LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 3.18 000/151] 3.18.9-stable review
@ 2015-03-04  6:12 Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 001/151] Bluetooth: ath3k: workaround the compatibility issue with xHCI controller Greg Kroah-Hartman
                   ` (140 more replies)
  0 siblings, 141 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, satoru.takeuchi,
	shuah.kh, stable

This is the start of the stable review cycle for the 3.18.9 release.
There are 151 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Mar  6 05:53:55 UTC 2015.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.18.9-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 3.18.9-rc1

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    x86: pmc-atom: Assign debugfs node as soon as possible

Hector Marco-Gisbert <hecmargi@upv.es>
    x86, mm/ASLR: Fix stack randomization on 64-bit systems

Matt Fleming <matt.fleming@intel.com>
    x86/efi: Avoid triple faults during EFI mixed mode calls

Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
    blk-throttle: check stats_cpu before reading it from sysfs

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix fsync data loss after adding hard link to inode

David Sterba <dsterba@suse.cz>
    btrfs: fix leak of path in btrfs_find_item

David Sterba <dsterba@suse.cz>
    btrfs: set proper message level for skinny metadata

Ilya Dryomov <idryomov@gmail.com>
    libceph: fix double __remove_osd() problem

Hans de Goede <hdegoede@redhat.com>
    samsung-laptop: Add use_native_backlight quirk, and enable it on some models

Chen Jie <chenjie6@huawei.com>
    jffs2: fix handling of corrupted summary length

Daniel J Blueman <daniel@numascale.com>
    EDAC, amd64_edac: Prevent OOPS with >16 memory controllers

Borislav Petkov <bp@suse.de>
    sb_edac: Fix detection on SNB machines

Tomáš Hodek <tomas.hodek@volny.cz>
    md/raid1: fix read balance when a drive is write-mostly.

NeilBrown <neilb@suse.de>
    md/raid5: Fix livelock when array is both resyncing and degraded.

Adrian Hunter <adrian.hunter@intel.com>
    perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag

Matthias Brugger <matthias.bgg@gmail.com>
    clocksource: mtk: Fix race conditions in probe code

James Hogan <james.hogan@imgtec.com>
    metag: Fix KSTK_EIP() and KSTK_ESP() macros

Jan Kara <jack@suse.cz>
    xfs: Fix quota type in quota structures when reusing quota file

Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
    gpio: tps65912: fix wrong container_of arguments

Hans Holmberg <hans.holmberg@intel.com>
    gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node

Catalin Marinas <catalin.marinas@arm.com>
    arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian

Martin Vajnar <martin.vajnar@gmail.com>
    hx4700: regulator: declare full constraints

Jiang Liu <jiang.liu@linux.intel.com>
    x86/xen: Treat SCI interrupt as normal GSI interrupt

David Hildenbrand <dahi@linux.vnet.ibm.com>
    KVM: s390: avoid memory leaks if __inject_vm() fails

David Hildenbrand <dahi@linux.vnet.ibm.com>
    KVM: s390: floating irqs: fix user triggerable endless loop

David Hildenbrand <dahi@linux.vnet.ibm.com>
    KVM: s390: base hrtimer on a monotonic clock

David Hildenbrand <dahi@linux.vnet.ibm.com>
    KVM: s390: forward hrtimer if guest ckc not pending yet

Marcelo Tosatti <mtosatti@redhat.com>
    KVM: x86: update masterclock values on TSC writes

Jan Kara <jack@suse.cz>
    udf: Check length of extended attributes and allocation descriptors

Jan Kara <jack@suse.cz>
    udf: Remove repeated loads blocksize

Markos Chandras <markos.chandras@imgtec.com>
    MIPS: HTW: Prevent accidental HTW start due to nested htw_{start, stop}

Alexey Brodkin <abrodkin@synopsys.com>
    ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE

Stefan Agner <stefan@agner.ch>
    serial: fsl_lpuart: avoid new transfer while DMA is running

Stefan Agner <stefan@agner.ch>
    serial: fsl_lpuart: delete timer on shutdown

John Stultz <john.stultz@linaro.org>
    ntp: Fixup adjtimex freq validation on 32-bit systems

Jay Lan <jlan@sgi.com>
    kdb: fix incorrect counts in KDB summary command output

Arnd Bergmann <arnd@arndb.de>
    ARM: mvebu: build armada375-smp code conditionally

Arnd Bergmann <arnd@arndb.de>
    ARM: vexpress: use ARM_CPU_SUSPEND if needed

Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    ARM: pxa: add regulator_has_full_constraints to poodle board file

Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    ARM: pxa: add regulator_has_full_constraints to corgi board file

Nicolas Pitre <nicolas.pitre@linaro.org>
    vt: provide notifications on selection changes

Alan Stern <stern@rowland.harvard.edu>
    USB: add flag for HCDs that can't receive wakeup requests (isp1760-hcd)

Alan Stern <stern@rowland.harvard.edu>
    USB: don't cancel queued resets when unbinding drivers

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN

Alan Stern <stern@rowland.harvard.edu>
    USB: fix use-after-free bug in usb_hcd_unlink_urb()

Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
    USB: cp210x: add ID for RUGGEDCOM USB Serial Console

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: me: release hw from reset only during the reset flow

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: mask interrupt set bit on clean reset bit

Cyrille Pitchen <cyrille.pitchen@atmel.com>
    tty/serial: at91: fix error handling in atmel_serial_probe()

Peter Hurley <peter@hurleysoftware.com>
    tty: Prevent untrappable signals from malicious program

Matthew Wilcox <matthew.r.wilcox@intel.com>
    axonram: Fix bug in direct_access

Andrey Ryabinin <a.ryabinin@samsung.com>
    smack: fix possible use after frees in task_security() callers

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    ring-buffer: Do not wake up a splice waiter when page is not full

Paul Moore <pmoore@redhat.com>
    cipso: don't use IPCB() to locate the CIPSO IP option

Jeff Moyer <jmoyer@redhat.com>
    cfq-iosched: fix incorrect filing of rt async cfqq

Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    cfq-iosched: handle failure of cfq group allocation

Nicholas Bellinger <nab@linux-iscsi.org>
    iscsi-target: Drop problematic active_ts_list usage

Tony Battersby <tonyb@cybernetics.com>
    sg: fix EWOULDBLOCK errors with scsi-mq

Tony Battersby <tonyb@cybernetics.com>
    sg: fix unkillable I/O wait deadlock with scsi-mq

Trond Myklebust <trond.myklebust@primarydata.com>
    NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args

Trond Myklebust <trond.myklebust@primarydata.com>
    NFSv4: Ensure we reference the inode for return-on-close in delegreturn

Trond Myklebust <trond.myklebust@primarydata.com>
    SUNRPC: NULL utsname dereference on NFS umount during namespace cleanup

Peng Tao <tao.peng@primarydata.com>
    nfs41: .init_read and .init_write can be called with valid pg_lseg

honclo <honclo@imap.linux.ibm.com>
    Added Little Endian support to vtpm module

Christophe Ricard <christophe.ricard@gmail.com>
    tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send

Hon Ching (Vicky) Lo <honclo@linux.vnet.ibm.com>
    tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma

Kiran Padwal <kiran.padwal@smartplayin.com>
    char: tpm: Add missing error check for devm_kzalloc

David Howells <dhowells@redhat.com>
    TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev

Scot Doyle <lkml14@scotdoyle.com>
    tpm_tis: verify interrupt during init

Florian Fainelli <f.fainelli@gmail.com>
    ARM: dts: BCM63xx: fix L2 cache properties

Robert Nelson <robertcnelson@gmail.com>
    ARM: dts: am335x-bone*: usb0 is hardwired for peripheral

Dmitry Osipenko <digetx@gmail.com>
    ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses

Lokesh Vutla <lokeshvutla@ti.com>
    ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3

Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    ARM: 8284/1: sa1100: clear RCSR_SMR on resume

Tony Battersby <tonyb@cybernetics.com>
    blk-mq: fix double-free in error path

Vikram Mulukutla <markivx@codeaurora.org>
    tracing: Fix unmapping loop in tracing_mark_write

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    mm/hugetlb: pmd_huge() returns true for non-present hugepage

James Hogan <james.hogan@imgtec.com>
    MIPS: Export MSA functions used by lose_fpu(1) for KVM

James Hogan <james.hogan@imgtec.com>
    MIPS: Export FP functions used by lose_fpu(1) for KVM

Markos Chandras <markos.chandras@imgtec.com>
    MIPS: asm: pgtable: Prevent HTW race when updating PTEs

Markos Chandras <markos.chandras@imgtec.com>
    MIPS: asm: pgtable: Add c0 hazards on HTW start/stop sequences

Markos Chandras <markos.chandras@imgtec.com>
    MIPS: asm: asmmacro: Replace "add" instructions with "addu"

Markos Chandras <markos.chandras@imgtec.com>
    MIPS: kernel: cps-vec: Replace "addi" with "addiu"

Manuel Lauss <manuel.lauss@gmail.com>
    MIPS: Alchemy: Fix cpu clock calculation

James Hogan <james.hogan@imgtec.com>
    KVM: MIPS: Don't leak FPU/DSP to guest

James Hogan <james.hogan@imgtec.com>
    KVM: MIPS: Disable HTW while in guest

Trond Myklebust <trond.myklebust@primarydata.com>
    NFS: struct nfs_commit_info.lock must always point to inode->i_lock

Jeff Layton <jlayton@primarydata.com>
    nfs: don't call blocking operations while !TASK_RUNNING

Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    proc/pagemap: walk page tables under pte lock

Marcin Wojtas <mw@semihalf.com>
    mmc: sdhci-pxav3: Fix Armada 38x controller's caps according to erratum ERR-7878951

Gregory CLEMENT <gregory.clement@free-electrons.com>
    mmc: sdhci-pxav3: Fix SDR50 and DDR50 capabilities for the Armada 38x flavor

Jisheng Zhang <jszhang@marvell.com>
    mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles

Jisheng Zhang <jszhang@marvell.com>
    mmc: sdhci-pxav3: fix unbalanced clock issues during probe

Russell King <rmk+kernel@arm.linux.org.uk>
    em28xx-audio: fix missing newlines, again

Russell King <rmk+kernel@arm.linux.org.uk>
    em28xx-dvb: fix missing newlines

Russell King <rmk+kernel@arm.linux.org.uk>
    em28xx-video: fix missing newlines

Russell King <rmk+kernel@arm.linux.org.uk>
    em28xx-core: fix missing newlines

Russell King <rmk+kernel@arm.linux.org.uk>
    em28xx-audio: fix missing newlines

Russell King <rmk+kernel@arm.linux.org.uk>
    em28xx-input: fix missing newlines

Russell King <rmk+kernel@arm.linux.org.uk>
    em28xx: ensure "closing" messages terminate with a newline

Arnd Bergmann <arnd@arndb.de>
    timberdale: do not select TIMB_DMA

James Hogan <james.hogan@imgtec.com>
    rc-main: Re-apply filter for no-op protocol change

Sumit.Saxena@avagotech.com <Sumit.Saxena@avagotech.com>
    megaraid_sas: disable interrupt_mask before enabling hardware interrupts

Sumit.Saxena@avagotech.com <Sumit.Saxena@avagotech.com>
    megaraid_sas: fix the problem of non-existing VD exposed to host

Sumit.Saxena@avagotech.com <Sumit.Saxena@avagotech.com>
    megaraid_sas: endianness related bug fixes and code optimization

Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
    power: gpio-charger: balance enable/disable_irq_wake calls

Krzysztof Kozlowski <k.kozlowski@samsung.com>
    power: bq24190: Fix ignored supplicants

Krzysztof Kozlowski <k.kozlowski@samsung.com>
    power_supply: 88pm860x: Fix leaked power supply on probe fail

Adrian Knoth <adi@drcomp.erfurt.thur.de>
    ALSA: hdspm - Constrain periods to 2 on older cards

Hui Wang <hui.wang@canonical.com>
    ALSA: hda - enable mute led quirk for one more hp machine.

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Set up GPIO for Toshiba Satellite S50D

Dan Carpenter <dan.carpenter@oracle.com>
    ALSA: off by one bug in snd_riptide_joystick_probe()

Antti Palosaari <crope@iki.fi>
    si2168: define symbol rate limits

Malcolm Priestley <tvboxspy@gmail.com>
    lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb

Malcolm Priestley <tvboxspy@gmail.com>
    lmedm04: Increase Interupt due time to 200 msec

Mika Westerberg <mika.westerberg@linux.intel.com>
    ACPI / LPSS: Deassert resets for SPI host controllers on Braswell

Mika Westerberg <mika.westerberg@linux.intel.com>
    ACPI / LPSS: Always disable I2C host controllers

Juergen Gross <jgross@suse.com>
    xen-scsiback: mark pvscsi frontend request consumed only after last read

Ross Lagerwall <ross.lagerwall@citrix.com>
    xen/manage: Fix USB interaction issues when resuming

Arnd Bergmann <arnd@arndb.de>
    cpufreq: s3c: remove last use of resume_clocks callback

Arnd Bergmann <arnd@arndb.de>
    cpufreq: s3c: remove incorrect __init annotations

Mikulas Patocka <mpatocka@redhat.com>
    cpufreq: speedstep-smi: enable interrupts when waiting

Viresh Kumar <viresh.kumar@linaro.org>
    cpufreq: Set cpufreq_cpu_data to NULL before putting kobject

Larry Finger <Larry.Finger@lwfinger.net>
    rtlwifi: Remove logging statement that is no longer needed

Larry Finger <Larry.Finger@lwfinger.net>
    rtlwifi: rtl8192ee: Fix problems with calculating free space in FIFO

Troy Tan <troy_tan@realsil.com.cn>
    rtlwifi: rtl8192ee: Fix DMA stalls

Troy Tan <troy_tan@realsil.com.cn>
    rtlwifi: rtl8192ee: Fix parsing of received packet

Troy Tan <troy_tan@realsil.com.cn>
    rtlwifi: rtl8192ee: Fix TX hang due to failure to update TX write point

Troy Tan <troy_tan@realsil.com.cn>
    rtlwifi: rtl8192ee: Fix adhoc fail

Arnd Bergmann <arnd@arndb.de>
    ASoC: davinci: fix DM365_EVM codec selection

Lars-Peter Clausen <lars@metafoo.de>
    ASoC: mioa701_wm9713: Fix speaker event

Bard Liao <bardliao@realtek.com>
    ASoC: rt5670: Set use_single_rw flag for regmap

Michel Dänzer <michel.daenzer@amd.com>
    PCI: Fix infinite loop with ROM image of size 0

Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
    PCI: Generate uppercase hex for modalias var in uevent

Seth Forshee <seth.forshee@canonical.com>
    HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events

Luciano Coelho <luciano.coelho@intel.com>
    iwlwifi: mvm: always use mac color zero

Luciano Coelho <luciano.coelho@intel.com>
    iwlwifi: mvm: fix failure path when power_update fails in add_interface

Eyal Shapira <eyal@wizery.com>
    iwlwifi: mvm: validate tid and sta_id in ba_notif

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN

Jan Kara <jack@suse.cz>
    fsnotify: fix handling of renames in audit

Dave Chinner <dchinner@redhat.com>
    xfs: set superblock buffer type correctly

Dave Chinner <dchinner@redhat.com>
    xfs: set buf types when converting extent formats

Dave Chinner <dchinner@redhat.com>
    xfs: inode unlink does not set AGI buffer type

Dave Chinner <dchinner@redhat.com>
    xfs: ensure buffer types are set correctly

George Spelvin <linux@horizon.com>
    random: Fix fast_mix() function

Matej Dubovy <matej.dubovy@gmail.com>
    Bluetooth: btusb: Add support for Lite-On (04ca) Broadcom based, BCM43142

Marcel Holtmann <marcel@holtmann.org>
    Bluetooth: btusb: Add support for Dynex/Insignia USB dongles

Rick Dunn <rick@rickdunn.com>
    Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices

Johan Hedberg <johan.hedberg@intel.com>
    Bluetooth: Fix valid Identity Address check

Dmitry Tunin <hanipouspilot@gmail.com>
    Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device

Adam Lee <adam.lee@canonical.com>
    Bluetooth: ath3k: workaround the compatibility issue with xHCI controller


-------------

Diffstat:

 Makefile                                     |   4 +-
 arch/arc/include/asm/pgtable.h               |   3 +-
 arch/arm/boot/dts/am335x-bone-common.dtsi    |   1 +
 arch/arm/boot/dts/bcm63138.dtsi              |   5 +-
 arch/arm/boot/dts/tegra20.dtsi               |   8 +-
 arch/arm/mach-mvebu/system-controller.c      |   2 +-
 arch/arm/mach-omap2/omap_hwmod_7xx_data.c    |   2 +-
 arch/arm/mach-pxa/corgi.c                    |   3 +
 arch/arm/mach-pxa/hx4700.c                   |   2 +
 arch/arm/mach-pxa/poodle.c                   |   2 +
 arch/arm/mach-sa1100/pm.c                    |   1 +
 arch/arm/mach-vexpress/Kconfig               |   1 +
 arch/arm64/kernel/signal32.c                 |   5 +-
 arch/metag/include/asm/processor.h           |   4 +-
 arch/mips/alchemy/common/clock.c             |   2 +
 arch/mips/include/asm/asmmacro.h             |   4 +-
 arch/mips/include/asm/cpu-info.h             |   5 +
 arch/mips/include/asm/mmu_context.h          |   7 +-
 arch/mips/include/asm/pgtable.h              |  42 +++---
 arch/mips/kernel/cps-vec.S                   |  16 +--
 arch/mips/kernel/cpu-probe.c                 |   4 +-
 arch/mips/kernel/mips_ksyms.c                |  10 ++
 arch/mips/kvm/locore.S                       |   2 +-
 arch/mips/kvm/mips.c                         |  19 ++-
 arch/powerpc/sysdev/axonram.c                |   2 +-
 arch/s390/kvm/interrupt.c                    |  22 ++-
 arch/s390/kvm/kvm-s390.c                     |   2 +-
 arch/x86/boot/compressed/Makefile            |   1 +
 arch/x86/boot/compressed/efi_stub_64.S       |  25 ----
 arch/x86/boot/compressed/efi_thunk_64.S      | 196 +++++++++++++++++++++++++++
 arch/x86/kernel/acpi/boot.c                  |  23 ++--
 arch/x86/kernel/pmc_atom.c                   |   4 +-
 arch/x86/kvm/x86.c                           |  19 +--
 arch/x86/mm/gup.c                            |   2 +-
 arch/x86/mm/hugetlbpage.c                    |   8 +-
 arch/x86/mm/mmap.c                           |   6 +-
 arch/x86/pci/xen.c                           |  47 -------
 arch/x86/platform/efi/efi_stub_64.S          | 161 ----------------------
 arch/x86/platform/efi/efi_thunk_64.S         | 121 ++++++++++++++---
 block/blk-mq-tag.c                           |   1 +
 block/blk-throttle.c                         |   3 +
 block/cfq-iosched.c                          |  16 ++-
 drivers/acpi/acpi_lpss.c                     |  19 ++-
 drivers/bluetooth/ath3k.c                    |  10 ++
 drivers/bluetooth/btusb.c                    |  11 +-
 drivers/char/random.c                        |   8 +-
 drivers/char/tpm/tpm-interface.c             |   2 +-
 drivers/char/tpm/tpm_i2c_atmel.c             |   4 +
 drivers/char/tpm/tpm_i2c_nuvoton.c           |   5 +
 drivers/char/tpm/tpm_i2c_stm_st33.c          |   2 +-
 drivers/char/tpm/tpm_ibmvtpm.c               |  28 ++--
 drivers/char/tpm/tpm_tis.c                   |  76 +++++++++--
 drivers/clocksource/mtk_timer.c              |   9 +-
 drivers/cpufreq/cpufreq.c                    |   6 +-
 drivers/cpufreq/s3c2416-cpufreq.c            |   4 +-
 drivers/cpufreq/s3c24xx-cpufreq.c            |  10 +-
 drivers/cpufreq/speedstep-lib.c              |   3 +
 drivers/cpufreq/speedstep-smi.c              |  12 ++
 drivers/edac/amd64_edac.c                    |  10 +-
 drivers/edac/sb_edac.c                       |   9 +-
 drivers/gpio/gpio-tps65912.c                 |  14 +-
 drivers/gpio/gpiolib-of.c                    |   9 +-
 drivers/hid/i2c-hid/i2c-hid.c                |   5 +-
 drivers/md/raid1.c                           |   5 +-
 drivers/md/raid5.c                           |   3 +-
 drivers/media/dvb-frontends/si2168.c         |   2 +
 drivers/media/platform/Kconfig               |   6 +-
 drivers/media/rc/rc-main.c                   |  14 +-
 drivers/media/usb/dvb-usb-v2/lmedm04.c       |  14 +-
 drivers/media/usb/em28xx/em28xx-audio.c      |   8 +-
 drivers/media/usb/em28xx/em28xx-core.c       |   4 +-
 drivers/media/usb/em28xx/em28xx-dvb.c        |  14 +-
 drivers/media/usb/em28xx/em28xx-input.c      |   6 +-
 drivers/media/usb/em28xx/em28xx-video.c      |   6 +-
 drivers/misc/mei/hw-me.c                     |   5 +-
 drivers/mmc/host/sdhci-pxav3.c               |  52 +++++--
 drivers/net/wireless/iwlwifi/mvm/mac80211.c  |   5 +-
 drivers/net/wireless/iwlwifi/mvm/tx.c        |   5 +
 drivers/net/wireless/iwlwifi/pcie/tx.c       |   7 +-
 drivers/net/wireless/rtlwifi/pci.c           |   5 +-
 drivers/net/wireless/rtlwifi/pci.h           |   7 +
 drivers/net/wireless/rtlwifi/rtl8192ee/fw.c  |   6 +-
 drivers/net/wireless/rtlwifi/rtl8192ee/hw.c  | 166 +++++++++++++++++++----
 drivers/net/wireless/rtlwifi/rtl8192ee/reg.h |   2 +
 drivers/net/wireless/rtlwifi/rtl8192ee/trx.c |  16 +--
 drivers/net/wireless/rtlwifi/rtl8192ee/trx.h |   2 +
 drivers/pci/pci-driver.c                     |   2 +-
 drivers/pci/rom.c                            |   7 +-
 drivers/platform/x86/samsung-laptop.c        |  20 ++-
 drivers/power/88pm860x_charger.c             |   1 +
 drivers/power/bq24190_charger.c              |   2 +-
 drivers/power/gpio-charger.c                 |   4 +-
 drivers/scsi/megaraid/megaraid_sas_base.c    |  24 ++--
 drivers/scsi/megaraid/megaraid_sas_fp.c      |  17 ++-
 drivers/scsi/megaraid/megaraid_sas_fusion.c  |  24 +++-
 drivers/scsi/megaraid/megaraid_sas_fusion.h  |   9 +-
 drivers/scsi/sg.c                            |  34 ++++-
 drivers/target/iscsi/iscsi_target_tq.c       |  28 +---
 drivers/tty/pty.c                            |   3 +
 drivers/tty/serial/atmel_serial.c            |   4 +-
 drivers/tty/serial/fsl_lpuart.c              |  16 ++-
 drivers/tty/vt/vt.c                          |   4 +-
 drivers/usb/core/buffer.c                    |  26 ++--
 drivers/usb/core/driver.c                    |  29 ++--
 drivers/usb/core/hcd.c                       |  16 +--
 drivers/usb/core/hub.c                       |  25 ++--
 drivers/usb/core/message.c                   |  23 +---
 drivers/usb/core/usb.c                       |   1 +
 drivers/usb/host/isp1760-hcd.c               |   3 +
 drivers/usb/serial/cp210x.c                  |   1 +
 drivers/xen/manage.c                         |   8 +-
 drivers/xen/xen-scsiback.c                   |  14 +-
 fs/binfmt_elf.c                              |   5 +-
 fs/btrfs/ctree.c                             |  17 +--
 fs/btrfs/disk-io.c                           |  11 +-
 fs/btrfs/tree-log.c                          |  93 +++++++++++--
 fs/jffs2/scan.c                              |   5 +
 fs/lockd/mon.c                               |  13 +-
 fs/nfs/callback.c                            |   8 +-
 fs/nfs/callback_xdr.c                        |   4 +-
 fs/nfs/direct.c                              |   2 +-
 fs/nfs/internal.h                            |  22 ++-
 fs/nfs/nfs4proc.c                            |  14 +-
 fs/nfs/pnfs.c                                |  41 +++---
 fs/nfs/super.c                               |   9 +-
 fs/proc/task_mmu.c                           |  14 +-
 fs/udf/inode.c                               |  28 ++--
 fs/xfs/libxfs/xfs_bmap.c                     |   6 +-
 fs/xfs/libxfs/xfs_symlink_remote.c           |   2 +
 fs/xfs/xfs_buf_item.c                        |   4 +
 fs/xfs/xfs_inode.c                           |   2 +
 fs/xfs/xfs_qm.c                              |   5 +
 fs/xfs/xfs_trans.c                           |   1 +
 include/linux/fsnotify.h                     |   6 +-
 include/linux/nfs_xdr.h                      |   2 +-
 include/linux/sunrpc/clnt.h                  |   3 +-
 include/linux/usb.h                          |   5 -
 include/linux/usb/hcd.h                      |   3 +
 include/net/cipso_ipv4.h                     |  25 ++--
 kernel/debug/kdb/kdb_main.c                  |   2 +-
 kernel/time/ntp.c                            |  10 +-
 kernel/trace/ring_buffer.c                   |  40 +++++-
 kernel/trace/trace.c                         |   2 +-
 mm/hugetlb.c                                 |   2 +
 net/bluetooth/smp.c                          |   6 +-
 net/ceph/osd_client.c                        |  26 ++--
 net/ipv4/cipso_ipv4.c                        |  51 ++++---
 net/netlabel/netlabel_kapi.c                 |  15 +-
 net/sunrpc/clnt.c                            |  12 +-
 net/sunrpc/rpcb_clnt.c                       |   8 +-
 security/smack/smack.h                       |  10 ++
 security/smack/smack_lsm.c                   |  24 ++--
 sound/pci/hda/patch_realtek.c                |   1 +
 sound/pci/hda/patch_sigmatel.c               |  20 +++
 sound/pci/riptide/riptide.c                  |  27 ++--
 sound/pci/rme9652/hdspm.c                    |   6 +
 sound/soc/codecs/rt5670.c                    |   1 +
 sound/soc/davinci/Kconfig                    |   3 +-
 sound/soc/pxa/mioa701_wm9713.c               |   2 +-
 tools/perf/util/cloexec.c                    |  18 ++-
 160 files changed, 1581 insertions(+), 829 deletions(-)



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 001/151] Bluetooth: ath3k: workaround the compatibility issue with xHCI controller
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 002/151] Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Adam Lee, Marcel Holtmann

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adam Lee <adam.lee@canonical.com>

commit c561a5753dd631920c4459a067d22679b3d110d6 upstream.

BugLink: https://bugs.launchpad.net/bugs/1400215

ath3k devices fail to load firmwares on xHCI buses, but work well on
EHCI, this might be a compatibility issue between xHCI and ath3k chips.
As my testing result, those chips will work on xHCI buses again with
this patch.

This workaround is from Qualcomm, they also did some workarounds in
Windows driver.

Signed-off-by: Adam Lee <adam.lee@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/ath3k.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -170,6 +170,8 @@ static const struct usb_device_id ath3k_
 #define USB_REQ_DFU_DNLOAD	1
 #define BULK_SIZE		4096
 #define FW_HDR_SIZE		20
+#define TIMEGAP_USEC_MIN	50
+#define TIMEGAP_USEC_MAX	100
 
 static int ath3k_load_firmware(struct usb_device *udev,
 				const struct firmware *firmware)
@@ -201,6 +203,9 @@ static int ath3k_load_firmware(struct us
 	pipe = usb_sndbulkpipe(udev, 0x02);
 
 	while (count) {
+		/* workaround the compatibility issue with xHCI controller*/
+		usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX);
+
 		size = min_t(uint, count, BULK_SIZE);
 		memcpy(send_buf, firmware->data + sent, size);
 
@@ -298,6 +303,9 @@ static int ath3k_load_fwfile(struct usb_
 	pipe = usb_sndbulkpipe(udev, 0x02);
 
 	while (count) {
+		/* workaround the compatibility issue with xHCI controller*/
+		usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX);
+
 		size = min_t(uint, count, BULK_SIZE);
 		memcpy(send_buf, firmware->data + sent, size);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 002/151] Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 001/151] Bluetooth: ath3k: workaround the compatibility issue with xHCI controller Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 003/151] Bluetooth: Fix valid Identity Address check Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Tunin, Marcel Holtmann

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipouspilot@gmail.com>

commit 033efa920a7f22a8caf7a38d851a2f451781bbf7 upstream.

Add support of 13d3:3423 device.

BugLink: https://bugs.launchpad.net/bugs/1411193

T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3423 Rev= 0.01
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/ath3k.c |    2 ++
 drivers/bluetooth/btusb.c |    1 +
 2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -106,6 +106,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3393) },
 	{ USB_DEVICE(0x13d3, 0x3402) },
 	{ USB_DEVICE(0x13d3, 0x3408) },
+	{ USB_DEVICE(0x13d3, 0x3423) },
 	{ USB_DEVICE(0x13d3, 0x3432) },
 
 	/* Atheros AR5BBU12 with sflash firmware */
@@ -158,6 +159,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU22 with sflash firmware */
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -183,6 +183,7 @@ static const struct usb_device_id blackl
 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU12 with sflash firmware */



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 003/151] Bluetooth: Fix valid Identity Address check
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 001/151] Bluetooth: ath3k: workaround the compatibility issue with xHCI controller Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 002/151] Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 004/151] Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hedberg, Marcel Holtmann

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hedberg <johan.hedberg@intel.com>

commit e12af489b91d47a806f4e96e4edc20df612482e7 upstream.

According to the Bluetooth core specification valid identity addresses
are either Public Device Addresses or Static Random Addresses. IRKs
received with any other type of address should be discarded since we
cannot assume to know the permanent identity of the peer device.

This patch fixes a missing check for the Identity Address when receiving
the Identity Address Information SMP PDU.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/smp.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1392,8 +1392,12 @@ static int smp_cmd_ident_addr_info(struc
 	 * implementations are not known of and in order to not over
 	 * complicate our implementation, simply pretend that we never
 	 * received an IRK for such a device.
+	 *
+	 * The Identity Address must also be a Static Random or Public
+	 * Address, which hci_is_identity_address() checks for.
 	 */
-	if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
+	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
+	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
 		BT_ERR("Ignoring IRK with no identity address");
 		goto distribute;
 	}



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 004/151] Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 003/151] Bluetooth: Fix valid Identity Address check Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 005/151] Bluetooth: btusb: Add support for Dynex/Insignia USB dongles Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rick Dunn, Marcel Holtmann

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rick Dunn <rick@rickdunn.com>

commit 9a5abdaaf9d2e80e157c7a756f9d9fd933dee48e upstream.

T:  Bus=03 Lev=01 Prnt=01 Port=06 Cnt=02 Dev#=  3 Spd=12   MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0b05 ProdID=17cf Rev= 1.12
S:  Manufacturer=Broadcom Corp
S:  Product=BCM20702A0
S:  SerialNumber=54271E3298CD
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)

Firmware is extracted from the latest Broadcom BCM4352 Windows driver
by extracting the zip and searching the .hex file names for '17cf'.

The hex file must then be converted to hcd format using the hex2hcd
utility and then moved to /lib/firmware/brcm/.

Signed-off-by: Rick Dunn <rick@rickdunn.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/btusb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -115,7 +115,8 @@ static const struct usb_device_id btusb_
 	  .driver_info = BTUSB_BCM_PATCHRAM },
 
 	/* ASUSTek Computer - Broadcom based */
-	{ USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) },
+	{ USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
+	  .driver_info = BTUSB_BCM_PATCHRAM },
 
 	/* Belkin F8065bf - Broadcom based */
 	{ USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 005/151] Bluetooth: btusb: Add support for Dynex/Insignia USB dongles
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 004/151] Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 006/151] Bluetooth: btusb: Add support for Lite-On (04ca) Broadcom based, BCM43142 Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcel Holtmann, Johan Hedberg

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcel Holtmann <marcel@holtmann.org>

commit d049f4e513e861167361b06c7ca85f9e872c8cde upstream.

The Dynex/Insignia USB dongles are Broadcom BCM20702B0 based and require
firmware update before operation.

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=19ff ProdID=0239 Rev= 1.12
S:  Manufacturer=Broadcom Corp
S:  Product=BCM20702A0
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)

Since this is an unsual USB vendor ID (0x19ff), these dongles are added
via USB_DEVICE macro and not USB_VENDOR_AND_INTERFACE_INFO as done for
mainstream Broadcom based dongles.

The latest known working firmware is BCM20702B0_002.001.014.0527.0557.hex
which needs to be converted using hex2hcd utility and then installed
as /lib/firmware/brcm/BCM20702A0-19ff-0239.hcd to make this device fully
operational.

Bluetooth: hci0: BCM: patching hci_ver=06 hci_rev=2000 lmp_ver=06 lmp_subver=410e
Bluetooth: hci0: BCM: firmware hci_ver=06 hci_rev=222d lmp_ver=06 lmp_subver=410e

With this firmware the device reports support for connectionless slave
broadcast (master and slave) feature used by 3D Glasses and TVs.

  < HCI Command: Read Local Extended Features (0x04|0x0004) plen 1
          Page: 2
  > HCI Event: Command Complete (0x0e) plen 14
        Read Local Extended Features (0x04|0x0004) ncmd 1
          Status: Success (0x00)
          Page: 2/2
          Features: 0x0f 0x00 0x00 0x00 0x00 0x00 0x00 0x00
            Connectionless Slave Broadcast - Master
            Connectionless Slave Broadcast - Slave
            Synchronization Train
            Synchronization Scan

However there are some flaws with this feature. The Set Event Mask Page 2
command is actually not supported and with that all connectionless slave
broadcast events are always enabled.

  < HCI Command: Set Event Mask Page 2 (0x03|0x0063) plen 8
          Mask: 0x00000000000f0000
            Synchronization Train Received
            Connectionless Slave Broadcast Receive
            Connectionless Slave Broadcast Timeout
            Truncated Page Complete
  > HCI Event: Command Complete (0x0e) plen 4
        Set Event Mask Page 2 (0x03|0x0063) ncmd 1
          Status: Unknown HCI Command (0x01)

In addition the Synchronization Train Received event is actually broken
on this controller. It mixes up the order of parameters. According to the
Bluetooth Core specification the fields are like this:

  struct hci_ev_sync_train_received {
          __u8     status;
          bdaddr_t bdaddr;
          __le32   offset;
          __u8     map[10];
          __u8     lt_addr;
          __le32   instant;
          __le16   interval;
          __u8     service_data;
  } __packed;

This controller however sends the service_data as 5th parameter instead
of having it as last parameter.

  struct hci_ev_sync_train_received {
          __u8     status;
          bdaddr_t bdaddr;
          __le32   offset;
          __u8     map[10];
          __u8     service_data;
          __u8     lt_addr;
          __le32   instant;
          __le16   interval;
  } __packed;

So anybody trying to use this hardware for utilizing connectionless slave
broadcast receivers (aka 3D Glasses), be warned about this shortcoming.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/btusb.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -107,6 +107,9 @@ static const struct usb_device_id btusb_
 	{ USB_DEVICE(0x0b05, 0x17cb) },
 	{ USB_DEVICE(0x413c, 0x8197) },
 
+	/* Broadcom BCM20702B0 (Dynex/Insignia) */
+	{ USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
+
 	/* Foxconn - Hon Hai */
 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 006/151] Bluetooth: btusb: Add support for Lite-On (04ca) Broadcom based, BCM43142
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 005/151] Bluetooth: btusb: Add support for Dynex/Insignia USB dongles Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 007/151] random: Fix fast_mix() function Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Matej Dubovy, Marcel Holtmann

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matej Dubovy <matej.dubovy@gmail.com>

commit 8f0c304c693c5a9759ed6ae50d07d4590dad5ae7 upstream.

Please add support for sub BT chip on the combo card
Broadcom 43142A0 (in Lenovo E145), 04ca:2007

/sys/kernel/debug/usb/devices

T:  Bus=05 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  3 Spd=12   MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=04ca ProdID=2007 Rev= 1.12
S:  Manufacturer=Broadcom Corp
S:  Product=BCM43142A0
S:  SerialNumber=28E347EC73BD
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=02(Bulk) MxPS=  32 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS=  32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)

Firmware for 04ca:2007 can be extracted from the latest Lenovo E145
Bluetooth driver for Windows (driver is however described as BCM20702
but contains also firwmare for BCM43142).
Search for BCM43142A0_001.001.011.0122.0153.hex within hex files, then
it must be converted using hex2hcd utility. Rename file to
BCM43142A0-04ca-2007.hcd, then move to /lib/firmware/brcm/.

Signed-off-by: Matej Dubovy <matej.dubovy@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/btusb.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -113,6 +113,10 @@ static const struct usb_device_id btusb_
 	/* Foxconn - Hon Hai */
 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
 
+	/* Lite-On Technology - Broadcom based */
+	{ USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),
+	  .driver_info = BTUSB_BCM_PATCHRAM },
+
 	/* Broadcom devices with vendor specific id */
 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
 	  .driver_info = BTUSB_BCM_PATCHRAM },



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 007/151] random: Fix fast_mix() function
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 006/151] Bluetooth: btusb: Add support for Lite-On (04ca) Broadcom based, BCM43142 Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 008/151] xfs: ensure buffer types are set correctly Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, George Spelvin, Theodore Tso, Linus Torvalds

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: George Spelvin <linux@horizon.com>

commit 19acc77a36970958a4a0e4daeb2c8cb2aab0ffd4 upstream.

There was a bad typo in commit 43759d4f429c ("random: use an improved
fast_mix() function") and I didn't notice because it "looked right", so
I saw what I expected to see when I reviewed it.

Only months later did I look and notice it's not the Threefish-inspired
mix function that I had designed and optimized.

Mea Culpa.  Each input bit still has a chance to affect each output bit,
and the fast pool is spilled *long* before it fills, so it's not a total
disaster, but it's definitely not the intended great improvement.

I'm still working on finding better rotation constants.  These are good
enough, but since it's unrolled twice, it's possible to get better
mixing for free by using eight different constants rather than repeating
the same four.

Signed-off-by: George Spelvin <linux@horizon.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/random.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -569,19 +569,19 @@ static void fast_mix(struct fast_pool *f
 	__u32 c = f->pool[2],	d = f->pool[3];
 
 	a += b;			c += d;
-	b = rol32(a, 6);	d = rol32(c, 27);
+	b = rol32(b, 6);	d = rol32(d, 27);
 	d ^= a;			b ^= c;
 
 	a += b;			c += d;
-	b = rol32(a, 16);	d = rol32(c, 14);
+	b = rol32(b, 16);	d = rol32(d, 14);
 	d ^= a;			b ^= c;
 
 	a += b;			c += d;
-	b = rol32(a, 6);	d = rol32(c, 27);
+	b = rol32(b, 6);	d = rol32(d, 27);
 	d ^= a;			b ^= c;
 
 	a += b;			c += d;
-	b = rol32(a, 16);	d = rol32(c, 14);
+	b = rol32(b, 16);	d = rol32(d, 14);
 	d ^= a;			b ^= c;
 
 	f->pool[0] = a;  f->pool[1] = b;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 008/151] xfs: ensure buffer types are set correctly
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 007/151] random: Fix fast_mix() function Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 009/151] xfs: inode unlink does not set AGI buffer type Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kara, Dave Chinner, Brian Foster,
	Dave Chinner

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Chinner <dchinner@redhat.com>

commit 0d612fb570b71ea2e49554a770cff4c489018b2c upstream.

Jan Kara reported that log recovery was finding buffers with invalid
types in them. This should not happen, and indicates a bug in the
logging of buffers. To catch this, add asserts to the buffer
formatting code to ensure that the buffer type is in range when the
transaction is committed.

We don't set a type on buffers being marked stale - they are not
going to get replayed, the format item exists only for recovery to
be able to prevent replay of the buffer, so the type does not
matter. Hence that needs special casing here.

Reported-by: Jan Kara <jack@suse.cz>
Tested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/xfs_buf_item.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -319,6 +319,10 @@ xfs_buf_item_format(
 	ASSERT(atomic_read(&bip->bli_refcount) > 0);
 	ASSERT((bip->bli_flags & XFS_BLI_LOGGED) ||
 	       (bip->bli_flags & XFS_BLI_STALE));
+	ASSERT((bip->bli_flags & XFS_BLI_STALE) ||
+	       (xfs_blft_from_flags(&bip->__bli_format) > XFS_BLFT_UNKNOWN_BUF
+	        && xfs_blft_from_flags(&bip->__bli_format) < XFS_BLFT_MAX_BUF));
+
 
 	/*
 	 * If it is an inode buffer, transfer the in-memory state to the



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 009/151] xfs: inode unlink does not set AGI buffer type
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 008/151] xfs: ensure buffer types are set correctly Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 010/151] xfs: set buf types when converting extent formats Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kara, Dave Chinner, Brian Foster,
	Dave Chinner

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Chinner <dchinner@redhat.com>

commit f19b872b086711bb4b22c3a0f52f16aa920bcc61 upstream.

This leads to log recovery throwing errors like:

XFS (md0): Mounting V5 Filesystem
XFS (md0): Starting recovery (logdev: internal)
XFS (md0): Unknown buffer type 0!
XFS (md0): _xfs_buf_ioapply: no ops on block 0xaea8802/0x1
ffff8800ffc53800: 58 41 47 49 .....

Which is the AGI buffer magic number.

Ensure that we set the type appropriately in both unlink list
addition and removal.

Tested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/xfs_inode.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -2000,6 +2000,7 @@ xfs_iunlink(
 	agi->agi_unlinked[bucket_index] = cpu_to_be32(agino);
 	offset = offsetof(xfs_agi_t, agi_unlinked) +
 		(sizeof(xfs_agino_t) * bucket_index);
+	xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF);
 	xfs_trans_log_buf(tp, agibp, offset,
 			  (offset + sizeof(xfs_agino_t) - 1));
 	return 0;
@@ -2091,6 +2092,7 @@ xfs_iunlink_remove(
 		agi->agi_unlinked[bucket_index] = cpu_to_be32(next_agino);
 		offset = offsetof(xfs_agi_t, agi_unlinked) +
 			(sizeof(xfs_agino_t) * bucket_index);
+		xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF);
 		xfs_trans_log_buf(tp, agibp, offset,
 				  (offset + sizeof(xfs_agino_t) - 1));
 	} else {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 010/151] xfs: set buf types when converting extent formats
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 009/151] xfs: inode unlink does not set AGI buffer type Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 011/151] xfs: set superblock buffer type correctly Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kara, Dave Chinner, Brian Foster,
	Dave Chinner

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Chinner <dchinner@redhat.com>

commit fe22d552b82d7cc7de1851233ae8bef579198637 upstream.

Conversion from local to extent format does not set the buffer type
correctly on the new extent buffer when a symlink data is moved out
of line.

Fix the symlink code and leave a comment in the generic bmap code
reminding us that the format-specific data copy needs to set the
destination buffer type appropriately.

Tested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/libxfs/xfs_bmap.c           |    6 +++++-
 fs/xfs/libxfs/xfs_symlink_remote.c |    2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

--- a/fs/xfs/libxfs/xfs_bmap.c
+++ b/fs/xfs/libxfs/xfs_bmap.c
@@ -976,7 +976,11 @@ xfs_bmap_local_to_extents(
 	*firstblock = args.fsbno;
 	bp = xfs_btree_get_bufl(args.mp, tp, args.fsbno, 0);
 
-	/* initialise the block and copy the data */
+	/*
+	 * Initialise the block and copy the data
+	 *
+	 * Note: init_fn must set the buffer log item type correctly!
+	 */
 	init_fn(tp, bp, ip, ifp);
 
 	/* account for the change in fork size and log everything */
--- a/fs/xfs/libxfs/xfs_symlink_remote.c
+++ b/fs/xfs/libxfs/xfs_symlink_remote.c
@@ -180,6 +180,8 @@ xfs_symlink_local_to_remote(
 	struct xfs_mount	*mp = ip->i_mount;
 	char			*buf;
 
+	xfs_trans_buf_set_type(tp, bp, XFS_BLFT_SYMLINK_BUF);
+
 	if (!xfs_sb_version_hascrc(&mp->m_sb)) {
 		bp->b_ops = NULL;
 		memcpy(bp->b_addr, ifp->if_u1.if_data, ifp->if_bytes);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 011/151] xfs: set superblock buffer type correctly
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 010/151] xfs: set buf types when converting extent formats Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 012/151] fsnotify: fix handling of renames in audit Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kara, Dave Chinner, Brian Foster,
	Dave Chinner

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Chinner <dchinner@redhat.com>

commit 3443a3bca54588f43286b725d8648d33a38c86f1 upstream.

When the superblock is modified in a transaction, the commonly
modified fields are not actually copied to the superblock buffer to
avoid the buffer lock becoming a serialisation point. However, there
are some other operations that modify the superblock fields within
the transaction that don't directly log to the superblock but rely
on the changes to be applied during the transaction commit (to
minimise the buffer lock hold time).

When we do this, we fail to mark the buffer log item as being a
superblock buffer and that can lead to the buffer not being marked
with the corect type in the log and hence causing recovery issues.
Fix it by setting the type correctly, similar to xfs_mod_sb()...

Tested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/xfs_trans.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/xfs/xfs_trans.c
+++ b/fs/xfs/xfs_trans.c
@@ -474,6 +474,7 @@ xfs_trans_apply_sb_deltas(
 		whole = 1;
 	}
 
+	xfs_trans_buf_set_type(tp, bp, XFS_BLFT_SB_BUF);
 	if (whole)
 		/*
 		 * Log the whole thing, the fields are noncontiguous.



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 012/151] fsnotify: fix handling of renames in audit
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 011/151] xfs: set superblock buffer type correctly Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 013/151] iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kara, Paul Moore, Eric Paris,
	Andrew Morton, Linus Torvalds

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 6ee8e25fc3e916193bce4ebb43d5439e1e2144ab upstream.

Commit e9fd702a58c4 ("audit: convert audit watches to use fsnotify
instead of inotify") broke handling of renames in audit.  Audit code
wants to update inode number of an inode corresponding to watched name
in a directory.  When something gets renamed into a directory to a
watched name, inotify previously passed moved inode to audit code
however new fsnotify code passes directory inode where the change
happened.  That confuses audit and it starts watching parent directory
instead of a file in a directory.

This can be observed for example by doing:

  cd /tmp
  touch foo bar
  auditctl -w /tmp/foo
  touch foo
  mv bar foo
  touch foo

In audit log we see events like:

  type=CONFIG_CHANGE msg=audit(1423563584.155:90): auid=1000 ses=2 op="updated rules" path="/tmp/foo" key=(null) list=4 res=1
  ...
  type=PATH msg=audit(1423563584.155:91): item=2 name="bar" inode=1046884 dev=08:0 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
  type=PATH msg=audit(1423563584.155:91): item=3 name="foo" inode=1046842 dev=08:0 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
  type=PATH msg=audit(1423563584.155:91): item=4 name="foo" inode=1046884 dev=08:0 2 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
  ...

and that's it - we see event for the first touch after creating the
audit rule, we see events for rename but we don't see any event for the
last touch.  However we start seeing events for unrelated stuff
happening in /tmp.

Fix the problem by passing moved inode as data in the FS_MOVED_FROM and
FS_MOVED_TO events instead of the directory where the change happens.
This doesn't introduce any new problems because noone besides
audit_watch.c cares about the passed value:

  fs/notify/fanotify/fanotify.c cares only about FSNOTIFY_EVENT_PATH events.
  fs/notify/dnotify/dnotify.c doesn't care about passed 'data' value at all.
  fs/notify/inotify/inotify_fsnotify.c uses 'data' only for FSNOTIFY_EVENT_PATH.
  kernel/audit_tree.c doesn't care about passed 'data' at all.
  kernel/audit_watch.c expects moved inode as 'data'.

Fixes: e9fd702a58c49db ("audit: convert audit watches to use fsnotify instead of inotify")
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/fsnotify.h |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -101,8 +101,10 @@ static inline void fsnotify_move(struct
 		new_dir_mask |= FS_ISDIR;
 	}
 
-	fsnotify(old_dir, old_dir_mask, old_dir, FSNOTIFY_EVENT_INODE, old_name, fs_cookie);
-	fsnotify(new_dir, new_dir_mask, new_dir, FSNOTIFY_EVENT_INODE, new_name, fs_cookie);
+	fsnotify(old_dir, old_dir_mask, source, FSNOTIFY_EVENT_INODE, old_name,
+		 fs_cookie);
+	fsnotify(new_dir, new_dir_mask, source, FSNOTIFY_EVENT_INODE, new_name,
+		 fs_cookie);
 
 	if (target)
 		fsnotify_link_count(target);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 013/151] iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 012/151] fsnotify: fix handling of renames in audit Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 014/151] iwlwifi: mvm: validate tid and sta_id in ba_notif Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Emmanuel Grumbach

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit cd8f438405032ac8ff88bd8f2eca5e0c0063b14b upstream.

The base address of the scheduler in the device's memory
(SRAM) comes from two different sources. The periphery
register and the alive notification from the firmware.
We have a check in iwl_pcie_tx_start that ensures that
they are the same.
When we resume from WoWLAN, the firmware may have crashed
for whatever reason. In that case, the whole device may be
reset which means that the periphery register will hold a
meaningless value. When we come to compare
trans_pcie->scd_base_addr (which really holds the value we
had when we loaded the WoWLAN firmware upon suspend) and
the current value of the register, we don't see a match
unsurprisingly.
Trick the check to avoid a loud yet harmless WARN.
Note that when the WoWLAN has crashed, we will see that
in iwl_trans_pcie_d3_resume which will let the op_mode
know. Once the op_mode is informed that the WowLAN firmware
has crashed, it can't do much besides resetting the whole
device.

Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/iwlwifi/pcie/tx.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
@@ -722,7 +722,12 @@ void iwl_trans_pcie_tx_reset(struct iwl_
 	iwl_write_direct32(trans, FH_KW_MEM_ADDR_REG,
 			   trans_pcie->kw.dma >> 4);
 
-	iwl_pcie_tx_start(trans, trans_pcie->scd_base_addr);
+	/*
+	 * Send 0 as the scd_base_addr since the device may have be reset
+	 * while we were in WoWLAN in which case SCD_SRAM_BASE_ADDR will
+	 * contain garbage.
+	 */
+	iwl_pcie_tx_start(trans, 0);
 }
 
 /*



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 014/151] iwlwifi: mvm: validate tid and sta_id in ba_notif
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 013/151] iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 015/151] iwlwifi: mvm: fix failure path when power_update fails in add_interface Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eyal Shapira, Emmanuel Grumbach

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eyal Shapira <eyal@wizery.com>

commit 2cee4762c528a9bd2cdff793197bf591a2196c11 upstream.

These are coming from the FW and are used to access arrays.
Bad values can cause an out of bounds access so discard
such ba_notifs and warn.

Signed-off-by: Eyal Shapira <eyalx.shapira@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/iwlwifi/mvm/tx.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
@@ -902,6 +902,11 @@ int iwl_mvm_rx_ba_notif(struct iwl_mvm *
 	sta_id = ba_notif->sta_id;
 	tid = ba_notif->tid;
 
+	if (WARN_ONCE(sta_id >= IWL_MVM_STATION_COUNT ||
+		      tid >= IWL_MAX_TID_COUNT,
+		      "sta_id %d tid %d", sta_id, tid))
+		return 0;
+
 	rcu_read_lock();
 
 	sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 015/151] iwlwifi: mvm: fix failure path when power_update fails in add_interface
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 014/151] iwlwifi: mvm: validate tid and sta_id in ba_notif Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 016/151] iwlwifi: mvm: always use mac color zero Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luciano Coelho, Johannes Berg,
	Emmanuel Grumbach

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luciano Coelho <luciano.coelho@intel.com>

commit fd66fc1cafd72ddf27dbec3a5e29e99839d1bc84 upstream.

When iwl_mvm_power_update_mac() is called, we have already added the
mac context, so if this call fails we should remove the mac.

Fixes: commit e5e7aa8e2561 ('iwlwifi: mvm: refactor power code')
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/iwlwifi/mvm/mac80211.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
@@ -1014,7 +1014,7 @@ static int iwl_mvm_mac_add_interface(str
 
 	ret = iwl_mvm_power_update_mac(mvm);
 	if (ret)
-		goto out_release;
+		goto out_remove_mac;
 
 	/* beacon filtering */
 	ret = iwl_mvm_disable_beacon_filter(mvm, vif, 0);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 016/151] iwlwifi: mvm: always use mac color zero
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 015/151] iwlwifi: mvm: fix failure path when power_update fails in add_interface Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 017/151] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luciano Coelho, Johannes Berg,
	Emmanuel Grumbach

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luciano Coelho <luciano.coelho@intel.com>

commit 5523d11cc46393a1e61b7ef4a0b2d4e7ed9521e4 upstream.

