LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 3.19 000/177] 3.19.2-stable review
@ 2015-03-16 14:06 Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 002/177] ipv6: addrconf: add missing validate_link_af handler Greg Kroah-Hartman
                   ` (161 more replies)
  0 siblings, 162 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, satoru.takeuchi,
	shuah.kh, stable

This is the start of the stable review cycle for the 3.19.2 release.
There are 177 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Mar 18 14:07:12 UTC 2015.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.19.2-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 3.19.2-rc1

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "netfilter: xt_recent: relax ip_pkt_list_tot restrictions"

Ian Munsie <imunsie@au1.ibm.com>
    cxl: Add missing return statement after handling AFU errror

Ryan Grimm <grimm@linux.vnet.ibm.com>
    cxl: Fix device_node reference counting

Ryan Grimm <grimm@linux.vnet.ibm.com>
    cxl: Use image state defaults for reloading FPGA

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    clk-gate: fix bit # check in clk_register_gate()

Peter Zijlstra <peterz@infradead.org>
    sched/autogroup: Fix failure to set cpu.rt_runtime_us

Michal Hocko <mhocko@suse.cz>
    vmstat: do not use deferrable delayed work for vmstat_update

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pinctrl: imx25: fix numbering for pins

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pinctrl: pinctrl-imx: don't use invalid value of conf_reg

Sergey Ryazanov <ryazanov.s.a@gmail.com>
    ath5k: fix spontaneus AR5312 freezes

Andrew Elble <aweits@rit.edu>
    GFS2: Fix crash during ACL deletion in acl max entry check in gfs2_set_acl()

Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    of/pci: Free resources on failure in of_pci_get_host_bridge_resources()

Wanpeng Li <wanpeng.li@linux.intel.com>
    sched: Fix hrtick_start() on UP

Dan Carpenter <dan.carpenter@oracle.com>
    coresight-etm: unlock on error paths in mode_store()

Brian Norris <computersforpeace@gmail.com>
    stable_kernel_rules: reorganize and update submission options

Bard Liao <bardliao@realtek.com>
    ASoC: rt5670: Set RT5670_IRQ_CTRL1 non volatile

Peter Ujfalusi <peter.ujfalusi@ti.com>
    ASoC: omap-pcm: Correct dma mask

Trond Myklebust <trond.myklebust@primarydata.com>
    NFSv4: Don't call put_rpccred() under the rcu_read_lock()

Trond Myklebust <trond.myklebust@primarydata.com>
    NFS: Don't invalidate a submounted dentry in nfs_prime_dcache()

Heikki Krogerus <heikki.krogerus@linux.intel.com>
    ACPI / LPSS: provide con_id for the clkdev

Chris Wilson <chris@chris-wilson.co.uk>
    ACPI / video: Load the module even if ACPI is disabled

Tyler Hicks <tyhicks@canonical.com>
    eCryptfs: don't pass fs-specific ioctl commands through

Yinghai Lu <yinghai@kernel.org>
    efi/libstub: Fix boundary checking in efi_high_alloc()

Dan Carpenter <dan.carpenter@oracle.com>
    efi: Small leak on error in runtime map code

Andrew Elble <aweits@rit.edu>
    nfsd: fix clp->cl_revoked list deletion causing softlock in nfsd

Michel Dänzer <michel.daenzer@amd.com>
    reservation: Remove shadowing local variable 'ret'

Chris Wilson <chris@chris-wilson.co.uk>
    drm/i915: Check for driver readyness before handling an underrun interrupt

Imre Deak <imre.deak@intel.com>
    drm/i915: avoid processing spurious/shared interrupts in low-power states

Jani Nikula <jani.nikula@intel.com>
    drm/i915: Dell Chromebook 11 has PWM backlight

Chris Wilson <chris@chris-wilson.co.uk>
    drm/i915: Check obj->vma_list under the struct_mutex

Rodrigo Vivi <rodrigo.vivi@intel.com>
    drm/i915/bdw: PCI IDs ending in 0xb are ULT.

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: fix 1 RB harvest config setup for TN/RL

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh

Nathan-J. Hirschauer <nathanhi@deepserve.info>
    drm/radeon: enable native backlight control on old macs

Jason Gerecke <killertofu@gmail.com>
    HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid

Jiri Kosina <jkosina@suse.cz>
    HID: fixup the conflicting keyboard mappings quirk

David Herrmann <dh.herrmann@gmail.com>
    HID: input: fix confusion on conflicting mappings

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: cb_pcidas64: fix incorrect AI range code handling

Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
    firmware: dmi_scan: Fix dmi scan to handle "End of Table" structure

Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
    firmware: dmi_scan: Fix dmi_len type

Mikulas Patocka <mpatocka@redhat.com>
    dm snapshot: fix a possible invalid memory access on unload

Mikulas Patocka <mpatocka@redhat.com>
    dm: fix a race condition in dm_get_md

Darrick J. Wong <darrick.wong@oracle.com>
    dm io: reject unsupported DISCARD requests with EOPNOTSUPP

Mikulas Patocka <mpatocka@redhat.com>
    dm mirror: do not degrade the mirror on discard error

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back

Hans de Goede <hdegoede@redhat.com>
    sunxi: clk: Set sun6i-pll1 n_start = 1

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    clk: Fix debugfs clk removal before inited

Soren Brinkmann <soren.brinkmann@xilinx.com>
    clk: zynq: Force CPU_2X clock to be ungated

Minh Duc Tran <MinhDuc.Tran@Emulex.Com>
    fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit.

Ondrej Zary <linux@rainbow-software.org>
    wd719x: add missing .module to wd719x_template

Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    nilfs2: fix potential memory overrun on inode

Ilya Nelkenbaum <ilyan@mellanox.com>
    IB/core: When marshaling ucma path from user-space, clear unused fields

Haggai Eran <haggaie@mellanox.com>
    IB/core: Properly handle registration of on-demand paging MRs after dereg

Moshe Lazer <moshel@mellanox.com>
    IB/core: Fix deadlock on uverbs modify_qp error flow

Or Gerlitz <ogerlitz@mellanox.com>
    IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach

Majd Dibbiny <majd@mellanox.com>
    IB/mlx4: Fix memory leak in __mlx4_ib_modify_qp

Dan Carpenter <dan.carpenter@oracle.com>
    IB/mlx5: Fix error code in get_port_caps()

Roi Dayan <roid@mellanox.com>
    IB/iser: Use correct dma direction when unmapping SGs

Sagi Grimberg <sagig@mellanox.com>
    IB/iser: Fix memory regions possible leak

Mitko Haralanov <mitko.haralanov@intel.com>
    IB/qib: Do not write EEPROM

Tony Battersby <tonyb@cybernetics.com>
    sg: fix read() error reporting

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    locking/rtmutex: Avoid a NULL pointer dereference on deadlock

Hui Wang <hui.wang@canonical.com>
    ALSA: hda - One more Dell macine needs DELL1_MIC_NO_PRESENCE quirk

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: oxfw: fix a condition and return code in start_stream()

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Disable runtime PM for Panther Point again

Jaroslav Kysela <perex@perex.cz>
    ALSA: hda: controller code - do not export static functions

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: fireworks/bebob/dice/oxfw: make it possible to shutdown safely

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: fireworks/bebob/dice/oxfw: allow stream destructor after releasing runtime

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: firewire-lib: remove reference counting

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: fireworks/bebob/dice/oxfw: add reference-counting for FireWire unit

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: Don't leave PREPARED state after draining

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    serial: 8250: Revert "tty: serial: 8250_core: read only RX if there is something in the FIFO"

Jiri Slaby <jslaby@suse.cz>
    tty: fix up atime/mtime mess, take four

Vineet Gupta <vgupta@synopsys.com>
    ARC: Fix KSTK_ESP()

Chuck Lever <chuck.lever@oracle.com>
    SUNRPC: Always manipulate rpc_rqst::rq_bc_pa_list under xprt->bc_pa_lock

Al Viro <viro@ZenIV.linux.org.uk>
    sunrpc: fix braino in ->poll()

Al Viro <viro@zeniv.linux.org.uk>
    procfs: fix race between symlink removals and traversals

Al Viro <viro@zeniv.linux.org.uk>
    debugfs: leave freeing a symlink body until inode eviction

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    autofs4: Wrong format for printing dentry

Al Viro <viro@zeniv.linux.org.uk>
    autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation

Johan Hovold <johan@kernel.org>
    USB: serial: fix tty-device error handling at probe

Johan Hovold <johan@kernel.org>
    USB: serial: fix potential use-after-free after failed probe

Johan Hovold <johan@kernel.org>
    TTY: fix tty_wait_until_sent on 64-bit machines

Johan Hovold <johan@kernel.org>
    USB: serial: fix infinite wait_until_sent timeout

Johan Hovold <johan@kernel.org>
    net: irda: fix wait_until_sent poll timeout

Luciano Coelho <luciano.coelho@intel.com>
    mac80211: notify channel switch at the end of ieee80211_chswitch_post_beacon()

Jouni Malinen <jouni@qca.qualcomm.com>
    mac80211: Send EAPOL frames at lowest rate

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Workaround for PME stuck issues in Intel xhci

Aleksander Morgado <aleksander@aleksander.es>
    xhci: fix reporting of 0-sized URBs in control endpoint

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Allocate correct amount of scratchpad buffers

Maxime Ripard <maxime.ripard@free-electrons.com>
    usb: XHCI: platform: Move the Marvell quirks after the enabling the clocks

Andrzej Pietrasiewicz <andrzej.p@samsung.com>
    usb: gadget: configfs: don't NUL-terminate (sub)compatible ids

George Cherian <george.cherian@ti.com>
    usb: dwc3: dwc3-omap: Fix disable IRQ

Max Mansfield <max.m.mansfield@gmail.com>
    usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards

Mark Glover <mark@actisense.com>
    USB: ftdi_sio: add PIDs for Actisense USB devices

Alan Stern <stern@rowland.harvard.edu>
    USB: usbfs: don't leak kernel data in siginfo

Johan Hovold <johan@kernel.org>
    USB: mxuport: fix null deref when used as a console

Michiel vd Garde <mgparser@gmail.com>
    USB: serial: cp210x: Adding Seletek device id's

Johan Hovold <johan@kernel.org>
    Revert "USB: serial: make bulk_out_size a lower limit"

Hans de Goede <hdegoede@redhat.com>
    uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS539

James Hogan <james.hogan@imgtec.com>
    KVM: MIPS: Fix trace event to save PC directly

Paolo Bonzini <pbonzini@redhat.com>
    KVM: emulate: fix CMPXCHG8B on 32-bit hosts

Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix data loss in the fast fsync path

David Sterba <dsterba@suse.cz>
    btrfs: fix lost return value due to variable shadowing

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix fsync race leading to ordered extent memory leaks

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: make device disabled on stop unconditionally

Jonathan Cameron <jic23@kernel.org>
    Revert "iio:humidity:si7020: fix pointer to i2c client"

Andrey Smirnov <andrew.smirnov@gmail.com>
    IIO: si7020: Allocate correct amount of memory in devm_iio_device_alloc

Angelo Compagnucci <angelo.compagnucci@gmail.com>
    iio:adc:mcp3422 Fix incorrect scales table

Urs Fässler <urs.fassler@bytesatwork.ch>
    iio: ad5686: fix optional reference voltage declaration

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: only update the buffer when its conversions have finished

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: make ADC reads not unschedule touchscreen conversions

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: make ADC reads not disable touchscreen interrupts

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: separate touchscreen and buffer virtual channels

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    iio: imu: adis16400: Fix sign extension

Stefan Wahren <stefan.wahren@i2se.com>
    iio: mxs-lradc: fix iio channel map regression

Quentin Casasnovas <quentin.casasnovas@oracle.com>
    x86/fpu/xsaves: Fix improper uses of __ex_table

Andy Lutomirski <luto@amacapital.net>
    x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization

Nicholas Bellinger <nab@linux-iscsi.org>
    target: Check for LBA + sectors wrap-around in sbc_parse_cdb

Nicholas Bellinger <nab@linux-iscsi.org>
    target: Add missing WRITE_SAME end-of-device sanity check

Nicholas Bellinger <nab@linux-iscsi.org>
    target: Fix PR_APTPL_BUF_LEN buffer size limitation

Tom O'Rourke <Tom.O'Rourke@intel.com>
    drm/i915: Clamp efficient frequency to valid range

Shobhit Kumar <shobhit.kumar@intel.com>
    drm/i915: Correct the IOSF Dev_FN field for IOSF transfers

Michał Winiarski <michal.winiarski@intel.com>
    drm/i915: Prevent use-after-free in invalidate_range_start callback

Daniel Vetter <daniel.vetter@ffwll.ch>
    drm/i915: Drop vblank wait from intel_dp_link_down

Chris Wilson <chris@chris-wilson.co.uk>
    drm/i915: Insert a command barrier on BLT/BSD cache flushes

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: fix voltage setup on hawaii

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary

Christian König <christian.koenig@amd.com>
    drm/radeon: workaround for CP HW bug on CIK

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: only enable kv/kb dpm interrupts once v3

Michel Dänzer <michel.daenzer@amd.com>
    drm/radeon: Don't try to enable write-combining without PAT

David Ung <davidu@nvidia.com>
    drm/tegra: Use correct relocation target offsets

Johannes Weiner <hannes@cmpxchg.org>
    mm: page_alloc: revert inadvertent !__GFP_FS retry behavior change

Joonsoo Kim <js1304@gmail.com>
    mm/nommu: fix memory leak

Hugh Dickins <hughd@google.com>
    mm: fix negative nr_isolated counts

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page()

Grazvydas Ignotas <notasas@gmail.com>
    mm/memory.c: actually remap enough memory

Joonsoo Kim <iamjoonsoo.kim@lge.com>
    mm/compaction: fix wrong order check in compact_finished()

Roman Gushchin <klamm@yandex-team.ru>
    mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()

Roman Gushchin <klamm@yandex-team.ru>
    mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()

Vlastimil Babka <vbabka@suse.cz>
    mm: when stealing freepages, also take pages created by splitting buddy page

Andrey Ryabinin <a.ryabinin@samsung.com>
    mm, hugetlb: remove unnecessary lower bound on sysctl handlers"?

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    mm/hugetlb: add migration entry check in __unmap_hugepage_range

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    mm/hugetlb: fix getting refcount 0 page in hugetlb_fault()

Jiri Pirko <jiri@resnulli.us>
    team: don't traverse port list using rcu in team_set_mac_address

Lorenzo Colitti <lorenzo@google.com>
    net: ping: Return EAFNOSUPPORT when appropriate.

Michal Kubeček <mkubecek@suse.cz>
    udp: only allow UFO for packets from SOCK_DGRAM sockets

Ben Shelton <ben.shelton@ni.com>
    usb: plusb: Add support for National Instruments host-to-host cable

Eric Dumazet <edumazet@google.com>
    net: do not use rcu in rtnl_dump_ifinfo()

Geert Uytterhoeven <geert+renesas@glider.be>
    sh_eth: Fix lost MAC address on kexec

Florian Fainelli <f.fainelli@gmail.com>
    net: bcmgenet: fix software maintained statistics

Jaedon Shin <jaedon.shin@gmail.com>
    net: bcmgenet: fix throughtput regression

Eric Dumazet <edumazet@google.com>
    macvtap: make sure neighbour code can push ethernet header

Catalin Marinas <catalin.marinas@arm.com>
    net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg

Jiri Pirko <jiri@resnulli.us>
    team: fix possible null pointer dereference in team_handle_frame

Eric Dumazet <edumazet@google.com>
    net: pktgen: disable xmit_clone on virtual devices

David S. Miller <davem@davemloft.net>
    Revert "r8169: add support for Byte Queue Limits"

Matthew Thode <mthode@mthode.org>
    net: reject creation of netdev names with colons

Eric Dumazet <edumazet@google.com>
    sock: sock_dequeue_err_skb() needs hard irq safety

Pravin B Shelar <pshelar@nicira.com>
    openvswitch: Fix net exit.

Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
    ematch: Fix auto-loading of ematch modules.

Guenter Roeck <linux@roeck-us.net>
    net: phy: Fix verification of EEE support in phy_init_eee

Alexander Drozdov <al.drozdov@gmail.com>
    ipv4: ip_check_defrag should not assume that skb_network_offset is zero

Alexander Drozdov <al.drozdov@gmail.com>
    ipv4: ip_check_defrag should correctly check return value of skb_copy_bits

Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
    gen_stats.c: Duplicate xstats buffer for later use

WANG Cong <xiyou.wangcong@gmail.com>
    rtnetlink: call ->dellink on failure when ->newlink exists

Martin KaFai Lau <kafai@fb.com>
    ipv6: fix ipv6_cow_metrics for non DST_HOST case

Eric Dumazet <edumazet@google.com>
    tcp: make sure skb is not shared before using skb_get()

Vlad Yasevich <vyasevich@gmail.com>
    ipv6: Make __ipv6_select_ident static

Vlad Yasevich <vyasevich@gmail.com>
    ipv6: Fix fragment id assignment on LE arches.

Daniel Borkmann <daniel@iogearbox.net>
    rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY

Sabrina Dubroca <sd@queasysnail.net>
    pktgen: fix UDP checksum computation

Daniel Borkmann <daniel@iogearbox.net>
    ipv6: addrconf: add missing validate_link_af handler

Miroslav Urbanek <mu@miroslavurbanek.com>
    flowcache: Fix kernel panic in flow_cache_flush_task


-------------

Diffstat:

 Documentation/stable_kernel_rules.txt          |  44 +++-
 Makefile                                       |   4 +-
 arch/arc/include/asm/processor.h               |   9 +-
 arch/arc/kernel/stacktrace.c                   |   6 +-
 arch/mips/kvm/trace.h                          |   6 +-
 arch/powerpc/include/asm/pnv-pci.h             |   2 +-
 arch/powerpc/platforms/powernv/pci-ioda.c      |   6 +-
 arch/x86/include/asm/xsave.h                   |  28 +--
 arch/x86/kernel/entry_64.S                     |  13 +-
 arch/x86/kvm/emulate.c                         |   3 +-
 drivers/acpi/acpi_lpss.c                       |   5 +-
 drivers/acpi/video.c                           |  11 +
 drivers/clk/clk-gate.c                         |   2 +-
 drivers/clk/clk.c                              |   4 -
 drivers/clk/sunxi/clk-sunxi.c                  |   1 +
 drivers/clk/zynq/clkc.c                        |   1 +
 drivers/coresight/coresight-etm3x.c            |  10 +-
 drivers/dma-buf/reservation.c                  |   2 -
 drivers/firmware/dmi_scan.c                    |  17 +-
 drivers/firmware/efi/libstub/efi-stub-helper.c |   8 +-
 drivers/firmware/efi/runtime-map.c             |   2 +-
 drivers/gpu/drm/i915/i915_drv.h                |   1 +
 drivers/gpu/drm/i915/i915_gem_tiling.c         |   7 +-
 drivers/gpu/drm/i915/i915_gem_userptr.c        |  20 +-
 drivers/gpu/drm/i915/i915_irq.c                |  22 ++
 drivers/gpu/drm/i915/intel_display.c           |   3 +
 drivers/gpu/drm/i915/intel_dp.c                |  17 +-
 drivers/gpu/drm/i915/intel_fifo_underrun.c     |  18 +-
 drivers/gpu/drm/i915/intel_lrc.c               |  20 +-
 drivers/gpu/drm/i915/intel_pm.c                |   5 +-
 drivers/gpu/drm/i915/intel_ringbuffer.c        |  23 ++-
 drivers/gpu/drm/i915/intel_sideband.c          |  26 +--
 drivers/gpu/drm/radeon/atombios_dp.c           |   4 +-
 drivers/gpu/drm/radeon/cik.c                   |  37 ++--
 drivers/gpu/drm/radeon/kv_dpm.c                |  17 +-
 drivers/gpu/drm/radeon/ni.c                    |   8 +-
 drivers/gpu/drm/radeon/r600_dpm.c              |   2 +-
 drivers/gpu/drm/radeon/radeon_atombios.c       |   1 +
 drivers/gpu/drm/radeon/radeon_encoders.c       |   3 +
 drivers/gpu/drm/radeon/radeon_object.c         |  12 ++
 drivers/gpu/drm/tegra/drm.c                    |   2 +-
 drivers/hid/hid-input.c                        |  17 ++
 drivers/hid/wacom_wac.c                        |   6 +
 drivers/iio/adc/mcp3422.c                      |  17 +-
 drivers/iio/dac/ad5686.c                       |   2 +-
 drivers/iio/humidity/si7020.c                  |   6 +-
 drivers/iio/imu/adis16400_core.c               |   3 +-
 drivers/infiniband/core/ucma.c                 |   3 +
 drivers/infiniband/core/umem_odp.c             |   3 +-
 drivers/infiniband/core/uverbs_cmd.c           |   9 +-
 drivers/infiniband/hw/mlx4/main.c              |  10 +-
 drivers/infiniband/hw/mlx4/qp.c                |   6 +-
 drivers/infiniband/hw/mlx5/main.c              |   2 +-
 drivers/infiniband/hw/qib/qib.h                |   9 +-
 drivers/infiniband/hw/qib/qib_eeprom.c         | 181 ----------------
 drivers/infiniband/hw/qib/qib_iba6120.c        |   2 -
 drivers/infiniband/hw/qib/qib_iba7220.c        |   2 -
 drivers/infiniband/hw/qib/qib_iba7322.c        |   2 -
 drivers/infiniband/hw/qib/qib_init.c           |   1 -
 drivers/infiniband/hw/qib/qib_sysfs.c          |  24 ---
 drivers/infiniband/ulp/iser/iscsi_iser.h       |   4 +-
 drivers/infiniband/ulp/iser/iser_initiator.c   |  16 +-
 drivers/infiniband/ulp/iser/iser_memory.c      |   9 +-
 drivers/infiniband/ulp/iser/iser_verbs.c       |  25 ++-
 drivers/md/dm-io.c                             |   6 +
 drivers/md/dm-raid1.c                          |   9 +
 drivers/md/dm-snap.c                           |   4 +-
 drivers/md/dm.c                                |  27 +--
 drivers/misc/cxl/cxl.h                         |   1 +
 drivers/misc/cxl/irq.c                         |   1 +
 drivers/misc/cxl/pci.c                         |  44 +++-
 drivers/misc/mei/init.c                        |   2 +
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 122 ++++++++---
 drivers/net/ethernet/broadcom/genet/bcmgenet.h |   2 +
 drivers/net/ethernet/realtek/r8169.c           |  18 +-
 drivers/net/ethernet/renesas/sh_eth.c          |   3 +
 drivers/net/macvtap.c                          |   7 +-
 drivers/net/phy/phy.c                          |  23 ++-
 drivers/net/team/team.c                        |  10 +-
 drivers/net/usb/plusb.c                        |   5 +
 drivers/net/wireless/ath/ath5k/reset.c         |   2 +-
 drivers/of/of_pci.c                            |   4 +
 drivers/pinctrl/freescale/pinctrl-imx.c        |   2 +-
 drivers/pinctrl/freescale/pinctrl-imx25.c      | 276 ++++++++++++-------------
 drivers/scsi/be2iscsi/be_main.c                |   1 -
 drivers/scsi/sg.c                              |   6 +-
 drivers/scsi/wd719x.c                          |   1 +
 drivers/staging/comedi/comedi_compat32.c       |  12 +-
 drivers/staging/comedi/drivers/cb_pcidas64.c   | 122 ++++++-----
 drivers/staging/iio/adc/mxs-lradc.c            | 207 ++++++++++---------
 drivers/target/target_core_pr.c                |  25 +--
 drivers/target/target_core_sbc.c               |  15 +-
 drivers/tty/serial/8250/8250_core.c            |  11 +-
 drivers/tty/tty_io.c                           |   4 +-
 drivers/tty/tty_ioctl.c                        |  12 +-
 drivers/usb/core/devio.c                       |   2 +
 drivers/usb/dwc3/dwc3-omap.c                   |  30 ++-
 drivers/usb/gadget/configfs.c                  |   2 -
 drivers/usb/host/xhci-pci.c                    |  30 +++
 drivers/usb/host/xhci-plat.c                   |  19 +-
 drivers/usb/host/xhci-ring.c                   |  10 +-
 drivers/usb/host/xhci.h                        |   9 +-
 drivers/usb/serial/bus.c                       |  13 +-
 drivers/usb/serial/cp210x.c                    |   2 +
 drivers/usb/serial/ftdi_sio.c                  |  19 ++
 drivers/usb/serial/ftdi_sio_ids.h              |  23 +++
 drivers/usb/serial/generic.c                   |   5 +-
 drivers/usb/serial/mxuport.c                   |   3 +-
 drivers/usb/serial/usb-serial.c                |   5 +-
 drivers/usb/storage/unusual_uas.h              |   7 +
 fs/autofs4/dev-ioctl.c                         |   8 +-
 fs/autofs4/root.c                              |   2 +-
 fs/btrfs/file.c                                |  56 ++---
 fs/btrfs/inode.c                               |   1 -
 fs/btrfs/ordered-data.c                        |   7 +-
 fs/btrfs/tree-log.c                            |   2 +-
 fs/debugfs/inode.c                             |  34 +--
 fs/ecryptfs/file.c                             |  34 ++-
 fs/gfs2/acl.c                                  |   2 +-
 fs/nfs/delegation.c                            |   2 +-
 fs/nfs/dir.c                                   |   6 +
 fs/nfsd/nfs4state.c                            |   2 +-
 fs/nilfs2/btree.c                              |  47 ++++-
 fs/proc/generic.c                              |  12 --
 fs/proc/inode.c                                |  21 ++
 fs/proc/internal.h                             |   1 +
 include/drm/i915_pciids.h                      |   4 +-
 include/linux/usb/serial.h                     |   3 +-
 include/net/ipv6.h                             |   2 -
 include/target/target_core_base.h              |   2 +-
 include/trace/events/kmem.h                    |   7 +-
 kernel/locking/rtmutex.c                       |   3 +-
 kernel/sched/auto_group.c                      |   6 +-
 kernel/sched/core.c                            |  11 +
 kernel/sysctl.c                                |   3 -
 mm/compaction.c                                |   6 +-
 mm/hugetlb.c                                   |  78 +++++--
 mm/memory-failure.c                            |   2 -
 mm/memory.c                                    |   2 +-
 mm/mmap.c                                      |   4 +-
 mm/nommu.c                                     |   8 +-
 mm/page_alloc.c                                |  21 +-
 mm/vmstat.c                                    |   2 +-
 net/compat.c                                   |   9 -
 net/core/dev.c                                 |   2 +-
 net/core/flow.c                                |   2 +-
 net/core/gen_stats.c                           |  15 +-
 net/core/pktgen.c                              |  19 +-
 net/core/rtnetlink.c                           |  34 +--
 net/core/skbuff.c                              |   5 +-
 net/ipv4/ip_fragment.c                         |  11 +-
 net/ipv4/ip_output.c                           |   3 +-
 net/ipv4/ping.c                                |  12 +-
 net/ipv4/tcp_fastopen.c                        |  32 ++-
 net/ipv6/addrconf.c                            |  17 ++
 net/ipv6/ip6_output.c                          |   3 +-
 net/ipv6/output_core.c                         |   5 +-
 net/ipv6/ping.c                                |   5 +-
 net/ipv6/route.c                               |   2 +-
 net/irda/ircomm/ircomm_tty.c                   |   4 +-
 net/mac80211/mlme.c                            |   4 +-
 net/mac80211/tx.c                              |   1 +
 net/netfilter/xt_recent.c                      |  64 ++----
 net/openvswitch/datapath.c                     |  45 +++-
 net/openvswitch/vport.h                        |   2 +
 net/sched/ematch.c                             |   1 +
 net/sunrpc/backchannel_rqst.c                  |   5 +-
 net/sunrpc/cache.c                             |   2 +-
 sound/core/pcm_native.c                        |   2 +
 sound/firewire/amdtp.c                         |   3 +-
 sound/firewire/bebob/bebob.c                   |  20 +-
 sound/firewire/bebob/bebob_stream.c            |  16 +-
 sound/firewire/dice/dice-stream.c              |  18 +-
 sound/firewire/dice/dice.c                     |  16 +-
 sound/firewire/fireworks/fireworks.c           |  20 +-
 sound/firewire/fireworks/fireworks_stream.c    |  19 +-
 sound/firewire/oxfw/oxfw-stream.c              |  11 +-
 sound/firewire/oxfw/oxfw.c                     |  21 +-
 sound/pci/hda/hda_controller.c                 |   5 -
 sound/pci/hda/hda_intel.c                      |   2 +-
 sound/pci/hda/patch_realtek.c                  |   7 +
 sound/pci/hda/patch_sigmatel.c                 |  17 +-
 sound/soc/codecs/rt5670.c                      |   1 -
 sound/soc/omap/omap-pcm.c                      |   2 +-
 184 files changed, 1665 insertions(+), 1174 deletions(-)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 002/177] ipv6: addrconf: add missing validate_link_af handler
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 003/177] pktgen: fix UDP checksum computation Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Pirko, Daniel Borkmann, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

[ Upstream commit 11b1f8288d4341af5d755281c871bff6c3e270dd ]

We still need a validate_link_af() handler with an appropriate nla policy,
similarly as we have in IPv4 case, otherwise size validations are not being
done properly in that case.

Fixes: f53adae4eae5 ("net: ipv6: add tokenized interface identifier support")
Fixes: bc91b0f07ada ("ipv6: addrconf: implement address generation modes")
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/addrconf.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4572,6 +4572,22 @@ static int inet6_set_iftoken(struct inet
 	return 0;
 }
 
+static const struct nla_policy inet6_af_policy[IFLA_INET6_MAX + 1] = {
+	[IFLA_INET6_ADDR_GEN_MODE]	= { .type = NLA_U8 },
+	[IFLA_INET6_TOKEN]		= { .len = sizeof(struct in6_addr) },
+};
+
+static int inet6_validate_link_af(const struct net_device *dev,
+				  const struct nlattr *nla)
+{
+	struct nlattr *tb[IFLA_INET6_MAX + 1];
+
+	if (dev && !__in6_dev_get(dev))
+		return -EAFNOSUPPORT;
+
+	return nla_parse_nested(tb, IFLA_INET6_MAX, nla, inet6_af_policy);
+}
+
 static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla)
 {
 	int err = -EINVAL;
@@ -5393,6 +5409,7 @@ static struct rtnl_af_ops inet6_ops = {
 	.family		  = AF_INET6,
 	.fill_link_af	  = inet6_fill_link_af,
 	.get_link_af_size = inet6_get_link_af_size,
+	.validate_link_af = inet6_validate_link_af,
 	.set_link_af	  = inet6_set_link_af,
 };
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 003/177] pktgen: fix UDP checksum computation
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 002/177] ipv6: addrconf: add missing validate_link_af handler Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 004/177] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sabrina Dubroca, Thomas Graf,
	David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 7744b5f3693cc06695cb9d6667671c790282730f ]

This patch fixes two issues in UDP checksum computation in pktgen.

First, the pseudo-header uses the source and destination IP
addresses. Currently, the ports are used for IPv4.

Second, the UDP checksum covers both header and data.  So we need to
generate the data earlier (move pktgen_finalize_skb up), and compute
the checksum for UDP header + data.

Fixes: c26bf4a51308c ("pktgen: Add UDPCSUM flag to support UDP checksums")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/pktgen.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2842,25 +2842,25 @@ static struct sk_buff *fill_packet_ipv4(
 	skb->dev = odev;
 	skb->pkt_type = PACKET_HOST;
 
+	pktgen_finalize_skb(pkt_dev, skb, datalen);
+
 	if (!(pkt_dev->flags & F_UDPCSUM)) {
 		skb->ip_summed = CHECKSUM_NONE;
 	} else if (odev->features & NETIF_F_V4_CSUM) {
 		skb->ip_summed = CHECKSUM_PARTIAL;
 		skb->csum = 0;
-		udp4_hwcsum(skb, udph->source, udph->dest);
+		udp4_hwcsum(skb, iph->saddr, iph->daddr);
 	} else {
-		__wsum csum = udp_csum(skb);
+		__wsum csum = skb_checksum(skb, skb_transport_offset(skb), datalen + 8, 0);
 
 		/* add protocol-dependent pseudo-header */
-		udph->check = csum_tcpudp_magic(udph->source, udph->dest,
+		udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
 						datalen + 8, IPPROTO_UDP, csum);
 
 		if (udph->check == 0)
 			udph->check = CSUM_MANGLED_0;
 	}
 
-	pktgen_finalize_skb(pkt_dev, skb, datalen);
-
 #ifdef CONFIG_XFRM
 	if (!process_ipsec(pkt_dev, skb, protocol))
 		return NULL;
@@ -2976,6 +2976,8 @@ static struct sk_buff *fill_packet_ipv6(
 	skb->dev = odev;
 	skb->pkt_type = PACKET_HOST;
 
+	pktgen_finalize_skb(pkt_dev, skb, datalen);
+
 	if (!(pkt_dev->flags & F_UDPCSUM)) {
 		skb->ip_summed = CHECKSUM_NONE;
 	} else if (odev->features & NETIF_F_V6_CSUM) {
@@ -2984,7 +2986,7 @@ static struct sk_buff *fill_packet_ipv6(
 		skb->csum_offset = offsetof(struct udphdr, check);
 		udph->check = ~csum_ipv6_magic(&iph->saddr, &iph->daddr, udplen, IPPROTO_UDP, 0);
 	} else {
-		__wsum csum = udp_csum(skb);
+		__wsum csum = skb_checksum(skb, skb_transport_offset(skb), udplen, 0);
 
 		/* add protocol-dependent pseudo-header */
 		udph->check = csum_ipv6_magic(&iph->saddr, &iph->daddr, udplen, IPPROTO_UDP, csum);
@@ -2993,8 +2995,6 @@ static struct sk_buff *fill_packet_ipv6(
 			udph->check = CSUM_MANGLED_0;
 	}
 
-	pktgen_finalize_skb(pkt_dev, skb, datalen);
-
 	return skb;
 }
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 004/177] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 002/177] ipv6: addrconf: add missing validate_link_af handler Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 003/177] pktgen: fix UDP checksum computation Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 005/177] ipv6: Fix fragment id assignment on LE arches Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mitch Williams, Jeff Kirsher,
	Daniel Borkmann, Thomas Graf, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

[ Upstream commit 364d5716a7adb91b731a35765d369602d68d2881 ]

ifla_vf_policy[] is wrong in advertising its individual member types as
NLA_BINARY since .type = NLA_BINARY in combination with .len declares the
len member as *max* attribute length [0, len].

The issue is that when do_setvfinfo() is being called to set up a VF
through ndo handler, we could set corrupted data if the attribute length
is less than the size of the related structure itself.

The intent is exactly the opposite, namely to make sure to pass at least
data of minimum size of len.

Fixes: ebc08a6f47ee ("rtnetlink: Add VF config code to rtnetlink")
Cc: Mitch Williams <mitch.a.williams@intel.com>
Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |   18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1237,18 +1237,12 @@ static const struct nla_policy ifla_vfin
 };
 
 static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
-	[IFLA_VF_MAC]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_mac) },
-	[IFLA_VF_VLAN]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_vlan) },
-	[IFLA_VF_TX_RATE]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_tx_rate) },
-	[IFLA_VF_SPOOFCHK]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_spoofchk) },
-	[IFLA_VF_RATE]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_rate) },
-	[IFLA_VF_LINK_STATE]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_link_state) },
+	[IFLA_VF_MAC]		= { .len = sizeof(struct ifla_vf_mac) },
+	[IFLA_VF_VLAN]		= { .len = sizeof(struct ifla_vf_vlan) },
+	[IFLA_VF_TX_RATE]	= { .len = sizeof(struct ifla_vf_tx_rate) },
+	[IFLA_VF_SPOOFCHK]	= { .len = sizeof(struct ifla_vf_spoofchk) },
+	[IFLA_VF_RATE]		= { .len = sizeof(struct ifla_vf_rate) },
+	[IFLA_VF_LINK_STATE]	= { .len = sizeof(struct ifla_vf_link_state) },
 };
 
 static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 005/177] ipv6: Fix fragment id assignment on LE arches.
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 004/177] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 006/177] ipv6: Make __ipv6_select_ident static Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladislav Yasevich, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlad Yasevich <vyasevich@gmail.com>

[ Upstream commit 51f30770e50eb787200f30a79105e2615b379334 ]

Recent commit:
0508c07f5e0c94f38afd5434e8b2a55b84553077
Author: Vlad Yasevich <vyasevich@gmail.com>
Date:   Tue Feb 3 16:36:15 2015 -0500

    ipv6: Select fragment id during UFO segmentation if not set.

Introduced a bug on LE in how ipv6 fragment id is assigned.
This was cought by nightly sparce check:

Resolve the following sparce error:
 net/ipv6/output_core.c:57:38: sparse: incorrect type in assignment
 (different base types)
   net/ipv6/output_core.c:57:38:    expected restricted __be32
[usertype] ip6_frag_id
   net/ipv6/output_core.c:57:38:    got unsigned int [unsigned]
[assigned] [usertype] id

Fixes: 0508c07f5e0c9 (ipv6: Select fragment id during UFO segmentation if not set.)
Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/output_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -54,7 +54,7 @@ void ipv6_proxy_select_ident(struct sk_b
 
 	id = __ipv6_select_ident(ip6_proxy_idents_hashrnd,
 				 &addrs[1], &addrs[0]);
-	skb_shinfo(skb)->ip6_frag_id = id;
+	skb_shinfo(skb)->ip6_frag_id = htonl(id);
 }
 EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 006/177] ipv6: Make __ipv6_select_ident static
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 005/177] ipv6: Fix fragment id assignment on LE arches Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 007/177] tcp: make sure skb is not shared before using skb_get() Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladislav Yasevich, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlad Yasevich <vyasevich@gmail.com>

[ Upstream commit 8381eacf5c3b35cf7755f4bc521c4d56d24c1cd9 ]

Make __ipv6_select_ident() static as it isn't used outside
the file.

Fixes: 0508c07f5e0c9 (ipv6: Select fragment id during UFO segmentation if not set.)
Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/ipv6.h     |    2 --
 net/ipv6/output_core.c |    3 ++-
 2 files changed, 2 insertions(+), 3 deletions(-)

--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -671,8 +671,6 @@ static inline int ipv6_addr_diff(const s
 	return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
 }
 
-u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst,
-			struct in6_addr *src);
 void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
 void ipv6_proxy_select_ident(struct sk_buff *skb);
 
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -9,7 +9,8 @@
 #include <net/addrconf.h>
 #include <net/secure_seq.h>
 
-u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst, struct in6_addr *src)
+static u32 __ipv6_select_ident(u32 hashrnd, struct in6_addr *dst,
+			       struct in6_addr *src)
 {
 	u32 hash, id;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 007/177] tcp: make sure skb is not shared before using skb_get()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 006/177] ipv6: Make __ipv6_select_ident static Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 008/177] ipv6: fix ipv6_cow_metrics for non DST_HOST case Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Yuchung Cheng, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit ba34e6d9d346fe4e05d7e417b9edf5140772d34c ]

IPv6 can keep a copy of SYN message using skb_get() in
tcp_v6_conn_request() so that caller wont free the skb when calling
kfree_skb() later.

Therefore TCP fast open has to clone the skb it is queuing in
child->sk_receive_queue, as all skbs consumed from receive_queue are
freed using __kfree_skb() (ie assuming skb->users == 1)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Fixes: 5b7ed0892f2af ("tcp: move fastopen functions to tcp_fastopen.c")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_fastopen.c |   32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -134,6 +134,7 @@ static bool tcp_fastopen_create_child(st
 	struct tcp_sock *tp;
 	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
 	struct sock *child;
+	u32 end_seq;
 
 	req->num_retrans = 0;
 	req->num_timeout = 0;
@@ -185,20 +186,35 @@ static bool tcp_fastopen_create_child(st
 
 	/* Queue the data carried in the SYN packet. We need to first
 	 * bump skb's refcnt because the caller will attempt to free it.
+	 * Note that IPv6 might also have used skb_get() trick
+	 * in tcp_v6_conn_request() to keep this SYN around (treq->pktopts)
+	 * So we need to eventually get a clone of the packet,
+	 * before inserting it in sk_receive_queue.
 	 *
 	 * XXX (TFO) - we honor a zero-payload TFO request for now,
 	 * (any reason not to?) but no need to queue the skb since
 	 * there is no data. How about SYN+FIN?
 	 */
-	if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1) {
-		skb = skb_get(skb);
-		skb_dst_drop(skb);
-		__skb_pull(skb, tcp_hdr(skb)->doff * 4);
-		skb_set_owner_r(skb, child);
-		__skb_queue_tail(&child->sk_receive_queue, skb);
-		tp->syn_data_acked = 1;
+	end_seq = TCP_SKB_CB(skb)->end_seq;
+	if (end_seq != TCP_SKB_CB(skb)->seq + 1) {
+		struct sk_buff *skb2;
+
+		if (unlikely(skb_shared(skb)))
+			skb2 = skb_clone(skb, GFP_ATOMIC);
+		else
+			skb2 = skb_get(skb);
+
+		if (likely(skb2)) {
+			skb_dst_drop(skb2);
+			__skb_pull(skb2, tcp_hdrlen(skb));
+			skb_set_owner_r(skb2, child);
+			__skb_queue_tail(&child->sk_receive_queue, skb2);
+			tp->syn_data_acked = 1;
+		} else {
+			end_seq = TCP_SKB_CB(skb)->seq + 1;
+		}
 	}
-	tcp_rsk(req)->rcv_nxt = tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
+	tcp_rsk(req)->rcv_nxt = tp->rcv_nxt = end_seq;
 	sk->sk_data_ready(sk);
 	bh_unlock_sock(child);
 	sock_put(child);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 008/177] ipv6: fix ipv6_cow_metrics for non DST_HOST case
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 007/177] tcp: make sure skb is not shared before using skb_get() Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 009/177] rtnetlink: call ->dellink on failure when ->newlink exists Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin KaFai Lau, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin KaFai Lau <kafai@fb.com>

[ Upstream commit 3b4711757d7903ab6fa88a9e7ab8901b8227da60 ]

ipv6_cow_metrics() currently assumes only DST_HOST routes require
dynamic metrics allocation from inetpeer.  The assumption breaks
when ndisc discovered router with RTAX_MTU and RTAX_HOPLIMIT metric.
Refer to ndisc_router_discovery() in ndisc.c and note that dst_metric_set()
is called after the route is created.

This patch creates the metrics array (by calling dst_cow_metrics_generic) in
ipv6_cow_metrics().

Test:
radvd.conf:
interface qemubr0
{
	AdvLinkMTU 1300;
	AdvCurHopLimit 30;

	prefix fd00:face:face:face::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
		AdvRouterAddr off;
	};
};

Before:
[root@qemu1 ~]# ip -6 r show | egrep -v unreachable
fd00:face:face:face::/64 dev eth0  proto kernel  metric 256  expires 27sec
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::74df:d0ff:fe23:8ef2 dev eth0  proto ra  metric 1024  expires 27sec

After:
[root@qemu1 ~]# ip -6 r show | egrep -v unreachable
fd00:face:face:face::/64 dev eth0  proto kernel  metric 256  expires 27sec mtu 1300
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1300
default via fe80::74df:d0ff:fe23:8ef2 dev eth0  proto ra  metric 1024  expires 27sec mtu 1300 hoplimit 30

Fixes: 8e2ec639173f325 (ipv6: don't use inetpeer to store metrics for routes.)
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/route.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -141,7 +141,7 @@ static u32 *ipv6_cow_metrics(struct dst_
 	u32 *p = NULL;
 
 	if (!(rt->dst.flags & DST_HOST))
-		return NULL;
+		return dst_cow_metrics_generic(dst, old);
 
 	peer = rt6_get_peer_create(rt);
 	if (peer) {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 009/177] rtnetlink: call ->dellink on failure when ->newlink exists
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 008/177] ipv6: fix ipv6_cow_metrics for non DST_HOST case Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 011/177] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ignacy Gawedzki, Cong Wang, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

[ Upstream commit 7afb8886a05be68e376655539a064ec672de8a8e ]

Ignacy reported that when eth0 is down and add a vlan device
on top of it like:

  ip link add link eth0 name eth0.1 up type vlan id 1

We will get a refcount leak:

  unregister_netdevice: waiting for eth0.1 to become free. Usage count = 2

The problem is when rtnl_configure_link() fails in rtnl_newlink(),
we simply call unregister_device(), but for stacked device like vlan,
we almost do nothing when we unregister the upper device, more work
is done when we unregister the lower device, so call its ->dellink().

Reported-by: Ignacy Gawedzki <ignacy.gawedzki@green-communications.fr>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2124,8 +2124,16 @@ replay:
 			}
 		}
 		err = rtnl_configure_link(dev, ifm);
-		if (err < 0)
-			unregister_netdevice(dev);
+		if (err < 0) {
+			if (ops->newlink) {
+				LIST_HEAD(list_kill);
+
+				ops->dellink(dev, &list_kill);
+				unregister_netdevice_many(&list_kill);
+			} else {
+				unregister_netdevice(dev);
+			}
+		}
 out:
 		put_net(dest_net);
 		return err;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 011/177] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 009/177] rtnetlink: call ->dellink on failure when ->newlink exists Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:06 ` [PATCH 3.19 012/177] ipv4: ip_check_defrag should not assume that skb_network_offset is zero Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Drozdov, Eric Dumazet,
	David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Drozdov <al.drozdov@gmail.com>

[ Upstream commit fba04a9e0c869498889b6445fd06cbe7da9bb834 ]

skb_copy_bits() returns zero on success and negative value on error,
so it is needed to invert the condition in ip_check_defrag().

Fixes: 1bf3751ec90c ("ipv4: ip_check_defrag must not modify skb before unsharing")
Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_fragment.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -664,7 +664,7 @@ struct sk_buff *ip_check_defrag(struct s
 	if (skb->protocol != htons(ETH_P_IP))
 		return skb;
 
-	if (!skb_copy_bits(skb, 0, &iph, sizeof(iph)))
+	if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0)
 		return skb;
 
 	if (iph.ihl < 5 || iph.version != 4)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 012/177] ipv4: ip_check_defrag should not assume that skb_network_offset is zero
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 011/177] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits Greg Kroah-Hartman
@ 2015-03-16 14:06 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 013/177] net: phy: Fix verification of EEE support in phy_init_eee Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Drozdov, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Drozdov <al.drozdov@gmail.com>

[ Upstream commit 3e32e733d1bbb3f227259dc782ef01d5706bdae0 ]

ip_check_defrag() may be used by af_packet to defragment outgoing packets.
skb_network_offset() of af_packet's outgoing packets is not zero.

Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_fragment.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -659,27 +659,30 @@ EXPORT_SYMBOL(ip_defrag);
 struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
 {
 	struct iphdr iph;
+	int netoff;
 	u32 len;
 
 	if (skb->protocol != htons(ETH_P_IP))
 		return skb;
 
-	if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0)
+	netoff = skb_network_offset(skb);
+
+	if (skb_copy_bits(skb, netoff, &iph, sizeof(iph)) < 0)
 		return skb;
 
 	if (iph.ihl < 5 || iph.version != 4)
 		return skb;
 
 	len = ntohs(iph.tot_len);
-	if (skb->len < len || len < (iph.ihl * 4))
+	if (skb->len < netoff + len || len < (iph.ihl * 4))
 		return skb;
 
 	if (ip_is_fragment(&iph)) {
 		skb = skb_share_check(skb, GFP_ATOMIC);
 		if (skb) {
-			if (!pskb_may_pull(skb, iph.ihl*4))
+			if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
 				return skb;
-			if (pskb_trim_rcsum(skb, len))
+			if (pskb_trim_rcsum(skb, netoff + len))
 				return skb;
 			memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
 			if (ip_defrag(skb, user))



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 013/177] net: phy: Fix verification of EEE support in phy_init_eee
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2015-03-16 14:06 ` [PATCH 3.19 012/177] ipv4: ip_check_defrag should not assume that skb_network_offset is zero Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 015/177] openvswitch: Fix net exit Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Giuseppe Cavallaro, Guenter Roeck,
	Florian Fainelli, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

[ Upstream commit 54da5a8be3c1e924c35480eb44c6e9b275f6444e ]

phy_init_eee uses phy_find_setting(phydev->speed, phydev->duplex)
to find a valid entry in the settings array for the given speed
and duplex value. For full duplex 1000baseT, this will return
the first matching entry, which is the entry for 1000baseKX_Full.

If the phy eee does not support 1000baseKX_Full, this entry will not
match, causing phy_init_eee to fail for no good reason.

Fixes: 9a9c56cb34e6 ("net: phy: fix a bug when verify the EEE support")
Fixes: 3e7077067e80c ("phy: Expand phy speed/duplex settings array")
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/phy.c |   23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -236,6 +236,25 @@ static inline unsigned int phy_find_vali
 }
 
 /**
+ * phy_check_valid - check if there is a valid PHY setting which matches
+ *		     speed, duplex, and feature mask
+ * @speed: speed to match
+ * @duplex: duplex to match
+ * @features: A mask of the valid settings
+ *
+ * Description: Returns true if there is a valid setting, false otherwise.
+ */
+static inline bool phy_check_valid(int speed, int duplex, u32 features)
+{
+	unsigned int idx;
+
+	idx = phy_find_valid(phy_find_setting(speed, duplex), features);
+
+	return settings[idx].speed == speed && settings[idx].duplex == duplex &&
+		(settings[idx].setting & features);
+}
+
+/**
  * phy_sanitize_settings - make sure the PHY is set to supported speed and duplex
  * @phydev: the target phy_device struct
  *
@@ -1042,7 +1061,6 @@ int phy_init_eee(struct phy_device *phyd
 		int eee_lp, eee_cap, eee_adv;
 		u32 lp, cap, adv;
 		int status;
-		unsigned int idx;
 
 		/* Read phy status to properly get the right settings */
 		status = phy_read_status(phydev);
@@ -1074,8 +1092,7 @@ int phy_init_eee(struct phy_device *phyd
 
 		adv = mmd_eee_adv_to_ethtool_adv_t(eee_adv);
 		lp = mmd_eee_adv_to_ethtool_adv_t(eee_lp);
-		idx = phy_find_setting(phydev->speed, phydev->duplex);
-		if (!(lp & adv & settings[idx].setting))
+		if (!phy_check_valid(phydev->speed, phydev->duplex, lp & adv))
 			goto eee_exit_err;
 
 		if (clk_stop_enable) {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 015/177] openvswitch: Fix net exit.
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 013/177] net: phy: Fix verification of EEE support in phy_init_eee Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 016/177] sock: sock_dequeue_err_skb() needs hard irq safety Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Assaf Muller, Pravin B Shelar,
	Thomas Graf, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pravin B Shelar <pshelar@nicira.com>

[ Upstream commit 7b4577a9da3702049650f7095506e9afd9f68849 ]

Open vSwitch allows moving internal vport to different namespace
while still connected to the bridge. But when namespace deleted
OVS does not detach these vports, that results in dangling
pointer to netdevice which causes kernel panic as follows.
This issue is fixed by detaching all ovs ports from the deleted
namespace at net-exit.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa0aadaa5>] ovs_vport_locate+0x35/0x80 [openvswitch]
Oops: 0000 [#1] SMP
Call Trace:
 [<ffffffffa0aa6391>] lookup_vport+0x21/0xd0 [openvswitch]
 [<ffffffffa0aa65f9>] ovs_vport_cmd_get+0x59/0xf0 [openvswitch]
 [<ffffffff8167e07c>] genl_family_rcv_msg+0x1bc/0x3e0
 [<ffffffff8167e319>] genl_rcv_msg+0x79/0xc0
 [<ffffffff8167d919>] netlink_rcv_skb+0xb9/0xe0
 [<ffffffff8167deac>] genl_rcv+0x2c/0x40
 [<ffffffff8167cffd>] netlink_unicast+0x12d/0x1c0
 [<ffffffff8167d3da>] netlink_sendmsg+0x34a/0x6b0
 [<ffffffff8162e140>] sock_sendmsg+0xa0/0xe0
 [<ffffffff8162e5e8>] ___sys_sendmsg+0x408/0x420
 [<ffffffff8162f541>] __sys_sendmsg+0x51/0x90
 [<ffffffff8162f592>] SyS_sendmsg+0x12/0x20
 [<ffffffff81764ee9>] system_call_fastpath+0x12/0x17

Reported-by: Assaf Muller <amuller@redhat.com>
Fixes: 46df7b81454("openvswitch: Add support for network namespaces.")
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Reviewed-by: Thomas Graf <tgraf@noironetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/openvswitch/datapath.c |   45 +++++++++++++++++++++++++++++++++++++++++++--
 net/openvswitch/vport.h    |    2 ++
 2 files changed, 45 insertions(+), 2 deletions(-)

--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -2113,14 +2113,55 @@ static int __net_init ovs_init_net(struc
 	return 0;
 }
 
-static void __net_exit ovs_exit_net(struct net *net)
+static void __net_exit list_vports_from_net(struct net *net, struct net *dnet,
+					    struct list_head *head)
 {
-	struct datapath *dp, *dp_next;
 	struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
+	struct datapath *dp;
+
+	list_for_each_entry(dp, &ovs_net->dps, list_node) {
+		int i;
+
+		for (i = 0; i < DP_VPORT_HASH_BUCKETS; i++) {
+			struct vport *vport;
+
+			hlist_for_each_entry(vport, &dp->ports[i], dp_hash_node) {
+				struct netdev_vport *netdev_vport;
+
+				if (vport->ops->type != OVS_VPORT_TYPE_INTERNAL)
+					continue;
+
+				netdev_vport = netdev_vport_priv(vport);
+				if (dev_net(netdev_vport->dev) == dnet)
+					list_add(&vport->detach_list, head);
+			}
+		}
+	}
+}
+
+static void __net_exit ovs_exit_net(struct net *dnet)
+{
+	struct datapath *dp, *dp_next;
+	struct ovs_net *ovs_net = net_generic(dnet, ovs_net_id);
+	struct vport *vport, *vport_next;
+	struct net *net;
+	LIST_HEAD(head);
 
 	ovs_lock();
 	list_for_each_entry_safe(dp, dp_next, &ovs_net->dps, list_node)
 		__dp_destroy(dp);
+
+	rtnl_lock();
+	for_each_net(net)
+		list_vports_from_net(net, dnet, &head);
+	rtnl_unlock();
+
+	/* Detach all vports from given namespace. */
+	list_for_each_entry_safe(vport, vport_next, &head, detach_list) {
+		list_del(&vport->detach_list);
+		ovs_dp_detach_port(vport);
+	}
+
 	ovs_unlock();
 
 	cancel_work_sync(&ovs_net->dp_notify_work);
--- a/net/openvswitch/vport.h
+++ b/net/openvswitch/vport.h
@@ -103,6 +103,7 @@ struct vport_portids {
  * @ops: Class structure.
  * @percpu_stats: Points to per-CPU statistics used and maintained by vport
  * @err_stats: Points to error statistics used and maintained by vport
+ * @detach_list: list used for detaching vport in net-exit call.
  */
 struct vport {
 	struct rcu_head rcu;
@@ -117,6 +118,7 @@ struct vport {
 	struct pcpu_sw_netstats __percpu *percpu_stats;
 
 	struct vport_err_stats err_stats;
+	struct list_head detach_list;
 };
 
 /**



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 016/177] sock: sock_dequeue_err_skb() needs hard irq safety
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 015/177] openvswitch: Fix net exit Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 017/177] net: reject creation of netdev names with colons Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 997d5c3f4427f38562cbe207ce05bb25fdcb993b ]

Non NAPI drivers can call skb_tstamp_tx() and then sock_queue_err_skb()
from hard IRQ context.

