[PATCH 3.16 017/233] USB: serial: ftdi_sio: fix setting latency for unprivileged users

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Anthony Mallet <anthony...@laas.fr>

commit bb246681b3ed0967489a7401ad528c1aaa1a4c2e upstream.

Commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
flag") enables unprivileged users to set the FTDI latency timer,
but there was a logic flaw that skipped sending the corresponding
USB control message to the device.

Specifically, the device latency timer would not be updated until next
open, something which was later also inadvertently broken by commit
c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port
probe").

A recent commit c6dce2626606 ("USB: serial: ftdi_sio: fix extreme
low-latency setting") disabled the low-latency mode by default so we now
need this fix to allow unprivileged users to again enable it.

Signed-off-by: Anthony Mallet <anthony...@laas.fr>
[johan: amend commit message]
Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
Fixes: c19db4c9e49a ("USB: ftdi_sio: set device latency timeout at port probe").
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
drivers/usb/serial/ftdi_sio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1521,9 +1521,9 @@ static int set_serial_info(struct tty_st
(new_serial.flags & ASYNC_FLAGS));
priv->custom_divisor = new_serial.custom_divisor;

+check_and_exit:
write_latency_timer(port);

-check_and_exit:
if ((old_priv.flags & ASYNC_SPD_MASK) !=
(priv->flags & ASYNC_SPD_MASK)) {
if ((priv->flags & ASYNC_SPD_MASK) == ASYNC_SPD_HI)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit 6f64ec74515925cced6df4571638b5a099a49aae upstream.

Similar to the fix provided by Dominik Heidler in commit
9b3dc0a17d73 ("l2tp: cast l2tp traffic counter to unsigned")
we need to take care of 32bit kernels in dev_get_stats().

When using atomic_long_read(), we add a 'long' to u64 and
might misinterpret high order bit, unless we cast to unsigned.

Fixes: caf586e5f23ce ("net: add a core netdev->rx_dropped counter")
Fixes: 015f0688f57ca ("net: net: add a core netdev->tx_dropped counter")
Fixes: 6e7333d315a76 ("net: add rx_nohandler stat counter")
Signed-off-by: Eric Dumazet <edum...@google.com>
Cc: Jarod Wilson <ja...@redhat.com>
Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.16: only {rx,tx}_dropped are updated here]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6509,8 +6509,8 @@ struct rtnl_link_stats64 *dev_get_stats(
} else {
netdev_stats_to_stats64(storage, &dev->stats);
}
- storage->rx_dropped += atomic_long_read(&dev->rx_dropped);
- storage->tx_dropped += atomic_long_read(&dev->tx_dropped);
+ storage->rx_dropped += (unsigned long)atomic_long_read(&dev->rx_dropped);
+ storage->tx_dropped += (unsigned long)atomic_long_read(&dev->tx_dropped);
return storage;
}
EXPORT_SYMBOL(dev_get_stats);

[Ben Hutchings]

This is the start of the stable review cycle for the 3.16.48 release.
There are 233 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Sep 12 12:00:00 UTC 2017.
Anything received after that time might be too late.

A combined patch relative to 3.16.47 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Adrien Vergé (1):
USB: quirks: Apply ALWAYS_POLL to all ELAN devices
[33bd2dd03dd0bfa1130d11062a9e5f40d0cf1d3f]

Al Viro (5):
excessive checks in ufs_write_failed() and ufs_evict_inode()
[babef37dccbaa49249a22bae9150686815d7be71]
fix ufs_isblockset()
[414cf7186dbec29bd946c138d6b5c09da5955a08]
osf_wait4(): fix infoleak
[a8c39544a6eb2093c04afd5005b6192bd0e880c6]
ufs: restore maintaining ->i_blocks
[eb315d2ae614493fd1ebb026c75a80573d84f7ad]
ufs: set correct ->s_maxsize
[6b0d144fa758869bdd652c50aa41aaf601232550]

Alan Stern (2):
USB: ene_usb6250: fix DMA to the stack
[628c2893d44876ddd11602400c70606ade62e129]
USB: xhci: fix lock-inversion problem
[63aea0dbab90a2461faaae357cbc8cfd6c8de9fe]

Alex Deucher (3):
drm/radeon/ci: disable mclk switching for high refresh rates (v2)
[58d7e3e427db1bd68f33025519a9468140280a75]
drm/radeon: add a PX quirk for another K53TK variant
[4eb59793cca00b0e629b6d55b5abb5acb82c5868]
drm/radeon: add a quirk for Toshiba Satellite L20-183
[acfd6ee4fa7ebeee75511825fe02be3f7ac1d668]

Alex Wood (1):
HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
[f83f90cf7ba68deb09406ea9da80852a64c4db29]

Alexander Sverdlin (1):
dmaengine: ep93xx: Always start from BASE0
[0037ae47812b1f431cc602100d1d51f37d77b61e]

Alexander Tsoy (1):
ALSA: hda - apply STAC_9200_DELL_M22 quirk for Dell Latitude D430
[1fc2e41f7af4572b07190f9dec28396b418e9a36]

Andrew Lunn (1):
net: phy: marvell: Limit errata to 88m1101
[f2899788353c13891412b273fdff5f02d49aa40f]

Andrey Korolyov (1):
USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs
[5f63424ab7daac840df2b12dd5bcc5b38d50f779]

Anthony Mallet (1):
USB: serial: ftdi_sio: fix setting latency for unprivileged users
[bb246681b3ed0967489a7401ad528c1aaa1a4c2e]

Arend van Spriel (1):
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
[8f44c9a41386729fea410e688959ddaa9d51be7c]

Bart Van Assche (1):
target/iscsi: Fix indentation in iscsi_target_start_negotiation()
[1efaa949396b5d9e8d1e6edef7e97e9ce1a97319]

Ben Hutchings (1):
ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
[6e80ac5cc992ab6256c3dae87f7e57db15e1a58c]

Benjamin Peterson (1):
x86/watchdog: Fix Kconfig help text file path reference to lockup watchdog documentation
[c9525a3fab63fbe091007494f8b7a06438eea6a7]

Benjamin Tissoires (3):
HID: add HID_QUIRK_NOGET to Quanta 3003 too
[962b7a0e77015802f0ceefe6f0e3cad3f10fd4f8]
HID: quirks: add QUIRK_NOGET for an other TPV touchscreen
[c9b57724b38d4c1555ee49418be3d76801e3327c]
HID: uclogic: Set quirks from inside the driver
[70b69cfb88467988116c4863056495fa3615271a]

Bjørn Mork (1):
USB: serial: qcserial: add more Lenovo EM74xx device IDs
[8d7a10dd323993cc40bd37bce8bc570133b0c396]

Chris Brandt (2):
usb: r8a66597-hcd: decrease timeout
[dd14a3e9b92ac6f0918054f9e3477438760a4fa6]
usb: r8a66597-hcd: select a different endpoint on timeout
[1f873d857b6c2fefb4dada952674aa01bcfb92bd]

Christian Lamparter (1):
net: emac: fix reset timeout with AR8035 phy
[19d90ece81da802207a9b91ce95a29fbdc40626e]

Christophe JAILLET (3):
SMB2: Fix share type handling
[cd1230070ae1c12fd34cf6a557bfa81bf9311009]
[media] vb2: Fix an off by one error in 'vb2_plane_vaddr'
[5ebb6dd36c9f5fb37b1077b393c254d70a14cb46]
serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
[be40597a1bc173bf9dadccdf5388b956f620ae8f]

Colin Ian King (3):
HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL
[ed9ab4287f96e66340e0390e2c583f2f9110cba0]
btrfs: fix incorrect error return ret being passed to mapping_set_error
[bff5baf8aa37a97293725a16c03f49872249c07e]
netxen_nic: set rcode to the return status from the call to netxen_issue_cmd
[0fe20fafd1791f993806d417048213ec57b81045]

Corentin Labbe (1):
usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk
[d2f48f05cd2a2a0a708fbfa45f1a00a87660d937]

Dan Carpenter (7):
PowerCap: Fix an error code in powercap_register_zone()
[216c4e9db4c9d1d2a382b42880442dc632cd47d9]
block: fix an error code in add_partition()
[7bd897cfce1eb373892d35d7f73201b0f9b221c4]
drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
[f0c62e9878024300319ba2438adc7b06c6b9c448]
libceph: NULL deref on crush_decode() error path
[293dffaad8d500e1a5336eeb90d544cf40d4fbd8]
uio: add missing error codes
[0320a278b9ef80cfa44f74b7f9bb36781695f3ee]
xfrm: NULL dereference on allocation failure
[e747f64336fc15e1c823344942923195b800aa1e]
xfrm: Oops on error in pfkey_msg2xfrm_state()
[1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633]

Daniel Bristot de Oliveira (1):
HID: usbhid: enable NO_INIT_REPORTS quirk for Semico USB Keykoard2
[c14022bfd2eb2d2ece74a405dfbdb02a829c07bc]

Daniel Drake (1):
Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
[817ae460c784f32cd45e60b2b1b21378c3c6a847]

Daniel Keller (1):
HID: microsoft: Add Surface 4 type cover pro 4 not JP versions
[2ae3986b84e9d325bc92a1efbcf0c6b0f5016b35]

Daniele Palmas (1):
usb: serial: option: add Telit ME910 support
[40dd46048c155b8f0683f468c950a1c107f77a7c]

David S. Miller (1):
ipv6: Fix leak in ipv6_gso_segment().
[e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789]

David Sterba (1):
btrfs: use correct types for page indices in btrfs_page_exists_in_range
[cc2b702c52094b637a351d7491ac5200331d0445]

Dominik Heidler (1):

l2tp: cast l2tp traffic counter to unsigned

[9b3dc0a17d7388c4fb83736ca45253a93e994ce4]

Donavan Lance (1):
HID: Add new Microsoft Type Cover 3 product ID
[c6956eb70e2549a3c2fa6ee525e02776d293caf4]

Doug Berger (1):
ARM: 8685/1: ensure memblock-limit is pmd-aligned
[9e25ebfe56ece7541cd10a20d715cbdd148a2e06]

Emmanuel Grumbach (1):
mac80211: don't look at the PM bit of BAR frames
[769dc04db3ed8484798aceb015b94deacc2ba557]

Eric Anholt (1):
watchdog: bcm281xx: Fix use of uninitialized spinlock.
[fedf266f9955d9a019643cde199a2fd9a0259f6f]

Eric Biggers (1):
KEYS: fix dereferencing NULL payload with nonzero length
[5649645d725c73df4302428ee4e02c869248b4c5]

Eric Dumazet (4):
net: fix compile error in skb_orphan_partial()
[9142e9007f2d7ab58a587a1e1d921b0064a339aa]
net: ping: do not abuse udp_poll()
[77d4b1d36926a9b8387c6b53eeba42bcaaffcea3]
net: prevent sign extension in dev_get_stats()
[6f64ec74515925cced6df4571638b5a099a49aae]
netem: fix skb_orphan_partial()
[f6ba8d33cfbb46df569972e64dbb5bb7e929bfd9]

Eric W. Biederman (2):
pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
[b9a985db98961ae1ba0be169f19df1c567e4ffe0]
signal: Only reschedule timers on signals timers have sent
[57db7e4a2d92c2d3dfbca4ef8057849b2682436b]

Eryu Guan (1):
xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff()
[8affebe16d79ebefb1d9d6d56a46dc89716f9453]

Felipe Balbi (1):
usb: host: xhci: simplify irq handler return
[76a35293b901915c5dcb4a87a4a0da8d7caf39fe]

Feras Daoud (1):
IB/ipoib: Fix memory leak in create child syscall
[4542d66bb26f2d021c70a78e46f183c6675fc4c9]

Geert Uytterhoeven (2):
serial: ifx6x60: Remove dangerous spi_driver casts
[9a499db0325b8a8e2368f21fef66705b120f38ba]
sh_eth: Use platform device for printing before register_netdev()
[5f5c5449acad0cd3322e53e1ac68c044483b0aa5]

Gilad Ben-Yossef (1):
crypto: gcm - wait for crypto op not signal safe
[f3ad587070d6bd961ab942b3fd7a85d00dfc934b]

Heiner Kallweit (1):
genirq: Release resources in __setup_irq() error path
[fa07ab72cbb0d843429e61bf179308aed6cbe0dd]

Hui Wang (1):
ALSA: hda - set input_path bitmap to zero after moving it to new place
[a8f20fd25bdce81a8e41767c39f456d346b63427]

Ilya Matveychikov (1):
lib/cmdline.c: fix get_options() overflow while parsing ranges
[a91e0f680bcd9e10c253ae8b62462a38bd48f09f]

James Hogan (1):
MIPS: Avoid accidental raw backtrace
[854236363370995a609a10b03e35fd3dc5e9e4a1]

James Morse (1):
mm/memory-failure.c: use compound_head() flags for huge pages
[7258ae5c5a2ce2f5969e8b18b881be40ab55433d]

Jan Kara (4):
ext4: fix SEEK_HOLE
[7d95eddf313c88b24f99d4ca9c2411a4b82fef33]
ext4: fix data corruption for mmap writes
[a056bdaae7a181f7dcc876cfab2f94538e508709]
ext4: fix fdatasync(2) after extent manipulation operations
[67a7d5f561f469ad2fa5154d2888258ab8e6df7c]
xfs: Fix missed holes in SEEK_HOLE implementation
[5375023ae1266553a7baa0845e82917d8803f48c]

Jann Horn (1):
ptrace: use fsuid, fsgid, effective creds for fs access checks
[caaee6234d05a58c5b4d05e7bf766131b810a657]

Jason A. Donenfeld (1):
mac80211/wpa: use constant time memory comparison for MACs
[98c67d187db7808b1f3c95f2110dd4392d034182]

Jeff Mahoney (1):
btrfs: fix memory leak in update_space_info failure path
[896533a7da929136d0432713f02a3edffece2826]

Jiang Yi (1):
iscsi-target: Always wait for kthread_should_stop() before kthread exit
[5e0cf5e6c43b9e19fc0284f69e5cd2b4a47523b0]

Jimmy Berry (1):
HID: usbhid: add Logitech G710+ keyboard quirk NOGET
[0d51571d51ea8eb72b903b2a4f3f43a38e7bc718]

Jisheng Zhang (1):
usb: chipidea: udc: fix NULL pointer dereference if udc_start failed
[aa1f058d7d9244423b8c5a75b9484b1115df7f02]

Joe Thornber (2):
dm space map disk: fix some book keeping in the disk space map
[0377a07c7a035e0d033cd8b29f0cb15244c0916a]
dm thin metadata: call precommit before saving the roots
[91bcdb92d39711d1adb40c26b653b7978d93eb98]

Johan Hovold (14):
USB: gadget: dummy_hcd: fix hub-descriptor removable fields
[d81182ce30dbd497a1e7047d7fda2af040347790]
USB: hub: fix SS hub-descriptor handling
[2c25a2c818023df64463aac3288a9f969491e507]
USB: hub: fix SS max number of ports
[93491ced3c87c94b12220dbac0527e1356702179]
USB: hub: fix non-SS hub-descriptor handling
[bec444cd1c94c48df409a35ad4e5b143c245c3f7]
USB: iowarrior: fix info ioctl on big-endian hosts
[dd5ca753fa92fb736b1395db892bd29f78e6d408]
USB: serial: io_ti: fix div-by-zero in set_termios
[6aeb75e6adfaed16e58780309613a578fe1ee90b]
USB: serial: ir-usb: fix big-endian baud-rate debug printk
[ad0ccac76dcc92c3331f4c94c9fc54f8bf1ab20c]
USB: serial: mct_u232: fix big-endian baud-rate handling
[26cede343656c0bc2c33cdc783771282405c7fb2]
USB: usbip: fix nonconforming hub descriptor
[ec963b412a54aac8e527708ecad06a6988a86fb4]
net: irda: irda-usb: fix firmware name on big-endian hosts
[75cf067953d5ee543b3bda90bbfcbee5e1f94ae8]
of: fdt: add missing allocation-failure check
[49e67dd17649b60b4d54966e18ec9c80198227f0]
serial: ifx6x60: fix use-after-free on module unload
[1e948479b3d63e3ac0ecca13cbf4921c7d17c168]
uwb: fix device quirk on big-endian hosts
[41318a2b82f5d5fe1fb408f6d6e0b22aa557111d]
watchdog: pcwd_usb: fix NULL-deref at probe
[46c319b848268dab3f0e7c4a5b6e9146d3bca8a4]

Johannes Thumshirn (1):
scsi: qla2xxx: don't disable a not previously enabled PCI device
[ddff7ed45edce4a4c92949d3c61cd25d229c4a14]

Julian Wiedmann (1):
s390/qeth: unbreak OSM and OSN support
[2d2ebb3ed0c6acfb014f98e427298673a5d07b82]

Julius Werner (2):
drivers: char: mem: Check for address space wraparound with mmap()
[b299cde245b0b76c977f4291162cf668e087b408]
drivers: char: mem: Fix wraparound check to allow mappings up to the end
[32829da54d9368103a2f03269a5120aa9ee4d5da]

Kirill Tkhai (1):
pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()
[3fd37226216620c1a468afa999739d5016fbc349]

Konstantin Khlebnikov (3):
ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
[9651e6b2e20648d04d5e1fe6479a3056047e8781]
ext4: keep existing extra fields when inode expands
[887a9730614727c4fff7cb756711b190593fc1df]
ext4: use __GFP_NOFAIL in ext4_free_blocks()
[adb7ef600cc9d9d15ecc934cc26af5c1379777df]

Linus Torvalds (1):
Sanitize 'move_pages()' permission checks
[197e7e521384a23b9e585178f3f11c9fa08274b9]

Liping Zhang (1):
netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
[fefa92679dbe0c613e62b6c27235dcfbe9640ad1]

Liwei Song (1):
i2c: ismt: fix wrong device address when unmap the data buffer
[17e83549e199d89aace7788a9f11c108671eecf5]

Lyude (1):
drm/radeon: Unbreak HPD handling for r600+
[3d18e33735a02b1a90aecf14410bf3edbfd4d3dc]

Malcolm Priestley (3):
staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
[867510bde14e7b7fc6dd0f50b48f6753cfbd227a]
staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
[baabd567f87be05330faa5140f72a91960e7405a]
staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
[90be652c9f157d44b9c2803f902a8839796c090d]

Marc Kleine-Budde (1):
can: gs_usb: fix memory leak in gs_cmd_reset()
[5cda3ee5138e91ac369ed9d0b55eab0dab077686]

Marc Zyngier (3):
arm64: KVM: Allow unaligned accesses at EL2
[78fd6dcf11468a5a131b8365580d0c613bcc02cb]
arm64: KVM: Preserve RES1 bits in SCTLR_EL2
[d68c1f7fd1b7148dab5fe658321d511998969f2d]
arm: KVM: Allow unaligned accesses at HYP
[33b5c38852b29736f3b472dd095c9a18ec22746f]

Marcel Hasler (2):
HID: usbhid: Add quirk for Mayflash/Dragonrise DolphinBar.
[8aa2cc7e747881d1fd52db28261b201d4e3e5565]
HID: usbhid: Add quirks for Mayflash/Dragonrise GameCube and PS3 adapters
[b2554000f5b5d2a3a368d09c6debf7da64901fcf]

Marcin Nowakowski (1):
MIPS: kprobes: flush_insn_slot should flush only if probe initialised
[698b851073ddf5a894910d63ca04605e0473414e]

Marian Krivoš (1):
HID: support for keyboard - Corsair STRAFE
[3da30bfc0b0a572a4f977a586edf34cf3dd503c3]

Mark Rutland (1):
mm: numa: avoid waiting on freed migrated pages
[3c226c637b69104f6b9f1c6ec5b08d7b741b3229]

Mathias Nyman (1):
xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
[a0c16630d35a874e82bdf2088f58ecaca1024315]

Matt Ranostay (3):
iio: proximity: as3935: fix AS3935_INT mask
[275292d3a3d62670b1b13484707b74e5239b4bb0]
iio: proximity: as3935: fix iio_trigger_poll issue
[9122b54f266ddee09654fe3fbc503c1a60f4a01c]
iio: proximity: as3935: recalibrate RCO after resume
[6272c0de13abf1480f701d38288f28a11b4301c4]

Max Filippov (1):
net: ethoc: enable NAPI before poll may be scheduled
[d220b942a4b6a0640aee78841608f4aa5e8e185e]

Michael Ellerman (4):
powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
[e41e53cd4fe331d0d1f06f8e4ed7e2cc63ee2c34]
powerpc/numa: Fix percpu allocations to be NUMA aware
[ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b]
powerpc/spufs: Fix coredump of SPU contexts
[99acc9bede06bbb2662aafff51f5b9e529fa845e]
selftests/powerpc: Fix TM resched DSCR test with some compilers
[fe06fe860250a4f01d0eaf70a2563b1997174a74]

Michael Thalmeier (1):
usb: chipidea: debug: check before accessing ci_role
[0340ff83cd4475261e7474033a381bc125b45244]

Michail Georgios Etairidis (1):
i2c: imx: Use correct function to write to register
[6c782a5ea56a799658e213a78dc1455264938afa]

Michal Kubeček (2):
net: account for current skb length when deciding about UFO
[a5cb659bbc1c8644efa0c3138a757a1e432a4880]
net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
[e44699d2c28067f69698ccb68dd3ddeacfebc434]

Milan Plzik (1):
HID: kye: Fix report descriptor for Genius PenSketch M912
[feb6faf1e5d46276c5430e36ffb4a6f62bf8d55b]

Naveen N. Rao (1):
powerpc/kprobes: Pause function_graph tracing during jprobes handling
[a9f8553e935f26cb5447f67e280946b0923cd2dc]

Nazar Mokrynskyi (1):
HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk
[567a44ecb44eb2584ddb93e962cfb133ce77e0bb]

NeilBrown (1):
autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
[9fa4eb8e490a28de40964b1b0e583d8db4c7e57c]

Nicholas Bellinger (4):
configfs: Fix race between create_link and configfs_rmdir
[ba80aa909c99802c428682c352b0ee0baac0acd3]
iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race
[8f0dfb3d8b1120c61f6e2cc3729290db10772b2d]
iscsi-target: Fix initial login PDU asynchronous socket close OOPs
[25cdda95fda78d22d44157da15aa7ea34be3c804]
target: Fix kref->refcount underflow in transport_cmd_finish_abort
[73d4e580ccc5c3e05cea002f18111f66c9c07034]

Nicholas Piggin (1):
powerpc/64: Initialise thread_info for emergency stacks
[34f19ff1b5a0d11e46df479623d6936460105c9f]

Oleg Drokin (1):
staging/lustre/lov: remove set_fs() call from lov_getstripe()
[0a33252e060e97ed3fbdcec9517672f1e91aaef3]

Oliver Neukum (2):
HID: usbhid: more mice with ALWAYS_POLL
[003e817a9ecf6cfded59630858bbf04056d71e9a]
HID: usbhid: yet another mouse with ALWAYS_POLL
[43faadfe96d3f049f4ae2c4090d2e57b9aafb995]

Oliver Schmitt (1):
HID: usbhid: Fix for the WiiU adapter from Mayflash
[b6ad9a26e7c6fae74062baa9b8a7f583a803e092]

Oscar Campos (1):
HID: corsair: support for K65-K70 Rapidfire and Scimitar Pro RGB
[deaba636997557fce46ca7bcb509bff5ea1b0558]

Paolo Bonzini (2):
kvm: async_pf: fix rcu_irq_enter() with irqs enabled
[bbaf0e2b1c1b4f88abd6ef49576f0efb1734eae5]
srcu: Allow use of Classic SRCU from both process and interrupt context
[1123a6041654e8f889014659593bad4168e542c2]

Patrik Jakobsson (1):
drm/gma500/psb: Actually use VBT mode when it is found
[82bc9a42cf854fdf63155759c0aa790bd1f361b0]

Paul Burton (2):
MIPS: Fix IRQ tracing & lockdep when rescheduling
[d8550860d910c6b7b70f830f59003b33daaa52c9]
MIPS: pm-cps: Drop manual cache-line alignment of ready_count
[161c51ccb7a6faf45ffe09aa5cf1ad85ccdad503]

Paul E. McKenney (1):
rcu: Move preemption disabling out of __srcu_read_lock()
[49f5903b473c5f63f3b57856d1bd4593db0a2eef]

Paul Mackerras (2):
KVM: PPC: Book3S HV: Context-switch EBB registers properly
[ca8efa1df1d15a1795a2da57f9f6aada6ed6b946]
KVM: PPC: Book3S HV: Preserve userspace HTM state properly
[46a704f8409f79fd66567ad3f8a7304830a84293]

Paul Moore (1):
selinux: fix double free in selinux_parse_opts_str()
[023f108dcc187e34ef864bf10ed966cf25e14e2a]

Pavel Shilovsky (1):
CIFS: Improve readdir verbosity
[dcd87838c06f05ab7650b249ebf0d5b57ae63e1e]

Peter Chen (1):
usb: host: xhci-mem: allocate zeroed Scratchpad Buffer
[7480d912d549f414e0ce39331870899e89a5598c]

Peter Ujfalusi (1):
usb: musb: tusb6010_omap: Do not reset the other direction's packet size
[6df2b42f7c040d57d9ecb67244e04e905ab87ac6]

Punit Agrawal (1):
mm/migrate: fix refcount handling when !hugepage_migration_supported()
[30809f559a0d348c2dfd7ab05e9a451e2384962e]

Radim Krčmář (1):
KVM: x86: zero base3 of unusable segments
[f0367ee1d64d27fa08be2407df5c125442e885e3]

Raimund Roth (1):
HID: microsoft: Add Surface Power Cover
[18eec2cd7e9746cd672ada102987534ae16f0f44]

Rajkumar Manoharan (1):
mac80211: strictly check mesh address extension mode
[5667c86acf021e6dcf02584408b4484a273ac68f]

Raphael Assenat (1):
HID: usbhid: Add a quirk for raphnet multi-gamepad adapters
[d6ea2f88ac3659b799d8079a4fbda4f8faf6ff90]

Reyad Attiyat (1):
HID: microsoft: Add quirk for MS Surface Type/Touch cover
[c5b2b809cee8db018ac68566fe2114c175d79b5b]

Richard Cochran (1):
net: dp83640: Avoid NULL pointer dereference.
[db9d8b29d19d2801793e4419f4c6272bf8951c62]

Richard Narron (1):
fs/ufs: Set UFS default maximum bytes per file
[239e250e4acbc0104d514307029c0839e834a51a]

Robert Jarzmik (1):
tags: honor COMPILED_SOURCE with apart output directory
[cbf52a3e6a8a92beec6e0c70abf4111cd8f8faf7]

Roger Pau Monne (1):
xen: fix bio vec merging
[462cdace790ac2ed6aad1b19c9c0af0143b6aab0]

Russell King (1):
net: phy: fix marvell phy status reading
[898805e0cdf7fd860ec21bf661d3a0285a3defbd]

Sabrina Dubroca (2):
tracing/kprobes: Allow to create probe with a module name starting with a digit
[9e52b32567126fe146f198971364f68d3bc5233f]
xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
[9b3eb54106cf6acd03f07cf0ab01c13676a226c2]

Sean Young (2):
HID: sjoy: support Super Joy Box 4
[6e5e9a06a206010eabd19b523fd0833c51afc0b0]
[media] rc-core: race condition during ir_raw_event_register()
[963761a0b2e85663ee4a5630f72930885a06598a]

Sebastian Parschauer (1):
HID: Add quirk for Dell PIXART OEM mouse
[3db28271f0feae129262d30e41384a7c4c767987]

Sebastian Reichel (1):
i2c: i2c-tiny-usb: fix buffer not being DMA capable
[5165da5923d6c7df6f2927b0113b2e4d9288661e]

SeongJae Park (6):
perf probe: Fix examples section of documentation
[d89269a89ebb6a74512f3f40e89cd12017f60a75]
perf script python: Fix wrong code snippets in documentation
[26ddb8722df865aa67fbe459107d2f3f8e5c6829]
perf script python: Remove dups in documentation examples
[14fc42fa1b3e7ea5160c84d0e686a3a0c1ffe619]
perf script python: Updated trace_unhandled() signature
[1bf8d5a4a5da19b1f6e7958fe67db4118fa7a1c1]
perf script: Fix documentation errors
[34d4453dac257be53c21abf2f713c992fb692b5c]
perf script: Fix outdated comment for perf-trace-python
[c76132dc5182776b98e946d674cb41c421661ea9]