We don't really need to use different mac colors when adding mac
contexts, because they're not used anywhere.  In fact, the firmware
doesn't accept 255 as a valid color, so we get into a SYSASSERT 0x3401
when we reach that.

Remove the color increment to use always zero and avoid reaching 255.

Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/iwlwifi/mvm/mac80211.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
@@ -668,9 +668,6 @@ static void iwl_mvm_cleanup_iterator(voi
 	mvmvif->uploaded = false;
 	mvmvif->ap_sta_id = IWL_MVM_STATION_COUNT;
 
-	/* does this make sense at all? */
-	mvmvif->color++;
-
 	spin_lock_bh(&mvm->time_event_lock);
 	iwl_mvm_te_clear_data(mvm, &mvmvif->time_event_data);
 	spin_unlock_bh(&mvm->time_event_lock);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 017/151] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 016/151] iwlwifi: mvm: always use mac color zero Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 018/151] PCI: Generate uppercase hex for modalias var in uevent Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Seth Forshee, Benjamin Tissoires,
	Jiri Kosina

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Seth Forshee <seth.forshee@canonical.com>

commit 6d00f37e49d95e640a3937a4a1ae07dbe92a10cb upstream.

d1c7e29e8d27 (HID: i2c-hid: prevent buffer overflow in early IRQ)
changed hid_get_input() to read ihid->bufsize bytes, which can be
more than wMaxInputLength. This is the case with the Dell XPS 13
9343, and it is causing events to be missed. In some cases the
missed events are releases, which can cause the cursor to jump or
freeze, among other problems. Limit the number of bytes read to
min(wMaxInputLength, ihid->bufsize) to prevent such problems.

Fixes: d1c7e29e8d27 "HID: i2c-hid: prevent buffer overflow in early IRQ"
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/i2c-hid/i2c-hid.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -370,7 +370,10 @@ static int i2c_hid_hwreset(struct i2c_cl
 static void i2c_hid_get_input(struct i2c_hid *ihid)
 {
 	int ret, ret_size;
-	int size = ihid->bufsize;
+	int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
+
+	if (size > ihid->bufsize)
+		size = ihid->bufsize;
 
 	ret = i2c_master_recv(ihid->client, ihid->inbuf, size);
 	if (ret != size) {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 018/151] PCI: Generate uppercase hex for modalias var in uevent
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 017/151] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 020/151] ASoC: rt5670: Set use_single_rw flag for regmap Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ricardo Ribalda Delgado, Bjorn Helgaas

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>

commit 145b3fe579db66fbe999a2bc3fd5b63dffe9636d upstream.

Some implementations of modprobe fail to load the driver for a PCI device
automatically because the "interface" part of the modalias from the kernel
is lowercase, and the modalias from file2alias is uppercase.

The "interface" is the low-order byte of the Class Code, defined in PCI
r3.0, Appendix D.  Most interface types defined in the spec do not use
alpha characters, so they won't be affected.  For example, 00h, 01h, 10h,
20h, etc. are unaffected.

Print the "interface" byte of the Class Code in uppercase hex, as we
already do for the Vendor ID, Device ID, Class, etc.

Commit 89ec3dcf17fd ("PCI: Generate uppercase hex for modalias interface
class") fixed only half of the problem.  Some udev implementations rely on
the uevent file and not the modalias file.

Fixes: d1ded203adf1 ("PCI: add MODALIAS to hotplug event for pci devices")
Fixes: 89ec3dcf17fd ("PCI: Generate uppercase hex for modalias interface class")
Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/pci-driver.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -1389,7 +1389,7 @@ static int pci_uevent(struct device *dev
 	if (add_uevent_var(env, "PCI_SLOT_NAME=%s", pci_name(pdev)))
 		return -ENOMEM;
 
-	if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02x",
+	if (add_uevent_var(env, "MODALIAS=pci:v%08Xd%08Xsv%08Xsd%08Xbc%02Xsc%02Xi%02X",
 			   pdev->vendor, pdev->device,
 			   pdev->subsystem_vendor, pdev->subsystem_device,
 			   (u8)(pdev->class >> 16), (u8)(pdev->class >> 8),



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 020/151] ASoC: rt5670: Set use_single_rw flag for regmap
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 018/151] PCI: Generate uppercase hex for modalias var in uevent Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 021/151] ASoC: mioa701_wm9713: Fix speaker event Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bard Liao, Mark Brown

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bard Liao <bardliao@realtek.com>

commit 92b133f251b5f914f3ed28bc83e5b7a40d4e22ed upstream.

RT5670 doesn't support auto incrementing writes so driver should
set the use_single_rw flag for regmap.

Signed-off-by: Bard Liao <bardliao@realtek.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/rt5670.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/soc/codecs/rt5670.c
+++ b/sound/soc/codecs/rt5670.c
@@ -2439,6 +2439,7 @@ static struct snd_soc_codec_driver soc_c
 static const struct regmap_config rt5670_regmap = {
 	.reg_bits = 8,
 	.val_bits = 16,
+	.use_single_rw = true,
 	.max_register = RT5670_VENDOR_ID2 + 1 + (ARRAY_SIZE(rt5670_ranges) *
 					       RT5670_PR_SPACING),
 	.volatile_reg = rt5670_volatile_register,



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 021/151] ASoC: mioa701_wm9713: Fix speaker event
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 020/151] ASoC: rt5670: Set use_single_rw flag for regmap Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 022/151] ASoC: davinci: fix DM365_EVM codec selection Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Mark Brown

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <lars@metafoo.de>

commit 7331ea474e9e7a348541c207bdb6aa518c6403f4 upstream.

Commit f6b2a04590bb ("ASoC: pxa: mioa701_wm9713: Convert to table based DAPM
setup") converted the driver to register the board level DAPM elements with
the card's DAPM context rather than the CODEC's DAPM context. The change
overlooked that the speaker widget event callback accesses the widget's
codec field which is only valid if the widget has been registered in a CODEC
DAPM context. This patch modifies the callback to take an alternative route
to get the CODEC.

Fixes: f6b2a04590bb ("ASoC: pxa: mioa701_wm9713: Convert to table based DAPM
setup")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/pxa/mioa701_wm9713.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/pxa/mioa701_wm9713.c
+++ b/sound/soc/pxa/mioa701_wm9713.c
@@ -81,7 +81,7 @@ static int rear_amp_power(struct snd_soc
 static int rear_amp_event(struct snd_soc_dapm_widget *widget,
 			  struct snd_kcontrol *kctl, int event)
 {
-	struct snd_soc_codec *codec = widget->codec;
+	struct snd_soc_codec *codec = widget->dapm->card->rtd[0].codec;
 
 	return rear_amp_power(codec, SND_SOC_DAPM_EVENT_ON(event));
 }



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 022/151] ASoC: davinci: fix DM365_EVM codec selection
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 021/151] ASoC: mioa701_wm9713: Fix speaker event Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 023/151] rtlwifi: rtl8192ee: Fix adhoc fail Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Mark Brown

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit f9a7ba326938f03b9305af8d31c360fce10cd4df upstream.

An earlier bug fix of mine made the SND_DM365_VOICE_CODEC symbol
tristate to avoid creating an undefined reference from the
davinci-vcif.c driver to the davinci_soc_platform_register
function that may be in a module.

However, this may now lead to a different error on randconfig
kernels:

"warning: SND_DM365_VOICE_CODEC creates inconsistent choice state"

This happens because we now have a choice statement with
one bool and one tristate option, and the latter might not
support being set to 'y' because of dependencies.

This new change turns the other option into 'tristate' as well,
which avoids the problem.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 19926c6de0c3 ("ASoC: davinci: vcif must be a module if SND_DAVINCI_SOC is")
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/davinci/Kconfig |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/soc/davinci/Kconfig
+++ b/sound/soc/davinci/Kconfig
@@ -58,13 +58,12 @@ choice
 	depends on MACH_DAVINCI_DM365_EVM
 
 config SND_DM365_AIC3X_CODEC
-	bool "Audio Codec - AIC3101"
+	tristate "Audio Codec - AIC3101"
 	help
 	  Say Y if you want to add support for AIC3101 audio codec
 
 config SND_DM365_VOICE_CODEC
 	tristate "Voice Codec - CQ93VC"
-	depends on SND_DAVINCI_SOC
 	select MFD_DAVINCI_VOICECODEC
 	select SND_DAVINCI_SOC_VCIF
 	select SND_SOC_CQ0093VC



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 023/151] rtlwifi: rtl8192ee: Fix adhoc fail
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 022/151] ASoC: davinci: fix DM365_EVM codec selection Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 024/151] rtlwifi: rtl8192ee: Fix TX hang due to failure to update TX write point Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Troy Tan, Larry Finger, Kalle Valo

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Troy Tan <troy_tan@realsil.com.cn>

commit b661a5da57766f4f565d64238b753d6efc0f5499 upstream.

When the buffer descriptor index exceeds 2, then a TX HANG condition
will result.

Signed-off-by: Troy Tan <troy_tan@realsil.com.cn>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rtlwifi/rtl8192ee/fw.c |    6 +-----
 drivers/net/wireless/rtlwifi/rtl8192ee/hw.c |   26 --------------------------
 2 files changed, 1 insertion(+), 31 deletions(-)

--- a/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/fw.c
@@ -666,7 +666,6 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
 	struct sk_buff *skb = NULL;
 
 	u32 totalpacketlen;
-	bool rtstatus;
 	u8 u1rsvdpageloc[5] = { 0 };
 	bool b_dlok = false;
 
@@ -728,10 +727,7 @@ void rtl92ee_set_fw_rsvdpagepkt(struct i
 	memcpy((u8 *)skb_put(skb, totalpacketlen),
 	       &reserved_page_packet, totalpacketlen);
 
-	rtstatus = rtl_cmd_send_packet(hw, skb);
-
-	if (rtstatus)
-		b_dlok = true;
+	b_dlok = true;
 
 	if (b_dlok) {
 		RT_TRACE(rtlpriv, COMP_POWER, DBG_LOUD ,
--- a/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c
@@ -85,29 +85,6 @@ static void _rtl92ee_enable_bcn_sub_func
 	_rtl92ee_set_bcn_ctrl_reg(hw, 0, BIT(1));
 }
 
-static void _rtl92ee_return_beacon_queue_skb(struct ieee80211_hw *hw)
-{
-	struct rtl_priv *rtlpriv = rtl_priv(hw);
-	struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
-	struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[BEACON_QUEUE];
-	unsigned long flags;
-
-	spin_lock_irqsave(&rtlpriv->locks.irq_th_lock, flags);
-	while (skb_queue_len(&ring->queue)) {
-		struct rtl_tx_buffer_desc *entry =
-						&ring->buffer_desc[ring->idx];
-		struct sk_buff *skb = __skb_dequeue(&ring->queue);
-
-		pci_unmap_single(rtlpci->pdev,
-				 rtlpriv->cfg->ops->get_desc(
-				 (u8 *)entry, true, HW_DESC_TXBUFF_ADDR),
-				 skb->len, PCI_DMA_TODEVICE);
-		kfree_skb(skb);
-		ring->idx = (ring->idx + 1) % ring->entries;
-	}
-	spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags);
-}
-
 static void _rtl92ee_disable_bcn_sub_func(struct ieee80211_hw *hw)
 {
 	_rtl92ee_set_bcn_ctrl_reg(hw, BIT(1), 0);
@@ -403,9 +380,6 @@ static void _rtl92ee_download_rsvd_page(
 		rtl_write_byte(rtlpriv, REG_DWBCN0_CTRL + 2,
 			       bcnvalid_reg | BIT(0));
 
-		/* Return Beacon TCB */
-		_rtl92ee_return_beacon_queue_skb(hw);
-
 		/* download rsvd page */
 		rtl92ee_set_fw_rsvdpagepkt(hw, false);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 024/151] rtlwifi: rtl8192ee: Fix TX hang due to failure to update TX write point
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 023/151] rtlwifi: rtl8192ee: Fix adhoc fail Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 025/151] rtlwifi: rtl8192ee: Fix parsing of received packet Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Troy Tan, Larry Finger, Kalle Valo

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Troy Tan <troy_tan@realsil.com.cn>

commit 6e5f4436162848289f071be38ee6b87dc8ea653d upstream.

Initially, the routine to update the write point in the FIFO buffer was
coded to save CPU time by not doing the calculation every interrupt. This
was an error and results in TX hangs.

Signed-off-by: Troy Tan <troy_tan@realsil.com.cn>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rtlwifi/rtl8192ee/trx.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c
@@ -1207,8 +1207,7 @@ bool rtl92ee_is_tx_desc_closed(struct ie
 	static u8 stop_report_cnt;
 	struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[hw_queue];
 
-	/*checking Read/Write Point each interrupt wastes CPU */
-	if (stop_report_cnt > 15 || !rtlpriv->link_info.busytraffic) {
+	{
 		u16 point_diff = 0;
 		u16 cur_tx_rp, cur_tx_wp;
 		u32 tmpu32 = 0;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 025/151] rtlwifi: rtl8192ee: Fix parsing of received packet
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 024/151] rtlwifi: rtl8192ee: Fix TX hang due to failure to update TX write point Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 026/151] rtlwifi: rtl8192ee: Fix DMA stalls Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Troy Tan, Larry Finger, Kalle Valo

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Troy Tan <troy_tan@realsil.com.cn>

commit 92ff754240b892cbc16dee5aa080322f3db88b68 upstream.

The firmware supplies two kinds of packets via the RX mechanism. Besides the
normal data received over the air, these packets may contain bluetooth status
and other information. The present code fails to detect which kind of
information was received.

Signed-off-by: Troy Tan <troy_tan@realsil.com.cn>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rtlwifi/rtl8192ee/trx.c |    4 ++++
 drivers/net/wireless/rtlwifi/rtl8192ee/trx.h |    2 ++
 2 files changed, 6 insertions(+)

--- a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c
@@ -512,6 +512,10 @@ bool rtl92ee_rx_query_desc(struct ieee80
 	struct ieee80211_hdr *hdr;
 	u32 phystatus = GET_RX_DESC_PHYST(pdesc);
 
+	if (GET_RX_STATUS_DESC_RPT_SEL(pdesc) == 0)
+		status->packet_report_type = NORMAL_RX;
+	else
+		status->packet_report_type = C2H_PACKET;
 	status->length = (u16)GET_RX_DESC_PKT_LEN(pdesc);
 	status->rx_drvinfo_size = (u8)GET_RX_DESC_DRV_INFO_SIZE(pdesc) *
 				  RX_DRV_INFO_SIZE_UNIT;
--- a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.h
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.h
@@ -542,6 +542,8 @@
 	LE_BITS_TO_4BYTE(__pdesc+8, 12, 4)
 #define GET_RX_DESC_RX_IS_QOS(__pdesc)			\
 	LE_BITS_TO_4BYTE(__pdesc+8, 16, 1)
+#define GET_RX_STATUS_DESC_RPT_SEL(__pdesc)		\
+	LE_BITS_TO_4BYTE(__pdesc+8, 28, 1)
 
 #define GET_RX_DESC_RXMCS(__pdesc)			\
 	LE_BITS_TO_4BYTE(__pdesc+12, 0, 7)



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 026/151] rtlwifi: rtl8192ee: Fix DMA stalls
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 025/151] rtlwifi: rtl8192ee: Fix parsing of received packet Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 027/151] rtlwifi: rtl8192ee: Fix problems with calculating free space in FIFO Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Troy Tan, Larry Finger, Kalle Valo

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Troy Tan <troy_tan@realsil.com.cn>

commit 21b39ddb5bb2294fe64fbd29045591fe0707825f upstream.

There are instances where the DMA engine stalls. The new code detects
such stalls and restarts DMA without needing a power reset.

Signed-off-by: Troy Tan <troy_tan@realsil.com.cn>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rtlwifi/rtl8192ee/hw.c  |  140 +++++++++++++++++++++++++++
 drivers/net/wireless/rtlwifi/rtl8192ee/reg.h |    2 
 2 files changed, 142 insertions(+)

--- a/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/hw.c
@@ -1137,6 +1137,139 @@ void rtl92ee_enable_hw_security_config(s
 	rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_WPA_CONFIG, &sec_reg_value);
 }
 
+static bool _rtl8192ee_check_pcie_dma_hang(struct rtl_priv *rtlpriv)
+{
+	u8 tmp;
+
+	/* write reg 0x350 Bit[26]=1. Enable debug port. */
+	tmp = rtl_read_byte(rtlpriv, REG_BACKDOOR_DBI_DATA + 3);
+	if (!(tmp & BIT(2))) {
+		rtl_write_byte(rtlpriv, REG_BACKDOOR_DBI_DATA + 3,
+			       tmp | BIT(2));
+		mdelay(100); /* Suggested by DD Justin_tsai. */
+	}
+
+	/* read reg 0x350 Bit[25] if 1 : RX hang
+	 * read reg 0x350 Bit[24] if 1 : TX hang
+	 */
+	tmp = rtl_read_byte(rtlpriv, REG_BACKDOOR_DBI_DATA + 3);
+	if ((tmp & BIT(0)) || (tmp & BIT(1))) {
+		RT_TRACE(rtlpriv, COMP_INIT, DBG_LOUD,
+			 "CheckPcieDMAHang8192EE(): true!!\n");
+		return true;
+	}
+	return false;
+}
+
+static void _rtl8192ee_reset_pcie_interface_dma(struct rtl_priv *rtlpriv,
+						bool mac_power_on)
+{
+	u8 tmp;
+	bool release_mac_rx_pause;
+	u8 backup_pcie_dma_pause;
+
+	RT_TRACE(rtlpriv, COMP_INIT, DBG_LOUD,
+		 "ResetPcieInterfaceDMA8192EE()\n");
+
+	/* Revise Note: Follow the document "PCIe RX DMA Hang Reset Flow_v03"
+	 * released by SD1 Alan.
+	 */
+
+	/* 1. disable register write lock
+	 *	write 0x1C bit[1:0] = 2'h0
+	 *	write 0xCC bit[2] = 1'b1
+	 */
+	tmp = rtl_read_byte(rtlpriv, REG_RSV_CTRL);
+	tmp &= ~(BIT(1) | BIT(0));
+	rtl_write_byte(rtlpriv, REG_RSV_CTRL, tmp);
+	tmp = rtl_read_byte(rtlpriv, REG_PMC_DBG_CTRL2);
+	tmp |= BIT(2);
+	rtl_write_byte(rtlpriv, REG_PMC_DBG_CTRL2, tmp);
+
+	/* 2. Check and pause TRX DMA
+	 *	write 0x284 bit[18] = 1'b1
+	 *	write 0x301 = 0xFF
+	 */
+	tmp = rtl_read_byte(rtlpriv, REG_RXDMA_CONTROL);
+	if (tmp & BIT(2)) {
+		/* Already pause before the function for another reason. */
+		release_mac_rx_pause = false;
+	} else {
+		rtl_write_byte(rtlpriv, REG_RXDMA_CONTROL, (tmp | BIT(2)));
+		release_mac_rx_pause = true;
+	}
+
+	backup_pcie_dma_pause = rtl_read_byte(rtlpriv, REG_PCIE_CTRL_REG + 1);
+	if (backup_pcie_dma_pause != 0xFF)
+		rtl_write_byte(rtlpriv, REG_PCIE_CTRL_REG + 1, 0xFF);
+
+	if (mac_power_on) {
+		/* 3. reset TRX function
+		 *	write 0x100 = 0x00
+		 */
+		rtl_write_byte(rtlpriv, REG_CR, 0);
+	}
+
+	/* 4. Reset PCIe DMA
+	 *	write 0x003 bit[0] = 0
+	 */
+	tmp = rtl_read_byte(rtlpriv, REG_SYS_FUNC_EN + 1);
+	tmp &= ~(BIT(0));
+	rtl_write_byte(rtlpriv, REG_SYS_FUNC_EN + 1, tmp);
+
+	/* 5. Enable PCIe DMA
+	 *	write 0x003 bit[0] = 1
+	 */
+	tmp = rtl_read_byte(rtlpriv, REG_SYS_FUNC_EN + 1);
+	tmp |= BIT(0);
+	rtl_write_byte(rtlpriv, REG_SYS_FUNC_EN + 1, tmp);
+
+	if (mac_power_on) {
+		/* 6. enable TRX function
+		 *	write 0x100 = 0xFF
+		 */
+		rtl_write_byte(rtlpriv, REG_CR, 0xFF);
+
+		/* We should init LLT & RQPN and
+		 * prepare Tx/Rx descrptor address later
+		 * because MAC function is reset.
+		 */
+	}
+
+	/* 7. Restore PCIe autoload down bit
+	 *	write 0xF8 bit[17] = 1'b1
+	 */
+	tmp = rtl_read_byte(rtlpriv, REG_MAC_PHY_CTRL_NORMAL + 2);
+	tmp |= BIT(1);
+	rtl_write_byte(rtlpriv, REG_MAC_PHY_CTRL_NORMAL + 2, tmp);
+
+	/* In MAC power on state, BB and RF maybe in ON state,
+	 * if we release TRx DMA here
+	 * it will cause packets to be started to Tx/Rx,
+	 * so we release Tx/Rx DMA later.
+	 */
+	if (!mac_power_on) {
+		/* 8. release TRX DMA
+		 *	write 0x284 bit[18] = 1'b0
+		 *	write 0x301 = 0x00
+		 */
+		if (release_mac_rx_pause) {
+			tmp = rtl_read_byte(rtlpriv, REG_RXDMA_CONTROL);
+			rtl_write_byte(rtlpriv, REG_RXDMA_CONTROL,
+				       (tmp & (~BIT(2))));
+		}
+		rtl_write_byte(rtlpriv, REG_PCIE_CTRL_REG + 1,
+			       backup_pcie_dma_pause);
+	}
+
+	/* 9. lock system register
+	 *	write 0xCC bit[2] = 1'b0
+	 */
+	tmp = rtl_read_byte(rtlpriv, REG_PMC_DBG_CTRL2);
+	tmp &= ~(BIT(2));
+	rtl_write_byte(rtlpriv, REG_PMC_DBG_CTRL2, tmp);
+}
+
 int rtl92ee_hw_init(struct ieee80211_hw *hw)
 {
 	struct rtl_priv *rtlpriv = rtl_priv(hw);
@@ -1162,6 +1295,13 @@ int rtl92ee_hw_init(struct ieee80211_hw
 		rtlhal->fw_ps_state = FW_PS_STATE_ALL_ON_92E;
 	}
 
+	if (_rtl8192ee_check_pcie_dma_hang(rtlpriv)) {
+		RT_TRACE(rtlpriv, COMP_INIT, DBG_DMESG, "92ee dma hang!\n");
+		_rtl8192ee_reset_pcie_interface_dma(rtlpriv,
+						    rtlhal->mac_func_enable);
+		rtlhal->mac_func_enable = false;
+	}
+
 	rtstatus = _rtl92ee_init_mac(hw);
 
 	rtl_write_byte(rtlpriv, 0x577, 0x03);
--- a/drivers/net/wireless/rtlwifi/rtl8192ee/reg.h
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/reg.h
@@ -77,9 +77,11 @@
 #define REG_HIMRE				0x00B8
 #define REG_HISRE				0x00BC
 
+#define REG_PMC_DBG_CTRL2			0x00CC
 #define REG_EFUSE_ACCESS			0x00CF
 #define REG_HPON_FSM				0x00EC
 #define REG_SYS_CFG1				0x00F0
+#define REG_MAC_PHY_CTRL_NORMAL			0x00F8
 #define REG_SYS_CFG2				0x00FC
 
 #define REG_CR					0x0100



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 027/151] rtlwifi: rtl8192ee: Fix problems with calculating free space in FIFO
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 026/151] rtlwifi: rtl8192ee: Fix DMA stalls Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 028/151] rtlwifi: Remove logging statement that is no longer needed Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Larry Finger, Kalle Valo

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 6d4beca3775222884e1ee9d48ef586c438c3dfa1 upstream.

This driver utilizes a FIFO buffer for RX descriptors. There are four places
in the code where it calculates the number of free slots. Several of those
locations do the calculation incorrectly. To fix these and to prevent future
mistakes, a common inline routine is created.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rtlwifi/pci.h           |    7 +++++++
 drivers/net/wireless/rtlwifi/rtl8192ee/trx.c |    9 +--------
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/net/wireless/rtlwifi/pci.h
+++ b/drivers/net/wireless/rtlwifi/pci.h
@@ -325,4 +325,11 @@ static inline void pci_write32_async(str
 	writel(val, (u8 __iomem *) rtlpriv->io.pci_mem_start + addr);
 }
 
+static inline u16 calc_fifo_space(u16 rp, u16 wp)
+{
+	if (rp <= wp)
+		return RTL_PCI_MAX_RX_COUNT - 1 + rp - wp;
+	return rp - wp - 1;
+}
+
 #endif
--- a/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192ee/trx.c
@@ -658,14 +658,7 @@ u16 rtl92ee_rx_desc_buff_remained_cnt(st
 	if (!start_rx)
 		return 0;
 
-	if ((last_read_point > (RX_DESC_NUM_92E / 2)) &&
-	    (read_point <= (RX_DESC_NUM_92E / 2))) {
-		remind_cnt = RX_DESC_NUM_92E - write_point;
-	} else {
-		remind_cnt = (read_point >= write_point) ?
-			     (read_point - write_point) :
-			     (RX_DESC_NUM_92E - write_point + read_point);
-	}
+	remind_cnt = calc_fifo_space(read_point, write_point);
 
 	if (remind_cnt == 0)
 		return 0;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 028/151] rtlwifi: Remove logging statement that is no longer needed
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 027/151] rtlwifi: rtl8192ee: Fix problems with calculating free space in FIFO Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 029/151] cpufreq: Set cpufreq_cpu_data to NULL before putting kobject Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Larry Finger, Kalle Valo

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry.Finger@lwfinger.net>

commit aeb2d2a4c0ae1739a6e1782bd8c1c96aee8db4e1 upstream.

In commit e9538cf4f907 ("rtlwifi: Fix error when accessing unmapped memory
in skb"), a printk was included to indicate that the condition had been
reached. There is now enough evidence from other users that the fix is
working. That logging statement can now be removed.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rtlwifi/pci.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/net/wireless/rtlwifi/pci.c
+++ b/drivers/net/wireless/rtlwifi/pci.c
@@ -816,11 +816,8 @@ static void _rtl_pci_rx_interrupt(struct
 
 		/* get a new skb - if fail, old one will be reused */
 		new_skb = dev_alloc_skb(rtlpci->rxbuffersize);
-		if (unlikely(!new_skb)) {
-			pr_err("Allocation of new skb failed in %s\n",
-			       __func__);
+		if (unlikely(!new_skb))
 			goto no_new;
-		}
 		if (rtlpriv->use_new_trx_flow) {
 			buffer_desc =
 			  &rtlpci->rx_ring[rxring_idx].buffer_desc



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 029/151] cpufreq: Set cpufreq_cpu_data to NULL before putting kobject
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 028/151] rtlwifi: Remove logging statement that is no longer needed Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 031/151] cpufreq: s3c: remove incorrect __init annotations Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ethan Zhao, Santosh Shilimkar,
	Viresh Kumar, Rafael J. Wysocki

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viresh Kumar <viresh.kumar@linaro.org>

commit 6ffae8c06fab058d6c3f8ecb7f921327721034e7 upstream.

In __cpufreq_remove_dev_finish(), per-cpu 'cpufreq_cpu_data' needs
to be cleared before calling kobject_put(&policy->kobj) and under
cpufreq_driver_lock. Otherwise, if someone else calls cpufreq_cpu_get()
in parallel with it, they can obtain a non-NULL policy from that after
kobject_put(&policy->kobj) was executed.

Consider this case:

Thread A				Thread B
cpufreq_cpu_get()
  acquire cpufreq_driver_lock
  read-per-cpu cpufreq_cpu_data
					kobject_put(&policy->kobj);
  kobject_get(&policy->kobj);
					...
					per_cpu(&cpufreq_cpu_data, cpu) = NULL

And this will result in a warning like this one:

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 4 at include/linux/kref.h:47
 kobject_get+0x41/0x50()
 Modules linked in: acpi_cpufreq(+) nfsd auth_rpcgss nfs_acl
 lockd grace sunrpc xfs libcrc32c sd_mod ixgbe igb mdio ahci hwmon
 ...
 Call Trace:
  [<ffffffff81661b14>] dump_stack+0x46/0x58
  [<ffffffff81072b61>] warn_slowpath_common+0x81/0xa0
  [<ffffffff81072c7a>] warn_slowpath_null+0x1a/0x20
  [<ffffffff812e16d1>] kobject_get+0x41/0x50
  [<ffffffff815262a5>] cpufreq_cpu_get+0x75/0xc0
  [<ffffffff81527c3e>] cpufreq_update_policy+0x2e/0x1f0
  [<ffffffff810b8cb2>] ? up+0x32/0x50
  [<ffffffff81381aa9>] ? acpi_ns_get_node+0xcb/0xf2
  [<ffffffff81381efd>] ? acpi_evaluate_object+0x22c/0x252
  [<ffffffff813824f6>] ? acpi_get_handle+0x95/0xc0
  [<ffffffff81360967>] ? acpi_has_method+0x25/0x40
  [<ffffffff81391e08>] acpi_processor_ppc_has_changed+0x77/0x82
  [<ffffffff81089566>] ? move_linked_works+0x66/0x90
  [<ffffffff8138e8ed>] acpi_processor_notify+0x58/0xe7
  [<ffffffff8137410c>] acpi_ev_notify_dispatch+0x44/0x5c
  [<ffffffff8135f293>] acpi_os_execute_deferred+0x15/0x22
  [<ffffffff8108c910>] process_one_work+0x160/0x410
  [<ffffffff8108d05b>] worker_thread+0x11b/0x520
  [<ffffffff8108cf40>] ? rescuer_thread+0x380/0x380
  [<ffffffff81092421>] kthread+0xe1/0x100
  [<ffffffff81092340>] ? kthread_create_on_node+0x1b0/0x1b0
  [<ffffffff81669ebc>] ret_from_fork+0x7c/0xb0
  [<ffffffff81092340>] ? kthread_create_on_node+0x1b0/0x1b0
 ---[ end trace 89e66eb9795efdf7 ]---

The actual code flow is as follows:

 Thread A: Workqueue: kacpi_notify

 acpi_processor_notify()
   acpi_processor_ppc_has_changed()
         cpufreq_update_policy()
           cpufreq_cpu_get()
             kobject_get()

 Thread B: xenbus_thread()

 xenbus_thread()
   msg->u.watch.handle->callback()
     handle_vcpu_hotplug_event()
       vcpu_hotplug()
         cpu_down()
           __cpu_notify(CPU_POST_DEAD..)
             cpufreq_cpu_callback()
               __cpufreq_remove_dev_finish()
                 cpufreq_policy_put_kobj()
                   kobject_put()

cpufreq_cpu_get() gets the policy from per-cpu variable cpufreq_cpu_data
under cpufreq_driver_lock, and once it gets a valid policy it expects it
to not be freed until cpufreq_cpu_put() is called.

But the race happens when another thread puts the kobject first and updates
cpufreq_cpu_data before or later. And so the first thread gets a valid policy
structure and before it does kobject_get() on it, the second one has already
done kobject_put().

Fix this by setting cpufreq_cpu_data to NULL before putting the kobject and that
too under locks.

Reported-by: Ethan Zhao <ethan.zhao@oracle.com>
Reported-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpufreq/cpufreq.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1409,9 +1409,10 @@ static int __cpufreq_remove_dev_finish(s
 	unsigned long flags;
 	struct cpufreq_policy *policy;
 
-	read_lock_irqsave(&cpufreq_driver_lock, flags);
+	write_lock_irqsave(&cpufreq_driver_lock, flags);
 	policy = per_cpu(cpufreq_cpu_data, cpu);
-	read_unlock_irqrestore(&cpufreq_driver_lock, flags);
+	per_cpu(cpufreq_cpu_data, cpu) = NULL;
+	write_unlock_irqrestore(&cpufreq_driver_lock, flags);
 
 	if (!policy) {
 		pr_debug("%s: No cpu_data found\n", __func__);
@@ -1466,7 +1467,6 @@ static int __cpufreq_remove_dev_finish(s
 		}
 	}
 
-	per_cpu(cpufreq_cpu_data, cpu) = NULL;
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 031/151] cpufreq: s3c: remove incorrect __init annotations
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 029/151] cpufreq: Set cpufreq_cpu_data to NULL before putting kobject Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 032/151] cpufreq: s3c: remove last use of resume_clocks callback Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Viresh Kumar,
	Rafael J. Wysocki

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 61882b63171736571e1139ab5aa929e3bb336016 upstream.

The two functions s3c2416_cpufreq_driver_init and s3c_cpufreq_register
are marked init but are called from a context that might be run after
the __init sections are discarded, as the compiler points out:

WARNING: vmlinux.o(.data+0x1ad9dc): Section mismatch in reference from the variable s3c2416_cpufreq_driver to the function .init.text:s3c2416_cpufreq_driver_init()
WARNING: drivers/built-in.o(.text+0x35b5dc): Section mismatch in reference from the function s3c2410a_cpufreq_add() to the function .init.text:s3c_cpufreq_register()

This removes the __init markings.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpufreq/s3c2416-cpufreq.c |    4 ++--
 drivers/cpufreq/s3c24xx-cpufreq.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/cpufreq/s3c2416-cpufreq.c
+++ b/drivers/cpufreq/s3c2416-cpufreq.c
@@ -263,7 +263,7 @@ out:
 }
 
 #ifdef CONFIG_ARM_S3C2416_CPUFREQ_VCORESCALE
-static void __init s3c2416_cpufreq_cfg_regulator(struct s3c2416_data *s3c_freq)
+static void s3c2416_cpufreq_cfg_regulator(struct s3c2416_data *s3c_freq)
 {
 	int count, v, i, found;
 	struct cpufreq_frequency_table *pos;
@@ -333,7 +333,7 @@ static struct notifier_block s3c2416_cpu
 	.notifier_call = s3c2416_cpufreq_reboot_notifier_evt,
 };
 
-static int __init s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy)
+static int s3c2416_cpufreq_driver_init(struct cpufreq_policy *policy)
 {
 	struct s3c2416_data *s3c_freq = &s3c2416_cpufreq;
 	struct cpufreq_frequency_table *pos;
--- a/drivers/cpufreq/s3c24xx-cpufreq.c
+++ b/drivers/cpufreq/s3c24xx-cpufreq.c
@@ -454,7 +454,7 @@ static struct cpufreq_driver s3c24xx_dri
 };
 
 
-int __init s3c_cpufreq_register(struct s3c_cpufreq_info *info)
+int s3c_cpufreq_register(struct s3c_cpufreq_info *info)
 {
 	if (!info || !info->name) {
 		printk(KERN_ERR "%s: failed to pass valid information\n",



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 032/151] cpufreq: s3c: remove last use of resume_clocks callback
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 031/151] cpufreq: s3c: remove incorrect __init annotations Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 033/151] xen/manage: Fix USB interaction issues when resuming Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Viresh Kumar,
	Rafael J. Wysocki

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 67fadaa2768716209ee19a8b8bf05bc3ac399445 upstream.

Commit 32726d2d550 ("ARM: SAMSUNG: Remove legacy clock code")
already removed the callback pointer, but there was one remaining
user:

drivers/cpufreq/s3c24xx-cpufreq.c: In function 's3c_cpufreq_resume_clocks':
drivers/cpufreq/s3c24xx-cpufreq.c:149:14: error: 'struct s3c_cpufreq_info' has no member named 'resume_clocks'
  cpu_cur.info->resume_clocks();
              ^

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 32726d2d550 ("ARM: SAMSUNG: Remove legacy clock code")
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/cpufreq/s3c24xx-cpufreq.c |    8 --------
 1 file changed, 8 deletions(-)

--- a/drivers/cpufreq/s3c24xx-cpufreq.c
+++ b/drivers/cpufreq/s3c24xx-cpufreq.c
@@ -144,11 +144,6 @@ static void s3c_cpufreq_setfvco(struct s
 	(cfg->info->set_fvco)(cfg);
 }
 
-static inline void s3c_cpufreq_resume_clocks(void)
-{
-	cpu_cur.info->resume_clocks();
-}
-
 static inline void s3c_cpufreq_updateclk(struct clk *clk,
 					 unsigned int freq)
 {
@@ -417,9 +412,6 @@ static int s3c_cpufreq_resume(struct cpu
 
 	last_target = ~0;	/* invalidate last_target setting */
 
-	/* first, find out what speed we resumed at. */
-	s3c_cpufreq_resume_clocks();
-
 	/* whilst we will be called later on, we try and re-set the
 	 * cpu frequencies as soon as possible so that we do not end
 	 * up resuming devices and then immediately having to re-set



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 033/151] xen/manage: Fix USB interaction issues when resuming
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 032/151] cpufreq: s3c: remove last use of resume_clocks callback Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 034/151] xen-scsiback: mark pvscsi frontend request consumed only after last read Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ross Lagerwall, David Vrabel

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Lagerwall <ross.lagerwall@citrix.com>

commit 72978b2fe2f2cdf9f319c6c6dcdbe92b38de2be2 upstream.

Commit 61a734d305e1 ("xen/manage: Always freeze/thaw processes when
suspend/resuming") ensured that userspace processes were always frozen
before suspending to reduce interaction issues when resuming devices.
However, freeze_processes() does not freeze kernel threads.  Freeze
kernel threads as well to prevent deadlocks with the khubd thread when
resuming devices.

This is what native suspend and resume does.

Example deadlock:
[ 7279.648010]  [<ffffffff81446bde>] ? xen_poll_irq_timeout+0x3e/0x50
[ 7279.648010]  [<ffffffff81448d60>] xen_poll_irq+0x10/0x20
[ 7279.648010]  [<ffffffff81011723>] xen_lock_spinning+0xb3/0x120
[ 7279.648010]  [<ffffffff810115d1>] __raw_callee_save_xen_lock_spinning+0x11/0x20
[ 7279.648010]  [<ffffffff815620b6>] ? usb_control_msg+0xe6/0x120
[ 7279.648010]  [<ffffffff81747e50>] ? _raw_spin_lock_irq+0x50/0x60
[ 7279.648010]  [<ffffffff8174522c>] wait_for_completion+0xac/0x160
[ 7279.648010]  [<ffffffff8109c520>] ? try_to_wake_up+0x2c0/0x2c0
[ 7279.648010]  [<ffffffff814b60f2>] dpm_wait+0x32/0x40
[ 7279.648010]  [<ffffffff814b6eb0>] device_resume+0x90/0x210
[ 7279.648010]  [<ffffffff814b7d71>] dpm_resume+0x121/0x250
[ 7279.648010]  [<ffffffff8144c570>] ? xenbus_dev_request_and_reply+0xc0/0xc0
[ 7279.648010]  [<ffffffff814b80d5>] dpm_resume_end+0x15/0x30
[ 7279.648010]  [<ffffffff81449fba>] do_suspend+0x10a/0x200
[ 7279.648010]  [<ffffffff8144a2f0>] ? xen_pre_suspend+0x20/0x20
[ 7279.648010]  [<ffffffff8144a1d0>] shutdown_handler+0x120/0x150
[ 7279.648010]  [<ffffffff8144c60f>] xenwatch_thread+0x9f/0x160
[ 7279.648010]  [<ffffffff810ac510>] ? finish_wait+0x80/0x80
[ 7279.648010]  [<ffffffff8108d189>] kthread+0xc9/0xe0
[ 7279.648010]  [<ffffffff8108d0c0>] ? flush_kthread_worker+0x80/0x80
[ 7279.648010]  [<ffffffff8175087c>] ret_from_fork+0x7c/0xb0
[ 7279.648010]  [<ffffffff8108d0c0>] ? flush_kthread_worker+0x80/0x80

[ 7441.216287] INFO: task khubd:89 blocked for more than 120 seconds.
[ 7441.219457]       Tainted: G            X 3.13.11-ckt12.kz #1
[ 7441.222176] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 7441.225827] khubd           D ffff88003f433440     0    89      2 0x00000000
[ 7441.229258]  ffff88003ceb9b98 0000000000000046 ffff88003ce83000 0000000000013440
[ 7441.232959]  ffff88003ceb9fd8 0000000000013440 ffff88003cd13000 ffff88003ce83000
[ 7441.236658]  0000000000000286 ffff88003d3e0000 ffff88003ceb9bd0 00000001001aa01e
[ 7441.240415] Call Trace:
[ 7441.241614]  [<ffffffff817442f9>] schedule+0x29/0x70
[ 7441.243930]  [<ffffffff81743406>] schedule_timeout+0x166/0x2c0
[ 7441.246681]  [<ffffffff81075b80>] ? call_timer_fn+0x110/0x110
[ 7441.249339]  [<ffffffff8174357e>] schedule_timeout_uninterruptible+0x1e/0x20
[ 7441.252644]  [<ffffffff81077710>] msleep+0x20/0x30
[ 7441.254812]  [<ffffffff81555f00>] hub_port_reset+0xf0/0x580
[ 7441.257400]  [<ffffffff81558465>] hub_port_init+0x75/0xb40
[ 7441.259981]  [<ffffffff814bb3c9>] ? update_autosuspend+0x39/0x60
[ 7441.262817]  [<ffffffff814bb4f0>] ? pm_runtime_set_autosuspend_delay+0x50/0xa0
[ 7441.266212]  [<ffffffff8155a64a>] hub_thread+0x71a/0x1750
[ 7441.268728]  [<ffffffff810ac510>] ? finish_wait+0x80/0x80
[ 7441.271272]  [<ffffffff81559f30>] ? usb_port_resume+0x670/0x670
[ 7441.274067]  [<ffffffff8108d189>] kthread+0xc9/0xe0
[ 7441.276305]  [<ffffffff8108d0c0>] ? flush_kthread_worker+0x80/0x80
[ 7441.279131]  [<ffffffff8175087c>] ret_from_fork+0x7c/0xb0
[ 7441.281659]  [<ffffffff8108d0c0>] ? flush_kthread_worker+0x80/0x80

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/manage.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/xen/manage.c
+++ b/drivers/xen/manage.c
@@ -105,10 +105,16 @@ static void do_suspend(void)
 
 	err = freeze_processes();
 	if (err) {
-		pr_err("%s: freeze failed %d\n", __func__, err);
+		pr_err("%s: freeze processes failed %d\n", __func__, err);
 		goto out;
 	}
 
+	err = freeze_kernel_threads();
+	if (err) {
+		pr_err("%s: freeze kernel threads failed %d\n", __func__, err);
+		goto out_thaw;
+	}
+
 	err = dpm_suspend_start(PMSG_FREEZE);
 	if (err) {
 		pr_err("%s: dpm_suspend_start %d\n", __func__, err);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 034/151] xen-scsiback: mark pvscsi frontend request consumed only after last read
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 033/151] xen/manage: Fix USB interaction issues when resuming Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 035/151] ACPI / LPSS: Always disable I2C host controllers Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, David Vrabel

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Juergen Gross <jgross@suse.com>

commit facb5732b0bb59ebbc11b5d5abc249e677ddbeb6 upstream.

A request in the ring buffer mustn't be read after it has been marked
as consumed. Otherwise it might already have been reused by the
frontend without violating the ring protocol.

To avoid inconsistencies in the backend only work on a private copy
of the request. This will ensure a malicious guest not being able to
bypass consistency checks of the backend by modifying an active
request.

Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/xen-scsiback.c |   14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

--- a/drivers/xen/xen-scsiback.c
+++ b/drivers/xen/xen-scsiback.c
@@ -712,12 +712,11 @@ static int prepare_pending_reqs(struct v
 static int scsiback_do_cmd_fn(struct vscsibk_info *info)
 {
 	struct vscsiif_back_ring *ring = &info->ring;
-	struct vscsiif_request *ring_req;
+	struct vscsiif_request ring_req;
 	struct vscsibk_pend *pending_req;
 	RING_IDX rc, rp;
 	int err, more_to_do;
 	uint32_t result;
-	uint8_t act;
 
 	rc = ring->req_cons;
 	rp = ring->sring->req_prod;
@@ -738,11 +737,10 @@ static int scsiback_do_cmd_fn(struct vsc
 		if (!pending_req)
 			return 1;
 
-		ring_req = RING_GET_REQUEST(ring, rc);
+		ring_req = *RING_GET_REQUEST(ring, rc);
 		ring->req_cons = ++rc;
 
-		act = ring_req->act;
-		err = prepare_pending_reqs(info, ring_req, pending_req);
+		err = prepare_pending_reqs(info, &ring_req, pending_req);
 		if (err) {
 			switch (err) {
 			case -ENODEV:
@@ -758,9 +756,9 @@ static int scsiback_do_cmd_fn(struct vsc
 			return 1;
 		}
 
-		switch (act) {
+		switch (ring_req.act) {
 		case VSCSIIF_ACT_SCSI_CDB:
-			if (scsiback_gnttab_data_map(ring_req, pending_req)) {
+			if (scsiback_gnttab_data_map(&ring_req, pending_req)) {
 				scsiback_fast_flush_area(pending_req);
 				scsiback_do_resp_with_sense(NULL,
 					DRIVER_ERROR << 24, 0, pending_req);
@@ -771,7 +769,7 @@ static int scsiback_do_cmd_fn(struct vsc
 			break;
 		case VSCSIIF_ACT_SCSI_ABORT:
 			scsiback_device_action(pending_req, TMR_ABORT_TASK,
-				ring_req->ref_rqid);
+				ring_req.ref_rqid);
 			break;
 		case VSCSIIF_ACT_SCSI_RESET:
 			scsiback_device_action(pending_req, TMR_LUN_RESET, 0);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 035/151] ACPI / LPSS: Always disable I2C host controllers
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 034/151] xen-scsiback: mark pvscsi frontend request consumed only after last read Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 036/151] ACPI / LPSS: Deassert resets for SPI host controllers on Braswell Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yu Chen, Mika Westerberg, Rafael J. Wysocki

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 3293c7b8ec213a640f5ea2e5efeaa2b7559b1e19 upstream.

On Baytrail and Braswell the BIOS might leave the I2C host controllers
enabled, probably because it uses them for its own purposes. This is fine
in normal cases because the I2C driver will disable the hardware when it
is probed anyway.

However, in case of suspend to disk it is different story. If the driver
happens to be compiled as a module the boot kernel never loads the driver
thus leaving host controllers enabled upon loading the hibernation image.

The I2C host controller interrupt mask register has default value of 0x8ff,
in other words it has most of the interrupts unmasked. When combined with
the fact that the host controller is enabled, the driver immediately starts
getting interrupts even before its resume hook is called (once IO-APIC is
resumed). Since the driver is not prepared for this it will crash the
kernel due to NULL pointer derefence because dev->msgs is NULL.

Unfortunately we were not able to get full backtrace to from the console
which could be reproduced here.

In order to fix this even when the driver is compiled as module, we disable
the I2C host controllers in byt_i2c_setup() before devices are created.

Reported-by: Yu Chen <yu.c.chen@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/acpi_lpss.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -105,6 +105,8 @@ static void lpss_uart_setup(struct lpss_
 	}
 }
 
+#define LPSS_I2C_ENABLE			0x6c
+
 static void byt_i2c_setup(struct lpss_private_data *pdata)
 {
 	unsigned int offset;
@@ -117,6 +119,8 @@ static void byt_i2c_setup(struct lpss_pr
 
 	if (readl(pdata->mmio_base + pdata->dev_desc->prv_offset))
 		pdata->fixed_clk_rate = 133000000;
+
+	writel(0, pdata->mmio_base + LPSS_I2C_ENABLE);
 }
 
 static struct lpss_device_desc lpt_dev_desc = {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 036/151] ACPI / LPSS: Deassert resets for SPI host controllers on Braswell
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 035/151] ACPI / LPSS: Always disable I2C host controllers Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 037/151] [media] lmedm04: Increase Interupt due time to 200 msec Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang A Fang, Mika Westerberg,
	Rafael J. Wysocki

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 3095794ae972bc6fc76af6cb3b864d6686b96094 upstream.

On some Braswell systems BIOS leaves resets for SPI host controllers
active. This prevents the SPI driver from transferring messages on wire.

Fix this in similar way that we do for I2C already by deasserting resets
for the SPI host controllers.

Reported-by: Yang A Fang <yang.a.fang@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/acpi_lpss.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -105,9 +105,7 @@ static void lpss_uart_setup(struct lpss_
 	}
 }
 
-#define LPSS_I2C_ENABLE			0x6c
-
-static void byt_i2c_setup(struct lpss_private_data *pdata)
+static void lpss_deassert_reset(struct lpss_private_data *pdata)
 {
 	unsigned int offset;
 	u32 val;
@@ -116,6 +114,13 @@ static void byt_i2c_setup(struct lpss_pr
 	val = readl(pdata->mmio_base + offset);
 	val |= LPSS_RESETS_RESET_APB | LPSS_RESETS_RESET_FUNC;
 	writel(val, pdata->mmio_base + offset);
+}
+
+#define LPSS_I2C_ENABLE			0x6c
+
+static void byt_i2c_setup(struct lpss_private_data *pdata)
+{
+	lpss_deassert_reset(pdata);
 
 	if (readl(pdata->mmio_base + pdata->dev_desc->prv_offset))
 		pdata->fixed_clk_rate = 133000000;
@@ -170,6 +175,12 @@ static struct lpss_device_desc byt_i2c_d
 	.setup = byt_i2c_setup,
 };
 
+static struct lpss_device_desc bsw_spi_dev_desc = {
+	.flags = LPSS_CLK | LPSS_CLK_GATE | LPSS_CLK_DIVIDER | LPSS_SAVE_CTX,
+	.prv_offset = 0x400,
+	.setup = lpss_deassert_reset,
+};
+
 #else
 
 #define LPSS_ADDR(desc) (0UL)
@@ -202,7 +213,7 @@ static const struct acpi_device_id acpi_
 	/* Braswell LPSS devices */
 	{ "80862288", LPSS_ADDR(byt_pwm_dev_desc) },
 	{ "8086228A", LPSS_ADDR(byt_uart_dev_desc) },
-	{ "8086228E", LPSS_ADDR(byt_spi_dev_desc) },
+	{ "8086228E", LPSS_ADDR(bsw_spi_dev_desc) },
 	{ "808622C1", LPSS_ADDR(byt_i2c_dev_desc) },
 
 	{ "INT3430", LPSS_ADDR(lpt_dev_desc) },



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 037/151] [media] lmedm04: Increase Interupt due time to 200 msec
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 036/151] ACPI / LPSS: Deassert resets for SPI host controllers on Braswell Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 038/151] [media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Malcolm Priestley, Mauro Carvalho Chehab

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvboxspy@gmail.com>

commit cfcd7b825892cb498c6bcb13257f2141f7eacb76 upstream.

Ocassionally the device fails to report back an interrupt urb status which
results in false no lock trigger on the RS2000 demodulator.

Increase time from 60 msecs to 200 msecs.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb-v2/lmedm04.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -344,9 +344,10 @@ static void lme2510_int_response(struct
 
 	usb_submit_urb(lme_urb, GFP_ATOMIC);
 
-	/* interrupt urb is due every 48 msecs while streaming
-	 *	add 12msecs for system lag */
-	st->int_urb_due = jiffies + msecs_to_jiffies(60);
+	/* Interrupt urb is due every 48 msecs while streaming the buffer
+	 * stores up to 4 periods if missed. Allow 200 msec for next interrupt.
+	 */
+	st->int_urb_due = jiffies + msecs_to_jiffies(200);
 }
 
 static int lme2510_int_read(struct dvb_usb_adapter *adap)



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 038/151] [media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 037/151] [media] lmedm04: Increase Interupt due time to 200 msec Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 039/151] [media] si2168: define symbol rate limits Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Malcolm Priestley, Mauro Carvalho Chehab

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvboxspy@gmail.com>

commit 15e1ce33182d1d5dbd8efe8d382b9352dc857527 upstream.

A quirk of some older firmwares that report endpoint pipe type as PIPE_BULK
but the endpoint otheriwse functions as interrupt.

Check if usb_endpoint_type is USB_ENDPOINT_XFER_BULK and set as usb_rcvbulkpipe.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb-v2/lmedm04.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -354,6 +354,7 @@ static int lme2510_int_read(struct dvb_u
 {
 	struct dvb_usb_device *d = adap_to_d(adap);
 	struct lme2510_state *lme_int = adap_to_priv(adap);
+	struct usb_host_endpoint *ep;
 
 	lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC);
 
@@ -375,6 +376,12 @@ static int lme2510_int_read(struct dvb_u
 				adap,
 				8);
 
+	/* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */
+	ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe);
+
+	if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
+		lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa),
+
 	lme_int->lme_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
 
 	usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 039/151] [media] si2168: define symbol rate limits
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 038/151] [media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 040/151] ALSA: off by one bug in snd_riptide_joystick_probe() Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Antti Palosaari, Mauro Carvalho Chehab

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antti Palosaari <crope@iki.fi>

commit f1ecc5d119530fce01094307e029ed7f2c9067d8 upstream.

w_scan complains about missing symbol rate limits:
This dvb driver is *buggy*: the symbol rate limits are undefined - please report to linuxtv.org

Chip supports 1 to 7.2 MSymbol/s on DVB-C.

Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/dvb-frontends/si2168.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/dvb-frontends/si2168.c
+++ b/drivers/media/dvb-frontends/si2168.c
@@ -605,6 +605,8 @@ static const struct dvb_frontend_ops si2
 	.delsys = {SYS_DVBT, SYS_DVBT2, SYS_DVBC_ANNEX_A},
 	.info = {
 		.name = "Silicon Labs Si2168",
+		.symbol_rate_min = 1000000,
+		.symbol_rate_max = 7200000,
 		.caps =	FE_CAN_FEC_1_2 |
 			FE_CAN_FEC_2_3 |
 			FE_CAN_FEC_3_4 |



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 040/151] ALSA: off by one bug in snd_riptide_joystick_probe()
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 039/151] [media] si2168: define symbol rate limits Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 041/151] ALSA: hda - Set up GPIO for Toshiba Satellite S50D Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Takashi Iwai

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit e4940626defdf6c92da1052ad3f12741c1a28c90 upstream.

The problem here is that we check:

	if (dev >= SNDRV_CARDS)

Then we increment "dev".

       if (!joystick_port[dev++])

Then we use it as an offset into a array with SNDRV_CARDS elements.

	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {

This has 3 effects:
1) If you use the module option to specify the joystick port then it has
   to be shifted one space over.
2) The wrong error message will be printed on failure if you have over
   32 cards.
3) Static checkers will correctly complain that are off by one.

Fixes: db1005ec6ff8 ('ALSA: riptide - Fix joystick resource handling')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/riptide/riptide.c |   27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

--- a/sound/pci/riptide/riptide.c
+++ b/sound/pci/riptide/riptide.c
@@ -2030,32 +2030,43 @@ snd_riptide_joystick_probe(struct pci_de
 {
 	static int dev;
 	struct gameport *gameport;
+	int ret;
 
 	if (dev >= SNDRV_CARDS)
 		return -ENODEV;
+
 	if (!enable[dev]) {
-		dev++;
-		return -ENOENT;
+		ret = -ENOENT;
+		goto inc_dev;
 	}
 
-	if (!joystick_port[dev++])
-		return 0;
+	if (!joystick_port[dev]) {
+		ret = 0;
+		goto inc_dev;
+	}
 
 	gameport = gameport_allocate_port();
-	if (!gameport)
-		return -ENOMEM;
+	if (!gameport) {
+		ret = -ENOMEM;
+		goto inc_dev;
+	}
 	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {
 		snd_printk(KERN_WARNING
 			   "Riptide: cannot grab gameport 0x%x\n",
 			   joystick_port[dev]);
 		gameport_free_port(gameport);
-		return -EBUSY;
+		ret = -EBUSY;
+		goto inc_dev;
 	}
 
 	gameport->io = joystick_port[dev];
 	gameport_register_port(gameport);
 	pci_set_drvdata(pci, gameport);
-	return 0;
+
+	ret = 0;
+inc_dev:
+	dev++;
+	return ret;
 }
 
 static void snd_riptide_joystick_remove(struct pci_dev *pci)



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 041/151] ALSA: hda - Set up GPIO for Toshiba Satellite S50D
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 040/151] ALSA: off by one bug in snd_riptide_joystick_probe() Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 042/151] ALSA: hda - enable mute led quirk for one more hp machine Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 4227de2a7e5f0ff6a58e919a9c4f2bb06e882f48 upstream.

Toshiba Satellite S50D laptop with an IDT codec uses the GPIO4 (0x10)
as the master EAPD.

Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=915858
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_sigmatel.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/sound/pci/hda/patch_sigmatel.c
+++ b/sound/pci/hda/patch_sigmatel.c
@@ -99,6 +99,7 @@ enum {
 	STAC_HP_ENVY_BASS,
 	STAC_HP_BNB13_EQ,
 	STAC_HP_ENVY_TS_BASS,
+	STAC_92HD83XXX_GPIO10_EAPD,
 	STAC_92HD83XXX_MODELS
 };
 
@@ -2141,6 +2142,19 @@ static void stac92hd83xxx_fixup_headset_
 		spec->headset_jack = 1;
 }
 
+static void stac92hd83xxx_fixup_gpio10_eapd(struct hda_codec *codec,
+					    const struct hda_fixup *fix,
+					    int action)
+{
+	struct sigmatel_spec *spec = codec->spec;
+
+	if (action != HDA_FIXUP_ACT_PRE_PROBE)
+		return;
+	spec->eapd_mask = spec->gpio_mask = spec->gpio_dir =
+		spec->gpio_data = 0x10;
+	spec->eapd_switch = 0;
+}
+
 static const struct hda_verb hp_bnb13_eq_verbs[] = {
 	/* 44.1KHz base */
 	{ 0x22, 0x7A6, 0x3E },
@@ -2656,6 +2670,10 @@ static const struct hda_fixup stac92hd83
 			{}
 		},
 	},
+	[STAC_92HD83XXX_GPIO10_EAPD] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = stac92hd83xxx_fixup_gpio10_eapd,
+	},
 };
 
 static const struct hda_model_fixup stac92hd83xxx_models[] = {
@@ -2861,6 +2879,8 @@ static const struct snd_pci_quirk stac92
 	SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x148a,
 		      "HP Mini", STAC_92HD83XXX_HP_LED),
 	SND_PCI_QUIRK_VENDOR(PCI_VENDOR_ID_HP, "HP", STAC_92HD83XXX_HP),
+	SND_PCI_QUIRK(PCI_VENDOR_ID_TOSHIBA, 0xfa91,
+		      "Toshiba Satellite S50D", STAC_92HD83XXX_GPIO10_EAPD),
 	{} /* terminator */
 };
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 042/151] ALSA: hda - enable mute led quirk for one more hp machine.
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 041/151] ALSA: hda - Set up GPIO for Toshiba Satellite S50D Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 043/151] ALSA: hdspm - Constrain periods to 2 on older cards Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Taihsiang Ho, Hui Wang, Takashi Iwai

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit 7976eb49cbd138d8014fa02682d8f969ad1e9ff2 upstream.

Otherwise, the mute led can't work at all.

Tested-by: Taihsiang Ho <taihsiang.ho@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1410704
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4805,6 +4805,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x18e6, "HP", ALC269_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x218b, "HP", ALC269_FIXUP_LIMIT_INT_MIC_BOOST_MUTE_LED),
 	/* ALC282 */
+	SND_PCI_QUIRK(0x103c, 0x21f9, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
 	SND_PCI_QUIRK(0x103c, 0x2210, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
 	SND_PCI_QUIRK(0x103c, 0x2214, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
 	SND_PCI_QUIRK(0x103c, 0x2236, "HP", ALC269_FIXUP_HP_LINE1_MIC1_LED),



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 043/151] ALSA: hdspm - Constrain periods to 2 on older cards
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 042/151] ALSA: hda - enable mute led quirk for one more hp machine Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 044/151] power_supply: 88pm860x: Fix leaked power supply on probe fail Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Adrian Knoth, Takashi Iwai

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Knoth <adi@drcomp.erfurt.thur.de>

commit f0153c3d948c1764f6c920a0675d86fc1d75813e upstream.

RME RayDAT and AIO use a fixed buffer size of 16384 samples. With period
sizes of 32-4096, this translates to 4-512 periods.

The older RME cards have a variable buffer size but require exactly two
periods.

This patch enforces nperiods=2 on those cards.

Signed-off-by: Adrian Knoth <adi@drcomp.erfurt.thur.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/rme9652/hdspm.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -6114,6 +6114,9 @@ static int snd_hdspm_playback_open(struc
 		snd_pcm_hw_constraint_minmax(runtime,
 					     SNDRV_PCM_HW_PARAM_PERIOD_SIZE,
 					     64, 8192);
+		snd_pcm_hw_constraint_minmax(runtime,
+					     SNDRV_PCM_HW_PARAM_PERIODS,
+					     2, 2);
 		break;
 	}
 
@@ -6188,6 +6191,9 @@ static int snd_hdspm_capture_open(struct
 		snd_pcm_hw_constraint_minmax(runtime,
 					     SNDRV_PCM_HW_PARAM_PERIOD_SIZE,
 					     64, 8192);
+		snd_pcm_hw_constraint_minmax(runtime,
+					     SNDRV_PCM_HW_PARAM_PERIODS,
+					     2, 2);
 		break;
 	}
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 044/151] power_supply: 88pm860x: Fix leaked power supply on probe fail
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 043/151] ALSA: hdspm - Constrain periods to 2 on older cards Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:12 ` [PATCH 3.18 045/151] power: bq24190: Fix ignored supplicants Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Sebastian Reichel

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit 24727b45b484e8937dcde53fa8d1aa70ac30ec0c upstream.

Driver forgot to unregister power supply if request_threaded_irq()
failed in probe(). In such case the memory associated with power supply
leaked.

Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Fixes: a830d28b48bf ("power_supply: Enable battery-charger for 88pm860x")
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/power/88pm860x_charger.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/power/88pm860x_charger.c
+++ b/drivers/power/88pm860x_charger.c
@@ -711,6 +711,7 @@ static int pm860x_charger_probe(struct p
 	return 0;
 
 out_irq:
+	power_supply_unregister(&info->usb);
 	while (--i >= 0)
 		free_irq(info->irq[i], info);
 out:



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 045/151] power: bq24190: Fix ignored supplicants
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 044/151] power_supply: 88pm860x: Fix leaked power supply on probe fail Greg Kroah-Hartman
@ 2015-03-04  6:12 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 046/151] power: gpio-charger: balance enable/disable_irq_wake calls Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Sebastian Reichel

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit 478913fdbdfd4a781d91c993eb86838620fe7421 upstream.

The driver mismatched 'num_supplicants' with 'num_supplies' of
power_supply structure.

It provided list of supplicants (power_supply.supplied_to) but did
not set the number of supplicants. Instead it set the num_supplies which
is used when iterating over number of supplies (power_supply.supplied_from).

As a result the list of supplicants was ignored by core because its size
was 0.

Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Fixes: d7bf353fd0aa ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/power/bq24190_charger.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -929,7 +929,7 @@ static void bq24190_charger_init(struct
 	charger->properties = bq24190_charger_properties;
 	charger->num_properties = ARRAY_SIZE(bq24190_charger_properties);
 	charger->supplied_to = bq24190_charger_supplied_to;
-	charger->num_supplies = ARRAY_SIZE(bq24190_charger_supplied_to);
+	charger->num_supplicants = ARRAY_SIZE(bq24190_charger_supplied_to);
 	charger->get_property = bq24190_charger_get_property;
 	charger->set_property = bq24190_charger_set_property;
 	charger->property_is_writeable = bq24190_charger_property_is_writeable;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 046/151] power: gpio-charger: balance enable/disable_irq_wake calls
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2015-03-04  6:12 ` [PATCH 3.18 045/151] power: bq24190: Fix ignored supplicants Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 047/151] megaraid_sas: endianness related bug fixes and code optimization Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Eremin-Solenikov, Sebastian Reichel

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

commit faeed51bb65ce0241052d8dc24ac331ade12e976 upstream.

enable_irq_wakeup returns 0 in case it correctly enabled the IRQ to
generate the wakeup event (and thus resume should call disable_irq_wake).
Currently gpio-charger driver has this logic inverted. Correct that thus
correcting enable/disable_irq_wake() calls balance.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/power/gpio-charger.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/power/gpio-charger.c
+++ b/drivers/power/gpio-charger.c
@@ -168,7 +168,7 @@ static int gpio_charger_suspend(struct d
 
 	if (device_may_wakeup(dev))
 		gpio_charger->wakeup_enabled =
-			enable_irq_wake(gpio_charger->irq);
+			!enable_irq_wake(gpio_charger->irq);
 
 	return 0;
 }
@@ -178,7 +178,7 @@ static int gpio_charger_resume(struct de
 	struct platform_device *pdev = to_platform_device(dev);
 	struct gpio_charger *gpio_charger = platform_get_drvdata(pdev);
 
-	if (gpio_charger->wakeup_enabled)
+	if (device_may_wakeup(dev) && gpio_charger->wakeup_enabled)
 		disable_irq_wake(gpio_charger->irq);
 	power_supply_changed(&gpio_charger->charger);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 047/151] megaraid_sas: endianness related bug fixes and code optimization
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 046/151] power: gpio-charger: balance enable/disable_irq_wake calls Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 048/151] megaraid_sas: fix the problem of non-existing VD exposed to host Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kashyap Desai, Sumit Saxena,
	Chaitra Basappa, Martin K. Petersen, Christoph Hellwig

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Sumit.Saxena@avagotech.com" <Sumit.Saxena@avagotech.com>

commit 200aed582d6170a2687cd69095469b663f69f16f upstream.

This patch addresses below issues:

1) Few endianness bug fixes.
2) Break the iteration after (MAX_LOGICAL_DRIVES_EXT - 1)),
   instead of MAX_LOGICAL_DRIVES_EXT.
3) Optimization in MFI INIT frame before firing.
4) MFI IO frame should be 256bytes aligned.  Code is optimized to reduce
   the size of frame for fusion adapters and make the MFI frame size
   calculation a bit transparent and readable.

Signed-off-by: Kashyap Desai <kashyap.desai@avagotech.com>
Signed-off-by: Sumit Saxena <sumit.saxena@avagotech.com>
Signed-off-by: Chaitra Basappa <chaitra.basappa@avagotech.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/megaraid/megaraid_sas_base.c   |   24 +++++++++++-------------
 drivers/scsi/megaraid/megaraid_sas_fp.c     |   14 ++++++++------
 drivers/scsi/megaraid/megaraid_sas_fusion.c |    7 +++----
 drivers/scsi/megaraid/megaraid_sas_fusion.h |    9 ++-------
 4 files changed, 24 insertions(+), 30 deletions(-)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3556,7 +3556,6 @@ static int megasas_create_frame_pool(str
 	int i;
 	u32 max_cmd;
 	u32 sge_sz;
-	u32 sgl_sz;
 	u32 total_sz;
 	u32 frame_count;
 	struct megasas_cmd *cmd;
@@ -3575,24 +3574,23 @@ static int megasas_create_frame_pool(str
 	}
 
 	/*
-	 * Calculated the number of 64byte frames required for SGL
+	 * For MFI controllers.
+	 * max_num_sge = 60
+	 * max_sge_sz  = 16 byte (sizeof megasas_sge_skinny)
+	 * Total 960 byte (15 MFI frame of 64 byte)
+	 *
+	 * Fusion adapter require only 3 extra frame.
+	 * max_num_sge = 16 (defined as MAX_IOCTL_SGE)
+	 * max_sge_sz  = 12 byte (sizeof  megasas_sge64)
+	 * Total 192 byte (3 MFI frame of 64 byte)
 	 */
-	sgl_sz = sge_sz * instance->max_num_sge;
-	frame_count = (sgl_sz + MEGAMFI_FRAME_SIZE - 1) / MEGAMFI_FRAME_SIZE;
-	frame_count = 15;
-
-	/*
-	 * We need one extra frame for the MFI command
-	 */
-	frame_count++;
-
+	frame_count = instance->ctrl_context ? (3 + 1) : (15 + 1);
 	total_sz = MEGAMFI_FRAME_SIZE * frame_count;
 	/*
 	 * Use DMA pool facility provided by PCI layer
 	 */
 	instance->frame_dma_pool = pci_pool_create("megasas frame pool",
-						   instance->pdev, total_sz, 64,
-						   0);
+					instance->pdev, total_sz, 256, 0);
 
 	if (!instance->frame_dma_pool) {
 		printk(KERN_DEBUG "megasas: failed to setup frame pool\n");
--- a/drivers/scsi/megaraid/megaraid_sas_fp.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fp.c
@@ -170,6 +170,7 @@ void MR_PopulateDrvRaidMap(struct megasa
 	struct MR_FW_RAID_MAP_ALL     *fw_map_old    = NULL;
 	struct MR_FW_RAID_MAP         *pFwRaidMap    = NULL;
 	int i;
+	u16 ld_count;
 
 
 	struct MR_DRV_RAID_MAP_ALL *drv_map =
@@ -189,9 +190,10 @@ void MR_PopulateDrvRaidMap(struct megasa
 		fw_map_old = (struct MR_FW_RAID_MAP_ALL *)
 			fusion->ld_map[(instance->map_id & 1)];
 		pFwRaidMap = &fw_map_old->raidMap;
+		ld_count = (u16)le32_to_cpu(pFwRaidMap->ldCount);
 
 #if VD_EXT_DEBUG
-		for (i = 0; i < le16_to_cpu(pFwRaidMap->ldCount); i++) {
+		for (i = 0; i < ld_count; i++) {
 			dev_dbg(&instance->pdev->dev, "(%d) :Index 0x%x "
 				"Target Id 0x%x Seq Num 0x%x Size 0/%llx\n",
 				instance->unique_id, i,
@@ -203,12 +205,12 @@ void MR_PopulateDrvRaidMap(struct megasa
 
 		memset(drv_map, 0, fusion->drv_map_sz);
 		pDrvRaidMap->totalSize = pFwRaidMap->totalSize;
-		pDrvRaidMap->ldCount = (__le16)pFwRaidMap->ldCount;
+		pDrvRaidMap->ldCount = (__le16)cpu_to_le16(ld_count);
 		pDrvRaidMap->fpPdIoTimeoutSec = pFwRaidMap->fpPdIoTimeoutSec;
 		for (i = 0; i < MAX_RAIDMAP_LOGICAL_DRIVES + MAX_RAIDMAP_VIEWS; i++)
 			pDrvRaidMap->ldTgtIdToLd[i] =
 				(u8)pFwRaidMap->ldTgtIdToLd[i];
-		for (i = 0; i < le16_to_cpu(pDrvRaidMap->ldCount); i++) {
+		for (i = 0; i < ld_count; i++) {
 			pDrvRaidMap->ldSpanMap[i] = pFwRaidMap->ldSpanMap[i];
 #if VD_EXT_DEBUG
 			dev_dbg(&instance->pdev->dev,
@@ -250,7 +252,7 @@ u8 MR_ValidateMapInfo(struct megasas_ins
 	struct LD_LOAD_BALANCE_INFO *lbInfo;
 	PLD_SPAN_INFO ldSpanInfo;
 	struct MR_LD_RAID         *raid;
-	int ldCount, num_lds;
+	u16 ldCount, num_lds;
 	u16 ld;
 	u32 expected_size;
 
@@ -354,7 +356,7 @@ static int getSpanInfo(struct MR_DRV_RAI
 
 	for (ldCount = 0; ldCount < MAX_LOGICAL_DRIVES_EXT; ldCount++) {
 		ld = MR_TargetIdToLdGet(ldCount, map);
-			if (ld >= MAX_LOGICAL_DRIVES_EXT)
+			if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1))
 				continue;
 		raid = MR_LdRaidGet(ld, map);
 		dev_dbg(&instance->pdev->dev, "LD %x: span_depth=%x\n",
@@ -1155,7 +1157,7 @@ void mr_update_span_set(struct MR_DRV_RA
 
 	for (ldCount = 0; ldCount < MAX_LOGICAL_DRIVES_EXT; ldCount++) {
 		ld = MR_TargetIdToLdGet(ldCount, map);
-		if (ld >= MAX_LOGICAL_DRIVES_EXT)
+		if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1))
 			continue;
 		raid = MR_LdRaidGet(ld, map);
 		for (element = 0; element < MAX_QUAD_DEPTH; element++) {
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -696,12 +696,11 @@ megasas_ioc_init_fusion(struct megasas_i
 		cpu_to_le32(lower_32_bits(ioc_init_handle));
 	init_frame->data_xfer_len = cpu_to_le32(sizeof(struct MPI2_IOC_INIT_REQUEST));
 
-	req_desc.Words = 0;
+	req_desc.u.low = cpu_to_le32(lower_32_bits(cmd->frame_phys_addr));
+	req_desc.u.high = cpu_to_le32(upper_32_bits(cmd->frame_phys_addr));
 	req_desc.MFAIo.RequestFlags =
 		(MEGASAS_REQ_DESCRIPT_FLAGS_MFA <<
-		 MEGASAS_REQ_DESCRIPT_FLAGS_TYPE_SHIFT);
-	cpu_to_le32s((u32 *)&req_desc.MFAIo);
-	req_desc.Words |= cpu_to_le64(cmd->frame_phys_addr);
+		MEGASAS_REQ_DESCRIPT_FLAGS_TYPE_SHIFT);
 
 	/*
 	 * disable the intr before firing the init frame
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.h
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.h
@@ -304,14 +304,9 @@ struct MPI2_RAID_SCSI_IO_REQUEST {
  * MPT RAID MFA IO Descriptor.
  */
 struct MEGASAS_RAID_MFA_IO_REQUEST_DESCRIPTOR {
-#if   defined(__BIG_ENDIAN_BITFIELD)
-	u32     MessageAddress1:24; /* bits 31:8*/
 	u32     RequestFlags:8;
-#else
-	u32     RequestFlags:8;
-	u32     MessageAddress1:24; /* bits 31:8*/
-#endif
-	u32     MessageAddress2;      /* bits 61:32 */
+	u32     MessageAddress1:24;
+	u32     MessageAddress2;
 };
 
 /* Default Request Descriptor */



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 048/151] megaraid_sas: fix the problem of non-existing VD exposed to host
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 047/151] megaraid_sas: endianness related bug fixes and code optimization Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 049/151] megaraid_sas: disable interrupt_mask before enabling hardware interrupts Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kashyap Desai, Sumit Saxena,
	Martin K. Petersen, Christoph Hellwig

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Sumit.Saxena@avagotech.com" <Sumit.Saxena@avagotech.com>

commit ab2f0608e16d64a23a2dcc8d83b966a0e0a281f3 upstream.

This patch will address the issue of SCSI device created at OS level for
non existing VD. ldTgtIdtoLd[] array has size 256 for Extended VD firmware
and 128 for legacy firmware. Accessing indices beyond array size (OS will
send TUR, INQUIRY.. commands upto device index 255), may return valid LD
value and that particular SCSI command will be SUCCESS and creating SCSI
device for non existing target(VD).

For legacy firmware (64 VD firmware), invalidates LD (by setting LD value
to 0xff) in LdTgtIdtoLd[] array for device index beyond 127, so that
invalid LD(0xff) value should be returned beyond device index beyond 127.

Signed-off-by: Kashyap Desai <kashyap.desai@avagotech.com>
Signed-off-by: Sumit Saxena <sumit.saxena@avagotech.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/megaraid/megaraid_sas_fp.c     |    3 +++
 drivers/scsi/megaraid/megaraid_sas_fusion.c |   14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/scsi/megaraid/megaraid_sas_fp.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fp.c
@@ -210,6 +210,9 @@ void MR_PopulateDrvRaidMap(struct megasa
 		for (i = 0; i < MAX_RAIDMAP_LOGICAL_DRIVES + MAX_RAIDMAP_VIEWS; i++)
 			pDrvRaidMap->ldTgtIdToLd[i] =
 				(u8)pFwRaidMap->ldTgtIdToLd[i];
+		for (i = (MAX_RAIDMAP_LOGICAL_DRIVES + MAX_RAIDMAP_VIEWS);
+			i < MAX_LOGICAL_DRIVES_EXT; i++)
+			pDrvRaidMap->ldTgtIdToLd[i] = 0xff;
 		for (i = 0; i < ld_count; i++) {
 			pDrvRaidMap->ldSpanMap[i] = pFwRaidMap->ldSpanMap[i];
 #if VD_EXT_DEBUG
--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -1752,9 +1752,19 @@ megasas_build_dcdb_fusion(struct megasas
 		if (scmd->device->channel < MEGASAS_MAX_PD_CHANNELS)
 			goto NonFastPath;
 
+		/*
+		 * For older firmware, Driver should not access ldTgtIdToLd
+		 * beyond index 127 and for Extended VD firmware, ldTgtIdToLd
+		 * should not go beyond 255.
+		 */
+
+		if ((!fusion->fast_path_io) ||
+			(device_id >= instance->fw_supported_vd_count))
+			goto NonFastPath;
+
 		ld = MR_TargetIdToLdGet(device_id, local_map_ptr);
-		if ((ld >= instance->fw_supported_vd_count) ||
-			(!fusion->fast_path_io))
+
+		if (ld >= instance->fw_supported_vd_count)
 			goto NonFastPath;
 
 		raid = MR_LdRaidGet(ld, local_map_ptr);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 049/151] megaraid_sas: disable interrupt_mask before enabling hardware interrupts
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 048/151] megaraid_sas: fix the problem of non-existing VD exposed to host Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 051/151] [media] timberdale: do not select TIMB_DMA Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sumit Saxena, Chaitra Basappa,
	Martin K. Petersen, Christoph Hellwig

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Sumit.Saxena@avagotech.com" <Sumit.Saxena@avagotech.com>

commit c2ced1719a1b903350955a511e1666e6d05a7f5b upstream.

Update driver "mask_interrupts" before enable/disable hardware interrupt
in order to avoid missing interrupts because of "mask_interrupts" still
set to 1 and hardware interrupts are enabled.

Signed-off-by: Sumit Saxena <sumit.saxena@avagotech.com>
Signed-off-by: Chaitra Basappa <chaitra.basappa@avagotech.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/megaraid/megaraid_sas_fusion.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
@@ -101,6 +101,8 @@ megasas_enable_intr_fusion(struct megasa
 {
 	struct megasas_register_set __iomem *regs;
 	regs = instance->reg_set;
+
+	instance->mask_interrupts = 0;
 	/* For Thunderbolt/Invader also clear intr on enable */
 	writel(~0, &regs->outbound_intr_status);
 	readl(&regs->outbound_intr_status);
@@ -109,7 +111,6 @@ megasas_enable_intr_fusion(struct megasa
 
 	/* Dummy readl to force pci flush */
 	readl(&regs->outbound_intr_mask);
-	instance->mask_interrupts = 0;
 }
 
 /**



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 051/151] [media] timberdale: do not select TIMB_DMA
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 049/151] megaraid_sas: disable interrupt_mask before enabling hardware interrupts Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 059/151] mmc: sdhci-pxav3: fix unbalanced clock issues during probe Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Hans Verkuil,
	Mauro Carvalho Chehab

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 244829226f47ffb4d6009a2ccd2771cd149d8114 upstream.

The timberdale media driver requires the use of the respective
dma engine driver, but that may not be enabled, causing a
Kconfig warning:

warning: (VIDEO_TIMBERDALE) selects TIMB_DMA which has unmet direct dependencies (DMADEVICES && MFD_TIMBERDALE)

This fixes the dependency by removing the inappropriate 'select'
statement and replacing it with a direct dependency on the
drivers that provide the services this needs.

Fixes: 7155043c2d027 ("[media] enable COMPILE_TEST for media drivers")

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/Kconfig |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/media/platform/Kconfig
+++ b/drivers/media/platform/Kconfig
@@ -56,10 +56,8 @@ config VIDEO_VIU
 
 config VIDEO_TIMBERDALE
 	tristate "Support for timberdale Video In/LogiWIN"
-	depends on VIDEO_V4L2 && I2C && DMADEVICES
-	depends on MFD_TIMBERDALE || COMPILE_TEST
-	select DMA_ENGINE
-	select TIMB_DMA
+	depends on VIDEO_V4L2 && I2C
+	depends on (MFD_TIMBERDALE && TIMB_DMA) || COMPILE_TEST
 	select VIDEO_ADV7180
 	select VIDEOBUF_DMA_CONTIG
 	---help---



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 059/151] mmc: sdhci-pxav3: fix unbalanced clock issues during probe
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 051/151] [media] timberdale: do not select TIMB_DMA Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 060/151] mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jisheng Zhang, Ulf Hansson

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jisheng Zhang <jszhang@marvell.com>

commit 62cf983ad84275f8580c807e5e596216c46773cf upstream.

Commit 0dcaa2499b7d ("sdhci-pxav3: Fix runtime PM initialization") tries
to fix one hang issue caused by calling sdhci_add_host() on a suspended
device. The fix enables the clock twice, once by clk_prepare_enable() and
another by pm_runtime_get_sync(), meaning that the clock will never be
gated at runtime PM suspend. I observed the power consumption regression on
Marvell BG2Q SoCs.

In fact, the fix is not correct. There still be a very small window
during which a runtime suspend might somehow occur after pm_runtime_enable()
but before pm_runtime_get_sync().

This patch fixes all of the two problems by just incrementing the usage
counter before pm_runtime_enable(). It also adjust the order of disabling
runtime pm and storing the usage count in the error path to handle clock
gating properly.

Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-pxav3.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -355,10 +355,11 @@ static int sdhci_pxav3_probe(struct plat
 		}
 	}
 
-	pm_runtime_enable(&pdev->dev);
-	pm_runtime_get_sync(&pdev->dev);
+	pm_runtime_get_noresume(&pdev->dev);
+	pm_runtime_set_active(&pdev->dev);
 	pm_runtime_set_autosuspend_delay(&pdev->dev, PXAV3_RPM_DELAY_MS);
 	pm_runtime_use_autosuspend(&pdev->dev);
+	pm_runtime_enable(&pdev->dev);
 	pm_suspend_ignore_children(&pdev->dev, 1);
 
 	ret = sdhci_add_host(host);
@@ -381,8 +382,8 @@ static int sdhci_pxav3_probe(struct plat
 	return 0;
 
 err_add_host:
-	pm_runtime_put_sync(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
+	pm_runtime_put_noidle(&pdev->dev);
 err_of_parse:
 err_cd_req:
 	clk_disable_unprepare(clk);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 060/151] mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 059/151] mmc: sdhci-pxav3: fix unbalanced clock issues during probe Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 061/151] mmc: sdhci-pxav3: Fix SDR50 and DDR50 capabilities for the Armada 38x flavor Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jisheng Zhang, Ulf Hansson

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jisheng Zhang <jszhang@marvell.com>

commit 14460dbaf7a5a0488963fdb8232ad5c8a8cca7b7 upstream.

Current code checks "clk_delay_cycles > 0" to know whether the optional
"mrvl,clk_delay_cycles" is set or not. But of_property_read_u32() doesn't
touch clk_delay_cycles if the property is not set. And type of
clk_delay_cycles is u32, so we may always set pdata->clk_delay_cycles as a
random value.

This patch fix this problem by check the return value of of_property_read_u32()
to know whether the optional clk-delay-cycles is set or not.

Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-pxav3.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -261,8 +261,8 @@ static struct sdhci_pxa_platdata *pxav3_
 	if (!pdata)
 		return NULL;
 
-	of_property_read_u32(np, "mrvl,clk-delay-cycles", &clk_delay_cycles);
-	if (clk_delay_cycles > 0)
+	if (!of_property_read_u32(np, "mrvl,clk-delay-cycles",
+				  &clk_delay_cycles))
 		pdata->clk_delay_cycles = clk_delay_cycles;
 
 	return pdata;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 061/151] mmc: sdhci-pxav3: Fix SDR50 and DDR50 capabilities for the Armada 38x flavor
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 060/151] mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 062/151] mmc: sdhci-pxav3: Fix Armada 38x controllers caps according to erratum ERR-7878951 Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gregory CLEMENT, Marcin Wojtas, Ulf Hansson

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gregory CLEMENT <gregory.clement@free-electrons.com>

commit d4b803c559843e3774736e5108cf6331cf75f64c upstream.

According to erratum 'FE-2946959' both SDR50 and DDR50 modes require
specific clock adjustments in SDIO3 Configuration register. However,
this register was not part of the device tree binding. Even if the
binding can (and will) be extended we still need handling the case
where this register was not available. In this case we use the
SDHCI_QUIRK_MISSING_CAPS quirk remove them from the capabilities.

This commit is based on the work done by Marcin Wojtas<mw@semihalf.com>

Fixes: 5491ce3f79ee ("mmc: sdhci-pxav3: add support for the Armada 38x SDHCI controller")
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Marcin Wojtas <mw@semihalf.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-pxav3.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -112,6 +112,20 @@ static int mv_conf_mbus_windows(struct p
 	return 0;
 }
 
+static int armada_38x_quirks(struct sdhci_host *host)
+{
+	host->quirks |= SDHCI_QUIRK_MISSING_CAPS;
+	/*
+	 * According to erratum 'FE-2946959' both SDR50 and DDR50
+	 * modes require specific clock adjustments in SDIO3
+	 * Configuration register, if the adjustment is not done,
+	 * remove them from the capabilities.
+	 */
+	host->caps1 = sdhci_readl(host, SDHCI_CAPABILITIES_1);
+	host->caps1 &= ~(SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50);
+	return 0;
+}
+
 static void pxav3_reset(struct sdhci_host *host, u8 mask)
 {
 	struct platform_device *pdev = to_platform_device(mmc_dev(host->mmc));
@@ -296,6 +310,9 @@ static int sdhci_pxav3_probe(struct plat
 		return PTR_ERR(host);
 
 	if (of_device_is_compatible(np, "marvell,armada-380-sdhci")) {
+		ret = armada_38x_quirks(host);
+		if (ret < 0)
+			goto err_clk_get;
 		ret = mv_conf_mbus_windows(pdev, mv_mbus_dram_info());
 		if (ret < 0)
 			goto err_mbus_win;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 062/151] mmc: sdhci-pxav3: Fix Armada 38x controllers caps according to erratum ERR-7878951
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 061/151] mmc: sdhci-pxav3: Fix SDR50 and DDR50 capabilities for the Armada 38x flavor Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 063/151] proc/pagemap: walk page tables under pte lock Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gregory CLEMENT, Ulf Hansson

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcin Wojtas <mw@semihalf.com>

commit a39128bcd6f1e56c6514abf489b40b67d226093b upstream.

According to erratum 'ERR-7878951' Armada 38x SDHCI controller has
different capabilities than the ones shown in its registers:

- it doesn't support the voltage switching: it can work either with
  3.3V or 1.8V supply
- it doesn't support the SDR104 mode
- SDR50 mode doesn't need tuning

The SDHCI_QUIRK_MISSING_CAPS quirk is used for updating the
capabilities accordingly.

[gregory.clement@free-electrons.com: port from 3.10]

Fixes: 5491ce3f79ee ("mmc: sdhci-pxav3: add support for the Armada 38x SDHCI controller")

Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-pxav3.c |   28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -112,8 +112,11 @@ static int mv_conf_mbus_windows(struct p
 	return 0;
 }
 
-static int armada_38x_quirks(struct sdhci_host *host)
+static int armada_38x_quirks(struct platform_device *pdev,
+			     struct sdhci_host *host)
 {
+	struct device_node *np = pdev->dev.of_node;
+
 	host->quirks |= SDHCI_QUIRK_MISSING_CAPS;
 	/*
 	 * According to erratum 'FE-2946959' both SDR50 and DDR50
@@ -123,6 +126,21 @@ static int armada_38x_quirks(struct sdhc
 	 */
 	host->caps1 = sdhci_readl(host, SDHCI_CAPABILITIES_1);
 	host->caps1 &= ~(SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50);
+
+	/*
+	 * According to erratum 'ERR-7878951' Armada 38x SDHCI
+	 * controller has different capabilities than the ones shown
+	 * in its registers
+	 */
+	host->caps = sdhci_readl(host, SDHCI_CAPABILITIES);
+	if (of_property_read_bool(np, "no-1-8-v")) {
+		host->caps &= ~SDHCI_CAN_VDD_180;
+		host->mmc->caps &= ~MMC_CAP_1_8V_DDR;
+	} else {
+		host->caps &= ~SDHCI_CAN_VDD_330;
+	}
+	host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_USE_SDR50_TUNING);
+
 	return 0;
 }
 
@@ -309,8 +327,11 @@ static int sdhci_pxav3_probe(struct plat
 	if (IS_ERR(host))
 		return PTR_ERR(host);
 
+	/* enable 1/8V DDR capable */
+	host->mmc->caps |= MMC_CAP_1_8V_DDR;
+
 	if (of_device_is_compatible(np, "marvell,armada-380-sdhci")) {
-		ret = armada_38x_quirks(host);
+		ret = armada_38x_quirks(pdev, host);
 		if (ret < 0)
 			goto err_clk_get;
 		ret = mv_conf_mbus_windows(pdev, mv_mbus_dram_info());
@@ -331,9 +352,6 @@ static int sdhci_pxav3_probe(struct plat
 	pltfm_host->clk = clk;
 	clk_prepare_enable(clk);
 
-	/* enable 1/8V DDR capable */
-	host->mmc->caps |= MMC_CAP_1_8V_DDR;
-
 	match = of_match_device(of_match_ptr(sdhci_pxav3_of_match), &pdev->dev);
 	if (match) {
 		ret = mmc_of_parse(host->mmc);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 063/151] proc/pagemap: walk page tables under pte lock
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 062/151] mmc: sdhci-pxav3: Fix Armada 38x controllers caps according to erratum ERR-7878951 Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 064/151] nfs: dont call blocking operations while !TASK_RUNNING Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov,
	Andrey Ryabinin, Cyrill Gorcunov, Naoya Horiguchi,
	Kirill A. Shutemov, Andrew Morton, Linus Torvalds

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit 05fbf357d94152171bc50f8a369390f1f16efd89 upstream.

Lockless access to pte in pagemap_pte_range() might race with page
migration and trigger BUG_ON(!PageLocked()) in migration_entry_to_page():

CPU A (pagemap)                           CPU B (migration)
                                          lock_page()
                                          try_to_unmap(page, TTU_MIGRATION...)
                                               make_migration_entry()
                                               set_pte_at()
<read *pte>
pte_to_pagemap_entry()
                                          remove_migration_ptes()
                                          unlock_page()
    if(is_migration_entry())
        migration_entry_to_page()
            BUG_ON(!PageLocked(page))

Also lockless read might be non-atomic if pte is larger than wordsize.
Other pte walkers (smaps, numa_maps, clear_refs) already lock ptes.

Fixes: 052fb0d635df ("proc: report file/anon bit in /proc/pid/pagemap")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reported-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/task_mmu.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -1034,7 +1034,7 @@ static int pagemap_pte_range(pmd_t *pmd,
 	struct vm_area_struct *vma;
 	struct pagemapread *pm = walk->private;
 	spinlock_t *ptl;
-	pte_t *pte;
+	pte_t *pte, *orig_pte;
 	int err = 0;
 
 	/* find the first VMA at or above 'addr' */
@@ -1095,15 +1095,19 @@ static int pagemap_pte_range(pmd_t *pmd,
 		BUG_ON(is_vm_hugetlb_page(vma));
 
 		/* Addresses in the VMA. */
-		for (; addr < min(end, vma->vm_end); addr += PAGE_SIZE) {
+		orig_pte = pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl);
+		for (; addr < min(end, vma->vm_end); pte++, addr += PAGE_SIZE) {
 			pagemap_entry_t pme;
-			pte = pte_offset_map(pmd, addr);
+
 			pte_to_pagemap_entry(&pme, pm, vma, addr, *pte);
-			pte_unmap(pte);
 			err = add_to_pagemap(addr, &pme, pm);
 			if (err)
-				return err;
+				break;
 		}
+		pte_unmap_unlock(orig_pte, ptl);
+
+		if (err)
+			return err;
 
 		if (addr == end)
 			break;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 064/151] nfs: dont call blocking operations while !TASK_RUNNING
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 063/151] proc/pagemap: walk page tables under pte lock Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 065/151] NFS: struct nfs_commit_info.lock must always point to inode->i_lock Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, J. Bruce Fields, Jeff Layton,
	Trond Myklebust

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@primarydata.com>

commit 6ffa30d3f734d4f6b478081dfc09592021028f90 upstream.

Bruce reported seeing this warning pop when mounting using v4.1:

     ------------[ cut here ]------------
     WARNING: CPU: 1 PID: 1121 at kernel/sched/core.c:7300 __might_sleep+0xbd/0xd0()
    do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff810ff58f>] prepare_to_wait+0x2f/0x90
    Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw snd_hda_codec_generic snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep snd_pcm snd_timer ppdev joydev snd virtio_console virtio_balloon pcspkr serio_raw parport_pc parport pvpanic floppy soundcore i2c_piix4 virtio_blk virtio_net qxl drm_kms_helper ttm drm virtio_pci virtio_ring ata_generic virtio pata_acpi
    CPU: 1 PID: 1121 Comm: nfsv4.1-svc Not tainted 3.19.0-rc4+ #25
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140709_153950- 04/01/2014
     0000000000000000 000000004e5e3f73 ffff8800b998fb48 ffffffff8186ac78
     0000000000000000 ffff8800b998fba0 ffff8800b998fb88 ffffffff810ac9da
     ffff8800b998fb68 ffffffff81c923e7 00000000000004d9 0000000000000000
    Call Trace:
     [<ffffffff8186ac78>] dump_stack+0x4c/0x65
     [<ffffffff810ac9da>] warn_slowpath_common+0x8a/0xc0
     [<ffffffff810aca65>] warn_slowpath_fmt+0x55/0x70
     [<ffffffff810ff58f>] ? prepare_to_wait+0x2f/0x90
     [<ffffffff810ff58f>] ? prepare_to_wait+0x2f/0x90
     [<ffffffff810dd2ad>] __might_sleep+0xbd/0xd0
     [<ffffffff8124c973>] kmem_cache_alloc_trace+0x243/0x430
     [<ffffffff810d941e>] ? groups_alloc+0x3e/0x130
     [<ffffffff810d941e>] groups_alloc+0x3e/0x130
     [<ffffffffa0301b1e>] svcauth_unix_accept+0x16e/0x290 [sunrpc]
     [<ffffffffa0300571>] svc_authenticate+0xe1/0xf0 [sunrpc]
     [<ffffffffa02fc564>] svc_process_common+0x244/0x6a0 [sunrpc]
     [<ffffffffa02fd044>] bc_svc_process+0x1c4/0x260 [sunrpc]
     [<ffffffffa03d5478>] nfs41_callback_svc+0x128/0x1f0 [nfsv4]
     [<ffffffff810ff970>] ? wait_woken+0xc0/0xc0
     [<ffffffffa03d5350>] ? nfs4_callback_svc+0x60/0x60 [nfsv4]
     [<ffffffff810d45bf>] kthread+0x11f/0x140
     [<ffffffff810ea815>] ? local_clock+0x15/0x30
     [<ffffffff810d44a0>] ? kthread_create_on_node+0x250/0x250
     [<ffffffff81874bfc>] ret_from_fork+0x7c/0xb0
     [<ffffffff810d44a0>] ? kthread_create_on_node+0x250/0x250
    ---[ end trace 675220a11e30f4f2 ]---

nfs41_callback_svc does most of its work while in TASK_INTERRUPTIBLE,
which is just wrong. Fix that by finishing the wait immediately if we've
found that the list has something on it.

Also, we don't expect this kthread to accept signals, so we should be
using a TASK_UNINTERRUPTIBLE sleep instead. That however, opens us up
hung task warnings from the watchdog, so have the schedule_timeout
wake up every 60s if there's no callback activity.

Reported-by: "J. Bruce Fields" <bfields@fieldses.org>
Signed-off-by: Jeff Layton <jlayton@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/callback.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -128,22 +128,24 @@ nfs41_callback_svc(void *vrqstp)
 		if (try_to_freeze())
 			continue;
 
-		prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE);
+		prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_UNINTERRUPTIBLE);
 		spin_lock_bh(&serv->sv_cb_lock);
 		if (!list_empty(&serv->sv_cb_list)) {
 			req = list_first_entry(&serv->sv_cb_list,
 					struct rpc_rqst, rq_bc_list);
 			list_del(&req->rq_bc_list);
 			spin_unlock_bh(&serv->sv_cb_lock);
+			finish_wait(&serv->sv_cb_waitq, &wq);
 			dprintk("Invoking bc_svc_process()\n");
 			error = bc_svc_process(serv, req, rqstp);
 			dprintk("bc_svc_process() returned w/ error code= %d\n",
 				error);
 		} else {
 			spin_unlock_bh(&serv->sv_cb_lock);
-			schedule();
+			/* schedule_timeout to game the hung task watchdog */
+			schedule_timeout(60 * HZ);
+			finish_wait(&serv->sv_cb_waitq, &wq);
 		}
-		finish_wait(&serv->sv_cb_waitq, &wq);
 	}
 	return 0;
 }



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 065/151] NFS: struct nfs_commit_info.lock must always point to inode->i_lock
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 064/151] nfs: dont call blocking operations while !TASK_RUNNING Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 066/151] KVM: MIPS: Disable HTW while in guest Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Weston Andros Adamson, Trond Myklebust

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit f4086a3d789dbe18949862276d83b8f49fce6d2f upstream.

Commit 411a99adffb4f (nfs: clear_request_commit while holding i_lock)
assumes that the nfs_commit_info always points to the inode->i_lock.
For historical reasons, that is not the case for O_DIRECT writes.

Cc: Weston Andros Adamson <dros@primarydata.com>
Fixes: 411a99adffb4f ("nfs: clear_request_commit while holding i_lock")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/direct.c         |    2 +-
 include/linux/nfs_xdr.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/fs/nfs/direct.c
+++ b/fs/nfs/direct.c
@@ -242,7 +242,7 @@ static void nfs_direct_release_pages(str
 void nfs_init_cinfo_from_dreq(struct nfs_commit_info *cinfo,
 			      struct nfs_direct_req *dreq)
 {
-	cinfo->lock = &dreq->lock;
+	cinfo->lock = &dreq->inode->i_lock;
 	cinfo->mds = &dreq->mds_cinfo;
 	cinfo->ds = &dreq->ds_cinfo;
 	cinfo->dreq = dreq;
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -1328,7 +1328,7 @@ struct nfs_commit_completion_ops {
 };
 
 struct nfs_commit_info {
-	spinlock_t			*lock;
+	spinlock_t			*lock;	/* inode->i_lock */
 	struct nfs_mds_commit_info	*mds;
 	struct pnfs_ds_commit_info	*ds;
 	struct nfs_direct_req		*dreq;	/* O_DIRECT request */



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 066/151] KVM: MIPS: Disable HTW while in guest
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 065/151] NFS: struct nfs_commit_info.lock must always point to inode->i_lock Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 067/151] KVM: MIPS: Dont leak FPU/DSP to guest Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hogan, Paolo Bonzini,
	Ralf Baechle, Markos Chandras, Gleb Natapov, kvm, linux-mips

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit c4c6f2cad9e1d4cc076bc183c3689cc9e7019c75 upstream.

Ensure any hardware page table walker (HTW) is disabled while in KVM
guest mode, as KVM doesn't yet set up hardware page table walking for
guest mappings so the wrong mappings would get loaded, resulting in the
guest hanging or crashing once it reaches userland.

The HTW is disabled and re-enabled around the call to
__kvm_mips_vcpu_run() which does the initial switch into guest mode and
the final switch out of guest context. Additionally it is enabled for
the duration of guest exits (i.e. kvm_mips_handle_exit()), getting
disabled again before returning back to guest or host.

In all cases the HTW is only disabled in normal kernel mode while
interrupts are disabled, so that the HTW doesn't get left disabled if
the process is preempted.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: kvm@vger.kernel.org
Cc: linux-mips@linux-mips.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kvm/mips.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -18,6 +18,7 @@
 #include <asm/page.h>
 #include <asm/cacheflush.h>
 #include <asm/mmu_context.h>
+#include <asm/pgtable.h>
 
 #include <linux/kvm_host.h>
 
@@ -385,8 +386,14 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v
 
 	kvm_guest_enter();
 
+	/* Disable hardware page table walking while in guest */
+	htw_stop();
+
 	r = __kvm_mips_vcpu_run(run, vcpu);
 
+	/* Re-enable HTW before enabling interrupts */
+	htw_start();
+
 	kvm_guest_exit();
 	local_irq_enable();
 
@@ -1002,6 +1009,9 @@ int kvm_mips_handle_exit(struct kvm_run
 	enum emulation_result er = EMULATE_DONE;
 	int ret = RESUME_GUEST;
 
+	/* re-enable HTW before enabling interrupts */
+	htw_start();
+
 	/* Set a default exit reason */
 	run->exit_reason = KVM_EXIT_UNKNOWN;
 	run->ready_for_interrupt_injection = 1;
@@ -1136,6 +1146,9 @@ skip_emul:
 		}
 	}
 
+	/* Disable HTW before returning to guest or host */
+	htw_stop();
+
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 067/151] KVM: MIPS: Dont leak FPU/DSP to guest
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 066/151] KVM: MIPS: Disable HTW while in guest Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 068/151] MIPS: Alchemy: Fix cpu clock calculation Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hogan, Paolo Bonzini,
	Ralf Baechle, Sanjay Lal, Gleb Natapov, kvm, linux-mips

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit f798217dfd038af981a18bbe4bc57027a08bb182 upstream.

The FPU and DSP are enabled via the CP0 Status CU1 and MX bits by
kvm_mips_set_c0_status() on a guest exit, presumably in case there is
active state that needs saving if pre-emption occurs. However neither of
these bits are cleared again when returning to the guest.

This effectively gives the guest access to the FPU/DSP hardware after
the first guest exit even though it is not aware of its presence,
allowing FP instructions in guest user code to intermittently actually
execute instead of trapping into the guest OS for emulation. It will
then read & manipulate the hardware FP registers which technically
belong to the user process (e.g. QEMU), or are stale from another user
process. It can also crash the guest OS by causing an FP exception, for
which a guest exception handler won't have been registered.

First lets save and disable the FPU (and MSA) state with lose_fpu(1)
before entering the guest. This simplifies the problem, especially for
when guest FPU/MSA support is added in the future, and prevents FR=1 FPU
state being live when the FR bit gets cleared for the guest, which
according to the architecture causes the contents of the FPU and vector
registers to become UNPREDICTABLE.

We can then safely remove the enabling of the FPU in
kvm_mips_set_c0_status(), since there should never be any active FPU or
MSA state to save at pre-emption, which should plug the FPU leak.

DSP state is always live rather than being lazily restored, so for that
it is simpler to just clear the MX bit again when re-entering the guest.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Sanjay Lal <sanjayl@kymasys.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: kvm@vger.kernel.org
Cc: linux-mips@linux-mips.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kvm/locore.S |    2 +-
 arch/mips/kvm/mips.c   |    6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/mips/kvm/locore.S
+++ b/arch/mips/kvm/locore.S
@@ -434,7 +434,7 @@ __kvm_mips_return_to_guest:
 	/* Setup status register for running guest in UM */
 	.set	at
 	or	v1, v1, (ST0_EXL | KSU_USER | ST0_IE)
-	and	v1, v1, ~ST0_CU0
+	and	v1, v1, ~(ST0_CU0 | ST0_MX)
 	.set	noat
 	mtc0	v1, CP0_STATUS
 	ehb
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -15,6 +15,7 @@
 #include <linux/vmalloc.h>
 #include <linux/fs.h>
 #include <linux/bootmem.h>
+#include <asm/fpu.h>
 #include <asm/page.h>
 #include <asm/cacheflush.h>
 #include <asm/mmu_context.h>
@@ -379,6 +380,8 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_v
 		vcpu->mmio_needed = 0;
 	}
 
+	lose_fpu(1);
+
 	local_irq_disable();
 	/* Check if we have any exceptions/interrupts pending */
 	kvm_mips_deliver_interrupts(vcpu,
@@ -987,9 +990,6 @@ static void kvm_mips_set_c0_status(void)
 {
 	uint32_t status = read_c0_status();
 
-	if (cpu_has_fpu)
-		status |= (ST0_CU1);
-
 	if (cpu_has_dsp)
 		status |= (ST0_MX);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 068/151] MIPS: Alchemy: Fix cpu clock calculation
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 067/151] KVM: MIPS: Dont leak FPU/DSP to guest Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 069/151] MIPS: kernel: cps-vec: Replace "addi" with "addiu" Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manuel Lauss, John Crispin,
	Bruno Randolf, Linux-MIPS, Ralf Baechle

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Manuel Lauss <manuel.lauss@gmail.com>

commit 69e4e63ec816a7e22cc3aa14bc7ef4ac734d370c upstream.

The current code uses bits 0-6 of the sys_cpupll register to calculate
core clock speed.  However this is only valid on Au1300, on all earlier
models the hardware only uses bits 0-5 to generate core clock.

This fixes clock calculation on the MTX1 (Au1500), where bit 6 of cpupll
is set as well, which ultimately lead the code to calculate a bogus cpu
core clock and also uart base clock down the line.

Signed-off-by: Manuel Lauss <manuel.lauss@gmail.com>
Reported-by: John Crispin <blogic@openwrt.org>
Tested-by: Bruno Randolf <br1@einfach.org>
Cc: Linux-MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/9279/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/alchemy/common/clock.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/mips/alchemy/common/clock.c
+++ b/arch/mips/alchemy/common/clock.c
@@ -128,6 +128,8 @@ static unsigned long alchemy_clk_cpu_rec
 		t = 396000000;
 	else {
 		t = alchemy_rdsys(AU1000_SYS_CPUPLL) & 0x7f;
+		if (alchemy_get_cputype() < ALCHEMY_CPU_AU1300)
+			t &= 0x3f;
 		t *= parent_rate;
 	}
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 069/151] MIPS: kernel: cps-vec: Replace "addi" with "addiu"
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 068/151] MIPS: Alchemy: Fix cpu clock calculation Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 070/151] MIPS: asm: asmmacro: Replace "add" instructions with "addu" Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Paul Burton,
	Markos Chandras

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos.chandras@imgtec.com>

commit acac4108df6029c03195513ead7073bbb0cb9718 upstream.

