3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Aleksa Sarai asarai@suse.de

commit 6c6b5a39c4bf3dbd8cf629c9f5450e983c19dbb9 upstream.

Several distributions mount the "proper root" as ro during initrd and then remount it as rw before pivot_root(2). Thus, if a rescan had been aborted by a previous shutdown, the rescan would never be resumed.

This issue would manifest itself as several btrfs ioctl(2)s causing the entire machine to hang when btrfs_qgroup_wait_for_completion was hit (due to the fs_info->qgroup_rescan_running flag being set but the rescan itself not being resumed). Notably, Docker's btrfs storage driver makes regular use of BTRFS_QUOTA_CTL_DISABLE and BTRFS_IOC_QUOTA_RESCAN_WAIT (causing this problem to be manifested on boot for some machines).

Cc: Jeff Mahoney jeffm@suse.com Fixes: b382a324b60f ("Btrfs: fix qgroup rescan resume on mount") Signed-off-by: Aleksa Sarai asarai@suse.de Reviewed-by: Nikolay Borisov nborisov@suse.com Tested-by: Nikolay Borisov nborisov@suse.com Signed-off-by: David Sterba dsterba@suse.com [bwh: Backported to 3.16: add #include "qgroup.h"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c @@ -59,6 +59,7 @@ #include "free-space-cache.h" #include "backref.h" #include "tests/btrfs-tests.h" +#include "qgroup.h"

#define CREATE_TRACE_POINTS #include <trace/events/btrfs.h> @@ -1495,6 +1496,8 @@ static int btrfs_remount(struct super_bl goto restore; }

+ btrfs_qgroup_rescan_resume(fs_info); + if (!fs_info->uuid_root) { btrfs_info(fs_info, "creating UUID tree"); ret = btrfs_create_uuid_tree(fs_info);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Colin Ian King colin.king@canonical.com

commit 34ff1bf4920471cff66775dc39537b15c5f0feff upstream.

The mask of sns_key_info1 suggests the upper nybble is being extracted however the following shift of 8 bits is too large and always results in 0. Fix this by shifting only by 4 bits to correctly get the upper nybble.

Detected by CoverityScan, CID#142891 ("Operands don't affect result")

Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288") Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/rts5208/rtsx_scsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rts5208/rtsx_scsi.c +++ b/drivers/staging/rts5208/rtsx_scsi.c @@ -417,7 +417,7 @@ void set_sense_data(struct rtsx_chip *ch sense->ascq = ascq; if (sns_key_info0 != 0) { sense->sns_key_info[0] = SKSV | sns_key_info0; - sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 8; + sense->sns_key_info[1] = (sns_key_info1 & 0xf0) >> 4; sense->sns_key_info[2] = sns_key_info1 & 0x0f; } }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ravikumar Kattekola rk@ti.com

commit b5ca62a53d2df30432118edeff61acc8717d2515 upstream.

On DRA75x EVM, MMC2 vdd/ios are connected to a common supply fixed at 1.8V not 3.3V

Fixes: 6cf02dbb4b71 ("ARM: dts: dra7-evm: Add mmc2 node for eMMC support") Signed-off-by: Ravikumar Kattekola rk@ti.com Signed-off-by: Sekhar Nori nsekhar@ti.com Signed-off-by: Kishon Vijay Abraham I kishon@ti.com Signed-off-by: Tony Lindgren tony@atomide.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm/boot/dts/dra7-evm.dts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/arch/arm/boot/dts/dra7-evm.dts +++ b/arch/arm/boot/dts/dra7-evm.dts @@ -18,6 +18,14 @@ reg = <0x80000000 0x60000000>; /* 1536 MB */ };

+ evm_1v8_sw: fixedregulator-evm_1v8 { + compatible = "regulator-fixed"; + regulator-name = "evm_1v8"; + vin-supply = <&smps9_reg>; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + }; + evm_3v3_sw: fixedregulator-evm_3v3_sw { compatible = "regulator-fixed"; regulator-name = "evm_3v3_sw"; @@ -325,7 +333,7 @@

&mmc2 { status = "okay"; - vmmc-supply = <&evm_3v3_sw>; + vmmc-supply = <&evm_1v8_sw>; bus-width = <8>; };

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thierry Reding treding@nvidia.com

commit 979559362516bb0f5424505c607210ac054e30ae upstream.

Add a helper to check if an object (given an address and a size) is part of a section (given beginning and end addresses). For convenience, also provide a helper that performs this check for __init data using the __init_begin and __init_end limits.

Signed-off-by: Thierry Reding treding@nvidia.com Cc: Arnd Bergmann arnd@arndb.de Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Joe Perches joe@perches.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/asm-generic/sections.h | 65 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+)

--- a/include/asm-generic/sections.h +++ b/include/asm-generic/sections.h @@ -4,6 +4,7 @@ /* References to section boundaries */

#include <linux/compiler.h> +#include <linux/types.h>

/* * Usage guidelines: @@ -63,4 +64,68 @@ static inline int arch_is_kernel_data(un } #endif

+/** + * memory_contains - checks if an object is contained within a memory region + * @begin: virtual address of the beginning of the memory region + * @end: virtual address of the end of the memory region + * @virt: virtual address of the memory object + * @size: size of the memory object + * + * Returns: true if the object specified by @virt and @size is entirely + * contained within the memory region defined by @begin and @end, false + * otherwise. + */ +static inline bool memory_contains(void *begin, void *end, void *virt, + size_t size) +{ + return virt >= begin && virt + size <= end; +} + +/** + * memory_intersects - checks if the region occupied by an object intersects + * with another memory region + * @begin: virtual address of the beginning of the memory regien + * @end: virtual address of the end of the memory region + * @virt: virtual address of the memory object + * @size: size of the memory object + * + * Returns: true if an object's memory region, specified by @virt and @size, + * intersects with the region specified by @begin and @end, false otherwise. + */ +static inline bool memory_intersects(void *begin, void *end, void *virt, + size_t size) +{ + void *vend = virt + size; + + return (virt >= begin && virt < end) || (vend >= begin && vend < end); +} + +/** + * init_section_contains - checks if an object is contained within the init + * section + * @virt: virtual address of the memory object + * @size: size of the memory object + * + * Returns: true if the object specified by @virt and @size is entirely + * contained within the init section, false otherwise. + */ +static inline bool init_section_contains(void *virt, size_t size) +{ + return memory_contains(__init_begin, __init_end, virt, size); +} + +/** + * init_section_intersects - checks if the region occupied by an object + * intersects with the init section + * @virt: virtual address of the memory object + * @size: size of the memory object + * + * Returns: true if an object's memory region, specified by @virt and @size, + * intersects with the init section, false otherwise. + */ +static inline bool init_section_intersects(void *virt, size_t size) +{ + return memory_intersects(__init_begin, __init_end, virt, size); +} + #endif /* _ASM_GENERIC_SECTIONS_H_ */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sean Young sean@mess.org

commit 89d8a2cc51d1f29ea24a0b44dde13253141190a0 upstream.

This driver cannot send pulse, it only accepts driver-dependent codes.

Signed-off-by: Sean Young sean@mess.org Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/media/lirc/lirc_zilog.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/staging/media/lirc/lirc_zilog.c +++ b/drivers/staging/media/lirc/lirc_zilog.c @@ -300,7 +300,7 @@ static void release_ir_tx(struct kref *r struct IR_tx *tx = container_of(ref, struct IR_tx, ref); struct IR *ir = tx->ir;

- ir->l.features &= ~LIRC_CAN_SEND_PULSE; + ir->l.features &= ~LIRC_CAN_SEND_LIRCCODE; /* Don't put_ir_device(tx->ir) here, so our lock doesn't get freed */ ir->tx = NULL; kfree(tx); @@ -1271,14 +1271,14 @@ static long ioctl(struct file *filep, un if (!(features&LIRC_CAN_SEND_MASK)) return -ENOSYS;

- result = put_user(LIRC_MODE_PULSE, uptr); + result = put_user(LIRC_MODE_LIRCCODE, uptr); break; case LIRC_SET_SEND_MODE: if (!(features&LIRC_CAN_SEND_MASK)) return -ENOSYS;

result = get_user(mode, uptr); - if (!result && mode != LIRC_MODE_PULSE) + if (!result && mode != LIRC_MODE_LIRCCODE) return -EINVAL; break; default: @@ -1516,7 +1516,7 @@ static int ir_probe(struct i2c_client *c kref_init(&tx->ref); ir->tx = tx;

- ir->l.features |= LIRC_CAN_SEND_PULSE; + ir->l.features |= LIRC_CAN_SEND_LIRCCODE; mutex_init(&tx->client_lock); tx->c = client; tx->need_boot = 1;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steffen Maier maier@linux.vnet.ibm.com

commit 975171b4461be296a35e83ebd748946b81cf0635 upstream.

v4.9 commit aceeffbb59bb ("zfcp: trace full payload of all SAN records (req,resp,iels)") fixed trace data loss of 2.6.38 commit 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") necessary for problem determination, e.g. to see the currently active zone set during automatic port scan.

While it already saves space by not dumping any empty residual entries of the large successful GPN_FT response (4 pages), there are seldom cases where the GPN_FT response is unsuccessful and likely does not have FC_NS_FID_LAST set in fp_flags so we did not cap the trace record. We typically see such case for an initiator WWPN, which is not in any zone.

Cap unsuccessful responses to at least the actual basic CT_IU response plus whatever fits the SAN trace record built-in "payload" buffer just in case there's trailing information of which we would at least see the existence and its beginning.

In order not to erroneously cap successful responses, we need to swap calling the trace function and setting the CT / ELS status to success (0).

Example trace record pair formatted with zfcpdbf:

Timestamp : ... Area : SAN Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : fssct_1 Request ID : 0x<request_id> Destination ID : 0x00fffffc SAN req short : 01000000 fc020000 01720ffc 00000000 00000008 SAN req length : 20 | Timestamp : ... Area : SAN Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 2 Tag : fsscth2 Request ID : 0x<request_id> Destination ID : 0x00fffffc SAN resp short : 01000000 fc020000 80010000 00090700 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] SAN resp length: 16384 San resp info : 01000000 fc020000 80010000 00090700 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info] 00000000 00000000 00000000 00000000 [trailing info]

The fix saves all but one of the previously associated 64 PAYload trace record chunks of size 256 bytes each.

Signed-off-by: Steffen Maier maier@linux.vnet.ibm.com Fixes: aceeffbb59bb ("zfcp: trace full payload of all SAN records (req,resp,iels)") Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") Reviewed-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/scsi/zfcp_dbf.c | 10 +++++++++- drivers/s390/scsi/zfcp_fsf.c | 4 ++-- 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c +++ b/drivers/s390/scsi/zfcp_dbf.c @@ -3,7 +3,7 @@ * * Debug traces for zfcp. * - * Copyright IBM Corp. 2002, 2016 + * Copyright IBM Corp. 2002, 2017 */

#define KMSG_COMPONENT "zfcp" @@ -447,6 +447,7 @@ static u16 zfcp_dbf_san_res_cap_len_if_g struct fc_ct_hdr *reqh = sg_virt(ct_els->req); struct fc_ns_gid_ft *reqn = (struct fc_ns_gid_ft *)(reqh + 1); struct scatterlist *resp_entry = ct_els->resp; + struct fc_ct_hdr *resph; struct fc_gpn_ft_resp *acc; int max_entries, x, last = 0;

@@ -473,6 +474,13 @@ static u16 zfcp_dbf_san_res_cap_len_if_g return len; /* not GPN_FT response so do not cap */

acc = sg_virt(resp_entry); + + /* cap all but accept CT responses to at least the CT header */ + resph = (struct fc_ct_hdr *)acc; + if ((ct_els->status) || + (resph->ct_cmd != cpu_to_be16(FC_FS_ACC))) + return max(FC_CT_HDR_LEN, ZFCP_DBF_SAN_MAX_PAYLOAD); + max_entries = (reqh->ct_mr_size * 4 / sizeof(struct fc_gpn_ft_resp)) + 1 /* zfcp_fc_scan_ports: bytes correct, entries off-by-one * to account for header as 1st pseudo "entry" */; --- a/drivers/s390/scsi/zfcp_fsf.c +++ b/drivers/s390/scsi/zfcp_fsf.c @@ -928,8 +928,8 @@ static void zfcp_fsf_send_ct_handler(str

switch (header->fsf_status) { case FSF_GOOD: - zfcp_dbf_san_res("fsscth2", req); ct->status = 0; + zfcp_dbf_san_res("fsscth2", req); break; case FSF_SERVICE_CLASS_NOT_SUPPORTED: zfcp_fsf_class_not_supp(req); @@ -1109,8 +1109,8 @@ static void zfcp_fsf_send_els_handler(st

switch (header->fsf_status) { case FSF_GOOD: - zfcp_dbf_san_res("fsselh1", req); send_els->status = 0; + zfcp_dbf_san_res("fsselh1", req); break; case FSF_SERVICE_CLASS_NOT_SUPPORTED: zfcp_fsf_class_not_supp(req);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold johan@kernel.org

commit e2b5602af76dec75f474e4173afb4215007ecfa5 upstream.

Make sure to unprepare the clock before returning on late probe errors.

Fixes: b388f15fd14c ("pwm: pwm-tiehrpwm: Use clk_enable/disable instead clk_prepare/unprepare.") Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Thierry Reding thierry.reding@gmail.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/pwm/pwm-tiehrpwm.c +++ b/drivers/pwm/pwm-tiehrpwm.c @@ -483,7 +483,7 @@ static int ehrpwm_pwm_probe(struct platf ret = pwmchip_add(&pc->chip); if (ret < 0) { dev_err(&pdev->dev, "pwmchip_add() failed: %d\n", ret); - return ret; + goto err_clk_unprepare; }

pm_runtime_enable(&pdev->dev); @@ -506,7 +506,9 @@ pwmss_clk_failure: pm_runtime_put_sync(&pdev->dev); pm_runtime_disable(&pdev->dev); pwmchip_remove(&pc->chip); +err_clk_unprepare: clk_unprepare(pc->tbclk); + return ret; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold johan@kernel.org

commit 90de9634a5d57b92d8af4ec23aa2c9b297ec8168 upstream.

Since commit a8636c89648a ("PM / Runtime: Don't allow to suspend a device with an active child"), which went into 4.10, it is no longer permitted to set RPM_SUSPENDED state for a device with active children (unless power.ignore_children is set).

This specifically means that the attempts to do just that from the omap pm-domain suspend_noirq callback have since been failing whenever a child is active, for example:

am335x-usb-childs 47400000.usb: runtime PM trying to suspend device but active child

Silence this warning by dropping the broken pm_runtime_set_suspended() call from the omap suspend_noirq callback along with the redundant pm_runtime_set_active() in resume_noirq.

This effectively reverts commit 3522bf7bfa24 ("ARM: OMAP2+: omap_device: maintain sane runtime pm status around suspend/resume"), which started updating the RPM state after the runtime_suspend callback (!) for active omap devices had been called during system suspend. The rationale was that a later pm_runtime_get_sync() would then fail (even after runtime pm had been disabled) and that this in turn would avoid any external aborts when accessing registers with clocks disabled. (See also commit 6f3c77b040fc ("PM / Runtime: let rpm_resume() succeed if RPM_ACTIVE, even when disabled, v2").

But during the suspend_noirq phase all children would already have been suspended and their drivers would specifically not attempt any further register accesses. And if this was all just a workaround for random device drivers doing cross-tree calls during system suspend, those drivers should be fixed and updated to explicitly model such dependencies using device-links instead (and either way, any such calls have been causing crashes since 4.10).

Fixes: 3522bf7bfa24 ("ARM: OMAP2+: omap_device: maintain sane runtime pm status around suspend/resume") Fixes: a8636c89648a ("PM / Runtime: Don't allow to suspend a device with an active child") Cc: Alan Stern stern@rowland.harvard.edu Cc: Dave Gerlach d-gerlach@ti.com Cc: Kevin Hilman khilman@baylibre.com Cc: Nishanth Menon nm@ti.com Cc: Rafael J. Wysocki rjw@rjwysocki.net Cc: Tony Lindgren tony@atomide.com Cc: Ulf Hansson ulf.hansson@linaro.org Signed-off-by: Johan Hovold johan@kernel.org Tested-by: Grygorii Strashko grygorii.strashko@ti.com Signed-off-by: Tony Lindgren tony@atomide.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm/mach-omap2/omap_device.c | 10 ---------- 1 file changed, 10 deletions(-)

--- a/arch/arm/mach-omap2/omap_device.c +++ b/arch/arm/mach-omap2/omap_device.c @@ -640,7 +640,6 @@ static int _od_suspend_noirq(struct devi

if (!ret && !pm_runtime_status_suspended(dev)) { if (pm_generic_runtime_suspend(dev) == 0) { - pm_runtime_set_suspended(dev); omap_device_idle(pdev); od->flags |= OMAP_DEVICE_SUSPENDED; } @@ -657,15 +656,6 @@ static int _od_resume_noirq(struct devic if (od->flags & OMAP_DEVICE_SUSPENDED) { od->flags &= ~OMAP_DEVICE_SUSPENDED; omap_device_enable(pdev); - /* - * XXX: we run before core runtime pm has resumed itself. At - * this point in time, we just restore the runtime pm state and - * considering symmetric operations in resume, we donot expect - * to fail. If we failed, something changed in core runtime_pm - * framework OR some device driver messed things up, hence, WARN - */ - WARN(pm_runtime_set_active(dev), - "Could not set %s runtime state active\n", dev_name(dev)); pm_generic_runtime_resume(dev); }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche bart.vanassche@wdc.com

commit 5fbd545cd3fd311ea1d6e8be4cedddd0ee5684c7 upstream.

Ensure that the members of struct skd_msg_buf have been transferred to the PCIe adapter before the doorbell is triggered. This patch avoids that I/O fails sporadically and that the following error message is reported:

(skd0:STM000196603:[0000:00:09.0]): Completion mismatch comp_id=0x0000 skreq=0x0400 new=0x0000

Signed-off-by: Bart Van Assche bart.vanassche@wdc.com Cc: Christoph Hellwig hch@lst.de Cc: Hannes Reinecke hare@suse.de Cc: Johannes Thumshirn jthumshirn@suse.de Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/block/skd_main.c | 6 ++++++ 1 file changed, 6 insertions(+)

--- a/drivers/block/skd_main.c +++ b/drivers/block/skd_main.c @@ -2214,6 +2214,9 @@ static void skd_send_fitmsg(struct skd_d */ qcmd |= FIT_QCMD_MSGSIZE_64;

+ /* Make sure skd_msg_buf is written before the doorbell is triggered. */ + smp_wmb(); + SKD_WRITEQ(skdev, qcmd, FIT_Q_COMMAND);

} @@ -2260,6 +2263,9 @@ static void skd_send_special_fitmsg(stru qcmd = skspcl->mb_dma_address; qcmd |= FIT_QCMD_QID_NORMAL + FIT_QCMD_MSGSIZE_128;

+ /* Make sure skd_msg_buf is written before the doorbell is triggered. */ + smp_wmb(); + SKD_WRITEQ(skdev, qcmd, FIT_Q_COMMAND); }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thierry Reding treding@nvidia.com

commit 81cc26f2bd11ba4421a17a2d5cebe4bba206c239 upstream.

Boot consoles are typically replaced by proper consoles during the boot process. This can be problematic if the boot console data is part of the init section that is reclaimed late during boot. If the proper console does not register before this point in time, the boot console will need to be removed (so that the freed memory is not accessed), leaving the system without output for some time.

There are various reasons why the proper console may not register early enough, such as deferred probe or the driver being a loadable module. If that happens, there is some amount of time where no console messages are visible to the user, which in turn can mean that they won't see crashes or other potentially useful information.

To avoid this situation, only remove the boot console when it resides in the init section. Code exists to replace the boot console by the proper console when it is registered, keeping a seamless transition between the boot and proper consoles.