Therefore, sock_dequeue_err_skb() needs to block hard irq or
corruptions or hangs can happen.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 364a9e93243d1 ("sock: deduplicate errqueue dequeue")
Fixes: cb820f8e4b7f7 ("net: Provide a generic socket error queue delivery method for Tx time stamps.")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/skbuff.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3623,13 +3623,14 @@ struct sk_buff *sock_dequeue_err_skb(str
 {
 	struct sk_buff_head *q = &sk->sk_error_queue;
 	struct sk_buff *skb, *skb_next;
+	unsigned long flags;
 	int err = 0;
 
-	spin_lock_bh(&q->lock);
+	spin_lock_irqsave(&q->lock, flags);
 	skb = __skb_dequeue(q);
 	if (skb && (skb_next = skb_peek(q)))
 		err = SKB_EXT_ERR(skb_next)->ee.ee_errno;
-	spin_unlock_bh(&q->lock);
+	spin_unlock_irqrestore(&q->lock, flags);
 
 	sk->sk_err = err;
 	if (err)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 017/177] net: reject creation of netdev names with colons
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 016/177] sock: sock_dequeue_err_skb() needs hard irq safety Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 018/177] Revert "r8169: add support for Byte Queue Limits" Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Matthew Thode, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthew Thode <mthode@mthode.org>

[ Upstream commit a4176a9391868bfa87705bcd2e3b49e9b9dd2996 ]

colons are used as a separator in netdev device lookup in dev_ioctl.c

Specific functions are SIOCGIFTXQLEN SIOCETHTOOL SIOCSIFNAME

Signed-off-by: Matthew Thode <mthode@mthode.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -945,7 +945,7 @@ bool dev_valid_name(const char *name)
 		return false;
 
 	while (*name) {
-		if (*name == '/' || isspace(*name))
+		if (*name == '/' || *name == ':' || isspace(*name))
 			return false;
 		name++;
 	}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 018/177] Revert "r8169: add support for Byte Queue Limits"
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 017/177] net: reject creation of netdev names with colons Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 019/177] net: pktgen: disable xmit_clone on virtual devices Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <davem@davemloft.net>

This reverts commit 1e918876853aa85435e0f17fd8b4a92dcfff53d6.

Revert BQL support in r8169 driver as several regressions
point to this commit and we cannot figure out the real
cause yet.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/realtek/r8169.c |   18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -5067,8 +5067,6 @@ static void rtl_hw_reset(struct rtl8169_
 	RTL_W8(ChipCmd, CmdReset);
 
 	rtl_udelay_loop_wait_low(tp, &rtl_chipcmd_cond, 100, 100);
-
-	netdev_reset_queue(tp->dev);
 }
 
 static void rtl_request_uncached_firmware(struct rtl8169_private *tp)
@@ -7089,8 +7087,6 @@ static netdev_tx_t rtl8169_start_xmit(st
 
 	txd->opts2 = cpu_to_le32(opts[1]);
 
-	netdev_sent_queue(dev, skb->len);
-
 	skb_tx_timestamp(skb);
 
 	/* Force memory writes to complete before releasing descriptor */
@@ -7192,7 +7188,6 @@ static void rtl8169_pcierr_interrupt(str
 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp)
 {
 	unsigned int dirty_tx, tx_left;
-	unsigned int bytes_compl = 0, pkts_compl = 0;
 
 	dirty_tx = tp->dirty_tx;
 	smp_rmb();
@@ -7216,8 +7211,10 @@ static void rtl_tx(struct net_device *de
 		rtl8169_unmap_tx_skb(&tp->pci_dev->dev, tx_skb,
 				     tp->TxDescArray + entry);
 		if (status & LastFrag) {
-			pkts_compl++;
-			bytes_compl += tx_skb->skb->len;
+			u64_stats_update_begin(&tp->tx_stats.syncp);
+			tp->tx_stats.packets++;
+			tp->tx_stats.bytes += tx_skb->skb->len;
+			u64_stats_update_end(&tp->tx_stats.syncp);
 			dev_kfree_skb_any(tx_skb->skb);
 			tx_skb->skb = NULL;
 		}
@@ -7226,13 +7223,6 @@ static void rtl_tx(struct net_device *de
 	}
 
 	if (tp->dirty_tx != dirty_tx) {
-		netdev_completed_queue(tp->dev, pkts_compl, bytes_compl);
-
-		u64_stats_update_begin(&tp->tx_stats.syncp);
-		tp->tx_stats.packets += pkts_compl;
-		tp->tx_stats.bytes += bytes_compl;
-		u64_stats_update_end(&tp->tx_stats.syncp);
-
 		tp->dirty_tx = dirty_tx;
 		/* Sync with rtl8169_start_xmit:
 		 * - publish dirty_tx ring index (write barrier)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 019/177] net: pktgen: disable xmit_clone on virtual devices
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 018/177] Revert "r8169: add support for Byte Queue Limits" Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 020/177] team: fix possible null pointer dereference in team_handle_frame Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Alexei Starovoitov,
	David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 52d6c8c6ca125872459054daa70f2f1c698c8e75 ]

Trying to use burst capability (aka xmit_more) on a virtual device
like bonding is not supported.

For example, skb might be queued multiple times on a qdisc, with
various list corruptions.

Fixes: 38b2cf2982dc ("net: pktgen: packet bursting via skb->xmit_more")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/pktgen.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1134,6 +1134,9 @@ static ssize_t pktgen_if_write(struct fi
 			return len;
 
 		i += len;
+		if ((value > 1) &&
+		    (!(pkt_dev->odev->priv_flags & IFF_TX_SKB_SHARING)))
+			return -ENOTSUPP;
 		pkt_dev->burst = value < 1 ? 1 : value;
 		sprintf(pg_result, "OK: burst=%d", pkt_dev->burst);
 		return count;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 020/177] team: fix possible null pointer dereference in team_handle_frame
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 019/177] net: pktgen: disable xmit_clone on virtual devices Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 021/177] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Pirko, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Pirko <jiri@resnulli.us>

[ Upstream commit 57e595631904c827cfa1a0f7bbd7cc9a49da5745 ]

Currently following race is possible in team:

CPU0                                        CPU1
                                            team_port_del
                                              team_upper_dev_unlink
                                                priv_flags &= ~IFF_TEAM_PORT
team_handle_frame
  team_port_get_rcu
    team_port_exists
      priv_flags & IFF_TEAM_PORT == 0
    return NULL (instead of port got
                 from rx_handler_data)
                                              netdev_rx_handler_unregister

The thing is that the flag is removed before rx_handler is unregistered.
If team_handle_frame is called in between, team_port_exists returns 0
and team_port_get_rcu will return NULL.
So do not check the flag here. It is guaranteed by netdev_rx_handler_unregister
that team_handle_frame will always see valid rx_handler_data pointer.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/team/team.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -42,9 +42,7 @@
 
 static struct team_port *team_port_get_rcu(const struct net_device *dev)
 {
-	struct team_port *port = rcu_dereference(dev->rx_handler_data);
-
-	return team_port_exists(dev) ? port : NULL;
+	return rcu_dereference(dev->rx_handler_data);
 }
 
 static struct team_port *team_port_get_rtnl(const struct net_device *dev)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 021/177] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 020/177] team: fix possible null pointer dereference in team_handle_frame Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 022/177] macvtap: make sure neighbour code can push ethernet header Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, David S. Miller,
	Catalin Marinas

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

[ Upstream commit d720d8cec563ce4e4fa44a613d4f2dcb1caf2998 ]

With commit a7526eb5d06b (net: Unbreak compat_sys_{send,recv}msg), the
MSG_CMSG_COMPAT flag is blocked at the compat syscall entry points,
changing the kernel compat behaviour from the one before the commit it
was trying to fix (1be374a0518a, net: Block MSG_CMSG_COMPAT in
send(m)msg and recv(m)msg).

On 32-bit kernels (!CONFIG_COMPAT), MSG_CMSG_COMPAT is 0 and the native
32-bit sys_sendmsg() allows flag 0x80000000 to be set (it is ignored by
the kernel). However, on a 64-bit kernel, the compat ABI is different
with commit a7526eb5d06b.

This patch changes the compat_sys_{send,recv}msg behaviour to the one
prior to commit 1be374a0518a.

The problem was found running 32-bit LTP (sendmsg01) binary on an arm64
kernel. Arguably, LTP should not pass 0xffffffff as flags to sendmsg()
but the general rule is not to break user ABI (even when the user
behaviour is not entirely sane).

Fixes: a7526eb5d06b (net: Unbreak compat_sys_{send,recv}msg)
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/compat.c |    9 ---------
 1 file changed, 9 deletions(-)

--- a/net/compat.c
+++ b/net/compat.c
@@ -711,24 +711,18 @@ static unsigned char nas[21] = {
 
 COMPAT_SYSCALL_DEFINE3(sendmsg, int, fd, struct compat_msghdr __user *, msg, unsigned int, flags)
 {
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
 	return __sys_sendmsg(fd, (struct user_msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
 COMPAT_SYSCALL_DEFINE4(sendmmsg, int, fd, struct compat_mmsghdr __user *, mmsg,
 		       unsigned int, vlen, unsigned int, flags)
 {
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
 	return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 			      flags | MSG_CMSG_COMPAT);
 }
 
 COMPAT_SYSCALL_DEFINE3(recvmsg, int, fd, struct compat_msghdr __user *, msg, unsigned int, flags)
 {
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
 	return __sys_recvmsg(fd, (struct user_msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
@@ -751,9 +745,6 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd
 	int datagrams;
 	struct timespec ktspec;
 
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
-
 	if (timeout == NULL)
 		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 				      flags | MSG_CMSG_COMPAT, NULL);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 022/177] macvtap: make sure neighbour code can push ethernet header
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 021/177] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 023/177] net: bcmgenet: fix throughtput regression Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Rak, Eric Dumazet, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 2f1d8b9e8afa5a833d96afcd23abcb8cdf8d83ab ]

Brian reported crashes using IPv6 traffic with macvtap/veth combo.

I tracked the crashes in neigh_hh_output()

-> memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD);

Neighbour code assumes headroom to push Ethernet header is
at least 16 bytes.

It appears macvtap has only 14 bytes available on arches
where NET_IP_ALIGN is 0 (like x86)

Effect is a corruption of 2 bytes right before skb->head,
and possible crashes if accessing non existing memory.

This fix should also increase IPv4 performance, as paranoid code
in ip_finish_output2() wont have to call skb_realloc_headroom()

Reported-by: Brian Rak <brak@vultr.com>
Tested-by: Brian Rak <brak@vultr.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macvtap.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -654,11 +654,14 @@ static void macvtap_skb_to_vnet_hdr(stru
 	} /* else everything is zero */
 }
 
+/* Neighbour code has some assumptions on HH_DATA_MOD alignment */
+#define MACVTAP_RESERVE HH_DATA_OFF(ETH_HLEN)
+
 /* Get packet from user space buffer */
 static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
 				struct iov_iter *from, int noblock)
 {
-	int good_linear = SKB_MAX_HEAD(NET_IP_ALIGN);
+	int good_linear = SKB_MAX_HEAD(MACVTAP_RESERVE);
 	struct sk_buff *skb;
 	struct macvlan_dev *vlan;
 	unsigned long total_len = iov_iter_count(from);
@@ -722,7 +725,7 @@ static ssize_t macvtap_get_user(struct m
 			linear = macvtap16_to_cpu(q, vnet_hdr.hdr_len);
 	}
 
-	skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
+	skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen,
 				linear, noblock, &err);
 	if (!skb)
 		goto err;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 023/177] net: bcmgenet: fix throughtput regression
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 022/177] macvtap: make sure neighbour code can push ethernet header Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 024/177] net: bcmgenet: fix software maintained statistics Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jaedon Shin, Florian Fainelli,
	David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jaedon Shin <jaedon.shin@gmail.com>

[ Upstream commit 4092e6acf5cb16f56154e2dd22d647023dc3d646 ]

This patch adds bcmgenet_tx_poll for the tx_rings. This can reduce the
interrupt load and send xmit in network stack on time. This also
separated for the completion of tx_ring16 from bcmgenet_poll.

The bcmgenet_tx_reclaim of tx_ring[{0,1,2,3}] operative by an interrupt
is to be not more than a certain number TxBDs. It is caused by too
slowly reclaiming the transmitted skb. Therefore, performance
degradation of xmit after 605ad7f ("tcp: refine TSO autosizing").

Signed-off-by: Jaedon Shin <jaedon.shin@gmail.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c |  113 +++++++++++++++++++------
 drivers/net/ethernet/broadcom/genet/bcmgenet.h |    2 
 2 files changed, 88 insertions(+), 27 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -971,13 +971,14 @@ static inline void bcmgenet_tx_ring_int_
 }
 
 /* Unlocked version of the reclaim routine */
-static void __bcmgenet_tx_reclaim(struct net_device *dev,
-				  struct bcmgenet_tx_ring *ring)
+static unsigned int __bcmgenet_tx_reclaim(struct net_device *dev,
+					  struct bcmgenet_tx_ring *ring)
 {
 	struct bcmgenet_priv *priv = netdev_priv(dev);
 	int last_tx_cn, last_c_index, num_tx_bds;
 	struct enet_cb *tx_cb_ptr;
 	struct netdev_queue *txq;
+	unsigned int pkts_compl = 0;
 	unsigned int bds_compl;
 	unsigned int c_index;
 
@@ -1005,6 +1006,7 @@ static void __bcmgenet_tx_reclaim(struct
 		tx_cb_ptr = ring->cbs + last_c_index;
 		bds_compl = 0;
 		if (tx_cb_ptr->skb) {
+			pkts_compl++;
 			bds_compl = skb_shinfo(tx_cb_ptr->skb)->nr_frags + 1;
 			dev->stats.tx_bytes += tx_cb_ptr->skb->len;
 			dma_unmap_single(&dev->dev,
@@ -1028,23 +1030,45 @@ static void __bcmgenet_tx_reclaim(struct
 		last_c_index &= (num_tx_bds - 1);
 	}
 
-	if (ring->free_bds > (MAX_SKB_FRAGS + 1))
-		ring->int_disable(priv, ring);
-
-	if (netif_tx_queue_stopped(txq))
-		netif_tx_wake_queue(txq);
+	if (ring->free_bds > (MAX_SKB_FRAGS + 1)) {
+		if (netif_tx_queue_stopped(txq))
+			netif_tx_wake_queue(txq);
+	}
 
 	ring->c_index = c_index;
+
+	return pkts_compl;
 }
 
-static void bcmgenet_tx_reclaim(struct net_device *dev,
+static unsigned int bcmgenet_tx_reclaim(struct net_device *dev,
 				struct bcmgenet_tx_ring *ring)
 {
+	unsigned int released;
 	unsigned long flags;
 
 	spin_lock_irqsave(&ring->lock, flags);
-	__bcmgenet_tx_reclaim(dev, ring);
+	released = __bcmgenet_tx_reclaim(dev, ring);
 	spin_unlock_irqrestore(&ring->lock, flags);
+
+	return released;
+}
+
+static int bcmgenet_tx_poll(struct napi_struct *napi, int budget)
+{
+	struct bcmgenet_tx_ring *ring =
+		container_of(napi, struct bcmgenet_tx_ring, napi);
+	unsigned int work_done = 0;
+
+	work_done = bcmgenet_tx_reclaim(ring->priv->dev, ring);
+
+	if (work_done == 0) {
+		napi_complete(napi);
+		ring->int_enable(ring->priv, ring);
+
+		return 0;
+	}
+
+	return budget;
 }
 
 static void bcmgenet_tx_reclaim_all(struct net_device *dev)
@@ -1302,10 +1326,8 @@ static netdev_tx_t bcmgenet_xmit(struct
 	bcmgenet_tdma_ring_writel(priv, ring->index,
 				  ring->prod_index, TDMA_PROD_INDEX);
 
-	if (ring->free_bds <= (MAX_SKB_FRAGS + 1)) {
+	if (ring->free_bds <= (MAX_SKB_FRAGS + 1))
 		netif_tx_stop_queue(txq);
-		ring->int_enable(priv, ring);
-	}
 
 out:
 	spin_unlock_irqrestore(&ring->lock, flags);
@@ -1621,6 +1643,7 @@ static int init_umac(struct bcmgenet_pri
 	struct device *kdev = &priv->pdev->dev;
 	int ret;
 	u32 reg, cpu_mask_clear;
+	int index;
 
 	dev_dbg(&priv->pdev->dev, "bcmgenet: init_umac\n");
 
@@ -1647,7 +1670,7 @@ static int init_umac(struct bcmgenet_pri
 
 	bcmgenet_intr_disable(priv);
 
-	cpu_mask_clear = UMAC_IRQ_RXDMA_BDONE;
+	cpu_mask_clear = UMAC_IRQ_RXDMA_BDONE | UMAC_IRQ_TXDMA_BDONE;
 
 	dev_dbg(kdev, "%s:Enabling RXDMA_BDONE interrupt\n", __func__);
 
@@ -1674,6 +1697,10 @@ static int init_umac(struct bcmgenet_pri
 
 	bcmgenet_intrl2_0_writel(priv, cpu_mask_clear, INTRL2_CPU_MASK_CLEAR);
 
+	for (index = 0; index < priv->hw_params->tx_queues; index++)
+		bcmgenet_intrl2_1_writel(priv, (1 << index),
+					 INTRL2_CPU_MASK_CLEAR);
+
 	/* Enable rx/tx engine.*/
 	dev_dbg(kdev, "done init umac\n");
 
@@ -1693,6 +1720,8 @@ static void bcmgenet_init_tx_ring(struct
 	unsigned int first_bd;
 
 	spin_lock_init(&ring->lock);
+	ring->priv = priv;
+	netif_napi_add(priv->dev, &ring->napi, bcmgenet_tx_poll, 64);
 	ring->index = index;
 	if (index == DESC_INDEX) {
 		ring->queue = 0;
@@ -1738,6 +1767,17 @@ static void bcmgenet_init_tx_ring(struct
 				  TDMA_WRITE_PTR);
 	bcmgenet_tdma_ring_writel(priv, index, end_ptr * words_per_bd - 1,
 				  DMA_END_ADDR);
+
+	napi_enable(&ring->napi);
+}
+
+static void bcmgenet_fini_tx_ring(struct bcmgenet_priv *priv,
+				  unsigned int index)
+{
+	struct bcmgenet_tx_ring *ring = &priv->tx_rings[index];
+
+	napi_disable(&ring->napi);
+	netif_napi_del(&ring->napi);
 }
 
 /* Initialize a RDMA ring */
@@ -1907,7 +1947,7 @@ static int bcmgenet_dma_teardown(struct
 	return ret;
 }
 
-static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
+static void __bcmgenet_fini_dma(struct bcmgenet_priv *priv)
 {
 	int i;
 
@@ -1926,6 +1966,18 @@ static void bcmgenet_fini_dma(struct bcm
 	kfree(priv->tx_cbs);
 }
 
+static void bcmgenet_fini_dma(struct bcmgenet_priv *priv)
+{
+	int i;
+
+	bcmgenet_fini_tx_ring(priv, DESC_INDEX);
+
+	for (i = 0; i < priv->hw_params->tx_queues; i++)
+		bcmgenet_fini_tx_ring(priv, i);
+
+	__bcmgenet_fini_dma(priv);
+}
+
 /* init_edma: Initialize DMA control register */
 static int bcmgenet_init_dma(struct bcmgenet_priv *priv)
 {
@@ -1952,7 +2004,7 @@ static int bcmgenet_init_dma(struct bcmg
 	priv->tx_cbs = kcalloc(priv->num_tx_bds, sizeof(struct enet_cb),
 			       GFP_KERNEL);
 	if (!priv->tx_cbs) {
-		bcmgenet_fini_dma(priv);
+		__bcmgenet_fini_dma(priv);
 		return -ENOMEM;
 	}
 
@@ -1975,9 +2027,6 @@ static int bcmgenet_poll(struct napi_str
 			struct bcmgenet_priv, napi);
 	unsigned int work_done;
 
-	/* tx reclaim */
-	bcmgenet_tx_reclaim(priv->dev, &priv->tx_rings[DESC_INDEX]);
-
 	work_done = bcmgenet_desc_rx(priv, budget);
 
 	/* Advancing our consumer index*/
@@ -2022,28 +2071,34 @@ static void bcmgenet_irq_task(struct wor
 static irqreturn_t bcmgenet_isr1(int irq, void *dev_id)
 {
 	struct bcmgenet_priv *priv = dev_id;
+	struct bcmgenet_tx_ring *ring;
 	unsigned int index;
 
 	/* Save irq status for bottom-half processing. */
 	priv->irq1_stat =
 		bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_STAT) &
-		~priv->int1_mask;
+		~bcmgenet_intrl2_1_readl(priv, INTRL2_CPU_MASK_STATUS);
 	/* clear interrupts */
 	bcmgenet_intrl2_1_writel(priv, priv->irq1_stat, INTRL2_CPU_CLEAR);
 
 	netif_dbg(priv, intr, priv->dev,
 		  "%s: IRQ=0x%x\n", __func__, priv->irq1_stat);
+
 	/* Check the MBDONE interrupts.
 	 * packet is done, reclaim descriptors
 	 */
-	if (priv->irq1_stat & 0x0000ffff) {
-		index = 0;
-		for (index = 0; index < 16; index++) {
-			if (priv->irq1_stat & (1 << index))
-				bcmgenet_tx_reclaim(priv->dev,
-						    &priv->tx_rings[index]);
+	for (index = 0; index < priv->hw_params->tx_queues; index++) {
+		if (!(priv->irq1_stat & BIT(index)))
+			continue;
+
+		ring = &priv->tx_rings[index];
+
+		if (likely(napi_schedule_prep(&ring->napi))) {
+			ring->int_disable(priv, ring);
+			__napi_schedule(&ring->napi);
 		}
 	}
+
 	return IRQ_HANDLED;
 }
 
@@ -2075,8 +2130,12 @@ static irqreturn_t bcmgenet_isr0(int irq
 	}
 	if (priv->irq0_stat &
 			(UMAC_IRQ_TXDMA_BDONE | UMAC_IRQ_TXDMA_PDONE)) {
-		/* Tx reclaim */
-		bcmgenet_tx_reclaim(priv->dev, &priv->tx_rings[DESC_INDEX]);
+		struct bcmgenet_tx_ring *ring = &priv->tx_rings[DESC_INDEX];
+
+		if (likely(napi_schedule_prep(&ring->napi))) {
+			ring->int_disable(priv, ring);
+			__napi_schedule(&ring->napi);
+		}
 	}
 	if (priv->irq0_stat & (UMAC_IRQ_PHY_DET_R |
 				UMAC_IRQ_PHY_DET_F |
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
@@ -520,6 +520,7 @@ struct bcmgenet_hw_params {
 
 struct bcmgenet_tx_ring {
 	spinlock_t	lock;		/* ring lock */
+	struct napi_struct napi;	/* NAPI per tx queue */
 	unsigned int	index;		/* ring index */
 	unsigned int	queue;		/* queue index */
 	struct enet_cb	*cbs;		/* tx ring buffer control block*/
@@ -534,6 +535,7 @@ struct bcmgenet_tx_ring {
 			   struct bcmgenet_tx_ring *);
 	void (*int_disable)(struct bcmgenet_priv *priv,
 			    struct bcmgenet_tx_ring *);
+	struct bcmgenet_priv *priv;
 };
 
 /* device context */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 024/177] net: bcmgenet: fix software maintained statistics
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 023/177] net: bcmgenet: fix throughtput regression Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 025/177] sh_eth: Fix lost MAC address on kexec Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit f62ba9c14b85a682b64a4c421f91de0bd2aa8538 ]

Commit 44c8bc3ce39f ("net: bcmgenet: log RX buffer allocation and RX/TX dma
failures") added a few software maintained statistics using
BCMGENET_STAT_MIB_RX and BCMGENET_STAT_MIB_TX. These statistics are read from
the hardware MIB counters, such that bcmgenet_update_mib_counters() was trying
to read from a non-existing MIB offset for these counters.

Fix this by introducing a special type: BCMGENET_STAT_SOFT, similar to
BCMGENET_STAT_NETDEV, such that bcmgenet_get_ethtool_stats will read from the
software mib.

Fixes: 44c8bc3ce39f ("net: bcmgenet: log RX buffer allocation and RX/TX dma failures")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -487,6 +487,7 @@ enum bcmgenet_stat_type {
 	BCMGENET_STAT_MIB_TX,
 	BCMGENET_STAT_RUNT,
 	BCMGENET_STAT_MISC,
+	BCMGENET_STAT_SOFT,
 };
 
 struct bcmgenet_stats {
@@ -515,6 +516,7 @@ struct bcmgenet_stats {
 #define STAT_GENET_MIB_RX(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_MIB_RX)
 #define STAT_GENET_MIB_TX(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_MIB_TX)
 #define STAT_GENET_RUNT(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_RUNT)
+#define STAT_GENET_SOFT_MIB(str, m) STAT_GENET_MIB(str, m, BCMGENET_STAT_SOFT)
 
 #define STAT_GENET_MISC(str, m, offset) { \
 	.stat_string = str, \
@@ -614,9 +616,9 @@ static const struct bcmgenet_stats bcmge
 			UMAC_RBUF_OVFL_CNT),
 	STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt, UMAC_RBUF_ERR_CNT),
 	STAT_GENET_MISC("mdf_err_cnt", mib.mdf_err_cnt, UMAC_MDF_ERR_CNT),
-	STAT_GENET_MIB_RX("alloc_rx_buff_failed", mib.alloc_rx_buff_failed),
-	STAT_GENET_MIB_RX("rx_dma_failed", mib.rx_dma_failed),
-	STAT_GENET_MIB_TX("tx_dma_failed", mib.tx_dma_failed),
+	STAT_GENET_SOFT_MIB("alloc_rx_buff_failed", mib.alloc_rx_buff_failed),
+	STAT_GENET_SOFT_MIB("rx_dma_failed", mib.rx_dma_failed),
+	STAT_GENET_SOFT_MIB("tx_dma_failed", mib.tx_dma_failed),
 };
 
 #define BCMGENET_STATS_LEN	ARRAY_SIZE(bcmgenet_gstrings_stats)
@@ -668,6 +670,7 @@ static void bcmgenet_update_mib_counters
 		s = &bcmgenet_gstrings_stats[i];
 		switch (s->type) {
 		case BCMGENET_STAT_NETDEV:
+		case BCMGENET_STAT_SOFT:
 			continue;
 		case BCMGENET_STAT_MIB_RX:
 		case BCMGENET_STAT_MIB_TX:



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 025/177] sh_eth: Fix lost MAC address on kexec
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 024/177] net: bcmgenet: fix software maintained statistics Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 026/177] net: do not use rcu in rtnl_dump_ifinfo() Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

[ Upstream commit a14c7d15ca91b444e77df08b916befdce77562ab ]

Commit 740c7f31c094703c ("sh_eth: Ensure DMA engines are stopped before
freeing buffers") added a call to sh_eth_reset() to the
sh_eth_set_ringparam() and sh_eth_close() paths.

However, setting the software reset bit(s) in the EDMR register resets
the MAC Address Registers to zero. Hence after kexec, the new kernel
doesn't detect a valid MAC address and assigns a random MAC address,
breaking DHCP.

Set the MAC address again after the reset in sh_eth_dev_exit() to fix
this.

Tested on r8a7740/armadillo (GETHER) and r8a7791/koelsch (FAST_RCAR).

Fixes: 740c7f31c094703c ("sh_eth: Ensure DMA engines are stopped before freeing buffers")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/renesas/sh_eth.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -1392,6 +1392,9 @@ static void sh_eth_dev_exit(struct net_d
 	msleep(2); /* max frame time at 10 Mbps < 1250 us */
 	sh_eth_get_stats(ndev);
 	sh_eth_reset(ndev);
+
+	/* Set MAC address again */
+	update_mac_address(ndev);
 }
 
 /* free Tx skb function */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 026/177] net: do not use rcu in rtnl_dump_ifinfo()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 025/177] sh_eth: Fix lost MAC address on kexec Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 027/177] usb: plusb: Add support for National Instruments host-to-host cable Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Nicolas Dichtel,
	Cong Wang, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit cac5e65e8a7ea074f2626d2eaa53aa308452dec4 ]

We did a failed attempt in the past to only use rcu in rtnl dump
operations (commit e67f88dd12f6 "net: dont hold rtnl mutex during
netlink dump callbacks")

Now that dumps are holding RTNL anyway, there is no need to also
use rcu locking, as it forbids any scheduling ability, like
GFP_KERNEL allocations that controlling path should use instead
of GFP_ATOMIC whenever possible.

This should fix following splat Cong Wang reported :

 [ INFO: suspicious RCU usage. ]
 3.19.0+ #805 Tainted: G        W

 include/linux/rcupdate.h:538 Illegal context switch in RCU read-side critical section!

 other info that might help us debug this:

 rcu_scheduler_active = 1, debug_locks = 0
 2 locks held by ip/771:
  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff8182b8f4>] netlink_dump+0x21/0x26c
  #1:  (rcu_read_lock){......}, at: [<ffffffff817d785b>] rcu_read_lock+0x0/0x6e

 stack backtrace:
 CPU: 3 PID: 771 Comm: ip Tainted: G        W       3.19.0+ #805
 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
  0000000000000001 ffff8800d51e7718 ffffffff81a27457 0000000029e729e6
  ffff8800d6108000 ffff8800d51e7748 ffffffff810b539b ffffffff820013dd
  00000000000001c8 0000000000000000 ffff8800d7448088 ffff8800d51e7758
 Call Trace:
  [<ffffffff81a27457>] dump_stack+0x4c/0x65
  [<ffffffff810b539b>] lockdep_rcu_suspicious+0x107/0x110
  [<ffffffff8109796f>] rcu_preempt_sleep_check+0x45/0x47
  [<ffffffff8109e457>] ___might_sleep+0x1d/0x1cb
  [<ffffffff8109e67d>] __might_sleep+0x78/0x80
  [<ffffffff814b9b1f>] idr_alloc+0x45/0xd1
  [<ffffffff810cb7ab>] ? rcu_read_lock_held+0x3b/0x3d
  [<ffffffff814b9f9d>] ? idr_for_each+0x53/0x101
  [<ffffffff817c1383>] alloc_netid+0x61/0x69
  [<ffffffff817c14c3>] __peernet2id+0x79/0x8d
  [<ffffffff817c1ab7>] peernet2id+0x13/0x1f
  [<ffffffff817d8673>] rtnl_fill_ifinfo+0xa8d/0xc20
  [<ffffffff810b17d9>] ? __lock_is_held+0x39/0x52
  [<ffffffff817d894f>] rtnl_dump_ifinfo+0x149/0x213
  [<ffffffff8182b9c2>] netlink_dump+0xef/0x26c
  [<ffffffff8182bcba>] netlink_recvmsg+0x17b/0x2c5
  [<ffffffff817b0adc>] __sock_recvmsg+0x4e/0x59
  [<ffffffff817b1b40>] sock_recvmsg+0x3f/0x51
  [<ffffffff817b1f9a>] ___sys_recvmsg+0xf6/0x1d9
  [<ffffffff8115dc67>] ? handle_pte_fault+0x6e1/0xd3d
  [<ffffffff8100a3a0>] ? native_sched_clock+0x35/0x37
  [<ffffffff8109f45b>] ? sched_clock_local+0x12/0x72
  [<ffffffff8109f6ac>] ? sched_clock_cpu+0x9e/0xb7
  [<ffffffff810cb7ab>] ? rcu_read_lock_held+0x3b/0x3d
  [<ffffffff811abde8>] ? __fcheck_files+0x4c/0x58
  [<ffffffff811ac556>] ? __fget_light+0x2d/0x52
  [<ffffffff817b376f>] __sys_recvmsg+0x42/0x60
  [<ffffffff817b379f>] SyS_recvmsg+0x12/0x1c

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 0c7aecd4bde4b7302 ("netns: add rtnl cmd to add and get peer netns ids")
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1274,7 +1274,6 @@ static int rtnl_dump_ifinfo(struct sk_bu
 	s_h = cb->args[0];
 	s_idx = cb->args[1];
 
-	rcu_read_lock();
 	cb->seq = net->dev_base_seq;
 
 	/* A hack to preserve kernel<->userspace interface.
@@ -1296,7 +1295,7 @@ static int rtnl_dump_ifinfo(struct sk_bu
 	for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
 		idx = 0;
 		head = &net->dev_index_head[h];
-		hlist_for_each_entry_rcu(dev, head, index_hlist) {
+		hlist_for_each_entry(dev, head, index_hlist) {
 			if (idx < s_idx)
 				goto cont;
 			err = rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
@@ -1318,7 +1317,6 @@ cont:
 		}
 	}
 out:
-	rcu_read_unlock();
 	cb->args[1] = idx;
 	cb->args[0] = h;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 027/177] usb: plusb: Add support for National Instruments host-to-host cable
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 026/177] net: do not use rcu in rtnl_dump_ifinfo() Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 028/177] udp: only allow UFO for packets from SOCK_DGRAM sockets Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Shelton, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Shelton <ben.shelton@ni.com>

[ Upstream commit 42c972a1f390e3bc51ca1e434b7e28764992067f ]

The National Instruments USB Host-to-Host Cable is based on the Prolific
PL-25A1 chipset.  Add its VID/PID so the plusb driver will recognize it.

Signed-off-by: Ben Shelton <ben.shelton@ni.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/plusb.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/usb/plusb.c
+++ b/drivers/net/usb/plusb.c
@@ -134,6 +134,11 @@ static const struct usb_device_id	produc
 }, {
 	USB_DEVICE(0x050d, 0x258a),     /* Belkin F5U258/F5U279 (PL-25A1) */
 	.driver_info =  (unsigned long) &prolific_info,
+}, {
+	USB_DEVICE(0x3923, 0x7825),     /* National Instruments USB
+					 * Host-to-Host Cable
+					 */
+	.driver_info =  (unsigned long) &prolific_info,
 },
 
 	{ },		// END



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 028/177] udp: only allow UFO for packets from SOCK_DGRAM sockets
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 027/177] usb: plusb: Add support for National Instruments host-to-host cable Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 029/177] net: ping: Return EAFNOSUPPORT when appropriate Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michal Kubecek, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz>

[ Upstream commit acf8dd0a9d0b9e4cdb597c2f74802f79c699e802 ]

If an over-MTU UDP datagram is sent through a SOCK_RAW socket to a
UFO-capable device, ip_ufo_append_data() sets skb->ip_summed to
CHECKSUM_PARTIAL unconditionally as all GSO code assumes transport layer
checksum is to be computed on segmentation. However, in this case,
skb->csum_start and skb->csum_offset are never set as raw socket
transmit path bypasses udp_send_skb() where they are usually set. As a
result, driver may access invalid memory when trying to calculate the
checksum and store the result (as observed in virtio_net driver).

Moreover, the very idea of modifying the userspace provided UDP header
is IMHO against raw socket semantics (I wasn't able to find a document
clearly stating this or the opposite, though). And while allowing
CHECKSUM_NONE in the UFO case would be more efficient, it would be a bit
too intrusive change just to handle a corner case like this. Therefore
disallowing UFO for packets from SOCK_DGRAM seems to be the best option.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_output.c  |    3 ++-
 net/ipv6/ip6_output.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -890,7 +890,8 @@ static int __ip_append_data(struct sock
 	cork->length += length;
 	if (((length > mtu) || (skb && skb_is_gso(skb))) &&
 	    (sk->sk_protocol == IPPROTO_UDP) &&
-	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
+	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+	    (sk->sk_type == SOCK_DGRAM)) {
 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
 					 hh_len, fragheaderlen, transhdrlen,
 					 maxfraglen, flags);
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1283,7 +1283,8 @@ emsgsize:
 	if (((length > mtu) ||
 	     (skb && skb_is_gso(skb))) &&
 	    (sk->sk_protocol == IPPROTO_UDP) &&
-	    (rt->dst.dev->features & NETIF_F_UFO)) {
+	    (rt->dst.dev->features & NETIF_F_UFO) &&
+	    (sk->sk_type == SOCK_DGRAM)) {
 		err = ip6_ufo_append_data(sk, getfrag, from, length,
 					  hh_len, fragheaderlen,
 					  transhdrlen, mtu, flags, rt);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 029/177] net: ping: Return EAFNOSUPPORT when appropriate.
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 028/177] udp: only allow UFO for packets from SOCK_DGRAM sockets Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 030/177] team: dont traverse port list using rcu in team_set_mac_address Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lorenzo Colitti, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Colitti <lorenzo@google.com>

[ Upstream commit 9145736d4862145684009d6a72a6e61324a9439e ]

1. For an IPv4 ping socket, ping_check_bind_addr does not check
   the family of the socket address that's passed in. Instead,
   make it behave like inet_bind, which enforces either that the
   address family is AF_INET, or that the family is AF_UNSPEC and
   the address is 0.0.0.0.
2. For an IPv6 ping socket, ping_check_bind_addr returns EINVAL
   if the socket family is not AF_INET6. Return EAFNOSUPPORT
   instead, for consistency with inet6_bind.
3. Make ping_v4_sendmsg and ping_v6_sendmsg return EAFNOSUPPORT
   instead of EINVAL if an incorrect socket address structure is
   passed in.
4. Make IPv6 ping sockets be IPv6-only. The code does not support
   IPv4, and it cannot easily be made to support IPv4 because
   the protocol numbers for ICMP and ICMPv6 are different. This
   makes connect(::ffff:192.0.2.1) fail with EAFNOSUPPORT instead
   of making the socket unusable.

Among other things, this fixes an oops that can be triggered by:

    int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    struct sockaddr_in6 sin6 = {
        .sin6_family = AF_INET6,
        .sin6_addr = in6addr_any,
    };
    bind(s, (struct sockaddr *) &sin6, sizeof(sin6));

Change-Id: If06ca86d9f1e4593c0d6df174caca3487c57a241
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ping.c |   12 ++++++++++--
 net/ipv6/ping.c |    5 +++--
 2 files changed, 13 insertions(+), 4 deletions(-)

--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -259,6 +259,9 @@ int ping_init_sock(struct sock *sk)
 	kgid_t low, high;
 	int ret = 0;
 
+	if (sk->sk_family == AF_INET6)
+		sk->sk_ipv6only = 1;
+
 	inet_get_ping_group_range_net(net, &low, &high);
 	if (gid_lte(low, group) && gid_lte(group, high))
 		return 0;
@@ -305,6 +308,11 @@ static int ping_check_bind_addr(struct s
 		if (addr_len < sizeof(*addr))
 			return -EINVAL;
 
+		if (addr->sin_family != AF_INET &&
+		    !(addr->sin_family == AF_UNSPEC &&
+		      addr->sin_addr.s_addr == htonl(INADDR_ANY)))
+			return -EAFNOSUPPORT;
+
 		pr_debug("ping_check_bind_addr(sk=%p,addr=%pI4,port=%d)\n",
 			 sk, &addr->sin_addr.s_addr, ntohs(addr->sin_port));
 
@@ -330,7 +338,7 @@ static int ping_check_bind_addr(struct s
 			return -EINVAL;
 
 		if (addr->sin6_family != AF_INET6)
-			return -EINVAL;
+			return -EAFNOSUPPORT;
 
 		pr_debug("ping_check_bind_addr(sk=%p,addr=%pI6c,port=%d)\n",
 			 sk, addr->sin6_addr.s6_addr, ntohs(addr->sin6_port));
@@ -716,7 +724,7 @@ static int ping_v4_sendmsg(struct kiocb
 		if (msg->msg_namelen < sizeof(*usin))
 			return -EINVAL;
 		if (usin->sin_family != AF_INET)
-			return -EINVAL;
+			return -EAFNOSUPPORT;
 		daddr = usin->sin_addr.s_addr;
 		/* no remote port */
 	} else {
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -102,9 +102,10 @@ int ping_v6_sendmsg(struct kiocb *iocb,
 
 	if (msg->msg_name) {
 		DECLARE_SOCKADDR(struct sockaddr_in6 *, u, msg->msg_name);
-		if (msg->msg_namelen < sizeof(struct sockaddr_in6) ||
-		    u->sin6_family != AF_INET6) {
+		if (msg->msg_namelen < sizeof(*u))
 			return -EINVAL;
+		if (u->sin6_family != AF_INET6) {
+			return -EAFNOSUPPORT;
 		}
 		if (sk->sk_bound_dev_if &&
 		    sk->sk_bound_dev_if != u->sin6_scope_id) {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 030/177] team: dont traverse port list using rcu in team_set_mac_address
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 029/177] net: ping: Return EAFNOSUPPORT when appropriate Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 031/177] mm/hugetlb: fix getting refcount 0 page in hugetlb_fault() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Pirko, David S. Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Pirko <jiri@resnulli.us>

[ Upstream commit 9215f437b85da339a7dfe3db6e288637406f88b2 ]

Currently the list is traversed using rcu variant. That is not correct
since dev_set_mac_address can be called which eventually calls
rtmsg_ifinfo_build_skb and there, skb allocation can sleep. So fix this
by remove the rcu usage here.

Fixes: 3d249d4ca7 "net: introduce ethernet teaming device"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/team/team.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1736,11 +1736,11 @@ static int team_set_mac_address(struct n
 	if (dev->type == ARPHRD_ETHER && !is_valid_ether_addr(addr->sa_data))
 		return -EADDRNOTAVAIL;
 	memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
-	rcu_read_lock();
-	list_for_each_entry_rcu(port, &team->port_list, list)
+	mutex_lock(&team->lock);
+	list_for_each_entry(port, &team->port_list, list)
 		if (team->ops.port_change_dev_addr)
 			team->ops.port_change_dev_addr(team, port);
-	rcu_read_unlock();
+	mutex_unlock(&team->lock);
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 031/177] mm/hugetlb: fix getting refcount 0 page in hugetlb_fault()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 030/177] team: dont traverse port list using rcu in team_set_mac_address Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 032/177] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Hugh Dickins,
	James Hogan, David Rientjes, Mel Gorman, Johannes Weiner,
	Michal Hocko, Rik van Riel, Andrea Arcangeli, Luiz Capitulino,
	Nishanth Aravamudan, Lee Schermerhorn, Steve Capper,
	Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit 0f792cf949a0be506c2aa8bfac0605746b146dda upstream.

When running the test which causes the race as shown in the previous patch,
we can hit the BUG "get_page() on refcount 0 page" in hugetlb_fault().

This race happens when pte turns into migration entry just after the first
check of is_hugetlb_entry_migration() in hugetlb_fault() passed with false.
To fix this, we need to check pte_present() again after huge_ptep_get().

This patch also reorders taking ptl and doing pte_page(), because
pte_page() should be done in ptl.  Due to this reordering, we need use
trylock_page() in page != pagecache_page case to respect locking order.

Fixes: 66aebce747ea ("hugetlb: fix race condition in hugetlb_fault()")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/hugetlb.c |   52 ++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 16 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3134,6 +3134,7 @@ int hugetlb_fault(struct mm_struct *mm,
 	struct page *pagecache_page = NULL;
 	struct hstate *h = hstate_vma(vma);
 	struct address_space *mapping;
+	int need_wait_lock = 0;
 
 	address &= huge_page_mask(h);
 
@@ -3172,6 +3173,16 @@ int hugetlb_fault(struct mm_struct *mm,
 	ret = 0;
 
 	/*
+	 * entry could be a migration/hwpoison entry at this point, so this
+	 * check prevents the kernel from going below assuming that we have
+	 * a active hugepage in pagecache. This goto expects the 2nd page fault,
+	 * and is_hugetlb_entry_(migration|hwpoisoned) check will properly
+	 * handle it.
+	 */
+	if (!pte_present(entry))
+		goto out_mutex;
+
+	/*
 	 * If we are going to COW the mapping later, we examine the pending
 	 * reservations for this page now. This will ensure that any
 	 * allocations necessary to record that reservation occur outside the
@@ -3190,30 +3201,31 @@ int hugetlb_fault(struct mm_struct *mm,
 								vma, address);
 	}
 
+	ptl = huge_pte_lock(h, mm, ptep);
+
+	/* Check for a racing update before calling hugetlb_cow */
+	if (unlikely(!pte_same(entry, huge_ptep_get(ptep))))
+		goto out_ptl;
+
 	/*
 	 * hugetlb_cow() requires page locks of pte_page(entry) and
 	 * pagecache_page, so here we need take the former one
 	 * when page != pagecache_page or !pagecache_page.
-	 * Note that locking order is always pagecache_page -> page,
-	 * so no worry about deadlock.
 	 */
 	page = pte_page(entry);
-	get_page(page);
 	if (page != pagecache_page)
-		lock_page(page);
-
-	ptl = huge_pte_lockptr(h, mm, ptep);
-	spin_lock(ptl);
-	/* Check for a racing update before calling hugetlb_cow */
-	if (unlikely(!pte_same(entry, huge_ptep_get(ptep))))
-		goto out_ptl;
+		if (!trylock_page(page)) {
+			need_wait_lock = 1;
+			goto out_ptl;
+		}
 
+	get_page(page);
 
 	if (flags & FAULT_FLAG_WRITE) {
 		if (!huge_pte_write(entry)) {
 			ret = hugetlb_cow(mm, vma, address, ptep, entry,
 					pagecache_page, ptl);
-			goto out_ptl;
+			goto out_put_page;
 		}
 		entry = huge_pte_mkdirty(entry);
 	}
@@ -3221,7 +3233,10 @@ int hugetlb_fault(struct mm_struct *mm,
 	if (huge_ptep_set_access_flags(vma, address, ptep, entry,
 						flags & FAULT_FLAG_WRITE))
 		update_mmu_cache(vma, address, ptep);
-
+out_put_page:
+	if (page != pagecache_page)
+		unlock_page(page);
+	put_page(page);
 out_ptl:
 	spin_unlock(ptl);
 
@@ -3229,12 +3244,17 @@ out_ptl:
 		unlock_page(pagecache_page);
 		put_page(pagecache_page);
 	}
-	if (page != pagecache_page)
-		unlock_page(page);
-	put_page(page);
-
 out_mutex:
 	mutex_unlock(&htlb_fault_mutex_table[hash]);
+	/*
+	 * Generally it's safe to hold refcount during waiting page lock. But
+	 * here we just wait to defer the next page fault to avoid busy loop and
+	 * the page is not used after unlocked before returning from the current
+	 * page fault. So we are safe from accessing freed page, even if we wait
+	 * here without taking refcount.
+	 */
+	if (need_wait_lock)
+		wait_on_page_locked(page);
 	return ret;
 }
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 032/177] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 031/177] mm/hugetlb: fix getting refcount 0 page in hugetlb_fault() Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 033/177] mm/hugetlb: add migration entry check in __unmap_hugepage_range Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Hugh Dickins,
	James Hogan, David Rientjes, Mel Gorman, Johannes Weiner,
	Michal Hocko, Rik van Riel, Andrea Arcangeli, Luiz Capitulino,
	Nishanth Aravamudan, Lee Schermerhorn, Steve Capper,
	Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit a8bda28d87c38c6aa93de28ba5d30cc18e865a11 upstream.

There is a race condition between hugepage migration and
change_protection(), where hugetlb_change_protection() doesn't care about
migration entries and wrongly overwrites them.  That causes unexpected
results like kernel crash.  HWPoison entries also can cause the same
problem.

This patch adds is_hugetlb_entry_(migration|hwpoisoned) check in this
function to do proper actions.

Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/hugetlb.c |   21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3384,7 +3384,26 @@ unsigned long hugetlb_change_protection(
 			spin_unlock(ptl);
 			continue;
 		}
-		if (!huge_pte_none(huge_ptep_get(ptep))) {
+		pte = huge_ptep_get(ptep);
+		if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) {
+			spin_unlock(ptl);
+			continue;
+		}
+		if (unlikely(is_hugetlb_entry_migration(pte))) {
+			swp_entry_t entry = pte_to_swp_entry(pte);
+
+			if (is_write_migration_entry(entry)) {
+				pte_t newpte;
+
+				make_migration_entry_read(&entry);
+				newpte = swp_entry_to_pte(entry);
+				set_huge_pte_at(mm, address, ptep, newpte);
+				pages++;
+			}
+			spin_unlock(ptl);
+			continue;
+		}
+		if (!huge_pte_none(pte)) {
 			pte = huge_ptep_get_and_clear(mm, address, ptep);
 			pte = pte_mkhuge(huge_pte_modify(pte, newprot));
 			pte = arch_make_huge_pte(pte, vma, NULL, 0);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 033/177] mm/hugetlb: add migration entry check in __unmap_hugepage_range
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 032/177] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 034/177] mm, hugetlb: remove unnecessary lower bound on sysctl handlers"? Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Hugh Dickins,
	James Hogan, David Rientjes, Mel Gorman, Johannes Weiner,
	Michal Hocko, Rik van Riel, Andrea Arcangeli, Luiz Capitulino,
	Nishanth Aravamudan, Lee Schermerhorn, Steve Capper,
	Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit 9fbc1f635fd0bd28cb32550211bf095753ac637a upstream.