The "addi" instruction will trap on overflows which is not something
we need in this code, so we replace that with "addiu".

Link: http://www.linux-mips.org/archives/linux-mips/2015-01/msg00430.html
Cc: Maciej W. Rozycki <macro@linux-mips.org>
Cc: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kernel/cps-vec.S |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/arch/mips/kernel/cps-vec.S
+++ b/arch/mips/kernel/cps-vec.S
@@ -99,11 +99,11 @@ not_nmi:
 	xori	t2, t1, 0x7
 	beqz	t2, 1f
 	 li	t3, 32
-	addi	t1, t1, 1
+	addiu	t1, t1, 1
 	sllv	t1, t3, t1
 1:	/* At this point t1 == I-cache sets per way */
 	_EXT	t2, v0, MIPS_CONF1_IA_SHF, MIPS_CONF1_IA_SZ
-	addi	t2, t2, 1
+	addiu	t2, t2, 1
 	mul	t1, t1, t0
 	mul	t1, t1, t2
 
@@ -126,11 +126,11 @@ icache_done:
 	xori	t2, t1, 0x7
 	beqz	t2, 1f
 	 li	t3, 32
-	addi	t1, t1, 1
+	addiu	t1, t1, 1
 	sllv	t1, t3, t1
 1:	/* At this point t1 == D-cache sets per way */
 	_EXT	t2, v0, MIPS_CONF1_DA_SHF, MIPS_CONF1_DA_SZ
-	addi	t2, t2, 1
+	addiu	t2, t2, 1
 	mul	t1, t1, t0
 	mul	t1, t1, t2
 
@@ -250,7 +250,7 @@ LEAF(mips_cps_core_init)
 	mfc0	t0, CP0_MVPCONF0
 	srl	t0, t0, MVPCONF0_PVPE_SHIFT
 	andi	t0, t0, (MVPCONF0_PVPE >> MVPCONF0_PVPE_SHIFT)
-	addi	t7, t0, 1
+	addiu	t7, t0, 1
 
 	/* If there's only 1, we're done */
 	beqz	t0, 2f
@@ -280,7 +280,7 @@ LEAF(mips_cps_core_init)
 	mttc0	t0, CP0_TCHALT
 
 	/* Next VPE */
-	addi	t5, t5, 1
+	addiu	t5, t5, 1
 	slt	t0, t5, t7
 	bnez	t0, 1b
 	 nop
@@ -317,7 +317,7 @@ LEAF(mips_cps_boot_vpes)
 	mfc0	t1, CP0_MVPCONF0
 	srl	t1, t1, MVPCONF0_PVPE_SHIFT
 	andi	t1, t1, MVPCONF0_PVPE >> MVPCONF0_PVPE_SHIFT
-	addi	t1, t1, 1
+	addiu	t1, t1, 1
 
 	/* Calculate a mask for the VPE ID from EBase.CPUNum */
 	clz	t1, t1
@@ -424,7 +424,7 @@ LEAF(mips_cps_boot_vpes)
 
 	/* Next VPE */
 2:	srl	t6, t6, 1
-	addi	t5, t5, 1
+	addiu	t5, t5, 1
 	bnez	t6, 1b
 	 nop
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 070/151] MIPS: asm: asmmacro: Replace "add" instructions with "addu"
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 069/151] MIPS: kernel: cps-vec: Replace "addi" with "addiu" Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 071/151] MIPS: asm: pgtable: Add c0 hazards on HTW start/stop sequences Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton, Maciej W. Rozycki,
	Markos Chandras

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos.chandras@imgtec.com>

commit 98a833c1fa4de0695830f77b2d13fd86693da298 upstream.

The "add" instruction is actually a macro in binutils and depending on
the size of the immediate it can expand to an "addi" instruction.
However, the "addi" instruction traps on overflows which is not
something we want on address calculation.

Link: http://www.linux-mips.org/archives/linux-mips/2015-01/msg00121.html
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Maciej W. Rozycki <macro@linux-mips.org>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/include/asm/asmmacro.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/include/asm/asmmacro.h
+++ b/arch/mips/include/asm/asmmacro.h
@@ -304,7 +304,7 @@
 	.set	push
 	.set	noat
 	SET_HARDFLOAT
-	add	$1, \base, \off
+	addu	$1, \base, \off
 	.word	LDD_MSA_INSN | (\wd << 6)
 	.set	pop
 	.endm
@@ -313,7 +313,7 @@
 	.set	push
 	.set	noat
 	SET_HARDFLOAT
-	add	$1, \base, \off
+	addu	$1, \base, \off
 	.word	STD_MSA_INSN | (\wd << 6)
 	.set	pop
 	.endm



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 071/151] MIPS: asm: pgtable: Add c0 hazards on HTW start/stop sequences
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 070/151] MIPS: asm: asmmacro: Replace "add" instructions with "addu" Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 072/151] MIPS: asm: pgtable: Prevent HTW race when updating PTEs Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Markos Chandras, linux-mips, Ralf Baechle

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos.chandras@imgtec.com>

commit 461d1597ffad7a826f8aaa63ab0727c37b632e34 upstream.

When we use htw_{start,stop}() outside of htw_reset(), we need
to ensure that c0 changes have been propagated properly before
we attempt to continue with subsequence memory operations.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9114/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/include/asm/pgtable.h |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/mips/include/asm/pgtable.h
+++ b/arch/mips/include/asm/pgtable.h
@@ -99,16 +99,20 @@ extern void paging_init(void);
 
 #define htw_stop()							\
 do {									\
-	if (cpu_has_htw)						\
+	if (cpu_has_htw) {						\
 		write_c0_pwctl(read_c0_pwctl() &			\
 			       ~(1 << MIPS_PWCTL_PWEN_SHIFT));		\
+		back_to_back_c0_hazard();				\
+	}								\
 } while(0)
 
 #define htw_start()							\
 do {									\
-	if (cpu_has_htw)						\
+	if (cpu_has_htw) {						\
 		write_c0_pwctl(read_c0_pwctl() |			\
 			       (1 << MIPS_PWCTL_PWEN_SHIFT));		\
+		back_to_back_c0_hazard();				\
+	}								\
 } while(0)
 
 
@@ -116,9 +120,7 @@ do {									\
 do {									\
 	if (cpu_has_htw) {						\
 		htw_stop();						\
-		back_to_back_c0_hazard();				\
 		htw_start();						\
-		back_to_back_c0_hazard();				\
 	}								\
 } while(0)
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 072/151] MIPS: asm: pgtable: Prevent HTW race when updating PTEs
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 071/151] MIPS: asm: pgtable: Add c0 hazards on HTW start/stop sequences Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 073/151] MIPS: Export FP functions used by lose_fpu(1) for KVM Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Markos Chandras, linux-mips, Ralf Baechle

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos.chandras@imgtec.com>

commit fde3538a8a711aedf1173ecb2d45aed868f51c97 upstream.

Whenever we modify a page table entry, we need to ensure that the HTW
will not fetch a stable entry. And for that to happen we need to ensure
that HTW is stopped before we modify the said entry otherwise the HTW
may already be in the process of reading that entry and fetching the
old information. As a result of which, we replace the htw_reset() calls
with htw_{stop,start} in more appropriate places. This also removes the
remaining users of htw_reset() and as a result we drop that macro

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9116/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/include/asm/pgtable.h |   14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

--- a/arch/mips/include/asm/pgtable.h
+++ b/arch/mips/include/asm/pgtable.h
@@ -116,14 +116,6 @@ do {									\
 } while(0)
 
 
-#define htw_reset()							\
-do {									\
-	if (cpu_has_htw) {						\
-		htw_stop();						\
-		htw_start();						\
-	}								\
-} while(0)
-
 extern void set_pte_at(struct mm_struct *mm, unsigned long addr, pte_t *ptep,
 	pte_t pteval);
 
@@ -155,12 +147,13 @@ static inline void pte_clear(struct mm_s
 {
 	pte_t null = __pte(0);
 
+	htw_stop();
 	/* Preserve global status for the pair */
 	if (ptep_buddy(ptep)->pte_low & _PAGE_GLOBAL)
 		null.pte_low = null.pte_high = _PAGE_GLOBAL;
 
 	set_pte_at(mm, addr, ptep, null);
-	htw_reset();
+	htw_start();
 }
 #else
 
@@ -190,6 +183,7 @@ static inline void set_pte(pte_t *ptep,
 
 static inline void pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
 {
+	htw_stop();
 #if !defined(CONFIG_CPU_R3000) && !defined(CONFIG_CPU_TX39XX)
 	/* Preserve global status for the pair */
 	if (pte_val(*ptep_buddy(ptep)) & _PAGE_GLOBAL)
@@ -197,7 +191,7 @@ static inline void pte_clear(struct mm_s
 	else
 #endif
 		set_pte_at(mm, addr, ptep, __pte(0));
-	htw_reset();
+	htw_start();
 }
 #endif
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 073/151] MIPS: Export FP functions used by lose_fpu(1) for KVM
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 072/151] MIPS: asm: pgtable: Prevent HTW race when updating PTEs Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 074/151] MIPS: Export MSA " Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hogan, Paolo Bonzini,
	Ralf Baechle, Paul Burton, Gleb Natapov, kvm, linux-mips

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 3ce465e04bfd8de9956d515d6e9587faac3375dc upstream.

Export the _save_fp asm function used by the lose_fpu(1) macro to GPL
modules so that KVM can make use of it when it is built as a module.

This fixes the following build error when CONFIG_KVM=m due to commit
f798217dfd03 ("KVM: MIPS: Don't leak FPU/DSP to guest"):

ERROR: "_save_fp" [arch/mips/kvm/kvm.ko] undefined!

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Fixes: f798217dfd03 (KVM: MIPS: Don't leak FPU/DSP to guest)
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: kvm@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9260/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kernel/mips_ksyms.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/arch/mips/kernel/mips_ksyms.c
+++ b/arch/mips/kernel/mips_ksyms.c
@@ -14,6 +14,7 @@
 #include <linux/mm.h>
 #include <asm/uaccess.h>
 #include <asm/ftrace.h>
+#include <asm/fpu.h>
 
 extern void *__bzero(void *__s, size_t __count);
 extern long __strncpy_from_kernel_nocheck_asm(char *__to,
@@ -34,6 +35,11 @@ extern long __strnlen_user_nocheck_asm(c
 extern long __strnlen_user_asm(const char *s);
 
 /*
+ * Core architecture code
+ */
+EXPORT_SYMBOL_GPL(_save_fp);
+
+/*
  * String functions
  */
 EXPORT_SYMBOL(memset);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 074/151] MIPS: Export MSA functions used by lose_fpu(1) for KVM
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 073/151] MIPS: Export FP functions used by lose_fpu(1) for KVM Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 075/151] mm/hugetlb: pmd_huge() returns true for non-present hugepage Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hogan, Paolo Bonzini,
	Ralf Baechle, Paul Burton, Gleb Natapov, kvm, linux-mips

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit ca5d25642e212f73492d332d95dc90ef46a0e8dc upstream.

Export the _save_msa asm function used by the lose_fpu(1) macro to GPL
modules so that KVM can make use of it when it is built as a module.

This fixes the following build error when CONFIG_KVM=m and
CONFIG_CPU_HAS_MSA=y due to commit f798217dfd03 ("KVM: MIPS: Don't leak
FPU/DSP to guest"):

ERROR: "_save_msa" [arch/mips/kvm/kvm.ko] undefined!

Fixes: f798217dfd03 (KVM: MIPS: Don't leak FPU/DSP to guest)
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: kvm@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9261/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kernel/mips_ksyms.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/mips/kernel/mips_ksyms.c
+++ b/arch/mips/kernel/mips_ksyms.c
@@ -15,6 +15,7 @@
 #include <asm/uaccess.h>
 #include <asm/ftrace.h>
 #include <asm/fpu.h>
+#include <asm/msa.h>
 
 extern void *__bzero(void *__s, size_t __count);
 extern long __strncpy_from_kernel_nocheck_asm(char *__to,
@@ -38,6 +39,9 @@ extern long __strnlen_user_asm(const cha
  * Core architecture code
  */
 EXPORT_SYMBOL_GPL(_save_fp);
+#ifdef CONFIG_CPU_HAS_MSA
+EXPORT_SYMBOL_GPL(_save_msa);
+#endif
 
 /*
  * String functions



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 075/151] mm/hugetlb: pmd_huge() returns true for non-present hugepage
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 074/151] MIPS: Export MSA " Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 076/151] tracing: Fix unmapping loop in tracing_mark_write Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Hugh Dickins,
	James Hogan, David Rientjes, Mel Gorman, Johannes Weiner,
	Michal Hocko, Rik van Riel, Andrea Arcangeli, Luiz Capitulino,
	Nishanth Aravamudan, Lee Schermerhorn, Steve Capper,
	Andrew Morton, Linus Torvalds

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit cbef8478bee55775ac312a574aad48af7bb9cf9f upstream.

Migrating hugepages and hwpoisoned hugepages are considered as non-present
hugepages, and they are referenced via migration entries and hwpoison
entries in their page table slots.

This behavior causes race condition because pmd_huge() doesn't tell
non-huge pages from migrating/hwpoisoned hugepages.  follow_page_mask() is
one example where the kernel would call follow_page_pte() for such
hugepage while this function is supposed to handle only normal pages.

To avoid this, this patch makes pmd_huge() return true when pmd_none() is
true *and* pmd_present() is false.  We don't have to worry about mixing up
non-present pmd entry with normal pmd (pointing to leaf level pte entry)
because pmd_present() is true in normal pmd.

The same race condition could happen in (x86-specific) gup_pmd_range(),
where this patch simply adds pmd_present() check instead of pmd_huge().
This is because gup_pmd_range() is fast path.  If we have non-present
hugepage in this function, we will go into gup_huge_pmd(), then return 0
at flag mask check, and finally fall back to the slow path.

Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/gup.c         |    2 +-
 arch/x86/mm/hugetlbpage.c |    8 +++++++-
 mm/hugetlb.c              |    2 ++
 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/arch/x86/mm/gup.c
+++ b/arch/x86/mm/gup.c
@@ -172,7 +172,7 @@ static int gup_pmd_range(pud_t pud, unsi
 		 */
 		if (pmd_none(pmd) || pmd_trans_splitting(pmd))
 			return 0;
-		if (unlikely(pmd_large(pmd))) {
+		if (unlikely(pmd_large(pmd) || !pmd_present(pmd))) {
 			/*
 			 * NUMA hinting faults need to be handled in the GUP
 			 * slowpath for accounting purposes and so that they
--- a/arch/x86/mm/hugetlbpage.c
+++ b/arch/x86/mm/hugetlbpage.c
@@ -66,9 +66,15 @@ follow_huge_addr(struct mm_struct *mm, u
 	return ERR_PTR(-EINVAL);
 }
 
+/*
+ * pmd_huge() returns 1 if @pmd is hugetlb related entry, that is normal
+ * hugetlb entry or non-present (migration or hwpoisoned) hugetlb entry.
+ * Otherwise, returns 0.
+ */
 int pmd_huge(pmd_t pmd)
 {
-	return !!(pmd_val(pmd) & _PAGE_PSE);
+	return !pmd_none(pmd) &&
+		(pmd_val(pmd) & (_PAGE_PRESENT|_PAGE_PSE)) != _PAGE_PRESENT;
 }
 
 int pud_huge(pud_t pud)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3659,6 +3659,8 @@ follow_huge_pmd(struct mm_struct *mm, un
 {
 	struct page *page;
 
+	if (!pmd_present(*pmd))
+		return NULL;
 	page = pte_page(*(pte_t *)pmd);
 	if (page)
 		page += ((address & ~PMD_MASK) >> PAGE_SHIFT);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 076/151] tracing: Fix unmapping loop in tracing_mark_write
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 075/151] mm/hugetlb: pmd_huge() returns true for non-present hugepage Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 077/151] blk-mq: fix double-free in error path Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Boyd, Lime Yang,
	Vikram Mulukutla, Steven Rostedt

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vikram Mulukutla <markivx@codeaurora.org>

commit 7215853e985a4bef1a6c14e00e89dfec84f1e457 upstream.

Commit 6edb2a8a385f0cdef51dae37ff23e74d76d8a6ce introduced
an array map_pages that contains the addresses returned by
kmap_atomic. However, when unmapping those pages, map_pages[0]
is unmapped before map_pages[1], breaking the nesting requirement
as specified in the documentation for kmap_atomic/kunmap_atomic.

This was caught by the highmem debug code present in kunmap_atomic.
Fix the loop to do the unmapping properly.

Link: http://lkml.kernel.org/r/1418871056-6614-1-git-send-email-markivx@codeaurora.org

Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Reported-by: Lime Yang <limey@codeaurora.org>
Signed-off-by: Vikram Mulukutla <markivx@codeaurora.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4916,7 +4916,7 @@ tracing_mark_write(struct file *filp, co
 	*fpos += written;
 
  out_unlock:
-	for (i = 0; i < nr_pages; i++){
+	for (i = nr_pages - 1; i >= 0; i--) {
 		kunmap_atomic(map_page[i]);
 		put_page(pages[i]);
 	}



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 077/151] blk-mq: fix double-free in error path
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 076/151] tracing: Fix unmapping loop in tracing_mark_write Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 078/151] ARM: 8284/1: sa1100: clear RCSR_SMR on resume Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tony Battersby, Jens Axboe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Battersby <tonyb@cybernetics.com>

commit 564e559f2baf6a868768d0cac286980b3cfd6e30 upstream.

If the allocation of bt->bs fails, then bt->map can be freed twice, once
in blk_mq_init_bitmap_tags() -> bt_alloc(), and once in
blk_mq_init_bitmap_tags() -> bt_free().  Fix by setting the pointer to
NULL after the first free.

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-mq-tag.c |    1 +
 1 file changed, 1 insertion(+)

--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -500,6 +500,7 @@ static int bt_alloc(struct blk_mq_bitmap
 	bt->bs = kzalloc(BT_WAIT_QUEUES * sizeof(*bt->bs), GFP_KERNEL);
 	if (!bt->bs) {
 		kfree(bt->map);
+		bt->map = NULL;
 		return -ENOMEM;
 	}
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 078/151] ARM: 8284/1: sa1100: clear RCSR_SMR on resume
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 077/151] blk-mq: fix double-free in error path Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 079/151] ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3 Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Eremin-Solenikov, Russell King

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

commit e461894dc2ce7778ccde1c3483c9b15a85a7fc5f upstream.

StrongARM core uses RCSR SMR bit to tell to bootloader that it was reset
by entering the sleep mode. After we have resumed, there is little point
in having that bit enabled. Moreover, if this bit is set before reboot,
the bootloader can become confused. Thus clear the SMR bit on resume
just before clearing the scratchpad (resume address) register.

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-sa1100/pm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-sa1100/pm.c
+++ b/arch/arm/mach-sa1100/pm.c
@@ -81,6 +81,7 @@ static int sa11x0_pm_enter(suspend_state
 	/*
 	 * Ensure not to come back here if it wasn't intended
 	 */
+	RCSR = RCSR_SMR;
 	PSPR = 0;
 
 	/*



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 079/151] ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 078/151] ARM: 8284/1: sa1100: clear RCSR_SMR on resume Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 080/151] ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Lokesh Vutla, Paul Walmsley

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lokesh Vutla <lokeshvutla@ti.com>

commit 1c7e36bfc3e2fb2df5e2d1989a4b6fb9055a0f9b upstream.

With commit '7dedd34: ARM: OMAP2+: hwmod: Fix a crash in _setup_reset()
with DEBUG_LL' we moved from parsing cmdline to identify uart used
for earlycon to using the requsite hwmod CONFIG_DEBUG_OMAPxUARTy FLAGS.

On DRA7 UART3 hwmod doesn't have this flag enabled, and atleast on
BeagleBoard-X15, where we use UART3 for console, boot fails with
DEBUG_LL enabled. Enable DEBUG_OMAP4UART3_FLAGS for UART3 hwmod.

For using DEBUG_LL, enable CONFIG_DEBUG_OMAP4UART3 in menuconfig.

Fixes: 90020c7b2c5e ("ARM: OMAP: DRA7: hwmod: Create initial DRA7XX SoC data")
Reviewed-by: Felipe Balbi <balbi@ti.com>
Acked-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-omap2/omap_hwmod_7xx_data.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c
@@ -2017,7 +2017,7 @@ static struct omap_hwmod dra7xx_uart3_hw
 	.class		= &dra7xx_uart_hwmod_class,
 	.clkdm_name	= "l4per_clkdm",
 	.main_clk	= "uart3_gfclk_mux",
-	.flags		= HWMOD_SWSUP_SIDLE_ACT,
+	.flags		= HWMOD_SWSUP_SIDLE_ACT | DEBUG_OMAP4UART3_FLAGS,
 	.prcm = {
 		.omap4 = {
 			.clkctrl_offs = DRA7XX_CM_L4PER_UART3_CLKCTRL_OFFSET,



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 080/151] ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 079/151] ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3 Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 081/151] ARM: dts: am335x-bone*: usb0 is hardwired for peripheral Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Alexandre Courbot,
	Thierry Reding

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Osipenko <digetx@gmail.com>

commit de47699d005996b41cea590c6098078ac12058be upstream.

Commit 58ecb23f64ee ("ARM: tegra: add missing unit addresses to DT") added
unit address and changed reg base for GR3D and DSI host1x modules, but these
addresses belongs to GR2D and TVO modules respectively. Fix it by changing
modules unit and reg base addresses to proper ones.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Fixes: 58ecb23f64ee (ARM: tegra: add missing unit addresses to DT)
Reviewed-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/tegra20.dtsi |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/boot/dts/tegra20.dtsi
+++ b/arch/arm/boot/dts/tegra20.dtsi
@@ -68,9 +68,9 @@
 			reset-names = "2d";
 		};
 
-		gr3d@54140000 {
+		gr3d@54180000 {
 			compatible = "nvidia,tegra20-gr3d";
-			reg = <0x54140000 0x00040000>;
+			reg = <0x54180000 0x00040000>;
 			clocks = <&tegra_car TEGRA20_CLK_GR3D>;
 			resets = <&tegra_car 24>;
 			reset-names = "3d";
@@ -130,9 +130,9 @@
 			status = "disabled";
 		};
 
-		dsi@542c0000 {
+		dsi@54300000 {
 			compatible = "nvidia,tegra20-dsi";
-			reg = <0x542c0000 0x00040000>;
+			reg = <0x54300000 0x00040000>;
 			clocks = <&tegra_car TEGRA20_CLK_DSI>;
 			resets = <&tegra_car 48>;
 			reset-names = "dsi";



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 081/151] ARM: dts: am335x-bone*: usb0 is hardwired for peripheral
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 080/151] ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 082/151] ARM: dts: BCM63xx: fix L2 cache properties Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Nelson, Felipe Balbi, Tony Lindgren

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Nelson <robertcnelson@gmail.com>

commit 67fd14b3eca63b14429350e9eadc5fab709a8821 upstream.

Fixes: http://bugs.elinux.org/issues/127

the bb.org community was seeing random reboots before this change.

Signed-off-by: Robert Nelson <robertcnelson@gmail.com>
Reviewed-by: Felipe Balbi <balbi@ti.com>
Acked-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/am335x-bone-common.dtsi |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/am335x-bone-common.dtsi
+++ b/arch/arm/boot/dts/am335x-bone-common.dtsi
@@ -195,6 +195,7 @@
 
 &usb0 {
 	status = "okay";
+	dr_mode = "peripheral";
 };
 
 &usb1 {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 082/151] ARM: dts: BCM63xx: fix L2 cache properties
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 081/151] ARM: dts: am335x-bone*: usb0 is hardwired for peripheral Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 083/151] tpm_tis: verify interrupt during init Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Florian Fainelli

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 9df11828d9b5665ddef81e45f83dd5376a8cd620 upstream.

The L2 cache properties were completely off with respect to what the
hardware is configured for. Fix the cache-size, cache-line-size and
cache-sets to reflect the L2 cache controller we have: 512KB, 16 ways
and 32 bytes per cache-line.

Fixes: 46d4bca0445a0 ("ARM: BCM63XX: add BCM63138 minimal Device Tree")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/bcm63138.dtsi |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/arm/boot/dts/bcm63138.dtsi
+++ b/arch/arm/boot/dts/bcm63138.dtsi
@@ -66,8 +66,9 @@
 			reg = <0x1d000 0x1000>;
 			cache-unified;
 			cache-level = <2>;
-			cache-sets = <16>;
-			cache-size = <0x80000>;
+			cache-size = <524288>;
+			cache-sets = <1024>;
+			cache-line-size = <32>;
 			interrupts = <GIC_PPI 0 IRQ_TYPE_LEVEL_HIGH>;
 		};
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 083/151] tpm_tis: verify interrupt during init
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 082/151] ARM: dts: BCM63xx: fix L2 cache properties Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 084/151] TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Scot Doyle, Michael Mullin,
	Jason Gunthorpe, Peter Huewe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Scot Doyle <lkml14@scotdoyle.com>

commit 448e9c55c12d6bd4fa90a7e31d802e045666d7c8 upstream.

Some machines, such as the Acer C720 and Toshiba CB35, have TPMs that do
not send IRQs while also having an ACPI TPM entry indicating that they
will be sent. These machines freeze on resume while the tpm_tis module
waits for an IRQ, eventually timing out.

When in interrupt mode, the tpm_tis module should receive an IRQ during
module init. Fall back to polling mode if none is received when expected.

Signed-off-by: Scot Doyle <lkml14@scotdoyle.com>
Tested-by: Michael Mullin <masmullin@gmail.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[phuewe: minor checkpatch fixed]
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_tis.c |   76 ++++++++++++++++++++++++++++++++++++---------
 1 file changed, 62 insertions(+), 14 deletions(-)

--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -75,6 +75,10 @@ enum tis_defaults {
 #define	TPM_DID_VID(l)			(0x0F00 | ((l) << 12))
 #define	TPM_RID(l)			(0x0F04 | ((l) << 12))
 
+struct priv_data {
+	bool irq_tested;
+};
+
 static LIST_HEAD(tis_chips);
 static DEFINE_MUTEX(tis_lock);
 
@@ -338,12 +342,27 @@ out_err:
 	return rc;
 }
 
+static void disable_interrupts(struct tpm_chip *chip)
+{
+	u32 intmask;
+
+	intmask =
+	    ioread32(chip->vendor.iobase +
+		     TPM_INT_ENABLE(chip->vendor.locality));
+	intmask &= ~TPM_GLOBAL_INT_ENABLE;
+	iowrite32(intmask,
+		  chip->vendor.iobase +
+		  TPM_INT_ENABLE(chip->vendor.locality));
+	free_irq(chip->vendor.irq, chip);
+	chip->vendor.irq = 0;
+}
+
 /*
  * If interrupts are used (signaled by an irq set in the vendor structure)
  * tpm.c can skip polling for the data to be available as the interrupt is
  * waited for here
  */
-static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len)
+static int tpm_tis_send_main(struct tpm_chip *chip, u8 *buf, size_t len)
 {
 	int rc;
 	u32 ordinal;
@@ -373,6 +392,30 @@ out_err:
 	return rc;
 }
 
+static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len)
+{
+	int rc, irq;
+	struct priv_data *priv = chip->vendor.priv;
+
+	if (!chip->vendor.irq || priv->irq_tested)
+		return tpm_tis_send_main(chip, buf, len);
+
+	/* Verify receipt of the expected IRQ */
+	irq = chip->vendor.irq;
+	chip->vendor.irq = 0;
+	rc = tpm_tis_send_main(chip, buf, len);
+	chip->vendor.irq = irq;
+	if (!priv->irq_tested)
+		msleep(1);
+	if (!priv->irq_tested) {
+		disable_interrupts(chip);
+		dev_err(chip->dev,
+			FW_BUG "TPM interrupt not working, polling instead\n");
+	}
+	priv->irq_tested = true;
+	return rc;
+}
+
 struct tis_vendor_timeout_override {
 	u32 did_vid;
 	unsigned long timeout_us[4];
@@ -505,6 +548,7 @@ static irqreturn_t tis_int_handler(int d
 	if (interrupt == 0)
 		return IRQ_NONE;
 
+	((struct priv_data *)chip->vendor.priv)->irq_tested = true;
 	if (interrupt & TPM_INTF_DATA_AVAIL_INT)
 		wake_up_interruptible(&chip->vendor.read_queue);
 	if (interrupt & TPM_INTF_LOCALITY_CHANGE_INT)
@@ -534,9 +578,14 @@ static int tpm_tis_init(struct device *d
 	u32 vendor, intfcaps, intmask;
 	int rc, i, irq_s, irq_e, probe;
 	struct tpm_chip *chip;
+	struct priv_data *priv;
 
+	priv = devm_kzalloc(dev, sizeof(struct priv_data), GFP_KERNEL);
+	if (priv == NULL)
+		return -ENOMEM;
 	if (!(chip = tpm_register_hardware(dev, &tpm_tis)))
 		return -ENODEV;
+	chip->vendor.priv = priv;
 
 	chip->vendor.iobase = ioremap(start, len);
 	if (!chip->vendor.iobase) {
@@ -605,19 +654,6 @@ static int tpm_tis_init(struct device *d
 	if (intfcaps & TPM_INTF_DATA_AVAIL_INT)
 		dev_dbg(dev, "\tData Avail Int Support\n");
 
-	/* get the timeouts before testing for irqs */
-	if (tpm_get_timeouts(chip)) {
-		dev_err(dev, "Could not get TPM timeouts and durations\n");
-		rc = -ENODEV;
-		goto out_err;
-	}
-
-	if (tpm_do_selftest(chip)) {
-		dev_err(dev, "TPM self test failed\n");
-		rc = -ENODEV;
-		goto out_err;
-	}
-
 	/* INTERRUPT Setup */
 	init_waitqueue_head(&chip->vendor.read_queue);
 	init_waitqueue_head(&chip->vendor.int_queue);
@@ -719,6 +755,18 @@ static int tpm_tis_init(struct device *d
 		}
 	}
 
+	if (tpm_get_timeouts(chip)) {
+		dev_err(dev, "Could not get TPM timeouts and durations\n");
+		rc = -ENODEV;
+		goto out_err;
+	}
+
+	if (tpm_do_selftest(chip)) {
+		dev_err(dev, "TPM self test failed\n");
+		rc = -ENODEV;
+		goto out_err;
+	}
+
 	INIT_LIST_HEAD(&chip->vendor.list);
 	mutex_lock(&tis_lock);
 	list_add(&chip->vendor.list, &tis_chips);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 084/151] TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 083/151] tpm_tis: verify interrupt during init Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 085/151] char: tpm: Add missing error check for devm_kzalloc Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Howells, Jason Gunthorpe, Peter Huewe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit 398a1e71dc827b994b7f2f56c7c2186fea7f8d75 upstream.

Add newly registered TPMs to the tail of the list, not the beginning, so that
things that are specifying TPM_ANY_NUM don't find that the device they're
using has inadvertently changed.  Adding a second device would break IMA, for
instance.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm-interface.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1122,7 +1122,7 @@ struct tpm_chip *tpm_register_hardware(s
 
 	/* Make chip available */
 	spin_lock(&driver_lock);
-	list_add_rcu(&chip->list, &tpm_chip_list);
+	list_add_tail_rcu(&chip->list, &tpm_chip_list);
 	spin_unlock(&driver_lock);
 
 	return chip;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 085/151] char: tpm: Add missing error check for devm_kzalloc
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 084/151] TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 086/151] tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kiran Padwal, Jason Gunthorpe, Peter Huewe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kiran Padwal <kiran.padwal@smartplayin.com>

commit bb95cd34ba4c9467114acc78eeddd53ab1c10085 upstream.

Currently these driver are missing a check on the return value of devm_kzalloc,
which would cause a NULL pointer dereference in a OOM situation.

This patch adds a missing check for tpm_i2c_atmel.c and tpm_i2c_nuvoton.c

Signed-off-by: Kiran Padwal <kiran.padwal@smartplayin.com>
Reviewed-By: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_i2c_atmel.c   |    4 ++++
 drivers/char/tpm/tpm_i2c_nuvoton.c |    5 +++++
 2 files changed, 9 insertions(+)

--- a/drivers/char/tpm/tpm_i2c_atmel.c
+++ b/drivers/char/tpm/tpm_i2c_atmel.c
@@ -168,6 +168,10 @@ static int i2c_atmel_probe(struct i2c_cl
 
 	chip->vendor.priv = devm_kzalloc(dev, sizeof(struct priv_data),
 					 GFP_KERNEL);
+	if (!chip->vendor.priv) {
+		rc = -ENOMEM;
+		goto out_err;
+	}
 
 	/* Default timeouts */
 	chip->vendor.timeout_a = msecs_to_jiffies(TPM_I2C_SHORT_TIMEOUT);
--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
+++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
@@ -538,6 +538,11 @@ static int i2c_nuvoton_probe(struct i2c_
 
 	chip->vendor.priv = devm_kzalloc(dev, sizeof(struct priv_data),
 					 GFP_KERNEL);
+	if (!chip->vendor.priv) {
+		rc = -ENOMEM;
+		goto out_err;
+	}
+
 	init_waitqueue_head(&chip->vendor.read_queue);
 	init_waitqueue_head(&chip->vendor.int_queue);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 086/151] tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 085/151] char: tpm: Add missing error check for devm_kzalloc Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 087/151] tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hon Ching (Vicky) Lo, Peter Huewe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Hon Ching (Vicky) Lo" <honclo@linux.vnet.ibm.com>

commit 84eb186bc37c0900b53077ca21cf6dd15823a232 upstream.

There was an oops in tpm_ibmvtpm_get_desired_dma, which caused
kernel panic during boot when vTPM is enabled in Power partition
configured in AMS mode.

vio_bus_probe calls vio_cmo_bus_probe which calls
tpm_ibmvtpm_get_desired_dma to get the size needed for DMA allocation.
The problem is, vio_cmo_bus_probe is called before calling probe, which
for vtpm is tpm_ibmvtpm_probe and it's this function that initializes
and sets up vtpm's CRQ and gets required data values.  Therefore,
since this has not yet been done, NULL is returned in attempt to get
the size for DMA allocation.

We added a NULL check.  In addition, a default buffer size will
be set when NULL is returned.

Signed-off-by: Hon Ching (Vicky) Lo <honclo@linux.vnet.ibm.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_ibmvtpm.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/char/tpm/tpm_ibmvtpm.c
+++ b/drivers/char/tpm/tpm_ibmvtpm.c
@@ -307,6 +307,14 @@ static int tpm_ibmvtpm_remove(struct vio
 static unsigned long tpm_ibmvtpm_get_desired_dma(struct vio_dev *vdev)
 {
 	struct ibmvtpm_dev *ibmvtpm = ibmvtpm_get_data(&vdev->dev);
+
+	/* ibmvtpm initializes at probe time, so the data we are
+	* asking for may not be set yet. Estimate that 4K required
+	* for TCE-mapped buffer in addition to CRQ.
+	*/
+	if (!ibmvtpm)
+		return CRQ_RES_BUF_SIZE + PAGE_SIZE;
+
 	return CRQ_RES_BUF_SIZE + ibmvtpm->rtce_size;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 087/151] tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 086/151] tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 088/151] Added Little Endian support to vtpm module Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Christophe Ricard,
	Peter Huewe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe Ricard <christophe.ricard@gmail.com>

commit 1ba3b0b6f218072afe8372d12f1b6bf26a26008e upstream.

When sending data in tpm_stm_i2c_send, each loop iteration send buf.
Send buf + i instead as the goal of this for loop is to send a number
of byte from buf that fit in burstcnt. Once those byte are sent, we are
supposed to send the next ones.

The driver was working because the burstcount value returns always the maximum size for a TPM
command or response. (0x800 for a command and 0x400 for a response).

Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_i2c_stm_st33.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/tpm/tpm_i2c_stm_st33.c
+++ b/drivers/char/tpm/tpm_i2c_stm_st33.c
@@ -487,7 +487,7 @@ static int tpm_stm_i2c_send(struct tpm_c
 		if (burstcnt < 0)
 			return burstcnt;
 		size = min_t(int, len - i - 1, burstcnt);
-		ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf, size);
+		ret = I2C_WRITE_DATA(client, TPM_DATA_FIFO, buf + i, size);
 		if (ret < 0)
 			goto out_err;
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 088/151] Added Little Endian support to vtpm module
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 087/151] tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 089/151] nfs41: .init_read and .init_write can be called with valid pg_lseg Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hon Ching(Vicky) Lo, Joy Latten,
	Ashley Lai, Peter Huewe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: honclo <honclo@imap.linux.ibm.com>

commit eb71f8a5e33fa1066fb92f0111ab366a341e1f6c upstream.

The tpm_ibmvtpm module is affected by an unaligned access problem.
ibmvtpm_crq_get_version failed with rc=-4 during boot when vTPM is
enabled in Power partition, which supports both little endian and
big endian modes.

We added little endian support to fix this problem:
1) added cpu_to_be64 calls to ensure BE data is sent from an LE OS.
2) added be16_to_cpu and be32_to_cpu calls to make sure data received
   is in LE format on a LE OS.

Signed-off-by: Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
[phuewe: manually applied the patch :( ]
Reviewed-by: Ashley Lai <ashley@ahsleylai.com>
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_ibmvtpm.c |   20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/drivers/char/tpm/tpm_ibmvtpm.c
+++ b/drivers/char/tpm/tpm_ibmvtpm.c
@@ -148,7 +148,8 @@ static int tpm_ibmvtpm_send(struct tpm_c
 	crq.len = (u16)count;
 	crq.data = ibmvtpm->rtce_dma_handle;
 
-	rc = ibmvtpm_send_crq(ibmvtpm->vdev, word[0], word[1]);
+	rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(word[0]),
+			      cpu_to_be64(word[1]));
 	if (rc != H_SUCCESS) {
 		dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc);
 		rc = 0;
@@ -186,7 +187,8 @@ static int ibmvtpm_crq_get_rtce_size(str
 	crq.valid = (u8)IBMVTPM_VALID_CMD;
 	crq.msg = (u8)VTPM_GET_RTCE_BUFFER_SIZE;
 
-	rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]);
+	rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]),
+			      cpu_to_be64(buf[1]));
 	if (rc != H_SUCCESS)
 		dev_err(ibmvtpm->dev,
 			"ibmvtpm_crq_get_rtce_size failed rc=%d\n", rc);
@@ -212,7 +214,8 @@ static int ibmvtpm_crq_get_version(struc
 	crq.valid = (u8)IBMVTPM_VALID_CMD;
 	crq.msg = (u8)VTPM_GET_VERSION;
 
-	rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]);
+	rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]),
+			      cpu_to_be64(buf[1]));
 	if (rc != H_SUCCESS)
 		dev_err(ibmvtpm->dev,
 			"ibmvtpm_crq_get_version failed rc=%d\n", rc);
@@ -335,7 +338,8 @@ static int tpm_ibmvtpm_suspend(struct de
 	crq.valid = (u8)IBMVTPM_VALID_CMD;
 	crq.msg = (u8)VTPM_PREPARE_TO_SUSPEND;
 
-	rc = ibmvtpm_send_crq(ibmvtpm->vdev, buf[0], buf[1]);
+	rc = ibmvtpm_send_crq(ibmvtpm->vdev, cpu_to_be64(buf[0]),
+			      cpu_to_be64(buf[1]));
 	if (rc != H_SUCCESS)
 		dev_err(ibmvtpm->dev,
 			"tpm_ibmvtpm_suspend failed rc=%d\n", rc);
@@ -480,11 +484,11 @@ static void ibmvtpm_crq_process(struct i
 	case IBMVTPM_VALID_CMD:
 		switch (crq->msg) {
 		case VTPM_GET_RTCE_BUFFER_SIZE_RES:
-			if (crq->len <= 0) {
+			if (be16_to_cpu(crq->len) <= 0) {
 				dev_err(ibmvtpm->dev, "Invalid rtce size\n");
 				return;
 			}
-			ibmvtpm->rtce_size = crq->len;
+			ibmvtpm->rtce_size = be16_to_cpu(crq->len);
 			ibmvtpm->rtce_buf = kmalloc(ibmvtpm->rtce_size,
 						    GFP_KERNEL);
 			if (!ibmvtpm->rtce_buf) {
@@ -505,11 +509,11 @@ static void ibmvtpm_crq_process(struct i
 
 			return;
 		case VTPM_GET_VERSION_RES:
-			ibmvtpm->vtpm_version = crq->data;
+			ibmvtpm->vtpm_version = be32_to_cpu(crq->data);
 			return;
 		case VTPM_TPM_COMMAND_RES:
 			/* len of the data in rtce buffer */
-			ibmvtpm->res_len = crq->len;
+			ibmvtpm->res_len = be16_to_cpu(crq->len);
 			wake_up_interruptible(&ibmvtpm->wq);
 			return;
 		default:



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 089/151] nfs41: .init_read and .init_write can be called with valid pg_lseg
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 088/151] Added Little Endian support to vtpm module Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 091/151] NFSv4: Ensure we reference the inode for return-on-close in delegreturn Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peng Tao

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peng Tao <tao.peng@primarydata.com>

commit cb5d04bc39e914124e811ea55f3034d2379a5f6c upstream.

With pgio refactoring in v3.15, .init_read and .init_write can be
called with valid pgio->pg_lseg. file layout was fixed at that time
by commit c6194271f (pnfs: filelayout: support non page aligned
layouts). But the generic helper still needs to be fixed.

Signed-off-by: Peng Tao <tao.peng@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/pnfs.c |   41 ++++++++++++++++++++---------------------
 1 file changed, 20 insertions(+), 21 deletions(-)

--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1445,19 +1445,19 @@ pnfs_generic_pg_init_read(struct nfs_pag
 {
 	u64 rd_size = req->wb_bytes;
 
-	WARN_ON_ONCE(pgio->pg_lseg != NULL);
-
-	if (pgio->pg_dreq == NULL)
-		rd_size = i_size_read(pgio->pg_inode) - req_offset(req);
-	else
-		rd_size = nfs_dreq_bytes_left(pgio->pg_dreq);
-
-	pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode,
-					   req->wb_context,
-					   req_offset(req),
-					   rd_size,
-					   IOMODE_READ,
-					   GFP_KERNEL);
+	if (pgio->pg_lseg == NULL) {
+		if (pgio->pg_dreq == NULL)
+			rd_size = i_size_read(pgio->pg_inode) - req_offset(req);
+		else
+			rd_size = nfs_dreq_bytes_left(pgio->pg_dreq);
+
+		pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode,
+						   req->wb_context,
+						   req_offset(req),
+						   rd_size,
+						   IOMODE_READ,
+						   GFP_KERNEL);
+	}
 	/* If no lseg, fall back to read through mds */
 	if (pgio->pg_lseg == NULL)
 		nfs_pageio_reset_read_mds(pgio);
@@ -1469,14 +1469,13 @@ void
 pnfs_generic_pg_init_write(struct nfs_pageio_descriptor *pgio,
 			   struct nfs_page *req, u64 wb_size)
 {
-	WARN_ON_ONCE(pgio->pg_lseg != NULL);
-
-	pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode,
-					   req->wb_context,
-					   req_offset(req),
-					   wb_size,
-					   IOMODE_RW,
-					   GFP_NOFS);
+	if (pgio->pg_lseg == NULL)
+		pgio->pg_lseg = pnfs_update_layout(pgio->pg_inode,
+						   req->wb_context,
+						   req_offset(req),
+						   wb_size,
+						   IOMODE_RW,
+						   GFP_NOFS);
 	/* If no lseg, fall back to write through mds */
 	if (pgio->pg_lseg == NULL)
 		nfs_pageio_reset_write_mds(pgio);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 091/151] NFSv4: Ensure we reference the inode for return-on-close in delegreturn
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 089/151] nfs41: .init_read and .init_write can be called with valid pg_lseg Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 092/151] NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peng Tao, Trond Myklebust

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit ea7c38fef0b774a5dc16fb0ca5935f0ae8568176 upstream.

If we have to do a return-on-close in the delegreturn code, then
we must ensure that the inode and super block remain referenced.

Cc: Peng Tao <tao.peng@primarydata.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Reviewed-by: Peng Tao <tao.peng@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/internal.h |   22 +++++++++++++++++++++-
 fs/nfs/nfs4proc.c |   14 +++++++++-----
 fs/nfs/super.c    |    9 ++++++---
 3 files changed, 36 insertions(+), 9 deletions(-)

--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -377,7 +377,7 @@ extern struct rpc_stat nfs_rpcstat;
 
 extern int __init register_nfs_fs(void);
 extern void __exit unregister_nfs_fs(void);
-extern void nfs_sb_active(struct super_block *sb);
+extern bool nfs_sb_active(struct super_block *sb);
 extern void nfs_sb_deactive(struct super_block *sb);
 
 /* namespace.c */
@@ -495,6 +495,26 @@ extern int nfs41_walk_client_list(struct
 				struct nfs_client **result,
 				struct rpc_cred *cred);
 
+static inline struct inode *nfs_igrab_and_active(struct inode *inode)
+{
+	inode = igrab(inode);
+	if (inode != NULL && !nfs_sb_active(inode->i_sb)) {
+		iput(inode);
+		inode = NULL;
+	}
+	return inode;
+}
+
+static inline void nfs_iput_and_deactive(struct inode *inode)
+{
+	if (inode != NULL) {
+		struct super_block *sb = inode->i_sb;
+
+		iput(inode);
+		nfs_sb_deactive(sb);
+	}
+}
+
 /*
  * Determine the device name as a string
  */
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5130,9 +5130,13 @@ static void nfs4_delegreturn_done(struct
 static void nfs4_delegreturn_release(void *calldata)
 {
 	struct nfs4_delegreturndata *data = calldata;
+	struct inode *inode = data->inode;
 
-	if (data->roc)
-		pnfs_roc_release(data->inode);
+	if (inode) {
+		if (data->roc)
+			pnfs_roc_release(inode);
+		nfs_iput_and_deactive(inode);
+	}
 	kfree(calldata);
 }
 
@@ -5189,9 +5193,9 @@ static int _nfs4_proc_delegreturn(struct
 	nfs_fattr_init(data->res.fattr);
 	data->timestamp = jiffies;
 	data->rpc_status = 0;
-	data->inode = inode;
-	data->roc = list_empty(&NFS_I(inode)->open_files) ?
-		    pnfs_roc(inode) : false;
+	data->inode = nfs_igrab_and_active(inode);
+	if (data->inode)
+		data->roc = nfs4_roc(inode);
 
 	task_setup_data.callback_data = data;
 	msg.rpc_argp = &data->args;
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -405,12 +405,15 @@ void __exit unregister_nfs_fs(void)
 	unregister_filesystem(&nfs_fs_type);
 }
 
-void nfs_sb_active(struct super_block *sb)
+bool nfs_sb_active(struct super_block *sb)
 {
 	struct nfs_server *server = NFS_SB(sb);
 
-	if (atomic_inc_return(&server->active) == 1)
-		atomic_inc(&sb->s_active);
+	if (!atomic_inc_not_zero(&sb->s_active))
+		return false;
+	if (atomic_inc_return(&server->active) != 1)
+		atomic_dec(&sb->s_active);
+	return true;
 }
 EXPORT_SYMBOL_GPL(nfs_sb_active);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 092/151] NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 091/151] NFSv4: Ensure we reference the inode for return-on-close in delegreturn Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 093/151] sg: fix unkillable I/O wait deadlock with scsi-mq Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Ramos, Trond Myklebust

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit d8ba1f971497c19cf80da1ea5391a46a5f9fbd41 upstream.

If the call to decode_rc_list() fails due to a memory allocation error,
then we need to truncate the array size to ensure that we only call
kfree() on those pointer that were allocated.

Reported-by: David Ramos <daramos@stanford.edu>
Fixes: 4aece6a19cf7f ("nfs41: cb_sequence xdr implementation")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/callback_xdr.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/nfs/callback_xdr.c
+++ b/fs/nfs/callback_xdr.c
@@ -464,8 +464,10 @@ static __be32 decode_cb_sequence_args(st
 
 		for (i = 0; i < args->csa_nrclists; i++) {
 			status = decode_rc_list(xdr, &args->csa_rclists[i]);
-			if (status)
+			if (status) {
+				args->csa_nrclists = i;
 				goto out_free;
+			}
 		}
 	}
 	status = 0;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 093/151] sg: fix unkillable I/O wait deadlock with scsi-mq
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 092/151] NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 094/151] sg: fix EWOULDBLOCK errors " Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Battersby, Douglas Gilbert,
	James Bottomley

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Battersby <tonyb@cybernetics.com>

commit 7568615c1054907ea8c7701ab86dad51aa099888 upstream.

When using the write()/read() interface for submitting commands, the
SCSI generic driver does not call blk_put_request() on a completed SCSI
command until userspace calls read() to get the command completion.
Since scsi-mq uses a fixed number of preallocated requests, this makes
it possible for userspace to exhaust the entire preallocated supply of
requests.  For places in the kernel that call blk_get_request() with
GFP_KERNEL, this can cause the calling process to deadlock in a
permanent unkillable I/O wait in blk_get_request() -> ... -> bt_get().
For places in the kernel that call blk_get_request() with GFP_ATOMIC,
this can cause blk_get_request() always to return -EWOULDBLOCK.  Note
that these problems happen only if scsi-mq is enabled.  Prevent the
problems by calling blk_put_request() as soon as the SCSI command
completes instead of waiting for userspace to call read().

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Tested-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1376,6 +1376,17 @@ sg_rq_end_io(struct request *rq, int upt
 	}
 	/* Rely on write phase to clean out srp status values, so no "else" */
 
+	/*
+	 * Free the request as soon as it is complete so that its resources
+	 * can be reused without waiting for userspace to read() the
+	 * result.  But keep the associated bio (if any) around until
+	 * blk_rq_unmap_user() can be called from user context.
+	 */
+	srp->rq = NULL;
+	if (rq->cmd != rq->__cmd)
+		kfree(rq->cmd);
+	__blk_put_request(rq->q, rq);
+
 	write_lock_irqsave(&sfp->rq_list_lock, iflags);
 	if (unlikely(srp->orphan)) {
 		if (sfp->keep_orphan)
@@ -1803,10 +1814,10 @@ sg_finish_rem_req(Sg_request *srp)
 	SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
 				      "sg_finish_rem_req: res_used=%d\n",
 				      (int) srp->res_used));
-	if (srp->rq) {
-		if (srp->bio)
-			ret = blk_rq_unmap_user(srp->bio);
+	if (srp->bio)
+		ret = blk_rq_unmap_user(srp->bio);
 
+	if (srp->rq) {
 		if (srp->rq->cmd != srp->rq->__cmd)
 			kfree(srp->rq->cmd);
 		blk_put_request(srp->rq);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 094/151] sg: fix EWOULDBLOCK errors with scsi-mq
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 093/151] sg: fix unkillable I/O wait deadlock with scsi-mq Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 095/151] iscsi-target: Drop problematic active_ts_list usage Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Battersby, Douglas Gilbert,
	James Bottomley

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Battersby <tonyb@cybernetics.com>

commit 7772855a996ec6e16944b120ab5ce21050279821 upstream.

With scsi-mq enabled, userspace programs can get unexpected EWOULDBLOCK
(a.k.a. EAGAIN) errors when submitting commands to the SCSI generic
driver.  Fix by calling blk_get_request() with GFP_KERNEL instead of
GFP_ATOMIC.

Note: to avoid introducing a potential deadlock, this patch should be
applied after the patch titled "sg: fix unkillable I/O wait deadlock
with scsi-mq".

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Tested-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1721,7 +1721,22 @@ sg_start_req(Sg_request *srp, unsigned c
 			return -ENOMEM;
 	}
 
-	rq = blk_get_request(q, rw, GFP_ATOMIC);
+	/*
+	 * NOTE
+	 *
+	 * With scsi-mq enabled, there are a fixed number of preallocated
+	 * requests equal in number to shost->can_queue.  If all of the
+	 * preallocated requests are already in use, then using GFP_ATOMIC with
+	 * blk_get_request() will return -EWOULDBLOCK, whereas using GFP_KERNEL
+	 * will cause blk_get_request() to sleep until an active command
+	 * completes, freeing up a request.  Neither option is ideal, but
+	 * GFP_KERNEL is the better choice to prevent userspace from getting an
+	 * unexpected EWOULDBLOCK.
+	 *
+	 * With scsi-mq disabled, blk_get_request() with GFP_KERNEL usually
+	 * does not sleep except under memory pressure.
+	 */
+	rq = blk_get_request(q, rw, GFP_KERNEL);
 	if (IS_ERR(rq)) {
 		kfree(long_cmdp);
 		return PTR_ERR(rq);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 095/151] iscsi-target: Drop problematic active_ts_list usage
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 094/151] sg: fix EWOULDBLOCK errors " Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 096/151] cfq-iosched: handle failure of cfq group allocation Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gavin Guo, Moussa Ba, Nicholas Bellinger

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 3fd7b60f2c7418239d586e359e0c6d8503e10646 upstream.