Signed-off-by: Thierry Reding treding@nvidia.com Cc: Arnd Bergmann arnd@arndb.de Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Joe Perches joe@perches.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/printk/printk.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-)

--- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -47,6 +47,7 @@ #include <linux/utsname.h>

#include <asm/uaccess.h> +#include <asm-generic/sections.h>

#define CREATE_TRACE_POINTS #include <trace/events/printk.h> @@ -2558,13 +2559,36 @@ int unregister_console(struct console *c } EXPORT_SYMBOL(unregister_console);

+/* + * Some boot consoles access data that is in the init section and which will + * be discarded after the initcalls have been run. To make sure that no code + * will access this data, unregister the boot consoles in a late initcall. + * + * If for some reason, such as deferred probe or the driver being a loadable + * module, the real console hasn't registered yet at this point, there will + * be a brief interval in which no messages are logged to the console, which + * makes it difficult to diagnose problems that occur during this time. + * + * To mitigate this problem somewhat, only unregister consoles whose memory + * intersects with the init section. Note that code exists elsewhere to get + * rid of the boot console as soon as the proper console shows up, so there + * won't be side-effects from postponing the removal. + */ static int __init printk_late_init(void) { struct console *con;

for_each_console(con) { if (!keep_bootcon && con->flags & CON_BOOT) { - unregister_console(con); + /* + * Make sure to unregister boot consoles whose data + * resides in the init section before the init section + * is discarded. Boot consoles whose data will stick + * around will automatically be unregistered when the + * proper console replaces them. + */ + if (init_section_intersects(con, sizeof(*con))) + unregister_console(con); } } hotcpu_notifier(console_cpu_notify, 0);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lorenzo Bianconi lorenzo.bianconi83@gmail.com

commit ef0bc2e83966b5aed055acb6d16a3788de5205f4 upstream.

Remove int2 configuration parameter for LPS22HB and LPS25H since these devices export just int1 as data-ready line

Fixes: 931878405b86 (iio:pressure: Add support for LPS25H pressure sensor) Fixes: e039e2f5b4da (iio:st_pressure:initial lps22hb sensor support) Signed-off-by: Lorenzo Bianconi lorenzo.bianconi@st.com Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com [bwh: Backported to 3.16: - Update the macro used to fill in this field - Drop change for LPS22HB] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/iio/pressure/st_pressure_core.c +++ b/drivers/iio/pressure/st_pressure_core.c @@ -104,7 +104,7 @@ #define ST_PRESS_LPS25H_BDU_MASK 0x04 #define ST_PRESS_LPS25H_DRDY_IRQ_ADDR 0x23 #define ST_PRESS_LPS25H_DRDY_IRQ_INT1_MASK 0x01 -#define ST_PRESS_LPS25H_DRDY_IRQ_INT2_MASK 0x10 +#define ST_PRESS_LPS25H_DRDY_IRQ_INT2_MASK 0x00 #define ST_PRESS_LPS25H_MULTIREAD_BIT true #define ST_PRESS_LPS25H_OUT_XL_ADDR 0x28 #define ST_TEMP_LPS25H_OUT_L_ADDR 0x2b

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: stephen hemminger stephen@networkplumber.org

commit d0d6683716791b2a2761a1bb025c613eb73da6c3 upstream.

If kobject_init_and_add failed, then the failure path would decrement the reference count of the queue kobject whose reference count was already zero.

Fixes: 114cf5802165 ("bql: Byte queue limits") Signed-off-by: Stephen Hemminger sthemmin@microsoft.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/core/net-sysfs.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-)

--- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -786,21 +786,20 @@ static int rx_queue_add_kobject(struct n error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL, "rx-%u", index); if (error) - goto exit; + return error;

if (net->sysfs_rx_queue_group) { error = sysfs_create_group(kobj, net->sysfs_rx_queue_group); - if (error) - goto exit; + if (error) { + kobject_put(kobj); + return error; + } }

kobject_uevent(kobj, KOBJ_ADD); dev_hold(queue->dev);

return error; -exit: - kobject_put(kobj); - return error; } #endif /* CONFIG_SYSFS */

@@ -1145,21 +1144,20 @@ static int netdev_queue_add_kobject(stru error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL, "tx-%u", index); if (error) - goto exit; + return error;

#ifdef CONFIG_BQL error = sysfs_create_group(kobj, &dql_group); - if (error) - goto exit; + if (error) { + kobject_put(kobj); + return error; + } #endif

kobject_uevent(kobj, KOBJ_ADD); dev_hold(queue->dev);

return 0; -exit: - kobject_put(kobj); - return error; } #endif /* CONFIG_SYSFS */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lorenzo Bianconi lorenzo.bianconi83@gmail.com

commit 4303741f99d617c1fc3c9069195d3d620c2f88c4 upstream.

Remove int2 configuration parameter for LIS3DH, LSM303DLHC, LSM330D, LSM330DL, LSM330DLC, LSM303AGR, LIS2DH12 and LNG2DM since these devices export just int1 as data-ready line

Fixes: 23cde4d65cc7 (iio: Added platform data to select the DRDY pin) Fixes: dcdb0a78cab3 (iio: accel: st_accel: add support to lng2dm) Signed-off-by: Lorenzo Bianconi lorenzo.bianconi@st.com Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com [bwh: Backported to 3.16: - Update the macro used to fill in this field - Drop change for LNG2DM] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/iio/accel/st_accel_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/accel/st_accel_core.c +++ b/drivers/iio/accel/st_accel_core.c @@ -66,7 +66,7 @@ #define ST_ACCEL_1_BDU_MASK 0x80 #define ST_ACCEL_1_DRDY_IRQ_ADDR 0x22 #define ST_ACCEL_1_DRDY_IRQ_INT1_MASK 0x10 -#define ST_ACCEL_1_DRDY_IRQ_INT2_MASK 0x08 +#define ST_ACCEL_1_DRDY_IRQ_INT2_MASK 0x00 #define ST_ACCEL_1_MULTIREAD_BIT true

/* CUSTOM VALUES FOR SENSOR 2 */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Edwin Török edvin.torok@citrix.com

commit 55acdd926f6b21a5cdba23da98a48aedf19ac9c3 upstream.

Can be reproduced when running dlm_controld (tested on 4.4.x, 4.12.4): # seq 1 100 | xargs -P0 -n1 dlm_tool join # seq 1 100 | xargs -P0 -n1 dlm_tool leave

misc_register fails due to duplicate sysfs entry, which causes dlm_device_register to free ls->ls_device.name. In dlm_device_deregister the name was freed again, causing memory corruption.

According to the comment in dlm_device_deregister the name should've been set to NULL when registration fails, so this patch does that.

sysfs: cannot create duplicate filename '/dev/char/10:1' ------------[ cut here ]------------ warning: cpu: 1 pid: 4450 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x56/0x70 modules linked in: msr rfcomm dlm ccm bnep dm_crypt uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev btusb media btrtl btbcm btintel bluetooth ecdh_generic intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm snd_hda_codec_hdmi irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel thinkpad_acpi pcbc nvram snd_seq_midi snd_seq_midi_event aesni_intel snd_hda_codec_realtek snd_hda_codec_generic snd_rawmidi aes_x86_64 crypto_simd glue_helper snd_hda_intel snd_hda_codec cryptd intel_cstate arc4 snd_hda_core snd_seq snd_seq_device snd_hwdep iwldvm intel_rapl_perf mac80211 joydev input_leds iwlwifi serio_raw cfg80211 snd_pcm shpchp snd_timer snd mac_hid mei_me lpc_ich mei soundcore sunrpc parport_pc ppdev lp parport autofs4 i915 psmouse e1000e ahci libahci i2c_algo_bit sdhci_pci ptp drm_kms_helper sdhci pps_core syscopyarea sysfillrect sysimgblt fb_sys_fops drm wmi video cpu: 1 pid: 4450 comm: dlm_test.exe not tainted 4.12.4-041204-generic hardware name: lenovo 232425u/232425u, bios g2et82ww (2.02 ) 09/11/2012 task: ffff96b0cbabe140 task.stack: ffffb199027d0000 rip: 0010:sysfs_warn_dup+0x56/0x70 rsp: 0018:ffffb199027d3c58 eflags: 00010282 rax: 0000000000000038 rbx: ffff96b0e2c49158 rcx: 0000000000000006 rdx: 0000000000000000 rsi: 0000000000000086 rdi: ffff96b15e24dcc0 rbp: ffffb199027d3c70 r08: 0000000000000001 r09: 0000000000000721 r10: ffffb199027d3c00 r11: 0000000000000721 r12: ffffb199027d3cd1 r13: ffff96b1592088f0 r14: 0000000000000001 r15: ffffffffffffffef fs: 00007f78069c0700(0000) gs:ffff96b15e240000(0000) knlgs:0000000000000000 cs: 0010 ds: 0000 es: 0000 cr0: 0000000080050033 cr2: 000000178625ed28 cr3: 0000000091d3e000 cr4: 00000000001406e0 call trace: sysfs_do_create_link_sd.isra.2+0x9e/0xb0 sysfs_create_link+0x25/0x40 device_add+0x5a9/0x640 device_create_groups_vargs+0xe0/0xf0 device_create_with_groups+0x3f/0x60 ? snprintf+0x45/0x70 misc_register+0x140/0x180 device_write+0x6a8/0x790 [dlm] __vfs_write+0x37/0x160 ? apparmor_file_permission+0x1a/0x20 ? security_file_permission+0x3b/0xc0 vfs_write+0xb5/0x1a0 sys_write+0x55/0xc0 ? sys_fcntl+0x5d/0xb0 entry_syscall_64_fastpath+0x1e/0xa9 rip: 0033:0x7f78083454bd rsp: 002b:00007f78069bbd30 eflags: 00000293 orig_rax: 0000000000000001 rax: ffffffffffffffda rbx: 0000000000000006 rcx: 00007f78083454bd rdx: 000000000000009c rsi: 00007f78069bee00 rdi: 0000000000000005 rbp: 00007f77f8000a20 r08: 000000000000fcf0 r09: 0000000000000032 r10: 0000000000000024 r11: 0000000000000293 r12: 00007f78069bde00 r13: 00007f78069bee00 r14: 000000000000000a r15: 00007f78069bbd70 code: 85 c0 48 89 c3 74 12 b9 00 10 00 00 48 89 c2 31 f6 4c 89 ef e8 2c c8 ff ff 4c 89 e2 48 89 de 48 c7 c7 b0 8e 0c a8 e8 41 e8 ed ff <0f> ff 48 89 df e8 00 d5 f4 ff 5b 41 5c 41 5d 5d c3 66 0f 1f 84 ---[ end trace 40412246357cc9e0 ]---

dlm: 59f24629-ae39-44e2-9030-397ebc2eda26: leaving the lockspace group... bug: unable to handle kernel null pointer dereference at 0000000000000001 ip: [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140 pgd 0 oops: 0000 [#1] smp modules linked in: dlm 8021q garp mrp stp llc openvswitch nf_defrag_ipv6 nf_conntrack libcrc32c iptable_filter dm_multipath crc32_pclmul dm_mod aesni_intel psmouse aes_x86_64 sg ablk_helper cryptd lrw gf128mul glue_helper i2c_piix4 nls_utf8 tpm_tis tpm isofs nfsd auth_rpcgss oid_registry nfs_acl lockd grace sunrpc xen_wdt ip_tables x_tables autofs4 hid_generic usbhid hid sr_mod cdrom sd_mod ata_generic pata_acpi 8139too serio_raw ata_piix 8139cp mii uhci_hcd ehci_pci ehci_hcd libata scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_mod ipv6 cpu: 0 pid: 394 comm: systemd-udevd tainted: g w 4.4.0+0 #1 hardware name: xen hvm domu, bios 4.7.2-2.2 05/11/2017 task: ffff880002410000 ti: ffff88000243c000 task.ti: ffff88000243c000 rip: e030:[<ffffffff811a3b4a>] [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140 rsp: e02b:ffff88000243fd90 eflags: 00010202 rax: 0000000000000000 rbx: ffff8800029864d0 rcx: 000000000007b36c rdx: 000000000007b36b rsi: 00000000024000c0 rdi: ffff880036801c00 rbp: ffff88000243fdc0 r08: 0000000000018880 r09: 0000000000000054 r10: 000000000000004a r11: ffff880034ace6c0 r12: 00000000024000c0 r13: ffff880036801c00 r14: 0000000000000001 r15: ffffffff8118dcc2 fs: 00007f0ab77548c0(0000) gs:ffff880036e00000(0000) knlgs:0000000000000000 cs: e033 ds: 0000 es: 0000 cr0: 0000000080050033 cr2: 0000000000000001 cr3: 000000000332d000 cr4: 0000000000040660 stack: ffffffff8118dc90 ffff8800029864d0 0000000000000000 ffff88003430b0b0 ffff880034b78320 ffff88003430b0b0 ffff88000243fdf8 ffffffff8118dcc2 ffff8800349c6700 ffff8800029864d0 000000000000000b 00007f0ab7754b90 call trace: [<ffffffff8118dc90>] ? anon_vma_fork+0x60/0x140 [<ffffffff8118dcc2>] anon_vma_fork+0x92/0x140 [<ffffffff8107033e>] copy_process+0xcae/0x1a80 [<ffffffff8107128b>] _do_fork+0x8b/0x2d0 [<ffffffff81071579>] sys_clone+0x19/0x20 [<ffffffff815a30ae>] entry_syscall_64_fastpath+0x12/0x71 ] code: f6 75 1c 4c 89 fa 44 89 e6 4c 89 ef e8 a7 e4 00 00 41 f7 c4 00 80 00 00 49 89 c6 74 47 eb 32 49 63 45 20 48 8d 4a 01 4d 8b 45 00 <49> 8b 1c 06 4c 89 f0 65 49 0f c7 08 0f 94 c0 84 c0 74 ac 49 63 rip [<ffffffff811a3b4a>] kmem_cache_alloc+0x7a/0x140 rsp <ffff88000243fd90> cr2: 0000000000000001 --[ end trace 70cb9fd1b164a0e8 ]--

Signed-off-by: Edwin Török edvin.torok@citrix.com Signed-off-by: David Teigland teigland@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/dlm/user.c | 4 ++++ 1 file changed, 4 insertions(+)

--- a/fs/dlm/user.c +++ b/fs/dlm/user.c @@ -346,6 +346,10 @@ static int dlm_device_register(struct dl error = misc_register(&ls->ls_device); if (error) { kfree(ls->ls_device.name); + /* this has to be set to NULL + * to avoid a double-free in dlm_device_deregister + */ + ls->ls_device.name = NULL; } fail: return error;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" ebiederm@xmission.com

commit d08477aa975e97f1dc64c0ae59cebf98520456ce upstream.

We have a weird and problematic intersection of features that when they all come together result in ambiguous siginfo values, that we can not support properly.

- Supporting fcntl(F_SETSIG,...) with arbitrary valid signals.

- Using positive values for POLL_IN, POLL_OUT, POLL_MSG, ..., etc that imply they are signal specific si_codes and using the aforementioned arbitrary signal to deliver them.

- Supporting injection of arbitrary siginfo values for debugging and checkpoint/restore.

The result is that just looking at siginfo si_codes of 1 to 6 are ambigious. It could either be a signal specific si_code or it could be a generic si_code.

For most of the kernel this is a non-issue but for sending signals with siginfo it is impossible to play back the kernel signals and get the same result.

Strictly speaking when the si_code was changed from SI_SIGIO to POLL_IN and friends between 2.2 and 2.4 this functionality was not ambiguous, as only real time signals were supported. Before 2.4 was released the kernel began supporting siginfo with non realtime signals so they could give details of why the signal was sent.

The result is that if F_SETSIG is set to one of the signals with signal specific si_codes then user space can not know why the signal was sent.

I grepped through a bunch of userspace programs using debian code search to get a feel for how often people choose a signal that results in an ambiguous si_code. I only found one program doing so and it was using SIGCHLD to test the F_SETSIG functionality, and did not appear to be a real world usage.

Therefore the ambiguity does not appears to be a real world problem in practice. Remove the ambiguity while introducing the smallest chance of breakage by changing the si_code to SI_SIGIO when signals with signal specific si_codes are targeted.

Fixes: v2.3.40 -- Added support for queueing non-rt signals Fixes: v2.3.21 -- Changed the si_code from SI_SIGIO Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/fcntl.c | 13 ++++++++++++- include/linux/signal.h | 8 ++++++++ include/uapi/asm-generic/siginfo.h | 4 ++-- 3 files changed, 22 insertions(+), 3 deletions(-)

--- a/fs/fcntl.c +++ b/fs/fcntl.c @@ -472,10 +472,21 @@ static void send_sigio_to_task(struct ta si.si_signo = signum; si.si_errno = 0; si.si_code = reason; + /* + * Posix definies POLL_IN and friends to be signal + * specific si_codes for SIG_POLL. Linux extended + * these si_codes to other signals in a way that is + * ambiguous if other signals also have signal + * specific si_codes. In that case use SI_SIGIO instead + * to remove the ambiguity. + */ + if (sig_specific_sicodes(signum)) + si.si_code = SI_SIGIO; + /* Make sure we are called with one of the POLL_* reasons, otherwise we could leak kernel stack into userspace. */ - BUG_ON((reason & __SI_MASK) != __SI_POLL); + BUG_ON((reason < POLL_IN) || ((reason - POLL_IN) >= NSIGPOLL)); if (reason - POLL_IN >= NSIGPOLL) si.si_band = ~0L; else --- a/include/linux/signal.h +++ b/include/linux/signal.h @@ -424,10 +424,18 @@ int unhandled_signal(struct task_struct rt_sigmask(SIGCONT) | rt_sigmask(SIGCHLD) | \ rt_sigmask(SIGWINCH) | rt_sigmask(SIGURG) )

+#define SIG_SPECIFIC_SICODES_MASK (\ + rt_sigmask(SIGILL) | rt_sigmask(SIGFPE) | \ + rt_sigmask(SIGSEGV) | rt_sigmask(SIGBUS) | \ + rt_sigmask(SIGTRAP) | rt_sigmask(SIGCHLD) | \ + rt_sigmask(SIGPOLL) | rt_sigmask(SIGSYS) | \ + SIGEMT_MASK ) + #define sig_kernel_only(sig) siginmask(sig, SIG_KERNEL_ONLY_MASK) #define sig_kernel_coredump(sig) siginmask(sig, SIG_KERNEL_COREDUMP_MASK) #define sig_kernel_ignore(sig) siginmask(sig, SIG_KERNEL_IGNORE_MASK) #define sig_kernel_stop(sig) siginmask(sig, SIG_KERNEL_STOP_MASK) +#define sig_specific_sicodes(sig) siginmask(sig, SIG_SPECIFIC_SICODES_MASK)

#define sig_user_defined(t, signr) \ (((t)->sighand->action[(signr)-1].sa.sa_handler != SIG_DFL) && \ --- a/include/uapi/asm-generic/siginfo.h +++ b/include/uapi/asm-generic/siginfo.h @@ -161,7 +161,7 @@ typedef struct siginfo { #define SI_TIMER __SI_CODE(__SI_TIMER,-2) /* sent by timer expiration */ #define SI_MESGQ __SI_CODE(__SI_MESGQ,-3) /* sent by real time mesq state change */ #define SI_ASYNCIO -4 /* sent by AIO completion */ -#define SI_SIGIO -5 /* sent by queued SIGIO */ +#define SI_SIGIO __SI_CODE(__SI_POLL,-5) /* sent by queued SIGIO */ #define SI_TKILL -6 /* sent by tkill system call */ #define SI_DETHREAD -7 /* sent by execve() killing subsidiary threads */

@@ -234,7 +234,7 @@ typedef struct siginfo { #define NSIGCHLD 6

/* - * SIGPOLL si_codes + * SIGPOLL (or any other signal without signal specific si_codes) si_codes */ #define POLL_IN (__SI_POLL|1) /* data input available */ #define POLL_OUT (__SI_POLL|2) /* output buffers available */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steffen Maier maier@linux.vnet.ibm.com

commit 9fe5d2b2fd30aa8c7827ec62cbbe6d30df4fe3e3 upstream.

Without this fix we get SCSI trace records on task management functions which cannot be correlated to HBA trace records because all fields related to the FSF request are empty (zero). Also, the FCP_RSP_IU is missing as well as any sense data if available.

