[PATCH 3.2 199/199] sctp: deny peeloff operation on asocs with threads sleeping on it

Ben Hutchings, Mar 10, 2017, 7:20:06 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marcelo Ricardo Leitner <marcelo...@gmail.com>

commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 upstream.

commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
attempted to avoid a BUG_ON call when the association being used for a
sendmsg() is blocked waiting for more sndbuf and another thread did a
peeloff operation on such asoc, moving it to another socket.

As Ben Hutchings noticed, then in such case it would return without
locking back the socket and would cause two unlocks in a row.

Further analysis also revealed that it could allow a double free if the
application managed to peeloff the asoc that is created during the
sendmsg call, because then sctp_sendmsg() would try to free the asoc
that was created only for that call.

This patch takes another approach. It will deny the peeloff operation
if there is a thread sleeping on the asoc, so this situation doesn't
exist anymore. This avoids the issues described above and also honors
the syscalls that are already being handled (it can be multiple sendmsg
calls).

Joint work with Xin Long.

Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
Cc: Alexander Popov <alex....@linux.com>
Cc: Ben Hutchings <b...@decadent.org.uk>
Signed-off-by: Marcelo Ricardo Leitner <marcelo...@gmail.com>
Signed-off-by: Xin Long <lucie...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/sctp/socket.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4242,6 +4242,12 @@ SCTP_STATIC int sctp_do_peeloff(struct s
struct sctp_af *af;
int err = 0;

+ /* If there is a thread waiting on more sndbuf space for
+ * sending on this asoc, it cannot be peeled.
+ */
+ if (waitqueue_active(&asoc->wait))
+ return -EBUSY;
+
/* An association cannot be branched off from an already peeled-off
* socket, nor is this supported for tcp style sockets.
*/
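Review bot: waitqueue_active(&asoc->wait) carries no memory barrier of its own, so the check is only sound because sctp_do_peeloff() runs with the socket lock held and the sleeper (second hunk) queues itself on asoc->wait before sctp_release_sock() gives that lock up; the new comment should state that locking requirement so the test is not copied into an unlocked path. -EBUSY is also a new userspace-visible result for the peeloff socket option and should be mentioned in the commit message or the SCTP documentation.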
@@ -6492,8 +6498,6 @@ static int sctp_wait_for_sndbuf(struct s
*/
sctp_release_sock(sk);
current_timeo = schedule_timeout(current_timeo);
- if (sk != asoc->base.sk)
- goto do_error;
sctp_lock_sock(sk);

*timeo_p = current_timeo;
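Review bot: dropping the `sk != asoc->base.sk` bail-out makes the wake-up path assume the association still belongs to this socket; that now holds only because the first hunk refuses peeloff while a thread waits on asoc->wait, so the two hunks are a matched pair and must not be split in a partial backport. A one-line comment above sctp_lock_sock(sk) pointing at the peeloff check would make that dependency visible to the next person touching this loop.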

Ben Hutchings, Mar 10, 2017, 7:20:06 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <wil...@google.com>

[ Upstream commit 837585a5375c38d40361cfe64e6fd11e1addb936 ]

When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.

Macvtap functions read the value once, but unless READ_ONCE is used,
the compiler may ignore this and read multiple times. Enforce a single
read and locally cached value to avoid updates between test and use.

Signed-off-by: Willem de Bruijn <wil...@google.com>
Suggested-by: Eric Dumazet <edum...@google.com>
Acked-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- Use ACCESS_ONCE() instead of READ_ONCE()
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/macvtap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -687,7 +687,7 @@ static ssize_t macvtap_get_user(struct m
size_t linear;

if (q->flags & IFF_VNET_HDR) {
- vnet_hdr_len = q->vnet_hdr_sz;
+ vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);

err = -EINVAL;
if (len < vnet_hdr_len)
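Review bot: ACCESS_ONCE() closes the compiler re-read on the consumer side, but the store to q->vnet_hdr_sz in the ioctl path is not part of this hunk; if that is a plain assignment it should use ACCESS_ONCE() as well so the write cannot be torn or reordered against the read. Also confirm that everything after the `len < vnet_hdr_len` check in macvtap_get_user() uses the cached vnet_hdr_len and never reads q->vnet_hdr_sz again, otherwise the test-vs-use window the patch is closing reopens a few lines later.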
@@ -817,7 +817,7 @@ static ssize_t macvtap_put_user(struct m

if (q->flags & IFF_VNET_HDR) {
struct virtio_net_hdr vnet_hdr;
- vnet_hdr_len = q->vnet_hdr_sz;
+ vnet_hdr_len = ACCESS_ONCE(q->vnet_hdr_sz);
if ((len -= vnet_hdr_len) < 0)
return -EINVAL;
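Review bot: `if ((len -= vnet_hdr_len) < 0)` only catches a header longer than the buffer when `len` is signed; the truncated hunk header (`macvtap_put_user(struct m`) hides the parameter types, so confirm the 3.2 prototype still takes `int len` and not `size_t`, where the comparison could never be true. As on the read path, the cached vnet_hdr_len must be the only header-length value used for the rest of the function.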

Ben Hutchings, Mar 10, 2017, 7:20:06 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry....@lwfinger.net>

commit 8052d7245b6089992343c80b38b14dbbd8354651 upstream.

When there is a CRC error in the SPROM read from the device, the code
attempts to handle a fallback SPROM. When this also fails, the driver
returns zero rather than an error code.

Signed-off-by: Larry Finger <Larry....@lwfinger.net>
Signed-off-by: Kalle Valo <kv...@codeaurora.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/ssb/pci.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/ssb/pci.c
+++ b/drivers/ssb/pci.c
@@ -713,6 +713,7 @@ static int ssb_pci_sprom_get(struct ssb_
ssb_printk(KERN_WARNING PFX "WARNING: Using"
" fallback SPROM failed (err %d)\n",
err);
+ goto out_free;
} else {
ssb_dprintk(KERN_DEBUG PFX "Using SPROM"
" revision %d provided by"
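Review bot: `goto out_free` relies on `err` still holding the negative code from the failed fallback (the value the warning just printed) and on the out_free path returning that `err` rather than a hard-coded 0, since a zero return is exactly the bug being fixed; worth confirming both in the 3.2 version of ssb_pci_sprom_get(). A short comment that a failed fallback is fatal here would stop a later refactor from restoring the fall-through to the success return.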

Ben Hutchings, Mar 10, 2017, 7:20:07 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Davidlohr Bueso <da...@stgolabs.net>

commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.

The issue is described here, with a nice testcase:

https://bugzilla.kernel.org/show_bug.cgi?id=192931

The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
the address rounded down to 0. For the regular mmap case, the
protection mentioned above is that the kernel gets to generate the
address -- arch_get_unmapped_area() will always check for MAP_FIXED and
return that address. So by the time we do security_mmap_addr(0) things
get funky for shmat().

The testcase itself shows that while a regular user crashes, root will
not have a problem attaching a nil-page. There are two possible fixes
to this. The first, and which this patch does, is to simply allow root
to crash as well -- this is also regular mmap behavior, i.e. when hacking
up the testcase and adding mmap(... |MAP_FIXED). While this approach
is the safer option, the second alternative is to ignore SHM_RND if the
rounded address is 0, thus only having MAP_SHARED flags. This makes the
behavior of shmat() identical to the mmap() case. The downside of this
is obviously user visible, but does make sense in that it maintains
semantics after the round-down wrt 0 address and mmap.

Passes shm related ltp tests.

Link: http://lkml.kernel.org/r/1486050195-18629-1-...@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbu...@suse.de>
Reported-by: Gareth Evans <gareth...@contextis.co.uk>
Cc: Manfred Spraul <man...@colorfullife.com>
Cc: Michael Kerrisk <mtk.ma...@googlemail.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[bwh: Backported to 3.2: use SHMLBA constant instead of shmlba parameter]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -963,8 +963,13 @@ long do_shmat(int shmid, char __user *sh
goto out;
else if ((addr = (ulong)shmaddr)) {
if (addr & (SHMLBA-1)) {
- if (shmflg & SHM_RND)
- addr &= ~(SHMLBA-1); /* round down */
+ /*
+ * Round down to the nearest multiple of shmlba.
+ * For sane do_mmap_pgoff() parameters, avoid
+ * round downs that trigger nil-page and MAP_FIXED.
+ */
+ if ((shmflg & SHM_RND) && addr >= SHMLBA)
+ addr &= ~(SHMLBA - 1);
else
#ifndef __ARCH_FORCE_SHMLBA
if (addr & ~PAGE_MASK)
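Review bot: the new comment talks about 'the nearest multiple of shmlba', but this backport uses the SHMLBA constant (see the [bwh] note), so the comment should say SHMLBA to match the code beside it. Note also that with `addr >= SHMLBA` in the condition, an SHM_RND request below SHMLBA is no longer rounded down to 0 but falls through to the `else` branch and the page-alignment check below it; that is the intended user-visible change and deserves an explicit sentence in the backport description.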

Ben Hutchings, Mar 10, 2017, 7:20:07 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuha...@gmail.com>

commit 24803f38a5c0b6c57ed800b47e695f9ce474bc3a upstream.

In commit 24cf3af3fed5 ("igmp: call ip_mc_clear_src..."), we forgot to remove
igmpv3_clear_delrec() in ip_mc_down(), which also called ip_mc_clear_src().
This makes us clear all IGMPv3 source filter info after NETDEV_DOWN.
Move igmpv3_clear_delrec() to ip_mc_destroy_dev(), and then there is no need
for ip_mc_clear_src() in ip_mc_destroy_dev().

On the other hand, we should restore instead of freeing all source filter
info in igmpv3_del_delrec(). Otherwise we will not be able to restore IGMPv3 source
filter info after NETDEV_UP and NETDEV_POST_TYPE_CHANGE.

Fixes: 24cf3af3fed5 ("igmp: call ip_mc_clear_src() only when ...")
Signed-off-by: Hangbin Liu <liuha...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- Use IGMP_Unsolicited_Report_Count instead of sysctl_igmp_qrv
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -140,7 +140,7 @@
time_before(jiffies, (in_dev)->mr_v2_seen)))

static void igmpv3_add_delrec(struct in_device *in_dev, struct ip_mc_list *im);
-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr);
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im);
static void igmpv3_clear_delrec(struct in_device *in_dev);
static int sf_setstate(struct ip_mc_list *pmc);
static void sf_markstate(struct ip_mc_list *pmc);
@@ -1082,10 +1082,14 @@ static void igmpv3_add_delrec(struct in_
spin_unlock_bh(&in_dev->mc_tomb_lock);
}

-static void igmpv3_del_delrec(struct in_device *in_dev, __be32 multiaddr)
+/*
+ * restore ip_mc_list deleted records
+ */
+static void igmpv3_del_delrec(struct in_device *in_dev, struct ip_mc_list *im)
{
struct ip_mc_list *pmc, *pmc_prev;
- struct ip_sf_list *psf, *psf_next;
+ struct ip_sf_list *psf;
+ __be32 multiaddr = im->multiaddr;

spin_lock_bh(&in_dev->mc_tomb_lock);
pmc_prev = NULL;
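Review bot: the function now reads im->multiaddr before taking any lock; that is fine only because multiaddr never changes after the ip_mc_list is created, and a short comment saying so would save the next reader from checking. Dropping `psf_next` here is consistent with the free loop being removed in the next hunk.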
@@ -1101,16 +1105,26 @@ static void igmpv3_del_delrec(struct in_
in_dev->mc_tomb = pmc->next;
}
spin_unlock_bh(&in_dev->mc_tomb_lock);
+
+ spin_lock_bh(&im->lock);
if (pmc) {
- for (psf=pmc->tomb; psf; psf=psf_next) {
- psf_next = psf->sf_next;
- kfree(psf);
+ im->interface = pmc->interface;
+ im->crcount = in_dev->mr_qrv ?: IGMP_Unsolicited_Report_Count;
+ im->sfmode = pmc->sfmode;
+ if (pmc->sfmode == MCAST_INCLUDE) {
+ im->tomb = pmc->tomb;
+ im->sources = pmc->sources;
+ for (psf = im->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = im->crcount;
}
in_dev_put(pmc->interface);
- kfree(pmc);
}
+ spin_unlock_bh(&im->lock);
}

+/*
+ * flush ip_mc_list deleted records
+ */
static void igmpv3_clear_delrec(struct in_device *in_dev)
{
struct ip_mc_list *pmc, *nextpmc;
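Review bot: pmc is unlinked from in_dev->mc_tomb above and its tomb/sources lists are handed to im, but with `kfree(pmc)` removed nothing frees the ip_mc_list record itself, so every restore leaks one struct; in the `pmc->sfmode != MCAST_INCLUDE` case the pmc->tomb and pmc->sources lists are neither moved nor freed either. The shortlog for this series includes 'igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()' [9c8bb163ae784be4f79ae504e78c862806087c54], which must be applied together with this patch rather than left for a later release.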
@@ -1255,7 +1269,7 @@ void ip_mc_inc_group(struct in_device *i
rcu_assign_pointer(in_dev->mc_list, im);

#ifdef CONFIG_IP_MULTICAST
- igmpv3_del_delrec(in_dev, im->multiaddr);
+ igmpv3_del_delrec(in_dev, im);
#endif
igmp_group_added(im);
if (!in_dev->dead)
@@ -1345,8 +1359,12 @@ void ip_mc_remap(struct in_device *in_de

ASSERT_RTNL();

- for_each_pmc_rtnl(in_dev, pmc)
+ for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+ igmpv3_del_delrec(in_dev, pmc);
+#endif
igmp_group_added(pmc);
+ }
}

/* Device going down */
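Review bot: ip_mc_remap() and ip_mc_up() now run the identical loop (igmpv3_del_delrec() under CONFIG_IP_MULTICAST, then igmp_group_added()); a small static helper would avoid duplicating the #ifdef block and keep the two callers from drifting apart in future backports.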
@@ -1367,7 +1385,6 @@ void ip_mc_down(struct in_device *in_dev
in_dev->mr_gq_running = 0;
if (del_timer(&in_dev->mr_gq_timer))
__in_dev_put(in_dev);
- igmpv3_clear_delrec(in_dev);
#endif

ip_mc_dec_group(in_dev, IGMP_ALL_HOSTS);
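Review bot: with igmpv3_clear_delrec() gone from ip_mc_down(), the delrec entries (and the in_dev reference each holds through pmc->interface, see the in_dev_put() in igmpv3_del_delrec()) persist across down/up cycles and are flushed only by ip_mc_destroy_dev(); that is the intent of the patch, but a comment here saying the tomb list is deliberately kept alive would prevent someone from restoring the call as a 'missing cleanup'.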
@@ -1402,8 +1419,12 @@ void ip_mc_up(struct in_device *in_dev)

ip_mc_inc_group(in_dev, IGMP_ALL_HOSTS);

- for_each_pmc_rtnl(in_dev, pmc)
+ for_each_pmc_rtnl(in_dev, pmc) {
+#ifdef CONFIG_IP_MULTICAST
+ igmpv3_del_delrec(in_dev, pmc);
+#endif
igmp_group_added(pmc);
+ }
}

/*
@@ -1418,13 +1439,13 @@ void ip_mc_destroy_dev(struct in_device

/* Deactivate timers */
ip_mc_down(in_dev);
+#ifdef CONFIG_IP_MULTICAST
+ igmpv3_clear_delrec(in_dev);
+#endif

while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
in_dev->mc_list = i->next_rcu;
in_dev->mc_count--;
-
- /* We've dropped the groups in ip_mc_down already */
- ip_mc_clear_src(i);
ip_ma_put(i);
}
}
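Review bot: removing ip_mc_clear_src(i) here relies on each group's source list having been moved to the tomb by ip_mc_down() so that the igmpv3_clear_delrec() added above frees it; the restore path in igmpv3_del_delrec() only hands lists back for MCAST_INCLUDE, which suggests the add side is equally selective, so for an EXCLUDE-mode group the sources stay on `i` and are freed only if ip_ma_put() releases them, which should be checked in the 3.2 ip_ma_put() before merging. The stale comment 'We've dropped the groups in ip_mc_down already' is rightly deleted along with the call.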

Ben Hutchings, Mar 10, 2017, 7:20:07 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 815a7141c4d1b11610dccb7fcbb38633759824f2 upstream.

Make sure to drop any reference taken by bus_find_device() when creating
devices during init and driver registration.

Fixes: 55347cc9962f ("[POWERPC] ibmebus: Add device creation and bus probing based on of_device")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/powerpc/kernel/ibmebus.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -179,6 +179,7 @@ static int ibmebus_create_device(struct
static int ibmebus_create_devices(const struct of_device_id *matches)
{
struct device_node *root, *child;
+ struct device *dev;
int ret = 0;

root = of_find_node_by_path("/");
@@ -187,9 +188,12 @@ static int ibmebus_create_devices(const
if (!of_match_node(matches, child))
continue;

- if (bus_find_device(&ibmebus_bus_type, NULL, child,
- ibmebus_match_node))
+ dev = bus_find_device(&ibmebus_bus_type, NULL, child,
+ ibmebus_match_node);
+ if (dev) {
+ put_device(dev);
continue;
+ }

ret = ibmebus_create_device(child);
if (ret) {
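Review bot: put_device() correctly balances the reference that bus_find_device() takes on the matched device, and the `continue` after it is right. `dev` is declared at function scope but only lives inside this loop body; declaring it next to the bus_find_device() call would make the short ownership window obvious and avoid accidental reuse of a dropped pointer further down the function.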

Ben Hutchings, Mar 10, 2017, 7:20:08 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit fbfa743a9d2a0ffa24251764f10afc13eb21e739 ]

This function suffers from multiple issues.

First one is that pskb_may_pull() may reallocate skb->head,
so the 'raw' pointer needs either to be reloaded or not used at all.

Second issue is that NEXTHDR_DEST handling does not validate
that the options are present in skb->data, so we might read
garbage or access non existent memory.

With help from Willem de Bruijn.

Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Dmitry Vyukov <dvy...@google.com>
Cc: Willem de Bruijn <wil...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/ip6_tunnel.c | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -372,18 +372,19 @@ ip6_tnl_dev_uninit(struct net_device *de
static __u16
parse_tlv_tnl_enc_lim(struct sk_buff *skb, __u8 * raw)
{
- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
- __u8 nexthdr = ipv6h->nexthdr;
- __u16 off = sizeof (*ipv6h);
+ const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)raw;
+ unsigned int nhoff = raw - skb->data;
+ unsigned int off = nhoff + sizeof(*ipv6h);
+ u8 next, nexthdr = ipv6h->nexthdr;

while (ipv6_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
- __u16 optlen = 0;
struct ipv6_opt_hdr *hdr;
- if (raw + off + sizeof (*hdr) > skb->data &&
- !pskb_may_pull(skb, raw - skb->data + off + sizeof (*hdr)))
+ u16 optlen;
+
+ if (!pskb_may_pull(skb, off + sizeof(*hdr)))
break;

- hdr = (struct ipv6_opt_hdr *) (raw + off);
+ hdr = (struct ipv6_opt_hdr *)(skb->data + off);
if (nexthdr == NEXTHDR_FRAGMENT) {
struct frag_hdr *frag_hdr = (struct frag_hdr *) hdr;
if (frag_hdr->frag_off)
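Review bot: `nhoff = raw - skb->data` is stored unsigned and the old `raw + off + sizeof(*hdr) > skb->data` guard is gone, so the function now requires `raw` to point inside the linear area at or after skb->data; that contract should be stated in a comment above the function since callers pass a header pointer. Recomputing `hdr` from skb->data + off rather than from `raw` is the core of the first fix (pskb_may_pull() may move skb->head), but note that `frag_hdr->frag_off` sits at bytes 2-3 of the fragment header while only off + sizeof(*hdr) (2 bytes) has been pulled at that point; pulling off + 8 for NEXTHDR_FRAGMENT (the size already assigned to optlen) would make that read validated as well.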
@@ -394,20 +395,29 @@ parse_tlv_tnl_enc_lim(struct sk_buff *sk
} else {
optlen = ipv6_optlen(hdr);
}
+ /* cache hdr->nexthdr, since pskb_may_pull() might
+ * invalidate hdr
+ */
+ next = hdr->nexthdr;
if (nexthdr == NEXTHDR_DEST) {
- __u16 i = off + 2;
+ u16 i = 2;
+
+ /* Remember : hdr is no longer valid at this point. */
+ if (!pskb_may_pull(skb, off + optlen))
+ break;
+
while (1) {
struct ipv6_tlv_tnl_enc_lim *tel;

/* No more room for encapsulation limit */
- if (i + sizeof (*tel) > off + optlen)
+ if (i + sizeof(*tel) > optlen)
break;

- tel = (struct ipv6_tlv_tnl_enc_lim *) &raw[i];
+ tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
/* return index of option if found and valid */
if (tel->type == IPV6_TLV_TNL_ENCAP_LIMIT &&
tel->length == 1)
- return i;
+ return i + off - nhoff;
/* else jump to next option */
if (tel->type)
i += tel->length + 2;
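Review bot: `tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;` is pointer arithmetic on the already-cast pointer, so `off + i` is scaled by sizeof(*tel) rather than being a byte offset; it needs to be `(struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i)`. The series shortlog carries Dan Carpenter's 'ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()' [63117f09c768be05a0bf465911297dc76394f686], which corrects exactly this and should be applied in the same batch. The `pskb_may_pull(skb, off + optlen)` ahead of the walk, with `i + sizeof(*tel) > optlen` as the loop bound, is the right fix for the unvalidated NEXTHDR_DEST read: every tel access now lies inside the pulled region.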
@@ -415,7 +425,7 @@ parse_tlv_tnl_enc_lim(struct sk_buff *sk
i++;
}
}
- nexthdr = hdr->nexthdr;
+ nexthdr = next;
off += optlen;
}
return 0;
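Review bot: `nexthdr = next` uses the value cached before the second pskb_may_pull(), which is what makes the loop safe once `hdr` may have been invalidated; the return value is still a raw-relative offset (`i + off - nhoff` above) so existing callers need no change, but they must re-derive their header pointer after this call rather than reuse one taken before it, since the pulls may have moved skb->head.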

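A user-space version of the bounds-checked extension-header walk that this fix describes, added here as an example and not the kernel's own code: it mirrors the logic of the fixed parse_tlv_tnl_enc_lim() over a plain byte buffer (the fixed part of each extension header is checked before it is read, and the whole Destination Options header is checked before the TLV walk starts) and runs it over constructed packets, including one whose options header claims more bytes than are present. The function name, the packet arrays and the Z16/IPV6_HDR/DST_OPTS_WITH_LIMIT macros are constructed for the example; the next-header and option-type constants are the RFC values the kernel uses.

```c
#include <stddef.h>
#include <stdint.h>

/* Next-header values (RFC 2460) and the RFC 2473 option type, named as in the kernel. */
#define NEXTHDR_HOP        0
#define NEXTHDR_ROUTING   43
#define NEXTHDR_FRAGMENT  44
#define NEXTHDR_AUTH      51
#define NEXTHDR_NONE      59
#define NEXTHDR_DEST      60
#define IPV6_TLV_TNL_ENCAP_LIMIT 4
#define IPV6_HDR_LEN      40

static int is_ext_hdr(uint8_t nh)
{
    return nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_FRAGMENT ||
           nh == NEXTHDR_AUTH || nh == NEXTHDR_NONE || nh == NEXTHDR_DEST;
}

/*
 * Return the byte offset (from the IPv6 header) of a valid Tunnel Encapsulation
 * Limit option in a Destination Options header, or 0 if none is found or the
 * chain runs past the `len` bytes we hold. Every read is preceded by a length
 * check, as in the fixed kernel code: the fixed part of each extension header
 * first, then the whole options header before any TLV is touched.
 */
size_t find_tnl_encap_limit(const uint8_t *pkt, size_t len)
{
    size_t off = IPV6_HDR_LEN;
    uint8_t nexthdr;

    if (len < IPV6_HDR_LEN)
        return 0;
    nexthdr = pkt[6];                      /* ipv6hdr.nexthdr */

    while (is_ext_hdr(nexthdr) && nexthdr != NEXTHDR_NONE) {
        size_t optlen;
        uint8_t next;
        if (off + 8 > len)                 /* every ext header is >= 8 bytes */
            return 0;
        next = pkt[off];                   /* cache it: `off` moves on below */

        if (nexthdr == NEXTHDR_FRAGMENT) {
            /* non-zero frag_off/M bit: not a first fragment, no options here */
            if (pkt[off + 2] | pkt[off + 3])
                return 0;
            optlen = 8;
        } else if (nexthdr == NEXTHDR_AUTH) {
            optlen = ((size_t)pkt[off + 1] + 2) << 2;
        } else {
            optlen = ((size_t)pkt[off + 1] + 1) << 3;
        }

        if (nexthdr == NEXTHDR_DEST) {
            size_t i = 2;                  /* skip nexthdr and hdrlen */

            /* the whole options header must be present before the TLV walk */
            if (off + optlen > len)
                return 0;
            /* a TLV here is type, length and the 1-byte limit: 3 bytes */
            while (i + 3 <= optlen) {
                uint8_t type = pkt[off + i];
                uint8_t tlen = pkt[off + i + 1];

                if (type == IPV6_TLV_TNL_ENCAP_LIMIT && tlen == 1)
                    return off + i;
                if (type)
                    i += (size_t)tlen + 2; /* skip this option */
                else
                    i++;                   /* Pad1 */
            }
        }
        nexthdr = next;
        off += optlen;
    }
    return 0;
}

/* Constructed sample packets (addresses zeroed; only the header chain matters). */
#define Z16 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
/* 40-byte IPv6 header: version 6, payload length, next header, hop limit 64 */
#define IPV6_HDR(nh, plen) 0x60,0,0,0, 0,(plen), (nh),64, Z16, Z16
/* 8-byte Destination Options header: next TCP, hdrlen 0, Pad1,
 * encapsulation limit option (type 4, length 1, limit 3), PadN(0) */
#define DST_OPTS_WITH_LIMIT 6,0, 0x00, 0x04,0x01,0x03, 0x01,0x00

const uint8_t pkt_dest_opts[] = { IPV6_HDR(NEXTHDR_DEST, 8), DST_OPTS_WITH_LIMIT };
/* Hop-by-Hop header (PadN filler) first, then the same Destination Options. */
const uint8_t pkt_hop_then_dest[] = { IPV6_HDR(NEXTHDR_HOP, 16),
                                      NEXTHDR_DEST,0, 0x01,0x04,0,0,0,0,
                                      DST_OPTS_WITH_LIMIT };
/* Non-first fragment (frag_off 8) in front: its payload is not option data. */
const uint8_t pkt_fragment[] = { IPV6_HDR(NEXTHDR_FRAGMENT, 16),
                                 NEXTHDR_DEST,0, 0x00,0x08, 0,0,0,1,
                                 DST_OPTS_WITH_LIMIT };
/* Destination Options header whose hdrlen claims 16 bytes while only 8 follow. */
const uint8_t pkt_dest_claims_more[] = { IPV6_HDR(NEXTHDR_DEST, 16),
                                         6,1, 0x00, 0x04,0x01,0x03, 0x01,0x00 };
```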
Ben Hutchings, Mar 10, 2017, 7:20:09 AM

3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 4763601a56f155ddf94ef35fc2c41504a2de15f5 upstream.

The function returns -EINVAL even if it builds the stream properly.
The bogus error code sneaked in during the code refactoring, but it
wasn't noticed until now since the returned error code itself is
ignored in anyway. Kill it here, but there is no behavior change by
this patch, obviously.

Fixes: e5779998bf8b ('ALSA: usb-audio: refactor code')
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
sound/usb/card.c | 1 -
1 file changed, 1 deletion(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -207,7 +207,6 @@ static int snd_usb_create_stream(struct
if (! snd_usb_parse_audio_interface(chip, interface)) {
usb_set_interface(dev, interface, 0); /* reset the current interface */
usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
- return -EINVAL;
}

return 0;
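Review bot: after this deletion snd_usb_create_stream() reports success for an interface it has rejected and claimed with the (void *)-1L marker; that matches the stated intent (the return code is ignored by callers), but a one-line comment next to usb_driver_claim_interface() saying the interface is deliberately parked and 0 is the expected result would keep a future reader from reinstating the -EINVAL.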

Ben Hutchings, Mar 10, 2017, 7:21:38 AM

This is the start of the stable review cycle for the 3.2.87 release.
There are 199 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
Anything received after that time might be too late.

A combined patch relative to 3.2.86 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Aidan Thornton (2):
USB: serial: ch341: add register and USB request definitions
[6fde8d29b0424f292a4ec5dbce01458ad759a41f]
USB: serial: ch341: reinitialize chip on reconfiguration
[4e46c410e050bcac36deadbd8e20449d078204e8]

Akinobu Mita (1):
sysrq: attach sysrq handler correctly for 32-bit kernel
[802c03881f29844af0252b6e22be5d2f65f93fd0]

Al Viro (2):
Fix missing sanity check in /dev/sg
[137d01df511b3afe1f05499aea05f3bafc0fb221]
nfs_write_end(): fix handling of short copies
[c0cf3ef5e0f47e385920450b245d22bead93e7ad]

Alan Stern (7):
PCI: Check for PME in targeted sleep state
[6496ebd7edf446fccf8266a1a70ffcb64252593e]
USB: UHCI: report non-PME wakeup signalling for Intel hardware
[ccdb6be9ec6580ef69f68949ebe26e0fb58a6fb0]
USB: dummy-hcd: fix bug in stop_activity (handle ep0)
[bcdbeb844773333d2d1c08004f3b3e25921040e5]
USB: fix problems with duplicate endpoint addresses
[0a8fd1346254974c3a852338508e4a4cddbb35f1]
USB: gadgetfs: fix checks of wTotalLength in config descriptors
[1c069b057dcf64fada952eaa868d35f02bb0cfc2]
USB: gadgetfs: fix unbounded memory allocation bug
[faab50984fe6636e616c7cc3d30308ba391d36fd]
USB: gadgetfs: fix use-after-free bug
[add333a81a16abbd4f106266a2553677a165725f]

Alex Porosanu (1):
crypto: caam - fix AEAD givenc descriptors
[d128af17876d79b87edf048303f98b35f6a53dbc]

Amir Vadai (1):
net/sched: pedit: make sure that offset is valid
[95c2027bfeda21a28eb245121e6a249f38d0788e]

Andy Shevchenko (1):
platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
[5a00b6c2438460b870a451f14593fc40d3c7edf6]

Anoob Soman (2):
packet: Do not call fanout_release from atomic contexts
[2bd624b4611ffee36422782d16e1c944d1351e98]
packet: call fanout_release, while UNREGISTERING a netdev
[6664498280cf17a59c3e7cf1a931444c02633ed1]

Anssi Hannula (1):
net: xilinx_emaclite: fix receive buffer overflow
[cd224553641848dd17800fe559e4ff5d208553e8]

Anton Blanchard (1):
powerpc: Ignore reserved field in DCSR and PVR reads and writes
[178f358208ceb8b38e5cff3f815e0db4a6a70a07]

Arnaldo Carvalho de Melo (1):
perf scripting: Avoid leaking the scripting_context variable
[cf346d5bd4b9d61656df2f72565c9b354ef3ca0d]

Arnd Bergmann (2):
[media] DaVinci-VPFE-Capture: fix error handling
[d3d83ee20afda16ad0133ba00f63c11a8d842a35]
scsi: mvsas: fix command_active typo
[af15769ffab13d777e55fdef09d0762bf0c249c4]

Arvind Yadav (1):
ata: sata_mv:- Handle return value of devm_ioremap.
[064c3db9c564cc5be514ac21fb4aa26cc33db746]

Augusto Mecking Caringi (1):
vme: Fix wrong pointer utilization in ca91cx42_slave_get
[c8a6a09c1c617402cc9254b2bc8da359a0347d75]

Bart Van Assche (2):
IB/mad: Fix an array index check
[2fe2f378dd45847d2643638c07a7658822087836]
IB/multicast: Check ib_find_pkey() return value
[d3a2418ee36a59bc02e9d454723f3175dcf4bfd9]

Ben Hutchings (6):
Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
[not upstream; the reverted commit is fine upstream but depends
on other changes I haven't backported]
catc: Combine failure cleanup code in catc_probe()
[d41149145f98fe26dcd0bfd1d6cc095e6e041418]
catc: Use heap buffer for memory size test
[2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478]
kconfig/nconf: Fix hang when editing symbol with a long prompt
[79e51b5c2deea542b3bb8c66e0d502230b017dde]
net/sock: Add sock_efree() function
[62bccb8cdb69051b95a55ab0c489e3cab261c8ef]
rtl8150: Use heap buffers for all register access
[7926aff5c57b577ab0f43364ff0c59d968f6a414]

Benjamin Block (1):
scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
[dac37e15b7d511e026a9313c8c46794c144103cd]

Bjørn Mork (1):
USB: serial: option: add device ID for HP lt2523 (Novatel E371)
[5d03a2fd2292e71936c4235885c35ccc3c94695b]

Boris Ostrovsky (1):
xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
[74470954857c264168d2b5a113904cf0cfd27d18]

Chandan Rajendra (2):
ext4: fix mballoc breakage with 64k block size
[69e43e8cc971a79dd1ee5d4343d8e63f82725123]
ext4: fix stack memory corruption with 64k block size
[30a9d7afe70ed6bd9191d3000e2ef1a34fb58493]

Chris Friesen (1):
route: do not cache fib route info on local routes with oif
[d6d5e999e5df67f8ec20b6be45e2229455ee3699]

Con Kolivas (1):
ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
[82ffb6fc637150b279f49e174166d2aa3853eaf4]

Dan Carpenter (4):
ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
[63117f09c768be05a0bf465911297dc76394f686]
sparc: leon: Fix a retry loop in leon_init_timers()
[601e6e3cc5bf6adb7d076fe24d10f6191a25ba9b]
target/iscsi: Fix double free in lio_target_tiqn_addtpg()
[a91918cd3ea11f91c68e08e1e8ce1b560447a80e]
usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
[c95a9f83711bf53faeb4ed9bbb63a3f065613dfb]

Daniel Borkmann (1):
net, sched: fix soft lockup in tc_classify
[628185cfddf1dfb701c4efe2cfd72cf5b09f5702]

Daniele Palmas (1):
USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041
[5b09eff0c379002527ad72ea5ea38f25da8a8650]

Darrick J. Wong (1):
ext4: reject inodes with negative size
[7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58]

Dave Jones (1):
ipv6: handle -EFAULT from skb_copy_bits
[a98f91758995cb59611e61318dddd8a6956b52c3]

Dave Martin (2):
ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
[228dbbfb5d77f8e047b2a1d78da14b7158433027]
powerpc/ptrace: Preserve previous fprs/vsrs on short regset write
[99dfe80a2a246c600440a815741fd2e74a8b4977]

David S. Miller (2):
decnet: Do not build routes to devices without decnet private data.
[a36a0d4008488fa545c74445d69eaf56377d5d4e]
irda: Fix lockdep annotations in hashbin_delete().
[4c03b862b12f980456f9de92db6d508a4999b788]

Davidlohr Bueso (1):
ipc/shm: Fix shmat mmap nil-page protection
[95e91b831f87ac8e1f8ed50c14d709089b4e01b8]

Douglas Caetano dos Santos (1):
tcp: fix wrong checksum calculation on MTU probing
[2fe664f1fcf7c4da6891f95708a7a56d3c024354]

Eric Dumazet (18):
can: Fix kernel panic at security_sock_rcv_skb
[f1712c73714088a7252d276a57126d56c7d37e64]
dccp: do not send reset to already closed sockets
[346da62cc186c4b4b1ac59f87f4482b47a047388]
dccp: fix out of bound access in dccp_v4_err()
[6706a97fec963d6cb3f7fc2978ec1427b4651214]
gro: use min_t() in skb_gro_reset_offset()
[7cfd5fd5a9813f1430290d20c0fead9b4582a307]
ipv6: dccp: fix out of bound access in dccp_v6_err()
[1aa9d1a0e7eefcc61696e147d123453fc0016005]
ipv6: fix ip6_tnl_parse_tlv_enc_lim()
[fbfa743a9d2a0ffa24251764f10afc13eb21e739]
l2tp: do not use udp_ioctl()
[72fb96e7bdbbdd4421b0726992496531060f3636]
net/dccp: fix use-after-free in dccp_invalid_packet
[648f0c28df282636c0c8a7a19ca3ce5fc80a39c3]
net/llc: avoid BUG_ON() in skb_orphan()
[8b74d439e1697110c5e5c600643e823eb1dd0762]
net: avoid sk_forward_alloc overflows
[20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d]
net: clear sk_err_soft in sk_clone_lock()
[e551c32d57c88923f99f8f010e89ca7ed0735e83]
net: fix sk_mem_reclaim_partial()
[1a24e04e4b50939daa3041682b38b82c896ca438]
net: mangle zero checksum in skb_checksum_help()
[4f2e4ad56a65f3b7d64c258e373cb71e8d2499f4]
netlabel: out of bound access in cipso_v4_validate()
[d71b7896886345c53ef1d84bda2bc758554f5d61]
packet: fix races in fanout_add()
[d199fab63c11998a602205f7ee7ff7c05c97164b]
sysctl: fix proc_doulongvec_ms_jiffies_minmax()
[ff9f8a7cf935468a94d9927c68b00daae701667e]
tcp: fix 0 divide in __tcp_select_window()
[06425c308b92eaf60767bc71d359f4cbc7a561f8]
tcp: fix overflow in __tcp_retransmit_skb()
[ffb4d6c8508657824bcef68a36b2a0f9d8c09d10]

Eric Ren (1):
ocfs2: fix crash caused by stale lvb with fsdlm plugin
[e7ee2c089e94067d68475990bdeed211c8852917]

Eric Sandeen (1):
xfs: fix up xfs_swap_extent_forks inline extent handling
[4dfce57db6354603641132fac3c887614e3ebe81]

Eugenia Emantayev (1):
net/mlx4_en: Fix bad WQE issue
[6496bbf0ec481966ef9ffe5b6660d8d1b55c60cc]

Eva Rachel Retuya (1):
staging: iio: ad7606: fix improper setting of oversampling pins
[b321a38d2407c7e425c54bc09be909a34e49f740]

Felipe Balbi (1):
usb: gadget: composite: correctly initialize ep->maxpacket
[e8f29bb719b47a234f33b0af62974d7a9521a52c]

Florian Fainelli (2):
drivers: base: dma-mapping: Fix typo in dmam_alloc_non_coherent comments
[cd74da957ba2d03787ede1c22bbb183d9c728aad]
net: korina: Fix NAPI versus resources freeing
[e6afb1ad88feddf2347ea779cfaf4d03d3cd40b6]

Geoff Levand (1):
powerpc/ps3: Fix system hang with GCC 5 builds
[6dff5b67054e17c91bd630bcdda17cfca5aa4215]

Gerald Schaefer (1):
s390/vmlogrdr: fix IUCV buffer allocation
[5457e03de918f7a3e294eb9d26a608ab8a579976]

Greg Kroah-Hartman (2):
HID: hid-cypress: validate length of report
[1ebb71143758f45dc0fa76e2f48429e13b16d110]
usb: gadgetfs: restrict upper bound on device configuration size
[0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1]

Guenter Roeck (2):
cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
[328cf6927bb72cadefddebbc9a23c793108147a2]
hwmon: (ds620) Fix overflows seen when writing temperature limits
[e36ce99ee0815d7919a7b589bfb66f3de50b6bc7]

Hangbin Liu (3):
igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
[9c8bb163ae784be4f79ae504e78c862806087c54]
igmp: do not remove igmp souce list info when set link down
[24803f38a5c0b6c57ed800b47e695f9ce474bc3a]
mld: do not remove mld souce list info when set link down
[1666d49e1d416fcc2cce708242a52fe3317ea8ba]

Helge Deller (1):
parisc: Don't use BITS_PER_LONG in userspace-exported swab.h header
[2ad5d52d42810bed95100a3d912679d8864421ec]

Herbert Xu (3):
gro: Disable frag0 optimization on IPv6 ext headers
[57ea52a865144aedbcd619ee0081155e658b6f7d]
gro: Enter slow-path if there is no tailroom
[1272ce87fa017ca4cf32920764d879656b7a005a]
tun: Fix TUN_PKT_STRIP setting
[2eb783c43e7cf807a45899c10ed556b6dc116625]

Huang Rui (1):
iommu/amd: Fix the left value check of cmd buffer
[432abf68a79332282329286d190e21fe3ac02a31]

Ilya Dryomov (1):
libceph: verify authorize reply on connect
[5c056fdc5b474329037f2aa18401bd73033e0ce0]

J. Bruce Fields (1):
svcrpc: don't leak contexts on PROC_DESTROY
[78794d1890708cf94e3961261e52dcec2cc34722]

Jack Morgenstein (1):
net/mlx4_core: Fix racy CQ (Completion Queue) free
[291c566a28910614ce42d0ffe82196eddd6346f4]

Jan Kara (1):
fsnotify: Fix possible use-after-free in inode iteration on umount
[5716863e0f8251d3360d4cbfc0e44e08007075df]

Jeff Layton (1):
ceph: fix bad endianness handling in parse_reply_info_extra
[6df8c9d80a27cb587f61b4f06b57e248d8bc3f86]

Jeff Mahoney (1):
btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls
[2a362249187a8d0f6d942d6e1d763d150a296f47]

Jens Axboe (1):
nbd: fix use-after-free of rq/bio in the xmit path
[429a787be6793554ee02aacc7e1f11ebcecc4453]

Jeremy Linton (1):
net: sky2: Fix shutdown crash
[06ba3b2133dc203e1e9bc36cee7f0839b79a9e8b]

Jiri Slaby (1):
net: sctp, forbid negative length
[a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf]

Johan Hovold (32):
USB: ch341: forward USB errors to USB serial core
[06946a66546aedfc5192645e8fc56081441e378c]
USB: ch341: remove redundant close from open error path
[394a10331a9e43100a8ee293255cfc428c7355ac]
USB: serial: ch341: fix baud rate and line-control handling
[55fa15b5987db22b4f35d3f0798928c126be5f1c]
USB: serial: ch341: fix control-message error handling
[2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae]
USB: serial: ch341: fix initial modem-control state
[4e2da44691cffbfffb1535f478d19bc2dca3e62b]
USB: serial: ch341: fix modem-control and B0 handling
[030ee7ae52a46a2be52ccc8242c4a330aba8d38e]
USB: serial: ch341: fix open and resume after B0
[a20047f36e2f6a1eea4f1fd261aaa55882369868]
USB: serial: ch341: fix open error handling
[f2950b78547ffb8475297ada6b92bc2d774d5461]
USB: serial: ch341: fix resume after reset
[ce5e292828117d1b71cbd3edf9e9137cf31acd30]
USB: serial: cyberjack: fix NULL-deref at open
[3dca01114dcecb1cf324534cd8d75fd1306a516b]
USB: serial: garmin_gps: fix memory leak on failed URB submit
[c4ac4496e835b78a45dfbf74f6173932217e4116]
USB: serial: io_edgeport: fix NULL-deref at open
[0dd408425eb21ddf26a692b3c8044c9e7d1a7948]
USB: serial: io_ti: fix NULL-deref at open
[a323fefc6f5079844dc62ffeb54f491d0242ca35]
USB: serial: io_ti: fix another NULL-deref at open
[4f9785cc99feeb3673993b471f646b4dbaec2cc1]
USB: serial: iuu_phoenix: fix NULL-deref at open
[90507d54f712d81b74815ef3a4bbb555cd9fab2f]
USB: serial: keyspan_pda: verify endpoints at probe
[5d9b0f859babe96175cd33d7162a9463a875ffde]
USB: serial: kl5kusb105: fix open error path
[6774d5f53271d5f60464f824748995b71da401ab]
USB: serial: kobil_sct: fix NULL-deref in write
[21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09]
USB: serial: mos7720: fix NULL-deref at open
[b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc]
USB: serial: mos7720: fix parallel probe
[fde1faf872ed86d88e245191bc15a8e57368cd1c]
USB: serial: mos7720: fix parport use-after-free on probe errors
[75dd211e773afcbc264677b0749d1cf7d937ab2d]
USB: serial: mos7720: fix use-after-free on probe errors
[91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3]
USB: serial: mos7840: fix NULL-deref at open
[5c75633ef751dd4cd8f443dc35152c1ae563162e]
USB: serial: mos7840: fix misleading interrupt-URB comment
[472d7e55d559aa1cbf58c73b14fcfc4651b1a9f5]
USB: serial: omninet: fix NULL-derefs at open and disconnect
[a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e]
USB: serial: oti6858: fix NULL-deref at open
[5afeef2366db14587b65558bbfd5a067542e07fb]
USB: serial: pl2303: fix NULL-deref at open
[76ab439ed1b68778e9059c79ecc5d14de76c89a8]
USB: serial: spcp8x5: fix NULL-deref at open
[cc0909248258f679c4bb4cd315565d40abaf6bc6]
USB: serial: ti_usb_3410_5052: fix NULL-deref at open
[ef079936d3cd09e63612834fe2698eeada0d8e3f]
powerpc/ibmebus: Fix device reference leaks in sysfs interface
[fe0f3168169f7c34c29b0cf0c489f126a7f29643]
powerpc/ibmebus: Fix further device reference leaks
[815a7141c4d1b11610dccb7fcbb38633759824f2]
powerpc/pci/rpadlpar: Fix device reference leaks
[99e5cde5eae78bef95bfe7c16ccda87fb070149b]

Josef Bacik (1):
nbd: only set MSG_MORE when we have more to send
[d61b7f972dab2a7d187c38254845546dfc8eed85]

Kefeng Wang (1):
ipv6: addrconf: Avoid addrconf_disable_change() using RCU read-side lock
[03e4deff4987f79c34112c5ba4eb195d4f9382b0]

Keno Fischer (1):
mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
[8310d48b125d19fcd9521d83b8293e63eb1646aa]

Kirtika Ruchandani (1):
regmap: cache: Remove unused 'blksize' variable
[daaadbf07433b15c452b2ff411a293b2ccd98e03]

Krzysztof Kozlowski (1):
thermal: hwmon: Properly report critical temperature in sysfs
[f37fabb8643eaf8e3b613333a72f683770c85eca]

Krzysztof Opasiak (1):
usb: gadget: composite: Test get_alt() presence instead of set_alt()
[7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f]

Larry Finger (1):
ssb: Fix error routine when fallback SPROM fails
[8052d7245b6089992343c80b38b14dbbd8354651]

Leon Romanovsky (1):
net/mlx4: Remove BUG_ON from ICM allocation routine
[c1d5f8ff80ea84768f5fae1ca9d1abfbb5e6bbaa]

Lukasz Odzioba (1):
x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
[dd853fd216d1485ed3045ff772079cc8689a9a4a]

Lukáš Lalinský (1):
USB: Add quirk for WORLDE easykey.25 MIDI keyboard
[d9b2997e4a0a874e452df7cdd7de5a54502bd0aa]

Maor Gottlieb (1):
IB/mlx4: Put non zero value in max_ah device attribute
[731e0415b4af3a133d0316e4dc8ef0ea57dc3fdf]

Marcel J.E. Mol (1):
USB: serial: pl2303: add ATEN device ID
[d07830db1bdb254e4b50d366010b219286b8c937]

Marcelo Ricardo Leitner (3):
sctp: assign assoc_id earlier in __sctp_connect
[7233bc84a3aeda835d334499dc00448373caf5c0]
sctp: avoid BUG_ON on sctp_wait_for_sndbuf
[2dcab598484185dea7ec22219c76dcdd59e3cb90]
sctp: deny peeloff operation on asocs with threads sleeping on it
[dfcb9f4f99f1e9a49e43398a7bfbf56927544af1]

Marcos Paulo de Souza (1):
Input: i8042 - add Pegatron touchpad to noloop table
[41c567a5d7d1a986763e58c3394782813c3bcb03]

Mark Rutland (1):
ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
[ddc37832a1349f474c4532de381498020ed71d31]

Mathias Nyman (2):
xhci: fix deadlock at host remove by running watchdog correctly
[d6169d04097fd9ddf811e63eae4e5cd71e6666e2]
xhci: free xhci virtual devices with leaf nodes first
[ee8665e28e8d90ce69d4abe5a469c14a8707ae0e]

Mauro Carvalho Chehab (1):
[media] siano: make it work again with CONFIG_VMAP_STACK
[f9c85ee67164b37f9296eab3b754e543e4e96a1c]

Maxime Jayat (1):
net: socket: fix recvmmsg not returning error from sock_error
[e623a9e9dec29ae811d11f83d0074ba254aba374]

Michal Hocko (2):
hotplug: Make register and unregister notifier API symmetric
[777c6e0daebb3fcefbbd6f620410a946b07ef6d0]
mm, fs: check for fatal signals in do_generic_file_read()
[5abf186a30a89d5b9c18a6bf93a2c192c9fd52f6]

Michal Tesar (1):
igmp: Make igmp group member RFC 3376 compliant
[7ababb782690e03b78657e27bd051e20163af2d6]

Miklos Szeredi (1):
vfs: fix uninitialized flags in splice_to_pipe()
[5a81e6a171cdbd1fa8bc1fdd80c23d3d71816fac]

Nathaniel Quillin (1):
USB: cdc-acm: add device id for GW Instek AFG-125
[301216044e4c27d5a7323c1fa766266fad00db5e]

NeilBrown (1):
block_dev: don't test bdev->bd_contains when it is not stable
[bcc7f5b4bee8e327689a4d994022765855c807ff]

Nicolas Iooss (1):
[media] ite-cir: initialize use_demodulator before using it
[7ec03e60ef81c19b5d3a46dd070ee966774b860f]

Nicolas PLANEL (1):
USB: ch341: set tty baud speed according to tty struct
[aa91def41a7bb1fd65492934ce6bea19202b6080]

Nikolay Aleksandrov (1):
net: bridge: fix old ioctl unlocked net device walk
[31ca0458a61a502adb7ed192bf9716c6d05791a5]

Oliver Hartkopp (1):
can: bcm: fix hrtimer/tasklet termination in bcm op removal
[a06393ed03167771246c4c43192d9c264bc48412]

Ondrej Kozina (1):
dm crypt: mark key as invalid until properly loaded
[265e9098bac02bc5e36cda21fdbad34cb5b2f48d]

Pan Bian (1):
USB: serial: kl5kusb105: abort on open exception path
[3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c]

Paolo Abeni (1):
ip6_tunnel: disable caching when the traffic class is inherited
[b5c2d49544e5930c96e2632a7eece3f4325a1888]

Patrik Jakobsson (1):
drm/gma500: Add compat ioctl
[0a97c81a9717431e6c57ea845b59c3c345edce67]

Rasmus Villemoes (1):
lib/vsprintf.c: improve sanity check in vsnprintf()
[2aa2f9e21e4eb25c720b2e7d80f8929638f6ad73]

Reiter Wolfgang (2):
drop_monitor: add missing call to genlmsg_end
[4200462d88f47f3759bdf4705f87e207b0f5b2e4]
drop_monitor: consider inserted data in genlmsg_end
[3b48ab2248e61408910e792fe84d6ec466084c1a]

Richard Weinberger (1):
ubifs: Fix journal replay wrt. xattr nodes
[1cb51a15b576ee325d527726afff40947218fd5e]

Robbie Ko (1):
Btrfs: fix tree search logic when replaying directory entry deletes
[2a7bf53f577e49c43de4ffa7776056de26db65d9]

Salvatore Benedetto (1):
crypto: api - Clear CRYPTO_ALG_DEAD bit before registering an alg
[d6040764adcb5cb6de1489422411d701c158bb69]

Shmulik Ladkani (1):
net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
[d65f2fa680d6f91438461df54c83a331b3a631c9]

Soheil Hassas Yeganeh (1):
sock: fix sendmmsg for partial sendmsg
[3023898b7d4aac65987bd2f485cc22390aae6f78]

Stefan Wahren (1):
mmc: mxs-mmc: Fix additional cycles after transmission stop
[01167c7b9cbf099c69fe411a228e4e9c7104e123]

Steffen Maier (3):
scsi: zfcp: do not trace pure benign residual HBA responses at default level
[56d23ed7adf3974f10e91b643bd230e9c65b5f79]
scsi: zfcp: fix rport unblock race with LUN recovery
[6f2ce1c6af37191640ee3ff6e8fc39ea10352f4c]
scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
[2dfa6688aafdc3f74efeb1cf05fb871465d67f79]

Stephen Hemminger (1):
netvsc: reduce maximum GSO size
[a50af86dd49ee1851d1ccf06dd0019c05b95e297]

Takashi Iwai (3):
ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
[37a7ea4a9b81f6a864c10a7cb0b96458df5310a3]
ALSA: seq: Fix race at creating a queue
[4842e98f26dd80be3623c4714a244ba52ea096a8]
ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
[4763601a56f155ddf94ef35fc2c41504a2de15f5]

Theodore Ts'o (3):
ext4: add sanity checking to count_overhead()
[c48ae41bafe31e9a66d8be2ced4e42a6b57fa814]
ext4: fix in-superblock mount options processing
[5aee0f8a3f42c94c5012f1673420aee96315925a]
ext4: use more strict checks for inodes_per_block on mount
[cd6bb35bf7f6d7d922509bf50265383a0ceabe96]

Thorsten Horstmann (1):
mac80211: Fix adding of mesh vendor IEs
[da7061c82e4a1bc6a5e134ef362c86261906c860]

Tom Goff (1):
ipmr/ip6mr: Initialize the last assert time of mfc entries.
[70a0dec45174c976c64b4c8c1d0898581f759948]

Tony Lindgren (1):
usb: musb: Fix trying to free already-free IRQ 4
[8c300fe282fa254ea730c92cb0983e2642dc1fff]

Vlad Tsyrklevich (1):
i2c: fix kernel memory disclosure in dev interface
[30f939feaeee23e21391cfc7b484f012eb189c3c]

WANG Cong (3):
ping: fix a null pointer dereference
[73d2c6678e6c3af7e7a42b1e78cd0211782ade32]
sch_dsmark: update backlog as well
[bdf17661f63a79c3cb4209b970b1cc39e34f7543]
sch_htb: update backlog as well
[431e3a8e36a05a37126f34b41aa3a5a6456af04e]

Wei Fang (1):
scsi: avoid a permanent stop of the scsi device's request queue
[d2a145252c52792bc59e4767b486b26c430af4bb]

Willem de Bruijn (2):
macvtap: read vnet_hdr_size once
[837585a5375c38d40361cfe64e6fd11e1addb936]
tun: read vnet_hdr_sz once
[e1edab87faf6ca30cd137e0795bc73aa9a9a22ec]

Yang Yang (1):
futex: Move futex_init() to core_initcall
[25f71d1c3e98ef0e52371746220d66458eac75bc]

Yegor Yefremov (1):
can: ti_hecc: add missing prepare and unprepare of the clock
[befa60113ce7ea270cb51eada28443ca2756f480]

Makefile | 4 +-
arch/arm/include/asm/cputype.h | 3 +
arch/arm/kernel/hw_breakpoint.c | 16 +++
arch/arm/kernel/ptrace.c | 2 +-
arch/cris/boot/rescue/Makefile | 8 ++
arch/parisc/include/asm/bitops.h | 8 +-
arch/parisc/include/asm/bitsperlong.h | 2 -
arch/parisc/include/asm/swab.h | 5 +-
arch/powerpc/boot/ps3-head.S | 5 -
arch/powerpc/boot/ps3.c | 8 +-
arch/powerpc/include/asm/ppc-opcode.h | 6 +-
arch/powerpc/kernel/ibmebus.c | 16 ++-
arch/powerpc/kernel/ptrace.c | 7 +
arch/sparc/kernel/leon_kernel.c | 56 ++++----
arch/x86/kernel/cpu/common.c | 2 +-
arch/x86/kvm/x86.c | 17 +--
crypto/algapi.c | 1 +
drivers/ata/sata_mv.c | 3 +
drivers/base/dma-mapping.c | 4 +-
drivers/base/regmap/regcache-lzo.c | 8 +-
drivers/block/nbd.c | 34 +++--
drivers/crypto/caam/caamalg.c | 4 +-
drivers/hid/hid-cypress.c | 3 +
drivers/hwmon/ds620.c | 2 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/infiniband/core/mad.c | 2 +-
drivers/infiniband/core/multicast.c | 7 +-
drivers/infiniband/hw/mlx4/main.c | 1 +
drivers/input/serio/i8042-x86ia64io.h | 6 +
drivers/iommu/amd_iommu.c | 2 +-
drivers/md/dm-crypt.c | 7 +-
drivers/media/dvb/siano/smsusb.c | 17 ++-
drivers/media/rc/ite-cir.c | 2 +
drivers/media/video/davinci/vpfe_capture.c | 1 +
drivers/mmc/host/mxs-mmc.c | 6 +-
drivers/net/can/ti_hecc.c | 16 ++-
drivers/net/ethernet/korina.c | 8 +-
drivers/net/ethernet/marvell/sky2.c | 13 ++
drivers/net/ethernet/mellanox/mlx4/cq.c | 38 ++---
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 +-
drivers/net/ethernet/mellanox/mlx4/icm.c | 7 +-
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 10 +-
drivers/net/macvtap.c | 4 +-
drivers/net/tun.c | 20 ++-
drivers/net/usb/catc.c | 56 +++++---
drivers/net/usb/rtl8150.c | 34 ++++-
drivers/net/xen-netfront.c | 4 +-
drivers/pci/hotplug/rpadlpar_core.c | 10 +-
drivers/pci/pci.c | 4 +
drivers/platform/x86/intel_mid_powerbtn.c | 2 +-
drivers/s390/char/vmlogrdr.c | 2 +-
drivers/s390/scsi/zfcp_dbf.c | 17 ++-
drivers/s390/scsi/zfcp_dbf.h | 41 +++++-
drivers/s390/scsi/zfcp_erp.c | 61 +++++++-
drivers/s390/scsi/zfcp_ext.h | 4 +-
drivers/s390/scsi/zfcp_fsf.c | 8 +-
drivers/s390/scsi/zfcp_fsf.h | 3 +-
drivers/s390/scsi/zfcp_reqlist.h | 30 +++-
drivers/s390/scsi/zfcp_scsi.c | 61 +++++++-
drivers/scsi/mvsas/mv_94xx.c | 2 +-
drivers/scsi/scsi_sysfs.c | 4 -
drivers/scsi/sg.c | 4 +
drivers/ssb/pci.c | 1 +
drivers/staging/gma500/psb_drv.c | 3 +
drivers/staging/hv/netvsc_drv.c | 4 +
drivers/staging/iio/adc/ad7606_core.c | 2 +-
drivers/staging/vme/bridges/vme_ca91cx42.c | 2 +-
drivers/target/iscsi/iscsi_target_tpg.c | 1 -
drivers/thermal/thermal_sys.c | 2 +-
drivers/tty/sysrq.c | 4 +-
drivers/usb/class/cdc-acm.c | 1 +
drivers/usb/core/config.c | 10 ++
drivers/usb/core/quirks.c | 4 +
drivers/usb/gadget/composite.c | 14 +-
drivers/usb/gadget/dummy_hcd.c | 6 +-
drivers/usb/gadget/inode.c | 17 ++-
drivers/usb/host/uhci-pci.c | 4 +
drivers/usb/host/xhci-mem.c | 42 +++++-
drivers/usb/host/xhci-ring.c | 6 -
drivers/usb/host/xhci.c | 12 --
drivers/usb/musb/musbhsdma.h | 2 +-
drivers/usb/serial/ch341.c | 192 ++++++++++++++++----------
drivers/usb/serial/cyberjack.c | 3 +
drivers/usb/serial/garmin_gps.c | 1 +
drivers/usb/serial/io_edgeport.c | 5 +
drivers/usb/serial/io_ti.c | 16 ++-
drivers/usb/serial/iuu_phoenix.c | 5 +
drivers/usb/serial/keyspan_pda.c | 8 +-
drivers/usb/serial/kl5kusb105.c | 35 +++--
drivers/usb/serial/kobil_sct.c | 5 +
drivers/usb/serial/mos7720.c | 51 +++----
drivers/usb/serial/mos7840.c | 10 +-
drivers/usb/serial/omninet.c | 6 +
drivers/usb/serial/option.c | 7 +
drivers/usb/serial/oti6858.c | 8 ++
drivers/usb/serial/pl2303.c | 9 ++
drivers/usb/serial/pl2303.h | 1 +
drivers/usb/serial/spcp8x5.c | 7 +
drivers/usb/serial/ti_usb_3410_5052.c | 7 +
fs/block_dev.c | 2 +-
fs/btrfs/ioctl.c | 6 +-
fs/btrfs/tree-log.c | 3 +-
fs/ceph/mds_client.c | 4 +-
fs/ext4/inode.c | 6 +
fs/ext4/mballoc.c | 4 +-
fs/ext4/super.c | 64 +++++----
fs/nfs/file.c | 2 +-
fs/notify/inode_mark.c | 46 ++----
fs/ocfs2/dlmglue.c | 10 ++
fs/ocfs2/stackglue.c | 6 +
fs/ocfs2/stackglue.h | 3 +
fs/splice.c | 1 +
fs/ubifs/tnc.c | 25 +++-
fs/xfs/xfs_dfrag.c | 7 +-
include/linux/can/core.h | 7 +-
include/linux/cpu.h | 12 +-
include/linux/netdevice.h | 9 +-
include/net/cipso_ipv4.h | 4 +
include/net/sock.h | 17 ++-
ipc/shm.c | 9 +-
kernel/cpu.c | 13 +-
kernel/futex.c | 2 +-
kernel/sysctl.c | 1 +
lib/vsprintf.c | 2 +-
mm/filemap.c | 5 +
mm/huge_memory.c | 19 ++-
net/bridge/br_ioctl.c | 5 +-
net/can/af_can.c | 12 +-
net/can/af_can.h | 3 +-
net/can/bcm.c | 27 ++--
net/can/gw.c | 2 +-
net/can/raw.c | 4 +-
net/ceph/messenger.c | 13 ++
net/core/dev.c | 6 +-
net/core/drop_monitor.c | 39 ++++--
net/core/sock.c | 15 +-
net/dccp/ipv4.c | 26 ++--
net/dccp/ipv6.c | 15 +-
net/dccp/proto.c | 4 +
net/decnet/dn_route.c | 9 +-
net/ipv4/cipso_ipv4.c | 4 +
net/ipv4/igmp.c | 55 ++++++--
net/ipv4/ipmr.c | 4 +-
net/ipv4/ping.c | 2 +
net/ipv4/route.c | 12 ++
net/ipv4/tcp_output.c | 21 +--
net/ipv6/addrconf.c | 4 +-
net/ipv6/af_inet6.c | 1 +
net/ipv6/ip6_tunnel.c | 47 +++++--
net/ipv6/ip6mr.c | 1 +
net/ipv6/mcast.c | 50 ++++---
net/ipv6/raw.c | 7 +-
net/irda/irqueue.c | 34 +++--
net/l2tp/l2tp_core.h | 1 +
net/l2tp/l2tp_ip.c | 27 +++-
net/llc/llc_conn.c | 3 +
net/llc/llc_sap.c | 3 +
net/mac80211/mesh.c | 2 +-
net/packet/af_packet.c | 45 ++++--
net/sched/act_pedit.c | 24 +++-
net/sched/cls_api.c | 4 +-
net/sched/em_meta.c | 9 +-
net/sched/sch_dsmark.c | 3 +
net/sched/sch_htb.c | 5 +-
net/sctp/socket.c | 19 ++-
net/socket.c | 19 ++-
net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
scripts/kconfig/nconf.gui.c | 15 +-
sound/core/seq/seq_memory.c | 9 +-
sound/core/seq/seq_queue.c | 33 +++--
sound/usb/card.c | 1 -
sound/usb/mixer.c | 3 +-
tools/perf/util/trace-event-scripting.c | 6 +-
173 files changed, 1534 insertions(+), 671 deletions(-)

--
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.

Ben Hutchings
Mar 10, 2017, 7:30:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <cha...@linux.vnet.ibm.com>

commit 30a9d7afe70ed6bd9191d3000e2ef1a34fb58493 upstream.

The number of 'counters' elements needed in 'struct sg' is
super_block->s_blocksize_bits + 2. Presently we have 16 'counters'
elements in the array. This is insufficient for block sizes >= 32k. In
such cases the memcpy operation performed in ext4_mb_seq_groups_show()
would cause stack memory corruption.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <cha...@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Reviewed-by: Jan Kara <ja...@suse.cz>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/mballoc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2134,7 +2134,7 @@ static int ext4_mb_seq_groups_show(struc
struct ext4_buddy e4b;
struct sg {
struct ext4_group_info info;
- ext4_grpblk_t counters[16];
+ ext4_grpblk_t counters[EXT4_MAX_BLOCK_LOG_SIZE + 2];
} sg;

group--;
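Review bot: the new bound `counters[EXT4_MAX_BLOCK_LOG_SIZE + 2]` removes the overflow only if EXT4_MAX_BLOCK_LOG_SIZE really is an upper bound on s_blocksize_bits, and nothing in this hunk checks that. A BUILD_BUG_ON, or a runtime guard on s_blocksize_bits before the memcpy in ext4_mb_seq_groups_show() that the description mentions, would both document and enforce the assumption the array size now depends on.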

Ben Hutchings
Mar 10, 2017, 7:30:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <kr...@kernel.org>

commit f37fabb8643eaf8e3b613333a72f683770c85eca upstream.

In the critical sysfs entry the thermal hwmon was returning wrong
temperature to the user-space. It was reporting the temperature of the
first trip point instead of the temperature of critical trip point.

For example:
/sys/class/hwmon/hwmon0/temp1_crit:50000
/sys/class/thermal/thermal_zone0/trip_point_0_temp:50000
/sys/class/thermal/thermal_zone0/trip_point_0_type:active
/sys/class/thermal/thermal_zone0/trip_point_3_temp:120000
/sys/class/thermal/thermal_zone0/trip_point_3_type:critical

Since commit e68b16abd91d ("thermal: add hwmon sysfs I/F") the driver
has been registering a sysfs entry if the get_crit_temp() callback was
provided. However when accessed, it was calling get_trip_temp() instead
of the get_crit_temp().

Fixes: e68b16abd91d ("thermal: add hwmon sysfs I/F")
Signed-off-by: Krzysztof Kozlowski <kr...@kernel.org>
Signed-off-by: Zhang Rui <rui....@intel.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/thermal/thermal_sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thermal/thermal_sys.c
+++ b/drivers/thermal/thermal_sys.c
@@ -486,7 +486,7 @@ temp_crit_show(struct device *dev, struc
long temperature;
int ret;

- ret = tz->ops->get_trip_temp(tz, 0, &temperature);
+ ret = tz->ops->get_crit_temp(tz, &temperature);
if (ret)
return ret;

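Review bot: temp_crit_show() now calls tz->ops->get_crit_temp() with no NULL check, which is safe only because, as the description says, the temp_crit attribute is created just when that callback is provided. A one-line comment above the call recording that invariant would protect it if the registration condition is ever changed.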
Ben Hutchings
Mar 10, 2017, 7:30:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

[ Upstream commit 63117f09c768be05a0bf465911297dc76394f686 ]

Casting is a high precedence operation but "off" and "i" are in terms of
bytes so we need to have some parentheses here.

Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Acked-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/ip6_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -413,7 +413,7 @@ parse_tlv_tnl_enc_lim(struct sk_buff *sk
if (i + sizeof(*tel) > optlen)
break;

- tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
+ tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);

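Review bot: the parenthesised cast is the right fix, since without it `off + i` was scaled by sizeof(struct ipv6_tlv_tnl_enc_lim) instead of being a byte offset. Note that the check two lines above only bounds `i` against optlen and says nothing about `off`, so the caller must already have validated `off` against the packet; worth confirming that in the same pass, as the corrected arithmetic now trusts it directly.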
Ben Hutchings
Mar 10, 2017, 7:30:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

[ Upstream commit f1712c73714088a7252d276a57126d56c7d37e64 ]

Zhang Yanmin reported crashes [1] and provided a patch adding a
synchronize_rcu() call in can_rx_unregister()

The main problem seems to be that the sockets themselves are not RCU
protected.

If CAN uses RCU for delivery, then sockets should be freed only after
one RCU grace period.

Recent kernels could use sock_set_flag(sk, SOCK_RCU_FREE), but let's
ease stable backports with the following fix instead.

[1]
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81495e25>] selinux_socket_sock_rcv_skb+0x65/0x2a0

Call Trace:
<IRQ>
[<ffffffff81485d8c>] security_sock_rcv_skb+0x4c/0x60
[<ffffffff81d55771>] sk_filter+0x41/0x210
[<ffffffff81d12913>] sock_queue_rcv_skb+0x53/0x3a0
[<ffffffff81f0a2b3>] raw_rcv+0x2a3/0x3c0
[<ffffffff81f06eab>] can_rcv_filter+0x12b/0x370
[<ffffffff81f07af9>] can_receive+0xd9/0x120
[<ffffffff81f07beb>] can_rcv+0xab/0x100
[<ffffffff81d362ac>] __netif_receive_skb_core+0xd8c/0x11f0
[<ffffffff81d36734>] __netif_receive_skb+0x24/0xb0
[<ffffffff81d37f67>] process_backlog+0x127/0x280
[<ffffffff81d36f7b>] net_rx_action+0x33b/0x4f0
[<ffffffff810c88d4>] __do_softirq+0x184/0x440
[<ffffffff81f9e86c>] do_softirq_own_stack+0x1c/0x30
<EOI>
[<ffffffff810c76fb>] do_softirq.part.18+0x3b/0x40
[<ffffffff810c8bed>] do_softirq+0x1d/0x20
[<ffffffff81d30085>] netif_rx_ni+0xe5/0x110
[<ffffffff8199cc87>] slcan_receive_buf+0x507/0x520
[<ffffffff8167ef7c>] flush_to_ldisc+0x21c/0x230
[<ffffffff810e3baf>] process_one_work+0x24f/0x670
[<ffffffff810e44ed>] worker_thread+0x9d/0x6f0
[<ffffffff810e4450>] ? rescuer_thread+0x480/0x480
[<ffffffff810ebafc>] kthread+0x12c/0x150
[<ffffffff81f9ccef>] ret_from_fork+0x3f/0x70

Reported-by: Zhang Yanmin <yanmin...@intel.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
Acked-by: Oliver Hartkopp <sock...@hartkopp.net>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
include/linux/can/core.h | 7 +++----
net/can/af_can.c | 12 ++++++++++--
net/can/af_can.h | 3 ++-
net/can/bcm.c | 4 ++--
net/can/gw.c | 2 +-
net/can/raw.c | 4 ++--
6 files changed, 20 insertions(+), 12 deletions(-)

--- a/include/linux/can/core.h
+++ b/include/linux/can/core.h
@@ -45,10 +45,9 @@ struct can_proto {
extern int can_proto_register(const struct can_proto *cp);
extern void can_proto_unregister(const struct can_proto *cp);

-extern int can_rx_register(struct net_device *dev, canid_t can_id,
- canid_t mask,
- void (*func)(struct sk_buff *, void *),
- void *data, char *ident);
+int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
+ void (*func)(struct sk_buff *, void *),
+ void *data, char *ident, struct sock *sk);

extern void can_rx_unregister(struct net_device *dev, canid_t can_id,
canid_t mask,
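Review bot: `extern` is dropped from the can_rx_register() prototype while the neighbouring can_rx_unregister() declaration keeps it; either keep the header's existing style here or remove it from both declarations in the same change, so the two exported functions are not declared inconsistently.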
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -403,6 +403,7 @@ static struct hlist_head *find_rcv_list(
* @func: callback function on filter match
* @data: returned parameter for callback function
* @ident: string for calling module indentification
+ * @sk: socket pointer (might be NULL)
*
* Description:
* Invokes the callback function with the received sk_buff and the given
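Review bot: since this kernel-doc block is being touched to add the @sk line, the pre-existing typo "indentification" on the @ident line just above it could be corrected in the same hunk.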
@@ -426,7 +427,7 @@ static struct hlist_head *find_rcv_list(
*/
int can_rx_register(struct net_device *dev, canid_t can_id, canid_t mask,
void (*func)(struct sk_buff *, void *), void *data,
- char *ident)
+ char *ident, struct sock *sk)
{
struct receiver *r;
struct hlist_head *rl;
@@ -454,6 +455,7 @@ int can_rx_register(struct net_device *d
r->func = func;
r->data = data;
r->ident = ident;
+ r->sk = sk;

hlist_add_head_rcu(&r->list, rl);
d->entries++;
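Review bot: `r->sk = sk` stores the socket pointer without taking a reference, so the receiver holds a raw pointer that becomes dangling if the socket is freed before can_rx_unregister() runs; the sock_hold() is only taken later, at unregister time. The scheme therefore relies on every caller that passes a non-NULL sk unregistering its receivers before the socket is released. A comment here stating that contract would make the asymmetry visible to future callers.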
@@ -478,8 +480,11 @@ EXPORT_SYMBOL(can_rx_register);
static void can_rx_delete_receiver(struct rcu_head *rp)
{
struct receiver *r = container_of(rp, struct receiver, rcu);
+ struct sock *sk = r->sk;

kmem_cache_free(rcv_cache, r);
+ if (sk)
+ sock_put(sk);
}

/**
@@ -558,8 +563,11 @@ void can_rx_unregister(struct net_device
spin_unlock(&can_rcvlists_lock);

/* schedule the receiver item for deletion */
- if (r)
+ if (r) {
+ if (r->sk)
+ sock_hold(r->sk);
call_rcu(&r->rcu, can_rx_delete_receiver);
+ }
}
EXPORT_SYMBOL(can_rx_unregister);

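Review bot: sock_hold(r->sk) is taken after the receiver has been unlinked and after can_rcvlists_lock has been dropped, which is fine only because the caller still owns a reference to the socket at this point (the raw/bcm teardown paths do), so the refcount cannot already be zero when the hold is taken. A short comment saying that the caller's reference is what keeps sk alive here would make the ordering explicit.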
--- a/net/can/af_can.h
+++ b/net/can/af_can.h
@@ -50,13 +50,14 @@

struct receiver {
struct hlist_node list;
- struct rcu_head rcu;
canid_t can_id;
canid_t mask;
unsigned long matches;
void (*func)(struct sk_buff *, void *);
void *data;
char *ident;
+ struct sock *sk;
+ struct rcu_head rcu;
};

enum { RX_ERR, RX_ALL, RX_FIL, RX_INV, RX_EFF, RX_MAX };
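Review bot: moving `struct rcu_head rcu` from the second field to the end of struct receiver is not explained in the description. If the intent is to keep the fields read on the receive fast path (can_id, mask, func, data) together at the front of the struct, say so in a comment; otherwise the reordering is churn that makes this backport diverge from the surrounding code for no functional reason.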
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1174,7 +1174,7 @@ static int bcm_rx_setup(struct bcm_msg_h
err = can_rx_register(dev, op->can_id,
REGMASK(op->can_id),
bcm_rx_handler, op,
- "bcm");
+ "bcm", sk);

op->rx_reg_dev = dev;
dev_put(dev);
@@ -1183,7 +1183,7 @@ static int bcm_rx_setup(struct bcm_msg_h
} else
err = can_rx_register(NULL, op->can_id,
REGMASK(op->can_id),
- bcm_rx_handler, op, "bcm");
+ bcm_rx_handler, op, "bcm", sk);
if (err) {
/* this bcm rx op is broken -> remove it */
list_del(&op->list);
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -405,7 +405,7 @@ static inline int cgw_register_filter(st
{
return can_rx_register(gwj->src.dev, gwj->ccgw.filter.can_id,
gwj->ccgw.filter.can_mask, can_can_gw_rcv,
- gwj, "gw");
+ gwj, "gw", NULL);
}

static inline void cgw_unregister_filter(struct cgw_job *gwj)
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -158,7 +158,7 @@ static int raw_enable_filters(struct net
for (i = 0; i < count; i++) {
err = can_rx_register(dev, filter[i].can_id,
filter[i].can_mask,
- raw_rcv, sk, "raw");
+ raw_rcv, sk, "raw", sk);
if (err) {
/* clean up successfully registered filters */
while (--i >= 0)
@@ -179,7 +179,7 @@ static int raw_enable_errfilter(struct n

if (err_mask)
err = can_rx_register(dev, 0, err_mask | CAN_ERR_FLAG,
- raw_rcv, sk, "raw");
+ raw_rcv, sk, "raw", sk);

return err;
}

Ben Hutchings
Mar 10, 2017, 7:30:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuha...@gmail.com>

commit 1666d49e1d416fcc2cce708242a52fe3317ea8ba upstream.

This is an IPv6 version of commit 24803f38a5c0 ("igmp: do not remove igmp
souce list..."). In mld_del_delrec(), we will restore all source filter
info instead of flushing them.

Move mld_clear_delrec() from ipv6_mc_down() to ipv6_mc_destroy_dev() since
we should not remove source list info when the link is set down. Remove
igmp6_group_dropped() in ipv6_mc_destroy_dev() since we have called it in
ipv6_mc_down().

Also clear all source info after igmp6_group_dropped() instead of in it
because ipv6_mc_down() will call igmp6_group_dropped().

Signed-off-by: Hangbin Liu <liuha...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- Timer code moved around in ipv6_mc_down() is different
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv6/mcast.c | 51 ++++++++++++++++++++++++++++++---------------------
1 file changed, 30 insertions(+), 21 deletions(-)

--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -92,7 +92,7 @@ static void mld_gq_timer_expire(unsigned
static void mld_ifc_timer_expire(unsigned long data);
static void mld_ifc_event(struct inet6_dev *idev);
static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr);
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
static void mld_clear_delrec(struct inet6_dev *idev);
static int sf_setstate(struct ifmcaddr6 *pmc);
static void sf_markstate(struct ifmcaddr6 *pmc);
@@ -691,9 +691,9 @@ static void igmp6_group_dropped(struct i
dev_mc_del(dev, buf);
}

- if (mc->mca_flags & MAF_NOREPORT)
- goto done;
spin_unlock_bh(&mc->mca_lock);
+ if (mc->mca_flags & MAF_NOREPORT)
+ return;

if (!mc->idev->dead)
igmp6_leave_group(mc);
@@ -701,8 +701,6 @@ static void igmp6_group_dropped(struct i
spin_lock_bh(&mc->mca_lock);
if (del_timer(&mc->mca_timer))
atomic_dec(&mc->mca_refcnt);
-done:
- ip6_mc_clear_src(mc);
spin_unlock_bh(&mc->mca_lock);
}

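Review bot: with `ip6_mc_clear_src(mc)` removed here, igmp6_group_dropped() no longer frees the group's source lists and its callers have to do so themselves; this patch adds that call in __ipv6_dev_mc_dec() and deliberately omits it in ipv6_mc_down(). A comment on igmp6_group_dropped() saying that source-list cleanup is now the caller's responsibility would stop a later caller from leaking them.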
@@ -747,10 +745,11 @@ static void mld_add_delrec(struct inet6_
spin_unlock_bh(&idev->mc_lock);
}

-static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
+static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
{
struct ifmcaddr6 *pmc, *pmc_prev;
- struct ip6_sf_list *psf, *psf_next;
+ struct ip6_sf_list *psf;
+ struct in6_addr *pmca = &im->mca_addr;

spin_lock_bh(&idev->mc_lock);
pmc_prev = NULL;
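Review bot: `struct in6_addr *pmca = &im->mca_addr;` drops the const that the old `pmca` parameter carried; pmca is only compared against the tomb entries, so declare it `const struct in6_addr *` to keep that guarantee.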
@@ -767,14 +766,20 @@ static void mld_del_delrec(struct inet6_
}
spin_unlock_bh(&idev->mc_lock);

+ spin_lock_bh(&im->mca_lock);
if (pmc) {
- for (psf=pmc->mca_tomb; psf; psf=psf_next) {
- psf_next = psf->sf_next;
- kfree(psf);
+ im->idev = pmc->idev;
+ im->mca_crcount = idev->mc_qrv;
+ im->mca_sfmode = pmc->mca_sfmode;
+ if (pmc->mca_sfmode == MCAST_INCLUDE) {
+ im->mca_tomb = pmc->mca_tomb;
+ im->mca_sources = pmc->mca_sources;
+ for (psf = im->mca_sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = im->mca_crcount;
}
in6_dev_put(pmc->idev);
- kfree(pmc);
}
+ spin_unlock_bh(&im->mca_lock);
}

static void mld_clear_delrec(struct inet6_dev *idev)
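Review bot: `kfree(pmc)` is removed, but nothing else in this hunk frees the tomb record that was just unlinked from idev->mc_tomb. In the MCAST_INCLUDE branch only its mca_tomb and mca_sources lists are adopted by `im`, and in the other branch not even those, so the struct ifmcaddr6 itself (and, in the non-INCLUDE case, its source lists) is leaked on every restore. Either free pmc after in6_dev_put(pmc->idev), clearing the adopted list pointers first so they are not freed twice, or document where it is released.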
@@ -877,7 +882,7 @@ int ipv6_dev_mc_inc(struct net_device *d
idev->mc_list = mc;
write_unlock_bh(&idev->lock);

- mld_del_delrec(idev, &mc->mca_addr);
+ mld_del_delrec(idev, mc);
igmp6_group_added(mc);
ma_put(mc);
return 0;
@@ -898,6 +903,7 @@ int __ipv6_dev_mc_dec(struct inet6_dev *
write_unlock_bh(&idev->lock);

igmp6_group_dropped(ma);
+ ip6_mc_clear_src(ma);

ma_put(ma);
return 0;
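Review bot: `ip6_mc_clear_src(ma)` now runs without mca_lock, whereas before this patch it ran under mc->mca_lock inside igmp6_group_dropped(). ma has been unlinked from idev->mc_list by this point, but confirm that a pending mca_timer or a concurrent report walk can no longer reach its source lists, or take mca_lock around the call as the old code effectively did.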
@@ -2231,18 +2237,20 @@ void ipv6_mc_down(struct inet6_dev *idev
/* Withdraw multicast list */

read_lock_bh(&idev->lock);
+
+ for (i = idev->mc_list; i; i=i->next)
+ igmp6_group_dropped(i);
+
+ /* Should stop timer after group drop. or we will
+ * start timer again in mld_ifc_event()
+ */
idev->mc_ifc_count = 0;
if (del_timer(&idev->mc_ifc_timer))
__in6_dev_put(idev);
idev->mc_gq_running = 0;
if (del_timer(&idev->mc_gq_timer))
__in6_dev_put(idev);
-
- for (i = idev->mc_list; i; i=i->next)
- igmp6_group_dropped(i);
read_unlock_bh(&idev->lock);
-
- mld_clear_delrec(idev);
}


@@ -2255,8 +2263,10 @@ void ipv6_mc_up(struct inet6_dev *idev)
/* Install multicast list, except for all-nodes (already installed) */

read_lock_bh(&idev->lock);
- for (i = idev->mc_list; i; i=i->next)
+ for (i = idev->mc_list; i; i = i->next) {
+ mld_del_delrec(idev, i);
igmp6_group_added(i);
+ }
read_unlock_bh(&idev->lock);
}

@@ -2289,6 +2299,7 @@ void ipv6_mc_destroy_dev(struct inet6_de

/* Deactivate timers */
ipv6_mc_down(idev);
+ mld_clear_delrec(idev);

/* Delete all-nodes address. */
/* We cannot call ipv6_dev_mc_dec() directly, our caller in
@@ -2303,11 +2314,9 @@ void ipv6_mc_destroy_dev(struct inet6_de
write_lock_bh(&idev->lock);
while ((i = idev->mc_list) != NULL) {
idev->mc_list = i->next;
- write_unlock_bh(&idev->lock);

- igmp6_group_dropped(i);
+ write_unlock_bh(&idev->lock);
ma_put(i);
-
write_lock_bh(&idev->lock);
}
write_unlock_bh(&idev->lock);

Ben Hutchings
Mar 10, 2017, 7:30:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit fe0f3168169f7c34c29b0cf0c489f126a7f29643 upstream.

Make sure to drop any reference taken by bus_find_device() in the sysfs
callbacks that are used to create and destroy devices based on
device-tree entries.

Fixes: 6bccf755ff53 ("[POWERPC] ibmebus: dynamic addition/removal of adapters, some code cleanup")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/powerpc/kernel/ibmebus.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -261,6 +261,7 @@ static ssize_t ibmebus_store_probe(struc
const char *buf, size_t count)
{
struct device_node *dn = NULL;
+ struct device *dev;
char *path;
ssize_t rc = 0;

@@ -268,8 +269,10 @@ static ssize_t ibmebus_store_probe(struc
if (!path)
return -ENOMEM;

- if (bus_find_device(&ibmebus_bus_type, NULL, path,
- ibmebus_match_path)) {
+ dev = bus_find_device(&ibmebus_bus_type, NULL, path,
+ ibmebus_match_path);
+ if (dev) {
+ put_device(dev);
printk(KERN_WARNING "%s: %s has already been probed\n",
__func__, path);
rc = -EEXIST;
@@ -305,6 +308,7 @@ static ssize_t ibmebus_store_remove(stru
if ((dev = bus_find_device(&ibmebus_bus_type, NULL, path,
ibmebus_match_path))) {
of_device_unregister(to_platform_device(dev));
+ put_device(dev);

kfree(path);
return count;

Ben Hutchings
Mar 10, 2017, 7:30:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ondrej Kozina <oko...@redhat.com>

commit 265e9098bac02bc5e36cda21fdbad34cb5b2f48d upstream.

In crypt_set_key(), if a failure occurs while replacing the old key
(e.g. tfm->setkey() fails) the key must not have DM_CRYPT_KEY_VALID flag
set. Otherwise, the crypto layer would have an invalid key that still
has DM_CRYPT_KEY_VALID flag set.

Signed-off-by: Ondrej Kozina <oko...@redhat.com>
Reviewed-by: Mikulas Patocka <mpat...@redhat.com>
Signed-off-by: Mike Snitzer <sni...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/md/dm-crypt.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1322,12 +1322,15 @@ static int crypt_set_key(struct crypt_co
if (!cc->key_size && strcmp(key, "-"))
goto out;

+ /* clear the flag since following operations may invalidate previously valid key */
+ clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
+
if (cc->key_size && crypt_decode_key(cc->key, key, cc->key_size) < 0)
goto out;

- set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
-
r = crypt_setkey_allcpus(cc);
+ if (!r)
+ set_bit(DM_CRYPT_KEY_VALID, &cc->flags);

out:
/* Hex key string not needed after here, so wipe it. */
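Review bot: after this change a failure in crypt_decode_key() leaves the flag clear but may leave a partially decoded key in cc->key, and a failure in crypt_setkey_allcpus() leaves the fully decoded but rejected key there with the flag clear. Since the `out:` path already wipes the hex string, consider also wiping cc->key on those failure paths so rejected key material does not linger in memory.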

Ben Hutchings
Mar 10, 2017, 7:30:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 6496ebd7edf446fccf8266a1a70ffcb64252593e upstream.

On some systems, the firmware does not allow certain PCI devices to be put
in deep D-states. This can cause problems for wakeup signalling, if the
device does not support PME# in the deepest allowed suspend state. For
example, Pierre reports that on his system, ACPI does not permit his xHCI
host controller to go into D3 during runtime suspend -- but D3 is the only
state in which the controller can generate PME# signals. As a result, the
controller goes into runtime suspend but never wakes up, so it doesn't work
properly. USB devices plugged into the controller are never detected.

If the device relies on PME# for wakeup signals but is not capable of
generating PME# in the target state, the PCI core should accurately report
that it cannot do wakeup from runtime suspend. This patch modifies the
pci_dev_run_wake() routine to add this check.

Reported-by: Pierre de Villemereuil <fl...@mailoo.org>
Tested-by: Pierre de Villemereuil <fl...@mailoo.org>
Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Bjorn Helgaas <bhel...@google.com>
Acked-by: Rafael J. Wysocki <rafael.j...@intel.com>
CC: Lukas Wunner <lu...@wunner.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/pci/pci.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1763,6 +1763,10 @@ bool pci_dev_run_wake(struct pci_dev *de
if (!dev->pme_support)
return false;

+ /* PME-capable in principle, but not from the intended sleep state */
+ if (!pci_pme_capable(dev, pci_target_state(dev)))
+ return false;
+
while (bus->parent) {
struct pci_dev *bridge = bus->self;

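Review bot: `pci_target_state(dev)` is evaluated here for the check but its result is not the one used when the device is actually suspended; a short comment stating that the target state is expected to be stable between this check and the suspend would make that assumption explicit. The check itself matches the message: PME# that cannot be asserted from the target state is not usable for runtime wakeup, so reporting `false` is correct.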
Ben Hutchings
Mar 10, 2017, 7:30:13 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 6774d5f53271d5f60464f824748995b71da401ab upstream.

Kill urbs and disable read before returning from open on failure to
retrieve the line state.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: replaced code was using dbg()]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/kl5kusb105.c | 33 ++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -338,7 +338,7 @@ static int klsi_105_open(struct tty_str
rc = usb_serial_generic_open(tty, port);
if (rc) {
retval = rc;
- goto exit;
+ goto err_free_cfg;
}

rc = usb_control_msg(port->serial->dev,
@@ -357,17 +357,32 @@ static int klsi_105_open(struct tty_str
dbg("%s - enabled reading", __func__);

rc = klsi_105_get_line_state(port, &line_state);
- if (rc >= 0) {
- spin_lock_irqsave(&priv->lock, flags);
- priv->line_state = line_state;
- spin_unlock_irqrestore(&priv->lock, flags);
- dbg("%s - read line state 0x%lx", __func__, line_state);
- retval = 0;
- } else
+ if (rc < 0) {
retval = rc;
+ goto err_disable_read;
+ }
+
+ spin_lock_irqsave(&priv->lock, flags);
+ priv->line_state = line_state;
+ spin_unlock_irqrestore(&priv->lock, flags);
+ dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__,
+ line_state);
+
+ return 0;

-exit:
+err_disable_read:
+ usb_control_msg(port->serial->dev,
+ usb_sndctrlpipe(port->serial->dev, 0),
+ KL5KUSB105A_SIO_CONFIGURE,
+ USB_TYPE_VENDOR | USB_DIR_OUT,
+ KL5KUSB105A_SIO_CONFIGURE_READ_OFF,
+ 0, /* index */
+ NULL, 0,
+ KLSI_TIMEOUT);
+ usb_serial_generic_close(port);
+err_free_cfg:
kfree(cfg);
+
return retval;
}
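Review bot: the `err_disable_read` unwind discards the `usb_control_msg()` return value; that is acceptable for a cleanup path, but a `dev_err()` when the READ_OFF request fails would make a device left with reading enabled diagnosable. The unwind order (disable read, then `usb_serial_generic_close()`, then `kfree(cfg)`) correctly reverses the setup order in the success path, and the first hunk's `goto err_free_cfg` is consistent with it.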

Ben Hutchings
Mar 10, 2017, 7:40:04 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuha...@gmail.com>

commit 9c8bb163ae784be4f79ae504e78c862806087c54 upstream.

In function igmpv3/mld_add_delrec() we allocate pmc and put it in
idev->mc_tomb, so we should free it when we don't need it in del_delrec().
But I removed kfree(pmc) incorrectly in latest two patches. Now fix it.

Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when ...")
Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when ...")
Reported-by: Daniel Borkmann <dan...@iogearbox.net>
Signed-off-by: Hangbin Liu <liuha...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv4/igmp.c | 1 +
net/ipv6/mcast.c | 1 +
2 files changed, 2 insertions(+)

--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1118,6 +1118,7 @@ static void igmpv3_del_delrec(struct in_
psf->sf_crcount = im->crcount;
}
in_dev_put(pmc->interface);
+ kfree(pmc);
}
spin_unlock_bh(&im->lock);
}
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -778,6 +778,7 @@ static void mld_del_delrec(struct inet6_
psf->sf_crcount = im->mca_crcount;
}
in6_dev_put(pmc->idev);
+ kfree(pmc);
}
spin_unlock_bh(&im->mca_lock);
}

Ben Hutchings
Mar 10, 2017, 7:40:04 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chandan Rajendra <cha...@linux.vnet.ibm.com>

commit 69e43e8cc971a79dd1ee5d4343d8e63f82725123 upstream.

'border' variable is set to a value of 2 times the block size of the
underlying filesystem. With 64k block size, the resulting value won't
fit into a 16-bit variable. Hence this commit changes the data type of
'border' to 'unsigned int'.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <cha...@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Reviewed-by: Andreas Dilger <adi...@dilger.ca>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/mballoc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -652,7 +652,7 @@ static void ext4_mb_mark_free_simple(str
ext4_grpblk_t min;
ext4_grpblk_t max;
ext4_grpblk_t chunk;
- unsigned short border;
+ unsigned int border;

BUG_ON(len > EXT4_CLUSTERS_PER_GROUP(sb));
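Review bot: a one-line comment at the declaration explaining why `border` must be wider than 16 bits (it holds twice the block size, 131072 with 64k blocks) would stop someone narrowing it again; alternatively declare it `ext4_grpblk_t` like the neighbouring `min`, `max` and `chunk` locals so every value in this function shares one type.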

Ben Hutchings
Mar 10, 2017, 7:40:04 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

This reverts commit bc48f6f5a8c6d628a1af649306eaf906493bb986, which was
commit 9dbe6cf941a6fe82933aef565e4095fb10f65023 upstream. It depends on
several other large commits to work, and without them causes a regression.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1408333
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Cc: Eric Wheeler <k...@lists.ewheeler.net>
---
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -843,8 +843,7 @@ static u32 msrs_to_save[] = {
#ifdef CONFIG_X86_64
MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
#endif
- MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
- MSR_TSC_AUX,
+ MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA
};

static unsigned num_msrs_to_save;
@@ -3882,20 +3881,6 @@ static void kvm_init_msr_list(void)
for (i = j = KVM_SAVE_MSRS_BEGIN; i < ARRAY_SIZE(msrs_to_save); i++) {
if (rdmsr_safe(msrs_to_save[i], &dummy[0], &dummy[1]) < 0)
continue;
-
- /*
- * Even MSRs that are valid in the host may not be exposed
- * to the guests in some cases.
- */
- switch (msrs_to_save[i]) {
- case MSR_TSC_AUX:
- if (!kvm_x86_ops->rdtscp_supported())
- continue;
- break;
- default:
- break;
- }
-
if (j < i)
msrs_to_save[j] = msrs_to_save[i];
j++;
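Review bot: the commit message should name the "several other large commits" the reverted change depends on; without that, a future backporter may reapply 9dbe6cf941a6 and hit the same regression. The hunks themselves are a faithful reversal: `MSR_TSC_AUX` is dropped from `msrs_to_save` and the `rdtscp_supported()` filter in `kvm_init_msr_list()` is removed, leaving the `rdmsr_safe()` probe as the only filter, as it was before.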

Ben Hutchings
Mar 10, 2017, 7:40:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit d3d83ee20afda16ad0133ba00f63c11a8d842a35 upstream.

A recent cleanup had the right idea to remove the initialization
of the error variable, but missed the actual benefit of that,
which is that we get warnings if there is a bug in it. Now
we get a warning about a bug that was introduced by this cleanup:

drivers/media/platform/davinci/vpfe_capture.c: In function 'vpfe_probe':
drivers/media/platform/davinci/vpfe_capture.c:1992:9: error: 'ret' may be used uninitialized in this function [-Werror=maybe-uninitialized]

This adds the missing initialization that the warning is about,
and another one that was preexisting and that we did not get
a warning for. That second bug has existed since the driver
was first added.

Fixes: efb74461f5a6 ("[media] DaVinci-VPFE-Capture: Delete an unnecessary variable initialisation in vpfe_probe()")
Fixes: 7da8a6cb3e5b ("V4L/DVB (12248): v4l: vpfe capture bridge driver for DM355 and DM6446")

[mch...@s-opensource.com: fix a merge conflict]
Signed-off-by: Arnd Bergmann <ar...@arndb.de>

Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/media/video/davinci/vpfe_capture.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/media/video/davinci/vpfe_capture.c
+++ b/drivers/media/video/davinci/vpfe_capture.c
@@ -2002,6 +2002,7 @@ static __init int vpfe_probe(struct plat
v4l2_info(&vpfe_dev->v4l2_dev,
"v4l2 sub device %s register fails\n",
sdinfo->name);
+ ret = -ENXIO;
goto probe_sd_out;
}
}
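Review bot: the message describes two added initializations but the backport carries a single `ret = -ENXIO;` insertion; the `[bwh: ...]` note should say that the other one is not needed in 3.2 (presumably because the efb74461 cleanup it fixes is not in this tree), so reviewers do not have to check that themselves.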

Ben Hutchings
Mar 10, 2017, 7:40:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit c95a9f83711bf53faeb4ed9bbb63a3f065613dfb upstream.

We normally use the passed in gfp flags for allocations, it's just these
two which were missed.

Fixes: 22d45f01a836 ("usb/xhci: replace pci_*_consistent() with dma_*_coherent()")
Cc: Mathias Nyman <mathia...@intel.com>
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Acked-by: Sebastian Andrzej Siewior <big...@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/host/xhci-mem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2234,7 +2234,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
* "physically contiguous and 64-byte (cache line) aligned".
*/
xhci->dcbaa = dma_alloc_coherent(dev, sizeof(*xhci->dcbaa), &dma,
- GFP_KERNEL);
+ flags);
if (!xhci->dcbaa)
goto fail;
memset(xhci->dcbaa, 0, sizeof *(xhci->dcbaa));
@@ -2315,7 +2315,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,

xhci->erst.entries = dma_alloc_coherent(dev,
sizeof(struct xhci_erst_entry) * ERST_NUM_SEGS, &dma,
- GFP_KERNEL);
+ flags);
if (!xhci->erst.entries)
goto fail;
xhci_dbg(xhci, "// Allocated event ring segment table at 0x%llx\n",

Ben Hutchings
Mar 10, 2017, 7:40:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <her...@gondor.apana.org.au>

commit 2eb783c43e7cf807a45899c10ed556b6dc116625 upstream.

We set the flag TUN_PKT_STRIP if the user buffer provided is too
small to contain the entire packet plus meta-data. However, this
has been broken ever since we added GSO meta-data. VLAN acceleration
also has the same problem.

This patch fixes this by taking both into account when setting the
TUN_PKT_STRIP flag.

The fact that this has been broken for six years without anyone
realising means that nobody actually uses this flag.

Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2:
- No VLAN acceleration support
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/tun.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -767,12 +767,16 @@ static ssize_t tun_put_user(struct tun_s
{
struct tun_pi pi = { 0, skb->protocol };
ssize_t total = 0;
+ int vnet_hdr_sz = 0;
+
+ if (tun->flags & TUN_VNET_HDR)
+ vnet_hdr_sz = tun->vnet_hdr_sz;

if (!(tun->flags & TUN_NO_PI)) {
if ((len -= sizeof(pi)) < 0)
return -EINVAL;

- if (len < skb->len) {
+ if (len < skb->len + vnet_hdr_sz) {
/* Packet will be striped */
pi.flags |= TUN_PKT_STRIP;
}
@@ -782,9 +786,9 @@ static ssize_t tun_put_user(struct tun_s
total += sizeof(pi);
}

- if (tun->flags & TUN_VNET_HDR) {
+ if (vnet_hdr_sz) {
struct virtio_net_hdr gso = { 0 }; /* no info leak */
- if ((len -= tun->vnet_hdr_sz) < 0)
+ if ((len -= vnet_hdr_sz) < 0)
return -EINVAL;

if (skb_is_gso(skb)) {
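Review bot: `if (vnet_hdr_sz)` replaces the `tun->flags & TUN_VNET_HDR` test, so the virtio header path now also depends on `tun->vnet_hdr_sz` being non-zero whenever the flag is set; if that size can ever be configured to zero with the flag on, the header would be silently skipped where it was previously written. A comment on the `vnet_hdr_sz` local stating that invariant would help. The strip calculation `len < skb->len + vnet_hdr_sz` in the first hunk is what the message asks for.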
@@ -827,7 +831,7 @@ static ssize_t tun_put_user(struct tun_s
if (unlikely(memcpy_toiovecend(iv, (void *)&gso, total,
sizeof(gso))))
return -EFAULT;
- total += tun->vnet_hdr_sz;
+ total += vnet_hdr_sz;
}

len = min_t(int, skb->len, len);

Ben Hutchings
Mar 10, 2017, 7:40:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <ar...@arndb.de>

commit af15769ffab13d777e55fdef09d0762bf0c249c4 upstream.

gcc-7 notices that the condition in mvs_94xx_command_active looks
suspicious:

drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active':
drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]

This was introduced when the mv_printk() statement got added, and leads
to the condition being ignored. This is probably harmless.

Changing '&&' to '&' makes the code look reasonable, as we check the
command bit before setting and printing it.

Fixes: a4632aae8b66 ("[SCSI] mvsas: Add new macros and functions")
Signed-off-by: Arnd Bergmann <ar...@arndb.de>
Reviewed-by: Johannes Thumshirn <jthum...@suse.de>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/scsi/mvsas/mv_94xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/mvsas/mv_94xx.c
+++ b/drivers/scsi/mvsas/mv_94xx.c
@@ -622,7 +622,7 @@ static void mvs_94xx_command_active(stru
{
u32 tmp;
tmp = mvs_cr32(mvi, MVS_COMMAND_ACTIVE+(slot_idx >> 3));
- if (tmp && 1 << (slot_idx % 32)) {
+ if (tmp & 1 << (slot_idx % 32)) {
mv_printk("command active %08X, slot [%x].\n", tmp, slot_idx);
mvs_cw32(mvi, MVS_COMMAND_ACTIVE + (slot_idx >> 3),
1 << (slot_idx % 32));
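Review bot: `tmp & 1 << (slot_idx % 32)` is correct only because `<<` binds tighter than `&`; writing it as `tmp & (1 << (slot_idx % 32))`, matching the explicit form already passed to `mvs_cw32()` two lines below, saves the next reader (and the compiler's precedence warnings) from having to reason about it.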

Ben Hutchings
Mar 10, 2017, 7:50:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 99e5cde5eae78bef95bfe7c16ccda87fb070149b upstream.

Make sure to drop any device reference taken by vio_find_node() when
adding and removing virtual I/O slots.

Fixes: 5eeb8c63a38f ("[PATCH] PCI Hotplug: rpaphp: Move VIO registration")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/pci/hotplug/rpadlpar_core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/pci/hotplug/rpadlpar_core.c
+++ b/drivers/pci/hotplug/rpadlpar_core.c
@@ -259,8 +259,13 @@ static int dlpar_add_phb(char *drc_name,

static int dlpar_add_vio_slot(char *drc_name, struct device_node *dn)
{
- if (vio_find_node(dn))
+ struct vio_dev *vio_dev;
+
+ vio_dev = vio_find_node(dn);
+ if (vio_dev) {
+ put_device(&vio_dev->dev);
return -EINVAL;
+ }

if (!vio_register_device_node(dn)) {
printk(KERN_ERR
@@ -336,6 +341,9 @@ static int dlpar_remove_vio_slot(char *d
return -EINVAL;

vio_unregister_device(vio_dev);
+
+ put_device(&vio_dev->dev);
+
return 0;
}

Ben Hutchings
Mar 10, 2017, 7:50:05 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit 8b74d439e1697110c5e5c600643e823eb1dd0762 upstream.

It seems nobody used LLC since linux-3.12.

Fortunately fuzzers like syzkaller still know how to run this code,
otherwise it would be no fun.

Setting skb->sk without skb->destructor leads to all kinds of
bugs, we now prefer to be very strict about it.

Ideally here we would use skb_set_owner() but this helper does not exist yet,
only CAN seems to have a private helper for that.

Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/llc/llc_conn.c | 3 +++
net/llc/llc_sap.c | 3 +++
2 files changed, 6 insertions(+)

--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sa
* another trick required to cope with how the PROCOM state
* machine works. -acme
*/
+ skb_orphan(skb);
+ sock_hold(sk);
skb->sk = sk;
+ skb->destructor = sock_efree;
}
if (!sock_owned_by_user(sk))
llc_conn_rcv(sk, skb);
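Review bot: `sock_hold(sk)` is balanced by `sock_efree`, which drops the reference when the skb is freed, and `skb_orphan()` first releases any previous owner; that is correct, but the existing comment above only explains the PROCOM state-machine trick, so add a line saying the destructor owns the reference taken here. The same three lines are repeated in `llc_sap_rcv()` in the next hunk; a small helper would keep the two paths from drifting apart.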
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -294,7 +294,10 @@ static void llc_sap_rcv(struct llc_sap *

ev->type = LLC_SAP_EV_TYPE_PDU;
ev->reason = 0;
+ skb_orphan(skb);
+ sock_hold(sk);
skb->sk = sk;
+ skb->destructor = sock_efree;
llc_sap_state_process(sap, skb);
}

Guenter Roeck
Mar 10, 2017, 7:50:05 AM
On 03/10/2017 03:46 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.2.87 release.
> There are 199 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Mar 15 00:00:00 UTC 2017.
> Anything received after that time might be too late.
>

Build results:
total: 89 pass: 89 fail: 0
Qemu test results:
total: 69 pass: 69 fail: 0

Details are available at http://kerneltests.org/builders/

Guenter

Ben Hutchings
Mar 10, 2017, 7:50:06 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eva Rachel Retuya <erar...@gmail.com>

commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream.

The oversampling ratio is controlled using the oversampling pins,
OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
bit.

The gpio connected to the OS2 pin is not being set correctly, only OS0
and OS1 pins are being set. Fix the typo to allow proper control of the
oversampling pins.

Signed-off-by: Eva Rachel Retuya <erar...@gmail.com>
Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
Acked-by: Lars-Peter Clausen <la...@metafoo.de>
Signed-off-by: Jonathan Cameron <ji...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/staging/iio/adc/ad7606_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/adc/ad7606_core.c
+++ b/drivers/staging/iio/adc/ad7606_core.c
@@ -185,7 +185,7 @@ static ssize_t ad7606_store_oversampling
mutex_lock(&indio_dev->mlock);
gpio_set_value(st->pdata->gpio_os0, (ret >> 0) & 1);
gpio_set_value(st->pdata->gpio_os1, (ret >> 1) & 1);
- gpio_set_value(st->pdata->gpio_os1, (ret >> 2) & 1);
+ gpio_set_value(st->pdata->gpio_os2, (ret >> 2) & 1);
st->oversampling = lval;
mutex_unlock(&indio_dev->mlock);

Ben Hutchings
Mar 10, 2017, 7:50:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <ty...@mit.edu>

commit 5aee0f8a3f42c94c5012f1673420aee96315925a upstream.

Fix a large number of problems with how we handle mount options in the
superblock. For one, if the string in the superblock is long enough
that it is not null terminated, we could run off the end of the string
and try to interpret superblocks fields as characters. It's unlikely
this will cause a security problem, but it could result in an invalid
parse. Also, parse_options is destructive to the string, so in some
cases if there is a comma-separated string, it would be modified in
the superblock. (Fortunately it only happens on file systems with a
1k block size.)

Signed-off-by: Theodore Ts'o <ty...@mit.edu>
[bwh: Backported to 3.2: adjust context, indentation]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ext4/super.c | 38 +++++++++++++++++++++++---------------
1 file changed, 23 insertions(+), 15 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3240,7 +3240,7 @@ static int ext4_fill_super(struct super_
char *orig_data = kstrdup(data, GFP_KERNEL);
struct buffer_head *bh;
struct ext4_super_block *es = NULL;
- struct ext4_sb_info *sbi;
+ struct ext4_sb_info *sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
ext4_fsblk_t block;
ext4_fsblk_t sb_block = get_sb_block(&data);
ext4_fsblk_t logical_sb_block;
@@ -3260,16 +3260,14 @@ static int ext4_fill_super(struct super_
unsigned int journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
ext4_group_t first_not_zeroed;

- sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
- if (!sbi)
- goto out_free_orig;
+ if ((data && !orig_data) || !sbi)
+ goto out_free_base;

sbi->s_blockgroup_lock =
kzalloc(sizeof(struct blockgroup_lock), GFP_KERNEL);
- if (!sbi->s_blockgroup_lock) {
- kfree(sbi);
- goto out_free_orig;
- }
+ if (!sbi->s_blockgroup_lock)
+ goto out_free_base;
+
sb->s_fs_info = sbi;
sbi->s_mount_opt = 0;
sbi->s_resuid = EXT4_DEF_RESUID;
@@ -3378,11 +3376,19 @@ static int ext4_fill_super(struct super_
*/
sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT;

- if (!parse_options((char *) sbi->s_es->s_mount_opts, sb,
- &journal_devnum, &journal_ioprio, NULL, 0)) {
- ext4_msg(sb, KERN_WARNING,
- "failed to parse options in superblock: %s",
- sbi->s_es->s_mount_opts);
+ if (sbi->s_es->s_mount_opts[0]) {
+ char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+ sizeof(sbi->s_es->s_mount_opts),
+ GFP_KERNEL);
+ if (!s_mount_opts)
+ goto failed_mount;
+ if (!parse_options(s_mount_opts, sb, &journal_devnum,
+ &journal_ioprio, NULL, 0)) {
+ ext4_msg(sb, KERN_WARNING,
+ "failed to parse options in superblock: %s",
+ s_mount_opts);
+ }
+ kfree(s_mount_opts);
}
if (!parse_options((char *) data, sb, &journal_devnum,
&journal_ioprio, NULL, 0))
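Review bot: on `!s_mount_opts` the code jumps to `failed_mount` without assigning `ret`; the visible lines do not show whether `ret` already holds -ENOMEM at that point, so confirm the error code returned on that path. Otherwise the `kstrndup()` bounded by `sizeof(sbi->s_es->s_mount_opts)` addresses the unterminated-string case and keeps `parse_options()` from mutating the superblock buffer, and the `%.*s` format in the later hunk applies the same bound when logging.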
@@ -3978,7 +3984,9 @@ no_journal:
descr = "out journal";

ext4_msg(sb, KERN_INFO, "mounted filesystem with%s. "
- "Opts: %s%s%s", descr, sbi->s_es->s_mount_opts,
+ "Opts: %.*s%s%s", descr,
+ (int) sizeof(sbi->s_es->s_mount_opts),
+ sbi->s_es->s_mount_opts,
*sbi->s_es->s_mount_opts ? "; " : "", orig_data);

if (es->s_error_count)
@@ -4036,8 +4044,8 @@ failed_mount:
out_fail:
sb->s_fs_info = NULL;
kfree(sbi->s_blockgroup_lock);
+out_free_base:
kfree(sbi);
-out_free_orig:
kfree(orig_data);
return ret;
}

Ben Hutchings
Mar 10, 2017, 7:50:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <ac...@redhat.com>

commit cf346d5bd4b9d61656df2f72565c9b354ef3ca0d upstream.

Both register_perl_scripting() and register_python_scripting() allocate
this variable, fix it by checking if it already was.

Cc: Adrian Hunter <adrian...@intel.com>
Cc: David Ahern <dsa...@gmail.com>
Cc: Frederic Weisbecker <fwei...@gmail.com>
Cc: Jiri Olsa <jo...@kernel.org>
Cc: Namhyung Kim <namh...@kernel.org>
Cc: Tom Zanussi <tzan...@gmail.com>
Cc: Wang Nan <wang...@huawei.com>
Fixes: 7e4b21b84c43 ("perf/scripts: Add Python scripting engine")
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
tools/perf/util/trace-event-scripting.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/tools/perf/util/trace-event-scripting.c
+++ b/tools/perf/util/trace-event-scripting.c
@@ -88,7 +88,8 @@ static void register_python_scripting(st
if (err)
die("error registering py script extension");

- scripting_context = malloc(sizeof(struct scripting_context));
+ if (scripting_context == NULL)
+ scripting_context = malloc(sizeof(*scripting_context));
}

#ifdef NO_LIBPYTHON
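Review bot: the guard removes the double allocation, but the `malloc()` result is still unchecked here and in the identical `register_perl_scripting()` hunk below, so a NULL `scripting_context` would be dereferenced later; calling `die()` on allocation failure, as is already done for the extension registration error two lines above, would be consistent with the surrounding error handling.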
@@ -149,7 +150,8 @@ static void register_perl_scripting(stru
if (err)
die("error registering pl script extension");

- scripting_context = malloc(sizeof(struct scripting_context));
+ if (scripting_context == NULL)
+ scripting_context = malloc(sizeof(*scripting_context));
}

#ifdef NO_LIBPERL

Ben Hutchings
Mar 10, 2017, 7:50:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

commit d41149145f98fe26dcd0bfd1d6cc095e6e041418 upstream.

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Signed-off-by: David S. Miller <da...@davemloft.net>
---
drivers/net/usb/catc.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)

--- a/drivers/net/usb/catc.c
+++ b/drivers/net/usb/catc.c
@@ -765,7 +765,7 @@ static int catc_probe(struct usb_interfa
struct net_device *netdev;
struct catc *catc;
u8 broadcast[6];
- int i, pktsz;
+ int i, pktsz, ret;

if (usb_set_interface(usbdev,
intf->altsetting->desc.bInterfaceNumber, 1)) {
@@ -800,12 +800,8 @@ static int catc_probe(struct usb_interfa
if ((!catc->ctrl_urb) || (!catc->tx_urb) ||
(!catc->rx_urb) || (!catc->irq_urb)) {
err("No free urbs available.");
- usb_free_urb(catc->ctrl_urb);
- usb_free_urb(catc->tx_urb);
- usb_free_urb(catc->rx_urb);
- usb_free_urb(catc->irq_urb);
- free_netdev(netdev);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto fail_free;
}

/* The F5U011 has the same vendor/product as the netmate but a device version of 0x130 */
@@ -902,16 +898,21 @@ static int catc_probe(struct usb_interfa
usb_set_intfdata(intf, catc);

SET_NETDEV_DEV(netdev, &intf->dev);
- if (register_netdev(netdev) != 0) {
- usb_set_intfdata(intf, NULL);
- usb_free_urb(catc->ctrl_urb);
- usb_free_urb(catc->tx_urb);
- usb_free_urb(catc->rx_urb);
- usb_free_urb(catc->irq_urb);
- free_netdev(netdev);
- return -EIO;
- }
+ ret = register_netdev(netdev);
+ if (ret)
+ goto fail_clear_intfdata;
+
return 0;
+
+fail_clear_intfdata:
+ usb_set_intfdata(intf, NULL);
+fail_free:
+ usb_free_urb(catc->ctrl_urb);
+ usb_free_urb(catc->tx_urb);
+ usb_free_urb(catc->rx_urb);
+ usb_free_urb(catc->irq_urb);
+ free_netdev(netdev);
+ return ret;
}

static void catc_disconnect(struct usb_interface *intf)
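Review bot: the `register_netdev()` failure path now returns the function's own error code rather than a fixed `-EIO`, a small behaviour change that the commit message, which currently has no body, should mention along with the motivation for consolidating the unwind. The unified `fail_clear_intfdata`/`fail_free` labels free the same four URBs and the netdev that both removed blocks freed, so nothing is leaked or double-freed.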

Ben Hutchings
Mar 10, 2017, 7:50:08 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <bfi...@redhat.com>

commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.

Context expiry times are in units of seconds since boot, not unix time.

The use of get_seconds() here therefore sets the expiry time decades in
the future. This prevents timely freeing of contexts destroyed by
client RPC_GSS_PROC_DESTROY requests. We'd still free them eventually
(when the module is unloaded or the container shut down), but a lot of
contexts could pile up before then.

Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
Reported-by: Andy Adamson <and...@netapp.com>
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1151,7 +1151,7 @@ svcauth_gss_accept(struct svc_rqst *rqst
case RPC_GSS_PROC_DESTROY:
if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
goto auth_err;
- rsci->h.expiry_time = get_seconds();
+ rsci->h.expiry_time = seconds_since_boot();
set_bit(CACHE_NEGATIVE, &rsci->h.flags);
if (resv->iov_len + 4 > PAGE_SIZE)
goto drop;

Ben Hutchings
Mar 10, 2017, 7:50:09 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathia...@linux.intel.com>

commit d6169d04097fd9ddf811e63eae4e5cd71e6666e2 upstream.

If a URB is killed while the host is removed we can end up in a situation
where the hub thread takes the roothub device lock, and waits for
the URB to be given back by xhci-hcd, blocking the host remove code.

xhci-hcd tries to stop the endpoint and give back the urb, but can't
as the host is removed from PCI bus at the same time, preventing the normal
way of giving back urb.

Instead we need to rely on the stop command timeout function to give back
the urb. This xhci_stop_endpoint_command_watchdog() timeout function
used a XHCI_STATE_DYING flag to indicate if the timeout function is already
running, but later this flag has been taken into use in other places to
mark that xhci is dying.

Remove checks for XHCI_STATE_DYING in xhci_urb_dequeue. We are still
checking that reading from pci state does not return 0xffffffff or that
host is not halted before trying to stop the endpoint.

This whole area of stopping endpoints, giving back URBs, and the watchdog
timeout need rework, this fix focuses on solving a specific deadlock
issue that we can then send to stable before any major rework.

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
[bwh: Backported to 3.2: the checks look slightly different]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/host/xhci-ring.c | 11 -----------
drivers/usb/host/xhci.c | 13 -------------
2 files changed, 24 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -969,12 +969,6 @@ void xhci_stop_endpoint_command_watchdog
spin_lock_irqsave(&xhci->lock, flags);

ep->stop_cmds_pending--;
- if (xhci->xhc_state & XHCI_STATE_DYING) {
- xhci_dbg(xhci, "Stop EP timer ran, but another timer marked "
- "xHCI as DYING, exiting.\n");
- spin_unlock_irqrestore(&xhci->lock, flags);
- return;
- }
if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) {
xhci_dbg(xhci, "Stop EP timer ran, but no command pending, "
"exiting.\n");
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1549,18 +1549,6 @@ int xhci_urb_dequeue(struct usb_hcd *hcd
xhci_urb_free_priv(xhci, urb_priv);
return ret;
}
- if ((xhci->xhc_state & XHCI_STATE_DYING) ||
- (xhci->xhc_state & XHCI_STATE_HALTED)) {
- xhci_dbg(xhci, "Ep 0x%x: URB %p to be canceled on "
- "non-responsive xHCI host.\n",
- urb->ep->desc.bEndpointAddress, urb);
- /* Let the stop endpoint command watchdog timer (which set this
- * state) finish cleaning up the endpoint TD lists. We must
- * have caught it in the middle of dropping a lock and giving
- * back an URB.
- */
- goto done;
- }

xhci_dbg(xhci, "Cancel URB %p\n", urb);
xhci_dbg(xhci, "Event ring:\n");
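Review bot: removing the DYING/HALTED check means `xhci_urb_dequeue()` will proceed to the stop-endpoint path on a halted or removed host; the message says the 0xffffffff PCI read and halted checks elsewhere still guard this, but none of them are visible in this hunk, so a pointer in the [bwh] note to where they sit in 3.2 would help confirm the backport is safe.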

Ben Hutchings
Mar 10, 2017, 7:50:10 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <sock...@hartkopp.net>

commit a06393ed03167771246c4c43192d9c264bc48412 upstream.

When removing a bcm tx operation either a hrtimer or a tasklet might run.
As the hrtimer triggers its associated tasklet and vice versa we need to
take care to mutually terminate both handlers.

Reported-by: Michael Josenhans <michael....@web.de>
Signed-off-by: Oliver Hartkopp <sock...@hartkopp.net>
Tested-by: Michael Josenhans <michael....@web.de>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/can/bcm.c | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)

--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -702,14 +702,23 @@ static struct bcm_op *bcm_find_op(struct

static void bcm_remove_op(struct bcm_op *op)
{
- hrtimer_cancel(&op->timer);
- hrtimer_cancel(&op->thrtimer);
+ if (op->tsklet.func) {
+ while (test_bit(TASKLET_STATE_SCHED, &op->tsklet.state) ||
+ test_bit(TASKLET_STATE_RUN, &op->tsklet.state) ||
+ hrtimer_active(&op->timer)) {
+ hrtimer_cancel(&op->timer);
+ tasklet_kill(&op->tsklet);
+ }
+ }

- if (op->tsklet.func)
- tasklet_kill(&op->tsklet);
-
- if (op->thrtsklet.func)
- tasklet_kill(&op->thrtsklet);
+ if (op->thrtsklet.func) {
+ while (test_bit(TASKLET_STATE_SCHED, &op->thrtsklet.state) ||
+ test_bit(TASKLET_STATE_RUN, &op->thrtsklet.state) ||
+ hrtimer_active(&op->thrtimer)) {
+ hrtimer_cancel(&op->thrtimer);
+ tasklet_kill(&op->thrtsklet);
+ }
+ }

if ((op->frames) && (op->frames != &op->sframe))
kfree(op->frames);
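Review bot: the `while` loops terminate only once neither the tasklet is scheduled or running nor the hrtimer is active, which is the intended mutual termination, but they are unbounded: since each handler re-arms the other, termination presumably relies on the op already having been unlinked so that the chain eventually stops. A comment stating that precondition on `bcm_remove_op()` would help. The pattern is duplicated for `timer`/`tsklet` and `thrtimer`/`thrtsklet`; a small helper taking the timer and tasklet pointers would avoid the repetition.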

Ben Hutchings
Mar 10, 2017, 7:50:11 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <her...@gondor.apana.org.au>

commit 57ea52a865144aedbcd619ee0081155e658b6f7d upstream.

The GRO fast path caches the frag0 address. This address becomes
invalid if frag0 is modified by pskb_may_pull or its variants.
So whenever that happens we must disable the frag0 optimization.

This is usually done through the combination of gro_header_hard
and gro_header_slow, however, the IPv6 extension header path did
the pulling directly and would continue to use the GRO fast path
incorrectly.

This patch fixes it by disabling the fast path when we enter the
IPv6 extension header path.

Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address")
Reported-by: Slava Shwartsman <sla...@mellanox.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edum...@google.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
include/linux/netdevice.h | 9 +++++++--
net/ipv6/af_inet6.c | 1 +
2 files changed, 8 insertions(+), 2 deletions(-)

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1676,14 +1676,19 @@ static inline int skb_gro_header_hard(st
return NAPI_GRO_CB(skb)->frag0_len < hlen;
}

+static inline void skb_gro_frag0_invalidate(struct sk_buff *skb)
+{
+ NAPI_GRO_CB(skb)->frag0 = NULL;
+ NAPI_GRO_CB(skb)->frag0_len = 0;
+}
+
static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
unsigned int offset)
{
if (!pskb_may_pull(skb, hlen))
return NULL;

- NAPI_GRO_CB(skb)->frag0 = NULL;
- NAPI_GRO_CB(skb)->frag0_len = 0;
+ skb_gro_frag0_invalidate(skb);
return skb->data + offset;
}
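Review bot: skb_gro_frag0_invalidate() has no comment stating the invariant it exists for, namely that the cached frag0 pointer must be dropped whenever skb->data is advanced by a pull that does not go through skb_gro_header_slow(). This header is where the next direct caller of pskb_may_pull()/__pskb_pull() in a GRO receive path will look, so a one-line comment above the helper ("call after any pull that bypasses skb_gro_header_slow()") makes the rule discoverable. Zeroing frag0_len is what forces skb_gro_header_hard() true for any hlen > 0, so the two assignments belong together as written.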

--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -879,6 +879,7 @@ static struct sk_buff **ipv6_gro_receive
ops = rcu_dereference(inet6_protos[proto]);
if (!ops || !ops->gro_receive) {
__pskb_pull(skb, skb_gro_offset(skb));
+ skb_gro_frag0_invalidate(skb);
proto = ipv6_gso_pull_exthdrs(skb, proto);
skb_gro_pull(skb, -skb_transport_offset(skb));
skb_reset_transport_header(skb);
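Review bot: the invalidate is correctly placed after __pskb_pull() and before ipv6_gso_pull_exthdrs(), which pulls without going through skb_gro_header_slow(). Worth confirming in the same review that the skb_gro_pull() two lines below does not read NAPI_GRO_CB(skb)->frag0 again; nothing in this hunk does, but any other receive path that pulls directly needs the same call, and a short comment here saying why the invalidate is needed would help whoever audits those.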

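The failure mode described in the commit message (a header pointer cached in the GRO control block surviving a pull that moved the bytes it pointed at) is easier to see in a small user-space model. The following is an added example, not code from the kernel or from this patch: struct model_skb, struct model_gro_cb, the FRAG_POISON pattern and the sample packet bytes are assumptions made for illustration; only the frag0/frag0_len fields and the hard/slow/invalidate helpers mirror the real ones.

```c
/* Added example, not kernel code: a user-space model of the GRO frag0 cache
 * and of why a pull that bypasses skb_gro_header_slow() must invalidate it.
 * Assumptions for illustration: struct model_skb, struct model_gro_cb, the
 * FRAG_POISON pattern and the sample packet bytes. Only the frag0/frag0_len
 * fields and the hard/slow/invalidate helpers mirror the patch. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAG_POISON 0x6b  /* written over fragment bytes once they have moved */

/* A packet with a linear area and one fragment; GRO parses headers straight
 * out of the fragment through the cached frag0 pointer to avoid copying. */
struct model_skb {
	uint8_t linear[64];
	size_t linear_len;
	uint8_t frag[64];
	size_t frag_len;
};

struct model_gro_cb {
	const uint8_t *frag0;   /* cached address of the fragment's first byte */
	size_t frag0_len;       /* how many bytes that cache covers */
};

static void gro_cb_init(struct model_gro_cb *cb, const struct model_skb *skb)
{
	cb->frag0 = skb->frag_len ? skb->frag : NULL;
	cb->frag0_len = skb->frag_len;
}

/* Mirrors skb_gro_header_hard(): the fast path is unusable once the cache
 * cannot cover hlen bytes; setting frag0_len to 0 therefore disables it. */
static int gro_header_hard(const struct model_gro_cb *cb, size_t hlen)
{
	return cb->frag0_len < hlen;
}

/* Mirrors skb_gro_frag0_invalidate() from the patch. */
static void gro_frag0_invalidate(struct model_gro_cb *cb)
{
	cb->frag0 = NULL;
	cb->frag0_len = 0;
}

/* Model of pskb_may_pull(): make the first hlen bytes linear by moving them
 * out of the fragment. The vacated fragment bytes are poisoned so that a
 * read through a stale frag0 is visible; real memory would just be reused. */
static int model_pskb_may_pull(struct model_skb *skb, size_t hlen)
{
	size_t need;

	if (hlen <= skb->linear_len)
		return 1;
	if (hlen > sizeof skb->linear)
		return 0;
	need = hlen - skb->linear_len;
	if (need > skb->frag_len)
		return 0;
	memcpy(skb->linear + skb->linear_len, skb->frag, need);
	memmove(skb->frag, skb->frag + need, skb->frag_len - need);
	memset(skb->frag + (skb->frag_len - need), FRAG_POISON, need);
	skb->linear_len = hlen;
	skb->frag_len -= need;
	return 1;
}

/* Header access the way GRO does it: fast path via frag0 while the cache is
 * valid, otherwise the slow path, which pulls and invalidates (this is the
 * skb_gro_header_hard()/skb_gro_header_slow() pair). */
static const uint8_t *gro_header(struct model_gro_cb *cb, struct model_skb *skb,
				 size_t hlen)
{
	if (!gro_header_hard(cb, hlen))
		return cb->frag0;
	if (!model_pskb_may_pull(skb, hlen))
		return NULL;
	gro_frag0_invalidate(cb);
	return skb->linear;
}

/* Reproduces the bug: a direct pull (as the IPv6 extension-header path did)
 * followed by a header read. With invalidate == 0 the fast path hands back
 * the stale fragment; with invalidate == 1 the slow path is taken. Returns
 * the first header byte the caller would parse, or -1 on failure. */
static int first_header_byte_after_direct_pull(int invalidate)
{
	/* Constructed sample: an 8-byte header living entirely in the fragment,
	 * first byte 0x60 as for an IPv6 version nibble. */
	static const uint8_t sample[8] = { 0x60, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
	struct model_skb skb;
	struct model_gro_cb cb;
	const uint8_t *hdr;

	memset(&skb, 0, sizeof skb);
	memcpy(skb.frag, sample, sizeof sample);
	skb.frag_len = sizeof sample;
	gro_cb_init(&cb, &skb);

	if (!model_pskb_may_pull(&skb, sizeof sample))  /* direct pull, no slow path */
		return -1;
	if (invalidate)
		gro_frag0_invalidate(&cb);              /* the fix */

	hdr = gro_header(&cb, &skb, sizeof sample);
	return hdr ? hdr[0] : -1;
}

int main(void)
{
	printf("without invalidate: 0x%02x (stale)\n", first_header_byte_after_direct_pull(0));
	printf("with invalidate:    0x%02x\n", first_header_byte_after_direct_pull(1));
	return 0;
}
```

Without the invalidate the fast path still reports frag0_len == 8, so gro_header() hands back the fragment, which now holds the poison pattern rather than the header; with it, skb_gro_header_hard() fails and the slow path returns the linear copy.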
Ben Hutchings

Mar 10, 2017, 8:00:04 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukáš Lalinský <lu...@oxygene.sk>

commit d9b2997e4a0a874e452df7cdd7de5a54502bd0aa upstream.

Add a quirk for WORLDE easykey.25 MIDI keyboard (idVendor=0218,
idProduct=0401). The device reports that it has config string
descriptor at index 3, but when the system selects the configuration
and tries to get the description, it returns a -EPROTO error,
the communication restarts and this keeps repeating over and over again.
Not requesting the string descriptor makes the device work correctly.

Relevant info from Wireshark:

[...]

CONFIGURATION DESCRIPTOR
bLength: 9
bDescriptorType: 0x02 (CONFIGURATION)
wTotalLength: 101
bNumInterfaces: 2
bConfigurationValue: 1
iConfiguration: 3
Configuration bmAttributes: 0xc0 SELF-POWERED NO REMOTE-WAKEUP
1... .... = Must be 1: Must be 1 for USB 1.1 and higher
.1.. .... = Self-Powered: This device is SELF-POWERED
..0. .... = Remote Wakeup: This device does NOT support remote wakeup
bMaxPower: 50 (100mA)

[...]

45 0.369104 host 2.38.0 USB 64 GET DESCRIPTOR Request STRING

[...]

URB setup
bmRequestType: 0x80
1... .... = Direction: Device-to-host
.00. .... = Type: Standard (0x00)
...0 0000 = Recipient: Device (0x00)
bRequest: GET DESCRIPTOR (6)
Descriptor Index: 0x03
bDescriptorType: 0x03
Language Id: English (United States) (0x0409)
wLength: 255

46 0.369255 2.38.0 host USB 64 GET DESCRIPTOR Response STRING[Malformed Packet]

[...]

Frame 46: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
USB URB
[Source: 2.38.0]
[Destination: host]
URB id: 0xffff88021f62d480
URB type: URB_COMPLETE ('C')
URB transfer type: URB_CONTROL (0x02)
Endpoint: 0x80, Direction: IN
Device: 38
URB bus id: 2
Device setup request: not relevant ('-')
Data: present (0)
URB sec: 1484896277
URB usec: 455031
URB status: Protocol error (-EPROTO) (-71)
URB length [bytes]: 0
Data length [bytes]: 0
[Request in: 45]
[Time from request: 0.000151000 seconds]
Unused Setup Header
Interval: 0
Start frame: 0
Copy of Transfer Flags: 0x00000200
Number of ISO descriptors: 0
[Malformed Packet: USB]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]

Signed-off-by: Lukáš Lalinský <lu...@oxygene.sk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -36,6 +36,10 @@ static const struct usb_device_id usb_qu
/* CBM - Flash disk */
{ USB_DEVICE(0x0204, 0x6025), .driver_info = USB_QUIRK_RESET_RESUME },

+ /* WORLDE easy key (easykey.25) MIDI controller */
+ { USB_DEVICE(0x0218, 0x0401), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
/* HP 5300/5370C scanner */
{ USB_DEVICE(0x03f0, 0x0701), .driver_info =
USB_QUIRK_STRING_FETCH_255 },
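Review bot: the table comment reads "WORLDE easy key (easykey.25)" while the commit message names the product "easykey.25"; keep the spelling consistent with the commit message so the entry can be found by grep. The entry sits in ascending vendor-ID order between 0x0204 and 0x03f0, which is correct for this table, and USB_QUIRK_CONFIG_INTF_STRINGS matches the symptom described (the configuration string at index 3 is the request that fails).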

Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

commit 7926aff5c57b577ab0f43364ff0c59d968f6a414 upstream.

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
Signed-off-by: David S. Miller <da...@davemloft.net>
---
drivers/net/usb/rtl8150.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)

--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -178,16 +178,36 @@ static const char driver_name [] = "rtl8
*/
static int get_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
{
- return usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
- RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
- indx, 0, data, size, 500);
+ void *buf;
+ int ret;
+
+ buf = kmalloc(size, GFP_NOIO);
+ if (!buf)
+ return -ENOMEM;
+
+ ret = usb_control_msg(dev->udev, usb_rcvctrlpipe(dev->udev, 0),
+ RTL8150_REQ_GET_REGS, RTL8150_REQT_READ,
+ indx, 0, buf, size, 500);
+ if (ret > 0 && ret <= size)
+ memcpy(data, buf, ret);
+ kfree(buf);
+ return ret;
}

-static int set_registers(rtl8150_t * dev, u16 indx, u16 size, void *data)
+static int set_registers(rtl8150_t * dev, u16 indx, u16 size, const void *data)
{
- return usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
- RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
- indx, 0, data, size, 500);
+ void *buf;
+ int ret;
+
+ buf = kmemdup(data, size, GFP_NOIO);
+ if (!buf)
+ return -ENOMEM;
+
+ ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0),
+ RTL8150_REQ_SET_REGS, RTL8150_REQT_WRITE,
+ indx, 0, buf, size, 500);
+ kfree(buf);
+ return ret;
}

static void ctrl_callback(struct urb *urb)
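Review bot: in get_registers(), `if (ret > 0 && ret <= size) memcpy(data, buf, ret);` means a short control transfer (0 < ret < size) leaves the tail of the caller's `data` untouched while still returning a positive value; a caller that only tests for `ret < 0` then consumes whatever was in `data` before the call. Either make callers check `ret != size`, turn a short read into an error here (e.g. return -EIO when ret != size), or at least document the contract in a comment above the function. The kmalloc()/kmemdup() with GFP_NOIO and the kfree() on every path look right, and set_registers() taking `const void *` is a welcome tightening.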

Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave....@arm.com>

commit 99dfe80a2a246c600440a815741fd2e74a8b4977 upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.

Fixes: c6e6771b87d4 ("powerpc: Introduce VSX thread_struct and CONFIG_VSX")
Signed-off-by: Dave Martin <Dave....@arm.com>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>
[bwh: Backported to 3.2:
- fpscr and fpr are direct members of struct thread_struct
- Use memcpy() for fpscr, like the reverse copy below, to avoid type error
- Adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/powerpc/kernel/ptrace.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/arch/powerpc/kernel/ptrace.c
+++ b/arch/powerpc/kernel/ptrace.c
@@ -359,6 +359,10 @@ static int fpr_set(struct task_struct *t
flush_fp_to_thread(target);

#ifdef CONFIG_VSX
+ for (i = 0; i < 32 ; i++)
+ buf[i] = target->thread.TS_FPR(i);
+ memcpy(&buf[32], &target->thread.fpscr, sizeof(double));
+
/* copy to local buffer then write that out */
i = user_regset_copyin(&pos, &count, &kbuf, &ubuf, buf, 0, -1);
if (i)
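Review bot: pre-filling buf[0..31] and the fpscr slot before user_regset_copyin() is what makes a short PTRACE_SETREGSET preserve the registers it does not cover, because the copy-back loop below the hunk writes the whole buffer into the thread; without the pre-fill the trailing entries were uninitialized stack. The three added lines read like a stray copy-out, so a comment such as "preserve registers not covered by a partial write" would make the purpose obvious. The memcpy() of sizeof(double) for fpscr mirrors the copy-out below, as the backport note says.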
@@ -501,6 +505,9 @@ static int vsr_set(struct task_struct *t

flush_vsx_to_thread(target);

+ for (i = 0; i < 32 ; i++)
+ buf[i] = target->thread.fpr[i][TS_VSRLOWOFFSET];
+
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
buf, 0, 32 * sizeof(double));
for (i = 0; i < 32 ; i++)
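Review bot: same pre-fill pattern as fpr_set(); the copyin is bounded to 32 * sizeof(double), so only the 32 VSR low halves can be written and the pre-fill covers exactly that range, which is consistent. A matching comment at both sites (or a shared helper) would keep them from drifting apart.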

Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thorsten Horstmann <thor...@defutech.de>

commit da7061c82e4a1bc6a5e134ef362c86261906c860 upstream.

The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
return value in mesh_add_vendor_ies must therefore be checked against
ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
WLAN_EID_VENDOR_SPECIFIC will be rejected.

Fixes: 082ebb0c258d ("mac80211: fix mesh beacon format")
Signed-off-by: Thorsten Horstmann <thor...@defutech.de>
Signed-off-by: Mathias Kretschmer <mathias.k...@fit.fraunhofer.de>
Signed-off-by: Simon Wunderlich <s...@simonwunderlich.de>
[sv...@narfation.org: Add commit message]
Signed-off-by: Sven Eckelmann <sv...@narfation.org>
Signed-off-by: Johannes Berg <johann...@intel.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/mac80211/mesh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -280,7 +280,7 @@ mesh_add_vendor_ies(struct sk_buff *skb,
/* fast-forward to vendor IEs */
offset = ieee80211_ie_split_vendor(ifmsh->ie, ifmsh->ie_len, 0);

- if (offset) {
+ if (offset < ifmsh->ie_len) {
len = ifmsh->ie_len - offset;
data = ifmsh->ie + offset;
if (skb_tailroom(skb) < len)
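Review bot: `offset < ifmsh->ie_len` is the right test given that ieee80211_ie_split_vendor() returns ielen for "no vendor IE found", and it has a second benefit the commit message does not mention: `len = ifmsh->ie_len - offset` is now guaranteed non-negative by the check rather than by convention. A short comment at the call site stating the return contract (offset of the first vendor IE, or ie_len when there is none; 0 is a valid result) would stop the `if (offset)` idiom from coming back.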

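The contract the commit message describes for ieee80211_ie_split_vendor() (an offset, never an error, with 0 meaning "the vendor IE is first") is the whole bug. The following is an added example, not mac80211 code: a user-space IE walker with the same contract, the pre-fix and post-fix tests side by side, and constructed IE buffers, all assumptions made for illustration. WLAN_EID_VENDOR_SPECIFIC (221) is the real element ID.

```c
/* Added example, not mac80211 code: a user-space model of the IE split the
 * mesh fix depends on. WLAN_EID_VENDOR_SPECIFIC (221) is the real element
 * ID; ie_split_vendor(), the has_vendor_ies_*() helpers and the sample IE
 * buffers are assumptions for illustration and mirror only the contract
 * the commit message states: the split returns an offset, never an error. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WLAN_EID_VENDOR_SPECIFIC 221

/* Walk the id/len/value elements in [ies, ies + ielen) from `offset` and
 * return the offset of the first vendor-specific element, or ielen when
 * there is none or the list is truncated. Note that 0 is a valid answer. */
static size_t ie_split_vendor(const uint8_t *ies, size_t ielen, size_t offset)
{
	while (offset + 2 <= ielen) {
		uint8_t id = ies[offset];
		size_t len = ies[offset + 1];

		if (len > ielen - offset - 2)   /* element overruns buffer */
			return ielen;
		if (id == WLAN_EID_VENDOR_SPECIFIC)
			return offset;
		offset += 2 + len;
	}
	return ielen;
}

/* Pre-fix test from mesh_add_vendor_ies(): treats offset 0 as "not found",
 * so a vendor IE at the head of the buffer is dropped, and "no vendor IE"
 * (offset == ielen) is taken as found. */
static int has_vendor_ies_buggy(const uint8_t *ies, size_t ielen)
{
	return ie_split_vendor(ies, ielen, 0) != 0;
}

/* Fixed test: compare against ielen, the documented "not found" value. */
static int has_vendor_ies_fixed(const uint8_t *ies, size_t ielen)
{
	return ie_split_vendor(ies, ielen, 0) < ielen;
}

/* Bytes that would be appended to the beacon: everything from the first
 * vendor IE to the end, or 0 when the check says there is nothing. */
static size_t vendor_ies_len(const uint8_t *ies, size_t ielen, int fixed)
{
	size_t offset = ie_split_vendor(ies, ielen, 0);
	int found = fixed ? offset < ielen : offset != 0;

	return found ? ielen - offset : 0;
}

/* Constructed samples (0xdd == 221; the vendor payload is an OUI + type). */
static const uint8_t ies_ssid_then_vendor[] = {
	0x00, 0x02, 'a', 'b',                  /* SSID "ab" */
	0xdd, 0x04, 0x00, 0x50, 0xf2, 0x01,    /* vendor IE */
};
static const uint8_t ies_vendor_first[] = {
	0xdd, 0x04, 0x00, 0x50, 0xf2, 0x01,
	0x00, 0x02, 'a', 'b',
};
static const uint8_t ies_no_vendor[] = {
	0x00, 0x02, 'a', 'b',
};
static const uint8_t ies_truncated_vendor[] = {
	0xdd, 0x10, 0x00, 0x50,                /* claims 16 bytes, has 2 */
};

int main(void)
{
	printf("vendor first: buggy=%d fixed=%d\n",
	       has_vendor_ies_buggy(ies_vendor_first, sizeof ies_vendor_first),
	       has_vendor_ies_fixed(ies_vendor_first, sizeof ies_vendor_first));
	printf("no vendor:    buggy=%d fixed=%d\n",
	       has_vendor_ies_buggy(ies_no_vendor, sizeof ies_no_vendor),
	       has_vendor_ies_fixed(ies_no_vendor, sizeof ies_no_vendor));
	return 0;
}
```

The buggy test is wrong in both directions: it drops a vendor IE that happens to be first, and it reports "found" for a buffer with no vendor IE at all (the split returns ielen, which is non-zero). The walker also stops at a truncated element instead of trusting the length byte, which is the check any IE parser fed from configuration or the air needs.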
Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Josef Bacik <jba...@fb.com>

commit d61b7f972dab2a7d187c38254845546dfc8eed85 upstream.

A user noticed that write performance was horrible over loopback and we
traced it to an inversion of when we need to set MSG_MORE. It should be
set when we have more bvec's to send, not when we are on the last bvec.
This patch made the test go from 20 iops to 78k iops.

Signed-off-by: Josef Bacik <jba...@fb.com>
Fixes: 429a787be679 ("nbd: fix use-after-free of rq/bio in the xmit path")
Signed-off-by: Jens Axboe <ax...@fb.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/block/nbd.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -232,7 +232,7 @@ static inline int sock_send_bvec(struct
/* always call with the tx_lock held */
static int nbd_send_req(struct nbd_device *lo, struct request *req)
{
- int result, flags;
+ int result;
struct nbd_request request;
unsigned long size = blk_rq_bytes(req);
struct bio *bio;
@@ -259,7 +259,6 @@ static int nbd_send_req(struct nbd_devic
if (nbd_cmd(req) != NBD_CMD_WRITE)
return 0;

- flags = 0;
bio = req->bio;
while (bio) {
struct bio *next = bio->bi_next;
@@ -268,9 +267,8 @@ static int nbd_send_req(struct nbd_devic

bio_for_each_segment(bvec, bio, i) {
bool is_last = !next && i == bio->bi_vcnt - 1;
+ int flags = is_last ? 0 : MSG_MORE;

- if (is_last)
- flags = MSG_MORE;
dprintk(DBG_TX, "%s: request %p: sending %d bytes data\n",
lo->disk->disk_name, req, bvec->bv_len);
result = sock_send_bvec(lo, bvec, flags);
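Review bot: `int flags = is_last ? 0 : MSG_MORE;` is the whole fix; the old code set MSG_MORE only on the last bvec, which is exactly inverted. Because `flags` is now per-segment, removing the function-scope `flags` and its `flags = 0` reset in the two hunks above is required rather than cosmetic, and the value is no longer carried across bios. A one-line comment that MSG_MORE tells the socket not to push until the final segment of the request would explain the 20 to 78k iops figure to the next reader.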

Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 76ab439ed1b68778e9059c79ecc5d14de76c89a8 upstream.

Fix NULL-pointer dereference in open() should a type-0 or type-1 device
lack the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at pl2303_open+0x38/0xec [pl2303]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/pl2303.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -185,10 +185,18 @@ static int pl2303_vendor_write(__u16 val
static int pl2303_startup(struct usb_serial *serial)
{
struct pl2303_private *priv;
+ unsigned char num_ports = serial->num_ports;
enum pl2303_type type = type_0;
unsigned char *buf;
int i;

+ if (serial->num_bulk_in < num_ports ||
+ serial->num_bulk_out < num_ports ||
+ serial->num_interrupt_in < num_ports) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }
+
buf = kmalloc(10, GFP_KERNEL);
if (buf == NULL)
return -ENOMEM;
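Review bot: the endpoint check sits before the kmalloc(), so the -ENODEV return leaks nothing; good. One behavioural note: the commit message says a missing interrupt-in endpoint already made open() fail, so requiring num_interrupt_in >= num_ports here moves that failure from open() to probe time, which is stricter but preferable since the driver never binds to a malformed device. Comparing against serial->num_ports rather than a literal keeps the check correct if num_ports is ever changed.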

Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <to...@atomide.com>

commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.

When unloading omap2430, we can get the following splat:

WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
Trying to free already-free IRQ 4
...
[<c01a8b78>] (free_irq) from [<bf0aea84>]
(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
[<bf0aea84>] (musbhs_dma_controller_destroy [musb_hdrc]) from
[<bf09f88c>] (musb_remove+0xf0/0x12c [musb_hdrc])
[<bf09f88c>] (musb_remove [musb_hdrc]) from [<c056a384>]
(platform_drv_remove+0x24/0x3c)
...

This is because the irq number in use is 260 nowadays, and the dma
controller is using u8 instead of int.

Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
Signed-off-by: Tony Lindgren <to...@atomide.com>
[b-...@ti.com: added Fixes tag]
Signed-off-by: Bin Liu <b-...@ti.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/musb/musbhsdma.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/musb/musbhsdma.h
+++ b/drivers/usb/musb/musbhsdma.h
@@ -161,5 +161,5 @@ struct musb_dma_controller {
void __iomem *base;
u8 channel_count;
u8 used_channels;
- u8 irq;
+ int irq;
};
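Review bot: widening `irq` to int fixes the truncation (260 does not fit in u8), but the site that assigns controller->irq from the platform resource and the free_irq() in musbhs_dma_controller_destroy() named in the splat are not in the diff; please confirm the assignment takes an int so that no other u8 temporary truncates the value on the way in. The struct layout changes, but the struct is private to the driver.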

Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukasz Odzioba <lukasz....@intel.com>

commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream.

A negative number can be specified in the cmdline which will be used as
setup_clear_cpu_cap() argument. With that we can clear/set some bit in
memory preceding boot_cpu_data/cpu_caps_cleared which may cause the kernel
to misbehave. This patch adds lower bound check to setup_disablecpuid().

Boris Petkov reproduced a crash:

[ 1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
[ 1.236535] IP: memcpy_erms+0x6/0x10

Signed-off-by: Lukasz Odzioba <lukasz....@intel.com>
Acked-by: Borislav Petkov <b...@suse.de>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: andi....@intel.com
Cc: b...@alien8.de
Cc: dave....@linux.intel.com
Cc: lu...@kernel.org
Cc: sla...@gmail.com
Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
Link: http://lkml.kernel.org/r/1482933340-11857-1-git-s...@intel.com
Signed-off-by: Ingo Molnar <mi...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
arch/x86/kernel/cpu/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1012,7 +1012,7 @@ static __init int setup_disablecpuid(cha
{
int bit;

- if (get_option(&arg, &bit) && bit < NCAPINTS*32)
+ if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
setup_clear_cpu_cap(bit);
else
return 0;
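Review bot: `bit >= 0 && bit < NCAPINTS * 32` closes the negative-index path into setup_clear_cpu_cap(); good. The else branch still returns 0 silently for a rejected value, so an operator who mistypes clearcpuid= gets no feedback; a pr_warn() naming the rejected bit in that branch would cost nothing and make the rejection visible at boot. The context shows `bit` is a plain int from get_option(), so the signed comparison is the right form.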

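The mechanism the commit message describes, a signed bit index that is only bounded from above and therefore lands in memory before the bitmap, is easy to make observable outside the kernel. The following is an added example, not kernel code: the guard word, struct cpu_caps, the *_model() and *_after() helpers and the NCAPINTS value used are assumptions made for illustration; only the NCAPINTS * 32 upper bound and the word/bit split (bit >> 5, bit & 31) follow the x86 capability bitmap layout.

```c
/* Added example, not kernel code: a user-space model of the clearcpuid=
 * bound check. NCAPINTS * 32 as the upper bound and the word/bit split
 * (bit >> 5, bit & 31) follow the x86 capability bitmap; struct cpu_caps
 * with its guard word, the *_model() and *_after() helpers and the chosen
 * NCAPINTS value are assumptions for illustration. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NCAPINTS 10
#define GUARD_PATTERN 0xffffffffu

/* raw[0] is a guard word sitting immediately before the capability words
 * raw[1..NCAPINTS], playing the role of "memory preceding boot_cpu_data/
 * cpu_caps_cleared" from the commit message: an accepted negative index
 * lands there, deterministically and without leaving this object. */
struct cpu_caps {
	uint32_t raw[1 + NCAPINTS];
};

static void caps_init(struct cpu_caps *c)
{
	memset(c->raw, 0xff, sizeof c->raw);
}

/* Unchecked clear. For bit < 0, bit >> 5 is an arithmetic shift on every
 * mainstream compiler (implementation-defined in ISO C), giving a negative
 * word index relative to the capability words, i.e. the guard word here. */
static void clear_cap_unchecked(struct cpu_caps *c, int bit)
{
	c->raw[1 + (bit >> 5)] &= ~(1u << (bit & 31));
}

/* Checked clear, the post-fix contract: both bounds enforced. */
static int clear_cap_checked(struct cpu_caps *c, int bit)
{
	if (bit < 0 || bit >= NCAPINTS * 32)
		return -EINVAL;
	clear_cap_unchecked(c, bit);
	return 0;
}

/* Model of setup_disablecpuid(): parse the option value as get_option()
 * would (a signed int) and apply it. With checked == 0 only the old upper
 * bound is enforced. Returns 1 if accepted, 0 if rejected. */
static int setup_disablecpuid_model(struct cpu_caps *c, const char *arg,
				    int checked)
{
	char *end;
	long v;

	errno = 0;
	v = strtol(arg, &end, 0);
	if (end == arg || *end != '\0' || errno == ERANGE ||
	    v < INT_MIN || v > INT_MAX)
		return 0;
	if (checked)
		return clear_cap_checked(c, (int)v) == 0;
	if ((int)v >= NCAPINTS * 32)
		return 0;
	clear_cap_unchecked(c, (int)v);
	return 1;
}

/* Probes: apply one option to a fresh bitmap and report the effect. */
static int option_accepted(const char *arg, int checked)
{
	struct cpu_caps c;

	caps_init(&c);
	return setup_disablecpuid_model(&c, arg, checked);
}

static uint32_t guard_after(const char *arg, int checked)
{
	struct cpu_caps c;

	caps_init(&c);
	setup_disablecpuid_model(&c, arg, checked);
	return c.raw[0];
}

static uint32_t word_after(const char *arg, int checked, int w)
{
	struct cpu_caps c;

	caps_init(&c);
	setup_disablecpuid_model(&c, arg, checked);
	return c.raw[1 + w];
}

int main(void)
{
	printf("clearcpuid=-1, old check: accepted=%d guard=0x%08x\n",
	       option_accepted("-1", 0), guard_after("-1", 0));
	printf("clearcpuid=-1, new check: accepted=%d guard=0x%08x\n",
	       option_accepted("-1", 1), guard_after("-1", 1));
	return 0;
}
```

With only the upper bound, "-1" is accepted and clears bit 31 of the word before the bitmap; "-32" clears bit 0 of that same word. With both bounds the option is rejected and the guard is untouched, while in-range values such as 5 and 319 still land in the expected word and bit.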
Ben Hutchings

Mar 10, 2017, 8:00:05 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.w...@gmail.com>

commit 73d2c6678e6c3af7e7a42b1e78cd0211782ade32 upstream.

Andrey reported a kernel crash:

general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ #124
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880060048040 task.stack: ffff880069be8000
RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
FS: 00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
Call Trace:
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:645
SYSC_sendto+0x660/0x810 net/socket.c:1687
SyS_sendto+0x40/0x50 net/socket.c:1655
entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because we miss a check for NULL pointer for skb_peek() when
the queue is empty. Other places already have the same check.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Andrey Konovalov <andre...@google.com>
Tested-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Cong Wang <xiyou.w...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
net/ipv4/ping.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -452,6 +452,8 @@ static int ping_push_pending_frames(stru
{
struct sk_buff *skb = skb_peek(&sk->sk_write_queue);

+ if (!skb)
+ return 0;
pfh->wcheck = csum_partial((char *)&pfh->icmph,
sizeof(struct icmphdr), pfh->wcheck);
pfh->icmph.checksum = csum_fold(pfh->wcheck);
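Review bot: `if (!skb) return 0;` stops the NULL dereference, but returning success for an empty write queue means the caller carries on as if a frame had been pushed. The commit message says the other call sites use the same check, so this is consistent with them; still, a one-line comment ("nothing queued, nothing to push") would make the intent clear to a reader expecting an error code here.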

Ben Hutchings

Mar 10, 2017, 8:00:06 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <ti...@suse.de>

commit 4842e98f26dd80be3623c4714a244ba52ea096a8 upstream.

When a sequencer queue is created in snd_seq_queue_alloc(), it adds the
new queue element to the public list before referencing it. Thus the
queue might be deleted before the call of snd_seq_queue_use(), and it
results in the use-after-free error, as spotted by syzkaller.

The fix is to reference the queue object at the right time.

Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Takashi Iwai <ti...@suse.de>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
sound/core/seq/seq_queue.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)

--- a/sound/core/seq/seq_queue.c
+++ b/sound/core/seq/seq_queue.c
@@ -183,6 +183,8 @@ void __exit snd_seq_queues_delete(void)
}
}

+static void queue_use(struct snd_seq_queue *queue, int client, int use);
+
/* allocate a new queue -
* return queue index value or negative value for error
*/
@@ -194,11 +196,11 @@ int snd_seq_queue_alloc(int client, int
if (q == NULL)
return -ENOMEM;
q->info_flags = info_flags;
+ queue_use(q, client, 1);
if (queue_list_add(q) < 0) {
queue_delete(q);
return -ENOMEM;
}
- snd_seq_queue_use(q->queue, client, 1); /* use this queue */
return q->queue;
}
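Review bot: queue_use(q, client, 1) now runs before queue_list_add() and without queue->timer_mutex; that is safe only because q is not yet visible to other clients at that point, and that reasoning deserves a comment next to the call. Also, on the queue_list_add() failure path queue_delete(q) is now invoked on a queue that has already been marked used and whose timer may have been opened by queue_use(); please confirm queue_delete() tears that down, since the old code never reached snd_seq_queue_use() in that case.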

@@ -504,19 +506,9 @@ int snd_seq_queue_timer_set_tempo(int qu
return result;
}

-
-/* use or unuse this queue -
- * if it is the first client, starts the timer.
- * if it is not longer used by any clients, stop the timer.
- */
-int snd_seq_queue_use(int queueid, int client, int use)
+/* use or unuse this queue */
+static void queue_use(struct snd_seq_queue *queue, int client, int use)
{
- struct snd_seq_queue *queue;
-
- queue = queueptr(queueid);
- if (queue == NULL)
- return -EINVAL;
- mutex_lock(&queue->timer_mutex);
if (use) {
if (!test_and_set_bit(client, queue->clients_bitmap))
queue->clients++;
@@ -531,6 +523,21 @@ int snd_seq_queue_use(int queueid, int c
} else {
snd_seq_timer_close(queue);
}
+}
+
+/* use or unuse this queue -
+ * if it is the first client, starts the timer.
+ * if it is not longer used by any clients, stop the timer.
+ */
+int snd_seq_queue_use(int queueid, int client, int use)
+{
+ struct snd_seq_queue *queue;
+
+ queue = queueptr(queueid);
+ if (queue == NULL)
+ return -EINVAL;
+ mutex_lock(&queue->timer_mutex);
+ queue_use(queue, client, use);
mutex_unlock(&queue->timer_mutex);
queuefree(queue);
return 0;

Ben Hutchings

Mar 10, 2017, 8:00:06 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mho...@suse.com>

commit 5abf186a30a89d5b9c18a6bf93a2c192c9fd52f6 upstream.

do_generic_file_read() can be told to perform a large request from
userspace. If the system is under OOM and the reading task is the OOM
victim then it has an access to memory reserves and finishing the full
request can lead to the full memory depletion which is dangerous. Make
sure we rather go with a short read and allow the killed task to
terminate.

Link: http://lkml.kernel.org/r/20170201092706...@kernel.org
Signed-off-by: Michal Hocko <mho...@suse.com>
Reviewed-by: Christoph Hellwig <h...@lst.de>
Cc: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Cc: Al Viro <vi...@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
mm/filemap.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1117,6 +1117,11 @@ static void do_generic_file_read(struct

cond_resched();
find_page:
+ if (fatal_signal_pending(current)) {
+ error = -EINTR;
+ goto out;
+ }
+
page = find_get_page(mapping, index);
if (!page) {
page_cache_sync_readahead(mapping,
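Review bot: the fatal_signal_pending() check sets error = -EINTR and jumps to `out`; for the behaviour the commit message promises (a short read rather than a failed one) the `out:` path must return the bytes already copied when some were, and surface -EINTR only when nothing was read. That path is outside the hunk, so please confirm it; otherwise a killed reader that had already consumed part of a large request loses that data to the error return.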

Ben Hutchings

Mar 10, 2017, 8:00:06 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <b...@decadent.org.uk>

Extracted from commit 62bccb8cdb69 ("net-timestamp: Make the clone operation
stand-alone from phy timestamping").

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1117,6 +1117,7 @@ extern struct sk_buff *sock_rmalloc(str
gfp_t priority);
extern void sock_wfree(struct sk_buff *skb);
extern void sock_rfree(struct sk_buff *skb);
+void sock_efree(struct sk_buff *skb);

extern int sock_setsockopt(struct socket *sock, int level,
int op, char __user *optval,
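Review bot: the new declaration `void sock_efree(struct sk_buff *skb);` omits the `extern` keyword that every neighbouring declaration in this 3.2 header uses; harmless, but keep the file's style and add `extern` so the backport does not stand out from its surroundings.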
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1369,6 +1369,11 @@ void sock_rfree(struct sk_buff *skb)
}
EXPORT_SYMBOL(sock_rfree);

+void sock_efree(struct sk_buff *skb)
+{
+ sock_put(skb->sk);
+}
+EXPORT_SYMBOL(sock_efree);

int sock_i_uid(struct sock *sk)
{
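Review bot: sock_efree() drops a reference with sock_put(skb->sk) and assumes that whoever installed it as skb->destructor first took a reference on skb->sk with sock_hold(); nothing in the function documents that pairing and skb->sk is not checked for NULL. A short comment stating the contract is what a future caller needs, since an skb with this destructor and no matching sock_hold() underflows the socket refcount.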

Ben Hutchings

Mar 10, 2017, 8:00:06 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Ren <zr...@suse.com>

commit e7ee2c089e94067d68475990bdeed211c8852917 upstream.

The crash happens rather often when we reset some cluster nodes while
nodes contend fiercely to do truncate and append.

The crash backtrace is below:

dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover_grant 1 locks on 971 resources
dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover 9 generation 5 done: 4 ms
ocfs2: Begin replay journal (node 318952601, slot 2) on device (253,18)
ocfs2: End replay journal (node 318952601, slot 2) on device (253,18)
ocfs2: Beginning quota recovery on device (253,18) for slot 2
ocfs2: Finishing quota recovery on device (253,18) for slot 2
(truncate,30154,1):ocfs2_truncate_file:470 ERROR: bug expression: le64_to_cpu(fe->i_size) != i_size_read(inode)
(truncate,30154,1):ocfs2_truncate_file:470 ERROR: Inode 290321, inode i_size = 732 != di i_size = 937, i_flags = 0x1
------------[ cut here ]------------
kernel BUG at /usr/src/linux/fs/ocfs2/file.c:470!
invalid opcode: 0000 [#1] SMP
Modules linked in: ocfs2_stack_user(OEN) ocfs2(OEN) ocfs2_nodemanager ocfs2_stackglue(OEN) quota_tree dlm(OEN) configfs fuse sd_mod iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs softdog xfs libcrc32c ppdev parport_pc pcspkr parport joydev virtio_balloon virtio_net i2c_piix4 acpi_cpufreq button processor ext4 crc16 jbd2 mbcache ata_generic cirrus virtio_blk ata_piix drm_kms_helper ahci syscopyarea libahci sysfillrect sysimgblt fb_sys_fops ttm floppy libata drm virtio_pci virtio_ring uhci_hcd virtio ehci_hcd usbcore serio_raw usb_common sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
Supported: No, Unsupported modules are loaded
CPU: 1 PID: 30154 Comm: truncate Tainted: G OE N 4.4.21-69-default #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
task: ffff88004ff6d240 ti: ffff880074e68000 task.ti: ffff880074e68000
RIP: 0010:[<ffffffffa05c8c30>] [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]
RSP: 0018:ffff880074e6bd50 EFLAGS: 00010282
RAX: 0000000000000074 RBX: 000000000000029e RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ffff880074e6bda8 R08: 000000003675dc7a R09: ffffffff82013414
R10: 0000000000034c50 R11: 0000000000000000 R12: ffff88003aab3448
R13: 00000000000002dc R14: 0000000000046e11 R15: 0000000000000020
FS: 00007f839f965700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f839f97e000 CR3: 0000000036723000 CR4: 00000000000006e0
Call Trace:
ocfs2_setattr+0x698/0xa90 [ocfs2]
notify_change+0x1ae/0x380
do_truncate+0x5e/0x90
do_sys_ftruncate.constprop.11+0x108/0x160
entry_SYSCALL_64_fastpath+0x12/0x6d
Code: 24 28 ba d6 01 00 00 48 c7 c6 30 43 62 a0 8b 41 2c 89 44 24 08 48 8b 41 20 48 c7 c1 78 a3 62 a0 48 89 04 24 31 c0 e8 a0 97 f9 ff <0f> 0b 3d 00 fe ff ff 0f 84 ab fd ff ff 83 f8 fc 0f 84 a2 fd ff
RIP [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]

It's because ocfs2_inode_lock() gets us a stale LVB in which the i_size is
not equal to the disk i_size. We mistakenly trust the LVB because the
underlying fsdlm dlm_lock() doesn't set lkb_sbflags with
DLM_SBF_VALNOTVALID properly for us. But, why?

The current code tries to downconvert the lock without the DLM_LKF_VALBLK
flag to tell o2cb not to update the RSB's LVB if it's a PR->NULL conversion,
even if the lock resource type needs an LVB. This is not the right way for
fsdlm.

The fsdlm plugin behaves differently on DLM_LKF_VALBLK, it depends on
DLM_LKF_VALBLK to decide if we care about the LVB in the LKB. If
DLM_LKF_VALBLK is not set, fsdlm will skip recovering RSB's LVB from
this lkb and set the right DLM_SBF_VALNOTVALID appropriately when node
failure happens.

The following diagram briefly illustrates how this crash happens:

RSB1 is inode metadata lock resource with LOCK_TYPE_USES_LVB;

The 1st round:

Node1 Node2
RSB1: PR
RSB1(master): NULL->EX
ocfs2_downconvert_lock(PR->NULL, set_lvb==0)
ocfs2_dlm_lock(no DLM_LKF_VALBLK)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

dlm_lock(no DLM_LKF_VALBLK)
convert_lock(overwrite lkb->lkb_exflags
with no DLM_LKF_VALBLK)

RSB1: NULL RSB1: EX
reset Node2
dlm_recover_rsbs()
recover_lvb()

/* The LVB is not trustable if the node with EX fails and
* no lock >= PR is left. We should set RSB_VALNOTVALID for RSB1.
*/

if(!(kb_exflags & DLM_LKF_VALBLK)) /* This means we miss the chance to
return; * to invalid the LVB here.
*/

The 2nd round:

Node 1 Node2
RSB1(become master from recovery)

ocfs2_setattr()
ocfs2_inode_lock(NULL->EX)
/* dlm_lock() return the stale lvb without setting DLM_SBF_VALNOTVALID */
ocfs2_meta_lvb_is_trustable() return 1 /* so we don't refresh inode from disk */
ocfs2_truncate_file()
mlog_bug_on_msg(disk isize != i_size_read(inode)) /* crash! */

The fix is quite straightforward. We keep setting the DLM_LKF_VALBLK flag
for dlm_lock() if the lock resource type needs an LVB and the fsdlm plugin
is used.

Link: http://lkml.kernel.org/r/1481275846-6604-1-...@suse.com
Signed-off-by: Eric Ren <zr...@suse.com>
Reviewed-by: Joseph Qi <jiang...@gmail.com>
Cc: Mark Fasheh <mfa...@versity.com>
Cc: Joel Becker <jl...@evilplan.org>
Cc: Junxiao Bi <junxi...@oracle.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
fs/ocfs2/dlmglue.c | 10 ++++++++++
fs/ocfs2/stackglue.c | 6 ++++++
fs/ocfs2/stackglue.h | 3 +++
3 files changed, 19 insertions(+)

--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -3270,6 +3270,16 @@ static int ocfs2_downconvert_lock(struct
mlog(ML_BASTS, "lockres %s, level %d => %d\n", lockres->l_name,
lockres->l_level, new_level);

+ /*
+ * On DLM_LKF_VALBLK, fsdlm behaves differently with o2cb. It always
+ * expects DLM_LKF_VALBLK being set if the LKB has LVB, so that
+ * we can recover correctly from node failure. Otherwise, we may get
+ * invalid LVB in LKB, but without DLM_SBF_VALNOTVALID being set.
+ */
+ if (!ocfs2_is_o2cb_active() &&
+ lockres->l_ops->flags & LOCK_TYPE_USES_LVB)
+ lvb = 1;
+
if (lvb)
dlm_flags |= DLM_LKF_VALBLK;
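Review bot: the new comment's first sentence reads "fsdlm behaves differently with o2cb"; it means "differently from o2cb", please reword. Otherwise the override (`lvb = 1` when the active stack is not o2cb and the lock type has LOCK_TYPE_USES_LVB) sits directly before the existing `if (lvb) dlm_flags |= DLM_LKF_VALBLK;`, so o2cb behaviour is unchanged, which matches the commit message.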

--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -48,6 +48,12 @@ static char ocfs2_hb_ctl_path[OCFS2_MAX_
*/
static struct ocfs2_stack_plugin *active_stack;

+inline int ocfs2_is_o2cb_active(void)
+{
+ return !strcmp(active_stack->sp_name, OCFS2_STACK_PLUGIN_O2CB);
+}
+EXPORT_SYMBOL_GPL(ocfs2_is_o2cb_active);
+
static struct ocfs2_stack_plugin *ocfs2_stack_lookup(const char *name)
{
struct ocfs2_stack_plugin *p;
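Review bot: `inline int ocfs2_is_o2cb_active(void)` is an externally visible, EXPORT_SYMBOL_GPL'd function; the `inline` qualifier does nothing for callers in other translation units and reads as a mistake, so drop it. Separately, the function dereferences active_stack without a NULL check; its only caller, ocfs2_downconvert_lock(), runs with a stack attached, but a comment saying so (or a WARN_ON(!active_stack)) would protect against a later caller that runs before the stack is set.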
--- a/fs/ocfs2/stackglue.h
+++ b/fs/ocfs2/stackglue.h
@@ -289,4 +289,7 @@ void ocfs2_stack_glue_set_max_proto_vers
int ocfs2_stack_glue_register(struct ocfs2_stack_plugin *plugin);
void ocfs2_stack_glue_unregister(struct ocfs2_stack_plugin *plugin);

+/* In ocfs2_downconvert_lock(), we need to know which stack we are using */
+int ocfs2_is_o2cb_active(void);
+
#endif /* STACKGLUE_H */

Ben Hutchings

Mar 10, 2017, 8:00:06 AM3/10/17
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fai...@gmail.com>

commit e6afb1ad88feddf2347ea779cfaf4d03d3cd40b6 upstream.

Commit beb0babfb77e ("korina: disable napi on close and restart")
introduced calls to napi_disable() that were missing before,
unfortunately this leaves a small window during which NAPI has a chance
to run, yet we just freed resources since korina_free_ring() has been
called:

Fix this by disabling NAPI first then freeing resource, and make sure
that we also cancel the restart task before doing the resource freeing.

Fixes: beb0babfb77e ("korina: disable napi on close and restart")
Reported-by: Alexandros C. Couloumbis <al...@ozo.com>
Signed-off-by: Florian Fainelli <f.fai...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/net/ethernet/korina.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/korina.c
+++ b/drivers/net/ethernet/korina.c
@@ -906,10 +906,10 @@ static void korina_restart_task(struct w
DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR,
&lp->rx_dma_regs->dmasm);

- korina_free_ring(dev);
-
napi_disable(&lp->napi);

+ korina_free_ring(dev);
+
if (korina_init(dev) < 0) {
printk(KERN_ERR "%s: cannot restart device\n", dev->name);
return;
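Review bot: napi_disable() before korina_free_ring() here matches the close path below, but unlike korina_close() there is no cancel_work_sync(), which is correct because this function is the work item itself; a one-line comment noting that asymmetry would keep someone from "fixing" it later and deadlocking the restart task on itself.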
@@ -1070,12 +1070,12 @@ static int korina_close(struct net_devic
tmp = tmp | DMA_STAT_DONE | DMA_STAT_HALT | DMA_STAT_ERR;
writel(tmp, &lp->rx_dma_regs->dmasm);

- korina_free_ring(dev);
-
napi_disable(&lp->napi);

cancel_work_sync(&lp->restart_task);

+ korina_free_ring(dev);
+
free_irq(lp->rx_irq, dev);
free_irq(lp->tx_irq, dev);
free_irq(lp->ovr_irq, dev);
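Review bot: moving cancel_work_sync() ahead of korina_free_ring() closes the second half of the race from the commit message; the remaining ordering question is that the three free_irq() calls still follow korina_free_ring(), so the interrupt handlers stay registered while the rings are gone. That is harmless if the handlers only read DMA status and call napi_schedule(), which the napi_disable() above turns into a no-op, and the dmasm writes at the top of the hunk mask the sources anyway, but releasing the IRQs before the rings would remove the need to reason about it at all.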

Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.

When checking a new device's descriptors, the USB core does not check
for duplicate endpoint addresses. This can cause a problem when the
sysfs files for those endpoints are created; trying to create multiple
files with the same name will provoke a WARNING:

WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
sysfs: cannot create duplicate filename
'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
Kernel panic - not syncing: panic_on_warn set ...

CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
[<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
[<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
[<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
[<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
[<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
[< inline >] create_dir lib/kobject.c:71
[<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
[< inline >] kobject_add_varg lib/kobject.c:366
[<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
[<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
[<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
[<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
[<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
[<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
[<ffffffff82cc9e2e>] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
[<ffffffff82caa7fa>] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263

This patch prevents the problem by checking for duplicate endpoint
addresses during enumeration and skipping any duplicates.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andre...@google.com>
Tested-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/core/config.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -207,6 +207,16 @@ static int usb_parse_endpoint(struct dev
if (ifp->desc.bNumEndpoints >= num_ep)
goto skip_to_next_endpoint_or_interface_descriptor;

+ /* Check for duplicate endpoint addresses */
+ for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+ if (ifp->endpoint[i].desc.bEndpointAddress ==
+ d->bEndpointAddress) {
+ dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+ cfgno, inum, asnum, d->bEndpointAddress);
+ goto skip_to_next_endpoint_or_interface_descriptor;
+ }
+ }
+
endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
++ifp->desc.bNumEndpoints;
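Review bot: the loop index i is used but not declared in this hunk, and the diffstat shows only these ten lines added, so it must reuse a local already present in usb_parse_endpoint(); confirm that local is not live across this block, or give the loop its own variable. The comparison on the full bEndpointAddress (direction bit included) is correct, so 0x05 and 0x85 stay distinct, and ifp->desc.bNumEndpoints is the running count of accepted endpoints rather than the descriptor's own field, which is why incrementing it only after the check keeps the loop bound right. One behavioural point worth a sentence in the commit message: the first descriptor for an address wins and later ones are dropped with only the dev_warn() as a trace, so a device whose driver expects the later one will enumerate and then misbehave rather than fail to bind.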

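The duplicate-address check in the patch above, as an added example that is not part of the patch or of the kernel: a userspace C parser over a constructed USB configuration descriptor blob that applies, per interface altsetting, both the existing bNumEndpoints cap and the new duplicate check, so the effect on a device that advertises the same bEndpointAddress twice can be seen without a dummy_hcd gadget. struct iface, parse_config(), sample_cfg and sample_accepted() are this example's own names, and the descriptor bytes are constructed.

```c
/*
 * Added example, not kernel code: a userspace walk over a USB configuration
 * descriptor blob applying, per interface altsetting, the two rules the
 * patched usb_parse_endpoint() applies: accept no more endpoints than
 * bNumEndpoints declares, and skip any endpoint whose bEndpointAddress was
 * already accepted. The bytes in sample_cfg are constructed for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05
#define MAX_EPS          30	/* 15 IN + 15 OUT is the USB maximum per interface */

struct iface {
	uint8_t inum, asnum, declared;	/* bInterfaceNumber, bAlternateSetting, bNumEndpoints */
	uint8_t num_eps;		/* endpoints actually accepted */
	uint8_t ep_addr[MAX_EPS];	/* accepted bEndpointAddress values */
	unsigned skipped_dup;		/* dropped: address already present */
	unsigned skipped_excess;	/* dropped: beyond the declared count */
};

/* Parse buf[0..len). Returns the number of interfaces seen, or -1 when a
 * bLength overruns the buffer, a descriptor is too short for its type, or an
 * endpoint appears before any interface. Other descriptor types are skipped. */
static int parse_config(const uint8_t *buf, size_t len,
			struct iface *out, int max_ifaces)
{
	struct iface *cur = NULL;
	size_t off = 0;
	int nif = 0;

	while (off + 2 <= len) {
		uint8_t blen = buf[off], btype = buf[off + 1];

		if (blen < 2 || off + blen > len)
			return -1;	/* bLength lies about the descriptor size */
		if (btype == USB_DT_INTERFACE) {
			if (blen < 9 || nif >= max_ifaces)
				return -1;
			cur = &out[nif++];
			memset(cur, 0, sizeof(*cur));
			cur->inum = buf[off + 2];
			cur->asnum = buf[off + 3];
			cur->declared = buf[off + 4];
		} else if (btype == USB_DT_ENDPOINT) {
			uint8_t addr;
			int i, dup = 0;

			if (blen < 7 || !cur)
				return -1;
			addr = buf[off + 2];
			if (cur->num_eps >= cur->declared) {
				cur->skipped_excess++;	/* existing rule: honour bNumEndpoints */
			} else {
				/* the patch's rule: full address, direction bit included */
				for (i = 0; i < cur->num_eps; i++)
					if (cur->ep_addr[i] == addr)
						dup = 1;
				if (dup)
					cur->skipped_dup++;
				else
					cur->ep_addr[cur->num_eps++] = addr;
			}
		}
		off += blen;
	}
	return nif;
}

/* Constructed blob: config header, one interface declaring three endpoints,
 * then five endpoint descriptors. 0x05 OUT and 0x85 IN are distinct; the
 * second 0x05 is a duplicate; 0x02 fills the third slot; 0x83 is then one
 * more than bNumEndpoints allows. */
static const uint8_t sample_cfg[] = {
	0x09, 0x02, 0x35, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,	/* config, wTotalLength 53 */
	0x09, 0x04, 0x00, 0x00, 0x03, 0xff, 0x00, 0x00, 0x00,	/* interface 0 alt 0, 3 eps */
	0x07, 0x05, 0x05, 0x02, 0x40, 0x00, 0x00,		/* EP 0x05 bulk OUT */
	0x07, 0x05, 0x85, 0x02, 0x40, 0x00, 0x00,		/* EP 0x85 bulk IN */
	0x07, 0x05, 0x05, 0x02, 0x40, 0x00, 0x00,		/* EP 0x05 again: duplicate */
	0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,		/* EP 0x02 bulk OUT */
	0x07, 0x05, 0x83, 0x02, 0x40, 0x00, 0x00,		/* EP 0x83: over the declared count */
};

/* Parse sample_cfg; returns the accepted endpoint count (or -1 on parse
 * failure) and writes the two drop counters through the optional pointers. */
static int sample_accepted(unsigned *dup, unsigned *excess)
{
	struct iface ifs[2];

	if (parse_config(sample_cfg, sizeof(sample_cfg), ifs, 2) != 1)
		return -1;
	if (dup)
		*dup = ifs[0].skipped_dup;
	if (excess)
		*excess = ifs[0].skipped_excess;
	return ifs[0].num_eps;
}
```

sample_accepted() returns 3 for the constructed blob: 0x05 and 0x85 are kept as distinct endpoints because the direction bit is part of the address, the repeated 0x05 is dropped, and the fifth descriptor is refused by the count rule. Like the kernel, this parser keeps the first descriptor for an address; a device whose driver expects the later one will attach and then misbehave, which is the trade-off "skipping" in the commit message implies.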
Ben Hutchings
Mar 10, 2017, 8:00:07 AM
3.2.87-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit cc0909248258f679c4bb4cd315565d40abaf6bc6 up