Serhey Popovych (2):
ipv6: Do not leak throw route references
[07f615574f8ac499875b21c1142f26308234a92c]
rtnetlink: add IFLA_GROUP to ifla_policy
[db833d40ad3263b2ee3b59a1ba168bb3cfed8137]

Soheil Hassas Yeganeh (1):
tcp: eliminate negative reordering in tcp_clean_rtx_queue
[bafbb9c73241760023d8981191ddd30bb1c6dbac]

Stafford Horne (1):
HID: quirks: Add no_init_reports for AKAI midi controller
[a382c30c662a31dd8f51cc4b6dad82d39205d50c]

Steffen Klassert (1):
af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
[d90c902449a7561f1b1d58ba5a0d11728ce8b0b2]

Steinar H. Gunderson (1):
HID: add quirk for Akai MIDImix.
[4973ca9a01e2354b159acedec1b9b8eb8de02ab7]

Stephen Just (1):
HID: microsoft: Add Surface 3 type cover
[0439de75d32c249bd9f5824ffd5e40c4c2109d77]

Sui Chen (1):
ahci: Acer SA5-271 SSD Not Detected Fix
[8bfd174312629866efa535193d9e563768ff4307]

Suman Anna (1):
uio: fix incorrect memory leak cleanup
[0d83539092ddb1ab79b4d65bccb866bf07ea2ccd]

Suzuki K Poulose (3):
kvm: arm/arm64: Fix race in resetting stage2 PGD
[6c0d706b563af732adb094c5bf807437e8963e84]
kvm: arm/arm64: Fix use after free of stage2 page table
[0c428a6a9256fcd66817e12db32a50b405ed2e5c]
kvm: arm/arm64: Force reading uncached stage2 PGD
[2952a6070e07ebdd5896f1f5b861acad677caded]

Sven Eckelmann (1):
batman-adv: Fix rx packet/bytes stats on local ARP reply
[36d4d68cd658d914ef73ac845705c4a89e7d9e2f]

Takashi Iwai (1):
ASoC: Fix use-after-free at card unregistration
[4efda5f2130da033aeedc5b3205569893b910de2]

Thinh Nguyen (2):
usb: dwc3: gadget: Prevent losing events in event cache
[d325a1de49d61ee11aca58a529571c91ecea7879]
usb: gadget: f_mass_storage: Serialize wake and sleep execution
[dc9217b69dd6089dcfeb86ed4b3c671504326087]

Thomas Gleixner (4):
alarmtimer: Prevent overflow of relative timers
[f4781e76f90df7aec400635d73ea4c35ee1d4765]
alarmtimer: Rate limit periodic intervals
[ff86bf0c65f14346bf2440534f9ba5ac232c39a0]
slub/memcg: cure the brainless abuse of sysfs attributes
[478fe3037b2278d276d4cd9cd0ab06c4cb2e9b32]
tracing/kprobes: Enforce kprobes teardown after testing
[30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd]

Thomas Petazzoni (1):
usb: host: xhci-plat: propagate return value of platform_get_irq()
[4b148d5144d64ee135b8924350cb0b3a7fd21150]

Tomasz Kramkowski (1):
HID: usbhid: add quirk for innomedia INNEX GENESIS/ATARI adapter
[9547837bdccb4af127528b36a73377150658b4ac]

Tomasz Wilczyński (1):
cpufreq: conservative: Allow down_threshold to take values from 1 to 10
[b8e11f7d2791bd9320be1c6e772a60b2aa093e45]

Trent Lloyd (1):
HID: usbhid: quirks for Corsair RGB keyboard & mice (K70R, K95RGB, M65RGB, K70RGB, K65RGB)
[282bf1fe6dca4b768d6bedc14aea1b82c36241c1]

Ulrik De Bie (1):
Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled
[47eb0c8b4d9eb6368941c6a9bb443f00847a46d7]

Ursula Braun (1):
s390/qeth: handle sysfs error during initialization
[9111e7880ccf419548c7b0887df020b08eadb075]

Uwe Kleine-König (2):
net: ethernet: ax88796: don't call free_irq without request_irq first
[82533ad9a1ce3a7a6863849a552c2cc041b55e0d]
pinctrl: mxs: atomically switch mux and drive strength config
[da6c2addf66d7ff7d0b090d6267d4292f951e4e6]

Vamsi Krishna Samavedam (1):
USB: core: replace %p with %pK
[2f964780c03b73de269b08d12aff96a9618d13f3]

Vasilis Liaskovitis (1):
HID: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch
[d529a4ad91efcf68b65440c6555895fd7ad5a08e]

Vladis Dronov (1):
xfrm: policy: check policy direction value
[7bab09631c2a303f87a7eb7e3d69e888673b9b7e]

WANG Cong (5):
ipv6: avoid unregistering inet6_dev for loopback
[60abc0be96e00ca71bac083215ac91ad2e575096]
ipv6: initialize route null entry in addrconf_init()
[2f460933f58eee3393aba64f0f6d14acb08d1724]
ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER
[76da0704507bbc51875013f6557877ab308cfd0a]
ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf
[242d3a49a2a1a71d8eb9f953db1bcaa9d698ce00]
tcp: reset sk_rx_dst in tcp_disconnect()
[d747a7a51b00984127a88113cdbbc26f91e9d815]

Wangzhao Cai (1):
HID: add quirk for 0x04d9:0xa096 device
[30c6fd4277ebab2a32ae5635d34283354b1bc8f2]

Wanpeng Li (5):
KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
[cbfc6c9184ce71b52df4b1d82af5afc81a709178]
KVM: async_pf: avoid async pf injection when in guest mode
[9bc1f09f6fa76fdf31eb7d6a4a4df43574725f93]
KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation
[a3641631d14571242eec0d30c9faa786cbf52d44]
KVM: nVMX: Fix exception injection
[d4912215d1031e4fb3d1038d2e1857218dba0d0a]
KVM: x86: Fix load damaged SSEx MXCSR register
[a575813bfe4bc15aba511a5e91e61d242bff8b9d]

Wei Wang (2):
tcp: avoid fastopen API to be used on AF_UNSPEC
[ba615f675281d76fd19aa03558777f81fb6b6084]
tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
[499350a5a6e7512d9ed369ed63a4244b6536f4f8]

Yisheng Xie (1):
mlock: fix mlock count can not decrease in race condition
[70feee0e1ef331b22cc51f383d532a0d043fbdcc]

Yu Zhao (1):
swap: cond_resched in swap_cgroup_prepare()
[ef70762948dde012146926720b70e79736336764]

Yuchung Cheng (1):
tcp: avoid fragmenting peculiar skbs in SACK
[b451e5d24ba6687c6f0e7319c727a709a1846c06]

Yuta Kobayashi (1):
HID: microsoft: Add Surface 4 type cover pro 4 (JP)
[b490a8537df60d449199e162417da74ee9262515]

Yuval Mintz (1):
bnx2x: Fix Multi-Cos
[3968d38917eb9bd0cd391265f6c9c538d9b33ffa]

Zheng Li (1):
ipv4: Should use consistent conditional judgement for ip fragment in __ip_append_data and ip_finish_output
[0a28cfd51e17f4f0a056bcf66bfbe492c3b99f38]

Makefile | 4 +-
arch/alpha/kernel/osf_sys.c | 6 +-
arch/arm/kvm/init.S | 5 +-
arch/arm/kvm/mmu.c | 23 ++-
arch/arm/mm/mmu.c | 8 +-
arch/arm64/include/asm/kvm_arm.h | 5 +
arch/arm64/kvm/hyp-init.S | 11 +-
arch/mips/include/asm/kprobes.h | 3 +-
arch/mips/kernel/entry.S | 3 +
arch/mips/kernel/pm-cps.c | 9 +-
arch/mips/kernel/traps.c | 2 +
arch/powerpc/include/asm/page.h | 12 ++
arch/powerpc/include/asm/topology.h | 14 ++
arch/powerpc/kernel/kprobes.c | 11 ++
arch/powerpc/kernel/setup_64.c | 32 +++-
arch/powerpc/kvm/book3s_hv.c | 37 ++++
arch/powerpc/platforms/cell/spufs/coredump.c | 2 +
arch/x86/Kconfig | 2 +-
arch/x86/kernel/i387.c | 1 +
arch/x86/kernel/kvm.c | 2 +-
arch/x86/kvm/cpuid.c | 20 +-
arch/x86/kvm/mmu.c | 7 +-
arch/x86/kvm/mmu.h | 1 +
arch/x86/kvm/vmx.c | 2 +-
arch/x86/kvm/x86.c | 38 ++--
block/partition-generic.c | 4 +-
crypto/gcm.c | 6 +-
drivers/ata/ahci.c | 38 ++++
drivers/char/mem.c | 5 +
drivers/cpufreq/cpufreq_conservative.c | 4 +-
drivers/dma/ep93xx_dma.c | 2 +
drivers/gpu/drm/gma500/psb_intel_lvds.c | 18 +-
drivers/gpu/drm/radeon/ci_dpm.c | 6 +
drivers/gpu/drm/radeon/cik.c | 2 +-
drivers/gpu/drm/radeon/evergreen.c | 2 +-
drivers/gpu/drm/radeon/r600.c | 2 +-
drivers/gpu/drm/radeon/radeon_combios.c | 7 +
drivers/gpu/drm/radeon/radeon_device.c | 4 +
drivers/gpu/drm/radeon/si.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 2 +
drivers/hid/hid-core.c | 20 +-
drivers/hid/hid-ids.h | 75 +++++++-
drivers/hid/hid-kye.c | 140 ++++++++++++++
drivers/hid/hid-microsoft.c | 14 +-
drivers/hid/hid-sjoy.c | 3 +
drivers/hid/hid-uclogic.c | 27 +++
drivers/hid/usbhid/hid-quirks.c | 64 +++++--
drivers/i2c/busses/i2c-imx.c | 4 +-
drivers/i2c/busses/i2c-ismt.c | 2 +-
drivers/i2c/busses/i2c-tiny-usb.c | 25 ++-
drivers/iio/proximity/as3935.c | 14 +-
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 7 +-
drivers/input/mouse/elantech.c | 16 ++
drivers/input/serio/i8042-x86ia64io.h | 7 +
drivers/md/dm-thin-metadata.c | 4 +-
drivers/md/persistent-data/dm-space-map-disk.c | 15 +-
drivers/media/rc/ir-raw.c | 13 +-
drivers/media/v4l2-core/videobuf2-core.c | 2 +-
drivers/net/can/usb/gs_usb.c | 2 +
drivers/net/ethernet/8390/ax88796.c | 7 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 2 +-
drivers/net/ethernet/ethoc.c | 3 +-
drivers/net/ethernet/ibm/emac/core.c | 26 ++-
.../net/ethernet/qlogic/netxen/netxen_nic_ctx.c | 2 +-
drivers/net/ethernet/renesas/sh_eth.c | 2 +-
drivers/net/irda/irda-usb.c | 2 +-
drivers/net/phy/dp83640.c | 2 +-
drivers/net/phy/marvell.c | 68 ++++---
.../net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 5 +
drivers/of/fdt.c | 3 +
drivers/pinctrl/pinctrl-mxs.c | 16 +-
drivers/powercap/powercap_sys.c | 1 +
drivers/s390/net/qeth_core.h | 4 +
drivers/s390/net/qeth_core_main.c | 21 ++-
drivers/s390/net/qeth_core_sys.c | 24 ++-
drivers/s390/net/qeth_l2.h | 2 +
drivers/s390/net/qeth_l2_main.c | 16 +-
drivers/s390/net/qeth_l2_sys.c | 8 +
drivers/s390/net/qeth_l3_main.c | 6 +-
drivers/scsi/qla2xxx/qla_os.c | 8 +-
drivers/staging/lustre/lustre/lov/lov_pack.c | 9 -
drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 24 ++-
drivers/staging/usbip/vhci_hcd.c | 11 +-
drivers/target/iscsi/iscsi_target.c | 31 ++-
drivers/target/iscsi/iscsi_target_core.h | 1 +
drivers/target/iscsi/iscsi_target_erl0.c | 6 +-
drivers/target/iscsi/iscsi_target_erl0.h | 2 +-
drivers/target/iscsi/iscsi_target_login.c | 4 +
drivers/target/iscsi/iscsi_target_nego.c | 208 ++++++++++++++-------
drivers/target/target_core_internal.h | 2 +-
drivers/target/target_core_tmr.c | 16 +-
drivers/target/target_core_transport.c | 9 +-
drivers/tty/serial/efm32-uart.c | 11 +-
drivers/tty/serial/ifx6x60.c | 6 +-
drivers/uio/uio.c | 24 ++-
drivers/usb/chipidea/debug.c | 3 +-
drivers/usb/chipidea/udc.c | 8 +-
drivers/usb/core/devio.c | 4 +-
drivers/usb/core/hcd.c | 4 +-
drivers/usb/core/hub.c | 27 ++-
drivers/usb/core/urb.c | 2 +-
drivers/usb/dwc3/gadget.c | 9 +
drivers/usb/gadget/dummy_hcd.c | 6 +-
drivers/usb/gadget/f_mass_storage.c | 13 +-
drivers/usb/host/r8a66597-hcd.c | 6 +-
drivers/usb/host/xhci-mem.c | 2 +-
drivers/usb/host/xhci-pci.c | 10 +-
drivers/usb/host/xhci-plat.c | 2 +-
drivers/usb/host/xhci-ring.c | 37 ++--
drivers/usb/misc/iowarrior.c | 2 +-
drivers/usb/musb/tusb6010_omap.c | 13 +-
drivers/usb/serial/ftdi_sio.c | 10 +-
drivers/usb/serial/ftdi_sio_ids.h | 2 +
drivers/usb/serial/io_ti.c | 5 +-
drivers/usb/serial/ir-usb.c | 21 ++-
drivers/usb/serial/mct_u232.c | 2 +-
drivers/usb/serial/option.c | 8 +
drivers/usb/serial/qcserial.c | 2 +
drivers/usb/storage/ene_ub6250.c | 90 +++++----
drivers/uwb/i1480/dfu/usb.c | 5 +-
drivers/watchdog/bcm_kona_wdt.c | 3 +-
drivers/watchdog/pcwd_usb.c | 3 +
drivers/xen/biomerge.c | 3 +-
fs/autofs4/dev-ioctl.c | 2 +-
fs/btrfs/extent-tree.c | 1 +
fs/btrfs/extent_io.c | 2 +-
fs/btrfs/inode.c | 4 +-
fs/cifs/smb1ops.c | 9 +-
fs/cifs/smb2ops.c | 4 +-
fs/cifs/smb2pdu.c | 14 +-
fs/configfs/symlink.c | 3 +-
fs/ext4/extents.c | 3 +
fs/ext4/file.c | 50 ++---
fs/ext4/inode.c | 25 ++-
fs/ext4/mballoc.c | 70 ++++---
fs/proc/array.c | 2 +-
fs/proc/base.c | 21 ++-
fs/proc/namespaces.c | 4 +-
fs/proc/task_mmu.c | 4 +-
fs/proc/task_nommu.c | 2 +-
fs/stat.c | 1 +
fs/ufs/balloc.c | 26 ++-
fs/ufs/inode.c | 5 +-
fs/ufs/super.c | 23 ++-
fs/ufs/truncate.c | 6 -
fs/ufs/util.h | 10 +-
fs/xfs/xfs_file.c | 31 +--
include/linux/kprobes.h | 4 +-
include/linux/ptrace.h | 24 ++-
include/linux/srcu.h | 3 +-
include/net/addrconf.h | 2 +
include/net/ip6_route.h | 1 +
include/net/ipv6.h | 1 +
include/net/xfrm.h | 10 -
include/uapi/linux/usb/ch11.h | 3 +
kernel/events/core.c | 2 +-
kernel/fork.c | 8 +-
kernel/futex.c | 2 +-
kernel/futex_compat.c | 2 +-
kernel/irq/manage.c | 4 +-
kernel/kcmp.c | 4 +-
kernel/kprobes.c | 2 +-
kernel/pid_namespace.c | 2 +-
kernel/ptrace.c | 39 +++-
kernel/rcu/srcu.c | 12 +-
kernel/signal.c | 20 +-
kernel/time/alarmtimer.c | 14 +-
kernel/trace/trace_kprobe.c | 18 +-
lib/cmdline.c | 6 +-
mm/huge_memory.c | 9 +-
mm/memory-failure.c | 13 +-
mm/migrate.c | 11 +-
mm/mlock.c | 5 +-
mm/page_cgroup.c | 3 +
mm/process_vm_access.c | 2 +-
mm/slub.c | 6 +-
net/batman-adv/distributed-arp-table.c | 5 +-
net/ceph/osdmap.c | 1 +
net/core/dev.c | 12 +-
net/core/rtnetlink.c | 2 +
net/core/sock.c | 15 +-
net/ipv4/af_inet.c | 2 +-
net/ipv4/ip_output.c | 2 +-
net/ipv4/tcp.c | 13 +-
net/ipv4/tcp_input.c | 11 +-
net/ipv6/addrconf.c | 8 +-
net/ipv6/fib6_rules.c | 3 +-
net/ipv6/ip6_offload.c | 4 +-
net/ipv6/ip6_output.c | 17 +-
net/ipv6/ping.c | 2 +-
net/ipv6/raw.c | 2 +-
net/ipv6/route.c | 43 +++--
net/ipv6/xfrm6_mode_ro.c | 2 +
net/ipv6/xfrm6_mode_transport.c | 2 +
net/key/af_key.c | 19 +-
net/l2tp/l2tp_eth.c | 13 +-
net/mac80211/rx.c | 9 +-
net/mac80211/wpa.c | 5 +-
net/netfilter/nf_conntrack_netlink.c | 7 +-
net/wireless/util.c | 14 +-
net/xfrm/xfrm_policy.c | 53 +-----
scripts/tags.sh | 1 +
security/commoncap.c | 7 +-
security/keys/keyctl.c | 4 +-
security/selinux/hooks.c | 5 +-
sound/pci/hda/hda_generic.c | 1 +
sound/pci/hda/patch_sigmatel.c | 2 +
sound/soc/soc-core.c | 5 +-
tools/perf/Documentation/perf-probe.txt | 8 +-
tools/perf/Documentation/perf-script-perl.txt | 2 +-
tools/perf/Documentation/perf-script-python.txt | 23 +--
.../util/scripting-engines/trace-event-python.c | 2 +-
.../testing/selftests/powerpc/tm/tm-resched-dscr.c | 2 +-
213 files changed, 1803 insertions(+), 791 deletions(-)

--
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit b9a985db98961ae1ba0be169f19df1c567e4ffe0 upstream.

The code can potentially sleep for an indefinite amount of time in
zap_pid_ns_processes triggering the hung task timeout, and increasing
the system average. This is undesirable. Sleep with a task state of
TASK_INTERRUPTIBLE instead of TASK_UNINTERRUPTIBLE to remove these
undesirable side effects.

Apparently under heavy load this has been allowing Chrome to trigger
the hung time task timeout error and cause ChromeOS to reboot.

Reported-by: Vovo Yang <vo...@google.com>
Reported-by: Guenter Roeck <li...@roeck-us.net>
Tested-by: Guenter Roeck <li...@roeck-us.net>
Fixes: 6347e9009104 ("pidns: guarantee that the pidns init will be the last pidns process reaped")
Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

kernel/pid_namespace.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/pid_namespace.c
+++ b/kernel/pid_namespace.c
@@ -234,7 +234,7 @@ void zap_pid_ns_processes(struct pid_nam
* Make sure they all go away, see free_pid().
*/
for (;;) {
- set_current_state(TASK_UNINTERRUPTIBLE);
+ set_current_state(TASK_INTERRUPTIBLE);
if (pid_ns->nr_hashed == init_pids)
break;
schedule();

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Cochran <richard...@gmail.com>

commit db9d8b29d19d2801793e4419f4c6272bf8951c62 upstream.

The function, skb_complete_tx_timestamp(), used to allow passing in a
NULL pointer for the time stamps, but that was changed in commit
62bccb8cdb69051b95a55ab0c489e3cab261c8ef ("net-timestamp: Make the
clone operation stand-alone from phy timestamping"), and the existing
call sites, all of which are in the dp83640 driver, were fixed up.

Even though the kernel-doc was subsequently updated in commit
7a76a021cd5a292be875fbc616daf03eab1e6996 ("net-timestamp: Update
skb_complete_tx_timestamp comment"), still a bug fix from Manfred
Rudigier came into the driver using the old semantics. Probably
Manfred derived that patch from an older kernel version.

This fix should be applied to the stable trees as well.

Fixes: 81e8f2e930fe ("net: dp83640: Fix tx timestamp overflow handling.")
Signed-off-by: Richard Cochran <richard...@gmail.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/net/phy/dp83640.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -802,7 +802,7 @@ static void decode_txts(struct dp83640_p
if (overflow) {
pr_debug("tx timestamp queue overflow, count %d\n", overflow);
while (skb) {
- skb_complete_tx_timestamp(skb, NULL);
+ kfree_skb(skb);
skb = skb_dequeue(&dp83640->tx_queue);
}
return;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ursula Braun <ubr...@linux.vnet.ibm.com>

commit 9111e7880ccf419548c7b0887df020b08eadb075 upstream.

When setting up the device from within the layer discipline's
probe routine, creating the layer-specific sysfs attributes can fail.
Report this error back to the caller, and handle it by
releasing the layer discipline.

Signed-off-by: Ursula Braun <ubr...@linux.vnet.ibm.com>
[jwi: updated commit msg, moved an OSN change to a subsequent patch]
Signed-off-by: Julian Wiedmann <j...@linux.vnet.ibm.com>

Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/s390/net/qeth_core_main.c | 4 +++-
drivers/s390/net/qeth_core_sys.c | 2 ++
drivers/s390/net/qeth_l2_main.c | 5 ++++-
drivers/s390/net/qeth_l3_main.c | 5 ++++-
4 files changed, 13 insertions(+), 3 deletions(-)

--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -5426,8 +5426,10 @@ static int qeth_core_set_online(struct c
if (rc)
goto err;
rc = card->discipline->setup(card->gdev);
- if (rc)
+ if (rc) {
+ qeth_core_free_discipline(card);
goto err;
+ }
}
rc = card->discipline->set_online(gdev);
err:
--- a/drivers/s390/net/qeth_core_sys.c
+++ b/drivers/s390/net/qeth_core_sys.c
@@ -459,6 +459,8 @@ static ssize_t qeth_dev_layer2_store(str
goto out;

rc = card->discipline->setup(card->gdev);
+ if (rc)
+ qeth_core_free_discipline(card);
out:
mutex_unlock(&card->discipline_mutex);
return rc ? rc : count;
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -890,8 +890,11 @@ static int qeth_l2_stop(struct net_devic
static int qeth_l2_probe_device(struct ccwgroup_device *gdev)
{
struct qeth_card *card = dev_get_drvdata(&gdev->dev);
+ int rc;

- qeth_l2_create_device_attributes(&gdev->dev);
+ rc = qeth_l2_create_device_attributes(&gdev->dev);
+ if (rc)
+ return rc;
INIT_LIST_HEAD(&card->vid_list);
INIT_LIST_HEAD(&card->mc_list);
card->options.layer2 = 1;
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3317,8 +3317,11 @@ static int qeth_l3_setup_netdev(struct q
static int qeth_l3_probe_device(struct ccwgroup_device *gdev)
{
struct qeth_card *card = dev_get_drvdata(&gdev->dev);
+ int rc;

- qeth_l3_create_device_attributes(&gdev->dev);
+ rc = qeth_l3_create_device_attributes(&gdev->dev);
+ if (rc)
+ return rc;
card->options.layer2 = 0;
card->info.hwtrap = 0;
return 0;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edum...@google.com>

commit f6ba8d33cfbb46df569972e64dbb5bb7e929bfd9 upstream.

I should have known that lowering skb->truesize was dangerous :/

In case packets are not leaving the host via a standard Ethernet device,
but looped back to local sockets, bad things can happen, as reported
by Michael Madsen ( https://bugzilla.kernel.org/show_bug.cgi?id=195713 )

So instead of tweaking skb->truesize, lets change skb->destructor
and keep a reference on the owner socket via its sk_refcnt.

Fixes: f2f872f9272a ("netem: Introduce skb_orphan_partial() helper")
Signed-off-by: Eric Dumazet <edum...@google.com>
Reported-by: Michael Madsen <m...@nabto.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

[bwh: Backported to 3.16: drop changes to the preceding comment and the
fast path, which we don't have]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1654,17 +1654,17 @@ EXPORT_SYMBOL(sock_wfree);

void skb_orphan_partial(struct sk_buff *skb)
{
- /* TCP stack sets skb->ooo_okay based on sk_wmem_alloc,
- * so we do not completely orphan skb, but transfert all
- * accounted bytes but one, to avoid unexpected reorders.
- */
if (skb->destructor == sock_wfree
#ifdef CONFIG_INET
|| skb->destructor == tcp_wfree
#endif
) {
- atomic_sub(skb->truesize - 1, &skb->sk->sk_wmem_alloc);
- skb->truesize = 1;
+ struct sock *sk = skb->sk;
+
+ if (atomic_inc_not_zero(&sk->sk_refcnt)) {
+ atomic_sub(skb->truesize, &sk->sk_wmem_alloc);
+ skb->destructor = sock_efree;
+ }
} else {
skb_orphan(skb);
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <vdr...@redhat.com>

commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.

The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
as an array index. This can lead to an out-of-bound access, kernel lockup and
DoS. Add a check for the 'dir' value.

This fixes CVE-2017-11600.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Reported-by: "bo Zhang" <zhangbo...@gmail.com>
Signed-off-by: Vladis Dronov <vdr...@redhat.com>
Signed-off-by: Steffen Klassert <steffen....@secunet.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/xfrm/xfrm_policy.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3123,9 +3123,15 @@ int xfrm_migrate(const struct xfrm_selec
struct xfrm_state *x_new[XFRM_MAX_DEPTH];
struct xfrm_migrate *mp;

+ /* Stage 0 - sanity checks */
if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
goto out;

+ if (dir >= XFRM_POLICY_MAX) {
+ err = -EINVAL;
+ goto out;
+ }
+
/* Stage 1 - find policy */
if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
err = -ENOENT;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kirill Tkhai <ktk...@virtuozzo.com>

commit 3fd37226216620c1a468afa999739d5016fbc349 upstream.

Imagine we have a pid namespace and a task from its parent's pid_ns,
which made setns() to the pid namespace. The task is doing fork(),
while the pid namespace's child reaper is dying. We have the race
between them:

Task from parent pid_ns Child reaper
copy_process() ..
alloc_pid() ..
.. zap_pid_ns_processes()
.. disable_pid_allocation()
.. read_lock(&tasklist_lock)
.. iterate over pids in pid_ns
.. kill tasks linked to pids
.. read_unlock(&tasklist_lock)
write_lock_irq(&tasklist_lock); ..
attach_pid(p, PIDTYPE_PID); ..
.. ..

So, just created task p won't receive SIGKILL signal,
and the pid namespace will be in contradictory state.
Only manual kill will help there, but does the userspace
care about this? I suppose, the most users just inject
a task into a pid namespace and wait a SIGCHLD from it.

The patch fixes the problem. It simply checks for
(pid_ns->nr_hashed & PIDNS_HASH_ADDING) in copy_process().
We do it under the tasklist_lock, and can't skip
PIDNS_HASH_ADDING as noted by Oleg:

"zap_pid_ns_processes() does disable_pid_allocation()
and then takes tasklist_lock to kill the whole namespace.
Given that copy_process() checks PIDNS_HASH_ADDING
under write_lock(tasklist) they can't race;
if copy_process() takes this lock first, the new child will
be killed, otherwise copy_process() can't miss
the change in ->nr_hashed."

If allocation is disabled, we just return -ENOMEM
like it's made for such cases in alloc_pid().

v2: Do not move disable_pid_allocation(), do not
introduce a new variable in copy_process() and simplify
the patch as suggested by Oleg Nesterov.
Account the problem with double irq enabling
found by Eric W. Biederman.