This was caused by v2.6.14 commit 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features") introducing trace records for TMFs but hard coding NULL for a possibly existing TMF FSF request. The scsi_cmnd scribble is also zero or unrelated for the TMF request so it also could not lookup a suitable FSF request from there.

A broken example trace record formatted with zfcpdbf from the s390-tools package:

Timestamp : ... Area : SCSI Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : lr_fail Request ID : 0x0000000000000000 ^^^^^^^^^^^^^^^^ no correlation to HBA record SCSI ID : 0x<scsitarget> SCSI LUN : 0x<scsilun> SCSI result : 0x000e0000 SCSI retries : 0x00 SCSI allowed : 0x05 SCSI scribble : 0x0000000000000000 SCSI opcode : 2a000017 3bb80000 08000000 00000000 FCP rsp inf cod: 0x00 ^^ no TMF response FCP rsp IU : 00000000 00000000 00000000 00000000 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 00000000 00000000 ^^^^^^^^^^^^^^^^^ no interesting FCP_RSP_IU Sense len : ... ^^^^^^^^^^^^^^^^^^^^ no sense data length Sense info : ... ^^^^^^^^^^^^^^^^^^^^ no sense data content, even if present

There are some true cases where we really do not have an FSF request: "rsl_fai" from zfcp_dbf_scsi_fail_send() called for early returns / completions in zfcp_scsi_queuecommand(), "abrt_or", "abrt_bl", "abrt_ru", "abrt_ar" from zfcp_scsi_eh_abort_handler() where we did not get as far, "lr_nres", "tr_nres" from zfcp_task_mgmt_function() where we're successful and do not need to do anything because adapter stopped. For these cases it's correct to pass NULL for fsf_req to _zfcp_dbf_scsi().

Signed-off-by: Steffen Maier maier@linux.vnet.ibm.com Fixes: 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features") Reviewed-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/scsi/zfcp_dbf.h | 7 ++++--- drivers/s390/scsi/zfcp_scsi.c | 8 ++++---- 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h +++ b/drivers/s390/scsi/zfcp_dbf.h @@ -2,7 +2,7 @@ * zfcp device driver * debug feature declarations * - * Copyright IBM Corp. 2008, 2016 + * Copyright IBM Corp. 2008, 2017 */

#ifndef ZFCP_DBF_H @@ -401,7 +401,8 @@ void zfcp_dbf_scsi_abort(char *tag, stru * @flag: indicates type of reset (Target Reset, Logical Unit Reset) */ static inline -void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag) +void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag, + struct zfcp_fsf_req *fsf_req) { char tmp_tag[ZFCP_DBF_TAG_LEN];

@@ -411,7 +412,7 @@ void zfcp_dbf_scsi_devreset(char *tag, s memcpy(tmp_tag, "lr_", 3);

memcpy(&tmp_tag[3], tag, 4); - _zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL); + _zfcp_dbf_scsi(tmp_tag, 1, scmnd, fsf_req); }

/** --- a/drivers/s390/scsi/zfcp_scsi.c +++ b/drivers/s390/scsi/zfcp_scsi.c @@ -3,7 +3,7 @@ * * Interface to Linux SCSI midlayer. * - * Copyright IBM Corp. 2002, 2016 + * Copyright IBM Corp. 2002, 2017 */

#define KMSG_COMPONENT "zfcp" @@ -299,7 +299,7 @@ static int zfcp_task_mgmt_function(struc

if (!(atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_RUNNING)) { - zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags); + zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags, NULL); return SUCCESS; } } @@ -309,10 +309,10 @@ static int zfcp_task_mgmt_function(struc wait_for_completion(&fsf_req->completion);

if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) { - zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags); + zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags, fsf_req); retval = FAILED; } else { - zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags); + zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags, fsf_req); zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags); }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Matt Redfearn matt.redfearn@imgtec.com

commit 2b1be689f3aadcfe0a768314c80e43483c784659 upstream.

Commit 4c30c6f566c0 ("kernel/printk: do not turn off bootconsole in printk_late_init() if keep_bootcon") added a check on keep_bootcon to ensure that boot consoles were kept around until the real console is registered.

This can lead to problems if the boot console data and code are in the init section, since it can be freed before the boot console is unregistered.

Commit 81cc26f2bd11 ("printk: only unregister boot consoles when necessary") fixed this a better way. It allowed to keep boot consoles that did not use init data. Unfortunately it did not remove the check of keep_bootcon.

This can lead to crashes and weird panics when the bootconsole is accessed after free, especially if page poisoning is in use and the code / data have been overwritten with a poison value.

To prevent this, always free the boot console if it is within the init section. In addition, print a warning about that the console is removed prematurely.

Finally there is a new comment how to avoid the warning. It replaced an explanation that duplicated a more comprehensive function description few lines above.

Fixes: 4c30c6f566c0 ("kernel/printk: do not turn off bootconsole in printk_late_init() if keep_bootcon") Link: http://lkml.kernel.org/r/1500036673-7122-2-git-send-email-pmladek@suse.com Cc: Steven Rostedt rostedt@goodmis.org Cc: Andrew Morton akpm@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Jiri Slaby jslaby@suse.com Cc: "David S. Miller" davem@davemloft.net Cc: Alan Cox gnomes@lxorguk.ukuu.org.uk Cc: "Fabio M. Di Nitto" fdinitto@redhat.com Cc: linux-serial@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Matt Redfearn matt.redfearn@imgtec.com [pmladek@suse.com: print the warning, code and comments clean up] Reviewed-by: Sergey Senozhatsky sergey.senozhatsky@gmail.com Signed-off-by: Petr Mladek pmladek@suse.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/printk/printk.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-)

--- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -2570,25 +2570,23 @@ EXPORT_SYMBOL(unregister_console); * makes it difficult to diagnose problems that occur during this time. * * To mitigate this problem somewhat, only unregister consoles whose memory - * intersects with the init section. Note that code exists elsewhere to get - * rid of the boot console as soon as the proper console shows up, so there - * won't be side-effects from postponing the removal. + * intersects with the init section. Note that all other boot consoles will + * get unregistred when the real preferred console is registered. */ static int __init printk_late_init(void) { struct console *con;

for_each_console(con) { - if (!keep_bootcon && con->flags & CON_BOOT) { + if ((con->flags & CON_BOOT) && + init_section_intersects(con, sizeof(*con))) { /* - * Make sure to unregister boot consoles whose data - * resides in the init section before the init section - * is discarded. Boot consoles whose data will stick - * around will automatically be unregistered when the - * proper console replaces them. + * Please, consider moving the reported consoles out + * of the init section. */ - if (init_section_intersects(con, sizeof(*con))) - unregister_console(con); + pr_warn("bootconsole [%s%d] uses init memory and must be disabled even before the real one is ready\n", + con->name, con->index); + unregister_console(con); } } hotcpu_notifier(console_cpu_notify, 0);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Xiangliang.Yu" Xiangliang.Yu@amd.com

commit 9afae2719273fa1d406829bf3498f82dbdba71c7 upstream.

When fail to get needed page for pool, need to put allocated pages into pool. But current code has a miscalculation of allocated pages, correct it.

Signed-off-by: Xiangliang.Yu Xiangliang.Yu@amd.com Reviewed-by: Christian König christian.koenig@amd.com Reviewed-by: Monk Liu monk.liu@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/ttm/ttm_page_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c @@ -612,7 +612,7 @@ static void ttm_page_pool_fill_locked(st } else { pr_err("Failed to fill pool (%p)\n", pool); /* If we have any pages left put them to the pool. */ - list_for_each_entry(p, &pool->list, lru) { + list_for_each_entry(p, &new_pages, lru) { ++cpages; } list_splice(&new_pages, &pool->list);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bhushan Shah bshah@kde.org

commit 06168a64b1ae346816fcd0a0c3ea5276c778408b upstream.

In the lm3630a_chip_init we try to write to 0x50 register, which is higher value then the max_register value, this resulted in regmap_write return -EIO.

Fix this by bumping REG_MAX value to 0x50.

This code was introduced with the chip revision in commit 28e64a68a2ef, however setting filter strength was failing silently because it used unsigned int for storing and comparing the return values. Bug related to signedness was fixed in 2a0c316bf3cc, which made it error out correctly instead of failing silently.

I found this issue by using this driver on LGE Nexus 5 (hammerhead). After this commit lm3630a_chip_init succeeds instead of failing with -EIO.

Fixes: 28e64a68a2ef ("backlight: lm3630: apply chip revision") Fixes: 2a0c316bf3cc ("drivers/video/backlight/lm3630a_bl.c: fix signedness bug in lm3630a_chip_init()")

Suggested-by: Bjorn Andersson bjorn.andersson@linaro.org Signed-off-by: Bhushan Shah bshah@kde.org Acked-by: Daniel Thompson daniel.thompson@linaro.org Signed-off-by: Lee Jones lee.jones@linaro.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/video/backlight/lm3630a_bl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/video/backlight/lm3630a_bl.c +++ b/drivers/video/backlight/lm3630a_bl.c @@ -31,7 +31,8 @@ #define REG_FAULT 0x0B #define REG_PWM_OUTLOW 0x12 #define REG_PWM_OUTHIGH 0x13 -#define REG_MAX 0x1F +#define REG_FILTER_STRENGTH 0x50 +#define REG_MAX 0x50

#define INT_DEBOUNCE_MSEC 10 struct lm3630a_chip { @@ -80,7 +81,7 @@ static int lm3630a_chip_init(struct lm36

usleep_range(1000, 2000); /* set Filter Strength Register */ - rval = lm3630a_write(pchip, 0x50, 0x03); + rval = lm3630a_write(pchip, REG_FILTER_STRENGTH, 0x03); /* set Cofig. register */ rval |= lm3630a_update(pchip, REG_CONFIG, 0x07, pdata->pwm_ctrl); /* set boost control */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter dan.carpenter@oracle.com

commit d28ac7be15c70343cb270648e252f54d770eca6a upstream.

The cast here is wrong. We want to cast the pointer but we accidentally do a no-op cast of the value. We normally want to set us_nav_upper to WIFI_NAV_UPPER_US (30000) but because of this bug we instead set it to 184 on little endian systems and 0 on big endian ones.

Fixes: 3c05bedb5fef ("Staging: rtl8812ae: Add Realtek 8821 PCI WIFI driver") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Acked-by: Larry Finger Larry.Finger@lwfinger.net Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: adjust filename, context, indentation] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/rtl8821ae/rtl8821ae/hw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8821ae/rtl8821ae/hw.c +++ b/drivers/staging/rtl8821ae/rtl8821ae/hw.c @@ -760,7 +760,7 @@ void rtl8821ae_set_hw_reg(struct ieee802

} case HW_VAR_NAV_UPPER: { - u32 us_nav_upper = ((u32)*val); + u32 us_nav_upper = *(u32 *)val;

if(us_nav_upper > HAL_92C_NAV_UPPER_UNIT * 0xFF) {

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Luca Coelho luciano.coelho@intel.com

commit 3f7a5e13e85026b6e460bbd6e87f87379421d272 upstream.

We have a new PCI subsystem ID for 7265D. Add it to the list.

Signed-off-by: Luca Coelho luciano.coelho@intel.com [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/iwlwifi/pcie/drv.c | 1 + 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/iwlwifi/pcie/drv.c +++ b/drivers/net/wireless/iwlwifi/pcie/drv.c @@ -403,6 +403,7 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_ca {IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)}, {IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)}, {IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x9E10, iwl7265_2ac_cfg)},

/* 8000 Series */ {IWL_PCI_DEVICE(0x24F3, 0x0010, iwl8260_2ac_cfg)},

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo acme@redhat.com

commit d17d0878f456c8227345b6c76b918ec068fa0abd upstream.

Andi reported problems when parse errors were detected with vendor events (json), because in the yyparse/parse_events_parse function we dereferenced the _data parameter to two different structs, with different layouts, which ended up making parse_events_evlist->error to point to random stack addresses.

Fix it by making _data to always be struct parse_events_state, changing the only place where 'struct parse_events_term' was used in parse_events.y.

Reported-by: Andi Kleen ak@linux.intel.com Cc: Adrian Hunter adrian.hunter@intel.com Cc: David Ahern dsahern@gmail.com Cc: Jiri Olsa jolsa@kernel.org Cc: Namhyung Kim namhyung@kernel.org Cc: Wang Nan wangnan0@huawei.com Link: http://lkml.kernel.org/n/tip-bc27lshz823hxl8n9nkelcgh@git.kernel.org Fixes: 90e2b22dee90 ("perf/tool: Add support to reuse event grammar to parse out terms") Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- tools/perf/util/parse-events.c | 2 +- tools/perf/util/parse-events.h | 5 +---- tools/perf/util/parse-events.y | 2 +- 3 files changed, 3 insertions(+), 6 deletions(-)

--- a/tools/perf/util/parse-events.c +++ b/tools/perf/util/parse-events.c @@ -908,7 +908,7 @@ static int parse_events__scanner(const c */ int parse_events_terms(struct list_head *terms, const char *str) { - struct parse_events_terms data = { + struct parse_events_state data = { .terms = NULL, }; int ret; --- a/tools/perf/util/parse-events.h +++ b/tools/perf/util/parse-events.h @@ -65,10 +65,7 @@ struct parse_events_state { struct list_head list; int idx; int nr_groups; -}; - -struct parse_events_terms { - struct list_head *terms; + struct list_head *terms; };

int parse_events__is_hardcoded_term(struct parse_events_term *term); --- a/tools/perf/util/parse-events.y +++ b/tools/perf/util/parse-events.y @@ -346,7 +346,7 @@ PE_RAW

start_terms: event_config { - struct parse_events_terms *data = _data; + struct parse_events_state *data = _data; data->terms = $1; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Mentz danielmentz@google.com

commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream.

Certain syscalls like recvmmsg support 64 bit timespec values for the X32 ABI. The helper function compat_put_timespec converts a timespec value to a 32 bit or 64 bit value depending on what ABI is used. The v4l2 compat layer, however, is not designed to support 64 bit timespec values and always uses 32 bit values. Hence, compat_put_timespec must not be used.

Without this patch, user space will be provided with bad timestamp values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct v4l2_event32 that come immediately after timestamp get overwritten, namely the field named id.

Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)")

Cc: H. Peter Anvin hpa@linux.intel.com Cc: Laurent Pinchart laurent.pinchart+renesas@ideasonboard.com Cc: Tiffany Lin tiffany.lin@mediatek.com Cc: Ricardo Ribalda Delgado ricardo.ribalda@gmail.com Cc: Sakari Ailus sakari.ailus@linux.intel.com Signed-off-by: Daniel Mentz danielmentz@google.com Signed-off-by: Hans Verkuil hans.verkuil@cisco.com Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -731,7 +731,8 @@ static int put_v4l2_event32(struct v4l2_ copy_to_user(&up->u, &kp->u, sizeof(kp->u)) || put_user(kp->pending, &up->pending) || put_user(kp->sequence, &up->sequence) || - compat_put_timespec(&kp->timestamp, &up->timestamp) || + put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || + put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) || put_user(kp->id, &up->id) || copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32))) return -EFAULT;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn mike.marciniszyn@intel.com

commit 5b0ef650bd0f820e922fcc42f1985d4621ae19cf upstream.

Section 9.7.7.2.5 of the 1.3 IBTA spec clearly says that receive credits should never apply to RDMA write.

qib and hfi1 were doing that. The following situation will result in a QP hang: - A prior SEND or RDMA_WRITE with immmediate consumed the last credit for a QP using RC receive buffer credits - The prior op is acked so there are no more acks - The peer ULP fails to post receive for some reason - An RDMA write sees that the credits are exhausted and waits - The peer ULP posts receive buffers - The ULP posts a send or RDMA write that will be hung

The fix is to avoid the credit test for the RDMA write operation.

Reviewed-by: Kaike Wan kaike.wan@intel.com Signed-off-by: Mike Marciniszyn mike.marciniszyn@intel.com Signed-off-by: Dennis Dalessandro dennis.dalessandro@intel.com Signed-off-by: Doug Ledford dledford@redhat.com [bwh: Backported to 3.16: - Drop changes to hfi1 - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/infiniband/hw/qib/qib_rc.c +++ b/drivers/infiniband/hw/qib/qib_rc.c @@ -365,7 +365,7 @@ int qib_make_rc_req(struct qib_qp *qp) case IB_WR_RDMA_WRITE: if (newreq && !(qp->s_flags & QIB_S_UNLIMITED_CREDIT)) qp->s_lsn++; - /* FALLTHROUGH */ + goto no_flow_control; case IB_WR_RDMA_WRITE_WITH_IMM: /* If no credit, return. */ if (!(qp->s_flags & QIB_S_UNLIMITED_CREDIT) && @@ -373,6 +373,7 @@ int qib_make_rc_req(struct qib_qp *qp) qp->s_flags |= QIB_S_WAIT_SSN_CREDIT; goto bail; } +no_flow_control: ohdr->u.rc.reth.vaddr = cpu_to_be64(wqe->wr.wr.rdma.remote_addr); ohdr->u.rc.reth.rkey =

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Spinadel david.spinadel@intel.com

commit eb045e6e0389eabfd704dd7a76d8b2a892970e85 upstream.

Use bcast station for all non bufferable frames on AP and AD-HOC.

The host is no longer aware of STAs PS status because of buffer station offload, so we can't rely on mac80211 to toggle on IEEE80211_TX_CTL_NO_PS_BUFFER bit.

A possible issue with buffering such frames, beside the obvious spec violation, is when a station disconnects while in PS but the AP isn't aware of that. In such scenarios the AP won't be able to send probe responses or auth frames so the STA won't be able to reconnect and the AP will have a queue hang.

Fixes: 3e56eadfb6a1 ("iwlwifi: mvm: implement AP/GO uAPSD support") Signed-off-by: David Spinadel david.spinadel@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/iwlwifi/mvm/mac80211.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c +++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c @@ -485,10 +485,11 @@ static void iwl_mvm_mac_tx(struct ieee80 !test_bit(IWL_MVM_STATUS_ROC_RUNNING, &mvm->status)) goto drop;

- /* treat non-bufferable MMPDUs as broadcast if sta is sleeping */ - if (unlikely(info->flags & IEEE80211_TX_CTL_NO_PS_BUFFER && - ieee80211_is_mgmt(hdr->frame_control) && - !ieee80211_is_bufferable_mmpdu(hdr->frame_control))) + /* treat non-bufferable MMPDUs on AP interfaces as broadcast */ + if ((info->control.vif->type == NL80211_IFTYPE_AP || + info->control.vif->type == NL80211_IFTYPE_ADHOC) && + ieee80211_is_mgmt(hdr->frame_control) && + !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) sta = NULL;

if (sta) {

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Matt Redfearn matt.redfearn@imgtec.com

commit cea8cd498f4f1c30ea27e3664b3c671e495c4fce upstream.

When the immediate encoded in the instruction is accessed, it is sign extended due to being a signed value being assigned to a signed integer. The ISA specifies that this operation is an unsigned operation. The sign extension leads us to incorrectly decode:

801e9c8e: cbf1 sw ra,68(sp)

As having an immediate of 1073741809.

Since the instruction format does not specify signed/unsigned, and this is currently the only location to use this instuction format, change it to an unsigned immediate.

Fixes: bb9bc4689b9c ("MIPS: Calculate microMIPS ra properly when unwinding the stack") Suggested-by: Paul Burton paul.burton@imgtec.com Signed-off-by: Matt Redfearn matt.redfearn@imgtec.com Reviewed-by: James Hogan james.hogan@imgtec.com Cc: Marcin Nowakowski marcin.nowakowski@imgtec.com Cc: Miodrag Dinic miodrag.dinic@imgtec.com Cc: Ingo Molnar mingo@kernel.org Cc: David Daney david.daney@cavium.com Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16957/ Signed-off-by: Ralf Baechle ralf@linux-mips.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/include/uapi/asm/inst.h | 2 +- arch/mips/kernel/process.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/include/uapi/asm/inst.h +++ b/arch/mips/include/uapi/asm/inst.h @@ -808,7 +808,7 @@ struct mm16_r3_format { /* Load from gl struct mm16_r5_format { /* Load/store from stack pointer format */ __BITFIELD_FIELD(unsigned int opcode : 6, __BITFIELD_FIELD(unsigned int rt : 5, - __BITFIELD_FIELD(signed int simmediate : 5, + __BITFIELD_FIELD(unsigned int imm : 5, __BITFIELD_FIELD(unsigned int : 16, /* Ignored */ ;)))) }; --- a/arch/mips/kernel/process.c +++ b/arch/mips/kernel/process.c @@ -241,7 +241,7 @@ static inline int is_ra_save_ins(union m if (ip->mm16_r5_format.rt != 31) return 0;

- *poff = ip->mm16_r5_format.simmediate; + *poff = ip->mm16_r5_format.imm; *poff = (*poff << 2) / sizeof(ulong); return 1;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" mail@maciej.szmigiero.name

commit 169e86546f5712179709de23cd64bbb15f199fab upstream.