If __unmap_hugepage_range() tries to unmap the address range over which
hugepage migration is on the way, we get the wrong page because pte_page()
doesn't work for migration entries.  This patch simply clears the pte for
migration entries as we do for hwpoison entries.

Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/hugetlb.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2657,9 +2657,10 @@ again:
 			goto unlock;
 
 		/*
-		 * HWPoisoned hugepage is already unmapped and dropped reference
+		 * Migrating hugepage or HWPoisoned hugepage is already
+		 * unmapped and its refcount is dropped, so just clear pte here.
 		 */
-		if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) {
+		if (unlikely(!pte_present(pte))) {
 			huge_pte_clear(mm, address, ptep);
 			goto unlock;
 		}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 034/177] mm, hugetlb: remove unnecessary lower bound on sysctl handlers"?
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 033/177] mm/hugetlb: add migration entry check in __unmap_hugepage_range Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 035/177] mm: when stealing freepages, also take pages created by splitting buddy page Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Ryabinin, Dmitry Vyukov,
	Manfred Spraul, David Rientjes, Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <a.ryabinin@samsung.com>

commit 3cd7645de624939c38f5124b4ac15f8b35a1a8b7 upstream.

Commit ed4d4902ebdd ("mm, hugetlb: remove hugetlb_zero and
hugetlb_infinity") replaced 'unsigned long hugetlb_zero' with 'int zero'
leading to out-of-bounds access in proc_doulongvec_minmax().  Use
'.extra1 = NULL' instead of '.extra1 = &zero'.  Passing NULL is
equivalent to passing minimal value, which is 0 for unsigned types.

Fixes: ed4d4902ebdd ("mm, hugetlb: remove hugetlb_zero and hugetlb_infinity")
Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Suggested-by: Manfred Spraul <manfred@colorfullife.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sysctl.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1248,7 +1248,6 @@ static struct ctl_table vm_table[] = {
 		.maxlen		= sizeof(unsigned long),
 		.mode		= 0644,
 		.proc_handler	= hugetlb_sysctl_handler,
-		.extra1		= &zero,
 	},
 #ifdef CONFIG_NUMA
 	{
@@ -1257,7 +1256,6 @@ static struct ctl_table vm_table[] = {
 		.maxlen         = sizeof(unsigned long),
 		.mode           = 0644,
 		.proc_handler   = &hugetlb_mempolicy_sysctl_handler,
-		.extra1		= &zero,
 	},
 #endif
 	 {
@@ -1280,7 +1278,6 @@ static struct ctl_table vm_table[] = {
 		.maxlen		= sizeof(unsigned long),
 		.mode		= 0644,
 		.proc_handler	= hugetlb_overcommit_handler,
-		.extra1		= &zero,
 	},
 #endif
 	{



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 035/177] mm: when stealing freepages, also take pages created by splitting buddy page
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 034/177] mm, hugetlb: remove unnecessary lower bound on sysctl handlers"? Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 036/177] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vlastimil Babka, Mel Gorman,
	Zhang Yanfei, Minchan Kim, David Rientjes, Rik van Riel,
	Aneesh Kumar K.V, Kirill A. Shutemov, Johannes Weiner,
	Joonsoo Kim, Michal Hocko, KOSAKI Motohiro, Andrew Morton,
	Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit 99592d598eca62bdbbf62b59941c189176dfc614 upstream.

When studying page stealing, I noticed some weird looking decisions in
try_to_steal_freepages().  The first I assume is a bug (Patch 1), the
following two patches were driven by evaluation.

Testing was done with stress-highalloc of mmtests, using the
mm_page_alloc_extfrag tracepoint and postprocessing to get counts of how
often page stealing occurs for individual migratetypes, and what
migratetypes are used for fallbacks.  Arguably, the worst case of page
stealing is when UNMOVABLE allocation steals from MOVABLE pageblock.
RECLAIMABLE allocation stealing from MOVABLE allocation is also not ideal,
so the goal is to minimize these two cases.

The evaluation of v2 wasn't always clear win and Joonsoo questioned the
results.  Here I used different baseline which includes RFC compaction
improvements from [1].  I found that the compaction improvements reduce
variability of stress-highalloc, so there's less noise in the data.

First, let's look at stress-highalloc configured to do sync compaction,
and how these patches reduce page stealing events during the test.  First
column is after fresh reboot, other two are reiterations of test without
reboot.  That was all accumulater over 5 re-iterations (so the benchmark
was run 5x3 times with 5 fresh restarts).

Baseline:

                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  5-nothp-1       5-nothp-2       5-nothp-3
Page alloc extfrag event                               10264225     8702233    10244125
Extfrag fragmenting                                    10263271     8701552    10243473
Extfrag fragmenting for unmovable                         13595       17616       15960
Extfrag fragmenting unmovable placed with movable          7989       12193        8447
Extfrag fragmenting for reclaimable                         658        1840        1817
Extfrag fragmenting reclaimable placed with movable         558        1677        1679
Extfrag fragmenting for movable                        10249018     8682096    10225696

With Patch 1:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  6-nothp-1       6-nothp-2       6-nothp-3
Page alloc extfrag event                               11834954     9877523     9774860
Extfrag fragmenting                                    11833993     9876880     9774245
Extfrag fragmenting for unmovable                          7342       16129       11712
Extfrag fragmenting unmovable placed with movable          4191       10547        6270
Extfrag fragmenting for reclaimable                         373        1130         923
Extfrag fragmenting reclaimable placed with movable         302         906         738
Extfrag fragmenting for movable                        11826278     9859621     9761610

With Patch 2:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  7-nothp-1       7-nothp-2       7-nothp-3
Page alloc extfrag event                                4725990     3668793     3807436
Extfrag fragmenting                                     4725104     3668252     3806898
Extfrag fragmenting for unmovable                          6678        7974        7281
Extfrag fragmenting unmovable placed with movable          2051        3829        4017
Extfrag fragmenting for reclaimable                         429        1208        1278
Extfrag fragmenting reclaimable placed with movable         369         976        1034
Extfrag fragmenting for movable                         4717997     3659070     3798339

With Patch 3:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  8-nothp-1       8-nothp-2       8-nothp-3
Page alloc extfrag event                                5016183     4700142     3850633
Extfrag fragmenting                                     5015325     4699613     3850072
Extfrag fragmenting for unmovable                          1312        3154        3088
Extfrag fragmenting unmovable placed with movable          1115        2777        2714
Extfrag fragmenting for reclaimable                         437        1193        1097
Extfrag fragmenting reclaimable placed with movable         330         969         879
Extfrag fragmenting for movable                         5013576     4695266     3845887

In v2 we've seen apparent regression with Patch 1 for unmovable events,
this is now gone, suggesting it was indeed noise.  Here, each patch
improves the situation for unmovable events.  Reclaimable is improved by
patch 1 and then either the same modulo noise, or perhaps sligtly worse -
a small price for unmovable improvements, IMHO.  The number of movable
allocations falling back to other migratetypes is most noisy, but it's
reduced to half at Patch 2 nevertheless.  These are least critical as
compaction can move them around.

If we look at success rates, the patches don't affect them, that didn't change.

Baseline:
                             3.19-rc4              3.19-rc4              3.19-rc4
                            5-nothp-1             5-nothp-2             5-nothp-3
Success 1 Min         49.00 (  0.00%)       42.00 ( 14.29%)       41.00 ( 16.33%)
Success 1 Mean        51.00 (  0.00%)       45.00 ( 11.76%)       42.60 ( 16.47%)
Success 1 Max         55.00 (  0.00%)       51.00 (  7.27%)       46.00 ( 16.36%)
Success 2 Min         53.00 (  0.00%)       47.00 ( 11.32%)       44.00 ( 16.98%)
Success 2 Mean        59.60 (  0.00%)       50.80 ( 14.77%)       48.20 ( 19.13%)
Success 2 Max         64.00 (  0.00%)       56.00 ( 12.50%)       52.00 ( 18.75%)
Success 3 Min         84.00 (  0.00%)       82.00 (  2.38%)       78.00 (  7.14%)
Success 3 Mean        85.60 (  0.00%)       82.80 (  3.27%)       79.40 (  7.24%)
Success 3 Max         86.00 (  0.00%)       83.00 (  3.49%)       80.00 (  6.98%)

Patch 1:
                             3.19-rc4              3.19-rc4              3.19-rc4
                            6-nothp-1             6-nothp-2             6-nothp-3
Success 1 Min         49.00 (  0.00%)       44.00 ( 10.20%)       44.00 ( 10.20%)
Success 1 Mean        51.80 (  0.00%)       46.00 ( 11.20%)       45.80 ( 11.58%)
Success 1 Max         54.00 (  0.00%)       49.00 (  9.26%)       49.00 (  9.26%)
Success 2 Min         58.00 (  0.00%)       49.00 ( 15.52%)       48.00 ( 17.24%)
Success 2 Mean        60.40 (  0.00%)       51.80 ( 14.24%)       50.80 ( 15.89%)
Success 2 Max         63.00 (  0.00%)       54.00 ( 14.29%)       55.00 ( 12.70%)
Success 3 Min         84.00 (  0.00%)       81.00 (  3.57%)       79.00 (  5.95%)
Success 3 Mean        85.00 (  0.00%)       81.60 (  4.00%)       79.80 (  6.12%)
Success 3 Max         86.00 (  0.00%)       82.00 (  4.65%)       82.00 (  4.65%)

Patch 2:

                             3.19-rc4              3.19-rc4              3.19-rc4
                            7-nothp-1             7-nothp-2             7-nothp-3
Success 1 Min         50.00 (  0.00%)       44.00 ( 12.00%)       39.00 ( 22.00%)
Success 1 Mean        52.80 (  0.00%)       45.60 ( 13.64%)       42.40 ( 19.70%)
Success 1 Max         55.00 (  0.00%)       46.00 ( 16.36%)       47.00 ( 14.55%)
Success 2 Min         52.00 (  0.00%)       48.00 (  7.69%)       45.00 ( 13.46%)
Success 2 Mean        53.40 (  0.00%)       49.80 (  6.74%)       48.80 (  8.61%)
Success 2 Max         57.00 (  0.00%)       52.00 (  8.77%)       52.00 (  8.77%)
Success 3 Min         84.00 (  0.00%)       81.00 (  3.57%)       79.00 (  5.95%)
Success 3 Mean        85.00 (  0.00%)       82.40 (  3.06%)       79.60 (  6.35%)
Success 3 Max         86.00 (  0.00%)       83.00 (  3.49%)       80.00 (  6.98%)

Patch 3:
                             3.19-rc4              3.19-rc4              3.19-rc4
                            8-nothp-1             8-nothp-2             8-nothp-3
Success 1 Min         46.00 (  0.00%)       44.00 (  4.35%)       42.00 (  8.70%)
Success 1 Mean        50.20 (  0.00%)       45.60 (  9.16%)       44.00 ( 12.35%)
Success 1 Max         52.00 (  0.00%)       47.00 (  9.62%)       47.00 (  9.62%)
Success 2 Min         53.00 (  0.00%)       49.00 (  7.55%)       48.00 (  9.43%)
Success 2 Mean        55.80 (  0.00%)       50.60 (  9.32%)       49.00 ( 12.19%)
Success 2 Max         59.00 (  0.00%)       52.00 ( 11.86%)       51.00 ( 13.56%)
Success 3 Min         84.00 (  0.00%)       80.00 (  4.76%)       79.00 (  5.95%)
Success 3 Mean        85.40 (  0.00%)       81.60 (  4.45%)       80.40 (  5.85%)
Success 3 Max         87.00 (  0.00%)       83.00 (  4.60%)       82.00 (  5.75%)

While there's no improvement here, I consider reduced fragmentation events
to be worth on its own.  Patch 2 also seems to reduce scanning for free
pages, and migrations in compaction, suggesting it has somewhat less work
to do:

Patch 1:

Compaction stalls                 4153        3959        3978
Compaction success                1523        1441        1446
Compaction failures               2630        2517        2531
Page migrate success           4600827     4943120     5104348
Page migrate failure             19763       16656       17806
Compaction pages isolated      9597640    10305617    10653541
Compaction migrate scanned    77828948    86533283    87137064
Compaction free scanned      517758295   521312840   521462251
Compaction cost                   5503        5932        6110

Patch 2:

Compaction stalls                 3800        3450        3518
Compaction success                1421        1316        1317
Compaction failures               2379        2134        2201
Page migrate success           4160421     4502708     4752148
Page migrate failure             19705       14340       14911
Compaction pages isolated      8731983     9382374     9910043
Compaction migrate scanned    98362797    96349194    98609686
Compaction free scanned      496512560   469502017   480442545
Compaction cost                   5173        5526        5811

As with v2, /proc/pagetypeinfo appears unaffected with respect to numbers
of unmovable and reclaimable pageblocks.

Configuring the benchmark to allocate like THP page fault (i.e.  no sync
compaction) gives much noisier results for iterations 2 and 3 after
reboot.  This is not so surprising given how [1] offers lower improvements
in this scenario due to less restarts after deferred compaction which
would change compaction pivot.

Baseline:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    5-thp-1         5-thp-2         5-thp-3
Page alloc extfrag event                                8148965     6227815     6646741
Extfrag fragmenting                                     8147872     6227130     6646117
Extfrag fragmenting for unmovable                         10324       12942       15975
Extfrag fragmenting unmovable placed with movable          5972        8495       10907
Extfrag fragmenting for reclaimable                         601        1707        2210
Extfrag fragmenting reclaimable placed with movable         520        1570        2000
Extfrag fragmenting for movable                         8136947     6212481     6627932

Patch 1:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    6-thp-1         6-thp-2         6-thp-3
Page alloc extfrag event                                8345457     7574471     7020419
Extfrag fragmenting                                     8343546     7573777     7019718
Extfrag fragmenting for unmovable                         10256       18535       30716
Extfrag fragmenting unmovable placed with movable          6893       11726       22181
Extfrag fragmenting for reclaimable                         465        1208        1023
Extfrag fragmenting reclaimable placed with movable         353         996         843
Extfrag fragmenting for movable                         8332825     7554034     6987979

Patch 2:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    7-thp-1         7-thp-2         7-thp-3
Page alloc extfrag event                                3512847     3020756     2891625
Extfrag fragmenting                                     3511940     3020185     2891059
Extfrag fragmenting for unmovable                          9017        6892        6191
Extfrag fragmenting unmovable placed with movable          1524        3053        2435
Extfrag fragmenting for reclaimable                         445        1081        1160
Extfrag fragmenting reclaimable placed with movable         375         918         986
Extfrag fragmenting for movable                         3502478     3012212     2883708

Patch 3:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    8-thp-1         8-thp-2         8-thp-3
Page alloc extfrag event                                3181699     3082881     2674164
Extfrag fragmenting                                     3180812     3082303     2673611
Extfrag fragmenting for unmovable                          1201        4031        4040
Extfrag fragmenting unmovable placed with movable           974        3611        3645
Extfrag fragmenting for reclaimable                         478        1165        1294
Extfrag fragmenting reclaimable placed with movable         387         985        1030
Extfrag fragmenting for movable                         3179133     3077107     2668277

The improvements for first iteration are clear, the rest is much noisier
and can appear like regression for Patch 1.  Anyway, patch 2 rectifies it.

Allocation success rates are again unaffected so there's no point in
making this e-mail any longer.

[1] http://marc.info/?l=linux-mm&m=142166196321125&w=2

This patch (of 3):

When __rmqueue_fallback() is called to allocate a page of order X, it will
find a page of order Y >= X of a fallback migratetype, which is different
from the desired migratetype.  With the help of try_to_steal_freepages(),
it may change the migratetype (to the desired one) also of:

1) all currently free pages in the pageblock containing the fallback page
2) the fallback pageblock itself
3) buddy pages created by splitting the fallback page (when Y > X)

These decisions take the order Y into account, as well as the desired
migratetype, with the goal of preventing multiple fallback allocations
that could e.g.  distribute UNMOVABLE allocations among multiple
pageblocks.

Originally, decision for 1) has implied the decision for 3).  Commit
47118af076f6 ("mm: mmzone: MIGRATE_CMA migration type added") changed that
(probably unintentionally) so that the buddy pages in case 3) are always
changed to the desired migratetype, except for CMA pageblocks.

Commit fef903efcf0c ("mm/page_allo.c: restructure free-page stealing code
and fix a bug") did some refactoring and added a comment that the case of
3) is intended.  Commit 0cbef29a7821 ("mm: __rmqueue_fallback() should
respect pageblock type") removed the comment and tried to restore the
original behavior where 1) implies 3), but due to the previous
refactoring, the result is instead that only 2) implies 3) - and the
conditions for 2) are less frequently met than conditions for 1).  This
may increase fragmentation in situations where the code decides to steal
all free pages from the pageblock (case 1)), but then gives back the buddy
pages produced by splitting.

This patch restores the original intended logic where 1) implies 3).
During testing with stress-highalloc from mmtests, this has shown to
decrease the number of events where UNMOVABLE and RECLAIMABLE allocations
steal from MOVABLE pageblocks, which can lead to permanent fragmentation.
In some cases it has increased the number of events when MOVABLE
allocations steal from UNMOVABLE or RECLAIMABLE pageblocks, but these are
fixable by sync compaction and thus less harmful.

Note that evaluation has shown that the behavior introduced by
47118af076f6 for buddy pages in case 3) is actually even better than the
original logic, so the following patch will introduce it properly once
again.  For stable backports of this patch it makes thus sense to only fix
versions containing 0cbef29a7821.

[iamjoonsoo.kim@lge.com: tracepoint fix]
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Mel Gorman <mgorman@suse.de>
Cc: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/trace/events/kmem.h |    7 ++++---
 mm/page_alloc.c             |   12 +++++-------
 2 files changed, 9 insertions(+), 10 deletions(-)

--- a/include/trace/events/kmem.h
+++ b/include/trace/events/kmem.h
@@ -268,11 +268,11 @@ TRACE_EVENT(mm_page_alloc_extfrag,
 
 	TP_PROTO(struct page *page,
 		int alloc_order, int fallback_order,
-		int alloc_migratetype, int fallback_migratetype, int new_migratetype),
+		int alloc_migratetype, int fallback_migratetype),
 
 	TP_ARGS(page,
 		alloc_order, fallback_order,
-		alloc_migratetype, fallback_migratetype, new_migratetype),
+		alloc_migratetype, fallback_migratetype),
 
 	TP_STRUCT__entry(
 		__field(	struct page *,	page			)
@@ -289,7 +289,8 @@ TRACE_EVENT(mm_page_alloc_extfrag,
 		__entry->fallback_order		= fallback_order;
 		__entry->alloc_migratetype	= alloc_migratetype;
 		__entry->fallback_migratetype	= fallback_migratetype;
-		__entry->change_ownership	= (new_migratetype == alloc_migratetype);
+		__entry->change_ownership	= (alloc_migratetype ==
+					get_pageblock_migratetype(page));
 	),
 
 	TP_printk("page=%p pfn=%lu alloc_order=%d fallback_order=%d pageblock_order=%d alloc_migratetype=%d fallback_migratetype=%d fragmenting=%d change_ownership=%d",
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1138,8 +1138,8 @@ static void change_pageblock_range(struc
  * nor move CMA pages to different free lists. We don't want unmovable pages
  * to be allocated from MIGRATE_CMA areas.
  *
- * Returns the new migratetype of the pageblock (or the same old migratetype
- * if it was unchanged).
+ * Returns the allocation migratetype if free pages were stolen, or the
+ * fallback migratetype if it was decided not to steal.
  */
 static int try_to_steal_freepages(struct zone *zone, struct page *page,
 				  int start_type, int fallback_type)
@@ -1170,12 +1170,10 @@ static int try_to_steal_freepages(struct
 
 		/* Claim the whole block if over half of it is free */
 		if (pages >= (1 << (pageblock_order-1)) ||
-				page_group_by_mobility_disabled) {
-
+				page_group_by_mobility_disabled)
 			set_pageblock_migratetype(page, start_type);
-			return start_type;
-		}
 
+		return start_type;
 	}
 
 	return fallback_type;
@@ -1227,7 +1225,7 @@ __rmqueue_fallback(struct zone *zone, un
 			set_freepage_migratetype(page, new_type);
 
 			trace_mm_page_alloc_extfrag(page, order, current_order,
-				start_migratetype, migratetype, new_type);
+				start_migratetype, migratetype);
 
 			return page;
 		}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 036/177] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 035/177] mm: when stealing freepages, also take pages created by splitting buddy page Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 037/177] mm/nommu.c: " Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Gushchin, Andrew Shewmaker,
	Rik van Riel, Konstantin Khlebnikov, Michal Hocko, Andrew Morton,
	Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roman Gushchin <klamm@yandex-team.ru>

commit 5703b087dc8eaf47bfb399d6cf512d471beff405 upstream.

I noticed, that "allowed" can easily overflow by falling below 0,
because (total_vm / 32) can be larger than "allowed".  The problem
occurs in OVERCOMMIT_NONE mode.

In this case, a huge allocation can success and overcommit the system
(despite OVERCOMMIT_NONE mode).  All subsequent allocations will fall
(system-wide), so system become unusable.

The problem was masked out by commit c9b1d0981fcc
("mm: limit growth of 3% hardcoded other user reserve"),
but it's easy to reproduce it on older kernels:
1) set overcommit_memory sysctl to 2
2) mmap() large file multiple times (with VM_SHARED flag)
3) try to malloc() large amount of memory

It also can be reproduced on newer kernels, but miss-configured
sysctl_user_reserve_kbytes is required.

Fix this issue by switching to signed arithmetic here.

[akpm@linux-foundation.org: use min_t]
Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Cc: Andrew Shewmaker <agshew@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/mmap.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -152,7 +152,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed);
  */
 int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
 {
-	unsigned long free, allowed, reserve;
+	long free, allowed, reserve;
 
 	VM_WARN_ONCE(percpu_counter_read(&vm_committed_as) <
 			-(s64)vm_committed_as_batch * num_online_cpus(),
@@ -220,7 +220,7 @@ int __vm_enough_memory(struct mm_struct
 	 */
 	if (mm) {
 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
-		allowed -= min(mm->total_vm / 32, reserve);
+		allowed -= min_t(long, mm->total_vm / 32, reserve);
 	}
 
 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 037/177] mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 036/177] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 038/177] mm/compaction: fix wrong order check in compact_finished() Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Gushchin, Andrew Shewmaker,
	Rik van Riel, Konstantin Khlebnikov, Andrew Morton,
	Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roman Gushchin <klamm@yandex-team.ru>

commit 8138a67a5557ffea3a21dfd6f037842d4e748513 upstream.

I noticed that "allowed" can easily overflow by falling below 0, because
(total_vm / 32) can be larger than "allowed".  The problem occurs in
OVERCOMMIT_NONE mode.

In this case, a huge allocation can success and overcommit the system
(despite OVERCOMMIT_NONE mode).  All subsequent allocations will fall
(system-wide), so system become unusable.

The problem was masked out by commit c9b1d0981fcc
("mm: limit growth of 3% hardcoded other user reserve"),
but it's easy to reproduce it on older kernels:
1) set overcommit_memory sysctl to 2
2) mmap() large file multiple times (with VM_SHARED flag)
3) try to malloc() large amount of memory

It also can be reproduced on newer kernels, but miss-configured
sysctl_user_reserve_kbytes is required.

Fix this issue by switching to signed arithmetic here.

Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Cc: Andrew Shewmaker <agshew@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/nommu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -1895,7 +1895,7 @@ EXPORT_SYMBOL(unmap_mapping_range);
  */
 int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
 {
-	unsigned long free, allowed, reserve;
+	long free, allowed, reserve;
 
 	vm_acct_memory(pages);
 
@@ -1959,7 +1959,7 @@ int __vm_enough_memory(struct mm_struct
 	 */
 	if (mm) {
 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
-		allowed -= min(mm->total_vm / 32, reserve);
+		allowed -= min_t(long, mm->total_vm / 32, reserve);
 	}
 
 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 038/177] mm/compaction: fix wrong order check in compact_finished()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 037/177] mm/nommu.c: " Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 039/177] mm/memory.c: actually remap enough memory Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joonsoo Kim, Vlastimil Babka,
	Zhang Yanfei, Mel Gorman, David Rientjes, Rik van Riel,
	Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joonsoo Kim <iamjoonsoo.kim@lge.com>

commit 372549c2a3778fd3df445819811c944ad54609ca upstream.

What we want to check here is whether there is highorder freepage in buddy
list of other migratetype in order to steal it without fragmentation.
But, current code just checks cc->order which means allocation request
order.  So, this is wrong.

Without this fix, non-movable synchronous compaction below pageblock order
would not stopped until compaction is complete, because migratetype of
most pageblocks are movable and high order freepage made by compaction is
usually on movable type buddy list.

There is some report related to this bug. See below link.

  http://www.spinics.net/lists/linux-mm/msg81666.html

Although the issued system still has load spike comes from compaction,
this makes that system completely stable and responsive according to his
report.

stress-highalloc test in mmtests with non movable order 7 allocation
doesn't show any notable difference in allocation success rate, but, it
shows more compaction success rate.

Compaction success rate (Compaction success * 100 / Compaction stalls, %)
18.47 : 28.94

Fixes: 1fb3f8ca0e92 ("mm: compaction: capture a suitable high-order page immediately when it is made available")
Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/compaction.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -1088,7 +1088,7 @@ static int compact_finished(struct zone
 			return COMPACT_PARTIAL;
 
 		/* Job done if allocation would set block type */
-		if (cc->order >= pageblock_order && area->nr_free)
+		if (order >= pageblock_order && area->nr_free)
 			return COMPACT_PARTIAL;
 	}
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 039/177] mm/memory.c: actually remap enough memory
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 038/177] mm/compaction: fix wrong order check in compact_finished() Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 040/177] mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page() Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Grazvydas Ignotas, Rik van Riel,
	Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Grazvydas Ignotas <notasas@gmail.com>

commit 9cb12d7b4ccaa976f97ce0c5fd0f1b6a83bc2a75 upstream.

For whatever reason, generic_access_phys() only remaps one page, but
actually allows to access arbitrary size.  It's quite easy to trigger
large reads, like printing out large structure with gdb, which leads to a
crash.  Fix it by remapping correct size.

Fixes: 28b2ee20c7cb ("access_process_vm device memory infrastructure")
Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/memory.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3561,7 +3561,7 @@ int generic_access_phys(struct vm_area_s
 	if (follow_phys(vma, addr, write, &prot, &phys_addr))
 		return -EINVAL;
 
-	maddr = ioremap_prot(phys_addr, PAGE_SIZE, prot);
+	maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
 	if (write)
 		memcpy_toio(maddr + offset, buf, len);
 	else



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 040/177] mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 039/177] mm/memory.c: actually remap enough memory Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 041/177] mm: fix negative nr_isolated counts Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Andi Kleen,
	Tony Luck, Chen Gong, Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit 9ab3b598d2dfbdb0153ffa7e4b1456bbff59a25d upstream.

A race condition starts to be visible in recent mmotm, where a PG_hwpoison
flag is set on a migration source page *before* it's back in buddy page
poo= l.

This is problematic because no page flag is supposed to be set when
freeing (see __free_one_page().) So the user-visible effect of this race
is that it could trigger the BUG_ON() when soft-offlining is called.

The root cause is that we call lru_add_drain_all() to make sure that the
page is in buddy, but that doesn't work because this function just
schedule= s a work item and doesn't wait its completion.
drain_all_pages() does drainin= g directly, so simply dropping
lru_add_drain_all() solves this problem.

Fixes: f15bdfa802bf ("mm/memory-failure.c: fix memory leak in successful soft offlining")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Chen Gong <gong.chen@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/memory-failure.c |    2 --
 1 file changed, 2 deletions(-)

--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1654,8 +1654,6 @@ static int __soft_offline_page(struct pa
 			 * setting PG_hwpoison.
 			 */
 			if (!is_free_buddy_page(page))
-				lru_add_drain_all();
-			if (!is_free_buddy_page(page))
 				drain_all_pages(page_zone(page));
 			SetPageHWPoison(page);
 			if (!is_free_buddy_page(page))



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 041/177] mm: fix negative nr_isolated counts
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 040/177] mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page() Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 042/177] mm/nommu: fix memory leak Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hugh Dickins, Vlastimil Babka,
	Joonsoo Kim, Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hugh Dickins <hughd@google.com>

commit ff59909a077b3c51c168cb658601c6b63136a347 upstream.

The vmstat interfaces are good at hiding negative counts (at least when
CONFIG_SMP); but if you peer behind the curtain, you find that
nr_isolated_anon and nr_isolated_file soon go negative, and grow ever
more negative: so they can absorb larger and larger numbers of isolated
pages, yet still appear to be zero.

I'm happy to avoid a congestion_wait() when too_many_isolated() myself;
but I guess it's there for a good reason, in which case we ought to get
too_many_isolated() working again.

The imbalance comes from isolate_migratepages()'s ISOLATE_ABORT case:
putback_movable_pages() decrements the NR_ISOLATED counts, but we forgot
to call acct_isolated() to increment them.

It is possible that the bug whcih this patch fixes could cause OOM kills
when the system still has a lot of reclaimable page cache.

Fixes: edc2ca612496 ("mm, compaction: move pageblock checks up from isolate_migratepages_range()")
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/compaction.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -1015,8 +1015,10 @@ static isolate_migrate_t isolate_migrate
 		low_pfn = isolate_migratepages_block(cc, low_pfn, end_pfn,
 								isolate_mode);
 
-		if (!low_pfn || cc->contended)
+		if (!low_pfn || cc->contended) {
+			acct_isolated(zone, cc);
 			return ISOLATE_ABORT;
+		}
 
 		/*
 		 * Either we isolated something and proceed with migration. Or



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 042/177] mm/nommu: fix memory leak
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 041/177] mm: fix negative nr_isolated counts Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 043/177] mm: page_alloc: revert inadvertent !__GFP_FS retry behavior change Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Coquelin, Joonsoo Kim,
	Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joonsoo Kim <js1304@gmail.com>

commit da616534ed7f6e8ffaab699258b55c8d78d0b4ea upstream.

Maxime reported the following memory leak regression due to commit
dbc8358c7237 ("mm/nommu: use alloc_pages_exact() rather than its own
implementation").

On v3.19, I am facing a memory leak.  Each time I run a command one page
is lost.  Here an example with busybox's free command:

  / # free
               total       used       free     shared    buffers     cached
  Mem:          7928       1972       5956          0          0        492
  -/+ buffers/cache:       1480       6448
  / # free
               total       used       free     shared    buffers     cached
  Mem:          7928       1976       5952          0          0        492
  -/+ buffers/cache:       1484       6444
  / # free
               total       used       free     shared    buffers     cached
  Mem:          7928       1980       5948          0          0        492
  -/+ buffers/cache:       1488       6440
  / # free
               total       used       free     shared    buffers     cached
  Mem:          7928       1984       5944          0          0        492
  -/+ buffers/cache:       1492       6436
  / # free
               total       used       free     shared    buffers     cached
  Mem:          7928       1988       5940          0          0        492
  -/+ buffers/cache:       1496       6432

At some point, the system fails to sastisfy 256KB allocations:

  free: page allocation failure: order:6, mode:0xd0
  CPU: 0 PID: 67 Comm: free Not tainted 3.19.0-05389-gacf2cf1-dirty #64
  Hardware name: STM32 (Device Tree Support)
    show_stack+0xb/0xc
    warn_alloc_failed+0x97/0xbc
    __alloc_pages_nodemask+0x295/0x35c
    __get_free_pages+0xb/0x24
    alloc_pages_exact+0x19/0x24
    do_mmap_pgoff+0x423/0x658
    vm_mmap_pgoff+0x3f/0x4e
    load_flat_file+0x20d/0x4f8
    load_flat_binary+0x3f/0x26c
    search_binary_handler+0x51/0xe4
    do_execveat_common+0x271/0x35c
    do_execve+0x19/0x1c
    ret_fast_syscall+0x1/0x4a
  Mem-info:
  Normal per-cpu:
  CPU    0: hi:    0, btch:   1 usd:   0
  active_anon:0 inactive_anon:0 isolated_anon:0
   active_file:0 inactive_file:0 isolated_file:0
   unevictable:123 dirty:0 writeback:0 unstable:0
   free:1515 slab_reclaimable:17 slab_unreclaimable:139
   mapped:0 shmem:0 pagetables:0 bounce:0
   free_cma:0
  Normal free:6060kB min:352kB low:440kB high:528kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:492kB isolated(anon):0ks
  lowmem_reserve[]: 0 0
  Normal: 23*4kB (U) 22*8kB (U) 24*16kB (U) 23*32kB (U) 23*64kB (U) 23*128kB (U) 1*256kB (U) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 6060kB
  123 total pagecache pages
  2048 pages of RAM
  1538 free pages
  66 reserved pages
  109 slab pages
  -46 pages shared
  0 pages swap cached
  nommu: Allocation of length 221184 from process 67 (free) failed
  Normal per-cpu:
  CPU    0: hi:    0, btch:   1 usd:   0
  active_anon:0 inactive_anon:0 isolated_anon:0
   active_file:0 inactive_file:0 isolated_file:0
   unevictable:123 dirty:0 writeback:0 unstable:0
   free:1515 slab_reclaimable:17 slab_unreclaimable:139
   mapped:0 shmem:0 pagetables:0 bounce:0
   free_cma:0
  Normal free:6060kB min:352kB low:440kB high:528kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:492kB isolated(anon):0ks
  lowmem_reserve[]: 0 0
  Normal: 23*4kB (U) 22*8kB (U) 24*16kB (U) 23*32kB (U) 23*64kB (U) 23*128kB (U) 1*256kB (U) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 6060kB
  123 total pagecache pages
  Unable to allocate RAM for process text/data, errno 12 SEGV

This problem happens because we allocate ordered page through
__get_free_pages() in do_mmap_private() in some cases and we try to free
individual pages rather than ordered page in free_page_series().  In
this case, freeing pages whose refcount is not 0 won't be freed to the
page allocator so memory leak happens.

To fix the problem, this patch changes __get_free_pages() to
alloc_pages_exact() since alloc_pages_exact() returns
physically-contiguous pages but each pages are refcounted.

Fixes: dbc8358c7237 ("mm/nommu: use alloc_pages_exact() rather than its own implementation").
Reported-by: Maxime Coquelin <mcoquelin.stm32@gmail.com>
Tested-by: Maxime Coquelin <mcoquelin.stm32@gmail.com>
Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/nommu.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -1189,11 +1189,9 @@ static int do_mmap_private(struct vm_are
 	if (sysctl_nr_trim_pages && total - point >= sysctl_nr_trim_pages) {
 		total = point;
 		kdebug("try to alloc exact %lu pages", total);
-		base = alloc_pages_exact(len, GFP_KERNEL);
-	} else {
-		base = (void *)__get_free_pages(GFP_KERNEL, order);
 	}
 
+	base = alloc_pages_exact(total << PAGE_SHIFT, GFP_KERNEL);
 	if (!base)
 		goto enomem;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 043/177] mm: page_alloc: revert inadvertent !__GFP_FS retry behavior change
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 042/177] mm/nommu: fix memory leak Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 044/177] drm/tegra: Use correct relocation target offsets Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Weiner, Michal Hocko,
	Tetsuo Handa, Theodore Tso, Dave Chinner, David Rientjes,
	Oleg Nesterov, Mel Gorman, Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Weiner <hannes@cmpxchg.org>

commit cc87317726f851531ae8422e0c2d3d6e2d7b1955 upstream.

Historically, !__GFP_FS allocations were not allowed to invoke the OOM
killer once reclaim had failed, but nevertheless kept looping in the
allocator.

Commit 9879de7373fc ("mm: page_alloc: embed OOM killing naturally into
allocation slowpath"), which should have been a simple cleanup patch,
accidentally changed the behavior to aborting the allocation at that
point.  This creates problems with filesystem callers (?) that currently
rely on the allocator waiting for other tasks to intervene.

Revert the behavior as it shouldn't have been changed as part of a
cleanup patch.

Fixes: 9879de7373fc ("mm: page_alloc: embed OOM killing naturally into allocation slowpath")
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: Dave Chinner <david@fromorbit.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Mel Gorman <mgorman@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/page_alloc.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2380,8 +2380,15 @@ __alloc_pages_may_oom(gfp_t gfp_mask, un
 		if (high_zoneidx < ZONE_NORMAL)
 			goto out;
 		/* The OOM killer does not compensate for light reclaim */
-		if (!(gfp_mask & __GFP_FS))
+		if (!(gfp_mask & __GFP_FS)) {
+			/*
+			 * XXX: Page reclaim didn't yield anything,
+			 * and the OOM killer can't be invoked, but
+			 * keep looping as per should_alloc_retry().
+			 */
+			*did_some_progress = 1;
 			goto out;
+		}
 		/*
 		 * GFP_THISNODE contains __GFP_NORETRY and we never hit this.
 		 * Sanity check for bare calls of __GFP_THISNODE, not real OOM.



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 044/177] drm/tegra: Use correct relocation target offsets
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 043/177] mm: page_alloc: revert inadvertent !__GFP_FS retry behavior change Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 048/177] drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Ung, Thierry Reding

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ung <davidu@nvidia.com>

commit 31f40f86526b71009973854c1dfe799ee70f7588 upstream.

When copying a relocation from userspace, copy the correct target
offset.

Signed-off-by: David Ung <davidu@nvidia.com>
Fixes: 961e3beae3b2 ("drm/tegra: Make job submission 64-bit safe")
[treding@nvidia.com: provide a better commit message]
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/tegra/drm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -190,7 +190,7 @@ static int host1x_reloc_copy_from_user(s
 	if (err < 0)
 		return err;
 
-	err = get_user(dest->target.offset, &src->cmdbuf.offset);
+	err = get_user(dest->target.offset, &src->target.offset);
 	if (err < 0)
 		return err;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 048/177] drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 044/177] drm/tegra: Use correct relocation target offsets Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 049/177] drm/radeon: fix voltage setup on hawaii Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 66c2b84ba6256bc5399eed45582af9ebb3ba2c15 upstream.

Don't restrict it to just eDP panels.  Some LVDS bridge chips require
this.  Fixes blank panels on resume on certain laptops.  Noticed
by mrnuke on IRC.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=42960

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/atombios_dp.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/gpu/drm/radeon/atombios_dp.c
+++ b/drivers/gpu/drm/radeon/atombios_dp.c
@@ -623,10 +623,8 @@ static int radeon_dp_link_train_init(str
 		drm_dp_dpcd_writeb(dp_info->aux,
 				   DP_DOWNSPREAD_CTRL, 0);
 
-	if ((dp_info->connector->connector_type == DRM_MODE_CONNECTOR_eDP) &&
-	    (dig->panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE)) {
+	if (dig->panel_mode == DP_PANEL_MODE_INTERNAL_DP2_MODE)
 		drm_dp_dpcd_writeb(dp_info->aux, DP_EDP_CONFIGURATION_SET, 1);
-	}
 
 	/* set the lane count on the sink */
 	tmp = dp_info->dp_lane_count;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 049/177] drm/radeon: fix voltage setup on hawaii
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 048/177] drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 050/177] drm/i915: Insert a command barrier on BLT/BSD cache flushes Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 09b6e85fc868568e1b2820235a2a851aecbccfcc upstream.

Missing parameter when fetching the real voltage values
from atom.  Fixes problems with dynamic clocking on
certain boards.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=87457

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_atombios.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -3289,6 +3289,7 @@ int radeon_atom_get_voltage_evv(struct r
 
 	args.in.ucVoltageType = VOLTAGE_TYPE_VDDC;
 	args.in.ucVoltageMode = ATOM_GET_VOLTAGE_EVV_VOLTAGE;
+	args.in.usVoltageLevel = cpu_to_le16(virtual_voltage_id);
 	args.in.ulSCLKFreq =
 		cpu_to_le32(rdev->pm.dpm.dyn_state.vddc_dependency_on_sclk.entries[entry_id].clk);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 050/177] drm/i915: Insert a command barrier on BLT/BSD cache flushes
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 049/177] drm/radeon: fix voltage setup on hawaii Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 051/177] drm/i915: Drop vblank wait from intel_dp_link_down Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Wilson, Daniel Vetter, Jani Nikula

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit f0a1fb10e5f79f5aaf8d7e94b9fa6bf2fa9aeebf upstream.

This looked like an odd regression from

commit ec5cc0f9b019af95e4571a9fa162d94294c8d90b
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Jun 12 10:28:55 2014 +0100

    drm/i915: Restrict GPU boost to the RCS engine

but in reality it undercovered a much older coherency bug. The issue that
boosting the GPU frequency on the BCS ring was masking was that we could
wake the CPU up after completion of a BCS batch and inspect memory prior
to the write cache being fully evicted. In order to serialise the
breadcrumb interrupt (and so ensure that the CPU's view of memory is
coherent) we need to perform a post-sync operation in the MI_FLUSH_DW.

v2: Fix all the MI_FLUSH_DW (bsd plus the duplication in execlists).

Also fix the invalidate_domains mask in gen8_emit_flush() for ring !=
VCS.

Testcase: gpuX-rcs-gpu-read-after-write
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Acked-by: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_lrc.c        |   20 +++++++++++---------
 drivers/gpu/drm/i915/intel_ringbuffer.c |   23 +++++++++++++++++++----
 2 files changed, 30 insertions(+), 13 deletions(-)

--- a/drivers/gpu/drm/i915/intel_lrc.c
+++ b/drivers/gpu/drm/i915/intel_lrc.c
@@ -1237,15 +1237,17 @@ static int gen8_emit_flush(struct intel_
 
 	cmd = MI_FLUSH_DW + 1;
 
-	if (ring == &dev_priv->ring[VCS]) {
-		if (invalidate_domains & I915_GEM_GPU_DOMAINS)
-			cmd |= MI_INVALIDATE_TLB | MI_INVALIDATE_BSD |
-				MI_FLUSH_DW_STORE_INDEX |
-				MI_FLUSH_DW_OP_STOREDW;
-	} else {
-		if (invalidate_domains & I915_GEM_DOMAIN_RENDER)
-			cmd |= MI_INVALIDATE_TLB | MI_FLUSH_DW_STORE_INDEX |
-				MI_FLUSH_DW_OP_STOREDW;
+	/* We always require a command barrier so that subsequent
+	 * commands, such as breadcrumb interrupts, are strictly ordered
+	 * wrt the contents of the write cache being flushed to memory
+	 * (and thus being coherent from the CPU).
+	 */
+	cmd |= MI_FLUSH_DW_STORE_INDEX | MI_FLUSH_DW_OP_STOREDW;
+
+	if (invalidate_domains & I915_GEM_GPU_DOMAINS) {
+		cmd |= MI_INVALIDATE_TLB;
+		if (ring == &dev_priv->ring[VCS])
+			cmd |= MI_INVALIDATE_BSD;
 	}
 
 	intel_logical_ring_emit(ringbuf, cmd);
--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
@@ -2178,6 +2178,14 @@ static int gen6_bsd_ring_flush(struct in
 	cmd = MI_FLUSH_DW;
 	if (INTEL_INFO(ring->dev)->gen >= 8)
 		cmd += 1;
+
+	/* We always require a command barrier so that subsequent
+	 * commands, such as breadcrumb interrupts, are strictly ordered
+	 * wrt the contents of the write cache being flushed to memory
+	 * (and thus being coherent from the CPU).
+	 */
+	cmd |= MI_FLUSH_DW_STORE_INDEX | MI_FLUSH_DW_OP_STOREDW;
+
 	/*
 	 * Bspec vol 1c.5 - video engine command streamer:
 	 * "If ENABLED, all TLBs will be invalidated once the flush
@@ -2185,8 +2193,8 @@ static int gen6_bsd_ring_flush(struct in
 	 * Post-Sync Operation field is a value of 1h or 3h."
 	 */
 	if (invalidate & I915_GEM_GPU_DOMAINS)
-		cmd |= MI_INVALIDATE_TLB | MI_INVALIDATE_BSD |
-			MI_FLUSH_DW_STORE_INDEX | MI_FLUSH_DW_OP_STOREDW;
+		cmd |= MI_INVALIDATE_TLB | MI_INVALIDATE_BSD;
+
 	intel_ring_emit(ring, cmd);
 	intel_ring_emit(ring, I915_GEM_HWS_SCRATCH_ADDR | MI_FLUSH_DW_USE_GTT);
 	if (INTEL_INFO(ring->dev)->gen >= 8) {
@@ -2282,6 +2290,14 @@ static int gen6_ring_flush(struct intel_
 	cmd = MI_FLUSH_DW;
 	if (INTEL_INFO(ring->dev)->gen >= 8)
 		cmd += 1;
+
+	/* We always require a command barrier so that subsequent
+	 * commands, such as breadcrumb interrupts, are strictly ordered
+	 * wrt the contents of the write cache being flushed to memory
+	 * (and thus being coherent from the CPU).
+	 */
+	cmd |= MI_FLUSH_DW_STORE_INDEX | MI_FLUSH_DW_OP_STOREDW;
+
 	/*
 	 * Bspec vol 1c.3 - blitter engine command streamer:
 	 * "If ENABLED, all TLBs will be invalidated once the flush
@@ -2289,8 +2305,7 @@ static int gen6_ring_flush(struct intel_
 	 * Post-Sync Operation field is a value of 1h or 3h."
 	 */
 	if (invalidate & I915_GEM_DOMAIN_RENDER)
-		cmd |= MI_INVALIDATE_TLB | MI_FLUSH_DW_STORE_INDEX |
-			MI_FLUSH_DW_OP_STOREDW;
+		cmd |= MI_INVALIDATE_TLB;
 	intel_ring_emit(ring, cmd);
 	intel_ring_emit(ring, I915_GEM_HWS_SCRATCH_ADDR | MI_FLUSH_DW_USE_GTT);
 	if (INTEL_INFO(ring->dev)->gen >= 8) {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 051/177] drm/i915: Drop vblank wait from intel_dp_link_down
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 050/177] drm/i915: Insert a command barrier on BLT/BSD cache flushes Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 054/177] drm/i915: Clamp efficient frequency to valid range Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Vetter, Paulo Zanoni, Jani Nikula

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Vetter <daniel.vetter@ffwll.ch>

commit 0ca09685546fed5fc8f0535204f0626f352140f4 upstream.

Nothing in Bspec seems to indicate that we actually needs this, and it
looks like can't work since by this point the pipe is off and so
vblanks won't really happen any more.

Note that Bspec mentions that it takes a vblank for this bit to
change, but _only_ when enabling.

Dropping this code quenches an annoying backtrace introduced by the
more anal checking since

commit 51e31d49c89055299e34b8f44d13f70e19aaaad1
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Mon Sep 15 12:36:02 2014 +0200

    drm/i915: Use generic vblank wait

Note: This fixes the fallout from the above commit, but does not address
the shortcomings of the IBX transcoder select workaround implementation
discussed during review [1].

[1] http://mid.gmane.org/87y4o7usxf.fsf@intel.com

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86095
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_dp.c |   17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

--- a/drivers/gpu/drm/i915/intel_dp.c
+++ b/drivers/gpu/drm/i915/intel_dp.c
@@ -3515,8 +3515,6 @@ intel_dp_link_down(struct intel_dp *inte
 	enum port port = intel_dig_port->port;
 	struct drm_device *dev = intel_dig_port->base.base.dev;
 	struct drm_i915_private *dev_priv = dev->dev_private;
-	struct intel_crtc *intel_crtc =
-		to_intel_crtc(intel_dig_port->base.base.crtc);
 	uint32_t DP = intel_dp->DP;
 
 	if (WARN_ON(HAS_DDI(dev)))
@@ -3541,8 +3539,6 @@ intel_dp_link_down(struct intel_dp *inte
 
 	if (HAS_PCH_IBX(dev) &&
 	    I915_READ(intel_dp->output_reg) & DP_PIPEB_SELECT) {
-		struct drm_crtc *crtc = intel_dig_port->base.base.crtc;
-
 		/* Hardware workaround: leaving our transcoder select
 		 * set to transcoder B while it's off will prevent the
 		 * corresponding HDMI output on transcoder A.
@@ -3553,18 +3549,7 @@ intel_dp_link_down(struct intel_dp *inte
 		 */
 		DP &= ~DP_PIPEB_SELECT;
 		I915_WRITE(intel_dp->output_reg, DP);
-
-		/* Changes to enable or select take place the vblank
-		 * after being written.
-		 */
-		if (WARN_ON(crtc == NULL)) {
-			/* We should never try to disable a port without a crtc
-			 * attached. For paranoia keep the code around for a
-			 * bit. */
-			POSTING_READ(intel_dp->output_reg);
-			msleep(50);
-		} else
-			intel_wait_for_vblank(dev, intel_crtc->pipe);
+		POSTING_READ(intel_dp->output_reg);
 	}
 
 	DP &= ~DP_AUDIO_OUTPUT_ENABLE;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 054/177] drm/i915: Clamp efficient frequency to valid range
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 051/177] drm/i915: Drop vblank wait from intel_dp_link_down Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 055/177] target: Fix PR_APTPL_BUF_LEN buffer size limitation Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Auchter, Chris Wilson,
	Tom ORourke, Jani Nikula, Tom O'Rourke

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tom O'Rourke <Tom.O'Rourke@intel.com>

commit 46efa4abe5712276494adbce102f46e3214632fd upstream.

The efficient frequency (RPe) should stay in the range
RPn <= RPe <= RP0.  The pcode clamps the returned value
internally on Broadwell but not on Haswell.

Fix for missing range check in
commit 93ee29203f506582cca2bcec5f05041526d9ab0a
Author: Tom O'Rourke <Tom.O'Rourke@intel.com>
Date:   Wed Nov 19 14:21:52 2014 -0800

    drm/i915: Use efficient frequency for HSW/BDW

Reference: http://lists.freedesktop.org/archives/intel-gfx/2015-February/059802.html
Reported-by: Michael Auchter <a@phire.org>
Suggested-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Tom O'Rourke <Tom.O'Rourke@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_pm.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -4625,7 +4625,10 @@ static void gen6_init_rps_frequencies(st
 					&ddcc_status);
 		if (0 == ret)
 			dev_priv->rps.efficient_freq =
-				(ddcc_status >> 8) & 0xff;
+				clamp_t(u8,
+					((ddcc_status >> 8) & 0xff),
+					dev_priv->rps.min_freq,
+					dev_priv->rps.max_freq);
 	}
 
 	/* Preserve min/max settings in case of re-init */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 055/177] target: Fix PR_APTPL_BUF_LEN buffer size limitation
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 054/177] drm/i915: Clamp efficient frequency to valid range Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 056/177] target: Add missing WRITE_SAME end-of-device sanity check Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Svec, Nicholas Bellinger

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit f161d4b44d7cc1dc66b53365215227db356378b1 upstream.

This patch addresses the original PR_APTPL_BUF_LEN = 8k limitiation
for write-out of PR APTPL metadata that Martin has recently been
running into.

It changes core_scsi3_update_and_write_aptpl() to use vzalloc'ed
memory instead of kzalloc, and increases the default hardcoded
length to 256k.

It also adds logic in core_scsi3_update_and_write_aptpl() to double
the original length upon core_scsi3_update_aptpl_buf() failure, and
retries until the vzalloc'ed buffer is large enough to accommodate
the outgoing APTPL metadata.