Fixes: c876ad768215 ("pidns: Stop pid allocation when init dies")
Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>
CC: Andrew Morton <ak...@linux-foundation.org>
CC: Ingo Molnar <mi...@kernel.org>
CC: Peter Zijlstra <pet...@infradead.org>
CC: Oleg Nesterov <ol...@redhat.com>
CC: Mike Rapoport <rp...@linux.vnet.ibm.com>
CC: Michal Hocko <mho...@suse.com>
CC: Andy Lutomirski <lu...@kernel.org>
CC: "Eric W. Biederman" <ebie...@xmission.com>
CC: Andrei Vagin <ava...@openvz.org>
CC: Cyrill Gorcunov <gorc...@openvz.org>
CC: Serge Hallyn <se...@hallyn.com>
Acked-by: Oleg Nesterov <ol...@redhat.com>

Signed-off-by: Eric W. Biederman <ebie...@xmission.com>

[bwh: Backported to 3.16: the proper cleanup label is bad_fork_free_pid, not
bad_fork_cancel_cgroup]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

kernel/fork.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1444,11 +1444,13 @@ static struct task_struct *copy_process(
*/
recalc_sigpending();
if (signal_pending(current)) {
- spin_unlock(&current->sighand->siglock);
- write_unlock_irq(&tasklist_lock);
retval = -ERESTARTNOINTR;
goto bad_fork_free_pid;
}
+ if (unlikely(!(ns_of_pid(pid)->nr_hashed & PIDNS_HASH_ADDING))) {
+ retval = -ENOMEM;
+ goto bad_fork_free_pid;
+ }

if (likely(p->pid)) {
ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
@@ -1500,6 +1502,8 @@ static struct task_struct *copy_process(
return p;

bad_fork_free_pid:
+ spin_unlock(&current->sighand->siglock);
+ write_unlock_irq(&tasklist_lock);
if (pid != &init_struct_pid)
free_pid(pid);
bad_fork_cleanup_io:

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Joe Thornber <e...@redhat.com>

commit 0377a07c7a035e0d033cd8b29f0cb15244c0916a upstream.

When decrementing the reference count for a block, the free count wasn't
being updated if the reference count went to zero.

Signed-off-by: Joe Thornber <e...@redhat.com>
Signed-off-by: Mike Snitzer <sni...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/md/persistent-data/dm-space-map-disk.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)

--- a/drivers/md/persistent-data/dm-space-map-disk.c
+++ b/drivers/md/persistent-data/dm-space-map-disk.c
@@ -140,10 +140,23 @@ static int sm_disk_inc_block(struct dm_s

static int sm_disk_dec_block(struct dm_space_map *sm, dm_block_t b)
{
+ int r;
+ uint32_t old_count;
enum allocation_event ev;
struct sm_disk *smd = container_of(sm, struct sm_disk, sm);

- return sm_ll_dec(&smd->ll, b, &ev);
+ r = sm_ll_dec(&smd->ll, b, &ev);
+ if (!r && (ev == SM_FREE)) {
+ /*
+ * It's only free if it's also free in the last
+ * transaction.
+ */
+ r = sm_ll_lookup(&smd->old_ll, b, &old_count);
+ if (!r && !old_count)
+ smd->nr_allocated_this_transaction--;
+ }
+
+ return r;
}

static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lyude <ly...@redhat.com>

commit 3d18e33735a02b1a90aecf14410bf3edbfd4d3dc upstream.

We end up reading the interrupt register for HPD5, and then writing it
to HPD6 which on systems without anything using HPD5 results in
permanently disabling hotplug on one of the display outputs after the
first time we acknowledge a hotplug interrupt from the GPU.

This code is really bad. But for now, let's just fix this. I will
hopefully have a large patch series to refactor all of this soon.

Reviewed-by: Christian König <christia...@amd.com>
Signed-off-by: Lyude <ly...@redhat.com>
Signed-off-by: Alex Deucher <alexande...@amd.com>
[bwh: Backported to 3.16: drop the DC_HPD6_RX_INTERRUPT cases]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/drivers/gpu/drm/radeon/cik.c
+++ b/drivers/gpu/drm/radeon/cik.c
@@ -7334,7 +7334,7 @@ static inline void cik_irq_ack(struct ra
WREG32(DC_HPD5_INT_CONTROL, tmp);
}
if (rdev->irq.stat_regs.cik.disp_int_cont5 & DC_HPD6_INTERRUPT) {
- tmp = RREG32(DC_HPD5_INT_CONTROL);
+ tmp = RREG32(DC_HPD6_INT_CONTROL);
tmp |= DC_HPDx_INT_ACK;
WREG32(DC_HPD6_INT_CONTROL, tmp);
}
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -4692,7 +4692,7 @@ static void evergreen_irq_ack(struct rad
WREG32(DC_HPD5_INT_CONTROL, tmp);
}
if (rdev->irq.stat_regs.evergreen.disp_int_cont5 & DC_HPD6_INTERRUPT) {
- tmp = RREG32(DC_HPD5_INT_CONTROL);
+ tmp = RREG32(DC_HPD6_INT_CONTROL);
tmp |= DC_HPDx_INT_ACK;
WREG32(DC_HPD6_INT_CONTROL, tmp);
}
--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -3725,7 +3725,7 @@ static void r600_irq_ack(struct radeon_d
WREG32(DC_HPD5_INT_CONTROL, tmp);
}
if (rdev->irq.stat_regs.r600.disp_int_cont2 & DC_HPD6_INTERRUPT) {
- tmp = RREG32(DC_HPD5_INT_CONTROL);
+ tmp = RREG32(DC_HPD6_INT_CONTROL);
tmp |= DC_HPDx_INT_ACK;
WREG32(DC_HPD6_INT_CONTROL, tmp);
}
--- a/drivers/gpu/drm/radeon/si.c
+++ b/drivers/gpu/drm/radeon/si.c
@@ -6071,7 +6071,7 @@ static inline void si_irq_ack(struct rad
WREG32(DC_HPD5_INT_CONTROL, tmp);
}
if (rdev->irq.stat_regs.evergreen.disp_int_cont5 & DC_HPD6_INTERRUPT) {
- tmp = RREG32(DC_HPD5_INT_CONTROL);
+ tmp = RREG32(DC_HPD6_INT_CONTROL);
tmp |= DC_HPDx_INT_ACK;
WREG32(DC_HPD6_INT_CONTROL, tmp);
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dominik Heidler <dhei...@suse.de>

commit 9b3dc0a17d7388c4fb83736ca45253a93e994ce4 upstream.

This fixes a counter problem on 32bit systems:
When the rx_bytes counter reached 2 GiB, it jumpd to (2^64 Bytes - 2GiB) Bytes.

rtnl_link_stats64 has __u64 type and atomic_long_read returns
atomic_long_t which is signed. Due to the conversation
we get an incorrect value on 32bit systems if the MSB of
the atomic_long_t value is set.

CC: Tom Parkin <tpa...@katalix.com>
Fixes: 7b7c0719cd7a ("l2tp: avoid deadlock in l2tp stats update")
Signed-off-by: Dominik Heidler <dhei...@suse.de>

Signed-off-by: David S. Miller <da...@davemloft.net>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/l2tp/l2tp_eth.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -111,12 +111,13 @@ static struct rtnl_link_stats64 *l2tp_et
{
struct l2tp_eth *priv = netdev_priv(dev);

- stats->tx_bytes = atomic_long_read(&priv->tx_bytes);
- stats->tx_packets = atomic_long_read(&priv->tx_packets);
- stats->tx_dropped = atomic_long_read(&priv->tx_dropped);
- stats->rx_bytes = atomic_long_read(&priv->rx_bytes);
- stats->rx_packets = atomic_long_read(&priv->rx_packets);
- stats->rx_errors = atomic_long_read(&priv->rx_errors);
+ stats->tx_bytes = (unsigned long) atomic_long_read(&priv->tx_bytes);
+ stats->tx_packets = (unsigned long) atomic_long_read(&priv->tx_packets);
+ stats->tx_dropped = (unsigned long) atomic_long_read(&priv->tx_dropped);
+ stats->rx_bytes = (unsigned long) atomic_long_read(&priv->rx_bytes);
+ stats->rx_packets = (unsigned long) atomic_long_read(&priv->rx_packets);
+ stats->rx_errors = (unsigned long) atomic_long_read(&priv->rx_errors);
+
return stats;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jisheng Zhang <jsz...@marvell.com>

commit aa1f058d7d9244423b8c5a75b9484b1115df7f02 upstream.

Fix below NULL pointer dereference. we set ci->roles[CI_ROLE_GADGET]
too early in ci_hdrc_gadget_init(), if udc_start() fails due to some
reason, the ci->roles[CI_ROLE_GADGET] check in ci_hdrc_gadget_destroy
can't protect us.

We fix this issue by only setting ci->roles[CI_ROLE_GADGET] if
udc_start() succeed.

[ 1.398550] Unable to handle kernel NULL pointer dereference at
virtual address 00000000
...
[ 1.448600] PC is at dma_pool_free+0xb8/0xf0
[ 1.453012] LR is at dma_pool_free+0x28/0xf0
[ 2.113369] [<ffffff80081817d8>] dma_pool_free+0xb8/0xf0
[ 2.118857] [<ffffff800841209c>] destroy_eps+0x4c/0x68
[ 2.124165] [<ffffff8008413770>] ci_hdrc_gadget_destroy+0x28/0x50
[ 2.130461] [<ffffff800840fa30>] ci_hdrc_probe+0x588/0x7e8
[ 2.136129] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
[ 2.142066] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
[ 2.148270] [<ffffff800837f68c>] __device_attach_driver+0x9c/0xf8
[ 2.154563] [<ffffff800837d570>] bus_for_each_drv+0x58/0x98
[ 2.160317] [<ffffff800837f174>] __device_attach+0xc4/0x138
[ 2.166072] [<ffffff800837f738>] device_initial_probe+0x10/0x18
[ 2.172185] [<ffffff800837e58c>] bus_probe_device+0x94/0xa0
[ 2.177940] [<ffffff800837c560>] device_add+0x3f0/0x560
[ 2.183337] [<ffffff8008380d20>] platform_device_add+0x180/0x240
[ 2.189541] [<ffffff800840f0e8>] ci_hdrc_add_device+0x440/0x4f8
[ 2.195654] [<ffffff8008414194>] ci_hdrc_usb2_probe+0x13c/0x2d8
[ 2.201769] [<ffffff8008380fb8>] platform_drv_probe+0x50/0xb8
[ 2.207705] [<ffffff800837f494>] driver_probe_device+0x1fc/0x2a8
[ 2.213910] [<ffffff800837f5ec>] __driver_attach+0xac/0xb0
[ 2.219575] [<ffffff800837d4b0>] bus_for_each_dev+0x60/0xa0
[ 2.225329] [<ffffff800837ec80>] driver_attach+0x20/0x28
[ 2.230816] [<ffffff800837e880>] bus_add_driver+0x1d0/0x238
[ 2.236571] [<ffffff800837fdb0>] driver_register+0x60/0xf8
[ 2.242237] [<ffffff8008380ef4>] __platform_driver_register+0x44/0x50
[ 2.248891] [<ffffff80086fd440>] ci_hdrc_usb2_driver_init+0x18/0x20
[ 2.255365] [<ffffff8008082950>] do_one_initcall+0x38/0x128
[ 2.261121] [<ffffff80086e0d00>] kernel_init_freeable+0x1ac/0x250
[ 2.267414] [<ffffff800852f0b8>] kernel_init+0x10/0x100
[ 2.272810] [<ffffff8008082680>] ret_from_fork+0x10/0x50

Fixes: 3f124d233e97 ("usb: chipidea: add role init and destroy APIs")
Signed-off-by: Jisheng Zhang <jsz...@marvell.com>
Signed-off-by: Peter Chen <peter...@nxp.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/chipidea/udc.c | 8 ++++++--

1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/chipidea/udc.c
+++ b/drivers/usb/chipidea/udc.c
@@ -1892,6 +1892,7 @@ static void udc_id_switch_for_host(struc
int ci_hdrc_gadget_init(struct ci_hdrc *ci)
{
struct ci_role_driver *rdrv;
+ int ret;

if (!hw_read(ci, CAP_DCCPARAMS, DCCPARAMS_DC))
return -ENXIO;
@@ -1904,7 +1905,10 @@ int ci_hdrc_gadget_init(struct ci_hdrc *
rdrv->stop = udc_id_switch_for_host;
rdrv->irq = udc_irq;
rdrv->name = "gadget";
- ci->roles[CI_ROLE_GADGET] = rdrv;

- return udc_start(ci);
+ ret = udc_start(ci);
+ if (!ret)
+ ci->roles[CI_ROLE_GADGET] = rdrv;
+
+ return ret;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit e747f64336fc15e1c823344942923195b800aa1e upstream.

The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We
added a new call to security_xfrm_state_alloc() which sets "err" to zero
so there several places where we can return ERR_PTR(0) if kmalloc()
fails. The caller is expecting error pointers so it leads to a NULL
dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Signed-off-by: Steffen Klassert <steffen....@secunet.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/key/af_key.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1156,6 +1156,7 @@ static struct xfrm_state * pfkey_msg2xfr
goto out;
}

+ err = -ENOBUFS;
key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
if (sa->sadb_sa_auth) {
int keysize = 0;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Ujfalusi <peter.u...@ti.com>

commit 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 upstream.

We have one register for each EP to set the maximum packet size for both
TX and RX.
If for example an RX programming would happen before the previous TX
transfer finishes we would reset the TX packet side.

To fix this issue, only modify the TX or RX part of the register.

Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
Signed-off-by: Peter Ujfalusi <peter.u...@ti.com>
Tested-by: Tony Lindgren <to...@atomide.com>
Signed-off-by: Bin Liu <b-...@ti.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/musb/tusb6010_omap.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/usb/musb/tusb6010_omap.c
+++ b/drivers/usb/musb/tusb6010_omap.c
@@ -220,6 +220,7 @@ static int tusb_omap_dma_program(struct
u32 dma_remaining;
int src_burst, dst_burst;
u16 csr;
+ u32 psize;
int ch;
s8 dmareq;
s8 sync_dev;
@@ -391,15 +392,19 @@ static int tusb_omap_dma_program(struct

if (chdat->tx) {
/* Send transfer_packet_sz packets at a time */
- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET,
- chdat->transfer_packet_sz);
+ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET);
+ psize &= ~0x7ff;
+ psize |= chdat->transfer_packet_sz;
+ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize);

musb_writel(ep_conf, TUSB_EP_TX_OFFSET,
TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len));
} else {
/* Receive transfer_packet_sz packets at a time */
- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET,
- chdat->transfer_packet_sz << 16);
+ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET);
+ psize &= ~(0x7ff << 16);
+ psize |= (chdat->transfer_packet_sz << 16);
+ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize);

musb_writel(ep_conf, TUSB_EP_RX_OFFSET,
TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len));

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: James Morse <james...@arm.com>

commit 7258ae5c5a2ce2f5969e8b18b881be40ab55433d upstream.

memory_failure() chooses a recovery action function based on the page
flags. For huge pages it uses the tail page flags which don't have
anything interesting set, resulting in:

> Memory failure: 0x9be3b4: Unknown page state
> Memory failure: 0x9be3b4: recovery action for unknown page: Failed

Instead, save a copy of the head page's flags if this is a huge page,
this means if there are no relevant flags for this tail page, we use the
head pages flags instead. This results in the me_huge_page() recovery
action being called:

> Memory failure: 0x9b7969: recovery action for huge page: Delayed

For hugepages that have not yet been allocated, this allows the hugepage
to be dequeued.

Fixes: 524fca1e7356 ("HWPOISON: fix misjudgement of page_action() for errors on mlocked pages")
Link: http://lkml.kernel.org/r/20170524130204.21...@arm.com
Signed-off-by: James Morse <james...@arm.com>
Tested-by: Punit Agrawal <punit....@arm.com>
Acked-by: Punit Agrawal <punit....@arm.com>
Acked-by: Naoya Horiguchi <n-hor...@ah.jp.nec.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

mm/memory-failure.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1179,7 +1179,10 @@ int memory_failure(unsigned long pfn, in
* page_remove_rmap() in try_to_unmap_one(). So to determine page status
* correctly, we save a copy of the page flags at this time.
*/
- page_flags = p->flags;
+ if (PageHuge(p))
+ page_flags = hpage->flags;
+ else
+ page_flags = p->flags;

/*
* unpoison always clear PG_hwpoison inside page lock

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit 293dffaad8d500e1a5336eeb90d544cf40d4fbd8 upstream.

If there is not enough space then ceph_decode_32_safe() does a goto bad.
We need to return an error code in that situation. The current code
returns ERR_PTR(0) which is NULL. The callers are not expecting that
and it results in a NULL dereference.

Fixes: f24e9980eb86 ("ceph: OSD client")
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Reviewed-by: Ilya Dryomov <idry...@gmail.com>
Signed-off-by: Ilya Dryomov <idry...@gmail.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/ceph/osdmap.c | 1 +

1 file changed, 1 insertion(+)

--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -270,6 +270,7 @@ static struct crush_map *crush_decode(vo
u32 yes;
struct crush_rule *r;

+ err = -EINVAL;
ceph_decode_32_safe(p, end, yes, bad);
if (!yes) {
dout("crush_decode NO rule %d off %x %p to %p\n",

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Serhey Popovych <serhe.p...@gmail.com>

commit db833d40ad3263b2ee3b59a1ba168bb3cfed8137 upstream.

Network interface groups support added while ago, however
there is no IFLA_GROUP attribute description in policy
and netlink message size calculations until now.

Add IFLA_GROUP attribute to the policy.

Fixes: cbda10fa97d7 ("net_device: add support for network device groups")
Signed-off-by: Serhey Popovych <serhe.p...@gmail.com>

Signed-off-by: David S. Miller <da...@davemloft.net>
[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/core/rtnetlink.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -859,6 +859,7 @@ static noinline size_t if_nlmsg_size(con
+ nla_total_size(1) /* IFLA_OPERSTATE */
+ nla_total_size(1) /* IFLA_LINKMODE */
+ nla_total_size(4) /* IFLA_CARRIER_CHANGES */
+ + nla_total_size(4) /* IFLA_GROUP */
+ nla_total_size(ext_filter_mask
& RTEXT_FILTER_VF ? 4 : 0) /* IFLA_NUM_VF */
+ rtnl_vfinfo_size(dev, ext_filter_mask) /* IFLA_VFINFO_LIST */
@@ -1197,6 +1198,7 @@ static const struct nla_policy ifla_poli
[IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 },
[IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_PORT_ID_LEN },
[IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */
+ [IFLA_GROUP] = { .type = NLA_U32 },
};

static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Suzuki K Poulose <suzuki....@arm.com>

commit 6c0d706b563af732adb094c5bf807437e8963e84 upstream.

In kvm_free_stage2_pgd() we check the stage2 PGD before holding
the lock and proceed to take the lock if it is valid. And we unmap
the page tables, followed by releasing the lock. We reset the PGD
only after dropping this lock, which could cause a race condition
where another thread waiting on or even holding the lock, could
potentially see that the PGD is still valid and proceed to perform
a stage2 operation and later encounter a NULL PGD.

[223090.242280] Unable to handle kernel NULL pointer dereference at
virtual address 00000040
[223090.262330] PC is at unmap_stage2_range+0x8c/0x428
[223090.262332] LR is at kvm_unmap_hva_handler+0x2c/0x3c
[223090.262531] Call trace:
[223090.262533] [<ffff0000080adb78>] unmap_stage2_range+0x8c/0x428
[223090.262535] [<ffff0000080adf40>] kvm_unmap_hva_handler+0x2c/0x3c
[223090.262537] [<ffff0000080ace2c>] handle_hva_to_gpa+0xb0/0x104
[223090.262539] [<ffff0000080af988>] kvm_unmap_hva+0x5c/0xbc
[223090.262543] [<ffff0000080a2478>]
kvm_mmu_notifier_invalidate_page+0x50/0x8c
[223090.262547] [<ffff0000082274f8>]
__mmu_notifier_invalidate_page+0x5c/0x84
[223090.262551] [<ffff00000820b700>] try_to_unmap_one+0x1d0/0x4a0
[223090.262553] [<ffff00000820c5c8>] rmap_walk+0x1cc/0x2e0
[223090.262555] [<ffff00000820c90c>] try_to_unmap+0x74/0xa4
[223090.262557] [<ffff000008230ce4>] migrate_pages+0x31c/0x5ac
[223090.262561] [<ffff0000081f869c>] compact_zone+0x3fc/0x7ac
[223090.262563] [<ffff0000081f8ae0>] compact_zone_order+0x94/0xb0
[223090.262564] [<ffff0000081f91c0>] try_to_compact_pages+0x108/0x290
[223090.262569] [<ffff0000081d5108>] __alloc_pages_direct_compact+0x70/0x1ac
[223090.262571] [<ffff0000081d64a0>] __alloc_pages_nodemask+0x434/0x9f4
[223090.262572] [<ffff0000082256f0>] alloc_pages_vma+0x230/0x254
[223090.262574] [<ffff000008235e5c>] do_huge_pmd_anonymous_page+0x114/0x538
[223090.262576] [<ffff000008201bec>] handle_mm_fault+0xd40/0x17a4
[223090.262577] [<ffff0000081fb324>] __get_user_pages+0x12c/0x36c
[223090.262578] [<ffff0000081fb804>] get_user_pages_unlocked+0xa4/0x1b8
[223090.262579] [<ffff0000080a3ce8>] __gfn_to_pfn_memslot+0x280/0x31c
[223090.262580] [<ffff0000080a3dd0>] gfn_to_pfn_prot+0x4c/0x5c
[223090.262582] [<ffff0000080af3f8>] kvm_handle_guest_abort+0x240/0x774
[223090.262584] [<ffff0000080b2bac>] handle_exit+0x11c/0x1ac
[223090.262586] [<ffff0000080ab99c>] kvm_arch_vcpu_ioctl_run+0x31c/0x648
[223090.262587] [<ffff0000080a1d78>] kvm_vcpu_ioctl+0x378/0x768
[223090.262590] [<ffff00000825df5c>] do_vfs_ioctl+0x324/0x5a4
[223090.262591] [<ffff00000825e26c>] SyS_ioctl+0x90/0xa4
[223090.262595] [<ffff000008085d84>] el0_svc_naked+0x38/0x3c

This patch moves the stage2 PGD manipulation under the lock.

Reported-by: Alexander Graf <ag...@suse.de>
Cc: Mark Rutland <mark.r...@arm.com>
Cc: Marc Zyngier <marc.z...@arm.com>
Cc: Paolo Bonzini <pbon...@redhat.com>
Cc: Radim Krčmář <rkr...@redhat.com>
Reviewed-by: Christoffer Dall <cd...@linaro.org>
Reviewed-by: Marc Zyngier <marc.z...@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki....@arm.com>
Signed-off-by: Christoffer Dall <cd...@linaro.org>
[bwh: Backported to 3.16: adjust filename, context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/arm/kvm/mmu.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -635,21 +635,21 @@ void stage2_unmap_vm(struct kvm *kvm)
* Walks the level-1 page table pointed to by kvm->arch.pgd and frees all
* underlying level-2 and level-3 tables before freeing the actual level-1 table
* and setting the struct pointer to NULL.
- *
- * Note we don't need locking here as this is only called when the VM is
- * destroyed, which can only be done once.
*/
void kvm_free_stage2_pgd(struct kvm *kvm)
{
- if (kvm->arch.pgd == NULL)
- return;
+ void *pgd = NULL;

spin_lock(&kvm->mmu_lock);
- unmap_stage2_range(kvm, 0, KVM_PHYS_SIZE);
+ if (kvm->arch.pgd) {
+ unmap_stage2_range(kvm, 0, KVM_PHYS_SIZE);
+ pgd = kvm->arch.pgd;
+ kvm->arch.pgd = NULL;
+ }
spin_unlock(&kvm->mmu_lock);

- free_pages((unsigned long)kvm->arch.pgd, S2_PGD_ORDER);
- kvm->arch.pgd = NULL;
+ if (pgd)
+ free_pages((unsigned long)pgd, S2_PGD_ORDER);
}

static pmd_t *stage2_get_pmd(struct kvm *kvm, struct kvm_mmu_memory_cache *cache,

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebig...@google.com>

commit 5649645d725c73df4302428ee4e02c869248b4c5 upstream.

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a
NULL payload with nonzero length to be passed to the key type's
->preparse(), ->instantiate(), and/or ->update() methods. Various key
types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did
not handle this case, allowing an unprivileged user to trivially cause a
NULL pointer dereference (kernel oops) if one of these key types was
present. Fix it by doing the copy_from_user() when 'plen' is nonzero
rather than when '_payload' is non-NULL, causing the syscall to fail
with EFAULT as expected when an invalid buffer is specified.

Signed-off-by: Eric Biggers <ebig...@google.com>
Signed-off-by: David Howells <dhow...@redhat.com>
Signed-off-by: James Morris <james.l...@oracle.com>
[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

security/keys/keyctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -97,7 +97,7 @@ SYSCALL_DEFINE5(add_key, const char __us
payload = NULL;

vm = false;
- if (_payload) {
+ if (plen) {
ret = -ENOMEM;
payload = kmalloc(plen, GFP_KERNEL | __GFP_NOWARN);
if (!payload) {
@@ -331,7 +331,7 @@ long keyctl_update_key(key_serial_t id,

/* pull the payload in if one was supplied */
payload = NULL;
- if (_payload) {
+ if (plen) {
ret = -ENOMEM;
payload = kmalloc(plen, GFP_KERNEL);
if (!payload)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Benjamin Peterson <b...@benjamin.pe>

commit c9525a3fab63fbe091007494f8b7a06438eea6a7 upstream.

Signed-off-by: Benjamin Peterson <b...@benjamin.pe>
Acked-by: Thomas Gleixner <tg...@linutronix.de>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Fixes: 9919cba7ff71147803c988521cc1ceb80e7f0f6d ("watchdog: Update documentation")
Link: http://lkml.kernel.org/r/201705210020...@benjamin.pe
Signed-off-by: Ingo Molnar <mi...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/x86/Kconfig | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -304,7 +304,7 @@ config SMP
Management" code will be disabled if you say Y here.

See also <file:Documentation/x86/i386/IO-APIC.txt>,
- <file:Documentation/nmi_watchdog.txt> and the SMP-HOWTO available at
+ <file:Documentation/lockup-watchdogs.txt> and the SMP-HOWTO available at
<http://www.tldp.org/docs.html#howto>.

If you don't know what to do here, say N.

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <je...@suse.com>

commit 896533a7da929136d0432713f02a3edffece2826 upstream.

If we fail to add the space_info kobject, we'll leak the memory
for the percpu counter.

Fixes: 6ab0a2029c (btrfs: publish allocation data in sysfs)
Signed-off-by: Jeff Mahoney <je...@suse.com>
Reviewed-by: Liu Bo <bo.l...@oracle.com>
Signed-off-by: David Sterba <dst...@suse.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/btrfs/extent-tree.c | 1 +

1 file changed, 1 insertion(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -3526,6 +3526,7 @@ static int update_space_info(struct btrf
info->space_info_kobj, "%s",
alloc_name(found->flags));
if (ret) {
+ percpu_counter_destroy(&found->total_bytes_pinned);
kfree(found);
return ret;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.z...@arm.com>

commit 78fd6dcf11468a5a131b8365580d0c613bcc02cb upstream.

We currently have the SCTLR_EL2.A bit set, trapping unaligned accesses
at EL2, but we're not really prepared to deal with it. So far, this
has been unnoticed, until GCC 7 started emitting those (in particular
64bit writes on a 32bit boundary).

Since the rest of the kernel is pretty happy about that, let's follow
its example and set SCTLR_EL2.A to zero. Modern CPUs don't really
care.

Reported-by: Alexander Graf <ag...@suse.de>
Signed-off-by: Marc Zyngier <marc.z...@arm.com>
Signed-off-by: Christoffer Dall <cd...@linaro.org>
[bwh: Backported to 3.16: s/ELx/EL2/]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/arm64/kvm/hyp-init.S | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/arm64/kvm/hyp-init.S
+++ b/arch/arm64/kvm/hyp-init.S
@@ -86,9 +86,10 @@ __do_hyp_init:

/*
* Preserve all the RES1 bits while setting the default flags,
- * as well as the EE bit on BE.
+ * as well as the EE bit on BE. Drop the A flag since the compiler
+ * is allowed to generate unaligned accesses.
*/
- ldr x4, =(SCTLR_EL2_RES1 | SCTLR_EL2_FLAGS)
+ ldr x4, =(SCTLR_EL2_RES1 | (SCTLR_EL2_FLAGS & ~SCTLR_EL2_A))
CPU_BE( orr x4, x4, #SCTLR_EL2_EE)
msr sctlr_el2, x4
isb

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj38...@gmail.com>

commit d89269a89ebb6a74512f3f40e89cd12017f60a75 upstream.