This commit adds support (an ID, really) for D-Link DWM-157 hardware version C1 USB modem to option driver.

According to manufacturer-provided Windows INF file the device has four serial ports: "D-Link HSPA+DataCard Diagnostics Interface" (interface 2; modem port), "D-Link HSPA+DataCard NMEA Device" (interface 3), "D-Link HSPA+DataCard Speech Port" (interface 4), "D-Link HSPA+DataCard Debug Port" (interface 5).

usb-devices output: T: Bus=05 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2001 ProdID=7d0e Rev=03.00 S: Manufacturer=D-Link,Inc S: Product=D-Link DWM-157 C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=02 Prot=01 Driver=option I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Signed-off-by: Maciej S. Szmigiero mail@maciej.szmigiero.name Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/option.c | 1 + 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -2034,6 +2034,7 @@ static const struct usb_device_id option { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) }, { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) }, { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff) }, /* D-Link DWM-158 */ + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d0e, 0xff) }, /* D-Link DWM-157 C1 */ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff), /* D-Link DWM-221 B1 */ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff), /* D-Link DWM-222 */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Yazen Ghannam yazen.ghannam@amd.com

commit 1d5d820b8fe83b5f859d1ebb028a09ada426447e upstream.

ACPI defines a number of instructions to use for triggering errors. However we are currently removing the address resources from the trigger resources for only the WRITE_REGISTER_VALUE instruction. This leads to a resource conflict for any other valid instruction.

Check that the instruction is less than or equal to the WRITE_REGISTER_VALUE instruction. This allows all valid memory access instructions and protects against invalid instructions.

Fixes: b4e008dc53a3 (ACPI, APEI, EINJ, Refine the fix of resource conflict) Signed-off-by: Yazen Ghannam yazen.ghannam@amd.com Acked-by: Tony Luck tony.luck@intel.com Signed-off-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/acpi/apei/einj.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c @@ -285,7 +285,7 @@ static struct acpi_generic_address *einj ((char *)trigger_tab + sizeof(struct acpi_einj_trigger)); for (i = 0; i < trigger_tab->entry_count; i++) { if (entry->action == ACPI_EINJ_TRIGGER_ERROR && - entry->instruction == ACPI_EINJ_WRITE_REGISTER_VALUE && + entry->instruction <= ACPI_EINJ_WRITE_REGISTER_VALUE && entry->register_region.space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY && (entry->register_region.address & param2) == (param1 & param2))

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky schwidefsky@de.ibm.com

commit 60f07c8ec5fae06c23e9fd7bab67dabce92b3414 upstream.

The order in __tlb_flush_mm_lazy is to flush TLB first and then clear the mm->context.flush_mm bit. This can lead to missed flushes as the bit can be set anytime, the order needs to be the other way aronud.

But this leads to a different race, __tlb_flush_mm_lazy may be called on two CPUs concurrently. If mm->context.flush_mm is cleared first then another CPU can bypass __tlb_flush_mm_lazy although the first CPU has not done the flush yet. In a virtualized environment the time until the flush is finally completed can be arbitrarily long.

Add a spinlock to serialize __tlb_flush_mm_lazy and use the function in finish_arch_post_lock_switch as well.

Reviewed-by: Heiko Carstens heiko.carstens@de.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/s390/include/asm/mmu.h | 2 ++ arch/s390/include/asm/mmu_context.h | 4 ++-- arch/s390/include/asm/tlbflush.h | 4 +++- 3 files changed, 7 insertions(+), 3 deletions(-)

--- a/arch/s390/include/asm/mmu.h +++ b/arch/s390/include/asm/mmu.h @@ -5,6 +5,7 @@ #include <linux/errno.h>

typedef struct { + spinlock_t lock; cpumask_t cpu_attach_mask; atomic_t attach_count; unsigned int flush_mm; @@ -21,6 +22,7 @@ typedef struct { } mm_context_t;

#define INIT_MM_CONTEXT(name) \ + .context.lock = __SPIN_LOCK_UNLOCKED(name.context.lock), \ .context.list_lock = __SPIN_LOCK_UNLOCKED(name.context.list_lock), \ .context.pgtable_list = LIST_HEAD_INIT(name.context.pgtable_list), \ .context.gmap_list = LIST_HEAD_INIT(name.context.gmap_list), --- a/arch/s390/include/asm/mmu_context.h +++ b/arch/s390/include/asm/mmu_context.h @@ -15,6 +15,7 @@ static inline int init_new_context(struct task_struct *tsk, struct mm_struct *mm) { + spin_lock_init(&mm->context.lock); spin_lock_init(&mm->context.list_lock); INIT_LIST_HEAD(&mm->context.pgtable_list); INIT_LIST_HEAD(&mm->context.gmap_list); @@ -95,8 +96,7 @@ static inline void finish_arch_post_lock cpu_relax();

cpumask_set_cpu(smp_processor_id(), mm_cpumask(mm)); - if (mm->context.flush_mm) - __tlb_flush_mm(mm); + __tlb_flush_mm_lazy(mm); preempt_enable(); } set_fs(current->thread.mm_segment); --- a/arch/s390/include/asm/tlbflush.h +++ b/arch/s390/include/asm/tlbflush.h @@ -164,10 +164,12 @@ static inline void __tlb_flush_mm(struct

static inline void __tlb_flush_mm_lazy(struct mm_struct * mm) { + spin_lock(&mm->context.lock); if (mm->context.flush_mm) { - __tlb_flush_mm(mm); mm->context.flush_mm = 0; + __tlb_flush_mm(mm); } + spin_unlock(&mm->context.lock); }

/*

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Beni Lev beni.lev@intel.com

commit 9de981f507474f326e42117858dc9a9321331ae5 upstream.

In struct ieee80211_tx_info, control.vif pointer and rate_driver_data[0] falls on the same place, depending on the union usage. During the whole TX process, the union is referred to as a control struct, which holds the vif that is later used in the tx flow, especially in order to derive the used tx power. Referring direcly to rate_driver_data[0] and assigning a value to it, overwrites the vif pointer, hence making all later references irrelevant. Moreover, rate_driver_data[0] isn't used later in the flow in order to retrieve the channel that it is pointing to.

Signed-off-by: Beni Lev beni.lev@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Signed-off-by: Johannes Berg johannes.berg@intel.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/mac80211_hwsim.c | 2 -- 1 file changed, 2 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -1122,7 +1122,6 @@ static void mac80211_hwsim_tx(struct iee txi->control.rates, ARRAY_SIZE(txi->control.rates));

- txi->rate_driver_data[0] = channel; mac80211_hwsim_monitor_rx(hw, skb, channel);

/* wmediumd mode check */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tang Junhui tang.junhui@zte.com.cn

commit c81ffa32a214c84b08900fbc9d432187bd948eba upstream.

Sequential write IOs were tested with bs=1M by FIO in writeback cache mode, these IOs were expected to be bypassed, but actually they did not. We debug the code, and find in check_should_bypass(): if (!congested && mode == CACHE_MODE_WRITEBACK && op_is_write(bio_op(bio)) && (bio-＞bi_opf & REQ_SYNC)) goto rescale that means, If in writeback mode, a write IO with REQ_SYNC flag will not be bypassed though it is a sequential large IO, It's not a correct thing to do actually, so this patch remove these codes.

Signed-off-by: tang.junhui tang.junhui@zte.com.cn Reviewed-by: Kent Overstreet kent.overstreet@gmail.com Reviewed-by: Eric Wheeler bcache@linux.ewheeler.net Signed-off-by: Jens Axboe axboe@kernel.dk [bwh: Backported to 3.16: deleted code is slightly different] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/md/bcache/request.c | 6 ------ 1 file changed, 6 deletions(-)

--- a/drivers/md/bcache/request.c +++ b/drivers/md/bcache/request.c @@ -395,12 +395,6 @@ static bool check_should_bypass(struct c if (!congested && !dc->sequential_cutoff) goto rescale;

- if (!congested && - mode == CACHE_MODE_WRITEBACK && - (bio->bi_rw & REQ_WRITE) && - (bio->bi_rw & REQ_SYNC)) - goto rescale; - spin_lock(&dc->io_lock);

hlist_for_each_entry(i, iohash(dc, bio->bi_iter.bi_sector), hash)

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jonas Gorski jonas.gorski@gmail.com

commit a18097b7676bf5fb2677bf5e6cc24e721d7c2596 upstream.

Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise.

Fixes: 3f0a06b0368d ("MIPS: ralink: adds clkdev code") Reported-by: Mathias Kresin dev@kresin.me Signed-off-by: Jonas Gorski jonas.gorski@gmail.com Cc: John Crispin john@phrozen.org Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16778/ Signed-off-by: Ralf Baechle ralf@linux-mips.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/ralink/clk.c | 3 +++ 1 file changed, 3 insertions(+)

--- a/arch/mips/ralink/clk.c +++ b/arch/mips/ralink/clk.c @@ -52,6 +52,9 @@ EXPORT_SYMBOL_GPL(clk_disable);

unsigned long clk_get_rate(struct clk *clk) { + if (!clk) + return 0; + return clk->rate; } EXPORT_SYMBOL_GPL(clk_get_rate);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Fleytman dmitry@daynix.com

commit a1279ef74eeeb5f627f091c71d80dd7ac766c99d upstream.

Commit e0429362ab15 ("usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e") introduced quirk to workaround an issue with some Logitech webcams.

Apparently model C920-C has the same issue so applying the same quirk as well.

See aforementioned commit message for detailed explanation of the problem.

Signed-off-by: Dmitry Fleytman dmitry@daynix.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/quirks.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -57,8 +57,9 @@ static const struct usb_device_id usb_qu /* Microsoft LifeCam-VX700 v2.0 */ { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },

- /* Logitech HD Pro Webcams C920 and C930e */ + /* Logitech HD Pro Webcams C920, C920-C and C930e */ { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT }, { USB_DEVICE(0x046d, 0x0843), .driver_info = USB_QUIRK_DELAY_INIT },

/* Logitech ConferenceCam CC3000e */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long lucien.xin@gmail.com

commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 upstream.

Now when peeling off an association to the sock in another netns, all transports in this assoc are not to be rehashed and keep use the old key in hashtable.

As a transport uses sk->net as the hash key to insert into hashtable, it would miss removing these transports from hashtable due to the new netns when closing the sock and all transports are being freeed, then later an use-after-free issue could be caused when looking up an asoc and dereferencing those transports.

This is a very old issue since very beginning, ChunYu found it with syzkaller fuzz testing with this series:

socket$inet6_sctp() bind$inet6() sendto$inet6() unshare(0x40000000) getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST() getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()

This patch is to block this call when peeling one assoc off from one netns to another one, so that the netns of all transport would not go out-sync with the key in hashtable.

Note that this patch didn't fix it by rehashing transports, as it's difficult to handle the situation when the tuple is already in use in the new netns. Besides, no one would like to peel off one assoc to another netns, considering ipaddrs, ifaces, etc. are usually different.

Reported-by: ChunYu Wang chunwang@redhat.com Signed-off-by: Xin Long lucien.xin@gmail.com Acked-by: Marcelo Ricardo Leitner marcelo.leitner@gmail.com Acked-by: Neil Horman nhorman@tuxdriver.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/sctp/socket.c | 4 ++++ 1 file changed, 4 insertions(+)

--- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4328,6 +4328,10 @@ int sctp_do_peeloff(struct sock *sk, sct struct sctp_af *af; int err = 0;

+ /* Do not peel off from one netns to another one. */ + if (!net_eq(current->nsproxy->net_ns, sock_net(sk))) + return -EINVAL; + if (!asoc) return -EINVAL;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Colin Ian King colin.king@canonical.com

commit 801e3659bf2c87c31b7024087d61e89e172b5651 upstream.

The calculation of the left volume looks suspect, the value of 0x1f - ((val << 8) & 0x1f) is always 0x1f. The debug prior to the assignment of value[1] prints the left volume setting using the calculation 0x1f - (val >> 8) & 0x1f which looks correct to me. Fix the left volume by using the correct expression as used in the debug.

Detected by CoverityScan, CID#146140 ("Wrong operator used")

Fixes: 850d24a5a861 ("[media] em28xx-alsa: add mixer support for AC97 volume controls")

Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Hans Verkuil hansverk@cisco.com Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/usb/em28xx/em28xx-audio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/em28xx/em28xx-audio.c +++ b/drivers/media/usb/em28xx/em28xx-audio.c @@ -562,7 +562,7 @@ static int em28xx_vol_get(struct snd_kco val, (int)kcontrol->private_value);

value->value.integer.value[0] = 0x1f - (val & 0x1f); - value->value.integer.value[1] = 0x1f - ((val << 8) & 0x1f); + value->value.integer.value[1] = 0x1f - ((val >> 8) & 0x1f);

return 0; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jose Abreu Jose.Abreu@synopsys.com

commit 1ee55a8f7f6b7ca4c0c59e0b4b4e3584a085c2d3 upstream.

I recently came upon a scenario where I would get a double fault machine check exception tiriggered by a kernel module. However the ensuing crash stacktrace (ksym lookup) was not working correctly.

Turns out that machine check auto-disables MMU while modules are allocated in kernel vaddr spapce.

This patch re-enables the MMU before start printing the stacktrace making stacktracing of modules work upon a fatal exception.

Signed-off-by: Jose Abreu joabreu@synopsys.com Reviewed-by: Alexey Brodkin abrodkin@synopsys.com Signed-off-by: Vineet Gupta vgupta@synopsys.com [vgupta: moved code into low level handler to avoid in 2 places] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arc/kernel/entry.S | 6 ++++++ arch/arc/mm/tlb.c | 3 --- 2 files changed, 6 insertions(+), 3 deletions(-)

--- a/arch/arc/kernel/entry.S +++ b/arch/arc/kernel/entry.S @@ -315,6 +315,12 @@ ENTRY(EV_MachineCheck) lr r0, [efa] mov r1, sp

+ ; hardware auto-disables MMU, re-enable it to allow kernel vaddr + ; access for say stack unwinding of modules for crash dumps + lr r3, [ARC_REG_PID] + or r3, r3, MMU_ENABLE + sr r3, [ARC_REG_PID] + lsr r3, r2, 8 bmsk r3, r3, 7 brne r3, ECR_C_MCHK_DUP_TLB, 1f --- a/arch/arc/mm/tlb.c +++ b/arch/arc/mm/tlb.c @@ -691,9 +691,6 @@ void do_tlb_overlap_fault(unsigned long

local_irq_save(flags);

- /* re-enable the MMU */ - write_aux_reg(ARC_REG_PID, MMU_ENABLE | read_aux_reg(ARC_REG_PID)); - /* loop thru all sets of TLB */ for (set = 0; set < mmu->sets; set++) {

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault g.nault@alphalink.fr

commit f026bc29a8e093edfbb2a77700454b285c97e8ad upstream.

Using l2tp_tunnel_find() in pppol2tp_session_create() and l2tp_eth_create() is racy, because no reference is held on the returned session. These functions are only used to implement the ->session_create callback which is run by l2tp_nl_cmd_session_create(). Therefore searching for the parent tunnel isn't necessary because l2tp_nl_cmd_session_create() already has a pointer to it and holds a reference.

This patch modifies ->session_create()'s prototype to directly pass the the parent tunnel as parameter, thus avoiding searching for it in pppol2tp_session_create() and l2tp_eth_create().

Since we have to touch the ->session_create() call in l2tp_nl_cmd_session_create(), let's also remove the useless conditional: we know that ->session_create isn't NULL at this point because it's already been checked earlier in this same function.

Finally, one might be tempted to think that the removed l2tp_tunnel_find() calls were harmless because they would return the same tunnel as the one held by l2tp_nl_cmd_session_create() anyway. But that tunnel might be removed and a new one created with same tunnel Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find() would return the new tunnel which wouldn't be protected by the reference held by l2tp_nl_cmd_session_create().

Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP") Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_core.h | 4 +++- net/l2tp/l2tp_eth.c | 11 +++-------- net/l2tp/l2tp_netlink.c | 8 ++++---- net/l2tp/l2tp_ppp.c | 19 +++++++------------ 4 files changed, 17 insertions(+), 25 deletions(-)

--- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -210,7 +210,9 @@ struct l2tp_tunnel { };

struct l2tp_nl_cmd_ops { - int (*session_create)(struct net *net, u32 tunnel_id, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg); + int (*session_create)(struct net *net, struct l2tp_tunnel *tunnel, + u32 session_id, u32 peer_session_id, + struct l2tp_session_cfg *cfg); int (*session_delete)(struct l2tp_session *session); };

--- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -206,23 +206,18 @@ static void l2tp_eth_show(struct seq_fil } #endif

-static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg) +static int l2tp_eth_create(struct net *net, struct l2tp_tunnel *tunnel, + u32 session_id, u32 peer_session_id, + struct l2tp_session_cfg *cfg) { struct net_device *dev; char name[IFNAMSIZ]; - struct l2tp_tunnel *tunnel; struct l2tp_session *session; struct l2tp_eth *priv; struct l2tp_eth_sess *spriv; int rc; struct l2tp_eth_net *pn;

- tunnel = l2tp_tunnel_find(net, tunnel_id); - if (!tunnel) { - rc = -ENODEV; - goto out; - } - if (cfg->ifname) { dev = dev_get_by_name(net, cfg->ifname); if (dev) { --- a/net/l2tp/l2tp_netlink.c +++ b/net/l2tp/l2tp_netlink.c @@ -540,10 +540,10 @@ static int l2tp_nl_cmd_session_create(st break; }

- ret = -EPROTONOSUPPORT; - if (l2tp_nl_cmd_ops[cfg.pw_type]->session_create) - ret = (*l2tp_nl_cmd_ops[cfg.pw_type]->session_create)(net, tunnel_id, - session_id, peer_session_id, &cfg); + ret = l2tp_nl_cmd_ops[cfg.pw_type]->session_create(net, tunnel, + session_id, + peer_session_id, + &cfg);

out_tunnel: l2tp_tunnel_dec_refcount(tunnel); --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -807,25 +807,20 @@ end:

#ifdef CONFIG_L2TP_V3

-/* Called when creating sessions via the netlink interface. - */ -static int pppol2tp_session_create(struct net *net, u32 tunnel_id, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg) +/* Called when creating sessions via the netlink interface. */ +static int pppol2tp_session_create(struct net *net, struct l2tp_tunnel *tunnel, + u32 session_id, u32 peer_session_id, + struct l2tp_session_cfg *cfg) { int error; - struct l2tp_tunnel *tunnel; struct l2tp_session *session; struct pppol2tp_session *ps;

- tunnel = l2tp_tunnel_find(net, tunnel_id); - - /* Error if we can't find the tunnel */ - error = -ENOENT; - if (tunnel == NULL) - goto out; - /* Error if tunnel socket is not prepped */ - if (tunnel->sock == NULL) + if (!tunnel->sock) { + error = -ENOENT; goto out; + }

/* Default MTU values. */ if (cfg->mtu == 0)

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Julien Grall julien.grall@arm.com

commit 22f12f0df802cea865672d8f39fbebdc03981050 upstream.

