[PATCH 3.2 199/199] sctp: deny peeloff operation on asocs with threads sleeping on it


Ben Hutchings
Mar 10, 2017, 7:20:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo...@gmail.com>

commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 upstream.

commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
attempted to avoid a BUG_ON call when the association being used for a
sendmsg() is blocked waiting for more sndbuf and another thread did a
peeloff operation on such asoc, moving it to another socket.

As Ben Hutchings noticed, in such a case it would return without
locking back the socket and would cause two unlocks in a row.

Further analysis also revealed that it could allow a double free if the
application managed to peeloff the asoc that is created during the
sendmsg call, because then sctp_sendmsg() would try to free the asoc
that was created only for that call.

This patch takes another approach. It will deny the peeloff operation
if there is a thread sleeping on the asoc, so this situation doesn't
exist anymore. This avoids the issues described above and also honors
the syscalls that are already being handled (it can be multiple sendmsg
calls).

Joint work with Xin Long.

Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
Cc: Alexander Popov <alex....@linux.com>
Cc: Ben Hutchings <b...@decadent.org.uk>
Signed-off-by: Marcelo Ricardo Leitner <marcelo...@gmail.com>
Signed-off-by: Xin Long <lucie...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/sctp/socket.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4242,6 +4242,12 @@ SCTP_STATIC int sctp_do_peeloff(struct s
struct sctp_af *af;
int err = 0;

+ /* If there is a thread waiting on more sndbuf space for
+ * sending on this asoc, it cannot be peeled.
+ */
+ if (waitqueue_active(&asoc->wait))
+ return -EBUSY;
+
/* An association cannot be branched off from an already peeled-off
* socket, nor is this supported for tcp style sockets.
*/
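Review bot: waitqueue_active() without a memory barrier is only a reliable test when the checker and the sleeper are serialized by some other lock; the new check at the top of sctp_do_peeloff() relies on the caller holding the socket lock that the sleeper in sctp_wait_for_sndbuf() keeps until just before it schedules (see the next hunk), and that dependency is worth stating in the comment. The comment also names only the sndbuf waiter, while the test refuses peeloff for anyone sleeping on asoc->wait, so either widen the wording or note that other waiters are intentionally covered. Returning -EBUSY is a new user-visible error from the peeloff socket option and deserves a mention in the description.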
@@ -6492,8 +6498,6 @@ static int sctp_wait_for_sndbuf(struct s
*/
sctp_release_sock(sk);
current_timeo = schedule_timeout(current_timeo);
- if (sk != asoc->base.sk)
- goto do_error;
sctp_lock_sock(sk);

*timeo_p = current_timeo;
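Review bot: dropping the `if (sk != asoc->base.sk) goto do_error;` test between sctp_release_sock() and sctp_lock_sock() removes the path that returned with the socket unlocked, so the waiter now always re-takes the lock; correctness then rests entirely on the first hunk refusing peeloff while asoc->wait has a sleeper, since nothing here re-checks which socket the asoc belongs to after waking. Because this reverts part of 2dcab5984841, which is itself in this 3.2.87 series (shortlog entry "sctp: avoid BUG_ON on sctp_wait_for_sndbuf"), the two must be applied together and in that order.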

Ben Hutchings
Mar 10, 2017, 7:20:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <wil...@google.com>

[ Upstream commit 837585a5375c38d40361cfe64e6fd11e1addb936 ]

When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.

Macvtap functions read the value once, but unless READ_ONCE is used,
the compiler may ignore this and read multiple times. Enforce a single
read and locally cached value to avoid updates between test and use.

Signed-off-by: Willem de Bruijn <wil...@google.com>
Suggested-by: Eric Dumazet <edum...@google.com>
Acked-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- Use ACCESS_ONCE() instead of READ_ONCE()
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/macvtap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -687,7 +687,7 @@ static ssize_t macvtap_get_user(struct m
size_t linear;

if (q->flags & IFF_VNET_HDR) {
- vnet_hdr_len = q->vnet_hdr_sz;
+ vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);

err = -EINVAL;
if (len < vnet_hdr_len)
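Review bot: caching ACCESS_ONCE(q->vnet_hdr_sz) in vnet_hdr_len closes the gap between the `len < vnet_hdr_len` test and the later copy only if every subsequent use in macvtap_get_user() also reads vnet_hdr_len rather than q->vnet_hdr_sz; the hunk shows only the first use, so the rest of the function should be checked for a direct re-read of the field. A short comment saying why the single read matters (the field can be changed concurrently through the ioctl that sets vnet_hdr_sz) would help the next reader.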
@@ -817,7 +817,7 @@ static ssize_t macvtap_put_user(struct m

if (q->flags & IFF_VNET_HDR) {
struct virtio_net_hdr vnet_hdr;
- vnet_hdr_len = q->vnet_hdr_sz;
+ vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);
if ((len -= vnet_hdr_len) < 0)
return -EINVAL;
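Review bot: `if ((len -= vnet_hdr_len) < 0)` only rejects a short buffer if len is a signed type, so the test depends on the declaration of len in macvtap_put_user(), which is outside the hunk and worth confirming. As in the previous hunk, the copy of vnet_hdr that follows must use the cached vnet_hdr_len rather than q->vnet_hdr_sz for the fix to be complete.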

Ben Hutchings
Mar 10, 2017, 7:20:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry....@lwfinger.net>

commit 8052d7245b6089992343c80b38b14dbbd8354651 upstream.

When there is a CRC error in the SPROM read from the device, the code
attempts to handle a fallback SPROM. When this also fails, the driver
returns zero rather than an error code.

Signed-off-by: Larry Finger <Larry....@lwfinger.net>
Signed-off-by: Kalle Valo <kv...@codeaurora.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/ssb/pci.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/ssb/pci.c
+++ b/drivers/ssb/pci.c
@@ -713,6 +713,7 @@ static int ssb_pci_sprom_get(struct ssb_
ssb_printk(KERN_WARNING PFX "WARNING: Using"
" fallback SPROM failed (err %d)\n",
err);
+ goto out_free;
} else {
ssb_dprintk(KERN_DEBUG PFX "Using SPROM"
" revision %d provided by"
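Review bot: the new `goto out_free;` propagates the fallback error only if err is still non-zero when out_free is reached and the label does not reset it; the ssb_printk() just above prints err, so it is set here, but out_free itself is outside the hunk and should be checked for an `err = 0` or similar. It would also help to say in the description what out_free releases, since the reader cannot see whether the SPROM buffer is freed on this path.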

Ben Hutchings
Mar 10, 2017, 7:20:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Davidlohr Bueso <da...@stgolabs.net>

commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.

The issue is described here, with a nice testcase:

https://bugzilla.kernel.org/show_bug.cgi?id=192931

The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
the address rounded down to 0. For the regular mmap case, the
protection mentioned above is that the kernel gets to generate the
address -- arch_get_unmapped_area() will always check for MAP_FIXED and
return that address. So by the time we do security_mmap_addr(0) things
get funky for shmat().

The testcase itself shows that while a regular user crashes, root will
not have a problem attaching a nil-page. There are two possible fixes
to this. The first, and which this patch does, is to simply allow root
to crash as well -- this is also regular mmap behavior, ie when hacking
up the testcase and adding mmap(... |MAP_FIXED). While this approach
is the safer option, the second alternative is to ignore SHM_RND if the
rounded address is 0, thus only having MAP_SHARED flags. This makes the
behavior of shmat() identical to the mmap() case. The downside of this
is obviously user visible, but does make sense in that it maintains
semantics after the round-down wrt 0 address and mmap.

Passes shm related ltp tests.

Link: http://lkml.kernel.org/r/1486050195-18629-1-...@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbu...@suse.de>
Reported-by: Gareth Evans <gareth...@contextis.co.uk>
Cc: Manfred Spraul <man...@colorfullife.com>
Cc: Michael Kerrisk <mtk.ma...@googlemail.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[bwh: Backported to 3.2: use SHMLBA constant instead of shmlba parameter]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -963,8 +963,13 @@ long do_shmat(int shmid, char __user *sh
goto out;
else if ((addr = (ulong)shmaddr)) {
if (addr & (SHMLBA-1)) {
- if (shmflg & SHM_RND)
- addr &= ~(SHMLBA-1); /* round down */
+ /*
+ * Round down to the nearest multiple of shmlba.
+ * For sane do_mmap_pgoff() parameters, avoid
+ * round downs that trigger nil-page and MAP_FIXED.
+ */
+ if ((shmflg & SHM_RND) && addr >= SHMLBA)
+ addr &= ~(SHMLBA - 1);
else
#ifndef __ARCH_FORCE_SHMLBA
if (addr & ~PAGE_MASK)
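Review bot: the new comment says "nearest multiple of shmlba", but this 3.2 backport uses the SHMLBA constant (as the backport note says), so the comment should read SHMLBA to match the code. The added `addr >= SHMLBA` condition changes what SHM_RND means for an address that would round down to 0: instead of rounding, such an address now falls into the else branch, where the existing alignment test decides whether it is rejected; that is the behaviour the description chooses, and the comment could state the outcome directly rather than only "avoid round downs that trigger nil-page and MAP_FIXED". The dangling `else` followed by `#ifndef __ARCH_FORCE_SHMLBA` is pre-existing but makes the control flow hard to follow; braces around the else body would help.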

Ben Hutchings
Mar 10, 2017, 7:20:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuha...@gmail.com>

commit 24803f38a5c0b6c57ed800b47e695f9ce474bc3a upstream.

In commit 24cf3af3fed5 ("igmp: call ip_mc_clear_src..."), we forgot to remove
igmpv3_clear_delrec() in ip_mc_down(), which also called ip_mc_clear_src().
This makes us clear all IGMPv3 source filter info after NETDEV_DOWN.
Move igmpv3_clear_delrec() to ip_mc_destroy_dev(), and then there is no need
for ip_mc_clear_src() in ip_mc_destroy_dev().

On the other hand, we should restore instead of freeing all source filter
info in igmpv3_del_delrec(), or we will not be able to restore IGMPv3 source
filter info after NETDEV_UP and NETDEV_POST_TYPE_CHANGE.

Fixes: 24cf3af3fed5 ("igmp: call ip_mc_clear_src() only when ...")
Signed-off-by: Hangbin Liu <liuha...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- Use IGMP_Unsolicited_Report_Count instead of sysctl_igmp_qrv
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -140,7 +140,7 @@
time_before(jiffies, (in_dev)->mr_v2_seen)))

static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im);
-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr);
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im);
static void igmpv3_clear_delrec(struct in_device *in_dev);
static int sf_setstate(struct ip_mc_list *pmc);
static void sf_markstate(struct ip_mc_list *pmc);
@@ -1082,10 +1082,14 @@ static void igmpv3_add_delrec(struct in_
spin_unlock_bh(&in_dev->mc_tomb_lock);
}

-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr)
+/*
+ * restore ip_mc_list deleted records
+ */
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im)
{
struct ip_mc_list *pmc, *pmc_prev;
- struct ip_sf_list *psf, *psf_next;
+ struct ip_sf_list *psf;
+ __be32 multiaddr = im->multiaddr;

spin_lock_bh(&in_dev->mc_tomb_lock);
pmc_prev = NULL;
@@ -1101,16 +1105,26 @@ static void igmpv3_del_delrec(struct in_
in_dev->mc_tomb = pmc->next;
}
spin_unlock_bh(&in_dev->mc_tomb_lock);
+
+ spin_lock_bh(&im->lock);
if (pmc) {
- for (psf=pmc->tomb; psf; psf=psf_next) {
- psf_next = psf->sf_next;
- kfree(psf);
+ im->interface = pmc->interface;
+ im->crcount = in_dev->mr_qrv ?: IGMP_Unsolicited_Report_Count;
+ im->sfmode = pmc->sfmode;
+ if (pmc->sfmode == MCAST_INCLUDE) {
+ im->tomb = pmc->tomb;
+ im->sources = pmc->sources;
+ for (psf = im->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = im->crcount;
}
in_dev_put(pmc->interface);
- kfree(pmc);
}
+ spin_unlock_bh(&im->lock);
}

+/*
+ * flush ip_mc_list deleted records
+ */
static void igmpv3_clear_delrec(struct in_device *in_dev)
{
struct ip_mc_list *pmc, *nextpmc;
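Review bot: pmc is no longer freed on any path of igmpv3_del_delrec(): `kfree(pmc)` is removed, but the record is unlinked from in_dev->mc_tomb above and only its contents are moved into im, so every restored record leaks its struct. This series' shortlog includes "igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()" [9c8bb163ae784be4f79ae504e78c862806087c54], which addresses exactly that, so it must land together with this patch. Also, `im->tomb = pmc->tomb; im->sources = pmc->sources;` overwrites whatever im currently holds; this is only safe if igmpv3_add_delrec() handed im's lists to the tomb record and cleared them when the group was dropped, which is worth stating in the new "restore ip_mc_list deleted records" comment.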
@@ -1255,7 +1269,7 @@ void ip_mc_inc_group(struct in_device *i
rcu_assign_pointer(in_dev->mc_list, im);

#ifdef CONFIG_IP_MULTICAST
- igmpv3_del_delrec(in_dev, im->multiaddr);
+ igmpv3_del_delrec(in_dev, im);
#endif
igmp_group_added(im);
if (!in_dev->dead)
@@ -1345,8 +1359,12 @@ void ip_mc_remap(struct in_device *in_de

ASSERT_RTNL();

- for_each_pmc_rtnl(in_dev, pmc)
+ for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+ igmpv3_del_delrec(in_dev, pmc);
+#endif
igmp_group_added(pmc);
+ }
}

/* Device going down */
@@ -1367,7 +1385,6 @@ void ip_mc_down(struct in_device *in_dev
in_dev->mr_gq_running = 0;
if (del_timer(&in_dev->mr_gq_timer))
__in_dev_put(in_dev);
- igmpv3_clear_delrec(in_dev);
#endif

ip_mc_dec_group(in_dev, IGMP_ALL_HOSTS);
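Review bot: with igmpv3_clear_delrec() gone from ip_mc_down(), tomb records now persist across a down/up cycle until ip_mc_destroy_dev(), so every record created on the way down must be consumed by igmpv3_del_delrec() on the way up or it stays allocated for the life of the device; a sentence in the description about this new lifetime would make the intent clear to anyone later auditing the tomb list for leaks.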
@@ -1402,8 +1419,12 @@ void ip_mc_up(struct in_device *in_dev)

ip_mc_inc_group(in_dev, IGMP_ALL_HOSTS);

- for_each_pmc_rtnl(in_dev, pmc)
+ for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+ igmpv3_del_delrec(in_dev, pmc);
+#endif
igmp_group_added(pmc);
+ }
}

/*
@@ -1418,13 +1439,13 @@ void ip_mc_destroy_dev(struct in_device

/* Deactivate timers */
ip_mc_down(in_dev);
+#ifdef CONFIG_IP_MULTICAST
+ igmpv3_clear_delrec(in_dev);
+#endif

while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
in_dev->mc_list = i->next_rcu;
in_dev->mc_count--;
-
- /* We've dropped the groups in ip_mc_down already */
- ip_mc_clear_src(i);
ip_ma_put(i);
}
}
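Review bot: dropping `ip_mc_clear_src(i)` from the teardown loop is only safe if every source list has already been moved to a tomb record by the ip_mc_down() call above and is then released by the new igmpv3_clear_delrec() call; in a build without CONFIG_IP_MULTICAST that call is compiled out, so please confirm that no source list can remain attached to i there, or ip_ma_put() would drop the entry with its sources still allocated. The removed comment "We've dropped the groups in ip_mc_down already" should be replaced by one describing the new ownership, since the reason the explicit clear is no longer needed is not obvious from the code.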

Ben Hutchings
Mar 10, 2017, 7:20:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 815a7141c4d1b11610dccb7fcbb38633759824f2 upstream.

Make sure to drop any reference taken by bus_find_device() when creating
devices during init and driver registration.

Fixes: 55347cc9962f ("[POWERPC] ibmebus: Add device creation and bus probing based on of_device")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/powerpc/kernel/ibmebus.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -179,6 +179,7 @@ static int ibmebus_create_device(struct
static int ibmebus_create_devices(const struct of_device_id *matches)
{
struct device_node *root, *child;
+ struct device *dev;
int ret = 0;

root = of_find_node_by_path("/");
@@ -187,9 +188,12 @@ static int ibmebus_create_devices(const
if (!of_match_node(matches, child))
continue;

- if (bus_find_device(&ibmebus_bus_type, NULL, child,
- ibmebus_match_node))
+ dev = bus_find_device(&ibmebus_bus_type, NULL, child,
+ ibmebus_match_node);
+ if (dev) {
+ put_device(dev);
continue;
+ }

ret = ibmebus_create_device(child);
if (ret) {
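Review bot: pairing `put_device(dev)` with a successful bus_find_device() result is the right way to drop the reference the lookup takes, and keeping the result in a local avoids a second lookup. One documentation point: the description speaks of leaks "during init and driver registration" while the diff touches only ibmebus_create_devices(); saying that both paths go through this helper would make the coverage of the fix clear to a reviewer.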

Ben Hutchings
Mar 10, 2017, 7:20:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 ]

This function suffers from multiple issues.

First one is that pskb_may_pull() may reallocate skb->head,
so the 'raw' pointer needs either to be reloaded or not used at all.

Second issue is that NEXTHDR_DEST handling does not validate
that the options are present in skb->data, so we might read
garbage or access non existent memory.

With help from Willem de Bruijn.

Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Dmitry Vyukov <dvy...@google.com>
Cc: Willem de Bruijn <wil...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/ip6_tunnel.c | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -372,18 +372,19 @@ ip6_tnl_dev_uninit(struct net_device *de
static __u16
parse_tlv_tnl_enc_lim(struct sk_buff *skb, __u8 * raw)
{
- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
- __u8 nexthdr = ipv6h->nexthdr;
- __u16 off = sizeof (*ipv6h);
+ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
+ unsigned int nhoff = raw - skb->data;
+ unsigned int off = nhoff + sizeof(*ipv6h);
+ u8 next, nexthdr = ipv6h->nexthdr;

while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
- __u16 optlen = 0;
struct ipv6_opt_hdr *hdr;
- if (raw + off + sizeof (*hdr) > skb->data &&
- !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr)))
+ u16 optlen;
+
+ if (!pskb_may_pull(skb, off + sizeof(*hdr)))
break;

- hdr = (struct ipv6_opt_hdr *) (raw + off);
+ hdr = (struct ipv6_opt_hdr *)(skb->data + off);
if (nexthdr == NEXTHDR_FRAGMENT) {
struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
if (frag_hdr->frag_off)
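Review bot: the NEXTHDR_FRAGMENT branch reads frag_hdr->frag_off after pskb_may_pull(skb, off + sizeof(*hdr)) has validated only sizeof(*hdr) bytes at off, and frag_off lies beyond the first two bytes of struct frag_hdr, so that read is not covered by the pull just performed; consider pulling sizeof(*frag_hdr) for this case. Switching the cursor to the skb->data-relative nhoff and off is the right fix for the stale raw pointer, since pskb_may_pull() may reallocate skb->head; ipv6h is still dereferenced for ipv6h->nexthdr, which is fine only because that happens before the first pull, and a comment saying so would prevent someone moving it later.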
@@ -394,20 +395,29 @@ parse_tlv_tnl_enc_lim(struct sk_buff *sk
} else {
optlen = ipv6_optlen(hdr);
}
+ /* cache hdr->nexthdr, since pskb_may_pull() might
+ * invalidate hdr
+ */
+ next = hdr->nexthdr;
if (nexthdr == NEXTHDR_DEST) {
- __u16 i = off + 2;
+ u16 i = 2;
+
+ /* Remember : hdr is no longer valid at this point. */
+ if (!pskb_may_pull(skb, off + optlen))
+ break;
+
while (1) {
struct ipv6_tlv_tnl_enc_lim *tel;

/* No more room for encapsulation limit */
- if (i + sizeof (*tel) > off + optlen)
+ if (i + sizeof(*tel) > optlen)
break;

- tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i];
+ tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
/* return index of option if found and valid */
if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
tel->length == 1)
- return i;
+ return i + off - nhoff;
/* else jump to next option */
if (tel->type)
i += tel->length + 2;
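Review bot: `tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;` is a pointer-arithmetic bug: the cast binds only to skb->data, so `+ off + i` advances in units of sizeof(*tel) rather than bytes, and tel points at the wrong place whenever off + i is non-zero. It should be `(struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i)`; this series' shortlog includes "ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()" [63117f09c768be05a0bf465911297dc76394f686], which fixes exactly that, so the two must be applied together. The added pskb_may_pull(skb, off + optlen) before the TLV walk is what makes the destination-option bytes safe to read, and caching hdr->nexthdr in next before that pull is correct since hdr may be invalidated by it.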
@@ -415,7 +425,7 @@ parse_tlv_tnl_enc_lim(struct sk_buff *sk
i++;
}
}
- nexthdr = hdr->nexthdr;
+ nexthdr = next;
off += optlen;
}
return 0;

Ben Hutchings
Mar 10, 2017, 7:20:09 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 4763601a56f155ddf94ef35fc2c41504a2de15f5 upstream.

The function returns -EINVAL even if it builds the stream properly.
The bogus error code sneaked in during the code refactoring, but it
wasn't noticed until now since the returned error code itself is
ignored anyway. Kill it here, but there is no behavior change by
this patch, obviously.

Fixes: e5779998bf8b ('ALSA: usb-audio: refactor code')
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
sound/usb/card.c | 1 -
1 file changed, 1 deletion(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -207,7 +207,6 @@ static int snd_usb_create_stream(struct
if (! snd_usb_parse_audio_interface(chip, interface)) {
usb_set_interface(dev, interface, 0); /* reset the current interface */
usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
- return -EINVAL;
}

return 0;
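Review bot: with `return -EINVAL` removed, the parse-failure branch now falls through to the unconditional `return 0`, so callers can no longer tell a failed snd_usb_parse_audio_interface() from success; that matches the description's statement that the return value is ignored anyway, but if a caller ever starts checking it the failure will be silent. A brief comment on why the interface is still reset and claimed with the (void *)-1L marker on this path would help, since that is now the only thing distinguishing the branch.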

Ben Hutchings
Mar 10, 2017, 7:21:38 AM
This is the start of the stable review cycle for the 3.2.87 release.
There are 199 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
Anything received after that time might be too late.

A combined patch relative to 3.2.86 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Aidan Thornton (2):
USB: serial: ch341: add register and USB request definitions
[6fde8d29b0424f292a4ec5dbce01458ad759a41f]
USB: serial: ch341: reinitialize chip on reconfiguration
[4e46c410e050bcac36deadbd8e20449d078204e8]

Akinobu Mita (1):
sysrq: attach sysrq handler correctly for 32-bit kernel
[802c03881f29844af0252b6e22be5d2f65f93fd0]

Al Viro (2):
Fix missing sanity check in /dev/sg
[137d01df511b3afe1f05499aea05f3bafc0fb221]
nfs_write_end(): fix handling of short copies
[c0cf3ef5e0f47e385920450b245d22bead93e7ad]

Alan Stern (7):
PCI: Check for PME in targeted sleep state
[6496ebd7edf446fccf8266a1a70ffcb64252593e]
USB: UHCI: report non-PME wakeup signalling for Intel hardware
[ccdb6be9ec6580ef69f68949ebe26e0fb58a6fb0]
USB: dummy-hcd: fix bug in stop_activity (handle ep0)
[bcdbeb844773333d2d1c08004f3b3e25921040e5]
USB: fix problems with duplicate endpoint addresses
[0a8fd1346254974c3a852338508e4a4cddbb35f1]
USB: gadgetfs: fix checks of wTotalLength in config descriptors
[1c069b057dcf64fada952eaa868d35f02bb0cfc2]
USB: gadgetfs: fix unbounded memory allocation bug
[faab50984fe6636e616c7cc3d30308ba391d36fd]
USB: gadgetfs: fix use-after-free bug
[add333a81a16abbd4f106266a2553677a165725f]

Alex Porosanu (1):
crypto: caam - fix AEAD givenc descriptors
[d128af17876d79b87edf048303f98b35f6a53dbc]

Amir Vadai (1):
net/sched: pedit: make sure that offset is valid
[95c2027bfeda21a28eb245121e6a249f38d0788e]

Andy Shevchenko (1):
platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
[5a00b6c2438460b870a451f14593fc40d3c7edf6]

Anoob Soman (2):
packet: Do not call fanout_release from atomic contexts
[2bd624b4611ffee36422782d16e1c944d1351e98]
packet: call fanout_release, while UNREGISTERING a netdev
[6664498280cf17a59c3e7cf1a931444c02633ed1]

Anssi Hannula (1):
net: xilinx_emaclite: fix receive buffer overflow
[cd224553641848dd17800fe559e4ff5d208553e8]

Anton Blanchard (1):
powerpc: Ignore reserved field in DCSR and PVR reads and writes
[178f358208ceb8b38e5cff3f815e0db4a6a70a07]

Arnaldo Carvalho de Melo (1):
perf scripting: Avoid leaking the scripting_context variable
[cf346d5bd4b9d61656df2f72565c9b354ef3ca0d]

Arnd Bergmann (2):
[media] DaVinci-VPFE-Capture: fix error handling
[d3d83ee20afda16ad0133ba00f63c11a8d842a35]
scsi: mvsas: fix command_active typo
[af15769ffab13d777e55fdef09d0762bf0c249c4]

Arvind Yadav (1):
ata: sata_mv:- Handle return value of devm_ioremap.
[064c3db9c564cc5be514ac21fb4aa26cc33db746]

Augusto Mecking Caringi (1):
vme: Fix wrong pointer utilization in ca91cx42_slave_get
[c8a6a09c1c617402cc9254b2bc8da359a0347d75]

Bart Van Assche (2):
IB/mad: Fix an array index check
[2fe2f378dd45847d2643638c07a7658822087836]
IB/multicast: Check ib_find_pkey() return value
[d3a2418ee36a59bc02e9d454723f3175dcf4bfd9]

Ben Hutchings (6):
Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
[not upstream; the reverted commit is fine upstream but depends
on other changes I haven't backported]
catc: Combine failure cleanup code in catc_probe()
[d41149145f98fe26dcd0bfd1d6cc095e6e041418]
catc: Use heap buffer for memory size test
[2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478]
kconfig/nconf: Fix hang when editing symbol with a long prompt
[79e51b5c2deea542b3bb8c66e0d502230b017dde]
net/sock: Add sock_efree() function
[62bccb8cdb69051b95a55ab0c489e3cab261c8ef]
rtl8150: Use heap buffers for all register access
[7926aff5c57b577ab0f43364ff0c59d968f6a414]

Benjamin Block (1):
scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
[dac37e15b7d511e026a9313c8c46794c144103cd]

Bjørn Mork (1):
USB: serial: option: add device ID for HP lt2523 (Novatel E371)
[5d03a2fd2292e71936c4235885c35ccc3c94695b]

Boris Ostrovsky (1):
xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
[74470954857c264168d2b5a113904cf0cfd27d18]

Chandan Rajendra (2):
ext4: fix mballoc breakage with 64k block size
[69e43e8cc971a79dd1ee5d4343d8e63f82725123]
ext4: fix stack memory corruption with 64k block size
[30a9d7afe70ed6bd9191d3000e2ef1a34fb58493]

Chris Friesen (1):
route: do not cache fib route info on local routes with oif
[d6d5e999e5df67f8ec20b6be45e2229455ee3699]

Con Kolivas (1):
ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
[82ffb6fc637150b279f49e174166d2aa3853eaf4]

Dan Carpenter (4):
ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
[63117f09c768be05a0bf465911297dc76394f686]
sparc: leon: Fix a retry loop in leon_init_timers()
[601e6e3cc5bf6adb7d076fe24d10f6191a25ba9b]
target/iscsi: Fix double free in lio_target_tiqn_addtpg()
[a91918cd3ea11f91c68e08e1e8ce1b560447a80e]
usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
[c95a9f83711bf53faeb4ed9bbb63a3f065613dfb]

Daniel Borkmann (1):
net, sched: fix soft lockup in tc_classify
[628185cfddf1dfb701c4efe2cfd72cf5b09f5702]

Daniele Palmas (1):
USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041
[5b09eff0c379002527ad72ea5ea38f25da8a8650]

Darrick J. Wong (1):
ext4: reject inodes with negative size
[7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58]

Dave Jones (1):
ipv6: handle -EFAULT from skb_copy_bits
[a98f91758995cb59611e61318dddd8a6956b52c3]

Dave Martin (2):
ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
[228dbbfb5d77f8e047b2a1d78da14b7158433027]
powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
[99dfe80a2a246c600440a815741fd2e74a8b4977]

David S. Miller (2):
decnet: Do not build routes to devices without decnet private data.
[a36a0d4008488fa545c74445d69eaf56377d5d4e]
irda: Fix lockdep annotations in hashbin_delete().
[4c03b862b12f980456f9de92db6d508a4999b788]

Davidlohr Bueso (1):
ipc/shm: Fix shmat mmap nil-page protection
[95e91b831f87ac8e1f8ed50c14d709089b4e01b8]

Douglas Caetano dos Santos (1):
tcp: fix wrong checksum calculation on MTU probing
[2fe664f1fcf7c4da6891f95708a7a56d3c024354]

Eric Dumazet (18):
can: Fix kernel panic at security_sock_rcv_skb
[f1712c73714088a7252d276a57126d56c7d37e64]
dccp: do not send reset to already closed sockets
[346da62cc186c4b4b1ac59f87f4482b47a047388]
dccp: fix out of bound access in dccp_v4_err()
[6706a97fec963d6cb3f7fc2978ec1427b4651214]
gro: use min_t() in skb_gro_reset_offset()
[7cfd5fd5a9813f1430290d20c0fead9b4582a307]
ipv6: dccp: fix out of bound access in dccp_v6_err()
[1aa9d1a0e7eefcc61696e147d123453fc0016005]
ipv6: fix ip6_tnl_parse_tlv_enc_lim()
[fbfa743a9d2a0ffa24251764f10afc13eb21e739]
l2tp: do not use udp_ioctl()
[72fb96e7bdbbdd4421b0726992496531060f3636]
net/dccp: fix use-after-free in dccp_invalid_packet
[648f0c28df282636c0c8a7a19ca3ce5fc80a39c3]
net/llc: avoid BUG_ON() in skb_orphan()
[8b74d439e1697110c5e5c600643e823eb1dd0762]
net: avoid sk_forward_alloc overflows
[20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d]
net: clear sk_err_soft in sk_clone_lock()
[e551c32d57c88923f99f8f010e89ca7ed0735e83]
net: fix sk_mem_reclaim_partial()
[1a24e04e4b50939daa3041682b38b82c896ca438]
net: mangle zero checksum in skb_checksum_help()
[4f2e4ad56a65f3b7d64c258e373cb71e8d2499f4]
netlabel: out of bound access in cipso_v4_validate()
[d71b7896886345c53ef1d84bda2bc758554f5d61]
packet: fix races in fanout_add()
[d199fab63c11998a602205f7ee7ff7c05c97164b]
sysctl: fix proc_doulongvec_ms_jiffies_minmax()
[ff9f8a7cf935468a94d9927c68b00daae701667e]
tcp: fix 0 divide in __tcp_select_window()
[06425c308b92eaf60767bc71d359f4cbc7a561f8]
tcp: fix overflow in __tcp_retransmit_skb()
[ffb4d6c8508657824bcef68a36b2a0f9d8c09d10]

Eric Ren (1):
ocfs2: fix crash caused by stale lvb with fsdlm plugin
[e7ee2c089e94067d68475990bdeed211c8852917]

Eric Sandeen (1):
xfs: fix up xfs_swap_extent_forks inline extent handling
[4dfce57db6354603641132fac3c887614e3ebe81]

Eugenia Emantayev (1):
net/mlx4_en: Fix bad WQE issue
[6496bbf0ec481966ef9ffe5b6660d8d1b55c60cc]

Eva Rachel Retuya (1):
staging: iio: ad7606: fix improper setting of oversampling pins
[b321a38d2407c7e425c54bc09be909a34e49f740]

Felipe Balbi (1):
usb: gadget: composite: correctly initialize ep->maxpacket
[e8f29bb719b47a234f33b0af62974d7a9521a52c]

Florian Fainelli (2):
drivers: base: dma-mapping: Fix typo in dmam_alloc_non_coherent comments
[cd74da957ba2d03787ede1c22bbb183d9c728aad]
net: korina: Fix NAPI versus resources freeing
[e6afb1ad88feddf2347ea779cfaf4d03d3cd40b6]

Geoff Levand (1):
powerpc/ps3: Fix system hang with GCC 5 builds
[6dff5b67054e17c91bd630bcdda17cfca5aa4215]

Gerald Schaefer (1):
s390/vmlogrdr: fix IUCV buffer allocation
[5457e03de918f7a3e294eb9d26a608ab8a579976]

Greg Kroah-Hartman (2):
HID: hid-cypress: validate length of report
[1ebb71143758f45dc0fa76e2f48429e13b16d110]
usb: gadgetfs: restrict upper bound on device configuration size
[0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1]

Guenter Roeck (2):
cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
[328cf6927bb72cadefddebbc9a23c793108147a2]
hwmon: (ds620) Fix overflows seen when writing temperature limits
[e36ce99ee0815d7919a7b589bfb66f3de50b6bc7]

Hangbin Liu (3):
igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
[9c8bb163ae784be4f79ae504e78c862806087c54]
igmp: do not remove igmp souce list info when set link down
[24803f38a5c0b6c57ed800b47e695f9ce474bc3a]
mld: do not remove mld souce list info when set link down
[1666d49e1d416fcc2cce708242a52fe3317ea8ba]

Helge Deller (1):
parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
[2ad5d52d42810bed95100a3d912679d8864421ec]

Herbert Xu (3):
gro: Disable frag0 optimization on IPv6 ext headers
[57ea52a865144aedbcd619ee0081155e658b6f7d]
gro: Enter slow-path if there is no tailroom
[1272ce87fa017ca4cf32920764d879656b7a005a]
tun: Fix TUN_PKT_STRIP setting
[2eb783c43e7cf807a45899c10ed556b6dc116625]

Huang Rui (1):
iommu/amd: Fix the left value check of cmd buffer
[432abf68a79332282329286d190e21fe3ac02a31]

Ilya Dryomov (1):
libceph: verify authorize reply on connect
[5c056fdc5b474329037f2aa18401bd73033e0ce0]

J. Bruce Fields (1):
svcrpc: don't leak contexts on PROC_DESTROY
[78794d1890708cf94e3961261e52dcec2cc34722]

Jack Morgenstein (1):
net/mlx4_core: Fix racy CQ (Completion Queue) free
[291c566a28910614ce42d0ffe82196eddd6346f4]

Jan Kara (1):
fsnotify: Fix possible use-after-free in inode iteration on umount
[5716863e0f8251d3360d4cbfc0e44e08007075df]

Jeff Layton (1):
ceph: fix bad endianness handling in parse_reply_info_extra
[6df8c9d80a27cb587f61b4f06b57e248d8bc3f86]

Jeff Mahoney (1):
btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
[2a362249187a8d0f6d942d6e1d763d150a296f47]

Jens Axboe (1):
nbd: fix use-after-free of rq/bio in the xmit path
[429a787be6793554ee02aacc7e1f11ebcecc4453]

Jeremy Linton (1):
net: sky2: Fix shutdown crash
[06ba3b2133dc203e1e9bc36cee7f0839b79a9e8b]

Jiri Slaby (1):
net: sctp, forbid negative length
[a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf]

Johan Hovold (32):
USB: ch341: forward USB errors to USB serial core
[06946a66546aedfc5192645e8fc56081441e378c]
USB: ch341: remove redundant close from open error path
[394a10331a9e43100a8ee293255cfc428c7355ac]
USB: serial: ch341: fix baud rate and line-control handling
[55fa15b5987db22b4f35d3f0798928c126be5f1c]
USB: serial: ch341: fix control-message error handling
[2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae]
USB: serial: ch341: fix initial modem-control state
[4e2da44691cffbfffb1535f478d19bc2dca3e62b]
USB: serial: ch341: fix modem-control and B0 handling
[030ee7ae52a46a2be52ccc8242c4a330aba8d38e]
USB: serial: ch341: fix open and resume after B0
[a20047f36e2f6a1eea4f1fd261aaa55882369868]
USB: serial: ch341: fix open error handling
[f2950b78547ffb8475297ada6b92bc2d774d5461]
USB: serial: ch341: fix resume after reset
[ce5e292828117d1b71cbd3edf9e9137cf31acd30]
USB: serial: cyberjack: fix NULL-deref at open
[3dca01114dcecb1cf324534cd8d75fd1306a516b]
USB: serial: garmin_gps: fix memory leak on failed URB submit
[c4ac4496e835b78a45dfbf74f6173932217e4116]
USB: serial: io_edgeport: fix NULL-deref at open
[0dd408425eb21ddf26a692b3c8044c9e7d1a7948]
USB: serial: io_ti: fix NULL-deref at open
[a323fefc6f5079844dc62ffeb54f491d0242ca35]
USB: serial: io_ti: fix another NULL-deref at open
[4f9785cc99feeb3673993b471f646b4dbaec2cc1]
USB: serial: iuu_phoenix: fix NULL-deref at open
[90507d54f712d81b74815ef3a4bbb555cd9fab2f]
USB: serial: keyspan_pda: verify endpoints at probe
[5d9b0f859babe96175cd33d7162a9463a875ffde]
USB: serial: kl5kusb105: fix open error path
[6774d5f53271d5f60464f824748995b71da401ab]
USB: serial: kobil_sct: fix NULL-deref in write
[21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09]
USB: serial: mos7720: fix NULL-deref at open
[b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc]
USB: serial: mos7720: fix parallel probe
[fde1faf872ed86d88e245191bc15a8e57368cd1c]
USB: serial: mos7720: fix parport use-after-free on probe errors
[75dd211e773afcbc264677b0749d1cf7d937ab2d]
USB: serial: mos7720: fix use-after-free on probe errors
[91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3]
USB: serial: mos7840: fix NULL-deref at open
[5c75633ef751dd4cd8f443dc35152c1ae563162e]
USB: serial: mos7840: fix misleading interrupt-URB comment
[472d7e55d559aa1cbf58c73b14fcfc4651b1a9f5]
USB: serial: omninet: fix NULL-derefs at open and disconnect
[a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e]
USB: serial: oti6858: fix NULL-deref at open
[5afeef2366db14587b65558bbfd5a067542e07fb]
USB: serial: pl2303: fix NULL-deref at open
[76ab439ed1b68778e9059c79ecc5d14de76c89a8]
USB: serial: spcp8x5: fix NULL-deref at open
[cc0909248258f679c4bb4cd315565d40abaf6bc6]
USB: serial: ti_usb_3410_5052: fix NULL-deref at open
[ef079936d3cd09e63612834fe2698eeada0d8e3f]
powerpc/ibmebus: Fix device reference leaks in sysfs interface
[fe0f3168169f7c34c29b0cf0c489f126a7f29643]
powerpc/ibmebus: Fix further device reference leaks
[815a7141c4d1b11610dccb7fcbb38633759824f2]
powerpc/pci/rpadlpar: Fix device reference leaks
[99e5cde5eae78bef95bfe7c16ccda87fb070149b]

Josef Bacik (1):
nbd: only set MSG_MORE when we have more to send
[d61b7f972dab2a7d187c38254845546dfc8eed85]

Kefeng Wang (1):
ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
[03e4deff4987f79c34112c5ba4eb195d4f9382b0]

Keno Fischer (1):
mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
[8310d48b125d19fcd9521d83b8293e63eb1646aa]

Kirtika Ruchandani (1):
regmap: cache: Remove unused 'blksize' variable
[daaadbf07433b15c452b2ff411a293b2ccd98e03]

Krzysztof Kozlowski (1):
thermal: hwmon: Properly report critical temperature in sysfs
[f37fabb8643eaf8e3b613333a72f683770c85eca]

Krzysztof Opasiak (1):
usb: gadget: composite: Test get_alt() presence instead of set_alt()
[7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f]

Larry Finger (1):
ssb: Fix error routine when fallback SPROM fails
[8052d7245b6089992343c80b38b14dbbd8354651]

Leon Romanovsky (1):
net/mlx4: Remove BUG_ON from ICM allocation routine
[c1d5f8ff80ea84768f5fae1ca9d1abfbb5e6bbaa]

Lukasz Odzioba (1):
x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
[dd853fd216d1485ed3045ff772079cc8689a9a4a]

Lukáš Lalinský (1):
USB: Add quirk for WORLDE easykey.25 MIDI keyboard
[d9b2997e4a0a874e452df7cdd7de5a54502bd0aa]

Maor Gottlieb (1):
IB/mlx4: Put non zero value in max_ah device attribute
[731e0415b4af3a133d0316e4dc8ef0ea57dc3fdf]

Marcel J.E. Mol (1):
USB: serial: pl2303: add ATEN device ID
[d07830db1bdb254e4b50d366010b219286b8c937]

Marcelo Ricardo Leitner (3):
sctp: assign assoc_id earlier in __sctp_connect
[7233bc84a3aeda835d334499dc00448373caf5c0]
sctp: avoid BUG_ON on sctp_wait_for_sndbuf
[2dcab598484185dea7ec22219c76dcdd59e3cb90]
sctp: deny peeloff operation on asocs with threads sleeping on it
[dfcb9f4f99f1e9a49e43398a7bfbf56927544af1]

Marcos Paulo de Souza (1):
Input: i8042 - add Pegatron touchpad to noloop table
[41c567a5d7d1a986763e58c3394782813c3bcb03]

Mark Rutland (1):
ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
[ddc37832a1349f474c4532de381498020ed71d31]

Mathias Nyman (2):
xhci: fix deadlock at host remove by running watchdog correctly
[d6169d04097fd9ddf811e63eae4e5cd71e6666e2]
xhci: free xhci virtual devices with leaf nodes first
[ee8665e28e8d90ce69d4abe5a469c14a8707ae0e]

Mauro Carvalho Chehab (1):
[media] siano: make it work again with CONFIG_VMAP_STACK
[f9c85ee67164b37f9296eab3b754e543e4e96a1c]

Maxime Jayat (1):
net: socket: fix recvmmsg not returning error from sock_error
[e623a9e9dec29ae811d11f83d0074ba254aba374]

Michal Hocko (2):
hotplug: Make register and unregister notifier API symmetric
[777c6e0daebb3fcefbbd6f620410a946b07ef6d0]
mm, fs: check for fatal signals in do_generic_file_read()
[5abf186a30a89d5b9c18a6bf93a2c192c9fd52f6]

Michal Tesar (1):
igmp: Make igmp group member RFC 3376 compliant
[7ababb782690e03b78657e27bd051e20163af2d6]

Miklos Szeredi (1):
vfs: fix uninitialized flags in splice_to_pipe()
[5a81e6a171cdbd1fa8bc1fdd80c23d3d71816fac]

Nathaniel Quillin (1):
USB: cdc-acm: add device id for GW Instek AFG-125
[301216044e4c27d5a7323c1fa766266fad00db5e]

NeilBrown (1):
block_dev: don't test bdev->bd_contains when it is not stable
[bcc7f5b4bee8e327689a4d994022765855c807ff]

Nicolas Iooss (1):
[media] ite-cir: initialize use_demodulator before using it
[7ec03e60ef81c19b5d3a46dd070ee966774b860f]

Nicolas PLANEL (1):
USB: ch341: set tty baud speed according to tty struct
[aa91def41a7bb1fd65492934ce6bea19202b6080]

Nikolay Aleksandrov (1):
net: bridge: fix old ioctl unlocked net device walk
[31ca0458a61a502adb7ed192bf9716c6d05791a5]

Oliver Hartkopp (1):
can: bcm: fix hrtimer/tasklet termination in bcm op removal
[a06393ed03167771246c4c43192d9c264bc48412]

Ondrej Kozina (1):
dm crypt: mark key as invalid until properly loaded
[265e9098bac02bc5e36cda21fdbad34cb5b2f48d]

Pan Bian (1):
USB: serial: kl5kusb105: abort on open exception path
[3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c]

Paolo Abeni (1):
ip6_tunnel: disable caching when the traffic class is inherited
[b5c2d49544e5930c96e2632a7eece3f4325a1888]

Patrik Jakobsson (1):
drm/gma500: Add compat ioctl
[0a97c81a9717431e6c57ea845b59c3c345edce67]

Rasmus Villemoes (1):
lib/vsprintf.c: improve sanity check in vsnprintf()
[2aa2f9e21e4eb25c720b2e7d80f8929638f6ad73]

Reiter Wolfgang (2):
drop_monitor: add missing call to genlmsg_end
[4200462d88f47f3759bdf4705f87e207b0f5b2e4]
drop_monitor: consider inserted data in genlmsg_end
[3b48ab2248e61408910e792fe84d6ec466084c1a]

Richard Weinberger (1):
ubifs: Fix journal replay wrt. xattr nodes
[1cb51a15b576ee325d527726afff40947218fd5e]

Robbie Ko (1):
Btrfs: fix tree search logic when replaying directory entry deletes
[2a7bf53f577e49c43de4ffa7776056de26db65d9]

Salvatore Benedetto (1):
crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
[d6040764adcb5cb6de1489422411d701c158bb69]

Shmulik Ladkani (1):
net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
[d65f2fa680d6f91438461df54c83a331b3a631c9]

Soheil Hassas Yeganeh (1):
sock: fix sendmmsg for partial sendmsg
[3023898b7d4aac65987bd2f485cc22390aae6f78]

Stefan Wahren (1):
mmc: mxs-mmc: Fix additional cycles after transmission stop
[01167c7b9cbf099c69fe411a228e4e9c7104e123]

Steffen Maier (3):
scsi: zfcp: do not trace pure benign residual HBA responses at default level
[56d23ed7adf3974f10e91b643bd230e9c65b5f79]
scsi: zfcp: fix rport unblock race with LUN recovery
[6f2ce1c6af37191640ee3ff6e8fc39ea10352f4c]
scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
[2dfa6688aafdc3f74efeb1cf05fb871465d67f79]

Stephen Hemminger (1):
netvsc: reduce maximum GSO size
[a50af86dd49ee1851d1ccf06dd0019c05b95e297]

Takashi Iwai (3):
ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
[37a7ea4a9b81f6a864c10a7cb0b96458df5310a3]
ALSA: seq: Fix race at creating a queue
[4842e98f26dd80be3623c4714a244ba52ea096a8]
ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
[4763601a56f155ddf94ef35fc2c41504a2de15f5]

Theodore Ts'o (3):
ext4: add sanity checking to count_overhead()
[c48ae41bafe31e9a66d8be2ced4e42a6b57fa814]
ext4: fix in-superblock mount options processing
[5aee0f8a3f42c94c5012f1673420aee96315925a]
ext4: use more strict checks for inodes_per_block on mount
[cd6bb35bf7f6d7d922509bf50265383a0ceabe96]

Thorsten Horstmann (1):
mac80211: Fix adding of mesh vendor IEs
[da7061c82e4a1bc6a5e134ef362c86261906c860]

Tom Goff (1):
ipmr/ip6mr: Initialize the last assert time of mfc entries.
[70a0dec45174c976c64b4c8c1d0898581f759948]

Tony Lindgren (1):
usb: musb: Fix trying to free already-free IRQ 4
[8c300fe282fa254ea730c92cb0983e2642dc1fff]

Vlad Tsyrklevich (1):
i2c: fix kernel memory disclosure in dev interface
[30f939feaeee23e21391cfc7b484f012eb189c3c]

WANG Cong (3):
ping: fix a null pointer dereference
[73d2c6678e6c3af7e7a42b1e78cd0211782ade32]
sch_dsmark: update backlog as well
[bdf17661f63a79c3cb4209b970b1cc39e34f7543]
sch_htb: update backlog as well
[431e3a8e36a05a37126f34b41aa3a5a6456af04e]

Wei Fang (1):
scsi: avoid a permanent stop of the scsi device's request queue
[d2a145252c52792bc59e4767b486b26c430af4bb]

Willem de Bruijn (2):
macvtap: read vnet_hdr_size once
[837585a5375c38d40361cfe64e6fd11e1addb936]
tun: read vnet_hdr_sz once
[e1edab87faf6ca30cd137e0795bc73aa9a9a22ec]

Yang Yang (1):
futex: Move futex_init() to core_initcall
[25f71d1c3e98ef0e52371746220d66458eac75bc]

Yegor Yefremov (1):
can: ti_hecc: add missing prepare and unprepare of the clock
[befa60113ce7ea270cb51eada28443ca2756f480]

Makefile | 4 +-
arch/arm/include/asm/cputype.h | 3 +
arch/arm/kernel/hw_breakpoint.c | 16 +++
arch/arm/kernel/ptrace.c | 2 +-
arch/cris/boot/rescue/Makefile | 8 ++
arch/parisc/include/asm/bitops.h | 8 +-
arch/parisc/include/asm/bitsperlong.h | 2 -
arch/parisc/include/asm/swab.h | 5 +-
arch/powerpc/boot/ps3-head.S | 5 -
arch/powerpc/boot/ps3.c | 8 +-
arch/powerpc/include/asm/ppc-opcode.h | 6 +-
arch/powerpc/kernel/ibmebus.c | 16 ++-
arch/powerpc/kernel/ptrace.c | 7 +
arch/sparc/kernel/leon_kernel.c | 56 ++++----
arch/x86/kernel/cpu/common.c | 2 +-
arch/x86/kvm/x86.c | 17 +--
crypto/algapi.c | 1 +
drivers/ata/sata_mv.c | 3 +
drivers/base/dma-mapping.c | 4 +-
drivers/base/regmap/regcache-lzo.c | 8 +-
drivers/block/nbd.c | 34 +++--
drivers/crypto/caam/caamalg.c | 4 +-
drivers/hid/hid-cypress.c | 3 +
drivers/hwmon/ds620.c | 2 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/infiniband/core/mad.c | 2 +-
drivers/infiniband/core/multicast.c | 7 +-
drivers/infiniband/hw/mlx4/main.c | 1 +
drivers/input/serio/i8042-x86ia64io.h | 6 +
drivers/iommu/amd_iommu.c | 2 +-
drivers/md/dm-crypt.c | 7 +-
drivers/media/dvb/siano/smsusb.c | 17 ++-
drivers/media/rc/ite-cir.c | 2 +
drivers/media/video/davinci/vpfe_capture.c | 1 +
drivers/mmc/host/mxs-mmc.c | 6 +-
drivers/net/can/ti_hecc.c | 16 ++-
drivers/net/ethernet/korina.c | 8 +-
drivers/net/ethernet/marvell/sky2.c | 13 ++
drivers/net/ethernet/mellanox/mlx4/cq.c | 38 ++---
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 +-
drivers/net/ethernet/mellanox/mlx4/icm.c | 7 +-
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 10 +-
drivers/net/macvtap.c | 4 +-
drivers/net/tun.c | 20 ++-
drivers/net/usb/catc.c | 56 +++++---
drivers/net/usb/rtl8150.c | 34 ++++-
drivers/net/xen-netfront.c | 4 +-
drivers/pci/hotplug/rpadlpar_core.c | 10 +-
drivers/pci/pci.c | 4 +
drivers/platform/x86/intel_mid_powerbtn.c | 2 +-
drivers/s390/char/vmlogrdr.c | 2 +-
drivers/s390/scsi/zfcp_dbf.c | 17 ++-
drivers/s390/scsi/zfcp_dbf.h | 41 +++++-
drivers/s390/scsi/zfcp_erp.c | 61 +++++++-
drivers/s390/scsi/zfcp_ext.h | 4 +-
drivers/s390/scsi/zfcp_fsf.c | 8 +-
drivers/s390/scsi/zfcp_fsf.h | 3 +-
drivers/s390/scsi/zfcp_reqlist.h | 30 +++-
drivers/s390/scsi/zfcp_scsi.c | 61 +++++++-
drivers/scsi/mvsas/mv_94xx.c | 2 +-
drivers/scsi/scsi_sysfs.c | 4 -
drivers/scsi/sg.c | 4 +
drivers/ssb/pci.c | 1 +
drivers/staging/gma500/psb_drv.c | 3 +
drivers/staging/hv/netvsc_drv.c | 4 +
drivers/staging/iio/adc/ad7606_core.c | 2 +-
drivers/staging/vme/bridges/vme_ca91cx42.c | 2 +-
drivers/target/iscsi/iscsi_target_tpg.c | 1 -
drivers/thermal/thermal_sys.c | 2 +-
drivers/tty/sysrq.c | 4 +-
drivers/usb/class/cdc-acm.c | 1 +
drivers/usb/core/config.c | 10 ++
drivers/usb/core/quirks.c | 4 +
drivers/usb/gadget/composite.c | 14 +-
drivers/usb/gadget/dummy_hcd.c | 6 +-
drivers/usb/gadget/inode.c | 17 ++-
drivers/usb/host/uhci-pci.c | 4 +
drivers/usb/host/xhci-mem.c | 42 +++++-
drivers/usb/host/xhci-ring.c | 6 -
drivers/usb/host/xhci.c | 12 --
drivers/usb/musb/musbhsdma.h | 2 +-
drivers/usb/serial/ch341.c | 192 ++++++++++++++++----------
drivers/usb/serial/cyberjack.c | 3 +
drivers/usb/serial/garmin_gps.c | 1 +
drivers/usb/serial/io_edgeport.c | 5 +
drivers/usb/serial/io_ti.c | 16 ++-
drivers/usb/serial/iuu_phoenix.c | 5 +
drivers/usb/serial/keyspan_pda.c | 8 +-
drivers/usb/serial/kl5kusb105.c | 35 +++--
drivers/usb/serial/kobil_sct.c | 5 +
drivers/usb/serial/mos7720.c | 51 +++----
drivers/usb/serial/mos7840.c | 10 +-
drivers/usb/serial/omninet.c | 6 +
drivers/usb/serial/option.c | 7 +
drivers/usb/serial/oti6858.c | 8 ++
drivers/usb/serial/pl2303.c | 9 ++
drivers/usb/serial/pl2303.h | 1 +
drivers/usb/serial/spcp8x5.c | 7 +
drivers/usb/serial/ti_usb_3410_5052.c | 7 +
fs/block_dev.c | 2 +-
fs/btrfs/ioctl.c | 6 +-
fs/btrfs/tree-log.c | 3 +-
fs/ceph/mds_client.c | 4 +-
fs/ext4/inode.c | 6 +
fs/ext4/mballoc.c | 4 +-
fs/ext4/super.c | 64 +++++----
fs/nfs/file.c | 2 +-
fs/notify/inode_mark.c | 46 ++----
fs/ocfs2/dlmglue.c | 10 ++
fs/ocfs2/stackglue.c | 6 +
fs/ocfs2/stackglue.h | 3 +
fs/splice.c | 1 +
fs/ubifs/tnc.c | 25 +++-
fs/xfs/xfs_dfrag.c | 7 +-
include/linux/can/core.h | 7 +-
include/linux/cpu.h | 12 +-
include/linux/netdevice.h | 9 +-
include/net/cipso_ipv4.h | 4 +
include/net/sock.h | 17 ++-
ipc/shm.c | 9 +-
kernel/cpu.c | 13 +-
kernel/futex.c | 2 +-
kernel/sysctl.c | 1 +
lib/vsprintf.c | 2 +-
mm/filemap.c | 5 +
mm/huge_memory.c | 19 ++-
net/bridge/br_ioctl.c | 5 +-
net/can/af_can.c | 12 +-
net/can/af_can.h | 3 +-
net/can/bcm.c | 27 ++--
net/can/gw.c | 2 +-
net/can/raw.c | 4 +-
net/ceph/messenger.c | 13 ++
net/core/dev.c | 6 +-
net/core/drop_monitor.c | 39 ++++--
net/core/sock.c | 15 +-
net/dccp/ipv4.c | 26 ++--
net/dccp/ipv6.c | 15 +-
net/dccp/proto.c | 4 +
net/decnet/dn_route.c | 9 +-
net/ipv4/cipso_ipv4.c | 4 +
net/ipv4/igmp.c | 55 ++++++--
net/ipv4/ipmr.c | 4 +-
net/ipv4/ping.c | 2 +
net/ipv4/route.c | 12 ++
net/ipv4/tcp_output.c | 21 +--
net/ipv6/addrconf.c | 4 +-
net/ipv6/af_inet6.c | 1 +
net/ipv6/ip6_tunnel.c | 47 +++++--
net/ipv6/ip6mr.c | 1 +
net/ipv6/mcast.c | 50 ++++---
net/ipv6/raw.c | 7 +-
net/irda/irqueue.c | 34 +++--
net/l2tp/l2tp_core.h | 1 +
net/l2tp/l2tp_ip.c | 27 +++-
net/llc/llc_conn.c | 3 +
net/llc/llc_sap.c | 3 +
net/mac80211/mesh.c | 2 +-
net/packet/af_packet.c | 45 ++++--
net/sched/act_pedit.c | 24 +++-
net/sched/cls_api.c | 4 +-
net/sched/em_meta.c | 9 +-
net/sched/sch_dsmark.c | 3 +
net/sched/sch_htb.c | 5 +-
net/sctp/socket.c | 19 ++-
net/socket.c | 19 ++-
net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
scripts/kconfig/nconf.gui.c | 15 +-
sound/core/seq/seq_memory.c | 9 +-
sound/core/seq/seq_queue.c | 33 +++--
sound/usb/card.c | 1 -
sound/usb/mixer.c | 3 +-
tools/perf/util/trace-event-scripting.c | 6 +-
173 files changed, 1534 insertions(+), 671 deletions(-)

--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.

Ben Hutchings

Mar 10, 2017, 7:30:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <cha...@linux.vnet.ibm.com>

commit 30a9d7afe70ed6bd9191d3000e2ef1a34fb58493 upstream.

The number of 'counters' elements needed in 'struct sg' is
super_block->s_blocksize_bits + 2. Presently we have 16 'counters'
elements in the array. This is insufficient for block sizes >= 32k. In
such cases the memcpy operation performed in ext4_mb_seq_groups_show()
would cause stack memory corruption.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <cha...@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Reviewed-by: Jan Kara <ja...@suse.cz>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/mballoc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2134,7 +2134,7 @@ static int ext4_mb_seq_groups_show(struc
struct ext4_buddy e4b;
struct sg {
struct ext4_group_info info;
- ext4_grpblk_t counters[16];
+ ext4_grpblk_t counters[EXT4_MAX_BLOCK_LOG_SIZE + 2];
} sg;

group--;
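Review bot: the new bound is only sufficient because the mount path caps s_blocksize_bits at EXT4_MAX_BLOCK_LOG_SIZE; given that cap, the memcpy in this function of (s_blocksize_bits + 2) counters can no longer run past the end of sg, whereas counters[16] overflowed as soon as s_blocksize_bits reached 15 (32k blocks), as the changelog says. A short comment on the array tying its size to that mount-time check would stop the two from drifting apart later.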

Ben Hutchings

Mar 10, 2017, 7:30:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <kr...@kernel.org>

commit f37fabb8643eaf8e3b613333a72f683770c85eca upstream.

In the critical sysfs entry the thermal hwmon was returning the wrong
temperature to user-space. It was reporting the temperature of the
first trip point instead of the temperature of the critical trip point.

For example:
/sys/class/hwmon/hwmon0/temp1_crit:50000
/sys/class/thermal/thermal_zone0/trip_point_0_temp:50000
/sys/class/thermal/thermal_zone0/trip_point_0_type:active
/sys/class/thermal/thermal_zone0/trip_point_3_temp:120000
/sys/class/thermal/thermal_zone0/trip_point_3_type:critical

Since commit e68b16abd91d ("thermal: add hwmon sysfs I/F") the driver
has been registering a sysfs entry if the get_crit_temp() callback was
provided. However, when accessed, it was calling get_trip_temp() instead
of get_crit_temp().

Fixes: e68b16abd91d ("thermal: add hwmon sysfs I/F")
Signed-off-by: Krzysztof Kozlowski <kr...@kernel.org>
Signed-off-by: Zhang Rui <rui....@intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/thermal/thermal_sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/thermal_sys.c
+++ b/drivers/thermal/thermal_sys.c
@@ -486,7 +486,7 @@ temp_crit_show(struct device *dev, struc
long temperature;
int ret;

- ret = tz->ops->get_trip_temp(tz, 0, &temperature);
+ ret = tz->ops->get_crit_temp(tz, &temperature);
if (ret)
return ret;
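Review bot: tz->ops->get_crit_temp is dereferenced here with no NULL check; that is only safe because, as the changelog states, the temp_crit attribute is registered solely when get_crit_temp() is provided. A one-line comment above the call recording that dependency would protect whoever next touches the hwmon registration code from turning this into a NULL dereference.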

Ben Hutchings

Mar 10, 2017, 7:30:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

[ Upstream commit 63117f09c768be05a0bf465911297dc76394f686 ]

Casting is a high precedence operation but "off" and "i" are in terms of
bytes so we need to have some parenthesis here.

Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Acked-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/ip6_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -413,7 +413,7 @@ parse_tlv_tnl_enc_lim(struct sk_buff *sk
if (i + sizeof(*tel) > optlen)
break;

- tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
+ tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
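Review bot: correct fix, and the impact deserves a sentence in the changelog: with the cast binding before the addition, the old expression advanced by (off + i) whole structs rather than bytes, so tel landed sizeof(*tel) times the intended offset into skb->data, past the region that the preceding `if (i + sizeof(*tel) > optlen)` check bounds. That is an out-of-bounds read on attacker-supplied packets and a wrong parse result on legitimate ones.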

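The pointer mistake fixed above is easy to see in userland. The following is an added example, not code from the kernel or from this patch: it models the Destination Options walk of parse_tlv_tnl_enc_lim() with the bounds check and the parenthesised cast of the fixed code, and then computes where the buggy and fixed spellings of the cast actually point for the same byte offsets. The packet bytes are constructed for the demo, and the array is deliberately larger than the packet so the buggy pointer stays inside memory we own.

```c
/* Added example (not part of the kernel patch above): a userland model of
 * the Destination Options walk in parse_tlv_tnl_enc_lim(), showing what the
 * two spellings of the cast actually point at. Packet bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN             40
#define IPV6_TLV_TNL_ENCAP_LIMIT  4   /* option type from RFC 2473 */
#define DEMO_PKT_LEN             (IPV6_HDR_LEN + 8)

struct ipv6_tlv_tnl_enc_lim {
    uint8_t type;
    uint8_t length;
    uint8_t encap_limit;
};

/* Constructed packet: a zeroed 40-byte IPv6 header, then an 8-byte
 * Destination Options header (nexthdr 59 = none, hdrlen 0) carrying a
 * PadN option (type 1, len 1) and an encapsulation-limit option of 3.
 * The backing array is larger than the packet on purpose, so the buggy
 * pointer computed below lands in memory we own rather than being UB. */
const uint8_t demo_pkt[256] = {
    [IPV6_HDR_LEN + 0] = 59, [IPV6_HDR_LEN + 1] = 0,
    [IPV6_HDR_LEN + 2] = 1,  [IPV6_HDR_LEN + 3] = 1, [IPV6_HDR_LEN + 4] = 0,
    [IPV6_HDR_LEN + 5] = IPV6_TLV_TNL_ENCAP_LIMIT,
    [IPV6_HDR_LEN + 6] = 1,  [IPV6_HDR_LEN + 7] = 3,
};

/* Walk the options of the Destination Options header at byte offset `off`,
 * with the bounds check and the parenthesised cast of the fixed kernel code.
 * Returns the byte offset of a valid encapsulation-limit option, else -1. */
long parse_tlv_enc_lim(const uint8_t *pkt, size_t len, size_t off)
{
    size_t optlen, i;

    if (off + 2 > len)
        return -1;
    optlen = ((size_t)pkt[off + 1] + 1) * 8;        /* ipv6_optlen() */
    if (off + optlen > len)
        return -1;

    i = 2;                                           /* skip nexthdr, hdrlen */
    while (i + sizeof(struct ipv6_tlv_tnl_enc_lim) <= optlen) {
        const struct ipv6_tlv_tnl_enc_lim *tel =
            (const struct ipv6_tlv_tnl_enc_lim *)(pkt + off + i);

        if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT && tel->length == 1)
            return (long)(off + i);
        i += tel->type ? (size_t)tel->length + 2 : 1;  /* Pad1 is one byte */
    }
    return -1;
}

/* Byte offset from `base` that each spelling of the cast yields, given the
 * same byte offsets `off` and `i` the kernel loop uses. */
ptrdiff_t tel_offset_buggy(const uint8_t *base, size_t off, size_t i)
{
    /* The cast binds tighter than '+': this advances by (off + i) structs. */
    const struct ipv6_tlv_tnl_enc_lim *tel =
        (const struct ipv6_tlv_tnl_enc_lim *)base + off + i;
    return (const uint8_t *)tel - base;
}

ptrdiff_t tel_offset_fixed(const uint8_t *base, size_t off, size_t i)
{
    const struct ipv6_tlv_tnl_enc_lim *tel =
        (const struct ipv6_tlv_tnl_enc_lim *)(base + off + i);
    return (const uint8_t *)tel - base;
}

/* Does a TLV at byte offset `tel_off` lie entirely inside the options
 * header [off, off + optlen)? The kernel's `i + sizeof(*tel) > optlen`
 * test guarantees this for i, not for wherever the pointer ended up. */
int tel_in_bounds(ptrdiff_t tel_off, size_t off, size_t optlen)
{
    return tel_off >= (ptrdiff_t)off &&
           (size_t)tel_off + sizeof(struct ipv6_tlv_tnl_enc_lim) <= off + optlen;
}

int main(void)
{
    long at = parse_tlv_enc_lim(demo_pkt, DEMO_PKT_LEN, IPV6_HDR_LEN);
    ptrdiff_t good = tel_offset_fixed(demo_pkt, IPV6_HDR_LEN, 5);
    ptrdiff_t bad = tel_offset_buggy(demo_pkt, IPV6_HDR_LEN, 5);

    if (at >= 0)
        printf("enc-lim option at byte %ld, limit %u\n", at, demo_pkt[at + 2]);
    printf("fixed cast -> offset %td, in bounds: %d\n", good,
           tel_in_bounds(good, IPV6_HDR_LEN, 8));
    printf("buggy cast -> offset %td, in bounds: %d\n", bad,
           tel_in_bounds(bad, IPV6_HDR_LEN, 8));
    return 0;
}
```

Running it shows the option found at byte 45 with the fixed cast, while the buggy cast points at byte 135 of a 48-byte packet, which is outside the 8-byte options header the kernel's check was meant to confine the read to.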
Ben Hutchings

Mar 10, 2017, 7:30:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit f1712c73714088a7252d276a57126d56c7d37e64 ]

Zhang Yanmin reported crashes [1] and provided a patch adding a
synchronize_rcu() call in can_rx_unregister().

The main problem seems that the sockets themselves are not RCU
protected.

If CAN uses RCU for delivery, then sockets should be freed only after
one RCU grace period.

Recent kernels could use sock_set_flag(sk, SOCK_RCU_FREE), but let's
ease stable backports with the following fix instead.

[1]
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81495e25>] selinux_socket_sock_rcv_skb+0x65/0x2a0

Call Trace:
<IRQ>
[<ffffffff81485d8c>] security_sock_rcv_skb+0x4c/0x60
[<ffffffff81d55771>] sk_filter+0x41/0x210
[<ffffffff81d12913>] sock_queue_rcv_skb+0x53/0x3a0
[<ffffffff81f0a2b3>] raw_rcv+0x2a3/0x3c0
[<ffffffff81f06eab>] can_rcv_filter+0x12b/0x370
[<ffffffff81f07af9>] can_receive+0xd9/0x120
[<ffffffff81f07beb>] can_rcv+0xab/0x100
[<ffffffff81d362ac>] __netif_receive_skb_core+0xd8c/0x11f0
[<ffffffff81d36734>] __netif_receive_skb+0x24/0xb0
[<ffffffff81d37f67>] process_backlog+0x127/0x280
[<ffffffff81d36f7b>] net_rx_action+0x33b/0x4f0
[<ffffffff810c88d4>] __do_softirq+0x184/0x440
[<ffffffff81f9e86c>] do_softirq_own_stack+0x1c/0x30
<EOI>
[<ffffffff810c76fb>] do_softirq.part.18+0x3b/0x40
[<ffffffff810c8bed>] do_softirq+0x1d/0x20
[<ffffffff81d30085>] netif_rx_ni+0xe5/0x110
[<ffffffff8199cc87>] slcan_receive_buf+0x507/0x520
[<ffffffff8167ef7c>] flush_to_ldisc+0x21c/0x230
[<ffffffff810e3baf>] process_one_work+0x24f/0x670
[<ffffffff810e44ed>] worker_thread+0x9d/0x6f0
[<ffffffff810e4450>] ? rescuer_thread+0x480/0x480
[<ffffffff810ebafc>] kthread+0x12c/0x150
[<ffffffff81f9ccef>] ret_from_fork+0x3f/0x70

Reported-by: Zhang Yanmin <yanmin...@intel.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
Acked-by: Oliver Hartkopp <sock...@hartkopp.net>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
include/linux/can/core.h | 7 +++----
net/can/af_can.c | 12 ++++++++++--
net/can/af_can.h | 3 ++-
net/can/bcm.c | 4 ++--
net/can/gw.c | 2 +-
net/can/raw.c | 4 ++--
6 files changed, 20 insertions(+), 12 deletions(-)

--- a/include/linux/can/core.h
+++ b/include/linux/can/core.h
@@ -45,10 +45,9 @@ struct can_proto {
extern int can_proto_register(const struct can_proto *cp);
extern void can_proto_unregister(const struct can_proto *cp);

-extern int can_rx_register(struct net_device *dev, canid_t can_id,
- canid_t mask,
- void (*func)(struct sk_buff *, void *),
- void *data, char *ident);
+int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
+ void (*func)(struct sk_buff *, void *),
+ void *data, char *ident, struct sock *sk);

extern void can_rx_unregister(struct net_device *dev, canid_t can_id,
canid_t mask,
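Review bot: style: the can_rx_register() prototype drops `extern` while can_rx_unregister() directly below keeps it; keep both as they were or drop both in the same patch so the header stays consistent. The new `sk` argument also needs a word here (or a pointer to the af_can.c kerneldoc) saying that NULL is allowed and that a non-NULL socket must not be freed until the receiver has been unregistered.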
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -403,6 +403,7 @@ static struct hlist_head *find_rcv_list(
* @func: callback function on filter match
* @data: returned parameter for callback function
* @ident: string for calling module indentification
+ * @sk: socket pointer (might be NULL)
*
* Description:
* Invokes the callback function with the received sk_buff and the given
@@ -426,7 +427,7 @@ static struct hlist_head *find_rcv_list(
*/
int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
void (*func)(struct sk_buff *, void *), void *data,
- char *ident)
+ char *ident, struct sock *sk)
{
struct receiver *r;
struct hlist_head *rl;
@@ -454,6 +455,7 @@ int can_rx_register(struct net_device *d
r->func = func;
r->data = data;
r->ident = ident;
+ r->sk = sk;

hlist_add_head_rcu(&r->list, rl);
d->entries++;
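Review bot: r->sk is stored without taking a reference; the hold is only taken in can_rx_unregister() below, across the RCU grace period. That contract is worth recording at this assignment: a protocol that passes sk must call can_rx_unregister() before the socket is freed (raw and bcm do so from their release paths), otherwise r->sk dangles for as long as the receiver stays registered.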
@@ -478,8 +480,11 @@ EXPORT_SYMBOL(can_rx_register);
static void can_rx_delete_receiver(struct rcu_head *rp)
{
struct receiver *r = container_of(rp, struct receiver, rcu);
+ struct sock *sk = r->sk;

kmem_cache_free(rcv_cache, r);
+ if (sk)
+ sock_put(sk);
}

/**
@@ -558,8 +563,11 @@ void can_rx_unregister(struct net_device
spin_unlock(&can_rcvlists_lock);

/* schedule the receiver item for deletion */
- if (r)
+ if (r) {
+ if (r->sk)
+ sock_hold(r->sk);
call_rcu(&r->rcu, can_rx_delete_receiver);
+ }
}
EXPORT_SYMBOL(can_rx_unregister);
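Review bot: sock_hold(r->sk) is taken after can_rcvlists_lock is dropped but before call_rcu(), which is fine: r is already unlinked and the caller still owns sk at this point, and the matching sock_put() in can_rx_delete_receiver() runs only after the grace period, so raw_rcv()/bcm_rx_handler() callbacks still in flight cannot see a freed socket. The `if (r->sk)` here and the `if (sk)` in the callback must stay paired; a short comment on either side would make that visible.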

--- a/net/can/af_can.h
+++ b/net/can/af_can.h
@@ -50,13 +50,14 @@

struct receiver {
struct hlist_node list;
- struct rcu_head rcu;
canid_t can_id;
canid_t mask;
unsigned long matches;
void (*func)(struct sk_buff *, void *);
void *data;
char *ident;
+ struct sock *sk;
+ struct rcu_head rcu;
};

enum { RX_ERR, RX_ALL, RX_FIL, RX_INV, RX_EFF, RX_MAX };
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1174,7 +1174,7 @@ static int bcm_rx_setup(struct bcm_msg_h
err = can_rx_register(dev, op->can_id,
REGMASK(op->can_id),
bcm_rx_handler, op,
- "bcm");
+ "bcm", sk);

op->rx_reg_dev = dev;
dev_put(dev);
@@ -1183,7 +1183,7 @@ static int bcm_rx_setup(struct bcm_msg_h
} else
err = can_rx_register(NULL, op->can_id,
REGMASK(op->can_id),
- bcm_rx_handler, op, "bcm");
+ bcm_rx_handler, op, "bcm", sk);
if (err) {
/* this bcm rx op is broken -> remove it */
list_del(&op->list);
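Review bot: the explicit sk argument matters more for bcm than for raw: the `data` passed to can_rx_register() here is the bcm_op, not the socket, so the core could not have derived the socket from `data` and genuinely needed the extra parameter. Both call sites in bcm_rx_setup() pass the same sk, which is right since a bcm op is only torn down through the socket it belongs to.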
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -405,7 +405,7 @@ static inline int cgw_register_filter(st
{
return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
gwj->ccgw.filter.can_mask, can_can_gw_rcv,
- gwj, "gw");
+ gwj, "gw", NULL);
}

static inline void cgw_unregister_filter(struct cgw_job *gwj)
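Review bot: passing NULL here is correct: a cgw_job is not owned by a socket, and the lifetime of the `data` its receiver callback gets (gwj) is handled by the gateway code itself, so there is nothing to hold across the grace period. Fine as is.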
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -158,7 +158,7 @@ static int raw_enable_filters(struct net
for (i = 0; i < count; i++) {
err = can_rx_register(dev, filter[i].can_id,
filter[i].can_mask,
- raw_rcv, sk, "raw");
+ raw_rcv, sk, "raw", sk);
if (err) {
/* clean up successfully registered filters */
while (--i >= 0)
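Review bot: note that the cleanup loop below this hunk (`while (--i >= 0)` unregistering the filters that did succeed) now takes a sock_hold() per receiver it unwinds, each released by can_rx_delete_receiver() after a grace period; a failing raw_enable_filters() therefore no longer lets the socket be freed before pending raw_rcv() callbacks complete. Fine.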
@@ -179,7 +179,7 @@ static int raw_enable_errfilter(struct n

if (err_mask)
err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
- raw_rcv, sk, "raw");
+ raw_rcv, sk, "raw", sk);

return err;
}

Ben Hutchings

Mar 10, 2017, 7:30:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuha...@gmail.com>

commit 1666d49e1d416fcc2cce708242a52fe3317ea8ba upstream.

This is an IPv6 version of commit 24803f38a5c0 ("igmp: do not remove igmp
souce list..."). In mld_del_delrec(), we will restore all source filter
info instead of flushing it.

Move mld_clear_delrec() from ipv6_mc_down() to ipv6_mc_destroy_dev() since
we should not remove source list info when set link down. Remove
igmp6_group_dropped() in ipv6_mc_destroy_dev() since we have called it in
ipv6_mc_down().

Also clear all source info after igmp6_group_dropped() instead of in it
because ipv6_mc_down() will call igmp6_group_dropped().

Signed-off-by: Hangbin Liu <liuha...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- Timer code moved around in ipv6_mc_down() is different
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/mcast.c | 51 ++++++++++++++++++++++++++++++---------------------
1 file changed, 30 insertions(+), 21 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -92,7 +92,7 @@ static void mld_gq_timer_expire(unsigned
static void mld_ifc_timer_expire(unsigned long data);
static void mld_ifc_event(struct inet6_dev *idev);
static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr);
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
static void mld_clear_delrec(struct inet6_dev *idev);
static int sf_setstate(struct ifmcaddr6 *pmc);
static void sf_markstate(struct ifmcaddr6 *pmc);
@@ -691,9 +691,9 @@ static void igmp6_group_dropped(struct i
dev_mc_del(dev, buf);
}

- if (mc->mca_flags & MAF_NOREPORT)
- goto done;
spin_unlock_bh(&mc->mca_lock);
+ if (mc->mca_flags & MAF_NOREPORT)
+ return;

if (!mc->idev->dead)
igmp6_leave_group(mc);
@@ -701,8 +701,6 @@ static void igmp6_group_dropped(struct i
spin_lock_bh(&mc->mca_lock);
if (del_timer(&mc->mca_timer))
atomic_dec(&mc->mca_refcnt);
-done:
- ip6_mc_clear_src(mc);
spin_unlock_bh(&mc->mca_lock);
}
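Review bot: with the done: path gone, igmp6_group_dropped() no longer clears source state at all, so every caller has to make its own decision: __ipv6_dev_mc_dec() now calls ip6_mc_clear_src() itself, ipv6_mc_down() deliberately keeps the sources so they survive a link-down, and ipv6_mc_destroy_dev() stops calling this function. Please add a sentence to the function's comment (or the changelog) stating that clearing the source lists is now the caller's job, so a future caller does not assume the old behaviour.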

@@ -747,10 +745,11 @@ static void mld_add_delrec(struct inet6_
spin_unlock_bh(&idev->mc_lock);
}

-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
{
struct ifmcaddr6 *pmc, *pmc_prev;
- struct ip6_sf_list *psf, *psf_next;
+ struct ip6_sf_list *psf;
+ struct in6_addr *pmca = &im->mca_addr;

spin_lock_bh(&idev->mc_lock);
pmc_prev = NULL;
@@ -767,14 +766,20 @@ static void mld_del_delrec(struct inet6_
}
spin_unlock_bh(&idev->mc_lock);

+ spin_lock_bh(&im->mca_lock);
if (pmc) {
- for (psf=pmc->mca_tomb; psf; psf=psf_next) {
- psf_next = psf->sf_next;
- kfree(psf);
+ im->idev = pmc->idev;
+ im->mca_crcount = idev->mc_qrv;
+ im->mca_sfmode = pmc->mca_sfmode;
+ if (pmc->mca_sfmode == MCAST_INCLUDE) {
+ im->mca_tomb = pmc->mca_tomb;
+ im->mca_sources = pmc->mca_sources;
+ for (psf = im->mca_sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = im->mca_crcount;
}
in6_dev_put(pmc->idev);
- kfree(pmc);
}
+ spin_unlock_bh(&im->mca_lock);
}

static void mld_clear_delrec(struct inet6_dev *idev)
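Review bot: `kfree(pmc)` is removed, but pmc has been unlinked from the tomb list by the pmc_prev loop above and its mca_tomb/mca_sources pointers are now owned by im, so nothing frees the struct ifmcaddr6 itself and every delrec entry that gets restored leaks. Keep the in6_dev_put(pmc->idev) and add kfree(pmc) back after it. Also, `im->idev = pmc->idev` overwrites a pointer im already holds a reference to without touching the refcounts; that only comes out even because both refer to the same inet6_dev the entry was looked up in, which deserves a comment.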
@@ -877,7 +882,7 @@ int ipv6_dev_mc_inc(struct net_device *d
idev->mc_list = mc;
write_unlock_bh(&idev->lock);

- mld_del_delrec(idev, &mc->mca_addr);
+ mld_del_delrec(idev, mc);
igmp6_group_added(mc);
ma_put(mc);
return 0;
@@ -898,6 +903,7 @@ int __ipv6_dev_mc_dec(struct inet6_dev *
write_unlock_bh(&idev->lock);

igmp6_group_dropped(ma);
+ ip6_mc_clear_src(ma);

ma_put(ma);
return 0;
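Review bot: ip6_mc_clear_src(ma) now runs without ma->mca_lock, which igmp6_group_dropped() used to hold around it on the done: path. That is acceptable only because ma has already been unlinked from idev->mc_list under idev->lock just above, so no other path can reach it any more; a one-line comment saying so would stop a later reader from treating this as an unlocked access.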
@@ -2231,18 +2237,20 @@ void ipv6_mc_down(struct inet6_dev *idev
/* Withdraw multicast list */

read_lock_bh(&idev->lock);
+
+ for (i = idev->mc_list; i; i=i->next)
+ igmp6_group_dropped(i);
+
+ /* Should stop timer after group drop. or we will
+ * start timer again in mld_ifc_event()
+ */
idev->mc_ifc_count = 0;
if (del_timer(&idev->mc_ifc_timer))
__in6_dev_put(idev);
idev->mc_gq_running = 0;
if (del_timer(&idev->mc_gq_timer))
__in6_dev_put(idev);
-
- for (i = idev->mc_list; i; i=i->next)
- igmp6_group_dropped(i);
read_unlock_bh(&idev->lock);
-
- mld_clear_delrec(idev);
}
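Review bot: with mld_clear_delrec() removed from here, tomb entries and their source lists now persist across a link-down and are released only by ipv6_mc_destroy_dev() or consumed by mld_del_delrec(); that is bounded by the number of groups joined, so fine, but say so in the changelog. The new comment explaining why the group-dropped loop must precede the timer teardown is good; keep it.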


@@ -2255,8 +2263,10 @@ void ipv6_mc_up(struct inet6_dev *idev)
/* Install multicast list, except for all-nodes (already installed) */

read_lock_bh(&idev->lock);
- for (i = idev->mc_list; i; i=i->next)
+ for (i = idev->mc_list; i; i = i->next) {
+ mld_del_delrec(idev, i);
igmp6_group_added(i);
+ }
read_unlock_bh(&idev->lock);
}
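Review bot: mld_del_delrec() is now called here with idev->lock read-held, and it takes idev->mc_lock and then im->mca_lock, whereas ipv6_dev_mc_inc() calls it only after write_unlock_bh(&idev->lock). Check that no path takes idev->lock while holding mc_lock or mca_lock, or this introduces a lock-ordering inversion; if the nesting is already established elsewhere, a comment on it here would help.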

@@ -2289,6 +2299,7 @@ void ipv6_mc_destroy_dev(struct inet6_de

/* Deactivate timers */
ipv6_mc_down(idev);
+ mld_clear_delrec(idev);

/* Delete all-nodes address. */
/* We cannot call ipv6_dev_mc_dec() directly, our caller in
@@ -2303,11 +2314,9 @@ void ipv6_mc_destroy_dev(struct inet6_de
write_lock_bh(&idev->lock);
while ((i = idev->mc_list) != NULL) {
idev->mc_list = i->next;
- write_unlock_bh(&idev->lock);

- igmp6_group_dropped(i);
+ write_unlock_bh(&idev->lock);
ma_put(i);
-
write_lock_bh(&idev->lock);
}
write_unlock_bh(&idev->lock);
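Review bot: likely leak of the live groups' source lists. This loop used to call igmp6_group_dropped(i), which before this patch cleared mca_sources/mca_tomb on its done: path, and the ipv6_mc_down() call above now drops groups without clearing sources. Unless ma_put() also frees those lists, they are never released here; add ip6_mc_clear_src(i) before ma_put(i), mirroring what __ipv6_dev_mc_dec() does earlier in this same patch.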

Ben Hutchings

Mar 10, 2017, 7:30:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit fe0f3168169f7c34c29b0cf0c489f126a7f29643 upstream.

Make sure to drop any reference taken by bus_find_device() in the sysfs
callbacks that are used to create and destroy devices based on
device-tree entries.

Fixes: 6bccf755ff53 ("[POWERPC] ibmebus: dynamic addition/removal of adapters, some code cleanup")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/powerpc/kernel/ibmebus.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -261,6 +261,7 @@ static ssize_t ibmebus_store_probe(struc
const char *buf, size_t count)
{
struct device_node *dn = NULL;
+ struct device *dev;
char *path;
ssize_t rc = 0;

@@ -268,8 +269,10 @@ static ssize_t ibmebus_store_probe(struc
if (!path)
return -ENOMEM;

- if (bus_find_device(&ibmebus_bus_type, NULL, path,
- ibmebus_match_path)) {
+ dev = bus_find_device(&ibmebus_bus_type, NULL, path,
+ ibmebus_match_path);
+ if (dev) {
+ put_device(dev);
printk(KERN_WARNING "%s: %s has already been probed\n",
__func__, path);
rc = -EEXIST;
@@ -305,6 +308,7 @@ static ssize_t ibmebus_store_remove(stru
if ((dev = bus_find_device(&ibmebus_bus_type, NULL, path,
ibmebus_match_path))) {
of_device_unregister(to_platform_device(dev));
+ put_device(dev);

kfree(path);
return count;
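Review bot: put_device(dev) after of_device_unregister() is the right order: the reference from bus_find_device() keeps dev alive across the unregister call, and dropping it afterwards lets the last reference go. The probe-path hunk above drops its reference immediately, which is equally correct since only existence is being tested there.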

Ben Hutchings

Mar 10, 2017, 7:30:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ondrej Kozina <oko...@redhat.com>

commit 265e9098bac02bc5e36cda21fdbad34cb5b2f48d upstream.

In crypt_set_key(), if a failure occurs while replacing the old key
(e.g. tfm->setkey() fails) the key must not have DM_CRYPT_KEY_VALID flag
set. Otherwise, the crypto layer would have an invalid key that still
has DM_CRYPT_KEY_VALID flag set.

Signed-off-by: Ondrej Kozina <oko...@redhat.com>
Reviewed-by: Mikulas Patocka <mpat...@redhat.com>
Signed-off-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/md/dm-crypt.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1322,12 +1322,15 @@ static int crypt_set_key(struct crypt_co
if (!cc->key_size && strcmp(key, "-"))
goto out;

+ /* clear the flag since following operations may invalidate previously valid key */
+ clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
+
if (cc->key_size && crypt_decode_key(cc->key, key, cc->key_size) < 0)
goto out;

- set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
-
r = crypt_setkey_allcpus(cc);
+ if (!r)
+ set_bit(DM_CRYPT_KEY_VALID, &cc->flags);

out:
/* Hex key string not needed after here, so wipe it. */
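Review bot: the ordering is now fail-closed: DM_CRYPT_KEY_VALID is cleared before either crypt_decode_key() or crypt_setkey_allcpus() can touch cc->key, so a failure in either leaves the flag clear instead of advertising a half-replaced key, and the early `goto out` checks above the clear still leave a previously loaded key marked valid, which is correct since they reject the message before modifying anything. Style: the new comment runs past 80 columns; wrap it.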

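The ordering rule this patch establishes (clear the valid flag before touching the key, set it again only once the replacement succeeded) is worth seeing against the old ordering. The block below is an added example, not dm-crypt code: fake_setkey() stands in for the crypto API's setkey and rejects anything that is not a 16-byte key, map_io() stands in for the I/O path's check of the flag, and the two key strings are constructed for the demo.

```c
/* Added example (not dm-crypt code): a userland model of the key-replacement
 * ordering the patch above changes. fake_setkey() stands in for the crypto
 * API's setkey and rejects any key that is not exactly 16 bytes. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#ifndef ENOKEY
#define ENOKEY 126                 /* Linux value; defined here for portability */
#endif

#define DM_CRYPT_KEY_VALID 1u
#define KEY_LEN 16

struct crypt_ctx {
    unsigned long flags;
    uint8_t key[KEY_LEN];
};

/* Stand-in for tfm->setkey(): only a 16-byte key is accepted. */
static int fake_setkey(struct crypt_ctx *cc, const uint8_t *key, size_t len)
{
    if (len != KEY_LEN)
        return -EINVAL;
    memcpy(cc->key, key, len);
    return 0;
}

/* Pre-fix order: flag set before setkey and never cleared on failure. */
int set_key_old(struct crypt_ctx *cc, const uint8_t *key, size_t len)
{
    cc->flags |= DM_CRYPT_KEY_VALID;
    return fake_setkey(cc, key, len);
}

/* Fixed order: clear first, attempt the replacement, set only on success. */
int set_key_fixed(struct crypt_ctx *cc, const uint8_t *key, size_t len)
{
    int r;

    cc->flags &= ~DM_CRYPT_KEY_VALID;
    r = fake_setkey(cc, key, len);
    if (!r)
        cc->flags |= DM_CRYPT_KEY_VALID;
    return r;
}

/* Stand-in for the I/O path: refuse to map a request unless the key is valid. */
int map_io(const struct crypt_ctx *cc)
{
    return (cc->flags & DM_CRYPT_KEY_VALID) ? 0 : -ENOKEY;
}

/* Load a good key, then try to replace it with a bad one, and report whether
 * the I/O path would still proceed afterwards: 1 = yes, 0 = refused. */
int io_allowed_after_bad_rekey(int (*set_key)(struct crypt_ctx *,
                                              const uint8_t *, size_t))
{
    struct crypt_ctx cc = { 0 };
    const uint8_t *good = (const uint8_t *)"0123456789abcdef";  /* constructed */
    const uint8_t *bad = (const uint8_t *)"short";              /* constructed */

    if (set_key(&cc, good, KEY_LEN) != 0)
        return -1;
    (void)set_key(&cc, bad, 5);              /* rejected inside fake_setkey */
    return map_io(&cc) == 0;
}
```

With the old ordering the rejected re-key leaves the flag set and I/O keeps flowing on whatever cc->key holds; with the fixed ordering map_io() refuses with -ENOKEY until a valid key is loaded again.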
Ben Hutchings

Mar 10, 2017, 7:30:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 6496ebd7edf446fccf8266a1a70ffcb64252593e upstream.

On some systems, the firmware does not allow certain PCI devices to be put
in deep D-states. This can cause problems for wakeup signalling, if the
device does not support PME# in the deepest allowed suspend state. For
example, Pierre reports that on his system, ACPI does not permit his xHCI
host controller to go into D3 during runtime suspend -- but D3 is the only
state in which the controller can generate PME# signals. As a result, the
controller goes into runtime suspend but never wakes up, so it doesn't work
properly. USB devices plugged into the controller are never detected.

If the device relies on PME# for wakeup signals but is not capable of
generating PME# in the target state, the PCI core should accurately report
that it cannot do wakeup from runtime suspend. This patch modifies the
pci_dev_run_wake() routine to add this check.

Reported-by: Pierre de Villemereuil <fl...@mailoo.org>
Tested-by: Pierre de Villemereuil <fl...@mailoo.org>
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Bjorn Helgaas <bhel...@google.com>
Acked-by: Rafael J. Wysocki <rafael.j...@intel.com>
CC: Lukas Wunner <lu...@wunner.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/pci/pci.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1763,6 +1763,10 @@ bool pci_dev_run_wake(struct pci_dev *de
if (!dev->pme_support)
return false;

+ /* PME-capable in principle, but not from the intended sleep state */
+ if (!pci_pme_capable(dev, pci_target_state(dev)))
+ return false;
+
while (bus->parent) {
struct pci_dev *bridge = bus->self;

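Review bot: the new check asks pci_pme_capable() about pci_target_state(dev), so whether pci_dev_run_wake() answers yes now depends on everything pci_target_state() folds into its result (platform choice and wakeup settings that are conventionally about system sleep rather than runtime suspend). Confirm that the state it returns is the one the device is actually put into for runtime suspend, and say so in the comment, which at the moment only says "the intended sleep state". It is also worth confirming that every value pci_target_state() can return is a valid bit index for pci_pme_capable(), since the check runs before the bridge walk that follows.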
Ben Hutchings
Mar 10, 2017, 7:30:13 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 6774d5f53271d5f60464f824748995b71da401ab upstream.

Kill urbs and disable read before returning from open on failure to
retrieve the line state.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: replaced code was using dbg()]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/kl5kusb105.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -338,7 +338,7 @@ static int klsi_105_open(struct tty_str
rc = usb_serial_generic_open(tty, port);
if (rc) {
retval = rc;
- goto exit;
+ goto err_free_cfg;
}

rc = usb_control_msg(port->serial->dev,
@@ -357,17 +357,32 @@ static int klsi_105_open(struct tty_str
dbg("%s - enabled reading", __func__);

rc = klsi_105_get_line_state(port, &line_state);
- if (rc >= 0) {
- spin_lock_irqsave(&priv->lock, flags);
- priv->line_state = line_state;
- spin_unlock_irqrestore(&priv->lock, flags);
- dbg("%s - read line state 0x%lx", __func__, line_state);
- retval = 0;
- } else
+ if (rc < 0) {
retval = rc;
+ goto err_disable_read;
+ }
+
+ spin_lock_irqsave(&priv->lock, flags);
+ priv->line_state = line_state;
+ spin_unlock_irqrestore(&priv->lock, flags);
+ dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__,
+ line_state);
+
+ return 0;

-exit:
+err_disable_read:
+ usb_control_msg(port->serial->dev,
+ usb_sndctrlpipe(port->serial->dev, 0),
+ KL5KUSB105A_SIO_CONFIGURE,
+ USB_TYPE_VENDOR | USB_DIR_OUT,
+ KL5KUSB105A_SIO_CONFIGURE_READ_OFF,
+ 0, /* index */
+ NULL, 0,
+ KLSI_TIMEOUT);
+ usb_serial_generic_close(port);
+err_free_cfg:
kfree(cfg);
+
return retval;
}
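Review bot: the new debug line uses dev_dbg() while the retained line just above it, `dbg("%s - enabled reading", __func__);`, still uses dbg(); the backport note says the replaced code used dbg(), so either convert both or keep dbg() for consistency within this 3.2 function. On the err_disable_read path the return value of usb_control_msg() is dropped silently; that is acceptable for an unwind path, but a dev_err() on failure would help diagnose a device left with reading enabled after a failed open.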

Ben Hutchings
Mar 10, 2017, 7:40:04 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuha...@gmail.com>

commit 9c8bb163ae784be4f79ae504e78c862806087c54 upstream.

In function igmpv3/mld_add_delrec() we allocate pmc and put it in
idev->mc_tomb, so we should free it when we don't need it in del_delrec().
But I removed kfree(pmc) incorrectly in latest two patches. Now fix it.

Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when ...")
Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when ...")
Reported-by: Daniel Borkmann <dan...@iogearbox.net>
Signed-off-by: Hangbin Liu <liuha...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv4/igmp.c | 1 +
net/ipv6/mcast.c | 1 +
2 files changed, 2 insertions(+)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1118,6 +1118,7 @@ static void igmpv3_del_delrec(struct in_
psf->sf_crcount = im->crcount;
}
in_dev_put(pmc->interface);
+ kfree(pmc);
}
spin_unlock_bh(&im->lock);
}
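Review bot: kfree(pmc) is only safe if pmc has already been unlinked from idev->mc_tomb before this point; the hunk shows just the tail of the loop body, so confirm the list removal happens earlier in igmpv3_del_delrec() (the commit message says only the free was lost in 24803f38a5c0, which implies the unlink survived). The same question applies to the mld_del_delrec() hunk below.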
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -778,6 +778,7 @@ static void mld_del_delrec(struct inet6_
psf->sf_crcount = im->mca_crcount;
}
in6_dev_put(pmc->idev);
+ kfree(pmc);
}
spin_unlock_bh(&im->mca_lock);
}

Ben Hutchings
Mar 10, 2017, 7:40:04 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <cha...@linux.vnet.ibm.com>

commit 69e43e8cc971a79dd1ee5d4343d8e63f82725123 upstream.

'border' variable is set to a value of 2 times the block size of the
underlying filesystem. With 64k block size, the resulting value won't
fit into a 16-bit variable. Hence this commit changes the data type of
'border' to 'unsigned int'.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <cha...@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Reviewed-by: Andreas Dilger <adi...@dilger.ca>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/mballoc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -652,7 +652,7 @@ static void ext4_mb_mark_free_simple(str
ext4_grpblk_t min;
ext4_grpblk_t max;
ext4_grpblk_t chunk;
- unsigned short border;
+ unsigned int border;

BUG_ON(len > EXT4_CLUSTERS_PER_GROUP(sb));

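Review bot: `unsigned int` fixes the truncation, but the neighbouring variables (min, max, chunk) are all ext4_grpblk_t, so if border is combined with them later in the function, declaring it as ext4_grpblk_t would keep the arithmetic in one type and avoid signed/unsigned mixing. Either way the change is correct for 64k blocks: two block sizes is 131072, which does not fit in 16 bits.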
Ben Hutchings
Mar 10, 2017, 7:40:04 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

This reverts commit bc48f6f5a8c6d628a1af649306eaf906493bb986, which was
commit 9dbe6cf941a6fe82933aef565e4095fb10f65023 upstream. It depends on
several other large commits to work, and without them causes a regression.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1408333
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Cc: Eric Wheeler <k...@lists.ewheeler.net>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -843,8 +843,7 @@ static u32 msrs_to_save[] = {
#ifdef CONFIG_X86_64
MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
#endif
- MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
- MSR_TSC_AUX,
+ MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
};

static unsigned num_msrs_to_save;
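Review bot: the revert drops the trailing comma after MSR_VM_HSAVE_PA, so the next addition to msrs_to_save will again have to touch two lines. Restoring the original text verbatim is understandable for a revert, but keeping `MSR_VM_HSAVE_PA,` is harmless and friendlier to future diffs.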
@@ -3882,20 +3881,6 @@ static void kvm_init_msr_list(void)
for (i = j = KVM_SAVE_MSRS_BEGIN; i < ARRAY_SIZE(msrs_to_save); i++) {
if (rdmsr_safe(msrs_to_save[i], &dummy[0], &dummy[1]) < 0)
continue;
-
- /*
- * Even MSRs that are valid in the host may not be exposed
- * to the guests in some cases.
- */
- switch (msrs_to_save[i]) {
- case MSR_TSC_AUX:
- if (!kvm_x86_ops->rdtscp_supported())
- continue;
- break;
- default:
- break;
- }
-
if (j < i)
msrs_to_save[j] = msrs_to_save[i];
j++;

Ben Hutchings
Mar 10, 2017, 7:40:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit d3d83ee20afda16ad0133ba00f63c11a8d842a35 upstream.

A recent cleanup had the right idea to remove the initialization
of the error variable, but missed the actual benefit of that,
which is that we get warnings if there is a bug in it. Now
we get a warning about a bug that was introduced by this cleanup:

drivers/media/platform/davinci/vpfe_capture.c: In function 'vpfe_probe':
drivers/media/platform/davinci/vpfe_capture.c:1992:9: error: 'ret' may be used uninitialized in this function [-Werror=maybe-uninitialized]

This adds the missing initialization that the warning is about,
and another one that was preexisting and that we did not get
a warning for. That second bug has existed since the driver
was first added.

Fixes: efb74461f5a6 ("[media] DaVinci-VPFE-Capture: Delete an unnecessary variable initialisation in vpfe_probe()")
Fixes: 7da8a6cb3e5b ("V4L/DVB (12248): v4l: vpfe capture bridge driver for DM355 and DM6446")

[mch...@s-opensource.com: fix a merge conflict]
Signed-off-by: Arnd Bergmann <ar...@arndb.de>

Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/media/video/davinci/vpfe_capture.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/media/video/davinci/vpfe_capture.c
+++ b/drivers/media/video/davinci/vpfe_capture.c
@@ -2002,6 +2002,7 @@ static __init int vpfe_probe(struct plat
v4l2_info(&vpfe_dev->v4l2_dev,
"v4l2 sub device %s register fails\n",
sdinfo->name);
+ ret = -ENXIO;
goto probe_sd_out;
}
}
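Review bot: the upstream message says it adds the missing initialization "and another one that was preexisting", but this backport's diffstat is a single insertion (`ret = -ENXIO;`) and the [bwh:] note only mentions the filename change. State in the backport note whether the second initialization was already present in 3.2 or was deliberately left out, so the discrepancy does not read as a lost hunk.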

Ben Hutchings
Mar 10, 2017, 7:40:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit c95a9f83711bf53faeb4ed9bbb63a3f065613dfb upstream.

We normally use the passed in gfp flags for allocations, it's just these
two which were missed.

Fixes: 22d45f01a836 ("usb/xhci: replace pci_*_consistent() with dma_*_coherent()")
Cc: Mathias Nyman <mathia...@intel.com>
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Acked-by: Sebastian Andrzej Siewior <big...@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/host/xhci-mem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2234,7 +2234,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
* "physically contiguous and 64-byte (cache line) aligned".
*/
xhci->dcbaa = dma_alloc_coherent(dev, sizeof(*xhci->dcbaa), &dma,
- GFP_KERNEL);
+ flags);
if (!xhci->dcbaa)
goto fail;
memset(xhci->dcbaa, 0, sizeof *(xhci->dcbaa));
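Review bot: `flags` has to be the gfp_t parameter of xhci_mem_init(); the hunk header cuts the signature off after `struct xhci_hcd *xhci,`, so confirm the 3.2 prototype names it `flags` as upstream does. With GFP_KERNEL replaced by the caller's mask, the memset() that follows is unchanged, but callers passing GFP_ATOMIC now get an atomic coherent allocation, which is the point of the fix and worth a short comment at the first of the two call sites.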
@@ -2315,7 +2315,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,

xhci->erst.entries = dma_alloc_coherent(dev,
sizeof(struct xhci_erst_entry) * ERST_NUM_SEGS, &dma,
- GFP_KERNEL);
+ flags);
if (!xhci->erst.entries)
goto fail;
xhci_dbg(xhci, "// Allocated event ring segment table at 0x%llx\n",

Ben Hutchings
Mar 10, 2017, 7:40:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <her...@gondor.apana.org.au>

commit 2eb783c43e7cf807a45899c10ed556b6dc116625 upstream.

We set the flag TUN_PKT_STRIP if the user buffer provided is too
small to contain the entire packet plus meta-data. However, this
has been broken ever since we added GSO meta-data. VLAN acceleration
also has the same problem.

This patch fixes this by taking both into account when setting the
TUN_PKT_STRIP flag.

The fact that this has been broken for six years without anyone
realising means that nobody actually uses this flag.

Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- No VLAN acceleration support
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/tun.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -767,12 +767,16 @@ static ssize_t tun_put_user(struct tun_s
{
struct tun_pi pi = { 0, skb->protocol };
ssize_t total = 0;
+ int vnet_hdr_sz = 0;
+
+ if (tun->flags & TUN_VNET_HDR)
+ vnet_hdr_sz = tun->vnet_hdr_sz;

if (!(tun->flags & TUN_NO_PI)) {
if ((len -= sizeof(pi)) < 0)
return -EINVAL;

- if (len < skb->len) {
+ if (len < skb->len + vnet_hdr_sz) {
/* Packet will be striped */
pi.flags |= TUN_PKT_STRIP;
}
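Review bot: pre-existing typo in the comment right next to the changed line, `/* Packet will be striped */`, which should read "stripped"; since the line is already in the touched context, fixing it here costs nothing. The arithmetic itself is right: `len` has already had sizeof(pi) subtracted, and the new comparison accounts for the virtio header that is written before the payload.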
@@ -782,9 +786,9 @@ static ssize_t tun_put_user(struct tun_s
total += sizeof(pi);
}

- if (tun->flags & TUN_VNET_HDR) {
+ if (vnet_hdr_sz) {
struct virtio_net_hdr gso = { 0 }; /* no info leak */
- if ((len -= tun->vnet_hdr_sz) < 0)
+ if ((len -= vnet_hdr_sz) < 0)
return -EINVAL;

if (skb_is_gso(skb)) {
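Review bot: `if (vnet_hdr_sz)` replaces `if (tun->flags & TUN_VNET_HDR)`, which silently assumes tun->vnet_hdr_sz is never 0 while the flag is set. If an ioctl can leave the size at 0 with the flag on, this hunk skips writing the virtio header where the old code wrote (and accounted for) it. Either guarantee the invariant in the setter, or keep the flag test here and use vnet_hdr_sz only for the length arithmetic.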
@@ -827,7 +831,7 @@ static ssize_t tun_put_user(struct tun_s
if (unlikely(memcpy_toiovecend(iv, (void *)&gso, total,
sizeof(gso))))
return -EFAULT;
- total += tun->vnet_hdr_sz;
+ total += vnet_hdr_sz;
}

len = min_t(int, skb->len, len);

Ben Hutchings
Mar 10, 2017, 7:40:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit af15769ffab13d777e55fdef09d0762bf0c249c4 upstream.

gcc-7 notices that the condition in mvs_94xx_command_active looks
suspicious:

drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active':
drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]

This was introduced when the mv_printk() statement got added, and leads
to the condition being ignored. This is probably harmless.

Changing '&&' to '&' makes the code look reasonable, as we check the
command bit before setting and printing it.

Fixes: a4632aae8b66 ("[SCSI] mvsas: Add new macros and functions")
Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Reviewed-by: Johannes Thumshirn <jthum...@suse.de>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/scsi/mvsas/mv_94xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/mvsas/mv_94xx.c
+++ b/drivers/scsi/mvsas/mv_94xx.c
@@ -622,7 +622,7 @@ static void mvs_94xx_command_active(stru
{
u32 tmp;
tmp = mvs_cr32(mvi, MVS_COMMAND_ACTIVE+(slot_idx >> 3));
- if (tmp && 1 << (slot_idx % 32)) {
+ if (tmp & 1 << (slot_idx % 32)) {
mv_printk("command active %08X, slot [%x].\n", tmp, slot_idx);
mvs_cw32(mvi, MVS_COMMAND_ACTIVE + (slot_idx >> 3),
1 << (slot_idx % 32));
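Review bot: `tmp & 1 << (slot_idx % 32)` parses as intended because `<<` binds tighter than `&`, but it trips -Wparentheses readers and the same mask is spelled out again two lines below for mvs_cw32(); writing `tmp & (1 << (slot_idx % 32))` makes the bit test obvious and visibly matches the value written back.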

Ben Hutchings
Mar 10, 2017, 7:50:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 99e5cde5eae78bef95bfe7c16ccda87fb070149b upstream.

Make sure to drop any device reference taken by vio_find_node() when
adding and removing virtual I/O slots.

Fixes: 5eeb8c63a38f ("[PATCH] PCI Hotplug: rpaphp: Move VIO registration")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/pci/hotplug/rpadlpar_core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/pci/hotplug/rpadlpar_core.c
+++ b/drivers/pci/hotplug/rpadlpar_core.c
@@ -259,8 +259,13 @@ static int dlpar_add_phb(char *drc_name,

static int dlpar_add_vio_slot(char *drc_name, struct device_node *dn)
{
- if (vio_find_node(dn))
+ struct vio_dev *vio_dev;
+
+ vio_dev = vio_find_node(dn);
+ if (vio_dev) {
+ put_device(&vio_dev->dev);
return -EINVAL;
+ }

if (!vio_register_device_node(dn)) {
printk(KERN_ERR
@@ -336,6 +341,9 @@ static int dlpar_remove_vio_slot(char *d
return -EINVAL;

vio_unregister_device(vio_dev);
+
+ put_device(&vio_dev->dev);
+
return 0;
}
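Review bot: the put_device() added here balances the reference taken by vio_find_node() earlier in dlpar_remove_vio_slot(), but that call sits outside the hunk; a comment such as `/* drop the reference taken by vio_find_node() */` would make the pairing visible, in the same way the first hunk's error path makes it obvious by dropping the reference right after the lookup.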

Ben Hutchings
Mar 10, 2017, 7:50:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit 8b74d439e1697110c5e5c600643e823eb1dd0762 upstream.

It seems nobody used LLC since linux-3.12.

Fortunately fuzzers like syzkaller still know how to run this code,
otherwise it would be no fun.

Setting skb->sk without skb->destructor leads to all kinds of
bugs, we now prefer to be very strict about it.

Ideally here we would use skb_set_owner() but this helper does not exist yet,
only CAN seems to have a private helper for that.

Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/llc/llc_conn.c | 3 +++
net/llc/llc_sap.c | 3 +++
2 files changed, 6 insertions(+)

--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa
* another trick required to cope with how the PROCOM state
* machine works. -acme
*/
+ skb_orphan(skb);
+ sock_hold(sk);
skb->sk = sk;
+ skb->destructor = sock_efree;
}
if (!sock_owned_by_user(sk))
llc_conn_rcv(sk, skb);
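Review bot: sock_efree() is used as the destructor but nothing in this patch defines it, and it postdates 3.2 upstream; confirm it is introduced earlier in this 3.2.87 series (or add it), otherwise net/llc will not link. The ordering within the hunk is right: skb_orphan() first, then sock_hold() before skb->sk is assigned and the destructor that releases that reference is installed.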
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -294,7 +294,10 @@ static void llc_sap_rcv(struct llc_sap *

ev->type = LLC_SAP_EV_TYPE_PDU;
ev->reason = 0;
+ skb_orphan(skb);
+ sock_hold(sk);
skb->sk = sk;
+ skb->destructor = sock_efree;
llc_sap_state_process(sap, skb);
}

Guenter Roeck
Mar 10, 2017, 7:50:05 AM
On 03/10/2017 03:46 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.2.87 release.
> There are 199 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
> Anything received after that time might be too late.
>

Build results:
total: 89 pass: 89 fail: 0
Qemu test results:
total: 69 pass: 69 fail: 0

Details are available at http://kerneltests.org/builders/

Guenter

Ben Hutchings
Mar 10, 2017, 7:50:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eva Rachel Retuya <erar...@gmail.com>

commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream.

The oversampling ratio is controlled using the oversampling pins,
OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
bit.

The gpio connected to the OS2 pin is not being set correctly, only OS0
and OS1 pins are being set. Fix the typo to allow proper control of the
oversampling pins.

Signed-off-by: Eva Rachel Retuya <erar...@gmail.com>
Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
Acked-by: Lars-Peter Clausen <la...@metafoo.de>
Signed-off-by: Jonathan Cameron <ji...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/staging/iio/adc/ad7606_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/adc/ad7606_core.c
+++ b/drivers/staging/iio/adc/ad7606_core.c
@@ -185,7 +185,7 @@ static ssize_t ad7606_store_oversampling
mutex_lock(&indio_dev->mlock);
gpio_set_value(st->pdata->gpio_os0, (ret >> 0) & 1);
gpio_set_value(st->pdata->gpio_os1, (ret >> 1) & 1);
- gpio_set_value(st->pdata->gpio_os1, (ret >> 2) & 1);
+ gpio_set_value(st->pdata->gpio_os2, (ret >> 2) & 1);
st->oversampling = lval;
mutex_unlock(&indio_dev->mlock);

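Review bot: the corrected line drives a GPIO this path never touched before, so check that gpio_os2 is requested and validated at probe the same way gpio_os0 and gpio_os1 are; an unconfigured gpio number here would now be handed to gpio_set_value(). It is also worth noting in the message that boards which worked so far were relying on the OS2 pin's hardware default, so their effective oversampling ratio may change after this fix.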
Ben Hutchings
Mar 10, 2017, 7:50:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <ty...@mit.edu>

commit 5aee0f8a3f42c94c5012f1673420aee96315925a upstream.

Fix a large number of problems with how we handle mount options in the
superblock. For one, if the string in the superblock is long enough
that it is not null terminated, we could run off the end of the string
and try to interpret superblocks fields as characters. It's unlikely
this will cause a security problem, but it could result in an invalid
parse. Also, parse_options is destructive to the string, so in some
cases if there is a comma-separated string, it would be modified in
the superblock. (Fortunately it only happens on file systems with a
1k block size.)

Signed-off-by: Theodore Ts'o <ty...@mit.edu>
[bwh: Backported to 3.2: adjust context, indentation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/super.c | 38 +++++++++++++++++++++++---------------
1 file changed, 23 insertions(+), 15 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3240,7 +3240,7 @@ static int ext4_fill_super(struct super_
char *orig_data = kstrdup(data, GFP_KERNEL);
struct buffer_head *bh;
struct ext4_super_block *es = NULL;
- struct ext4_sb_info *sbi;
+ struct ext4_sb_info *sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
ext4_fsblk_t block;
ext4_fsblk_t sb_block = get_sb_block(&data);
ext4_fsblk_t logical_sb_block;
@@ -3260,16 +3260,14 @@ static int ext4_fill_super(struct super_
unsigned int journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
ext4_group_t first_not_zeroed;

- sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
- if (!sbi)
- goto out_free_orig;
+ if ((data && !orig_data) || !sbi)
+ goto out_free_base;

sbi->s_blockgroup_lock =
kzalloc(sizeof(struct blockgroup_lock), GFP_KERNEL);
- if (!sbi->s_blockgroup_lock) {
- kfree(sbi);
- goto out_free_orig;
- }
+ if (!sbi->s_blockgroup_lock)
+ goto out_free_base;
+
sb->s_fs_info = sbi;
sbi->s_mount_opt = 0;
sbi->s_resuid = EXT4_DEF_RESUID;
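Review bot: the early `goto out_free_base` paths return `ret`, whose initial value is not visible in this hunk; confirm it is -ENOMEM at that point, since a kstrdup() or kzalloc() failure should not surface as whatever error the variable was last assigned. Also note that `data && !orig_data` makes a failed kstrdup() of the mount options fatal where the old code carried on; that is a sensible tightening but deserves a sentence in the message.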
@@ -3378,11 +3376,19 @@ static int ext4_fill_super(struct super_
*/
sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT;

- if (!parse_options((char *) sbi->s_es->s_mount_opts, sb,
- &journal_devnum, &journal_ioprio, NULL, 0)) {
- ext4_msg(sb, KERN_WARNING,
- "failed to parse options in superblock: %s",
- sbi->s_es->s_mount_opts);
+ if (sbi->s_es->s_mount_opts[0]) {
+ char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+ sizeof(sbi->s_es->s_mount_opts),
+ GFP_KERNEL);
+ if (!s_mount_opts)
+ goto failed_mount;
+ if (!parse_options(s_mount_opts, sb, &journal_devnum,
+ &journal_ioprio, NULL, 0)) {
+ ext4_msg(sb, KERN_WARNING,
+ "failed to parse options in superblock: %s",
+ s_mount_opts);
+ }
+ kfree(s_mount_opts);
}
if (!parse_options((char *) data, sb, &journal_devnum,
&journal_ioprio, NULL, 0))
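Review bot: the warning prints s_mount_opts after parse_options() has mutated the copy, so the message may show only the first token rather than the full superblock string. Printing the superblock field with `%.*s` and `sizeof(sbi->s_es->s_mount_opts)`, as the later hunk does for the "mounted filesystem" message, would show the actual stored value while keeping the copy for the destructive parse.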
@@ -3978,7 +3984,9 @@ no_journal:
descr = "out journal";

ext4_msg(sb, KERN_INFO, "mounted filesystem with%s. "
- "Opts: %s%s%s", descr, sbi->s_es->s_mount_opts,
+ "Opts: %.*s%s%s", descr,
+ (int) sizeof(sbi->s_es->s_mount_opts),
+ sbi->s_es->s_mount_opts,
*sbi->s_es->s_mount_opts ? "; " : "", orig_data);

if (es->s_error_count)
@@ -4036,8 +4044,8 @@ failed_mount:
out_fail:
sb->s_fs_info = NULL;
kfree(sbi->s_blockgroup_lock);
+out_free_base:
kfree(sbi);
-out_free_orig:
kfree(orig_data);
return ret;
}

Ben Hutchings
Mar 10, 2017, 7:50:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <ac...@redhat.com>

commit cf346d5bd4b9d61656df2f72565c9b354ef3ca0d upstream.

Both register_perl_scripting() and register_python_scripting() allocate
this variable, fix it by checking if it already was.

Cc: Adrian Hunter <adrian...@intel.com>
Cc: David Ahern <dsa...@gmail.com>
Cc: Frederic Weisbecker <fwei...@gmail.com>
Cc: Jiri Olsa <jo...@kernel.org>
Cc: Namhyung Kim <namh...@kernel.org>
Cc: Tom Zanussi <tzan...@gmail.com>
Cc: Wang Nan <wang...@huawei.com>
Fixes: 7e4b21b84c43 ("perf/scripts: Add Python scripting engine")
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
tools/perf/util/trace-event-scripting.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/tools/perf/util/trace-event-scripting.c
+++ b/tools/perf/util/trace-event-scripting.c
@@ -88,7 +88,8 @@ static void register_python_scripting(st
if (err)
die("error registering py script extension");

- scripting_context = malloc(sizeof(struct scripting_context));
+ if (scripting_context == NULL)
+ scripting_context = malloc(sizeof(*scripting_context));
}
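Review bot: the malloc() result is still unchecked, so a failed allocation leaves scripting_context NULL for the next scripting call to dereference. Both registration paths already die() on registration errors, so a `if (!scripting_context) die("...")` would be consistent, and moving the NULL check plus allocation into one small helper called from both hunks would remove the duplication between the python and perl variants.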

#ifdef NO_LIBPYTHON
@@ -149,7 +150,8 @@ static void register_perl_scripting(stru
if (err)
die("error registering pl script extension");

- scripting_context = malloc(sizeof(struct scripting_context));
+ if (scripting_context == NULL)
+ scripting_context = malloc(sizeof(*scripting_context));
}

#ifdef NO_LIBPERL

Ben Hutchings
Mar 10, 2017, 7:50:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

commit d41149145f98fe26dcd0bfd1d6cc095e6e041418 upstream.

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Signed-off-by: David S. Miller <da...@davemloft.net>
---
drivers/net/usb/catc.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)

--- a/drivers/net/usb/catc.c
+++ b/drivers/net/usb/catc.c
@@ -765,7 +765,7 @@ static int catc_probe(struct usb_interfa
struct net_device *netdev;
struct catc *catc;
u8 broadcast[6];
- int i, pktsz;
+ int i, pktsz, ret;

if (usb_set_interface(usbdev,
intf->altsetting->desc.bInterfaceNumber, 1)) {
@@ -800,12 +800,8 @@ static int catc_probe(struct usb_interfa
if ((!catc->ctrl_urb) || (!catc->tx_urb) ||
(!catc->rx_urb) || (!catc->irq_urb)) {
err("No free urbs available.");
- usb_free_urb(catc->ctrl_urb);
- usb_free_urb(catc->tx_urb);
- usb_free_urb(catc->rx_urb);
- usb_free_urb(catc->irq_urb);
- free_netdev(netdev);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto fail_free;
}

/* The F5U011 has the same vendor/product as the netmate but a device version of 0x130 */
@@ -902,16 +898,21 @@ static int catc_probe(struct usb_interfa
usb_set_intfdata(intf, catc);

SET_NETDEV_DEV(netdev, &intf->dev);
- if (register_netdev(netdev) != 0) {
- usb_set_intfdata(intf, NULL);
- usb_free_urb(catc->ctrl_urb);
- usb_free_urb(catc->tx_urb);
- usb_free_urb(catc->rx_urb);
- usb_free_urb(catc->irq_urb);
- free_netdev(netdev);
- return -EIO;
- }
+ ret = register_netdev(netdev);
+ if (ret)
+ goto fail_clear_intfdata;
+
return 0;
+
+fail_clear_intfdata:
+ usb_set_intfdata(intf, NULL);
+fail_free:
+ usb_free_urb(catc->ctrl_urb);
+ usb_free_urb(catc->tx_urb);
+ usb_free_urb(catc->rx_urb);
+ usb_free_urb(catc->irq_urb);
+ free_netdev(netdev);
+ return ret;
}

static void catc_disconnect(struct usb_interface *intf)
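Review bot: register_netdev()'s return value is now propagated where the old code returned -EIO; that is an improvement, but the commit message body is empty, so the error-code change and the consolidation into fail_clear_intfdata/fail_free should be stated there. The unwind order is right: intfdata is cleared only on the path that set it, and the four usb_free_urb() calls tolerate NULL, which the -ENOMEM path relies on when only some of the urbs were allocated.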

Ben Hutchings
Mar 10, 2017, 7:50:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <bfi...@redhat.com>

commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.

Context expiry times are in units of seconds since boot, not unix time.

The use of get_seconds() here therefore sets the expiry time decades in
the future. This prevents timely freeing of contexts destroyed by
client RPC_GSS_PROC_DESTROY requests. We'd still free them eventually
(when the module is unloaded or the container shut down), but a lot of
contexts could pile up before then.

Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
Reported-by: Andy Adamson <and...@netapp.com>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1151,7 +1151,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
case RPC_GSS_PROC_DESTROY:
if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
goto auth_err;
- rsci->h.expiry_time = get_seconds();
+ rsci->h.expiry_time = seconds_since_boot();
set_bit(CACHE_NEGATIVE, &rsci->h.flags);
if (resv->iov_len + 4 > PAGE_SIZE)
goto drop;

Ben Hutchings
Mar 10, 2017, 7:50:09 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathia...@linux.intel.com>

commit d6169d04097fd9ddf811e63eae4e5cd71e6666e2 upstream.

If a URB is killed while the host is removed we can end up in a situation
where the hub thread takes the roothub device lock, and waits for
the URB to be given back by xhci-hcd, blocking the host remove code.

xhci-hcd tries to stop the endpoint and give back the urb, but can't
as the host is removed from PCI bus at the same time, preventing the normal
way of giving back urb.

Instead we need to rely on the stop command timeout function to give back
the urb. This xhci_stop_endpoint_command_watchdog() timeout function
used a XHCI_STATE_DYING flag to indicate if the timeout function is already
running, but later this flag has been taking into use in other places to
mark that xhci is dying.

Remove checks for XHCI_STATE_DYING in xhci_urb_dequeue. We are still
checking that reading from pci state does not return 0xffffffff or that
host is not halted before trying to stop the endpoint.

This whole area of stopping endpoints, giving back URBs, and the watchdog
timeout need rework, this fix focuses on solving a specific deadlock
issue that we can then send to stable before any major rework.

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
[bwh: Backported to 3.2: the checks look slightly different]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/host/xhci-ring.c | 11 -----------
drivers/usb/host/xhci.c | 13 -------------
2 files changed, 24 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -969,12 +969,6 @@ void xhci_stop_endpoint_command_watchdog
spin_lock_irqsave(&xhci->lock, flags);

ep->stop_cmds_pending--;
- if (xhci->xhc_state & XHCI_STATE_DYING) {
- xhci_dbg(xhci, "Stop EP timer ran, but another timer marked "
- "xHCI as DYING, exiting.\n");
- spin_unlock_irqrestore(&xhci->lock, flags);
- return;
- }
if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) {
xhci_dbg(xhci, "Stop EP timer ran, but no command pending, "
"exiting.\n");
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1549,18 +1549,6 @@ int xhci_urb_dequeue(struct usb_hcd *hcd
xhci_urb_free_priv(xhci, urb_priv);
return ret;
}
- if ((xhci->xhc_state & XHCI_STATE_DYING) ||
- (xhci->xhc_state & XHCI_STATE_HALTED)) {
- xhci_dbg(xhci, "Ep 0x%x: URB %p to be canceled on "
- "non-responsive xHCI host.\n",
- urb->ep->desc.bEndpointAddress, urb);
- /* Let the stop endpoint command watchdog timer (which set this
- * state) finish cleaning up the endpoint TD lists. We must
- * have caught it in the middle of dropping a lock and giving
- * back an URB.
- */
- goto done;
- }

xhci_dbg(xhci, "Cancel URB %p\n", urb);
xhci_dbg(xhci, "Event ring:\n");
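Review bot: the commit message says "We are still checking that reading from pci state does not return 0xffffffff or that host is not halted before trying to stop the endpoint", but no such check is visible in the context retained around this hunk, and the backport note says the 3.2 checks look different. Confirm that an equivalent halted/removed test survives above this hunk in 3.2; otherwise xhci_urb_dequeue() could now issue a stop-endpoint command to a host that is already gone.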

Ben Hutchings
Mar 10, 2017, 7:50:10 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <sock...@hartkopp.net>

commit a06393ed03167771246c4c43192d9c264bc48412 upstream.

When removing a bcm tx operation either a hrtimer or a tasklet might run.
As the hrtimer triggers its associated tasklet and vice versa we need to
take care to mutually terminate both handlers.

Reported-by: Michael Josenhans <michael....@web.de>
Signed-off-by: Oliver Hartkopp <sock...@hartkopp.net>
Tested-by: Michael Josenhans <michael....@web.de>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/can/bcm.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)

--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -702,14 +702,23 @@ static struct bcm_op *bcm_find_op(struct

static void bcm_remove_op(struct bcm_op *op)
{
- hrtimer_cancel(&op->timer);
- hrtimer_cancel(&op->thrtimer);
+ if (op->tsklet.func) {
+ while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) ||
+ test_bit(TASKLET_STATE_RUN, &op->tsklet.state) ||
+ hrtimer_active(&op->timer)) {
+ hrtimer_cancel(&op->timer);
+ tasklet_kill(&op->tsklet);
+ }
+ }

- if (op->tsklet.func)
- tasklet_kill(&op->tsklet);
-
- if (op->thrtsklet.func)
- tasklet_kill(&op->thrtsklet);
+ if (op->thrtsklet.func) {
+ while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) ||
+ test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) ||
+ hrtimer_active(&op->thrtimer)) {
+ hrtimer_cancel(&op->thrtimer);
+ tasklet_kill(&op->thrtsklet);
+ }
+ }

if ((op->frames) && (op->frames != &op->sframe))
kfree(op->frames);
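Review bot: both while loops are unbounded. They converge only if the tasklet handler stops re-arming the hrtimer once the op is being torn down (and the timer stops rescheduling the tasklet); if either side can re-arm unconditionally, bcm_remove_op() spins. State the invariant that guarantees termination in a comment (for example that the op has already been unlinked and its repeat count or interval cleared) so the next reader does not have to rederive it.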

Ben Hutchings
Mar 10, 2017, 7:50:11 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <her...@gondor.apana.org.au>

commit 57ea52a865144aedbcd619ee0081155e658b6f7d upstream.

The GRO fast path caches the frag0 address. This address becomes
invalid if frag0 is modified by pskb_may_pull or its variants.
So whenever that happens we must disable the frag0 optimization.

This is usually done through the combination of gro_header_hard
and gro_header_slow, however, the IPv6 extension header path did
the pulling directly and would continue to use the GRO fast path
incorrectly.

This patch fixes it by disabling the fast path when we enter the
IPv6 extension header path.

Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address")
Reported-by: Slava Shwartsman <sla...@mellanox.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
include/linux/netdevice.h | 9 +++++++--
net/ipv6/af_inet6.c | 1 +
2 files changed, 8 insertions(+), 2 deletions(-)

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1676,14 +1676,19 @@ static inline int skb_gro_header_hard(st
return NAPI_GRO_CB(skb)->frag0_len < hlen;
}

+static inline void skb_gro_frag0_invalidate(struct sk_buff *skb)
+{
+ NAPI_GRO_CB(skb)->frag0 = NULL;
+ NAPI_GRO_CB(skb)->frag0_len = 0;
+}
+
static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
unsigned int offset)
{
if (!pskb_may_pull(skb, hlen))
return NULL;

- NAPI_GRO_CB(skb)->frag0 = NULL;
- NAPI_GRO_CB(skb)->frag0_len = 0;
+ skb_gro_frag0_invalidate(skb);
return skb->data + offset;
}
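Review bot: skb_gro_frag0_invalidate() has no comment saying when it must be called; since the whole point of the fix is that any pull of skb->data outside skb_gro_header_slow() must invalidate the cached frag0, a one-line comment above the new inline, e.g. `/* Must be called whenever skb->data is pulled on the GRO path */`, would stop the next caller of __pskb_pull() from forgetting it.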

--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -879,6 +879,7 @@ static struct sk_buff **ipv6_gro_receive
ops = rcu_dereference(inet6_protos[proto]);
if (!ops || !ops->gro_receive) {
__pskb_pull(skb, skb_gro_offset(skb));
+ skb_gro_frag0_invalidate(skb);
proto = ipv6_gso_pull_exthdrs(skb, proto);
skb_gro_pull(skb, -skb_transport_offset(skb));
skb_reset_transport_header(skb);
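Review bot: the new skb_gro_frag0_invalidate() call sits after __pskb_pull(); nothing between the two reads frag0, so this is correct, but placing the invalidate immediately before the pull, or adding a short comment, would make the dependency obvious and mirror skb_gro_header_slow(), which invalidates right after its pskb_may_pull(). ipv6_gso_pull_exthdrs() on the following line may pull further; the single invalidate covers that because frag0 stays NULL afterwards.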

Ben Hutchings
Mar 10, 2017, 8:00:04 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukáš Lalinský <lu...@oxygene.sk>

commit d9b2997e4a0a874e452df7cdd7de5a54502bd0aa upstream.

Add a quirk for WORLDE easykey.25 MIDI keyboard (idVendor=0218,
idProduct=0401). The device reports that it has config string
descriptor at index 3, but when the system selects the configuration
and tries to get the description, it returns a -EPROTO error,
the communication restarts and this keeps repeating over and over again.
Not requesting the string descriptor makes the device work correctly.

Relevant info from Wireshark:

[...]

CONFIGURATION DESCRIPTOR
bLength: 9
bDescriptorType: 0x02 (CONFIGURATION)
wTotalLength: 101
bNumInterfaces: 2
bConfigurationValue: 1
iConfiguration: 3
Configuration bmAttributes: 0xc0 SELF-POWERED NO REMOTE-WAKEUP
1... .... = Must be 1: Must be 1 for USB 1.1 and higher
.1.. .... = Self-Powered: This device is SELF-POWERED
..0. .... = Remote Wakeup: This device does NOT support remote wakeup
bMaxPower: 50 (100mA)

[...]

45 0.369104 host 2.38.0 USB 64 GET DESCRIPTOR Request STRING

[...]

URB setup
bmRequestType: 0x80
1... .... = Direction: Device-to-host
.00. .... = Type: Standard (0x00)
...0 0000 = Recipient: Device (0x00)
bRequest: GET DESCRIPTOR (6)
Descriptor Index: 0x03
bDescriptorType: 0x03
Language Id: English (United States) (0x0409)
wLength: 255

46 0.369255 2.38.0 host USB 64 GET DESCRIPTOR Response STRING[Malformed Packet]

[...]

Frame 46: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
USB URB
[Source: 2.38.0]
[Destination: host]
URB id: 0xffff88021f62d480
URB type: URB_COMPLETE ('C')
URB transfer type: URB_CONTROL (0x02)
Endpoint: 0x80, Direction: IN
Device: 38
URB bus id: 2
Device setup request: not relevant ('-')
Data: present (0)
URB sec: 1484896277
URB usec: 455031
URB status: Protocol error (-EPROTO) (-71)
URB length [bytes]: 0
Data length [bytes]: 0
[Request in: 45]
[Time from request: 0.000151000 seconds]
Unused Setup Header
Interval: 0
Start frame: 0
Copy of Transfer Flags: 0x00000200
Number of ISO descriptors: 0
[Malformed Packet: USB]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]

Signed-off-by: Lukáš Lalinský <lu...@oxygene.sk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -36,6 +36,10 @@ static const struct usb_device_id usb_qu
/* CBM - Flash disk */
{ USB_DEVICE(0x0204, 0x6025), .driver_info = USB_QUIRK_RESET_RESUME },

+ /* WORLDE easy key (easykey.25) MIDI controller */
+ { USB_DEVICE(0x0218, 0x0401), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
/* HP 5300/5370C scanner */
{ USB_DEVICE(0x03f0, 0x0701), .driver_info =
USB_QUIRK_STRING_FETCH_255 },
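Review bot: the entry keeps the table sorted by vendor ID (0x0218 between 0x0204 and 0x03f0), and USB_DEVICE() matches any bcdDevice, so every firmware revision of this keyboard gets the quirk. The comment should say what is being worked around, e.g. `/* WORLDE easy key (easykey.25) MIDI controller: GET_DESCRIPTOR for the config string fails with -EPROTO */`, so a reader does not have to find this commit message to know why interface strings are skipped.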

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

commit 7926aff5c57b577ab0f43364ff0c59d968f6a414 upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Signed-off-by: David S. Miller <da...@davemloft.net>
---
drivers/net/usb/rtl8150.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)

--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -178,16 +178,36 @@ static const char driver_name [] = "rtl8
*/
static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
{
- return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
- RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
- indx, 0, data, size, 500);
+ void *buf;
+ int ret;
+
+ buf = kmalloc(size, GFP_NOIO);
+ if (!buf)
+ return -ENOMEM;
+
+ ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
+ RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
+ indx, 0, buf, size, 500);
+ if (ret > 0 && ret <= size)
+ memcpy(data, buf, ret);
+ kfree(buf);
+ return ret;
}

-static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data)
{
- return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
- RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
- indx, 0, data, size, 500);
+ void *buf;
+ int ret;
+
+ buf = kmemdup(data, size, GFP_NOIO);
+ if (!buf)
+ return -ENOMEM;
+
+ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+ RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
+ indx, 0, buf, size, 500);
+ kfree(buf);
+ return ret;
}

static void ctrl_callback(struct urb *urb)
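Review bot: in get_registers(), a short read (0 < ret < size) copies only ret bytes into data and leaves the remaining bytes untouched while returning the byte count rather than an error; callers that only test for a negative result will then consume stale data from their own buffer. Either return -EIO when ret != size, or zero the tail of data before the memcpy(). The `ret <= size` half of the check is defensive only, since usb_control_msg() never returns more than the requested length. set_registers() is fine: kmemdup() copies the caller's buffer and the constified prototype correctly records that the data is not written.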

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave....@arm.com>

commit 99dfe80a2a246c600440a815741fd2e74a8b4977 upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.

Fixes: c6e6771b87d4 ("powerpc: Introduce VSX thread_struct and CONFIG_VSX")
Signed-off-by: Dave Martin <Dave....@arm.com>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
[bwh: Backported to 3.2:
- fpscr and fpr are direct members of struct thread_struct
- Use memcpy() for fpscr, like the reverse copy below, to avoid type error
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/powerpc/kernel/ptrace.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -359,6 +359,10 @@ static int fpr_set(struct task_struct *t
flush_fp_to_thread(target);

#ifdef CONFIG_VSX
+ for (i = 0; i < 32 ; i++)
+ buf[i] = target->thread.TS_FPR(i);
+ memcpy(&buf[32], &target->thread.fpscr, sizeof(double));
+
/* copy to local buffer then write that out */
i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
if (i)
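Review bot: the pre-fill of buf from TS_FPR(i) and fpscr is only under #ifdef CONFIG_VSX and carries no explanation; a one-line comment such as `/* seed with current values so a short user buffer leaves the rest intact */` would make the purpose of copying before user_regset_copyin() clear, and lets the non-VSX branch below this hunk (not shown) be checked against the same requirement. Using memcpy() with sizeof(double) for fpscr matches the write-back copy the backport note mentions; no logic issue.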
@@ -501,6 +505,9 @@ static int vsr_set(struct task_struct *t

flush_vsx_to_thread(target);

+ for (i = 0; i < 32 ; i++)
+ buf[i] = target->thread.fpr[i][TS_VSRLOWOFFSET];
+
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
buf, 0, 32 * sizeof(double));
for (i = 0; i < 32 ; i++)
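Review bot: vsr_set() now mirrors fpr_set(): buf is seeded from fpr[i][TS_VSRLOWOFFSET] before user_regset_copyin(), and the copy-in is bounded to 32 * sizeof(double), so a short user buffer leaves the untouched VSR low halves unchanged when the loop below writes buf back. A comment matching the one suggested for fpr_set() would help; otherwise fine.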

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thorsten Horstmann <thor...@defutech.de>

commit da7061c82e4a1bc6a5e134ef362c86261906c860 upstream.

The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
return value in mesh_add_vendor_ies must therefore be checked against
ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
WLAN_EID_VENDOR_SPECIFIC will be rejected.

Fixes: 082ebb0c258d ("mac80211: fix mesh beacon format")
Signed-off-by: Thorsten Horstmann <thor...@defutech.de>
Signed-off-by: Mathias Kretschmer <mathias.k...@fit.fraunhofer.de>
Signed-off-by: Simon Wunderlich <s...@simonwunderlich.de>
[sv...@narfation.org: Add commit message]
Signed-off-by: Sven Eckelmann <sv...@narfation.org>
Signed-off-by: Johannes Berg <johann...@intel.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/mac80211/mesh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -280,7 +280,7 @@ mesh_add_vendor_ies(struct sk_buff *skb,
/* fast-forward to vendor IEs */
offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0);

- if (offset) {
+ if (offset < ifmsh->ie_len) {
len = ifmsh->ie_len - offset;
data = ifmsh->ie + offset;
if (skb_tailroom(skb) < len)
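Review bot: the changed condition is correct given that ieee80211_ie_split_vendor() returns ie_len when no vendor-specific IE is present, and it also covers ie == NULL with ie_len == 0 (0 < 0 is false, so nothing is appended). A comment on the line, e.g. `/* ie_split_vendor returns ie_len when there are no vendor IEs */`, would keep the next reader from reverting this to a zero check.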

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Josef Bacik <jba...@fb.com>

commit d61b7f972dab2a7d187c38254845546dfc8eed85 upstream.

A user noticed that write performance was horrible over loopback and we
traced it to an inversion of when we need to set MSG_MORE. It should be
set when we have more bvec's to send, not when we are on the last bvec.
This patch made the test go from 20 iops to 78k iops.

Signed-off-by: Josef Bacik <jba...@fb.com>
Fixes: 429a787be679 ("nbd: fix use-after-free of rq/bio in the xmit path")
Signed-off-by: Jens Axboe <ax...@fb.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/block/nbd.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -232,7 +232,7 @@ static inline int sock_send_bvec(struct
/* always call with the tx_lock held */
static int nbd_send_req(struct nbd_device *lo, struct request *req)
{
- int result, flags;
+ int result;
struct nbd_request request;
unsigned long size = blk_rq_bytes(req);
struct bio *bio;
@@ -259,7 +259,6 @@ static int nbd_send_req(struct nbd_devic
if (nbd_cmd(req) != NBD_CMD_WRITE)
return 0;

- flags = 0;
bio = req->bio;
while (bio) {
struct bio *next = bio->bi_next;
@@ -268,9 +267,8 @@ static int nbd_send_req(struct nbd_devic

bio_for_each_segment(bvec, bio, i) {
bool is_last = !next && i == bio->bi_vcnt - 1;
+ int flags = is_last ? 0 : MSG_MORE;

- if (is_last)
- flags = MSG_MORE;
dprintk(DBG_TX, "%s: request %p: sending %d bytes data\n",
lo->disk->disk_name, req, bvec->bv_len);
result = sock_send_bvec(lo, bvec, flags);
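Review bot: the per-segment `int flags = is_last ? 0 : MSG_MORE;` has the right sense (MSG_MORE on every bvec except the last), and moving the declaration into the loop body is what makes the two earlier hunks, which drop the function-scope `flags` and its `flags = 0`, correct. One thing to confirm in the unchanged code above this hunk: the request header for a write should also be sent with MSG_MORE, otherwise the first data segment is still delayed by the header being pushed on its own.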

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 76ab439ed1b68778e9059c79ecc5d14de76c89a8 upstream.

Fix NULL-pointer dereference in open() should a type-0 or type-1 device
lack the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at pl2303_open+0x38/0xec [pl2303]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/pl2303.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -185,10 +185,18 @@ static int pl2303_vendor_write(__u16 val
static int pl2303_startup(struct usb_serial *serial)
{
struct pl2303_private *priv;
+ unsigned char num_ports = serial->num_ports;
enum pl2303_type type = type_0;
unsigned char *buf;
int i;

+ if (serial->num_bulk_in < num_ports ||
+ serial->num_bulk_out < num_ports ||
+ serial->num_interrupt_in < num_ports) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }
+
buf = kmalloc(10, GFP_KERNEL);
if (buf == NULL)
return -ENOMEM;
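Review bot: the endpoint count check sits before the kmalloc(), so the -ENODEV return does not leak buf; good. It requires num_interrupt_in >= num_ports for every device type even though, per the commit message, a missing interrupt-in endpoint already fails open(); that is a reasonable tightening at probe time, but a comment in the code should say the check is deliberately stricter than the crash requires. The `num_ports` local is used only in this comparison and could be `serial->num_ports` inline.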

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <to...@atomide.com>

commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.

When unloading omap2430, we can get the following splat:

WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
Trying to free already-free IRQ 4
...
[<c01a8b78>] (free_irq) from [<bf0aea84>]
(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
[<bf0aea84>] (musbhs_dma_controller_destroy [musb_hdrc]) from
[<bf09f88c>] (musb_remove+0xf0/0x12c [musb_hdrc])
[<bf09f88c>] (musb_remove [musb_hdrc]) from [<c056a384>]
(platform_drv_remove+0x24/0x3c)
...

This is because the irq number in use is 260 nowadays, and the dma
controller is using u8 instead of int.

Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
Signed-off-by: Tony Lindgren <to...@atomide.com>
[b-...@ti.com: added Fixes tag]
Signed-off-by: Bin Liu <b-...@ti.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/musb/musbhsdma.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/musb/musbhsdma.h
+++ b/drivers/usb/musb/musbhsdma.h
@@ -161,5 +161,5 @@ struct musb_dma_controller {
void __iomem *base;
u8 channel_count;
u8 used_channels;
- u8 irq;
+ int irq;
};
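Review bot: changing `irq` from u8 to int is right: platform_get_irq() returns a signed int (negative on error) and free_irq() takes an unsigned int, so the u8 silently truncated IRQ 260 to 4 as the splat shows. It is worth grepping the musb DMA code for any other u8 copy of this value, since a field widened here but narrowed in a caller would still hand free_irq() the wrong number.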

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukasz Odzioba <lukasz....@intel.com>

commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream.

A negative number can be specified in the cmdline which will be used as
setup_clear_cpu_cap() argument. With that we can clear/set some bit in
memory preceding boot_cpu_data/cpu_caps_cleared which may cause the kernel
to misbehave. This patch adds a lower bound check to setup_disablecpuid().

Boris Petkov reproduced a crash:

[ 1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
[ 1.236535] IP: memcpy_erms+0x6/0x10

Signed-off-by: Lukasz Odzioba <lukasz....@intel.com>
Acked-by: Borislav Petkov <b...@suse.de>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: andi....@intel.com
Cc: b...@alien8.de
Cc: dave....@linux.intel.com
Cc: lu...@kernel.org
Cc: sla...@gmail.com
Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
Link: http://lkml.kernel.org/r/1482933340-11857-1-git-s...@intel.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/x86/kernel/cpu/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1012,7 +1012,7 @@ static __init int setup_disablecpuid(cha
{
int bit;

- if (get_option(&arg, &bit) && bit < NCAPINTS*32)
+ if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
setup_clear_cpu_cap(bit);
else
return 0;
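Review bot: the added `bit >= 0` closes the negative-index path into setup_clear_cpu_cap(); the remaining `else return 0` still discards an out-of-range clearcpuid= value silently. A pr_warn() in that branch naming the rejected value would make a mistyped boot option visible instead of quietly doing nothing.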

Ben Hutchings
Mar 10, 2017, 8:00:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.w...@gmail.com>

commit 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 upstream.

Andrey reported a kernel crash:

general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880060048040 task.stack: ffff880069be8000
RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
FS: 00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
Call Trace:
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:645
SYSC_sendto+0x660/0x810 net/socket.c:1687
SyS_sendto+0x40/0x50 net/socket.c:1655
entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because we miss a check for NULL pointer for skb_peek() when
the queue is empty. Other places already have the same check.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Andrey Konovalov <andre...@google.com>
Tested-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Cong Wang <xiyou.w...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv4/ping.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -452,6 +452,8 @@ static int ping_push_pending_frames(stru
{
struct sk_buff *skb = skb_peek(&sk->sk_write_queue);

+ if (!skb)
+ return 0;
pfh->wcheck = csum_partial((char *)&pfh->icmph,
sizeof(struct icmphdr), pfh->wcheck);
pfh->icmph.checksum = csum_fold(pfh->wcheck);
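Review bot: returning 0 for an empty write queue is treated as success by the caller, which matches the other skb_peek() callers the commit message refers to, but a short comment such as `/* nothing queued, nothing to push */` would make that intent explicit. The check must stay ahead of the checksum lines, since the code that follows them dereferences skb.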

Ben Hutchings
Mar 10, 2017, 8:00:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream.

When a sequencer queue is created in snd_seq_queue_alloc(), it adds the
new queue element to the public list before referencing it. Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in the use-after-free error, as spotted by syzkaller.

The fix is to reference the queue object at the right time.

Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
sound/core/seq/seq_queue.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)

--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -183,6 +183,8 @@ void __exit snd_seq_queues_delete(void)
}
}

+static void queue_use(struct snd_seq_queue *queue, int client, int use);
+
/* allocate a new queue -
* return queue index value or negative value for error
*/
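Review bot: the forward declaration of queue_use() is only needed because its definition lands after snd_seq_queue_alloc(); moving the static helper above the allocator in the same patch would avoid the extra prototype. Minor.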
@@ -194,11 +196,11 @@ int snd_seq_queue_alloc(int client, int
if (q == NULL)
return -ENOMEM;
q->info_flags = info_flags;
+ queue_use(q, client, 1);
if (queue_list_add(q) < 0) {
queue_delete(q);
return -ENOMEM;
}
- snd_seq_queue_use(q->queue, client, 1); /* use this queue */
return q->queue;
}
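Review bot: queue_use(q, client, 1) now runs before queue_list_add(), which is the point of the fix (the queue is referenced before it becomes visible), but it is called without queue->timer_mutex; that is only safe because q is not yet reachable, so a comment saying so would help. On the error path, queue_delete(q) follows a queue_use() that, per the comment in the last hunk, may have started the timer for the first client; confirm queue_delete() closes the timer, otherwise call queue_use(q, client, 0) before queue_delete().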

@@ -504,19 +506,9 @@ int snd_seq_queue_timer_set_tempo(int qu
return result;
}

-
-/* use or unuse this queue -
- * if it is the first client, starts the timer.
- * if it is not longer used by any clients, stop the timer.
- */
-int snd_seq_queue_use(int queueid, int client, int use)
+/* use or unuse this queue */
+static void queue_use(struct snd_seq_queue *queue, int client, int use)
{
- struct snd_seq_queue *queue;
-
- queue = queueptr(queueid);
- if (queue == NULL)
- return -EINVAL;
- mutex_lock(&queue->timer_mutex);
if (use) {
if (!test_and_set_bit(client, queue->clients_bitmap))
queue->clients++;
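Review bot: queue_use() is now the lock-free core and snd_seq_queue_use() the locked wrapper, but nothing on queue_use() records that every caller other than snd_seq_queue_alloc() must hold timer_mutex; extend the `/* use or unuse this queue */` comment to say `caller must hold timer_mutex unless the queue is not yet on the list`.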
@@ -531,6 +523,21 @@ int snd_seq_queue_use(int queueid, int c
} else {
snd_seq_timer_close(queue);
}
+}
+
+/* use or unuse this queue -
+ * if it is the first client, starts the timer.
+ * if it is not longer used by any clients, stop the timer.
+ */
+int snd_seq_queue_use(int queueid, int client, int use)
+{
+ struct snd_seq_queue *queue;
+
+ queue = queueptr(queueid);
+ if (queue == NULL)
+ return -EINVAL;
+ mutex_lock(&queue->timer_mutex);
+ queue_use(queue, client, use);
mutex_unlock(&queue->timer_mutex);
queuefree(queue);
return 0;

Ben Hutchings
Mar 10, 2017, 8:00:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mho...@suse.com>

commit 5abf186a30a89d5b9c18a6bf93a2c192c9fd52f6 upstream.

do_generic_file_read() can be told to perform a large request from
userspace. If the system is under OOM and the reading task is the OOM
victim then it has an access to memory reserves and finishing the full
request can lead to the full memory depletion which is dangerous. Make
sure we rather go with a short read and allow the killed task to
terminate.

Link: http://lkml.kernel.org/r/20170201092706...@kernel.org
Signed-off-by: Michal Hocko <mho...@suse.com>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Cc: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Cc: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
mm/filemap.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1117,6 +1117,11 @@ static void do_generic_file_read(struct

cond_resched();
find_page:
+ if (fatal_signal_pending(current)) {
+ error = -EINTR;
+ goto out;
+ }
+
page = find_get_page(mapping, index);
if (!page) {
page_cache_sync_readahead(mapping,
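Review bot: the fatal_signal_pending() check at find_page: runs on every iteration, including the `goto find_page` retries, so an OOM-killed task stops after at most one more page; the `out:` label below this hunk (not shown) must return the bytes already copied when `written` is non-zero and only surface -EINTR for a zero-length read, otherwise a partial read becomes a spurious error to userspace. Worth confirming in the backport, since the 3.2 function differs from the upstream one the fix was written against.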

Ben Hutchings
Mar 10, 2017, 8:00:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

Extracted from commit 62bccb8cdb69 ("net-timestamp: Make the clone operation
stand-alone from phy timestamping").

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1117,6 +1117,7 @@ extern struct sk_buff *sock_rmalloc(str
gfp_t priority);
extern void sock_wfree(struct sk_buff *skb);
extern void sock_rfree(struct sk_buff *skb);
+void sock_efree(struct sk_buff *skb);

extern int sock_setsockopt(struct socket *sock, int level,
int op, char __user *optval,
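Review bot: the new prototype is written as `void sock_efree(struct sk_buff *skb);` while every neighbouring declaration in this 3.2 header uses `extern`; make it `extern void sock_efree(struct sk_buff *skb);` for consistency with the surrounding lines. This patch also carries no upstream commit id or diffstat, only an "extracted from" note, so the message should say which later 3.2 patch needs sock_efree().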
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1369,6 +1369,11 @@ void sock_rfree(struct sk_buff *skb)
}
EXPORT_SYMBOL(sock_rfree);

+void sock_efree(struct sk_buff *skb)
+{
+ sock_put(skb->sk);
+}
+EXPORT_SYMBOL(sock_efree);

int sock_i_uid(struct sock *sk)
{
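Review bot: sock_efree() drops a sock reference with sock_put() and nothing else, so it is only correct as the destructor of an skb whose sk was taken with sock_hold(); a comment above the function stating that pairing would prevent it being attached to skbs charged to sk_wmem_alloc or sk_rmem_alloc the way sock_wfree()/sock_rfree() above it expect.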

Ben Hutchings
Mar 10, 2017, 8:00:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Ren <zr...@suse.com>

commit e7ee2c089e94067d68475990bdeed211c8852917 upstream.

The crash happens rather often when we reset some cluster nodes while
nodes contend fiercely to do truncate and append.

The crash backtrace is below:

dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover_grant 1 locks on 971 resources
dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover 9 generation 5 done: 4 ms
ocfs2: Begin replay journal (node 318952601, slot 2) on device (253,18)
ocfs2: End replay journal (node 318952601, slot 2) on device (253,18)
ocfs2: Beginning quota recovery on device (253,18) for slot 2
ocfs2: Finishing quota recovery on device (253,18) for slot 2
(truncate,30154,1):ocfs2_truncate_file:470 ERROR: bug expression: le64_to_cpu(fe->i_size) != i_size_read(inode)
(truncate,30154,1):ocfs2_truncate_file:470 ERROR: Inode 290321, inode i_size = 732 != di i_size = 937, i_flags = 0x1
------------[ cut here ]------------
kernel BUG at /usr/src/linux/fs/ocfs2/file.c:470!
invalid opcode: 0000 [#1] SMP
Modules linked in: ocfs2_stack_user(OEN) ocfs2(OEN) ocfs2_nodemanager ocfs2_stackglue(OEN) quota_tree dlm(OEN) configfs fuse sd_mod iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs softdog xfs libcrc32c ppdev parport_pc pcspkr parport joydev virtio_balloon virtio_net i2c_piix4 acpi_cpufreq button processor ext4 crc16 jbd2 mbcache ata_generic cirrus virtio_blk ata_piix drm_kms_helper ahci syscopyarea libahci sysfillrect sysimgblt fb_sys_fops ttm floppy libata drm virtio_pci virtio_ring uhci_hcd virtio ehci_hcd usbcore serio_raw usb_common sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
Supported: No, Unsupported modules are loaded
CPU: 1 PID: 30154 Comm: truncate Tainted: G OE N 4.4.21-69-default #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
task: ffff88004ff6d240 ti: ffff880074e68000 task.ti: ffff880074e68000
RIP: 0010:[<ffffffffa05c8c30>] [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]
RSP: 0018:ffff880074e6bd50 EFLAGS: 00010282
RAX: 0000000000000074 RBX: 000000000000029e RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff880074e6bda8 R08: 000000003675dc7a R09: ffffffff82013414
R10: 0000000000034c50 R11: 0000000000000000 R12: ffff88003aab3448
R13: 00000000000002dc R14: 0000000000046e11 R15: 0000000000000020
FS: 00007f839f965700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f839f97e000 CR3: 0000000036723000 CR4: 00000000000006e0
Call Trace:
ocfs2_setattr+0x698/0xa90 [ocfs2]
notify_change+0x1ae/0x380
do_truncate+0x5e/0x90
do_sys_ftruncate.constprop.11+0x108/0x160
entry_SYSCALL_64_fastpath+0x12/0x6d
Code: 24 28 ba d6 01 00 00 48 c7 c6 30 43 62 a0 8b 41 2c 89 44 24 08 48 8b 41 20 48 c7 c1 78 a3 62 a0 48 89 04 24 31 c0 e8 a0 97 f9 ff <0f> 0b 3d 00 fe ff ff 0f 84 ab fd ff ff 83 f8 fc 0f 84 a2 fd ff
RIP [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]

It's because ocfs2_inode_lock() gets us a stale LVB in which the i_size is
not equal to the disk i_size. We mistakenly trust the LVB because the
underlying fsdlm dlm_lock() doesn't set lkb_sbflags with
DLM_SBF_VALNOTVALID properly for us. But, why?

The current code tries to downconvert the lock without the DLM_LKF_VALBLK flag
to tell o2cb not to update the RSB's LVB if it's a PR->NULL conversion, even
if the lock resource type needs the LVB. This is not the right way for
fsdlm.

The fsdlm plugin behaves differently on DLM_LKF_VALBLK: it depends on
DLM_LKF_VALBLK to decide whether we care about the LVB in the LKB. If
DLM_LKF_VALBLK is not set, fsdlm will skip recovering the RSB's LVB from
this lkb and set DLM_SBF_VALNOTVALID appropriately when node
failure happens.

The following diagram briefly illustrates how this crash happens:

RSB1 is inode metadata lock resource with LOCK_TYPE_USES_LVB;

The 1st round:

             Node1                                    Node2
RSB1: PR
                                                  RSB1(master): NULL->EX
ocfs2_downconvert_lock(PR->NULL, set_lvb==0)
 ocfs2_dlm_lock(no DLM_LKF_VALBLK)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

dlm_lock(no DLM_LKF_VALBLK)
convert_lock(overwrite lkb->lkb_exflags
             with no DLM_LKF_VALBLK)

RSB1: NULL                                        RSB1: EX
                                                  reset Node2
dlm_recover_rsbs()
  recover_lvb()

/* The LVB is not trustable if the node with EX fails and
 * no lock >= PR is left. We should set RSB_VALNOTVALID for RSB1.
 */

 if(!(kb_exflags & DLM_LKF_VALBLK)) /* This means we miss the chance
           return;                  * to invalidate the LVB here.
                                    */

The 2nd round:

         Node 1                                Node2
                                              RSB1(become master from recovery)

ocfs2_setattr()
 ocfs2_inode_lock(NULL->EX)
   /* dlm_lock() returns the stale lvb without setting DLM_SBF_VALNOTVALID */
   ocfs2_meta_lvb_is_trustable() returns 1 /* so we don't refresh inode from disk */
   ocfs2_truncate_file()
       mlog_bug_on_msg(disk isize != i_size_read(inode)) /* crash! */

The fix is quite straightforward. We keep setting the DLM_LKF_VALBLK flag
for dlm_lock() if the lock resource type needs the LVB and the fsdlm plugin
is used.

Link: http://lkml.kernel.org/r/1481275846-6604-1-...@suse.com
Signed-off-by: Eric Ren <zr...@suse.com>
Reviewed-by: Joseph Qi <jiang...@gmail.com>
Cc: Mark Fasheh <mfa...@versity.com>
Cc: Joel Becker <jl...@evilplan.org>
Cc: Junxiao Bi <junxi...@oracle.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ocfs2/dlmglue.c | 10 ++++++++++
fs/ocfs2/stackglue.c | 6 ++++++
fs/ocfs2/stackglue.h | 3 +++
3 files changed, 19 insertions(+)

--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -3270,6 +3270,16 @@ static int ocfs2_downconvert_lock(struct
mlog(ML_BASTS, "lockres %s, level %d => %d\n", lockres->l_name,
lockres->l_level, new_level);

+ /*
+ * On DLM_LKF_VALBLK, fsdlm behaves differently with o2cb. It always
+ * expects DLM_LKF_VALBLK being set if the LKB has LVB, so that
+ * we can recover correctly from node failure. Otherwise, we may get
+ * invalid LVB in LKB, but without DLM_SBF_VALNOTVALID being set.
+ */
+ if (!ocfs2_is_o2cb_active() &&
+ lockres->l_ops->flags & LOCK_TYPE_USES_LVB)
+ lvb = 1;
+
if (lvb)
dlm_flags |= DLM_LKF_VALBLK;
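Review bot: `!ocfs2_is_o2cb_active() && lockres->l_ops->flags & LOCK_TYPE_USES_LVB` relies on `&` binding tighter than `&&`; it is correct, but parenthesise the flags test as `(lockres->l_ops->flags & LOCK_TYPE_USES_LVB)` so nobody has to check precedence. ocfs2_is_o2cb_active() also does a strcmp() on every downconvert (see the stackglue.c hunk), which is cheap but unnecessary; evaluating it once when the stack is selected and caching a bool would be cleaner.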

--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -48,6 +48,12 @@ static char ocfs2_hb_ctl_path[OCFS2_MAX_
*/
static struct ocfs2_stack_plugin *active_stack;

+inline int ocfs2_is_o2cb_active(void)
+{
+ return !strcmp(active_stack->sp_name, OCFS2_STACK_PLUGIN_O2CB);
+}
+EXPORT_SYMBOL_GPL(ocfs2_is_o2cb_active);
+
static struct ocfs2_stack_plugin *ocfs2_stack_lookup(const char *name)
{
struct ocfs2_stack_plugin *p;
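Review bot: `inline int ocfs2_is_o2cb_active(void)` together with EXPORT_SYMBOL_GPL() is contradictory: an exported symbol needs an out-of-line definition, and `inline` on a non-static function here is at best ignored; drop `inline`. active_stack is dereferenced without a NULL check, which is fine for the dlmglue caller (no lock can be downconverted before a stack is active), but an exported function should state that precondition in a comment.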
--- a/fs/ocfs2/stackglue.h
+++ b/fs/ocfs2/stackglue.h
@@ -289,4 +289,7 @@ void ocfs2_stack_glue_set_max_proto_vers
int ocfs2_stack_glue_register(struct ocfs2_stack_plugin *plugin);
void ocfs2_stack_glue_unregister(struct ocfs2_stack_plugin *plugin);

+/* In ocfs2_downconvert_lock(), we need to know which stack we are using */
+int ocfs2_is_o2cb_active(void);
+
#endif /* STACKGLUE_H */

Ben Hutchings
Mar 10, 2017, 8:00:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit e6afb1ad88feddf2347ea779cfaf4d03d3cd40b6 upstream.

Commit beb0babfb77e ("korina: disable napi on close and restart")
introduced calls to napi_disable() that were missing before;
unfortunately this leaves a small window during which NAPI has a chance
to run, yet we have just freed resources since korina_free_ring() has been
called.

Fix this by disabling NAPI first then freeing resource, and make sure
that we also cancel the restart task before doing the resource freeing.

Fixes: beb0babfb77e ("korina: disable napi on close and restart")
Reported-by: Alexandros C. Couloumbis <al...@ozo.com>
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/korina.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/korina.c
+++ b/drivers/net/ethernet/korina.c
@@ -906,10 +906,10 @@ static void korina_restart_task(struct w
DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR,
&lp->rx_dma_regs->dmasm);

- korina_free_ring(dev);
-
napi_disable(&lp->napi);

+ korina_free_ring(dev);
+
if (korina_init(dev) < 0) {
printk(KERN_ERR "%s: cannot restart device\n", dev->name);
return;
@@ -1070,12 +1070,12 @@ static int korina_close(struct net_devic
tmp = tmp | DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR;
writel(tmp, &lp->rx_dma_regs->dmasm);

- korina_free_ring(dev);
-
napi_disable(&lp->napi);

cancel_work_sync(&lp->restart_task);

+ korina_free_ring(dev);
+
free_irq(lp->rx_irq, dev);
free_irq(lp->tx_irq, dev);
free_irq(lp->ovr_irq, dev);
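Review bot: the close path now calls napi_disable() and only then cancel_work_sync(), while korina_restart_task() in the previous hunk also calls napi_disable() on the same NAPI instance; if the restart task can still be queued between those two calls in korina_close(), it would run napi_disable() a second time on an already-disabled context, so it is worth confirming that the work is gated on the device being up, which the visible lines do not show. The reordering itself, freeing the rings only after both NAPI and the restart work are stopped, matches what the commit message sets out to fix.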

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.

When checking a new device's descriptors, the USB core does not check
for duplicate endpoint addresses. This can cause a problem when the
sysfs files for those endpoints are created; trying to create multiple
files with the same name will provoke a WARNING:

WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
sysfs: cannot create duplicate filename
'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
Kernel panic - not syncing: panic_on_warn set ...

CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
[<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
[<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
[<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
[<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
[< inline >] create_dir lib/kobject.c:71
[<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
[< inline >] kobject_add_varg lib/kobject.c:366
[<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
[<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
[<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
[<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
[<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
[<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
[<ffffffff82cc9e2e>] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
[<ffffffff82caa7fa>] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263

This patch prevents the problem by checking for duplicate endpoint
addresses during enumeration and skipping any duplicates.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andre...@google.com>
Tested-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/core/config.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -207,6 +207,16 @@ static int usb_parse_endpoint(struct dev
if (ifp->desc.bNumEndpoints >= num_ep)
goto skip_to_next_endpoint_or_interface_descriptor;

+ /* Check for duplicate endpoint addresses */
+ for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+ if (ifp->endpoint[i].desc.bEndpointAddress ==
+ d->bEndpointAddress) {
+ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+ cfgno, inum, asnum, d->bEndpointAddress);
+ goto skip_to_next_endpoint_or_interface_descriptor;
+ }
+ }
+
endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
++ifp->desc.bNumEndpoints;

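Review bot: the loop index `i` is used but not declared in this hunk, and the diffstat counts only these 10 added lines, so it must be an existing local of usb_parse_endpoint(); confirm it holds nothing live at this point, since the loop overwrites it. The check itself is correctly placed after the `bNumEndpoints >= num_ep` bound and compares only against endpoints already accepted, so the first occurrence of an address is kept and later ones are dropped with a warning rather than reaching the sysfs duplicate-name path.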
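The duplicate-address rule the patch adds, as an added stand-alone example (not kernel code): a constructed endpoint list for one altsetting is fed through a parse_endpoint() that applies the same two checks in the same order, the declared-count bound and the scan of already-accepted addresses. The struct names, MAX_EP and the sample descriptors are all local to this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the USB endpoint descriptor fields the check uses. */
struct ep_desc {
    uint8_t bEndpointAddress;   /* bit 7 = direction, bits 0-3 = endpoint number */
    uint8_t bmAttributes;       /* transfer type; carried along, not checked */
};

#define MAX_EP 16   /* assumption: per-altsetting capacity of this model */

/* Parsed altsetting: the accepted endpoints, in the order they were kept. */
struct alt_setting {
    unsigned int num_ep;        /* declared bNumEndpoints: the capacity bound */
    unsigned int n_accepted;    /* running count, like ifp->desc.bNumEndpoints */
    struct ep_desc endpoint[MAX_EP];
};

/* Returns 1 if an endpoint with this address was already accepted. */
static int ep_addr_seen(const struct alt_setting *alt, uint8_t addr)
{
    for (unsigned int i = 0; i < alt->n_accepted; i++)
        if (alt->endpoint[i].bEndpointAddress == addr)
            return 1;
    return 0;
}

/*
 * Parse one endpoint descriptor into the altsetting, mirroring the order of
 * checks in the patched usb_parse_endpoint(): capacity first, then the new
 * duplicate-address check.  Returns 1 if the endpoint was kept, 0 if skipped.
 */
int parse_endpoint(struct alt_setting *alt, const struct ep_desc *d)
{
    if (alt->n_accepted >= alt->num_ep || alt->n_accepted >= MAX_EP)
        return 0;               /* more endpoints than declared: skip */

    if (ep_addr_seen(alt, d->bEndpointAddress)) {
        fprintf(stderr, "duplicate endpoint with address 0x%02X, skipping\n",
                d->bEndpointAddress);
        return 0;
    }

    alt->endpoint[alt->n_accepted++] = *d;
    return 1;
}

/* Feed a whole descriptor list; returns how many endpoints were accepted. */
unsigned int parse_altsetting(struct alt_setting *alt, unsigned int num_ep,
                              const struct ep_desc *descs, unsigned int count)
{
    memset(alt, 0, sizeof(*alt));
    alt->num_ep = num_ep;
    for (unsigned int i = 0; i < count; i++)
        parse_endpoint(alt, &descs[i]);
    return alt->n_accepted;
}

/* Constructed input: a device declaring 4 endpoints whose list repeats
 * address 0x05 (the "ep_05" name in the WARNING quoted above). */
static const struct ep_desc sample_descs[] = {
    { 0x81, 0x02 },   /* bulk IN, endpoint 1 */
    { 0x02, 0x02 },   /* bulk OUT, endpoint 2 */
    { 0x05, 0x03 },   /* interrupt OUT, endpoint 5 */
    { 0x05, 0x03 },   /* same address again: must be skipped */
};

/* Runs the sample; the duplicate is dropped, so 3 of 4 are accepted. */
unsigned int run_sample(void)
{
    struct alt_setting alt;
    return parse_altsetting(&alt, 4, sample_descs,
                            sizeof(sample_descs) / sizeof(sample_descs[0]));
}

int main(void)
{
    printf("accepted %u of 4 declared endpoints\n", run_sample());
    return 0;
}
```

Keeping the first occurrence and dropping later ones is the conservative choice: the already-accepted endpoint may be in use by the time the duplicate is seen, whereas the duplicate has not yet been registered anywhere.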
Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit cc0909248258f679c4bb4cd315565d40abaf6bc6 upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]

Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: add this check to the existing
usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/spcp8x5.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

--- a/drivers/usb/serial/spcp8x5.c
+++ b/drivers/usb/serial/spcp8x5.c
@@ -176,6 +176,13 @@ static int spcp8x5_startup(struct usb_se
int i;
enum spcp8x5_type type = SPCP825_007_TYPE;
u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
+ unsigned char num_ports = serial->num_ports;
+
+ if (serial->num_bulk_in < num_ports ||
+ serial->num_bulk_out < num_ports) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }

if (product == 0x0201)
type = SPCP825_007_TYPE;

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Akinobu Mita <akinob...@gmail.com>

commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream.

The sysrq input handler should be attached to the input device which has
a left alt key.

On 32-bit kernels, some input devices which have a left alt key cannot
attach the sysrq handler, because the keybit bitmap in struct input_device_id
for sysrq is not correctly initialized. KEY_LEFTALT is 56, which is
greater than BITS_PER_LONG on 32-bit kernels.

I found this problem when using a matrix keypad device which defines
a KEY_LEFTALT (56) but doesn't have a KEY_O (24 == 56%32).

Cc: Jiri Slaby <jsl...@suse.com>
Signed-off-by: Akinobu Mita <akinob...@gmail.com>
Acked-by: Dmitry Torokhov <dmitry....@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/tty/sysrq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -763,8 +763,8 @@ static const struct input_device_id sysr
{
.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
INPUT_DEVICE_ID_MATCH_KEYBIT,
- .evbit = { BIT_MASK(EV_KEY) },
- .keybit = { BIT_MASK(KEY_LEFTALT) },
+ .evbit = { [BIT_WORD(EV_KEY)] = BIT_MASK(EV_KEY) },
+ .keybit = { [BIT_WORD(KEY_LEFTALT)] = BIT_MASK(KEY_LEFTALT) },
},
{ },
};
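Review bot: a short comment on the `.keybit` line saying why the designated index is needed would help; the plain `{ BIT_MASK(KEY_LEFTALT) }` form reads as correct, and the reason it is not (KEY_LEFTALT is 56, so with a 32-bit long the mask belongs in word 1, not word 0) lives only in the commit message. Something like `/* KEY_LEFTALT >= BITS_PER_LONG on 32-bit: index the right word */` above the line would stop the next reader from simplifying it back.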

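The word-indexing problem described in the commit message above, as an added example that is not part of the patch or of the kernel: a model of the 32-bit case with 32-bit bitmap words, local MODEL_* versions of BIT_WORD/BIT_MASK/BITS_TO_LONGS, and the removed and added initialisers side by side. The KEY_MAX used to size the array is an assumption for this model only.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model a 32-bit kernel: bitmap words are 32 bits wide, the case from the
 * commit message where KEY_LEFTALT (56) exceeds BITS_PER_LONG.  These are
 * local definitions with the same shape as the kernel macros, not the
 * kernel's own.
 */
#define MODEL_BITS_PER_LONG     32
#define MODEL_BIT_WORD(nr)      ((nr) / MODEL_BITS_PER_LONG)
#define MODEL_BIT_MASK(nr)      (1UL << ((nr) % MODEL_BITS_PER_LONG))
#define MODEL_BITS_TO_LONGS(nr) (((nr) + MODEL_BITS_PER_LONG - 1) / MODEL_BITS_PER_LONG)

/* Keycodes as given in the commit message. */
#define KEY_O       24
#define KEY_LEFTALT 56
#define KEY_MAX     0x2ff   /* assumption: only used to size the bitmap here */

typedef uint32_t model_word_t;

struct model_input_device_id {
    model_word_t keybit[MODEL_BITS_TO_LONGS(KEY_MAX)];
};

/* The initialiser the patch removes: with no index, the single initialiser
 * lands in word 0 whatever the key number is.  BIT_MASK(56) is 1 << 24,
 * so this entry really describes KEY_O. */
static const struct model_input_device_id buggy_id = {
    .keybit = { MODEL_BIT_MASK(KEY_LEFTALT) },
};

/* The initialiser the patch adds: the designated index puts the mask into
 * the word that holds bit 56, i.e. word 1. */
static const struct model_input_device_id fixed_id = {
    .keybit = { [MODEL_BIT_WORD(KEY_LEFTALT)] = MODEL_BIT_MASK(KEY_LEFTALT) },
};

/* test_bit() equivalent over the model bitmap. */
static int model_test_bit(const model_word_t *map, unsigned int nr)
{
    return (map[MODEL_BIT_WORD(nr)] >> (nr % MODEL_BITS_PER_LONG)) & 1U;
}

/* Which keycodes does each table entry actually match? */
int buggy_matches(unsigned int key) { return model_test_bit(buggy_id.keybit, key); }
int fixed_matches(unsigned int key) { return model_test_bit(fixed_id.keybit, key); }

int main(void)
{
    printf("buggy: KEY_LEFTALT=%d KEY_O=%d\n",
           buggy_matches(KEY_LEFTALT), buggy_matches(KEY_O));
    printf("fixed: KEY_LEFTALT=%d KEY_O=%d\n",
           fixed_matches(KEY_LEFTALT), fixed_matches(KEY_O));
    return 0;
}
```

On a 64-bit build both initialisers happen to agree, because bit 56 is still inside word 0; that is why the bug only showed on 32-bit kernels, and why the keypad without KEY_O in the commit message failed to match.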
Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 90507d54f712d81b74815ef3a4bbb555cd9fab2f upstream.

Fix NULL-pointer dereference at open should the device lack a bulk-in or
bulk-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at iuu_open+0x78/0x59c [iuu_phoenix]

Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints check")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: add this check to the existing
usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -112,7 +112,12 @@ static int iuu_alloc_buf(struct iuu_priv

static int iuu_startup(struct usb_serial *serial)
{
+ unsigned char num_ports = serial->num_ports;
struct iuu_private *priv;
+
+ if (serial->num_bulk_in < num_ports || serial->num_bulk_out < num_ports)
+ return -ENODEV;
+
priv = kzalloc(sizeof(struct iuu_private), GFP_KERNEL);
dbg("%s- priv allocation success", __func__);
if (!priv)
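Review bot: unlike the spcp8x5 counterpart earlier in this series, this check returns -ENODEV silently; a `dev_err(&serial->interface->dev, "missing endpoints\n");` before the return would make a rejected device diagnosable from the log rather than only from the failed bind. The check itself, bulk-in and bulk-out counts against num_ports before any allocation, is placed correctly since nothing has been allocated yet when it fails.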

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.va...@sandisk.com>

commit 2fe2f378dd45847d2643638c07a7658822087836 upstream.

The array ib_mad_mgmt_class_table.method_table has MAX_MGMT_CLASS
(80) elements. Hence compare the array index with that value instead
of with IB_MGMT_MAX_METHODS (128). This patch avoids that Coverity
reports the following:

Overrunning array class->method_table of 80 8-byte elements at element index 127 (byte offset 1016) using index convert_mgmt_class(mad_hdr->mgmt_class) (which evaluates to 127).

Fixes: commit b7ab0b19a85f ("IB/mad: Verify mgmt class in received MADs")
Signed-off-by: Bart Van Assche <bart.va...@sandisk.com>
Cc: Sean Hefty <sean....@intel.com>
Reviewed-by: Hal Rosenstock <h...@mellanox.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/infiniband/core/mad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -1598,7 +1598,7 @@ find_mad_agent(struct ib_mad_port_privat
if (!class)
goto out;
if (convert_mgmt_class(mad->mad_hdr.mgmt_class) >=
- IB_MGMT_MAX_METHODS)
+ ARRAY_SIZE(class->method_table))
goto out;
method = class->method_table[convert_mgmt_class(
mad->mad_hdr.mgmt_class)];
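Review bot: convert_mgmt_class(mad->mad_hdr.mgmt_class) is evaluated twice, once in the bound check and again as the index two lines below; storing it in a local (`int idx = convert_mgmt_class(mad->mad_hdr.mgmt_class);`) and using that in both places would make it obvious that the value checked is the value indexed. Switching the bound to ARRAY_SIZE(class->method_table) is the right fix, since it ties the check to the array itself rather than to a constant that happened to be larger.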

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steffen Maier <ma...@linux.vnet.ibm.com>

commit 56d23ed7adf3974f10e91b643bd230e9c65b5f79 upstream.

For quite a while, Linux has issued enough SCSI commands per scsi_device
which successfully return with FCP_RESID_UNDER, FSF_FCP_RSP_AVAILABLE,
and SAM_STAT_GOOD. This floods the HBA trace area and we cannot see
other, important HBA trace records for long enough.

Therefore, do not trace HBA response errors for pure benign residual
under counts at the default trace level.

This excludes benign residual under count combined with other validity
bits set in FCP_RSP_IU, such as FCP_SNS_LEN_VAL. For all those other
cases, we still do want to see both the HBA record and the corresponding
SCSI record by default.

Signed-off-by: Steffen Maier <ma...@linux.vnet.ibm.com>
Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
Reviewed-by: Benjamin Block <bbl...@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/s390/scsi/zfcp_dbf.h | 30 ++++++++++++++++++++++++++++--
drivers/s390/scsi/zfcp_fsf.h | 3 ++-
2 files changed, 30 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
* zfcp device driver
* debug feature declarations
*
- * Copyright IBM Corp. 2008, 2015
+ * Copyright IBM Corp. 2008, 2016
*/

#ifndef ZFCP_DBF_H
@@ -283,6 +283,30 @@ struct zfcp_dbf {
struct zfcp_dbf_scsi scsi_buf;
};

+/**
+ * zfcp_dbf_hba_fsf_resp_suppress - true if we should not trace by default
+ * @req: request that has been completed
+ *
+ * Returns true if FCP response with only benign residual under count.
+ */
+static inline
+bool zfcp_dbf_hba_fsf_resp_suppress(struct zfcp_fsf_req *req)
+{
+ struct fsf_qtcb *qtcb = req->qtcb;
+ u32 fsf_stat = qtcb->header.fsf_status;
+ struct fcp_resp *fcp_rsp;
+ u8 rsp_flags, fr_status;
+
+ if (qtcb->prefix.qtcb_type != FSF_IO_COMMAND)
+ return false; /* not an FCP response */
+ fcp_rsp = (struct fcp_resp *)&qtcb->bottom.io.fcp_rsp;
+ rsp_flags = fcp_rsp->fr_flags;
+ fr_status = fcp_rsp->fr_status;
+ return (fsf_stat == FSF_FCP_RSP_AVAILABLE) &&
+ (rsp_flags == FCP_RESID_UNDER) &&
+ (fr_status == SAM_STAT_GOOD);
+}
+
static inline
void zfcp_dbf_hba_fsf_resp(char *tag, int level, struct zfcp_fsf_req *req)
{
@@ -304,7 +328,9 @@ void zfcp_dbf_hba_fsf_response(struct zf
zfcp_dbf_hba_fsf_resp("fs_perr", 1, req);

} else if (qtcb->header.fsf_status != FSF_GOOD) {
- zfcp_dbf_hba_fsf_resp("fs_ferr", 1, req);
+ zfcp_dbf_hba_fsf_resp("fs_ferr",
+ zfcp_dbf_hba_fsf_resp_suppress(req)
+ ? 5 : 1, req);

} else if ((req->fsf_command == FSF_QTCB_OPEN_PORT_WITH_DID) ||
(req->fsf_command == FSF_QTCB_OPEN_LUN)) {
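Review bot: the `? 5 : 1` levels are bare numbers; the commit message says the benign residual-under case should fall below the default trace level, but nothing at this site records what level 5 is relative to that default. A named constant or a one-line comment (e.g. `/* 5: above the default dbf level, so suppressed unless raised */`) would keep the intent visible through the next change to the default.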
--- a/drivers/s390/scsi/zfcp_fsf.h
+++ b/drivers/s390/scsi/zfcp_fsf.h
@@ -3,7 +3,7 @@
*
* Interface to the FSF support functions.
*
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
*/

#ifndef FSF_H
@@ -86,6 +86,7 @@
#define FSF_APP_TAG_CHECK_FAILURE 0x00000082
#define FSF_REF_TAG_CHECK_FAILURE 0x00000083
#define FSF_ADAPTER_STATUS_AVAILABLE 0x000000AD
+#define FSF_FCP_RSP_AVAILABLE 0x000000AF
#define FSF_UNKNOWN_COMMAND 0x000000E2
#define FSF_UNKNOWN_OP_SUBTYPE 0x000000E3
#define FSF_INVALID_COMMAND_OPTION 0x000000E5

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yegor Yefremov <yegor...@googlemail.com>

commit befa60113ce7ea270cb51eada28443ca2756f480 upstream.

In order to make the driver work with the common clock framework, this
patch converts the clk_enable()/clk_disable() to
clk_prepare_enable()/clk_disable_unprepare().

Also add error checking for clk_prepare_enable().

Signed-off-by: Yegor Yefremov <yegor...@googlemail.com>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/can/ti_hecc.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/net/can/ti_hecc.c
+++ b/drivers/net/can/ti_hecc.c
@@ -942,7 +942,12 @@ static int ti_hecc_probe(struct platform
netif_napi_add(ndev, &priv->napi, ti_hecc_rx_poll,
HECC_DEF_NAPI_WEIGHT);

- clk_enable(priv->clk);
+ err = clk_prepare_enable(priv->clk);
+ if (err) {
+ dev_err(&pdev->dev, "clk_prepare_enable() failed\n");
+ goto probe_exit_clk;
+ }
+
err = register_candev(ndev);
if (err) {
dev_err(&pdev->dev, "register_candev() failed\n");
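Review bot: the new failure branch jumps to probe_exit_clk, presumably the same label the existing register_candev() failure uses; confirm that label does only clk_put() and not clk_disable_unprepare(), because on this path the clock was never successfully prepared and enabled. If the label does include the disable, a separate label between the two is needed.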
@@ -972,7 +977,7 @@ static int __devexit ti_hecc_remove(stru
struct ti_hecc_priv *priv = netdev_priv(ndev);

unregister_candev(ndev);
- clk_disable(priv->clk);
+ clk_disable_unprepare(priv->clk);
clk_put(priv->clk);
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
iounmap(priv->base);
@@ -998,7 +1003,7 @@ static int ti_hecc_suspend(struct platfo
hecc_set_bit(priv, HECC_CANMC, HECC_CANMC_PDR);
priv->can.state = CAN_STATE_SLEEPING;

- clk_disable(priv->clk);
+ clk_disable_unprepare(priv->clk);

return 0;
}
@@ -1007,8 +1012,11 @@ static int ti_hecc_resume(struct platfor
{
struct net_device *dev = platform_get_drvdata(pdev);
struct ti_hecc_priv *priv = netdev_priv(dev);
+ int err;

- clk_enable(priv->clk);
+ err = clk_prepare_enable(priv->clk);
+ if (err)
+ return err;

hecc_clear_bit(priv, HECC_CANMC, HECC_CANMC_PDR);
priv->can.state = CAN_STATE_ERROR_ACTIVE;

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <her...@gondor.apana.org.au>

commit 1272ce87fa017ca4cf32920764d879656b7a005a upstream.

The GRO path has a fast-path where we avoid calling pskb_may_pull
and pskb_expand by directly accessing frag0. However, this should
only be done if we have enough tailroom in the skb as otherwise
we'll have to expand it later anyway.

This patch adds the check by capping frag0_len with the skb tailroom.

Fixes: cb18978cbf45 ("gro: Open-code final pskb_may_pull")
Reported-by: Slava Shwartsman <sla...@mellanox.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/core/dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3627,7 +3627,8 @@ void skb_gro_reset_offset(struct sk_buff
!PageHighMem(skb_frag_page(&skb_shinfo(skb)->frags[0]))) {
NAPI_GRO_CB(skb)->frag0 =
skb_frag_address(&skb_shinfo(skb)->frags[0]);
- NAPI_GRO_CB(skb)->frag0_len = skb_frag_size(&skb_shinfo(skb)->frags[0]);
+ NAPI_GRO_CB(skb)->frag0_len = min(skb_frag_size(&skb_shinfo(skb)->frags[0]),
+ skb->end - skb->tail);
}
}
EXPORT_SYMBOL(skb_gro_reset_offset);
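Review bot: min() rather than min_t() here: skb_frag_size() returns unsigned int, while `skb->end - skb->tail` is a pointer difference on configurations where sk_buff_data_t is a pointer rather than an offset, so the strict type check in min() can produce a build warning there; `min_t(unsigned int, skb_frag_size(...), skb->end - skb->tail)` avoids that. Worth a build on both a 32-bit and a 64-bit config before release.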

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.s...@linux.intel.com>

commit 5a00b6c2438460b870a451f14593fc40d3c7edf6 upstream.

The commit 1c6c69525b40 ("genirq: Reject bogus threaded irq requests")
starts refusing misconfigured interrupt handlers. This makes
intel_mid_powerbtn stop working.

Add a mandatory flag to a threaded IRQ request in the driver.

Fixes: 1c6c69525b40 ("genirq: Reject bogus threaded irq requests")
Signed-off-by: Andy Shevchenko <andriy.s...@linux.intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/platform/x86/intel_mid_powerbtn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/platform/x86/intel_mid_powerbtn.c
+++ b/drivers/platform/x86/intel_mid_powerbtn.c
@@ -72,7 +72,7 @@ static int __devinit mfld_pb_probe(struc

input_set_capability(input, EV_KEY, KEY_POWER);

- error = request_threaded_irq(irq, NULL, mfld_pb_isr, 0,
+ error = request_threaded_irq(irq, NULL, mfld_pb_isr, IRQF_ONESHOT,
DRIVER_NAME, input);
if (error) {
dev_err(&pdev->dev, "Unable to request irq %d for mfld power"

Ben Hutchings
Mar 10, 2017, 8:00:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <ric...@nod.at>

commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.

When replaying the journal it can happen that a journal entry points to
a garbage collected node.
This is the case when a power-cut occurred between a garbage collect run
and a commit. In such a case nodes have to be read using the failable
read functions to detect whether the found node matches what we expect.

One corner case was forgotten: when the journal contains an entry to
remove an inode, all xattrs have to be removed too. UBIFS models xattrs
like directory entries, so the TNC code iterates over
all xattrs of the inode and removes them too. This code re-uses the
functions for walking directories and calls ubifs_tnc_next_ent().
ubifs_tnc_next_ent() expects to be used only after the journal and
aborts when a node does not match the expected result. This behavior can
render a UBIFS volume unmountable after a power-cut when xattrs are
used.

Fix this issue by using failable read functions in ubifs_tnc_next_ent()
too when replaying the journal.

Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Reported-by: Rock Lee <rockd...@gmail.com>
Reviewed-by: David Gstir <da...@sigma-star.at>
Signed-off-by: Richard Weinberger <ric...@nod.at>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ubifs/tnc.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)

--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -34,6 +34,11 @@
#include <linux/slab.h>
#include "ubifs.h"

+static int try_read_node(const struct ubifs_info *c, void *buf, int type,
+ int len, int lnum, int offs);
+static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
+ struct ubifs_zbranch *zbr, void *node);
+
/*
* Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
* @NAME_LESS: name corresponding to the first argument is less than second
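Review bot: try_read_node() gets a forward declaration here, but no visible hunk of this patch calls it; only fallible_read_node() gains a new caller, in tnc_read_node_nm(). If the try_read_node() prototype is only there because fallible_read_node()'s body (defined later in the file) calls it, that was already satisfied by their existing order and the extra declaration can go; otherwise a short comment saying why both are declared up front would help.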
@@ -420,7 +425,19 @@ static int tnc_read_node_nm(struct ubifs
return 0;
}

- err = ubifs_tnc_read_node(c, zbr, node);
+ if (c->replaying) {
+ err = fallible_read_node(c, &zbr->key, zbr, node);
+ /*
+ * When the node was not found, return -ENOENT, 0 otherwise.
+ * Negative return codes stay as-is.
+ */
+ if (err == 0)
+ err = -ENOENT;
+ else if (err == 1)
+ err = 0;
+ } else {
+ err = ubifs_tnc_read_node(c, zbr, node);
+ }
if (err)
return err;

@@ -2785,7 +2802,11 @@ struct ubifs_dent_node *ubifs_tnc_next_e
if (nm->name) {
if (err) {
/* Handle collisions */
- err = resolve_collision(c, key, &znode, &n, nm);
+ if (c->replaying)
+ err = fallible_resolve_collision(c, key, &znode, &n,
+ nm, 0);
+ else
+ err = resolve_collision(c, key, &znode, &n, nm);
dbg_tnc("rc returned %d, znode %p, n %d",
err, znode, n);
if (unlikely(err < 0))

Ben Hutchings
Mar 10, 2017, 8:00:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 4e2da44691cffbfffb1535f478d19bc2dca3e62b upstream.

DTR and RTS will be asserted by the tty-layer when the port is opened
and deasserted on close (if HUPCL is set). Make sure the initial state
is not-asserted before the port is first opened as well.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ch341.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -270,7 +270,6 @@ static int ch341_attach(struct usb_seria

spin_lock_init(&priv->lock);
priv->baud_rate = DEFAULT_BAUD_RATE;
- priv->line_control = CH341_BIT_RTS | CH341_BIT_DTR;

r = ch341_configure(serial->dev, priv);
if (r < 0)
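Review bot: with the explicit RTS|DTR initialiser gone, the not-asserted initial state relies on priv being zero-initialised at allocation; confirm the allocation a few lines above this hunk uses kzalloc() rather than kmalloc(), otherwise line_control starts out as whatever the heap held and the first ch341_configure() call pushes that to the device.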

Ben Hutchings
Mar 10, 2017, 8:00:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 55fa15b5987db22b4f35d3f0798928c126be5f1c upstream.

Revert to using direct register writes to set the divisor and
line-control registers.

A recent change switched to using the init vendor command to update
these registers, something which also enabled support for CH341A
devices. It turns out that simply setting bit 7 in the divisor register
is sufficient to support CH341A and specifically prevent data from being
buffered until a full endpoint-size packet (32 bytes) has been received.

Using the init command also had the side-effect of temporarily
deasserting the DTR/RTS signals on every termios change (including
initialisation on open) something which for example could cause problems
in setups where DTR is used to trigger a reset.

Fixes: 4e46c410e050 ("USB: serial: ch341: reinitialize chip on reconfiguration")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ch341.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -133,8 +133,8 @@ static int ch341_control_in(struct usb_d
return r;
}

-static int ch341_init_set_baudrate(struct usb_device *dev,
- struct ch341_private *priv, unsigned ctrl)
+static int ch341_set_baudrate_lcr(struct usb_device *dev,
+ struct ch341_private *priv, u8 lcr)
{
short a;
int r;
@@ -159,9 +159,19 @@ static int ch341_init_set_baudrate(struc
factor = 0x10000 - factor;
a = (factor & 0xff00) | divisor;

- /* 0x9c is "enable SFR_UART Control register and timer" */
- r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT,
- 0x9c | (ctrl << 8), a | 0x80);
+ /*
+ * CH341A buffers data until a full endpoint-size packet (32 bytes)
+ * has been received unless bit 7 is set.
+ */
+ a |= BIT(7);
+
+ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a);
+ if (r)
+ return r;
+
+ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, lcr);
+ if (r)
+ return r;

return r;
}
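Review bot: the tail of the function is now `if (r) return r;` immediately followed by `return r;`, so the last check is dead; either drop the `if` after the 0x2518 write and just `return r;`, or keep it and end with `return 0;`. The register numbers 0x1312 and 0x2518 also deserve named macros, or at least a comment naming them as the divisor and line-control registers as the commit message does, since they now appear as bare magic values.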
@@ -240,7 +250,7 @@ static int ch341_configure(struct usb_de
if (r < 0)
goto out;

- r = ch341_init_set_baudrate(dev, priv, 0);
+ r = ch341_set_baudrate_lcr(dev, priv, 0);
if (r < 0)
goto out;

@@ -378,7 +388,7 @@ static void ch341_set_termios(struct tty
if (baud_rate) {
priv->baud_rate = baud_rate;

- r = ch341_init_set_baudrate(port->serial->dev, priv, ctrl);
+ r = ch341_set_baudrate_lcr(port->serial->dev, priv, ctrl);
if (r < 0 && old_termios) {
priv->baud_rate = tty_termios_baud_rate(old_termios);
tty_termios_copy_hw(tty->termios, old_termios);

Ben Hutchings
Mar 10, 2017, 8:00:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Helge Deller <del...@gmx.de>

commit 2ad5d52d42810bed95100a3d912679d8864421ec upstream.

In swab.h the "#if BITS_PER_LONG > 32" breaks compiling userspace programs if
BITS_PER_LONG is #defined by userspace with the sizeof() compiler builtin.

Solve this problem by using __BITS_PER_LONG instead. Since we now
#include asm/bitsperlong.h avoid further potential userspace pollution
by moving the #define of SHIFT_PER_LONG to bitops.h which is not
exported to userspace.

This patch unbreaks compiling qemu on hppa/parisc.

Signed-off-by: Helge Deller <del...@gmx.de>
[bwh: Backported to 3.2: adjust filenames]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/parisc/include/asm/bitops.h | 8 +++++++-
arch/parisc/include/asm/bitsperlong.h | 2 --
arch/parisc/include/asm/swab.h | 5 +++--
3 files changed, 10 insertions(+), 5 deletions(-)

--- a/arch/parisc/include/asm/bitops.h
+++ b/arch/parisc/include/asm/bitops.h
@@ -6,7 +6,7 @@
#endif

#include <linux/compiler.h>
-#include <asm/types.h> /* for BITS_PER_LONG/SHIFT_PER_LONG */
+#include <asm/types.h>
#include <asm/byteorder.h>
#include <linux/atomic.h>

@@ -16,6 +16,12 @@
* to include/asm-i386/bitops.h or kerneldoc
*/

+#if __BITS_PER_LONG == 64
+#define SHIFT_PER_LONG 6
+#else
+#define SHIFT_PER_LONG 5
+#endif
+
#define CHOP_SHIFTCOUNT(x) (((unsigned long) (x)) & (BITS_PER_LONG - 1))


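Review bot: this file now tests __BITS_PER_LONG but includes only <asm/types.h> (the comment naming BITS_PER_LONG/SHIFT_PER_LONG was dropped in the previous hunk), so it depends on asm/types.h pulling in asm/bitsperlong.h transitively; an explicit `#include <asm/bitsperlong.h>` next to the other includes would make the dependency visible, as the swab.h hunk in this patch already does. CHOP_SHIFTCOUNT keeps using BITS_PER_LONG, which is fine for a header that is not exported to userspace.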
--- a/arch/parisc/include/asm/bitsperlong.h
+++ b/arch/parisc/include/asm/bitsperlong.h
@@ -9,10 +9,8 @@
*/
#if (defined(__KERNEL__) && defined(CONFIG_64BIT)) || defined (__LP64__)
#define __BITS_PER_LONG 64
-#define SHIFT_PER_LONG 6
#else
#define __BITS_PER_LONG 32
-#define SHIFT_PER_LONG 5
#endif

#include <asm-generic/bitsperlong.h>
--- a/arch/parisc/include/asm/swab.h
+++ b/arch/parisc/include/asm/swab.h
@@ -1,6 +1,7 @@
#ifndef _PARISC_SWAB_H
#define _PARISC_SWAB_H

+#include <asm/bitsperlong.h>
#include <linux/types.h>
#include <linux/compiler.h>

@@ -38,7 +39,7 @@ static inline __attribute_const__ __u32
}
#define __arch_swab32 __arch_swab32

-#if BITS_PER_LONG > 32
+#if __BITS_PER_LONG > 32
/*
** From "PA-RISC 2.0 Architecture", HP Professional Books.
** See Appendix I page 8 , "Endian Byte Swapping".
@@ -61,6 +62,6 @@ static inline __attribute_const__ __u64
return x;
}
#define __arch_swab64 __arch_swab64
-#endif /* BITS_PER_LONG > 32 */
+#endif /* __BITS_PER_LONG > 32 */

#endif /* _PARISC_SWAB_H */

Ben Hutchings
Mar 10, 2017, 8:00:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 0dd408425eb21ddf26a692b3c8044c9e7d1a7948 upstream.

Fix NULL-pointer dereference when initialising URBs at open should a
non-EPIC device lack a bulk-in or interrupt-in endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000028
...
PC is at edge_open+0x24c/0x3e8 [io_edgeport]

Note that the EPIC-device probe path has the required sanity checks so
this makes those checks partially redundant.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/io_edgeport.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2936,6 +2936,11 @@ static int edge_startup(struct usb_seria
EDGE_COMPATIBILITY_MASK1,
EDGE_COMPATIBILITY_MASK2 };

+ if (serial->num_bulk_in < 1 || serial->num_interrupt_in < 1) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }
+
dev = serial->dev;

/* create our private serial structure */

Ben Hutchings
Mar 10, 2017, 8:00:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 394a10331a9e43100a8ee293255cfc428c7355ac upstream.

Remove redundant call to ch341_close from error path when submission of
the interrupt urb fails in open.

Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ch341.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -338,7 +338,6 @@ static int ch341_open(struct tty_struct
if (r) {
dev_err(&port->dev, "%s - failed submitting interrupt urb,"
" error %d\n", __func__, r);
- ch341_close(port);
goto out;
}

Ben Hutchings
Mar 10, 2017, 8:00:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjørn Mork <bj...@mork.no>

commit 5d03a2fd2292e71936c4235885c35ccc3c94695b upstream.

Yet another laptop vendor rebranded Novatel E371.

Signed-off-by: Bjørn Mork <bj...@mork.no>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/option.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1963,6 +1963,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /* HP lt2523 (Novatel E371) */
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);

Ben Hutchings
Mar 10, 2017, 8:00:09 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae upstream.

A short control transfer would currently fail to be detected, something
which could lead to stale buffer data being used as valid input.

Check for short transfers, and make sure to log any transfer errors.

Note that this also avoids leaking heap data to user space (TIOCMGET)
and the remote device (break control).

Fixes: 6ce76104781a ("USB: Driver for CH341 USB-serial adaptor")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ch341.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -115,6 +115,8 @@ static int ch341_control_out(struct usb_
r = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), request,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
value, index, NULL, 0, DEFAULT_TIMEOUT);
+ if (r < 0)
+ dev_err(&dev->dev, "failed to send control message: %d\n", r);

return r;
}
@@ -130,7 +132,20 @@ static int ch341_control_in(struct usb_d
r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
value, index, buf, bufsize, DEFAULT_TIMEOUT);
- return r;
+ if (r < bufsize) {
+ if (r >= 0) {
+ dev_err(&dev->dev,
+ "short control message received (%d < %u)\n",
+ r, bufsize);
+ r = -EIO;
+ }
+
+ dev_err(&dev->dev, "failed to receive control message: %d\n",
+ r);
+ return r;
+ }
+
+ return 0;
}

static int ch341_set_baudrate_lcr(struct usb_device *dev,
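Review bot: this changes the return contract of ch341_control_in() from "bytes received" to "0 on success", so every caller that previously tested the count (the `r == 2` in ch341_get_status(), removed later in this patch) must be updated; worth checking that no other caller treats a positive return as data, since one left behind would now see every read as failing. The two dev_err() calls are arranged so that a short read logs both messages and a transfer error logs only the second, which reads as intended.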
@@ -184,9 +199,9 @@ static int ch341_set_handshake(struct us

static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
{
+ const unsigned int size = 2;
char *buffer;
int r;
- const unsigned size = 8;
unsigned long flags;

dbg("ch341_get_status()");
@@ -199,15 +214,10 @@ static int ch341_get_status(struct usb_d
if (r < 0)
goto out;

- /* setup the private status if available */
- if (r == 2) {
- r = 0;
- spin_lock_irqsave(&priv->lock, flags);
- priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
- priv->multi_status_change = 0;
- spin_unlock_irqrestore(&priv->lock, flags);
- } else
- r = -EPROTO;
+ spin_lock_irqsave(&priv->lock, flags);
+ priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
+ priv->multi_status_change = 0;
+ spin_unlock_irqrestore(&priv->lock, flags);

out: kfree(buffer);
return r;
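
Review bot: with the `r == 2` test gone, the error a caller sees for a short status reply changes from -EPROTO to the -EIO produced inside ch341_control_in(); worth checking that no caller of ch341_get_status() distinguishes the two. The `if (r < 0) goto out` above is now the only gate before the spinlocked copy into priv->line_status, which is sound only if ch341_control_in() reliably returns a negative value for every failure and 0 only for a full two-byte reply.
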
@@ -217,9 +227,9 @@ out: kfree(buffer);

static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
{
+ const unsigned int size = 2;
char *buffer;
int r;
- const unsigned size = 8;

dbg("ch341_configure()");

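Review bot: same change as in ch341_get_status(): `size` drops from 8 to 2 and becomes `unsigned int`. As there, the read that uses `size` lies beyond the visible context, so check that the consumer of the reply in ch341_configure() only inspects the two bytes now requested and no longer touches bytes 2..7 of the old allocation, which is exactly the stale-buffer case the commit message describes.
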
Ben Hutchings
Mar 10, 2017, 8:00:09 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Salvatore Benedetto <salvatore...@intel.com>

commit d6040764adcb5cb6de1489422411d701c158bb69 upstream.

Make sure the CRYPTO_ALG_DEAD bit is cleared before proceeding with
the algorithm registration. This fixes qat-dh registration when the
driver is restarted.

Signed-off-by: Salvatore Benedetto <salvatore...@intel.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
crypto/algapi.c | 1 +
1 file changed, 1 insertion(+)

--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -354,6 +354,7 @@ int crypto_register_alg(struct crypto_al
struct crypto_larval *larval;
int err;

+ alg->cra_flags &= ~CRYPTO_ALG_DEAD;
err = crypto_check_alg(alg);
if (err)
return err;

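Review bot: the clear is unconditional and precedes crypto_check_alg(), so a stale CRYPTO_ALG_DEAD left over from a previous unregister no longer blocks re-registration of the same struct; no locking is needed because the alg is not on any list yet at this point. A one-line comment explaining why the flag is reset here would help, since a reader of crypto_register_alg() alone cannot see who sets it.
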
Ben Hutchings
Mar 10, 2017, 8:00:10 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Keno Fischer <ke...@juliacomputing.com>

commit 8310d48b125d19fcd9521d83b8293e63eb1646aa upstream.

In commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from
__get_user_pages()"), the mm code was changed from unsetting FOLL_WRITE
after a COW was resolved to setting the (newly introduced) FOLL_COW
instead. Simultaneously, the check in gup.c was updated to still allow
writes with FOLL_FORCE set if FOLL_COW had also been set.

However, a similar check in huge_memory.c was forgotten. As a result,
remote memory writes to ro regions of memory backed by transparent huge
pages cause an infinite loop in the kernel (handle_mm_fault sets
FOLL_COW and returns 0 causing a retry, but follow_trans_huge_pmd bails
out immediately because `(flags & FOLL_WRITE) && !pmd_write(*pmd)` is
true).

While in this state the process is still SIGKILLable, but little else
works (e.g. no ptrace attach, no other signals). This is easily
reproduced with the following code (assuming thp are set to always):

#include <assert.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TEST_SIZE (5 * 1024 * 1024)

int main(void)
{
	int status;
	pid_t child;
	/* writes through /proc/self/mem use FOLL_FORCE, like ptrace */
	int fd = open("/proc/self/mem", O_RDWR);
	/* read-only anonymous region, large enough to be THP-backed */
	void *addr = mmap(NULL, TEST_SIZE, PROT_READ,
			  MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
	assert(addr != MAP_FAILED);
	pid_t parent_pid = getpid();
	if ((child = fork()) == 0) {
		void *addr2 = mmap(NULL, TEST_SIZE, PROT_READ | PROT_WRITE,
				   MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
		assert(addr2 != MAP_FAILED);
		memset(addr2, 'a', TEST_SIZE);
		/* forced write into the parent's read-only THP region;
		 * on an affected kernel this call never returns */
		pwrite(fd, addr2, TEST_SIZE, (uintptr_t)addr);
		return 0;
	}
	assert(child == waitpid(child, &status, 0));
	assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
	return 0;
}

Fix this by updating follow_trans_huge_pmd in huge_memory.c analogously
to the update in gup.c in the original commit. The same pattern exists
in follow_devmap_pmd. However, we should not be able to reach that
check with FOLL_COW set, so add WARN_ONCE to make sure we notice if we
ever do.

[ak...@linux-foundation.org: coding-style fixes]
Link: http://lkml.kernel.org/r/20170106015...@juliacomputing.com
Signed-off-by: Keno Fischer <ke...@juliacomputing.com>
Acked-by: Kirill A. Shutemov <kirill....@linux.intel.com>
Cc: Greg Thelen <gth...@google.com>
Cc: Nicholas Piggin <npi...@gmail.com>
Cc: Willy Tarreau <w...@1wt.eu>
Cc: Oleg Nesterov <ol...@redhat.com>
Cc: Kees Cook <kees...@chromium.org>
Cc: Andy Lutomirski <lu...@kernel.org>
Cc: Michal Hocko <mho...@suse.com>
Cc: Hugh Dickins <hu...@google.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[bwh: Backported to 3.2:
- Drop change to follow_devmap_pmd()
- pmd_dirty() is not available; check the page flags as in
can_follow_write_pte()
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -964,6 +964,18 @@ out:
return ret;
}

+/*
+ * FOLL_FORCE can write to even unwritable pmd's, but only
+ * after we've gone through a COW cycle and they are dirty.
+ */
+static inline bool can_follow_write_pmd(pmd_t pmd, struct page *page,
+ unsigned int flags)
+{
+ return pmd_write(pmd) ||
+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) &&
+ page && PageAnon(page));
+}
+
struct page *follow_trans_huge_pmd(struct mm_struct *mm,
unsigned long addr,
pmd_t *pmd,
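
Review bot: the `page &&` guard in can_follow_write_pmd() is redundant at its only call site, where `page` comes from pmd_page() and has already passed VM_BUG_ON(!PageHead(page)); harmless, but the comment above the helper should state that this backport tests PageAnon() in place of the upstream pmd_dirty() check (as the bwh tag says), because the two conditions are not equivalent and a reader comparing against mainline will look for the dirty test.
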
@@ -973,11 +985,12 @@ struct page *follow_trans_huge_pmd(struc

assert_spin_locked(&mm->page_table_lock);

- if (flags & FOLL_WRITE && !pmd_write(*pmd))
- goto out;
-
page = pmd_page(*pmd);
VM_BUG_ON(!PageHead(page));
+
+ if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, page, flags))
+ goto out;
+
if (flags & FOLL_TOUCH) {
pmd_t _pmd;
/*

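Review bot: moving the write check below `page = pmd_page(*pmd)` is required because the new helper needs the page, and it is safe because nothing between the old and the new position has side effects (pmd_page() and VM_BUG_ON() only read). The `goto out` path is unchanged, so a forced write that is still refused returns NULL as before instead of retrying forever; that is the behaviour the commit message asks for.
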
Ben Hutchings
Mar 10, 2017, 8:00:10 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Marcel J.E. Mol" <mar...@mesa.nl>

commit d07830db1bdb254e4b50d366010b219286b8c937 upstream.

Seems that ATEN serial-to-usb devices using pl2303 exist with
different device ids. This patch adds a missing device ID so it
is recognised by the driver.

Signed-off-by: Marcel J.E. Mol <mar...@mesa.nl>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -55,6 +55,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) },
{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) },
{ USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID) },
+ { USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID2) },
{ USB_DEVICE(ATEN_VENDOR_ID2, ATEN_PRODUCT_ID) },
{ USB_DEVICE(ELCOM_VENDOR_ID, ELCOM_PRODUCT_ID) },
{ USB_DEVICE(ELCOM_VENDOR_ID, ELCOM_PRODUCT_ID_UCSGT) },
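
Review bot: the new table entry depends on ATEN_PRODUCT_ID2 from the pl2303.h hunk below, so the two hunks must land together to keep the tree building. Placing it between the existing ATEN_VENDOR_ID entry and the ATEN_VENDOR_ID2 entry keeps the table grouped by vendor, which is the convention the surrounding lines follow.
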
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -27,6 +27,7 @@
#define ATEN_VENDOR_ID 0x0557
#define ATEN_VENDOR_ID2 0x0547
#define ATEN_PRODUCT_ID 0x2008
+#define ATEN_PRODUCT_ID2 0x2118

#define IODATA_VENDOR_ID 0x04bb
#define IODATA_PRODUCT_ID 0x0a03

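Review bot: a trailing comment naming the ATEN product that carries 0x2118 would help, since the commit message only says "ATEN serial-to-usb devices" without a model; the other IDs in this header at least carry a model suffix where one is known. The define itself follows the existing naming and spacing.
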
Ben Hutchings
Mar 10, 2017, 8:00:10 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit ff9f8a7cf935468a94d9927c68b00daae701667e upstream.

We perform the conversion between kernel jiffies and ms only when
exporting the kernel value to user space.

We need to do the opposite operation when the value is written by the user.

Only matters when HZ != 1000.

Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
kernel/sysctl.c | 1 +
1 file changed, 1 insertion(+)

--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2554,6 +2554,7 @@ static int __do_proc_doulongvec_minmax(v
break;
if (neg)
continue;
+ val = convmul * val / convdiv;
if ((min && val < *min) || (max && val > *max))
continue;
*i = val;

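Review bot: `convmul * val / convdiv` multiplies before dividing, so a large user-supplied val can overflow the unsigned long and wrap to a small value that then passes the min/max check; as this path takes values straight from a userspace write, a bound check on val before the multiplication (or a divide-first form where precision allows) would be safer. Doing the conversion before the comparison is correct, since *min and *max are stored in kernel units.
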
Ben Hutchings
Mar 10, 2017, 8:00:10 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jla...@redhat.com>

commit 6df8c9d80a27cb587f61b4f06b57e248d8bc3f86 upstream.

sparse says:

fs/ceph/mds_client.c:291:23: warning: restricted __le32 degrades to integer
fs/ceph/mds_client.c:293:28: warning: restricted __le32 degrades to integer
fs/ceph/mds_client.c:294:28: warning: restricted __le32 degrades to integer
fs/ceph/mds_client.c:296:28: warning: restricted __le32 degrades to integer

The op value is __le32, so we need to convert it before comparing it.

Signed-off-by: Jeff Layton <jla...@redhat.com>
Reviewed-by: Sage Weil <sa...@redhat.com>
Signed-off-by: Ilya Dryomov <idry...@gmail.com>
[bwh: Backported to 3.2: only filelock and directory replies are handled]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ceph/mds_client.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -238,7 +238,9 @@ static int parse_reply_info_extra(void *
struct ceph_mds_reply_info_parsed *info,
int features)
{
- if (info->head->op == CEPH_MDS_OP_GETFILELOCK)
+ u32 op = le32_to_cpu(info->head->op);
+
+ if (op == CEPH_MDS_OP_GETFILELOCK)
return parse_reply_info_filelock(p, end, info, features);
else
return parse_reply_info_dir(p, end, info, features);

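Review bot: beyond silencing sparse, the conversion matters on big-endian hosts, where comparing the raw __le32 against CEPH_MDS_OP_GETFILELOCK would silently fail and every filelock reply would be parsed as a directory reply; the bwh tag confirms those are the only two reply kinds handled in 3.2, so that mis-parse was the full extent of the exposure here. The local `u32 op` is the right width for the field.
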
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arvind Yadav <arvind....@gmail.com>

commit 064c3db9c564cc5be514ac21fb4aa26cc33db746 upstream.

Here, if devm_ioremap fails, it will return NULL.
Then hpriv->base = NULL - 0x20000, and the kernel can run into
a NULL-pointer dereference. This error check will avoid the
NULL pointer dereference.

Signed-off-by: Arvind Yadav <arvind....@gmail.com>
Signed-off-by: Tejun Heo <t...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/ata/sata_mv.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -4059,6 +4059,9 @@ static int mv_platform_probe(struct plat
host->iomap = NULL;
hpriv->base = devm_ioremap(&pdev->dev, res->start,
resource_size(res));
+ if (!hpriv->base)
+ return -ENOMEM;
+
hpriv->base -= SATAHC0_REG_BASE;

#if defined(CONFIG_HAVE_CLK)

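Review bot: the early `return -ENOMEM` is only cleanup-free if everything acquired earlier in mv_platform_probe() is devm-managed; the visible context (`host->iomap = NULL` and devm_ioremap()) looks fine, and the `#if defined(CONFIG_HAVE_CLK)` block comes after, so clocks are not yet taken, but please confirm no non-devm resource above this point needs releasing. Checking before the `-= SATAHC0_REG_BASE` adjustment is the right place, since after it the pointer is no longer NULL and the usual checks would not catch it.
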
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:

BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
[< inline >] print_address_description mm/kasan/report.c:197
[<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
[<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
[< inline >] check_memory_region_inline mm/kasan/kasan.c:308
[<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
[<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
[< inline >] copy_from_user arch/x86/include/asm/uaccess.h:689
[< inline >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
[<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
[<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
[<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
[< inline >] SYSC_write fs/read_write.c:607
[<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
[<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.

This patch fixes the warning. It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andre...@google.com>
Tested-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/gadget/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1196,7 +1196,7 @@ ep0_write (struct file *fd, const char _
/* data and/or status stage for control request */
} else if (dev->state == STATE_DEV_SETUP) {

- /* IN DATA+STATUS caller makes len <= wLength */
+ len = min_t(size_t, len, dev->setup_wLength);
if (dev->setup_in) {
retval = setup_req (dev->gadget->ep0, dev->req, len);
if (retval == 0) {

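Review bot: clamping `len` to setup_wLength silently drops the tail of an oversized write instead of rejecting it; that matches what the old comment expected of callers and closes the KASAN-reported out-of-bounds copy, but the value ep0_write() finally returns should then be the clamped `len` so userspace can notice the truncation; the return is outside this hunk, please confirm. min_t(size_t, ...) is the right form here since setup_wLength is a 16-bit field and len a size_t.
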
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Huang Rui <ray....@amd.com>

commit 432abf68a79332282329286d190e21fe3ac02a31 upstream.

The generic command buffer entry is 128 bits (16 bytes), so the offset
of tail and head pointer should be 16 bytes aligned and increased with
0x10 per command.

When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE.

So when the left space of the cmd buf can store only two
commands, we should issue one COMPLETE_WAIT additionally to wait
for all older commands to complete. Then the left space should increase
after the IOMMU fetches from the cmd buf.

So the left check value should be left <= 0x20 (two commands).

Signed-off-by: Huang Rui <ray....@amd.com>
Fixes: ac0ea6e92b222 ('x86/amd-iommu: Improve handling of full command buffer')
Signed-off-by: Joerg Roedel <jro...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/iommu/amd_iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -641,7 +641,7 @@ again:
next_tail = (tail + sizeof(*cmd)) % iommu->cmd_buf_size;
left = (head - next_tail) % iommu->cmd_buf_size;

- if (left <= 2) {
+ if (left <= 0x20) {
struct iommu_cmd sync_cmd;
volatile u64 sem = 0;
int ret;
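
Review bot: the threshold is now correct (`left` is measured in bytes, and at 16 bytes per command the old `left <= 2` could only hold at left == 0, by which point there was no room for the sync command either), but writing it as `2 * sizeof(*cmd)` would tie it to the same quantity used for next_tail two lines above and avoid a second hard-coded size. A short comment saying the two slots are for the command being queued plus the COMPLETE_WAIT would make the constant self-explanatory.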

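Added example, not part of the patch or of the amd_iommu driver: a small C model of the free-space computation shown in the hunk, with the 16-byte command size from the commit message, to show that the old byte-valued threshold of 2 could only fire once the ring was completely full. The ring size and the head/tail positions are constructed values; the modulo form mirrors the driver and relies on the ring size being a power of two, as the real command buffer is.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Every AMD IOMMU command is 128 bits, so head/tail advance by 0x10. */
#define CMD_SIZE 0x10U

/*
 * Constructed mirror of the driver's arithmetic:
 *   next_tail = (tail + sizeof(*cmd)) % cmd_buf_size;
 *   left      = (head - next_tail) % cmd_buf_size;
 * The unsigned wrap in (head - next_tail) only gives the right answer
 * because cmd_buf_size is a power of two.
 */
static uint32_t cmd_buf_left(uint32_t head, uint32_t tail, uint32_t cmd_buf_size)
{
	uint32_t next_tail = (tail + CMD_SIZE) % cmd_buf_size;

	return (head - next_tail) % cmd_buf_size;
}

/*
 * The removed check, left <= 2. Since left is always a multiple of
 * CMD_SIZE this is true only at left == 0, i.e. when queuing this
 * command would make tail catch up with head.
 */
static bool old_needs_completion_wait(uint32_t left)
{
	return left <= 2;
}

/*
 * The new check: room for at most two commands, the one about to be
 * queued plus the COMPLETE_WAIT needed to drain the ring.
 */
static bool new_needs_completion_wait(uint32_t left)
{
	return left <= 2 * CMD_SIZE;
}

/*
 * Advance the producer (tail) towards the consumer (head) from the given
 * positions and return how many commands are queued before the check
 * first fires, so the two thresholds can be compared directly.
 */
static unsigned int commands_before_wait(uint32_t head, uint32_t tail,
					 uint32_t cmd_buf_size,
					 bool (*needs_wait)(uint32_t))
{
	unsigned int queued = 0;

	while (!needs_wait(cmd_buf_left(head, tail, cmd_buf_size))) {
		tail = (tail + CMD_SIZE) % cmd_buf_size;
		queued++;
	}
	return queued;
}

int main(void)
{
	const uint32_t size = 0x100;	/* constructed ring: 16 commands */
	uint32_t head = 0x00, tail = 0x00;	/* empty ring */

	/* old check: 15 of 16 slots fill before any wait is issued */
	printf("old check lets %u commands in before waiting\n",
	       commands_before_wait(head, tail, size, old_needs_completion_wait));
	/* new check: fires with two slots still free */
	printf("new check lets %u commands in before waiting\n",
	       commands_before_wait(head, tail, size, new_needs_completion_wait));
	return 0;
}
```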
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e upstream.

Fix NULL-pointer dereferences at open() and disconnect() should the
device lack the expected bulk-out endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 000000b4
...
[c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
[<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
[<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
[<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
[<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])

Unable to handle kernel NULL pointer dereference at virtual address 00000234
...
[<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: add this check to the existing
usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -152,6 +152,12 @@ static int omninet_attach(struct usb_ser
struct omninet_data *od;
struct usb_serial_port *port = serial->port[0];

+ /* The second bulk-out endpoint is used for writing. */
+ if (serial->num_bulk_out < 2) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }
+
od = kmalloc(sizeof(struct omninet_data), GFP_KERNEL);
if (!od) {
dev_err(&port->dev, "%s- kmalloc(%Zd) failed.\n",

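Review bot: the check sits before the kmalloc(), so the -ENODEV path needs no cleanup, good. The commit message says the dereferences happen in open() and disconnect(), while the comment only mentions writing; widening it to say the second bulk-out endpoint is assumed by open(), write() and disconnect() would make the reason for the `< 2` bound clearer. The error is logged against serial->interface->dev while the existing allocation failure below logs against port->dev; either works, but one device for both messages would be tidier.
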
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit c4ac4496e835b78a45dfbf74f6173932217e4116 upstream.

Make sure to free the URB transfer buffer in case submission fails (e.g.
due to a disconnect).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/garmin_gps.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1075,6 +1075,7 @@ static int garmin_write_bulk(struct usb_
"%s - usb_submit_urb(write bulk) failed with status = %d\n",
__func__, status);
count = status;
+ kfree(buffer);
}

/* we are done with this urb, so let the host driver

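Review bot: freeing `buffer` on submit failure is correct only if the URB was not set up with URB_FREE_BUFFER, otherwise the usb_free_urb() implied by the comment just below would free transfer_buffer a second time; the allocation is outside the hunk, so please confirm. The branch also keeps `count = status`, so the caller still sees the error rather than a bogus byte count.
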
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gre...@linuxfoundation.org>

commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.

Andrey Konovalov reported that we were not properly checking the upper
limit of a device configuration size before calling
memdup_user(), which could cause some problems.

So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.

Reported-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/gadget/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1861,7 +1861,8 @@ dev_config (struct file *fd, const char
u32 tag;
char *kbuf;

- if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
+ if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
+ (len > PAGE_SIZE * 4))
return -EINVAL;

/* we might need to change message format someday */

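Review bot: `PAGE_SIZE * 4` makes the accepted configuration size arch-dependent (16 KiB with 4 KiB pages, 256 KiB with 64 KiB pages); if the intent is just "large enough for any real device", a fixed constant would give the same bound everywhere and be easier to reason about. The lower bound is preserved and the combined condition reads fine.
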
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 75dd211e773afcbc264677b0749d1cf7d937ab2d upstream.

Do not submit the interrupt URB until after the parport has been
successfully registered to avoid another use-after-free in the
completion handler when accessing the freed parport private data in case
of a racing completion.

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/mos7720.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -2137,22 +2137,20 @@ static int mos7720_startup(struct usb_se
usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);

- /* start the interrupt urb */
- ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
- if (ret_val)
- dev_err(&dev->dev,
- "%s - Error %d submitting control urb\n",
- __func__, ret_val);
-
#ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
if (product == MOSCHIP_DEVICE_ID_7715) {
ret_val = mos7715_parport_init(serial);
- if (ret_val < 0) {
- usb_kill_urb(serial->port[0]->interrupt_in_urb);
+ if (ret_val < 0)
return ret_val;
- }
}
#endif
+ /* start the interrupt urb */
+ ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
+ if (ret_val) {
+ dev_err(&dev->dev, "failed to submit interrupt urb: %d\n",
+ ret_val);
+ }
+
/* LSR For Port 1 */
read_mos_reg(serial, 0, LSR, &data);
dbg("LSR:%x", data);

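Review bot: after the move, a mos7715_parport_init() failure correctly returns without usb_kill_urb(), because the interrupt URB has not been submitted yet at that point, and a submit failure still only logs and carries on, as before. One consequence worth noting in the message: a successful parport registration followed by a failed URB submit now leaves the parport registered with no interrupt URB running, which is the only partial-setup state this function can still end in.
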
Ben Hutchings
Mar 10, 2017, 8:10:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3 upstream.

The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:

Unable to handle kernel paging request at virtual address 6b6b6be7
...
[<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
[<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
[<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/mos7720.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -2147,8 +2147,10 @@ static int mos7720_startup(struct usb_se
#ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
if (product == MOSCHIP_DEVICE_ID_7715) {
ret_val = mos7715_parport_init(serial);
- if (ret_val < 0)
+ if (ret_val < 0) {
+ usb_kill_urb(serial->port[0]->interrupt_in_urb);
return ret_val;
+ }
}
#endif
/* LSR For Port 1 */
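
Review bot: the kill added here is only meaningful while the interrupt URB is submitted before mos7715_parport_init(), which is the layout this hunk's context shows (`/* LSR For Port 1 */` directly after the #endif); the companion patch in this series (75dd211e773a) moves the submit below the parport init and deletes this same line again, so the series order matters and the two must not be swapped.
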
@@ -2162,6 +2164,8 @@ static void mos7720_release(struct usb_s
{
int i;

+ usb_kill_urb(serial->port[0]->interrupt_in_urb);
+
#ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
/* close the parallel port */

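Review bot: usb_kill_urb() in release is the right place to stop the interrupt URB on the disconnect path, and it is also safe when usb_submit_urb() had failed in startup, since killing a URB that was never submitted is a no-op. Placing it before the parport teardown under the #ifdef is the correct order, because the completion handler can touch parport state.
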
Ben Hutchings
Mar 10, 2017, 8:10:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicolas PLANEL <nicolas...@enovance.com>

commit aa91def41a7bb1fd65492934ce6bea19202b6080 upstream.

The ch341_set_baudrate() function initializes the device baud speed
according to the value in priv->baud_rate. By default ch341_open() sets
it to a hardcoded value (DEFAULT_BAUD_RATE 9600). Unfortunately, the
tty_struct is not initialized with the same default value (usually 56700).

This means that the tty_struct and the device baud rate generator are not
synchronized after opening the port.

The fixup is done by calling ch341_set_termios() if tty exists.
Remove the unnecessary priv->baud_rate setup as it's already done by
ch341_port_probe().
Remove the unnecessary calls to ch341_set_{handshake,baudrate}() in
ch341_open() as they are already called in ch341_configure() and
ch341_set_termios().

Signed-off-by: Nicolas PLANEL <nicolas...@enovance.com>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ch341.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -88,6 +88,10 @@ struct ch341_private {
u8 multi_status_change; /* status changed multiple since last call */
};

+static void ch341_set_termios(struct tty_struct *tty,
+ struct usb_serial_port *port,
+ struct ktermios *old_termios);
+
static int ch341_control_out(struct usb_device *dev, u8 request,
u16 value, u16 index)
{
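
Review bot: a forward declaration is the minimal way to let ch341_open() reach ch341_set_termios(), which is defined further down; the prototype must stay identical to the definition (including the `struct ktermios *old_termios` parameter), so any later signature change has two places to update. A one-line comment saying why the declaration is needed would help the next reader.
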
@@ -318,19 +322,12 @@ static int ch341_open(struct tty_struct

dbg("ch341_open()");

- priv->baud_rate = DEFAULT_BAUD_RATE;
-
r = ch341_configure(serial->dev, priv);
if (r)
goto out;

- r = ch341_set_handshake(serial->dev, priv->line_control);
- if (r)
- goto out;
-
- r = ch341_set_baudrate(serial->dev, priv);
- if (r)
- goto out;
+ if (tty)
+ ch341_set_termios(tty, port, NULL);

dbg("%s - submitting interrupt urb", __func__);
port->interrupt_in_urb->dev = serial->dev;

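Review bot: replacing the two checked calls with `ch341_set_termios(tty, port, NULL)` loses error propagation: the removed ch341_set_handshake() and ch341_set_baudrate() calls each fed `r` to `goto out`, whereas set_termios is void, so a device that rejects the baud-rate or handshake setup now opens "successfully". Also confirm that ch341_set_termios() tolerates old_termios == NULL, since that is how it is invoked here. The `if (tty)` guard is needed because open() can run without a tty.
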
Ben Hutchings
Mar 10, 2017, 8:10:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09 upstream.

Fix NULL-pointer dereference in write() should the device lack the
expected interrupt-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000054
...
PC is at kobil_write+0x144/0x2a0 [kobil_sct]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: add this check to the existing
usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/usb/serial/kobil_sct.c
+++ b/drivers/usb/serial/kobil_sct.c
@@ -150,6 +150,11 @@ static int kobil_startup(struct usb_seri
struct usb_host_interface *altsetting;
struct usb_host_endpoint *endpoint;

+ if (serial->num_interrupt_out < serial->num_ports) {
+ dev_err(&serial->interface->dev, "missing interrupt-out endpoint\n");
+ return -ENODEV;
+ }
+
priv = kmalloc(sizeof(struct kobil_private), GFP_KERNEL);
if (!priv)
return -ENOMEM;

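Review bot: using serial->num_ports as the bound rather than a literal keeps the check correct if the driver ever exposes more than one port, and placing it before the kmalloc() keeps the error path free of cleanup. The bwh note says this is the attach implementation, which is the right hook: endpoint counts are known by then and failing attach prevents the port from ever reaching write().
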
Ben Hutchings
Mar 10, 2017, 8:10:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc upstream.

Fix NULL-pointer dereference at port open if a device lacks the expected
bulk in and out endpoints.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
[<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/mos7720.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -2079,6 +2079,11 @@ static int mos7720_startup(struct usb_se
return -ENODEV;
}

+ if (serial->num_bulk_in < 2 || serial->num_bulk_out < 2) {
+ dev_err(&serial->interface->dev, "missing bulk endpoints\n");
+ return -ENODEV;
+ }
+
product = le16_to_cpu(serial->dev->descriptor.idProduct);
dev = serial->dev;

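Review bot: the bound is written as the literal 2 for both bulk-in and bulk-out, one pair per port; that is fine if the driver is fixed at two ports, but serial->num_ports (as the kobil_sct fix in this series uses) would document the intent and survive a change in port count. The check is placed after the existing -ENODEV return and before any allocation, so no cleanup is needed.
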
Ben Hutchings
Mar 10, 2017, 8:10:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 472d7e55d559aa1cbf58c73b14fcfc4651b1a9f5 upstream.

The interrupt URB is killed at final port close since commit
0de9a7024e7a ("USB: overhaul of mos7840 driver").

Fixes: 0de9a7024e7a ("USB: overhaul of mos7840 driver")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/mos7840.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1071,9 +1071,7 @@ static int mos7840_open(struct tty_struc
serial,
serial->port[0]->interrupt_in_urb->interval);

- /* start interrupt read for mos7840 *
- * will continue as long as mos7840 is connected */
-
+ /* start interrupt read for mos7840 */
response =

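Review bot: comment-only change, consistent with the diffstat (1 insertion, 3 deletions) and with the commit message that the URB is killed at final close, so "will continue as long as mos7840 is connected" was stale. Nothing further to flag.
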
Ben Hutchings
Mar 10, 2017, 8:10:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 5afeef2366db14587b65558bbfd5a067542e07fb upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at oti6858_open+0x30/0x1d0 [oti6858]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42 cable)")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: add this check to the existing
usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/usb/serial/oti6858.c
+++ b/drivers/usb/serial/oti6858.c
@@ -347,9 +347,17 @@ static void send_data(struct work_struct
static int oti6858_startup(struct usb_serial *serial)
{
struct usb_serial_port *port = serial->port[0];
+ unsigned char num_ports = serial->num_ports;
struct oti6858_private *priv;
int i;

+ if (serial->num_bulk_in < num_ports ||
+ serial->num_bulk_out < num_ports ||
+ serial->num_interrupt_in < num_ports) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }
+
for (i = 0; i < serial->num_ports; ++i) {
priv = kzalloc(sizeof(struct oti6858_private), GFP_KERNEL);
if (!priv)

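Review bot: the new local `num_ports` is used by the endpoint check but the loop directly below still iterates on serial->num_ports; either use the local in both places or drop it, otherwise it reads as if the two could differ. The check covers bulk-in, bulk-out and interrupt-in, which is more than the open() crash strictly needs, but the commit message notes a missing interrupt-in already failed open(), so the combined check is consistent and sits before any allocation.
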
Ben Hutchings
Mar 10, 2017, 8:10:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Benjamin Block <bbl...@linux.vnet.ibm.com>

commit dac37e15b7d511e026a9313c8c46794c144103cd upstream.

When SCSI EH invokes zFCP's callbacks for eh_device_reset_handler() and
eh_target_reset_handler(), it expects us to relent the ownership over
the given scsi_cmnd and all other scsi_cmnds within the same scope - LUN
or target - when returning with SUCCESS from the callback ('release'
them). SCSI EH can then reuse those commands.

We did not follow this rule to release commands upon SUCCESS; and if
later a reply arrived for one of those supposed to be released commands,
we would still make use of the scsi_cmnd in our ingress tasklet. This
will at least result in undefined behavior or a kernel panic because of
a wrong kernel pointer dereference.

To fix this, we NULLify all pointers to scsi_cmnds (struct zfcp_fsf_req
*)->data in the matching scope if a TMF was successful. This is done
under the locks (struct zfcp_adapter *)->abort_lock and (struct
zfcp_reqlist *)->lock to prevent the requests from being removed from
the request-hashtable, and the ingress tasklet from making use of the
scsi_cmnd-pointer in zfcp_fsf_fcp_cmnd_handler().

For cases where a reply arrives during SCSI EH, but before we get a
chance to NULLify the pointer - but before we return from the callback
-, we assume that the code is protected from races via the CAS operation
in blk_complete_request() that is called in scsi_done().

The following stacktrace shows an example for a crash resulting from the
previous behavior:

Unable to handle kernel pointer dereference at virtual kernel address fffffee17a672000
Oops: 0038 [#1] SMP
CPU: 2 PID: 0 Comm: swapper/2 Not tainted
task: 00000003f7ff5be0 ti: 00000003f3d38000 task.ti: 00000003f3d38000
Krnl PSW : 0404d00180000000 00000000001156b0 (smp_vcpu_scheduled+0x18/0x40)
R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 EA:3
Krnl GPRS: 000000200000007e 0000000000000000 fffffee17a671fd8 0000000300000015
ffffffff80000000 00000000005dfde8 07000003f7f80e00 000000004fa4e800
000000036ce8d8f8 000000036ce8d9c0 00000003ece8fe00 ffffffff969c9e93
00000003fffffffd 000000036ce8da10 00000000003bf134 00000003f3b07918
Krnl Code: 00000000001156a2: a7190000 lghi %r1,0
00000000001156a6: a7380015 lhi %r3,21
#00000000001156aa: e32050000008 ag %r2,0(%r5)
>00000000001156b0: 482022b0 lh %r2,688(%r2)
00000000001156b4: ae123000 sigp %r1,%r2,0(%r3)
00000000001156b8: b2220020 ipm %r2
00000000001156bc: 8820001c srl %r2,28
00000000001156c0: c02700000001 xilf %r2,1
Call Trace:
([<0000000000000000>] 0x0)
[<000003ff807bdb8e>] zfcp_fsf_fcp_cmnd_handler+0x3de/0x490 [zfcp]
[<000003ff807be30a>] zfcp_fsf_req_complete+0x252/0x800 [zfcp]
[<000003ff807c0a48>] zfcp_fsf_reqid_check+0xe8/0x190 [zfcp]
[<000003ff807c194e>] zfcp_qdio_int_resp+0x66/0x188 [zfcp]
[<000003ff80440c64>] qdio_kick_handler+0xdc/0x310 [qdio]
[<000003ff804463d0>] __tiqdio_inbound_processing+0xf8/0xcd8 [qdio]
[<0000000000141fd4>] tasklet_action+0x9c/0x170
[<0000000000141550>] __do_softirq+0xe8/0x258
[<000000000010ce0a>] do_softirq+0xba/0xc0
[<000000000014187c>] irq_exit+0xc4/0xe8
[<000000000046b526>] do_IRQ+0x146/0x1d8
[<00000000005d6a3c>] io_return+0x0/0x8
[<00000000005d6422>] vtime_stop_cpu+0x4a/0xa0
([<0000000000000000>] 0x0)
[<0000000000103d8a>] arch_cpu_idle+0xa2/0xb0
[<0000000000197f94>] cpu_startup_entry+0x13c/0x1f8
[<0000000000114782>] smp_start_secondary+0xda/0xe8
[<00000000005d6efe>] restart_int_handler+0x56/0x6c
[<0000000000000000>] 0x0
Last Breaking-Event-Address:
[<00000000003bf12e>] arch_spin_lock_wait+0x56/0xb0

Suggested-by: Steffen Maier <ma...@linux.vnet.ibm.com>
Signed-off-by: Benjamin Block <bbl...@linux.vnet.ibm.com>
Fixes: ea127f9754 ("[PATCH] s390 (7/7): zfcp host adapter.") (tglx/history.git)
Signed-off-by: Steffen Maier <ma...@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/s390/scsi/zfcp_dbf.h | 11 ++++++++
drivers/s390/scsi/zfcp_reqlist.h | 30 ++++++++++++++++++++-
drivers/s390/scsi/zfcp_scsi.c | 57 ++++++++++++++++++++++++++++++++++++++--
3 files changed, 95 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -388,4 +388,15 @@ void zfcp_dbf_scsi_devreset(char *tag, s
_zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
}

+/**
+ * zfcp_dbf_scsi_nullcmnd() - trace NULLify of SCSI command in dev/tgt-reset.
+ * @scmnd: SCSI command that was NULLified.
+ * @fsf_req: request that owned @scmnd.
+ */
+static inline void zfcp_dbf_scsi_nullcmnd(struct scsi_cmnd *scmnd,
+ struct zfcp_fsf_req *fsf_req)
+{
+ _zfcp_dbf_scsi("scfc__1", 3, scmnd, fsf_req);
+}
+
#endif /* ZFCP_DBF_H */
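Review bot: the new helper traces at level 3 while the neighbouring zfcp_dbf_scsi_devreset() in the same header traces at level 1; a short comment on why the NULLify event is recorded at a different level than the reset that triggers it would help anyone tuning the trace configuration. The kernel-doc block itself is complete and follows the file's existing style.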
--- a/drivers/s390/scsi/zfcp_reqlist.h
+++ b/drivers/s390/scsi/zfcp_reqlist.h
@@ -4,7 +4,7 @@
* Data structure and helper functions for tracking pending FSF
* requests.
*
- * Copyright IBM Corporation 2009
+ * Copyright IBM Corp. 2009, 2016
*/

#ifndef ZFCP_REQLIST_H
@@ -180,4 +180,32 @@ static inline void zfcp_reqlist_move(str
spin_unlock_irqrestore(&rl->lock, flags);
}

+/**
+ * zfcp_reqlist_apply_for_all() - apply a function to every request.
+ * @rl: the requestlist that contains the target requests.
+ * @f: the function to apply to each request; the first parameter of the
+ * function will be the target-request; the second parameter is the same
+ * pointer as given with the argument @data.
+ * @data: freely chosen argument; passed through to @f as second parameter.
+ *
+ * Uses :c:macro:`list_for_each_entry` to iterate over the lists in the hash-
+ * table (not a 'safe' variant, so don't modify the list).
+ *
+ * Holds @rl->lock over the entire request-iteration.
+ */
+static inline void
+zfcp_reqlist_apply_for_all(struct zfcp_reqlist *rl,
+ void (*f)(struct zfcp_fsf_req *, void *), void *data)
+{
+ struct zfcp_fsf_req *req;
+ unsigned long flags;
+ unsigned int i;
+
+ spin_lock_irqsave(&rl->lock, flags);
+ for (i = 0; i < ZFCP_REQ_LIST_BUCKETS; i++)
+ list_for_each_entry(req, &rl->buckets[i], list)
+ f(req, data);
+ spin_unlock_irqrestore(&rl->lock, flags);
+}
+
#endif /* ZFCP_REQLIST_H */
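Review bot: the kernel-doc should state the constraint this places on @f, not only that @rl->lock is held: the callback runs with the spinlock held and interrupts disabled, so it must not sleep, must not take @rl->lock again, and must not remove entries (the comment already notes the non-safe list walk). Spelling this out matters because the first user, zfcp_scsi_forget_cmnd(), is invoked with adapter->abort_lock already held, which fixes the lock order abort_lock -> req_list->lock for every future caller.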
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
*
* Interface to Linux SCSI midlayer.
*
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
*/

#define KMSG_COMPONENT "zfcp"
@@ -230,6 +230,57 @@ static int zfcp_scsi_eh_abort_handler(st
return retval;
}

+struct zfcp_scsi_req_filter {
+ u8 tmf_scope;
+ u32 lun_handle;
+ u32 port_handle;
+};
+
+static void zfcp_scsi_forget_cmnd(struct zfcp_fsf_req *old_req, void *data)
+{
+ struct zfcp_scsi_req_filter *filter =
+ (struct zfcp_scsi_req_filter *)data;
+
+ /* already aborted - prevent side-effects - or not a SCSI command */
+ if (old_req->data == NULL || old_req->fsf_command != FSF_QTCB_FCP_CMND)
+ return;
+
+ /* (tmf_scope == FCP_TMF_TGT_RESET || tmf_scope == FCP_TMF_LUN_RESET) */
+ if (old_req->qtcb->header.port_handle != filter->port_handle)
+ return;
+
+ if (filter->tmf_scope == FCP_TMF_LUN_RESET &&
+ old_req->qtcb->header.lun_handle != filter->lun_handle)
+ return;
+
+ zfcp_dbf_scsi_nullcmnd((struct scsi_cmnd *)old_req->data, old_req);
+ old_req->data = NULL;
+}
+
+static void zfcp_scsi_forget_cmnds(struct zfcp_scsi_dev *zsdev, u8 tm_flags)
+{
+ struct zfcp_adapter *adapter = zsdev->port->adapter;
+ struct zfcp_scsi_req_filter filter = {
+ .tmf_scope = FCP_TMF_TGT_RESET,
+ .port_handle = zsdev->port->handle,
+ };
+ unsigned long flags;
+
+ if (tm_flags == FCP_TMF_LUN_RESET) {
+ filter.tmf_scope = FCP_TMF_LUN_RESET;
+ filter.lun_handle = zsdev->lun_handle;
+ }
+
+ /*
+ * abort_lock secures against other processings - in the abort-function
+ * and normal cmnd-handler - of (struct zfcp_fsf_req *)->data
+ */
+ write_lock_irqsave(&adapter->abort_lock, flags);
+ zfcp_reqlist_apply_for_all(adapter->req_list, zfcp_scsi_forget_cmnd,
+ &filter);
+ write_unlock_irqrestore(&adapter->abort_lock, flags);
+}
+
static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
{
struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
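Review bot: the comment `/* (tmf_scope == FCP_TMF_TGT_RESET || tmf_scope == FCP_TMF_LUN_RESET) */` above the port_handle comparison is an expression rather than an explanation; suggest `/* the port handle must match for both target- and LUN-reset scope */`. In zfcp_scsi_forget_cmnds(), filter.lun_handle is left zero-initialised for the target-reset case, which is fine because it is only compared under FCP_TMF_LUN_RESET, but a note saying so would keep the initialiser from being "completed" later.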
@@ -262,8 +313,10 @@ static int zfcp_task_mgmt_function(struc
if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
retval = FAILED;
- } else
+ } else {
zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+ zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
+ }

zfcp_fsf_req_free(fsf_req);
return retval;

Ben Hutchings
Mar 10, 2017, 8:10:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit a20047f36e2f6a1eea4f1fd261aaa55882369868 upstream.

The private baud_rate variable is used to configure the port at open and
reset-resume and must never be set to (and left at) zero or reset-resume
and all further open attempts will fail.

Fixes: aa91def41a7b ("USB: ch341: set tty baud speed according to tty struct")
Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -366,14 +366,15 @@ static void ch341_set_termios(struct tty

baud_rate = tty_get_baud_rate(tty);

- priv->baud_rate = baud_rate;
-
ctrl = CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8;

if (baud_rate) {
spin_lock_irqsave(&priv->lock, flags);
priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
spin_unlock_irqrestore(&priv->lock, flags);
+
+ priv->baud_rate = baud_rate;
+
r = ch341_init_set_baudrate(port->serial->dev, priv, ctrl);
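Review bot: moving the store inside `if (baud_rate)` means a B0 request keeps the previous non-zero priv->baud_rate, which is exactly what the commit message wants for reset-resume and later opens; a one-line comment at `priv->baud_rate = baud_rate;` stating that the cached rate must never be zero would stop the assignment from being hoisted back out in a future cleanup.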

Ben Hutchings
Mar 10, 2017, 8:10:07 AM
On Fri, 2017-03-10 at 04:47 -0800, Guenter Roeck wrote:
> On 03/10/2017 03:46 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.2.87
> > release.
> > There are 199 patches in this series, which will be posted as
> > responses
> > to this one.  If anyone has any issues with these being applied,
> > please
> > let me know.
> >
> > Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 89 pass: 89 fail: 0
> Qemu test results:
> total: 69 pass: 69 fail: 0
>
> Details are available at http://kerneltests.org/builders/

Thanks for checking.

Ben.

--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.


Ben Hutchings
Mar 10, 2017, 8:10:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.

Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user. In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE). And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).

This patch adds the additional check and fixes the existing check. It
may do a little more than strictly necessary, but one extra check
won't hurt.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
CC: Andrey Konovalov <andre...@google.com>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/gadget/inode.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1841,10 +1841,12 @@ static struct usb_gadget_driver probe_dr
* such as configuration notifications.
*/

-static int is_valid_config (struct usb_config_descriptor *config)
+static int is_valid_config(struct usb_config_descriptor *config,
+ unsigned int total)
{
return config->bDescriptorType == USB_DT_CONFIG
&& config->bLength == USB_DT_CONFIG_SIZE
+ && total >= USB_DT_CONFIG_SIZE
&& config->bConfigurationValue != 0
&& (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
&& (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
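Review bot: `total >= USB_DT_CONFIG_SIZE` is the right minimum, but `total` is the untrusted wTotalLength taken from user data while the other checks look at the descriptor header; a comment naming the new parameter as the caller-supplied wTotalLength (and a kernel-doc line for it) would make the validation intent visible at the function rather than only at the two call sites.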
@@ -1886,7 +1888,8 @@ dev_config (struct file *fd, const char
/* full or low speed config */
dev->config = (void *) kbuf;
total = le16_to_cpu(dev->config->wTotalLength);
- if (!is_valid_config (dev->config) || total >= length)
+ if (!is_valid_config(dev->config, total) ||
+ total > length - USB_DT_DEVICE_SIZE)
goto fail;
kbuf += total;
length -= total;
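Review bot: `total > length - USB_DT_DEVICE_SIZE` relies on `length` being at least USB_DT_DEVICE_SIZE at this point; that lower bound is established earlier in dev_config() and is not visible in the hunk, and if `length` is unsigned the subtraction would wrap and let a short buffer through. Writing it as `total + USB_DT_DEVICE_SIZE > length` (total is a 16-bit value, so the addition cannot overflow) removes the dependency on that invariant.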
@@ -1895,7 +1898,8 @@ dev_config (struct file *fd, const char
if (kbuf [1] == USB_DT_CONFIG) {
dev->hs_config = (void *) kbuf;
total = le16_to_cpu(dev->hs_config->wTotalLength);
- if (!is_valid_config (dev->hs_config) || total >= length)
+ if (!is_valid_config(dev->hs_config, total) ||
+ total > length - USB_DT_DEVICE_SIZE)
goto fail;
kbuf += total;
length -= total;
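Review bot: this is the same bound as the full-speed branch above; factoring `!is_valid_config(cfg, total) || total > length - USB_DT_DEVICE_SIZE` into one small helper would keep the two speeds' validation from drifting apart the next time one of them is tightened.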

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gre...@linuxfoundation.org>

commit 1ebb71143758f45dc0fa76e2f48429e13b16d110 upstream.

Make sure we have enough of a report structure to validate before
looking at it.

Reported-by: Benoit Camredon <benoit....@airbus.com>
Tested-by: Benoit Camredon <benoit....@airbus.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jko...@suse.cz>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/hid/hid-cypress.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/hid/hid-cypress.c
+++ b/drivers/hid/hid-cypress.c
@@ -40,6 +40,9 @@ static __u8 *cp_report_fixup(struct hid_
if (!(quirks & CP_RDESC_SWAPPED_MIN_MAX))
return rdesc;

+ if (*rsize < 4)
+ return rdesc;
+
for (i = 0; i < *rsize - 4; i++)
if (rdesc[i] == 0x29 && rdesc[i + 2] == 0x19) {
__u8 tmp;
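Review bot: the guard deserves a one-line comment: *rsize is unsigned, so for a descriptor shorter than 4 bytes `*rsize - 4` wraps to a huge loop bound and `rdesc[i + 2]` reads past the buffer; the early return is what prevents that.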

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <dan...@iogearbox.net>

commit 628185cfddf1dfb701c4efe2cfd72cf5b09f5702 upstream.

Shahar reported a soft lockup in tc_classify(), where we run into an
endless loop when walking the classifier chain due to tp->next == tp
which is a state we should never run into. The issue only seems to
trigger under load in the tc control path.

What happens is that in tc_ctl_tfilter(), thread A allocates a new
tp, initializes it, sets tp_created to 1, and calls into tp->ops->change()
with it. In that classifier callback we had to unlock/lock the rtnl
mutex and returned with -EAGAIN. One reason why we need to drop there
is, for example, that we need to request an action module to be loaded.

This happens via tcf_exts_validate() -> tcf_action_init/_1() meaning
after we loaded and found the requested action, we need to redo the
whole request so we don't race against others. While we had to unlock
rtnl in that time, thread B's request was processed next on that CPU.
Thread B added a new tp instance successfully to the classifier chain.
When thread A returned grabbing the rtnl mutex again, propagating -EAGAIN
and destroying its tp instance which never got linked, we goto replay
and redo A's request.

This time when walking the classifier chain in tc_ctl_tfilter() for
checking for existing tp instances we had a priority match and found
the tp instance that was created and linked by thread B. Now calling
again into tp->ops->change() with that tp was successful and returned
without error.

tp_created was never cleared in the second round, thus kernel thinks
that we need to link it into the classifier chain (once again). tp and
*back point to the same object due to the match we had earlier on. Thus
for thread B's already public tp, we reset tp->next to tp itself and
link it into the chain, which eventually causes the mentioned endless
loop in tc_classify() once a packet hits the data path.

Fix is to clear tp_created at the beginning of each request, also when
we replay it. On the paths that can cause -EAGAIN we already destroy
the original tp instance we had and on replay we really need to start
from scratch. It seems that this issue was first introduced in commit
12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining
and avoid kernel panic when we use cls_cgroup").

Fixes: 12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining and avoid kernel panic when we use cls_cgroup")
Reported-by: Shahar Klein <sha...@mellanox.com>
Signed-off-by: Daniel Borkmann <dan...@iogearbox.net>
Cc: Cong Wang <xiyou.w...@gmail.com>
Acked-by: Eric Dumazet <edum...@google.com>
Tested-by: Shahar Klein <sha...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/sched/cls_api.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -137,9 +137,11 @@ static int tc_ctl_tfilter(struct sk_buff
unsigned long cl;
unsigned long fh;
int err;
- int tp_created = 0;
+ int tp_created;

replay:
+ tp_created = 0;
+
t = NLMSG_DATA(n);
protocol = TC_H_MIN(t->tcm_info);
prio = TC_H_MAJ(t->tcm_info);
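Review bot: resetting tp_created at the replay label is the right fix for the stale flag on the second round, but dropping the initializer from the declaration gains nothing: gcc's uninitialized-use analysis can be confused by the backward goto to replay, so keeping `int tp_created = 0;` alongside the reset at replay avoids a spurious warning at no cost.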

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leo...@mellanox.com>

commit c1d5f8ff80ea84768f5fae1ca9d1abfbb5e6bbaa upstream.

This patch removes BUG_ON() macro from mlx4_alloc_icm_coherent()
by checking DMA address alignment in advance and performing proper
folding in case of error.

Fixes: 5b0bf5e25efe ("mlx4_core: Support ICM tables in coherent memory")
Reported-by: Ozgur Karatas <okar...@member.fsf.org>
Signed-off-by: Leon Romanovsky <leo...@mellanox.com>
Signed-off-by: Tariq Toukan <tar...@mellanox.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/mellanox/mlx4/icm.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/icm.c
+++ b/drivers/net/ethernet/mellanox/mlx4/icm.c
@@ -113,8 +113,13 @@ static int mlx4_alloc_icm_coherent(struc
if (!buf)
return -ENOMEM;

+ if (offset_in_page(buf)) {
+ dma_free_coherent(dev, PAGE_SIZE << order,
+ buf, sg_dma_address(mem));
+ return -ENOMEM;
+ }
+
sg_set_buf(mem, buf, PAGE_SIZE << order);
- BUG_ON(mem->offset);
sg_dma_len(mem) = PAGE_SIZE << order;
return 0;
}
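Review bot: the misalignment branch fails silently; since this condition replaces a BUG_ON, a dev_err() naming the unexpected offset before `return -ENOMEM` would keep the failure diagnosable, and -ENOMEM is a slightly misleading errno for a buffer that was allocated but not page aligned. The dma_free_coherent() arguments match the allocation size and the handle stored in sg_dma_address(mem), so the cleanup itself looks correct.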

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 030ee7ae52a46a2be52ccc8242c4a330aba8d38e upstream.

The modem-control signals are managed by the tty-layer during open and
should not be asserted prematurely when set_termios is called from
driver open.

Also make sure that the signals are asserted only when changing speed
from B0.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ch341.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -369,10 +369,6 @@ static void ch341_set_termios(struct tty
ctrl = CH341_LCR_ENABLE_RX | CH341_LCR_ENABLE_TX | CH341_LCR_CS8;

if (baud_rate) {
- spin_lock_irqsave(&priv->lock, flags);
- priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
- spin_unlock_irqrestore(&priv->lock, flags);
-
priv->baud_rate = baud_rate;

r = ch341_init_set_baudrate(port->serial->dev, priv, ctrl);
@@ -380,13 +376,14 @@ static void ch341_set_termios(struct tty
priv->baud_rate = tty_termios_baud_rate(old_termios);
tty_termios_copy_hw(tty->termios, old_termios);
}
- } else {
- spin_lock_irqsave(&priv->lock, flags);
- priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
- spin_unlock_irqrestore(&priv->lock, flags);
}

- ch341_set_handshake(port->serial->dev, priv->line_control);
+ spin_lock_irqsave(&priv->lock, flags);
+ if (C_BAUD(tty) == B0)
+ priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
+ else if (old_termios && (old_termios->c_cflag & CBAUD) == B0)
+ priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
+ spin_unlock_irqrestore(&priv->lock, flags);

/* Unimplemented:
* (cflag & CSIZE) : data bits [5, 8]
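Review bot: as shown, the hunk deletes the `ch341_set_handshake(port->serial->dev, priv->line_control);` call and no replacement appears in the visible lines, so the DTR/RTS bits updated under the lock are never written to the device from set_termios; if the call is meant to follow the new locked region it should be reinstated after `spin_unlock_irqrestore()`. The `old_termios &&` guard is needed because set_termios is called from open, where the commit message says the signals must not be asserted.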

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.va...@sandisk.com>

commit d3a2418ee36a59bc02e9d454723f3175dcf4bfd9 upstream.

This patch avoids that Coverity complains about not checking the
ib_find_pkey() return value.

Fixes: commit 547af76521b3 ("IB/multicast: Report errors on multicast groups if P_key changes")
Signed-off-by: Bart Van Assche <bart.va...@sandisk.com>
Cc: Sean Hefty <sean....@intel.com>
Signed-off-by: Doug Ledford <dled...@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/infiniband/core/multicast.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -516,8 +516,11 @@ static void join_handler(int status, str
if (status)
process_join_error(group, status);
else {
- ib_find_pkey(group->port->dev->device, group->port->port_num,
- be16_to_cpu(rec->pkey), &pkey_index);
+
+ if (ib_find_pkey(group->port->dev->device,
+ group->port->port_num, be16_to_cpu(rec->pkey),
+ &pkey_index))
+ pkey_index = MCAST_INVALID_PKEY_INDEX;

spin_lock_irq(&group->port->lock);
group->rec = *rec;
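Review bot: the added empty line directly after `else {` is stray whitespace. More substantively, MCAST_INVALID_PKEY_INDEX is assigned but neither its definition nor the code that later consumes pkey_index is in the hunk; a comment here saying that the sentinel is checked before the index is used would make the error handling verifiable in place.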

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darric...@oracle.com>

commit 7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58 upstream.

Don't load an inode with a negative size; this causes integer overflow
problems in the VFS.

[ Added EXT4_ERROR_INODE() to mark file system as corrupted. -TYT]

Fixes: a48380f769df (ext4: rename i_dir_acl to i_size_high)
Signed-off-by: Darrick J. Wong <darric...@oracle.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
[bwh: Backported to 3.2: use EIO instead of EFSCORRUPTED]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3829,6 +3829,7 @@ struct inode *ext4_iget(struct super_blo
struct inode *inode;
journal_t *journal = EXT4_SB(sb)->s_journal;
long ret;
+ loff_t size;
int block;

inode = iget_locked(sb, ino);
@@ -3880,6 +3881,11 @@ struct inode *ext4_iget(struct super_blo
ei->i_file_acl |=
((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
inode->i_size = ext4_isize(raw_inode);
+ if ((size = i_size_read(inode)) < 0) {
+ EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size);
+ ret = -EIO;
+ goto bad_inode;
+ }
ei->i_disksize = inode->i_size;
#ifdef CONFIG_QUOTA
ei->i_reserved_quota = 0;
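Review bot: the assignment inside the condition, `if ((size = i_size_read(inode)) < 0)`, is what checkpatch flags as 'do not use assignment in if condition'; `size = i_size_read(inode);` followed by `if (size < 0)` reads better. Placing the check before `ei->i_disksize = inode->i_size` is right, since a negative value here comes straight from the on-disk i_size_high and must not reach the VFS.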

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Aidan Thornton <mako...@gmail.com>

commit 6fde8d29b0424f292a4ec5dbce01458ad759a41f upstream.

No functional changes, this just gives names to some registers and USB
requests based on Grigori Goronzy's work and WinChipTech's Linux driver
(which reassuringly agree), then uses them in place of magic numbers.
This also renames the misnamed BREAK2 register (actually UART config).

Signed-off-by: Aidan Thornton <mako...@gmail.com>
Reviewed-by: Grigori Goronzy <gr...@chown.ath.cx>
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ch341.c | 51 +++++++++++++++++++++++++++++-----------------
1 file changed, 32 insertions(+), 19 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -62,13 +62,26 @@
* the Net/FreeBSD uchcom.c driver by Takanori Watanabe. Domo arigato.
*/

+#define CH341_REQ_READ_VERSION 0x5F
#define CH341_REQ_WRITE_REG 0x9A
#define CH341_REQ_READ_REG 0x95
-#define CH341_REG_BREAK1 0x05
-#define CH341_REG_BREAK2 0x18
-#define CH341_NBREAK_BITS_REG1 0x01
-#define CH341_NBREAK_BITS_REG2 0x40
+#define CH341_REQ_SERIAL_INIT 0xA1
+#define CH341_REQ_MODEM_CTRL 0xA4

+#define CH341_REG_BREAK 0x05
+#define CH341_REG_LCR 0x18
+#define CH341_NBREAK_BITS 0x01
+
+#define CH341_LCR_ENABLE_RX 0x80
+#define CH341_LCR_ENABLE_TX 0x40
+#define CH341_LCR_MARK_SPACE 0x20
+#define CH341_LCR_PAR_EVEN 0x10
+#define CH341_LCR_ENABLE_PAR 0x08
+#define CH341_LCR_STOP_BITS_2 0x04
+#define CH341_LCR_CS8 0x03
+#define CH341_LCR_CS7 0x02
+#define CH341_LCR_CS6 0x01
+#define CH341_LCR_CS5 0x00

static int debug;

@@ -147,9 +160,9 @@ static int ch341_set_baudrate(struct usb
a = (factor & 0xff00) | divisor;
b = factor & 0xff;

- r = ch341_control_out(dev, 0x9a, 0x1312, a);
+ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x1312, a);
if (!r)
- r = ch341_control_out(dev, 0x9a, 0x0f2c, b);
+ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x0f2c, b);

return r;
}
@@ -157,7 +170,7 @@ static int ch341_set_baudrate(struct usb
static int ch341_set_handshake(struct usb_device *dev, u8 control)
{
dbg("ch341_set_handshake(0x%02x)", control);
- return ch341_control_out(dev, 0xa4, ~control, 0);
+ return ch341_control_out(dev, CH341_REQ_MODEM_CTRL, ~control, 0);
}

static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
@@ -173,7 +186,7 @@ static int ch341_get_status(struct usb_d
if (!buffer)
return -ENOMEM;

- r = ch341_control_in(dev, 0x95, 0x0706, 0, buffer, size);
+ r = ch341_control_in(dev, CH341_REQ_READ_REG, 0x0706, 0, buffer, size);
if (r < 0)
goto out;

@@ -206,11 +219,11 @@ static int ch341_configure(struct usb_de
return -ENOMEM;

/* expect two bytes 0x27 0x00 */
- r = ch341_control_in(dev, 0x5f, 0, 0, buffer, size);
+ r = ch341_control_in(dev, CH341_REQ_READ_VERSION, 0, 0, buffer, size);
if (r < 0)
goto out;

- r = ch341_control_out(dev, 0xa1, 0, 0);
+ r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0, 0);
if (r < 0)
goto out;

@@ -219,11 +232,11 @@ static int ch341_configure(struct usb_de
goto out;

/* expect two bytes 0x56 0x00 */
- r = ch341_control_in(dev, 0x95, 0x2518, 0, buffer, size);
+ r = ch341_control_in(dev, CH341_REQ_READ_REG, 0x2518, 0, buffer, size);
if (r < 0)
goto out;

- r = ch341_control_out(dev, 0x9a, 0x2518, 0x0050);
+ r = ch341_control_out(dev, CH341_REQ_WRITE_REG, 0x2518, 0x0050);
if (r < 0)
goto out;

@@ -232,7 +245,7 @@ static int ch341_configure(struct usb_de
if (r < 0)
goto out;

- r = ch341_control_out(dev, 0xa1, 0x501f, 0xd90a);
+ r = ch341_control_out(dev, CH341_REQ_SERIAL_INIT, 0x501f, 0xd90a);
if (r < 0)
goto out;

@@ -382,7 +395,7 @@ static void ch341_set_termios(struct tty
static void ch341_break_ctl(struct tty_struct *tty, int break_state)
{
const uint16_t ch341_break_reg =
- CH341_REG_BREAK1 | ((uint16_t) CH341_REG_BREAK2 << 8);
+ ((uint16_t) CH341_REG_LCR << 8) | CH341_REG_BREAK;
struct usb_serial_port *port = tty->driver_data;
int r;
uint16_t reg_contents;
@@ -407,12 +420,12 @@ static void ch341_break_ctl(struct tty_s
__func__, break_reg[0], break_reg[1]);
if (break_state != 0) {
dbg("%s - Enter break state requested", __func__);
- break_reg[0] &= ~CH341_NBREAK_BITS_REG1;
- break_reg[1] &= ~CH341_NBREAK_BITS_REG2;
+ break_reg[0] &= ~CH341_NBREAK_BITS;
+ break_reg[1] &= ~CH341_LCR_ENABLE_TX;
} else {
dbg("%s - Leave break state requested", __func__);
- break_reg[0] |= CH341_NBREAK_BITS_REG1;
- break_reg[1] |= CH341_NBREAK_BITS_REG2;
+ break_reg[0] |= CH341_NBREAK_BITS;
+ break_reg[1] |= CH341_LCR_ENABLE_TX;
}
dbg("%s - New ch341 break register contents - reg1: %x, reg2: %x",
__func__, break_reg[0], break_reg[1]);
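Review bot: CH341_NBREAK_BITS_REG2 (0x40) and CH341_LCR_ENABLE_TX (0x40) are the same bit, so behaviour is unchanged, but the rename now reveals that entering break state works by clearing the transmitter-enable bit in the LCR; a one-line comment saying so would preserve that insight, and the dbg() text 'reg1/reg2' could be updated to 'break/lcr' to match the new names.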

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 5c75633ef751dd4cd8f443dc35152c1ae563162e upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at mos7840_open+0x88/0x8dc [mos7840]

Note that we continue to treat the interrupt-in endpoint as optional for
now.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: add this check to the existing
usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/mos7840.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2386,6 +2386,12 @@ static int mos7840_startup(struct usb_se
return -1;
}

+ if (serial->num_bulk_in < serial->num_ports ||
+ serial->num_bulk_out < serial->num_ports) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }
+
dev = serial->dev;

dbg("%s", "Entering...");
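Review bot: the check sits before `dev = serial->dev` and before any allocation, so the early `return -ENODEV` leaks nothing; the pre-existing `return -1` a few lines above is inconsistent with it and could be converted to a proper errno in a follow-up. The commit message says interrupt-in remains optional, which is why only the bulk endpoints are counted here; stating that in a comment would save the next reader from wondering.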

Ben Hutchings
Mar 10, 2017, 8:10:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit a91918cd3ea11f91c68e08e1e8ce1b560447a80e upstream.

This iscsit_tpg_add_portal_group() function is only called from
lio_target_tiqn_addtpg(). Both functions free the "tpg" pointer on
error so it's a double free bug. The memory is allocated in the caller
so it should be freed in the caller and not here.

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Reviewed-by: David Disseldorp <dd...@suse.de>
[ bvanassche: Added "Fix" at start of patch title ]
Signed-off-by: Bart Van Assche <bart.va...@sandisk.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/target/iscsi/iscsi_target_tpg.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target_tpg.c
+++ b/drivers/target/iscsi/iscsi_target_tpg.c
@@ -253,7 +253,6 @@ err_out:
iscsi_release_param_list(tpg->param_list);
tpg->param_list = NULL;
}
- kfree(tpg);
return -ENOMEM;
}
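Review bot: with `kfree(tpg)` gone, err_out only releases param_list and ownership of tpg stays with the caller; a short comment at the err_out label ("tpg is freed by the caller, lio_target_tiqn_addtpg") would stop the free from being reintroduced.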

Ben Hutchings
Mar 10, 2017, 8:10:09 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 3dca01114dcecb1cf324534cd8d75fd1306a516b upstream.

Fix NULL-pointer dereference when clearing halt at open should the device
lack a bulk-out endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at cyberjack_open+0x40/0x9c [cyberjack]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: add this check to the existing
usb_serial_driver::attach implementation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/drivers/usb/serial/cyberjack.c
+++ b/drivers/usb/serial/cyberjack.c
@@ -122,6 +122,9 @@ static int cyberjack_startup(struct usb_

dbg("%s", __func__);

+ if (serial->num_bulk_out < serial->num_ports)
+ return -ENODEV;
+
/* allocate the private data structure */
priv = kmalloc(sizeof(struct cyberjack_private), GFP_KERNEL);
if (!priv)
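Review bot: the guard covers only bulk-out, matching the halt-clear in open described in the commit message; if the read or interrupt paths of this driver also assume a bulk-in or interrupt-in endpoint, they need the same guard, otherwise a comment stating that those endpoints are optional would document the decision. Placing the check before the kmalloc() avoids a leak on the error path.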

Ben Hutchings
Mar 10, 2017, 8:10:10 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit add333a81a16abbd4f106266a2553677a165725f upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN use-after-free bug report in gadgetfs:

BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
Call Trace:
<IRQ> [ 201.343209] [< inline >] __dump_stack lib/dump_stack.c:15
<IRQ> [ 201.343209] [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
[< inline >] print_address_description mm/kasan/report.c:197
[<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
[< inline >] kasan_report mm/kasan/report.c:306
[<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
[< inline >] config_buf drivers/usb/gadget/legacy/inode.c:1298
[<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
[<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
[<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
[< inline >] expire_timers kernel/time/timer.c:1348
[<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
[<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
[<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284

The cause of the bug is subtle. The dev_config() routine gets called
twice by the fuzzer. The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev->hs_config to be set. But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.

The second time dev_config() is called, the user data contains only a
full-speed config descriptor. But dev->hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config. Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.

The fix is simple: Clear dev->hs_config if the passed-in data does not
contain a high-speed config descriptor.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andre...@google.com>
Tested-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/gadget/inode.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1899,6 +1899,8 @@ dev_config (struct file *fd, const char
goto fail;
kbuf += total;
length -= total;
+ } else {
+ dev->hs_config = NULL;
}

/* could support multiple configs, using another encoding! */
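Review bot: clearing dev->hs_config in the else branch fixes the stale pointer described in the commit message, but the same reasoning applies to any other pointer into kbuf that survives a failed dev_config(), such as dev->config, which the earlier gadgetfs patch in this series shows being set from kbuf; confirming those are reset on the fail path, or noting here why they are not affected, would close the question.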