An example in perf-probe documentation for pattern of function name
based probe addition is not providing example command for that case.

This commit fixes the example to give appropriate example command.

Signed-off-by: SeongJae Park <sj38...@gmail.com>
Acked-by: Masami Hiramatsu <mhir...@kernel.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Taeung Song <treeze...@gmail.com>
Fixes: ee391de876ae ("perf probe: Update perf probe document")
Link: http://lkml.kernel.org/r/20170507103642.3...@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

tools/perf/Documentation/perf-probe.txt | 8 ++++++--

1 file changed, 6 insertions(+), 2 deletions(-)

--- a/tools/perf/Documentation/perf-probe.txt
+++ b/tools/perf/Documentation/perf-probe.txt
@@ -182,9 +182,13 @@ Add a probe on schedule() function 12th
or
./perf probe --add='schedule:12 cpu'

- this will add one or more probes which has the name start with "schedule".
+Add one or more probes which has the name start with "schedule".

- Add probes on lines in schedule() function which calls update_rq_clock().
+ ./perf probe schedule*
+ or
+ ./perf probe --add='schedule*'
+
+Add probes on lines in schedule() function which calls update_rq_clock().

./perf probe 'schedule;update_rq_clock*'
or

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tg...@linutronix.de>

commit f4781e76f90df7aec400635d73ea4c35ee1d4765 upstream.

Andrey reported a alartimer related RCU stall while fuzzing the kernel with
syzkaller.

The reason for this is an overflow in ktime_add() which brings the
resulting time into negative space and causes immediate expiry of the
timer. The following rearm with a small interval does not bring the timer
back into positive space due to the same issue.

This results in a permanent firing alarmtimer which hogs the CPU.

Use ktime_add_safe() instead which detects the overflow and clamps the
result to KTIME_SEC_MAX.

Reported-by: Andrey Konovalov <andre...@google.com>
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Kostya Serebryany <k...@google.com>
Cc: syzkaller <syzk...@googlegroups.com>
Cc: John Stultz <john....@linaro.org>
Cc: Dmitry Vyukov <dvy...@google.com>
Link: http://lkml.kernel.org/r/201705302116...@linutronix.de

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

kernel/time/alarmtimer.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/kernel/time/alarmtimer.c
+++ b/kernel/time/alarmtimer.c
@@ -342,7 +342,7 @@ int alarm_start_relative(struct alarm *a
{
struct alarm_base *base = &alarm_bases[alarm->type];

- start = ktime_add(start, base->gettime());
+ start = ktime_add_safe(start, base->gettime());
return alarm_start(alarm, start);
}
EXPORT_SYMBOL_GPL(alarm_start_relative);
@@ -428,7 +428,7 @@ u64 alarm_forward(struct alarm *alarm, k
overrun++;
}

- alarm->node.expires = ktime_add(alarm->node.expires, interval);
+ alarm->node.expires = ktime_add_safe(alarm->node.expires, interval);
return overrun;
}
EXPORT_SYMBOL_GPL(alarm_forward);
@@ -620,7 +620,7 @@ static int alarm_timer_set(struct k_itim
ktime_t now;

now = alarm_bases[timr->it.alarm.alarmtimer.type].gettime();
- exp = ktime_add(now, exp);
+ exp = ktime_add_safe(now, exp);
}

alarm_start(&timr->it.alarm.alarmtimer, exp);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steinar H. Gunderson" <sgund...@bigfoot.com>

commit 4973ca9a01e2354b159acedec1b9b8eb8de02ab7 upstream.

The Akai MIDImix (09e8:0031) is a MIDI fader controller that speaks
regular MIDI and works well with Linux. However, initialization gets
delayed due to reports timeout:

[3643645.631124] hid-generic 0003:09E8:0031.0020: timeout initializing reports
[3643645.632416] hid-generic 0003:09E8:0031.0020: hiddev0: USB HID v1.11 Device [AKAI MIDI Mix] on usb-0000:00:14.0-2/input0

Adding "usbhid.quirks=0x09e8:0x0031:0x20000000" on the kernel
command line makes the issues go away.

Signed-off-by: Steinar H. Gunderson <sgund...@bigfoot.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 3 +++
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 4 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -64,6 +64,9 @@
#define USB_VENDOR_ID_AKAI 0x2011
#define USB_DEVICE_ID_AKAI_MPKMINI2 0x0715

+#define USB_VENDOR_ID_AKAI_09E8 0x09E8
+#define USB_DEVICE_ID_AKAI_09E8_MIDIMIX 0x0031
+
#define USB_VENDOR_ID_ALCOR 0x058f
#define USB_DEVICE_ID_ALCOR_USBRS232 0x9720

--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -56,6 +56,7 @@ static const struct hid_blacklist {

{ USB_VENDOR_ID_AIREN, USB_DEVICE_ID_AIREN_SLIMPLUS, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_AKAI, USB_DEVICE_ID_AKAI_MPKMINI2, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_AKAI_09E8, USB_DEVICE_ID_AKAI_09E8_MIDIMIX, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_UC100KM, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS124U, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_2PORTKVM, HID_QUIRK_NOGET },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Drake <dr...@endlessm.com>

commit 817ae460c784f32cd45e60b2b1b21378c3c6a847 upstream.

Without this quirk, the touchpad is not responsive on this product, with
the following message repeated in the logs:

psmouse serio1: bad data from KBC - timeout

Add it to the notimeout list alongside other similar Fujitsu laptops.

Signed-off-by: Daniel Drake <dr...@endlessm.com>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -687,6 +687,13 @@ static const struct dmi_system_id __init
DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK U574"),
},
},
+ {
+ /* Fujitsu UH554 laptop */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK UH544"),
+ },
+ },
{ }
};

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Heiner Kallweit <hkall...@gmail.com>

commit fa07ab72cbb0d843429e61bf179308aed6cbe0dd upstream.

In case __irq_set_trigger() fails the resources requested via
irq_request_resources() are not released.

Add the missing release call into the error handling path.

Fixes: c1bacbae8192 ("genirq: Provide irq_request/release_resources chip callbacks")
Signed-off-by: Heiner Kallweit <hkall...@gmail.com>
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Link: http://lkml.kernel.org/r/655538f5-cb20-a892...@gmail.com

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

kernel/irq/manage.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -1174,8 +1174,10 @@ __setup_irq(unsigned int irq, struct irq
ret = __irq_set_trigger(desc, irq,
new->flags & IRQF_TRIGGER_MASK);

- if (ret)
+ if (ret) {
+ irq_release_resources(desc);
goto out_mask;
+ }
}

desc->istate &= ~(IRQS_AUTODETECT | IRQS_SPURIOUS_DISABLED | \

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christoph...@wanadoo.fr>

commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 upstream.

We should ensure that 'plane_no' is '< vb->num_planes' as done in
'vb2_plane_cookie' just a few lines below.

Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")

Signed-off-by: Christophe JAILLET <christoph...@wanadoo.fr>
Reviewed-by: Sakari Ailus <sakari...@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.v...@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/media/v4l2-core/videobuf2-core.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -1107,7 +1107,7 @@ EXPORT_SYMBOL_GPL(vb2_create_bufs);
*/
void *vb2_plane_vaddr(struct vb2_buffer *vb, unsigned int plane_no)
{
- if (plane_no > vb->num_planes || !vb->planes[plane_no].mem_priv)
+ if (plane_no >= vb->num_planes || !vb->planes[plane_no].mem_priv)
return NULL;

return call_ptr_memop(vb, vaddr, vb->planes[plane_no].mem_priv);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Paul E. McKenney" <pau...@linux.vnet.ibm.com>

commit 49f5903b473c5f63f3b57856d1bd4593db0a2eef upstream.

Currently, __srcu_read_lock() cannot be invoked from restricted
environments because it contains calls to preempt_disable() and
preempt_enable(), both of which can invoke lockdep, which is a bad
idea in some restricted execution modes. This commit therefore moves
the preempt_disable() and preempt_enable() from __srcu_read_lock()
to srcu_read_lock(). It also inserts the preempt_disable() and
preempt_enable() around the call to __srcu_read_lock() in do_exit().

Signed-off-by: Paul E. McKenney <pau...@linux.vnet.ibm.com>
Reviewed-by: Josh Triplett <jo...@joshtriplett.org>
[bwh: Backported to 3.16:
- Drop changes in do_exit()
- Adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/include/linux/srcu.h
+++ b/include/linux/srcu.h
@@ -217,8 +217,11 @@ static inline int srcu_read_lock_held(st
*/
static inline int srcu_read_lock(struct srcu_struct *sp) __acquires(sp)
{
- int retval = __srcu_read_lock(sp);
+ int retval;

+ preempt_disable();
+ retval = __srcu_read_lock(sp);
+ preempt_enable();
rcu_lock_acquire(&(sp)->dep_map);
return retval;
}
--- a/kernel/rcu/srcu.c
+++ b/kernel/rcu/srcu.c
@@ -297,11 +297,9 @@ int __srcu_read_lock(struct srcu_struct
int idx;

idx = ACCESS_ONCE(sp->completed) & 0x1;
- preempt_disable();
ACCESS_ONCE(this_cpu_ptr(sp->per_cpu_ref)->c[idx]) += 1;
smp_mb(); /* B */ /* Avoid leaking the critical section. */
ACCESS_ONCE(this_cpu_ptr(sp->per_cpu_ref)->seq[idx]) += 1;
- preempt_enable();
return idx;
}
EXPORT_SYMBOL_GPL(__srcu_read_lock);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tg...@linutronix.de>

commit 478fe3037b2278d276d4cd9cd0ab06c4cb2e9b32 upstream.

memcg_propagate_slab_attrs() abuses the sysfs attribute file functions
to propagate settings from the root kmem_cache to a newly created
kmem_cache. It does that with:

attr->show(root, buf);
attr->store(new, buf, strlen(bug);

Aside of being a lazy and absurd hackery this is broken because it does
not check the return value of the show() function.

Some of the show() functions return 0 w/o touching the buffer. That
means in such a case the store function is called with the stale content
of the previous show(). That causes nonsense like invoking
kmem_cache_shrink() on a newly created kmem_cache. In the worst case it
would cause handing in an uninitialized buffer.

This should be rewritten proper by adding a propagate() callback to
those slub_attributes which must be propagated and avoid that insane
conversion to and from ASCII, but that's too large for a hot fix.

Check at least the return value of the show() function, so calling
store() with stale content is prevented.

Steven said:
"It can cause a deadlock with get_online_cpus() that has been uncovered
by recent cpu hotplug and lockdep changes that Thomas and Peter have
been doing.

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(cpu_hotplug.lock);
lock(slab_mutex);
lock(cpu_hotplug.lock);
lock(slab_mutex);

*** DEADLOCK ***"

Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1705201244540.2255@nanos
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Reported-by: Steven Rostedt <ros...@goodmis.org>
Acked-by: David Rientjes <rien...@google.com>
Cc: Johannes Weiner <han...@cmpxchg.org>
Cc: Michal Hocko <mho...@kernel.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Christoph Lameter <c...@linux.com>
Cc: Pekka Enberg <pen...@kernel.org>
Cc: Joonsoo Kim <iamjoon...@lge.com>
Cc: Christoph Hellwig <h...@infradead.org>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

mm/slub.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5066,6 +5066,7 @@ static void memcg_propagate_slab_attrs(s
char mbuf[64];
char *buf;
struct slab_attribute *attr = to_slab_attr(slab_attrs[i]);
+ ssize_t len;

if (!attr || !attr->store || !attr->show)
continue;
@@ -5090,8 +5091,9 @@ static void memcg_propagate_slab_attrs(s
buf = buffer;
}

- attr->show(root_cache, buf);
- attr->store(s, buf, strlen(buf));
+ len = attr->show(root_cache, buf);
+ if (len > 0)
+ attr->store(s, buf, len);
}

if (buffer)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <vi...@zeniv.linux.org.uk>

commit 414cf7186dbec29bd946c138d6b5c09da5955a08 upstream.

Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/ufs/util.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/fs/ufs/util.h
+++ b/fs/ufs/util.h
@@ -473,15 +473,19 @@ static inline unsigned _ubh_find_last_ze
static inline int _ubh_isblockset_(struct ufs_sb_private_info * uspi,
struct ufs_buffer_head * ubh, unsigned begin, unsigned block)
{
+ u8 mask;
switch (uspi->s_fpb) {
case 8:
return (*ubh_get_addr (ubh, begin + block) == 0xff);
case 4:
- return (*ubh_get_addr (ubh, begin + (block >> 1)) == (0x0f << ((block & 0x01) << 2)));
+ mask = 0x0f << ((block & 0x01) << 2);
+ return (*ubh_get_addr (ubh, begin + (block >> 1)) & mask) == mask;
case 2:
- return (*ubh_get_addr (ubh, begin + (block >> 2)) == (0x03 << ((block & 0x03) << 1)));
+ mask = 0x03 << ((block & 0x03) << 1);
+ return (*ubh_get_addr (ubh, begin + (block >> 2)) & mask) == mask;
case 1:
- return (*ubh_get_addr (ubh, begin + (block >> 3)) == (0x01 << (block & 0x07)));
+ mask = 0x01 << (block & 0x07);
+ return (*ubh_get_addr (ubh, begin + (block >> 3)) & mask) == mask;
}
return 0;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oleg Drokin <gr...@linuxhacker.ru>

commit 0a33252e060e97ed3fbdcec9517672f1e91aaef3 upstream.

lov_getstripe() calls set_fs(KERNEL_DS) so that it can handle a struct
lov_user_md pointer from user- or kernel-space. This changes the
behavior of copy_from_user() on SPARC and may result in a misaligned
access exception which in turn oopses the kernel. In fact the
relevant argument to lov_getstripe() is never called with a
kernel-space pointer and so changing the address limits is unnecessary
and so we remove the calls to save, set, and restore the address
limits.

Signed-off-by: John L. Hammond <john.h...@intel.com>
Reviewed-on: http://review.whamcloud.com/6150
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3221
Reviewed-by: Andreas Dilger <andreas...@intel.com>
Reviewed-by: Li Wei <wei....@intel.com>
Signed-off-by: Oleg Drokin <gr...@linuxhacker.ru>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/staging/lustre/lustre/lov/lov_pack.c | 9 ---------
1 file changed, 9 deletions(-)

--- a/drivers/staging/lustre/lustre/lov/lov_pack.c
+++ b/drivers/staging/lustre/lustre/lov/lov_pack.c
@@ -592,18 +592,10 @@ int lov_getstripe(struct obd_export *exp
struct lov_mds_md *lmmk = NULL;
int rc, lmm_size;
int lum_size;
- mm_segment_t seg;

if (!lsm)
return -ENODATA;

- /*
- * "Switch to kernel segment" to allow copying from kernel space by
- * copy_{to,from}_user().
- */
- seg = get_fs();
- set_fs(KERNEL_DS);
-
/* we only need the header part from user space to get lmm_magic and
* lmm_stripe_count, (the header part is common to v1 and v3) */
lum_size = sizeof(struct lov_user_md_v1);
@@ -672,6 +664,5 @@ int lov_getstripe(struct obd_export *exp

obd_free_diskmd(exp, &lmmk);
out_set:
- set_fs(seg);
return rc;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Jason A. Donenfeld" <Ja...@zx2c4.com>

commit 98c67d187db7808b1f3c95f2110dd4392d034182 upstream.

Otherwise, we enable all sorts of forgeries via timing attack.

Signed-off-by: Jason A. Donenfeld <Ja...@zx2c4.com>
Cc: Johannes Berg <joha...@sipsolutions.net>
Cc: linux-w...@vger.kernel.org
Signed-off-by: Johannes Berg <johann...@intel.com>
[bwh: Backported to 3.16: drop changes in
ieee80211_crypto_aes_{cmac_256,mac}_decrypt()]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/mac80211/wpa.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -16,6 +16,7 @@
#include <asm/unaligned.h>
#include <net/mac80211.h>
#include <crypto/aes.h>
+#include <crypto/algapi.h>

#include "ieee80211_i.h"
#include "michael.h"
@@ -147,7 +148,7 @@ ieee80211_rx_h_michael_mic_verify(struct
data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
michael_mic(key, hdr, data, data_len, mic);
- if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
+ if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))
goto mic_fail;

/* remove Michael MIC from payload */
@@ -768,7 +769,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct
bip_aad(skb, aad);
ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
skb->data + 24, skb->len - 24, mic);
- if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
+ if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
key->u.aes_cmac.icverrors++;
return RX_DROP_UNUSABLE;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Bristot de Oliveira <bri...@redhat.com>

commit c14022bfd2eb2d2ece74a405dfbdb02a829c07bc upstream.

The device which identifies itself as a "USB Keykoard" (no typo)
with VID:PID 1a2c:0027 does not seem to be handling the reports
initialization very well.

This results in a "usb_submit_urb(ctrl) failed: -1" message from the
kernel when connected, and a delay before its initialization. It can
also cause the hang the system.

This patch adds the quirk for this device, which causes the delay
to disappear. It is named as "USB Keykoard2" because the "USB Keykoard"
already exists.

Signed-off-by: Daniel Bristot de Oliveira <bri...@redhat.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 1 +
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -811,6 +811,7 @@

#define USB_VENDOR_ID_SEMICO 0x1a2c
#define USB_DEVICE_ID_SEMICO_USB_KEYKOARD 0x0023
+#define USB_DEVICE_ID_SEMICO_USB_KEYKOARD2 0x0027

#define USB_VENDOR_ID_SENNHEISER 0x1395
#define USB_DEVICE_ID_SENNHEISER_BTD500USB 0x002c
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -143,6 +143,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_PENSKETCH_M912, HID_QUIRK_MULTI_INPUT },
{ USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_DUOSENSE, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD2, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS1, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_LTS2, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_HD, HID_QUIRK_NO_INIT_REPORTS },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Thumshirn <jthum...@suse.de>

commit ddff7ed45edce4a4c92949d3c61cd25d229c4a14 upstream.

When pci_enable_device() or pci_enable_device_mem() fail in
qla2x00_probe_one() we bail out but do a call to
pci_disable_device(). This causes the dev_WARN_ON() in
pci_disable_device() to trigger, as the device wasn't enabled
previously.

So instead of taking the 'probe_out' error path we can directly return
*iff* one of the pci_enable_device() calls fails.

Additionally rename the 'probe_out' goto label's name to the more
descriptive 'disable_device'.

Signed-off-by: Johannes Thumshirn <jthum...@suse.de>
Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
Reviewed-by: Bart Van Assche <bart.va...@sandisk.com>
Reviewed-by: Giridhar Malavali <giridhar...@cavium.com>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/scsi/qla2xxx/qla_os.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -2362,10 +2362,10 @@ qla2x00_probe_one(struct pci_dev *pdev,

if (mem_only) {
if (pci_enable_device_mem(pdev))
- goto probe_out;
+ return ret;
} else {
if (pci_enable_device(pdev))
- goto probe_out;
+ return ret;
}

/* This may fail but that's ok */
@@ -2375,7 +2375,7 @@ qla2x00_probe_one(struct pci_dev *pdev,
if (!ha) {
ql_log_pci(ql_log_fatal, pdev, 0x0009,
"Unable to allocate memory for ha.\n");
- goto probe_out;
+ goto disable_device;
}
ql_dbg_pci(ql_dbg_init, pdev, 0x000a,
"Memory allocated for ha=%p.\n", ha);
@@ -2972,7 +2972,7 @@ iospace_config_failed:
kfree(ha);
ha = NULL;

-probe_out:
+disable_device:
pci_disable_device(pdev);
return ret;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Radim Krčmář <rkr...@redhat.com>

commit f0367ee1d64d27fa08be2407df5c125442e885e3 upstream.

Static checker noticed that base3 could be used uninitialized if the
segment was not present (useable). Random stack values probably would
not pass VMCS entry checks.

Reported-by: Dan Carpenter <dan.ca...@oracle.com>
Fixes: 1aa366163b8b ("KVM: x86 emulator: consolidate segment accessors")
Reviewed-by: Paolo Bonzini <pbon...@redhat.com>
Reviewed-by: David Hildenbrand <da...@redhat.com>
Signed-off-by: Radim Krčmář <rkr...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/x86/kvm/x86.c | 2 ++

1 file changed, 2 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4749,6 +4749,8 @@ static bool emulator_get_segment(struct

if (var.unusable) {
memset(desc, 0, sizeof(*desc));
+ if (base3)
+ *base3 = 0;
return false;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <pau...@ozlabs.org>

commit 46a704f8409f79fd66567ad3f8a7304830a84293 upstream.

If userspace attempts to call the KVM_RUN ioctl when it has hardware
transactional memory (HTM) enabled, the values that it has put in the
HTM-related SPRs TFHAR, TFIAR and TEXASR will get overwritten by
guest values. To fix this, we detect this condition and save those
SPR values in the thread struct, and disable HTM for the task. If
userspace goes to access those SPRs or the HTM facility in future,
a TM-unavailable interrupt will occur and the handler will reload
those SPRs and re-enable HTM.

If userspace has started a transaction and suspended it, we would
currently lose the transactional state in the guest entry path and
would almost certainly get a "TM Bad Thing" interrupt, which would
cause the host to crash. To avoid this, we detect this case and
return from the KVM_RUN ioctl with an EINVAL error, with the KVM
exit reason set to KVM_EXIT_FAIL_ENTRY.

Fixes: b005255e12a3 ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08)
Signed-off-by: Paul Mackerras <pau...@ozlabs.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/powerpc/kvm/book3s_hv.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -1802,6 +1802,27 @@ static int kvmppc_vcpu_run_hv(struct kvm
return -EINVAL;
}

+ /*
+ * Don't allow entry with a suspended transaction, because
+ * the guest entry/exit code will lose it.
+ * If the guest has TM enabled, save away their TM-related SPRs
+ * (they will get restored by the TM unavailable interrupt).
+ */
+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ if (cpu_has_feature(CPU_FTR_TM) && current->thread.regs &&
+ (current->thread.regs->msr & MSR_TM)) {
+ if (MSR_TM_ACTIVE(current->thread.regs->msr)) {
+ run->exit_reason = KVM_EXIT_FAIL_ENTRY;
+ run->fail_entry.hardware_entry_failure_reason = 0;
+ return -EINVAL;
+ }
+ current->thread.tm_tfhar = mfspr(SPRN_TFHAR);
+ current->thread.tm_tfiar = mfspr(SPRN_TFIAR);
+ current->thread.tm_texasr = mfspr(SPRN_TEXASR);
+ current->thread.regs->msr &= ~MSR_TM;
+ }
+#endif
+
kvmppc_core_prepare_to_enter(vcpu);

/* No need to go into the guest when all we'll do is come back out */

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oscar Campos <oscar....@member.fsf.org>

commit deaba636997557fce46ca7bcb509bff5ea1b0558 upstream.

Add quirks for several corsair gaming devices to avoid long delays on
report initialization

Supported devices:

- Corsair K65RGB Rapidfire Gaming Keyboard
- Corsair K70RGB Rapidfire Gaming Keyboard
- Corsair Scimitar Pro RGB Gaming Mouse

Signed-off-by: Oscar Campos <oscar....@member.fsf.org>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 3 +++
drivers/hid/usbhid/hid-quirks.c | 3 +++
2 files changed, 6 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -255,6 +255,9 @@
#define USB_DEVICE_ID_CORSAIR_K70RGB 0x1b13
#define USB_DEVICE_ID_CORSAIR_STRAFE 0x1b15
#define USB_DEVICE_ID_CORSAIR_K65RGB 0x1b17
+#define USB_DEVICE_ID_CORSAIR_K70RGB_RAPIDFIRE 0x1b38
+#define USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE 0x1b39
+#define USB_DEVICE_ID_CORSAIR_SCIMITAR_PRO_RGB 0x1b3e

#define USB_VENDOR_ID_CREATIVELABS 0x041e
#define USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51 0x322c
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -80,6 +80,9 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_STRAFE, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB_RAPIDFIRE, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_SCIMITAR_PRO_RGB, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jimmy Berry <ji...@boombatower.com>

commit 0d51571d51ea8eb72b903b2a4f3f43a38e7bc718 upstream.

Without quirk keyboard repeats '6' until volume control is used since it
indicates the key is pressed without ever releasing.

Signed-off-by: Jimmy Berry <ji...@boombatower.com>

Signed-off-by: Jiri Kosina <jko...@suse.cz>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 1 +
drivers/hid/usbhid/hid-quirks.c | 1 +

2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -591,6 +591,7 @@
#define USB_DEVICE_ID_LOGITECH_HARMONY_FIRST 0xc110
#define USB_DEVICE_ID_LOGITECH_HARMONY_LAST 0xc14f
#define USB_DEVICE_ID_LOGITECH_HARMONY_PS3 0x0306
+#define USB_DEVICE_ID_LOGITECH_KEYBOARD_G710_PLUS 0xc24d
#define USB_DEVICE_ID_LOGITECH_MOUSE_C01A 0xc01a
#define USB_DEVICE_ID_LOGITECH_MOUSE_C05A 0xc05a
#define USB_DEVICE_ID_LOGITECH_MOUSE_C06A 0xc06a
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -85,6 +85,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_KEYBOARD_G710_PLUS, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C01A, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A, HID_QUIRK_ALWAYS_POLL },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbon...@redhat.com>

commit 1123a6041654e8f889014659593bad4168e542c2 upstream.

Linu Cherian reported a WARN in cleanup_srcu_struct() when shutting
down a guest running iperf on a VFIO assigned device. This happens
because irqfd_wakeup() calls srcu_read_lock(&kvm->irq_srcu) in interrupt
context, while a worker thread does the same inside kvm_set_irq(). If the
interrupt happens while the worker thread is executing __srcu_read_lock(),
updates to the Classic SRCU ->lock_count[] field or the Tree SRCU
->srcu_lock_count[] field can be lost.

The docs say you are not supposed to call srcu_read_lock() and
srcu_read_unlock() from irq context, but KVM interrupt injection happens
from (host) interrupt context and it would be nice if SRCU supported the
use case. KVM is using SRCU here not really for the "sleepable" part,
but rather due to its IPI-free fast detection of grace periods. It is
therefore not desirable to switch back to RCU, which would effectively
revert commit 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING",
2014-01-16).

However, the docs are overly conservative. You can have an SRCU instance
only has users in irq context, and you can mix process and irq context
as long as process context users disable interrupts. In addition,
__srcu_read_unlock() actually uses this_cpu_dec() on both Tree SRCU and
Classic SRCU. For those two implementations, only srcu_read_lock()
is unsafe.

When Classic SRCU's __srcu_read_unlock() was changed to use this_cpu_dec(),
in commit 5a41344a3d83 ("srcu: Simplify __srcu_read_unlock() via
this_cpu_dec()", 2012-11-29), __srcu_read_lock() did two increments.
Therefore it kept __this_cpu_inc(), with preempt_disable/enable in
the caller. Tree SRCU however only does one increment, so on most
architectures it is more efficient for __srcu_read_lock() to use
this_cpu_inc(), and any performance differences appear to be down in
the noise.

Fixes: 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING")
Reported-by: Linu Cherian <linuc....@gmail.com>
Suggested-by: Linu Cherian <linuc....@gmail.com>
Cc: k...@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Paul E. McKenney <pau...@linux.vnet.ibm.com>

[bwh: Backported to 3.16: __srcu_read_lock() still updates two different
counters. So follow what _this_cpu_generic_to_op() does and use
raw_local_irq_{save,restore}() and raw_cpu_ptr().]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/include/linux/srcu.h
+++ b/include/linux/srcu.h
@@ -219,9 +219,7 @@ static inline int srcu_read_lock(struct
{
int retval;

- preempt_disable();
retval = __srcu_read_lock(sp);
- preempt_enable();

rcu_lock_acquire(&(sp)->dep_map);
return retval;
}
--- a/kernel/rcu/srcu.c
+++ b/kernel/rcu/srcu.c

@@ -289,17 +289,20 @@ EXPORT_SYMBOL_GPL(cleanup_srcu_struct);

/*
* Counts the new reader in the appropriate per-CPU element of the
- * srcu_struct. Must be called from process context.
+ * srcu_struct.
* Returns an index that must be passed to the matching srcu_read_unlock().
*/
int __srcu_read_lock(struct srcu_struct *sp)
{
+ unsigned long flags;

int idx;

idx = ACCESS_ONCE(sp->completed) & 0x1;

- ACCESS_ONCE(this_cpu_ptr(sp->per_cpu_ref)->c[idx]) += 1;
+ raw_local_irq_save(flags);
+ ACCESS_ONCE(raw_cpu_ptr(sp->per_cpu_ref)->c[idx]) += 1;

smp_mb(); /* B */ /* Avoid leaking the critical section. */

- ACCESS_ONCE(this_cpu_ptr(sp->per_cpu_ref)->seq[idx]) += 1;
+ ACCESS_ONCE(raw_cpu_ptr(sp->per_cpu_ref)->seq[idx]) += 1;
+ raw_local_irq_restore(flags);
return idx;
}
EXPORT_SYMBOL_GPL(__srcu_read_lock);
@@ -308,7 +311,6 @@ EXPORT_SYMBOL_GPL(__srcu_read_lock);
* Removes the count for the old reader from the appropriate per-CPU
* element of the srcu_struct. Note that this may well be a different
* CPU than that which was incremented by the corresponding srcu_read_lock().
- * Must be called from process context.
*/
void __srcu_read_unlock(struct srcu_struct *sp, int idx)
{

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 93491ced3c87c94b12220dbac0527e1356702179 upstream.