Reported-by: Martin Svec <martin.svec@zoner.cz>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_pr.c   |   25 +++++++++++++------------
 include/target/target_core_base.h |    2 +-
 2 files changed, 14 insertions(+), 13 deletions(-)

--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -1874,8 +1874,8 @@ static int core_scsi3_update_aptpl_buf(
 		}
 
 		if ((len + strlen(tmp) >= pr_aptpl_buf_len)) {
-			pr_err("Unable to update renaming"
-				" APTPL metadata\n");
+			pr_err("Unable to update renaming APTPL metadata,"
+			       " reallocating larger buffer\n");
 			ret = -EMSGSIZE;
 			goto out;
 		}
@@ -1892,8 +1892,8 @@ static int core_scsi3_update_aptpl_buf(
 			lun->lun_sep->sep_rtpi, lun->unpacked_lun, reg_count);
 
 		if ((len + strlen(tmp) >= pr_aptpl_buf_len)) {
-			pr_err("Unable to update renaming"
-				" APTPL metadata\n");
+			pr_err("Unable to update renaming APTPL metadata,"
+			       " reallocating larger buffer\n");
 			ret = -EMSGSIZE;
 			goto out;
 		}
@@ -1956,7 +1956,7 @@ static int __core_scsi3_write_aptpl_to_f
 static sense_reason_t core_scsi3_update_and_write_aptpl(struct se_device *dev, bool aptpl)
 {
 	unsigned char *buf;
-	int rc;
+	int rc, len = PR_APTPL_BUF_LEN;
 
 	if (!aptpl) {
 		char *null_buf = "No Registrations or Reservations\n";
@@ -1970,25 +1970,26 @@ static sense_reason_t core_scsi3_update_
 
 		return 0;
 	}
-
-	buf = kzalloc(PR_APTPL_BUF_LEN, GFP_KERNEL);
+retry:
+	buf = vzalloc(len);
 	if (!buf)
 		return TCM_OUT_OF_RESOURCES;
 
-	rc = core_scsi3_update_aptpl_buf(dev, buf, PR_APTPL_BUF_LEN);
+	rc = core_scsi3_update_aptpl_buf(dev, buf, len);
 	if (rc < 0) {
-		kfree(buf);
-		return TCM_OUT_OF_RESOURCES;
+		vfree(buf);
+		len *= 2;
+		goto retry;
 	}
 
 	rc = __core_scsi3_write_aptpl_to_file(dev, buf);
 	if (rc != 0) {
 		pr_err("SPC-3 PR: Could not update APTPL\n");
-		kfree(buf);
+		vfree(buf);
 		return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
 	}
 	dev->t10_pr.pr_aptpl_active = 1;
-	kfree(buf);
+	vfree(buf);
 	pr_debug("SPC-3 PR: Set APTPL Bit Activated\n");
 	return 0;
 }
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -407,7 +407,7 @@ struct t10_reservation {
 	/* Activate Persistence across Target Power Loss enabled
 	 * for SCSI device */
 	int pr_aptpl_active;
-#define PR_APTPL_BUF_LEN			8192
+#define PR_APTPL_BUF_LEN			262144
 	u32 pr_generation;
 	spinlock_t registration_lock;
 	spinlock_t aptpl_reg_lock;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 056/177] target: Add missing WRITE_SAME end-of-device sanity check
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 055/177] target: Fix PR_APTPL_BUF_LEN buffer size limitation Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 057/177] target: Check for LBA + sectors wrap-around in sbc_parse_cdb Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Martin Petersen,
	Christoph Hellwig, Nicholas Bellinger

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 8e575c50a171f2579e367a7f778f86477dfdaf49 upstream.

This patch adds a check to sbc_setup_write_same() to verify
the incoming WRITE_SAME LBA + number of blocks does not exceed
past the end-of-device.

Also check for potential LBA wrap-around as well.

Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Martin Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_sbc.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -251,6 +251,8 @@ static inline unsigned long long transpo
 static sense_reason_t
 sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
 {
+	struct se_device *dev = cmd->se_dev;
+	sector_t end_lba = dev->transport->get_blocks(dev) + 1;
 	unsigned int sectors = sbc_get_write_same_sectors(cmd);
 
 	if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
@@ -264,6 +266,16 @@ sbc_setup_write_same(struct se_cmd *cmd,
 			sectors, cmd->se_dev->dev_attrib.max_write_same_len);
 		return TCM_INVALID_CDB_FIELD;
 	}
+	/*
+	 * Sanity check for LBA wrap and request past end of device.
+	 */
+	if (((cmd->t_task_lba + sectors) < cmd->t_task_lba) ||
+	    ((cmd->t_task_lba + sectors) > end_lba)) {
+		pr_err("WRITE_SAME exceeds last lba %llu (lba %llu, sectors %u)\n",
+		       (unsigned long long)end_lba, cmd->t_task_lba, sectors);
+		return TCM_ADDRESS_OUT_OF_RANGE;
+	}
+
 	/* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
 	if (flags[0] & 0x10) {
 		pr_warn("WRITE SAME with ANCHOR not supported\n");



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 057/177] target: Check for LBA + sectors wrap-around in sbc_parse_cdb
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 056/177] target: Add missing WRITE_SAME end-of-device sanity check Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 058/177] x86/asm/entry/64: Remove a bogus ret_from_fork optimization Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Petersen, Christoph Hellwig,
	Nicholas Bellinger

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit aa179935edea9a64dec4b757090c8106a3907ffa upstream.

This patch adds a check to sbc_parse_cdb() in order to detect when
an LBA + sector vs. end-of-device calculation wraps when the LBA is
sufficently large enough (eg: 0xFFFFFFFFFFFFFFFF).

Cc: Martin Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_sbc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -967,7 +967,8 @@ sbc_parse_cdb(struct se_cmd *cmd, struct
 		unsigned long long end_lba;
 check_lba:
 		end_lba = dev->transport->get_blocks(dev) + 1;
-		if (cmd->t_task_lba + sectors > end_lba) {
+		if (((cmd->t_task_lba + sectors) < cmd->t_task_lba) ||
+		    ((cmd->t_task_lba + sectors) > end_lba)) {
 			pr_err("cmd exceeds last lba %llu "
 				"(lba %llu, sectors %u)\n",
 				end_lba, cmd->t_task_lba, sectors);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 058/177] x86/asm/entry/64: Remove a bogus ret_from_fork optimization
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 057/177] target: Check for LBA + sectors wrap-around in sbc_parse_cdb Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 059/177] x86/fpu/xsaves: Fix improper uses of __ex_table Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Borislav Petkov,
	Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Oleg Nesterov,
	Thomas Gleixner, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@amacapital.net>

commit 956421fbb74c3a6261903f3836c0740187cf038b upstream.

'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
the related state make sense for 'ret_from_sys_call'.  This is
entirely the wrong check.  TS_COMPAT would make a little more
sense, but there's really no point in keeping this optimization
at all.

This fixes a return to the wrong user CS if we came from int
0x80 in a 64-bit task.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
[ Backported from tip:x86/asm. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/entry_64.S |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -334,11 +334,14 @@ ENTRY(ret_from_fork)
 	testl $3, CS-ARGOFFSET(%rsp)		# from kernel_thread?
 	jz   1f
 
-	testl $_TIF_IA32, TI_flags(%rcx)	# 32-bit compat task needs IRET
-	jnz  int_ret_from_sys_call
-
-	RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET
-	jmp ret_from_sys_call			# go to the SYSRET fastpath
+	/*
+	 * By the time we get here, we have no idea whether our pt_regs,
+	 * ti flags, and ti status came from the 64-bit SYSCALL fast path,
+	 * the slow path, or one of the ia32entry paths.
+	 * Use int_ret_from_sys_call to return, since it can safely handle
+	 * all of the above.
+	 */
+	jmp  int_ret_from_sys_call
 
 1:
 	subq $REST_SKIP, %rsp	# leave space for volatiles



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 059/177] x86/fpu/xsaves: Fix improper uses of __ex_table
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 058/177] x86/asm/entry/64: Remove a bogus ret_from_fork optimization Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 060/177] iio: mxs-lradc: fix iio channel map regression Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Casasnovas, Jamie Iles,
	Borislav Petkov, Linus Torvalds, Allan Xavier, H. Peter Anvin,
	Thomas Gleixner, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quentin Casasnovas <quentin.casasnovas@oracle.com>

commit 06c8173eb92bbfc03a0fe8bb64315857d0badd06 upstream.

Commit:

  f31a9f7c7169 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area")

introduced alternative instructions for XSAVES/XRSTORS and commit:

  adb9d526e982 ("x86/xsaves: Add xsaves and xrstors support for booting time")

added support for the XSAVES/XRSTORS instructions at boot time.

Unfortunately both failed to properly protect them against faulting:

The 'xstate_fault' macro will use the closest label named '1'
backward and that ends up in the .altinstr_replacement section
rather than in .text. This means that the kernel will never find
in the __ex_table the .text address where this instruction might
fault, leading to serious problems if userspace manages to
trigger the fault.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
[ Improved the changelog, fixed some whitespace noise. ]
Acked-by: Borislav Petkov <bp@alien8.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Allan Xavier <mr.a.xavier@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: adb9d526e982 ("x86/xsaves: Add xsaves and xrstors support for booting time")
Fixes: f31a9f7c7169 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/xsave.h |   28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

--- a/arch/x86/include/asm/xsave.h
+++ b/arch/x86/include/asm/xsave.h
@@ -82,18 +82,15 @@ static inline int xsave_state_booting(st
 	if (boot_cpu_has(X86_FEATURE_XSAVES))
 		asm volatile("1:"XSAVES"\n\t"
 			"2:\n\t"
-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+			     xstate_fault
+			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
 			:   "memory");
 	else
 		asm volatile("1:"XSAVE"\n\t"
 			"2:\n\t"
-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+			     xstate_fault
+			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
 			:   "memory");
-
-	asm volatile(xstate_fault
-		     : "0" (0)
-		     : "memory");
-
 	return err;
 }
 
@@ -112,18 +109,15 @@ static inline int xrstor_state_booting(s
 	if (boot_cpu_has(X86_FEATURE_XSAVES))
 		asm volatile("1:"XRSTORS"\n\t"
 			"2:\n\t"
-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+			     xstate_fault
+			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
 			:   "memory");
 	else
 		asm volatile("1:"XRSTOR"\n\t"
 			"2:\n\t"
-			: : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
+			     xstate_fault
+			: "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
 			:   "memory");
-
-	asm volatile(xstate_fault
-		     : "0" (0)
-		     : "memory");
-
 	return err;
 }
 
@@ -149,9 +143,9 @@ static inline int xsave_state(struct xsa
 	 */
 	alternative_input_2(
 		"1:"XSAVE,
-		"1:"XSAVEOPT,
+		XSAVEOPT,
 		X86_FEATURE_XSAVEOPT,
-		"1:"XSAVES,
+		XSAVES,
 		X86_FEATURE_XSAVES,
 		[fx] "D" (fx), "a" (lmask), "d" (hmask) :
 		"memory");
@@ -178,7 +172,7 @@ static inline int xrstor_state(struct xs
 	 */
 	alternative_input(
 		"1: " XRSTOR,
-		"1: " XRSTORS,
+		XRSTORS,
 		X86_FEATURE_XSAVES,
 		"D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
 		: "memory");



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 060/177] iio: mxs-lradc: fix iio channel map regression
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 059/177] x86/fpu/xsaves: Fix improper uses of __ex_table Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 061/177] iio: imu: adis16400: Fix sign extension Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Wahren, Alexandre Belloni,
	Marek Vasut, Jonathan Cameron

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Wahren <stefan.wahren@i2se.com>

commit 03305e535cd5cdc1079b32909bf4b2dd67d46f7f upstream.

Since commit c8231a9af8147f8a ("iio: mxs-lradc: compute temperature
from channel 8 and 9") with the removal of adc channel 9 there is
no 1-1 mapping in the channel spec.

All hwmon channel values above 9 are accessible via there index minus
one. So add a hidden iio channel 9 to fix this issue.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/iio/adc/mxs-lradc.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/staging/iio/adc/mxs-lradc.c
+++ b/drivers/staging/iio/adc/mxs-lradc.c
@@ -1406,6 +1406,13 @@ static const struct iio_chan_spec mxs_lr
 		.channel = 8,
 		.scan_type = {.sign = 'u', .realbits = 18, .storagebits = 32,},
 	},
+	/* Hidden channel to keep indexes */
+	{
+		.type = IIO_TEMP,
+		.indexed = 1,
+		.scan_index = -1,
+		.channel = 9,
+	},
 	MXS_ADC_CHAN(10, IIO_VOLTAGE),	/* VDDIO */
 	MXS_ADC_CHAN(11, IIO_VOLTAGE),	/* VTH */
 	MXS_ADC_CHAN(12, IIO_VOLTAGE),	/* VDDA */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 061/177] iio: imu: adis16400: Fix sign extension
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 060/177] iio: mxs-lradc: fix iio channel map regression Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 067/177] iio:adc:mcp3422 Fix incorrect scales table Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Lars-Peter Clausen,
	Jonathan Cameron

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit 19e353f2b344ad86cea6ebbc0002e5f903480a90 upstream.

The intention is obviously to sign-extend a 12 bit quantity. But
because of C's promotion rules, the assignment is equivalent to "val16
&= 0xfff;". Use the proper API for this.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/imu/adis16400_core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/imu/adis16400_core.c
+++ b/drivers/iio/imu/adis16400_core.c
@@ -26,6 +26,7 @@
 #include <linux/list.h>
 #include <linux/module.h>
 #include <linux/debugfs.h>
+#include <linux/bitops.h>
 
 #include <linux/iio/iio.h>
 #include <linux/iio/sysfs.h>
@@ -414,7 +415,7 @@ static int adis16400_read_raw(struct iio
 		mutex_unlock(&indio_dev->mlock);
 		if (ret)
 			return ret;
-		val16 = ((val16 & 0xFFF) << 4) >> 4;
+		val16 = sign_extend32(val16, 11);
 		*val = val16;
 		return IIO_VAL_INT;
 	case IIO_CHAN_INFO_OFFSET:



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 067/177] iio:adc:mcp3422 Fix incorrect scales table
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 061/177] iio: imu: adis16400: Fix sign extension Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 068/177] IIO: si7020: Allocate correct amount of memory in devm_iio_device_alloc Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Angelo Compagnucci, Jonathan Cameron

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Angelo Compagnucci <angelo.compagnucci@gmail.com>

commit 9e128ced3851d2802b6db870f6b2e93f449ce013 upstream.

This patch fixes uncorrect order of mcp3422_scales table, the values
was erroneously transposed.
It removes also an unused array and a wrong comment.

Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/mcp3422.c |   17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

--- a/drivers/iio/adc/mcp3422.c
+++ b/drivers/iio/adc/mcp3422.c
@@ -58,20 +58,11 @@
 		.info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SAMP_FREQ), \
 	}
 
-/* LSB is in nV to eliminate floating point */
-static const u32 rates_to_lsb[] = {1000000, 250000, 62500, 15625};
-
-/*
- *  scales calculated as:
- *  rates_to_lsb[sample_rate] / (1 << pga);
- *  pga is 1 for 0, 2
- */
-
 static const int mcp3422_scales[4][4] = {
-	{ 1000000, 250000, 62500, 15625 },
-	{ 500000 , 125000, 31250, 7812 },
-	{ 250000 , 62500 , 15625, 3906 },
-	{ 125000 , 31250 , 7812 , 1953 } };
+	{ 1000000, 500000, 250000, 125000 },
+	{ 250000 , 125000, 62500 , 31250  },
+	{ 62500  , 31250 , 15625 , 7812   },
+	{ 15625  , 7812  , 3906  , 1953   } };
 
 /* Constant msleep times for data acquisitions */
 static const int mcp3422_read_times[4] = {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 068/177] IIO: si7020: Allocate correct amount of memory in devm_iio_device_alloc
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 067/177] iio:adc:mcp3422 Fix incorrect scales table Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 069/177] Revert "iio:humidity:si7020: fix pointer to i2c client" Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andrey Smirnov, Jonathan Cameron

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Smirnov <andrew.smirnov@gmail.com>

commit e01becbad300712a28f29b666e685536f45e83bc upstream.

Since only a pointer to struct i2c_client is stored in a private area
of IIO device created by the driver there's no need to allocate
sizeof(struct i2c_client) worth of storage.

Pushed to stable as this is linked to the revert patch previously.
Without this followup the original patch looks sensible.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/humidity/si7020.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/humidity/si7020.c
+++ b/drivers/iio/humidity/si7020.c
@@ -126,7 +126,7 @@ static int si7020_probe(struct i2c_clien
 	/* Wait the maximum power-up time after software reset. */
 	msleep(15);
 
-	indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*client));
+	indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*data));
 	if (!indio_dev)
 		return -ENOMEM;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 069/177] Revert "iio:humidity:si7020: fix pointer to i2c client"
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 068/177] IIO: si7020: Allocate correct amount of memory in devm_iio_device_alloc Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 070/177] mei: make device disabled on stop unconditionally Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jonathan Cameron

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jonathan Cameron <jic23@kernel.org>

commit e765537add38cf7967efa11999bb5daf84a6517d upstream.

This reverts commit e0922e5e3ccb78aa0152e93dfbd1755ac39c8582.
Requested by Andrey Smirnov.

It incorrectly assumes that the level of indirection is not needed
which is not true(probably because the driver incorrectly allocates
sizeof(*client) instead of sizeof(*data) via devm_iio_device_alloc).
If you look at the code of the probe function(see below) it is easy to
see that what is being stored in the private memory of the IIO device
instance is not a copy of a 'struct i2c_client' but a pointer to an
instance passed as an argument to the probe function.

struct i2c_client **data;
int ret;

< Some code skipped >

indio_dev = devm_iio_device_alloc(&client->dev, sizeof(*client));
if (!indio_dev)
return -ENOMEM;

data = iio_priv(indio_dev);
*data = client;

Without reverting this change any read of a raw value of this sensor
leads to a kernel oops due to a NULL pointer de-reference on my
hardware setup.

Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/humidity/si7020.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/humidity/si7020.c
+++ b/drivers/iio/humidity/si7020.c
@@ -45,12 +45,12 @@ static int si7020_read_raw(struct iio_de
 			   struct iio_chan_spec const *chan, int *val,
 			   int *val2, long mask)
 {
-	struct i2c_client *client = iio_priv(indio_dev);
+	struct i2c_client **client = iio_priv(indio_dev);
 	int ret;
 
 	switch (mask) {
 	case IIO_CHAN_INFO_RAW:
-		ret = i2c_smbus_read_word_data(client,
+		ret = i2c_smbus_read_word_data(*client,
 					       chan->type == IIO_TEMP ?
 					       SI7020CMD_TEMP_HOLD :
 					       SI7020CMD_RH_HOLD);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 070/177] mei: make device disabled on stop unconditionally
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 069/177] Revert "iio:humidity:si7020: fix pointer to i2c client" Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 071/177] Btrfs: fix fsync race leading to ordered extent memory leaks Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 6c15a8516b8118eb19a59fd0bd22df41b9101c32 upstream.

Set the internal device state to to disabled after hardware reset in stop flow.
This will cover cases when driver was not brought to disabled state because of
an error and in stop flow we wish not to retry the reset.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mei/init.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/misc/mei/init.c
+++ b/drivers/misc/mei/init.c
@@ -341,6 +341,8 @@ void mei_stop(struct mei_device *dev)
 
 	dev->dev_state = MEI_DEV_POWER_DOWN;
 	mei_reset(dev);
+	/* move device to disabled state unconditionally */
+	dev->dev_state = MEI_DEV_DISABLED;
 
 	mutex_unlock(&dev->device_lock);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 071/177] Btrfs: fix fsync race leading to ordered extent memory leaks
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 070/177] mei: make device disabled on stop unconditionally Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:07 ` [PATCH 3.19 072/177] btrfs: fix lost return value due to variable shadowing Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, Chris Mason

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 4d884fceaa2c838abb598778813e93f6d9fea723 upstream.

We can have multiple fsync operations against the same file during the
same transaction and they can collect the same ordered extents while they
don't complete (still accessible from the inode's ordered tree). If this
happens, those ordered extents will never get their reference counts
decremented to 0, leading to memory leaks and inode leaks (an iput for an
ordered extent's inode is scheduled only when the ordered extent's refcount
drops to 0). The following sequence diagram explains this race:

         CPU 1                                         CPU 2

btrfs_sync_file()

                                                 btrfs_sync_file()

  mutex_lock(inode->i_mutex)
  btrfs_log_inode()
    btrfs_get_logged_extents()
      --> collects ordered extent X
      --> increments ordered
          extent X's refcount
    btrfs_submit_logged_extents()
  mutex_unlock(inode->i_mutex)

                                                   mutex_lock(inode->i_mutex)
  btrfs_sync_log()
     btrfs_wait_logged_extents()
       --> list_del_init(&ordered->log_list)
                                                     btrfs_log_inode()
                                                       btrfs_get_logged_extents()
                                                         --> Adds ordered extent X
                                                             to logged_list because
                                                             at this point:
                                                             list_empty(&ordered->log_list)
                                                             && test_bit(BTRFS_ORDERED_LOGGED,
                                                                         &ordered->flags) == 0
                                                         --> Increments ordered extent
                                                             X's refcount
       --> check if ordered extent's io is
           finished or not, start it if
           necessary and wait for it to finish
       --> sets bit BTRFS_ORDERED_LOGGED
           on ordered extent X's flags
           and adds it to trans->ordered
  btrfs_sync_log() finishes

                                                       btrfs_submit_logged_extents()
                                                     btrfs_log_inode() finishes
                                                   mutex_unlock(inode->i_mutex)

btrfs_sync_file() finishes

                                                   btrfs_sync_log()
                                                      btrfs_wait_logged_extents()
                                                        --> Sees ordered extent X has the
                                                            bit BTRFS_ORDERED_LOGGED set in
                                                            its flags
                                                        --> X's refcount is untouched
                                                   btrfs_sync_log() finishes

                                                 btrfs_sync_file() finishes

btrfs_commit_transaction()
  --> called by transaction kthread for e.g.
  btrfs_wait_pending_ordered()
    --> waits for ordered extent X to
        complete
    --> decrements ordered extent X's
        refcount by 1 only, corresponding
        to the increment done by the fsync
        task ran by CPU 1

In the scenario of the above diagram, after the transaction commit,
the ordered extent will remain with a refcount of 1 forever, leaking
the ordered extent structure and preventing the i_count of its inode
from ever decreasing to 0, since the delayed iput is scheduled only
when the ordered extent's refcount drops to 0, preventing the inode
from ever being evicted by the VFS.

Fix this by using the flag BTRFS_ORDERED_LOGGED differently. Use it to
mean that an ordered extent is already being processed by an fsync call,
which will attach it to the current transaction, preventing it from being
collected by subsequent fsync operations against the same inode.

This race was introduced with the following change (added in 3.19 and
backported to stable 3.18 and 3.17):

  Btrfs: make sure logged extents complete in the current transaction V3
  commit 50d9aa99bd35c77200e0e3dd7a72274f8304701f

I ran into this issue while running xfstests/generic/113 in a loop, which
failed about 1 out of 10 runs with the following warning in dmesg:

[ 2612.440038] WARNING: CPU: 4 PID: 22057 at fs/btrfs/disk-io.c:3558 free_fs_root+0x36/0x133 [btrfs]()
[ 2612.442810] Modules linked in: btrfs crc32c_generic xor raid6_pq nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscache sunrpc loop processor parport_pc parport psmouse therma
l_sys i2c_piix4 serio_raw pcspkr evdev microcode button i2c_core ext4 crc16 jbd2 mbcache sd_mod sg sr_mod cdrom virtio_scsi ata_generic virtio_pci ata_piix virtio_ring libata virtio flo
ppy e1000 scsi_mod [last unloaded: btrfs]
[ 2612.452711] CPU: 4 PID: 22057 Comm: umount Tainted: G        W      3.19.0-rc5-btrfs-next-4+ #1
[ 2612.454921] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[ 2612.457709]  0000000000000009 ffff8801342c3c78 ffffffff8142425e ffff88023ec8f2d8
[ 2612.459829]  0000000000000000 ffff8801342c3cb8 ffffffff81045308 ffff880046460000
[ 2612.461564]  ffffffffa036da56 ffff88003d07b000 ffff880046460000 ffff880046460068
[ 2612.463163] Call Trace:
[ 2612.463719]  [<ffffffff8142425e>] dump_stack+0x4c/0x65
[ 2612.464789]  [<ffffffff81045308>] warn_slowpath_common+0xa1/0xbb
[ 2612.466026]  [<ffffffffa036da56>] ? free_fs_root+0x36/0x133 [btrfs]
[ 2612.467247]  [<ffffffff810453c5>] warn_slowpath_null+0x1a/0x1c
[ 2612.468416]  [<ffffffffa036da56>] free_fs_root+0x36/0x133 [btrfs]
[ 2612.469625]  [<ffffffffa036f2a7>] btrfs_drop_and_free_fs_root+0x93/0x9b [btrfs]
[ 2612.471251]  [<ffffffffa036f353>] btrfs_free_fs_roots+0xa4/0xd6 [btrfs]
[ 2612.472536]  [<ffffffff8142612e>] ? wait_for_completion+0x24/0x26
[ 2612.473742]  [<ffffffffa0370bbc>] close_ctree+0x1f3/0x33c [btrfs]
[ 2612.475477]  [<ffffffff81059d1d>] ? destroy_workqueue+0x148/0x1ba
[ 2612.476695]  [<ffffffffa034e3da>] btrfs_put_super+0x19/0x1b [btrfs]
[ 2612.477911]  [<ffffffff81153e53>] generic_shutdown_super+0x73/0xef
[ 2612.479106]  [<ffffffff811540e2>] kill_anon_super+0x13/0x1e
[ 2612.480226]  [<ffffffffa034e1e3>] btrfs_kill_super+0x17/0x23 [btrfs]
[ 2612.481471]  [<ffffffff81154307>] deactivate_locked_super+0x3b/0x50
[ 2612.482686]  [<ffffffff811547a7>] deactivate_super+0x3f/0x43
[ 2612.483791]  [<ffffffff8116b3ed>] cleanup_mnt+0x59/0x78
[ 2612.484842]  [<ffffffff8116b44c>] __cleanup_mnt+0x12/0x14
[ 2612.485900]  [<ffffffff8105d019>] task_work_run+0x8f/0xbc
[ 2612.486960]  [<ffffffff810028d8>] do_notify_resume+0x5a/0x6b
[ 2612.488083]  [<ffffffff81236e5b>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 2612.489333]  [<ffffffff8142a17f>] int_signal+0x12/0x17
[ 2612.490353] ---[ end trace 54a960a6bdcb8d93 ]---
[ 2612.557253] VFS: Busy inodes after unmount of sdb. Self-destruct in 5 seconds.  Have a nice day...

Kmemleak confirmed the ordered extent leak (and btrfs inode specific
structures such as delayed nodes):

$ cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff880154290db0 (size 576):
  comm "btrfsck", pid 21980, jiffies 4295542503 (age 1273.412s)
  hex dump (first 32 bytes):
    01 40 00 00 01 00 00 00 b0 1d f1 4e 01 88 ff ff  .@.........N....
    00 00 00 00 00 00 00 00 c8 0d 29 54 01 88 ff ff  ..........)T....
  backtrace:
    [<ffffffff8141d74d>] kmemleak_update_trace+0x4c/0x6a
    [<ffffffff8122f2c0>] radix_tree_node_alloc+0x6d/0x83
    [<ffffffff8122fb26>] __radix_tree_create+0x109/0x190
    [<ffffffff8122fbdd>] radix_tree_insert+0x30/0xac
    [<ffffffffa03b9bde>] btrfs_get_or_create_delayed_node+0x130/0x187 [btrfs]
    [<ffffffffa03bb82d>] btrfs_delayed_delete_inode_ref+0x32/0xac [btrfs]
    [<ffffffffa0379dae>] __btrfs_unlink_inode+0xee/0x288 [btrfs]
    [<ffffffffa037c715>] btrfs_unlink_inode+0x1e/0x40 [btrfs]
    [<ffffffffa037c797>] btrfs_unlink+0x60/0x9b [btrfs]
    [<ffffffff8115d7f0>] vfs_unlink+0x9c/0xed
    [<ffffffff8115f5de>] do_unlinkat+0x12c/0x1fa
    [<ffffffff811601a7>] SyS_unlinkat+0x29/0x2b
    [<ffffffff81429e92>] system_call_fastpath+0x12/0x17
    [<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff88014ef11db0 (size 576):
  comm "rm", pid 22009, jiffies 4295542593 (age 1273.052s)
  hex dump (first 32 bytes):
    02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 c8 1d f1 4e 01 88 ff ff  ...........N....
  backtrace:
    [<ffffffff8141d74d>] kmemleak_update_trace+0x4c/0x6a
    [<ffffffff8122f2c0>] radix_tree_node_alloc+0x6d/0x83
    [<ffffffff8122fb26>] __radix_tree_create+0x109/0x190
    [<ffffffff8122fbdd>] radix_tree_insert+0x30/0xac
    [<ffffffffa03b9bde>] btrfs_get_or_create_delayed_node+0x130/0x187 [btrfs]
    [<ffffffffa03bb82d>] btrfs_delayed_delete_inode_ref+0x32/0xac [btrfs]
    [<ffffffffa0379dae>] __btrfs_unlink_inode+0xee/0x288 [btrfs]
    [<ffffffffa037c715>] btrfs_unlink_inode+0x1e/0x40 [btrfs]
    [<ffffffffa037c797>] btrfs_unlink+0x60/0x9b [btrfs]
    [<ffffffff8115d7f0>] vfs_unlink+0x9c/0xed
    [<ffffffff8115f5de>] do_unlinkat+0x12c/0x1fa
    [<ffffffff811601a7>] SyS_unlinkat+0x29/0x2b
    [<ffffffff81429e92>] system_call_fastpath+0x12/0x17
    [<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff8800336feda8 (size 584):
  comm "aio-stress", pid 22031, jiffies 4295543006 (age 1271.400s)
  hex dump (first 32 bytes):
    00 40 3e 00 00 00 00 00 00 00 8f 42 00 00 00 00  .@>........B....
    00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8114eb34>] create_object+0x172/0x29a
    [<ffffffff8141d790>] kmemleak_alloc+0x25/0x41
    [<ffffffff81141ae6>] kmemleak_alloc_recursive.constprop.52+0x16/0x18
    [<ffffffff81145288>] kmem_cache_alloc+0xf7/0x198
    [<ffffffffa0389243>] __btrfs_add_ordered_extent+0x43/0x309 [btrfs]
    [<ffffffffa038968b>] btrfs_add_ordered_extent_dio+0x12/0x14 [btrfs]
    [<ffffffffa03810e2>] btrfs_get_blocks_direct+0x3ef/0x571 [btrfs]
    [<ffffffff81181349>] do_blockdev_direct_IO+0x62a/0xb47
    [<ffffffff8118189a>] __blockdev_direct_IO+0x34/0x36
    [<ffffffffa03776e5>] btrfs_direct_IO+0x16a/0x1e8 [btrfs]
    [<ffffffff81100373>] generic_file_direct_write+0xb8/0x12d
    [<ffffffffa038615c>] btrfs_file_write_iter+0x24b/0x42f [btrfs]
    [<ffffffff8118bb0d>] aio_run_iocb+0x2b7/0x32e
    [<ffffffff8118c99a>] do_io_submit+0x26e/0x2ff
    [<ffffffff8118ca3b>] SyS_io_submit+0x10/0x12
    [<ffffffff81429e92>] system_call_fastpath+0x12/0x17

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ordered-data.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/fs/btrfs/ordered-data.c
+++ b/fs/btrfs/ordered-data.c
@@ -452,9 +452,7 @@ void btrfs_get_logged_extents(struct ino
 			continue;
 		if (entry_end(ordered) <= start)
 			break;
-		if (!list_empty(&ordered->log_list))
-			continue;
-		if (test_bit(BTRFS_ORDERED_LOGGED, &ordered->flags))
+		if (test_and_set_bit(BTRFS_ORDERED_LOGGED, &ordered->flags))
 			continue;
 		list_add(&ordered->log_list, logged_list);
 		atomic_inc(&ordered->refs);
@@ -511,8 +509,7 @@ void btrfs_wait_logged_extents(struct bt
 		wait_event(ordered->wait, test_bit(BTRFS_ORDERED_IO_DONE,
 						   &ordered->flags));
 
-		if (!test_and_set_bit(BTRFS_ORDERED_LOGGED, &ordered->flags))
-			list_add_tail(&ordered->trans_list, &trans->ordered);
+		list_add_tail(&ordered->trans_list, &trans->ordered);
 		spin_lock_irq(&log->log_extents_lock[index]);
 	}
 	spin_unlock_irq(&log->log_extents_lock[index]);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 072/177] btrfs: fix lost return value due to variable shadowing
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 071/177] Btrfs: fix fsync race leading to ordered extent memory leaks Greg Kroah-Hartman
@ 2015-03-16 14:07 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 073/177] Btrfs: fix data loss in the fast fsync path Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:07 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Sterba, Chris Mason

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Sterba <dsterba@suse.cz>

commit 1932b7be973b554ffe20a5bba6ffaed6fa995cdc upstream.

A block-local variable stores error code but btrfs_get_blocks_direct may
not return it in the end as there's a ret defined in the function scope.

Fixes: d187663ef24c ("Btrfs: lock extents as we map them in DIO")
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |    1 -
 1 file changed, 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -7208,7 +7208,6 @@ static int btrfs_get_blocks_direct(struc
 	    ((BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW) &&
 	     em->block_start != EXTENT_MAP_HOLE)) {
 		int type;
-		int ret;
 		u64 block_start, orig_start, orig_block_len, ram_bytes;
 
 		if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags))



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 073/177] Btrfs: fix data loss in the fast fsync path
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2015-03-16 14:07 ` [PATCH 3.19 072/177] btrfs: fix lost return value due to variable shadowing Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 074/177] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, Chris Mason

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 3a8b36f378060d20062a0918e99fae39ff077bf0 upstream.

When using the fast file fsync code path we can miss the fact that new
writes happened since the last file fsync and therefore return without
waiting for the IO to finish and write the new extents to the fsync log.

Here's an example scenario where the fsync will miss the fact that new
file data exists that wasn't yet durably persisted:

1. fs_info->last_trans_committed == N - 1 and current transaction is
   transaction N (fs_info->generation == N);

2. do a buffered write;

3. fsync our inode, this clears our inode's full sync flag, starts
   an ordered extent and waits for it to complete - when it completes
   at btrfs_finish_ordered_io(), the inode's last_trans is set to the
   value N (via btrfs_update_inode_fallback -> btrfs_update_inode ->
   btrfs_set_inode_last_trans);

4. transaction N is committed, so fs_info->last_trans_committed is now
   set to the value N and fs_info->generation remains with the value N;

5. do another buffered write, when this happens btrfs_file_write_iter
   sets our inode's last_trans to the value N + 1 (that is
   fs_info->generation + 1 == N + 1);

6. transaction N + 1 is started and fs_info->generation now has the
   value N + 1;

7. transaction N + 1 is committed, so fs_info->last_trans_committed
   is set to the value N + 1;

8. fsync our inode - because it doesn't have the full sync flag set,
   we only start the ordered extent, we don't wait for it to complete
   (only in a later phase) therefore its last_trans field has the
   value N + 1 set previously by btrfs_file_write_iter(), and so we
   have:

       inode->last_trans <= fs_info->last_trans_committed
           (N + 1)              (N + 1)

   Which made us not log the last buffered write and exit the fsync
   handler immediately, returning success (0) to user space and resulting
   in data loss after a crash.

This can actually be triggered deterministically and the following excerpt
from a testcase I made for xfstests triggers the issue. It moves a dummy
file across directories and then fsyncs the old parent directory - this
is just to trigger a transaction commit, so moving files around isn't
directly related to the issue but it was chosen because running 'sync' for
example does more than just committing the current transaction, as it
flushes/waits for all file data to be persisted. The issue can also happen
at random periods, since the transaction kthread periodicaly commits the
current transaction (about every 30 seconds by default).
The body of the test is:

  _scratch_mkfs >> $seqres.full 2>&1
  _init_flakey
  _mount_flakey

  # Create our main test file 'foo', the one we check for data loss.
  # By doing an fsync against our file, it makes btrfs clear the 'needs_full_sync'
  # bit from its flags (btrfs inode specific flags).
  $XFS_IO_PROG -f -c "pwrite -S 0xaa 0 8K" \
                  -c "fsync" $SCRATCH_MNT/foo | _filter_xfs_io

  # Now create one other file and 2 directories. We will move this second file
  # from one directory to the other later because it forces btrfs to commit its
  # currently open transaction if we fsync the old parent directory. This is
  # necessary to trigger the data loss bug that affected btrfs.
  mkdir $SCRATCH_MNT/testdir_1
  touch $SCRATCH_MNT/testdir_1/bar
  mkdir $SCRATCH_MNT/testdir_2

  # Make sure everything is durably persisted.
  sync

  # Write more 8Kb of data to our file.
  $XFS_IO_PROG -c "pwrite -S 0xbb 8K 8K" $SCRATCH_MNT/foo | _filter_xfs_io

  # Move our 'bar' file into a new directory.
  mv $SCRATCH_MNT/testdir_1/bar $SCRATCH_MNT/testdir_2/bar

  # Fsync our first directory. Because it had a file moved into some other
  # directory, this made btrfs commit the currently open transaction. This is
  # a condition necessary to trigger the data loss bug.
  $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/testdir_1

  # Now fsync our main test file. If the fsync succeeds, we expect the 8Kb of
  # data we wrote previously to be persisted and available if a crash happens.
  # This did not happen with btrfs, because of the transaction commit that
  # happened when we fsynced the parent directory.
  $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo

  # Simulate a crash/power loss.
  _load_flakey_table $FLAKEY_DROP_WRITES
  _unmount_flakey

  _load_flakey_table $FLAKEY_ALLOW_WRITES
  _mount_flakey

  # Now check that all data we wrote before are available.
  echo "File content after log replay:"
  od -t x1 $SCRATCH_MNT/foo

  status=0
  exit

The expected golden output for the test, which is what we get with this
fix applied (or when running against ext3/4 and xfs), is:

  wrote 8192/8192 bytes at offset 0
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  wrote 8192/8192 bytes at offset 8192
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  File content after log replay:
  0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
  *
  0020000 bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb
  *
  0040000

Without this fix applied, the output shows the test file does not have
the second 8Kb extent that we successfully fsynced:

  wrote 8192/8192 bytes at offset 0
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  wrote 8192/8192 bytes at offset 8192
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  File content after log replay:
  0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
  *
  0020000

So fix this by skipping the fsync only if we're doing a full sync and
if the inode's last_trans is <= fs_info->last_trans_committed, or if
the inode is already in the log. Also remove setting the inode's
last_trans in btrfs_file_write_iter since it's useless/unreliable.

Also because btrfs_file_write_iter no longer sets inode->last_trans to
fs_info->generation + 1, don't set last_trans to 0 if we bail out and don't
bail out if last_trans is 0, otherwise something as simple as the following
example wouldn't log the second write on the last fsync:

  1. write to file

  2. fsync file

  3. fsync file
       |--> btrfs_inode_in_log() returns true and it set last_trans to 0

  4. write to file
       |--> btrfs_file_write_iter() no longers sets last_trans, so it
            remained with a value of 0
  5. fsync
       |--> inode->last_trans == 0, so it bails out without logging the
            second write

A test case for xfstests will be sent soon.

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/file.c |   56 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1811,22 +1811,10 @@ static ssize_t btrfs_file_write_iter(str
 	mutex_unlock(&inode->i_mutex);
 
 	/*
-	 * we want to make sure fsync finds this change
-	 * but we haven't joined a transaction running right now.
-	 *
-	 * Later on, someone is sure to update the inode and get the
-	 * real transid recorded.
-	 *
-	 * We set last_trans now to the fs_info generation + 1,
-	 * this will either be one more than the running transaction
-	 * or the generation used for the next transaction if there isn't
-	 * one running right now.
-	 *
 	 * We also have to set last_sub_trans to the current log transid,
 	 * otherwise subsequent syncs to a file that's been synced in this
 	 * transaction will appear to have already occured.
 	 */
-	BTRFS_I(inode)->last_trans = root->fs_info->generation + 1;
 	BTRFS_I(inode)->last_sub_trans = root->log_transid;
 	if (num_written > 0) {
 		err = generic_write_sync(file, pos, num_written);
@@ -1959,25 +1947,37 @@ int btrfs_sync_file(struct file *file, l
 	atomic_inc(&root->log_batch);
 
 	/*
-	 * check the transaction that last modified this inode
-	 * and see if its already been committed
-	 */
-	if (!BTRFS_I(inode)->last_trans) {
-		mutex_unlock(&inode->i_mutex);
-		goto out;
-	}
-
-	/*
-	 * if the last transaction that changed this file was before
-	 * the current transaction, we can bail out now without any
-	 * syncing
+	 * If the last transaction that changed this file was before the current
+	 * transaction and we have the full sync flag set in our inode, we can
+	 * bail out now without any syncing.
+	 *
+	 * Note that we can't bail out if the full sync flag isn't set. This is
+	 * because when the full sync flag is set we start all ordered extents
+	 * and wait for them to fully complete - when they complete they update
+	 * the inode's last_trans field through:
+	 *
+	 *     btrfs_finish_ordered_io() ->
+	 *         btrfs_update_inode_fallback() ->
+	 *             btrfs_update_inode() ->
+	 *                 btrfs_set_inode_last_trans()
+	 *
+	 * So we are sure that last_trans is up to date and can do this check to
+	 * bail out safely. For the fast path, when the full sync flag is not
+	 * set in our inode, we can not do it because we start only our ordered
+	 * extents and don't wait for them to complete (that is when
+	 * btrfs_finish_ordered_io runs), so here at this point their last_trans
+	 * value might be less than or equals to fs_info->last_trans_committed,
+	 * and setting a speculative last_trans for an inode when a buffered
+	 * write is made (such as fs_info->generation + 1 for example) would not
+	 * be reliable since after setting the value and before fsync is called
+	 * any number of transactions can start and commit (transaction kthread
+	 * commits the current transaction periodically), and a transaction
+	 * commit does not start nor waits for ordered extents to complete.
 	 */
 	smp_mb();
 	if (btrfs_inode_in_log(inode, root->fs_info->generation) ||
-	    BTRFS_I(inode)->last_trans <=
-	    root->fs_info->last_trans_committed) {
-		BTRFS_I(inode)->last_trans = 0;
-
+	    (full_sync && BTRFS_I(inode)->last_trans <=
+	     root->fs_info->last_trans_committed)) {
 		/*
 		 * We'v had everything committed since the last time we were
 		 * modified so clear this flag in case it was set for whatever



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 074/177] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 073/177] Btrfs: fix data loss in the fast fsync path Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 075/177] KVM: emulate: fix CMPXCHG8B on 32-bit hosts Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Casasnovas, David Sterba,
	Chris Mason

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quentin Casasnovas <quentin.casasnovas@oracle.com>

commit dd9ef135e3542ffc621c4eb7f0091870ec7a1504 upstream.

Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1010,7 +1010,7 @@ again:
 		base = btrfs_item_ptr_offset(leaf, path->slots[0]);
 
 		while (cur_offset < item_size) {
-			extref = (struct btrfs_inode_extref *)base + cur_offset;
+			extref = (struct btrfs_inode_extref *)(base + cur_offset);
 
 			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 075/177] KVM: emulate: fix CMPXCHG8B on 32-bit hosts
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 074/177] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 076/177] KVM: MIPS: Fix trace event to save PC directly Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Erik Rull, Paolo Bonzini

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 4ff6f8e61eb7f96d3ca535c6d240f863ccd6fb7d upstream.

This has been broken for a long time: it broke first in 2.6.35, then was
almost fixed in 2.6.36 but this one-liner slipped through the cracks.
The bug shows up as an infinite loop in Windows 7 (and newer) boot on
32-bit hosts without EPT.

Windows uses CMPXCHG8B to write to page tables, which causes a
page fault if running without EPT; the emulator is then called from
kvm_mmu_page_fault.  The loop then happens if the higher 4 bytes are
not 0; the common case for this is that the NX bit (bit 63) is 1.

Fixes: 6550e1f165f384f3a46b60a1be9aba4bc3c2adad
Fixes: 16518d5ada690643453eb0aef3cc7841d3623c2d
Reported-by: Erik Rull <erik.rull@rdsoftware.de>
Tested-by: Erik Rull <erik.rull@rdsoftware.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/emulate.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4863,7 +4863,8 @@ int x86_emulate_insn(struct x86_emulate_
 		if (rc != X86EMUL_CONTINUE)
 			goto done;
 	}
-	ctxt->dst.orig_val = ctxt->dst.val;
+	/* Copy full 64-bit value for CMPXCHG8B.  */
+	ctxt->dst.orig_val64 = ctxt->dst.val64;
 
 special_insn:
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 076/177] KVM: MIPS: Fix trace event to save PC directly
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 075/177] KVM: emulate: fix CMPXCHG8B on 32-bit hosts Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 077/177] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS539 Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hogan, Paolo Bonzini,
	Ralf Baechle, Marcelo Tosatti, Gleb Natapov, Steven Rostedt,
	Ingo Molnar, linux-mips, kvm

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit b3cffac04eca9af46e1e23560a8ee22b1bd36d43 upstream.

Currently the guest exit trace event saves the VCPU pointer to the
structure, and the guest PC is retrieved by dereferencing it when the
event is printed rather than directly from the trace record. This isn't
safe as the printing may occur long afterwards, after the PC has changed
and potentially after the VCPU has been freed. Usually this results in
the same (wrong) PC being printed for multiple trace events. It also
isn't portable as userland has no way to access the VCPU data structure
when interpreting the trace record itself.

Lets save the actual PC in the structure so that the correct value is
accessible later.

Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kvm/trace.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/mips/kvm/trace.h
+++ b/arch/mips/kvm/trace.h
@@ -24,18 +24,18 @@ TRACE_EVENT(kvm_exit,
 	    TP_PROTO(struct kvm_vcpu *vcpu, unsigned int reason),
 	    TP_ARGS(vcpu, reason),
 	    TP_STRUCT__entry(
-			__field(struct kvm_vcpu *, vcpu)
+			__field(unsigned long, pc)
 			__field(unsigned int, reason)
 	    ),
 
 	    TP_fast_assign(
-			__entry->vcpu = vcpu;
+			__entry->pc = vcpu->arch.pc;
 			__entry->reason = reason;
 	    ),
 
 	    TP_printk("[%s]PC: 0x%08lx",
 		      kvm_mips_exit_types_str[__entry->reason],
-		      __entry->vcpu->arch.pc)
+		      __entry->pc)
 );
 
 #endif /* _TRACE_KVM_H */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 077/177] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS539
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 076/177] KVM: MIPS: Fix trace event to save PC directly Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 078/177] Revert "USB: serial: make bulk_out_size a lower limit" Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 59e980efafd27df83a5c85c054f906d82bcbf752 upstream.

Like the JMicron JMS567 enclosures with the JMS539 choke on report-opcodes,
so avoid it.

Tested-and-reported-by: Tom Arild Naess <tanaess@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/storage/unusual_uas.h |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -113,6 +113,13 @@ UNUSUAL_DEV(0x0bc2, 0xab2a, 0x0000, 0x99
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_NO_ATA_1X),
 
+/* Reported-by: Tom Arild Naess <tanaess@gmail.com> */
+UNUSUAL_DEV(0x152d, 0x0539, 0x0000, 0x9999,
+		"JMicron",
+		"JMS539",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_NO_REPORT_OPCODES),
+
 /* Reported-by: Claudio Bizzarri <claudio.bizzarri@gmail.com> */
 UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999,
 		"JMicron",



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 078/177] Revert "USB: serial: make bulk_out_size a lower limit"
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 077/177] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS539 Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 079/177] USB: serial: cp210x: Adding Seletek device ids Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Li, Elvin, Johan Hovold

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit bc4b1f486fe69b86769e07c8edce472327a8462b upstream.

This reverts commit 5083fd7bdfe6760577235a724cf6dccae13652c2.

A bulk-out size smaller than the end-point size is indeed valid. The
offending commit broke the usb-debug driver for EHCI debug devices,
which use 8-byte buffers.

Fixes: 5083fd7bdfe6 ("USB: serial: make bulk_out_size a lower limit")
Reported-by: "Li, Elvin" <elvin.li@intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/usb-serial.c |    5 +++--
 include/linux/usb/serial.h      |    3 +--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -940,8 +940,9 @@ static int usb_serial_probe(struct usb_i
 		port = serial->port[i];
 		if (kfifo_alloc(&port->write_fifo, PAGE_SIZE, GFP_KERNEL))
 			goto probe_error;
-		buffer_size = max_t(int, serial->type->bulk_out_size,
-						usb_endpoint_maxp(endpoint));
+		buffer_size = serial->type->bulk_out_size;
+		if (!buffer_size)
+			buffer_size = usb_endpoint_maxp(endpoint);
 		port->bulk_out_size = buffer_size;
 		port->bulk_out_endpointAddress = endpoint->bEndpointAddress;
 
--- a/include/linux/usb/serial.h
+++ b/include/linux/usb/serial.h
@@ -190,8 +190,7 @@ static inline void usb_set_serial_data(s
  * @num_ports: the number of different ports this device will have.
  * @bulk_in_size: minimum number of bytes to allocate for bulk-in buffer
  *	(0 = end-point size)
- * @bulk_out_size: minimum number of bytes to allocate for bulk-out buffer
- *	(0 = end-point size)
+ * @bulk_out_size: bytes to allocate for bulk-out buffer (0 = end-point size)
  * @calc_num_ports: pointer to a function to determine how many ports this
  *	device has dynamically.  It will be called after the probe()
  *	callback is called, but before attach()



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 079/177] USB: serial: cp210x: Adding Seletek device ids
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 078/177] Revert "USB: serial: make bulk_out_size a lower limit" Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 080/177] USB: mxuport: fix null deref when used as a console Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michiel van de Garde, Johan Hovold

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michiel vd Garde <mgparser@gmail.com>

commit 675af70856d7cc026be8b6ea7a8b9db10b8b38a1 upstream.

These device ID's are not associated with the cp210x module currently,
but should be. This patch allows the devices to operate upon connecting
them to the usb bus as intended.

Signed-off-by: Michiel van de Garde <mgparser@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cp210x.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -147,6 +147,8 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x166A, 0x0305) }, /* Clipsal C-5000CT2 C-Bus Spectrum Colour Touchscreen */
 	{ USB_DEVICE(0x166A, 0x0401) }, /* Clipsal L51xx C-Bus Architectural Dimmer */
 	{ USB_DEVICE(0x166A, 0x0101) }, /* Clipsal 5560884 C-Bus Multi-room Audio Matrix Switcher */
+	{ USB_DEVICE(0x16C0, 0x09B0) }, /* Lunatico Seletek */
+	{ USB_DEVICE(0x16C0, 0x09B1) }, /* Lunatico Seletek */
 	{ USB_DEVICE(0x16D6, 0x0001) }, /* Jablotron serial interface */
 	{ USB_DEVICE(0x16DC, 0x0010) }, /* W-IE-NE-R Plein & Baus GmbH PL512 Power Supply */
 	{ USB_DEVICE(0x16DC, 0x0011) }, /* W-IE-NE-R Plein & Baus GmbH RCM Remote Control for MARATON Power Supply */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 080/177] USB: mxuport: fix null deref when used as a console
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 079/177] USB: serial: cp210x: Adding Seletek device ids Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 081/177] USB: usbfs: dont leak kernel data in siginfo Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Greg Kroah-Hartman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit db81de767e375743ebb0ad2bcad3326962c2b67e upstream.

Fix null-pointer dereference at probe when the device is used as a
console, in which case the tty argument to open will be NULL.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX
driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mxuport.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -1284,7 +1284,8 @@ static int mxuport_open(struct tty_struc
 	}
 
 	/* Initial port termios */
-	mxuport_set_termios(tty, port, NULL);
+	if (tty)
+		mxuport_set_termios(tty, port, NULL);
 
 	/*
 	 * TODO: use RQ_VENDOR_GET_MSR, once we know what it



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 081/177] USB: usbfs: dont leak kernel data in siginfo
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 080/177] USB: mxuport: fix null deref when used as a console Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 082/177] USB: ftdi_sio: add PIDs for Actisense USB devices Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Dave Mielke

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit f0c2b68198589249afd2b1f2c4e8de8c03e19c16 upstream.

