int dev = TAPE_NR(inode);
1189 char *name;
...
1217 if (scsi_autopm_get_device(STp->device) < 0) {
1218 retval = -EIO;
1219 goto err_out;
1220 }
1221 resumed = 1;
1222 if (!scsi_block_when_processing_errors(STp->device)) {
1223 retval = (-ENXIO);
1224 goto err_out;
1225 }
...
1264 err_out:
1265 normalize_buffer(STp->buffer);
1266 spin_lock(&st_use_lock);
1267 STp->in_use = 0;
1268 spin_unlock(&st_use_lock);
1269 scsi_tape_put(STp); <-- STp->device = 0 after this
1270 if (resumed)
1271 scsi_autopm_put_device(STp->device);
1272 return retval;

The ref count for the struct scsi_tape had already been reduced
to 1 when the .remove method of the st module had been called.
The kref_put() in scsi_tape_put() caused scsi_tape_release()
to be called:

0266 static void scsi_tape_put(struct scsi_tape *STp)
0267 {
0268 struct scsi_device *sdev = STp->device;
0269
0270 mutex_lock(&st_ref_mutex);
0271 kref_put(&STp->kref, scsi_tape_release); <-- calls this
0272 scsi_device_put(sdev);
0273 mutex_unlock(&st_ref_mutex);
0274 }

In scsi_tape_release() the struct scsi_device in the struct
scsi_tape gets set to NULL:

4273 static void scsi_tape_release(struct kref *kref)
4274 {
4275 struct scsi_tape *tpnt = to_scsi_tape(kref);
4276 struct gendisk *disk = tpnt->disk;
4277
4278 tpnt->device = NULL; <<<---- where the dev is nulled
4279
4280 if (tpnt->buffer) {
4281 normalize_buffer(tpnt->buffer);
4282 kfree(tpnt->buffer->reserved_pages);
4283 kfree(tpnt->buffer);
4284 }
4285
4286 disk->private_data = NULL;
4287 put_disk(disk);
4288 kfree(tpnt);
4289 return;
4290 }

Although the problem was reported on SLES11.3 the problem appears
in linux-next as well.

The crash is fixed by reordering the code so we no longer access
the struct scsi_tape after the kref_put() is done on it in st_open().

Signed-off-by: Shane Seymour <shane....@hp.com>
Signed-off-by: Darren Lavender <darren....@hp.com>
Reviewed-by: Johannes Thumshirn <jthum...@suse.com>
Acked-by: Kai Mäkisara <kai.ma...@kolumbus.fi>
Signed-off-by: James Bottomley <JBott...@Odin.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

drivers/scsi/st.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
index 14eb4b256a03..daa67f509133 100644
--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -1262,9 +1262,9 @@ static int st_open(struct inode *inode, struct file *filp)
spin_lock(&st_use_lock);
STp->in_use = 0;
spin_unlock(&st_use_lock);
- scsi_tape_put(STp);
if (resumed)
scsi_autopm_put_device(STp->device);
+ scsi_tape_put(STp);
return retval;

Luis Henriques

unread,

Aug 12, 2015, 5:30:08 AM8/12/15

to

3.16.7-ckt16 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <ac...@redhat.com>

commit 9c0fa8dd3d58de8b688fda758eea1719949c7f0a upstream.

At some point:

commit 2c86c7ca7606
Author: Namhyung Kim <namh...@kernel.org>
Date: Mon Mar 17 18:18:54 2014 -0300

perf report: Merge al->filtered with hist_entry->filtered

We stopped dropping samples for things filtered via the --comms, --dsos,
--symbols, etc, i.e. things marked as filtered in the symbol resolution
routines (thread__find_addr_map(), perf_event__preprocess_sample(),
etc).

But then, in:

commit 268397cb2a47
Author: Namhyung Kim <namh...@kernel.org>
Date: Tue Apr 22 14:49:31 2014 +0900

perf top/tui: Update nr_entries properly after a filter is applied

We don't take into account entries that were filtered in
perf_event__preprocess_sample() and friends, which leads to
inconsistency in the browser seek routines, that expects the number of
hist_entry->filtered entries to match what it thinks is the number of
unfiltered, browsable entries.

So, for instance, when we do:

perf top --symbols ___non_existent_symbol___

the hist_browser__nr_entries() routine thinks there are no filters in
place, uses the hists->nr_entries but all entries are filtered, leading
to a segfault.

Tested with:

perf top --symbols malloc,free --percentage=relative

Freezing, by pressing 'f', at any time and doing the math on the
percentages ends up with 100%, ditto for:

perf top --dsos libpthread-2.20.so,libxul.so --percentage=relative

Both were segfaulting, all fixed now.

More work needed to do away with checking if filters are in place, we
should just use the nr_non_filtered_samples counter, no need to
conditionally use it or hists.nr_filter, as what the browser does is
just show unfiltered stuff. An audit of how it is being accounted is
needed, this is the minimal fix.

Reported-by: Michael Petlan <mpe...@redhat.com>
Fixes: 268397cb2a47 ("perf top/tui: Update nr_entries properly after a filter is applied")
Cc: Adrian Hunter <adrian...@intel.com>
Cc: Borislav Petkov <b...@suse.de>
Cc: David Ahern <dsa...@gmail.com>
Cc: Frederic Weisbecker <fwei...@gmail.com>
Cc: Jiri Olsa <jo...@redhat.com>
Cc: Namhyung Kim <namh...@kernel.org>
Cc: Stephane Eranian <era...@google.com>
Link: http://lkml.kernel.org/n/tip-6w01d5q97q...@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>

Signed-off-by: Luis Henriques <luis.he...@canonical.com>
---

tools/perf/ui/browsers/hists.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
index 04a229aa5c0f..868993d355e0 100644
--- a/tools/perf/ui/browsers/hists.c
+++ b/tools/perf/ui/browsers/hists.c
@@ -42,7 +42,7 @@ static struct rb_node *hists__filter_entries(struct rb_node *nd,

static bool hist_browser__has_filter(struct hist_browser *hb)
{
- return hists__has_filter(hb->hists) || hb->min_pcnt;
+ return hists__has_filter(hb->hists) || hb->min_pcnt || symbol_conf.has_filter;
}

static u32 hist_browser__nr_entries(struct hist_browser *hb)

[PATCH 3.14 14/29] tile: use free_bootmem_late() for initrd

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Guenter Roeck

Sudip Mukherjee

Shuah Khan

Greg Kroah-Hartman

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques

Luis Henriques