Add define for the maximum number of ports on a SuperSpeed hub as per
USB 3.1 spec Table 10-5, and use it when verifying the retrieved hub
descriptor.

This specifically avoids benign attempts to update the DeviceRemovable
mask for non-existing ports (should we get that far).

Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
Acked-by: Alan Stern <st...@rowland.harvard.edu>
Signed-off-by: Johan Hovold <jo...@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/core/hub.c | 8 +++++++-
include/uapi/linux/usb/ch11.h | 3 +++
2 files changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1316,7 +1316,13 @@ static int hub_configure(struct usb_hub
if (ret < 0) {
message = "can't read hub descriptor";
goto fail;
- } else if (hub->descriptor->bNbrPorts > USB_MAXCHILDREN) {
+ }
+
+ maxchild = USB_MAXCHILDREN;
+ if (hub_is_superspeed(hdev))
+ maxchild = min_t(unsigned, maxchild, USB_SS_MAXPORTS);
+
+ if (hub->descriptor->bNbrPorts > maxchild) {
message = "hub has too many ports!";
ret = -ENODEV;
goto fail;
--- a/include/uapi/linux/usb/ch11.h
+++ b/include/uapi/linux/usb/ch11.h
@@ -22,6 +22,9 @@
*/
#define USB_MAXCHILDREN 31

+/* See USB 3.1 spec Table 10-5 */
+#define USB_SS_MAXPORTS 15
+
/*
* Hub request types
*/

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpe...@hotmail.com>

commit 9bc1f09f6fa76fdf31eb7d6a4a4df43574725f93 upstream.

INFO: task gnome-terminal-:1734 blocked for more than 120 seconds.
Not tainted 4.12.0-rc4+ #8
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
gnome-terminal- D 0 1734 1015 0x00000000
Call Trace:
__schedule+0x3cd/0xb30
schedule+0x40/0x90
kvm_async_pf_task_wait+0x1cc/0x270
? __vfs_read+0x37/0x150
? prepare_to_swait+0x22/0x70
do_async_page_fault+0x77/0xb0
? do_async_page_fault+0x77/0xb0
async_page_fault+0x28/0x30

This is triggered by running both win7 and win2016 on L1 KVM simultaneously,
and then gives stress to memory on L1, I can observed this hang on L1 when
at least ~70% swap area is occupied on L0.

This is due to async pf was injected to L2 which should be injected to L1,
L2 guest starts receiving pagefault w/ bogus %cr2(apf token from the host
actually), and L1 guest starts accumulating tasks stuck in D state in
kvm_async_pf_task_wait() since missing PAGE_READY async_pfs.

This patch fixes the hang by doing async pf when executing L1 guest.

Cc: Paolo Bonzini <pbon...@redhat.com>
Cc: Radim Krčmář <rkr...@redhat.com>

Signed-off-by: Wanpeng Li <wanpe...@hotmail.com>
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/x86/kvm/mmu.c | 7 +++++--
arch/x86/kvm/mmu.h | 1 +
arch/x86/kvm/x86.c | 3 +--
3 files changed, 7 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3292,12 +3292,15 @@ static int kvm_arch_setup_async_pf(struc
return kvm_setup_async_pf(vcpu, gva, gfn_to_hva(vcpu->kvm, gfn), &arch);
}

-static bool can_do_async_pf(struct kvm_vcpu *vcpu)
+bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu)
{
if (unlikely(!irqchip_in_kernel(vcpu->kvm) ||
kvm_event_needs_reinjection(vcpu)))
return false;

+ if (is_guest_mode(vcpu))
+ return false;
+
return kvm_x86_ops->interrupt_allowed(vcpu);
}

@@ -3311,7 +3314,7 @@ static bool try_async_pf(struct kvm_vcpu
if (!async)
return false; /* *pfn has correct page already */

- if (!prefault && can_do_async_pf(vcpu)) {
+ if (!prefault && kvm_can_do_async_pf(vcpu)) {
trace_kvm_try_async_get_page(gva, gfn);
if (kvm_find_async_pf_gfn(vcpu, gfn)) {
trace_kvm_async_pf_doublefault(gva, gfn);
--- a/arch/x86/kvm/mmu.h
+++ b/arch/x86/kvm/mmu.h
@@ -79,6 +79,7 @@ int handle_mmio_page_fault_common(struct
void kvm_init_shadow_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context);
void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *context,
bool execonly);
+bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu);

static inline unsigned int kvm_mmu_available_pages(struct kvm *kvm)
{
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7612,8 +7612,7 @@ bool kvm_arch_can_inject_async_page_pres
if (!(vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED))
return true;
else
- return !kvm_event_needs_reinjection(vcpu) &&
- kvm_x86_ops->interrupt_allowed(vcpu);
+ return kvm_can_do_async_pf(vcpu);
}

void kvm_arch_register_noncoherent_dma(struct kvm *kvm)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Naveen N. Rao" <naveen...@linux.vnet.ibm.com>

commit a9f8553e935f26cb5447f67e280946b0923cd2dc upstream.

This fixes a crash when function_graph and jprobes are used together.
This is essentially commit 237d28db036e ("ftrace/jprobes/x86: Fix
conflict between jprobes and function graph tracing"), but for powerpc.

Jprobes breaks function_graph tracing since the jprobe hook needs to use
jprobe_return(), which never returns back to the hook, but instead to
the original jprobe'd function. The solution is to momentarily pause
function_graph tracing before invoking the jprobe hook and re-enable it
when returning back to the original jprobe'd function.

Fixes: 6794c78243bf ("powerpc64: port of the function graph tracer")
Signed-off-by: Naveen N. Rao <naveen...@linux.vnet.ibm.com>
Acked-by: Masami Hiramatsu <mhir...@kernel.org>
Acked-by: Steven Rostedt (VMware) <ros...@goodmis.org>
Signed-off-by: Michael Ellerman <m...@ellerman.id.au>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/powerpc/kernel/kprobes.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/arch/powerpc/kernel/kprobes.c
+++ b/arch/powerpc/kernel/kprobes.c
@@ -514,6 +514,15 @@ int __kprobes setjmp_pre_handler(struct
#endif
#endif

+ /*
+ * jprobes use jprobe_return() which skips the normal return
+ * path of the function, and this messes up the accounting of the
+ * function graph tracer.
+ *
+ * Pause function graph tracing while performing the jprobe function.
+ */
+ pause_graph_tracing();
+
return 1;
}

@@ -536,6 +545,8 @@ int __kprobes longjmp_break_handler(stru
* saved regs...
*/
memcpy(regs, &kcb->jprobe_saved_regs, sizeof(struct pt_regs));
+ /* It's OK to start function graph tracing again */
+ unpause_graph_tracing();
preempt_enable_no_resched();
return 1;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <n...@linux-iscsi.org>

commit 73d4e580ccc5c3e05cea002f18111f66c9c07034 upstream.

This patch fixes a se_cmd->cmd_kref underflow during CMD_T_ABORTED
when a fabric driver drops it's second reference from below the
target_core_tmr.c based callers of transport_cmd_finish_abort().

Recently with the conversion of kref to refcount_t, this bug was
manifesting itself as:

[705519.601034] refcount_t: underflow; use-after-free.
[705519.604034] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 20116.512 msecs
[705539.719111] ------------[ cut here ]------------
[705539.719117] WARNING: CPU: 3 PID: 26510 at lib/refcount.c:184 refcount_sub_and_test+0x33/0x51

Since the original kref atomic_t based kref_put() didn't check for
underflow and only invoked the final callback when zero was reached,
this bug did not manifest in practice since all se_cmd memory is
using preallocated tags.

To address this, go ahead and propigate the existing return from
transport_put_cmd() up via transport_cmd_finish_abort(), and
change transport_cmd_finish_abort() + core_tmr_handle_tas_abort()
callers to only do their local target_put_sess_cmd() if necessary.

Reported-by: Bart Van Assche <bart.va...@sandisk.com>
Tested-by: Bart Van Assche <bart.va...@sandisk.com>
Cc: Mike Christie <mchr...@redhat.com>
Cc: Hannes Reinecke <ha...@suse.de>
Cc: Christoph Hellwig <h...@lst.de>
Cc: Himanshu Madhani <himanshu...@qlogic.com>
Cc: Sagi Grimberg <sa...@mellanox.com>
Tested-by: Gary Guo <g...@datera.io>
Tested-by: Chu Yuan Lin <c...@datera.io>
Signed-off-by: Nicholas Bellinger <n...@linux-iscsi.org>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/target/target_core_internal.h | 2 +-
drivers/target/target_core_tmr.c | 16 ++++++++--------
drivers/target/target_core_transport.c | 9 ++++++---
3 files changed, 15 insertions(+), 12 deletions(-)

--- a/drivers/target/target_core_internal.h
+++ b/drivers/target/target_core_internal.h
@@ -92,7 +92,7 @@ int init_se_kmem_caches(void);
void release_se_kmem_caches(void);
u32 scsi_get_new_index(scsi_index_t);
void transport_subsystem_check_init(void);
-void transport_cmd_finish_abort(struct se_cmd *, int);
+int transport_cmd_finish_abort(struct se_cmd *, int);
unsigned char *transport_dump_cmd_direction(struct se_cmd *);
void transport_dump_dev_state(struct se_device *, char *, int *);
void transport_dump_dev_info(struct se_device *, struct se_lun *,
--- a/drivers/target/target_core_tmr.c
+++ b/drivers/target/target_core_tmr.c
@@ -82,7 +82,7 @@ void core_tmr_release_req(
kfree(tmr);
}

-static void core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas)
+static int core_tmr_handle_tas_abort(struct se_cmd *cmd, int tas)
{
unsigned long flags;
bool remove = true, send_tas;
@@ -98,7 +98,7 @@ static void core_tmr_handle_tas_abort(st
transport_send_task_abort(cmd);
}

- transport_cmd_finish_abort(cmd, remove);
+ return transport_cmd_finish_abort(cmd, remove);
}

static int target_check_cdb_and_preempt(struct list_head *list,
@@ -195,8 +195,8 @@ void core_tmr_abort_task(
cancel_work_sync(&se_cmd->work);
transport_wait_for_tasks(se_cmd);

- transport_cmd_finish_abort(se_cmd, true);
- target_put_sess_cmd(se_sess, se_cmd);
+ if (!transport_cmd_finish_abort(se_cmd, true))
+ target_put_sess_cmd(se_sess, se_cmd);

printk("ABORT_TASK: Sending TMR_FUNCTION_COMPLETE for"
" ref_tag: %d\n", ref_tag);
@@ -296,8 +296,8 @@ static void core_tmr_drain_tmr_list(
cancel_work_sync(&cmd->work);
transport_wait_for_tasks(cmd);

- transport_cmd_finish_abort(cmd, 1);
- target_put_sess_cmd(cmd->se_sess, cmd);
+ if (!transport_cmd_finish_abort(cmd, 1))
+ target_put_sess_cmd(cmd->se_sess, cmd);
}
}

@@ -395,8 +395,8 @@ static void core_tmr_drain_state_list(
cancel_work_sync(&cmd->work);
transport_wait_for_tasks(cmd);

- core_tmr_handle_tas_abort(cmd, tas);
- target_put_sess_cmd(cmd->se_sess, cmd);
+ if (!core_tmr_handle_tas_abort(cmd, tas))
+ target_put_sess_cmd(cmd->se_sess, cmd);
}
}

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -600,9 +600,10 @@ static void transport_lun_remove_cmd(str
percpu_ref_put(&lun->lun_ref);
}

-void transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
+int transport_cmd_finish_abort(struct se_cmd *cmd, int remove)
{
bool ack_kref = (cmd->se_cmd_flags & SCF_ACK_KREF);
+ int ret = 0;

if (cmd->se_cmd_flags & SCF_SE_LUN_CMD)
transport_lun_remove_cmd(cmd);
@@ -614,9 +615,11 @@ void transport_cmd_finish_abort(struct s
cmd->se_tfo->aborted_task(cmd);

if (transport_cmd_check_stop_to_fabric(cmd))
- return;
+ return 1;
if (remove && ack_kref)
- transport_put_cmd(cmd);
+ ret = transport_put_cmd(cmd);
+
+ return ret;
}

static void target_complete_failure_work(struct work_struct *work)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pavel Shilovsky <psh...@microsoft.com>

commit dcd87838c06f05ab7650b249ebf0d5b57ae63e1e upstream.

Downgrade the loglevel for SMB2 to prevent filling the log
with messages if e.g. readdir was interrupted. Also make SMB2
and SMB1 codepaths do the same logging during readdir.

Signed-off-by: Pavel Shilovsky <psh...@microsoft.com>
Signed-off-by: Steve French <smfr...@gmail.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/cifs/smb1ops.c | 9 +++++++--
fs/cifs/smb2ops.c | 4 ++--
2 files changed, 9 insertions(+), 4 deletions(-)

--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -856,8 +856,13 @@ cifs_query_dir_first(const unsigned int
struct cifs_fid *fid, __u16 search_flags,
struct cifs_search_info *srch_inf)
{
- return CIFSFindFirst(xid, tcon, path, cifs_sb,
- &fid->netfid, search_flags, srch_inf, true);
+ int rc;
+
+ rc = CIFSFindFirst(xid, tcon, path, cifs_sb,
+ &fid->netfid, search_flags, srch_inf, true);
+ if (rc)
+ cifs_dbg(FYI, "find first failed=%d\n", rc);
+ return rc;
}

static int
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -729,7 +729,7 @@ smb2_query_dir_first(const unsigned int
rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL);
kfree(utf16_path);
if (rc) {
- cifs_dbg(VFS, "open dir failed\n");
+ cifs_dbg(FYI, "open dir failed rc=%d\n", rc);
return rc;
}

@@ -739,7 +739,7 @@ smb2_query_dir_first(const unsigned int
rc = SMB2_query_directory(xid, tcon, fid->persistent_fid,
fid->volatile_fid, 0, srch_inf);
if (rc) {
- cifs_dbg(VFS, "query directory failed\n");
+ cifs_dbg(FYI, "query directory failed rc=%d\n", rc);
SMB2_close(xid, tcon, fid->persistent_fid, fid->volatile_fid);
}
return rc;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ulrik De Bie <ulrik.d...@e2big.org>

commit 47eb0c8b4d9eb6368941c6a9bb443f00847a46d7 upstream.

The Lifebook E546 and E557 touchpad were also not functioning and
worked after running:

echo "1" > /sys/devices/platform/i8042/serio2/crc_enabled

Add them to the list of machines that need this workaround.

Signed-off-by: Ulrik De Bie <ulrik.d...@e2big.org>
Reviewed-by: Arjan Opmeer <ar...@opmeer.net>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/input/mouse/elantech.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1036,8 +1036,10 @@ static int elantech_get_resolution_v4(st
* Asus UX32VD 0x361f02 00, 15, 0e clickpad
* Avatar AVIU-145A2 0x361f00 ? clickpad
* Fujitsu LIFEBOOK E544 0x470f00 d0, 12, 09 2 hw buttons
+ * Fujitsu LIFEBOOK E546 0x470f00 50, 12, 09 2 hw buttons
* Fujitsu LIFEBOOK E547 0x470f00 50, 12, 09 2 hw buttons
* Fujitsu LIFEBOOK E554 0x570f01 40, 14, 0c 2 hw buttons
+ * Fujitsu LIFEBOOK E557 0x570f01 40, 14, 0c 2 hw buttons
* Gigabyte U2442 0x450f01 58, 17, 0c 2 hw buttons
* Lenovo L430 0x350f02 b9, 15, 0c 2 hw buttons (*)
* Samsung NF210 0x150b00 78, 14, 0a 2 hw buttons
@@ -1397,6 +1399,13 @@ static const struct dmi_system_id elante
},
},
{
+ /* Fujitsu LIFEBOOK E546 does not work with crc_enabled == 0 */

+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),

+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E546"),
+ },
+ },
+ {
/* Fujitsu LIFEBOOK E547 does not work with crc_enabled == 0 */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
@@ -1418,6 +1427,13 @@ static const struct dmi_system_id elante
},
},
{
+ /* Fujitsu LIFEBOOK E557 does not work with crc_enabled == 0 */

+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),

+ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E557"),
+ },
+ },
+ {
/* Fujitsu LIFEBOOK U745 does not work with crc_enabled == 0 */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Schmitt <volt...@gmx.net>

commit b6ad9a26e7c6fae74062baa9b8a7f583a803e092 upstream.

The WiiU adapter from Mayflash (see
http://www.mayflash.com/Products/NINTENDOWiiU/W009.html) is not
working correctly.

The "XInput" mode works fine, the controller is recognized as a xbox
controller. But it is only possible to connect one controller with this method.

In "DInput" mode the device is recognized as some kind of mouse input but no
joystick is created. This commit will change this behavior with
HID_QUIRK_MULTI_INPUT to split the device into 4 input devices so that it will
also create joysticks in /dev/input/js*.

Signed-off-by: Oliver Schmitt <volt...@gmx.net>
Reviewed-by: Felipe Balbi <ba...@ti.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 1 +
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h

@@ -276,6 +276,7 @@
#define USB_DEVICE_ID_DMI_ENC 0x5fab

#define USB_VENDOR_ID_DRAGONRISE 0x0079
+#define USB_DEVICE_ID_DRAGONRISE_WIIU 0x1800

#define USB_VENDOR_ID_DWAV 0x0eef
#define USB_DEVICE_ID_EGALAX_TOUCHCONTROLLER 0x0001
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -72,6 +72,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },
{ USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_009B, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_0103, HID_QUIRK_ALWAYS_POLL },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yuta Kobayashi <alu...@outlook.com>

commit b490a8537df60d449199e162417da74ee9262515 upstream.

Adding support for the Microsoft Surface 4 Type Cover Pro (JP).

Signed-off-by: Yuta Kobayashi <alu...@outlook.com>

Signed-off-by: Jiri Kosina <jko...@suse.cz>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-core.c | 2 ++
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-microsoft.c | 2 ++
drivers/hid/usbhid/hid-quirks.c | 1 +
4 files changed, 6 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -707,6 +707,7 @@ static void hid_scan_collection(struct h
(hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3 ||
hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2 ||
hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP ||
+ hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP ||
hid->product == USB_DEVICE_ID_MS_TYPE_COVER_3 ||
hid->product == USB_DEVICE_ID_MS_POWER_COVER) &&
hid->group == HID_GROUP_MULTITOUCH)
@@ -1863,6 +1864,7 @@ static const struct hid_device_id hid_ha
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MONTEREY, USB_DEVICE_ID_GENIUS_KB29E) },
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -672,6 +672,7 @@
#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3 0x07dc
#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2 0x07e2
#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP 0x07dd
+#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP 0x07e9
#define USB_DEVICE_ID_MS_TYPE_COVER_3 0x07de
#define USB_DEVICE_ID_MS_POWER_COVER 0x07da

--- a/drivers/hid/hid-microsoft.c
+++ b/drivers/hid/hid-microsoft.c
@@ -282,6 +282,8 @@ static const struct hid_device_id ms_dev
.driver_data = MS_HIDINPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP),
.driver_data = MS_HIDINPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP),
+ .driver_data = MS_HIDINPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3),
.driver_data = MS_HIDINPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER),
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -99,6 +99,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GX680R_LED_PANEL, HID_QUIRK_NO_INIT_REPORTS },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.w...@gmail.com>

commit 76da0704507bbc51875013f6557877ab308cfd0a upstream.

In commit 242d3a49a2a1 ("ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf")
I assumed NETDEV_REGISTER and NETDEV_UNREGISTER are paired,
unfortunately, as reported by jeffy, netdev_wait_allrefs()
could rebroadcast NETDEV_UNREGISTER event until all refs are
gone.

We have to add an additional check to avoid this corner case.
For netdev_wait_allrefs() dev->reg_state is NETREG_UNREGISTERED,
for dev_change_net_namespace(), dev->reg_state is
NETREG_REGISTERED. So check for dev->reg_state != NETREG_UNREGISTERED.

Fixes: 242d3a49a2a1 ("ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf")
Reported-by: jeffy <jeffy...@rock-chips.com>
Cc: David Ahern <dsa...@gmail.com>
Signed-off-by: Cong Wang <xiyou.w...@gmail.com>
Acked-by: David Ahern <dsa...@gmail.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/ipv6/route.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2835,7 +2835,11 @@ static int ip6_route_dev_notify(struct n
net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
#endif
- } else if (event == NETDEV_UNREGISTER) {
+ } else if (event == NETDEV_UNREGISTER &&
+ dev->reg_state != NETREG_UNREGISTERED) {
+ /* NETDEV_UNREGISTER could be fired for multiple times by
+ * netdev_wait_allrefs(). Make sure we only call this once.
+ */
in6_dev_put(net->ipv6.ip6_null_entry->rt6i_idev);
#ifdef CONFIG_IPV6_MULTIPLE_TABLES
in6_dev_put(net->ipv6.ip6_prohibit_entry->rt6i_idev);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yu Zhao <yuz...@google.com>

commit ef70762948dde012146926720b70e79736336764 upstream.

I saw need_resched() warnings when swapping on large swapfile (TBs)
because continuously allocating many pages in swap_cgroup_prepare() took
too long.

We already cond_resched when freeing page in swap_cgroup_swapoff(). Do
the same for the page allocation.

Link: http://lkml.kernel.org/r/20170604200109...@google.com
Signed-off-by: Yu Zhao <yuz...@google.com>
Acked-by: Michal Hocko <mho...@suse.com>
Acked-by: Vladimir Davydov <vdavyd...@gmail.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

[bwh: Backported to 3.16: adjust filename]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

mm/page_cgroup.c | 3 +++
1 file changed, 3 insertions(+)

--- a/mm/page_cgroup.c
+++ b/mm/page_cgroup.c
@@ -368,6 +368,9 @@ static int swap_cgroup_prepare(int type)
if (!page)
goto not_enough_page;
ctrl->map[idx] = page;
+
+ if (!(idx % SWAP_CLUSTER_MAX))
+ cond_resched();
}
return 0;
not_enough_page:

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <felipe...@linux.intel.com>

commit 76a35293b901915c5dcb4a87a4a0da8d7caf39fe upstream.

Instead of having several return points, let's use a local variable and
a single place to return. This makes the code slightly easier to read.

[set ret = IRQ_HANDLED in default working case -Mathias]
Signed-off-by: Felipe Balbi <felipe...@linux.intel.com>
Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/host/xhci-ring.c | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2688,27 +2688,28 @@ static int xhci_handle_event(struct xhci
irqreturn_t xhci_irq(struct usb_hcd *hcd)
{
struct xhci_hcd *xhci = hcd_to_xhci(hcd);
- u32 status;
- u64 temp_64;
union xhci_trb *event_ring_deq;
+ irqreturn_t ret = IRQ_NONE;
dma_addr_t deq;
+ u64 temp_64;
+ u32 status;

spin_lock(&xhci->lock);
/* Check if the xHC generated the interrupt, or the irq is shared */
status = readl(&xhci->op_regs->status);
- if (status == 0xffffffff)
- goto hw_died;
-
- if (!(status & STS_EINT)) {
- spin_unlock(&xhci->lock);
- return IRQ_NONE;
+ if (status == 0xffffffff) {
+ ret = IRQ_HANDLED;
+ goto out;
}
+
+ if (!(status & STS_EINT))
+ goto out;
+
if (status & STS_FATAL) {
xhci_warn(xhci, "WARNING: Host System Error\n");
xhci_halt(xhci);
-hw_died:
- spin_unlock(&xhci->lock);
- return IRQ_HANDLED;
+ ret = IRQ_HANDLED;
+ goto out;
}

/*
@@ -2738,9 +2739,8 @@ hw_died:
temp_64 = xhci_read_64(xhci, &xhci->ir_set->erst_dequeue);
xhci_write_64(xhci, temp_64 | ERST_EHB,
&xhci->ir_set->erst_dequeue);
- spin_unlock(&xhci->lock);
-
- return IRQ_HANDLED;
+ ret = IRQ_HANDLED;
+ goto out;
}

event_ring_deq = xhci->event_ring->dequeue;
@@ -2765,10 +2765,12 @@ hw_died:
/* Clear the event handler busy flag (RW1C); event ring is empty. */
temp_64 |= ERST_EHB;
xhci_write_64(xhci, temp_64, &xhci->ir_set->erst_dequeue);
+ ret = IRQ_HANDLED;

+out:
spin_unlock(&xhci->lock);

- return IRQ_HANDLED;
+ return ret;
}

irqreturn_t xhci_msi_irq(int irq, void *hcd)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj38...@gmail.com>

commit c76132dc5182776b98e946d674cb41c421661ea9 upstream.

Script generated by the '--gen-script' option contains an outdated
comment. It mentions a 'perf-trace-python' document while it has been
renamed to 'perf-script-python'. Fix it.

Signed-off-by: SeongJae Park <sj38...@gmail.com>
Cc: Alexander Shishkin <alexander...@linux.intel.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Fixes: 133dc4c39c57 ("perf: Rename 'perf trace' to 'perf script'")
Link: http://lkml.kernel.org/r/20170530111827.2...@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

tools/perf/util/scripting-engines/trace-event-python.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/scripting-engines/trace-event-python.c
+++ b/tools/perf/util/scripting-engines/trace-event-python.c
@@ -563,7 +563,7 @@ static int python_generate_script(struct
fprintf(ofp, "# be retrieved using Python functions of the form "
"common_*(context).\n");

- fprintf(ofp, "# See the perf-trace-python Documentation for the list "
+ fprintf(ofp, "# See the perf-script-python Documentation for the list "
"of available functions.\n\n");

fprintf(ofp, "import os\n");

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Suzuki K Poulose <suzuki....@arm.com>

commit 2952a6070e07ebdd5896f1f5b861acad677caded upstream.

Make sure we don't use a cached value of the KVM stage2 PGD while
resetting the PGD.

Cc: Marc Zyngier <marc.z...@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki....@arm.com>
Reviewed-by: Christoffer Dall <cd...@linaro.org>
Signed-off-by: Christoffer Dall <cd...@linaro.org>
[bwh: Backported to 3.16:
- s/READ_ONCE/ACCESS_ONCE/
- Adjust filename]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/arm/kvm/mmu.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -643,7 +643,7 @@ void kvm_free_stage2_pgd(struct kvm *kvm
spin_lock(&kvm->mmu_lock);
if (kvm->arch.pgd) {
unmap_stage2_range(kvm, 0, KVM_PHYS_SIZE);
- pgd = kvm->arch.pgd;
+ pgd = ACCESS_ONCE(kvm->arch.pgd);
kvm->arch.pgd = NULL;
}
spin_unlock(&kvm->mmu_lock);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sebastian Reichel <sebastia...@collabora.co.uk>

commit 5165da5923d6c7df6f2927b0113b2e4d9288661e upstream.

Since v4.9 i2c-tiny-usb generates the below call trace
and longer works, since it can't communicate with the
USB device. The reason is, that since v4.9 the USB
stack checks, that the buffer it should transfer is DMA
capable. This was a requirement since v2.2 days, but it
usually worked nevertheless.