This patch drops legacy active_ts_list usage within iscsi_target_tq.c
code.  It was originally used to track the active thread sets during
iscsi-target shutdown, and is no longer used by modern upstream code.

Two people have reported list corruption using traditional iscsi-target
and iser-target with the following backtrace, that appears to be related
to iscsi_thread_set->ts_list being used across both active_ts_list and
inactive_ts_list.

[   60.782534] ------------[ cut here ]------------
[   60.782543] WARNING: CPU: 0 PID: 9430 at lib/list_debug.c:53 __list_del_entry+0x63/0xd0()
[   60.782545] list_del corruption, ffff88045b00d180->next is LIST_POISON1 (dead000000100100)
[   60.782546] Modules linked in: ib_srpt tcm_qla2xxx qla2xxx tcm_loop
tcm_fc libfc scsi_transport_fc scsi_tgt ib_isert rdma_cm iw_cm ib_addr
iscsi_target_mod target_core_pscsi target_core_file target_core_iblock
target_core_mod configfs ebtable_nat ebtables ipt_MASQUERADE iptable_nat
nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT
xt_CHECKSUM iptable_mangle iptable_filter ip_tables bridge stp llc
autofs4 sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state
nf_conntrack ip6table_filter ip6_tables ipv6 ib_ipoib ib_cm ib_uverbs
ib_umad mlx4_en mlx4_ib ib_sa ib_mad ib_core mlx4_core dm_mirror
dm_region_hash dm_log dm_mod vhost_net macvtap macvlan vhost tun
kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support microcode serio_raw
pcspkr sb_edac edac_core sg i2c_i801 lpc_ich mfd_core mtip32xx igb
i2c_algo_bit i2c_core ptp pps_core ioatdma dca wmi ext3(F) jbd(F)
mbcache(F) sd_mod(F) crc_t10dif(F) crct10dif_common(F) ahci(F)
libahci(F) isci(F) libsas(F) scsi_transport_sas(F) [last unloaded:
speedstep_lib]
[   60.782597] CPU: 0 PID: 9430 Comm: iscsi_ttx Tainted: GF 3.12.19+ #2
[   60.782598] Hardware name: Supermicro X9DRX+-F/X9DRX+-F, BIOS 3.00 07/09/2013
[   60.782599]  0000000000000035 ffff88044de31d08 ffffffff81553ae7 0000000000000035
[   60.782602]  ffff88044de31d58 ffff88044de31d48 ffffffff8104d1cc 0000000000000002
[   60.782605]  ffff88045b00d180 ffff88045b00d0c0 ffff88045b00d0c0 ffff88044de31e58
[   60.782607] Call Trace:
[   60.782611]  [<ffffffff81553ae7>] dump_stack+0x49/0x62
[   60.782615]  [<ffffffff8104d1cc>] warn_slowpath_common+0x8c/0xc0
[   60.782618]  [<ffffffff8104d2b6>] warn_slowpath_fmt+0x46/0x50
[   60.782620]  [<ffffffff81280933>] __list_del_entry+0x63/0xd0
[   60.782622]  [<ffffffff812809b1>] list_del+0x11/0x40
[   60.782630]  [<ffffffffa06e7cf9>] iscsi_del_ts_from_active_list+0x29/0x50 [iscsi_target_mod]
[   60.782635]  [<ffffffffa06e87b1>] iscsi_tx_thread_pre_handler+0xa1/0x180 [iscsi_target_mod]
[   60.782642]  [<ffffffffa06fb9ae>] iscsi_target_tx_thread+0x4e/0x220 [iscsi_target_mod]
[   60.782647]  [<ffffffffa06fb960>] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod]
[   60.782652]  [<ffffffffa06fb960>] ? iscsit_handle_snack+0x190/0x190 [iscsi_target_mod]
[   60.782655]  [<ffffffff8106f99e>] kthread+0xce/0xe0
[   60.782657]  [<ffffffff8106f8d0>] ? kthread_freezable_should_stop+0x70/0x70
[   60.782660]  [<ffffffff8156026c>] ret_from_fork+0x7c/0xb0
[   60.782662]  [<ffffffff8106f8d0>] ? kthread_freezable_should_stop+0x70/0x70
[   60.782663] ---[ end trace 9662f4a661d33965 ]---

Since this code is no longer used, go ahead and drop the problematic usage
all-together.

Reported-by: Gavin Guo <gavin.guo@canonical.com>
Reported-by: Moussa Ba <moussaba@micron.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/iscsi/iscsi_target_tq.c |   28 +++++-----------------------
 1 file changed, 5 insertions(+), 23 deletions(-)

--- a/drivers/target/iscsi/iscsi_target_tq.c
+++ b/drivers/target/iscsi/iscsi_target_tq.c
@@ -24,36 +24,22 @@
 #include "iscsi_target_tq.h"
 #include "iscsi_target.h"
 
-static LIST_HEAD(active_ts_list);
 static LIST_HEAD(inactive_ts_list);
-static DEFINE_SPINLOCK(active_ts_lock);
 static DEFINE_SPINLOCK(inactive_ts_lock);
 static DEFINE_SPINLOCK(ts_bitmap_lock);
 
-static void iscsi_add_ts_to_active_list(struct iscsi_thread_set *ts)
-{
-	spin_lock(&active_ts_lock);
-	list_add_tail(&ts->ts_list, &active_ts_list);
-	iscsit_global->active_ts++;
-	spin_unlock(&active_ts_lock);
-}
-
 static void iscsi_add_ts_to_inactive_list(struct iscsi_thread_set *ts)
 {
+	if (!list_empty(&ts->ts_list)) {
+		WARN_ON(1);
+		return;
+	}
 	spin_lock(&inactive_ts_lock);
 	list_add_tail(&ts->ts_list, &inactive_ts_list);
 	iscsit_global->inactive_ts++;
 	spin_unlock(&inactive_ts_lock);
 }
 
-static void iscsi_del_ts_from_active_list(struct iscsi_thread_set *ts)
-{
-	spin_lock(&active_ts_lock);
-	list_del(&ts->ts_list);
-	iscsit_global->active_ts--;
-	spin_unlock(&active_ts_lock);
-}
-
 static struct iscsi_thread_set *iscsi_get_ts_from_inactive_list(void)
 {
 	struct iscsi_thread_set *ts;
@@ -66,7 +52,7 @@ static struct iscsi_thread_set *iscsi_ge
 
 	ts = list_first_entry(&inactive_ts_list, struct iscsi_thread_set, ts_list);
 
-	list_del(&ts->ts_list);
+	list_del_init(&ts->ts_list);
 	iscsit_global->inactive_ts--;
 	spin_unlock(&inactive_ts_lock);
 
@@ -204,8 +190,6 @@ static void iscsi_deallocate_extra_threa
 
 void iscsi_activate_thread_set(struct iscsi_conn *conn, struct iscsi_thread_set *ts)
 {
-	iscsi_add_ts_to_active_list(ts);
-
 	spin_lock_bh(&ts->ts_state_lock);
 	conn->thread_set = ts;
 	ts->conn = conn;
@@ -397,7 +381,6 @@ struct iscsi_conn *iscsi_rx_thread_pre_h
 
 	if (ts->delay_inactive && (--ts->thread_count == 0)) {
 		spin_unlock_bh(&ts->ts_state_lock);
-		iscsi_del_ts_from_active_list(ts);
 
 		if (!iscsit_global->in_shutdown)
 			iscsi_deallocate_extra_thread_sets();
@@ -452,7 +435,6 @@ struct iscsi_conn *iscsi_tx_thread_pre_h
 
 	if (ts->delay_inactive && (--ts->thread_count == 0)) {
 		spin_unlock_bh(&ts->ts_state_lock);
-		iscsi_del_ts_from_active_list(ts);
 
 		if (!iscsit_global->in_shutdown)
 			iscsi_deallocate_extra_thread_sets();



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 096/151] cfq-iosched: handle failure of cfq group allocation
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 095/151] iscsi-target: Drop problematic active_ts_list usage Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 097/151] cfq-iosched: fix incorrect filing of rt async cfqq Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov, Tejun Heo,
	Vivek Goyal, Jens Axboe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit 69abaffec7d47a083739b79e3066cb3730eba72e upstream.

Cfq_lookup_create_cfqg() allocates struct blkcg_gq using GFP_ATOMIC.
In cfq_find_alloc_queue() possible allocation failure is not handled.
As a result kernel oopses on NULL pointer dereference when
cfq_link_cfqq_cfqg() calls cfqg_get() for NULL pointer.

Bug was introduced in v3.5 in commit cd1604fab4f9 ("blkcg: factor
out blkio_group creation"). Prior to that commit cfq group lookup
had returned pointer to root group as fallback.

This patch handles this error using existing fallback oom_cfqq.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Fixes: cd1604fab4f9 ("blkcg: factor out blkio_group creation")
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/cfq-iosched.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -3590,6 +3590,11 @@ retry:
 
 	blkcg = bio_blkcg(bio);
 	cfqg = cfq_lookup_create_cfqg(cfqd, blkcg);
+	if (!cfqg) {
+		cfqq = &cfqd->oom_cfqq;
+		goto out;
+	}
+
 	cfqq = cic_to_cfqq(cic, is_sync);
 
 	/*
@@ -3626,7 +3631,7 @@ retry:
 		} else
 			cfqq = &cfqd->oom_cfqq;
 	}
-
+out:
 	if (new_cfqq)
 		kmem_cache_free(cfq_pool, new_cfqq);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 097/151] cfq-iosched: fix incorrect filing of rt async cfqq
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 096/151] cfq-iosched: handle failure of cfq group allocation Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 098/151] cipso: dont use IPCB() to locate the CIPSO IP option Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Moyer, Hidehiro Kawai, Jens Axboe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Moyer <jmoyer@redhat.com>

commit c6ce194325cef342313e3d27620411ce90a89c50 upstream.

Hi,

If you can manage to submit an async write as the first async I/O from
the context of a process with realtime scheduling priority, then a
cfq_queue is allocated, but filed into the wrong async_cfqq bucket.  It
ends up in the best effort array, but actually has realtime I/O
scheduling priority set in cfqq->ioprio.

The reason is that cfq_get_queue assumes the default scheduling class and
priority when there is no information present (i.e. when the async cfqq
is created):

static struct cfq_queue *
cfq_get_queue(struct cfq_data *cfqd, bool is_sync, struct cfq_io_cq *cic,
	      struct bio *bio, gfp_t gfp_mask)
{
	const int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
	const int ioprio = IOPRIO_PRIO_DATA(cic->ioprio);

cic->ioprio starts out as 0, which is "invalid".  So, class of 0
(IOPRIO_CLASS_NONE) is passed to cfq_async_queue_prio like so:

		async_cfqq = cfq_async_queue_prio(cfqd, ioprio_class, ioprio);

static struct cfq_queue **
cfq_async_queue_prio(struct cfq_data *cfqd, int ioprio_class, int ioprio)
{
        switch (ioprio_class) {
        case IOPRIO_CLASS_RT:
                return &cfqd->async_cfqq[0][ioprio];
        case IOPRIO_CLASS_NONE:
                ioprio = IOPRIO_NORM;
                /* fall through */
        case IOPRIO_CLASS_BE:
                return &cfqd->async_cfqq[1][ioprio];
        case IOPRIO_CLASS_IDLE:
                return &cfqd->async_idle_cfqq;
        default:
                BUG();
        }
}

Here, instead of returning a class mapped from the process' scheduling
priority, we get back the bucket associated with IOPRIO_CLASS_BE.

Now, there is no queue allocated there yet, so we create it:

		cfqq = cfq_find_alloc_queue(cfqd, is_sync, cic, bio, gfp_mask);

That function ends up doing this:

			cfq_init_cfqq(cfqd, cfqq, current->pid, is_sync);
			cfq_init_prio_data(cfqq, cic);

cfq_init_cfqq marks the priority as having changed.  Then, cfq_init_prio
data does this:

	ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
	switch (ioprio_class) {
	default:
		printk(KERN_ERR "cfq: bad prio %x\n", ioprio_class);
	case IOPRIO_CLASS_NONE:
		/*
		 * no prio set, inherit CPU scheduling settings
		 */
		cfqq->ioprio = task_nice_ioprio(tsk);
		cfqq->ioprio_class = task_nice_ioclass(tsk);
		break;

So we basically have two code paths that treat IOPRIO_CLASS_NONE
differently, which results in an RT async cfqq filed into a best effort
bucket.

Attached is a patch which fixes the problem.  I'm not sure how to make
it cleaner.  Suggestions would be welcome.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Tested-by: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/cfq-iosched.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -3661,12 +3661,17 @@ static struct cfq_queue *
 cfq_get_queue(struct cfq_data *cfqd, bool is_sync, struct cfq_io_cq *cic,
 	      struct bio *bio, gfp_t gfp_mask)
 {
-	const int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
-	const int ioprio = IOPRIO_PRIO_DATA(cic->ioprio);
+	int ioprio_class = IOPRIO_PRIO_CLASS(cic->ioprio);
+	int ioprio = IOPRIO_PRIO_DATA(cic->ioprio);
 	struct cfq_queue **async_cfqq = NULL;
 	struct cfq_queue *cfqq = NULL;
 
 	if (!is_sync) {
+		if (!ioprio_valid(cic->ioprio)) {
+			struct task_struct *tsk = current;
+			ioprio = task_nice_ioprio(tsk);
+			ioprio_class = task_nice_ioclass(tsk);
+		}
 		async_cfqq = cfq_async_queue_prio(cfqd, ioprio_class, ioprio);
 		cfqq = *async_cfqq;
 	}



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 098/151] cipso: dont use IPCB() to locate the CIPSO IP option
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 097/151] cfq-iosched: fix incorrect filing of rt async cfqq Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 099/151] ring-buffer: Do not wake up a splice waiter when page is not full Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Casey Schaufler, Paul Moore

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Moore <pmoore@redhat.com>

commit 04f81f0154e4bf002be6f4d85668ce1257efa4d9 upstream.

Using the IPCB() macro to get the IPv4 options is convenient, but
unfortunately NetLabel often needs to examine the CIPSO option outside
of the scope of the IP layer in the stack.  While historically IPCB()
worked above the IP layer, due to the inclusion of the inet_skb_param
struct at the head of the {tcp,udp}_skb_cb structs, recent commit
971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
reordered the tcp_skb_cb struct and invalidated this IPCB() trick.

This patch fixes the problem by creating a new function,
cipso_v4_optptr(), which locates the CIPSO option inside the IP header
without calling IPCB().  Unfortunately, this isn't as fast as a simple
lookup so some additional tweaks were made to limit the use of this
new function.

Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Tested-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/net/cipso_ipv4.h     |   25 +++++++++++++--------
 net/ipv4/cipso_ipv4.c        |   51 +++++++++++++++++++++++++------------------
 net/netlabel/netlabel_kapi.c |   15 ++++++++----
 3 files changed, 56 insertions(+), 35 deletions(-)

--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -121,13 +121,6 @@ extern int cipso_v4_rbm_strictvalid;
 #endif
 
 /*
- * Helper Functions
- */
-
-#define CIPSO_V4_OPTEXIST(x) (IPCB(x)->opt.cipso != 0)
-#define CIPSO_V4_OPTPTR(x) (skb_network_header(x) + IPCB(x)->opt.cipso)
-
-/*
  * DOI List Functions
  */
 
@@ -190,7 +183,7 @@ static inline int cipso_v4_doi_domhsh_re
 
 #ifdef CONFIG_NETLABEL
 void cipso_v4_cache_invalidate(void);
-int cipso_v4_cache_add(const struct sk_buff *skb,
+int cipso_v4_cache_add(const unsigned char *cipso_ptr,
 		       const struct netlbl_lsm_secattr *secattr);
 #else
 static inline void cipso_v4_cache_invalidate(void)
@@ -198,7 +191,7 @@ static inline void cipso_v4_cache_invali
 	return;
 }
 
-static inline int cipso_v4_cache_add(const struct sk_buff *skb,
+static inline int cipso_v4_cache_add(const unsigned char *cipso_ptr,
 				     const struct netlbl_lsm_secattr *secattr)
 {
 	return 0;
@@ -211,6 +204,8 @@ static inline int cipso_v4_cache_add(con
 
 #ifdef CONFIG_NETLABEL
 void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
+int cipso_v4_getattr(const unsigned char *cipso,
+		     struct netlbl_lsm_secattr *secattr);
 int cipso_v4_sock_setattr(struct sock *sk,
 			  const struct cipso_v4_doi *doi_def,
 			  const struct netlbl_lsm_secattr *secattr);
@@ -226,6 +221,7 @@ int cipso_v4_skbuff_setattr(struct sk_bu
 int cipso_v4_skbuff_delattr(struct sk_buff *skb);
 int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
 			    struct netlbl_lsm_secattr *secattr);
+unsigned char *cipso_v4_optptr(const struct sk_buff *skb);
 int cipso_v4_validate(const struct sk_buff *skb, unsigned char **option);
 #else
 static inline void cipso_v4_error(struct sk_buff *skb,
@@ -235,6 +231,12 @@ static inline void cipso_v4_error(struct
 	return;
 }
 
+static inline int cipso_v4_getattr(const unsigned char *cipso,
+				   struct netlbl_lsm_secattr *secattr)
+{
+	return -ENOSYS;
+}
+
 static inline int cipso_v4_sock_setattr(struct sock *sk,
 				      const struct cipso_v4_doi *doi_def,
 				      const struct netlbl_lsm_secattr *secattr)
@@ -282,6 +284,11 @@ static inline int cipso_v4_skbuff_getatt
 	return -ENOSYS;
 }
 
+static inline unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+{
+	return NULL;
+}
+
 static inline int cipso_v4_validate(const struct sk_buff *skb,
 				    unsigned char **option)
 {
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -376,20 +376,18 @@ static int cipso_v4_cache_check(const un
  * negative values on failure.
  *
  */
-int cipso_v4_cache_add(const struct sk_buff *skb,
+int cipso_v4_cache_add(const unsigned char *cipso_ptr,
 		       const struct netlbl_lsm_secattr *secattr)
 {
 	int ret_val = -EPERM;
 	u32 bkt;
 	struct cipso_v4_map_cache_entry *entry = NULL;
 	struct cipso_v4_map_cache_entry *old_entry = NULL;
-	unsigned char *cipso_ptr;
 	u32 cipso_ptr_len;
 
 	if (!cipso_v4_cache_enabled || cipso_v4_cache_bucketsize <= 0)
 		return 0;
 
-	cipso_ptr = CIPSO_V4_OPTPTR(skb);
 	cipso_ptr_len = cipso_ptr[1];
 
 	entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
@@ -1577,6 +1575,33 @@ static int cipso_v4_parsetag_loc(const s
 }
 
 /**
+ * cipso_v4_optptr - Find the CIPSO option in the packet
+ * @skb: the packet
+ *
+ * Description:
+ * Parse the packet's IP header looking for a CIPSO option.  Returns a pointer
+ * to the start of the CIPSO option on success, NULL if one if not found.
+ *
+ */
+unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+{
+	const struct iphdr *iph = ip_hdr(skb);
+	unsigned char *optptr = (unsigned char *)&(ip_hdr(skb)[1]);
+	int optlen;
+	int taglen;
+
+	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+		if (optptr[0] == IPOPT_CIPSO)
+			return optptr;
+		taglen = optptr[1];
+		optlen -= taglen;
+		optptr += taglen;
+	}
+
+	return NULL;
+}
+
+/**
  * cipso_v4_validate - Validate a CIPSO option
  * @option: the start of the option, on error it is set to point to the error
  *
@@ -2117,8 +2142,8 @@ void cipso_v4_req_delattr(struct request
  * on success and negative values on failure.
  *
  */
-static int cipso_v4_getattr(const unsigned char *cipso,
-			    struct netlbl_lsm_secattr *secattr)
+int cipso_v4_getattr(const unsigned char *cipso,
+		     struct netlbl_lsm_secattr *secattr)
 {
 	int ret_val = -ENOMSG;
 	u32 doi;
@@ -2303,22 +2328,6 @@ int cipso_v4_skbuff_delattr(struct sk_bu
 	return 0;
 }
 
-/**
- * cipso_v4_skbuff_getattr - Get the security attributes from the CIPSO option
- * @skb: the packet
- * @secattr: the security attributes
- *
- * Description:
- * Parse the given packet's CIPSO option and return the security attributes.
- * Returns zero on success and negative values on failure.
- *
- */
-int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
-			    struct netlbl_lsm_secattr *secattr)
-{
-	return cipso_v4_getattr(CIPSO_V4_OPTPTR(skb), secattr);
-}
-
 /*
  * Setup Functions
  */
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1065,10 +1065,12 @@ int netlbl_skbuff_getattr(const struct s
 			  u16 family,
 			  struct netlbl_lsm_secattr *secattr)
 {
+	unsigned char *ptr;
+
 	switch (family) {
 	case AF_INET:
-		if (CIPSO_V4_OPTEXIST(skb) &&
-		    cipso_v4_skbuff_getattr(skb, secattr) == 0)
+		ptr = cipso_v4_optptr(skb);
+		if (ptr && cipso_v4_getattr(ptr, secattr) == 0)
 			return 0;
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
@@ -1094,7 +1096,7 @@ int netlbl_skbuff_getattr(const struct s
  */
 void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway)
 {
-	if (CIPSO_V4_OPTEXIST(skb))
+	if (cipso_v4_optptr(skb))
 		cipso_v4_error(skb, error, gateway);
 }
 
@@ -1126,11 +1128,14 @@ void netlbl_cache_invalidate(void)
 int netlbl_cache_add(const struct sk_buff *skb,
 		     const struct netlbl_lsm_secattr *secattr)
 {
+	unsigned char *ptr;
+
 	if ((secattr->flags & NETLBL_SECATTR_CACHE) == 0)
 		return -ENOMSG;
 
-	if (CIPSO_V4_OPTEXIST(skb))
-		return cipso_v4_cache_add(skb, secattr);
+	ptr = cipso_v4_optptr(skb);
+	if (ptr)
+		return cipso_v4_cache_add(ptr, secattr);
 
 	return -ENOMSG;
 }



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 099/151] ring-buffer: Do not wake up a splice waiter when page is not full
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 098/151] cipso: dont use IPCB() to locate the CIPSO IP option Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 100/151] smack: fix possible use after frees in task_security() callers Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rabin Vincent, Steven Rostedt

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 1e0d6714aceb770b04161fbedd7765d0e1fc27bd upstream.

When an application connects to the ring buffer via splice, it can only
read full pages. Splice does not work with partial pages. If there is
not enough data to fill a page, the splice command will either block
or return -EAGAIN (if set to nonblock).

Code was added where if the page is not full, to just sleep again.
The problem is, it will get woken up again on the next event. That
is, when something is written into the ring buffer, if there is a waiter
it will wake it up. The waiter would then check the buffer, see that
it still does not have enough data to fill a page and go back to sleep.
To make matters worse, when the waiter goes back to sleep, it could
cause another event, which would wake it back up again to see it
doesn't have enough data and sleep again. This produces a tremendous
overhead and fills the ring buffer with noise.

For example, recording sched_switch on an idle system for 10 seconds
produces 25,350,475 events!!!

Create another wait queue for those waiters wanting full pages.
When an event is written, it only wakes up waiters if there's a full
page of data. It does not wake up the waiter if the page is not yet
full.

After this change, recording sched_switch on an idle system for 10
seconds produces only 800 events. Getting rid of 25,349,675 useless
events (99.9969% of events!!), is something to take seriously.

Cc: Rabin Vincent <rabin@rab.in>
Fixes: e30f53aad220 "tracing: Do not busy wait in buffer splice"
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/ring_buffer.c |   40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -450,7 +450,10 @@ int ring_buffer_print_page_header(struct
 struct rb_irq_work {
 	struct irq_work			work;
 	wait_queue_head_t		waiters;
+	wait_queue_head_t		full_waiters;
 	bool				waiters_pending;
+	bool				full_waiters_pending;
+	bool				wakeup_full;
 };
 
 /*
@@ -532,6 +535,10 @@ static void rb_wake_up_waiters(struct ir
 	struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work);
 
 	wake_up_all(&rbwork->waiters);
+	if (rbwork->wakeup_full) {
+		rbwork->wakeup_full = false;
+		wake_up_all(&rbwork->full_waiters);
+	}
 }
 
 /**
@@ -556,9 +563,11 @@ int ring_buffer_wait(struct ring_buffer
 	 * data in any cpu buffer, or a specific buffer, put the
 	 * caller on the appropriate wait queue.
 	 */
-	if (cpu == RING_BUFFER_ALL_CPUS)
+	if (cpu == RING_BUFFER_ALL_CPUS) {
 		work = &buffer->irq_work;
-	else {
+		/* Full only makes sense on per cpu reads */
+		full = false;
+	} else {
 		if (!cpumask_test_cpu(cpu, buffer->cpumask))
 			return -ENODEV;
 		cpu_buffer = buffer->buffers[cpu];
@@ -567,7 +576,10 @@ int ring_buffer_wait(struct ring_buffer
 
 
 	while (true) {
-		prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE);
+		if (full)
+			prepare_to_wait(&work->full_waiters, &wait, TASK_INTERRUPTIBLE);
+		else
+			prepare_to_wait(&work->waiters, &wait, TASK_INTERRUPTIBLE);
 
 		/*
 		 * The events can happen in critical sections where
@@ -589,7 +601,10 @@ int ring_buffer_wait(struct ring_buffer
 		 * that is necessary is that the wake up happens after
 		 * a task has been queued. It's OK for spurious wake ups.
 		 */
-		work->waiters_pending = true;
+		if (full)
+			work->full_waiters_pending = true;
+		else
+			work->waiters_pending = true;
 
 		if (signal_pending(current)) {
 			ret = -EINTR;
@@ -618,7 +633,10 @@ int ring_buffer_wait(struct ring_buffer
 		schedule();
 	}
 
-	finish_wait(&work->waiters, &wait);
+	if (full)
+		finish_wait(&work->full_waiters, &wait);
+	else
+		finish_wait(&work->waiters, &wait);
 
 	return ret;
 }
@@ -1233,6 +1251,7 @@ rb_allocate_cpu_buffer(struct ring_buffe
 	init_completion(&cpu_buffer->update_done);
 	init_irq_work(&cpu_buffer->irq_work.work, rb_wake_up_waiters);
 	init_waitqueue_head(&cpu_buffer->irq_work.waiters);
+	init_waitqueue_head(&cpu_buffer->irq_work.full_waiters);
 
 	bpage = kzalloc_node(ALIGN(sizeof(*bpage), cache_line_size()),
 			    GFP_KERNEL, cpu_to_node(cpu));
@@ -2804,6 +2823,8 @@ static void rb_commit(struct ring_buffer
 static __always_inline void
 rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer)
 {
+	bool pagebusy;
+
 	if (buffer->irq_work.waiters_pending) {
 		buffer->irq_work.waiters_pending = false;
 		/* irq_work_queue() supplies it's own memory barriers */
@@ -2815,6 +2836,15 @@ rb_wakeups(struct ring_buffer *buffer, s
 		/* irq_work_queue() supplies it's own memory barriers */
 		irq_work_queue(&cpu_buffer->irq_work.work);
 	}
+
+	pagebusy = cpu_buffer->reader_page == cpu_buffer->commit_page;
+
+	if (!pagebusy && cpu_buffer->irq_work.full_waiters_pending) {
+		cpu_buffer->irq_work.wakeup_full = true;
+		cpu_buffer->irq_work.full_waiters_pending = false;
+		/* irq_work_queue() supplies it's own memory barriers */
+		irq_work_queue(&cpu_buffer->irq_work.work);
+	}
 }
 
 /**



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 100/151] smack: fix possible use after frees in task_security() callers
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 099/151] ring-buffer: Do not wake up a splice waiter when page is not full Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 101/151] axonram: Fix bug in direct_access Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andrey Ryabinin

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <a.ryabinin@samsung.com>

commit 6d1cff2a885850b78b40c34777b46cf5da5d1050 upstream.

We hit use after free on dereferncing pointer to task_smack struct in
smk_of_task() called from smack_task_to_inode().

task_security() macro uses task_cred_xxx() to get pointer to the task_smack.
task_cred_xxx() could be used only for non-pointer members of task's
credentials. It cannot be used for pointer members since what they point
to may disapper after dropping RCU read lock.

Mainly task_security() used this way:
	smk_of_task(task_security(p))

Intead of this introduce function smk_of_task_struct() which
takes task_struct as argument and returns pointer to smk_known struct
and do this under RCU read lock.
Bogus task_security() macro is not used anymore, so remove it.

KASan's report for this:

	AddressSanitizer: use after free in smack_task_to_inode+0x50/0x70 at addr c4635600
	=============================================================================
	BUG kmalloc-64 (Tainted: PO): kasan error
	-----------------------------------------------------------------------------

	Disabling lock debugging due to kernel taint
	INFO: Allocated in new_task_smack+0x44/0xd8 age=39 cpu=0 pid=1866
		kmem_cache_alloc_trace+0x88/0x1bc
		new_task_smack+0x44/0xd8
		smack_cred_prepare+0x48/0x21c
		security_prepare_creds+0x44/0x4c
		prepare_creds+0xdc/0x110
		smack_setprocattr+0x104/0x150
		security_setprocattr+0x4c/0x54
		proc_pid_attr_write+0x12c/0x194
		vfs_write+0x1b0/0x370
		SyS_write+0x5c/0x94
		ret_fast_syscall+0x0/0x48
	INFO: Freed in smack_cred_free+0xc4/0xd0 age=27 cpu=0 pid=1564
		kfree+0x270/0x290
		smack_cred_free+0xc4/0xd0
		security_cred_free+0x34/0x3c
		put_cred_rcu+0x58/0xcc
		rcu_process_callbacks+0x738/0x998
		__do_softirq+0x264/0x4cc
		do_softirq+0x94/0xf4
		irq_exit+0xbc/0x120
		handle_IRQ+0x104/0x134
		gic_handle_irq+0x70/0xac
		__irq_svc+0x44/0x78
		_raw_spin_unlock+0x18/0x48
		sync_inodes_sb+0x17c/0x1d8
		sync_filesystem+0xac/0xfc
		vdfs_file_fsync+0x90/0xc0
		vfs_fsync_range+0x74/0x7c
	INFO: Slab 0xd3b23f50 objects=32 used=31 fp=0xc4635600 flags=0x4080
	INFO: Object 0xc4635600 @offset=5632 fp=0x  (null)

	Bytes b4 c46355f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
	Object c4635600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
	Object c4635610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
	Object c4635620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
	Object c4635630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
	Redzone c4635640: bb bb bb bb                                      ....
	Padding c46356e8: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
	Padding c46356f8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
	CPU: 5 PID: 834 Comm: launchpad_prelo Tainted: PBO 3.10.30 #1
	Backtrace:
	[<c00233a4>] (dump_backtrace+0x0/0x158) from [<c0023dec>] (show_stack+0x20/0x24)
	 r7:c4634010 r6:d3b23f50 r5:c4635600 r4:d1002140
	[<c0023dcc>] (show_stack+0x0/0x24) from [<c06d6d7c>] (dump_stack+0x20/0x28)
	[<c06d6d5c>] (dump_stack+0x0/0x28) from [<c01c1d50>] (print_trailer+0x124/0x144)
	[<c01c1c2c>] (print_trailer+0x0/0x144) from [<c01c1e88>] (object_err+0x3c/0x44)
	 r7:c4635600 r6:d1002140 r5:d3b23f50 r4:c4635600
	[<c01c1e4c>] (object_err+0x0/0x44) from [<c01cac18>] (kasan_report_error+0x2b8/0x538)
	 r6:d1002140 r5:d3b23f50 r4:c6429cf8 r3:c09e1aa7
	[<c01ca960>] (kasan_report_error+0x0/0x538) from [<c01c9430>] (__asan_load4+0xd4/0xf8)
	[<c01c935c>] (__asan_load4+0x0/0xf8) from [<c031e168>] (smack_task_to_inode+0x50/0x70)
	 r5:c4635600 r4:ca9da000
	[<c031e118>] (smack_task_to_inode+0x0/0x70) from [<c031af64>] (security_task_to_inode+0x3c/0x44)
	 r5:cca25e80 r4:c0ba9780
	[<c031af28>] (security_task_to_inode+0x0/0x44) from [<c023d614>] (pid_revalidate+0x124/0x178)
	 r6:00000000 r5:cca25e80 r4:cbabe3c0 r3:00008124
	[<c023d4f0>] (pid_revalidate+0x0/0x178) from [<c01db98c>] (lookup_fast+0x35c/0x43y4)
	 r9:c6429efc r8:00000101 r7:c079d940 r6:c6429e90 r5:c6429ed8 r4:c83c4148
	[<c01db630>] (lookup_fast+0x0/0x434) from [<c01deec8>] (do_last.isra.24+0x1c0/0x1108)
	[<c01ded08>] (do_last.isra.24+0x0/0x1108) from [<c01dff04>] (path_openat.isra.25+0xf4/0x648)
	[<c01dfe10>] (path_openat.isra.25+0x0/0x648) from [<c01e1458>] (do_filp_open+0x3c/0x88)
	[<c01e141c>] (do_filp_open+0x0/0x88) from [<c01ccb28>] (do_sys_open+0xf0/0x198)
	 r7:00000001 r6:c0ea2180 r5:0000000b r4:00000000
	[<c01cca38>] (do_sys_open+0x0/0x198) from [<c01ccc00>] (SyS_open+0x30/0x34)
	[<c01ccbd0>] (SyS_open+0x0/0x34) from [<c001db80>] (ret_fast_syscall+0x0/0x48)
	Read of size 4 by thread T834:
	Memory state around the buggy address:
	 c4635380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	 c4635400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
	 c4635480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	 c4635500: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
	 c4635580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	>c4635600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	           ^
	 c4635680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	 c4635700: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
	 c4635780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	 c4635800: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
	 c4635880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	==================================================================

Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/smack/smack.h     |   10 ++++++++++
 security/smack/smack_lsm.c |   24 +++++++++++++-----------
 2 files changed, 23 insertions(+), 11 deletions(-)

--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -298,6 +298,16 @@ static inline struct smack_known *smk_of
 	return tsp->smk_task;
 }
 
+static inline struct smack_known *smk_of_task_struct(const struct task_struct *t)
+{
+	struct smack_known *skp;
+
+	rcu_read_lock();
+	skp = smk_of_task(__task_cred(t)->security);
+	rcu_read_unlock();
+	return skp;
+}
+
 /*
  * Present a pointer to the forked smack label entry in an task blob.
  */
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -43,8 +43,6 @@
 #include <linux/binfmts.h>
 #include "smack.h"
 
-#define task_security(task)	(task_cred_xxx((task), security))
-
 #define TRANS_TRUE	"TRUE"
 #define TRANS_TRUE_SIZE	4
 
@@ -119,7 +117,7 @@ static int smk_bu_current(char *note, st
 static int smk_bu_task(struct task_struct *otp, int mode, int rc)
 {
 	struct task_smack *tsp = current_security();
-	struct task_smack *otsp = task_security(otp);
+	struct smack_known *smk_task = smk_of_task_struct(otp);
 	char acc[SMK_NUM_ACCESS_TYPE + 1];
 
 	if (rc <= 0)
@@ -127,7 +125,7 @@ static int smk_bu_task(struct task_struc
 
 	smk_bu_mode(mode, acc);
 	pr_info("Smack Bringup: (%s %s %s) %s to %s\n",
-		tsp->smk_task->smk_known, otsp->smk_task->smk_known, acc,
+		tsp->smk_task->smk_known, smk_task->smk_known, acc,
 		current->comm, otp->comm);
 	return 0;
 }
@@ -344,7 +342,8 @@ static int smk_ptrace_rule_check(struct
 		saip = &ad;
 	}
 
-	tsp = task_security(tracer);
+	rcu_read_lock();
+	tsp = __task_cred(tracer)->security;
 	tracer_known = smk_of_task(tsp);
 
 	if ((mode & PTRACE_MODE_ATTACH) &&
@@ -364,11 +363,14 @@ static int smk_ptrace_rule_check(struct
 				  tracee_known->smk_known,
 				  0, rc, saip);
 
+		rcu_read_unlock();
 		return rc;
 	}
 
 	/* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
 	rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);
+
+	rcu_read_unlock();
 	return rc;
 }
 
@@ -395,7 +397,7 @@ static int smack_ptrace_access_check(str
 	if (rc != 0)
 		return rc;
 
-	skp = smk_of_task(task_security(ctp));
+	skp = smk_of_task_struct(ctp);
 
 	rc = smk_ptrace_rule_check(current, skp, mode, __func__);
 	return rc;
@@ -1825,7 +1827,7 @@ static int smk_curacc_on_task(struct tas
 				const char *caller)
 {
 	struct smk_audit_info ad;
-	struct smack_known *skp = smk_of_task(task_security(p));
+	struct smack_known *skp = smk_of_task_struct(p);
 	int rc;
 
 	smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
@@ -1878,7 +1880,7 @@ static int smack_task_getsid(struct task
  */
 static void smack_task_getsecid(struct task_struct *p, u32 *secid)
 {
-	struct smack_known *skp = smk_of_task(task_security(p));
+	struct smack_known *skp = smk_of_task_struct(p);
 
 	*secid = skp->smk_secid;
 }
@@ -1985,7 +1987,7 @@ static int smack_task_kill(struct task_s
 {
 	struct smk_audit_info ad;
 	struct smack_known *skp;
-	struct smack_known *tkp = smk_of_task(task_security(p));
+	struct smack_known *tkp = smk_of_task_struct(p);
 	int rc;
 
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
@@ -2039,7 +2041,7 @@ static int smack_task_wait(struct task_s
 static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
 {
 	struct inode_smack *isp = inode->i_security;
-	struct smack_known *skp = smk_of_task(task_security(p));
+	struct smack_known *skp = smk_of_task_struct(p);
 
 	isp->smk_inode = skp;
 }
@@ -3199,7 +3201,7 @@ unlockandout:
  */
 static int smack_getprocattr(struct task_struct *p, char *name, char **value)
 {
-	struct smack_known *skp = smk_of_task(task_security(p));
+	struct smack_known *skp = smk_of_task_struct(p);
 	char *cp;
 	int slen;
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 101/151] axonram: Fix bug in direct_access
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 100/151] smack: fix possible use after frees in task_security() callers Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 102/151] tty: Prevent untrappable signals from malicious program Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthew Wilcox, Jan Kara,
	Mathieu Desnoyers, Jens Axboe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthew Wilcox <matthew.r.wilcox@intel.com>

commit 91117a20245b59f70b563523edbf998a62fc6383 upstream.

The 'pfn' returned by axonram was completely bogus, and has been since
2008.

Signed-off-by: Matthew Wilcox <matthew.r.wilcox@intel.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/sysdev/axonram.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/sysdev/axonram.c
+++ b/arch/powerpc/sysdev/axonram.c
@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_devi
 	}
 
 	*kaddr = (void *)(bank->ph_addr + offset);
-	*pfn = virt_to_phys(kaddr) >> PAGE_SHIFT;
+	*pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT;
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 102/151] tty: Prevent untrappable signals from malicious program
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 101/151] axonram: Fix bug in direct_access Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 103/151] tty/serial: at91: fix error handling in atmel_serial_probe() Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Theodore Tso, Howard Chu,
	One Thousand Gnomes, Jiri Slaby, Peter Hurley

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 37480a05685ed5b8e1b9bf5e5c53b5810258b149 upstream.

Commit 26df6d13406d1a5 ("tty: Add EXTPROC support for LINEMODE")
allows a process which has opened a pty master to send _any_ signal
to the process group of the pty slave. Although potentially
exploitable by a malicious program running a setuid program on
a pty slave, it's unknown if this exploit currently exists.

Limit to signals actually used.

Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Howard Chu <hyc@symas.com>
Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/pty.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -210,6 +210,9 @@ static int pty_signal(struct tty_struct
 	unsigned long flags;
 	struct pid *pgrp;
 
+	if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP)
+		return -EINVAL;
+
 	if (tty->link) {
 		spin_lock_irqsave(&tty->link->ctrl_lock, flags);
 		pgrp = get_pid(tty->link->pgrp);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 103/151] tty/serial: at91: fix error handling in atmel_serial_probe()
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 102/151] tty: Prevent untrappable signals from malicious program Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 104/151] mei: mask interrupt set bit on clean reset bit Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Cyrille Pitchen, Nicolas Ferre

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cyrille Pitchen <cyrille.pitchen@atmel.com>

commit 6fbb9bdf0f3fbe23aeff806489791aa876adaffb upstream.

-EDEFER error wasn't handle properly by atmel_serial_probe().
As an example, when atmel_serial_probe() is called for the first time, we pass
the test_and_set_bit() test to check whether the port has already been
initalized. Then we call atmel_init_port(), which may return -EDEFER, possibly
returned before by clk_get(). Consequently atmel_serial_probe() used to return
this error code WITHOUT clearing the port bit in the "atmel_ports_in_use" mask.
When atmel_serial_probe() was called for the second time, it used to fail on
the test_and_set_bit() function then returning -EBUSY.

When atmel_serial_probe() fails, this patch make it clear the port bit in the
"atmel_ports_in_use" mask, if needed, before returning the error code.

Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/atmel_serial.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -2577,7 +2577,7 @@ static int atmel_serial_probe(struct pla
 
 	ret = atmel_init_port(port, pdev);
 	if (ret)
-		goto err;
+		goto err_clear_bit;
 
 	if (!atmel_use_pdc_rx(&port->uart)) {
 		ret = -ENOMEM;
@@ -2626,6 +2626,8 @@ err_alloc_ring:
 		clk_put(port->clk);
 		port->clk = NULL;
 	}
+err_clear_bit:
+	clear_bit(port->uart.line, atmel_ports_in_use);
 err:
 	return ret;
 }



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 104/151] mei: mask interrupt set bit on clean reset bit
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 103/151] tty/serial: at91: fix error handling in atmel_serial_probe() Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:13 ` [PATCH 3.18 105/151] mei: me: release hw from reset only during the reset flow Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 1ab1e79b9fd4b01331490bbe2e630a0fc0b25449 upstream.

We should mask interrupt set bit when writing back
hcsr value in reset bit clean-up.

This is refinement for
mei: clean reset bit before reset
commit b13a65ef190e488e2761d65bdd2e1fe8a3a125f5

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mei/hw-me.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/mei/hw-me.c
+++ b/drivers/misc/mei/hw-me.c
@@ -242,7 +242,7 @@ static int mei_me_hw_reset(struct mei_de
 	if ((hcsr & H_RST) == H_RST) {
 		dev_warn(dev->dev, "H_RST is set = 0x%08X", hcsr);
 		hcsr &= ~H_RST;
-		mei_me_reg_write(hw, H_CSR, hcsr);
+		mei_hcsr_set(hw, hcsr);
 		hcsr = mei_hcsr_read(hw);
 	}
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 105/151] mei: me: release hw from reset only during the reset flow
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 104/151] mei: mask interrupt set bit on clean reset bit Greg Kroah-Hartman
@ 2015-03-04  6:13 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 106/151] USB: cp210x: add ID for RUGGEDCOM USB Serial Console Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:13 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 663b7ee9517eec6deea9a48c7a1392a9a34f7809 upstream.

We might enter the interrupt handler with hw_ready already set,
but prior we actually started the reset flow.
To soleve this we move the reset release from the interrupt handler
to the HW start wait function which is part of the reset sequence.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mei/hw-me.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/misc/mei/hw-me.c
+++ b/drivers/misc/mei/hw-me.c
@@ -335,6 +335,7 @@ static int mei_me_hw_ready_wait(struct m
 		return -ETIME;
 	}
 
+	mei_me_hw_reset_release(dev);
 	dev->recvd_hw_ready = false;
 	return 0;
 }
@@ -729,9 +730,7 @@ irqreturn_t mei_me_irq_thread_handler(in
 	/*  check if we need to start the dev */
 	if (!mei_host_is_ready(dev)) {
 		if (mei_hw_is_ready(dev)) {
-			mei_me_hw_reset_release(dev);
 			dev_dbg(dev->dev, "we need to start the dev.\n");
-
 			dev->recvd_hw_ready = true;
 			wake_up(&dev->wait_hw_ready);
 		} else {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 106/151] USB: cp210x: add ID for RUGGEDCOM USB Serial Console
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2015-03-04  6:13 ` [PATCH 3.18 105/151] mei: me: release hw from reset only during the reset flow Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 107/151] USB: fix use-after-free bug in usb_hcd_unlink_urb() Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Len Sorensen, Johan Hovold

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>

commit a6f0331236fa75afba14bbcf6668d42cebb55c43 upstream.

Added the USB serial console device ID for Siemens Ruggedcom devices
which have a USB port for their serial console.

Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cp210x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -56,6 +56,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */
 	{ USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
 	{ USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */
+	{ USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */
 	{ USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */
 	{ USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */
 	{ USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 107/151] USB: fix use-after-free bug in usb_hcd_unlink_urb()
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 106/151] USB: cp210x: add ID for RUGGEDCOM USB Serial Console Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 108/151] usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Joe Lawrence, Greg Kroah-Hartman

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit c99197902da284b4b723451c1471c45b18537cde upstream.

The usb_hcd_unlink_urb() routine in hcd.c contains two possible
use-after-free errors.  The dev_dbg() statement at the end of the
routine dereferences urb and urb->dev even though both structures may
have been deallocated.

This patch fixes the problem by storing urb->dev in a local variable
(avoiding the dereference of urb) and moving the dev_dbg() up before
the usb_put_dev() call.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Joe Lawrence <joe.lawrence@stratus.com>
Tested-by: Joe Lawrence <joe.lawrence@stratus.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hcd.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -1618,6 +1618,7 @@ static int unlink1(struct usb_hcd *hcd,
 int usb_hcd_unlink_urb (struct urb *urb, int status)
 {
 	struct usb_hcd		*hcd;
+	struct usb_device	*udev = urb->dev;
 	int			retval = -EIDRM;
 	unsigned long		flags;
 
@@ -1629,20 +1630,19 @@ int usb_hcd_unlink_urb (struct urb *urb,
 	spin_lock_irqsave(&hcd_urb_unlink_lock, flags);
 	if (atomic_read(&urb->use_count) > 0) {
 		retval = 0;
-		usb_get_dev(urb->dev);
+		usb_get_dev(udev);
 	}
 	spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags);
 	if (retval == 0) {
 		hcd = bus_to_hcd(urb->dev->bus);
 		retval = unlink1(hcd, urb, status);
-		usb_put_dev(urb->dev);
+		if (retval == 0)
+			retval = -EINPROGRESS;
+		else if (retval != -EIDRM && retval != -EBUSY)
+			dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n",
+					urb, retval);
+		usb_put_dev(udev);
 	}
-
-	if (retval == 0)
-		retval = -EINPROGRESS;
-	else if (retval != -EIDRM && retval != -EBUSY)
-		dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n",
-				urb, retval);
 	return retval;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 108/151] usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 107/151] USB: fix use-after-free bug in usb_hcd_unlink_urb() Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 109/151] USB: dont cancel queued resets when unbinding drivers Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior, Alan Stern

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

commit 5efd2ea8c9f4f12916ffc8ba636792ce052f6911 upstream.

the following error pops up during "testusb -a -t 10"
| musb-hdrc musb-hdrc.1.auto: dma_pool_free buffer-128,	f134e000/be842000 (bad dma)
hcd_buffer_create() creates a few buffers, the smallest has 32 bytes of
size. ARCH_KMALLOC_MINALIGN is set to 64 bytes. This combo results in
hcd_buffer_alloc() returning memory which is 32 bytes aligned and it
might by identified by buffer_offset() as another buffer. This means the
buffer which is on a 32 byte boundary will not get freed, instead it
tries to free another buffer with the error message.

This patch fixes the issue by creating the smallest DMA buffer with the
size of ARCH_KMALLOC_MINALIGN (or 32 in case ARCH_KMALLOC_MINALIGN is
smaller). This might be 32, 64 or even 128 bytes. The next three pools
will have the size 128, 512 and 2048.
In case the smallest pool is 128 bytes then we have only three pools
instead of four (and zero the first entry in the array).
The last pool size is always 2048 bytes which is the assumed PAGE_SIZE /
2 of 4096. I doubt it makes sense to continue using PAGE_SIZE / 2 where
we would end up with 8KiB buffer in case we have 16KiB pages.
Instead I think it makes sense to have a common size(s) and extend them
if there is need to.
There is a BUILD_BUG_ON() now in case someone has a minalign of more than
128 bytes.

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/buffer.c |   26 +++++++++++++++++---------
 drivers/usb/core/usb.c    |    1 +
 include/linux/usb/hcd.h   |    1 +
 3 files changed, 19 insertions(+), 9 deletions(-)

--- a/drivers/usb/core/buffer.c
+++ b/drivers/usb/core/buffer.c
@@ -22,17 +22,25 @@
  */
 
 /* FIXME tune these based on pool statistics ... */
-static const size_t	pool_max[HCD_BUFFER_POOLS] = {
-	/* platforms without dma-friendly caches might need to
-	 * prevent cacheline sharing...
-	 */
-	32,
-	128,
-	512,
-	PAGE_SIZE / 2
-	/* bigger --> allocate pages */
+static size_t pool_max[HCD_BUFFER_POOLS] = {
+	32, 128, 512, 2048,
 };
 
+void __init usb_init_pool_max(void)
+{
+	/*
+	 * The pool_max values must never be smaller than
+	 * ARCH_KMALLOC_MINALIGN.
+	 */
+	if (ARCH_KMALLOC_MINALIGN <= 32)
+		;			/* Original value is okay */
+	else if (ARCH_KMALLOC_MINALIGN <= 64)
+		pool_max[0] = 64;
+	else if (ARCH_KMALLOC_MINALIGN <= 128)
+		pool_max[0] = 0;	/* Don't use this pool */
+	else
+		BUILD_BUG();		/* We don't allow this */
+}
 
 /* SETUP primitives */
 
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -1051,6 +1051,7 @@ static int __init usb_init(void)
 		pr_info("%s: USB support disabled\n", usbcore_name);
 		return 0;
 	}
+	usb_init_pool_max();
 
 	retval = usb_debugfs_init();
 	if (retval)
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -450,6 +450,7 @@ extern const struct dev_pm_ops usb_hcd_p
 #endif /* CONFIG_PCI */
 
 /* pci-ish (pdev null is ok) buffer alloc/mapping support */
+void usb_init_pool_max(void);
 int hcd_buffer_create(struct usb_hcd *hcd);
 void hcd_buffer_destroy(struct usb_hcd *hcd);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 109/151] USB: dont cancel queued resets when unbinding drivers
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 108/151] usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 110/151] USB: add flag for HCDs that cant receive wakeup requests (isp1760-hcd) Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Russell King - ARM Linux,
	Olivier Sobrie

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 524134d422316a59d5464ccbc12036bbe90c5563 upstream.

The USB stack provides a mechanism for drivers to request an
asynchronous device reset (usb_queue_reset_device()).  The mechanism
uses a work item (reset_ws) embedded in the usb_interface structure
used by the driver, and the reset is carried out by a work queue
routine.

The asynchronous reset can race with driver unbinding.  When this
happens, we try to cancel the queued reset before unbinding the
driver, on the theory that the driver won't care about any resets once
it is unbound.

However, thanks to the fact that lockdep now tracks work queue
accesses, this can provoke a lockdep warning in situations where the
device reset causes another interface's driver to be unbound; see

	http://marc.info/?l=linux-usb&m=141893165203776&w=2

for an example.  The reason is that the work routine for reset_ws in
one interface calls cancel_queued_work() for the reset_ws in another
interface.  Lockdep thinks this might lead to a work routine trying to
cancel itself.  The simplest solution is not to cancel queued resets
when unbinding drivers.

This means we now need to acquire a reference to the usb_interface
when queuing a reset_ws work item and to drop the reference when the
work routine finishes.  We also need to make sure that the
usb_interface structure doesn't outlive its parent usb_device; this
means acquiring and dropping a reference when the interface is created
and destroyed.