When booting Linux as Xen guest with CONFIG_DEBUG_ATOMIC, the following splat appears:

[ 0.002323] Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes) [ 0.019717] ASID allocator initialised with 65536 entries [ 0.020019] xen:grant_table: Grant tables using version 1 layout [ 0.020051] Grant table initialized [ 0.020069] BUG: sleeping function called from invalid context at /data/src/linux/mm/page_alloc.c:4046 [ 0.020100] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0 [ 0.020123] no locks held by swapper/0/1. [ 0.020143] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.13.0-rc5 #598 [ 0.020166] Hardware name: FVP Base (DT) [ 0.020182] Call trace: [ 0.020199] [<ffff00000808a5c0>] dump_backtrace+0x0/0x270 [ 0.020222] [<ffff00000808a95c>] show_stack+0x24/0x30 [ 0.020244] [<ffff000008c1ef20>] dump_stack+0xb8/0xf0 [ 0.020267] [<ffff0000081128c0>] ___might_sleep+0x1c8/0x1f8 [ 0.020291] [<ffff000008112948>] __might_sleep+0x58/0x90 [ 0.020313] [<ffff0000082171b8>] __alloc_pages_nodemask+0x1c0/0x12e8 [ 0.020338] [<ffff00000827a110>] alloc_page_interleave+0x38/0x88 [ 0.020363] [<ffff00000827a904>] alloc_pages_current+0xdc/0xf0 [ 0.020387] [<ffff000008211f38>] __get_free_pages+0x28/0x50 [ 0.020411] [<ffff0000086566a4>] evtchn_fifo_alloc_control_block+0x2c/0xa0 [ 0.020437] [<ffff0000091747b0>] xen_evtchn_fifo_init+0x38/0xb4 [ 0.020461] [<ffff0000091746c0>] xen_init_IRQ+0x44/0xc8 [ 0.020484] [<ffff000009128adc>] xen_guest_init+0x250/0x300 [ 0.020507] [<ffff000008083974>] do_one_initcall+0x44/0x130 [ 0.020531] [<ffff000009120df8>] kernel_init_freeable+0x120/0x288 [ 0.020556] [<ffff000008c31ca8>] kernel_init+0x18/0x110 [ 0.020578] [<ffff000008083710>] ret_from_fork+0x10/0x40 [ 0.020606] xen:events: Using FIFO-based ABI [ 0.020658] Xen: initializing cpu0 [ 0.027727] Hierarchical SRCU implementation. [ 0.036235] EFI services will not be available. [ 0.043810] smp: Bringing up secondary CPUs ...

This is because get_cpu() in xen_evtchn_fifo_init() will disable preemption, but __get_free_page() might sleep (GFP_ATOMIC is not set).

xen_evtchn_fifo_init() will always be called before SMP is initialized, so {get,put}_cpu() could be replaced by a simple smp_processor_id().

This also avoid to modify evtchn_fifo_alloc_control_block that will be called in other context.

Signed-off-by: Julien Grall julien.grall@arm.com Reported-by: Andre Przywara andre.przywara@arm.com Reviewed-by: Boris Ostrovsky boris.ostrovsky@oracle.com Fixes: 1fe565517b57 ("xen/events: use the FIFO-based ABI if available") Signed-off-by: Boris Ostrovsky boris.ostrovsky@oracle.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/xen/events/events_fifo.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/xen/events/events_fifo.c +++ b/drivers/xen/events/events_fifo.c @@ -445,19 +445,18 @@ static struct notifier_block evtchn_fifo

int __init xen_evtchn_fifo_init(void) { - int cpu = get_cpu(); + int cpu = smp_processor_id(); int ret;

ret = evtchn_fifo_alloc_control_block(cpu); if (ret < 0) - goto out; + return ret;

pr_info("Using FIFO-based ABI\n");

evtchn_ops = &evtchn_ops_fifo;

register_cpu_notifier(&evtchn_fifo_cpu_notifier); -out: - put_cpu(); + return ret; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Lyle mlyle@lyle.org

commit 9276717b9e297a62d1151a43d1cd286213f68eb7 upstream.

Most importantly, solve a crash where %llu was used to format signed numbers. This would cause a buffer overflow when reading sysfs writeback_rate_debug, as only 20 bytes were allocated for this and %llu writes 20 characters plus a null.

Always use the units mechanism rather than having different output paths for simplicity.

Also, correct problems with display output where 1.10 was a larger number than 1.09, by multiplying by 10 and then dividing by 1024 instead of dividing by 100. (Remainders of >= 1000 would print as .10).

Minor changes: Always display the decimal point instead of trying to omit it based on number of digits shown. Decide what units to use based on 1000 as a threshold, not 1024 (in other words, always print at most 3 digits before the decimal point).

Signed-off-by: Michael Lyle mlyle@lyle.org Reported-by: Dmitry Yu Okunev dyokunev@ut.mephi.ru Acked-by: Kent Overstreet kent.overstreet@gmail.com Reviewed-by: Coly Li colyli@suse.de Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/md/bcache/util.c | 50 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 15 deletions(-)

--- a/drivers/md/bcache/util.c +++ b/drivers/md/bcache/util.c @@ -73,24 +73,44 @@ STRTO_H(strtouint, unsigned int) STRTO_H(strtoll, long long) STRTO_H(strtoull, unsigned long long)

+/** + * bch_hprint() - formats @v to human readable string for sysfs. + * + * @v - signed 64 bit integer + * @buf - the (at least 8 byte) buffer to format the result into. + * + * Returns the number of bytes used by format. + */ ssize_t bch_hprint(char *buf, int64_t v) { static const char units[] = "?kMGTPEZY"; - char dec[4] = ""; - int u, t = 0; + int u = 0, t;

- for (u = 0; v >= 1024 || v <= -1024; u++) { - t = v & ~(~0 << 10); - v >>= 10; - } + uint64_t q;

- if (!u) - return sprintf(buf, "%llu", v); - - if (v < 100 && v > -100) - snprintf(dec, sizeof(dec), ".%i", t / 100); - - return sprintf(buf, "%lli%s%c", v, dec, units[u]); + if (v < 0) + q = -v; + else + q = v; + + /* For as long as the number is more than 3 digits, but at least + * once, shift right / divide by 1024. Keep the remainder for + * a digit after the decimal point. + */ + do { + u++; + + t = q & ~(~0 << 10); + q >>= 10; + } while (q >= 1000); + + if (v < 0) + /* '-', up to 3 digits, '.', 1 digit, 1 character, null; + * yields 8 bytes. + */ + return sprintf(buf, "-%llu.%i%c", q, t * 10 / 1024, units[u]); + else + return sprintf(buf, "%llu.%i%c", q, t * 10 / 1024, units[u]); }

ssize_t bch_snprint_string_list(char *buf, size_t size, const char * const list[],

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan H. Schönherr jschoenh@amazon.de

commit 49a8afca386ee1775519a4aa80f8e121bd227dd4 upstream.

Signed-off-by: Jan H. Schönherr jschoenh@amazon.de Fixes: f6511935f424 ("KVM: SVM: Add checks for IO instructions") Reviewed-by: David Hildenbrand david@redhat.com Signed-off-by: Radim Krčmář rkrcmar@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/kvm/svm.c | 1 + 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -4248,6 +4248,7 @@ static int svm_check_intercept(struct kv */ if (info->rep_prefix != REPE_PREFIX) goto out; + break; case SVM_EXIT_IOIO: { u64 exit_info; u32 bytes;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tang Junhui tang.junhui@zte.com.cn

commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream.

__update_write_rate() uses a Proportion-Differentiation Controller algorithm to control writeback rate. A dirty target number is used in this PD controller to control writeback rate. A larger target number will make the writeback rate smaller, on the versus, a smaller target number will make the writeback rate larger.

bcache uses the following steps to calculate the target number, 1) cache_sectors = all-buckets-of-cache-set * buckets-size 2) cache_dirty_target = cache_sectors * cached-device-writeback_percent 3) target = cache_dirty_target * (sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set)

The calculation at step 1) for cache_sectors is incorrect, which does not consider dirty blocks occupied by flash only volume.

A flash only volume can be took as a bcache device without cached device. All data sectors allocated for it are persistent on cache device and marked dirty, they are not touched by bcache writeback and garbage collection code. So data blocks of flash only volume should be ignore when calculating cache_sectors of cache set.

Current code does not subtract dirty sectors of flash only volume, which results a larger target number from the above 3 steps. And in sequence the cache device's writeback rate is smaller then a correct value, writeback speed is slower on all cached devices.

This patch fixes the incorrect slower writeback rate by subtracting dirty sectors of flash only volumes in __update_writeback_rate().

(Commit log composed by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui tang.junhui@zte.com.cn Reviewed-by: Coly Li colyli@suse.de Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/md/bcache/writeback.c | 3 ++- drivers/md/bcache/writeback.h | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/writeback.c +++ b/drivers/md/bcache/writeback.c @@ -21,7 +21,8 @@ static void __update_writeback_rate(struct cached_dev *dc) { struct cache_set *c = dc->disk.c; - uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size; + uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size - + bcache_flash_devs_sectors_dirty(c); uint64_t cache_dirty_target = div_u64(cache_sectors * dc->writeback_percent, 100);

--- a/drivers/md/bcache/writeback.h +++ b/drivers/md/bcache/writeback.h @@ -14,6 +14,25 @@ static inline uint64_t bcache_dev_sector return ret; }

+static inline uint64_t bcache_flash_devs_sectors_dirty(struct cache_set *c) +{ + uint64_t i, ret = 0; + + mutex_lock(&bch_register_lock); + + for (i = 0; i < c->nr_uuids; i++) { + struct bcache_device *d = c->devices[i]; + + if (!d || !UUID_FLASH_ONLY(&c->uuids[i])) + continue; + ret += bcache_dev_sectors_dirty(d); + } + + mutex_unlock(&bch_register_lock); + + return ret; +} + static inline unsigned offset_to_stripe(struct bcache_device *d, uint64_t offset) {

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tang Junhui tang.junhui@zte.com.cn

commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream.

gc and write-back get raced (see the email "bcache get stucked" I sended before): gc thread write-back thread | |bch_writeback_thread() |bch_gc_thread() | | |==>read_dirty() |==>bch_btree_gc() | |==>btree_root() //get btree root | | //node write locker | |==>bch_btree_gc_root() | | |==>read_dirty_submit() | |==>write_dirty() | |==>continue_at(cl, | | write_dirty_finish, | | system_wq); | |==>write_dirty_finish()//excute | | //in system_wq | |==>bch_btree_insert() | |==>bch_btree_map_leaf_nodes() | |==>__bch_btree_map_nodes() | |==>btree_root //try to get btree | | //root node read | | //lock | |-----stuck here |==>bch_btree_set_root() |==>bch_journal_meta() |==>bch_journal() |==>journal_try_write() |==>journal_write_unlocked() //journal_full(&c->journal) | //condition satisfied |==>continue_at(cl, journal_write, system_wq); //try to excute | //journal_write in system_wq | //but work queue is excuting | //write_dirty_finish() |==>closure_sync(); //wait journal_write execute | //over and wake up gc, |-------------stuck here |==>release root node write locker

This patch alloc a separate work-queue for write-back thread to avoid such race.

(Commit log re-organized by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui tang.junhui@zte.com.cn Acked-by: Coly Li colyli@suse.de Signed-off-by: Jens Axboe axboe@kernel.dk [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/md/bcache/bcache.h | 1 + drivers/md/bcache/super.c | 2 ++ drivers/md/bcache/writeback.c | 9 +++++++-- 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/bcache.h +++ b/drivers/md/bcache/bcache.h @@ -348,6 +348,7 @@ struct cached_dev { /* Limit number of writeback bios in flight */ struct semaphore in_flight; struct task_struct *writeback_thread; + struct workqueue_struct *writeback_write_wq;

struct keybuf writeback_keys;

--- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1075,6 +1075,8 @@ static void cached_dev_free(struct closu cancel_delayed_work_sync(&dc->writeback_rate_update); if (!IS_ERR_OR_NULL(dc->writeback_thread)) kthread_stop(dc->writeback_thread); + if (dc->writeback_write_wq) + destroy_workqueue(dc->writeback_write_wq);

mutex_lock(&bch_register_lock);

--- a/drivers/md/bcache/writeback.c +++ b/drivers/md/bcache/writeback.c @@ -191,7 +191,7 @@ static void write_dirty(struct closure *

closure_bio_submit(&io->bio, cl, &io->dc->disk);

- continue_at(cl, write_dirty_finish, system_wq); + continue_at(cl, write_dirty_finish, io->dc->writeback_write_wq); }

static void read_dirty_endio(struct bio *bio, int error) @@ -211,7 +211,7 @@ static void read_dirty_submit(struct clo

closure_bio_submit(&io->bio, cl, &io->dc->disk);

- continue_at(cl, write_dirty, system_wq); + continue_at(cl, write_dirty, io->dc->writeback_write_wq); }

static void read_dirty(struct cached_dev *dc) @@ -518,6 +518,11 @@ int bch_cached_dev_writeback_init(struct dc->writeback_rate_d_term = 30; dc->writeback_rate_p_term_inverse = 6000;

+ dc->writeback_write_wq = alloc_workqueue("bcache_writeback_wq", + WQ_MEM_RECLAIM, 0); + if (!dc->writeback_write_wq) + return -ENOMEM; + dc->writeback_thread = kthread_create(bch_writeback_thread, dc, "bcache_writeback"); if (IS_ERR(dc->writeback_thread))

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Boqun Feng boqun.feng@gmail.com

commit a2b7861bb33b2538420bb5d8554153484d3f961f upstream.

Currently, in PREEMPT_COUNT=n kernel, kvm_async_pf_task_wait() could call schedule() to reschedule in some cases. This could result in accidentally ending the current RCU read-side critical section early, causing random memory corruption in the guest, or otherwise preempting the currently running task inside between preempt_disable and preempt_enable.

The difficulty to handle this well is because we don't know whether an async PF delivered in a preemptible section or RCU read-side critical section for PREEMPT_COUNT=n, since preempt_disable()/enable() and rcu_read_lock/unlock() are both no-ops in that case.

To cure this, we treat any async PF interrupting a kernel context as one that cannot be preempted, preventing kvm_async_pf_task_wait() from choosing the schedule() path in that case.

To do so, a second parameter for kvm_async_pf_task_wait() is introduced, so that we know whether it's called from a context interrupting the kernel, and the parameter is set properly in all the callsites.

Cc: "Paul E. McKenney" paulmck@linux.vnet.ibm.com Cc: Peter Zijlstra peterz@infradead.org Cc: Wanpeng Li wanpeng.li@hotmail.com Signed-off-by: Boqun Feng boqun.feng@gmail.com Signed-off-by: Radim Krčmář rkrcmar@redhat.com [bwh: Backported to 3.16: - Use user_mode_vm() as equivalent to upstream user_mode() - Adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/include/asm/kvm_para.h | 4 ++-- arch/x86/kernel/kvm.c | 14 ++++++++++---- arch/x86/kvm/svm.c | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-)

--- a/arch/x86/include/asm/kvm_para.h +++ b/arch/x86/include/asm/kvm_para.h @@ -95,7 +95,7 @@ static inline long kvm_hypercall4(unsign bool kvm_para_available(void); unsigned int kvm_arch_para_features(void); void __init kvm_guest_init(void); -void kvm_async_pf_task_wait(u32 token); +void kvm_async_pf_task_wait(u32 token, int interrupt_kernel); void kvm_async_pf_task_wake(u32 token); u32 kvm_read_and_reset_pf_reason(void); extern void kvm_disable_steal_time(void); @@ -110,7 +110,7 @@ static inline void kvm_spinlock_init(voi

#else /* CONFIG_KVM_GUEST */ #define kvm_guest_init() do {} while (0) -#define kvm_async_pf_task_wait(T) do {} while(0) +#define kvm_async_pf_task_wait(T, I) do {} while(0) #define kvm_async_pf_task_wake(T) do {} while(0)

static inline bool kvm_para_available(void) --- a/arch/x86/kernel/kvm.c +++ b/arch/x86/kernel/kvm.c @@ -116,7 +116,11 @@ static struct kvm_task_sleep_node *_find return NULL; }

-void kvm_async_pf_task_wait(u32 token) +/* + * @interrupt_kernel: Is this called from a routine which interrupts the kernel + * (other than user space)? + */ +void kvm_async_pf_task_wait(u32 token, int interrupt_kernel) { u32 key = hash_32(token, KVM_TASK_SLEEP_HASHBITS); struct kvm_task_sleep_head *b = &async_pf_sleepers[key]; @@ -139,8 +143,10 @@ void kvm_async_pf_task_wait(u32 token)

n.token = token; n.cpu = smp_processor_id(); - n.halted = is_idle_task(current) || preempt_count() > 1 || - rcu_preempt_depth(); + n.halted = is_idle_task(current) || + (IS_ENABLED(CONFIG_PREEMPT_COUNT) + ? preempt_count() > 1 || rcu_preempt_depth() + : interrupt_kernel); init_waitqueue_head(&n.wq); hlist_add_head(&n.link, &b->list); spin_unlock(&b->lock); @@ -269,7 +275,7 @@ do_async_page_fault(struct pt_regs *regs /* page is swapped out by the host. */ prev_state = exception_enter(); exit_idle(); - kvm_async_pf_task_wait((u32)read_cr2()); + kvm_async_pf_task_wait((u32)read_cr2(), !user_mode_vm(regs)); exception_exit(prev_state); break; case KVM_PV_REASON_PAGE_READY: --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -1718,7 +1718,7 @@ static int pf_interception(struct vcpu_s case KVM_PV_REASON_PAGE_NOT_PRESENT: svm->apf_reason = 0; local_irq_disable(); - kvm_async_pf_task_wait(fault_address); + kvm_async_pf_task_wait(fault_address, 0); local_irq_enable(); break; case KVM_PV_REASON_PAGE_READY:

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter dan.carpenter@oracle.com

commit 8d046759f6ad75824fdf7b9c9a3da0272ea9ea92 upstream.

My static checker complains that 0x00001800 >> 13 is zero. Looking at the context, it seems like a copy and paste bug from the line below and probably 0x3 << 13 or 0x00006000 was intended.

Fixes: 2af59f7d5c3e ("[POWERPC] 4xx: Add 405GPr and 405EP support in boot wrapper") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Acked-by: Benjamin Herrenschmidt benh@kernel.crashing.org Signed-off-by: Michael Ellerman mpe@ellerman.id.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/powerpc/boot/4xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/boot/4xx.c +++ b/arch/powerpc/boot/4xx.c @@ -564,7 +564,7 @@ void ibm405gp_fixup_clocks(unsigned int fbdv = 16; cbdv = ((pllmr & 0x00060000) >> 17) + 1; /* CPU:PLB */ opdv = ((pllmr & 0x00018000) >> 15) + 1; /* PLB:OPB */ - ppdv = ((pllmr & 0x00001800) >> 13) + 1; /* PLB:PCI */ + ppdv = ((pllmr & 0x00006000) >> 13) + 1; /* PLB:PCI */ epdv = ((pllmr & 0x00001800) >> 11) + 2; /* PLB:EBC */ udiv = ((cpc0_cr0 & 0x3e) >> 1) + 1;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter dan.carpenter@oracle.com

commit 092c3def24bb68a00ff58c76ed67b9ff448387ce upstream.

The copy_from_user() function returns the number of bytes which we weren't able to copy. We don't want to return that to the user but instead we want to return -EFAULT.

Fixes: d7e09d0397e8 ("staging: add Lustre file system client support") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/staging/lustre/lustre/obdclass/class_obd.c +++ b/drivers/staging/lustre/lustre/obdclass/class_obd.c @@ -232,8 +232,8 @@ int class_handle_ioctl(unsigned int cmd, OBD_ALLOC(lcfg, data->ioc_plen1); if (lcfg == NULL) GOTO(out, err = -ENOMEM); - err = copy_from_user(lcfg, data->ioc_pbuf1, - data->ioc_plen1); + if (copy_from_user(lcfg, data->ioc_pbuf1, data->ioc_plen1)) + err = -EFAULT; if (!err) err = lustre_cfg_sanity_check(lcfg, data->ioc_plen1); if (!err)

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Matt Redfearn matt.redfearn@imgtec.com

commit a0ae2b08331a9882150618e0c81ea837e4a37ace upstream.