[ 17.504959] ------------[ cut here ]------------
[ 17.505488] WARNING: CPU: 0 PID: 93 at drivers/usb/core/hcd.c:1587 usb_hcd_map_urb_for_dma+0x37c/0x570
[ 17.506545] transfer buffer not dma capable
[ 17.507022] Modules linked in:
[ 17.507370] CPU: 0 PID: 93 Comm: i2cdetect Not tainted 4.11.0-rc8+ #10
[ 17.508103] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 17.509039] Call Trace:
[ 17.509320] ? dump_stack+0x5c/0x78
[ 17.509714] ? __warn+0xbe/0xe0
[ 17.510073] ? warn_slowpath_fmt+0x5a/0x80
[ 17.510532] ? nommu_map_sg+0xb0/0xb0
[ 17.510949] ? usb_hcd_map_urb_for_dma+0x37c/0x570
[ 17.511482] ? usb_hcd_submit_urb+0x336/0xab0
[ 17.511976] ? wait_for_completion_timeout+0x12f/0x1a0
[ 17.512549] ? wait_for_completion_timeout+0x65/0x1a0
[ 17.513125] ? usb_start_wait_urb+0x65/0x160
[ 17.513604] ? usb_control_msg+0xdc/0x130
[ 17.514061] ? usb_xfer+0xa4/0x2a0
[ 17.514445] ? __i2c_transfer+0x108/0x3c0
[ 17.514899] ? i2c_transfer+0x57/0xb0
[ 17.515310] ? i2c_smbus_xfer_emulated+0x12f/0x590
[ 17.515851] ? _raw_spin_unlock_irqrestore+0x11/0x20
[ 17.516408] ? i2c_smbus_xfer+0x125/0x330
[ 17.516876] ? i2c_smbus_xfer+0x125/0x330
[ 17.517329] ? i2cdev_ioctl_smbus+0x1c1/0x2b0
[ 17.517824] ? i2cdev_ioctl+0x75/0x1c0
[ 17.518248] ? do_vfs_ioctl+0x9f/0x600
[ 17.518671] ? vfs_write+0x144/0x190
[ 17.519078] ? SyS_ioctl+0x74/0x80
[ 17.519463] ? entry_SYSCALL_64_fastpath+0x1e/0xad
[ 17.519959] ---[ end trace d047c04982f5ac50 ]---

Signed-off-by: Sebastian Reichel <sebastia...@collabora.co.uk>
Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Acked-by: Till Harbaum <ti...@harbaum.org>
Signed-off-by: Wolfram Sang <w...@the-dreams.de>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/i2c/busses/i2c-tiny-usb.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)

--- a/drivers/i2c/busses/i2c-tiny-usb.c
+++ b/drivers/i2c/busses/i2c-tiny-usb.c
@@ -178,22 +178,39 @@ static int usb_read(struct i2c_adapter *
int value, int index, void *data, int len)
{
struct i2c_tiny_usb *dev = (struct i2c_tiny_usb *)adapter->algo_data;
+ void *dmadata = kmalloc(len, GFP_KERNEL);
+ int ret;
+
+ if (!dmadata)
+ return -ENOMEM;

/* do control transfer */
- return usb_control_msg(dev->usb_dev, usb_rcvctrlpipe(dev->usb_dev, 0),
+ ret = usb_control_msg(dev->usb_dev, usb_rcvctrlpipe(dev->usb_dev, 0),
cmd, USB_TYPE_VENDOR | USB_RECIP_INTERFACE |
- USB_DIR_IN, value, index, data, len, 2000);
+ USB_DIR_IN, value, index, dmadata, len, 2000);
+
+ memcpy(data, dmadata, len);
+ kfree(dmadata);
+ return ret;
}

static int usb_write(struct i2c_adapter *adapter, int cmd,
int value, int index, void *data, int len)
{
struct i2c_tiny_usb *dev = (struct i2c_tiny_usb *)adapter->algo_data;
+ void *dmadata = kmemdup(data, len, GFP_KERNEL);
+ int ret;
+
+ if (!dmadata)
+ return -ENOMEM;

/* do control transfer */
- return usb_control_msg(dev->usb_dev, usb_sndctrlpipe(dev->usb_dev, 0),
+ ret = usb_control_msg(dev->usb_dev, usb_sndctrlpipe(dev->usb_dev, 0),
cmd, USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
- value, index, data, len, 2000);
+ value, index, dmadata, len, 2000);
+
+ kfree(dmadata);
+ return ret;
}

static void i2c_tiny_usb_free(struct i2c_tiny_usb *dev)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sui Chen <suic...@gmail.com>

commit 8bfd174312629866efa535193d9e563768ff4307 upstream.

(Correction in this resend: fixed function name acer_sa5_271_workaround; fixed
the always-true condition in the function; fixed description.)

On the Acer Switch Alpha 12 (model number: SA5-271), the internal SSD may not
get detected because the port_map and CAP.nr_ports combination causes the driver
to skip the port that is actually connected to the SSD. More specifically,
either all SATA ports are identified as DUMMY, or all ports get ``link down''
and never get up again.

This problem occurs occasionally. When this problem occurs, CAP may hold a
value of 0xC734FF00 or 0xC734FF01 and port_map may hold a value of 0x00 or 0x01.
When this problem does not occur, CAP holds a value of 0xC734FF02 and port_map
may hold a value of 0x07. Overriding the CAP value to 0xC734FF02 and port_map to
0x7 significantly reduces the occurrence of this problem.

Link: https://bugzilla.kernel.org/attachment.cgi?id=253091
Signed-off-by: Sui Chen <suic...@gmail.com>
Tested-by: Damian Ivanov <damian...@gmail.com>
Signed-off-by: Tejun Heo <t...@kernel.org>
[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/ata/ahci.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)

--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -1313,6 +1313,40 @@ static inline void ahci_gtf_filter_worka
{}
#endif

+/*
+ * On the Acer Aspire Switch Alpha 12, sometimes all SATA ports are detected
+ * as DUMMY, or detected but eventually get a "link down" and never get up
+ * again. When this happens, CAP.NP may hold a value of 0x00 or 0x01, and the
+ * port_map may hold a value of 0x00.
+ *
+ * Overriding CAP.NP to 0x02 and the port_map to 0x7 will reveal all 3 ports
+ * and can significantly reduce the occurrence of the problem.
+ *
+ * https://bugzilla.kernel.org/show_bug.cgi?id=189471
+ */
+static void acer_sa5_271_workaround(struct ahci_host_priv *hpriv,
+ struct pci_dev *pdev)
+{
+ static const struct dmi_system_id sysids[] = {
+ {
+ .ident = "Acer Switch Alpha 12",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Switch SA5-271")

+ },
+ },
+ { }

+ };
+
+ if (dmi_check_system(sysids)) {
+ dev_info(&pdev->dev, "enabling Acer Switch Alpha 12 workaround\n");
+ if ((hpriv->saved_cap & 0xC734FF00) == 0xC734FF00) {
+ hpriv->port_map = 0x7;
+ hpriv->cap = 0xC734FF02;
+ }
+ }
+}
+
static int ahci_init_interrupts(struct pci_dev *pdev, unsigned int n_ports,
struct ahci_host_priv *hpriv)
{
@@ -1565,6 +1599,10 @@ static int ahci_init_one(struct pci_dev
"online status unreliable, applying workaround\n");
}

+
+ /* Acer SA5-271 workaround modifies private_data */
+ acer_sa5_271_workaround(hpriv, pdev);
+
/* CAP.NP sometimes indicate the index of the last enabled
* port, at other times, that of the last possible port, so
* determining the maximum port number requires looking at

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Trent Lloyd <tr...@lloyd.id.au>

commit 282bf1fe6dca4b768d6bedc14aea1b82c36241c1 upstream.

These devices feature multiple interfaces/endpoints: a legacy BIOS/boot
interface (endpoint 0x81), as well as 2 corsair-specific keyboard interfaces
(endpoint 0x82, 0x83 IN/0x03 OUT) and an RGB LED control interface (endpoint
0x84 IN/0x04 OUT)

Because the extra 3 interfaces are not of subclass USB_INTERFACE_SUBCLASS_BOOT,
HID_QUIRK_NOGET is not automatically set on them and a 10s timeout per-endpoint
(30s per device) occurs initialising reports on boot. We configure
HID_QUIRK_NO_INIT_REPORTS for these devices.

Additionally the left-side G1-G18 macro keys on the K95RGB generate output on
the un-opened 0x82/0x83 endpoints which causes the keyboard to stop responding
waiting for this event to be collected. We enable HID_QUIRK_ALWAYS_POLL to
prevent this situation from occurring.

Signed-off-by: Trent Lloyd <tr...@lloyd.id.au>
Tested-by: SUGNIAUX Wilfried <w...@ppharm2k20.net>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 7 +++++++
drivers/hid/usbhid/hid-quirks.c | 5 +++++
2 files changed, 12 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -242,6 +242,13 @@
#define USB_DEVICE_ID_CODEMERCS_IOW_FIRST 0x1500
#define USB_DEVICE_ID_CODEMERCS_IOW_LAST 0x15ff

+#define USB_VENDOR_ID_CORSAIR 0x1b1c
+#define USB_DEVICE_ID_CORSAIR_K70R 0x1b09
+#define USB_DEVICE_ID_CORSAIR_K95RGB 0x1b11
+#define USB_DEVICE_ID_CORSAIR_M65RGB 0x1b12
+#define USB_DEVICE_ID_CORSAIR_K70RGB 0x1b13
+#define USB_DEVICE_ID_CORSAIR_K65RGB 0x1b17
+

#define USB_VENDOR_ID_CREATIVELABS 0x041e
#define USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51 0x322c

#define USB_DEVICE_ID_PRODIKEYS_PCMIDI 0x2801
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -72,6 +72,11 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_3AXIS_5BUTTON_STICK, HID_QUIRK_NOGET },

{ USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_AXIS_295, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },

+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70R, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_M65RGB, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K95RGB, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eryu Guan <eg...@redhat.com>

commit 8affebe16d79ebefb1d9d6d56a46dc89716f9453 upstream.

xfs_find_get_desired_pgoff() is used to search for offset of hole or
data in page range [index, end] (both inclusive), and the max number
of pages to search should be at least one, if end == index.
Otherwise the only page is missed and no hole or data is found,
which is not correct.

When block size is smaller than page size, this can be demonstrated
by preallocating a file with size smaller than page size and writing
data to the last block. E.g. run this xfs_io command on a 1k block
size XFS on x86_64 host.

# xfs_io -fc "falloc 0 3k" -c "pwrite 2k 1k" \
-c "seek -d 0" /mnt/xfs/testfile
wrote 1024/1024 bytes at offset 2048
1 KiB, 1 ops; 0.0000 sec (33.675 MiB/sec and 34482.7586 ops/sec)
Whence Result
DATA EOF

Data at offset 2k was missed, and lseek(2) returned ENXIO.

This is uncovered by generic/285 subtest 07 and 08 on ppc64 host,
where pagesize is 64k. Because a recent change to generic/285
reduced the preallocated file size to smaller than 64k.

Signed-off-by: Eryu Guan <eg...@redhat.com>
Reviewed-by: Jan Kara <ja...@suse.cz>
Reviewed-by: Darrick J. Wong <darric...@oracle.com>
Signed-off-by: Darrick J. Wong <darric...@oracle.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/xfs/xfs_file.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -1052,7 +1052,7 @@ xfs_find_get_desired_pgoff(
unsigned nr_pages;
unsigned int i;

- want = min_t(pgoff_t, end - index, PAGEVEC_SIZE);
+ want = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1;
nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index,
want);
/*

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.z...@arm.com>

commit 33b5c38852b29736f3b472dd095c9a18ec22746f upstream.

We currently have the HSCTLR.A bit set, trapping unaligned accesses
at HYP, but we're not really prepared to deal with it.

Since the rest of the kernel is pretty happy about that, let's follow
its example and set HSCTLR.A to zero. Modern CPUs don't really care.

Signed-off-by: Marc Zyngier <marc.z...@arm.com>
Signed-off-by: Christoffer Dall <cd...@linaro.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/arm/kvm/init.S | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/arch/arm/kvm/init.S
+++ b/arch/arm/kvm/init.S
@@ -109,7 +109,6 @@ __do_hyp_init:
@ - Write permission implies XN: disabled
@ - Instruction cache: enabled
@ - Data/Unified cache: enabled
- @ - Memory alignment checks: enabled
@ - MMU: enabled (this code must be run from an identity mapping)
mrc p15, 4, r0, c1, c0, 0 @ HSCR
ldr r2, =HSCTLR_MASK
@@ -117,8 +116,8 @@ __do_hyp_init:
mrc p15, 0, r1, c1, c0, 0 @ SCTLR
ldr r2, =(HSCTLR_EE | HSCTLR_FI | HSCTLR_I | HSCTLR_C)
and r1, r1, r2
- ARM( ldr r2, =(HSCTLR_M | HSCTLR_A) )
- THUMB( ldr r2, =(HSCTLR_M | HSCTLR_A | HSCTLR_TE) )
+ ARM( ldr r2, =(HSCTLR_M) )
+ THUMB( ldr r2, =(HSCTLR_M | HSCTLR_TE) )
orr r1, r1, r2
orr r0, r0, r1
isb

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Moore <pa...@paul-moore.com>

commit 023f108dcc187e34ef864bf10ed966cf25e14e2a upstream.

This patch is based on a discussion generated by an earlier patch
from Tetsuo Handa:

* https://marc.info/?t=149035659300001&r=1&w=2

The double free problem involves the mnt_opts field of the
security_mnt_opts struct, selinux_parse_opts_str() frees the memory
on error, but doesn't set the field to NULL so if the caller later
attempts to call security_free_mnt_opts() we trigger the problem.

In order to play it safe we change selinux_parse_opts_str() to call
security_free_mnt_opts() on error instead of free'ing the memory
directly. This should ensure that everything is handled correctly,
regardless of what the caller may do.

Fixes: e0007529893c1c06 ("LSM/SELinux: Interfaces to allow FS to control mount options")
Cc: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Paul Moore <pa...@paul-moore.com>
Signed-off-by: James Morris <james.l...@oracle.com>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

security/selinux/hooks.c | 5 ++---

1 file changed, 2 insertions(+), 3 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1000,10 +1000,8 @@ static int selinux_parse_opts_str(char *
goto out_err;

opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
- if (!opts->mnt_opts_flags) {
- kfree(opts->mnt_opts);
+ if (!opts->mnt_opts_flags)
goto out_err;
- }

if (fscontext) {
opts->mnt_opts[num_mnt_opts] = fscontext;
@@ -1026,6 +1024,7 @@ static int selinux_parse_opts_str(char *
return 0;

out_err:
+ security_free_mnt_opts(opts);
kfree(context);
kfree(defcontext);
kfree(fscontext);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marcel Hasler <maha...@gmail.com>

commit 8aa2cc7e747881d1fd52db28261b201d4e3e5565 upstream.

The DolphinBar by Mayflash (identified as Dragonrise) needs
HID_QUIRK_MULTI_INPUT to split it up into four input devices. Without this
quirk the adapter is falsely recognized as a tablet. See also bug 115841
(https://bugzilla.kernel.org/show_bug.cgi?id=115841).

Signed-off-by: Marcel Hasler <maha...@gmail.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 1 +
drivers/hid/usbhid/hid-quirks.c | 1 +

2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -293,6 +293,7 @@
#define USB_VENDOR_ID_DRAGONRISE 0x0079
#define USB_DEVICE_ID_DRAGONRISE_WIIU 0x1800
#define USB_DEVICE_ID_DRAGONRISE_PS3 0x1801
+#define USB_DEVICE_ID_DRAGONRISE_DOLPHINBAR 0x1803
#define USB_DEVICE_ID_DRAGONRISE_GAMECUBE 0x1843

#define USB_VENDOR_ID_DWAV 0x0eef
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -83,6 +83,7 @@ static const struct hid_blacklist {

{ USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },

{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_DOLPHINBAR, HID_QUIRK_MULTI_INPUT },
{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_GAMECUBE, HID_QUIRK_MULTI_INPUT },
{ USB_VENDOR_ID_ELAN, HID_ANY_ID, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 46c319b848268dab3f0e7c4a5b6e9146d3bca8a4 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <jo...@kernel.org>
Reviewed-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Guenter Roeck <li...@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <w...@iguana.be>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/watchdog/pcwd_usb.c | 3 +++

1 file changed, 3 insertions(+)

--- a/drivers/watchdog/pcwd_usb.c
+++ b/drivers/watchdog/pcwd_usb.c
@@ -630,6 +630,9 @@ static int usb_pcwd_probe(struct usb_int
return -ENODEV;
}

+ if (iface_desc->desc.bNumEndpoints < 1)
+ return -ENODEV;
+
/* check out the endpoint: it has to be Interrupt & IN */
endpoint = &iface_desc->endpoint[0].desc;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.z...@arm.com>

commit d68c1f7fd1b7148dab5fe658321d511998969f2d upstream.

__do_hyp_init has the rather bad habit of ignoring RES1 bits and
writing them back as zero. On a v8.0-8.2 CPU, this doesn't do anything
bad, but may end-up being pretty nasty on future revisions of the
architecture.

Let's preserve those bits so that we don't have to fix this later on.

Signed-off-by: Marc Zyngier <marc.z...@arm.com>
Signed-off-by: Christoffer Dall <cd...@linaro.org>

[bwh: Backported to 3.16:
- s/ELx/EL2/
- Adjust filename, context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/arch/arm64/include/asm/kvm_arm.h
+++ b/arch/arm64/include/asm/kvm_arm.h
@@ -89,6 +89,11 @@
#define SCTLR_EL2_C (1 << 2)
#define SCTLR_EL2_A (1 << 1)
#define SCTLR_EL2_M 1
+
+#define SCTLR_EL2_RES1 ((1 << 4) | (1 << 5) | (1 << 11) | (1 << 16) | \
+ (1 << 16) | (1 << 18) | (1 << 22) | (1 << 23) | \
+ (1 << 28) | (1 << 29))
+
#define SCTLR_EL2_FLAGS (SCTLR_EL2_M | SCTLR_EL2_A | SCTLR_EL2_C | \
SCTLR_EL2_SA | SCTLR_EL2_I)

--- a/arch/arm64/kvm/hyp-init.S
+++ b/arch/arm64/kvm/hyp-init.S
@@ -84,10 +84,12 @@ __do_hyp_init:
tlbi alle2
dsb sy

- mrs x4, sctlr_el2
- and x4, x4, #SCTLR_EL2_EE // preserve endianness of EL2
- ldr x5, =SCTLR_EL2_FLAGS
- orr x4, x4, x5
+ /*
+ * Preserve all the RES1 bits while setting the default flags,
+ * as well as the EE bit on BE.
+ */
+ ldr x4, =(SCTLR_EL2_RES1 | SCTLR_EL2_FLAGS)
+CPU_BE( orr x4, x4, #SCTLR_EL2_EE)
msr sctlr_el2, x4
isb

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Keller <daniel...@gcd.de>

commit 2ae3986b84e9d325bc92a1efbcf0c6b0f5016b35 upstream.

Adding support for not JP versions of the Microsoft Surface 4 Type Cover Pro

[jko...@suse.cz: The identical patch has been sent by Jeff Farthing, so I am
including his signoff as well]

Signed-off-by: Jeff Farthing <je...@jfarthing.com>
Signed-off-by: Daniel Keller <daniel...@gcd.de>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-core.c | 4 ++++
drivers/hid/hid-ids.h | 2 ++
drivers/hid/hid-microsoft.c | 4 ++++
drivers/hid/usbhid/hid-quirks.c | 2 ++
4 files changed, 12 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -707,6 +707,8 @@ static void hid_scan_collection(struct h

(hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3 ||
hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2 ||
hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP ||
+ hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_4 ||

+ hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_2 ||

hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP ||
hid->product == USB_DEVICE_ID_MS_TYPE_COVER_3 ||
hid->product == USB_DEVICE_ID_MS_POWER_COVER) &&

@@ -1864,6 +1866,8 @@ static const struct hid_device_id hid_ha

{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP) },

+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_2) },

{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER) },

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -678,6 +678,8 @@

#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3 0x07dc
#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2 0x07e2
#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP 0x07dd

+#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_4 0x07e4
+#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_2 0x07e8

#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP 0x07e9
#define USB_DEVICE_ID_MS_TYPE_COVER_3 0x07de
#define USB_DEVICE_ID_MS_POWER_COVER 0x07da
--- a/drivers/hid/hid-microsoft.c
+++ b/drivers/hid/hid-microsoft.c

@@ -282,6 +282,10 @@ static const struct hid_device_id ms_dev

.driver_data = MS_HIDINPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP),
.driver_data = MS_HIDINPUT },

+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4),

+ .driver_data = MS_HIDINPUT },

+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_2),

+ .driver_data = MS_HIDINPUT },

{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_JP),

.driver_data = MS_HIDINPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3),

--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -103,6 +103,8 @@ static const struct hid_blacklist {

{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_2, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP, HID_QUIRK_NO_INIT_REPORTS },

+ { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_4_2, HID_QUIRK_NO_INIT_REPORTS },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvbo...@gmail.com>

commit 867510bde14e7b7fc6dd0f50b48f6753cfbd227a upstream.

BSSIDR has two byte alignment on PCI ioremap correct the write
by swapping to 16 bits first.

This fixes a problem that the device associates fail because
the filter is not set correctly.

Signed-off-by: Malcolm Priestley <tvbo...@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
[bwh: Backported to 3.16: keep using write_nic_{word,dword}()]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
+++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
@@ -100,8 +100,9 @@ void rtl8192e_SetHwReg(struct net_device

switch (variable) {
case HW_VAR_BSSID:
- write_nic_dword(dev, BSSIDR, ((u32 *)(val))[0]);
- write_nic_word(dev, BSSIDR+2, ((u16 *)(val+2))[0]);
+ /* BSSIDR 2 byte alignment */
+ write_nic_word(dev, BSSIDR, *(u16 *)val);
+ write_nic_dword(dev, BSSIDR + 2, *(u32 *)(val + 2));
break;

case HW_VAR_MEDIA_STATUS:
@@ -965,8 +966,8 @@ static void rtl8192_net_update(struct ne
rtl8192_config_rate(dev, &rate_config);
priv->dot11CurrentPreambleMode = PREAMBLE_AUTO;
priv->basic_rate = rate_config &= 0x15f;
- write_nic_dword(dev, BSSIDR, ((u32 *)net->bssid)[0]);
- write_nic_word(dev, BSSIDR+4, ((u16 *)net->bssid)[2]);
+ write_nic_word(dev, BSSIDR, *(u16 *)net->bssid);
+ write_nic_dword(dev, BSSIDR + 2, *(u32 *)(net->bssid + 2));

if (priv->rtllib->iw_mode == IW_MODE_ADHOC) {
write_nic_word(dev, ATIMWND, 2);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Gilad Ben-Yossef <gi...@benyossef.com>

commit f3ad587070d6bd961ab942b3fd7a85d00dfc934b upstream.

crypto_gcm_setkey() was using wait_for_completion_interruptible() to
wait for completion of async crypto op but if a signal occurs it
may return before DMA ops of HW crypto provider finish, thus
corrupting the data buffer that is kfree'ed in this case.

Resolve this by using wait_for_completion() instead.

Reported-by: Eric Biggers <ebig...@gmail.com>
Signed-off-by: Gilad Ben-Yossef <gi...@benyossef.com>
Signed-off-by: Herbert Xu <her...@gondor.apana.org.au>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

crypto/gcm.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -146,10 +146,8 @@ static int crypto_gcm_setkey(struct cryp

err = crypto_ablkcipher_encrypt(&data->req);
if (err == -EINPROGRESS || err == -EBUSY) {
- err = wait_for_completion_interruptible(
- &data->result.completion);
- if (!err)
- err = data->result.err;
+ wait_for_completion(&data->result.completion);
+ err = data->result.err;
}

if (err)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <vi...@zeniv.linux.org.uk>

commit 6b0d144fa758869bdd652c50aa41aaf601232550 upstream.

Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/ufs/super.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

--- a/fs/ufs/super.c
+++ b/fs/ufs/super.c
@@ -767,6 +767,23 @@ static void ufs_put_super(struct super_b
return;
}

+static u64 ufs_max_bytes(struct super_block *sb)
+{
+ struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi;
+ int bits = uspi->s_apbshift;
+ u64 res;
+
+ if (bits > 21)
+ res = ~0ULL;
+ else
+ res = UFS_NDADDR + (1LL << bits) + (1LL << (2*bits)) +
+ (1LL << (3*bits));
+
+ if (res >= (MAX_LFS_FILESIZE >> uspi->s_bshift))
+ return MAX_LFS_FILESIZE;
+ return res << uspi->s_bshift;
+}
+
static int ufs_fill_super(struct super_block *sb, void *data, int silent)
{
struct ufs_sb_info * sbi;
@@ -1233,6 +1250,7 @@ magic_found:
"fast symlink size (%u)\n", uspi->s_maxsymlinklen);
uspi->s_maxsymlinklen = maxsymlen;
}
+ sb->s_maxbytes = ufs_max_bytes(sb);
sb->s_max_links = UFS_LINK_MAX;

inode = ufs_iget(sb, UFS_ROOTINO);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Thalmeier <michael....@hale.at>

commit 0340ff83cd4475261e7474033a381bc125b45244 upstream.

ci_role BUGs when the role is >= CI_ROLE_END.

Signed-off-by: Michael Thalmeier <michael....@hale.at>
Signed-off-by: Peter Chen <peter...@nxp.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/chipidea/debug.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/chipidea/debug.c
+++ b/drivers/usb/chipidea/debug.c
@@ -286,7 +286,8 @@ static int ci_role_show(struct seq_file
{
struct ci_hdrc *ci = s->private;

- seq_printf(s, "%s\n", ci_role(ci)->name);
+ if (ci->role != CI_ROLE_END)
+ seq_printf(s, "%s\n", ci_role(ci)->name);

return 0;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Serhey Popovych <serhe.p...@gmail.com>

commit 07f615574f8ac499875b21c1142f26308234a92c upstream.

While commit 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
does good job on error propagation to the fib_rules_lookup()
in fib rules core framework that also corrects throw routes
handling, it does not solve route reference leakage problem
happened when we return -EAGAIN to the fib_rules_lookup()
and leave routing table entry referenced in arg->result.

If rule with matched throw route isn't last matched in the
list we overwrite arg->result losing reference on throw
route stored previously forever.

We also partially revert commit ab997ad40839 ("ipv6: fix the
incorrect return value of throw route") since we never return
routing table entry with dst.error == -EAGAIN when
CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point
to check for RTF_REJECT flag since it is always set throw
route.

Fixes: 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
Signed-off-by: Serhey Popovych <serhe.p...@gmail.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

[bwh: Backported to 3.16: commit ab997ad40839 was never applied here and does
not need to be reverted]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -105,7 +105,8 @@ static int fib6_rule_action(struct fib_r
flp6->saddr = saddr;
}
err = rt->dst.error;
- goto out;
+ if (err != -EAGAIN)
+ goto out;
}
again:
ip6_rt_put(rt);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Petazzoni <thomas.p...@free-electrons.com>

commit 4b148d5144d64ee135b8924350cb0b3a7fd21150 upstream.

platform_get_irq() returns an error code, but the xhci-plat driver
ignores it and always returns -ENODEV. This is not correct, and
prevents -EPROBE_DEFER from being propagated properly.

Signed-off-by: Thomas Petazzoni <thomas.p...@free-electrons.com>

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/host/xhci-plat.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -109,7 +109,7 @@ static int xhci_plat_probe(struct platfo

irq = platform_get_irq(pdev, 0);
if (irq < 0)
- return -ENODEV;
+ return irq;

res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
if (!res)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpe...@hotmail.com>

commit a575813bfe4bc15aba511a5e91e61d242bff8b9d upstream.