In addition, cancelling a queued reset can fail (if the device is in
the middle of an earlier reset), and this can cause usb_reset_device()
to try to rebind an interface that has been deallocated (see
http://marc.info/?l=linux-usb&m=142175717016628&w=2 for details).
Acquiring the extra references prevents this failure.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Russell King - ARM Linux <linux@arm.linux.org.uk>
Reported-by: Olivier Sobrie <olivier@sobrie.be>
Tested-by: Olivier Sobrie <olivier@sobrie.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/driver.c  |   17 -----------------
 drivers/usb/core/hub.c     |   25 +++++++++----------------
 drivers/usb/core/message.c |   23 +++--------------------
 include/linux/usb.h        |    5 -----
 4 files changed, 12 insertions(+), 58 deletions(-)

--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -275,21 +275,6 @@ static int usb_unbind_device(struct devi
 	return 0;
 }
 
-/*
- * Cancel any pending scheduled resets
- *
- * [see usb_queue_reset_device()]
- *
- * Called after unconfiguring / when releasing interfaces. See
- * comments in __usb_queue_reset_device() regarding
- * udev->reset_running.
- */
-static void usb_cancel_queued_reset(struct usb_interface *iface)
-{
-	if (iface->reset_running == 0)
-		cancel_work_sync(&iface->reset_ws);
-}
-
 /* called from driver core with dev locked */
 static int usb_probe_interface(struct device *dev)
 {
@@ -380,7 +365,6 @@ static int usb_probe_interface(struct de
 	usb_set_intfdata(intf, NULL);
 	intf->needs_remote_wakeup = 0;
 	intf->condition = USB_INTERFACE_UNBOUND;
-	usb_cancel_queued_reset(intf);
 
 	/* If the LPM disable succeeded, balance the ref counts. */
 	if (!lpm_disable_error)
@@ -425,7 +409,6 @@ static int usb_unbind_interface(struct d
 		usb_disable_interface(udev, intf, false);
 
 	driver->disconnect(intf);
-	usb_cancel_queued_reset(intf);
 
 	/* Free streams */
 	for (i = 0, j = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5591,26 +5591,19 @@ EXPORT_SYMBOL_GPL(usb_reset_device);
  *   possible; depending on how the driver attached to each interface
  *   handles ->pre_reset(), the second reset might happen or not.
  *
- * - If a driver is unbound and it had a pending reset, the reset will
- *   be cancelled.
+ * - If the reset is delayed so long that the interface is unbound from
+ *   its driver, the reset will be skipped.
  *
- * - This function can be called during .probe() or .disconnect()
- *   times. On return from .disconnect(), any pending resets will be
- *   cancelled.
- *
- * There is no no need to lock/unlock the @reset_ws as schedule_work()
- * does its own.
- *
- * NOTE: We don't do any reference count tracking because it is not
- *     needed. The lifecycle of the work_struct is tied to the
- *     usb_interface. Before destroying the interface we cancel the
- *     work_struct, so the fact that work_struct is queued and or
- *     running means the interface (and thus, the device) exist and
- *     are referenced.
+ * - This function can be called during .probe().  It can also be called
+ *   during .disconnect(), but doing so is pointless because the reset
+ *   will not occur.  If you really want to reset the device during
+ *   .disconnect(), call usb_reset_device() directly -- but watch out
+ *   for nested unbinding issues!
  */
 void usb_queue_reset_device(struct usb_interface *iface)
 {
-	schedule_work(&iface->reset_ws);
+	if (schedule_work(&iface->reset_ws))
+		usb_get_intf(iface);
 }
 EXPORT_SYMBOL_GPL(usb_queue_reset_device);
 
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1551,6 +1551,7 @@ static void usb_release_interface(struct
 			altsetting_to_usb_interface_cache(intf->altsetting);
 
 	kref_put(&intfc->ref, usb_release_interface_cache);
+	usb_put_dev(interface_to_usbdev(intf));
 	kfree(intf);
 }
 
@@ -1626,24 +1627,6 @@ static struct usb_interface_assoc_descri
 
 /*
  * Internal function to queue a device reset
- *
- * This is initialized into the workstruct in 'struct
- * usb_device->reset_ws' that is launched by
- * message.c:usb_set_configuration() when initializing each 'struct
- * usb_interface'.
- *
- * It is safe to get the USB device without reference counts because
- * the life cycle of @iface is bound to the life cycle of @udev. Then,
- * this function will be ran only if @iface is alive (and before
- * freeing it any scheduled instances of it will have been cancelled).
- *
- * We need to set a flag (usb_dev->reset_running) because when we call
- * the reset, the interfaces might be unbound. The current interface
- * cannot try to remove the queued work as it would cause a deadlock
- * (you cannot remove your work from within your executing
- * workqueue). This flag lets it know, so that
- * usb_cancel_queued_reset() doesn't try to do it.
- *
  * See usb_queue_reset_device() for more details
  */
 static void __usb_queue_reset_device(struct work_struct *ws)
@@ -1655,11 +1638,10 @@ static void __usb_queue_reset_device(str
 
 	rc = usb_lock_device_for_reset(udev, iface);
 	if (rc >= 0) {
-		iface->reset_running = 1;
 		usb_reset_device(udev);
-		iface->reset_running = 0;
 		usb_unlock_device(udev);
 	}
+	usb_put_intf(iface);	/* Undo _get_ in usb_queue_reset_device() */
 }
 
 
@@ -1854,6 +1836,7 @@ free_interfaces:
 		dev_set_name(&intf->dev, "%d-%s:%d.%d",
 			dev->bus->busnum, dev->devpath,
 			configuration, alt->desc.bInterfaceNumber);
+		usb_get_dev(dev);
 	}
 	kfree(new_interfaces);
 
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -127,10 +127,6 @@ enum usb_interface_condition {
  *	to the sysfs representation for that device.
  * @pm_usage_cnt: PM usage counter for this interface
  * @reset_ws: Used for scheduling resets from atomic context.
- * @reset_running: set to 1 if the interface is currently running a
- *      queued reset so that usb_cancel_queued_reset() doesn't try to
- *      remove from the workqueue when running inside the worker
- *      thread. See __usb_queue_reset_device().
  * @resetting_device: USB core reset the device, so use alt setting 0 as
  *	current; needs bandwidth alloc after reset.
  *
@@ -181,7 +177,6 @@ struct usb_interface {
 	unsigned needs_remote_wakeup:1;	/* driver requires remote wakeup */
 	unsigned needs_altsetting0:1;	/* switch to altsetting 0 is pending */
 	unsigned needs_binding:1;	/* needs delayed unbind/rebind */
-	unsigned reset_running:1;
 	unsigned resetting_device:1;	/* true: bandwidth alloc after reset */
 
 	struct device dev;		/* interface specific device info */



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 110/151] USB: add flag for HCDs that cant receive wakeup requests (isp1760-hcd)
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 109/151] USB: dont cancel queued resets when unbinding drivers Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 111/151] vt: provide notifications on selection changes Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Nicolas Pitre,
	Greg Kroah-Hartman

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit 074f9dd55f9cab1b82690ed7e44bcf38b9616ce0 upstream.

Currently the USB stack assumes that all host controller drivers are
capable of receiving wakeup requests from downstream devices.
However, this isn't true for the isp1760-hcd driver, which means that
it isn't safe to do a runtime suspend of any device attached to a
root-hub port if the device requires wakeup.

This patch adds a "cant_recv_wakeups" flag to the usb_hcd structure
and sets the flag in isp1760-hcd.  The core is modified to prevent a
direct child of the root hub from being put into runtime suspend with
wakeup enabled if the flag is set.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/driver.c      |   12 ++++++++++++
 drivers/usb/host/isp1760-hcd.c |    3 +++
 include/linux/usb/hcd.h        |    2 ++
 3 files changed, 17 insertions(+)

--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -1784,6 +1784,18 @@ static int autosuspend_check(struct usb_
 		dev_dbg(&udev->dev, "remote wakeup needed for autosuspend\n");
 		return -EOPNOTSUPP;
 	}
+
+	/*
+	 * If the device is a direct child of the root hub and the HCD
+	 * doesn't handle wakeup requests, don't allow autosuspend when
+	 * wakeup is needed.
+	 */
+	if (w && udev->parent == udev->bus->root_hub &&
+			bus_to_hcd(udev->bus)->cant_recv_wakeups) {
+		dev_dbg(&udev->dev, "HCD doesn't handle wakeup requests\n");
+		return -EOPNOTSUPP;
+	}
+
 	udev->do_remote_wakeup = w;
 	return 0;
 }
--- a/drivers/usb/host/isp1760-hcd.c
+++ b/drivers/usb/host/isp1760-hcd.c
@@ -2247,6 +2247,9 @@ struct usb_hcd *isp1760_register(phys_ad
 	hcd->rsrc_start = res_start;
 	hcd->rsrc_len = res_len;
 
+	/* This driver doesn't support wakeup requests */
+	hcd->cant_recv_wakeups = 1;
+
 	ret = usb_add_hcd(hcd, irq, irqflags);
 	if (ret)
 		goto err_unmap;
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -146,6 +146,8 @@ struct usb_hcd {
 	unsigned		amd_resume_bug:1; /* AMD remote wakeup quirk */
 	unsigned		can_do_streams:1; /* HC supports streams */
 	unsigned		tpl_support:1; /* OTG & EH TPL support */
+	unsigned		cant_recv_wakeups:1;
+			/* wakeup requests from downstream aren't received */
 
 	unsigned int		irq;		/* irq allocated */
 	void __iomem		*regs;		/* device memory/io */



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 111/151] vt: provide notifications on selection changes
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 110/151] USB: add flag for HCDs that cant receive wakeup requests (isp1760-hcd) Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 112/151] ARM: pxa: add regulator_has_full_constraints to corgi board file Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nicolas Pitre, Dave Mielke

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Pitre <nicolas.pitre@linaro.org>

commit 19e3ae6b4f07a87822c1c9e7ed99d31860e701af upstream.

The vcs device's poll/fasync support relies on the vt notifier to signal
changes to the screen content.  Notifier invocations were missing for
changes that comes through the selection interface though.  Fix that.

Tested with BRLTTY 5.2.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
Cc: Dave Mielke <dave@mielke.cc>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -498,6 +498,7 @@ void invert_screen(struct vc_data *vc, i
 #endif
 	if (DO_UPDATE(vc))
 		do_update_region(vc, (unsigned long) p, count);
+	notify_update(vc);
 }
 
 /* used by selection: complement pointer position */
@@ -514,6 +515,7 @@ void complement_pos(struct vc_data *vc,
 		scr_writew(old, screenpos(vc, old_offset, 1));
 		if (DO_UPDATE(vc))
 			vc->vc_sw->con_putc(vc, old, oldy, oldx);
+		notify_update(vc);
 	}
 
 	old_offset = offset;
@@ -531,8 +533,8 @@ void complement_pos(struct vc_data *vc,
 			oldy = (offset >> 1) / vc->vc_cols;
 			vc->vc_sw->con_putc(vc, new, oldy, oldx);
 		}
+		notify_update(vc);
 	}
-
 }
 
 static void insert_char(struct vc_data *vc, unsigned int nr)



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 112/151] ARM: pxa: add regulator_has_full_constraints to corgi board file
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 111/151] vt: provide notifications on selection changes Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 113/151] ARM: pxa: add regulator_has_full_constraints to poodle " Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Eremin-Solenikov, Mark Brown,
	Robert Jarzmik

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

commit 271e80176aae4e5b481f4bb92df9768c6075bbca upstream.

Add regulator_has_full_constraints() call to corgi board file to let
regulator core know that we do not have any additional regulators left.
This lets it substitute unprovided regulators with dummy ones.

This fixes the following warnings that can be seen on corgi if
regulators are enabled:

ads7846 spi1.0: unable to get regulator: -517
spi spi1.0: Driver ads7846 requests probe deferral
wm8731 0-001b: Failed to get supply 'AVDD': -517
wm8731 0-001b: Failed to request supplies: -517
wm8731 0-001b: ASoC: failed to probe component -517
corgi-audio corgi-audio: ASoC: failed to instantiate card -517

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Acked-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-pxa/corgi.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/mach-pxa/corgi.c
+++ b/arch/arm/mach-pxa/corgi.c
@@ -26,6 +26,7 @@
 #include <linux/i2c.h>
 #include <linux/i2c/pxa-i2c.h>
 #include <linux/io.h>
+#include <linux/regulator/machine.h>
 #include <linux/spi/spi.h>
 #include <linux/spi/ads7846.h>
 #include <linux/spi/corgi_lcd.h>
@@ -752,6 +753,8 @@ static void __init corgi_init(void)
 		sharpsl_nand_partitions[1].size = 53 * 1024 * 1024;
 
 	platform_add_devices(devices, ARRAY_SIZE(devices));
+
+	regulator_has_full_constraints();
 }
 
 static void __init fixup_corgi(struct tag *tags, char **cmdline)



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 113/151] ARM: pxa: add regulator_has_full_constraints to poodle board file
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 112/151] ARM: pxa: add regulator_has_full_constraints to corgi board file Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 114/151] ARM: vexpress: use ARM_CPU_SUSPEND if needed Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Eremin-Solenikov, Mark Brown,
	Robert Jarzmik

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>

commit 9bc78f32c2e430aebf6def965b316aa95e37a20c upstream.

Add regulator_has_full_constraints() call to poodle board file to let
regulator core know that we do not have any additional regulators left.
This lets it substitute unprovided regulators with dummy ones.

This fixes the following warnings that can be seen on poodle if
regulators are enabled:

ads7846 spi1.0: unable to get regulator: -517
spi spi1.0: Driver ads7846 requests probe deferral
wm8731 0-001b: Failed to get supply 'AVDD': -517
wm8731 0-001b: Failed to request supplies: -517
wm8731 0-001b: ASoC: failed to probe component -517

Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Acked-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-pxa/poodle.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/mach-pxa/poodle.c
+++ b/arch/arm/mach-pxa/poodle.c
@@ -25,6 +25,7 @@
 #include <linux/gpio.h>
 #include <linux/i2c.h>
 #include <linux/i2c/pxa-i2c.h>
+#include <linux/regulator/machine.h>
 #include <linux/spi/spi.h>
 #include <linux/spi/ads7846.h>
 #include <linux/spi/pxa2xx_spi.h>
@@ -455,6 +456,7 @@ static void __init poodle_init(void)
 	pxa_set_i2c_info(NULL);
 	i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices));
 	poodle_init_spi();
+	regulator_has_full_constraints();
 }
 
 static void __init fixup_poodle(struct tag *tags, char **cmdline)



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 114/151] ARM: vexpress: use ARM_CPU_SUSPEND if needed
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 113/151] ARM: pxa: add regulator_has_full_constraints to poodle " Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 115/151] ARM: mvebu: build armada375-smp code conditionally Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Nicolas Pitre,
	Liviu Dudau, Kevin Hilman, Sudeep Holla, Lorenzo Pieralisi

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 95fcedb027a27f32bf2434f9271635c380e57fb5 upstream.

The vexpress tc2 power management code calls mcpm_loopback, which
is only available if ARM_CPU_SUSPEND is enabled, otherwise we
get a link error:

arch/arm/mach-vexpress/built-in.o: In function `tc2_pm_init':
arch/arm/mach-vexpress/tc2_pm.c:389: undefined reference to `mcpm_loopback'

This explicitly selects ARM_CPU_SUSPEND like other platforms that
need it.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 3592d7e002438 ("ARM: 8082/1: TC2: test the MCPM loopback during boot")
Acked-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Liviu Dudau <liviu.dudau@arm.com>
Cc: Kevin Hilman <khilman@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-vexpress/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mach-vexpress/Kconfig
+++ b/arch/arm/mach-vexpress/Kconfig
@@ -75,6 +75,7 @@ config ARCH_VEXPRESS_TC2_PM
 	depends on MCPM
 	select ARM_CCI
 	select ARCH_VEXPRESS_SPC
+	select ARM_CPU_SUSPEND
 	help
 	  Support for CPU and cluster power management on Versatile Express
 	  with a TC2 (A15x2 A7x3) big.LITTLE core tile.



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 115/151] ARM: mvebu: build armada375-smp code conditionally
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 114/151] ARM: vexpress: use ARM_CPU_SUSPEND if needed Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 116/151] kdb: fix incorrect counts in KDB summary command output Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Andrew Lunn,
	Jason Cooper, Gregory Clement

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 165235180ff61f0012ea68a299e46daec43dcaa7 upstream.

mvebu_armada375_smp_wa_init is only used on armada 375 but is defined
for all mvebu machines. As it calls a function that is only provided
sometimes, this can result in a link error:

arch/arm/mach-mvebu/built-in.o: In function `mvebu_armada375_smp_wa_init':
:(.text+0x228): undefined reference to `mvebu_setup_boot_addr_wa'

To solve this, we can just change the existing #ifdef around the
function to also check for Armada375 SMP platforms.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 305969fb6292 ("ARM: mvebu: use the common function for Armada 375 SMP workaround")
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Gregory Clement <gregory.clement@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-mvebu/system-controller.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-mvebu/system-controller.c
+++ b/arch/arm/mach-mvebu/system-controller.c
@@ -126,7 +126,7 @@ int mvebu_system_controller_get_soc_id(u
 		return -ENODEV;
 }
 
-#ifdef CONFIG_SMP
+#if defined(CONFIG_SMP) && defined(CONFIG_MACH_MVEBU_V7)
 void mvebu_armada375_smp_wa_init(void)
 {
 	u32 dev, rev;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 116/151] kdb: fix incorrect counts in KDB summary command output
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 115/151] ARM: mvebu: build armada375-smp code conditionally Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 117/151] ntp: Fixup adjtimex freq validation on 32-bit systems Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jay Lan, Jason Wessel

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jay Lan <jlan@sgi.com>

commit 146755923262037fc4c54abc28c04b1103f3cc51 upstream.

The output of KDB 'summary' command should report MemTotal, MemFree
and Buffers output in kB. Current codes report in unit of pages.

A define of K(x) as
is defined in the code, but not used.

This patch would apply the define to convert the values to kB.
Please include me on Cc on replies. I do not subscribe to linux-kernel.

Signed-off-by: Jay Lan <jlan@sgi.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/debug/kdb/kdb_main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -2535,7 +2535,7 @@ static int kdb_summary(int argc, const c
 #define K(x) ((x) << (PAGE_SHIFT - 10))
 	kdb_printf("\nMemTotal:       %8lu kB\nMemFree:        %8lu kB\n"
 		   "Buffers:        %8lu kB\n",
-		   val.totalram, val.freeram, val.bufferram);
+		   K(val.totalram), K(val.freeram), K(val.bufferram));
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 117/151] ntp: Fixup adjtimex freq validation on 32-bit systems
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 116/151] kdb: fix incorrect counts in KDB summary command output Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 118/151] serial: fsl_lpuart: delete timer on shutdown Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josh Boyer, George Joseph,
	John Stultz, Peter Zijlstra (Intel),
	Linus Torvalds, Sasha Levin, Ingo Molnar

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Stultz <john.stultz@linaro.org>

commit 29183a70b0b828500816bd794b3fe192fce89f73 upstream.

Additional validation of adjtimex freq values to avoid
potential multiplication overflows were added in commit
5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values)

Unfortunately the patch used LONG_MAX/MIN instead of
LLONG_MAX/MIN, which was fine on 64-bit systems, but being
much smaller on 32-bit systems caused false positives
resulting in most direct frequency adjustments to fail w/
EINVAL.

ntpd only does direct frequency adjustments at startup, so
the issue was not as easily observed there, but other time
sync applications like ptpd and chrony were more effected by
the bug.

See bugs:

  https://bugzilla.kernel.org/show_bug.cgi?id=92481
  https://bugzilla.redhat.com/show_bug.cgi?id=1188074

This patch changes the checks to use LLONG_MAX for
clarity, and additionally the checks are disabled
on 32-bit systems since LLONG_MAX/PPM_SCALE is always
larger then the 32-bit long freq value, so multiplication
overflows aren't possible there.

Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
Reported-by: George Joseph <george.joseph@fairview5.com>
Tested-by: George Joseph <george.joseph@fairview5.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Link: http://lkml.kernel.org/r/1423553436-29747-1-git-send-email-john.stultz@linaro.org
[ Prettified the changelog and the comments a bit. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/time/ntp.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/kernel/time/ntp.c
+++ b/kernel/time/ntp.c
@@ -633,10 +633,14 @@ int ntp_validate_timex(struct timex *txc
 	if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME)))
 		return -EPERM;
 
-	if (txc->modes & ADJ_FREQUENCY) {
-		if (LONG_MIN / PPM_SCALE > txc->freq)
+	/*
+	 * Check for potential multiplication overflows that can
+	 * only happen on 64-bit systems:
+	 */
+	if ((txc->modes & ADJ_FREQUENCY) && (BITS_PER_LONG == 64)) {
+		if (LLONG_MIN / PPM_SCALE > txc->freq)
 			return -EINVAL;
-		if (LONG_MAX / PPM_SCALE < txc->freq)
+		if (LLONG_MAX / PPM_SCALE < txc->freq)
 			return -EINVAL;
 	}
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 118/151] serial: fsl_lpuart: delete timer on shutdown
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 117/151] ntp: Fixup adjtimex freq validation on 32-bit systems Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 119/151] serial: fsl_lpuart: avoid new transfer while DMA is running Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Agner

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Agner <stefan@agner.ch>

commit 4a8588a1cf867333187d9ff071e6fbdab587d194 upstream.

If the serial port gets closed while a RX transfer is in progress,
the timer might fire after the serial port shutdown finished. This
leads in a NULL pointer dereference:

[    7.508324] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[    7.516590] pgd = 86348000
[    7.519445] [00000000] *pgd=86179831, *pte=00000000, *ppte=00000000
[    7.526145] Internal error: Oops: 17 [#1] ARM
[    7.530611] Modules linked in:
[    7.533876] CPU: 0 PID: 123 Comm: systemd Not tainted 3.19.0-rc3-00004-g5b11ea7 #1778
[    7.541827] Hardware name: Freescale Vybrid VF610 (Device Tree)
[    7.547862] task: 861c3400 ti: 86ac8000 task.ti: 86ac8000
[    7.553392] PC is at lpuart_timer_func+0x24/0xf8
[    7.558127] LR is at lpuart_timer_func+0x20/0xf8
[    7.562857] pc : [<802df99c>]    lr : [<802df998>]    psr: 600b0113
[    7.562857] sp : 86ac9b90  ip : 86ac9b90  fp : 86ac9bbc
[    7.574467] r10: 80817180  r9 : 80817b98  r8 : 80817998
[    7.579803] r7 : 807acee0  r6 : 86989000  r5 : 00000100  r4 : 86997210
[    7.586444] r3 : 86ac8000  r2 : 86ac9bc0  r1 : 86997210  r0 : 00000000
[    7.593085] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[    7.600341] Control: 10c5387d  Table: 86348059  DAC: 00000015
[    7.606203] Process systemd (pid: 123, stack limit = 0x86ac8230)

Setup the timer on UART startup which allows to delete the timer
unconditionally on shutdown. This also saves the initialization
on each transfer.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/fsl_lpuart.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -506,9 +506,6 @@ static inline void lpuart_prepare_rx(str
 
 	spin_lock_irqsave(&sport->port.lock, flags);
 
-	init_timer(&sport->lpuart_timer);
-	sport->lpuart_timer.function = lpuart_timer_func;
-	sport->lpuart_timer.data = (unsigned long)sport;
 	sport->lpuart_timer.expires = jiffies + sport->dma_rx_timeout;
 	add_timer(&sport->lpuart_timer);
 
@@ -1106,6 +1103,8 @@ static int lpuart_startup(struct uart_po
 		sport->lpuart_dma_use = false;
 	} else {
 		sport->lpuart_dma_use = true;
+		setup_timer(&sport->lpuart_timer, lpuart_timer_func,
+			    (unsigned long)sport);
 		temp = readb(port->membase + UARTCR5);
 		writeb(temp | UARTCR5_TDMAS, port->membase + UARTCR5);
 	}
@@ -1180,6 +1179,8 @@ static void lpuart_shutdown(struct uart_
 	devm_free_irq(port->dev, port->irq, sport);
 
 	if (sport->lpuart_dma_use) {
+		del_timer_sync(&sport->lpuart_timer);
+
 		lpuart_dma_tx_free(port);
 		lpuart_dma_rx_free(port);
 	}



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 119/151] serial: fsl_lpuart: avoid new transfer while DMA is running
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 118/151] serial: fsl_lpuart: delete timer on shutdown Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 120/151] ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Agner

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Agner <stefan@agner.ch>

commit 5f1437f61a0b351d25b528c159360da3d5e8c77b upstream.

When the UART is in DMA receive mode (RDMAS set) and one character
just arrived while another interrupt is handled (e.g. TX), the RDRF
(receiver data register full flag) is set due to the water level of
1. But since the DMA will take care of this character, there is no
need to handle it by calling lpuart_prepare_rx. Handling it leads to
adding the RX timeout timer twice:

[   74.336698] Kernel BUG at 80053070 [verbose debug info unavailable]
[   74.342999] Internal error: Oops - BUG: 0 [#1] ARM0:00.00 khungtaskd
[   74.347817] Modules linked in:    0 S  0.0  0.0   0:00.00 writeback
[   74.350926] CPU: 0 PID: 0 Comm: swapper Not tainted 3.19.0-rc3-00001-g39d78e2 #1788
[   74.358617] Hardware name: Freescale Vybrid VF610 (Device Tree)t
[   74.364563] task: 807a7678 ti: 8079c000 task.ti: 8079c000 kblockd
[   74.370002] PC is at add_timer+0x24/0x28.0  0.0   0:00.09 kworker/u2:1
[   74.373960] LR is at lpuart_int+0x15c/0x3d8
[   74.378171] pc : [<80053070>]    lr : [<802e0d88>]    psr: a0010193
[   74.378171] sp : 8079de10  ip : 8079de20  fp : 8079de1c
[   74.389694] r10: 807d44c0  r9 : 8688c300  r8 : 00000013
[   74.394943] r7 : 20010193  r6 : 00000000  r5 : 000000a0  r4 : 86997210
[   74.401498] r3 : ffffa7da  r2 : 80817868  r1 : 86997210  r0 : 86997344
[   74.408052] Flags: NzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[   74.415489] Control: 10c5387d  Table: 8611c059  DAC: 00000015
[   74.421265] Process swapper (pid: 0, stack limit = 0x8079c230)
...

Solve this by only execute the receiver path (lpuart_prepare_rx) if
the DMA receive mode (RDMAS) is not set. Also, make sure the flag is
cleared on initialization, in case it has been left set.

This can be best reproduced using UART as a serial console, then
running top while dd'ing data into the terminal.

Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/fsl_lpuart.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -755,18 +755,18 @@ out:
 static irqreturn_t lpuart_int(int irq, void *dev_id)
 {
 	struct lpuart_port *sport = dev_id;
-	unsigned char sts;
+	unsigned char sts, crdma;
 
 	sts = readb(sport->port.membase + UARTSR1);
+	crdma = readb(sport->port.membase + UARTCR5);
 
-	if (sts & UARTSR1_RDRF) {
+	if (sts & UARTSR1_RDRF && !(crdma & UARTCR5_RDMAS)) {
 		if (sport->lpuart_dma_use)
 			lpuart_prepare_rx(sport);
 		else
 			lpuart_rxint(irq, dev_id);
 	}
-	if (sts & UARTSR1_TDRE &&
-		!(readb(sport->port.membase + UARTCR5) & UARTCR5_TDMAS)) {
+	if (sts & UARTSR1_TDRE && !(crdma & UARTCR5_TDMAS)) {
 		if (sport->lpuart_dma_use)
 			lpuart_pio_tx(sport);
 		else
@@ -1106,6 +1106,7 @@ static int lpuart_startup(struct uart_po
 		setup_timer(&sport->lpuart_timer, lpuart_timer_func,
 			    (unsigned long)sport);
 		temp = readb(port->membase + UARTCR5);
+		temp &= ~UARTCR5_RDMAS;
 		writeb(temp | UARTCR5_TDMAS, port->membase + UARTCR5);
 	}
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 120/151] ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 119/151] serial: fsl_lpuart: avoid new transfer while DMA is running Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 121/151] MIPS: HTW: Prevent accidental HTW start due to nested htw_{start, stop} Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexey Brodkin, Vineet Gupta

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Brodkin <abrodkin@synopsys.com>

commit 06f34e1c28f3608b0ce5b310e41102d3fe7b65a1 upstream.

We used to calculate page address differently in 2 cases:

1. In virt_to_page(x) we do
 --->8---
 mem_map + (x - CONFIG_LINUX_LINK_BASE) >> PAGE_SHIFT
 --->8---

2. In in pte_page(x) we do
 --->8---
 mem_map + (pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT
 --->8---

That leads to problems in case PAGE_OFFSET != CONFIG_LINUX_LINK_BASE -
different pages will be selected depending on where and how we calculate
page address.

In particular in the STAR 9000853582 when gdb attempted to read memory
of another process it got improper page in get_user_pages() because this
is exactly one of the places where we search for a page by pte_page().

The fix is trivial - we need to calculate page address similarly in both
cases.

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arc/include/asm/pgtable.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arc/include/asm/pgtable.h
+++ b/arch/arc/include/asm/pgtable.h
@@ -259,7 +259,8 @@ static inline void pmd_set(pmd_t *pmdp,
 #define pmd_clear(xp)			do { pmd_val(*(xp)) = 0; } while (0)
 
 #define pte_page(x) (mem_map + \
-		(unsigned long)(((pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT)))
+		(unsigned long)(((pte_val(x) - CONFIG_LINUX_LINK_BASE) >> \
+				PAGE_SHIFT)))
 
 #define mk_pte(page, pgprot)						\
 ({									\



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 121/151] MIPS: HTW: Prevent accidental HTW start due to nested htw_{start, stop}
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 120/151] ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 122/151] udf: Remove repeated loads blocksize Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Markos Chandras, linux-mips, Ralf Baechle

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Markos Chandras <markos.chandras@imgtec.com>

commit ed4cbc81addbc076b016c5b979fd1a02f0897f0a upstream.

activate_mm() and switch_mm() call get_new_mmu_context() which in turn
can enable the HTW before the entryhi is changed with the new ASID.
Since the latter will enable the HTW in local_flush_tlb_all(),
then there is a small timing window where the HTW is running with the
new ASID but with an old pgd since the TLBMISS_HANDLER_SETUP_PGD
hasn't assigned a new one yet. In order to prevent that, we introduce a
simple htw counter to avoid starting HTW accidentally due to nested
htw_{start,stop}() sequences. Moreover, since various IPI calls can
enforce TLB flushing operations on a different core, such an operation
may interrupt another htw_{stop,start} in progress leading inconsistent
updates of the htw_seq variable. In order to avoid that, we disable the
interrupts whenever we update that variable.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9118/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/include/asm/cpu-info.h    |    5 +++++
 arch/mips/include/asm/mmu_context.h |    7 ++++++-
 arch/mips/include/asm/pgtable.h     |   24 ++++++++++++++++++------
 arch/mips/kernel/cpu-probe.c        |    4 +++-
 4 files changed, 32 insertions(+), 8 deletions(-)

--- a/arch/mips/include/asm/cpu-info.h
+++ b/arch/mips/include/asm/cpu-info.h
@@ -84,6 +84,11 @@ struct cpuinfo_mips {
 	 * (shifted by _CACHE_SHIFT)
 	 */
 	unsigned int		writecombine;
+	/*
+	 * Simple counter to prevent enabling HTW in nested
+	 * htw_start/htw_stop calls
+	 */
+	unsigned int		htw_seq;
 } __attribute__((aligned(SMP_CACHE_BYTES)));
 
 extern struct cpuinfo_mips cpu_data[];
--- a/arch/mips/include/asm/mmu_context.h
+++ b/arch/mips/include/asm/mmu_context.h
@@ -25,7 +25,6 @@ do {									\
 	if (cpu_has_htw) {						\
 		write_c0_pwbase(pgd);					\
 		back_to_back_c0_hazard();				\
-		htw_reset();						\
 	}								\
 } while (0)
 
@@ -142,6 +141,7 @@ static inline void switch_mm(struct mm_s
 	unsigned long flags;
 	local_irq_save(flags);
 
+	htw_stop();
 	/* Check if our ASID is of an older version and thus invalid */
 	if ((cpu_context(cpu, next) ^ asid_cache(cpu)) & ASID_VERSION_MASK)
 		get_new_mmu_context(next, cpu);
@@ -154,6 +154,7 @@ static inline void switch_mm(struct mm_s
 	 */
 	cpumask_clear_cpu(cpu, mm_cpumask(prev));
 	cpumask_set_cpu(cpu, mm_cpumask(next));
+	htw_start();
 
 	local_irq_restore(flags);
 }
@@ -180,6 +181,7 @@ activate_mm(struct mm_struct *prev, stru
 
 	local_irq_save(flags);
 
+	htw_stop();
 	/* Unconditionally get a new ASID.  */
 	get_new_mmu_context(next, cpu);
 
@@ -189,6 +191,7 @@ activate_mm(struct mm_struct *prev, stru
 	/* mark mmu ownership change */
 	cpumask_clear_cpu(cpu, mm_cpumask(prev));
 	cpumask_set_cpu(cpu, mm_cpumask(next));
+	htw_start();
 
 	local_irq_restore(flags);
 }
@@ -203,6 +206,7 @@ drop_mmu_context(struct mm_struct *mm, u
 	unsigned long flags;
 
 	local_irq_save(flags);
+	htw_stop();
 
 	if (cpumask_test_cpu(cpu, mm_cpumask(mm)))  {
 		get_new_mmu_context(mm, cpu);
@@ -211,6 +215,7 @@ drop_mmu_context(struct mm_struct *mm, u
 		/* will get a new context next time */
 		cpu_context(cpu, mm) = 0;
 	}
+	htw_start();
 	local_irq_restore(flags);
 }
 
--- a/arch/mips/include/asm/pgtable.h
+++ b/arch/mips/include/asm/pgtable.h
@@ -99,19 +99,31 @@ extern void paging_init(void);
 
 #define htw_stop()							\
 do {									\
+	unsigned long flags;						\
+									\
 	if (cpu_has_htw) {						\
-		write_c0_pwctl(read_c0_pwctl() &			\
-			       ~(1 << MIPS_PWCTL_PWEN_SHIFT));		\
-		back_to_back_c0_hazard();				\
+		local_irq_save(flags);					\
+		if(!raw_current_cpu_data.htw_seq++) {			\
+			write_c0_pwctl(read_c0_pwctl() &		\
+				       ~(1 << MIPS_PWCTL_PWEN_SHIFT));	\
+			back_to_back_c0_hazard();			\
+		}							\
+		local_irq_restore(flags);				\
 	}								\
 } while(0)
 
 #define htw_start()							\
 do {									\
+	unsigned long flags;						\
+									\
 	if (cpu_has_htw) {						\
-		write_c0_pwctl(read_c0_pwctl() |			\
-			       (1 << MIPS_PWCTL_PWEN_SHIFT));		\
-		back_to_back_c0_hazard();				\
+		local_irq_save(flags);					\
+		if (!--raw_current_cpu_data.htw_seq) {			\
+			write_c0_pwctl(read_c0_pwctl() |		\
+				       (1 << MIPS_PWCTL_PWEN_SHIFT));	\
+			back_to_back_c0_hazard();			\
+		}							\
+		local_irq_restore(flags);				\
 	}								\
 } while(0)
 
--- a/arch/mips/kernel/cpu-probe.c
+++ b/arch/mips/kernel/cpu-probe.c
@@ -367,8 +367,10 @@ static inline unsigned int decode_config
 	if (config3 & MIPS_CONF3_MSA)
 		c->ases |= MIPS_ASE_MSA;
 	/* Only tested on 32-bit cores */
-	if ((config3 & MIPS_CONF3_PW) && config_enabled(CONFIG_32BIT))
+	if ((config3 & MIPS_CONF3_PW) && config_enabled(CONFIG_32BIT)) {
+		c->htw_seq = 0;
 		c->options |= MIPS_CPU_HTW;
+	}
 
 	return config3 & MIPS_CONF_M;
 }



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 122/151] udf: Remove repeated loads blocksize
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 121/151] MIPS: HTW: Prevent accidental HTW start due to nested htw_{start, stop} Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 123/151] udf: Check length of extended attributes and allocation descriptors Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jan Kara

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 79144954278d4bb5989f8b903adcac7a20ff2a5a upstream.

Store blocksize in a local variable in udf_fill_inode() since it is used
a lot of times.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/udf/inode.c |   19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1288,6 +1288,7 @@ static int udf_read_inode(struct inode *
 	struct kernel_lb_addr *iloc = &iinfo->i_location;
 	unsigned int link_count;
 	unsigned int indirections = 0;
+	int bs = inode->i_sb->s_blocksize;
 	int ret = -EIO;
 
 reread:
@@ -1374,38 +1375,35 @@ reread:
 	if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
 		iinfo->i_efe = 1;
 		iinfo->i_use = 0;
-		ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+		ret = udf_alloc_i_data(inode, bs -
 					sizeof(struct extendedFileEntry));
 		if (ret)
 			goto out;
 		memcpy(iinfo->i_ext.i_data,
 		       bh->b_data + sizeof(struct extendedFileEntry),
-		       inode->i_sb->s_blocksize -
-					sizeof(struct extendedFileEntry));
+		       bs - sizeof(struct extendedFileEntry));
 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
 		iinfo->i_efe = 0;
 		iinfo->i_use = 0;
-		ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
-						sizeof(struct fileEntry));
+		ret = udf_alloc_i_data(inode, bs - sizeof(struct fileEntry));
 		if (ret)
 			goto out;
 		memcpy(iinfo->i_ext.i_data,
 		       bh->b_data + sizeof(struct fileEntry),
-		       inode->i_sb->s_blocksize - sizeof(struct fileEntry));
+		       bs - sizeof(struct fileEntry));
 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
 		iinfo->i_efe = 0;
 		iinfo->i_use = 1;
 		iinfo->i_lenAlloc = le32_to_cpu(
 				((struct unallocSpaceEntry *)bh->b_data)->
 				 lengthAllocDescs);
-		ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+		ret = udf_alloc_i_data(inode, bs -
 					sizeof(struct unallocSpaceEntry));
 		if (ret)
 			goto out;
 		memcpy(iinfo->i_ext.i_data,
 		       bh->b_data + sizeof(struct unallocSpaceEntry),
-		       inode->i_sb->s_blocksize -
-					sizeof(struct unallocSpaceEntry));
+		       bs - sizeof(struct unallocSpaceEntry));
 		return 0;
 	}
 
@@ -1498,8 +1496,7 @@ reread:
 		if (iinfo->i_lenAlloc != inode->i_size)
 			goto out;
 		/* File in ICB has to fit in there... */
-		if (inode->i_size > inode->i_sb->s_blocksize -
-					udf_file_entry_alloc_offset(inode))
+		if (inode->i_size > bs - udf_file_entry_alloc_offset(inode))
 			goto out;
 	}
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 123/151] udf: Check length of extended attributes and allocation descriptors
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 122/151] udf: Remove repeated loads blocksize Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 124/151] KVM: x86: update masterclock values on TSC writes Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Carl Henrik Lunde, Jan Kara

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.

Check length of extended attributes and allocation descriptors when
loading inodes from disk. Otherwise corrupted filesystems could confuse
the code and make the kernel oops.

Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/udf/inode.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1487,6 +1487,15 @@ reread:
 	}
 	inode->i_generation = iinfo->i_unique;
 
+	/*
+	 * Sanity check length of allocation descriptors and extended attrs to
+	 * avoid integer overflows
+	 */
+	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs)
+		goto out;
+	/* Now do exact checks */
+	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs)
+		goto out;
 	/* Sanity checks for files in ICB so that we don't get confused later */
 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
 		/*



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 124/151] KVM: x86: update masterclock values on TSC writes
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 123/151] udf: Check length of extended attributes and allocation descriptors Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 125/151] KVM: s390: forward hrtimer if guest ckc not pending yet Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcelo Tosatti, Paolo Bonzini

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marcelo Tosatti <mtosatti@redhat.com>

commit 7f187922ddf6b67f2999a76dcb71663097b75497 upstream.

When the guest writes to the TSC, the masterclock TSC copy must be
updated as well along with the TSC_OFFSET update, otherwise a negative
tsc_timestamp is calculated at kvm_guest_time_update.

Once "if (!vcpus_matched && ka->use_master_clock)" is simplified to
"if (ka->use_master_clock)", the corresponding "if (!ka->use_master_clock)"
becomes redundant, so remove the do_request boolean and collapse
everything into a single condition.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1237,21 +1237,22 @@ void kvm_track_tsc_matching(struct kvm_v
 {
 #ifdef CONFIG_X86_64
 	bool vcpus_matched;
-	bool do_request = false;
 	struct kvm_arch *ka = &vcpu->kvm->arch;
 	struct pvclock_gtod_data *gtod = &pvclock_gtod_data;
 
 	vcpus_matched = (ka->nr_vcpus_matched_tsc + 1 ==
 			 atomic_read(&vcpu->kvm->online_vcpus));
 
-	if (vcpus_matched && gtod->clock.vclock_mode == VCLOCK_TSC)
-		if (!ka->use_master_clock)
-			do_request = 1;
-
-	if (!vcpus_matched && ka->use_master_clock)
-			do_request = 1;
-
-	if (do_request)
+	/*
+	 * Once the masterclock is enabled, always perform request in
+	 * order to update it.
+	 *
+	 * In order to enable masterclock, the host clocksource must be TSC
+	 * and the vcpus need to have matched TSCs.  When that happens,
+	 * perform request to enable masterclock.
+	 */
+	if (ka->use_master_clock ||
+	    (gtod->clock.vclock_mode == VCLOCK_TSC && vcpus_matched))
 		kvm_make_request(KVM_REQ_MASTERCLOCK_UPDATE, vcpu);
 
 	trace_kvm_track_tsc(vcpu->vcpu_id, ka->nr_vcpus_matched_tsc,



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 125/151] KVM: s390: forward hrtimer if guest ckc not pending yet
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 124/151] KVM: x86: update masterclock values on TSC writes Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 126/151] KVM: s390: base hrtimer on a monotonic clock Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Borntraeger,
	David Hildenbrand, Cornelia Huck

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

commit 2d00f759427bb3ed963b60f570830e9eca7e1c69 upstream.

Patch 0759d0681cae ("KVM: s390: cleanup handle_wait by reusing
kvm_vcpu_block") changed the way pending guest clock comparator
interrupts are detected. It was assumed that as soon as the hrtimer
wakes up, the condition for the guest ckc is satisfied.

This is however only true as long as adjclock() doesn't speed
up the monotonic clock. Reason is that the hrtimer is based on
CLOCK_MONOTONIC, the guest clock comparator detection is based
on the raw TOD clock. If CLOCK_MONOTONIC runs faster than the
TOD clock, the hrtimer wakes the target VCPU up too early and
the target VCPU will not detect any pending interrupts, therefore
going back to sleep. It will never be woken up again because the
hrtimer has finished. The VCPU is stuck.

As a quick fix, we have to forward the hrtimer until the guest
clock comparator is really due, to guarantee properly timed wake
ups.

As the hrtimer callback might be triggered on another cpu, we
have to make sure that the timer is really stopped and not currently
executing the callback on another cpu. This can happen if the vcpu
thread is scheduled onto another physical cpu, but the timer base
is not migrated. So lets use hrtimer_cancel instead of try_to_cancel.

A proper fix might be to introduce a RAW based hrtimer.

Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/interrupt.c |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -613,7 +613,7 @@ no_timer:
 	__unset_cpu_idle(vcpu);
 	vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
 
-	hrtimer_try_to_cancel(&vcpu->arch.ckc_timer);
+	hrtimer_cancel(&vcpu->arch.ckc_timer);
 	return 0;
 }
 
@@ -633,10 +633,20 @@ void kvm_s390_vcpu_wakeup(struct kvm_vcp
 enum hrtimer_restart kvm_s390_idle_wakeup(struct hrtimer *timer)
 {
 	struct kvm_vcpu *vcpu;
+	u64 now, sltime;
 
 	vcpu = container_of(timer, struct kvm_vcpu, arch.ckc_timer);
-	kvm_s390_vcpu_wakeup(vcpu);
+	now = get_tod_clock_fast() + vcpu->arch.sie_block->epoch;
+	sltime = tod_to_ns(vcpu->arch.sie_block->ckc - now);
 
+	/*
+	 * If the monotonic clock runs faster than the tod clock we might be
+	 * woken up too early and have to go back to sleep to avoid deadlocks.
+	 */
+	if (vcpu->arch.sie_block->ckc > now &&
+	    hrtimer_forward_now(timer, ns_to_ktime(sltime)))
+		return HRTIMER_RESTART;
+	kvm_s390_vcpu_wakeup(vcpu);
 	return HRTIMER_NORESTART;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 126/151] KVM: s390: base hrtimer on a monotonic clock
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 125/151] KVM: s390: forward hrtimer if guest ckc not pending yet Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 127/151] KVM: s390: floating irqs: fix user triggerable endless loop Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Hildenbrand, Cornelia Huck,
	Christian Borntraeger

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

commit 0ac96caf0f9381088c673a16d910b1d329670edf upstream.

The hrtimer that handles the wait with enabled timer interrupts
should not be disturbed by changes of the host time.

This patch changes our hrtimer to be based on a monotonic clock.

Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/kvm-s390.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -662,7 +662,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu
 		if (rc)
 			return rc;
 	}
-	hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS);
+	hrtimer_init(&vcpu->arch.ckc_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
 	vcpu->arch.ckc_timer.function = kvm_s390_idle_wakeup;
 	get_cpu_id(&vcpu->arch.cpu_id);
 	vcpu->arch.cpu_id.version = 0xff;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 127/151] KVM: s390: floating irqs: fix user triggerable endless loop
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 126/151] KVM: s390: base hrtimer on a monotonic clock Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 128/151] KVM: s390: avoid memory leaks if __inject_vm() fails Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dominik Dingel, Cornelia Huck,
	David Hildenbrand, Christian Borntraeger

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

commit 8e2207cdd087ebb031e9118d1fd0902c6533a5e5 upstream.

If a vm with no VCPUs is created, the injection of a floating irq
leads to an endless loop in the kernel.

Let's skip the search for a destination VCPU for a floating irq if no
VCPUs were created.

Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/interrupt.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -850,6 +850,8 @@ static int __inject_vm(struct kvm *kvm,
 		list_add_tail(&inti->list, &iter->list);
 	}
 	atomic_set(&fi->active, 1);
+	if (atomic_read(&kvm->online_vcpus) == 0)
+		goto unlock_fi;
 	sigcpu = find_first_bit(fi->idle_mask, KVM_MAX_VCPUS);
 	if (sigcpu == KVM_MAX_VCPUS) {
 		do {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 128/151] KVM: s390: avoid memory leaks if __inject_vm() fails
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 127/151] KVM: s390: floating irqs: fix user triggerable endless loop Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 129/151] x86/xen: Treat SCI interrupt as normal GSI interrupt Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dominik Dingel, David Hildenbrand,
	Christian Borntraeger

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

commit 428d53be5e7468769d4e7899cca06ed5f783a6e1 upstream.

We have to delete the allocated interrupt info if __inject_vm() fails.

Otherwise user space can keep flooding kvm with floating interrupts and
provoke more and more memory leaks.

Reported-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/interrupt.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -876,6 +876,7 @@ int kvm_s390_inject_vm(struct kvm *kvm,
 		       struct kvm_s390_interrupt *s390int)
 {
 	struct kvm_s390_interrupt_info *inti;
+	int rc;
 
 	inti = kzalloc(sizeof(*inti), GFP_KERNEL);
 	if (!inti)
@@ -923,7 +924,10 @@ int kvm_s390_inject_vm(struct kvm *kvm,
 	trace_kvm_s390_inject_vm(s390int->type, s390int->parm, s390int->parm64,
 				 2);
 
-	return __inject_vm(kvm, inti);
+	rc = __inject_vm(kvm, inti);
+	if (rc)
+		kfree(inti);
+	return rc;
 }
 
 void kvm_s390_reinject_io_int(struct kvm *kvm,



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 129/151] x86/xen: Treat SCI interrupt as normal GSI interrupt
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 128/151] KVM: s390: avoid memory leaks if __inject_vm() fails Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04 12:51   ` Stefan Bader
  2015-03-04  6:14 ` [PATCH 3.18 130/151] hx4700: regulator: declare full constraints Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  140 siblings, 1 reply; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiang Liu, Sander Eikelenboom,
	Tony Luck, xen-devel, Konrad Rzeszutek Wilk, David Vrabel,
	Rafael J. Wysocki, Len Brown, Pavel Machek, Bjorn Helgaas,
	Thomas Gleixner, Stefan Bader

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiang Liu <jiang.liu@linux.intel.com>

commit b568b8601f05a591a7ff09d8ee1cedb5b2e815fe upstream.

Currently Xen Domain0 has special treatment for ACPI SCI interrupt,
that is initialize irq for ACPI SCI at early stage in a special way as:
xen_init_IRQ()
	->pci_xen_initial_domain()
		->xen_setup_acpi_sci()
			Allocate and initialize irq for ACPI SCI

Function xen_setup_acpi_sci() calls acpi_gsi_to_irq() to get an irq
number for ACPI SCI. But unfortunately acpi_gsi_to_irq() depends on
IOAPIC irqdomains through following path
acpi_gsi_to_irq()
	->mp_map_gsi_to_irq()
		->mp_map_pin_to_irq()
			->check IOAPIC irqdomain

For PV domains, it uses Xen event based interrupt manangement and
doesn't make uses of native IOAPIC, so no irqdomains created for IOAPIC.
This causes Xen domain0 fail to install interrupt handler for ACPI SCI
and all ACPI events will be lost. Please refer to:
https://lkml.org/lkml/2014/12/19/178

So the fix is to get rid of special treatment for ACPI SCI, just treat
ACPI SCI as normal GSI interrupt as:
acpi_gsi_to_irq()
	->acpi_register_gsi()
		->acpi_register_gsi_xen()
			->xen_register_gsi()

With above change, there's no need for xen_setup_acpi_sci() anymore.
The above change also works with bare metal kernel too.

Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com>
Tested-by: Sander Eikelenboom <linux@eikelenboom.it>
Cc: Tony Luck <tony.luck@intel.com>
Cc: xen-devel@lists.xenproject.org
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
Cc: Len Brown <len.brown@intel.com>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Link: http://lkml.kernel.org/r/1421720467-7709-2-git-send-email-jiang.liu@linux.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/acpi/boot.c |   21 ++++++++++---------
 arch/x86/pci/xen.c          |   47 --------------------------------------------
 2 files changed, 11 insertions(+), 57 deletions(-)

--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -604,18 +604,19 @@ void __init acpi_pic_sci_set_trigger(uns
 
 int acpi_gsi_to_irq(u32 gsi, unsigned int *irqp)
 {
-	int irq;
+	int rc, irq, trigger, polarity;
 
-	if (acpi_irq_model == ACPI_IRQ_MODEL_PIC) {
-		*irqp = gsi;
-	} else {
-		irq = mp_map_gsi_to_irq(gsi,
-					IOAPIC_MAP_ALLOC | IOAPIC_MAP_CHECK);
-		if (irq < 0)
-			return -1;
-		*irqp = irq;
+	rc = acpi_get_override_irq(gsi, &trigger, &polarity);
+	if (rc == 0) {
+		trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
+		polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
+		irq = acpi_register_gsi(NULL, gsi, trigger, polarity);
+		if (irq >= 0) {
+			*irqp = irq;
+			return 0;
+		}
 	}
-	return 0;
+	return -1;
 }
 EXPORT_SYMBOL_GPL(acpi_gsi_to_irq);
 
--- a/arch/x86/pci/xen.c
+++ b/arch/x86/pci/xen.c
@@ -452,52 +452,6 @@ int __init pci_xen_hvm_init(void)
 }
 
 #ifdef CONFIG_XEN_DOM0
-static __init void xen_setup_acpi_sci(void)
-{
-	int rc;
-	int trigger, polarity;
-	int gsi = acpi_sci_override_gsi;
-	int irq = -1;
-	int gsi_override = -1;
-
-	if (!gsi)
-		return;
-
-	rc = acpi_get_override_irq(gsi, &trigger, &polarity);
-	if (rc) {
-		printk(KERN_WARNING "xen: acpi_get_override_irq failed for acpi"
-				" sci, rc=%d\n", rc);
-		return;
-	}
-	trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
-	polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
-
-	printk(KERN_INFO "xen: sci override: global_irq=%d trigger=%d "
-			"polarity=%d\n", gsi, trigger, polarity);
-
-	/* Before we bind the GSI to a Linux IRQ, check whether
-	 * we need to override it with bus_irq (IRQ) value. Usually for
-	 * IRQs below IRQ_LEGACY_IRQ this holds IRQ == GSI, as so:
-	 *  ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 low level)
-	 * but there are oddballs where the IRQ != GSI:
-	 *  ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 20 low level)
-	 * which ends up being: gsi_to_irq[9] == 20
-	 * (which is what acpi_gsi_to_irq ends up calling when starting the
-	 * the ACPI interpreter and keels over since IRQ 9 has not been
-	 * setup as we had setup IRQ 20 for it).
-	 */
-	if (acpi_gsi_to_irq(gsi, &irq) == 0) {
-		/* Use the provided value if it's valid. */
-		if (irq >= 0)
-			gsi_override = irq;
-	}
-
-	gsi = xen_register_gsi(gsi, gsi_override, trigger, polarity);
-	printk(KERN_INFO "xen: acpi sci %d\n", gsi);
-
-	return;
-}
-
 int __init pci_xen_initial_domain(void)
 {
 	int irq;
@@ -509,7 +463,6 @@ int __init pci_xen_initial_domain(void)
 	x86_msi.msi_mask_irq = xen_nop_msi_mask_irq;
 	x86_msi.msix_mask_irq = xen_nop_msix_mask_irq;
 #endif
-	xen_setup_acpi_sci();
 	__acpi_register_gsi = acpi_register_gsi_xen;
 	/* Pre-allocate legacy irqs */
 	for (irq = 0; irq < nr_legacy_irqs(); irq++) {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 130/151] hx4700: regulator: declare full constraints
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 129/151] x86/xen: Treat SCI interrupt as normal GSI interrupt Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 131/151] arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Vajnar, Robert Jarzmik

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Vajnar <martin.vajnar@gmail.com>

commit a52d209336f8fc7483a8c7f4a8a7d2a8e1692a6c upstream.