When a signal is delivered, the information in the siginfo structure
is copied to userspace.  Good security practice dicatates that the
unused fields in this structure should be initialized to 0 so that
random kernel stack data isn't exposed to the user.  This patch adds
such an initialization to the two places where usbfs raises signals.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Dave Mielke <dave@mielke.cc>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/devio.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -501,6 +501,7 @@ static void async_completed(struct urb *
 	as->status = urb->status;
 	signr = as->signr;
 	if (signr) {
+		memset(&sinfo, 0, sizeof(sinfo));
 		sinfo.si_signo = as->signr;
 		sinfo.si_errno = as->status;
 		sinfo.si_code = SI_ASYNCIO;
@@ -2371,6 +2372,7 @@ static void usbdev_remove(struct usb_dev
 		wake_up_all(&ps->wait);
 		list_del_init(&ps->list);
 		if (ps->discsignr) {
+			memset(&sinfo, 0, sizeof(sinfo));
 			sinfo.si_signo = ps->discsignr;
 			sinfo.si_errno = EPIPE;
 			sinfo.si_code = SI_ASYNCIO;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 082/177] USB: ftdi_sio: add PIDs for Actisense USB devices
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 081/177] USB: usbfs: dont leak kernel data in siginfo Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 083/177] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mark Glover, Johan Hovold

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Glover <mark@actisense.com>

commit f6950344d3cf4a1e231b5828b50c4ac168db3886 upstream.

These product identifiers (PID) all deal with marine NMEA format data
used on motor boats and yachts. We supply the programmed devices to
Chetco, for use inside their equipment. The PIDs are a direct copy of
our Windows device drivers (FTDI drivers with altered PIDs).

Signed-off-by: Mark Glover <mark@actisense.com>
[johan: edit commit message slightly ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |   17 +++++++++++++++++
 drivers/usb/serial/ftdi_sio_ids.h |   20 ++++++++++++++++++++
 2 files changed, 37 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -978,6 +978,23 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE_INTERFACE_NUMBER(INFINEON_VID, INFINEON_TRIBOARD_PID, 1) },
 	/* GE Healthcare devices */
 	{ USB_DEVICE(GE_HEALTHCARE_VID, GE_HEALTHCARE_NEMO_TRACKER_PID) },
+	/* Active Research (Actisense) devices */
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_NDC_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_USG_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_NGT_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_NGW_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AC_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AD_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AE_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AF_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEAGAUGE_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASWITCH_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_NMEA2000_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ETHERNET_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_WIFI_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1438,3 +1438,23 @@
  */
 #define GE_HEALTHCARE_VID		0x1901
 #define GE_HEALTHCARE_NEMO_TRACKER_PID	0x0015
+
+/*
+ * Active Research (Actisense) devices
+ */
+#define ACTISENSE_NDC_PID		0xD9A8 /* NDC USB Serial Adapter */
+#define ACTISENSE_USG_PID		0xD9A9 /* USG USB Serial Adapter */
+#define ACTISENSE_NGT_PID		0xD9AA /* NGT NMEA2000 Interface */
+#define ACTISENSE_NGW_PID		0xD9AB /* NGW NMEA2000 Gateway */
+#define ACTISENSE_D9AC_PID		0xD9AC /* Actisense Reserved */
+#define ACTISENSE_D9AD_PID		0xD9AD /* Actisense Reserved */
+#define ACTISENSE_D9AE_PID		0xD9AE /* Actisense Reserved */
+#define ACTISENSE_D9AF_PID		0xD9AF /* Actisense Reserved */
+#define CHETCO_SEAGAUGE_PID		0xA548 /* SeaGauge USB Adapter */
+#define CHETCO_SEASWITCH_PID		0xA549 /* SeaSwitch USB Adapter */
+#define CHETCO_SEASMART_NMEA2000_PID	0xA54A /* SeaSmart NMEA2000 Gateway */
+#define CHETCO_SEASMART_ETHERNET_PID	0xA54B /* SeaSmart Ethernet Gateway */
+#define CHETCO_SEASMART_WIFI_PID	0xA5AC /* SeaSmart Wifi Gateway */
+#define CHETCO_SEASMART_DISPLAY_PID	0xA5AD /* SeaSmart NMEA2000 Display */
+#define CHETCO_SEASMART_LITE_PID	0xA5AE /* SeaSmart Lite USB Adapter */
+#define CHETCO_SEASMART_ANALOG_PID	0xA5AF /* SeaSmart Analog Adapter */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 083/177] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 082/177] USB: ftdi_sio: add PIDs for Actisense USB devices Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 084/177] usb: dwc3: dwc3-omap: Fix disable IRQ Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Mansfield, Johan Hovold

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Mansfield <max.m.mansfield@gmail.com>

commit c7d373c3f0da2b2b78c4b1ce5ae41485b3ef848c upstream.

This patch integrates Cyber Cortex AV boards with the existing
ftdi_jtag_quirk in order to use serial port 0 with JTAG which is
required by the manufacturers' software.

Steps: 2

[ftdi_sio_ids.h]
1. Defined the device PID

[ftdi_sio.c]
2. Added a macro declaration to the ids array, in order to enable the
jtag quirk for the device.

Signed-off-by: Max Mansfield <max.m.mansfield@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |    2 ++
 drivers/usb/serial/ftdi_sio_ids.h |    3 +++
 2 files changed, 5 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -799,6 +799,8 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) },
+	{ USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID),
+		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID),
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID),
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -38,6 +38,9 @@
 
 #define FTDI_LUMEL_PD12_PID	0x6002
 
+/* Cyber Cortex AV by Fabulous Silicon (http://fabuloussilicon.com) */
+#define CYBER_CORTEX_AV_PID	0x8698
+
 /*
  * Marvell OpenRD Base, Client
  * http://www.open-rd.org



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 084/177] usb: dwc3: dwc3-omap: Fix disable IRQ
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 083/177] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 085/177] usb: gadget: configfs: dont NUL-terminate (sub)compatible ids Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, George Cherian, Felipe Balbi

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: George Cherian <george.cherian@ti.com>

commit 96e5d31244c5542f5b2ea81d76f14ba4b8a7d440 upstream.

In the wrapper the IRQ disable should be done by writing 1's to the
IRQ*_CLR register. Existing code is broken because it instead writes
zeros to IRQ*_SET register.

Fix this by adding functions dwc3_omap_write_irqmisc_clr() and
dwc3_omap_write_irq0_clr() which do the right thing.

Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Signed-off-by: George Cherian <george.cherian@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc3/dwc3-omap.c |   30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

--- a/drivers/usb/dwc3/dwc3-omap.c
+++ b/drivers/usb/dwc3/dwc3-omap.c
@@ -205,6 +205,18 @@ static void dwc3_omap_write_irq0_set(str
 						omap->irq0_offset, value);
 }
 
+static void dwc3_omap_write_irqmisc_clr(struct dwc3_omap *omap, u32 value)
+{
+	dwc3_omap_writel(omap->base, USBOTGSS_IRQENABLE_CLR_MISC +
+						omap->irqmisc_offset, value);
+}
+
+static void dwc3_omap_write_irq0_clr(struct dwc3_omap *omap, u32 value)
+{
+	dwc3_omap_writel(omap->base, USBOTGSS_IRQENABLE_CLR_0 -
+						omap->irq0_offset, value);
+}
+
 static void dwc3_omap_set_mailbox(struct dwc3_omap *omap,
 	enum omap_dwc3_vbus_id_status status)
 {
@@ -345,9 +357,23 @@ static void dwc3_omap_enable_irqs(struct
 
 static void dwc3_omap_disable_irqs(struct dwc3_omap *omap)
 {
+	u32			reg;
+
 	/* disable all IRQs */
-	dwc3_omap_write_irqmisc_set(omap, 0x00);
-	dwc3_omap_write_irq0_set(omap, 0x00);
+	reg = USBOTGSS_IRQO_COREIRQ_ST;
+	dwc3_omap_write_irq0_clr(omap, reg);
+
+	reg = (USBOTGSS_IRQMISC_OEVT |
+			USBOTGSS_IRQMISC_DRVVBUS_RISE |
+			USBOTGSS_IRQMISC_CHRGVBUS_RISE |
+			USBOTGSS_IRQMISC_DISCHRGVBUS_RISE |
+			USBOTGSS_IRQMISC_IDPULLUP_RISE |
+			USBOTGSS_IRQMISC_DRVVBUS_FALL |
+			USBOTGSS_IRQMISC_CHRGVBUS_FALL |
+			USBOTGSS_IRQMISC_DISCHRGVBUS_FALL |
+			USBOTGSS_IRQMISC_IDPULLUP_FALL);
+
+	dwc3_omap_write_irqmisc_clr(omap, reg);
 }
 
 static u64 dwc3_omap_dma_mask = DMA_BIT_MASK(32);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 085/177] usb: gadget: configfs: dont NUL-terminate (sub)compatible ids
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 084/177] usb: dwc3: dwc3-omap: Fix disable IRQ Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 086/177] usb: XHCI: platform: Move the Marvell quirks after the enabling the clocks Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Andrzej Pietrasiewicz,
	Felipe Balbi

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrzej Pietrasiewicz <andrzej.p@samsung.com>

commit a0456399fb07155637a2b597b91cc1c63bc25141 upstream.

The "Extended Compat ID OS Feature Descriptor Specification" does not
require the (sub)compatible ids to be NUL-terminated, because they
are placed in a fixed-size buffer and only unused parts of it should
contain NULs. If the buffer is fully utilized, there is no place for NULs.

Consequently, the code which uses desc->ext_compat_id never expects the
data contained to be NUL terminated.

If the compatible id is stored after sub-compatible id, and the compatible
id is full length (8 bytes), the (useless) NUL terminator overwrites the
first byte of the sub-compatible id.

If the sub-compatible id is full length (8 bytes), the (useless) NUL
terminator ends up out of the buffer. The situation can happen in the RNDIS
function, where the buffer is a part of struct f_rndis_opts. The next
member of struct f_rndis_opts is a mutex, so its first byte gets
overwritten. The said byte is a part of a mutex'es member which contains
the information on whether the muext is locked or not. This can lead to a
deadlock, because, in a configfs-composed gadget when a function is linked
into a configuration with config_usb_cfg_link(), usb_get_function()
is called, which then calls rndis_alloc(), which tries locking the same
mutex and (wrongly) finds it already locked.

This patch eliminates NUL terminating of the (sub)compatible id.

Fixes: da4243145fb1: "usb: gadget: configfs: OS Extended Compatibility descriptors support"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/configfs.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -1161,7 +1161,6 @@ static ssize_t interf_grp_compatible_id_
 	if (desc->opts_mutex)
 		mutex_lock(desc->opts_mutex);
 	memcpy(desc->ext_compat_id, page, l);
-	desc->ext_compat_id[l] = '\0';
 
 	if (desc->opts_mutex)
 		mutex_unlock(desc->opts_mutex);
@@ -1192,7 +1191,6 @@ static ssize_t interf_grp_sub_compatible
 	if (desc->opts_mutex)
 		mutex_lock(desc->opts_mutex);
 	memcpy(desc->ext_compat_id + 8, page, l);
-	desc->ext_compat_id[l + 8] = '\0';
 
 	if (desc->opts_mutex)
 		mutex_unlock(desc->opts_mutex);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 086/177] usb: XHCI: platform: Move the Marvell quirks after the enabling the clocks
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 085/177] usb: gadget: configfs: dont NUL-terminate (sub)compatible ids Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 087/177] xhci: Allocate correct amount of scratchpad buffers Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxime Ripard, Mathias Nyman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxime Ripard <maxime.ripard@free-electrons.com>

commit 1e7e4fb66489cc84366656ca5318f1cb61afd4ba upstream.

The commit 973747928514 ("usb: host: xhci-plat: add support for the Armada
375/38x XHCI controllers") extended the xhci-plat driver to support the Armada
375/38x SoCs, mostly by adding a quirk configuring the MBUS window.

However, that quirk was run before the clock the controllers needs has been
enabled. This usually worked because the clock was first enabled by the
bootloader, and left as such until the driver is probe, where it tries to
access the MBUS configuration registers before enabling the clock.

Things get messy when EPROBE_DEFER is involved during the probe, since as part
of its error path, the driver will rightfully disable the clock. When the
driver will be reprobed, it will retry to access the MBUS registers, but this
time with the clock disabled, which hangs forever.

Fix this by running the quirks after the clock has been enabled by the driver.

Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-plat.c |   19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -83,16 +83,6 @@ static int xhci_plat_probe(struct platfo
 	if (irq < 0)
 		return -ENODEV;
 
-
-	if (of_device_is_compatible(pdev->dev.of_node,
-				    "marvell,armada-375-xhci") ||
-	    of_device_is_compatible(pdev->dev.of_node,
-				    "marvell,armada-380-xhci")) {
-		ret = xhci_mvebu_mbus_init_quirk(pdev);
-		if (ret)
-			return ret;
-	}
-
 	/* Initialize dma_mask and coherent_dma_mask to 32-bits */
 	ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
 	if (ret)
@@ -127,6 +117,15 @@ static int xhci_plat_probe(struct platfo
 			goto put_hcd;
 	}
 
+	if (of_device_is_compatible(pdev->dev.of_node,
+				    "marvell,armada-375-xhci") ||
+	    of_device_is_compatible(pdev->dev.of_node,
+				    "marvell,armada-380-xhci")) {
+		ret = xhci_mvebu_mbus_init_quirk(pdev);
+		if (ret)
+			goto disable_clk;
+	}
+
 	ret = usb_add_hcd(hcd, irq, IRQF_SHARED);
 	if (ret)
 		goto disable_clk;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 087/177] xhci: Allocate correct amount of scratchpad buffers
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 086/177] usb: XHCI: platform: Move the Marvell quirks after the enabling the clocks Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 088/177] xhci: fix reporting of 0-sized URBs in control endpoint Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tim Chen, Mathias Nyman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 6596a926b0b6c80b730a1dd2fa91908e0a539c37 upstream.

Include the high order bit fields for Max scratchpad buffers when
calculating how many scratchpad buffers are needed.

I'm suprised this hasn't caused more issues, we never allocated more than
32 buffers even if xhci needed more. Either we got lucky and xhci never
really used past that area, or then we got enough zeroed dma memory anyway.

Should be backported as far back as possible

Reported-by: Tim Chen <tim.c.chen@linux.intel.com>
Tested-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci.h |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -88,9 +88,10 @@ struct xhci_cap_regs {
 #define HCS_IST(p)		(((p) >> 0) & 0xf)
 /* bits 4:7, max number of Event Ring segments */
 #define HCS_ERST_MAX(p)		(((p) >> 4) & 0xf)
+/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */
 /* bit 26 Scratchpad restore - for save/restore HW state - not used yet */
-/* bits 27:31 number of Scratchpad buffers SW must allocate for the HW */
-#define HCS_MAX_SCRATCHPAD(p)   (((p) >> 27) & 0x1f)
+/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */
+#define HCS_MAX_SCRATCHPAD(p)   ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f))
 
 /* HCSPARAMS3 - hcs_params3 - bitmasks */
 /* bits 0:7, Max U1 to U0 latency for the roothub ports */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 088/177] xhci: fix reporting of 0-sized URBs in control endpoint
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 087/177] xhci: Allocate correct amount of scratchpad buffers Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 089/177] xhci: Workaround for PME stuck issues in Intel xhci Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aleksander Morgado, Mathias Nyman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksander Morgado <aleksander@aleksander.es>

commit 45ba2154d12fc43b70312198ec47085f10be801a upstream.

When a control transfer has a short data stage, the xHCI controller generates
two transfer events: a COMP_SHORT_TX event that specifies the untransferred
amount, and a COMP_SUCCESS event. But when the data stage is not short, only the
COMP_SUCCESS event occurs. Therefore, xhci-hcd must set urb->actual_length to
urb->transfer_buffer_length while processing the COMP_SUCCESS event, unless
urb->actual_length was set already by a previous COMP_SHORT_TX event.

The driver checks this by seeing whether urb->actual_length == 0, but this alone
is the wrong test, as it is entirely possible for a short transfer to have an
urb->actual_length = 0.

This patch changes the xhci driver to rely on a new td->urb_length_set flag,
which is set to true when a COMP_SHORT_TX event is received and the URB length
updated at that stage.

This fixes a bug which affected the HSO plugin, which relies on URBs with
urb->actual_length == 0 to halt re-submitting the RX URB in the control
endpoint.

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |   10 ++++++++--
 drivers/usb/host/xhci.h      |    3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1946,7 +1946,7 @@ static int process_ctrl_td(struct xhci_h
 	if (event_trb != ep_ring->dequeue) {
 		/* The event was for the status stage */
 		if (event_trb == td->last_trb) {
-			if (td->urb->actual_length != 0) {
+			if (td->urb_length_set) {
 				/* Don't overwrite a previously set error code
 				 */
 				if ((*status == -EINPROGRESS || *status == 0) &&
@@ -1960,7 +1960,13 @@ static int process_ctrl_td(struct xhci_h
 					td->urb->transfer_buffer_length;
 			}
 		} else {
-		/* Maybe the event was for the data stage? */
+			/*
+			 * Maybe the event was for the data stage? If so, update
+			 * already the actual_length of the URB and flag it as
+			 * set, so that it is not overwritten in the event for
+			 * the last TRB.
+			 */
+			td->urb_length_set = true;
 			td->urb->actual_length =
 				td->urb->transfer_buffer_length -
 				EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1,3 +1,4 @@
+
 /*
  * xHCI host controller driver
  *
@@ -1289,6 +1290,8 @@ struct xhci_td {
 	struct xhci_segment	*start_seg;
 	union xhci_trb		*first_trb;
 	union xhci_trb		*last_trb;
+	/* actual_length of the URB has already been set */
+	bool			urb_length_set;
 };
 
 /* xHCI command default timeout value */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 089/177] xhci: Workaround for PME stuck issues in Intel xhci
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 088/177] xhci: fix reporting of 0-sized URBs in control endpoint Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 090/177] mac80211: Send EAPOL frames at lowest rate Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathias Nyman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit b8cb91e058cd0c0f02059c1207293c5b31d350fa upstream.

The xhci in Intel Sunrisepoint and Cherryview platforms need a driver
workaround for a Stuck PME that might either block PME events in suspend,
or create spurious PME events preventing runtime suspend.

Workaround is to clear a internal PME flag, BIT(28) in a vendor specific
PMCTRL register at offset 0x80a4, in both suspend resume callbacks

Without this, xhci connected usb devices might never be able to wake up the
system from suspend, or prevent device from going to suspend (xhci d3)

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-pci.c |   30 ++++++++++++++++++++++++++++++
 drivers/usb/host/xhci.h     |    1 +
 2 files changed, 31 insertions(+)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -37,6 +37,9 @@
 
 #define PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI	0x8c31
 #define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI	0x9c31
+#define PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI		0x22b5
+#define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI		0xa12f
+#define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI	0x9d2f
 
 static const char hcd_name[] = "xhci_hcd";
 
@@ -133,6 +136,12 @@ static void xhci_pci_quirks(struct devic
 		pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) {
 		xhci->quirks |= XHCI_SPURIOUS_REBOOT;
 	}
+	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+		(pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
+		 pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
+		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI)) {
+		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
+	}
 	if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
 			pdev->device == PCI_DEVICE_ID_EJ168) {
 		xhci->quirks |= XHCI_RESET_ON_RESUME;
@@ -159,6 +168,21 @@ static void xhci_pci_quirks(struct devic
 				"QUIRK: Resetting on resume");
 }
 
+/*
+ * Make sure PME works on some Intel xHCI controllers by writing 1 to clear
+ * the Internal PME flag bit in vendor specific PMCTRL register at offset 0x80a4
+ */
+static void xhci_pme_quirk(struct xhci_hcd *xhci)
+{
+	u32 val;
+	void __iomem *reg;
+
+	reg = (void __iomem *) xhci->cap_regs + 0x80a4;
+	val = readl(reg);
+	writel(val | BIT(28), reg);
+	readl(reg);
+}
+
 /* called during probe() after chip reset completes */
 static int xhci_pci_setup(struct usb_hcd *hcd)
 {
@@ -283,6 +307,9 @@ static int xhci_pci_suspend(struct usb_h
 	if (xhci->quirks & XHCI_COMP_MODE_QUIRK)
 		pdev->no_d3cold = true;
 
+	if (xhci->quirks & XHCI_PME_STUCK_QUIRK)
+		xhci_pme_quirk(xhci);
+
 	return xhci_suspend(xhci, do_wakeup);
 }
 
@@ -313,6 +340,9 @@ static int xhci_pci_resume(struct usb_hc
 	if (pdev->vendor == PCI_VENDOR_ID_INTEL)
 		usb_enable_intel_xhci_ports(pdev);
 
+	if (xhci->quirks & XHCI_PME_STUCK_QUIRK)
+		xhci_pme_quirk(xhci);
+
 	retval = xhci_resume(xhci, hibernated);
 	return retval;
 }
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1564,6 +1564,7 @@ struct xhci_hcd {
 #define XHCI_SPURIOUS_WAKEUP	(1 << 18)
 /* For controllers with a broken beyond repair streams implementation */
 #define XHCI_BROKEN_STREAMS	(1 << 19)
+#define XHCI_PME_STUCK_QUIRK	(1 << 20)
 	unsigned int		num_active_eps;
 	unsigned int		limit_active_eps;
 	/* There are two roothubs to keep track of bus suspend info for */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 090/177] mac80211: Send EAPOL frames at lowest rate
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 089/177] xhci: Workaround for PME stuck issues in Intel xhci Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 091/177] mac80211: notify channel switch at the end of ieee80211_chswitch_post_beacon() Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Jouni Malinen, Johannes Berg

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Malinen <jouni@qca.qualcomm.com>

commit 9c1c98a3bb7b7593b60264b9a07e001e68b46697 upstream.

The current minstrel_ht rate control behavior is somewhat optimistic in
trying to find optimum TX rate. While this is usually fine for normal
Data frames, there are cases where a more conservative set of retry
parameters would be beneficial to make the connection more robust.

EAPOL frames are critical to the authentication and especially the
EAPOL-Key message 4/4 (the last message in the 4-way handshake) is
important to get through to the AP. If that message is lost, the only
recovery mechanism in many cases is to reassociate with the AP and start
from scratch. This can often be avoided by trying to send the frame with
more conservative rate and/or with more link layer retries.

In most cases, minstrel_ht is currently using the initial EAPOL-Key
frames for probing higher rates and this results in only five link layer
transmission attempts (one at high(ish) MCS and four at MCS0). While
this works with most APs, it looks like there are some deployed APs that
may have issues with the EAPOL frames using HT MCS immediately after
association. Similarly, there may be issues in cases where the signal
strength or radio environment is not good enough to be able to get
frames through even at couple of MCS 0 tries.

The best approach for this would likely to be to reduce the TX rate for
the last rate (3rd rate parameter in the set) to a low basic rate (say,
6 Mbps on 5 GHz and 2 or 5.5 Mbps on 2.4 GHz), but doing that cleanly
requires some more effort. For now, we can start with a simple one-liner
that forces the minimum rate to be used for EAPOL frames similarly how
the TX rate is selected for the IEEE 802.11 Management frames. This does
result in a small extra latency added to the cases where the AP would be
able to receive the higher rate, but taken into account how small number
of EAPOL frames are used, this is likely to be insignificant. A future
optimization in the minstrel_ht design can also allow this patch to be
reverted to get back to the more optimized initial TX rate.

It should also be noted that many drivers that do not use minstrel as
the rate control algorithm are already doing similar workarounds by
forcing the lowest TX rate to be used for EAPOL frames.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/tx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -566,6 +566,7 @@ ieee80211_tx_h_check_control_port_protoc
 		if (tx->sdata->control_port_no_encrypt)
 			info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
 		info->control.flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO;
+		info->flags |= IEEE80211_TX_CTL_USE_MINRATE;
 	}
 
 	return TX_CONTINUE;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 091/177] mac80211: notify channel switch at the end of ieee80211_chswitch_post_beacon()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 090/177] mac80211: Send EAPOL frames at lowest rate Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 092/177] net: irda: fix wait_until_sent poll timeout Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luciano Coelho, Emmanuel Grumbach,
	Johannes Berg

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luciano Coelho <luciano.coelho@intel.com>

commit 688b1ecfb9ed0484754d2653386e3c44c58ede5c upstream.

The call to cfg80211_ch_switch_notify() should be at the end of the
ieee80211_chswitch_post_beacon() function, because it should only be
sent if everything succeeded.

Fixes: d04b5ac9e70b ("cfg80211/mac80211: allow any interface to send channel switch notifications")
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/mlme.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1054,8 +1054,6 @@ static void ieee80211_chswitch_post_beac
 		sdata->csa_block_tx = false;
 	}
 
-	cfg80211_ch_switch_notify(sdata->dev, &sdata->reserved_chandef);
-
 	sdata->vif.csa_active = false;
 	ifmgd->csa_waiting_bcn = false;
 
@@ -1067,6 +1065,8 @@ static void ieee80211_chswitch_post_beac
 				     &ifmgd->csa_connection_drop_work);
 		return;
 	}
+
+	cfg80211_ch_switch_notify(sdata->dev, &sdata->reserved_chandef);
 }
 
 void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 092/177] net: irda: fix wait_until_sent poll timeout
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 091/177] mac80211: notify channel switch at the end of ieee80211_chswitch_post_beacon() Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 093/177] USB: serial: fix infinite wait_until_sent timeout Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2c3fbe3cf28fbd7001545a92a83b4f8acfd9fa36 upstream.

In case an infinite timeout (0) is requested, the irda wait_until_sent
implementation would use a zero poll timeout rather than the default
200ms.

Note that wait_until_sent is currently never called with a 0-timeout
argument due to a bug in tty_wait_until_sent.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/irda/ircomm/ircomm_tty.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/irda/ircomm/ircomm_tty.c
+++ b/net/irda/ircomm/ircomm_tty.c
@@ -798,7 +798,9 @@ static void ircomm_tty_wait_until_sent(s
 	orig_jiffies = jiffies;
 
 	/* Set poll time to 200 ms */
-	poll_time = IRDA_MIN(timeout, msecs_to_jiffies(200));
+	poll_time = msecs_to_jiffies(200);
+	if (timeout)
+		poll_time = min_t(unsigned long, timeout, poll_time);
 
 	spin_lock_irqsave(&self->spinlock, flags);
 	while (self->tx_skb && self->tx_skb->len) {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 093/177] USB: serial: fix infinite wait_until_sent timeout
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 092/177] net: irda: fix wait_until_sent poll timeout Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 094/177] TTY: fix tty_wait_until_sent on 64-bit machines Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit f528bf4f57e43d1af4b2a5c97f09e43e0338c105 upstream.

Make sure to handle an infinite timeout (0).

Note that wait_until_sent is currently never called with a 0-timeout
argument due to a bug in tty_wait_until_sent.

Fixes: dcf010503966 ("USB: serial: add generic wait_until_sent
implementation")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/generic.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/generic.c
+++ b/drivers/usb/serial/generic.c
@@ -258,7 +258,8 @@ void usb_serial_generic_wait_until_sent(
 	 * character or at least one jiffy.
 	 */
 	period = max_t(unsigned long, (10 * HZ / bps), 1);
-	period = min_t(unsigned long, period, timeout);
+	if (timeout)
+		period = min_t(unsigned long, period, timeout);
 
 	dev_dbg(&port->dev, "%s - timeout = %u ms, period = %u ms\n",
 					__func__, jiffies_to_msecs(timeout),
@@ -268,7 +269,7 @@ void usb_serial_generic_wait_until_sent(
 		schedule_timeout_interruptible(period);
 		if (signal_pending(current))
 			break;
-		if (time_after(jiffies, expire))
+		if (timeout && time_after(jiffies, expire))
 			break;
 	}
 }



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 094/177] TTY: fix tty_wait_until_sent on 64-bit machines
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 093/177] USB: serial: fix infinite wait_until_sent timeout Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 095/177] USB: serial: fix potential use-after-free after failed probe Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, ZIV-Asier Llano Palacios,
	Johan Hovold, Peter Hurley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 79fbf4a550ed6a22e1ae1516113e6c7fa5d56a53 upstream.

Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an
infinite timeout (0) would be passed to the underlying tty-driver's
wait_until_sent-operation as a negative timeout (-1), causing it to
return immediately.

This manifests itself for example as tcdrain() returning immediately,
drivers not honouring the drain flags when setting terminal attributes,
or even dropped data on close as a requested infinite closing-wait
timeout would be ignored.

The first symptom  was reported by Asier LLANO who noted that tcdrain()
returned prematurely when using the ftdi_sio usb-serial driver.

Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the
underlying tty driver.

Note that the serial-core wait_until_sent-implementation is not affected
by this bug due to a lucky chance (comparison to an unsigned maximum
timeout), and neither is the cyclades one that had an explicit check for
negative timeouts, but all other tty drivers appear to be affected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/tty_ioctl.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -217,11 +217,17 @@ void tty_wait_until_sent(struct tty_stru
 #endif
 	if (!timeout)
 		timeout = MAX_SCHEDULE_TIMEOUT;
+
 	if (wait_event_interruptible_timeout(tty->write_wait,
-			!tty_chars_in_buffer(tty), timeout) >= 0) {
-		if (tty->ops->wait_until_sent)
-			tty->ops->wait_until_sent(tty, timeout);
+			!tty_chars_in_buffer(tty), timeout) < 0) {
+		return;
 	}
+
+	if (timeout == MAX_SCHEDULE_TIMEOUT)
+		timeout = 0;
+
+	if (tty->ops->wait_until_sent)
+		tty->ops->wait_until_sent(tty, timeout);
 }
 EXPORT_SYMBOL(tty_wait_until_sent);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 095/177] USB: serial: fix potential use-after-free after failed probe
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 094/177] TTY: fix tty_wait_until_sent on 64-bit machines Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 096/177] USB: serial: fix tty-device error handling at probe Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Greg Kroah-Hartman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 07fdfc5e9f1c966be8722e8fa927e5ea140df5ce upstream.

Fix return value in probe error path, which could end up returning
success (0) on errors. This could in turn lead to use-after-free or
double free (e.g. in port_remove) when the port device is removed.

Fixes: c706ebdfc895 ("USB: usb-serial: call port_probe and port_remove
at the right times")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/bus.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/bus.c
+++ b/drivers/usb/serial/bus.c
@@ -75,7 +75,7 @@ static int usb_serial_device_probe(struc
 	retval = device_create_file(dev, &dev_attr_port_number);
 	if (retval) {
 		if (driver->port_remove)
-			retval = driver->port_remove(port);
+			driver->port_remove(port);
 		goto exit_with_autopm;
 	}
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 096/177] USB: serial: fix tty-device error handling at probe
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 095/177] USB: serial: fix potential use-after-free after failed probe Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 097/177] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Johan Hovold,
	Greg Kroah-Hartman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ca4383a3947a83286bc9b9c598a1f55e867871d7 upstream.

Add missing error handling when registering the tty device at port
probe. This avoids trying to remove an uninitialised character device
when the port device is removed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/bus.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/bus.c
+++ b/drivers/usb/serial/bus.c
@@ -51,6 +51,7 @@ static int usb_serial_device_probe(struc
 {
 	struct usb_serial_driver *driver;
 	struct usb_serial_port *port;
+	struct device *tty_dev;
 	int retval = 0;
 	int minor;
 
@@ -80,7 +81,15 @@ static int usb_serial_device_probe(struc
 	}
 
 	minor = port->minor;
-	tty_register_device(usb_serial_tty_driver, minor, dev);
+	tty_dev = tty_register_device(usb_serial_tty_driver, minor, dev);
+	if (IS_ERR(tty_dev)) {
+		retval = PTR_ERR(tty_dev);
+		device_remove_file(dev, &dev_attr_port_number);
+		if (driver->port_remove)
+			driver->port_remove(port);
+		goto exit_with_autopm;
+	}
+
 	dev_info(&port->serial->dev->dev,
 		 "%s converter now attached to ttyUSB%d\n",
 		 driver->description, minor);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 097/177] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 096/177] USB: serial: fix tty-device error handling at probe Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 098/177] autofs4: Wrong format for printing dentry Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 0a280962dc6e117e0e4baa668453f753579265d9 upstream.

X-Coverup: just ask spender
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/autofs4/dev-ioctl.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/autofs4/dev-ioctl.c
+++ b/fs/autofs4/dev-ioctl.c
@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int c
  */
 static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
 {
-	struct autofs_dev_ioctl tmp;
+	struct autofs_dev_ioctl tmp, *res;
 
 	if (copy_from_user(&tmp, in, sizeof(tmp)))
 		return ERR_PTR(-EFAULT);
@@ -106,7 +106,11 @@ static struct autofs_dev_ioctl *copy_dev
 	if (tmp.size > (PATH_MAX + sizeof(tmp)))
 		return ERR_PTR(-ENAMETOOLONG);
 
-	return memdup_user(in, tmp.size);
+	res = memdup_user(in, tmp.size);
+	if (!IS_ERR(res))
+		res->size = tmp.size;
+
+	return res;
 }
 
 static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 098/177] autofs4: Wrong format for printing dentry
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 097/177] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 099/177] debugfs: leave freeing a symlink body until inode eviction Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Al Viro

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit 76bf3f6b1d6ac4c770bb121b0461c460aa068e64 upstream.

%pD for struct file*, %pd for struct dentry*.

Fixes: a455589f181e ("assorted conversions to %p[dD]")
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/autofs4/root.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/autofs4/root.c
+++ b/fs/autofs4/root.c
@@ -108,7 +108,7 @@ static int autofs4_dir_open(struct inode
 	struct dentry *dentry = file->f_path.dentry;
 	struct autofs_sb_info *sbi = autofs4_sbi(dentry->d_sb);
 
-	DPRINTK("file=%p dentry=%p %pD", file, dentry, dentry);
+	DPRINTK("file=%p dentry=%p %pd", file, dentry, dentry);
 
 	if (autofs4_oz_mode(sbi))
 		goto out;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 099/177] debugfs: leave freeing a symlink body until inode eviction
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 098/177] autofs4: Wrong format for printing dentry Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 100/177] procfs: fix race between symlink removals and traversals Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 0db59e59299f0b67450c5db21f7f316c8fb04e84 upstream.

As it is, we have debugfs_remove() racing with symlink traversals.
Supply ->evict_inode() and do freeing there - inode will remain
pinned until we are done with the symlink body.

And rip the idiocy with checking if dentry is positive right after
we'd verified debugfs_positive(), which is a stronger check...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/debugfs/inode.c |   34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -246,10 +246,19 @@ static int debugfs_show_options(struct s
 	return 0;
 }
 
+static void debugfs_evict_inode(struct inode *inode)
+{
+	truncate_inode_pages_final(&inode->i_data);
+	clear_inode(inode);
+	if (S_ISLNK(inode->i_mode))
+		kfree(inode->i_private);
+}
+
 static const struct super_operations debugfs_super_operations = {
 	.statfs		= simple_statfs,
 	.remount_fs	= debugfs_remount,
 	.show_options	= debugfs_show_options,
+	.evict_inode	= debugfs_evict_inode,
 };
 
 static int debug_fill_super(struct super_block *sb, void *data, int silent)
@@ -466,23 +475,14 @@ static int __debugfs_remove(struct dentr
 	int ret = 0;
 
 	if (debugfs_positive(dentry)) {
-		if (dentry->d_inode) {
-			dget(dentry);
-			switch (dentry->d_inode->i_mode & S_IFMT) {
-			case S_IFDIR:
-				ret = simple_rmdir(parent->d_inode, dentry);
-				break;
-			case S_IFLNK:
-				kfree(dentry->d_inode->i_private);
-				/* fall through */
-			default:
-				simple_unlink(parent->d_inode, dentry);
-				break;
-			}
-			if (!ret)
-				d_delete(dentry);
-			dput(dentry);
-		}
+		dget(dentry);
+		if (S_ISDIR(dentry->d_inode->i_mode))
+			ret = simple_rmdir(parent->d_inode, dentry);
+		else
+			simple_unlink(parent->d_inode, dentry);
+		if (!ret)
+			d_delete(dentry);
+		dput(dentry);
 	}
 	return ret;
 }



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 100/177] procfs: fix race between symlink removals and traversals
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 099/177] debugfs: leave freeing a symlink body until inode eviction Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 101/177] sunrpc: fix braino in ->poll() Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 7e0e953bb0cf649f93277ac8fb67ecbb7f7b04a9 upstream.

use_pde()/unuse_pde() in ->follow_link()/->put_link() resp.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/generic.c  |   12 ------------
 fs/proc/inode.c    |   21 +++++++++++++++++++++
 fs/proc/internal.h |    1 +
 3 files changed, 22 insertions(+), 12 deletions(-)

--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -19,7 +19,6 @@
 #include <linux/mount.h>
 #include <linux/init.h>
 #include <linux/idr.h>
-#include <linux/namei.h>
 #include <linux/bitops.h>
 #include <linux/spinlock.h>
 #include <linux/completion.h>
@@ -223,17 +222,6 @@ void proc_free_inum(unsigned int inum)
 	spin_unlock_irqrestore(&proc_inum_lock, flags);
 }
 
-static void *proc_follow_link(struct dentry *dentry, struct nameidata *nd)
-{
-	nd_set_link(nd, __PDE_DATA(dentry->d_inode));
-	return NULL;
-}
-
-static const struct inode_operations proc_link_inode_operations = {
-	.readlink	= generic_readlink,
-	.follow_link	= proc_follow_link,
-};
-
 /*
  * Don't create negative dentries here, return -ENOENT by hand
  * instead.
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -23,6 +23,7 @@
 #include <linux/slab.h>
 #include <linux/mount.h>
 #include <linux/magic.h>
+#include <linux/namei.h>
 
 #include <asm/uaccess.h>
 
@@ -393,6 +394,26 @@ static const struct file_operations proc
 };
 #endif
 
+static void *proc_follow_link(struct dentry *dentry, struct nameidata *nd)
+{
+	struct proc_dir_entry *pde = PDE(dentry->d_inode);
+	if (unlikely(!use_pde(pde)))
+		return ERR_PTR(-EINVAL);
+	nd_set_link(nd, pde->data);
+	return pde;
+}
+
+static void proc_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
+{
+	unuse_pde(p);
+}
+
+const struct inode_operations proc_link_inode_operations = {
+	.readlink	= generic_readlink,
+	.follow_link	= proc_follow_link,
+	.put_link	= proc_put_link,
+};
+
 struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
 {
 	struct inode *inode = new_inode_pseudo(sb);
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -200,6 +200,7 @@ struct pde_opener {
 	int closing;
 	struct completion *c;
 };
+extern const struct inode_operations proc_link_inode_operations;
 
 extern const struct inode_operations proc_pid_link_inode_operations;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 101/177] sunrpc: fix braino in ->poll()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 100/177] procfs: fix race between symlink removals and traversals Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 102/177] SUNRPC: Always manipulate rpc_rqst::rq_bc_pa_list under xprt->bc_pa_lock Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Al Viro, Bruce Fields, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 1711fd9addf214823b993468567cab1f8254fc51 upstream.

POLL_OUT isn't what callers of ->poll() are expecting to see; it's
actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
bit...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Bruce Fields <bfields@fieldses.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/cache.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -921,7 +921,7 @@ static unsigned int cache_poll(struct fi
 	poll_wait(filp, &queue_wait, wait);
 
 	/* alway allow write */
-	mask = POLL_OUT | POLLWRNORM;
+	mask = POLLOUT | POLLWRNORM;
 
 	if (!rp)
 		return mask;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 102/177] SUNRPC: Always manipulate rpc_rqst::rq_bc_pa_list under xprt->bc_pa_lock
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 101/177] sunrpc: fix braino in ->poll() Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 103/177] ARC: Fix KSTK_ESP() Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuck Lever, Trond Myklebust

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 813b00d63f6ca1ed40a2f4f9c034d59bc424025e upstream.

Other code that accesses rq_bc_pa_list holds xprt->bc_pa_lock.
xprt_complete_bc_request() should do the same.

Fixes: 2ea24497a1b3 ("SUNRPC: RPC callbacks may be split . . .")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/backchannel_rqst.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/sunrpc/backchannel_rqst.c
+++ b/net/sunrpc/backchannel_rqst.c
@@ -309,12 +309,15 @@ void xprt_complete_bc_request(struct rpc
 	struct rpc_xprt *xprt = req->rq_xprt;
 	struct svc_serv *bc_serv = xprt->bc_serv;
 
+	spin_lock(&xprt->bc_pa_lock);
+	list_del(&req->rq_bc_pa_list);
+	spin_unlock(&xprt->bc_pa_lock);
+
 	req->rq_private_buf.len = copied;
 	set_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state);
 
 	dprintk("RPC:       add callback request to list\n");
 	spin_lock(&bc_serv->sv_cb_lock);
-	list_del(&req->rq_bc_pa_list);
 	list_add(&req->rq_bc_list, &bc_serv->sv_cb_list);
 	wake_up(&bc_serv->sv_cb_waitq);
 	spin_unlock(&bc_serv->sv_cb_lock);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 103/177] ARC: Fix KSTK_ESP()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 102/177] SUNRPC: Always manipulate rpc_rqst::rq_bc_pa_list under xprt->bc_pa_lock Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 104/177] tty: fix up atime/mtime mess, take four Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vineet Gupta

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit 13648b0118a24f4fc76c34e6c7b6ccf447e46a2a upstream.

/proc/<pid>/maps currently don't annotate stack vma with "[stack]"
This is because KSTK_ESP ie expected to return usermode SP of tsk while
currently it returns the kernel mode SP of a sleeping tsk.

While the fix is trivial, we also need to adjust the ARC kernel stack
unwinder to not use KSTK_SP and friends any more.

Reported-and-suggested-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arc/include/asm/processor.h |    9 +++++----
 arch/arc/kernel/stacktrace.c     |    6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/arch/arc/include/asm/processor.h
+++ b/arch/arc/include/asm/processor.h
@@ -75,18 +75,19 @@ unsigned long thread_saved_pc(struct tas
 #define release_segments(mm)        do { } while (0)
 
 #define KSTK_EIP(tsk)   (task_pt_regs(tsk)->ret)
+#define KSTK_ESP(tsk)   (task_pt_regs(tsk)->sp)
 
 /*
  * Where abouts of Task's sp, fp, blink when it was last seen in kernel mode.
  * Look in process.c for details of kernel stack layout
  */
-#define KSTK_ESP(tsk)   (tsk->thread.ksp)
+#define TSK_K_ESP(tsk)		(tsk->thread.ksp)
 
-#define KSTK_REG(tsk, off)	(*((unsigned int *)(KSTK_ESP(tsk) + \
+#define TSK_K_REG(tsk, off)	(*((unsigned int *)(TSK_K_ESP(tsk) + \
 					sizeof(struct callee_regs) + off)))
 
-#define KSTK_BLINK(tsk) KSTK_REG(tsk, 4)
-#define KSTK_FP(tsk)    KSTK_REG(tsk, 0)
+#define TSK_K_BLINK(tsk)	TSK_K_REG(tsk, 4)
+#define TSK_K_FP(tsk)		TSK_K_REG(tsk, 0)
 
 extern void start_thread(struct pt_regs * regs, unsigned long pc,
 			 unsigned long usp);
--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -64,9 +64,9 @@ static void seed_unwind_frame_info(struc
 
 		frame_info->task = tsk;
 
-		frame_info->regs.r27 = KSTK_FP(tsk);
-		frame_info->regs.r28 = KSTK_ESP(tsk);
-		frame_info->regs.r31 = KSTK_BLINK(tsk);
+		frame_info->regs.r27 = TSK_K_FP(tsk);
+		frame_info->regs.r28 = TSK_K_ESP(tsk);
+		frame_info->regs.r31 = TSK_K_BLINK(tsk);
 		frame_info->regs.r63 = (unsigned int)__switch_to;
 
 		/* In the prologue of __switch_to, first FP is saved on stack



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 104/177] tty: fix up atime/mtime mess, take four
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 103/177] ARC: Fix KSTK_ESP() Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 105/177] serial: 8250: Revert "tty: serial: 8250_core: read only RX if there is something in the FIFO" Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, John Paul Perry, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit f0bf0bd07943bfde8f5ac39a32664810a379c7d3 upstream.

This problem was taken care of three times already in
* b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update
  atime/mtime on read/write),
* 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime
  regression), and
* b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime
  mess, take three)

But it still misses one point. As John Paul correctly points out, we
do not care about setting date. If somebody ever changes wall
time backwards (by mistake for example), tty timestamps are never
updated until the original wall time passes.

So check the absolute difference of times and if it large than "8
seconds or so", always update the time. That means we will update
immediatelly when changing time. Ergo, CAP_SYS_TIME can foul the
check, but it was always that way.

Thanks John for serving me this so nicely debugged.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/tty_io.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1028,8 +1028,8 @@ EXPORT_SYMBOL(start_tty);
 /* We limit tty time update visibility to every 8 seconds or so. */
 static void tty_update_time(struct timespec *time)
 {
-	unsigned long sec = get_seconds() & ~7;
-	if ((long)(sec - time->tv_sec) > 0)
+	unsigned long sec = get_seconds();
+	if (abs(sec - time->tv_sec) & ~7)
 		time->tv_sec = sec;
 }
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 105/177] serial: 8250: Revert "tty: serial: 8250_core: read only RX if there is something in the FIFO"
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 104/177] tty: fix up atime/mtime mess, take four Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 106/177] ALSA: pcm: Dont leave PREPARED state after draining Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Schichan, Sebastian Andrzej Siewior

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

commit ca8bb4aefb932e3da105f28cbfba36d57a931081 upstream.

This reverts commit 0aa525d11859c1a4d5b78fdc704148e2ae03ae13.

The conditional RX-FIFO read seems to cause spurious interrupts and we
see just:
|serial8250: too much work for irq29

The previous behaviour was "default" for decades and Marvell's 88f6282 SoC
might not be the only that relies on it. Therefore the Omap fix is
reverted for now.

Fixes: 0aa525d11859 ("tty: serial: 8250_core: read only RX if there is
something in the FIFO")
Reported-By: Nicolas Schichan <nschichan@freebox.fr>
Debuged-By: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_core.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/8250/8250_core.c
+++ b/drivers/tty/serial/8250/8250_core.c
@@ -2107,8 +2107,8 @@ int serial8250_do_startup(struct uart_po
 	/*
 	 * Clear the interrupt registers.
 	 */
-	if (serial_port_in(port, UART_LSR) & UART_LSR_DR)
-		serial_port_in(port, UART_RX);
+	serial_port_in(port, UART_LSR);
+	serial_port_in(port, UART_RX);
 	serial_port_in(port, UART_IIR);
 	serial_port_in(port, UART_MSR);
 
@@ -2269,8 +2269,8 @@ dont_test_tx_en:
 	 * saved flags to avoid getting false values from polling
 	 * routines or the previous session.
 	 */
-	if (serial_port_in(port, UART_LSR) & UART_LSR_DR)
-		serial_port_in(port, UART_RX);
+	serial_port_in(port, UART_LSR);
+	serial_port_in(port, UART_RX);
 	serial_port_in(port, UART_IIR);
 	serial_port_in(port, UART_MSR);
 	up->lsr_saved_flags = 0;
@@ -2363,8 +2363,7 @@ void serial8250_do_shutdown(struct uart_
 	 * Read data port to reset things, and then unlink from
 	 * the IRQ chain.
 	 */
-	if (serial_port_in(port, UART_LSR) & UART_LSR_DR)
-		serial_port_in(port, UART_RX);
+	serial_port_in(port, UART_RX);
 	serial8250_rpm_put(up);
 
 	del_timer_sync(&up->timer);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 106/177] ALSA: pcm: Dont leave PREPARED state after draining
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 105/177] serial: 8250: Revert "tty: serial: 8250_core: read only RX if there is something in the FIFO" Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 107/177] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 70372a7566b5e552dbe48abdac08c275081d8558 upstream.

When a PCM draining is performed to an empty stream that has been
already in PREPARED state, the current code just ignores and leaves as
it is, although the drain is supposed to set all such streams to SETUP
state.  This patch covers that overlooked case.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/pcm_native.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1546,6 +1546,8 @@ static int snd_pcm_do_drain_init(struct
 			if (! snd_pcm_playback_empty(substream)) {
 				snd_pcm_do_start(substream, SNDRV_PCM_STATE_DRAINING);
 				snd_pcm_post_start(substream, SNDRV_PCM_STATE_DRAINING);
+			} else {
+				runtime->status->state = SNDRV_PCM_STATE_SETUP;
 			}
 			break;
 		case SNDRV_PCM_STATE_RUNNING:



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 107/177] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 106/177] ALSA: pcm: Dont leave PREPARED state after draining Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 108/177] ALSA: fireworks/bebob/dice/oxfw: add reference-counting for FireWire unit Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 6426460e5d87810e042962281fe3c1e8fc256162 upstream.

BIOS doesn't seem to set up pins for 5.1 and the SPDIF out, so we need
to give explicitly here.

Reported-and-tested-by: Misan Thropos <misanthropos@gmx.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_sigmatel.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/patch_sigmatel.c
+++ b/sound/pci/hda/patch_sigmatel.c
@@ -79,6 +79,7 @@ enum {
 	STAC_ALIENWARE_M17X,
 	STAC_92HD89XX_HP_FRONT_JACK,
 	STAC_92HD89XX_HP_Z1_G2_RIGHT_MIC_JACK,
+	STAC_92HD73XX_ASUS_MOBO,
 	STAC_92HD73XX_MODELS
 };
 
@@ -1911,7 +1912,18 @@ static const struct hda_fixup stac92hd73
 	[STAC_92HD89XX_HP_Z1_G2_RIGHT_MIC_JACK] = {
 		.type = HDA_FIXUP_PINS,
 		.v.pins = stac92hd89xx_hp_z1_g2_right_mic_jack_pin_configs,
-	}
+	},
+	[STAC_92HD73XX_ASUS_MOBO] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			/* enable 5.1 and SPDIF out */
+			{ 0x0c, 0x01014411 },
+			{ 0x0d, 0x01014410 },
+			{ 0x0e, 0x01014412 },
+			{ 0x22, 0x014b1180 },
+			{ }
+		}
+	},
 };
 
 static const struct hda_model_fixup stac92hd73xx_models[] = {
@@ -1923,6 +1935,7 @@ static const struct hda_model_fixup stac
 	{ .id = STAC_DELL_M6_BOTH, .name = "dell-m6" },
 	{ .id = STAC_DELL_EQ, .name = "dell-eq" },
 	{ .id = STAC_ALIENWARE_M17X, .name = "alienware" },
+	{ .id = STAC_92HD73XX_ASUS_MOBO, .name = "asus-mobo" },
 	{}
 };
 
@@ -1975,6 +1988,8 @@ static const struct snd_pci_quirk stac92
 				"HP Z1 G2", STAC_92HD89XX_HP_Z1_G2_RIGHT_MIC_JACK),
 	SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x2b17,
 				"unknown HP", STAC_92HD89XX_HP_FRONT_JACK),
+	SND_PCI_QUIRK(PCI_VENDOR_ID_ASUSTEK, 0x83f8, "ASUS AT4NM10",
+		      STAC_92HD73XX_ASUS_MOBO),
 	{} /* terminator */
 };
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 108/177] ALSA: fireworks/bebob/dice/oxfw: add reference-counting for FireWire unit
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 107/177] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 109/177] ALSA: firewire-lib: remove reference counting Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit 12ed719291a953d443921f9cdb0ffee41066c340 upstream.

Fireworks and Dice drivers try to touch instances of FireWire unit after
sound card object is released, while references to the unit is decremented
in .remove(). When unplugging during streaming, sound card object is
released after .remove(), thus Fireworks and Dice drivers causes GPF or
Null-pointer-dereferencing to application processes because an instance of
FireWire unit was already released.