Commit 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") added handling of microMIPS instructions to manipulate the stack pointer. Unfortunately the decoding of the addiusp instruction was incorrect, and performed a left shift by 2 bits to the raw immediate, rather than decoding the immediate and then performing the shift, as documented in the ISA.

This led to incomplete stack traces, due to incorrect frame sizes being calculated. For example the instruction: 801faee0 <do_sys_poll>: 801faee0: 4e25 addiu sp,sp,-952

As decoded by objdump, would be interpreted by the existing code as having manipulated the stack pointer by +1096.

Fix this by changing the order of decoding the immediate and applying the left shift. Also change to accessing the instuction through the union to avoid the endianness problem of accesing halfword[0], which will fail on big endian systems.

Cope with the special behaviour of immediates 0x0, 0x1, 0x1fe and 0x1ff by XORing with 0x100 again if mod(immediate) < 4. This logic was tested with the following test code:

int main(int argc, char **argv) { unsigned int enc; int imm;

for (enc = 0; enc < 512; ++enc) { int tmp = enc << 2; imm = -(signed short)(tmp | ((tmp & 0x100) ? 0xfe00 : 0)); unsigned short tmp = enc; tmp = (tmp ^ 0x100) - 0x100; if ((unsigned short)(tmp + 2) < 4) tmp ^= 0x100; imm = -(signed short)(tmp << 2); printf("%#x\t%d\t->\t(%#x\t%d)\t%#x\t%d\n", enc, enc, (short)tmp, (short)tmp, imm, imm); } return EXIT_SUCCESS; }

Which generates the table:

input encoding -> tmp (matching manual) frame size ----------------------------------------------------------------------- 0 0 -> (0x100 256) 0xfffffc00 -1024 0x1 1 -> (0x101 257) 0xfffffbfc -1028 0x2 2 -> (0x2 2) 0xfffffff8 -8 0x3 3 -> (0x3 3) 0xfffffff4 -12 ... 0xfe 254 -> (0xfe 254) 0xfffffc08 -1016 0xff 255 -> (0xff 255) 0xfffffc04 -1020 0x100 256 -> (0xffffff00 -256) 0x400 1024 0x101 257 -> (0xffffff01 -255) 0x3fc 1020 ... 0x1fc 508 -> (0xfffffffc -4) 0x10 16 0x1fd 509 -> (0xfffffffd -3) 0xc 12 0x1fe 510 -> (0xfffffefe -258) 0x408 1032 0x1ff 511 -> (0xfffffeff -257) 0x404 1028

Thanks to James Hogan for the test code & verifying the logic.

Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") Suggested-by: James Hogan james.hogan@imgtec.com Signed-off-by: Matt Redfearn matt.redfearn@imgtec.com Cc: Marcin Nowakowski marcin.nowakowski@imgtec.com Cc: Ingo Molnar mingo@kernel.org Cc: Paul Burton paul.burton@imgtec.com Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16955/ Signed-off-by: Ralf Baechle ralf@linux-mips.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/kernel/process.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/arch/mips/kernel/process.c +++ b/arch/mips/kernel/process.c @@ -413,10 +413,14 @@ static int get_frame_info(struct mips_fr { unsigned short tmp;

- if (ip->halfword[0] & mm_addiusp_func) + if (ip->mm16_r3_format.simmediate & mm_addiusp_func) { - tmp = (((ip->halfword[0] >> 1) & 0x1ff) << 2); - info->frame_size = -(signed short)(tmp | ((tmp & 0x100) ? 0xfe00 : 0)); + tmp = ip->mm_b0_format.simmediate >> 1; + tmp = ((tmp & 0x1ff) ^ 0x100) - 0x100; + /* 0x0,0x1,0x1fe,0x1ff are special */ + if ((tmp + 2) < 4) + tmp ^= 0x100; + info->frame_size = -(signed short)(tmp << 2); } else { tmp = (ip->halfword[0] >> 1); info->frame_size = -(signed short)(tmp & 0xf);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner tglx@linutronix.de

commit 12ac1d0f6c3e95732d144ffa65c8b20fbd9aa462 upstream.

for_each_active_irq() iterates the sparse irq allocation bitmap. The caller must hold sparse_irq_lock. Several code pathes expect that an active bit in the sparse bitmap also has a valid interrupt descriptor.

Unfortunately that's not true. The (de)allocation is a two step process, which holds the sparse_irq_lock only across the queue/remove from the radix tree and the set/clear in the allocation bitmap.

If a iteration locks sparse_irq_lock between the two steps, then it might see an active bit but the corresponding irq descriptor is NULL. If that is dereferenced unconditionally, then the kernel oopses. Of course, all iterator sites could be audited and fixed, but....

There is no reason why the sparse_irq_lock needs to be dropped between the two steps, in fact the code becomes simpler when the mutex is held across both and the semantics become more straight forward, so future problems of missing NULL pointer checks in the iteration are avoided and all existing sites are fixed in one go.

Expand the lock held sections so both operations are covered and the bitmap and the radixtree are in sync.

Fixes: a05a900a51c7 ("genirq: Make sparse_lock a mutex") Reported-and-tested-by: Huang Ying ying.huang@intel.com Signed-off-by: Thomas Gleixner tglx@linutronix.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/irq/irqdesc.c | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-)

--- a/kernel/irq/irqdesc.c +++ b/kernel/irq/irqdesc.c @@ -183,9 +183,7 @@ static void free_desc(unsigned int irq) * sparse tree we can free it. Access in proc will fail to * lookup the descriptor. */ - mutex_lock(&sparse_irq_lock); delete_irq_desc(irq); - mutex_unlock(&sparse_irq_lock);

free_masks(desc); free_percpu(desc->kstat_irqs); @@ -202,19 +200,14 @@ static int alloc_descs(unsigned int star desc = alloc_desc(start + i, node, owner); if (!desc) goto err; - mutex_lock(&sparse_irq_lock); irq_insert_desc(start + i, desc); - mutex_unlock(&sparse_irq_lock); } + bitmap_set(allocated_irqs, start, cnt); return start;

err: for (i--; i >= 0; i--) free_desc(start + i); - - mutex_lock(&sparse_irq_lock); - bitmap_clear(allocated_irqs, start, cnt); - mutex_unlock(&sparse_irq_lock); return -ENOMEM; }

@@ -312,6 +305,7 @@ static inline int alloc_descs(unsigned i

desc->owner = owner; } + bitmap_set(allocated_irqs, start, cnt); return start; }

@@ -366,10 +360,10 @@ void irq_free_descs(unsigned int from, u if (from >= nr_irqs || (from + cnt) > nr_irqs) return;

+ mutex_lock(&sparse_irq_lock); for (i = 0; i < cnt; i++) free_desc(from + i);

- mutex_lock(&sparse_irq_lock); bitmap_clear(allocated_irqs, from, cnt); mutex_unlock(&sparse_irq_lock); } @@ -413,19 +407,15 @@ __irq_alloc_descs(int irq, unsigned int from, cnt, 0); ret = -EEXIST; if (irq >=0 && start != irq) - goto err; + goto unlock;

if (start + cnt > nr_irqs) { ret = irq_expand_nr_irqs(start + cnt); if (ret) - goto err; + goto unlock; } - - bitmap_set(allocated_irqs, start, cnt); - mutex_unlock(&sparse_irq_lock); - return alloc_descs(start, cnt, node, owner); - -err: + ret = alloc_descs(start, cnt, node, owner); +unlock: mutex_unlock(&sparse_irq_lock); return ret; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ted Mielczarek ted@mielczarek.org

commit 1a48ff81b3912be5fadae3fafde6c2f632246a4c upstream.

Xbox One controllers require an initialization message to start sending data, so xpad_init_output becomes a required function. The Xbox One controller does not have LEDs like the Xbox 360 controller, so that functionality is not implemented. The format of messages controlling rumble is currently undocumented, so rumble support is not yet implemented.

Note that Xbox One controller advertises three interfaces with the same interface class, subclass and protocol, so we have to also match against interface number.

Signed-off-by: Ted Mielczarek ted@mielczarek.org Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/input/joystick/xpad.c | 174 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 157 insertions(+), 17 deletions(-)

--- a/drivers/input/joystick/xpad.c +++ b/drivers/input/joystick/xpad.c @@ -95,7 +95,8 @@ #define XTYPE_XBOX 0 #define XTYPE_XBOX360 1 #define XTYPE_XBOX360W 2 -#define XTYPE_UNKNOWN 3 +#define XTYPE_XBOXONE 3 +#define XTYPE_UNKNOWN 4

static bool dpad_to_buttons; module_param(dpad_to_buttons, bool, S_IRUGO); @@ -121,6 +122,7 @@ static const struct xpad_device { { 0x045e, 0x0287, "Microsoft Xbox Controller S", 0, XTYPE_XBOX }, { 0x045e, 0x0289, "Microsoft X-Box pad v2 (US)", 0, XTYPE_XBOX }, { 0x045e, 0x028e, "Microsoft X-Box 360 pad", 0, XTYPE_XBOX360 }, + { 0x045e, 0x02d1, "Microsoft X-Box One pad", 0, XTYPE_XBOXONE }, { 0x045e, 0x0291, "Xbox 360 Wireless Receiver (XBOX)", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360W }, { 0x045e, 0x0719, "Xbox 360 Wireless Receiver", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360W }, { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX }, @@ -263,10 +265,12 @@ static const signed short xpad_abs_trigg -1 };

-/* Xbox 360 has a vendor-specific class, so we cannot match it with only +/* + * Xbox 360 has a vendor-specific class, so we cannot match it with only * USB_INTERFACE_INFO (also specifically refused by USB subsystem), so we * match against vendor id as well. Wired Xbox 360 devices have protocol 1, - * wireless controllers have protocol 129. */ + * wireless controllers have protocol 129. + */ #define XPAD_XBOX360_VENDOR_PROTOCOL(vend,pr) \ .match_flags = USB_DEVICE_ID_MATCH_VENDOR | USB_DEVICE_ID_MATCH_INT_INFO, \ .idVendor = (vend), \ @@ -277,9 +281,20 @@ static const signed short xpad_abs_trigg { XPAD_XBOX360_VENDOR_PROTOCOL(vend,1) }, \ { XPAD_XBOX360_VENDOR_PROTOCOL(vend,129) }

+/* The Xbox One controller uses subclass 71 and protocol 208. */ +#define XPAD_XBOXONE_VENDOR_PROTOCOL(vend, pr) \ + .match_flags = USB_DEVICE_ID_MATCH_VENDOR | USB_DEVICE_ID_MATCH_INT_INFO, \ + .idVendor = (vend), \ + .bInterfaceClass = USB_CLASS_VENDOR_SPEC, \ + .bInterfaceSubClass = 71, \ + .bInterfaceProtocol = (pr) +#define XPAD_XBOXONE_VENDOR(vend) \ + { XPAD_XBOXONE_VENDOR_PROTOCOL(vend, 208) } + static struct usb_device_id xpad_table[] = { { USB_INTERFACE_INFO('X', 'B', 0) }, /* X-Box USB-IF not approved class */ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */ + XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */ XPAD_XBOX360_VENDOR(0x046d), /* Logitech X-Box 360 style controllers */ XPAD_XBOX360_VENDOR(0x0738), /* Mad Catz X-Box 360 controllers */ { USB_DEVICE(0x0738, 0x4540) }, /* Mad Catz Beat Pad */ @@ -313,12 +328,10 @@ struct usb_xpad { struct urb *bulk_out; unsigned char *bdata;

-#if defined(CONFIG_JOYSTICK_XPAD_FF) || defined(CONFIG_JOYSTICK_XPAD_LEDS) struct urb *irq_out; /* urb for interrupt out report */ unsigned char *odata; /* output data */ dma_addr_t odata_dma; struct mutex odata_mutex; -#endif

#if defined(CONFIG_JOYSTICK_XPAD_LEDS) struct xpad_led *led; @@ -509,6 +522,105 @@ static void xpad360w_process_packet(stru xpad360_process_packet(xpad, cmd, &data[4]); }

+/* + * xpadone_process_buttons + * + * Process a button update packet from an Xbox one controller. + */ +static void xpadone_process_buttons(struct usb_xpad *xpad, + struct input_dev *dev, + unsigned char *data) +{ + /* menu/view buttons */ + input_report_key(dev, BTN_START, data[4] & 0x04); + input_report_key(dev, BTN_SELECT, data[4] & 0x08); + + /* buttons A,B,X,Y */ + input_report_key(dev, BTN_A, data[4] & 0x10); + input_report_key(dev, BTN_B, data[4] & 0x20); + input_report_key(dev, BTN_X, data[4] & 0x40); + input_report_key(dev, BTN_Y, data[4] & 0x80); + + /* digital pad */ + if (xpad->mapping & MAP_DPAD_TO_BUTTONS) { + /* dpad as buttons (left, right, up, down) */ + input_report_key(dev, BTN_TRIGGER_HAPPY1, data[5] & 0x04); + input_report_key(dev, BTN_TRIGGER_HAPPY2, data[5] & 0x08); + input_report_key(dev, BTN_TRIGGER_HAPPY3, data[5] & 0x01); + input_report_key(dev, BTN_TRIGGER_HAPPY4, data[5] & 0x02); + } else { + input_report_abs(dev, ABS_HAT0X, + !!(data[5] & 0x08) - !!(data[5] & 0x04)); + input_report_abs(dev, ABS_HAT0Y, + !!(data[5] & 0x02) - !!(data[5] & 0x01)); + } + + /* TL/TR */ + input_report_key(dev, BTN_TL, data[5] & 0x10); + input_report_key(dev, BTN_TR, data[5] & 0x20); + + /* stick press left/right */ + input_report_key(dev, BTN_THUMBL, data[5] & 0x40); + input_report_key(dev, BTN_THUMBR, data[5] & 0x80); + + if (!(xpad->mapping & MAP_STICKS_TO_NULL)) { + /* left stick */ + input_report_abs(dev, ABS_X, + (__s16) le16_to_cpup((__le16 *)(data + 10))); + input_report_abs(dev, ABS_Y, + ~(__s16) le16_to_cpup((__le16 *)(data + 12))); + + /* right stick */ + input_report_abs(dev, ABS_RX, + (__s16) le16_to_cpup((__le16 *)(data + 14))); + input_report_abs(dev, ABS_RY, + ~(__s16) le16_to_cpup((__le16 *)(data + 16))); + } + + /* triggers left/right */ + if (xpad->mapping & MAP_TRIGGERS_TO_BUTTONS) { + input_report_key(dev, BTN_TL2, + (__u16) le16_to_cpup((__le16 *)(data + 6))); + input_report_key(dev, BTN_TR2, + (__u16) le16_to_cpup((__le16 *)(data + 8))); + } else { + input_report_abs(dev, ABS_Z, + (__u16) le16_to_cpup((__le16 *)(data + 6))); + input_report_abs(dev, ABS_RZ, + (__u16) le16_to_cpup((__le16 *)(data + 8))); + } + + input_sync(dev); +} + +/* + * xpadone_process_packet + * + * Completes a request by converting the data into events for the + * input subsystem. This version is for the Xbox One controller. + * + * The report format was gleaned from + * https://github.com/kylelemons/xbox/blob/master/xbox.go + */ + +static void xpadone_process_packet(struct usb_xpad *xpad, + u16 cmd, unsigned char *data) +{ + struct input_dev *dev = xpad->dev; + + switch (data[0]) { + case 0x20: + xpadone_process_buttons(xpad, dev, data); + break; + + case 0x07: + /* the xbox button has its own special report */ + input_report_key(dev, BTN_MODE, data[4] & 0x01); + input_sync(dev); + break; + } +} + static void xpad_irq_in(struct urb *urb) { struct usb_xpad *xpad = urb->context; @@ -541,6 +653,9 @@ static void xpad_irq_in(struct urb *urb) case XTYPE_XBOX360W: xpad360w_process_packet(xpad, 0, xpad->idata); break; + case XTYPE_XBOXONE: + xpadone_process_packet(xpad, 0, xpad->idata); + break; default: xpad_process_packet(xpad, 0, xpad->idata); } @@ -574,7 +689,6 @@ static void xpad_bulk_out(struct urb *ur } }

-#if defined(CONFIG_JOYSTICK_XPAD_FF) || defined(CONFIG_JOYSTICK_XPAD_LEDS) static void xpad_irq_out(struct urb *urb) { struct usb_xpad *xpad = urb->context; @@ -612,6 +726,7 @@ exit: static int xpad_init_output(struct usb_interface *intf, struct usb_xpad *xpad) { struct usb_endpoint_descriptor *ep_irq_out; + int ep_irq_out_idx; int error;

if (xpad->xtype == XTYPE_UNKNOWN) @@ -632,7 +747,10 @@ static int xpad_init_output(struct usb_i goto fail2; }

- ep_irq_out = &intf->cur_altsetting->endpoint[1].desc; + /* Xbox One controller has in/out endpoints swapped. */ + ep_irq_out_idx = xpad->xtype == XTYPE_XBOXONE ? 0 : 1; + ep_irq_out = &intf->cur_altsetting->endpoint[ep_irq_out_idx].desc; + usb_fill_int_urb(xpad->irq_out, xpad->udev, usb_sndintpipe(xpad->udev, ep_irq_out->bEndpointAddress), xpad->odata, XPAD_PKT_LEN, @@ -660,11 +778,6 @@ static void xpad_deinit_output(struct us xpad->odata, xpad->odata_dma); } } -#else -static int xpad_init_output(struct usb_interface *intf, struct usb_xpad *xpad) { return 0; } -static void xpad_deinit_output(struct usb_xpad *xpad) {} -static void xpad_stop_output(struct usb_xpad *xpad) {} -#endif

#ifdef CONFIG_JOYSTICK_XPAD_FF static int xpad_play_effect(struct input_dev *dev, void *data, struct ff_effect *effect) @@ -731,7 +844,7 @@ static int xpad_play_effect(struct input

static int xpad_init_ff(struct usb_xpad *xpad) { - if (xpad->xtype == XTYPE_UNKNOWN) + if (xpad->xtype == XTYPE_UNKNOWN || xpad->xtype == XTYPE_XBOXONE) return 0;

input_set_capability(xpad->dev, EV_FF, FF_RUMBLE); @@ -840,6 +953,14 @@ static int xpad_open(struct input_dev *d if (usb_submit_urb(xpad->irq_in, GFP_KERNEL)) return -EIO;

+ if (xpad->xtype == XTYPE_XBOXONE) { + /* Xbox one controller needs to be initialized. */ + xpad->odata[0] = 0x05; + xpad->odata[1] = 0x20; + xpad->irq_out->transfer_buffer_length = 2; + return usb_submit_urb(xpad->irq_out, GFP_KERNEL); + } + return 0; }

@@ -855,6 +976,7 @@ static void xpad_close(struct input_dev

static void xpad_set_up_abs(struct input_dev *input_dev, signed short abs) { + struct usb_xpad *xpad = input_get_drvdata(input_dev); set_bit(abs, input_dev->absbit);

switch (abs) { @@ -866,7 +988,10 @@ static void xpad_set_up_abs(struct input break; case ABS_Z: case ABS_RZ: /* the triggers (if mapped to axes) */ - input_set_abs_params(input_dev, abs, 0, 255, 0, 0); + if (xpad->xtype == XTYPE_XBOXONE) + input_set_abs_params(input_dev, abs, 0, 1023, 0, 0); + else + input_set_abs_params(input_dev, abs, 0, 255, 0, 0); break; case ABS_HAT0X: case ABS_HAT0Y: /* the d-pad (only if dpad is mapped to axes */ @@ -881,6 +1006,7 @@ static int xpad_probe(struct usb_interfa struct usb_xpad *xpad; struct input_dev *input_dev; struct usb_endpoint_descriptor *ep_irq_in; + int ep_irq_in_idx; int i, error;

if (intf->cur_altsetting->desc.bNumEndpoints != 2) @@ -892,6 +1018,16 @@ static int xpad_probe(struct usb_interfa break; }

+ if (xpad_device[i].xtype == XTYPE_XBOXONE && + intf->cur_altsetting->desc.bInterfaceNumber != 0) { + /* + * The Xbox One controller lists three interfaces all with the + * same interface class, subclass and protocol. Differentiate by + * interface number. + */ + return -ENODEV; + } + xpad = kzalloc(sizeof(struct usb_xpad), GFP_KERNEL); input_dev = input_allocate_device(); if (!xpad || !input_dev) { @@ -962,7 +1098,8 @@ static int xpad_probe(struct usb_interfa __set_bit(xpad_common_btn[i], input_dev->keybit);

/* set up model-specific ones */ - if (xpad->xtype == XTYPE_XBOX360 || xpad->xtype == XTYPE_XBOX360W) { + if (xpad->xtype == XTYPE_XBOX360 || xpad->xtype == XTYPE_XBOX360W || + xpad->xtype == XTYPE_XBOXONE) { for (i = 0; xpad360_btn[i] >= 0; i++) __set_bit(xpad360_btn[i], input_dev->keybit); } else { @@ -975,7 +1112,7 @@ static int xpad_probe(struct usb_interfa __set_bit(xpad_btn_pad[i], input_dev->keybit); } else { for (i = 0; xpad_abs_pad[i] >= 0; i++) - xpad_set_up_abs(input_dev, xpad_abs_pad[i]); + xpad_set_up_abs(input_dev, xpad_abs_pad[i]); }

if (xpad->mapping & MAP_TRIGGERS_TO_BUTTONS) { @@ -998,7 +1135,10 @@ static int xpad_probe(struct usb_interfa if (error) goto fail5;

- ep_irq_in = &intf->cur_altsetting->endpoint[0].desc; + /* Xbox One controller has in/out endpoints swapped. */ + ep_irq_in_idx = xpad->xtype == XTYPE_XBOXONE ? 1 : 0; + ep_irq_in = &intf->cur_altsetting->endpoint[ep_irq_in_idx].desc; + usb_fill_int_urb(xpad->irq_in, udev, usb_rcvintpipe(udev, ep_irq_in->bEndpointAddress), xpad->idata, XPAD_PKT_LEN, xpad_irq_in,

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tang Junhui tang.junhui@zte.com.cn

commit 175206cf9ab63161dec74d9cd7f9992e062491f5 upstream.

bcache uses a Proportion-Differentiation Controller algorithm to control writeback rate to cached devices. In the PD controller algorithm, dirty stripes of thin flash device should not be counted in, because flash only volumes never write back dirty data.