Since the removal of CONFIG_REGULATOR_DUMMY option, the touchscreen stopped
working. This patch enables the "replacement" for REGULATOR_DUMMY and
allows the touchscreen to work even though there is no regulator for "vcc".

Signed-off-by: Martin Vajnar <martin.vajnar@gmail.com>
Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-pxa/hx4700.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/mach-pxa/hx4700.c
+++ b/arch/arm/mach-pxa/hx4700.c
@@ -893,6 +893,8 @@ static void __init hx4700_init(void)
 	mdelay(10);
 	gpio_set_value(GPIO71_HX4700_ASIC3_nRESET, 1);
 	mdelay(10);
+
+	regulator_has_full_constraints();
 }
 
 MACHINE_START(H4700, "HP iPAQ HX4700")



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 131/151] arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 130/151] hx4700: regulator: declare full constraints Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 132/151] gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bamvor Jian Zhang, Catalin Marinas

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

commit 9d42d48a342aee208c1154696196497fdc556bbf upstream.

The native (64-bit) sigval_t union contains sival_int (32-bit) and
sival_ptr (64-bit). When a compat application invokes a syscall that
takes a sigval_t value (as part of a larger structure, e.g.
compat_sys_mq_notify, compat_sys_timer_create), the compat_sigval_t
union is converted to the native sigval_t with sival_int overlapping
with either the least or the most significant half of sival_ptr,
depending on endianness. When the corresponding signal is delivered to a
compat application, on big endian the current (compat_uptr_t)sival_ptr
cast always returns 0 since sival_int corresponds to the top part of
sival_ptr. This patch fixes copy_siginfo_to_user32() so that sival_int
is copied to the compat_siginfo_t structure.

Reported-by: Bamvor Jian Zhang <bamvor.zhangjian@huawei.com>
Tested-by: Bamvor Jian Zhang <bamvor.zhangjian@huawei.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/signal32.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/arch/arm64/kernel/signal32.c
+++ b/arch/arm64/kernel/signal32.c
@@ -154,8 +154,7 @@ int copy_siginfo_to_user32(compat_siginf
 	case __SI_TIMER:
 		 err |= __put_user(from->si_tid, &to->si_tid);
 		 err |= __put_user(from->si_overrun, &to->si_overrun);
-		 err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr,
-				   &to->si_ptr);
+		 err |= __put_user(from->si_int, &to->si_int);
 		break;
 	case __SI_POLL:
 		err |= __put_user(from->si_band, &to->si_band);
@@ -184,7 +183,7 @@ int copy_siginfo_to_user32(compat_siginf
 	case __SI_MESGQ: /* But this is */
 		err |= __put_user(from->si_pid, &to->si_pid);
 		err |= __put_user(from->si_uid, &to->si_uid);
-		err |= __put_user((compat_uptr_t)(unsigned long)from->si_ptr, &to->si_ptr);
+		err |= __put_user(from->si_int, &to->si_int);
 		break;
 	default: /* this is just in case for now ... */
 		err |= __put_user(from->si_pid, &to->si_pid);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 132/151] gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 131/151] arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 133/151] gpio: tps65912: fix wrong container_of arguments Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Holmberg, Alexandre Courbot,
	Robert Jarzmik, Tyler Hall, Linus Walleij

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Holmberg <hans.holmberg@intel.com>

commit 9cf75e9e4ddd587ac12e88e8751c358b7b27e95f upstream.

The change:

7b8792bbdffdff3abda704f89c6a45ea97afdc62
gpiolib: of: Correct error handling in of_get_named_gpiod_flags

assumed that only one gpio-chip is registred per of-node.
Some drivers register more than one chip per of-node, so
adjust the matching function of_gpiochip_find_and_xlate to
not stop looking for chips if a node-match is found and
the translation fails.

Fixes: 7b8792bbdffd ("gpiolib: of: Correct error handling in of_get_named_gpiod_flags")
Signed-off-by: Hans Holmberg <hans.holmberg@intel.com>
Acked-by: Alexandre Courbot <acourbot@nvidia.com>
Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Tested-by: Tyler Hall <tylerwhall@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpiolib-of.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/gpio/gpiolib-of.c
+++ b/drivers/gpio/gpiolib-of.c
@@ -46,12 +46,13 @@ static int of_gpiochip_find_and_xlate(st
 
 	ret = gc->of_xlate(gc, &gg_data->gpiospec, gg_data->flags);
 	if (ret < 0) {
-		/* We've found the gpio chip, but the translation failed.
-		 * Return true to stop looking and return the translation
-		 * error via out_gpio
+		/* We've found a gpio chip, but the translation failed.
+		 * Store translation error in out_gpio.
+		 * Return false to keep looking, as more than one gpio chip
+		 * could be registered per of-node.
 		 */
 		gg_data->out_gpio = ERR_PTR(ret);
-		return true;
+		return false;
 	 }
 
 	gg_data->out_gpio = gpiochip_get_desc(gc, ret);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 133/151] gpio: tps65912: fix wrong container_of arguments
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 132/151] gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 134/151] xfs: Fix quota type in quota structures when reusing quota file Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Saenz Julienne, Linus Walleij

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>

commit 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 upstream.

The gpio_chip operations receive a pointer the gpio_chip struct which is
contained in the driver's private struct, yet the container_of call in those
functions point to the mfd struct defined in include/linux/mfd/tps65912.h.

Signed-off-by: Nicolas Saenz Julienne <nicolassaenzj@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpio-tps65912.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/gpio/gpio-tps65912.c
+++ b/drivers/gpio/gpio-tps65912.c
@@ -26,9 +26,12 @@ struct tps65912_gpio_data {
 	struct gpio_chip gpio_chip;
 };
 
+#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip)
+
 static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset)
 {
-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
+	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
+	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
 	int val;
 
 	val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset);
@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio
 static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset,
 			      int value)
 {
-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
+	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
+	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
 
 	if (value)
 		tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset,
@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpi
 static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset,
 				int value)
 {
-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
+	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
+	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
 
 	/* Set the initial value */
 	tps65912_gpio_set(gc, offset, value);
@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct g
 
 static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset)
 {
-	struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio);
+	struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc);
+	struct tps65912 *tps65912 = tps65912_gpio->tps65912;
 
 	return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset,
 								GPIO_CFG_MASK);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 134/151] xfs: Fix quota type in quota structures when reusing quota file
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 133/151] gpio: tps65912: fix wrong container_of arguments Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 135/151] metag: Fix KSTK_EIP() and KSTK_ESP() macros Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Al Viro, Jan Kara, Dave Chinner,
	Dave Chinner

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit dfcc70a8c868fe03276fa59864149708fb41930b upstream.

For filesystems without separate project quota inode field in the
superblock we just reuse project quota file for group quotas (and vice
versa) if project quota file is allocated and we need group quota file.
When we reuse the file, quota structures on disk suddenly have wrong
type stored in d_flags though. Nobody really cares about this (although
structure type reported to userspace was wrong as well) except
that after commit 14bf61ffe6ac (quota: Switch ->get_dqblk() and
->set_dqblk() to use bytes as space units) assertion in
xfs_qm_scall_getquota() started to trigger on xfs/106 test (apparently I
was testing without XFS_DEBUG so I didn't notice when submitting the
above commit).

Fix the problem by properly resetting ddq->d_flags when running quotacheck
for a quota file.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/xfs_qm.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/xfs/xfs_qm.c
+++ b/fs/xfs/xfs_qm.c
@@ -844,6 +844,11 @@ xfs_qm_reset_dqcounts(
 		 */
 		xfs_dqcheck(mp, ddq, id+j, type, XFS_QMOPT_DQREPAIR,
 			    "xfs_quotacheck");
+		/*
+		 * Reset type in case we are reusing group quota file for
+		 * project quotas or vice versa
+		 */
+		ddq->d_flags = type;
 		ddq->d_bcount = 0;
 		ddq->d_icount = 0;
 		ddq->d_rtbcount = 0;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 135/151] metag: Fix KSTK_EIP() and KSTK_ESP() macros
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 134/151] xfs: Fix quota type in quota structures when reusing quota file Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 136/151] clocksource: mtk: Fix race conditions in probe code Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Brodkin, Vineet Gupta,
	James Hogan, linux-metag

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit c2996cb29bfb73927a79dc96e598a718e843f01a upstream.

The KSTK_EIP() and KSTK_ESP() macros should return the user program
counter (PC) and stack pointer (A0StP) of the given task. These are used
to determine which VMA corresponds to the user stack in
/proc/<pid>/maps, and for the user PC & A0StP in /proc/<pid>/stat.

However for Meta the PC & A0StP from the task's kernel context are used,
resulting in broken output. For example in following /proc/<pid>/maps
output, the 3afff000-3b021000 VMA should be described as the stack:

  # cat /proc/self/maps
  ...
  100b0000-100b1000 rwxp 00000000 00:00 0          [heap]
  3afff000-3b021000 rwxp 00000000 00:00 0

And in the following /proc/<pid>/stat output, the PC is in kernel code
(1074234964 = 0x40078654) and the A0StP is in the kernel heap
(1335981392 = 0x4fa17550):

  # cat /proc/self/stat
  51 (cat) R ... 1335981392 1074234964 ...

Fix the definitions of KSTK_EIP() and KSTK_ESP() to use
task_pt_regs(tsk)->ctx rather than (tsk)->thread.kernel_context. This
gets the registers from the user context stored after the thread info at
the base of the kernel stack, which is from the last entry into the
kernel from userland, regardless of where in the kernel the task may
have been interrupted, which results in the following more correct
/proc/<pid>/maps output:

  # cat /proc/self/maps
  ...
  0800b000-08070000 r-xp 00000000 00:02 207        /lib/libuClibc-0.9.34-git.so
  ...
  100b0000-100b1000 rwxp 00000000 00:00 0          [heap]
  3afff000-3b021000 rwxp 00000000 00:00 0          [stack]

And /proc/<pid>/stat now correctly reports the PC in libuClibc
(134320308 = 0x80190b4) and the A0StP in the [stack] region (989864576 =
0x3b002280):

  # cat /proc/self/stat
  51 (cat) R ... 989864576 134320308 ...

Reported-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Reported-by: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/metag/include/asm/processor.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/metag/include/asm/processor.h
+++ b/arch/metag/include/asm/processor.h
@@ -149,8 +149,8 @@ extern void exit_thread(void);
 
 unsigned long get_wchan(struct task_struct *p);
 
-#define	KSTK_EIP(tsk)	((tsk)->thread.kernel_context->CurrPC)
-#define	KSTK_ESP(tsk)	((tsk)->thread.kernel_context->AX[0].U0)
+#define	KSTK_EIP(tsk)	(task_pt_regs(tsk)->ctx.CurrPC)
+#define	KSTK_ESP(tsk)	(task_pt_regs(tsk)->ctx.AX[0].U0)
 
 #define user_stack_pointer(regs)        ((regs)->ctx.AX[0].U0)
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 136/151] clocksource: mtk: Fix race conditions in probe code
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 135/151] metag: Fix KSTK_EIP() and KSTK_ESP() macros Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 137/151] perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gongbae Park, Matthias Brugger,
	Daniel Lezcano

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Brugger <matthias.bgg@gmail.com>

commit d4a19eb3b15a4ba98f627182f48d5bc0cffae670 upstream.

We have two race conditions in the probe code which could lead to a null
pointer dereference in the interrupt handler.

The interrupt handler accesses the clockevent device, which may not yet be
registered.

First race condition happens when the interrupt handler gets registered before
the interrupts get disabled. The second race condition happens when the
interrupts get enabled, but the clockevent device is not yet registered.

Fix that by disabling the interrupts before we register the interrupt and enable
the interrupts after the clockevent device got registered.

Reported-by: Gongbae Park <yongbae2@gmail.com>
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clocksource/mtk_timer.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/clocksource/mtk_timer.c
+++ b/drivers/clocksource/mtk_timer.c
@@ -224,6 +224,8 @@ static void __init mtk_timer_init(struct
 	}
 	rate = clk_get_rate(clk);
 
+	mtk_timer_global_reset(evt);
+
 	if (request_irq(evt->dev.irq, mtk_timer_interrupt,
 			IRQF_TIMER | IRQF_IRQPOLL, "mtk_timer", evt)) {
 		pr_warn("failed to setup irq %d\n", evt->dev.irq);
@@ -232,8 +234,6 @@ static void __init mtk_timer_init(struct
 
 	evt->ticks_per_jiffy = DIV_ROUND_UP(rate, HZ);
 
-	mtk_timer_global_reset(evt);
-
 	/* Configure clock source */
 	mtk_timer_setup(evt, GPT_CLK_SRC, TIMER_CTRL_OP_FREERUN);
 	clocksource_mmio_init(evt->gpt_base + TIMER_CNT_REG(GPT_CLK_SRC),
@@ -241,10 +241,11 @@ static void __init mtk_timer_init(struct
 
 	/* Configure clock event */
 	mtk_timer_setup(evt, GPT_CLK_EVT, TIMER_CTRL_OP_REPEAT);
-	mtk_timer_enable_irq(evt, GPT_CLK_EVT);
-
 	clockevents_config_and_register(&evt->dev, rate, 0x3,
 					0xffffffff);
+
+	mtk_timer_enable_irq(evt, GPT_CLK_EVT);
+
 	return;
 
 err_clk_disable:



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 137/151] perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 136/151] clocksource: mtk: Fix race conditions in probe code Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 138/151] md/raid5: Fix livelock when array is both resyncing and degraded Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, David Ahern,
	David Ahern, Arnaldo Carvalho de Melo

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 48536c9195ae8c2a00fd8f400bac72ab613feaab upstream.

Commit f6edb53c4993ffe92ce521fb449d1c146cea6ec2 converted the probe to
a CPU wide event first (pid == -1). For kernels that do not support
the PERF_FLAG_FD_CLOEXEC flag the probe fails with EINVAL. Since this
errno is not handled pid is not reset to 0 and the subsequent use of
pid = -1 as an argument brings in an additional failure path if
perf_event_paranoid > 0:

$ perf record -- sleep 1
perf_event_open(..., 0) failed unexpectedly with error 13 (Permission denied)
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.007 MB /tmp/perf.data (11 samples) ]

Also, ensure the fd of the confirmation check is closed and comment why
pid = -1 is used.

Needs to go to 3.18 stable tree as well.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Based-on-patch-by: David Ahern <david.ahern@oracle.com>
Acked-by: David Ahern <david.ahern@oracle.com>
Cc: David Ahern <dsahern@gmail.com>
Link: http://lkml.kernel.org/r/54EC610C.8000403@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/cloexec.c |   18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

--- a/tools/perf/util/cloexec.c
+++ b/tools/perf/util/cloexec.c
@@ -25,6 +25,10 @@ static int perf_flag_probe(void)
 	if (cpu < 0)
 		cpu = 0;
 
+	/*
+	 * Using -1 for the pid is a workaround to avoid gratuitous jump label
+	 * changes.
+	 */
 	while (1) {
 		/* check cloexec flag */
 		fd = sys_perf_event_open(&attr, pid, cpu, -1,
@@ -47,16 +51,24 @@ static int perf_flag_probe(void)
 		  err, strerror_r(err, sbuf, sizeof(sbuf)));
 
 	/* not supported, confirm error related to PERF_FLAG_FD_CLOEXEC */
-	fd = sys_perf_event_open(&attr, pid, cpu, -1, 0);
+	while (1) {
+		fd = sys_perf_event_open(&attr, pid, cpu, -1, 0);
+		if (fd < 0 && pid == -1 && errno == EACCES) {
+			pid = 0;
+			continue;
+		}
+		break;
+	}
 	err = errno;
 
+	if (fd >= 0)
+		close(fd);
+
 	if (WARN_ONCE(fd < 0 && err != EBUSY,
 		      "perf_event_open(..., 0) failed unexpectedly with error %d (%s)\n",
 		      err, strerror_r(err, sbuf, sizeof(sbuf))))
 		return -1;
 
-	close(fd);
-
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 138/151] md/raid5: Fix livelock when array is both resyncing and degraded.
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 137/151] perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 140/151] sb_edac: Fix detection on SNB machines Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manibalan P, Jes Sorensen, NeilBrown

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.de>

commit 26ac107378c4742978216be1005b7291b799c7b2 upstream.

Commit a7854487cd7128a30a7f4f5259de9f67d5efb95f:
  md: When RAID5 is dirty, force reconstruct-write instead of read-modify-write.

Causes an RCW cycle to be forced even when the array is degraded.
A degraded array cannot support RCW as that requires reading all data
blocks, and one may be missing.

Forcing an RCW when it is not possible causes a live-lock and the code
spins, repeatedly deciding to do something that cannot succeed.

So change the condition to only force RCW on non-degraded arrays.

Reported-by: Manibalan P <pmanibalan@amiindia.co.in>
Bisected-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Tested-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Fixes: a7854487cd7128a30a7f4f5259de9f67d5efb95f
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -3102,7 +3102,8 @@ static void handle_stripe_dirtying(struc
 	 * generate correct data from the parity.
 	 */
 	if (conf->max_degraded == 2 ||
-	    (recovery_cp < MaxSector && sh->sector >= recovery_cp)) {
+	    (recovery_cp < MaxSector && sh->sector >= recovery_cp &&
+	     s->failed == 0)) {
 		/* Calculate the real rcw later - for now make it
 		 * look like rcw is cheaper
 		 */



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 140/151] sb_edac: Fix detection on SNB machines
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 138/151] md/raid5: Fix livelock when array is both resyncing and degraded Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 141/151] EDAC, amd64_edac: Prevent OOPS with >16 memory controllers Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aristeu Rozanski, Tony Luck,
	Andy Lutomirski, Mauro Carvalho Chehab, Borislav Petkov

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 11249e73992981e31fd50e7231da24fad68e3320 upstream.

d0585cd815fa ("sb_edac: Claim a different PCI device") changed the
probing of sb_edac to look for PCI device 0x3ca0:

3f:0e.0 System peripheral: Intel Corporation Xeon E5/Core i7 Processor Home Agent (rev 07)
00: 86 80 a0 3c 00 00 00 00 07 00 80 08 00 00 80 00
...

but we're matching for 0x3ca8, i.e. PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TA
in sbridge_probe() therefore the probing fails.

Changing it to probe for 0x3ca0 (PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_HA0),
.i.e., the 14.0 device, fixes the issue and driver loads successfully
again:

[ 2449.013120] EDAC DEBUG: sbridge_init:
[ 2449.017029] EDAC sbridge: Seeking for: PCI ID 8086:3ca0
[ 2449.022368] EDAC DEBUG: sbridge_get_onedevice: Detected 8086:3ca0
[ 2449.028498] EDAC sbridge: Seeking for: PCI ID 8086:3ca0
[ 2449.033768] EDAC sbridge: Seeking for: PCI ID 8086:3ca8
[ 2449.039028] EDAC DEBUG: sbridge_get_onedevice: Detected 8086:3ca8
[ 2449.045155] EDAC sbridge: Seeking for: PCI ID 8086:3ca8
...

Add a debug printk while at it to be able to catch the failure in the
future and dump driver version on successful load.

Fixes: d0585cd815fa ("sb_edac: Claim a different PCI device")
Acked-by: Aristeu Rozanski <aris@redhat.com>
Cc: Tony Luck <tony.luck@intel.com>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/edac/sb_edac.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/edac/sb_edac.c
+++ b/drivers/edac/sb_edac.c
@@ -2297,7 +2297,7 @@ static int sbridge_probe(struct pci_dev
 		rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_ibridge_table);
 		type = IVY_BRIDGE;
 		break;
-	case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_TA:
+	case PCI_DEVICE_ID_INTEL_SBRIDGE_IMC_HA0:
 		rc = sbridge_get_all_devices(&num_mc, pci_dev_descr_sbridge_table);
 		type = SANDY_BRIDGE;
 		break;
@@ -2306,8 +2306,11 @@ static int sbridge_probe(struct pci_dev
 		type = HASWELL;
 		break;
 	}
-	if (unlikely(rc < 0))
+	if (unlikely(rc < 0)) {
+		edac_dbg(0, "couldn't get all devices for 0x%x\n", pdev->device);
 		goto fail0;
+	}
+
 	mc = 0;
 
 	list_for_each_entry(sbridge_dev, &sbridge_edac_list, list) {
@@ -2320,7 +2323,7 @@ static int sbridge_probe(struct pci_dev
 			goto fail1;
 	}
 
-	sbridge_printk(KERN_INFO, "Driver loaded.\n");
+	sbridge_printk(KERN_INFO, "%s\n", SBRIDGE_REVISION);
 
 	mutex_unlock(&sbridge_edac_lock);
 	return 0;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 141/151] EDAC, amd64_edac: Prevent OOPS with >16 memory controllers
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 140/151] sb_edac: Fix detection on SNB machines Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 142/151] jffs2: fix handling of corrupted summary length Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel J Blueman, Borislav Petkov

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel J Blueman <daniel@numascale.com>

commit 0c510cc83bdbaac8406f4f7caef34f4da0ba35ea upstream.

When DRAM errors occur on memory controllers after EDAC_MAX_MCS (16),
the kernel fatally dereferences unallocated structures, see splat below;
this occurs on at least NumaConnect systems.

Fix by checking if a memory controller info structure was found.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000320
IP: [<ffffffff819f714f>] decode_bus_error+0x2f/0x2b0
PGD 2f8b5a3067 PUD 2f8b5a2067 PMD 0
Oops: 0000 [#2] SMP
Modules linked in:
CPU: 224 PID: 11930 Comm: stream_c.exe.gn Tainted: G   D    3.19.0 #1
Hardware name: Supermicro H8QGL/H8QGL, BIOS 3.5b    01/28/2015
task: ffff8807dbfb8c00 ti: ffff8807dd16c000 task.ti: ffff8807dd16c000
RIP: 0010:[<ffffffff819f714f>] [<ffffffff819f714f>] decode_bus_error+0x2f/0x2b0
RSP: 0000:ffff8907dfc03c48 EFLAGS: 00010297
RAX: 0000000000000001 RBX: 9c67400010080a13 RCX: 0000000000001dc6
RDX: 000000001dc61dc6 RSI: ffff8907dfc03df0 RDI: 000000000000001c
RBP: ffff8907dfc03ce8 R08: 0000000000000000 R09: 0000000000000022
R10: ffff891fffa30380 R11: 00000000001cfc90 R12: 0000000000000008
R13: 0000000000000000 R14: 000000000000001c R15: 00009c6740001000
FS: 00007fa97ee18700(0000) GS:ffff8907dfc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000320 CR3: 0000003f889b8000 CR4: 00000000000407e0
Stack:
 0000000000000000 ffff8907dfc03df0 0000000000000008 9c67400010080a13
 000000000000001c 00009c6740001000 ffff8907dfc03c88 ffffffff810e4f9a
 ffff8907dfc03ce8 ffffffff81b375b9 0000000000000000 0000000000000010
Call Trace:
 <IRQ>
 ? vprintk_default
 ? printk
 amd_decode_mce
 notifier_call_chain
 atomic_notifier_call_chain
 mce_log
 machine_check_poll
 mce_timer_fn
 ? mce_cpu_restart
 call_timer_fn.isra.29
 run_timer_softirq
 __do_softirq
 irq_exit
 smp_apic_timer_interrupt
 apic_timer_interrupt
 <EOI>
 ? down_read_trylock
 __do_page_fault
 ? __schedule
 do_page_fault
 page_fault

Signed-off-by: Daniel J Blueman <daniel@numascale.com>
Link: http://lkml.kernel.org/r/1424144078-24589-1-git-send-email-daniel@numascale.com
[ Boris: massage commit message ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/edac/amd64_edac.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/edac/amd64_edac.c
+++ b/drivers/edac/amd64_edac.c
@@ -2039,14 +2039,20 @@ static void __log_bus_error(struct mem_c
 
 static inline void decode_bus_error(int node_id, struct mce *m)
 {
-	struct mem_ctl_info *mci = mcis[node_id];
-	struct amd64_pvt *pvt = mci->pvt_info;
+	struct mem_ctl_info *mci;
+	struct amd64_pvt *pvt;
 	u8 ecc_type = (m->status >> 45) & 0x3;
 	u8 xec = XEC(m->status, 0x1f);
 	u16 ec = EC(m->status);
 	u64 sys_addr;
 	struct err_info err;
 
+	mci = edac_mc_find(node_id);
+	if (!mci)
+		return;
+
+	pvt = mci->pvt_info;
+
 	/* Bail out early if this was an 'observed' error */
 	if (PP(ec) == NBSL_PP_OBS)
 		return;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 142/151] jffs2: fix handling of corrupted summary length
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 141/151] EDAC, amd64_edac: Prevent OOPS with >16 memory controllers Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 143/151] samsung-laptop: Add use_native_backlight quirk, and enable it on some models Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen Jie, Andrew Morton, David Woodhouse

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen Jie <chenjie6@huawei.com>

commit 164c24063a3eadee11b46575c5482b2f1417be49 upstream.

sm->offset maybe wrong but magic maybe right, the offset do not have CRC.

Badness at c00c7580 [verbose debug info unavailable]
NIP: c00c7580 LR: c00c718c CTR: 00000014
REGS: df07bb40 TRAP: 0700   Not tainted  (2.6.34.13-WR4.3.0.0_standard)
MSR: 00029000 <EE,ME,CE>  CR: 22084f84  XER: 00000000
TASK = df84d6e0[908] 'mount' THREAD: df07a000
GPR00: 00000001 df07bbf0 df84d6e0 00000000 00000001 00000000 df07bb58 00000041
GPR08: 00000041 c0638860 00000000 00000010 22084f88 100636c8 df814ff8 00000000
GPR16: df84d6e0 dfa558cc c05adb90 00000048 c0452d30 00000000 000240d0 000040d0
GPR24: 00000014 c05ae734 c05be2e0 00000000 00000001 00000000 00000000 c05ae730
NIP [c00c7580] __alloc_pages_nodemask+0x4d0/0x638
LR [c00c718c] __alloc_pages_nodemask+0xdc/0x638
Call Trace:
[df07bbf0] [c00c718c] __alloc_pages_nodemask+0xdc/0x638 (unreliable)
[df07bc90] [c00c7708] __get_free_pages+0x20/0x48
[df07bca0] [c00f4a40] __kmalloc+0x15c/0x1ec
[df07bcd0] [c01fc880] jffs2_scan_medium+0xa58/0x14d0
[df07bd70] [c01ff38c] jffs2_do_mount_fs+0x1f4/0x6b4
[df07bdb0] [c020144c] jffs2_do_fill_super+0xa8/0x260
[df07bdd0] [c020230c] jffs2_fill_super+0x104/0x184
[df07be00] [c0335814] get_sb_mtd_aux+0x9c/0xec
[df07be20] [c033596c] get_sb_mtd+0x84/0x1e8
[df07be60] [c0201ed0] jffs2_get_sb+0x1c/0x2c
[df07be70] [c0103898] vfs_kern_mount+0x78/0x1e8
[df07bea0] [c0103a58] do_kern_mount+0x40/0x100
[df07bec0] [c011fe90] do_mount+0x240/0x890
[df07bf10] [c0120570] sys_mount+0x90/0xd8
[df07bf40] [c00110d8] ret_from_syscall+0x0/0x4

=== Exception: c01 at 0xff61a34
    LR = 0x100135f0
Instruction dump:
38800005 38600000 48010f41 4bfffe1c 4bfc2d15 4bfffe8c 72e90200 4082fc28
3d20c064 39298860 8809000d 68000001 <0f000000> 2f800000 419efc0c 38000001
mount: mounting /dev/mtdblock3 on /common failed: Input/output error

Signed-off-by: Chen Jie <chenjie6@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/jffs2/scan.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -510,6 +510,10 @@ static int jffs2_scan_eraseblock (struct
 				sumlen = c->sector_size - je32_to_cpu(sm->offset);
 				sumptr = buf + buf_size - sumlen;
 
+				/* sm->offset maybe wrong but MAGIC maybe right */
+				if (sumlen > c->sector_size)
+					goto full_scan;
+
 				/* Now, make sure the summary itself is available */
 				if (sumlen > buf_size) {
 					/* Need to kmalloc for this. */
@@ -544,6 +548,7 @@ static int jffs2_scan_eraseblock (struct
 		}
 	}
 
+full_scan:
 	buf_ofs = jeb->offset;
 
 	if (!buf_size) {



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 143/151] samsung-laptop: Add use_native_backlight quirk, and enable it on some models
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 142/151] jffs2: fix handling of corrupted summary length Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 144/151] libceph: fix double __remove_osd() problem Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Darren Hart

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 4690555e13c48fef07f2762f6b0cd6b181e326d0 upstream.

Since kernel 3.14 the backlight control has been broken on various Samsung
Atom based netbooks. This has been bisected and this problem happens since
commit b35684b8fa94 ("drm/i915: do full backlight setup at enable time")

This has been reported and discussed in detail here:
http://lists.freedesktop.org/archives/intel-gfx/2014-July/049395.html

Unfortunately no-one has been able to fix this. This only affects Samsung
Atom netbooks, and the Linux kernel and the BIOS of those laptops have never
worked well together. All affected laptops already have a quirk to avoid using
the standard acpi-video interface and instead use the samsung specific SABI
interface which samsung-laptop uses. It seems that recent fixes to the i915
driver have also broken backlight control through the SABI interface.

The intel_backlight driver OTOH works fine, and also allows for finer grained
backlight control. So add a new use_native_backlight quirk, and replace the
broken_acpi_video quirk with this quirk for affected models. This new quirk
disables acpi-video as before and also stops samsung-laptop from registering
the SABI based samsung_laptop backlight interface, leaving only the working
intel_backlight interface.

This commit enables this new quirk for 3 models which are known to be affected,
chances are that it needs to be used on other models too.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1094948 # N145P
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1115713 # N250P
Reported-by: Bertrik Sikken <bertrik@sikken.nl> # N150P
Cc: stable@vger.kernel.org # 3.16
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/samsung-laptop.c |   20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- a/drivers/platform/x86/samsung-laptop.c
+++ b/drivers/platform/x86/samsung-laptop.c
@@ -353,6 +353,7 @@ struct samsung_quirks {
 	bool broken_acpi_video;
 	bool four_kbd_backlight_levels;
 	bool enable_kbd_backlight;
+	bool use_native_backlight;
 };
 
 static struct samsung_quirks samsung_unknown = {};
@@ -361,6 +362,10 @@ static struct samsung_quirks samsung_bro
 	.broken_acpi_video = true,
 };
 
+static struct samsung_quirks samsung_use_native_backlight = {
+	.use_native_backlight = true,
+};
+
 static struct samsung_quirks samsung_np740u3e = {
 	.four_kbd_backlight_levels = true,
 	.enable_kbd_backlight = true,
@@ -1507,7 +1512,7 @@ static struct dmi_system_id __initdata s
 		DMI_MATCH(DMI_PRODUCT_NAME, "N150P"),
 		DMI_MATCH(DMI_BOARD_NAME, "N150P"),
 		},
-	 .driver_data = &samsung_broken_acpi_video,
+	 .driver_data = &samsung_use_native_backlight,
 	},
 	{
 	 .callback = samsung_dmi_matched,
@@ -1517,7 +1522,7 @@ static struct dmi_system_id __initdata s
 		DMI_MATCH(DMI_PRODUCT_NAME, "N145P/N250P/N260P"),
 		DMI_MATCH(DMI_BOARD_NAME, "N145P/N250P/N260P"),
 		},
-	 .driver_data = &samsung_broken_acpi_video,
+	 .driver_data = &samsung_use_native_backlight,
 	},
 	{
 	 .callback = samsung_dmi_matched,
@@ -1557,7 +1562,7 @@ static struct dmi_system_id __initdata s
 		DMI_MATCH(DMI_PRODUCT_NAME, "N250P"),
 		DMI_MATCH(DMI_BOARD_NAME, "N250P"),
 		},
-	 .driver_data = &samsung_broken_acpi_video,
+	 .driver_data = &samsung_use_native_backlight,
 	},
 	{
 	 .callback = samsung_dmi_matched,
@@ -1616,6 +1621,15 @@ static int __init samsung_init(void)
 		pr_info("Disabling ACPI video driver\n");
 		acpi_video_unregister();
 	}
+
+	if (samsung->quirks->use_native_backlight) {
+		pr_info("Using native backlight driver\n");
+		/* Tell acpi-video to not handle the backlight */
+		acpi_video_dmi_promote_vendor();
+		acpi_video_unregister();
+		/* And also do not handle it ourselves */
+		samsung->handle_backlight = false;
+	}
 #endif
 
 	ret = samsung_platform_init(samsung);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 144/151] libceph: fix double __remove_osd() problem
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 143/151] samsung-laptop: Add use_native_backlight quirk, and enable it on some models Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 145/151] btrfs: set proper message level for skinny metadata Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sage Weil, Ilya Dryomov, Alex Elder

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 7eb71e0351fbb1b242ae70abb7bb17107fe2f792 upstream.

It turns out it's possible to get __remove_osd() called twice on the
same OSD.  That doesn't sit well with rb_erase() - depending on the
shape of the tree we can get a NULL dereference, a soft lockup or
a random crash at some point in the future as we end up touching freed
memory.  One scenario that I was able to reproduce is as follows:

            <osd3 is idle, on the osd lru list>
<con reset - osd3>
con_fault_finish()
  osd_reset()
                              <osdmap - osd3 down>
                              ceph_osdc_handle_map()
                                <takes map_sem>
                                kick_requests()
                                  <takes request_mutex>
                                  reset_changed_osds()
                                    __reset_osd()
                                      __remove_osd()
                                  <releases request_mutex>
                                <releases map_sem>
    <takes map_sem>
    <takes request_mutex>
    __kick_osd_requests()
      __reset_osd()
        __remove_osd() <-- !!!

A case can be made that osd refcounting is imperfect and reworking it
would be a proper resolution, but for now Sage and I decided to fix
this by adding a safe guard around __remove_osd().

Fixes: http://tracker.ceph.com/issues/8087

Cc: Sage Weil <sage@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ceph/osd_client.c |   26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1006,14 +1006,24 @@ static void put_osd(struct ceph_osd *osd
  */
 static void __remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
 {
-	dout("__remove_osd %p\n", osd);
+	dout("%s %p osd%d\n", __func__, osd, osd->o_osd);
 	WARN_ON(!list_empty(&osd->o_requests));
 	WARN_ON(!list_empty(&osd->o_linger_requests));
 
-	rb_erase(&osd->o_node, &osdc->osds);
 	list_del_init(&osd->o_osd_lru);
-	ceph_con_close(&osd->o_con);
-	put_osd(osd);
+	rb_erase(&osd->o_node, &osdc->osds);
+	RB_CLEAR_NODE(&osd->o_node);
+}
+
+static void remove_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
+{
+	dout("%s %p osd%d\n", __func__, osd, osd->o_osd);
+
+	if (!RB_EMPTY_NODE(&osd->o_node)) {
+		ceph_con_close(&osd->o_con);
+		__remove_osd(osdc, osd);
+		put_osd(osd);
+	}
 }
 
 static void remove_all_osds(struct ceph_osd_client *osdc)
@@ -1023,7 +1033,7 @@ static void remove_all_osds(struct ceph_
 	while (!RB_EMPTY_ROOT(&osdc->osds)) {
 		struct ceph_osd *osd = rb_entry(rb_first(&osdc->osds),
 						struct ceph_osd, o_node);
-		__remove_osd(osdc, osd);
+		remove_osd(osdc, osd);
 	}
 	mutex_unlock(&osdc->request_mutex);
 }
@@ -1064,7 +1074,7 @@ static void remove_old_osds(struct ceph_
 	list_for_each_entry_safe(osd, nosd, &osdc->osd_lru, o_osd_lru) {
 		if (time_before(jiffies, osd->lru_ttl))
 			break;
-		__remove_osd(osdc, osd);
+		remove_osd(osdc, osd);
 	}
 	mutex_unlock(&osdc->request_mutex);
 }
@@ -1079,8 +1089,7 @@ static int __reset_osd(struct ceph_osd_c
 	dout("__reset_osd %p osd%d\n", osd, osd->o_osd);
 	if (list_empty(&osd->o_requests) &&
 	    list_empty(&osd->o_linger_requests)) {
-		__remove_osd(osdc, osd);
-
+		remove_osd(osdc, osd);
 		return -ENODEV;
 	}
 
@@ -1884,6 +1893,7 @@ static void reset_changed_osds(struct ce
 {
 	struct rb_node *p, *n;
 
+	dout("%s %p\n", __func__, osdc);
 	for (p = rb_first(&osdc->osds); p; p = n) {
 		struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 145/151] btrfs: set proper message level for skinny metadata
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 144/151] libceph: fix double __remove_osd() problem Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 146/151] btrfs: fix leak of path in btrfs_find_item Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Sterba, Chris Mason

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Sterba <dsterba@suse.cz>

commit 5efa0490cc94aee06cd8d282683e22a8ce0a0026 upstream.

This has been confusing people for too long, the message is really just
informative.

Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/disk-io.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2496,7 +2496,7 @@ int open_ctree(struct super_block *sb,
 		features |= BTRFS_FEATURE_INCOMPAT_COMPRESS_LZO;
 
 	if (features & BTRFS_FEATURE_INCOMPAT_SKINNY_METADATA)
-		printk(KERN_ERR "BTRFS: has skinny extents\n");
+		printk(KERN_INFO "BTRFS: has skinny extents\n");
 
 	/*
 	 * flag our filesystem as having big metadata blocks if



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 146/151] btrfs: fix leak of path in btrfs_find_item
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 145/151] btrfs: set proper message level for skinny metadata Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 147/151] Btrfs: fix fsync data loss after adding hard link to inode Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Sterba

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Sterba <dsterba@suse.cz>

commit 381cf6587f8a8a8e981bc0c1aaaa8859b51dc756 upstream.

If btrfs_find_item is called with NULL path it allocates one locally but
does not free it. Affected paths are inserting an orphan item for a file
and for a subvol root.

Move the path allocation to the callers.

Fixes: 3f870c289900 ("btrfs: expand btrfs_find_item() to include find_orphan_item functionality")
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ctree.c    |   17 ++++-------------
 fs/btrfs/disk-io.c  |    9 ++++++++-
 fs/btrfs/tree-log.c |   11 ++++++++++-
 3 files changed, 22 insertions(+), 15 deletions(-)

--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -2609,32 +2609,23 @@ static int key_search(struct extent_buff
 	return 0;
 }
 
-int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *found_path,
+int btrfs_find_item(struct btrfs_root *fs_root, struct btrfs_path *path,
 		u64 iobjectid, u64 ioff, u8 key_type,
 		struct btrfs_key *found_key)
 {
 	int ret;
 	struct btrfs_key key;
 	struct extent_buffer *eb;
-	struct btrfs_path *path;
+
+	ASSERT(path);
 
 	key.type = key_type;
 	key.objectid = iobjectid;
 	key.offset = ioff;
 
-	if (found_path == NULL) {
-		path = btrfs_alloc_path();
-		if (!path)
-			return -ENOMEM;
-	} else
-		path = found_path;
-
 	ret = btrfs_search_slot(NULL, fs_root, &key, path, 0, 0);
-	if ((ret < 0) || (found_key == NULL)) {
-		if (path != found_path)
-			btrfs_free_path(path);
+	if ((ret < 0) || (found_key == NULL))
 		return ret;
-	}
 
 	eb = path->nodes[0];
 	if (ret && path->slots[0] >= btrfs_header_nritems(eb)) {
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1630,6 +1630,7 @@ struct btrfs_root *btrfs_get_fs_root(str
 				     bool check_ref)
 {
 	struct btrfs_root *root;
+	struct btrfs_path *path;
 	int ret;
 
 	if (location->objectid == BTRFS_ROOT_TREE_OBJECTID)
@@ -1669,8 +1670,14 @@ again:
 	if (ret)
 		goto fail;
 
-	ret = btrfs_find_item(fs_info->tree_root, NULL, BTRFS_ORPHAN_OBJECTID,
+	path = btrfs_alloc_path();
+	if (!path) {
+		ret = -ENOMEM;
+		goto fail;
+	}
+	ret = btrfs_find_item(fs_info->tree_root, path, BTRFS_ORPHAN_OBJECTID,
 			location->objectid, BTRFS_ORPHAN_ITEM_KEY, NULL);
+	btrfs_free_path(path);
 	if (ret < 0)
 		goto fail;
 	if (ret == 0)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1257,10 +1257,19 @@ static int insert_orphan_item(struct btr
 			      struct btrfs_root *root, u64 offset)
 {
 	int ret;
-	ret = btrfs_find_item(root, NULL, BTRFS_ORPHAN_OBJECTID,
+	struct btrfs_path *path;
+
+	path = btrfs_alloc_path();
+	if (!path)
+		return -ENOMEM;
+
+	ret = btrfs_find_item(root, path, BTRFS_ORPHAN_OBJECTID,
 			offset, BTRFS_ORPHAN_ITEM_KEY, NULL);
 	if (ret > 0)
 		ret = btrfs_insert_orphan_item(trans, root, offset);
+
+	btrfs_free_path(path);
+
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 147/151] Btrfs: fix fsync data loss after adding hard link to inode
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 146/151] btrfs: fix leak of path in btrfs_find_item Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 148/151] blk-throttle: check stats_cpu before reading it from sysfs Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, Chris Mason

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 1a4bcf470c886b955adf36486f4c86f2441d85cb upstream.

We have a scenario where after the fsync log replay we can lose file data
that had been previously fsync'ed if we added an hard link for our inode
and after that we sync'ed the fsync log (for example by fsync'ing some
other file or directory).

This is because when adding an hard link we updated the inode item in the
log tree with an i_size value of 0. At that point the new inode item was
in memory only and a subsequent fsync log replay would not make us lose
the file data. However if after adding the hard link we sync the log tree
to disk, by fsync'ing some other file or directory for example, we ended
up losing the file data after log replay, because the inode item in the
persisted log tree had an an i_size of zero.

This is easy to reproduce, and the following excerpt from my test for
xfstests shows this:

  _scratch_mkfs >> $seqres.full 2>&1
  _init_flakey
  _mount_flakey

  # Create one file with data and fsync it.
  # This made the btrfs fsync log persist the data and the inode metadata with
  # a correct inode->i_size (4096 bytes).
  $XFS_IO_PROG -f -c "pwrite -S 0xaa -b 4K 0 4K" -c "fsync" \
       $SCRATCH_MNT/foo | _filter_xfs_io

  # Now add one hard link to our file. This made the btrfs code update the fsync
  # log, in memory only, with an inode metadata having a size of 0.
  ln $SCRATCH_MNT/foo $SCRATCH_MNT/foo_link

  # Now force persistence of the fsync log to disk, for example, by fsyncing some
  # other file.
  touch $SCRATCH_MNT/bar
  $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/bar

  # Before a power loss or crash, we could read the 4Kb of data from our file as
  # expected.
  echo "File content before:"
  od -t x1 $SCRATCH_MNT/foo

  # Simulate a crash/power loss.
  _load_flakey_table $FLAKEY_DROP_WRITES
  _unmount_flakey

  _load_flakey_table $FLAKEY_ALLOW_WRITES
  _mount_flakey

  # After the fsync log replay, because the fsync log had a value of 0 for our
  # inode's i_size, we couldn't read anymore the 4Kb of data that we previously
  # wrote and fsync'ed. The size of the file became 0 after the fsync log replay.
  echo "File content after:"
  od -t x1 $SCRATCH_MNT/foo

Another alternative test, that doesn't need to fsync an inode in the same
transaction it was created, is:

  _scratch_mkfs >> $seqres.full 2>&1
  _init_flakey
  _mount_flakey

  # Create our test file with some data.
  $XFS_IO_PROG -f -c "pwrite -S 0xaa -b 8K 0 8K" \
       $SCRATCH_MNT/foo | _filter_xfs_io

  # Make sure the file is durably persisted.
  sync

  # Append some data to our file, to increase its size.
  $XFS_IO_PROG -f -c "pwrite -S 0xcc -b 4K 8K 4K" \
       $SCRATCH_MNT/foo | _filter_xfs_io

  # Fsync the file, so from this point on if a crash/power failure happens, our
  # new data is guaranteed to be there next time the fs is mounted.
  $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo

  # Add one hard link to our file. This made btrfs write into the in memory fsync
  # log a special inode with generation 0 and an i_size of 0 too. Note that this
  # didn't update the inode in the fsync log on disk.
  ln $SCRATCH_MNT/foo $SCRATCH_MNT/foo_link

  # Now make sure the in memory fsync log is durably persisted.
  # Creating and fsync'ing another file will do it.
  touch $SCRATCH_MNT/bar
  $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/bar

  # As expected, before the crash/power failure, we should be able to read the
  # 12Kb of file data.
  echo "File content before:"
  od -t x1 $SCRATCH_MNT/foo

  # Simulate a crash/power loss.
  _load_flakey_table $FLAKEY_DROP_WRITES
  _unmount_flakey

  _load_flakey_table $FLAKEY_ALLOW_WRITES
  _mount_flakey

  # After mounting the fs again, the fsync log was replayed.
  # The btrfs fsync log replay code didn't update the i_size of the persisted
  # inode because the inode item in the log had a special generation with a
  # value of 0 (and it couldn't know the correct i_size, since that inode item
  # had a 0 i_size too). This made the last 4Kb of file data inaccessible and
  # effectively lost.
  echo "File content after:"
  od -t x1 $SCRATCH_MNT/foo

This isn't a new issue/regression. This problem has been around since the
log tree code was added in 2008:

  Btrfs: Add a write ahead tree log to optimize synchronous operations
  (commit e02119d5a7b4396c5a872582fddc8bd6d305a70a)

Test cases for xfstests follow soon.

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |   82 ++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 73 insertions(+), 9 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -488,8 +488,20 @@ insert:
 		src_item = (struct btrfs_inode_item *)src_ptr;
 		dst_item = (struct btrfs_inode_item *)dst_ptr;
 
-		if (btrfs_inode_generation(eb, src_item) == 0)
+		if (btrfs_inode_generation(eb, src_item) == 0) {
+			struct extent_buffer *dst_eb = path->nodes[0];
+
+			if (S_ISREG(btrfs_inode_mode(eb, src_item)) &&
+			    S_ISREG(btrfs_inode_mode(dst_eb, dst_item))) {
+				struct btrfs_map_token token;
+				u64 ino_size = btrfs_inode_size(eb, src_item);
+
+				btrfs_init_map_token(&token);
+				btrfs_set_token_inode_size(dst_eb, dst_item,
+							   ino_size, &token);
+			}
 			goto no_copy;
+		}
 
 		if (overwrite_root &&
 		    S_ISDIR(btrfs_inode_mode(eb, src_item)) &&
@@ -3218,7 +3230,8 @@ static int drop_objectid_items(struct bt
 static void fill_inode_item(struct btrfs_trans_handle *trans,
 			    struct extent_buffer *leaf,
 			    struct btrfs_inode_item *item,
-			    struct inode *inode, int log_inode_only)
+			    struct inode *inode, int log_inode_only,
+			    u64 logged_isize)
 {
 	struct btrfs_map_token token;
 
@@ -3231,7 +3244,7 @@ static void fill_inode_item(struct btrfs
 		 * to say 'update this inode with these values'
 		 */
 		btrfs_set_token_inode_generation(leaf, item, 0, &token);
-		btrfs_set_token_inode_size(leaf, item, 0, &token);
+		btrfs_set_token_inode_size(leaf, item, logged_isize, &token);
 	} else {
 		btrfs_set_token_inode_generation(leaf, item,
 						 BTRFS_I(inode)->generation,
@@ -3283,7 +3296,7 @@ static int log_inode_item(struct btrfs_t
 		return ret;
 	inode_item = btrfs_item_ptr(path->nodes[0], path->slots[0],
 				    struct btrfs_inode_item);
-	fill_inode_item(trans, path->nodes[0], inode_item, inode, 0);
+	fill_inode_item(trans, path->nodes[0], inode_item, inode, 0, 0);
 	btrfs_release_path(path);
 	return 0;
 }
@@ -3292,7 +3305,8 @@ static noinline int copy_items(struct bt
 			       struct inode *inode,
 			       struct btrfs_path *dst_path,
 			       struct btrfs_path *src_path, u64 *last_extent,
-			       int start_slot, int nr, int inode_only)
+			       int start_slot, int nr, int inode_only,
+			       u64 logged_isize)
 {
 	unsigned long src_offset;
 	unsigned long dst_offset;
@@ -3349,7 +3363,8 @@ static noinline int copy_items(struct bt
 						    dst_path->slots[0],
 						    struct btrfs_inode_item);
 			fill_inode_item(trans, dst_path->nodes[0], inode_item,
-					inode, inode_only == LOG_INODE_EXISTS);
+					inode, inode_only == LOG_INODE_EXISTS,
+					logged_isize);
 		} else {
 			copy_extent_buffer(dst_path->nodes[0], src, dst_offset,
 					   src_offset, ins_sizes[i]);
@@ -3895,6 +3910,33 @@ process:
 	return ret;
 }
 
+static int logged_inode_size(struct btrfs_root *log, struct inode *inode,
+			     struct btrfs_path *path, u64 *size_ret)
+{
+	struct btrfs_key key;
+	int ret;
+
+	key.objectid = btrfs_ino(inode);
+	key.type = BTRFS_INODE_ITEM_KEY;
+	key.offset = 0;
+
+	ret = btrfs_search_slot(NULL, log, &key, path, 0, 0);
+	if (ret < 0) {
+		return ret;
+	} else if (ret > 0) {
+		*size_ret = i_size_read(inode);
+	} else {
+		struct btrfs_inode_item *item;
+
+		item = btrfs_item_ptr(path->nodes[0], path->slots[0],
+				      struct btrfs_inode_item);
+		*size_ret = btrfs_inode_size(path->nodes[0], item);
+	}
+
+	btrfs_release_path(path);
+	return 0;
+}
+
 /* log a single inode in the tree log.
  * At least one parent directory for this inode must exist in the tree
  * or be logged already.
@@ -3932,6 +3974,7 @@ static int btrfs_log_inode(struct btrfs_
 	bool fast_search = false;
 	u64 ino = btrfs_ino(inode);
 	struct extent_map_tree *em_tree = &BTRFS_I(inode)->extent_tree;
+	u64 logged_isize = 0;
 
 	path = btrfs_alloc_path();
 	if (!path)
@@ -3985,6 +4028,25 @@ static int btrfs_log_inode(struct btrfs_
 			max_key_type = BTRFS_XATTR_ITEM_KEY;
 		ret = drop_objectid_items(trans, log, path, ino, max_key_type);
 	} else {
+		if (inode_only == LOG_INODE_EXISTS) {
+			/*
+			 * Make sure the new inode item we write to the log has
+			 * the same isize as the current one (if it exists).
+			 * This is necessary to prevent data loss after log
+			 * replay, and also to prevent doing a wrong expanding
+			 * truncate - for e.g. create file, write 4K into offset
+			 * 0, fsync, write 4K into offset 4096, add hard link,
+			 * fsync some other file (to sync log), power fail - if
+			 * we use the inode's current i_size, after log replay
+			 * we get a 8Kb file, with the last 4Kb extent as a hole
+			 * (zeroes), as if an expanding truncate happened,
+			 * instead of getting a file of 4Kb only.
+			 */
+			err = logged_inode_size(log, inode, path,
+						&logged_isize);
+			if (err)
+				goto out_unlock;
+		}
 		if (test_and_clear_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
 				       &BTRFS_I(inode)->runtime_flags)) {
 			clear_bit(BTRFS_INODE_COPY_EVERYTHING,
@@ -4040,7 +4102,8 @@ again:
 		}
 
 		ret = copy_items(trans, inode, dst_path, path, &last_extent,
-				 ins_start_slot, ins_nr, inode_only);
+				 ins_start_slot, ins_nr, inode_only,
+				 logged_isize);
 		if (ret < 0) {
 			err = ret;
 			goto out_unlock;
@@ -4064,7 +4127,7 @@ next_slot:
 		if (ins_nr) {
 			ret = copy_items(trans, inode, dst_path, path,
 					 &last_extent, ins_start_slot,
-					 ins_nr, inode_only);
+					 ins_nr, inode_only, logged_isize);
 			if (ret < 0) {
 				err = ret;
 				goto out_unlock;
@@ -4085,7 +4148,8 @@ next_slot:
 	}
 	if (ins_nr) {
 		ret = copy_items(trans, inode, dst_path, path, &last_extent,
-				 ins_start_slot, ins_nr, inode_only);
+				 ins_start_slot, ins_nr, inode_only,
+				 logged_isize);
 		if (ret < 0) {
 			err = ret;
 			goto out_unlock;



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 148/151] blk-throttle: check stats_cpu before reading it from sysfs
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 147/151] Btrfs: fix fsync data loss after adding hard link to inode Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 149/151] x86/efi: Avoid triple faults during EFI mixed mode calls Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ricardo Marin Matinata,
	Thadeu Lima de Souza Cascardo, Jens Axboe

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>

commit 045c47ca306acf30c740c285a77a4b4bda6be7c5 upstream.