This commit adds reference-counting for FireWire unit in drivers to allow
them to touch an instance of FireWire unit after .remove(). In most case,
any operations after .remove() may be failed safely.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/bebob/bebob.c         |   12 +++++++++++-
 sound/firewire/dice/dice.c           |   11 ++++++++++-
 sound/firewire/fireworks/fireworks.c |   12 +++++++++++-
 sound/firewire/oxfw/oxfw.c           |   11 ++++++++++-
 4 files changed, 42 insertions(+), 4 deletions(-)

--- a/sound/firewire/bebob/bebob.c
+++ b/sound/firewire/bebob/bebob.c
@@ -116,11 +116,19 @@ end:
 	return err;
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void
 bebob_card_free(struct snd_card *card)
 {
 	struct snd_bebob *bebob = card->private_data;
 
+	fw_unit_put(bebob->unit);
+
 	if (bebob->card_index >= 0) {
 		mutex_lock(&devices_mutex);
 		clear_bit(bebob->card_index, devices_used);
@@ -205,7 +213,7 @@ bebob_probe(struct fw_unit *unit,
 	card->private_free = bebob_card_free;
 
 	bebob->card = card;
-	bebob->unit = unit;
+	bebob->unit = fw_unit_get(unit);
 	bebob->spec = spec;
 	mutex_init(&bebob->mutex);
 	spin_lock_init(&bebob->lock);
@@ -310,6 +318,8 @@ static void bebob_remove(struct fw_unit
 
 	snd_bebob_stream_destroy_duplex(bebob);
 	snd_card_disconnect(bebob->card);
+
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(bebob->card);
 }
 
--- a/sound/firewire/dice/dice.c
+++ b/sound/firewire/dice/dice.c
@@ -226,11 +226,19 @@ static void dice_card_strings(struct snd
 	strcpy(card->mixername, "DICE");
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void dice_card_free(struct snd_card *card)
 {
 	struct snd_dice *dice = card->private_data;
 
 	snd_dice_transaction_destroy(dice);
+	fw_unit_put(dice->unit);
+
 	mutex_destroy(&dice->mutex);
 }
 
@@ -251,7 +259,7 @@ static int dice_probe(struct fw_unit *un
 
 	dice = card->private_data;
 	dice->card = card;
-	dice->unit = unit;
+	dice->unit = fw_unit_get(unit);
 	card->private_free = dice_card_free;
 
 	spin_lock_init(&dice->lock);
@@ -309,6 +317,7 @@ static void dice_remove(struct fw_unit *
 
 	snd_dice_stream_destroy_duplex(dice);
 
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(dice->card);
 }
 
--- a/sound/firewire/fireworks/fireworks.c
+++ b/sound/firewire/fireworks/fireworks.c
@@ -173,11 +173,19 @@ end:
 	return err;
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void
 efw_card_free(struct snd_card *card)
 {
 	struct snd_efw *efw = card->private_data;
 
+	fw_unit_put(efw->unit);
+
 	if (efw->card_index >= 0) {
 		mutex_lock(&devices_mutex);
 		clear_bit(efw->card_index, devices_used);
@@ -218,7 +226,7 @@ efw_probe(struct fw_unit *unit,
 	card->private_free = efw_card_free;
 
 	efw->card = card;
-	efw->unit = unit;
+	efw->unit = fw_unit_get(unit);
 	mutex_init(&efw->mutex);
 	spin_lock_init(&efw->lock);
 	init_waitqueue_head(&efw->hwdep_wait);
@@ -293,6 +301,8 @@ static void efw_remove(struct fw_unit *u
 	snd_efw_transaction_remove_instance(efw);
 
 	snd_card_disconnect(efw->card);
+
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(efw->card);
 }
 
--- a/sound/firewire/oxfw/oxfw.c
+++ b/sound/firewire/oxfw/oxfw.c
@@ -104,11 +104,19 @@ end:
 	return err;
 }
 
+/*
+ * This module releases the FireWire unit data after all ALSA character devices
+ * are released by applications. This is for releasing stream data or finishing
+ * transactions safely. Thus at returning from .remove(), this module still keep
+ * references for the unit.
+ */
 static void oxfw_card_free(struct snd_card *card)
 {
 	struct snd_oxfw *oxfw = card->private_data;
 	unsigned int i;
 
+	fw_unit_put(oxfw->unit);
+
 	for (i = 0; i < SND_OXFW_STREAM_FORMAT_ENTRIES; i++) {
 		kfree(oxfw->tx_stream_formats[i]);
 		kfree(oxfw->rx_stream_formats[i]);
@@ -136,7 +144,7 @@ static int oxfw_probe(struct fw_unit *un
 	oxfw = card->private_data;
 	oxfw->card = card;
 	mutex_init(&oxfw->mutex);
-	oxfw->unit = unit;
+	oxfw->unit = fw_unit_get(unit);
 	oxfw->device_info = (const struct device_info *)id->driver_data;
 	spin_lock_init(&oxfw->lock);
 	init_waitqueue_head(&oxfw->hwdep_wait);
@@ -218,6 +226,7 @@ static void oxfw_remove(struct fw_unit *
 	if (oxfw->has_output)
 		snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream);
 
+	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(oxfw->card);
 }
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 109/177] ALSA: firewire-lib: remove reference counting
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 108/177] ALSA: fireworks/bebob/dice/oxfw: add reference-counting for FireWire unit Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 110/177] ALSA: fireworks/bebob/dice/oxfw: allow stream destructor after releasing runtime Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit c6f224dc20ad959175c2dfec70b5a61c6503a793 upstream.

AMDTP helper functions increment/decrement reference counter for an
instance of FireWire unit, while it's complicated for each driver to
process error state.

In previous commit, each driver has the role of reference counting. This
commit removes this role from the helper function.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/amdtp.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/firewire/amdtp.c
+++ b/sound/firewire/amdtp.c
@@ -78,7 +78,7 @@ static void pcm_period_tasklet(unsigned
 int amdtp_stream_init(struct amdtp_stream *s, struct fw_unit *unit,
 		      enum amdtp_stream_direction dir, enum cip_flags flags)
 {
-	s->unit = fw_unit_get(unit);
+	s->unit = unit;
 	s->direction = dir;
 	s->flags = flags;
 	s->context = ERR_PTR(-1);
@@ -102,7 +102,6 @@ void amdtp_stream_destroy(struct amdtp_s
 {
 	WARN_ON(amdtp_stream_running(s));
 	mutex_destroy(&s->mutex);
-	fw_unit_put(s->unit);
 }
 EXPORT_SYMBOL(amdtp_stream_destroy);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 110/177] ALSA: fireworks/bebob/dice/oxfw: allow stream destructor after releasing runtime
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 109/177] ALSA: firewire-lib: remove reference counting Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 111/177] ALSA: fireworks/bebob/dice/oxfw: make it possible to shutdown safely Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit d23c2cc4485d10f0cedfef99dd2961d9652b1b3f upstream.

Currently stream destructor in each driver has a problem to be called in
a context in which sound card object is released, because the destructors
call amdtp_stream_pcm_abort() and touch PCM runtime data.

The PCM runtime data is destroyed in application's context with
snd_pcm_close(), on the other hand PCM substream data is destroyed after
sound card object is released, in most case after all of ALSA character
devices are released. When PCM runtime is destroyed and PCM substream is
remained, amdtp_stream_pcm_abort() touches PCM runtime data and causes
Null-pointer-dereference.

This commit changes stream destructors and allows each driver to call
it after releasing runtime.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/bebob/bebob_stream.c         |   12 ++++--------
 sound/firewire/dice/dice-stream.c           |   18 ++++++++++++------
 sound/firewire/fireworks/fireworks_stream.c |   15 ++++++++++-----
 sound/firewire/oxfw/oxfw-stream.c           |    6 ++++--
 4 files changed, 30 insertions(+), 21 deletions(-)

--- a/sound/firewire/bebob/bebob_stream.c
+++ b/sound/firewire/bebob/bebob_stream.c
@@ -410,8 +410,6 @@ break_both_connections(struct snd_bebob
 static void
 destroy_both_connections(struct snd_bebob *bebob)
 {
-	break_both_connections(bebob);
-
 	cmp_connection_destroy(&bebob->in_conn);
 	cmp_connection_destroy(&bebob->out_conn);
 }
@@ -712,16 +710,14 @@ void snd_bebob_stream_update_duplex(stru
 	mutex_unlock(&bebob->mutex);
 }
 
+/*
+ * This function should be called before starting streams or after stopping
+ * streams.
+ */
 void snd_bebob_stream_destroy_duplex(struct snd_bebob *bebob)
 {
 	mutex_lock(&bebob->mutex);
 
-	amdtp_stream_pcm_abort(&bebob->rx_stream);
-	amdtp_stream_pcm_abort(&bebob->tx_stream);
-
-	amdtp_stream_stop(&bebob->rx_stream);
-	amdtp_stream_stop(&bebob->tx_stream);
-
 	amdtp_stream_destroy(&bebob->rx_stream);
 	amdtp_stream_destroy(&bebob->tx_stream);
 
--- a/sound/firewire/dice/dice-stream.c
+++ b/sound/firewire/dice/dice-stream.c
@@ -311,14 +311,21 @@ end:
 	return err;
 }
 
+/*
+ * This function should be called before starting streams or after stopping
+ * streams.
+ */
 static void destroy_stream(struct snd_dice *dice, struct amdtp_stream *stream)
 {
-	amdtp_stream_destroy(stream);
+	struct fw_iso_resources *resources;
 
 	if (stream == &dice->tx_stream)
-		fw_iso_resources_destroy(&dice->tx_resources);
+		resources = &dice->tx_resources;
 	else
-		fw_iso_resources_destroy(&dice->rx_resources);
+		resources = &dice->rx_resources;
+
+	amdtp_stream_destroy(stream);
+	fw_iso_resources_destroy(resources);
 }
 
 int snd_dice_stream_init_duplex(struct snd_dice *dice)
@@ -332,6 +339,8 @@ int snd_dice_stream_init_duplex(struct s
 		goto end;
 
 	err = init_stream(dice, &dice->rx_stream);
+	if (err < 0)
+		destroy_stream(dice, &dice->tx_stream);
 end:
 	return err;
 }
@@ -340,10 +349,7 @@ void snd_dice_stream_destroy_duplex(stru
 {
 	snd_dice_transaction_clear_enable(dice);
 
-	stop_stream(dice, &dice->tx_stream);
 	destroy_stream(dice, &dice->tx_stream);
-
-	stop_stream(dice, &dice->rx_stream);
 	destroy_stream(dice, &dice->rx_stream);
 
 	dice->substreams_counter = 0;
--- a/sound/firewire/fireworks/fireworks_stream.c
+++ b/sound/firewire/fireworks/fireworks_stream.c
@@ -100,17 +100,22 @@ end:
 	return err;
 }
 
+/*
+ * This function should be called before starting the stream or after stopping
+ * the streams.
+ */
 static void
 destroy_stream(struct snd_efw *efw, struct amdtp_stream *stream)
 {
-	stop_stream(efw, stream);
-
-	amdtp_stream_destroy(stream);
+	struct cmp_connection *conn;
 
 	if (stream == &efw->tx_stream)
-		cmp_connection_destroy(&efw->out_conn);
+		conn = &efw->out_conn;
 	else
-		cmp_connection_destroy(&efw->in_conn);
+		conn = &efw->in_conn;
+
+	amdtp_stream_destroy(stream);
+	cmp_connection_destroy(&efw->out_conn);
 }
 
 static int
--- a/sound/firewire/oxfw/oxfw-stream.c
+++ b/sound/firewire/oxfw/oxfw-stream.c
@@ -337,6 +337,10 @@ void snd_oxfw_stream_stop_simplex(struct
 	stop_stream(oxfw, stream);
 }
 
+/*
+ * This function should be called before starting the stream or after stopping
+ * the streams.
+ */
 void snd_oxfw_stream_destroy_simplex(struct snd_oxfw *oxfw,
 				     struct amdtp_stream *stream)
 {
@@ -347,8 +351,6 @@ void snd_oxfw_stream_destroy_simplex(str
 	else
 		conn = &oxfw->in_conn;
 
-	stop_stream(oxfw, stream);
-
 	amdtp_stream_destroy(stream);
 	cmp_connection_destroy(conn);
 }



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 111/177] ALSA: fireworks/bebob/dice/oxfw: make it possible to shutdown safely
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 110/177] ALSA: fireworks/bebob/dice/oxfw: allow stream destructor after releasing runtime Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 112/177] ALSA: hda: controller code - do not export static functions Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit dec84316dd53c90e93b4ee849483bd4bd1e9a585 upstream.

A part of these drivers, especially BeBoB driver, are programmed to wait
some events. Thus the drivers should not destroy any data in .remove()
context.

This commit moves some destructors from 'struct fw_driver.remove()' to
'struct snd_card.private_free()' to shutdown safely.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/bebob/bebob.c                |   10 ++++++----
 sound/firewire/bebob/bebob_stream.c         |    4 ----
 sound/firewire/dice/dice.c                  |    5 +----
 sound/firewire/fireworks/fireworks.c        |   10 ++++------
 sound/firewire/fireworks/fireworks_stream.c |    4 ----
 sound/firewire/oxfw/oxfw.c                  |   10 ++++------
 6 files changed, 15 insertions(+), 28 deletions(-)

--- a/sound/firewire/bebob/bebob.c
+++ b/sound/firewire/bebob/bebob.c
@@ -127,8 +127,11 @@ bebob_card_free(struct snd_card *card)
 {
 	struct snd_bebob *bebob = card->private_data;
 
+	snd_bebob_stream_destroy_duplex(bebob);
 	fw_unit_put(bebob->unit);
 
+	kfree(bebob->maudio_special_quirk);
+
 	if (bebob->card_index >= 0) {
 		mutex_lock(&devices_mutex);
 		clear_bit(bebob->card_index, devices_used);
@@ -314,10 +317,9 @@ static void bebob_remove(struct fw_unit
 	if (bebob == NULL)
 		return;
 
-	kfree(bebob->maudio_special_quirk);
-
-	snd_bebob_stream_destroy_duplex(bebob);
-	snd_card_disconnect(bebob->card);
+	/* Awake bus-reset waiters. */
+	if (!completion_done(&bebob->bus_reset))
+		complete_all(&bebob->bus_reset);
 
 	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(bebob->card);
--- a/sound/firewire/bebob/bebob_stream.c
+++ b/sound/firewire/bebob/bebob_stream.c
@@ -716,14 +716,10 @@ void snd_bebob_stream_update_duplex(stru
  */
 void snd_bebob_stream_destroy_duplex(struct snd_bebob *bebob)
 {
-	mutex_lock(&bebob->mutex);
-
 	amdtp_stream_destroy(&bebob->rx_stream);
 	amdtp_stream_destroy(&bebob->tx_stream);
 
 	destroy_both_connections(bebob);
-
-	mutex_unlock(&bebob->mutex);
 }
 
 /*
--- a/sound/firewire/dice/dice.c
+++ b/sound/firewire/dice/dice.c
@@ -236,6 +236,7 @@ static void dice_card_free(struct snd_ca
 {
 	struct snd_dice *dice = card->private_data;
 
+	snd_dice_stream_destroy_duplex(dice);
 	snd_dice_transaction_destroy(dice);
 	fw_unit_put(dice->unit);
 
@@ -313,10 +314,6 @@ static void dice_remove(struct fw_unit *
 {
 	struct snd_dice *dice = dev_get_drvdata(&unit->device);
 
-	snd_card_disconnect(dice->card);
-
-	snd_dice_stream_destroy_duplex(dice);
-
 	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(dice->card);
 }
--- a/sound/firewire/fireworks/fireworks.c
+++ b/sound/firewire/fireworks/fireworks.c
@@ -184,8 +184,12 @@ efw_card_free(struct snd_card *card)
 {
 	struct snd_efw *efw = card->private_data;
 
+	snd_efw_stream_destroy_duplex(efw);
+	snd_efw_transaction_remove_instance(efw);
 	fw_unit_put(efw->unit);
 
+	kfree(efw->resp_buf);
+
 	if (efw->card_index >= 0) {
 		mutex_lock(&devices_mutex);
 		clear_bit(efw->card_index, devices_used);
@@ -193,7 +197,6 @@ efw_card_free(struct snd_card *card)
 	}
 
 	mutex_destroy(&efw->mutex);
-	kfree(efw->resp_buf);
 }
 
 static int
@@ -297,11 +300,6 @@ static void efw_remove(struct fw_unit *u
 {
 	struct snd_efw *efw = dev_get_drvdata(&unit->device);
 
-	snd_efw_stream_destroy_duplex(efw);
-	snd_efw_transaction_remove_instance(efw);
-
-	snd_card_disconnect(efw->card);
-
 	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(efw->card);
 }
--- a/sound/firewire/fireworks/fireworks_stream.c
+++ b/sound/firewire/fireworks/fireworks_stream.c
@@ -324,12 +324,8 @@ void snd_efw_stream_update_duplex(struct
 
 void snd_efw_stream_destroy_duplex(struct snd_efw *efw)
 {
-	mutex_lock(&efw->mutex);
-
 	destroy_stream(efw, &efw->rx_stream);
 	destroy_stream(efw, &efw->tx_stream);
-
-	mutex_unlock(&efw->mutex);
 }
 
 void snd_efw_stream_lock_changed(struct snd_efw *efw)
--- a/sound/firewire/oxfw/oxfw.c
+++ b/sound/firewire/oxfw/oxfw.c
@@ -115,6 +115,10 @@ static void oxfw_card_free(struct snd_ca
 	struct snd_oxfw *oxfw = card->private_data;
 	unsigned int i;
 
+	snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->rx_stream);
+	if (oxfw->has_output)
+		snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream);
+
 	fw_unit_put(oxfw->unit);
 
 	for (i = 0; i < SND_OXFW_STREAM_FORMAT_ENTRIES; i++) {
@@ -220,12 +224,6 @@ static void oxfw_remove(struct fw_unit *
 {
 	struct snd_oxfw *oxfw = dev_get_drvdata(&unit->device);
 
-	snd_card_disconnect(oxfw->card);
-
-	snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->rx_stream);
-	if (oxfw->has_output)
-		snd_oxfw_stream_destroy_simplex(oxfw, &oxfw->tx_stream);
-
 	/* No need to wait for releasing card object in this context. */
 	snd_card_free_when_closed(oxfw->card);
 }



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 112/177] ALSA: hda: controller code - do not export static functions
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 111/177] ALSA: fireworks/bebob/dice/oxfw: make it possible to shutdown safely Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 113/177] ALSA: hda - Disable runtime PM for Panther Point again Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaroslav Kysela, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jaroslav Kysela <perex@perex.cz>

commit 37ed398839fa3e0d2de77925097db7a370abb096 upstream.

It is a bad idea to export static functions. GCC for some platforms
shows errors like:

  error: __ksymtab_azx_get_response causes a section type conflict

Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_controller.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -957,7 +957,6 @@ static int azx_alloc_cmd_io(struct azx *
 		dev_err(chip->card->dev, "cannot allocate CORB/RIRB\n");
 	return err;
 }
-EXPORT_SYMBOL_GPL(azx_alloc_cmd_io);
 
 static void azx_init_cmd_io(struct azx *chip)
 {
@@ -1022,7 +1021,6 @@ static void azx_init_cmd_io(struct azx *
 	azx_writeb(chip, RIRBCTL, AZX_RBCTL_DMA_EN | AZX_RBCTL_IRQ_EN);
 	spin_unlock_irq(&chip->reg_lock);
 }
-EXPORT_SYMBOL_GPL(azx_init_cmd_io);
 
 static void azx_free_cmd_io(struct azx *chip)
 {
@@ -1032,7 +1030,6 @@ static void azx_free_cmd_io(struct azx *
 	azx_writeb(chip, CORBCTL, 0);
 	spin_unlock_irq(&chip->reg_lock);
 }
-EXPORT_SYMBOL_GPL(azx_free_cmd_io);
 
 static unsigned int azx_command_addr(u32 cmd)
 {
@@ -1312,7 +1309,6 @@ static int azx_send_cmd(struct hda_bus *
 	else
 		return azx_corb_send_cmd(bus, val);
 }
-EXPORT_SYMBOL_GPL(azx_send_cmd);
 
 /* get a response */
 static unsigned int azx_get_response(struct hda_bus *bus,
@@ -1326,7 +1322,6 @@ static unsigned int azx_get_response(str
 	else
 		return azx_rirb_get_response(bus, addr);
 }
-EXPORT_SYMBOL_GPL(azx_get_response);
 
 #ifdef CONFIG_SND_HDA_DSP_LOADER
 /*



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 113/177] ALSA: hda - Disable runtime PM for Panther Point again
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 112/177] ALSA: hda: controller code - do not export static functions Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 114/177] ALSA: oxfw: fix a condition and return code in start_stream() Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dang Sananikone, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit de5d0ad506cb10ab143e2ffb9def7607e3671f83 upstream.

This is essentially a partial revert of the commit [b1920c21102a:
'ALSA: hda - Enable runtime PM on Panther Point'].  There was a bug
report showing the HD-audio bus hang during runtime PM on HP Spectre
XT.

Reported-by: Dang Sananikone <dang.sananikone@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_intel.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2004,7 +2004,7 @@ static const struct pci_device_id azx_id
 	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH_NOPM },
 	/* Panther Point */
 	{ PCI_DEVICE(0x8086, 0x1e20),
-	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
+	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH_NOPM },
 	/* Lynx Point */
 	{ PCI_DEVICE(0x8086, 0x8c20),
 	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 114/177] ALSA: oxfw: fix a condition and return code in start_stream()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 113/177] ALSA: hda - Disable runtime PM for Panther Point again Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 115/177] ALSA: hda - One more Dell macine needs DELL1_MIC_NO_PRESENCE quirk Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Takashi Sakamoto,
	Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit f2b14c0bc510c6a8f67a4f36049deefe5d99a537 upstream.

The amdtp_stream_wait_callback() doesn't return minus value and
the return code is not for error code.

This commit fixes with a propper condition and an error code.

Fixes: f3699e2c7745 ('ALSA: oxfw: Change the way to start stream')
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/oxfw/oxfw-stream.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/sound/firewire/oxfw/oxfw-stream.c
+++ b/sound/firewire/oxfw/oxfw-stream.c
@@ -171,9 +171,10 @@ static int start_stream(struct snd_oxfw
 	}
 
 	/* Wait first packet */
-	err = amdtp_stream_wait_callback(stream, CALLBACK_TIMEOUT);
-	if (err < 0)
+	if (!amdtp_stream_wait_callback(stream, CALLBACK_TIMEOUT)) {
 		stop_stream(oxfw, stream);
+		err = -ETIMEDOUT;
+	}
 end:
 	return err;
 }



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 115/177] ALSA: hda - One more Dell macine needs DELL1_MIC_NO_PRESENCE quirk
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 114/177] ALSA: oxfw: fix a condition and return code in start_stream() Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 116/177] locking/rtmutex: Avoid a NULL pointer dereference on deadlock Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit 70658b99490dd86cfdbf4fca117bbe2ef9a80d03 upstream.

BugLink: https://bugs.launchpad.net/bugs/1428947
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5114,6 +5114,13 @@ static const struct snd_hda_pin_quirk al
 		{0x17, 0x40000000},
 		{0x1d, 0x40700001},
 		{0x21, 0x02211040}),
+	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+		ALC255_STANDARD_PINS,
+		{0x12, 0x90a60170},
+		{0x14, 0x90170140},
+		{0x17, 0x40000000},
+		{0x1d, 0x40700001},
+		{0x21, 0x02211050}),
 	SND_HDA_PIN_QUIRK(0x10ec0280, 0x103c, "HP", ALC280_FIXUP_HP_GPIO4,
 		{0x12, 0x90a60130},
 		{0x13, 0x40000000},



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 116/177] locking/rtmutex: Avoid a NULL pointer dereference on deadlock
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 115/177] ALSA: hda - One more Dell macine needs DELL1_MIC_NO_PRESENCE quirk Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 117/177] sg: fix read() error reporting Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Andrzej Siewior,
	Peter Zijlstra, Thomas Gleixner, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

commit 8d1e5a1a1ccf5ae9d8a5a0ee7960202ccb0c5429 upstream.

With task_blocks_on_rt_mutex() returning early -EDEADLK we never
add the waiter to the waitqueue. Later, we try to remove it via
remove_waiter() and go boom in rt_mutex_top_waiter() because
rb_entry() gives a NULL pointer.

( Tested on v3.18-RT where rtmutex is used for regular mutex and I
  tried to get one twice in a row. )

Not sure when this started but I guess 397335f004f4 ("rtmutex: Fix
deadlock detector for real") or commit 3d5c9340d194 ("rtmutex:
Handle deadlock detection smarter").

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1424187823-19600-1-git-send-email-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/locking/rtmutex.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1193,7 +1193,8 @@ rt_mutex_slowlock(struct rt_mutex *lock,
 	set_current_state(TASK_RUNNING);
 
 	if (unlikely(ret)) {
-		remove_waiter(lock, &waiter);
+		if (rt_mutex_has_waiters(lock))
+			remove_waiter(lock, &waiter);
 		rt_mutex_handle_deadlock(ret, chwalk, &waiter);
 	}
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 117/177] sg: fix read() error reporting
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 116/177] locking/rtmutex: Avoid a NULL pointer dereference on deadlock Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 118/177] IB/qib: Do not write EEPROM Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Battersby, Douglas Gilbert,
	James Bottomley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Battersby <tonyb@cybernetics.com>

commit 3b524a683af8991b4eab4182b947c65f0ce1421b upstream.

Fix SCSI generic read() incorrectly returning success after detecting an
error.

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -546,7 +546,7 @@ static ssize_t
 sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
 {
 	sg_io_hdr_t *hp = &srp->header;
-	int err = 0;
+	int err = 0, err2;
 	int len;
 
 	if (count < SZ_SG_IO_HDR) {
@@ -575,8 +575,8 @@ sg_new_read(Sg_fd * sfp, char __user *bu
 		goto err_out;
 	}
 err_out:
-	err = sg_finish_rem_req(srp);
-	return (0 == err) ? count : err;
+	err2 = sg_finish_rem_req(srp);
+	return err ? : err2 ? : count;
 }
 
 static ssize_t



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 118/177] IB/qib: Do not write EEPROM
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 117/177] sg: fix read() error reporting Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 119/177] IB/iser: Fix memory regions possible leak Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Mitko Haralanov,
	Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mitko Haralanov <mitko.haralanov@intel.com>

commit 18c0b82a3e4501511b08d0e8676fb08ac08734a3 upstream.

This changeset removes all the code that allows the driver to write to
the EEPROM and update the recorded error counters and power on hours.

These two stats are unused and writing them exposes a timing risk
which could leave the EEPROM in a bad state preventing further normal
operation of the HCA.

Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Mitko Haralanov <mitko.haralanov@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/qib/qib.h         |    9 -
 drivers/infiniband/hw/qib/qib_eeprom.c  |  181 --------------------------------
 drivers/infiniband/hw/qib/qib_iba6120.c |    2 
 drivers/infiniband/hw/qib/qib_iba7220.c |    2 
 drivers/infiniband/hw/qib/qib_iba7322.c |    2 
 drivers/infiniband/hw/qib/qib_init.c    |    1 
 drivers/infiniband/hw/qib/qib_sysfs.c   |   24 ----
 7 files changed, 1 insertion(+), 220 deletions(-)

--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
@@ -1082,12 +1082,6 @@ struct qib_devdata {
 	/* control high-level access to EEPROM */
 	struct mutex eep_lock;
 	uint64_t traffic_wds;
-	/* active time is kept in seconds, but logged in hours */
-	atomic_t active_time;
-	/* Below are nominal shadow of EEPROM, new since last EEPROM update */
-	uint8_t eep_st_errs[QIB_EEP_LOG_CNT];
-	uint8_t eep_st_new_errs[QIB_EEP_LOG_CNT];
-	uint16_t eep_hrs;
 	/*
 	 * masks for which bits of errs, hwerrs that cause
 	 * each of the counters to increment.
@@ -1309,8 +1303,7 @@ int qib_twsi_blk_rd(struct qib_devdata *
 int qib_twsi_blk_wr(struct qib_devdata *dd, int dev, int addr,
 		    const void *buffer, int len);
 void qib_get_eeprom_info(struct qib_devdata *);
-int qib_update_eeprom_log(struct qib_devdata *dd);
-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr);
+#define qib_inc_eeprom_err(dd, eidx, incr)
 void qib_dump_lookup_output_queue(struct qib_devdata *);
 void qib_force_pio_avail_update(struct qib_devdata *);
 void qib_clear_symerror_on_linkup(unsigned long opaque);
--- a/drivers/infiniband/hw/qib/qib_eeprom.c
+++ b/drivers/infiniband/hw/qib/qib_eeprom.c
@@ -267,190 +267,9 @@ void qib_get_eeprom_info(struct qib_devd
 			"Board SN %s did not pass functional test: %s\n",
 			dd->serial, ifp->if_comment);
 
-	memcpy(&dd->eep_st_errs, &ifp->if_errcntp, QIB_EEP_LOG_CNT);
-	/*
-	 * Power-on (actually "active") hours are kept as little-endian value
-	 * in EEPROM, but as seconds in a (possibly as small as 24-bit)
-	 * atomic_t while running.
-	 */
-	atomic_set(&dd->active_time, 0);
-	dd->eep_hrs = ifp->if_powerhour[0] | (ifp->if_powerhour[1] << 8);
-
 done:
 	vfree(buf);
 
 bail:;
 }
 
-/**
- * qib_update_eeprom_log - copy active-time and error counters to eeprom
- * @dd: the qlogic_ib device
- *
- * Although the time is kept as seconds in the qib_devdata struct, it is
- * rounded to hours for re-write, as we have only 16 bits in EEPROM.
- * First-cut code reads whole (expected) struct qib_flash, modifies,
- * re-writes. Future direction: read/write only what we need, assuming
- * that the EEPROM had to have been "good enough" for driver init, and
- * if not, we aren't making it worse.
- *
- */
-int qib_update_eeprom_log(struct qib_devdata *dd)
-{
-	void *buf;
-	struct qib_flash *ifp;
-	int len, hi_water;
-	uint32_t new_time, new_hrs;
-	u8 csum;
-	int ret, idx;
-	unsigned long flags;
-
-	/* first, check if we actually need to do anything. */
-	ret = 0;
-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
-		if (dd->eep_st_new_errs[idx]) {
-			ret = 1;
-			break;
-		}
-	}
-	new_time = atomic_read(&dd->active_time);
-
-	if (ret == 0 && new_time < 3600)
-		goto bail;
-
-	/*
-	 * The quick-check above determined that there is something worthy
-	 * of logging, so get current contents and do a more detailed idea.
-	 * read full flash, not just currently used part, since it may have
-	 * been written with a newer definition
-	 */
-	len = sizeof(struct qib_flash);
-	buf = vmalloc(len);
-	ret = 1;
-	if (!buf) {
-		qib_dev_err(dd,
-			"Couldn't allocate memory to read %u bytes from eeprom for logging\n",
-			len);
-		goto bail;
-	}
-
-	/* Grab semaphore and read current EEPROM. If we get an
-	 * error, let go, but if not, keep it until we finish write.
-	 */
-	ret = mutex_lock_interruptible(&dd->eep_lock);
-	if (ret) {
-		qib_dev_err(dd, "Unable to acquire EEPROM for logging\n");
-		goto free_bail;
-	}
-	ret = qib_twsi_blk_rd(dd, dd->twsi_eeprom_dev, 0, buf, len);
-	if (ret) {
-		mutex_unlock(&dd->eep_lock);
-		qib_dev_err(dd, "Unable read EEPROM for logging\n");
-		goto free_bail;
-	}
-	ifp = (struct qib_flash *)buf;
-
-	csum = flash_csum(ifp, 0);
-	if (csum != ifp->if_csum) {
-		mutex_unlock(&dd->eep_lock);
-		qib_dev_err(dd, "EEPROM cks err (0x%02X, S/B 0x%02X)\n",
-			    csum, ifp->if_csum);
-		ret = 1;
-		goto free_bail;
-	}
-	hi_water = 0;
-	spin_lock_irqsave(&dd->eep_st_lock, flags);
-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
-		int new_val = dd->eep_st_new_errs[idx];
-		if (new_val) {
-			/*
-			 * If we have seen any errors, add to EEPROM values
-			 * We need to saturate at 0xFF (255) and we also
-			 * would need to adjust the checksum if we were
-			 * trying to minimize EEPROM traffic
-			 * Note that we add to actual current count in EEPROM,
-			 * in case it was altered while we were running.
-			 */
-			new_val += ifp->if_errcntp[idx];
-			if (new_val > 0xFF)
-				new_val = 0xFF;
-			if (ifp->if_errcntp[idx] != new_val) {
-				ifp->if_errcntp[idx] = new_val;
-				hi_water = offsetof(struct qib_flash,
-						    if_errcntp) + idx;
-			}
-			/*
-			 * update our shadow (used to minimize EEPROM
-			 * traffic), to match what we are about to write.
-			 */
-			dd->eep_st_errs[idx] = new_val;
-			dd->eep_st_new_errs[idx] = 0;
-		}
-	}
-	/*
-	 * Now update active-time. We would like to round to the nearest hour
-	 * but unless atomic_t are sure to be proper signed ints we cannot,
-	 * because we need to account for what we "transfer" to EEPROM and
-	 * if we log an hour at 31 minutes, then we would need to set
-	 * active_time to -29 to accurately count the _next_ hour.
-	 */
-	if (new_time >= 3600) {
-		new_hrs = new_time / 3600;
-		atomic_sub((new_hrs * 3600), &dd->active_time);
-		new_hrs += dd->eep_hrs;
-		if (new_hrs > 0xFFFF)
-			new_hrs = 0xFFFF;
-		dd->eep_hrs = new_hrs;
-		if ((new_hrs & 0xFF) != ifp->if_powerhour[0]) {
-			ifp->if_powerhour[0] = new_hrs & 0xFF;
-			hi_water = offsetof(struct qib_flash, if_powerhour);
-		}
-		if ((new_hrs >> 8) != ifp->if_powerhour[1]) {
-			ifp->if_powerhour[1] = new_hrs >> 8;
-			hi_water = offsetof(struct qib_flash, if_powerhour) + 1;
-		}
-	}
-	/*
-	 * There is a tiny possibility that we could somehow fail to write
-	 * the EEPROM after updating our shadows, but problems from holding
-	 * the spinlock too long are a much bigger issue.
-	 */
-	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
-	if (hi_water) {
-		/* we made some change to the data, uopdate cksum and write */
-		csum = flash_csum(ifp, 1);
-		ret = eeprom_write_with_enable(dd, 0, buf, hi_water + 1);
-	}
-	mutex_unlock(&dd->eep_lock);
-	if (ret)
-		qib_dev_err(dd, "Failed updating EEPROM\n");
-
-free_bail:
-	vfree(buf);
-bail:
-	return ret;
-}
-
-/**
- * qib_inc_eeprom_err - increment one of the four error counters
- * that are logged to EEPROM.
- * @dd: the qlogic_ib device
- * @eidx: 0..3, the counter to increment
- * @incr: how much to add
- *
- * Each counter is 8-bits, and saturates at 255 (0xFF). They
- * are copied to the EEPROM (aka flash) whenever qib_update_eeprom_log()
- * is called, but it can only be called in a context that allows sleep.
- * This function can be called even at interrupt level.
- */
-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr)
-{
-	uint new_val;
-	unsigned long flags;
-
-	spin_lock_irqsave(&dd->eep_st_lock, flags);
-	new_val = dd->eep_st_new_errs[eidx] + incr;
-	if (new_val > 255)
-		new_val = 255;
-	dd->eep_st_new_errs[eidx] = new_val;
-	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
-}
--- a/drivers/infiniband/hw/qib/qib_iba6120.c
+++ b/drivers/infiniband/hw/qib/qib_iba6120.c
@@ -2681,8 +2681,6 @@ static void qib_get_6120_faststats(unsig
 	spin_lock_irqsave(&dd->eep_st_lock, flags);
 	traffic_wds -= dd->traffic_wds;
 	dd->traffic_wds += traffic_wds;
-	if (traffic_wds  >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
-		atomic_add(5, &dd->active_time); /* S/B #define */
 	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
 
 	qib_chk_6120_errormask(dd);
--- a/drivers/infiniband/hw/qib/qib_iba7220.c
+++ b/drivers/infiniband/hw/qib/qib_iba7220.c
@@ -3297,8 +3297,6 @@ static void qib_get_7220_faststats(unsig
 	spin_lock_irqsave(&dd->eep_st_lock, flags);
 	traffic_wds -= dd->traffic_wds;
 	dd->traffic_wds += traffic_wds;
-	if (traffic_wds  >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
-		atomic_add(5, &dd->active_time); /* S/B #define */
 	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
 done:
 	mod_timer(&dd->stats_timer, jiffies + HZ * ACTIVITY_TIMER);
--- a/drivers/infiniband/hw/qib/qib_iba7322.c
+++ b/drivers/infiniband/hw/qib/qib_iba7322.c
@@ -5178,8 +5178,6 @@ static void qib_get_7322_faststats(unsig
 		spin_lock_irqsave(&ppd->dd->eep_st_lock, flags);
 		traffic_wds -= ppd->dd->traffic_wds;
 		ppd->dd->traffic_wds += traffic_wds;
-		if (traffic_wds >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
-			atomic_add(ACTIVITY_TIMER, &ppd->dd->active_time);
 		spin_unlock_irqrestore(&ppd->dd->eep_st_lock, flags);
 		if (ppd->cpspec->qdr_dfe_on && (ppd->link_speed_active &
 						QIB_IB_QDR) &&
--- a/drivers/infiniband/hw/qib/qib_init.c
+++ b/drivers/infiniband/hw/qib/qib_init.c
@@ -931,7 +931,6 @@ static void qib_shutdown_device(struct q
 		qib_free_pportdata(ppd);
 	}
 
-	qib_update_eeprom_log(dd);
 }
 
 /**
--- a/drivers/infiniband/hw/qib/qib_sysfs.c
+++ b/drivers/infiniband/hw/qib/qib_sysfs.c
@@ -611,28 +611,6 @@ bail:
 	return ret < 0 ? ret : count;
 }
 
-static ssize_t show_logged_errs(struct device *device,
-				struct device_attribute *attr, char *buf)
-{
-	struct qib_ibdev *dev =
-		container_of(device, struct qib_ibdev, ibdev.dev);
-	struct qib_devdata *dd = dd_from_dev(dev);
-	int idx, count;
-
-	/* force consistency with actual EEPROM */
-	if (qib_update_eeprom_log(dd) != 0)
-		return -ENXIO;
-
-	count = 0;
-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
-		count += scnprintf(buf + count, PAGE_SIZE - count, "%d%c",
-				   dd->eep_st_errs[idx],
-				   idx == (QIB_EEP_LOG_CNT - 1) ? '\n' : ' ');
-	}
-
-	return count;
-}
-
 /*
  * Dump tempsense regs. in decimal, to ease shell-scripts.
  */
@@ -679,7 +657,6 @@ static DEVICE_ATTR(nctxts, S_IRUGO, show
 static DEVICE_ATTR(nfreectxts, S_IRUGO, show_nfreectxts, NULL);
 static DEVICE_ATTR(serial, S_IRUGO, show_serial, NULL);
 static DEVICE_ATTR(boardversion, S_IRUGO, show_boardversion, NULL);
-static DEVICE_ATTR(logged_errors, S_IRUGO, show_logged_errs, NULL);
 static DEVICE_ATTR(tempsense, S_IRUGO, show_tempsense, NULL);
 static DEVICE_ATTR(localbus_info, S_IRUGO, show_localbus_info, NULL);
 static DEVICE_ATTR(chip_reset, S_IWUSR, NULL, store_chip_reset);
@@ -693,7 +670,6 @@ static struct device_attribute *qib_attr
 	&dev_attr_nfreectxts,
 	&dev_attr_serial,
 	&dev_attr_boardversion,
-	&dev_attr_logged_errors,
 	&dev_attr_tempsense,
 	&dev_attr_localbus_info,
 	&dev_attr_chip_reset,



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 119/177] IB/iser: Fix memory regions possible leak
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 118/177] IB/qib: Do not write EEPROM Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 120/177] IB/iser: Use correct dma direction when unmapping SGs Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Or Gerlitz, Sagi Grimberg, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sagi Grimberg <sagig@mellanox.com>

commit 6606e6a2ff2710b473838b291dc533cd8fc1471f upstream.

When teardown process starts during live IO, we need to keep the
memory regions pool (frmr/fmr) until all in-flight tasks are properly
released, since each task may return a memory region to the pool. In
order to do this, we pass a destroy flag to iser_free_ib_conn_res to
indicate we can destroy the device and the memory regions
pool. iser_conn_release will pass it as true and also DEVICE_REMOVAL
event (we need to let the device to properly remove).

Also, Since we conditionally call iser_free_rx_descriptors,
remove the extra check on iser_conn->rx_descs.

Fixes: 5426b1711fd0 ("IB/iser: Collapse cleanup and disconnect handlers")
Reported-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/iser/iser_initiator.c |    4 ----
 drivers/infiniband/ulp/iser/iser_verbs.c     |   25 ++++++++++++++-----------
 2 files changed, 14 insertions(+), 15 deletions(-)

--- a/drivers/infiniband/ulp/iser/iser_initiator.c
+++ b/drivers/infiniband/ulp/iser/iser_initiator.c
@@ -320,9 +320,6 @@ void iser_free_rx_descriptors(struct ise
 	struct ib_conn *ib_conn = &iser_conn->ib_conn;
 	struct iser_device *device = ib_conn->device;
 
-	if (!iser_conn->rx_descs)
-		goto free_login_buf;
-
 	if (device->iser_free_rdma_reg_res)
 		device->iser_free_rdma_reg_res(ib_conn);
 
@@ -334,7 +331,6 @@ void iser_free_rx_descriptors(struct ise
 	/* make sure we never redo any unmapping */
 	iser_conn->rx_descs = NULL;
 
-free_login_buf:
 	iser_free_login_buf(iser_conn);
 }
 
--- a/drivers/infiniband/ulp/iser/iser_verbs.c
+++ b/drivers/infiniband/ulp/iser/iser_verbs.c
@@ -600,16 +600,16 @@ void iser_release_work(struct work_struc
 /**
  * iser_free_ib_conn_res - release IB related resources
  * @iser_conn: iser connection struct
- * @destroy_device: indicator if we need to try to release
- *     the iser device (only iscsi shutdown and DEVICE_REMOVAL
- *     will use this.
+ * @destroy: indicator if we need to try to release the
+ *     iser device and memory regoins pool (only iscsi
+ *     shutdown and DEVICE_REMOVAL will use this).
  *
  * This routine is called with the iser state mutex held
  * so the cm_id removal is out of here. It is Safe to
  * be invoked multiple times.
  */
 static void iser_free_ib_conn_res(struct iser_conn *iser_conn,
-				  bool destroy_device)
+				  bool destroy)
 {
 	struct ib_conn *ib_conn = &iser_conn->ib_conn;
 	struct iser_device *device = ib_conn->device;
@@ -617,17 +617,20 @@ static void iser_free_ib_conn_res(struct
 	iser_info("freeing conn %p cma_id %p qp %p\n",
 		  iser_conn, ib_conn->cma_id, ib_conn->qp);
 
-	iser_free_rx_descriptors(iser_conn);
-
 	if (ib_conn->qp != NULL) {
 		ib_conn->comp->active_qps--;
 		rdma_destroy_qp(ib_conn->cma_id);
 		ib_conn->qp = NULL;
 	}
 
-	if (destroy_device && device != NULL) {
-		iser_device_try_release(device);
-		ib_conn->device = NULL;
+	if (destroy) {
+		if (iser_conn->rx_descs)
+			iser_free_rx_descriptors(iser_conn);
+
+		if (device != NULL) {
+			iser_device_try_release(device);
+			ib_conn->device = NULL;
+		}
 	}
 }
 
@@ -840,7 +843,7 @@ static void iser_disconnected_handler(st
 }
 
 static void iser_cleanup_handler(struct rdma_cm_id *cma_id,
-				 bool destroy_device)
+				 bool destroy)
 {
 	struct iser_conn *iser_conn = (struct iser_conn *)cma_id->context;
 
@@ -850,7 +853,7 @@ static void iser_cleanup_handler(struct
 	 * and flush errors.
 	 */
 	iser_disconnected_handler(cma_id);
-	iser_free_ib_conn_res(iser_conn, destroy_device);
+	iser_free_ib_conn_res(iser_conn, destroy);
 	complete(&iser_conn->ib_completion);
 };
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 120/177] IB/iser: Use correct dma direction when unmapping SGs
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 119/177] IB/iser: Fix memory regions possible leak Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 121/177] IB/mlx5: Fix error code in get_port_caps() Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roi Dayan, Or Gerlitz, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roi Dayan <roid@mellanox.com>

commit c6c95ef4cec680f7a10aa425a9970744b35b6489 upstream.

We always unmap SGs with the same direction instead of unmapping
with the direction the mapping was done, fix that.

Fixes: 9a8b08fad2ef ("IB/iser: Generalize iser_unmap_task_data and [...]")
Signed-off-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/iser/iscsi_iser.h     |    4 +++-
 drivers/infiniband/ulp/iser/iser_initiator.c |   12 ++++++++----
 drivers/infiniband/ulp/iser/iser_memory.c    |    9 ++++++---
 3 files changed, 17 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/ulp/iser/iscsi_iser.h
+++ b/drivers/infiniband/ulp/iser/iscsi_iser.h
@@ -654,7 +654,9 @@ int iser_dma_map_task_data(struct iscsi_
 			   enum dma_data_direction dma_dir);
 
 void iser_dma_unmap_task_data(struct iscsi_iser_task *iser_task,
-			      struct iser_data_buf *data);
+			      struct iser_data_buf *data,
+			      enum dma_data_direction dir);
+
 int  iser_initialize_task_headers(struct iscsi_task *task,
 			struct iser_tx_desc *tx_desc);
 int iser_alloc_rx_descriptors(struct iser_conn *iser_conn,
--- a/drivers/infiniband/ulp/iser/iser_initiator.c
+++ b/drivers/infiniband/ulp/iser/iser_initiator.c
@@ -710,19 +710,23 @@ void iser_task_rdma_finalize(struct iscs
 		device->iser_unreg_rdma_mem(iser_task, ISER_DIR_IN);
 		if (is_rdma_data_aligned)
 			iser_dma_unmap_task_data(iser_task,
-						 &iser_task->data[ISER_DIR_IN]);
+						 &iser_task->data[ISER_DIR_IN],
+						 DMA_FROM_DEVICE);
 		if (prot_count && is_rdma_prot_aligned)
 			iser_dma_unmap_task_data(iser_task,
-						 &iser_task->prot[ISER_DIR_IN]);
+						 &iser_task->prot[ISER_DIR_IN],
+						 DMA_FROM_DEVICE);
 	}
 
 	if (iser_task->dir[ISER_DIR_OUT]) {
 		device->iser_unreg_rdma_mem(iser_task, ISER_DIR_OUT);
 		if (is_rdma_data_aligned)
 			iser_dma_unmap_task_data(iser_task,
-						 &iser_task->data[ISER_DIR_OUT]);
+						 &iser_task->data[ISER_DIR_OUT],
+						 DMA_TO_DEVICE);
 		if (prot_count && is_rdma_prot_aligned)
 			iser_dma_unmap_task_data(iser_task,
-						 &iser_task->prot[ISER_DIR_OUT]);
+						 &iser_task->prot[ISER_DIR_OUT],
+						 DMA_TO_DEVICE);
 	}
 }
--- a/drivers/infiniband/ulp/iser/iser_memory.c
+++ b/drivers/infiniband/ulp/iser/iser_memory.c
@@ -332,12 +332,13 @@ int iser_dma_map_task_data(struct iscsi_
 }
 
 void iser_dma_unmap_task_data(struct iscsi_iser_task *iser_task,
-			      struct iser_data_buf *data)
+			      struct iser_data_buf *data,
+			      enum dma_data_direction dir)
 {
 	struct ib_device *dev;
 
 	dev = iser_task->iser_conn->ib_conn.device->ib_device;
-	ib_dma_unmap_sg(dev, data->buf, data->size, DMA_FROM_DEVICE);
+	ib_dma_unmap_sg(dev, data->buf, data->size, dir);
 }
 
 static int fall_to_bounce_buf(struct iscsi_iser_task *iser_task,
@@ -357,7 +358,9 @@ static int fall_to_bounce_buf(struct isc
 		iser_data_buf_dump(mem, ibdev);
 
 	/* unmap the command data before accessing it */
-	iser_dma_unmap_task_data(iser_task, mem);
+	iser_dma_unmap_task_data(iser_task, mem,
+				 (cmd_dir == ISER_DIR_OUT) ?
+				 DMA_TO_DEVICE : DMA_FROM_DEVICE);
 
 	/* allocate copy buf, if we are writing, copy the */
 	/* unaligned scatterlist, dma map the copy        */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 121/177] IB/mlx5: Fix error code in get_port_caps()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 120/177] IB/iser: Use correct dma direction when unmapping SGs Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 122/177] IB/mlx4: Fix memory leak in __mlx4_ib_modify_qp Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f614fc15ae39ceb531586e3969f2b99fd23182a0 upstream.

The current code returns success when kmalloc() fails.  It should
return an error code, -ENOMEM.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx5/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -997,7 +997,7 @@ static int get_port_caps(struct mlx5_ib_
 	struct ib_device_attr *dprops = NULL;
 	struct ib_port_attr *pprops = NULL;
 	struct mlx5_general_caps *gen;
-	int err = 0;
+	int err = -ENOMEM;
 	int port;
 
 	gen = &dev->mdev->caps.gen;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 122/177] IB/mlx4: Fix memory leak in __mlx4_ib_modify_qp
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 121/177] IB/mlx5: Fix error code in get_port_caps() Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 123/177] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Majd Dibbiny, Or Gerlitz, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Majd Dibbiny <majd@mellanox.com>

commit bede98e781747623ae170667694a71ef19c6ba7f upstream.

In case handle_eth_ud_smac_index fails, we need to free the allocated resources.

Fixes: 2f5bb473681b ("mlx4: Add ref counting to port MAC table for RoCE")
Signed-off-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx4/qp.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1674,8 +1674,10 @@ static int __mlx4_ib_modify_qp(struct ib
 			    qp->mlx4_ib_qp_type == MLX4_IB_QPT_PROXY_GSI ||
 			    qp->mlx4_ib_qp_type == MLX4_IB_QPT_TUN_GSI) {
 				err = handle_eth_ud_smac_index(dev, qp, (u8 *)attr->smac, context);
-				if (err)
-					return -EINVAL;
+				if (err) {
+					err = -EINVAL;
+					goto out;
+				}
 				if (qp->mlx4_ib_qp_type == MLX4_IB_QPT_PROXY_GSI)
 					dev->qp1_proxy[qp->port - 1] = qp;
 			}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 123/177] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 122/177] IB/mlx4: Fix memory leak in __mlx4_ib_modify_qp Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 124/177] IB/core: Fix deadlock on uverbs modify_qp error flow Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Carol Soto, Or Gerlitz, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Or Gerlitz <ogerlitz@mellanox.com>

commit e9a7faf11af94957e5107b40af46c2e329541510 upstream.

The MLX4_PROT_IB_IPV4 protocol should only be used with RoCEv2 and such.
Removing this wrong usage allows to run multicast applications over RoCE.

Fixes: d487ee77740c ("IB/mlx4: Use IBoE (RoCE) IP based GIDs in the port GID table")
Reported-by: Carol Soto <clsoto@linux.vnet.ibm.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx4/main.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1222,8 +1222,7 @@ static int mlx4_ib_mcg_attach(struct ib_
 	struct mlx4_ib_qp *mqp = to_mqp(ibqp);
 	u64 reg_id;
 	struct mlx4_ib_steering *ib_steering = NULL;
-	enum mlx4_protocol prot = (gid->raw[1] == 0x0e) ?
-		MLX4_PROT_IB_IPV4 : MLX4_PROT_IB_IPV6;
+	enum mlx4_protocol prot = MLX4_PROT_IB_IPV6;
 
 	if (mdev->dev->caps.steering_mode ==
 	    MLX4_STEERING_MODE_DEVICE_MANAGED) {
@@ -1236,8 +1235,10 @@ static int mlx4_ib_mcg_attach(struct ib_
 				    !!(mqp->flags &
 				       MLX4_IB_QP_BLOCK_MULTICAST_LOOPBACK),
 				    prot, &reg_id);
-	if (err)
+	if (err) {
+		pr_err("multicast attach op failed, err %d\n", err);
 		goto err_malloc;
+	}
 
 	err = add_gid_entry(ibqp, gid);
 	if (err)
@@ -1285,8 +1286,7 @@ static int mlx4_ib_mcg_detach(struct ib_
 	struct net_device *ndev;
 	struct mlx4_ib_gid_entry *ge;
 	u64 reg_id = 0;
-	enum mlx4_protocol prot = (gid->raw[1] == 0x0e) ?
-		MLX4_PROT_IB_IPV4 : MLX4_PROT_IB_IPV6;
+	enum mlx4_protocol prot =  MLX4_PROT_IB_IPV6;
 
 	if (mdev->dev->caps.steering_mode ==
 	    MLX4_STEERING_MODE_DEVICE_MANAGED) {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 124/177] IB/core: Fix deadlock on uverbs modify_qp error flow
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 123/177] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 125/177] IB/core: Properly handle registration of on-demand paging MRs after dereg Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Moshe Lazer, Or Gerlitz, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Moshe Lazer <moshel@mellanox.com>

commit 0fb8bcf022f19a375d7c4bd79ac513da8ae6d78b upstream.