Currently dirty stripe counter for thin flash device is not initialized when the thin flash device starts. Which means the following calculation in PD controller will reference an undefined dirty stripes number, and all cached devices attached to the same cache set where the thin flash device lies on may have an inaccurate writeback rate.

This patch calles bch_sectors_dirty_init() in flash_dev_run(), to correctly initialize dirty stripe counter when the thin flash device starts to run. This patch also does following parameter data type change, -void bch_sectors_dirty_init(struct cached_dev *dc); +void bch_sectors_dirty_init(struct bcache_device *); to call this function conveniently in flash_dev_run().

(Commit log is composed by Coly Li)

Signed-off-by: Tang Junhui tang.junhui@zte.com.cn Reviewed-by: Coly Li colyli@suse.de Signed-off-by: Jens Axboe axboe@kernel.dk [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/md/bcache/super.c | 3 ++- drivers/md/bcache/writeback.c | 8 ++++---- drivers/md/bcache/writeback.h | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1045,7 +1045,7 @@ int bch_cached_dev_attach(struct cached_ atomic_set(&dc->count, 1);

if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) { - bch_sectors_dirty_init(dc); + bch_sectors_dirty_init(&dc->disk); atomic_set(&dc->has_dirty, 1); atomic_inc(&dc->count); bch_writeback_queue(dc); @@ -1248,6 +1248,7 @@ static int flash_dev_run(struct cache_se goto err;

bcache_device_attach(d, c, u - c->uuids); + bch_sectors_dirty_init(d); bch_flash_dev_request_init(d); add_disk(d->disk);

--- a/drivers/md/bcache/writeback.c +++ b/drivers/md/bcache/writeback.c @@ -489,17 +489,17 @@ static int sectors_dirty_init_fn(struct return MAP_CONTINUE; }

-void bch_sectors_dirty_init(struct cached_dev *dc) +void bch_sectors_dirty_init(struct bcache_device *d) { struct sectors_dirty_init op;

bch_btree_op_init(&op.op, -1); - op.inode = dc->disk.id; + op.inode = d->id;

- bch_btree_map_keys(&op.op, dc->disk.c, &KEY(op.inode, 0, 0), + bch_btree_map_keys(&op.op, d->c, &KEY(op.inode, 0, 0), sectors_dirty_init_fn, 0);

- dc->disk.sectors_dirty_last = bcache_dev_sectors_dirty(&dc->disk); + d->sectors_dirty_last = bcache_dev_sectors_dirty(d); }

int bch_cached_dev_writeback_init(struct cached_dev *dc) --- a/drivers/md/bcache/writeback.h +++ b/drivers/md/bcache/writeback.h @@ -104,7 +104,7 @@ static inline void bch_writeback_add(str

void bcache_dev_sectors_dirty_add(struct cache_set *, unsigned, uint64_t, int);

-void bch_sectors_dirty_init(struct cached_dev *dc); +void bch_sectors_dirty_init(struct bcache_device *); int bch_cached_dev_writeback_init(struct cached_dev *);

#endif

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Wanpeng Li wanpeng.li@hotmail.com

commit 9a6e7c39810e4a8bc7fc95056cefb40583fe07ef upstream.

qemu-system-x86-8600 [004] d..1 7205.687530: kvm_entry: vcpu 2 qemu-system-x86-8600 [004] .... 7205.687532: kvm_exit: reason EXCEPTION_NMI rip 0xffffffffa921297d info ffffeb2c0e44e018 80000b0e qemu-system-x86-8600 [004] .... 7205.687532: kvm_page_fault: address ffffeb2c0e44e018 error_code 0 qemu-system-x86-8600 [004] .... 7205.687620: kvm_try_async_get_page: gva = 0xffffeb2c0e44e018, gfn = 0x427e4e qemu-system-x86-8600 [004] .N.. 7205.687628: kvm_async_pf_not_present: token 0x8b002 gva 0xffffeb2c0e44e018 kworker/4:2-7814 [004] .... 7205.687655: kvm_async_pf_completed: gva 0xffffeb2c0e44e018 address 0x7fcc30c4e000 qemu-system-x86-8600 [004] .... 7205.687703: kvm_async_pf_ready: token 0x8b002 gva 0xffffeb2c0e44e018 qemu-system-x86-8600 [004] d..1 7205.687711: kvm_entry: vcpu 2

After running some memory intensive workload in guest, I catch the kworker which completes the GUP too quickly, and queues an "Page Ready" #PF exception after the "Page not Present" exception before the next vmentry as the above trace which will result in #DF injected to guest.

This patch fixes it by clearing the queue for "Page not Present" if "Page Ready" occurs before the next vmentry since the GUP has already got the required page and shadow page table has already been fixed by "Page Ready" handler.

Cc: Paolo Bonzini pbonzini@redhat.com Cc: Radim Krčmář rkrcmar@redhat.com Signed-off-by: Wanpeng Li wanpeng.li@hotmail.com Fixes: 7c90705bf2a3 ("KVM: Inject asynchronous page fault into a PV guest if page is swapped out.") [Changed indentation and added clearing of injected. - Radim] Signed-off-by: Radim Krčmář rkrcmar@redhat.com [bwh: Backported to 3.16: Don't assign to kvm_queued_exception::injected or x86_exception::async_page_fault] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/kvm/x86.c | 37 ++++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-)

--- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -7561,6 +7561,13 @@ static int apf_put_user(struct kvm_vcpu sizeof(val)); }

+static int apf_get_user(struct kvm_vcpu *vcpu, u32 *val) +{ + + return kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apf.data, val, + sizeof(u32)); +} + void kvm_arch_async_page_not_present(struct kvm_vcpu *vcpu, struct kvm_async_pf *work) { @@ -7587,6 +7594,7 @@ void kvm_arch_async_page_present(struct struct kvm_async_pf *work) { struct x86_exception fault; + u32 val;

trace_kvm_async_pf_ready(work->arch.token, work->gva); if (work->wakeup_all) @@ -7594,14 +7602,24 @@ void kvm_arch_async_page_present(struct else kvm_del_async_pf_gfn(vcpu, work->arch.gfn);

- if ((vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) && - !apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) { - fault.vector = PF_VECTOR; - fault.error_code_valid = true; - fault.error_code = 0; - fault.nested_page_fault = false; - fault.address = work->arch.token; - kvm_inject_page_fault(vcpu, &fault); + if (vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED && + !apf_get_user(vcpu, &val)) { + if (val == KVM_PV_REASON_PAGE_NOT_PRESENT && + vcpu->arch.exception.pending && + vcpu->arch.exception.nr == PF_VECTOR && + !apf_put_user(vcpu, 0)) { + vcpu->arch.exception.pending = false; + vcpu->arch.exception.nr = 0; + vcpu->arch.exception.has_error_code = false; + vcpu->arch.exception.error_code = 0; + } else if (!apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) { + fault.vector = PF_VECTOR; + fault.error_code_valid = true; + fault.error_code = 0; + fault.nested_page_fault = false; + fault.address = work->arch.token; + kvm_inject_page_fault(vcpu, &fault); + } } vcpu->arch.apf.halted = false; vcpu->arch.mp_state = KVM_MP_STATE_RUNNABLE;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexandre Belloni alexandre.belloni@free-electrons.com

commit 1cf85b2327a9b03bde5266e72ee64a38d085256d upstream.

In the error path of sa1100_rtc_open(), info->clk is disabled which will happen again in sa1100_rtc_remove() when the module is removed whereas it is only enabled once in sa1100_rtc_init().

Fixes: 0cc0c38e9139 ("drivers/rtc/rtc-sa1100.c: move clock enable/disable to probe/remove") Acked-by: Robert Jarzmik robert.jarzmik@free.fr Signed-off-by: Alexandre Belloni alexandre.belloni@free-electrons.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/rtc/rtc-sa1100.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/rtc/rtc-sa1100.c +++ b/drivers/rtc/rtc-sa1100.c @@ -111,7 +111,7 @@ static int sa1100_rtc_open(struct device ret = request_irq(info->irq_1hz, sa1100_rtc_interrupt, 0, "rtc 1Hz", dev); if (ret) { dev_err(dev, "IRQ %d already in use.\n", info->irq_1hz); - goto fail_ui; + return ret; } ret = request_irq(info->irq_alarm, sa1100_rtc_interrupt, 0, "rtc Alrm", dev); if (ret) { @@ -125,8 +125,6 @@ static int sa1100_rtc_open(struct device

fail_ai: free_irq(info->irq_1hz, dev); - fail_ui: - clk_disable_unprepare(info->clk); return ret; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ilya Lesokhin ilyal@mellanox.com

commit 7b4cdaae73ee833975a767cf54a3354d355b3f8d upstream.

Fix a bug where MR registration fails when mlx5_ib_cont_pages indicates that the MR can be mapped using 2GB pages (page_shift == 31).

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Ilya Lesokhin ilyal@mellanox.com Signed-off-by: Leon Romanovsky leon@kernel.org Signed-off-by: Doug Ledford dledford@redhat.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/hw/mlx5/mr.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/hw/mlx5/mr.c +++ b/drivers/infiniband/hw/mlx5/mr.c @@ -682,13 +682,14 @@ err_free: return ERR_PTR(err); }

-static int get_octo_len(u64 addr, u64 len, int page_size) +static int get_octo_len(u64 addr, u64 len, int page_shift) { + u64 page_size = 1ULL << page_shift; u64 offset; int npages;

offset = addr & (page_size - 1); - npages = ALIGN(len + offset, page_size) >> ilog2(page_size); + npages = ALIGN(len + offset, page_size) >> page_shift; return (npages + 1) / 2; }

@@ -870,11 +871,11 @@ static struct mlx5_ib_mr *reg_create(str in->seg.start_addr = cpu_to_be64(virt_addr); in->seg.len = cpu_to_be64(length); in->seg.bsfs_octo_size = 0; - in->seg.xlt_oct_size = cpu_to_be32(get_octo_len(virt_addr, length, 1 << page_shift)); + in->seg.xlt_oct_size = cpu_to_be32(get_octo_len(virt_addr, length, page_shift)); in->seg.log2_page_size = page_shift; in->seg.qpn_mkey7_0 = cpu_to_be32(0xffffff << 8); in->xlat_oct_act_size = cpu_to_be32(get_octo_len(virt_addr, length, - 1 << page_shift)); + page_shift)); err = mlx5_core_create_mkey(&dev->mdev, &mr->mmr, in, inlen, NULL, NULL, NULL); if (err) {

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guillaume Nault g.nault@alphalink.fr

commit f3c66d4e144a0904ea9b95d23ed9f8eb38c11bfb upstream.

l2tp_tunnel_destruct() sets tunnel->sock to NULL, then removes the tunnel from the pernet list and finally closes all its sessions. Therefore, it's possible to add a session to a tunnel that is still reachable, but for which tunnel->sock has already been reset. This can make l2tp_session_create() dereference a NULL pointer when calling sock_hold(tunnel->sock).

This patch adds the .acpt_newsess field to struct l2tp_tunnel, which is used by l2tp_tunnel_closeall() to prevent addition of new sessions to tunnels. Resetting tunnel->sock is done after l2tp_tunnel_closeall() returned, so that l2tp_session_add_to_tunnel() can safely take a reference on it when .acpt_newsess is true.

The .acpt_newsess field is modified in l2tp_tunnel_closeall(), rather than in l2tp_tunnel_destruct(), so that it benefits all tunnel removal mechanisms. E.g. on UDP tunnels, a session could be added to a tunnel after l2tp_udp_encap_destroy() proceeded. This would prevent the tunnel from being removed because of the references held by this new session on the tunnel and its socket. Even though the session could be removed manually later on, this defeats the purpose of commit 9980d001cec8 ("l2tp: add udp encap socket destroy handler").

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_core.c | 41 ++++++++++++++++++++++++++++------------- net/l2tp/l2tp_core.h | 4 ++++ 2 files changed, 32 insertions(+), 13 deletions(-)

--- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -377,13 +377,21 @@ static int l2tp_session_add_to_tunnel(st struct hlist_head *g_head; struct hlist_head *head; struct l2tp_net *pn; + int err;

head = l2tp_session_id_hash(tunnel, session->session_id);

write_lock_bh(&tunnel->hlist_lock); + if (!tunnel->acpt_newsess) { + err = -ENODEV; + goto err_tlock; + } + hlist_for_each_entry(session_walk, head, hlist) - if (session_walk->session_id == session->session_id) - goto exist; + if (session_walk->session_id == session->session_id) { + err = -EEXIST; + goto err_tlock; + }

if (tunnel->version == L2TP_HDR_VER_3) { pn = l2tp_pernet(tunnel->l2tp_net); @@ -391,12 +399,21 @@ static int l2tp_session_add_to_tunnel(st session->session_id);

spin_lock_bh(&pn->l2tp_session_hlist_lock); + hlist_for_each_entry(session_walk, g_head, global_hlist) - if (session_walk->session_id == session->session_id) - goto exist_glob; + if (session_walk->session_id == session->session_id) { + err = -EEXIST; + goto err_tlock_pnlock; + }

+ l2tp_tunnel_inc_refcount(tunnel); + sock_hold(tunnel->sock); hlist_add_head_rcu(&session->global_hlist, g_head); + spin_unlock_bh(&pn->l2tp_session_hlist_lock); + } else { + l2tp_tunnel_inc_refcount(tunnel); + sock_hold(tunnel->sock); }

hlist_add_head(&session->hlist, head); @@ -404,12 +421,12 @@ static int l2tp_session_add_to_tunnel(st

return 0;

-exist_glob: +err_tlock_pnlock: spin_unlock_bh(&pn->l2tp_session_hlist_lock); -exist: +err_tlock: write_unlock_bh(&tunnel->hlist_lock);

- return -EEXIST; + return err; }

/* Lookup a tunnel by id @@ -1299,7 +1316,6 @@ static void l2tp_tunnel_destruct(struct /* Remove hooks into tunnel socket */ sk->sk_destruct = tunnel->old_sk_destruct; sk->sk_user_data = NULL; - tunnel->sock = NULL;

/* Remove the tunnel struct from the tunnel list */ pn = l2tp_pernet(tunnel->l2tp_net); @@ -1309,6 +1325,8 @@ static void l2tp_tunnel_destruct(struct atomic_dec(&l2tp_tunnel_count);

l2tp_tunnel_closeall(tunnel); + + tunnel->sock = NULL; l2tp_tunnel_dec_refcount(tunnel);

/* Call the original destructor */ @@ -1333,6 +1351,7 @@ void l2tp_tunnel_closeall(struct l2tp_tu tunnel->name);

write_lock_bh(&tunnel->hlist_lock); + tunnel->acpt_newsess = false; for (hash = 0; hash < L2TP_HASH_SIZE; hash++) { again: hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) { @@ -1665,6 +1684,7 @@ int l2tp_tunnel_create(struct net *net, tunnel->magic = L2TP_TUNNEL_MAGIC; sprintf(&tunnel->name[0], "tunl %u", tunnel_id); rwlock_init(&tunnel->hlist_lock); + tunnel->acpt_newsess = true;

/* The net we belong to */ tunnel->l2tp_net = net; @@ -1915,11 +1935,6 @@ struct l2tp_session *l2tp_session_create return ERR_PTR(err); }

- l2tp_tunnel_inc_refcount(tunnel); - - /* Ensure tunnel socket isn't deleted */ - sock_hold(tunnel->sock); - /* Ignore management session in session count value */ if (session->session_id != 0) atomic_inc(&l2tp_session_count); --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -171,6 +171,10 @@ struct l2tp_tunnel { int magic; /* Should be L2TP_TUNNEL_MAGIC */ struct rcu_head rcu; rwlock_t hlist_lock; /* protect session_hlist */ + bool acpt_newsess; /* Indicates whether this + * tunnel accepts new sessions. + * Protected by hlist_lock. + */ struct hlist_head session_hlist[L2TP_HASH_SIZE]; /* hashed list of sessions, * hashed by id */

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: SeongJae Park sj38.park@gmail.com

commit f113e64121ba9f4791332248b315d9f57ee33a6b upstream.

Comment for pagetypeinfo_showblockcount() is mistakenly duplicated from pagetypeinfo_show_free()'s comment. This commit fixes it.

Link: http://lkml.kernel.org/r/20170809185816.11244-1-sj38.park@gmail.com Fixes: 467c996c1e19 ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo") Signed-off-by: SeongJae Park sj38.park@gmail.com Cc: Michal Hocko mhocko@kernel.org Cc: Vlastimil Babka vbabka@suse.cz Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- mm/vmstat.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/vmstat.c +++ b/mm/vmstat.c @@ -975,7 +975,7 @@ static void pagetypeinfo_showblockcount_ seq_putc(m, '\n'); }

-/* Print out the free pages at each order for each migratetype */ +/* Print out the number of pageblocks for each migratetype */ static int pagetypeinfo_showblockcount(struct seq_file *m, void *arg) { int mtype;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kai-Heng Feng kai.heng.feng@canonical.com

commit de3af5bf259d7a0bfaac70441c8568ab5998d80c upstream.

Corsair Strafe RGB keyboard has trouble to initialize:

[ 1.679455] usb 3-6: new full-speed USB device number 4 using xhci_hcd [ 6.871136] usb 3-6: unable to read config index 0 descriptor/all [ 6.871138] usb 3-6: can't read configurations, error -110 [ 6.991019] usb 3-6: new full-speed USB device number 5 using xhci_hcd [ 12.246642] usb 3-6: unable to read config index 0 descriptor/all [ 12.246644] usb 3-6: can't read configurations, error -110 [ 12.366555] usb 3-6: new full-speed USB device number 6 using xhci_hcd [ 17.622145] usb 3-6: unable to read config index 0 descriptor/all [ 17.622147] usb 3-6: can't read configurations, error -110 [ 17.742093] usb 3-6: new full-speed USB device number 7 using xhci_hcd [ 22.997715] usb 3-6: unable to read config index 0 descriptor/all [ 22.997716] usb 3-6: can't read configurations, error -110

Although it may work after several times unpluging/pluging:

[ 68.195240] usb 3-6: new full-speed USB device number 11 using xhci_hcd [ 68.337459] usb 3-6: New USB device found, idVendor=1b1c, idProduct=1b20 [ 68.337463] usb 3-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 68.337466] usb 3-6: Product: Corsair STRAFE RGB Gaming Keyboard [ 68.337468] usb 3-6: Manufacturer: Corsair [ 68.337470] usb 3-6: SerialNumber: 0F013021AEB8046755A93ED3F5001941

Tried three quirks: USB_QUIRK_DELAY_INIT, USB_QUIRK_NO_LPM and USB_QUIRK_DEVICE_QUALIFIER, user confirmed that USB_QUIRK_DELAY_INIT alone can workaround this issue. Hence add the quirk for Corsair Strafe RGB.