When reading blkio.throttle.io_serviced in a recently created blkio
cgroup, it's possible to race against the creation of a throttle policy,
which delays the allocation of stats_cpu.

Like other functions in the throttle code, just checking for a NULL
stats_cpu prevents the following oops caused by that race.

[ 1117.285199] Unable to handle kernel paging request for data at address 0x7fb4d0020
[ 1117.285252] Faulting instruction address: 0xc0000000003efa2c
[ 1137.733921] Oops: Kernel access of bad area, sig: 11 [#1]
[ 1137.733945] SMP NR_CPUS=2048 NUMA PowerNV
[ 1137.734025] Modules linked in: bridge stp llc kvm_hv kvm binfmt_misc autofs4
[ 1137.734102] CPU: 3 PID: 5302 Comm: blkcgroup Not tainted 3.19.0 #5
[ 1137.734132] task: c000000f1d188b00 ti: c000000f1d210000 task.ti: c000000f1d210000
[ 1137.734167] NIP: c0000000003efa2c LR: c0000000003ef9f0 CTR: c0000000003ef980
[ 1137.734202] REGS: c000000f1d213500 TRAP: 0300   Not tainted  (3.19.0)
[ 1137.734230] MSR: 9000000000009032 <SF,HV,EE,ME,IR,DR,RI>  CR: 42008884  XER: 20000000
[ 1137.734325] CFAR: 0000000000008458 DAR: 00000007fb4d0020 DSISR: 40000000 SOFTE: 0
GPR00: c0000000003ed3a0 c000000f1d213780 c000000000c59538 0000000000000000
GPR04: 0000000000000800 0000000000000000 0000000000000000 0000000000000000
GPR08: ffffffffffffffff 00000007fb4d0020 00000007fb4d0000 c000000000780808
GPR12: 0000000022000888 c00000000fdc0d80 0000000000000000 0000000000000000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 000001003e120200 c000000f1d5b0cc0 0000000000000200 0000000000000000
GPR24: 0000000000000001 c000000000c269e0 0000000000000020 c000000f1d5b0c80
GPR28: c000000000ca3a08 c000000000ca3dec c000000f1c667e00 c000000f1d213850
[ 1137.734886] NIP [c0000000003efa2c] .tg_prfill_cpu_rwstat+0xac/0x180
[ 1137.734915] LR [c0000000003ef9f0] .tg_prfill_cpu_rwstat+0x70/0x180
[ 1137.734943] Call Trace:
[ 1137.734952] [c000000f1d213780] [d000000005560520] 0xd000000005560520 (unreliable)
[ 1137.734996] [c000000f1d2138a0] [c0000000003ed3a0] .blkcg_print_blkgs+0xe0/0x1a0
[ 1137.735039] [c000000f1d213960] [c0000000003efb50] .tg_print_cpu_rwstat+0x50/0x70
[ 1137.735082] [c000000f1d2139e0] [c000000000104b48] .cgroup_seqfile_show+0x58/0x150
[ 1137.735125] [c000000f1d213a70] [c0000000002749dc] .kernfs_seq_show+0x3c/0x50
[ 1137.735161] [c000000f1d213ae0] [c000000000218630] .seq_read+0xe0/0x510
[ 1137.735197] [c000000f1d213bd0] [c000000000275b04] .kernfs_fop_read+0x164/0x200
[ 1137.735240] [c000000f1d213c80] [c0000000001eb8e0] .__vfs_read+0x30/0x80
[ 1137.735276] [c000000f1d213cf0] [c0000000001eb9c4] .vfs_read+0x94/0x1b0
[ 1137.735312] [c000000f1d213d90] [c0000000001ebb38] .SyS_read+0x58/0x100
[ 1137.735349] [c000000f1d213e30] [c000000000009218] syscall_exit+0x0/0x98
[ 1137.735383] Instruction dump:
[ 1137.735405] 7c6307b4 7f891800 409d00b8 60000000 60420000 3d420004 392a63b0 786a1f24
[ 1137.735471] 7d49502a e93e01c8 7d495214 7d2ad214 <7cead02a> e9090008 e9490010 e9290018

And here is one code that allows to easily reproduce this, although this
has first been found by running docker.

void run(pid_t pid)
{
	int n;
	int status;
	int fd;
	char *buffer;
	buffer = memalign(BUFFER_ALIGN, BUFFER_SIZE);
	n = snprintf(buffer, BUFFER_SIZE, "%d\n", pid);
	fd = open(CGPATH "/test/tasks", O_WRONLY);
	write(fd, buffer, n);
	close(fd);
	if (fork() > 0) {
		fd = open("/dev/sda", O_RDONLY | O_DIRECT);
		read(fd, buffer, 512);
		close(fd);
		wait(&status);
	} else {
		fd = open(CGPATH "/test/blkio.throttle.io_serviced", O_RDONLY);
		n = read(fd, buffer, BUFFER_SIZE);
		close(fd);
	}
	free(buffer);
	exit(0);
}

void test(void)
{
	int status;
	mkdir(CGPATH "/test", 0666);
	if (fork() > 0)
		wait(&status);
	else
		run(getpid());
	rmdir(CGPATH "/test");
}

int main(int argc, char **argv)
{
	int i;
	for (i = 0; i < NR_TESTS; i++)
		test();
	return 0;
}

Reported-by: Ricardo Marin Matinata <rmm@br.ibm.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-throttle.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -1292,6 +1292,9 @@ static u64 tg_prfill_cpu_rwstat(struct s
 	struct blkg_rwstat rwstat = { }, tmp;
 	int i, cpu;
 
+	if (tg->stats_cpu == NULL)
+		return 0;
+
 	for_each_possible_cpu(cpu) {
 		struct tg_stats_cpu *sc = per_cpu_ptr(tg->stats_cpu, cpu);
 



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 149/151] x86/efi: Avoid triple faults during EFI mixed mode calls
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 148/151] blk-throttle: check stats_cpu before reading it from sysfs Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 150/151] x86, mm/ASLR: Fix stack randomization on 64-bit systems Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Borislav Petkov,
	Matt Fleming

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Fleming <matt.fleming@intel.com>

commit 96738c69a7fcdbf0d7c9df0c8a27660011e82a7b upstream.

Andy pointed out that if an NMI or MCE is received while we're in the
middle of an EFI mixed mode call a triple fault will occur. This can
happen, for example, when issuing an EFI mixed mode call while running
perf.

The reason for the triple fault is that we execute the mixed mode call
in 32-bit mode with paging disabled but with 64-bit kernel IDT handlers
installed throughout the call.

At Andy's suggestion, stop playing the games we currently do at runtime,
such as disabling paging and installing a 32-bit GDT for __KERNEL_CS. We
can simply switch to the __KERNEL32_CS descriptor before invoking
firmware services, and run in compatibility mode. This way, if an
NMI/MCE does occur the kernel IDT handler will execute correctly, since
it'll jump to __KERNEL_CS automatically.

However, this change is only possible post-ExitBootServices(). Before
then the firmware "owns" the machine and expects for its 32-bit IDT
handlers to be left intact to service interrupts, etc.

So, we now need to distinguish between early boot and runtime
invocations of EFI services. During early boot, we need to restore the
GDT that the firmware expects to be present. We can only jump to the
__KERNEL32_CS code segment for mixed mode calls after ExitBootServices()
has been invoked.

A liberal sprinkling of comments in the thunking code should make the
differences in early and late environments more apparent.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Tested-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/boot/compressed/Makefile       |    1 
 arch/x86/boot/compressed/efi_stub_64.S  |   25 ----
 arch/x86/boot/compressed/efi_thunk_64.S |  196 ++++++++++++++++++++++++++++++++
 arch/x86/platform/efi/efi_stub_64.S     |  161 --------------------------
 arch/x86/platform/efi/efi_thunk_64.S    |  121 ++++++++++++++++---
 5 files changed, 301 insertions(+), 203 deletions(-)

--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -36,6 +36,7 @@ vmlinux-objs-$(CONFIG_RANDOMIZE_BASE) +=
 $(obj)/eboot.o: KBUILD_CFLAGS += -fshort-wchar -mno-red-zone
 
 vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o
+vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
 
 $(obj)/vmlinux: $(vmlinux-objs-y) FORCE
 	$(call if_changed,ld)
--- a/arch/x86/boot/compressed/efi_stub_64.S
+++ b/arch/x86/boot/compressed/efi_stub_64.S
@@ -3,28 +3,3 @@
 #include <asm/processor-flags.h>
 
 #include "../../platform/efi/efi_stub_64.S"
-
-#ifdef CONFIG_EFI_MIXED
-	.code64
-	.text
-ENTRY(efi64_thunk)
-	push	%rbp
-	push	%rbx
-
-	subq	$16, %rsp
-	leaq	efi_exit32(%rip), %rax
-	movl	%eax, 8(%rsp)
-	leaq	efi_gdt64(%rip), %rax
-	movl	%eax, 4(%rsp)
-	movl	%eax, 2(%rax)		/* Fixup the gdt base address */
-	leaq	efi32_boot_gdt(%rip), %rax
-	movl	%eax, (%rsp)
-
-	call	__efi64_thunk
-
-	addq	$16, %rsp
-	pop	%rbx
-	pop	%rbp
-	ret
-ENDPROC(efi64_thunk)
-#endif /* CONFIG_EFI_MIXED */
--- /dev/null
+++ b/arch/x86/boot/compressed/efi_thunk_64.S
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2014, 2015 Intel Corporation; author Matt Fleming
+ *
+ * Early support for invoking 32-bit EFI services from a 64-bit kernel.
+ *
+ * Because this thunking occurs before ExitBootServices() we have to
+ * restore the firmware's 32-bit GDT before we make EFI serivce calls,
+ * since the firmware's 32-bit IDT is still currently installed and it
+ * needs to be able to service interrupts.
+ *
+ * On the plus side, we don't have to worry about mangling 64-bit
+ * addresses into 32-bits because we're executing with an identify
+ * mapped pagetable and haven't transitioned to 64-bit virtual addresses
+ * yet.
+ */
+
+#include <linux/linkage.h>
+#include <asm/msr.h>
+#include <asm/page_types.h>
+#include <asm/processor-flags.h>
+#include <asm/segment.h>
+
+	.code64
+	.text
+ENTRY(efi64_thunk)
+	push	%rbp
+	push	%rbx
+
+	subq	$8, %rsp
+	leaq	efi_exit32(%rip), %rax
+	movl	%eax, 4(%rsp)
+	leaq	efi_gdt64(%rip), %rax
+	movl	%eax, (%rsp)
+	movl	%eax, 2(%rax)		/* Fixup the gdt base address */
+
+	movl	%ds, %eax
+	push	%rax
+	movl	%es, %eax
+	push	%rax
+	movl	%ss, %eax
+	push	%rax
+
+	/*
+	 * Convert x86-64 ABI params to i386 ABI
+	 */
+	subq	$32, %rsp
+	movl	%esi, 0x0(%rsp)
+	movl	%edx, 0x4(%rsp)
+	movl	%ecx, 0x8(%rsp)
+	movq	%r8, %rsi
+	movl	%esi, 0xc(%rsp)
+	movq	%r9, %rsi
+	movl	%esi,  0x10(%rsp)
+
+	sgdt	save_gdt(%rip)
+
+	leaq	1f(%rip), %rbx
+	movq	%rbx, func_rt_ptr(%rip)
+
+	/*
+	 * Switch to gdt with 32-bit segments. This is the firmware GDT
+	 * that was installed when the kernel started executing. This
+	 * pointer was saved at the EFI stub entry point in head_64.S.
+	 */
+	leaq	efi32_boot_gdt(%rip), %rax
+	lgdt	(%rax)
+
+	pushq	$__KERNEL_CS
+	leaq	efi_enter32(%rip), %rax
+	pushq	%rax
+	lretq
+
+1:	addq	$32, %rsp
+
+	lgdt	save_gdt(%rip)
+
+	pop	%rbx
+	movl	%ebx, %ss
+	pop	%rbx
+	movl	%ebx, %es
+	pop	%rbx
+	movl	%ebx, %ds
+
+	/*
+	 * Convert 32-bit status code into 64-bit.
+	 */
+	test	%rax, %rax
+	jz	1f
+	movl	%eax, %ecx
+	andl	$0x0fffffff, %ecx
+	andl	$0xf0000000, %eax
+	shl	$32, %rax
+	or	%rcx, %rax
+1:
+	addq	$8, %rsp
+	pop	%rbx
+	pop	%rbp
+	ret
+ENDPROC(efi64_thunk)
+
+ENTRY(efi_exit32)
+	movq	func_rt_ptr(%rip), %rax
+	push	%rax
+	mov	%rdi, %rax
+	ret
+ENDPROC(efi_exit32)
+
+	.code32
+/*
+ * EFI service pointer must be in %edi.
+ *
+ * The stack should represent the 32-bit calling convention.
+ */
+ENTRY(efi_enter32)
+	movl	$__KERNEL_DS, %eax
+	movl	%eax, %ds
+	movl	%eax, %es
+	movl	%eax, %ss
+
+	/* Reload pgtables */
+	movl	%cr3, %eax
+	movl	%eax, %cr3
+
+	/* Disable paging */
+	movl	%cr0, %eax
+	btrl	$X86_CR0_PG_BIT, %eax
+	movl	%eax, %cr0
+
+	/* Disable long mode via EFER */
+	movl	$MSR_EFER, %ecx
+	rdmsr
+	btrl	$_EFER_LME, %eax
+	wrmsr
+
+	call	*%edi
+
+	/* We must preserve return value */
+	movl	%eax, %edi
+
+	/*
+	 * Some firmware will return with interrupts enabled. Be sure to
+	 * disable them before we switch GDTs.
+	 */
+	cli
+
+	movl	56(%esp), %eax
+	movl	%eax, 2(%eax)
+	lgdtl	(%eax)
+
+	movl	%cr4, %eax
+	btsl	$(X86_CR4_PAE_BIT), %eax
+	movl	%eax, %cr4
+
+	movl	%cr3, %eax
+	movl	%eax, %cr3
+
+	movl	$MSR_EFER, %ecx
+	rdmsr
+	btsl	$_EFER_LME, %eax
+	wrmsr
+
+	xorl	%eax, %eax
+	lldt	%ax
+
+	movl	60(%esp), %eax
+	pushl	$__KERNEL_CS
+	pushl	%eax
+
+	/* Enable paging */
+	movl	%cr0, %eax
+	btsl	$X86_CR0_PG_BIT, %eax
+	movl	%eax, %cr0
+	lret
+ENDPROC(efi_enter32)
+
+	.data
+	.balign	8
+	.global	efi32_boot_gdt
+efi32_boot_gdt:	.word	0
+		.quad	0
+
+save_gdt:	.word	0
+		.quad	0
+func_rt_ptr:	.quad	0
+
+	.global efi_gdt64
+efi_gdt64:
+	.word	efi_gdt64_end - efi_gdt64
+	.long	0			/* Filled out by user */
+	.word	0
+	.quad	0x0000000000000000	/* NULL descriptor */
+	.quad	0x00af9a000000ffff	/* __KERNEL_CS */
+	.quad	0x00cf92000000ffff	/* __KERNEL_DS */
+	.quad	0x0080890000000000	/* TS descriptor */
+	.quad   0x0000000000000000	/* TS continued */
+efi_gdt64_end:
--- a/arch/x86/platform/efi/efi_stub_64.S
+++ b/arch/x86/platform/efi/efi_stub_64.S
@@ -91,167 +91,6 @@ ENTRY(efi_call)
 	ret
 ENDPROC(efi_call)
 
-#ifdef CONFIG_EFI_MIXED
-
-/*
- * We run this function from the 1:1 mapping.
- *
- * This function must be invoked with a 1:1 mapped stack.
- */
-ENTRY(__efi64_thunk)
-	movl	%ds, %eax
-	push	%rax
-	movl	%es, %eax
-	push	%rax
-	movl	%ss, %eax
-	push	%rax
-
-	subq	$32, %rsp
-	movl	%esi, 0x0(%rsp)
-	movl	%edx, 0x4(%rsp)
-	movl	%ecx, 0x8(%rsp)
-	movq	%r8, %rsi
-	movl	%esi, 0xc(%rsp)
-	movq	%r9, %rsi
-	movl	%esi,  0x10(%rsp)
-
-	sgdt	save_gdt(%rip)
-
-	leaq	1f(%rip), %rbx
-	movq	%rbx, func_rt_ptr(%rip)
-
-	/* Switch to gdt with 32-bit segments */
-	movl	64(%rsp), %eax
-	lgdt	(%rax)
-
-	leaq	efi_enter32(%rip), %rax
-	pushq	$__KERNEL_CS
-	pushq	%rax
-	lretq
-
-1:	addq	$32, %rsp
-
-	lgdt	save_gdt(%rip)
-
-	pop	%rbx
-	movl	%ebx, %ss
-	pop	%rbx
-	movl	%ebx, %es
-	pop	%rbx
-	movl	%ebx, %ds
-
-	/*
-	 * Convert 32-bit status code into 64-bit.
-	 */
-	test	%rax, %rax
-	jz	1f
-	movl	%eax, %ecx
-	andl	$0x0fffffff, %ecx
-	andl	$0xf0000000, %eax
-	shl	$32, %rax
-	or	%rcx, %rax
-1:
-	ret
-ENDPROC(__efi64_thunk)
-
-ENTRY(efi_exit32)
-	movq	func_rt_ptr(%rip), %rax
-	push	%rax
-	mov	%rdi, %rax
-	ret
-ENDPROC(efi_exit32)
-
-	.code32
-/*
- * EFI service pointer must be in %edi.
- *
- * The stack should represent the 32-bit calling convention.
- */
-ENTRY(efi_enter32)
-	movl	$__KERNEL_DS, %eax
-	movl	%eax, %ds
-	movl	%eax, %es
-	movl	%eax, %ss
-
-	/* Reload pgtables */
-	movl	%cr3, %eax
-	movl	%eax, %cr3
-
-	/* Disable paging */
-	movl	%cr0, %eax
-	btrl	$X86_CR0_PG_BIT, %eax
-	movl	%eax, %cr0
-
-	/* Disable long mode via EFER */
-	movl	$MSR_EFER, %ecx
-	rdmsr
-	btrl	$_EFER_LME, %eax
-	wrmsr
-
-	call	*%edi
-
-	/* We must preserve return value */
-	movl	%eax, %edi
-
-	/*
-	 * Some firmware will return with interrupts enabled. Be sure to
-	 * disable them before we switch GDTs.
-	 */
-	cli
-
-	movl	68(%esp), %eax
-	movl	%eax, 2(%eax)
-	lgdtl	(%eax)
-
-	movl	%cr4, %eax
-	btsl	$(X86_CR4_PAE_BIT), %eax
-	movl	%eax, %cr4
-
-	movl	%cr3, %eax
-	movl	%eax, %cr3
-
-	movl	$MSR_EFER, %ecx
-	rdmsr
-	btsl	$_EFER_LME, %eax
-	wrmsr
-
-	xorl	%eax, %eax
-	lldt	%ax
-
-	movl	72(%esp), %eax
-	pushl	$__KERNEL_CS
-	pushl	%eax
-
-	/* Enable paging */
-	movl	%cr0, %eax
-	btsl	$X86_CR0_PG_BIT, %eax
-	movl	%eax, %cr0
-	lret
-ENDPROC(efi_enter32)
-
-	.data
-	.balign	8
-	.global	efi32_boot_gdt
-efi32_boot_gdt:	.word	0
-		.quad	0
-
-save_gdt:	.word	0
-		.quad	0
-func_rt_ptr:	.quad	0
-
-	.global efi_gdt64
-efi_gdt64:
-	.word	efi_gdt64_end - efi_gdt64
-	.long	0			/* Filled out by user */
-	.word	0
-	.quad	0x0000000000000000	/* NULL descriptor */
-	.quad	0x00af9a000000ffff	/* __KERNEL_CS */
-	.quad	0x00cf92000000ffff	/* __KERNEL_DS */
-	.quad	0x0080890000000000	/* TS descriptor */
-	.quad   0x0000000000000000	/* TS continued */
-efi_gdt64_end:
-#endif /* CONFIG_EFI_MIXED */
-
 	.data
 ENTRY(efi_scratch)
 	.fill 3,8,0
--- a/arch/x86/platform/efi/efi_thunk_64.S
+++ b/arch/x86/platform/efi/efi_thunk_64.S
@@ -1,9 +1,26 @@
 /*
  * Copyright (C) 2014 Intel Corporation; author Matt Fleming
+ *
+ * Support for invoking 32-bit EFI runtime services from a 64-bit
+ * kernel.
+ *
+ * The below thunking functions are only used after ExitBootServices()
+ * has been called. This simplifies things considerably as compared with
+ * the early EFI thunking because we can leave all the kernel state
+ * intact (GDT, IDT, etc) and simply invoke the the 32-bit EFI runtime
+ * services from __KERNEL32_CS. This means we can continue to service
+ * interrupts across an EFI mixed mode call.
+ *
+ * We do however, need to handle the fact that we're running in a full
+ * 64-bit virtual address space. Things like the stack and instruction
+ * addresses need to be accessible by the 32-bit firmware, so we rely on
+ * using the identity mappings in the EFI page table to access the stack
+ * and kernel text (see efi_setup_page_tables()).
  */
 
 #include <linux/linkage.h>
 #include <asm/page_types.h>
+#include <asm/segment.h>
 
 	.text
 	.code64
@@ -33,14 +50,6 @@ ENTRY(efi64_thunk)
 	leaq	efi_exit32(%rip), %rbx
 	subq	%rax, %rbx
 	movl	%ebx, 8(%rsp)
-	leaq	efi_gdt64(%rip), %rbx
-	subq	%rax, %rbx
-	movl	%ebx, 2(%ebx)
-	movl	%ebx, 4(%rsp)
-	leaq	efi_gdt32(%rip), %rbx
-	subq	%rax, %rbx
-	movl	%ebx, 2(%ebx)
-	movl	%ebx, (%rsp)
 
 	leaq	__efi64_thunk(%rip), %rbx
 	subq	%rax, %rbx
@@ -52,14 +61,92 @@ ENTRY(efi64_thunk)
 	retq
 ENDPROC(efi64_thunk)
 
-	.data
-efi_gdt32:
-	.word 	efi_gdt32_end - efi_gdt32
-	.long	0			/* Filled out above */
-	.word	0
-	.quad	0x0000000000000000	/* NULL descriptor */
-	.quad	0x00cf9a000000ffff	/* __KERNEL_CS */
-	.quad	0x00cf93000000ffff	/* __KERNEL_DS */
-efi_gdt32_end:
+/*
+ * We run this function from the 1:1 mapping.
+ *
+ * This function must be invoked with a 1:1 mapped stack.
+ */
+ENTRY(__efi64_thunk)
+	movl	%ds, %eax
+	push	%rax
+	movl	%es, %eax
+	push	%rax
+	movl	%ss, %eax
+	push	%rax
+
+	subq	$32, %rsp
+	movl	%esi, 0x0(%rsp)
+	movl	%edx, 0x4(%rsp)
+	movl	%ecx, 0x8(%rsp)
+	movq	%r8, %rsi
+	movl	%esi, 0xc(%rsp)
+	movq	%r9, %rsi
+	movl	%esi,  0x10(%rsp)
+
+	leaq	1f(%rip), %rbx
+	movq	%rbx, func_rt_ptr(%rip)
+
+	/* Switch to 32-bit descriptor */
+	pushq	$__KERNEL32_CS
+	leaq	efi_enter32(%rip), %rax
+	pushq	%rax
+	lretq
+
+1:	addq	$32, %rsp
+
+	pop	%rbx
+	movl	%ebx, %ss
+	pop	%rbx
+	movl	%ebx, %es
+	pop	%rbx
+	movl	%ebx, %ds
 
+	/*
+	 * Convert 32-bit status code into 64-bit.
+	 */
+	test	%rax, %rax
+	jz	1f
+	movl	%eax, %ecx
+	andl	$0x0fffffff, %ecx
+	andl	$0xf0000000, %eax
+	shl	$32, %rax
+	or	%rcx, %rax
+1:
+	ret
+ENDPROC(__efi64_thunk)
+
+ENTRY(efi_exit32)
+	movq	func_rt_ptr(%rip), %rax
+	push	%rax
+	mov	%rdi, %rax
+	ret
+ENDPROC(efi_exit32)
+
+	.code32
+/*
+ * EFI service pointer must be in %edi.
+ *
+ * The stack should represent the 32-bit calling convention.
+ */
+ENTRY(efi_enter32)
+	movl	$__KERNEL_DS, %eax
+	movl	%eax, %ds
+	movl	%eax, %es
+	movl	%eax, %ss
+
+	call	*%edi
+
+	/* We must preserve return value */
+	movl	%eax, %edi
+
+	movl	72(%esp), %eax
+	pushl	$__KERNEL_CS
+	pushl	%eax
+
+	lret
+ENDPROC(efi_enter32)
+
+	.data
+	.balign	8
+func_rt_ptr:		.quad 0
 efi_saved_sp:		.quad 0



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 150/151] x86, mm/ASLR: Fix stack randomization on 64-bit systems
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 149/151] x86/efi: Avoid triple faults during EFI mixed mode calls Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04  6:14 ` [PATCH 3.18 151/151] x86: pmc-atom: Assign debugfs node as soon as possible Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hector Marco-Gisbert, Ismael Ripoll,
	Kees Cook, Linus Torvalds, Andrew Morton, Al Viro,
	Borislav Petkov

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hector Marco-Gisbert <hecmargi@upv.es>

commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream.

The issue is that the stack for processes is not properly randomized on
64 bit architectures due to an integer overflow.

The affected function is randomize_stack_top() in file
"fs/binfmt_elf.c":

  static unsigned long randomize_stack_top(unsigned long stack_top)
  {
           unsigned int random_variable = 0;

           if ((current->flags & PF_RANDOMIZE) &&
                   !(current->personality & ADDR_NO_RANDOMIZE)) {
                   random_variable = get_random_int() & STACK_RND_MASK;
                   random_variable <<= PAGE_SHIFT;
           }
           return PAGE_ALIGN(stack_top) + random_variable;
           return PAGE_ALIGN(stack_top) - random_variable;
  }

Note that, it declares the "random_variable" variable as "unsigned int".
Since the result of the shifting operation between STACK_RND_MASK (which
is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):

	  random_variable <<= PAGE_SHIFT;

then the two leftmost bits are dropped when storing the result in the
"random_variable". This variable shall be at least 34 bits long to hold
the (22+12) result.

These two dropped bits have an impact on the entropy of process stack.
Concretely, the total stack entropy is reduced by four: from 2^28 to
2^30 (One fourth of expected entropy).

This patch restores back the entropy by correcting the types involved
in the operations in the functions randomize_stack_top() and
stack_maxrandom_size().

The successful fix can be tested with:

  $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
  7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
  7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
  7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
  7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
  ...

Once corrected, the leading bytes should be between 7ffc and 7fff,
rather than always being 7fff.

Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: CVE-2015-1593
Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/mmap.c |    6 +++---
 fs/binfmt_elf.c    |    5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_ali
 	.flags = -1,
 };
 
-static unsigned int stack_maxrandom_size(void)
+static unsigned long stack_maxrandom_size(void)
 {
-	unsigned int max = 0;
+	unsigned long max = 0;
 	if ((current->flags & PF_RANDOMIZE) &&
 		!(current->personality & ADDR_NO_RANDOMIZE)) {
-		max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT;
+		max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT;
 	}
 
 	return max;
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -554,11 +554,12 @@ out:
 
 static unsigned long randomize_stack_top(unsigned long stack_top)
 {
-	unsigned int random_variable = 0;
+	unsigned long random_variable = 0;
 
 	if ((current->flags & PF_RANDOMIZE) &&
 		!(current->personality & ADDR_NO_RANDOMIZE)) {
-		random_variable = get_random_int() & STACK_RND_MASK;
+		random_variable = (unsigned long) get_random_int();
+		random_variable &= STACK_RND_MASK;
 		random_variable <<= PAGE_SHIFT;
 	}
 #ifdef CONFIG_STACK_GROWSUP



^ permalink raw reply	[flat|nested] 145+ messages in thread

* [PATCH 3.18 151/151] x86: pmc-atom: Assign debugfs node as soon as possible
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 150/151] x86, mm/ASLR: Fix stack randomization on 64-bit systems Greg Kroah-Hartman
@ 2015-03-04  6:14 ` Greg Kroah-Hartman
  2015-03-04 14:13 ` [PATCH 3.18 000/151] 3.18.9-stable review Guenter Roeck
  2015-03-04 23:41 ` Shuah Khan
  140 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04  6:14 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Andy Shevchenko,
	Aubrey Li, Rafael J. Wysocki, Kumar P. Mahesh

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 1b43d7125f3b6f7d46e72da64f65f3187a83b66b upstream.

pmc_dbgfs_unregister() will be called when pmc->dbgfs_dir is unconditionally
NULL on error path in pmc_dbgfs_register(). To prevent this we move the
assignment to where is should be.

Fixes: f855911c1f48 (x86/pmc_atom: Expose PMC device state and platform sleep state)
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Aubrey Li <aubrey.li@linux.intel.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Kumar P. Mahesh <mahesh.kumar.p@intel.com>
Link: http://lkml.kernel.org/r/1421253575-22509-2-git-send-email-andriy.shevchenko@linux.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/pmc_atom.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/pmc_atom.c
+++ b/arch/x86/kernel/pmc_atom.c
@@ -217,6 +217,8 @@ static int pmc_dbgfs_register(struct pmc
 	if (!dir)
 		return -ENOMEM;
 
+	pmc->dbgfs_dir = dir;
+
 	f = debugfs_create_file("dev_state", S_IFREG | S_IRUGO,
 				dir, pmc, &pmc_dev_state_ops);
 	if (!f) {
@@ -229,7 +231,7 @@ static int pmc_dbgfs_register(struct pmc
 		dev_err(&pdev->dev, "sleep_state register failed\n");
 		goto err;
 	}
-	pmc->dbgfs_dir = dir;
+
 	return 0;
 err:
 	pmc_dbgfs_unregister(pmc);



^ permalink raw reply	[flat|nested] 145+ messages in thread

* Re: [PATCH 3.18 129/151] x86/xen: Treat SCI interrupt as normal GSI interrupt
  2015-03-04  6:14 ` [PATCH 3.18 129/151] x86/xen: Treat SCI interrupt as normal GSI interrupt Greg Kroah-Hartman
@ 2015-03-04 12:51   ` Stefan Bader
  2015-03-04 18:14     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 145+ messages in thread
From: Stefan Bader @ 2015-03-04 12:51 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Jiang Liu, Sander Eikelenboom, Tony Luck, xen-devel,
	Konrad Rzeszutek Wilk, David Vrabel, Rafael J. Wysocki,
	Len Brown, Pavel Machek, Bjorn Helgaas, Thomas Gleixner

[-- Attachment #1: Type: text/plain, Size: 6358 bytes --]

On 04.03.2015 07:14, Greg Kroah-Hartman wrote:
> 3.18-stable review patch.  If anyone has any objections, please let me know.

I thought I replied earlier today but I cannot seem to find it coming back via
the mailing list. Hope this is not duplicating too much... There was a
regression with that patch and it requires the below commit as well to prevent that:

commit 1ea76fbadd667b19c4fa4466f3a3b55a505e83d9
Author: Jiang Liu <jiang.liu@linux.intel.com>
Date:   Mon Feb 16 10:11:13 2015 +0800

    x86/irq: Fix regression caused by commit b568b8601f05

    Commit b568b8601f05 ("Treat SCI interrupt as normal GSI interrupt")
    accidently removes support of legacy PIC interrupt when fixing a
    regression for Xen, which causes a nasty regression on HP/Compaq
    nc6000 where we fail to register the ACPI interrupt, and thus
    lose eg. thermal notifications leading a potentially overheated
    machine.

-Stefan


> 
> ------------------
> 
> From: Jiang Liu <jiang.liu@linux.intel.com>
> 
> commit b568b8601f05a591a7ff09d8ee1cedb5b2e815fe upstream.
> 
> Currently Xen Domain0 has special treatment for ACPI SCI interrupt,
> that is initialize irq for ACPI SCI at early stage in a special way as:
> xen_init_IRQ()
> 	->pci_xen_initial_domain()
> 		->xen_setup_acpi_sci()
> 			Allocate and initialize irq for ACPI SCI
> 
> Function xen_setup_acpi_sci() calls acpi_gsi_to_irq() to get an irq
> number for ACPI SCI. But unfortunately acpi_gsi_to_irq() depends on
> IOAPIC irqdomains through following path
> acpi_gsi_to_irq()
> 	->mp_map_gsi_to_irq()
> 		->mp_map_pin_to_irq()
> 			->check IOAPIC irqdomain
> 
> For PV domains, it uses Xen event based interrupt manangement and
> doesn't make uses of native IOAPIC, so no irqdomains created for IOAPIC.
> This causes Xen domain0 fail to install interrupt handler for ACPI SCI
> and all ACPI events will be lost. Please refer to:
> https://lkml.org/lkml/2014/12/19/178
> 
> So the fix is to get rid of special treatment for ACPI SCI, just treat
> ACPI SCI as normal GSI interrupt as:
> acpi_gsi_to_irq()
> 	->acpi_register_gsi()
> 		->acpi_register_gsi_xen()
> 			->xen_register_gsi()
> 
> With above change, there's no need for xen_setup_acpi_sci() anymore.
> The above change also works with bare metal kernel too.
> 
> Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com>
> Tested-by: Sander Eikelenboom <linux@eikelenboom.it>
> Cc: Tony Luck <tony.luck@intel.com>
> Cc: xen-devel@lists.xenproject.org
> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Cc: David Vrabel <david.vrabel@citrix.com>
> Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
> Cc: Len Brown <len.brown@intel.com>
> Cc: Pavel Machek <pavel@ucw.cz>
> Cc: Bjorn Helgaas <bhelgaas@google.com>
> Link: http://lkml.kernel.org/r/1421720467-7709-2-git-send-email-jiang.liu@linux.intel.com
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  arch/x86/kernel/acpi/boot.c |   21 ++++++++++---------
>  arch/x86/pci/xen.c          |   47 --------------------------------------------
>  2 files changed, 11 insertions(+), 57 deletions(-)
> 
> --- a/arch/x86/kernel/acpi/boot.c
> +++ b/arch/x86/kernel/acpi/boot.c
> @@ -604,18 +604,19 @@ void __init acpi_pic_sci_set_trigger(uns
>  
>  int acpi_gsi_to_irq(u32 gsi, unsigned int *irqp)
>  {
> -	int irq;
> +	int rc, irq, trigger, polarity;
>  
> -	if (acpi_irq_model == ACPI_IRQ_MODEL_PIC) {
> -		*irqp = gsi;
> -	} else {
> -		irq = mp_map_gsi_to_irq(gsi,
> -					IOAPIC_MAP_ALLOC | IOAPIC_MAP_CHECK);
> -		if (irq < 0)
> -			return -1;
> -		*irqp = irq;
> +	rc = acpi_get_override_irq(gsi, &trigger, &polarity);
> +	if (rc == 0) {
> +		trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
> +		polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
> +		irq = acpi_register_gsi(NULL, gsi, trigger, polarity);
> +		if (irq >= 0) {
> +			*irqp = irq;
> +			return 0;
> +		}
>  	}
> -	return 0;
> +	return -1;
>  }
>  EXPORT_SYMBOL_GPL(acpi_gsi_to_irq);
>  
> --- a/arch/x86/pci/xen.c
> +++ b/arch/x86/pci/xen.c
> @@ -452,52 +452,6 @@ int __init pci_xen_hvm_init(void)
>  }
>  
>  #ifdef CONFIG_XEN_DOM0
> -static __init void xen_setup_acpi_sci(void)
> -{
> -	int rc;
> -	int trigger, polarity;
> -	int gsi = acpi_sci_override_gsi;
> -	int irq = -1;
> -	int gsi_override = -1;
> -
> -	if (!gsi)
> -		return;
> -
> -	rc = acpi_get_override_irq(gsi, &trigger, &polarity);
> -	if (rc) {
> -		printk(KERN_WARNING "xen: acpi_get_override_irq failed for acpi"
> -				" sci, rc=%d\n", rc);
> -		return;
> -	}
> -	trigger = trigger ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE;
> -	polarity = polarity ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH;
> -
> -	printk(KERN_INFO "xen: sci override: global_irq=%d trigger=%d "
> -			"polarity=%d\n", gsi, trigger, polarity);
> -
> -	/* Before we bind the GSI to a Linux IRQ, check whether
> -	 * we need to override it with bus_irq (IRQ) value. Usually for
> -	 * IRQs below IRQ_LEGACY_IRQ this holds IRQ == GSI, as so:
> -	 *  ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 low level)
> -	 * but there are oddballs where the IRQ != GSI:
> -	 *  ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 20 low level)
> -	 * which ends up being: gsi_to_irq[9] == 20
> -	 * (which is what acpi_gsi_to_irq ends up calling when starting the
> -	 * the ACPI interpreter and keels over since IRQ 9 has not been
> -	 * setup as we had setup IRQ 20 for it).
> -	 */
> -	if (acpi_gsi_to_irq(gsi, &irq) == 0) {
> -		/* Use the provided value if it's valid. */
> -		if (irq >= 0)
> -			gsi_override = irq;
> -	}
> -
> -	gsi = xen_register_gsi(gsi, gsi_override, trigger, polarity);
> -	printk(KERN_INFO "xen: acpi sci %d\n", gsi);
> -
> -	return;
> -}
> -
>  int __init pci_xen_initial_domain(void)
>  {
>  	int irq;
> @@ -509,7 +463,6 @@ int __init pci_xen_initial_domain(void)
>  	x86_msi.msi_mask_irq = xen_nop_msi_mask_irq;
>  	x86_msi.msix_mask_irq = xen_nop_msix_mask_irq;
>  #endif
> -	xen_setup_acpi_sci();
>  	__acpi_register_gsi = acpi_register_gsi_xen;
>  	/* Pre-allocate legacy irqs */
>  	for (irq = 0; irq < nr_legacy_irqs(); irq++) {
> 
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 145+ messages in thread

* Re: [PATCH 3.18 000/151] 3.18.9-stable review
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2015-03-04  6:14 ` [PATCH 3.18 151/151] x86: pmc-atom: Assign debugfs node as soon as possible Greg Kroah-Hartman
@ 2015-03-04 14:13 ` Guenter Roeck
  2015-03-04 18:12   ` Greg Kroah-Hartman
  2015-03-04 23:41 ` Shuah Khan
  140 siblings, 1 reply; 145+ messages in thread
From: Guenter Roeck @ 2015-03-04 14:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, satoru.takeuchi, shuah.kh, stable

On 03/03/2015 10:12 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.18.9 release.
> There are 151 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri Mar  6 05:53:55 UTC 2015.
> Anything received after that time might be too late.
>

Build results:
	total: 121 pass: 121 fail: 0
Qemu tests:
	total: 30 pass: 30 fail: 0

Details are available at http://server.roeck-us.net:8010/builders.

Guenter



^ permalink raw reply	[flat|nested] 145+ messages in thread

* Re: [PATCH 3.18 000/151] 3.18.9-stable review
  2015-03-04 14:13 ` [PATCH 3.18 000/151] 3.18.9-stable review Guenter Roeck
@ 2015-03-04 18:12   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04 18:12 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, satoru.takeuchi, shuah.kh, stable

On Wed, Mar 04, 2015 at 06:13:17AM -0800, Guenter Roeck wrote:
> On 03/03/2015 10:12 PM, Greg Kroah-Hartman wrote:
> >This is the start of the stable review cycle for the 3.18.9 release.
> >There are 151 patches in this series, all will be posted as a response
> >to this one.  If anyone has any issues with these being applied, please
> >let me know.
> >
> >Responses should be made by Fri Mar  6 05:53:55 UTC 2015.
> >Anything received after that time might be too late.
> >
> 
> Build results:
> 	total: 121 pass: 121 fail: 0
> Qemu tests:
> 	total: 30 pass: 30 fail: 0
> 
> Details are available at http://server.roeck-us.net:8010/builders.

Great, thanks for letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 145+ messages in thread

* Re: [PATCH 3.18 129/151] x86/xen: Treat SCI interrupt as normal GSI interrupt
  2015-03-04 12:51   ` Stefan Bader
@ 2015-03-04 18:14     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 145+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-04 18:14 UTC (permalink / raw)
  To: Stefan Bader
  Cc: linux-kernel, stable, Jiang Liu, Sander Eikelenboom, Tony Luck,
	xen-devel, Konrad Rzeszutek Wilk, David Vrabel,
	Rafael J. Wysocki, Len Brown, Pavel Machek, Bjorn Helgaas,
	Thomas Gleixner

On Wed, Mar 04, 2015 at 01:51:53PM +0100, Stefan Bader wrote:
> On 04.03.2015 07:14, Greg Kroah-Hartman wrote:
> > 3.18-stable review patch.  If anyone has any objections, please let me know.
> 
> I thought I replied earlier today but I cannot seem to find it coming back via
> the mailing list. Hope this is not duplicating too much... There was a
> regression with that patch and it requires the below commit as well to prevent that:
> 
> commit 1ea76fbadd667b19c4fa4466f3a3b55a505e83d9
> Author: Jiang Liu <jiang.liu@linux.intel.com>
> Date:   Mon Feb 16 10:11:13 2015 +0800
> 
>     x86/irq: Fix regression caused by commit b568b8601f05
> 
>     Commit b568b8601f05 ("Treat SCI interrupt as normal GSI interrupt")
>     accidently removes support of legacy PIC interrupt when fixing a
>     regression for Xen, which causes a nasty regression on HP/Compaq
>     nc6000 where we fail to register the ACPI interrupt, and thus
>     lose eg. thermal notifications leading a potentially overheated
>     machine.

Thanks for this, now applied.

greg k-h

^ permalink raw reply	[flat|nested] 145+ messages in thread

* Re: [PATCH 3.18 000/151] 3.18.9-stable review
  2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2015-03-04 14:13 ` [PATCH 3.18 000/151] 3.18.9-stable review Guenter Roeck
@ 2015-03-04 23:41 ` Shuah Khan
  140 siblings, 0 replies; 145+ messages in thread
From: Shuah Khan @ 2015-03-04 23:41 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, satoru.takeuchi, shuah.kh, stable

On 03/03/2015 11:12 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.18.9 release.
> There are 151 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Mar  6 05:53:55 UTC 2015.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.18.9-rc1.gz
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


-- 
Shuah Khan
Sr. Linux Kernel Developer
Open Source Innovation Group
Samsung Research America (Silicon Valley)
shuahkh@osg.samsung.com | (970) 217-8978

^ permalink raw reply	[flat|nested] 145+ messages in thread

end of thread, other threads:[~2015-03-04 23:41 UTC | newest]

Thread overview: 145+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-04  6:12 [PATCH 3.18 000/151] 3.18.9-stable review Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 001/151] Bluetooth: ath3k: workaround the compatibility issue with xHCI controller Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 002/151] Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 003/151] Bluetooth: Fix valid Identity Address check Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 004/151] Bluetooth: btusb: Add Broadcom patchram support for ASUSTek devices Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 005/151] Bluetooth: btusb: Add support for Dynex/Insignia USB dongles Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 006/151] Bluetooth: btusb: Add support for Lite-On (04ca) Broadcom based, BCM43142 Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 007/151] random: Fix fast_mix() function Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 008/151] xfs: ensure buffer types are set correctly Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 009/151] xfs: inode unlink does not set AGI buffer type Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 010/151] xfs: set buf types when converting extent formats Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 011/151] xfs: set superblock buffer type correctly Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 012/151] fsnotify: fix handling of renames in audit Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 013/151] iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 014/151] iwlwifi: mvm: validate tid and sta_id in ba_notif Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 015/151] iwlwifi: mvm: fix failure path when power_update fails in add_interface Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 016/151] iwlwifi: mvm: always use mac color zero Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 017/151] HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 018/151] PCI: Generate uppercase hex for modalias var in uevent Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 020/151] ASoC: rt5670: Set use_single_rw flag for regmap Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 021/151] ASoC: mioa701_wm9713: Fix speaker event Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 022/151] ASoC: davinci: fix DM365_EVM codec selection Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 023/151] rtlwifi: rtl8192ee: Fix adhoc fail Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 024/151] rtlwifi: rtl8192ee: Fix TX hang due to failure to update TX write point Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 025/151] rtlwifi: rtl8192ee: Fix parsing of received packet Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 026/151] rtlwifi: rtl8192ee: Fix DMA stalls Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 027/151] rtlwifi: rtl8192ee: Fix problems with calculating free space in FIFO Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 028/151] rtlwifi: Remove logging statement that is no longer needed Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 029/151] cpufreq: Set cpufreq_cpu_data to NULL before putting kobject Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 031/151] cpufreq: s3c: remove incorrect __init annotations Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 032/151] cpufreq: s3c: remove last use of resume_clocks callback Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 033/151] xen/manage: Fix USB interaction issues when resuming Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 034/151] xen-scsiback: mark pvscsi frontend request consumed only after last read Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 035/151] ACPI / LPSS: Always disable I2C host controllers Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 036/151] ACPI / LPSS: Deassert resets for SPI host controllers on Braswell Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 037/151] [media] lmedm04: Increase Interupt due time to 200 msec Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 038/151] [media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 039/151] [media] si2168: define symbol rate limits Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 040/151] ALSA: off by one bug in snd_riptide_joystick_probe() Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 041/151] ALSA: hda - Set up GPIO for Toshiba Satellite S50D Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 042/151] ALSA: hda - enable mute led quirk for one more hp machine Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 043/151] ALSA: hdspm - Constrain periods to 2 on older cards Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 044/151] power_supply: 88pm860x: Fix leaked power supply on probe fail Greg Kroah-Hartman
2015-03-04  6:12 ` [PATCH 3.18 045/151] power: bq24190: Fix ignored supplicants Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 046/151] power: gpio-charger: balance enable/disable_irq_wake calls Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 047/151] megaraid_sas: endianness related bug fixes and code optimization Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 048/151] megaraid_sas: fix the problem of non-existing VD exposed to host Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 049/151] megaraid_sas: disable interrupt_mask before enabling hardware interrupts Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 051/151] [media] timberdale: do not select TIMB_DMA Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 059/151] mmc: sdhci-pxav3: fix unbalanced clock issues during probe Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 060/151] mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 061/151] mmc: sdhci-pxav3: Fix SDR50 and DDR50 capabilities for the Armada 38x flavor Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 062/151] mmc: sdhci-pxav3: Fix Armada 38x controllers caps according to erratum ERR-7878951 Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 063/151] proc/pagemap: walk page tables under pte lock Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 064/151] nfs: dont call blocking operations while !TASK_RUNNING Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 065/151] NFS: struct nfs_commit_info.lock must always point to inode->i_lock Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 066/151] KVM: MIPS: Disable HTW while in guest Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 067/151] KVM: MIPS: Dont leak FPU/DSP to guest Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 068/151] MIPS: Alchemy: Fix cpu clock calculation Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 069/151] MIPS: kernel: cps-vec: Replace "addi" with "addiu" Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 070/151] MIPS: asm: asmmacro: Replace "add" instructions with "addu" Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 071/151] MIPS: asm: pgtable: Add c0 hazards on HTW start/stop sequences Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 072/151] MIPS: asm: pgtable: Prevent HTW race when updating PTEs Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 073/151] MIPS: Export FP functions used by lose_fpu(1) for KVM Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 074/151] MIPS: Export MSA " Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 075/151] mm/hugetlb: pmd_huge() returns true for non-present hugepage Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 076/151] tracing: Fix unmapping loop in tracing_mark_write Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 077/151] blk-mq: fix double-free in error path Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 078/151] ARM: 8284/1: sa1100: clear RCSR_SMR on resume Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 079/151] ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3 Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 080/151] ARM: dts: tegra20: fix GR3D, DSI unit and reg base addresses Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 081/151] ARM: dts: am335x-bone*: usb0 is hardwired for peripheral Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 082/151] ARM: dts: BCM63xx: fix L2 cache properties Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 083/151] tpm_tis: verify interrupt during init Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 084/151] TPM: Add new TPMs to the tail of the list to prevent inadvertent change of dev Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 085/151] char: tpm: Add missing error check for devm_kzalloc Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 086/151] tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 087/151] tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 088/151] Added Little Endian support to vtpm module Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 089/151] nfs41: .init_read and .init_write can be called with valid pg_lseg Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 091/151] NFSv4: Ensure we reference the inode for return-on-close in delegreturn Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 092/151] NFSv4.1: Fix a kfree() of uninitialised pointers in decode_cb_sequence_args Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 093/151] sg: fix unkillable I/O wait deadlock with scsi-mq Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 094/151] sg: fix EWOULDBLOCK errors " Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 095/151] iscsi-target: Drop problematic active_ts_list usage Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 096/151] cfq-iosched: handle failure of cfq group allocation Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 097/151] cfq-iosched: fix incorrect filing of rt async cfqq Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 098/151] cipso: dont use IPCB() to locate the CIPSO IP option Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 099/151] ring-buffer: Do not wake up a splice waiter when page is not full Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 100/151] smack: fix possible use after frees in task_security() callers Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 101/151] axonram: Fix bug in direct_access Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 102/151] tty: Prevent untrappable signals from malicious program Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 103/151] tty/serial: at91: fix error handling in atmel_serial_probe() Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 104/151] mei: mask interrupt set bit on clean reset bit Greg Kroah-Hartman
2015-03-04  6:13 ` [PATCH 3.18 105/151] mei: me: release hw from reset only during the reset flow Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 106/151] USB: cp210x: add ID for RUGGEDCOM USB Serial Console Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 107/151] USB: fix use-after-free bug in usb_hcd_unlink_urb() Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 108/151] usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 109/151] USB: dont cancel queued resets when unbinding drivers Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 110/151] USB: add flag for HCDs that cant receive wakeup requests (isp1760-hcd) Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 111/151] vt: provide notifications on selection changes Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 112/151] ARM: pxa: add regulator_has_full_constraints to corgi board file Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 113/151] ARM: pxa: add regulator_has_full_constraints to poodle " Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 114/151] ARM: vexpress: use ARM_CPU_SUSPEND if needed Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 115/151] ARM: mvebu: build armada375-smp code conditionally Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 116/151] kdb: fix incorrect counts in KDB summary command output Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 117/151] ntp: Fixup adjtimex freq validation on 32-bit systems Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 118/151] serial: fsl_lpuart: delete timer on shutdown Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 119/151] serial: fsl_lpuart: avoid new transfer while DMA is running Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 120/151] ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 121/151] MIPS: HTW: Prevent accidental HTW start due to nested htw_{start, stop} Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 122/151] udf: Remove repeated loads blocksize Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 123/151] udf: Check length of extended attributes and allocation descriptors Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 124/151] KVM: x86: update masterclock values on TSC writes Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 125/151] KVM: s390: forward hrtimer if guest ckc not pending yet Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 126/151] KVM: s390: base hrtimer on a monotonic clock Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 127/151] KVM: s390: floating irqs: fix user triggerable endless loop Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 128/151] KVM: s390: avoid memory leaks if __inject_vm() fails Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 129/151] x86/xen: Treat SCI interrupt as normal GSI interrupt Greg Kroah-Hartman
2015-03-04 12:51   ` Stefan Bader
2015-03-04 18:14     ` Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 130/151] hx4700: regulator: declare full constraints Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 131/151] arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big endian Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 132/151] gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one chip per node Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 133/151] gpio: tps65912: fix wrong container_of arguments Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 134/151] xfs: Fix quota type in quota structures when reusing quota file Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 135/151] metag: Fix KSTK_EIP() and KSTK_ESP() macros Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 136/151] clocksource: mtk: Fix race conditions in probe code Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 137/151] perf tools: Fix probing for PERF_FLAG_FD_CLOEXEC flag Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 138/151] md/raid5: Fix livelock when array is both resyncing and degraded Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 140/151] sb_edac: Fix detection on SNB machines Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 141/151] EDAC, amd64_edac: Prevent OOPS with >16 memory controllers Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 142/151] jffs2: fix handling of corrupted summary length Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 143/151] samsung-laptop: Add use_native_backlight quirk, and enable it on some models Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 144/151] libceph: fix double __remove_osd() problem Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 145/151] btrfs: set proper message level for skinny metadata Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 146/151] btrfs: fix leak of path in btrfs_find_item Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 147/151] Btrfs: fix fsync data loss after adding hard link to inode Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 148/151] blk-throttle: check stats_cpu before reading it from sysfs Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 149/151] x86/efi: Avoid triple faults during EFI mixed mode calls Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 150/151] x86, mm/ASLR: Fix stack randomization on 64-bit systems Greg Kroah-Hartman
2015-03-04  6:14 ` [PATCH 3.18 151/151] x86: pmc-atom: Assign debugfs node as soon as possible Greg Kroah-Hartman
2015-03-04 14:13 ` [PATCH 3.18 000/151] 3.18.9-stable review Guenter Roeck
2015-03-04 18:12   ` Greg Kroah-Hartman
2015-03-04 23:41 ` Shuah Khan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).