The deadlock occurs in __uverbs_modify_qp: we take a lock (idr_read_qp)
and in case of failure in ib_resolve_eth_l2_attrs we don't release
it (put_qp_read).  Fix that.

Fixes: ed4c54e5b4ba ("IB/core: Resolve Ethernet L2 addresses when modifying QP")
Signed-off-by: Moshe Lazer <moshel@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/uverbs_cmd.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2091,20 +2091,21 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
 	if (qp->real_qp == qp) {
 		ret = ib_resolve_eth_l2_attrs(qp, attr, &cmd.attr_mask);
 		if (ret)
-			goto out;
+			goto release_qp;
 		ret = qp->device->modify_qp(qp, attr,
 			modify_qp_mask(qp->qp_type, cmd.attr_mask), &udata);
 	} else {
 		ret = ib_modify_qp(qp, attr, modify_qp_mask(qp->qp_type, cmd.attr_mask));
 	}
 
-	put_qp_read(qp);
-
 	if (ret)
-		goto out;
+		goto release_qp;
 
 	ret = in_len;
 
+release_qp:
+	put_qp_read(qp);
+
 out:
 	kfree(attr);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 125/177] IB/core: Properly handle registration of on-demand paging MRs after dereg
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 124/177] IB/core: Fix deadlock on uverbs modify_qp error flow Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 126/177] IB/core: When marshaling ucma path from user-space, clear unused fields Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haggai Eran, Shachar Raindel, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Haggai Eran <haggaie@mellanox.com>

commit 4fc701ead77ede96df3e8b3de13fdf2b1326ee5b upstream.

When the last on-demand paging MR is released the notifier count is
left non-zero so that concurrent page faults will have to abort. If a
new MR is then registered, the counter is reset. However, the decision
is made to put the new MR in the list waiting for the notifier count
to reach zero, before the counter is reset. An invalidation or another
MR registration can release the MR to handle page faults, but without
such an event the MR can wait forever.

The patch fixes this issue by adding a check whether the MR is the
first on-demand paging MR when deciding whether it is ready to handle
page faults. If it is the first MR, we know that there are no mmu
notifiers running in parallel to the registration.

Fixes: 882214e2b128 ("IB/core: Implement support for MMU notifiers regarding on demand paging regions")
Signed-off-by: Haggai Eran <haggaie@mellanox.com>
Signed-off-by: Shachar Raindel <raindel@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/umem_odp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/umem_odp.c
+++ b/drivers/infiniband/core/umem_odp.c
@@ -294,7 +294,8 @@ int ib_umem_odp_get(struct ib_ucontext *
 	if (likely(ib_umem_start(umem) != ib_umem_end(umem)))
 		rbt_ib_umem_insert(&umem->odp_data->interval_tree,
 				   &context->umem_tree);
-	if (likely(!atomic_read(&context->notifier_count)))
+	if (likely(!atomic_read(&context->notifier_count)) ||
+	    context->odp_mrs_count == 1)
 		umem->odp_data->mn_counters_active = true;
 	else
 		list_add(&umem->odp_data->no_private_counters,



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 126/177] IB/core: When marshaling ucma path from user-space, clear unused fields
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 125/177] IB/core: Properly handle registration of on-demand paging MRs after dereg Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 127/177] nilfs2: fix potential memory overrun on inode Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilya Nelkenbaum, Or Gerlitz, Roland Dreier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Nelkenbaum <ilyan@mellanox.com>

commit c2be9dc0e0fa59cc43c2c7084fc42b430809a0fe upstream.

When marshaling a user path to the kernel struct ib_sa_path, we need
to zero smac and dmac and set the vlan id to the "no vlan" value.

This is to ensure that Ethernet attributes are not used with
InfiniBand QPs.

Fixes: dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures")
Signed-off-by: Ilya Nelkenbaum <ilyan@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1124,6 +1124,9 @@ static int ucma_set_ib_path(struct ucma_
 	if (!optlen)
 		return -EINVAL;
 
+	memset(&sa_path, 0, sizeof(sa_path));
+	sa_path.vlan_id = 0xffff;
+
 	ib_sa_unpack_path(path_data->path_rec, &sa_path);
 	ret = rdma_set_ib_paths(ctx->cm_id, &sa_path, 1);
 	if (ret)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 127/177] nilfs2: fix potential memory overrun on inode
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 126/177] IB/core: When marshaling ucma path from user-space, clear unused fields Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 128/177] wd719x: add missing .module to wd719x_template Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ryusuke Konishi, Andrew Morton,
	Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

commit 957ed60b53b519064a54988c4e31e0087e47d091 upstream.

Each inode of nilfs2 stores a root node of a b-tree, and it turned out to
have a memory overrun issue:

Each b-tree node of nilfs2 stores a set of key-value pairs and the number
of them (in "bn_nchildren" member of nilfs_btree_node struct), as well as
a few other "bn_*" members.

Since the value of "bn_nchildren" is used for operations on the key-values
within the b-tree node, it can cause memory access overrun if a large
number is incorrectly set to "bn_nchildren".

For instance, nilfs_btree_node_lookup() function determines the range of
binary search with it, and too large "bn_nchildren" leads
nilfs_btree_node_get_key() in that function to overrun.

As for intermediate b-tree nodes, this is prevented by a sanity check
performed when each node is read from a drive, however, no sanity check
has been done for root nodes stored in inodes.

This patch fixes the issue by adding missing sanity check against b-tree
root nodes so that it's called when on-memory inodes are read from ifile,
inode metadata file.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nilfs2/btree.c |   47 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)

--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -31,6 +31,8 @@
 #include "alloc.h"
 #include "dat.h"
 
+static void __nilfs_btree_init(struct nilfs_bmap *bmap);
+
 static struct nilfs_btree_path *nilfs_btree_alloc_path(void)
 {
 	struct nilfs_btree_path *path;
@@ -368,6 +370,34 @@ static int nilfs_btree_node_broken(const
 	return ret;
 }
 
+/**
+ * nilfs_btree_root_broken - verify consistency of btree root node
+ * @node: btree root node to be examined
+ * @ino: inode number
+ *
+ * Return Value: If node is broken, 1 is returned. Otherwise, 0 is returned.
+ */
+static int nilfs_btree_root_broken(const struct nilfs_btree_node *node,
+				   unsigned long ino)
+{
+	int level, flags, nchildren;
+	int ret = 0;
+
+	level = nilfs_btree_node_get_level(node);
+	flags = nilfs_btree_node_get_flags(node);
+	nchildren = nilfs_btree_node_get_nchildren(node);
+
+	if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+		     level > NILFS_BTREE_LEVEL_MAX ||
+		     nchildren < 0 ||
+		     nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
+		pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",
+			ino, level, flags, nchildren);
+		ret = 1;
+	}
+	return ret;
+}
+
 int nilfs_btree_broken_node_block(struct buffer_head *bh)
 {
 	int ret;
@@ -1713,7 +1743,7 @@ nilfs_btree_commit_convert_and_insert(st
 
 	/* convert and insert */
 	dat = NILFS_BMAP_USE_VBN(btree) ? nilfs_bmap_get_dat(btree) : NULL;
-	nilfs_btree_init(btree);
+	__nilfs_btree_init(btree);
 	if (nreq != NULL) {
 		nilfs_bmap_commit_alloc_ptr(btree, dreq, dat);
 		nilfs_bmap_commit_alloc_ptr(btree, nreq, dat);
@@ -2294,12 +2324,23 @@ static const struct nilfs_bmap_operation
 	.bop_gather_data	=	NULL,
 };
 
-int nilfs_btree_init(struct nilfs_bmap *bmap)
+static void __nilfs_btree_init(struct nilfs_bmap *bmap)
 {
 	bmap->b_ops = &nilfs_btree_ops;
 	bmap->b_nchildren_per_block =
 		NILFS_BTREE_NODE_NCHILDREN_MAX(nilfs_btree_node_size(bmap));
-	return 0;
+}
+
+int nilfs_btree_init(struct nilfs_bmap *bmap)
+{
+	int ret = 0;
+
+	__nilfs_btree_init(bmap);
+
+	if (nilfs_btree_root_broken(nilfs_btree_get_root(bmap),
+				    bmap->b_inode->i_ino))
+		ret = -EIO;
+	return ret;
 }
 
 void nilfs_btree_init_gc(struct nilfs_bmap *bmap)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 128/177] wd719x: add missing .module to wd719x_template
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 127/177] nilfs2: fix potential memory overrun on inode Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 129/177] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Zary, James Bottomley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Zary <linux@rainbow-software.org>

commit 2ecf8e0ae28cb22d434e628c351c6193fd75fafa upstream.

wd719x_template is missing the .module field, causing module refcount
not to work, allowing to rmmod the driver while in use (mounted filesystem),
causing an oops.

Set .module to THIS_MODULE to fix the problem.

Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/wd719x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/wd719x.c
+++ b/drivers/scsi/wd719x.c
@@ -870,6 +870,7 @@ fail_free_params:
 }
 
 static struct scsi_host_template wd719x_template = {
+	.module				= THIS_MODULE,
 	.name				= "Western Digital 719x",
 	.queuecommand			= wd719x_queuecommand,
 	.eh_abort_handler		= wd719x_abort,



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 129/177] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit.
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 128/177] wd719x: add missing .module to wd719x_template Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 130/177] clk: zynq: Force CPU_2X clock to be ungated Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Minh Tran, James Bottomley

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Minh Duc Tran <MinhDuc.Tran@Emulex.Com>

commit f76a610a8b4b6280eaedf48f3af9d5d74e418b66 upstream.

In reference to bug https://bugzilla.redhat.com/show_bug.cgi?id=1097141
Assert is seen with AMD cpu whenever calling pci_alloc_consistent.

[   29.406183] ------------[ cut here ]------------
[   29.410505] kernel BUG at lib/iommu-helper.c:13!

Signed-off-by: Minh Tran <minh.tran@emulex.com>
Fixes: 6733b39a1301b0b020bbcbf3295852e93e624cb1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/be2iscsi/be_main.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -586,7 +586,6 @@ static struct beiscsi_hba *beiscsi_hba_a
 			"beiscsi_hba_alloc - iscsi_host_alloc failed\n");
 		return NULL;
 	}
-	shost->dma_boundary = pcidev->dma_mask;
 	shost->max_id = BE2_MAX_SESSIONS;
 	shost->max_channel = 0;
 	shost->max_cmd_len = BEISCSI_MAX_CMD_LEN;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 130/177] clk: zynq: Force CPU_2X clock to be ungated
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 129/177] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 131/177] clk: Fix debugfs clk removal before inited Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Soren Brinkmann, Michael Turquette

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Soren Brinkmann <soren.brinkmann@xilinx.com>

commit 3dccfecdb867fe35b305a4e493ef5652b7d9d4cb upstream.

The CPU_2X clock does not have a classical in-kernel user, but is,
amongst other things, required for OCM and debug access. Make sure this
clock is not mistakenly disabled during boot up by enabling it in the
platform's clock driver.

Fixes: 0ee52b157b8e 'clk: zynq: Add clock controller driver'
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: Michael Turquette <mturquette@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/zynq/clkc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/zynq/clkc.c
+++ b/drivers/clk/zynq/clkc.c
@@ -303,6 +303,7 @@ static void __init zynq_clk_setup(struct
 	clks[cpu_2x] = clk_register_gate(NULL, clk_output_name[cpu_2x],
 			"cpu_2x_div", CLK_IGNORE_UNUSED, SLCR_ARM_CLK_CTRL,
 			26, 0, &armclk_lock);
+	clk_prepare_enable(clks[cpu_2x]);
 
 	clk = clk_register_fixed_factor(NULL, "cpu_1x_div", "cpu_div", 0, 1,
 			4 + 2 * tmp);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 131/177] clk: Fix debugfs clk removal before inited
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 130/177] clk: zynq: Force CPU_2X clock to be ungated Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.19 132/177] sunxi: clk: Set sun6i-pll1 n_start = 1 Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Kandagatla, Stephen Boyd,
	Michael Turquette

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

commit 52bba9809a954d72bc77773bd560b9724b495eb7 upstream.

Some of the clks can be registered & unregistered before the clk related debugfs
entries are initialized at late_initcall. In the unregister path checking for only
dentry before clk_debug_init() would lead dangling pointers in the debug clk list,
because the list is already populated in register path and the clk pointer freed in
unregister path.
The side effect of not removing it from the list is either a null pointer
dereference or if lucky to boot the system, the number of clk entries in
debugfs disappear.

We could add more checks like if (inited && !clk->dentry) but just removing
the check for dentry made more sense as debugfs_remove_recursive() seems to be
safe with null pointers. This will ensure that the unregistering clk would be
removed from the debug list in all the code paths.

Without this patch kernel would crash with log:
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c0204000
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Tainted: G    B          3.19.0-rc3-00007-g412f9ba-dirty #840
Hardware name: Qualcomm (Flattened Device Tree)
task: ed948000 ti: ed944000 task.ti: ed944000
PC is at strlen+0xc/0x40
LR is at __create_file+0x64/0x1dc
pc : [<c04ee604>]    lr : [<c049f1c4>]    psr: 60000013
sp : ed945e40  ip : ed945e50  fp : ed945e4c
r10: 00000000  r9 : c1006094  r8 : 00000000
r7 : 000041ed  r6 : 00000000  r5 : ed4af998  r4 : c11b5e28
r3 : 00000000  r2 : ed945e38  r1 : a0000013  r0 : 00000000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 10c5787d  Table: 8020406a  DAC: 00000015
Process swapper/0 (pid: 1, stack limit = 0xed944248)
Stack: (0xed945e40 to 0xed946000)
5e40: ed945e7c ed945e50 c049f1c4 c04ee604 c0fc2fa4 00000000 ecb748c0 c11c2b80
5e60: c0beec04 0000011c c0fc2fa4 00000000 ed945e94 ed945e80 c049f3e0 c049f16c
5e80: 00000000 00000000 ed945eac ed945e98 c08cbc50 c049f3c0 ecb748c0 c11c2b80
5ea0: ed945ed4 ed945eb0 c0fc3080 c08cbc30 c0beec04 c107e1d8 ecdf0600 c107e1d8
5ec0: c107e1d8 ecdf0600 ed945f54 ed945ed8 c0208ed4 c0fc2fb0 c026a784 c04ee628
5ee0: ed945f0c ed945ef0 c0f5d600 c04ee604 c0f5d5ec ef7fcc7d c0b40ecc 0000011c
5f00: ed945f54 ed945f10 c026a994 c0f5d5f8 c04ecc00 00000007 ef7fcc95 00000007
5f20: c0e90744 c0dd0884 ed945f54 c106cde0 00000007 c117f8c0 0000011c c0f5d5ec
5f40: c1006094 c100609c ed945f94 ed945f58 c0f5de34 c0208e50 00000007 00000007
5f60: c0f5d5ec be9b5ae0 00000000 c117f8c0 c0af1680 00000000 00000000 00000000
5f80: 00000000 00000000 ed945fac ed945f98 c0af169c c0f5dd2c ed944000 00000000
5fa0: 00000000 ed945fb0 c020f298 c0af168c 00000000 00000000 00000000 00000000
5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ebcc6d33 bfffca73
[<c04ee604>] (strlen) from [<c049f1c4>] (__create_file+0x64/0x1dc)
[<c049f1c4>] (__create_file) from [<c049f3e0>] (debugfs_create_dir+0x2c/0x34)
[<c049f3e0>] (debugfs_create_dir) from [<c08cbc50>] (clk_debug_create_one+0x2c/0x16c)
[<c08cbc50>] (clk_debug_create_one) from [<c0fc3080>] (clk_debug_init+0xdc/0x144)
[<c0fc3080>] (clk_debug_init) from [<c0208ed4>] (do_one_initcall+0x90/0x1e0)
[<c0208ed4>] (do_one_initcall) from [<c0f5de34>] (kernel_init_freeable+0x114/0x1e0)
[<c0f5de34>] (kernel_init_freeable) from [<c0af169c>] (kernel_init+0x1c/0xfc)
[<c0af169c>] (kernel_init) from [<c020f298>] (ret_from_fork+0x14/0x3c)
Code: c0b40ecc e1a0c00d e92dd800 e24cb004 (e5d02000)
---[ end trace b940e45b5e25c1e7 ]---

Fixes: 6314b6796e3c "clk: Don't hold prepare_lock across debugfs creation"
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Michael Turquette <mturquette@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/clk.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -343,13 +343,9 @@ unlock:
 static void clk_debug_unregister(struct clk *clk)
 {
 	mutex_lock(&clk_debug_lock);
-	if (!clk->dentry)
-		goto out;
-
 	hlist_del_init(&clk->debug_node);
 	debugfs_remove_recursive(clk->dentry);
 	clk->dentry = NULL;
-out:
 	mutex_unlock(&clk_debug_lock);
 }
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 132/177] sunxi: clk: Set sun6i-pll1 n_start = 1
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 131/177] clk: Fix debugfs clk removal before inited Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 133/177] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Hans de Goede, Maxime Ripard

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 76820fcf7aa5a418b69cb7bed31b62d1feb1d6ad upstream.

For all pll-s on sun6i n == 0 means use a multiplier of 1, rather then 0 as
it means on sun4i / sun5i / sun7i. n_start = 1 is already correctly set
for sun6i pll6, but was missing for pll1, this commit fixes this.

Cc: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/sunxi/clk-sunxi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/sunxi/clk-sunxi.c
+++ b/drivers/clk/sunxi/clk-sunxi.c
@@ -413,6 +413,7 @@ static struct clk_factors_config sun6i_a
 	.kwidth = 2,
 	.mshift = 0,
 	.mwidth = 2,
+	.n_start = 1,
 };
 
 static struct clk_factors_config sun8i_a23_pll1_config = {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 133/177] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.19 132/177] sunxi: clk: Set sun6i-pll1 n_start = 1 Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 134/177] dm mirror: do not degrade the mirror on discard error Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ian Abbott, H Hartley Sweeten

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 42b8ce6f55facfa101462e694d33fc6bca471138 upstream.

`do_cmd_ioctl()` in "comedi_fops.c" handles the `COMEDI_CMD` ioctl.
This returns `-EAGAIN` if it has copied a modified `struct comedi_cmd`
back to user-space.  (This occurs when the low-level Comedi driver's
`do_cmdtest()` handler returns non-zero to indicate a problem with the
contents of the `struct comedi_cmd`, or when the `struct comedi_cmd` has
the `CMDF_BOGUS` flag set.)

`compat_cmd()` in "comedi_compat32.c" handles the 32-bit compatible
version of the `COMEDI_CMD` ioctl.  Currently, it never copies a 32-bit
compatible version of `struct comedi_cmd` back to user-space, which is
at odds with the way the regular `COMEDI_CMD` ioctl is handled.  To fix
it, change `compat_cmd()` to copy a 32-bit compatible version of the
`struct comedi_cmd` back to user-space when the main ioctl handler
returns `-EAGAIN`.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/comedi_compat32.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/staging/comedi/comedi_compat32.c
+++ b/drivers/staging/comedi/comedi_compat32.c
@@ -262,7 +262,7 @@ static int compat_cmd(struct file *file,
 {
 	struct comedi_cmd __user *cmd;
 	struct comedi32_cmd_struct __user *cmd32;
-	int rc;
+	int rc, err;
 
 	cmd32 = compat_ptr(arg);
 	cmd = compat_alloc_user_space(sizeof(*cmd));
@@ -271,7 +271,15 @@ static int compat_cmd(struct file *file,
 	if (rc)
 		return rc;
 
-	return translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd);
+	rc = translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd);
+	if (rc == -EAGAIN) {
+		/* Special case: copy cmd back to user. */
+		err = put_compat_cmd(cmd32, cmd);
+		if (err)
+			rc = err;
+	}
+
+	return rc;
 }
 
 /* Handle 32-bit COMEDI_CMDTEST ioctl. */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 134/177] dm mirror: do not degrade the mirror on discard error
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 133/177] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 135/177] dm io: reject unsupported DISCARD requests with EOPNOTSUPP Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit f2ed51ac64611d717d1917820a01930174c2f236 upstream.

It may be possible that a device claims discard support but it rejects
discards with -EOPNOTSUPP.  It happens when using loopback on ext2/ext3
filesystem driven by the ext4 driver.  It may also happen if the
underlying devices are moved from one disk on another.

If discard error happens, we reject the bio with -EOPNOTSUPP, but we do
not degrade the array.

This patch fixes failed test shell/lvconvert-repair-transient.sh in the
lvm2 testsuite if the testsuite is extracted on an ext2 or ext3
filesystem and it is being driven by the ext4 driver.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-raid1.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -604,6 +604,15 @@ static void write_callback(unsigned long
 		return;
 	}
 
+	/*
+	 * If the bio is discard, return an error, but do not
+	 * degrade the array.
+	 */
+	if (bio->bi_rw & REQ_DISCARD) {
+		bio_endio(bio, -EOPNOTSUPP);
+		return;
+	}
+
 	for (i = 0; i < ms->nr_mirrors; i++)
 		if (test_bit(i, &error))
 			fail_mirror(ms->mirror + i, DM_RAID1_WRITE_ERROR);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 135/177] dm io: reject unsupported DISCARD requests with EOPNOTSUPP
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 134/177] dm mirror: do not degrade the mirror on discard error Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 136/177] dm: fix a race condition in dm_get_md Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Martin K. Petersen,
	Mike Snitzer

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit 37527b869207ad4c208b1e13967d69b8bba1fbf9 upstream.

I created a dm-raid1 device backed by a device that supports DISCARD
and another device that does NOT support DISCARD with the following
dm configuration:

 #  echo '0 2048 mirror core 1 512 2 /dev/sda 0 /dev/sdb 0' | dmsetup create moo
 # lsblk -D
 NAME         DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
 sda                 0        4K       1G         0
 `-moo (dm-0)        0        4K       1G         0
 sdb                 0        0B       0B         0
 `-moo (dm-0)        0        4K       1G         0

Notice that the mirror device /dev/mapper/moo advertises DISCARD
support even though one of the mirror halves doesn't.

If I issue a DISCARD request (via fstrim, mount -o discard, or ioctl
BLKDISCARD) through the mirror, kmirrord gets stuck in an infinite
loop in do_region() when it tries to issue a DISCARD request to sdb.
The problem is that when we call do_region() against sdb, num_sectors
is set to zero because q->limits.max_discard_sectors is zero.
Therefore, "remaining" never decreases and the loop never terminates.

To fix this: before entering the loop, check for the combination of
REQ_DISCARD and no discard and return -EOPNOTSUPP to avoid hanging up
the mirror device.

This bug was found by the unfortunate coincidence of pvmove and a
discard operation in the RHEL 6.5 kernel; upstream is also affected.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Acked-by: "Martin K. Petersen" <martin.petersen@oracle.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-io.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -290,6 +290,12 @@ static void do_region(int rw, unsigned r
 	unsigned short logical_block_size = queue_logical_block_size(q);
 	sector_t num_sectors;
 
+	/* Reject unsupported discard requests */
+	if ((rw & REQ_DISCARD) && !blk_queue_discard(q)) {
+		dec_count(io, region, -EOPNOTSUPP);
+		return;
+	}
+
 	/*
 	 * where->count may be zero if rw holds a flush and we need to
 	 * send a zero-sized flush.



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 136/177] dm: fix a race condition in dm_get_md
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 135/177] dm io: reject unsupported DISCARD requests with EOPNOTSUPP Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 137/177] dm snapshot: fix a possible invalid memory access on unload Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 2bec1f4a8832e74ebbe859f176d8a9cb20dd97f4 upstream.

The function dm_get_md finds a device mapper device with a given dev_t,
increases the reference count and returns the pointer.

dm_get_md calls dm_find_md, dm_find_md takes _minor_lock, finds the
device, tests that the device doesn't have DMF_DELETING or DMF_FREEING
flag, drops _minor_lock and returns pointer to the device. dm_get_md then
calls dm_get. dm_get calls BUG if the device has the DMF_FREEING flag,
otherwise it increments the reference count.

There is a possible race condition - after dm_find_md exits and before
dm_get is called, there are no locks held, so the device may disappear or
DMF_FREEING flag may be set, which results in BUG.

To fix this bug, we need to call dm_get while we hold _minor_lock. This
patch renames dm_find_md to dm_get_md and changes it so that it calls
dm_get while holding the lock.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm.c |   27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2462,7 +2462,7 @@ int dm_setup_md_queue(struct mapped_devi
 	return 0;
 }
 
-static struct mapped_device *dm_find_md(dev_t dev)
+struct mapped_device *dm_get_md(dev_t dev)
 {
 	struct mapped_device *md;
 	unsigned minor = MINOR(dev);
@@ -2473,12 +2473,15 @@ static struct mapped_device *dm_find_md(
 	spin_lock(&_minor_lock);
 
 	md = idr_find(&_minor_idr, minor);
-	if (md && (md == MINOR_ALLOCED ||
-		   (MINOR(disk_devt(dm_disk(md))) != minor) ||
-		   dm_deleting_md(md) ||
-		   test_bit(DMF_FREEING, &md->flags))) {
-		md = NULL;
-		goto out;
+	if (md) {
+		if ((md == MINOR_ALLOCED ||
+		     (MINOR(disk_devt(dm_disk(md))) != minor) ||
+		     dm_deleting_md(md) ||
+		     test_bit(DMF_FREEING, &md->flags))) {
+			md = NULL;
+			goto out;
+		}
+		dm_get(md);
 	}
 
 out:
@@ -2486,16 +2489,6 @@ out:
 
 	return md;
 }
-
-struct mapped_device *dm_get_md(dev_t dev)
-{
-	struct mapped_device *md = dm_find_md(dev);
-
-	if (md)
-		dm_get(md);
-
-	return md;
-}
 EXPORT_SYMBOL_GPL(dm_get_md);
 
 void *dm_get_mdptr(struct mapped_device *md)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 137/177] dm snapshot: fix a possible invalid memory access on unload
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 136/177] dm: fix a race condition in dm_get_md Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 138/177] firmware: dmi_scan: Fix dmi_len type Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 22aa66a3ee5b61e0f4a0bfeabcaa567861109ec3 upstream.

When the snapshot target is unloaded, snapshot_dtr() waits until
pending_exceptions_count drops to zero.  Then, it destroys the snapshot.
Therefore, the function that decrements pending_exceptions_count
should not touch the snapshot structure after the decrement.

pending_complete() calls free_pending_exception(), which decrements
pending_exceptions_count, and then it performs up_write(&s->lock) and it
calls retry_origin_bios() which dereferences  s->origin.  These two
memory accesses to the fields of the snapshot may touch the dm_snapshot
struture after it is freed.

This patch moves the call to free_pending_exception() to the end of
pending_complete(), so that the snapshot will not be destroyed while
pending_complete() is in progress.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-snap.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -1432,8 +1432,6 @@ out:
 		full_bio->bi_private = pe->full_bio_private;
 		atomic_inc(&full_bio->bi_remaining);
 	}
-	free_pending_exception(pe);
-
 	increment_pending_exceptions_done_count();
 
 	up_write(&s->lock);
@@ -1450,6 +1448,8 @@ out:
 	}
 
 	retry_origin_bios(s, origin_bios);
+
+	free_pending_exception(pe);
 }
 
 static void commit_callback(void *context, int success)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 138/177] firmware: dmi_scan: Fix dmi_len type
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 137/177] dm snapshot: fix a possible invalid memory access on unload Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 139/177] firmware: dmi_scan: Fix dmi scan to handle "End of Table" structure Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Ivan Khoronzhuk,
	Matt Fleming

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>

commit 6d9ff473317245e3e5cd9922b4520411c2296388 upstream.

According to SMBIOSv3 specification the length of DMI table can be
up to 32bits wide. So use appropriate type to avoid overflow.

It's obvious that dmi_num theoretically can be more than u16 also,
so it's can be changed to u32 or at least it's better to use int
instead of u16, but on that moment I cannot imagine dmi structure
count more than 65535 and it can require changing type of vars that
work with it. So I didn't correct it.

Acked-by: Ard Biesheuvel <ard@linaro.org>
Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/dmi_scan.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
@@ -78,7 +78,7 @@ static const char * __init dmi_string(co
  *	We have to be cautious here. We have seen BIOSes with DMI pointers
  *	pointing to completely the wrong place for example
  */
-static void dmi_table(u8 *buf, int len, int num,
+static void dmi_table(u8 *buf, u32 len, int num,
 		      void (*decode)(const struct dmi_header *, void *),
 		      void *private_data)
 {
@@ -114,7 +114,7 @@ static void dmi_table(u8 *buf, int len,
 }
 
 static phys_addr_t dmi_base;
-static u16 dmi_len;
+static u32 dmi_len;
 static u16 dmi_num;
 
 static int __init dmi_walk_early(void (*decode)(const struct dmi_header *,



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 139/177] firmware: dmi_scan: Fix dmi scan to handle "End of Table" structure
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 138/177] firmware: dmi_scan: Fix dmi_len type Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 140/177] staging: comedi: cb_pcidas64: fix incorrect AI range code handling Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Ivan Khoronzhuk,
	Matt Fleming

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>

commit ce204e9a4bd82e9e6e7479bca8057e45aaac5c42 upstream.

The dmi-sysfs should create "End of Table" entry, that is type 127. But
after adding initial SMBIOS v3 support fc43026278b2 ("dmi: add support
for SMBIOS 3.0 64-bit entry point") the 127-0 entry is not handled any
more, as result it's not created in dmi sysfs for instance. This is
important because the size of whole DMI table must correspond to sum of
all DMI entry sizes.

So move the end-of-table check after it's handled by dmi_table.

Reviewed-by: Ard Biesheuvel <ard@linaro.org>
Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/dmi_scan.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/firmware/dmi_scan.c
+++ b/drivers/firmware/dmi_scan.c
@@ -93,12 +93,6 @@ static void dmi_table(u8 *buf, u32 len,
 		const struct dmi_header *dm = (const struct dmi_header *)data;
 
 		/*
-		 * 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0]
-		 */
-		if (dm->type == DMI_ENTRY_END_OF_TABLE)
-			break;
-
-		/*
 		 *  We want to know the total length (formatted area and
 		 *  strings) before decoding to make sure we won't run off the
 		 *  table in dmi_decode or dmi_string
@@ -108,6 +102,13 @@ static void dmi_table(u8 *buf, u32 len,
 			data++;
 		if (data - buf < len - 1)
 			decode(dm, private_data);
+
+		/*
+		 * 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0]
+		 */
+		if (dm->type == DMI_ENTRY_END_OF_TABLE)
+			break;
+
 		data += 2;
 		i++;
 	}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 140/177] staging: comedi: cb_pcidas64: fix incorrect AI range code handling
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 139/177] firmware: dmi_scan: Fix dmi scan to handle "End of Table" structure Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 141/177] HID: input: fix confusion on conflicting mappings Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ian Abbott

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit be8e89087ec2d2c8a1ad1e3db64bf4efdfc3c298 upstream.

The hardware range code values and list of valid ranges for the AI
subdevice is incorrect for several supported boards.  The hardware range
code values for all boards except PCI-DAS4020/12 is determined by
calling `ai_range_bits_6xxx()` based on the maximum voltage of the range
and whether it is bipolar or unipolar, however it only returns the
correct hardware range code for the PCI-DAS60xx boards.  For
PCI-DAS6402/16 (and /12) it returns the wrong code for the unipolar
ranges.  For PCI-DAS64/Mx/16 it returns the wrong code for all the
ranges and the comedi range table is incorrect.

Change `ai_range_bits_6xxx()` to use a look-up table pointed to by new
member `ai_range_codes` of `struct pcidas64_board` to map the comedi
range table indices to the hardware range codes.  Use a new comedi range
table for the PCI-DAS64/Mx/16 boards (and the commented out variants).

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/cb_pcidas64.c |  124 ++++++++++++++++-----------
 1 file changed, 76 insertions(+), 48 deletions(-)

--- a/drivers/staging/comedi/drivers/cb_pcidas64.c
+++ b/drivers/staging/comedi/drivers/cb_pcidas64.c
@@ -439,6 +439,29 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_64xx[8] = {
+	0x0, 0x1, 0x2, 0x3,	/* bipolar 10, 5, 2,5, 1.25 */
+	0x8, 0x9, 0xa, 0xb	/* unipolar 10, 5, 2.5, 1.25 */
+};
+
+/* analog input ranges for 64-Mx boards */
+static const struct comedi_lrange ai_ranges_64_mx = {
+	7, {
+		BIP_RANGE(5),
+		BIP_RANGE(2.5),
+		BIP_RANGE(1.25),
+		BIP_RANGE(0.625),
+		UNI_RANGE(5),
+		UNI_RANGE(2.5),
+		UNI_RANGE(1.25)
+	}
+};
+
+static const uint8_t ai_range_code_64_mx[7] = {
+	0x0, 0x1, 0x2, 0x3,	/* bipolar 5, 2.5, 1.25, 0.625 */
+	0x9, 0xa, 0xb		/* unipolar 5, 2.5, 1.25 */
+};
+
 /* analog input ranges for 60xx boards */
 static const struct comedi_lrange ai_ranges_60xx = {
 	4, {
@@ -449,6 +472,10 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_60xx[4] = {
+	0x0, 0x1, 0x4, 0x7	/* bipolar 10, 5, 0.5, 0.05 */
+};
+
 /* analog input ranges for 6030, etc boards */
 static const struct comedi_lrange ai_ranges_6030 = {
 	14, {
@@ -469,6 +496,11 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_6030[14] = {
+	0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, /* bip 10, 5, 2, 1, 0.5, 0.2, 0.1 */
+	0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf  /* uni 10, 5, 2, 1, 0.5, 0.2, 0.1 */
+};
+
 /* analog input ranges for 6052, etc boards */
 static const struct comedi_lrange ai_ranges_6052 = {
 	15, {
@@ -490,6 +522,11 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_6052[15] = {
+	0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7,	/* bipolar 10 ... 0.05 */
+	0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf	/* unipolar 10 ... 0.1 */
+};
+
 /* analog input ranges for 4020 board */
 static const struct comedi_lrange ai_ranges_4020 = {
 	2, {
@@ -593,6 +630,7 @@ struct pcidas64_board {
 	int ai_bits;		/*  analog input resolution */
 	int ai_speed;		/*  fastest conversion period in ns */
 	const struct comedi_lrange *ai_range_table;
+	const uint8_t *ai_range_code;
 	int ao_nchan;		/*  number of analog out channels */
 	int ao_bits;		/*  analog output resolution */
 	int ao_scan_speed;	/*  analog output scan speed */
@@ -651,6 +689,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
 		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_code	= ai_range_code_64xx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -666,6 +705,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
 		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_code	= ai_range_code_64xx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -680,7 +720,8 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -695,7 +736,8 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -710,7 +752,8 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -725,6 +768,7 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -740,6 +784,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -754,6 +799,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -769,6 +815,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -784,6 +831,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -799,6 +847,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -812,6 +861,7 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
 		.has_8255	= 0,
 	},
@@ -823,6 +873,7 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
 		.has_8255	= 0,
 	},
@@ -835,6 +886,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 0,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
 		.has_8255	= 0,
 	},
@@ -848,6 +900,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -863,6 +916,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -878,6 +932,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 1000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -893,6 +948,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 3333,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -908,6 +964,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 1000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -923,6 +980,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 1000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -957,6 +1015,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
 		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_code	= ai_range_code_64xx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -968,7 +1027,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -980,7 +1040,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -992,7 +1053,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1004,7 +1066,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 2,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1016,7 +1079,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 2,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1028,7 +1092,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 2,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1115,45 +1180,8 @@ static unsigned int ai_range_bits_6xxx(c
 				       unsigned int range_index)
 {
 	const struct pcidas64_board *thisboard = dev->board_ptr;
-	const struct comedi_krange *range =
-		&thisboard->ai_range_table->range[range_index];
-	unsigned int bits = 0;
-
-	switch (range->max) {
-	case 10000000:
-		bits = 0x000;
-		break;
-	case 5000000:
-		bits = 0x100;
-		break;
-	case 2000000:
-	case 2500000:
-		bits = 0x200;
-		break;
-	case 1000000:
-	case 1250000:
-		bits = 0x300;
-		break;
-	case 500000:
-		bits = 0x400;
-		break;
-	case 200000:
-	case 250000:
-		bits = 0x500;
-		break;
-	case 100000:
-		bits = 0x600;
-		break;
-	case 50000:
-		bits = 0x700;
-		break;
-	default:
-		dev_err(dev->class_dev, "bug! in %s\n", __func__);
-		break;
-	}
-	if (range->min == 0)
-		bits += 0x900;
-	return bits;
+
+	return thisboard->ai_range_code[range_index] << 8;
 }
 
 static unsigned int hw_revision(const struct comedi_device *dev,



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 141/177] HID: input: fix confusion on conflicting mappings
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 140/177] staging: comedi: cb_pcidas64: fix incorrect AI range code handling Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 142/177] HID: fixup the conflicting keyboard mappings quirk Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adam Goode, Fredrik Hallenberg,
	David Herrmann, Jiri Kosina

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Herrmann <dh.herrmann@gmail.com>

commit 6ce901eb61aa30ba8565c62049ee80c90728ef14 upstream.

On an PC-101/103/104 keyboard (American layout) the 'Enter' key and its
neighbours look like this:

           +---+ +---+ +-------+
           | 1 | | 2 | |   5   |
           +---+ +---+ +-------+
             +---+ +-----------+
             | 3 | |     4     |
             +---+ +-----------+

On a PC-102/105 keyboard (European layout) it looks like this:

           +---+ +---+ +-------+
           | 1 | | 2 | |       |
           +---+ +---+ +-+  4  |
             +---+ +---+ |     |
             | 3 | | 5 | |     |
             +---+ +---+ +-----+

(Note that the number of keys is the same, but key '5' is moved down and
 the shape of key '4' is changed. Keys '1' to '3' are exactly the same.)

The keys 1-4 report the same scan-code in HID in both layouts, even though
the keysym they produce is usually different depending on the XKB-keymap
used by user-space.
However, key '5' (US 'backslash'/'pipe') reports 0x31 for the upper layout
and 0x32 for the lower layout, as defined by the HID spec. This is highly
confusing as the linux-input API uses a single keycode for both.

So far, this was never a problem as there never has been a keyboard with
both of those keys present at the same time. It would have to look
something like this:

           +---+ +---+ +-------+
           | 1 | | 2 | |  x31  |
           +---+ +---+ +-------+
             +---+ +---+ +-----+
             | 3 | |x32| |  4  |
             +---+ +---+ +-----+

HID can represent such a keyboard, but the linux-input API cannot.
Furthermore, any user-space mapping would be confused by this and,
luckily, no-one ever produced such hardware.

Now, the HID input layer fixed this mess by mapping both 0x31 and 0x32 to
the same keycode (KEY_BACKSLASH==0x2b). As only one of both physical keys
is present on a hardware, this works just fine.

Lets introduce hardware-vendors into this:
------------------------------------------

Unfortunately, it seems way to expensive to produce a different device for
American and European layouts. Therefore, hardware-vendors put both keys,
(0x31 and 0x32) on the same keyboard, but only one of them is hooked up
to the physical button, the other one is 'dead'.
This means, they can use the same hardware, with a different button-layout
and automatically produce the correct HID events for American *and*
European layouts. This is unproblematic for normal keyboards, as the
'dead' key will never report any KEY-DOWN events. But RollOver keyboards
send the whole matrix on each key-event, allowing n-key roll-over mode.
This means, we get a 0x31 and 0x32 event on each key-press. One of them
will always be 0, the other reports the real state. As we map both to the
same keycode, we will get spurious key-events, even though the real
key-state never changed.

The easiest way would be to blacklist 'dead' keys and never handle those.
We could simply read the 'country' tag of USB devices and blacklist either
key according to the layout. But... hardware vendors... want the same
device for all countries and thus many of them set 'country' to 0 for all
devices. Meh..

So we have to deal with this properly. As we cannot know which of the keys
is 'dead', we either need a heuristic and track those keys, or we simply
make use of our value-tracking for HID fields. We simply ignore HID events
for absolute data if the data didn't change. As HID tracks events on the
HID level, we haven't done the keycode translation, yet. Therefore, the
'dead' key is tracked independently of the real key, therefore, any events
on it will be ignored.

This patch simply discards any HID events for absolute data if it didn't
change compared to the last report. We need to ignore relative and
buffered-byte reports for obvious reasons. But those cannot be affected by
this bug, so we're fine.

Preferably, we'd do this filtering on the HID-core level. But this might
break a lot of custom drivers, if they do not follow the HID specs.
Therefore, we do this late in hid-input just before we inject it into the
input layer (which does the exact same filtering, but on the keycode
level).

If this turns out to break some devices, we might have to limit filtering
to EV_KEY events. But lets try to do the Right Thing first, and properly
filter any absolute data that didn't change.

This patch is tagged for 'stable' as it fixes a lot of n-key RollOver
hardware. We might wanna wait with backporting for a while, before we know
it doesn't break anything else, though.

Reported-by: Adam Goode <adam@spicenitz.org>
Reported-by: Fredrik Hallenberg <megahallon@gmail.com>
Tested-by: Fredrik Hallenberg <megahallon@gmail.com>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-input.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1104,6 +1104,22 @@ void hidinput_hid_event(struct hid_devic
 		return;
 	}
 
+	/*
+	 * Ignore reports for absolute data if the data didn't change. This is
+	 * not only an optimization but also fixes 'dead' key reports. Some
+	 * RollOver implementations for localized keys (like BACKSLASH/PIPE; HID
+	 * 0x31 and 0x32) report multiple keys, even though a localized keyboard
+	 * can only have one of them physically available. The 'dead' keys
+	 * report constant 0. As all map to the same keycode, they'd confuse
+	 * the input layer. If we filter the 'dead' keys on the HID level, we
+	 * skip the keycode translation and only forward real events.
+	 */
+	if (!(field->flags & (HID_MAIN_ITEM_RELATIVE |
+	                      HID_MAIN_ITEM_BUFFERED_BYTE)) &&
+	    usage->usage_index < field->maxusage &&
+	    value == field->value[usage->usage_index])
+		return;
+
 	/* report the usage code as scancode if the key status has changed */
 	if (usage->type == EV_KEY && !!test_bit(usage->code, input->key) != value)
 		input_event(input, EV_MSC, MSC_SCAN, usage->hid);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 142/177] HID: fixup the conflicting keyboard mappings quirk
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 141/177] HID: input: fix confusion on conflicting mappings Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 143/177] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fredrik Hallenberg, David Herrmann,
	Jiri Kosina

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Kosina <jkosina@suse.cz>

commit 8e7b341037db1835ee6eea64663013cbfcf33575 upstream.

The ignore check that got added in 6ce901eb61 ("HID: input: fix confusion
on conflicting mappings") needs to properly check for VARIABLE reports
as well (ARRAY reports should be ignored), otherwise legitimate keyboards
might break.

Fixes: 6ce901eb61 ("HID: input: fix confusion on conflicting mappings")
Reported-by: Fredrik Hallenberg <megahallon@gmail.com>
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-input.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1116,6 +1116,7 @@ void hidinput_hid_event(struct hid_devic
 	 */
 	if (!(field->flags & (HID_MAIN_ITEM_RELATIVE |
 	                      HID_MAIN_ITEM_BUFFERED_BYTE)) &&
+			      (field->flags & HID_MAIN_ITEM_VARIABLE) &&
 	    usage->usage_index < field->maxusage &&
 	    value == field->value[usage->usage_index])
 		return;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 143/177] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 142/177] HID: fixup the conflicting keyboard mappings quirk Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 144/177] drm/radeon: enable native backlight control on old macs Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gerecke, Benjamin Tissoires,
	Jiri Kosina

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gerecke <killertofu@gmail.com>

commit 33e5df0e0e32027866e9fb00451952998fc957f2 upstream.

It appears that the Cintiq Companion Hybrid does not send an ABS_MISC event to
userspace when any of its ExpressKeys are pressed. This is not strictly
necessary now that the pad exists on its own device, but should be fixed for
consistency's sake.

Traditionally both the stylus and pad shared the same device node, and
xf86-input-wacom would use ABS_MISC for disambiguation. Not sending this causes
the Hybrid to behave incorrectly with xf86-input-wacom beginning with its
8f44f3 commit.

Signed-off-by: Jason Gerecke <killertofu@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/wacom_wac.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -760,6 +760,12 @@ static int wacom_intuos_irq(struct wacom
 			input_report_key(input, BTN_7, (data[4] & 0x40));  /* Left   */
 			input_report_key(input, BTN_8, (data[4] & 0x80));  /* Down   */
 			input_report_key(input, BTN_0, (data[3] & 0x01));  /* Center */
+
+			if (data[4] | (data[3] & 0x01)) {
+				input_report_abs(input, ABS_MISC, PAD_DEVICE_ID);
+			} else {
+				input_report_abs(input, ABS_MISC, 0);
+			}
 		} else if (features->type >= INTUOS5S && features->type <= INTUOSPL) {
 			int i;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 144/177] drm/radeon: enable native backlight control on old macs
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 143/177] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 145/177] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan-J. Hirschauer, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Nathan-J. Hirschauer" <nathanhi@deepserve.info>

commit 7a26f9ad1b5badfd0200ce2262ad696e2a6b7fbb upstream.

Commit b7bc596ebbe0 ("drm/radeon: disable native
backlight control on pre-r6xx asics (v2)") accidently
broke backlight control on old mac laptops that use the
on-GPU backlight controller.

Signed-off-by: Nathan-J. Hirschauer <nathanhi@deepserve.info>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_encoders.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/radeon/radeon_encoders.c
+++ b/drivers/gpu/drm/radeon/radeon_encoders.c
@@ -179,9 +179,12 @@ static void radeon_encoder_add_backlight
 		    (rdev->pdev->subsystem_vendor == 0x1734) &&
 		    (rdev->pdev->subsystem_device == 0x1107))
 			use_bl = false;
+/* Older PPC macs use on-GPU backlight controller */
+#ifndef CONFIG_PPC_PMAC
 		/* disable native backlight control on older asics */
 		else if (rdev->family < CHIP_R600)
 			use_bl = false;
+#endif
 		else
 			use_bl = true;
 	}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 145/177] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 144/177] drm/radeon: enable native backlight control on old macs Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 146/177] drm/radeon: fix 1 RB harvest config setup for TN/RL Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 3d2d98ee1af0cf6eebfbd6bff4c17d3601ac1284 upstream.

Just in case it hasn't been calculated for the mode.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/r600_dpm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/radeon/r600_dpm.c
+++ b/drivers/gpu/drm/radeon/r600_dpm.c
@@ -188,7 +188,7 @@ u32 r600_dpm_get_vrefresh(struct radeon_
 		list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) {
 			radeon_crtc = to_radeon_crtc(crtc);
 			if (crtc->enabled && radeon_crtc->enabled && radeon_crtc->hw_mode.clock) {
-				vrefresh = radeon_crtc->hw_mode.vrefresh;
+				vrefresh = drm_mode_vrefresh(&radeon_crtc->hw_mode);
 				break;
 			}
 		}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 146/177] drm/radeon: fix 1 RB harvest config setup for TN/RL
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 145/177] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 147/177] drm/i915/bdw: PCI IDs ending in 0xb are ULT Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit dbfb00c3e7e18439f2ebf67fe99bf7a50b5bae1e upstream.

The logic was reversed from what the hw actually exposed.
Fixes graphics corruption in certain harvest configurations.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/ni.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/radeon/ni.c
+++ b/drivers/gpu/drm/radeon/ni.c
@@ -1085,12 +1085,12 @@ static void cayman_gpu_init(struct radeo
 
 	if ((rdev->config.cayman.max_backends_per_se == 1) &&
 	    (rdev->flags & RADEON_IS_IGP)) {
-		if ((disabled_rb_mask & 3) == 1) {
-			/* RB0 disabled, RB1 enabled */
-			tmp = 0x11111111;
-		} else {
+		if ((disabled_rb_mask & 3) == 2) {
 			/* RB1 disabled, RB0 enabled */
 			tmp = 0x00000000;
+		} else {
+			/* RB0 disabled, RB1 enabled */
+			tmp = 0x11111111;
 		}
 	} else {
 		tmp = gb_addr_config & NUM_PIPES_MASK;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 147/177] drm/i915/bdw: PCI IDs ending in 0xb are ULT.
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 146/177] drm/radeon: fix 1 RB harvest config setup for TN/RL Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 148/177] drm/i915: Check obj->vma_list under the struct_mutex Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jani Nikula, Rodrigo Vivi

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Vivi <rodrigo.vivi@intel.com>

commit 0dc6f20b9803f09726bbb682649d35cda8ef5b5d upstream.

When reviewing patch that fixes VGA on BDW Halo Jani noticed that
we also had other ULT IDs that weren't listed there.

So this follow-up patch add these pci-ids as halo and fix comments
on i915_pciids.h

Cc: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_drv.h |    1 +
 include/drm/i915_pciids.h       |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/i915_drv.h
+++ b/drivers/gpu/drm/i915/i915_drv.h
@@ -2160,6 +2160,7 @@ struct drm_i915_cmd_table {
 				 (INTEL_DEVID(dev) & 0xFF00) == 0x0C00)
 #define IS_BDW_ULT(dev)		(IS_BROADWELL(dev) && \
 				 ((INTEL_DEVID(dev) & 0xf) == 0x6 ||	\
+				 (INTEL_DEVID(dev) & 0xf) == 0xb ||	\
 				 (INTEL_DEVID(dev) & 0xf) == 0xe))
 #define IS_BDW_GT3(dev)		(IS_BROADWELL(dev) && \
 				 (INTEL_DEVID(dev) & 0x00F0) == 0x0020)
--- a/include/drm/i915_pciids.h
+++ b/include/drm/i915_pciids.h
@@ -214,9 +214,9 @@
 	INTEL_VGA_DEVICE((((gt) - 1) << 4) | (id), info)
 
 #define _INTEL_BDW_M_IDS(gt, info) \
-	_INTEL_BDW_M(gt, 0x1602, info), /* ULT */ \
+	_INTEL_BDW_M(gt, 0x1602, info), /* Halo */ \
 	_INTEL_BDW_M(gt, 0x1606, info), /* ULT */ \
-	_INTEL_BDW_M(gt, 0x160B, info), /* Iris */ \
+	_INTEL_BDW_M(gt, 0x160B, info), /* ULT */ \
 	_INTEL_BDW_M(gt, 0x160E, info) /* ULX */
 
 #define _INTEL_BDW_D_IDS(gt, info) \



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 148/177] drm/i915: Check obj->vma_list under the struct_mutex
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 147/177] drm/i915/bdw: PCI IDs ending in 0xb are ULT Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 149/177] drm/i915: Dell Chromebook 11 has PWM backlight Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Wilson, Daniel Vetter, Jani Nikula

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit 6c31a614c43ae274546f736b2a33363e149c3dc2 upstream.

When we walk the list of vma, or even for protecting against concurrent
framebuffer creation, we must hold the struct_mutex or else a second
thread can corrupt the list as we walk it.