Reported by syzkaller:

BUG: unable to handle kernel paging request at ffffffffc07f6a2e
IP: report_bug+0x94/0x120
PGD 348e12067
P4D 348e12067
PUD 348e14067
PMD 3cbd84067
PTE 80000003f7e87161

Oops: 0003 [#1] SMP
CPU: 2 PID: 7091 Comm: kvm_load_guest_ Tainted: G OE 4.11.0+ #8
task: ffff92fdfb525400 task.stack: ffffbda6c3d04000
RIP: 0010:report_bug+0x94/0x120
RSP: 0018:ffffbda6c3d07b20 EFLAGS: 00010202
do_trap+0x156/0x170
do_error_trap+0xa3/0x170
? kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
? mark_held_locks+0x79/0xa0
? retint_kernel+0x10/0x10
? trace_hardirqs_off_thunk+0x1a/0x1c
do_invalid_op+0x20/0x30
invalid_op+0x1e/0x30
RIP: 0010:kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm]
? kvm_load_guest_fpu.part.175+0x1c/0x170 [kvm]
kvm_arch_vcpu_ioctl_run+0xed6/0x1b70 [kvm]
kvm_vcpu_ioctl+0x384/0x780 [kvm]
? kvm_vcpu_ioctl+0x384/0x780 [kvm]
? sched_clock+0x13/0x20
? __do_page_fault+0x2a0/0x550
do_vfs_ioctl+0xa4/0x700
? up_read+0x1f/0x40
? __do_page_fault+0x2a0/0x550
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x23/0xc2

SDM mentioned that "The MXCSR has several reserved bits, and attempting to write
a 1 to any of these bits will cause a general-protection exception(#GP) to be
generated". The syzkaller forks' testcase overrides xsave area w/ random values
and steps on the reserved bits of MXCSR register. The damaged MXCSR register
values of guest will be restored to SSEx MXCSR register before vmentry. This
patch fixes it by catching userspace override MXCSR register reserved bits w/
random values and bails out immediately.

Reported-by: Andrey Konovalov <andre...@google.com>
Reviewed-by: Paolo Bonzini <pbon...@redhat.com>
Cc: Paolo Bonzini <pbon...@redhat.com>
Cc: Radim Krčmář <rkr...@redhat.com>
Signed-off-by: Wanpeng Li <wanpe...@hotmail.com>
Signed-off-by: Radim Krčmář <rkr...@redhat.com>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/x86/kernel/i387.c | 1 +
arch/x86/kvm/x86.c | 9 +++++++--
2 files changed, 8 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/i387.c
+++ b/arch/x86/kernel/i387.c
@@ -115,6 +115,7 @@ void unlazy_fpu(struct task_struct *tsk)
EXPORT_SYMBOL(unlazy_fpu);

unsigned int mxcsr_feature_mask __read_mostly = 0xffffffffu;
+EXPORT_SYMBOL_GPL(mxcsr_feature_mask);
unsigned int xstate_size;
EXPORT_SYMBOL_GPL(xstate_size);
static struct i387_fxsave_struct fx_scratch;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3110,11 +3110,14 @@ static void kvm_vcpu_ioctl_x86_get_xsave
}
}

+#define XSAVE_MXCSR_OFFSET 24
+
static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
struct kvm_xsave *guest_xsave)
{
u64 xstate_bv =
*(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)];
+ u32 mxcsr = *(u32 *)&guest_xsave->region[XSAVE_MXCSR_OFFSET / sizeof(u32)];

if (cpu_has_xsave) {
/*
@@ -3122,12 +3125,14 @@ static int kvm_vcpu_ioctl_x86_set_xsave(
* CPUID leaf 0xD, index 0, EDX:EAX. This is for compatibility
* with old userspace.
*/
- if (xstate_bv & ~kvm_supported_xcr0())
+ if (xstate_bv & ~kvm_supported_xcr0() ||
+ mxcsr & ~mxcsr_feature_mask)
return -EINVAL;
memcpy(&vcpu->arch.guest_fpu.state->xsave,
guest_xsave->region, vcpu->arch.guest_xstate_size);
} else {
- if (xstate_bv & ~XSTATE_FPSSE)
+ if (xstate_bv & ~XSTATE_FPSSE ||
+ mxcsr & ~mxcsr_feature_mask)
return -EINVAL;
memcpy(&vcpu->arch.guest_fpu.state->fxsave,
guest_xsave->region, sizeof(struct i387_fxsave_struct));

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marcin Nowakowski <marcin.n...@imgtec.com>

commit 698b851073ddf5a894910d63ca04605e0473414e upstream.

When ftrace is used with kprobes, it is possible for a kprobe to contain
an invalid location (ie. only initialised to 0 and not to a specific
location in the code). Trying to perform a cache flush on such location
leads to a crash r4k_flush_icache_range().

Fixes: c1bf207d6ee1 ("MIPS: kprobe: Add support.")
Signed-off-by: Marcin Nowakowski <marcin.n...@imgtec.com>
Cc: linux...@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16296/
Signed-off-by: Ralf Baechle <ra...@linux-mips.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/mips/include/asm/kprobes.h | 3 ++-

1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/mips/include/asm/kprobes.h
+++ b/arch/mips/include/asm/kprobes.h
@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_op

#define flush_insn_slot(p) \
do { \
- flush_icache_range((unsigned long)p->addr, \
+ if (p->addr) \
+ flush_icache_range((unsigned long)p->addr, \
(unsigned long)p->addr + \
(MAX_INSN_SIZE * sizeof(kprobe_opcode_t))); \
} while (0)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit ad0ccac76dcc92c3331f4c94c9fc54f8bf1ab20c upstream.

Add missing endianness conversion when printing the supported baud
rates.

Found using sparse:

warning: restricted __le16 degrades to integer

Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module")
Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Johan Hovold <jo...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/serial/ir-usb.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/ir-usb.c
+++ b/drivers/usb/serial/ir-usb.c
@@ -197,6 +197,7 @@ static u8 ir_xbof_change(u8 xbof)
static int ir_startup(struct usb_serial *serial)
{
struct usb_irda_cs_descriptor *irda_desc;
+ int rates;

irda_desc = irda_usb_find_class_desc(serial, 0);
if (!irda_desc) {
@@ -205,18 +206,20 @@ static int ir_startup(struct usb_serial
return -ENODEV;
}

+ rates = le16_to_cpu(irda_desc->wBaudRate);
+
dev_dbg(&serial->dev->dev,
"%s - Baud rates supported:%s%s%s%s%s%s%s%s%s\n",
__func__,
- (irda_desc->wBaudRate & USB_IRDA_BR_2400) ? " 2400" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_9600) ? " 9600" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_19200) ? " 19200" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_38400) ? " 38400" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_57600) ? " 57600" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_115200) ? " 115200" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_576000) ? " 576000" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_1152000) ? " 1152000" : "",
- (irda_desc->wBaudRate & USB_IRDA_BR_4000000) ? " 4000000" : "");
+ (rates & USB_IRDA_BR_2400) ? " 2400" : "",
+ (rates & USB_IRDA_BR_9600) ? " 9600" : "",
+ (rates & USB_IRDA_BR_19200) ? " 19200" : "",
+ (rates & USB_IRDA_BR_38400) ? " 38400" : "",
+ (rates & USB_IRDA_BR_57600) ? " 57600" : "",
+ (rates & USB_IRDA_BR_115200) ? " 115200" : "",
+ (rates & USB_IRDA_BR_576000) ? " 576000" : "",
+ (rates & USB_IRDA_BR_1152000) ? " 1152000" : "",
+ (rates & USB_IRDA_BR_4000000) ? " 4000000" : "");

switch (irda_desc->bmAdditionalBOFs) {
case USB_IRDA_AB_48:

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sean Young <se...@mess.org>

commit 963761a0b2e85663ee4a5630f72930885a06598a upstream.

A rc device can call ir_raw_event_handle() after rc_allocate_device(),
but before rc_register_device() has completed. This is racey because
rcdev->raw is set before rcdev->raw->thread has a valid value.

Reported-by: kbuild test robot <fenggu...@intel.com>
Signed-off-by: Sean Young <se...@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
[bwh: Backported to 3.16: adjust filename, context, indentation]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/media/rc/ir-raw.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/media/rc/ir-raw.c
+++ b/drivers/media/rc/ir-raw.c
@@ -220,7 +220,7 @@ void ir_raw_event_handle(struct rc_dev *
{
unsigned long flags;

- if (!dev->raw)
+ if (!dev->raw || !dev->raw->thread)
return;

spin_lock_irqsave(&dev->raw->lock, flags);
@@ -247,6 +247,7 @@ int ir_raw_event_register(struct rc_dev
{
int rc;
struct ir_raw_handler *handler;
+ struct task_struct *thread;

if (!dev)
return -EINVAL;
@@ -264,14 +265,16 @@ int ir_raw_event_register(struct rc_dev
goto out;

spin_lock_init(&dev->raw->lock);
- dev->raw->thread = kthread_run(ir_raw_event_thread, dev->raw,
- "rc%ld", dev->devno);
+ thread = kthread_run(ir_raw_event_thread, dev->raw, "rc%ld",
+ dev->devno);

- if (IS_ERR(dev->raw->thread)) {
- rc = PTR_ERR(dev->raw->thread);
+ if (IS_ERR(thread)) {
+ rc = PTR_ERR(thread);
goto out;
}

+ dev->raw->thread = thread;
+
mutex_lock(&ir_raw_handler_lock);
list_add_tail(&dev->raw->list, &ir_raw_client_list);
list_for_each_entry(handler, &ir_raw_handler_list, list)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Stephen Just <steph...@gmail.com>

commit 0439de75d32c249bd9f5824ffd5e40c4c2109d77 upstream.

Adding support for the Microsoft Surface 3 (non-pro) Type Cover.

The existing definitions and quirks are actually for the Surface
Pro 3 type covers. I've renamed the old constants to reflect that
they belong to the Surface Pro 3, and added a new constant and
matching code for the Surface 3.

Signed-off-by: Stephen Just <steph...@gmail.com>
Signed-off-by: Jiri Kosina <jko...@suse.com>
[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-core.c | 8 +++++---
drivers/hid/hid-ids.h | 5 +++--
drivers/hid/hid-microsoft.c | 6 ++++--
drivers/hid/usbhid/hid-quirks.c | 3 ++-
4 files changed, 14 insertions(+), 8 deletions(-)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -704,8 +704,9 @@ static void hid_scan_collection(struct h
hid->group = HID_GROUP_SENSOR_HUB;

if (hid->vendor == USB_VENDOR_ID_MICROSOFT &&
- (hid->product == USB_DEVICE_ID_MS_TYPE_COVER_3 ||
- hid->product == USB_DEVICE_ID_MS_TYPE_COVER_3_JP ||
+ (hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3 ||
+ hid->product == USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP ||
+ hid->product == USB_DEVICE_ID_MS_TYPE_COVER_3 ||

hid->product == USB_DEVICE_ID_MS_POWER_COVER) &&

hid->group == HID_GROUP_MULTITOUCH)
hid->group = HID_GROUP_GENERIC;
@@ -1858,8 +1859,9 @@ static const struct hid_device_id hid_ha
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_DIGITAL_MEDIA_3K) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_WIRELESS_OPTICAL_DESKTOP_3_0) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_OFFICE_KB) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3) },
- { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3_JP) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER) },
{ HID_USB_DEVICE(USB_VENDOR_ID_MONTEREY, USB_DEVICE_ID_GENIUS_KB29E) },
{ HID_USB_DEVICE(USB_VENDOR_ID_NTRIG, USB_DEVICE_ID_NTRIG_TOUCH_SCREEN) },
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -661,8 +661,9 @@
#define USB_DEVICE_ID_MS_SURFACE_PRO_2 0x0799
#define USB_DEVICE_ID_MS_TOUCH_COVER_2 0x07a7
#define USB_DEVICE_ID_MS_TYPE_COVER_2 0x07a9
-#define USB_DEVICE_ID_MS_TYPE_COVER_3 0x07dc
-#define USB_DEVICE_ID_MS_TYPE_COVER_3_JP 0x07dd
+#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3 0x07dc
+#define USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP 0x07dd
+#define USB_DEVICE_ID_MS_TYPE_COVER_3 0x07de
#define USB_DEVICE_ID_MS_POWER_COVER 0x07da

#define USB_VENDOR_ID_MOJO 0x8282
--- a/drivers/hid/hid-microsoft.c
+++ b/drivers/hid/hid-microsoft.c
@@ -276,9 +276,11 @@ static const struct hid_device_id ms_dev
.driver_data = MS_NOGET },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_COMFORT_MOUSE_4500),
.driver_data = MS_DUPLICATE_USAGES },
- { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3),
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3),

+ .driver_data = MS_HIDINPUT },

+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP),
.driver_data = MS_HIDINPUT },
- { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3_JP),
+ { HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3),
.driver_data = MS_HIDINPUT },
{ HID_USB_DEVICE(USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER),
.driver_data = MS_HIDINPUT },
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -91,8 +91,9 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_SURFACE_PRO_2, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_2, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TOUCH_COVER_2, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_PRO_3_JP, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS },
- { USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3_JP, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_POWER_COVER, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GX680R_LED_PANEL, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_NEXIO, USB_DEVICE_ID_NEXIO_MULTITOUCH_PTI0750, HID_QUIRK_NO_INIT_REPORTS },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Narron <comet.b...@gmail.com>

commit 239e250e4acbc0104d514307029c0839e834a51a upstream.

This fixes a problem with reading files larger than 2GB from a UFS-2
file system:

https://bugzilla.kernel.org/show_bug.cgi?id=195721

The incorrect UFS s_maxsize limit became a problem as of commit
c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
which started using s_maxbytes to avoid a page index overflow in
do_generic_file_read().

That caused files to be truncated on UFS-2 file systems because the
default maximum file size is 2GB (MAX_NON_LFS) and UFS didn't update it.

Here I simply increase the default to a common value used by other file
systems.

Signed-off-by: Richard Narron <comet.b...@gmail.com>
Cc: Al Viro <vi...@zeniv.linux.org.uk>
Cc: Will B <will.broke...@gmail.com>
Cc: Theodore Ts'o <ty...@mit.edu>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

fs/ufs/super.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/ufs/super.c
+++ b/fs/ufs/super.c
@@ -835,9 +835,8 @@ static int ufs_fill_super(struct super_b
uspi->s_dirblksize = UFS_SECTOR_SIZE;
super_block_offset=UFS_SBLOCK;

- /* Keep 2Gig file limit. Some UFS variants need to override
- this but as I don't know which I'll let those in the know loosen
- the rules */
+ sb->s_maxbytes = MAX_LFS_FILESIZE;
+
switch (sbi->s_mount_opt & UFS_MOUNT_UFSTYPE) {
case UFS_MOUNT_UFSTYPE_44BSD:
UFSD("ufstype=44bsd\n");

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebie...@xmission.com>

commit 57db7e4a2d92c2d3dfbca4ef8057849b2682436b upstream.

Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.

This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.

The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.

Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.

Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.

Reported-by: Thomas Gleixner <tg...@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebie...@xmission.com>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

kernel/signal.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -543,7 +543,8 @@ unblock_all_signals(void)
spin_unlock_irqrestore(&current->sighand->siglock, flags);
}

-static void collect_signal(int sig, struct sigpending *list, siginfo_t *info)
+static void collect_signal(int sig, struct sigpending *list, siginfo_t *info,
+ bool *resched_timer)
{
struct sigqueue *q, *first = NULL;

@@ -565,6 +566,12 @@ static void collect_signal(int sig, stru
still_pending:
list_del_init(&first->list);
copy_siginfo(info, &first->info);
+
+ *resched_timer =
+ (first->flags & SIGQUEUE_PREALLOC) &&
+ (info->si_code == SI_TIMER) &&
+ (info->si_sys_private);
+
__sigqueue_free(first);
} else {
/*
@@ -581,7 +588,7 @@ still_pending:
}

static int __dequeue_signal(struct sigpending *pending, sigset_t *mask,
- siginfo_t *info)
+ siginfo_t *info, bool *resched_timer)
{
int sig = next_signal(pending, mask);

@@ -595,7 +602,7 @@ static int __dequeue_signal(struct sigpe
}
}

- collect_signal(sig, pending, info);
+ collect_signal(sig, pending, info, resched_timer);
}

return sig;
@@ -609,15 +616,16 @@ static int __dequeue_signal(struct sigpe
*/
int dequeue_signal(struct task_struct *tsk, sigset_t *mask, siginfo_t *info)
{
+ bool resched_timer = false;
int signr;

/* We only dequeue private signals from ourselves, we don't let
* signalfd steal them
*/
- signr = __dequeue_signal(&tsk->pending, mask, info);
+ signr = __dequeue_signal(&tsk->pending, mask, info, &resched_timer);
if (!signr) {
signr = __dequeue_signal(&tsk->signal->shared_pending,
- mask, info);
+ mask, info, &resched_timer);
/*
* itimer signal ?
*
@@ -662,7 +670,7 @@ int dequeue_signal(struct task_struct *t
*/
current->jobctl |= JOBCTL_STOP_DEQUEUED;
}
- if ((info->si_code & __SI_MASK) == __SI_TIMER && info->si_sys_private) {
+ if (resched_timer) {
/*
* Release the siglock to ensure proper locking order
* of timer locks outside of siglocks. Note, we leave

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <jo...@kernel.org>

commit 6aeb75e6adfaed16e58780309613a578fe1ee90b upstream.

Fix a division-by-zero in set_termios when debugging is enabled and a
high-enough speed has been requested so that the divisor value becomes
zero.

Instead of just fixing the offending debug statement, cap the baud rate
at the base as a zero divisor value also appears to crash the firmware.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Reviewed-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
Signed-off-by: Johan Hovold <jo...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/serial/io_ti.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -2215,8 +2215,11 @@ static void change_port_settings(struct
if (!baud) {
/* pick a default, any default... */
baud = 9600;
- } else
+ } else {
+ /* Avoid a zero divisor. */
+ baud = min(baud, 461550);
tty_encode_baud_rate(tty, baud, baud);
+ }

edge_port->baud_rate = baud;
config->wBaudRate = (__u16)((461550L + baud/2) / baud);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj38...@gmail.com>

commit 1bf8d5a4a5da19b1f6e7958fe67db4118fa7a1c1 upstream.

Default function signature of trace_unhandled() got changed to include a
field dict, but its documentation, perf-script-python.txt has not been
updated. Fix it.

Signed-off-by: SeongJae Park <sj38...@gmail.com>
Cc: Alexander Shishkin <alexander...@linux.intel.com>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Pierre Tardy <tar...@gmail.com>
Fixes: c02514850d67 ("perf scripts python: Give field dict to unhandled callback")
Link: http://lkml.kernel.org/r/20170530111827.2...@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <ac...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

tools/perf/Documentation/perf-script-python.txt | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

--- a/tools/perf/Documentation/perf-script-python.txt
+++ b/tools/perf/Documentation/perf-script-python.txt
@@ -149,10 +149,8 @@ def raw_syscalls__sys_enter(event_name,
print "id=%d, args=%s\n" % \
(id, args),

-def trace_unhandled(event_name, context, common_cpu, common_secs, common_nsecs,
- common_pid, common_comm):
- print_header(event_name, common_cpu, common_secs, common_nsecs,
- common_pid, common_comm)
+def trace_unhandled(event_name, context, event_fields_dict):
+ print ' '.join(['%s=%s'%(k,str(v))for k,v in sorted(event_fields_dict.items())])

def print_header(event_name, cpu, secs, nsecs, pid, comm):
print "%-20s %5u %05u.%09u %8u %-20s " % \
@@ -550,8 +548,7 @@ def trace_end():
of common arguments are passed into it:

----
-def trace_unhandled(event_name, context, common_cpu, common_secs,
- common_nsecs, common_pid, common_comm):
+def trace_unhandled(event_name, context, event_fields_dict):
pass
----

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tg...@linutronix.de>

commit 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd upstream.

Enabling the tracer selftest triggers occasionally the warning in
text_poke(), which warns when the to be modified page is not marked
reserved.

The reason is that the tracer selftest installs kprobes on functions marked
__init for testing. These probes are removed after the tests, but that
removal schedules the delayed kprobes_optimizer work, which will do the
actual text poke. If the work is executed after the init text is freed,
then the warning triggers. The bug can be reproduced reliably when the work
delay is increased.

Flush the optimizer work and wait for the optimizing/unoptimizing lists to
become empty before returning from the kprobes tracer selftest. That
ensures that all operations which were queued due to the probes removal
have completed.

Link: http://lkml.kernel.org/r/20170516094...@gandalf.local.home

Signed-off-by: Thomas Gleixner <tg...@linutronix.de>
Acked-by: Masami Hiramatsu <mhir...@kernel.org>
Fixes: 6274de498 ("kprobes: Support delayed unoptimizing")
Signed-off-by: Steven Rostedt (VMware) <ros...@goodmis.org>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -327,7 +327,9 @@ extern int proc_kprobes_optimization_han
int write, void __user *buffer,
size_t *length, loff_t *ppos);
#endif
-
+extern void wait_for_kprobe_optimizer(void);
+#else
+static inline void wait_for_kprobe_optimizer(void) { }
#endif /* CONFIG_OPTPROBES */
#ifdef CONFIG_KPROBES_ON_FTRACE
extern void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip,
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -563,7 +563,7 @@ static void kprobe_optimizer(struct work
}

/* Wait for completing optimization and unoptimization */
-static void wait_for_kprobe_optimizer(void)
+void wait_for_kprobe_optimizer(void)
{
mutex_lock(&kprobe_mutex);

--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -1484,6 +1484,11 @@ static __init int kprobe_trace_self_test

end:
release_all_trace_kprobes();
+ /*
+ * Wait for the optimizer work to finish. Otherwise it might fiddle
+ * with probes in already freed __init text.
+ */
+ wait_for_kprobe_optimizer();
if (warn)
pr_cont("NG: Some tests are failed. Please check them.\n");
else

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbon...@redhat.com>

commit bbaf0e2b1c1b4f88abd6ef49576f0efb1734eae5 upstream.

native_safe_halt enables interrupts, and you just shouldn't
call rcu_irq_enter() with interrupts enabled. Reorder the
call with the following local_irq_disable() to respect the
invariant.

Reported-by: Ross Zwisler <ross.z...@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>
Acked-by: Paul E. McKenney <pau...@linux.vnet.ibm.com>
Tested-by: Wanpeng Li <wanpe...@hotmail.com>
Signed-off-by: Radim Krčmář <rkr...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/x86/kernel/kvm.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -160,8 +160,8 @@ void kvm_async_pf_task_wait(u32 token)
*/
rcu_irq_exit();
native_safe_halt();
- rcu_irq_enter();
local_irq_disable();
+ rcu_irq_enter();
}
}
if (!n.halted)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter...@nxp.com>

commit 7480d912d549f414e0ce39331870899e89a5598c upstream.

According to xHCI ch4.20 Scratchpad Buffers, the Scratchpad
Buffer needs to be zeroed.

...
The following operations take place to allocate
Scratchpad Buffers to the xHC:
...
b. Software clears the Scratchpad Buffer to '0'

Signed-off-by: Peter Chen <peter...@nxp.com>

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/host/xhci-mem.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1709,7 +1709,7 @@ static int scratchpad_alloc(struct xhci_
xhci->dcbaa->dev_context_ptrs[0] = cpu_to_le64(xhci->scratchpad->sp_dma);
for (i = 0; i < num_sp; i++) {
dma_addr_t dma;
- void *buf = dma_alloc_coherent(dev, xhci->page_size, &dma,
+ void *buf = dma_zalloc_coherent(dev, xhci->page_size, &dma,
flags);
if (!buf)
goto fail_sp5;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Stafford Horne <sho...@gmail.com>

commit a382c30c662a31dd8f51cc4b6dad82d39205d50c upstream.

The midi controller times-out while initializing reports, this
causes boot to take an extra 10 seconds. The device descriptor
advertises that it has an internal HID device but seems to not
actually do anything useful.

Signed-off-by: Stafford Horne <sho...@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin....@redhat.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 3 +++
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 4 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -61,6 +61,9 @@
#define USB_VENDOR_ID_AIREN 0x1a2c
#define USB_DEVICE_ID_AIREN_SLIMPLUS 0x0002

+#define USB_VENDOR_ID_AKAI 0x2011
+#define USB_DEVICE_ID_AKAI_MPKMINI2 0x0715
+
#define USB_VENDOR_ID_ALCOR 0x058f
#define USB_DEVICE_ID_ALCOR_USBRS232 0x9720

--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -55,6 +55,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_TOUCHPACK, USB_DEVICE_ID_TOUCHPACK_RTS, HID_QUIRK_MULTI_INPUT },

{ USB_VENDOR_ID_AIREN, USB_DEVICE_ID_AIREN_SLIMPLUS, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_AKAI, USB_DEVICE_ID_AKAI_MPKMINI2, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_UC100KM, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS124U, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_2PORTKVM, HID_QUIRK_NOGET },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit f0c62e9878024300319ba2438adc7b06c6b9c448 upstream.

If vmalloc() fails then we need to a bit of cleanup before returning.

Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU")
Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Reviewed-by: Sinclair Yeh <sy...@vmware.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
@@ -385,6 +385,8 @@ void *vmw_fifo_reserve(struct vmw_privat
return fifo_state->static_buffer;
else {
fifo_state->dynamic_buffer = vmalloc(bytes);
+ if (!fifo_state->dynamic_buffer)
+ goto out_err;
return fifo_state->dynamic_buffer;
}
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yisheng Xie <xieyi...@huawei.com>

commit 70feee0e1ef331b22cc51f383d532a0d043fbdcc upstream.

Kefeng reported that when running the follow test, the mlock count in
meminfo will increase permanently:

[1] testcase
linux:~ # cat test_mlockal
grep Mlocked /proc/meminfo
for j in `seq 0 10`
do
for i in `seq 4 15`
do
./p_mlockall >> log &
done
sleep 0.2
done
# wait some time to let mlock counter decrease and 5s may not enough
sleep 5
grep Mlocked /proc/meminfo

linux:~ # cat p_mlockall.c
#include <sys/mman.h>
#include <stdlib.h>
#include <stdio.h>

#define SPACE_LEN 4096

int main(int argc, char ** argv)
{
int ret;
void *adr = malloc(SPACE_LEN);
if (!adr)
return -1;

ret = mlockall(MCL_CURRENT | MCL_FUTURE);
printf("mlcokall ret = %d\n", ret);

ret = munlockall();
printf("munlcokall ret = %d\n", ret);

free(adr);
return 0;
}

In __munlock_pagevec() we should decrement NR_MLOCK for each page where
we clear the PageMlocked flag. Commit 1ebb7cc6a583 ("mm: munlock: batch
NR_MLOCK zone state updates") has introduced a bug where we don't
decrement NR_MLOCK for pages where we clear the flag, but fail to
isolate them from the lru list (e.g. when the pages are on some other
cpu's percpu pagevec). Since PageMlocked stays cleared, the NR_MLOCK
accounting gets permanently disrupted by this.

Fix it by counting the number of page whose PageMlock flag is cleared.

Fixes: 1ebb7cc6a583 (" mm: munlock: batch NR_MLOCK zone state updates")
Link: http://lkml.kernel.org/r/1495678405-54569-1-git...@huawei.com
Signed-off-by: Yisheng Xie <xieyi...@huawei.com>
Reported-by: Kefeng Wang <wangkef...@huawei.com>
Tested-by: Kefeng Wang <wangkef...@huawei.com>
Cc: Vlastimil Babka <vba...@suse.cz>
Cc: Joern Engel <jo...@logfs.org>
Cc: Mel Gorman <mgo...@suse.de>
Cc: Michel Lespinasse <wal...@google.com>
Cc: Hugh Dickins <hu...@google.com>
Cc: Rik van Riel <ri...@redhat.com>
Cc: Johannes Weiner <han...@cmpxchg.org>
Cc: Michal Hocko <mho...@suse.cz>
Cc: Xishi Qiu <qiux...@huawei.com>
Cc: zhongjiang <zhong...@huawei.com>
Cc: Hanjun Guo <guoh...@huawei.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

mm/mlock.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -326,7 +326,7 @@ static void __munlock_pagevec(struct pag
{
int i;
int nr = pagevec_count(pvec);
- int delta_munlocked;
+ int delta_munlocked = -nr;
struct pagevec pvec_putback;
int pgrescued = 0;

@@ -346,6 +346,8 @@ static void __munlock_pagevec(struct pag
continue;
else
__munlock_isolation_failed(page);
+ } else {
+ delta_munlocked++;
}

/*
@@ -357,7 +359,6 @@ static void __munlock_pagevec(struct pag
pagevec_add(&pvec_putback, pvec->pages[i]);
pvec->pages[i] = NULL;
}
- delta_munlocked = -nr + pagevec_count(&pvec_putback);
__mod_zone_page_state(zone, NR_MLOCK, delta_munlocked);
spin_unlock_irq(&zone->lru_lock);

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.de>

commit 43faadfe96d3f049f4ae2c4090d2e57b9aafb995 upstream.

The device exists with two device IDs instead of one as previously
believed.