BugLink: https://bugs.launchpad.net/bugs/1678477 Signed-off-by: Kai-Heng Feng kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -214,6 +214,9 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x1a0a, 0x0200), .driver_info = USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },

+ /* Corsair Strafe RGB */ + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + /* Acer C120 LED Projector */ { USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM },

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky leonro@mellanox.com

commit 5d50f400e56fbc7a14ef3f8d42ba47710e455881 upstream.

Sparse tool complains with the following error: drivers/infiniband/hw/usnic/usnic_ib_main.c:445:16: warning: cast removes address space of expression

Fix it by doing casting on correct field and convert function helper which sets ifaddr to be void, because there are no users who are interested in returned value.

Fixes: c7845bcafe4d ("IB/usnic: Add UDP support in u*verbs.c, u*main.c and u*util.h") Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/hw/usnic/usnic_fwd.c | 12 ++---------- drivers/infiniband/hw/usnic/usnic_fwd.h | 2 +- drivers/infiniband/hw/usnic/usnic_ib_main.c | 10 ++++++---- 3 files changed, 9 insertions(+), 15 deletions(-)

--- a/drivers/infiniband/hw/usnic/usnic_fwd.c +++ b/drivers/infiniband/hw/usnic/usnic_fwd.c @@ -95,20 +95,12 @@ void usnic_fwd_set_mac(struct usnic_fwd_ spin_unlock(&ufdev->lock); }

-int usnic_fwd_add_ipaddr(struct usnic_fwd_dev *ufdev, __be32 inaddr) +void usnic_fwd_add_ipaddr(struct usnic_fwd_dev *ufdev, __be32 inaddr) { - int status; - spin_lock(&ufdev->lock); - if (ufdev->inaddr == 0) { + if (!ufdev->inaddr) ufdev->inaddr = inaddr; - status = 0; - } else { - status = -EFAULT; - } spin_unlock(&ufdev->lock); - - return status; }

void usnic_fwd_del_ipaddr(struct usnic_fwd_dev *ufdev) --- a/drivers/infiniband/hw/usnic/usnic_fwd.h +++ b/drivers/infiniband/hw/usnic/usnic_fwd.h @@ -59,7 +59,7 @@ struct usnic_fwd_dev *usnic_fwd_dev_allo void usnic_fwd_dev_free(struct usnic_fwd_dev *ufdev);

void usnic_fwd_set_mac(struct usnic_fwd_dev *ufdev, char mac[ETH_ALEN]); -int usnic_fwd_add_ipaddr(struct usnic_fwd_dev *ufdev, __be32 inaddr); +void usnic_fwd_add_ipaddr(struct usnic_fwd_dev *ufdev, __be32 inaddr); void usnic_fwd_del_ipaddr(struct usnic_fwd_dev *ufdev); void usnic_fwd_carrier_up(struct usnic_fwd_dev *ufdev); void usnic_fwd_carrier_down(struct usnic_fwd_dev *ufdev); --- a/drivers/infiniband/hw/usnic/usnic_ib_main.c +++ b/drivers/infiniband/hw/usnic/usnic_ib_main.c @@ -305,7 +305,7 @@ static void *usnic_ib_device_add(struct { struct usnic_ib_dev *us_ibdev; union ib_gid gid; - struct in_ifaddr *in; + struct in_device *ind; struct net_device *netdev;

usnic_dbg("\n"); @@ -393,9 +393,11 @@ static void *usnic_ib_device_add(struct if (netif_carrier_ok(us_ibdev->netdev)) usnic_fwd_carrier_up(us_ibdev->ufdev);

- in = ((struct in_device *)(netdev->ip_ptr))->ifa_list; - if (in != NULL) - usnic_fwd_add_ipaddr(us_ibdev->ufdev, in->ifa_address); + ind = in_dev_get(netdev); + if (ind->ifa_list) + usnic_fwd_add_ipaddr(us_ibdev->ufdev, + ind->ifa_list->ifa_address); + in_dev_put(ind);

usnic_mac_ip_to_gid(us_ibdev->netdev->perm_addr, us_ibdev->ufdev->inaddr, &gid.raw[0]);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Jason A. Donenfeld" Jason@zx2c4.com

commit 2bdd713b92a9cade239d3c7d15205a09f556624d upstream.

Otherwise we risk leaking information via timing side channel.

Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") Signed-off-by: Jason A. Donenfeld Jason@zx2c4.com Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/mac80211/key.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -18,6 +18,7 @@ #include <linux/slab.h> #include <linux/export.h> #include <net/mac80211.h> +#include <crypto/algapi.h> #include <asm/unaligned.h> #include "ieee80211_i.h" #include "driver-ops.h" @@ -503,7 +504,7 @@ int ieee80211_key_link(struct ieee80211_ * new version of the key to avoid nonce reuse or replay issues. */ if (old_key && key->conf.keylen == old_key->conf.keylen && - !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { + !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { ieee80211_key_free_unused(key); ret = 0; goto out;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara jack@suse.cz

commit 4b758df21ee7081ab41448d21d60367efaa625b3 upstream.

If blkdev_get_by_path() in register_bcache() fails, we try to lookup the block device using lookup_bdev() to detect which situation we are in to properly report error. However we never drop the reference returned to us from lookup_bdev(). Fix that.

Signed-off-by: Jan Kara jack@suse.cz Acked-by: Coly Li colyli@suse.de Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/md/bcache/super.c | 2 ++ 1 file changed, 2 insertions(+)

--- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1974,6 +1974,8 @@ static ssize_t register_bcache(struct ko else err = "device busy"; mutex_unlock(&bch_register_lock); + if (!IS_ERR(bdev)) + bdput(bdev); if (attr == &ksysfs_register_quiet) goto out; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann arnd@arndb.de

commit d0dbf771309fecd73f4ac1566c1400cb12807ee2 upstream.

gcc-7 points out that a negative port_num value would overflow the string buffer:

drivers/infiniband/hw/mlx4/sysfs.c: In function 'mlx4_ib_device_register_sysfs': drivers/infiniband/hw/mlx4/sysfs.c:251:16: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] drivers/infiniband/hw/mlx4/sysfs.c:251:2: note: 'sprintf' output between 2 and 11 bytes into a destination of size 10 drivers/infiniband/hw/mlx4/sysfs.c:303:17: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=] drivers/infiniband/hw/mlx4/sysfs.c:303:3: note: 'sprintf' output between 2 and 11 bytes into a destination of size 10

While we should be able to assume that port_num is positive here, making the buffer one byte longer has no downsides and avoids the warning.

Fixes: c1e7e466120b ("IB/mlx4: Add iov directory in sysfs under the ib device") Link: http://lkml.kernel.org/r/20170714120720.906842-23-arnd@arndb.de Signed-off-by: Arnd Bergmann arnd@arndb.de Reviewed-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/hw/mlx4/sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/sysfs.c +++ b/drivers/infiniband/hw/mlx4/sysfs.c @@ -241,7 +241,7 @@ void del_sysfs_port_mcg_attr(struct mlx4 static int add_port_entries(struct mlx4_ib_dev *device, int port_num) { int i; - char buff[10]; + char buff[11]; struct mlx4_ib_iov_port *port = NULL; int ret = 0 ; struct ib_port_attr attr;

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET christophe.jaillet@wanadoo.fr

commit 0f9b011d3321ca1079c7a46c18cb1956fbdb7bcb upstream.

The .release function of driver_ktype is 'driver_release()'. This function frees the container_of this kobject.

So, this memory must not be freed explicitly in the error handling path of 'bus_add_driver()'. Otherwise a double free will occur.

Signed-off-by: Christophe JAILLET christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/base/bus.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -722,7 +722,7 @@ int bus_add_driver(struct device_driver

out_unregister: kobject_put(&priv->kobj); - kfree(drv->p); + /* drv->p is freed in driver_release() */ drv->p = NULL; out_put_bus: bus_put(bus);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov khlebnikov@yandex-team.ru

commit 2826478a6660158d261bc49ad8954a8f5c39be07 upstream.

Target install-man builds them but forget to install.

Signed-off-by: Konstantin Khlebnikov khlebnikov@yandex-team.ru Cc: Alexander Shishkin alexander.shishkin@linux.intel.com Cc: Borislav Petkov borislav.petkov@amd.com Cc: Peter Zijlstra peterz@infradead.org Fixes: af3df2cf17f5 ("perf tools: Try to build Documentation when installing") Link: http://lkml.kernel.org/r/150322915300.129715.13645857235229756834.stgit@buzz Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- tools/perf/Documentation/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/Documentation/Makefile +++ b/tools/perf/Documentation/Makefile @@ -192,7 +192,7 @@ do-install-man: man # $(INSTALL) -m 644 $(DOC_MAN5) $(DESTDIR)$(man5dir); \ # $(INSTALL) -m 644 $(DOC_MAN7) $(DESTDIR)$(man7dir)

-install-man: check-man-tools man +install-man: check-man-tools man do-install-man

ifdef missing_tools DO_INSTALL_MAN = $(warning Please install $(missing_tools) to have the man pages installed)

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky leonro@mellanox.com

commit 187782eb58a89ea030731114c6ae37842a4472fe upstream.

The "lg" variable is declared as int so in all places where this variable is used as a shift operand, the output will be int too.

This produces the following smatch warning: drivers/net/ethernet/mellanox/mlx4/fw.c:1532 mlx4_map_cmd() warn: should '1 << lg' be a 64 bit type?

Simple declaration of "1" to be "1ULL" will fix the issue.

Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Tariq Toukan tariqt@mellanox.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/mellanox/mlx4/fw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/fw.c +++ b/drivers/net/ethernet/mellanox/mlx4/fw.c @@ -1084,7 +1084,7 @@ int mlx4_map_cmd(struct mlx4_dev *dev, u for (i = 0; i < mlx4_icm_size(&iter) >> lg; ++i) { if (virt != -1) { pages[nent * 2] = cpu_to_be64(virt); - virt += 1 << lg; + virt += 1ULL << lg; }

pages[nent * 2 + 1] =

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Mackerras paulus@ozlabs.org

commit 93b2d3cf3733b4060d3623161551f51ea1ab5499 upstream.

The instruction code for xxlor that commit 0016a4cf5582 ("powerpc: Emulate most Book I instructions in emulate_step()", 2010-06-15) added is actually the code for xxlnor. It is used in get_vsr() and put_vsr() and the effect of the error is that if emulate_step is used to emulate a VSX load or store from any register other than vsr0, the bitwise complement of the correct value will be loaded or stored. This corrects the error.

Fixes: 0016a4cf5582 ("powerpc: Emulate most Book I instructions in emulate_step()") Signed-off-by: Paul Mackerras paulus@ozlabs.org Signed-off-by: Michael Ellerman mpe@ellerman.id.au [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/powerpc/include/asm/ppc-opcode.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/include/asm/ppc-opcode.h +++ b/arch/powerpc/include/asm/ppc-opcode.h @@ -182,7 +182,7 @@ #define PPC_INST_WAIT 0x7c00007c #define PPC_INST_TLBIVAX 0x7c000624 #define PPC_INST_TLBSRX_DOT 0x7c0006a5 -#define PPC_INST_XXLOR 0xf0000510 +#define PPC_INST_XXLOR 0xf0000490 #define PPC_INST_XXSWAPD 0xf0000250 #define PPC_INST_XVCPSGNDP 0xf0000780 #define PPC_INST_TRECHKPT 0x7c0007dd

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jonas Gorski jonas.gorski@gmail.com

commit 386787b1fcab2dd3d16ca3f46729aaafdef306e3 upstream.

Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter, as some device drivers rely on this.

Make the behaviour of clk_get_rate consistent with common clk's clk_get_rate by accepting NULL clocks as parameter. Some device drivers rely on this, and will cause an OOPS otherwise.

Fixes: f8ede0f700f5 ("MIPS: Loongson 2F: Add CPU frequency scaling support") Reported-by: Mathias Kresin dev@kresin.me Signed-off-by: Jonas Gorski jonas.gorski@gmail.com Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16777/ Signed-off-by: Ralf Baechle ralf@linux-mips.org [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/loongson/lemote-2f/clock.c | 3 +++ 1 file changed, 3 insertions(+)

--- a/arch/mips/loongson/lemote-2f/clock.c +++ b/arch/mips/loongson/lemote-2f/clock.c @@ -80,6 +80,9 @@ EXPORT_SYMBOL(clk_disable);

unsigned long clk_get_rate(struct clk *clk) { + if (!clk) + return 0; + return (unsigned long)clk->rate; } EXPORT_SYMBOL(clk_get_rate);

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sandeep Singh sandeep.singh@amd.com

commit e6b422b88b46353cf596e0db6dc0e39d50d90d6e upstream.

The following commit cause a regression on ATI chipsets. 'commit e788787ef4f9 ("usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume")'

This causes pinfo->smbus_dev to be wrongly set to NULL on systems with the ATI chipset that this function checks for first.

Added conditional check for AMD chipsets to avoid the overwriting pinfo->smbus_dev.

Reported-by: Ben Hutchings ben@decadent.org.uk Fixes: e788787ef4f9 ("usb:xhci:Add quirk for Certain failing HP keyboard on reset after resume") cc: Nehal Shah Nehal-bakulchandra.Shah@amd.com Signed-off-by: Sandeep Singh Sandeep.Singh@amd.com Signed-off-by: Shyam Sundar S K Shyam-sundar.S-k@amd.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/host/pci-quirks.c | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-)

--- a/drivers/usb/host/pci-quirks.c +++ b/drivers/usb/host/pci-quirks.c @@ -143,29 +143,30 @@ static int amd_chipset_sb_type_init(stru pinfo->sb_type.gen = AMD_CHIPSET_SB700; else if (rev >= 0x40 && rev <= 0x4f) pinfo->sb_type.gen = AMD_CHIPSET_SB800; - } - pinfo->smbus_dev = pci_get_device(PCI_VENDOR_ID_AMD, - 0x145c, NULL); - if (pinfo->smbus_dev) { - pinfo->sb_type.gen = AMD_CHIPSET_TAISHAN; } else { pinfo->smbus_dev = pci_get_device(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_HUDSON2_SMBUS, NULL);

- if (!pinfo->smbus_dev) { - pinfo->sb_type.gen = NOT_AMD_CHIPSET; - return 0; + if (pinfo->smbus_dev) { + rev = pinfo->smbus_dev->revision; + if (rev >= 0x11 && rev <= 0x14) + pinfo->sb_type.gen = AMD_CHIPSET_HUDSON2; + else if (rev >= 0x15 && rev <= 0x18) + pinfo->sb_type.gen = AMD_CHIPSET_BOLTON; + else if (rev >= 0x39 && rev <= 0x3a) + pinfo->sb_type.gen = AMD_CHIPSET_YANGTZE; + } else { + pinfo->smbus_dev = pci_get_device(PCI_VENDOR_ID_AMD, + 0x145c, NULL); + if (pinfo->smbus_dev) { + rev = pinfo->smbus_dev->revision; + pinfo->sb_type.gen = AMD_CHIPSET_TAISHAN; + } else { + pinfo->sb_type.gen = NOT_AMD_CHIPSET; + return 0; + } } - - rev = pinfo->smbus_dev->revision; - if (rev >= 0x11 && rev <= 0x14) - pinfo->sb_type.gen = AMD_CHIPSET_HUDSON2; - else if (rev >= 0x15 && rev <= 0x18) - pinfo->sb_type.gen = AMD_CHIPSET_BOLTON; - else if (rev >= 0x39 && rev <= 0x3a) - pinfo->sb_type.gen = AMD_CHIPSET_YANGTZE; } - pinfo->sb_type.rev = rev; return 1; }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Matt Redfearn matt.redfearn@imgtec.com

commit b332fec0489295ee7a0aab4a89bd7257cd126f7f upstream.

The addiusp instruction uses the pool16d opcode, with bit 0 of the immediate set. The test for the addiusp opcode erroneously did a logical and of the immediate with mm_addiusp_func, which has value 1, so this test always passes when the immediate is non-zero.

Fix the test by replacing the logical and with a bitwise and.

Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.") Signed-off-by: Matt Redfearn matt.redfearn@imgtec.com Cc: Marcin Nowakowski marcin.nowakowski@imgtec.com Cc: Ingo Molnar mingo@kernel.org Cc: Paul Burton paul.burton@imgtec.com Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/16954/ Signed-off-by: Ralf Baechle ralf@linux-mips.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/kernel/process.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kernel/process.c +++ b/arch/mips/kernel/process.c @@ -353,7 +353,7 @@ static inline int is_sp_move_ins(union m */ if (mm_insn_16bit(ip->halfword[1])) { return (ip->mm16_r3_format.opcode == mm_pool16d_op && - ip->mm16_r3_format.simmediate && mm_addiusp_func) || + ip->mm16_r3_format.simmediate & mm_addiusp_func) || (ip->mm16_r5_format.opcode == mm_pool16d_op && ip->mm16_r5_format.rt == 29); }

3.16.51-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Berg johannes.berg@intel.com

commit cfbb0d90a7abb289edc91833d0905931f8805f12 upstream.

For the reinstall prevention, the code I had added compares the whole key. It turns out though that iwlwifi firmware doesn't provide the TKIP TX MIC key as it's not needed in client mode, and thus the comparison will always return false.

For client mode, thus always zero out the TX MIC key part before doing the comparison in order to avoid accepting the reinstall of the key with identical encryption and RX MIC key, but not the same TX MIC key (since the supplicant provides the real one.)

Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything") Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/mac80211/key.c | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-)

--- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -475,6 +475,39 @@ void ieee80211_key_free_unused(struct ie ieee80211_key_free_common(key); }

+static bool ieee80211_key_identical(struct ieee80211_sub_if_data *sdata, + struct ieee80211_key *old, + struct ieee80211_key *new) +{ + u8 tkip_old[WLAN_KEY_LEN_TKIP], tkip_new[WLAN_KEY_LEN_TKIP]; + u8 *tk_old, *tk_new; + + if (!old || new->conf.keylen != old->conf.keylen) + return false; + + tk_old = old->conf.key; + tk_new = new->conf.key; + + /* + * In station mode, don't compare the TX MIC key, as it's never used + * and offloaded rekeying may not care to send it to the host. This + * is the case in iwlwifi, for example. + */ + if (sdata->vif.type == NL80211_IFTYPE_STATION && + new->conf.cipher == WLAN_CIPHER_SUITE_TKIP && + new->conf.keylen == WLAN_KEY_LEN_TKIP && + !(new->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE)) { + memcpy(tkip_old, tk_old, WLAN_KEY_LEN_TKIP); + memcpy(tkip_new, tk_new, WLAN_KEY_LEN_TKIP); + memset(tkip_old + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); + memset(tkip_new + NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY, 0, 8); + tk_old = tkip_old; + tk_new = tkip_new; + } + + return !crypto_memneq(tk_old, tk_new, new->conf.keylen); +} + int ieee80211_key_link(struct ieee80211_key *key, struct ieee80211_sub_if_data *sdata, struct sta_info *sta) @@ -503,8 +536,7 @@ int ieee80211_key_link(struct ieee80211_ * Silently accept key re-installation without really installing the * new version of the key to avoid nonce reuse or replay issues. */ - if (old_key && key->conf.keylen == old_key->conf.keylen && - !crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)) { + if (ieee80211_key_identical(sdata, old_key, key)) { ieee80211_key_free_unused(key); ret = 0; goto out;