Signed-off-by: Oliver Neukum <one...@suse.de>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 3 ++-
drivers/hid/usbhid/hid-quirks.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -458,7 +458,8 @@
#define USB_DEVICE_ID_UGCI_FIGHTING 0x0030

#define USB_VENDOR_ID_HP 0x03f0
-#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE 0x0a4a
+#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A 0x0a4a
+#define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a
#define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a

#define USB_VENDOR_ID_HUION 0x256c
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -81,7 +81,8 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },
- { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C01A, HID_QUIRK_ALWAYS_POLL },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 63aea0dbab90a2461faaae357cbc8cfd6c8de9fe upstream.

With threaded interrupts, bottom-half handlers are called with
interrupts enabled. Therefore they can't safely use spin_lock(); they
have to use spin_lock_irqsave(). Lockdep warns about a violation
occurring in xhci_irq():

=========================================================
[ INFO: possible irq lock inversion dependency detected ]
4.11.0-rc8-dbg+ #1 Not tainted
---------------------------------------------------------
swapper/7/0 just changed the state of lock:
(&(&ehci->lock)->rlock){-.-...}, at: [<ffffffffa0130a69>]
ehci_hrtimer_func+0x29/0xc0 [ehci_hcd]
but this lock took another, HARDIRQ-unsafe lock in the past:
(hcd_urb_list_lock){+.....}

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
Possible interrupt unsafe locking scenario:

CPU0 CPU1
---- ----
lock(hcd_urb_list_lock);
local_irq_disable();
lock(&(&ehci->lock)->rlock);
lock(hcd_urb_list_lock);
<Interrupt>
lock(&(&ehci->lock)->rlock);
*** DEADLOCK ***

no locks held by swapper/7/0.
the shortest dependencies between 2nd lock and 1st lock:
-> (hcd_urb_list_lock){+.....} ops: 252 {
HARDIRQ-ON-W at:
__lock_acquire+0x602/0x1280
lock_acquire+0xd5/0x1c0
_raw_spin_lock+0x2f/0x40
usb_hcd_unlink_urb_from_ep+0x1b/0x60 [usbcore]
xhci_giveback_urb_in_irq.isra.45+0x70/0x1b0 [xhci_hcd]
finish_td.constprop.60+0x1d8/0x2e0 [xhci_hcd]
xhci_irq+0xdd6/0x1fa0 [xhci_hcd]
usb_hcd_irq+0x26/0x40 [usbcore]
irq_forced_thread_fn+0x2f/0x70
irq_thread+0x149/0x1d0
kthread+0x113/0x150
ret_from_fork+0x2e/0x40

This patch fixes the problem.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Reported-and-tested-by: Bart Van Assche <bart.va...@sandisk.com>

Signed-off-by: Mathias Nyman <mathia...@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/usb/host/xhci-ring.c | 5 +++--

1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2690,11 +2690,12 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd
struct xhci_hcd *xhci = hcd_to_xhci(hcd);
union xhci_trb *event_ring_deq;
irqreturn_t ret = IRQ_NONE;
+ unsigned long flags;
dma_addr_t deq;
u64 temp_64;
u32 status;

- spin_lock(&xhci->lock);
+ spin_lock_irqsave(&xhci->lock, flags);
/* Check if the xHC generated the interrupt, or the irq is shared */
status = readl(&xhci->op_regs->status);
if (status == 0xffffffff) {
@@ -2768,7 +2769,7 @@ irqreturn_t xhci_irq(struct usb_hcd *hcd
ret = IRQ_HANDLED;

out:
- spin_unlock(&xhci->lock);
+ spin_unlock_irqrestore(&xhci->lock, flags);

return ret;
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: zheng li <james...@ericsson.com>

commit 0a28cfd51e17f4f0a056bcf66bfbe492c3b99f38 upstream.

There is an inconsistent conditional judgement in __ip_append_data and
ip_finish_output functions, the variable length in __ip_append_data just
include the length of application's payload and udp header, don't include
the length of ip header, but in ip_finish_output use
(skb->len > ip_skb_dst_mtu(skb)) as judgement, and skb->len include the
length of ip header.

That causes some particular application's udp payload whose length is
between (MTU - IP Header) and MTU were fragmented by ip_fragment even
though the rst->dev support UFO feature.

Add the length of ip header to length in __ip_append_data to keep
consistent conditional judgement as ip_finish_output for ip fragment.

Signed-off-by: Zheng Li <james...@ericsson.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

[bwh: Backported to 3.16: adjust context to apply after "udp: consistently apply
ufo or fragmentation"]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

net/ipv4/ip_output.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -886,7 +886,7 @@ static int __ip_append_data(struct sock

cork->length += length;
if ((skb && skb_is_gso(skb)) ||
- ((length > mtu) &&
+ (((length + fragheaderlen) > mtu) &&
(skb_queue_len(queue) <= 1) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wangzhao Cai <micro...@gmail.com>

commit 30c6fd4277ebab2a32ae5635d34283354b1bc8f2 upstream.

I am using a USB keyborad that give me "usb_submit_urb(ctrl) failed: -1" error
when I plugin it. and I need to wait for 10s for this device to be ready.

By adding this quirks, the usb keyborad is usable right after plugin

Signed-off-by: Wangzhao Cai <micro...@gmail.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 1 +
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -493,6 +493,7 @@
#define USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A070 0xa070
#define USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A072 0xa072
#define USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A081 0xa081
+#define USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A096 0xa096

#define USB_VENDOR_ID_IMATION 0x0718
#define USB_DEVICE_ID_DISC_STAKKA 0xd000
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -140,6 +140,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_HD, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_QUAD_HD, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_SYNAPTICS, USB_DEVICE_ID_SYNAPTICS_TP_V103, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A096, HID_QUIRK_NO_INIT_INPUT_REPORTS },

{ 0, 0 }
};

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liwei Song <liwei...@windriver.com>

commit 17e83549e199d89aace7788a9f11c108671eecf5 upstream.

Fix the following kernel bug:

kernel BUG at drivers/iommu/intel-iommu.c:3260!
invalid opcode: 0000 [#5] PREEMPT SMP
Hardware name: Intel Corp. Harcuvar/Server, BIOS HAVLCRB0.X64.0013.D39.1608311820 08/31/2016
task: ffff880175389950 ti: ffff880176bec000 task.ti: ffff880176bec000
RIP: 0010:[<ffffffff8150a83b>] [<ffffffff8150a83b>] intel_unmap+0x25b/0x260
RSP: 0018:ffff880176bef5e8 EFLAGS: 00010296
RAX: 0000000000000024 RBX: ffff8800773c7c88 RCX: 000000000000ce04
RDX: 0000000080000000 RSI: 0000000000000000 RDI: 0000000000000009
RBP: ffff880176bef638 R08: 0000000000000010 R09: 0000000000000004
R10: ffff880175389c78 R11: 0000000000000a4f R12: ffff8800773c7868
R13: 00000000ffffac88 R14: ffff8800773c7818 R15: 0000000000000001
FS: 00007fef21258700(0000) GS:ffff88017b5c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000066d6d8 CR3: 000000007118c000 CR4: 00000000003406e0
Stack:
00000000ffffac88 ffffffff8199867f ffff880176bef5f8 ffff880100000030
ffff880176bef668 ffff8800773c7c88 ffff880178288098 ffff8800772c0010
ffff8800773c7818 0000000000000001 ffff880176bef648 ffffffff8150a86e
Call Trace:
[<ffffffff8199867f>] ? printk+0x46/0x48
[<ffffffff8150a86e>] intel_unmap_page+0xe/0x10
[<ffffffffa039d99b>] ismt_access+0x27b/0x8fa [i2c_ismt]
[<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
[<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
[<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
[<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
[<ffffffff8143dfd0>] ? pci_bus_read_dev_vendor_id+0xf0/0xf0
[<ffffffff8172b36c>] i2c_smbus_xfer+0xec/0x4b0
[<ffffffff810aa4d5>] ? vprintk_emit+0x345/0x530
[<ffffffffa038936b>] i2cdev_ioctl_smbus+0x12b/0x240 [i2c_dev]
[<ffffffff810aa829>] ? vprintk_default+0x29/0x40
[<ffffffffa0389b33>] i2cdev_ioctl+0x63/0x1ec [i2c_dev]
[<ffffffff811b04c8>] do_vfs_ioctl+0x328/0x5d0
[<ffffffff8119d8ec>] ? vfs_write+0x11c/0x190
[<ffffffff8109d449>] ? rt_up_read+0x19/0x20
[<ffffffff811b07f1>] SyS_ioctl+0x81/0xa0
[<ffffffff819a351b>] system_call_fastpath+0x16/0x6e

This happen When run "i2cdetect -y 0" detect SMBus iSMT adapter.

After finished I2C block read/write, when unmap the data buffer,
a wrong device address was pass to dma_unmap_single().

To fix this, give dma_unmap_single() the "dev" parameter, just like
what dma_map_single() does, then unmap can find the right devices.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Liwei Song <liwei...@windriver.com>
Reviewed-by: Andy Shevchenko <andy.sh...@gmail.com>
Signed-off-by: Wolfram Sang <w...@the-dreams.de>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/i2c/busses/i2c-ismt.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -586,7 +586,7 @@ static int ismt_access(struct i2c_adapte

/* unmap the data buffer */
if (dma_size != 0)
- dma_unmap_single(&adap->dev, dma_addr, dma_size, dma_direction);
+ dma_unmap_single(dev, dma_addr, dma_size, dma_direction);

if (unlikely(!ret)) {
dev_err(dev, "completion wait timed out\n");

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Julius Werner <jwe...@chromium.org>

commit 32829da54d9368103a2f03269a5120aa9ee4d5da upstream.

A recent fix to /dev/mem prevents mappings from wrapping around the end
of physical address space. However, the check was written in a way that
also prevents a mapping reaching just up to the end of physical address
space, which may be a valid use case (especially on 32-bit systems).
This patch fixes it by checking the last mapped address (instead of the
first address behind that) for overflow.

Fixes: b299cde245 ("drivers: char: mem: Check for address space wraparound with mmap()")
Reported-by: Nico Huber <nic...@gmx.de>
Signed-off-by: Julius Werner <jwe...@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/char/mem.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -332,7 +332,7 @@ static int mmap_mem(struct file *file, s
phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;

/* It's illegal to wrap around the end of the physical address space. */
- if (offset + (phys_addr_t)size < offset)
+ if (offset + (phys_addr_t)size - 1 < offset)
return -EINVAL;

if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Joe Thornber <e...@redhat.com>

commit 91bcdb92d39711d1adb40c26b653b7978d93eb98 upstream.

These calls were the wrong way round in __write_initial_superblock.

Signed-off-by: Joe Thornber <e...@redhat.com>
Signed-off-by: Mike Snitzer <sni...@redhat.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/md/dm-thin-metadata.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -484,11 +484,11 @@ static int __write_initial_superblock(st
if (r < 0)
return r;

- r = save_sm_roots(pmd);
+ r = dm_tm_pre_commit(pmd->tm);
if (r < 0)
return r;

- r = dm_tm_pre_commit(pmd->tm);
+ r = save_sm_roots(pmd);
if (r < 0)
return r;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tomasz Kramkowski <t...@the-tk.com>

commit 9547837bdccb4af127528b36a73377150658b4ac upstream.

The (1292:4745) Innomedia INNEX GENESIS/ATARI adapter needs
HID_QUIRK_MULTI_INPUT to split the device up into two controllers
instead of inputs from both being merged into one.

Signed-off-by: Tomasz Kramkowski <t...@the-tk.com>
Acked-By: Benjamin Tissoires <benjamin....@redhat.com>
Signed-off-by: Jiri Kosina <jko...@suse.cz>
[bwh: Backported to 3.16: adjust context]

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 3 +++
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 4 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -522,6 +522,9 @@
#define USB_VENDOR_ID_IRTOUCHSYSTEMS 0x6615
#define USB_DEVICE_ID_IRTOUCH_INFRARED_USB 0x0070

+#define USB_VENDOR_ID_INNOMEDIA 0x1292
+#define USB_DEVICE_ID_INNEX_GENESIS_ATARI 0x4745
+
#define USB_VENDOR_ID_JABRA 0x0b0e
#define USB_DEVICE_ID_JABRA_SPEAK_410 0x0412
#define USB_DEVICE_ID_JABRA_SPEAK_510 0x0420
@@ -545,6 +548,7 @@
#define USB_DEVICE_ID_KEYTOUCH_IEC 0x3333

#define USB_VENDOR_ID_KYE 0x0458
+
#define USB_DEVICE_ID_KYE_ERGO_525V 0x0087
#define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138
#define USB_DEVICE_ID_GENIUS_MANTICORE 0x0153
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -169,6 +169,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_MULTIPLE_1781, USB_DEVICE_ID_RAPHNET_4NES4SNES_OLD, HID_QUIRK_MULTI_INPUT },
{ USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_2NES2SNES, HID_QUIRK_MULTI_INPUT },
{ USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_4NES4SNES, HID_QUIRK_MULTI_INPUT },
+ { USB_VENDOR_ID_INNOMEDIA, USB_DEVICE_ID_INNEX_GENESIS_ATARI, HID_QUIRK_MULTI_INPUT },

{ 0, 0 }
};

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Adrien Vergé <adrie...@gmail.com>

commit 33bd2dd03dd0bfa1130d11062a9e5f40d0cf1d3f upstream.

All ELAN hid devices seem to require the ALWAYS_POLL quirk. Let's use
this quirk for all devices from this vendor, rather than maintaining a
list of all its known product IDs.

Tested-by: Adrien Vergé <adrie...@gmail.com>
Signed-off-by: Adrien Vergé <adrie...@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin....@redhat.com>
Reviewed-by: Jiri Kosina <jko...@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 5 -----
drivers/hid/usbhid/hid-quirks.c | 9 +++------
2 files changed, 3 insertions(+), 11 deletions(-)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -301,11 +301,6 @@
#define USB_DEVICE_ID_DWAV_EGALAX_MULTITOUCH_A001 0xa001

#define USB_VENDOR_ID_ELAN 0x04f3
-#define USB_DEVICE_ID_ELAN_TOUCHSCREEN 0x0089
-#define USB_DEVICE_ID_ELAN_TOUCHSCREEN_009B 0x009b
-#define USB_DEVICE_ID_ELAN_TOUCHSCREEN_0103 0x0103
-#define USB_DEVICE_ID_ELAN_TOUCHSCREEN_010c 0x010c
-#define USB_DEVICE_ID_ELAN_TOUCHSCREEN_016F 0x016f

#define USB_VENDOR_ID_ELECOM 0x056e
#define USB_DEVICE_ID_ELECOM_BM084 0x0061
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -73,11 +73,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },
- { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN, HID_QUIRK_ALWAYS_POLL },
- { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_009B, HID_QUIRK_ALWAYS_POLL },
- { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_0103, HID_QUIRK_ALWAYS_POLL },
- { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_010c, HID_QUIRK_ALWAYS_POLL },
- { USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ELAN_TOUCHSCREEN_016F, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_ELAN, HID_ANY_ID, HID_QUIRK_ALWAYS_POLL },

{ USB_VENDOR_ID_ELO, USB_DEVICE_ID_ELO_TS2700, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET },

@@ -341,7 +337,8 @@ static const struct hid_blacklist *usbhi

for (; hid_blacklist[n].idVendor; n++)
if (hid_blacklist[n].idVendor == idVendor &&
- hid_blacklist[n].idProduct == idProduct)
+ (hid_blacklist[n].idProduct == (__u16) HID_ANY_ID ||
+ hid_blacklist[n].idProduct == idProduct))
bl_entry = &hid_blacklist[n];

if (bl_entry != NULL)

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Robert Jarzmik <robert....@free.fr>

commit cbf52a3e6a8a92beec6e0c70abf4111cd8f8faf7 upstream.

When the kernel is compiled with an "O=" argument, the object files are
not in the source tree, but in the build tree.

This patch fixes O= build by looking for object files in the build tree.

Fixes: 923e02ecf3f8 ("scripts/tags.sh: Support compiled source")
Signed-off-by: Robert Jarzmik <robert....@free.fr>
Signed-off-by: Masahiro Yamada <yamada....@socionext.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

scripts/tags.sh | 1 +
1 file changed, 1 insertion(+)

--- a/scripts/tags.sh
+++ b/scripts/tags.sh
@@ -106,6 +106,7 @@ all_compiled_sources()
case "$i" in
*.[cS])
j=${i/\.[cS]/\.o}
+ j="${j#$tree}"
if [ -e $j ]; then
echo $i
fi

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <one...@suse.de>

commit 003e817a9ecf6cfded59630858bbf04056d71e9a upstream.

During a stress test these mice kept dropping and reappearing
in runlevel 1 as opposed to 5.

Signed-off-by: Oliver Neukum <one...@suse.de>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 4 ++++
drivers/hid/usbhid/hid-quirks.c | 4 ++++
2 files changed, 8 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -589,6 +589,9 @@
#define USB_DEVICE_ID_LOGITECH_HARMONY_FIRST 0xc110
#define USB_DEVICE_ID_LOGITECH_HARMONY_LAST 0xc14f
#define USB_DEVICE_ID_LOGITECH_HARMONY_PS3 0x0306
+#define USB_DEVICE_ID_LOGITECH_MOUSE_C01A 0xc01a
+#define USB_DEVICE_ID_LOGITECH_MOUSE_C05A 0xc05a
+#define USB_DEVICE_ID_LOGITECH_MOUSE_C06A 0xc06a
#define USB_DEVICE_ID_LOGITECH_RUMBLEPAD_CORD 0xc20a
#define USB_DEVICE_ID_LOGITECH_RUMBLEPAD 0xc211
#define USB_DEVICE_ID_LOGITECH_EXTREME_3D 0xc215
@@ -1004,6 +1007,7 @@
#define USB_DEVICE_ID_ZYTRONIC_ZXY100 0x0005

#define USB_VENDOR_ID_PRIMAX 0x0461
+#define USB_DEVICE_ID_PRIMAX_MOUSE_4D22 0x4d22
#define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05


--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -84,6 +84,9 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },

{ USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077, HID_QUIRK_ALWAYS_POLL },

+ { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C01A, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C05A, HID_QUIRK_ALWAYS_POLL },
+ { USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_MOUSE_C06A, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_MICROSOFT, USB_DEVICE_ID_MS_TYPE_COVER_3_JP, HID_QUIRK_NO_INIT_REPORTS },
@@ -97,6 +100,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN1, HID_QUIRK_NO_INIT_REPORTS },
{ USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN2, HID_QUIRK_NO_INIT_REPORTS },
+ { USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22, HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008, HID_QUIRK_NOGET },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Patrik Jakobsson <patrik.r....@gmail.com>

commit 82bc9a42cf854fdf63155759c0aa790bd1f361b0 upstream.

With LVDS we were incorrectly picking the pre-programmed mode instead of
the prefered mode provided by VBT. Make sure we pick the VBT mode if
one is provided. It is likely that the mode read-out code is still wrong
but this patch fixes the immediate problem on most machines.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=78562
Signed-off-by: Patrik Jakobsson <patrik.r....@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170418114332.12183...@gmail.com

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/gpu/drm/gma500/psb_intel_lvds.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
@@ -783,20 +783,23 @@ void psb_intel_lvds_init(struct drm_devi
if (scan->type & DRM_MODE_TYPE_PREFERRED) {
mode_dev->panel_fixed_mode =
drm_mode_duplicate(dev, scan);
+ DRM_DEBUG_KMS("Using mode from DDC\n");
goto out; /* FIXME: check for quirks */
}
}

/* Failed to get EDID, what about VBT? do we need this? */
- if (mode_dev->vbt_mode)
+ if (dev_priv->lfp_lvds_vbt_mode) {
mode_dev->panel_fixed_mode =
- drm_mode_duplicate(dev, mode_dev->vbt_mode);
+ drm_mode_duplicate(dev, dev_priv->lfp_lvds_vbt_mode);

- if (!mode_dev->panel_fixed_mode)
- if (dev_priv->lfp_lvds_vbt_mode)
- mode_dev->panel_fixed_mode =
- drm_mode_duplicate(dev,
- dev_priv->lfp_lvds_vbt_mode);
+ if (mode_dev->panel_fixed_mode) {
+ mode_dev->panel_fixed_mode->type |=
+ DRM_MODE_TYPE_PREFERRED;
+ DRM_DEBUG_KMS("Using mode from VBT\n");
+ goto out;
+ }
+ }

/*
* If we didn't get EDID, try checking if the panel is already turned
@@ -813,6 +816,7 @@ void psb_intel_lvds_init(struct drm_devi
if (mode_dev->panel_fixed_mode) {
mode_dev->panel_fixed_mode->type |=
DRM_MODE_TYPE_PREFERRED;
+ DRM_DEBUG_KMS("Using pre-programmed mode\n");
goto out; /* FIXME: check for quirks */
}
}

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.ca...@oracle.com>

commit 0320a278b9ef80cfa44f74b7f9bb36781695f3ee upstream.

My static checker complains that "ret" could be uninitialized at the
end, which is true but it's more likely that it would be set to zero.

Signed-off-by: Dan Carpenter <dan.ca...@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/uio/uio.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/uio/uio.c
+++ b/drivers/uio/uio.c
@@ -283,12 +283,16 @@ static int uio_dev_add_attributes(struct
map_found = 1;
idev->map_dir = kobject_create_and_add("maps",
&idev->dev->kobj);
- if (!idev->map_dir)
+ if (!idev->map_dir) {
+ ret = -ENOMEM;
goto err_map;
+ }
}
map = kzalloc(sizeof(*map), GFP_KERNEL);
- if (!map)
+ if (!map) {
+ ret = -ENOMEM;
goto err_map_kobj;
+ }
kobject_init(&map->kobj, &map_attr_type);
map->mem = mem;
mem->map = map;
@@ -308,12 +312,16 @@ static int uio_dev_add_attributes(struct
portio_found = 1;
idev->portio_dir = kobject_create_and_add("portio",
&idev->dev->kobj);
- if (!idev->portio_dir)
+ if (!idev->portio_dir) {
+ ret = -ENOMEM;
goto err_portio;
+ }
}
portio = kzalloc(sizeof(*portio), GFP_KERNEL);
- if (!portio)
+ if (!portio) {
+ ret = -ENOMEM;
goto err_portio_kobj;
+ }
kobject_init(&portio->kobj, &portio_attr_type);
portio->port = port;
port->portio = portio;

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sebastian Parschauer <spars...@suse.de>

commit 3db28271f0feae129262d30e41384a7c4c767987 upstream.

This mouse is also known under other IDs. It needs the quirk
ALWAYS_POLL or will disconnect in runlevel 1 or 3.

Signed-off-by: Sebastian Parschauer <spars...@suse.de>
Signed-off-by: Jiri Kosina <jko...@suse.cz>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/hid/hid-ids.h | 3 +++
drivers/hid/usbhid/hid-quirks.c | 1 +

2 files changed, 4 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -290,6 +290,9 @@
#define USB_VENDOR_ID_DEALEXTREAME 0x10c5
#define USB_DEVICE_ID_DEALEXTREAME_RADIO_SI4701 0x819a

+#define USB_VENDOR_ID_DELL 0x413c
+#define USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE 0x301a
+
#define USB_VENDOR_ID_DELORME 0x1163
#define USB_DEVICE_ID_DELORME_EARTHMATE 0x0100
#define USB_DEVICE_ID_DELORME_EM_LT20 0x0200
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -85,6 +85,7 @@ static const struct hid_blacklist {
{ USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_SCIMITAR_PRO_RGB, HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
{ USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51, HID_QUIRK_NOGET },
+ { USB_VENDOR_ID_DELL, USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE, HID_QUIRK_ALWAYS_POLL },

{ USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC, HID_QUIRK_NOGET },
{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_WIIU, HID_QUIRK_MULTI_INPUT },

{ USB_VENDOR_ID_DRAGONRISE, USB_DEVICE_ID_DRAGONRISE_PS3, HID_QUIRK_MULTI_INPUT },

[Ben Hutchings]

3.16.48-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christian Lamparter <chun...@googlemail.com>

commit 19d90ece81da802207a9b91ce95a29fbdc40626e upstream.

This patch fixes a problem where the AR8035 PHY can't be
detected on an Cisco Meraki MR24, if the ethernet cable is
not connected on boot.

Russell Senior provided steps to reproduce the issue:
|Disconnect ethernet cable, apply power, wait until device has booted,
|plug in ethernet, check for interfaces, no eth0 is listed.
|
|This appears to be a problem during probing of the AR8035 Phy chip.
|When ethernet has no link, the phy detection fails, and eth0 is not
|created. Plugging ethernet later has no effect, because there is no
|interface as far as the kernel is concerned. The relevant part of
|the boot log looks like this:
|this is the failing case:
|
|[ 0.876611] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
|[ 0.882532] /plb/opb/ethernet@ef600c00: reset timeout
|[ 0.888546] /plb/opb/ethernet@ef600c00: can't find PHY!
|and the succeeding case:
|
|[ 0.876672] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
|[ 0.883952] eth0: EMAC-0 /plb/opb/ethernet@ef600c00, MAC 00:01:..
|[ 0.890822] eth0: found Atheros 8035 Gigabit Ethernet PHY (0x01)

Based on the comment and the commit message of
commit 23fbb5a87c56 ("emac: Fix EMAC soft reset on 460EX/GT").
This is because the AR8035 PHY doesn't provide the TX Clock,
if the ethernet cable is not attached. This causes the reset
to timeout and the PHY detection code in emac_init_phy() is
unable to detect the AR8035 PHY. As a result, the emac driver
bails out early and the user left with no ethernet.

In order to stay compatible with existing configurations, the driver
tries the current reset approach at first. Only if the first attempt
timed out, it does perform one more retry with the clock temporarily
switched to the internal source for just the duration of the reset.

LEDE-Bug: #687 <https://bugs.lede-project.org/index.php?do=details&task_id=687>

Cc: Chris Blake <chrisr...@gmail.com>
Reported-by: Russell Senior <rus...@personaltelco.net>
Fixes: 23fbb5a87c56e98 ("emac: Fix EMAC soft reset on 460EX/GT")
Signed-off-by: Christian Lamparter <chun...@googlemail.com>
Reviewed-by: Andrew Lunn <and...@lunn.ch>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/net/ethernet/ibm/emac/core.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/ibm/emac/core.c
+++ b/drivers/net/ethernet/ibm/emac/core.c
@@ -349,6 +349,7 @@ static int emac_reset(struct emac_instan
{
struct emac_regs __iomem *p = dev->emacp;
int n = 20;
+ bool __maybe_unused try_internal_clock = false;

DBG(dev, "reset" NL);

@@ -361,6 +362,7 @@ static int emac_reset(struct emac_instan
}

#ifdef CONFIG_PPC_DCR_NATIVE
+do_retry:
/*
* PPC460EX/GT Embedded Processor Advanced User's Manual
* section 28.10.1 Mode Register 0 (EMACx_MR0) states:
@@ -368,10 +370,19 @@ static int emac_reset(struct emac_instan
* of the EMAC. If none is present, select the internal clock
* (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1).
* After a soft reset, select the external clock.
+ *
+ * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the
+ * ethernet cable is not attached. This causes the reset to timeout
+ * and the PHY detection code in emac_init_phy() is unable to
+ * communicate and detect the AR8035-A PHY. As a result, the emac
+ * driver bails out early and the user has no ethernet.
+ * In order to stay compatible with existing configurations, the
+ * driver will temporarily switch to the internal clock, after
+ * the first reset fails.
*/
if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
- if (dev->phy_address == 0xffffffff &&
- dev->phy_map == 0xffffffff) {
+ if (try_internal_clock || (dev->phy_address == 0xffffffff &&
+ dev->phy_map == 0xffffffff)) {
/* No PHY: select internal loop clock before reset */
dcri_clrset(SDR0, SDR0_ETH_CFG,
0, SDR0_ETH_CFG_ECS << dev->cell_index);
@@ -389,8 +400,15 @@ static int emac_reset(struct emac_instan

#ifdef CONFIG_PPC_DCR_NATIVE
if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) {
- if (dev->phy_address == 0xffffffff &&
- dev->phy_map == 0xffffffff) {
+ if (!n && !try_internal_clock) {
+ /* first attempt has timed out. */
+ n = 20;
+ try_internal_clock = true;
+ goto do_retry;
+ }
+
+ if (try_internal_clock || (dev->phy_address == 0xffffffff &&
+ dev->phy_map == 0xffffffff)) {
/* No PHY: restore external clock source after reset */
dcri_clrset(SDR0, SDR0_ETH_CFG,
SDR0_ETH_CFG_ECS << dev->cell_index, 0);