Fixes regression from
commit d7f46fc4e7323887494db13f063a8e59861fefb0
Author: Ben Widawsky <benjamin.widawsky@intel.com>
Date:   Fri Dec 6 14:10:55 2013 -0800

    drm/i915: Make pin count per VMA

References: https://bugs.freedesktop.org/show_bug.cgi?id=89085
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_gem_tiling.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/i915/i915_gem_tiling.c
+++ b/drivers/gpu/drm/i915/i915_gem_tiling.c
@@ -335,9 +335,10 @@ i915_gem_set_tiling(struct drm_device *d
 		return -EINVAL;
 	}
 
+	mutex_lock(&dev->struct_mutex);
 	if (i915_gem_obj_is_pinned(obj) || obj->framebuffer_references) {
-		drm_gem_object_unreference_unlocked(&obj->base);
-		return -EBUSY;
+		ret = -EBUSY;
+		goto err;
 	}
 
 	if (args->tiling_mode == I915_TILING_NONE) {
@@ -369,7 +370,6 @@ i915_gem_set_tiling(struct drm_device *d
 		}
 	}
 
-	mutex_lock(&dev->struct_mutex);
 	if (args->tiling_mode != obj->tiling_mode ||
 	    args->stride != obj->stride) {
 		/* We need to rebind the object if its current allocation
@@ -424,6 +424,7 @@ i915_gem_set_tiling(struct drm_device *d
 		obj->bit_17 = NULL;
 	}
 
+err:
 	drm_gem_object_unreference(&obj->base);
 	mutex_unlock(&dev->struct_mutex);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 149/177] drm/i915: Dell Chromebook 11 has PWM backlight
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 148/177] drm/i915: Check obj->vma_list under the struct_mutex Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 150/177] drm/i915: avoid processing spurious/shared interrupts in low-power states Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Damien Lespiau, Jani Nikula

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jani Nikula <jani.nikula@intel.com>

commit cf6f0af9fbdd90b81af14fa6375387131cd8adf1 upstream.

Add quirk for Dell Chromebook 11 backlight.

Reported-and-tested-by: Owen Garland <garland.owen@gmail.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=93451
Acked-by: Damien Lespiau <damien.lespiau@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_display.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -13019,6 +13019,9 @@ static struct intel_quirk intel_quirks[]
 
 	/* HP Chromebook 14 (Celeron 2955U) */
 	{ 0x0a06, 0x103c, 0x21ed, quirk_backlight_present },
+
+	/* Dell Chromebook 11 */
+	{ 0x0a06, 0x1028, 0x0a35, quirk_backlight_present },
 };
 
 static void intel_init_quirks(struct drm_device *dev)



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 150/177] drm/i915: avoid processing spurious/shared interrupts in low-power states
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 149/177] drm/i915: Dell Chromebook 11 has PWM backlight Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 151/177] drm/i915: Check for driver readyness before handling an underrun interrupt Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Imre Deak, Daniel Vetter, Jani Nikula

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Imre Deak <imre.deak@intel.com>

commit 2dd2a883aad7c852400027c2261bcab69d9e238e upstream.

Atm, it's possible that the interrupt handler is called when the device
is in D3 or some other low-power state. It can be due to another device
that is still in D0 state and shares the interrupt line with i915, or on
some platforms there could be spurious interrupts even without sharing
the interrupt line. The latter case was reported by Klaus Ethgen using a
Lenovo x61p machine (gen 4). He noticed this issue via a system
suspend/resume hang and bisected it to the following commit:

commit e11aa362308f5de467ce355a2a2471321b15a35c
Author: Jesse Barnes <jbarnes@virtuousgeek.org>
Date:   Wed Jun 18 09:52:55 2014 -0700

    drm/i915: use runtime irq suspend/resume in freeze/thaw

This is a problem, since in low-power states IIR will always read
0xffffffff resulting in an endless IRQ servicing loop.

Fix this by handling interrupts only when the driver explicitly enables
them and so it's guaranteed that the interrupt registers return a valid
value.

Note that this issue existed even before the above commit, since during
runtime suspend/resume we never unregistered the handler.

v2:
- clarify the purpose of smp_mb() vs. synchronize_irq() in the
  code comment (Chris)

v3:
- no need for an explicit smp_mb(), we can assume that synchronize_irq()
  and the mmio read/writes in the install hooks provide for this (Daniel)
- remove code comment as the remaining synchronize_irq() is self
  explanatory (Daniel)

v4:
- drm_irq_uninstall() implies synchronize_irq(), so no need to call it
  explicitly (Daniel)

Reference: https://lkml.org/lkml/2015/2/11/205
Reported-and-bisected-by: Klaus Ethgen <Klaus@Ethgen.ch>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/i915_irq.c |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -1884,6 +1884,9 @@ static irqreturn_t valleyview_irq_handle
 	u32 iir, gt_iir, pm_iir;
 	irqreturn_t ret = IRQ_NONE;
 
+	if (!intel_irqs_enabled(dev_priv))
+		return IRQ_NONE;
+
 	while (true) {
 		/* Find, clear, then process each source of interrupt */
 
@@ -1928,6 +1931,9 @@ static irqreturn_t cherryview_irq_handle
 	u32 master_ctl, iir;
 	irqreturn_t ret = IRQ_NONE;
 
+	if (!intel_irqs_enabled(dev_priv))
+		return IRQ_NONE;
+
 	for (;;) {
 		master_ctl = I915_READ(GEN8_MASTER_IRQ) & ~GEN8_MASTER_IRQ_CONTROL;
 		iir = I915_READ(VLV_IIR);
@@ -2200,6 +2206,9 @@ static irqreturn_t ironlake_irq_handler(
 	u32 de_iir, gt_iir, de_ier, sde_ier = 0;
 	irqreturn_t ret = IRQ_NONE;
 
+	if (!intel_irqs_enabled(dev_priv))
+		return IRQ_NONE;
+
 	/* We get interrupts on unclaimed registers, so check for this before we
 	 * do any I915_{READ,WRITE}. */
 	intel_uncore_check_errors(dev);
@@ -2271,6 +2280,9 @@ static irqreturn_t gen8_irq_handler(int
 	enum pipe pipe;
 	u32 aux_mask = GEN8_AUX_CHANNEL_A;
 
+	if (!intel_irqs_enabled(dev_priv))
+		return IRQ_NONE;
+
 	if (IS_GEN9(dev))
 		aux_mask |=  GEN9_AUX_CHANNEL_B | GEN9_AUX_CHANNEL_C |
 			GEN9_AUX_CHANNEL_D;
@@ -3770,6 +3782,9 @@ static irqreturn_t i8xx_irq_handler(int
 		I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
 		I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
 
+	if (!intel_irqs_enabled(dev_priv))
+		return IRQ_NONE;
+
 	iir = I915_READ16(IIR);
 	if (iir == 0)
 		return IRQ_NONE;
@@ -3950,6 +3965,9 @@ static irqreturn_t i915_irq_handler(int
 		I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
 	int pipe, ret = IRQ_NONE;
 
+	if (!intel_irqs_enabled(dev_priv))
+		return IRQ_NONE;
+
 	iir = I915_READ(IIR);
 	do {
 		bool irq_received = (iir & ~flip_mask) != 0;
@@ -4172,6 +4190,9 @@ static irqreturn_t i965_irq_handler(int
 		I915_DISPLAY_PLANE_A_FLIP_PENDING_INTERRUPT |
 		I915_DISPLAY_PLANE_B_FLIP_PENDING_INTERRUPT;
 
+	if (!intel_irqs_enabled(dev_priv))
+		return IRQ_NONE;
+
 	iir = I915_READ(IIR);
 
 	for (;;) {
@@ -4523,6 +4544,7 @@ void intel_runtime_pm_disable_interrupts
 {
 	dev_priv->dev->driver->irq_uninstall(dev_priv->dev);
 	dev_priv->pm.irqs_enabled = false;
+	synchronize_irq(dev_priv->dev->irq);
 }
 
 /**



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 151/177] drm/i915: Check for driver readyness before handling an underrun interrupt
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 150/177] drm/i915: avoid processing spurious/shared interrupts in low-power states Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 153/177] nfsd: fix clp->cl_revoked list deletion causing softlock in nfsd Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rob Clark, Chris Wilson,
	Daniel Vetter, Jani Nikula

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit 54fc7c1c961cb39edfe31f8a3f5ba6414e134b37 upstream.

When we takeover from the BIOS and install our interrupt handler, the
BIOS may have left us a few surprises in the form of spontaneous
interrupts. (This is especially likely on hardware like 965gm where
display fifo underruns are continuous and the GMCH cannot filter that
interrupt souce.) As we enable our IRQ early so that we can use it
during hardware probing, our interrupt handler must be prepared to
handle a few sources prior to being fully configured. As such, we need
to add a simple is-ready check prior to dereferencing our KMS state for
reporting underruns.

Reported-by: Rob Clark <rclark@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1193972
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[Jani: dropped the extra !]
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_fifo_underrun.c |   18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

--- a/drivers/gpu/drm/i915/intel_fifo_underrun.c
+++ b/drivers/gpu/drm/i915/intel_fifo_underrun.c
@@ -282,16 +282,6 @@ bool intel_set_cpu_fifo_underrun_reporti
 	return ret;
 }
 
-static bool
-__cpu_fifo_underrun_reporting_enabled(struct drm_i915_private *dev_priv,
-				      enum pipe pipe)
-{
-	struct drm_crtc *crtc = dev_priv->pipe_to_crtc_mapping[pipe];
-	struct intel_crtc *intel_crtc = to_intel_crtc(crtc);
-
-	return !intel_crtc->cpu_fifo_underrun_disabled;
-}
-
 /**
  * intel_set_pch_fifo_underrun_reporting - set PCH fifo underrun reporting state
  * @dev_priv: i915 device instance
@@ -352,9 +342,15 @@ bool intel_set_pch_fifo_underrun_reporti
 void intel_cpu_fifo_underrun_irq_handler(struct drm_i915_private *dev_priv,
 					 enum pipe pipe)
 {
+	struct drm_crtc *crtc = dev_priv->pipe_to_crtc_mapping[pipe];
+
+	/* We may be called too early in init, thanks BIOS! */
+	if (crtc == NULL)
+		return;
+
 	/* GMCH can't disable fifo underruns, filter them. */
 	if (HAS_GMCH_DISPLAY(dev_priv->dev) &&
-	    !__cpu_fifo_underrun_reporting_enabled(dev_priv, pipe))
+	    to_intel_crtc(crtc)->cpu_fifo_underrun_disabled)
 		return;
 
 	if (intel_set_cpu_fifo_underrun_reporting(dev_priv, pipe, false))



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 153/177] nfsd: fix clp->cl_revoked list deletion causing softlock in nfsd
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 151/177] drm/i915: Check for driver readyness before handling an underrun interrupt Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 154/177] efi: Small leak on error in runtime map code Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Meddaugh, Andrew Elble,
	Jeff Layton, J. Bruce Fields

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Elble <aweits@rit.edu>

commit c876486be17aeefe0da569f3d111cbd8de6f675d upstream.

commit 2d4a532d385f ("nfsd: ensure that clp->cl_revoked list is
protected by clp->cl_lock") removed the use of the reaplist to
clean out clp->cl_revoked. It failed to change list_entry() to
walk clp->cl_revoked.next instead of reaplist.next

Fixes: 2d4a532d385f ("nfsd: ensure that clp->cl_revoked list is protected by clp->cl_lock")
Reported-by: Eric Meddaugh <etmsys@rit.edu>
Tested-by: Eric Meddaugh <etmsys@rit.edu>
Signed-off-by: Andrew Elble <aweits@rit.edu>
Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4state.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1653,7 +1653,7 @@ __destroy_client(struct nfs4_client *clp
 		nfs4_put_stid(&dp->dl_stid);
 	}
 	while (!list_empty(&clp->cl_revoked)) {
-		dp = list_entry(reaplist.next, struct nfs4_delegation, dl_recall_lru);
+		dp = list_entry(clp->cl_revoked.next, struct nfs4_delegation, dl_recall_lru);
 		list_del_init(&dp->dl_recall_lru);
 		nfs4_put_stid(&dp->dl_stid);
 	}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 154/177] efi: Small leak on error in runtime map code
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 153/177] nfsd: fix clp->cl_revoked list deletion causing softlock in nfsd Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 155/177] efi/libstub: Fix boundary checking in efi_high_alloc() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Dave Young, Matt Fleming

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 86d68a58d00db3770735b5919ef2c6b12d7f06f3 upstream.

The "> 0" here should ">= 0" so we free map_entries[0].

Fixes: 926172d46038 ('efi: Export EFI runtime memory mapping to sysfs')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/runtime-map.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/efi/runtime-map.c
+++ b/drivers/firmware/efi/runtime-map.c
@@ -191,7 +191,7 @@ int __init efi_runtime_map_init(struct k
 
 	return 0;
 out_add_entry:
-	for (j = i - 1; j > 0; j--) {
+	for (j = i - 1; j >= 0; j--) {
 		entry = *(map_entries + j);
 		kobject_put(&entry->kobj);
 	}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 155/177] efi/libstub: Fix boundary checking in efi_high_alloc()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 154/177] efi: Small leak on error in runtime map code Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 156/177] eCryptfs: dont pass fs-specific ioctl commands through Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yinghai Lu, Ard Biesheuvel,
	Mark Rutland, Matt Fleming

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yinghai Lu <yinghai@kernel.org>

commit 7ed620bb343f434f8a85f830020c04988df2a140 upstream.

While adding support loading kernel and initrd above 4G to grub2 in legacy
mode, I was referring to efi_high_alloc().
That will allocate buffer for kernel and then initrd, and initrd will
use kernel buffer start as limit.

During testing found two buffers will be overlapped when initrd size is
very big like 400M.

It turns out efi_high_alloc() boundary checking is not right.
end - size will be the new start, and should not compare new
start with max, we need to make sure end is smaller than max.

[ Basically, with the current efi_high_alloc() code it's possible to
  allocate memory above 'max', because efi_high_alloc() doesn't check
  that the tail of the allocation is below 'max'.

  If you have an EFI memory map with a single entry that looks like so,

   [0xc0000000-0xc0004000]

  And want to allocate 0x3000 bytes below 0xc0003000 the current code
  will allocate [0xc0001000-0xc0004000], not [0xc0000000-0xc0003000]
  like you would expect. - Matt ]

Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/libstub/efi-stub-helper.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -170,12 +170,12 @@ again:
 		start = desc->phys_addr;
 		end = start + desc->num_pages * (1UL << EFI_PAGE_SHIFT);
 
-		if ((start + size) > end || (start + size) > max)
-			continue;
-
-		if (end - size > max)
+		if (end > max)
 			end = max;
 
+		if ((start + size) > end)
+			continue;
+
 		if (round_down(end - size, align) < start)
 			continue;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 156/177] eCryptfs: dont pass fs-specific ioctl commands through
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 155/177] efi/libstub: Fix boundary checking in efi_high_alloc() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 157/177] ACPI / video: Load the module even if ACPI is disabled Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyler Hicks, Rocko, Colin Ian King

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tyler Hicks <tyhicks@canonical.com>

commit 6d65261a09adaa374c05de807f73a144d783669e upstream.

eCryptfs can't be aware of what to expect when after passing an
arbitrary ioctl command through to the lower filesystem. The ioctl
command may trigger an action in the lower filesystem that is
incompatible with eCryptfs.

One specific example is when one attempts to use the Btrfs clone
ioctl command when the source file is in the Btrfs filesystem that
eCryptfs is mounted on top of and the destination fd is from a new file
created in the eCryptfs mount. The ioctl syscall incorrectly returns
success because the command is passed down to Btrfs which thinks that it
was able to do the clone operation. However, the result is an empty
eCryptfs file.

This patch allows the trim, {g,s}etflags, and {g,s}etversion ioctl
commands through and then copies up the inode metadata from the lower
inode to the eCryptfs inode to catch any changes made to the lower
inode's metadata. Those five ioctl commands are mostly common across all
filesystems but the whitelist may need to be further pruned in the
future.

https://bugzilla.kernel.org/show_bug.cgi?id=93691
https://launchpad.net/bugs/1305335

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Rocko <rockorequin@hotmail.com>
Cc: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ecryptfs/file.c |   34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

--- a/fs/ecryptfs/file.c
+++ b/fs/ecryptfs/file.c
@@ -303,9 +303,22 @@ ecryptfs_unlocked_ioctl(struct file *fil
 	struct file *lower_file = ecryptfs_file_to_lower(file);
 	long rc = -ENOTTY;
 
-	if (lower_file->f_op->unlocked_ioctl)
+	if (!lower_file->f_op->unlocked_ioctl)
+		return rc;
+
+	switch (cmd) {
+	case FITRIM:
+	case FS_IOC_GETFLAGS:
+	case FS_IOC_SETFLAGS:
+	case FS_IOC_GETVERSION:
+	case FS_IOC_SETVERSION:
 		rc = lower_file->f_op->unlocked_ioctl(lower_file, cmd, arg);
-	return rc;
+		fsstack_copy_attr_all(file_inode(file), file_inode(lower_file));
+
+		return rc;
+	default:
+		return rc;
+	}
 }
 
 #ifdef CONFIG_COMPAT
@@ -315,9 +328,22 @@ ecryptfs_compat_ioctl(struct file *file,
 	struct file *lower_file = ecryptfs_file_to_lower(file);
 	long rc = -ENOIOCTLCMD;
 
-	if (lower_file->f_op->compat_ioctl)
+	if (!lower_file->f_op->compat_ioctl)
+		return rc;
+
+	switch (cmd) {
+	case FITRIM:
+	case FS_IOC32_GETFLAGS:
+	case FS_IOC32_SETFLAGS:
+	case FS_IOC32_GETVERSION:
+	case FS_IOC32_SETVERSION:
 		rc = lower_file->f_op->compat_ioctl(lower_file, cmd, arg);
-	return rc;
+		fsstack_copy_attr_all(file_inode(file), file_inode(lower_file));
+
+		return rc;
+	default:
+		return rc;
+	}
 }
 #endif
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 157/177] ACPI / video: Load the module even if ACPI is disabled
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 156/177] eCryptfs: dont pass fs-specific ioctl commands through Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 158/177] ACPI / LPSS: provide con_id for the clkdev Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bill Augur, Chris Wilson,
	Daniel Vetter, Jani Nikula, Aaron Lu, Rafael J. Wysocki

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit 6e17cb12881ba8d5e456b89f072dc6b70048af36 upstream.

i915.ko depends upon the acpi/video.ko module and so refuses to load if
ACPI is disabled at runtime if for example the BIOS is broken beyond
repair. acpi/video provides an optional service for i915.ko and so we
should just allow the modules to load, but do no nothing in order to let
the machines boot correctly.

Reported-by: Bill Augur <bill-auger@programmer.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Jani Nikula <jani.nikula@intel.com>
Acked-by: Aaron Lu <aaron.lu@intel.com>
[ rjw: Fixed up the new comment in acpi_video_init() ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/video.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/acpi/video.c
+++ b/drivers/acpi/video.c
@@ -2149,6 +2149,17 @@ EXPORT_SYMBOL(acpi_video_unregister_back
 
 static int __init acpi_video_init(void)
 {
+	/*
+	 * Let the module load even if ACPI is disabled (e.g. due to
+	 * a broken BIOS) so that i915.ko can still be loaded on such
+	 * old systems without an AcpiOpRegion.
+	 *
+	 * acpi_video_register() will report -ENODEV later as well due
+	 * to acpi_disabled when i915.ko tries to register itself afterwards.
+	 */
+	if (acpi_disabled)
+		return 0;
+
 	dmi_check_system(video_dmi_table);
 
 	if (intel_opregion_present())



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 158/177] ACPI / LPSS: provide con_id for the clkdev
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 157/177] ACPI / video: Load the module even if ACPI is disabled Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 159/177] NFS: Dont invalidate a submounted dentry in nfs_prime_dcache() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Rafael J. Wysocki

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

commit fcf0789a96777d79d20290e08bf43943a5619387 upstream.

Commit 7d78cbefaa (serial: 8250_dw: add ability to handle
the peripheral clock) introduces handling for a second clk
to 8250_dw.c which is the driver also for LPSS UART. The
second clk forces us to provide identifier (con_id) for the
clkdev we create.

This fixes an issue where 8250_dw.c is getting the same
handler for both clocks.

Fixes: 7d78cbefaa (serial: 8250_dw: add ability to handle the peripheral clock)
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/acpi_lpss.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/acpi/acpi_lpss.c
+++ b/drivers/acpi/acpi_lpss.c
@@ -65,6 +65,7 @@ struct lpss_private_data;
 
 struct lpss_device_desc {
 	unsigned int flags;
+	const char *clk_con_id;
 	unsigned int prv_offset;
 	size_t prv_size_override;
 	void (*setup)(struct lpss_private_data *pdata);
@@ -140,6 +141,7 @@ static struct lpss_device_desc lpt_i2c_d
 
 static struct lpss_device_desc lpt_uart_dev_desc = {
 	.flags = LPSS_CLK | LPSS_CLK_GATE | LPSS_CLK_DIVIDER | LPSS_LTR,
+	.clk_con_id = "baudclk",
 	.prv_offset = 0x800,
 	.setup = lpss_uart_setup,
 };
@@ -156,6 +158,7 @@ static struct lpss_device_desc byt_pwm_d
 
 static struct lpss_device_desc byt_uart_dev_desc = {
 	.flags = LPSS_CLK | LPSS_CLK_GATE | LPSS_CLK_DIVIDER | LPSS_SAVE_CTX,
+	.clk_con_id = "baudclk",
 	.prv_offset = 0x800,
 	.setup = lpss_uart_setup,
 };
@@ -313,7 +316,7 @@ out:
 		return PTR_ERR(clk);
 
 	pdata->clk = clk;
-	clk_register_clkdev(clk, NULL, devname);
+	clk_register_clkdev(clk, dev_desc->clk_con_id, devname);
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 159/177] NFS: Dont invalidate a submounted dentry in nfs_prime_dcache()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 158/177] ACPI / LPSS: provide con_id for the clkdev Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 160/177] NFSv4: Dont call put_rpccred() under the rcu_read_lock() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nix, Trond Myklebust

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 6c441c254eea2354d686be7f5544bcd79fb6a61f upstream.

If we're traversing a directory which contains a submounted filesystem,
or one that has a referral, the NFS server that is processing the READDIR
request will often return information for the underlying (mounted-on)
directory. It may, or may not, also return filehandle information.

If this happens, and the lookup in nfs_prime_dcache() returns the
dentry for the submounted directory, the filehandle comparison will
fail, and we call d_invalidate(). Post-commit 8ed936b5671bf
("vfs: Lazily remove mounts on unlinked files and directories."), this
means the entire subtree is unmounted.

The following minimal patch addresses this problem by punting on
the invalidation if there is a submount.

Kudos to Neil Brown <neilb@suse.de> for having tracked down this
issue (see link).

Reported-by: Nix <nix@esperi.org.uk>
Link: http://lkml.kernel.org/r/87iofju9ht.fsf@spindle.srvr.nix
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/dir.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -469,6 +469,8 @@ void nfs_prime_dcache(struct dentry *par
 	struct inode *inode;
 	int status;
 
+	if (!(entry->fattr->valid & NFS_ATTR_FATTR_FSID))
+		return;
 	if (filename.name[0] == '.') {
 		if (filename.len == 1)
 			return;
@@ -479,6 +481,10 @@ void nfs_prime_dcache(struct dentry *par
 
 	dentry = d_lookup(parent, &filename);
 	if (dentry != NULL) {
+		/* Is there a mountpoint here? If so, just exit */
+		if (!nfs_fsid_equal(&NFS_SB(dentry->d_sb)->fsid,
+					&entry->fattr->fsid))
+			goto out;
 		if (nfs_same_file(dentry, entry)) {
 			nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
 			status = nfs_refresh_inode(dentry->d_inode, entry->fattr);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 160/177] NFSv4: Dont call put_rpccred() under the rcu_read_lock()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 159/177] NFS: Dont invalidate a submounted dentry in nfs_prime_dcache() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 161/177] ASoC: omap-pcm: Correct dma mask Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 7c0af9ffb7bb4e5355470fa60b3eb711ddf226fa upstream.

put_rpccred() can sleep.

Fixes: 8f649c3762547 ("NFSv4: Fix the locking in nfs_inode_reclaim_delegation()")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/delegation.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/delegation.c
+++ b/fs/nfs/delegation.c
@@ -177,8 +177,8 @@ void nfs_inode_reclaim_delegation(struct
 				  &delegation->flags);
 			NFS_I(inode)->delegation_state = delegation->type;
 			spin_unlock(&delegation->lock);
-			put_rpccred(oldcred);
 			rcu_read_unlock();
+			put_rpccred(oldcred);
 			trace_nfs4_reclaim_delegation(inode, res->delegation_type);
 		} else {
 			/* We appear to have raced with a delegation return. */



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 161/177] ASoC: omap-pcm: Correct dma mask
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 160/177] NFSv4: Dont call put_rpccred() under the rcu_read_lock() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 162/177] ASoC: rt5670: Set RT5670_IRQ_CTRL1 non volatile Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Grygorii Strashko, Peter Ujfalusi,
	Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Ujfalusi <peter.ujfalusi@ti.com>

commit d51199a83a2cf82a291d19ee852c44caa511427d upstream.

DMA_BIT_MASK of 64 is not valid dma address mask for OMAPs, it should be
set to 32.
The 64 was introduced by commit (in 2009):
a152ff24b978 ASoC: OMAP: Make DMA 64 aligned

But the dma_mask and coherent_dma_mask can not be used to specify alignment.

Fixes: a152ff24b978 (ASoC: OMAP: Make DMA 64 aligned)
Reported-by: Grygorii Strashko <Grygorii.Strashko@linaro.org>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/omap/omap-pcm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/omap/omap-pcm.c
+++ b/sound/soc/omap/omap-pcm.c
@@ -201,7 +201,7 @@ static int omap_pcm_new(struct snd_soc_p
 	struct snd_pcm *pcm = rtd->pcm;
 	int ret;
 
-	ret = dma_coerce_mask_and_coherent(card->dev, DMA_BIT_MASK(64));
+	ret = dma_coerce_mask_and_coherent(card->dev, DMA_BIT_MASK(32));
 	if (ret)
 		return ret;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 162/177] ASoC: rt5670: Set RT5670_IRQ_CTRL1 non volatile
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 161/177] ASoC: omap-pcm: Correct dma mask Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 163/177] stable_kernel_rules: reorganize and update submission options Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bard Liao, Mark Brown

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bard Liao <bardliao@realtek.com>

commit 850529249d7cce02e9bfae9476d09c8c51410d28 upstream.

RT5670_IRQ_CTRL1(0xbd) is a non volatile register. And we need to
restore its value after suspend/resume.

Signed-off-by: Bard Liao <bardliao@realtek.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/rt5670.c |    1 -
 1 file changed, 1 deletion(-)

--- a/sound/soc/codecs/rt5670.c
+++ b/sound/soc/codecs/rt5670.c
@@ -223,7 +223,6 @@ static bool rt5670_volatile_register(str
 	case RT5670_ADC_EQ_CTRL1:
 	case RT5670_EQ_CTRL1:
 	case RT5670_ALC_CTRL_1:
-	case RT5670_IRQ_CTRL1:
 	case RT5670_IRQ_CTRL2:
 	case RT5670_INT_IRQ_ST:
 	case RT5670_IL_CMD:



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 163/177] stable_kernel_rules: reorganize and update submission options
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 162/177] ASoC: rt5670: Set RT5670_IRQ_CTRL1 non volatile Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 164/177] coresight-etm: unlock on error paths in mode_store() Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Brian Norris

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brian Norris <computersforpeace@gmail.com>

commit 5de61e7aa1ba9ac3c7edbea375da2bc8eb1a89ae upstream.

The current organization of Documentation/stable_kernel_rules.txt
doesn't clearly differentiate the mutually exclusive options for
submission to the -stable review process. As I understand it, patches
are not actually required to be mailed directly to
stable@vger.kernel.org, but the instructions do not make this clear.

Also, there are some established processes that are not listed --
specifically, what I call Option 2 below.

This patch updates and reorganizes a bit, to make things clearer.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/stable_kernel_rules.txt |   44 ++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 10 deletions(-)

--- a/Documentation/stable_kernel_rules.txt
+++ b/Documentation/stable_kernel_rules.txt
@@ -32,18 +32,42 @@ Procedure for submitting patches to the
  - If the patch covers files in net/ or drivers/net please follow netdev stable
    submission guidelines as described in
    Documentation/networking/netdev-FAQ.txt
- - Send the patch, after verifying that it follows the above rules, to
-   stable@vger.kernel.org.  You must note the upstream commit ID in the
-   changelog of your submission, as well as the kernel version you wish
-   it to be applied to.
- - To have the patch automatically included in the stable tree, add the tag
+ - Security patches should not be handled (solely) by the -stable review
+   process but should follow the procedures in Documentation/SecurityBugs.
+
+For all other submissions, choose one of the following procedures:
+
+   --- Option 1 ---
+
+   To have the patch automatically included in the stable tree, add the tag
      Cc: stable@vger.kernel.org
    in the sign-off area. Once the patch is merged it will be applied to
    the stable tree without anything else needing to be done by the author
    or subsystem maintainer.
- - If the patch requires other patches as prerequisites which can be
-   cherry-picked, then this can be specified in the following format in
-   the sign-off area:
+
+   --- Option 2 ---
+
+   After the patch has been merged to Linus' tree, send an email to
+   stable@vger.kernel.org containing the subject of the patch, the commit ID,
+   why you think it should be applied, and what kernel version you wish it to
+   be applied to.
+
+   --- Option 3 ---
+
+   Send the patch, after verifying that it follows the above rules, to
+   stable@vger.kernel.org.  You must note the upstream commit ID in the
+   changelog of your submission, as well as the kernel version you wish
+   it to be applied to.
+
+Option 1 is probably the easiest and most common. Options 2 and 3 are more
+useful if the patch isn't deemed worthy at the time it is applied to a public
+git tree (for instance, because it deserves more regression testing first).
+Option 3 is especially useful if the patch needs some special handling to apply
+to an older kernel (e.g., if API's have changed in the meantime).
+
+Additionally, some patches submitted via Option 1 may have additional patch
+prerequisites which can be cherry-picked. This can be specified in the following
+format in the sign-off area:
 
      Cc: <stable@vger.kernel.org> # 3.3.x: a1f84a3: sched: Check for idle
      Cc: <stable@vger.kernel.org> # 3.3.x: 1b9508f: sched: Rate-limit newidle
@@ -57,13 +81,13 @@ Procedure for submitting patches to the
      git cherry-pick fd21073
      git cherry-pick <this commit>
 
+Following the submission:
+
  - The sender will receive an ACK when the patch has been accepted into the
    queue, or a NAK if the patch is rejected.  This response might take a few
    days, according to the developer's schedules.
  - If accepted, the patch will be added to the -stable queue, for review by
    other developers and by the relevant subsystem maintainer.
- - Security patches should not be sent to this alias, but instead to the
-   documented security@kernel.org address.
 
 
 Review cycle:



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 164/177] coresight-etm: unlock on error paths in mode_store()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 163/177] stable_kernel_rules: reorganize and update submission options Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 165/177] sched: Fix hrtick_start() on UP Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Mathieu Poirier

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 6ad1095990328e7e4b3a0e260825ad4b6406785a upstream.

There are some missing unlocks on the error paths.

Fixes: a939fc5a71ad ('coresight-etm: add CoreSight ETM/PTM driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/coresight/coresight-etm3x.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/coresight/coresight-etm3x.c
+++ b/drivers/coresight/coresight-etm3x.c
@@ -573,7 +573,8 @@ static ssize_t mode_store(struct device
 	if (drvdata->mode & ETM_MODE_STALL) {
 		if (!(drvdata->etmccr & ETMCCR_FIFOFULL)) {
 			dev_warn(drvdata->dev, "stall mode not supported\n");
-			return -EINVAL;
+			ret = -EINVAL;
+			goto err_unlock;
 		}
 		drvdata->ctrl |= ETMCR_STALL_MODE;
 	 } else
@@ -582,7 +583,8 @@ static ssize_t mode_store(struct device
 	if (drvdata->mode & ETM_MODE_TIMESTAMP) {
 		if (!(drvdata->etmccer & ETMCCER_TIMESTAMP)) {
 			dev_warn(drvdata->dev, "timestamp not supported\n");
-			return -EINVAL;
+			ret = -EINVAL;
+			goto err_unlock;
 		}
 		drvdata->ctrl |= ETMCR_TIMESTAMP_EN;
 	} else
@@ -595,6 +597,10 @@ static ssize_t mode_store(struct device
 	spin_unlock(&drvdata->spinlock);
 
 	return size;
+
+err_unlock:
+	spin_unlock(&drvdata->spinlock);
+	return ret;
 }
 static DEVICE_ATTR_RW(mode);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 165/177] sched: Fix hrtick_start() on UP
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 164/177] coresight-etm: unlock on error paths in mode_store() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 166/177] of/pci: Free resources on failure in of_pci_get_host_bridge_resources() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wanpeng Li, Peter Zijlstra (Intel),
	Juri Lelli, Kirill Tkhai, Linus Torvalds, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wanpeng Li <wanpeng.li@linux.intel.com>

commit 868933359a3bdda25b562e9d41bce7071edc1b08 upstream.

The commit 177ef2a6315e ("sched/deadline: Fix a precision problem in
the microseconds range") forgot to change the UP version of
hrtick_start(), do so now.

Signed-off-by: Wanpeng Li <wanpeng.li@linux.intel.com>
Fixes: 177ef2a6315e ("sched/deadline: Fix a precision problem in the microseconds range")
[ Fixed the changelog. ]
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Juri Lelli <juri.lelli@arm.com>
Cc: Kirill Tkhai <ktkhai@parallels.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/1416962647-76792-7-git-send-email-wanpeng.li@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sched/core.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -490,6 +490,11 @@ static __init void init_hrtick(void)
  */
 void hrtick_start(struct rq *rq, u64 delay)
 {
+	/*
+	 * Don't schedule slices shorter than 10000ns, that just
+	 * doesn't make sense. Rely on vruntime for fairness.
+	 */
+	delay = max_t(u64, delay, 10000LL);
 	__hrtimer_start_range_ns(&rq->hrtick_timer, ns_to_ktime(delay), 0,
 			HRTIMER_MODE_REL_PINNED, 0);
 }



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 166/177] of/pci: Free resources on failure in of_pci_get_host_bridge_resources()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 165/177] sched: Fix hrtick_start() on UP Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 167/177] GFS2: Fix crash during ACL deletion in acl max entry check in gfs2_set_acl() Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Pieralisi, Bjorn Helgaas,
	Liviu Dudau, Arnd Bergmann, Rob Herring

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>

commit d2be00c0fb5ae0794deffcdb0425cd5a8d823db0 upstream.

In the function of_pci_get_host_bridge_resources() if the parsing of ranges
fails, previously allocated resources inclusive of bus_range are not freed
and are not expected to be freed by the function caller on error return.

This patch fixes the issues by adding code that properly frees resources
and bus_range before exiting the function with an error return value.

Fixes: cbe4097f8ae6 ("of/pci: Add support for parsing PCI host bridge resources from DT")
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Liviu Dudau <liviu.dudau@arm.com>
CC: Arnd Bergmann <arnd@arndb.de>
CC: Rob Herring <robh+dt@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/of_pci.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/of/of_pci.c
+++ b/drivers/of/of_pci.c
@@ -140,6 +140,7 @@ int of_pci_get_host_bridge_resources(str
 			unsigned char busno, unsigned char bus_max,
 			struct list_head *resources, resource_size_t *io_base)
 {
+	struct pci_host_bridge_window *window;
 	struct resource *res;
 	struct resource *bus_range;
 	struct of_pci_range range;
@@ -225,7 +226,10 @@ int of_pci_get_host_bridge_resources(str
 conversion_failed:
 	kfree(res);
 parse_failed:
+	list_for_each_entry(window, resources, list)
+		kfree(window->res);
 	pci_free_resource_list(resources);
+	kfree(bus_range);
 	return err;
 }
 EXPORT_SYMBOL_GPL(of_pci_get_host_bridge_resources);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 167/177] GFS2: Fix crash during ACL deletion in acl max entry check in gfs2_set_acl()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 166/177] of/pci: Free resources on failure in of_pci_get_host_bridge_resources() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 168/177] ath5k: fix spontaneus AR5312 freezes Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Meddaugh, Andrew Elble,
	Steven Whitehouse

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Elble <aweits@rit.edu>

commit 278702074ff77b1a3fa2061267997095959f5e2c upstream.

Fixes: e01580bf9e ("gfs2: use generic posix ACL infrastructure")
Reported-by: Eric Meddaugh <etmsys@rit.edu>
Tested-by: Eric Meddaugh <etmsys@rit.edu>
Signed-off-by: Andrew Elble <aweits@rit.edu>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/gfs2/acl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -73,7 +73,7 @@ int gfs2_set_acl(struct inode *inode, st
 
 	BUG_ON(name == NULL);
 
-	if (acl->a_count > GFS2_ACL_MAX_ENTRIES(GFS2_SB(inode)))
+	if (acl && acl->a_count > GFS2_ACL_MAX_ENTRIES(GFS2_SB(inode)))
 		return -E2BIG;
 
 	if (type == ACL_TYPE_ACCESS) {



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 168/177] ath5k: fix spontaneus AR5312 freezes
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 167/177] GFS2: Fix crash during ACL deletion in acl max entry check in gfs2_set_acl() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 171/177] vmstat: do not use deferrable delayed work for vmstat_update Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Nick Kossifidis,
	Luis R. Rodriguez, Christophe Prevotaux, Eric Bree,
	Sergey Ryazanov, Kalle Valo

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Ryazanov <ryazanov.s.a@gmail.com>

commit 8bfae4f9938b6c1f033a5159febe97e441d6d526 upstream.

Sometimes while CPU have some load and ath5k doing the wireless
interface reset the whole WiSoC completely freezes. Set of tests shows
that using atomic delay function while we wait interface reset helps to
avoid such freezes.

The easiest way to reproduce this issue: create a station interface,
start continous scan with wpa_supplicant and load CPU by something. Or
just create multiple station interfaces and put them all in continous
scan.

This patch partially reverts the commit 1846ac3dbec0 ("ath5k: Use
usleep_range where possible"), which replaces initial udelay()
by usleep_range().

I do not know actual source of this issue, but all looks like that HW
freeze is caused by transaction on internal SoC bus, while wireless
block is in reset state.

Also I should note that I do not know how many chips are affected, but I
did not see this issue with chips, other than AR5312.

CC: Jiri Slaby <jirislaby@gmail.com>
CC: Nick Kossifidis <mickflemm@gmail.com>
CC: Luis R. Rodriguez <mcgrof@do-not-panic.com>
Fixes: 1846ac3dbec0 ("ath5k: Use usleep_range where possible")
Reported-by: Christophe Prevotaux <c.prevotaux@rural-networks.com>
Tested-by: Christophe Prevotaux <c.prevotaux@rural-networks.com>
Tested-by: Eric Bree <ebree@nltinc.com>
Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath5k/reset.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath5k/reset.c
+++ b/drivers/net/wireless/ath/ath5k/reset.c
@@ -478,7 +478,7 @@ ath5k_hw_wisoc_reset(struct ath5k_hw *ah
 	regval = ioread32(reg);
 	iowrite32(regval | val, reg);
 	regval = ioread32(reg);
-	usleep_range(100, 150);
+	udelay(100);	/* NB: should be atomic */
 
 	/* Bring BB/MAC out of reset */
 	iowrite32(regval & ~val, reg);



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 171/177] vmstat: do not use deferrable delayed work for vmstat_update
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 168/177] ath5k: fix spontaneus AR5312 freezes Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 172/177] sched/autogroup: Fix failure to set cpu.rt_runtime_us Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Hocko, Vinayak Menon,
	Christoph Lameter, Johannes Weiner, Vladimir Davydov, Mel Gorman,
	Minchan Kim, David Rientjes, Andrew Morton, Linus Torvalds

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Hocko <mhocko@suse.cz>

commit ba4877b9ca51f80b5d30f304a46762f0509e1635 upstream.

Vinayak Menon has reported that an excessive number of tasks was throttled
in the direct reclaim inside too_many_isolated() because NR_ISOLATED_FILE
was relatively high compared to NR_INACTIVE_FILE.  However it turned out
that the real number of NR_ISOLATED_FILE was 0 and the per-cpu
vm_stat_diff wasn't transferred into the global counter.

vmstat_work which is responsible for the sync is defined as deferrable
delayed work which means that the defined timeout doesn't wake up an idle
CPU.  A CPU might stay in an idle state for a long time and general effort
is to keep such a CPU in this state as long as possible which might lead
to all sorts of troubles for vmstat consumers as can be seen with the
excessive direct reclaim throttling.

This patch basically reverts 39bf6270f524 ("VM statistics: Make timer
deferrable") but it shouldn't cause any problems for idle CPUs because
only CPUs with an active per-cpu drift are woken up since 7cc36bbddde5
("vmstat: on-demand vmstat workers v8") and CPUs which are idle for a
longer time shouldn't have per-cpu drift.

Fixes: 39bf6270f524 (VM statistics: Make timer deferrable)
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Vinayak Menon <vinmenon@codeaurora.org>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Vladimir Davydov <vdavydov@parallels.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Minchan Kim <minchan@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/vmstat.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -1450,7 +1450,7 @@ static void __init start_shepherd_timer(
 	int cpu;
 
 	for_each_possible_cpu(cpu)
-		INIT_DEFERRABLE_WORK(per_cpu_ptr(&vmstat_work, cpu),
+		INIT_DELAYED_WORK(per_cpu_ptr(&vmstat_work, cpu),
 			vmstat_update);
 
 	if (!alloc_cpumask_var(&cpu_stat_off, GFP_KERNEL))



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 172/177] sched/autogroup: Fix failure to set cpu.rt_runtime_us
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 171/177] vmstat: do not use deferrable delayed work for vmstat_update Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 173/177] clk-gate: fix bit # check in clk_register_gate() Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zefan Li, Peter Zijlstra (Intel),
	Linus Torvalds, Mike Galbraith, Stefan Bader, Ingo Molnar

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 1fe89e1b6d270aa0d3452c60d38461ea589594e3 upstream.

Because task_group() uses a cache of autogroup_task_group(), whose
output depends on sched_class, switching classes can generate
problems.

In particular, when started as fair, the cache points to the
autogroup, so when switching to RT the tg_rt_schedulable() test fails
for every cpu.rt_{runtime,period}_us change because now the autogroup
has tasks and no runtime.

Furthermore, going back to the previous semantics of varying
task_group() with sched_class has the down-side that the sched_debug
output varies as well, even though the task really is in the
autogroup.

Therefore add an autogroup exception to tg_has_rt_tasks() -- such that
both (all) task_group() usages in sched/core now have one. And remove
all the remnants of the variable task_group() output.

Reported-by: Zefan Li <lizefan@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <umgwanakikbuti@gmail.com>
Cc: Stefan Bader <stefan.bader@canonical.com>
Fixes: 8323f26ce342 ("sched: Fix race in task_group()")
Link: http://lkml.kernel.org/r/20150209112237.GR5029@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sched/auto_group.c |    6 +-----
 kernel/sched/core.c       |    6 ++++++
 2 files changed, 7 insertions(+), 5 deletions(-)

--- a/kernel/sched/auto_group.c
+++ b/kernel/sched/auto_group.c
@@ -87,8 +87,7 @@ static inline struct autogroup *autogrou
 	 * so we don't have to move tasks around upon policy change,
 	 * or flail around trying to allocate bandwidth on the fly.
 	 * A bandwidth exception in __sched_setscheduler() allows
-	 * the policy change to proceed.  Thereafter, task_group()
-	 * returns &root_task_group, so zero bandwidth is required.
+	 * the policy change to proceed.
 	 */
 	free_rt_sched_group(tg);
 	tg->rt_se = root_task_group.rt_se;
@@ -115,9 +114,6 @@ bool task_wants_autogroup(struct task_st
 	if (tg != &root_task_group)
 		return false;
 
-	if (p->sched_class != &fair_sched_class)
-		return false;
-
 	/*
 	 * We can only assume the task group can't go away on us if
 	 * autogroup_move_group() can see us on ->thread_group list.
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -7618,6 +7618,12 @@ static inline int tg_has_rt_tasks(struct
 {
 	struct task_struct *g, *p;
 
+	/*
+	 * Autogroups do not have RT tasks; see autogroup_create().
+	 */
+	if (task_group_is_autogroup(tg))
+		return 0;
+
 	for_each_process_thread(g, p) {
 		if (rt_task(p) && task_group(p) == tg)
 			return 1;



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 173/177] clk-gate: fix bit # check in clk_register_gate()
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 172/177] sched/autogroup: Fix failure to set cpu.rt_runtime_us Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 174/177] cxl: Use image state defaults for reloading FPGA Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Michael Turquette

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 2e9dcdae4068460c45a308dd891be5248260251c upstream.

In case CLK_GATE_HIWORD_MASK flag is passed to clk_register_gate(), the bit #
should be no higher than 15, however the corresponding check is obviously off-
by-one.

Fixes: 045779942c04 ("clk: gate: add CLK_GATE_HIWORD_MASK")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Michael Turquette <mturquette@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/clk-gate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/clk-gate.c
+++ b/drivers/clk/clk-gate.c
@@ -128,7 +128,7 @@ struct clk *clk_register_gate(struct dev
 	struct clk_init_data init;
 
 	if (clk_gate_flags & CLK_GATE_HIWORD_MASK) {
-		if (bit_idx > 16) {
+		if (bit_idx > 15) {
 			pr_err("gate bit exceeds LOWORD field\n");
 			return ERR_PTR(-EINVAL);
 		}



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 174/177] cxl: Use image state defaults for reloading FPGA
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 173/177] clk-gate: fix bit # check in clk_register_gate() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 175/177] cxl: Fix device_node reference counting Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ryan Grimm, Ian Munsie, Michael Ellerman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ryan Grimm <grimm@linux.vnet.ibm.com>

commit 4beb5421babee1204757b877622830c6aa31be6d upstream.

Select defaults such that a PERST causes flash image reload.  Select which
image based on what the card is set up to load.

CXL_VSEC_PERST_LOADS_IMAGE selects whether PERST assertion causes flash image
load.

CXL_VSEC_PERST_SELECT_USER selects which image is loaded on the next PERST.

cxl_update_image_control writes these bits into the VSEC.

Signed-off-by: Ryan Grimm <grimm@linux.vnet.ibm.com>
Acked-by: Ian Munsie <imunsie@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/cxl/cxl.h |    1 +
 drivers/misc/cxl/pci.c |   42 ++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 2 deletions(-)

--- a/drivers/misc/cxl/cxl.h
+++ b/drivers/misc/cxl/cxl.h
@@ -481,6 +481,7 @@ void cxl_release_one_irq(struct cxl *ada
 int cxl_alloc_irq_ranges(struct cxl_irq_ranges *irqs, struct cxl *adapter, unsigned int num);
 void cxl_release_irq_ranges(struct cxl_irq_ranges *irqs, struct cxl *adapter);
 int cxl_setup_irq(struct cxl *adapter, unsigned int hwirq, unsigned int virq);
+int cxl_update_image_control(struct cxl *adapter);
 
 /* common == phyp + powernv */
 struct cxl_process_element_common {
--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -361,6 +361,41 @@ int cxl_setup_irq(struct cxl *adapter, u
 	return pnv_cxl_ioda_msi_setup(dev, hwirq, virq);
 }
 
+int cxl_update_image_control(struct cxl *adapter)
+{
+	struct pci_dev *dev = to_pci_dev(adapter->dev.parent);
+	int rc;
+	int vsec;
+	u8 image_state;
+
+	if (!(vsec = find_cxl_vsec(dev))) {
+		dev_err(&dev->dev, "ABORTING: CXL VSEC not found!\n");
+		return -ENODEV;
+	}
+
+	if ((rc = CXL_READ_VSEC_IMAGE_STATE(dev, vsec, &image_state))) {
+		dev_err(&dev->dev, "failed to read image state: %i\n", rc);
+		return rc;
+	}
+
+	if (adapter->perst_loads_image)
+		image_state |= CXL_VSEC_PERST_LOADS_IMAGE;
+	else
+		image_state &= ~CXL_VSEC_PERST_LOADS_IMAGE;
+
+	if (adapter->perst_select_user)
+		image_state |= CXL_VSEC_PERST_SELECT_USER;
+	else
+		image_state &= ~CXL_VSEC_PERST_SELECT_USER;
+
+	if ((rc = CXL_WRITE_VSEC_IMAGE_STATE(dev, vsec, image_state))) {
+		dev_err(&dev->dev, "failed to update image control: %i\n", rc);
+		return rc;
+	}
+
+	return 0;
+}
+
 int cxl_alloc_one_irq(struct cxl *adapter)
 {
 	struct pci_dev *dev = to_pci_dev(adapter->dev.parent);
@@ -770,8 +805,8 @@ static int cxl_read_vsec(struct cxl *ada
 	CXL_READ_VSEC_BASE_IMAGE(dev, vsec, &adapter->base_image);
 	CXL_READ_VSEC_IMAGE_STATE(dev, vsec, &image_state);
 	adapter->user_image_loaded = !!(image_state & CXL_VSEC_USER_IMAGE_LOADED);
-	adapter->perst_loads_image = !!(image_state & CXL_VSEC_PERST_LOADS_IMAGE);
-	adapter->perst_select_user = !!(image_state & CXL_VSEC_PERST_SELECT_USER);
+	adapter->perst_loads_image = true;
+	adapter->perst_select_user = !!(image_state & CXL_VSEC_USER_IMAGE_LOADED);
 
 	CXL_READ_VSEC_NAFUS(dev, vsec, &adapter->slices);
 	CXL_READ_VSEC_AFU_DESC_OFF(dev, vsec, &afu_desc_off);
@@ -879,6 +914,9 @@ static struct cxl *cxl_init_adapter(stru
 	if ((rc = cxl_vsec_looks_ok(adapter, dev)))
 		goto err2;
 
+	if ((rc = cxl_update_image_control(adapter)))
+		goto err2;
+
 	if ((rc = cxl_map_adapter_regs(adapter, dev)))
 		goto err2;
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 175/177] cxl: Fix device_node reference counting
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 174/177] cxl: Use image state defaults for reloading FPGA Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 176/177] cxl: Add missing return statement after handling AFU errror Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ryan Grimm, Ian Munsie, Michael Ellerman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ryan Grimm <grimm@linux.vnet.ibm.com>

commit 6f963ec2d6bf2476a16799eece920acb2100ff1c upstream.

When unbinding and rebinding the driver on a system with a card in PHB0, this
error condition is reached after a few attempts:

ERROR: Bad of_node_put() on /pciex@3fffe40000000
CPU: 0 PID: 3040 Comm: bash Not tainted 3.18.0-rc3-12545-g3627ffe #152
Call Trace:
[c000000721acb5c0] [c00000000086ef94] .dump_stack+0x84/0xb0 (unreliable)
[c000000721acb640] [c00000000073a0a8] .of_node_release+0xd8/0xe0
[c000000721acb6d0] [c00000000044bc44] .kobject_release+0x74/0xe0
[c000000721acb760] [c0000000007394fc] .of_node_put+0x1c/0x30
[c000000721acb7d0] [c000000000545cd8] .cxl_probe+0x1a98/0x1d50
[c000000721acb900] [c0000000004845a0] .local_pci_probe+0x40/0xc0
[c000000721acb980] [c000000000484998] .pci_device_probe+0x128/0x170
[c000000721acba30] [c00000000052400c] .driver_probe_device+0xac/0x2a0
[c000000721acbad0] [c000000000522468] .bind_store+0x108/0x160
[c000000721acbb70] [c000000000521448] .drv_attr_store+0x38/0x60
[c000000721acbbe0] [c000000000293840] .sysfs_kf_write+0x60/0xa0
[c000000721acbc50] [c000000000292500] .kernfs_fop_write+0x140/0x1d0
[c000000721acbcf0] [c000000000208648] .vfs_write+0xd8/0x260
[c000000721acbd90] [c000000000208b18] .SyS_write+0x58/0x100
[c000000721acbe30] [c000000000009258] syscall_exit+0x0/0x98

We are missing a call to of_node_get(). pnv_pci_to_phb_node() should
call of_node_get() otherwise np's reference count isn't incremented and
it might go away. Rename pnv_pci_to_phb_node() to pnv_pci_get_phb_node()
so it's clear it calls of_node_get().

Signed-off-by: Ryan Grimm <grimm@linux.vnet.ibm.com>
Acked-by: Ian Munsie <imunsie@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/pnv-pci.h        |    2 +-
 arch/powerpc/platforms/powernv/pci-ioda.c |    6 +++---
 drivers/misc/cxl/pci.c                    |    2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

--- a/arch/powerpc/include/asm/pnv-pci.h
+++ b/arch/powerpc/include/asm/pnv-pci.h
@@ -19,7 +19,7 @@ int pnv_cxl_ioda_msi_setup(struct pci_de
 int pnv_cxl_alloc_hwirqs(struct pci_dev *dev, int num);
 void pnv_cxl_release_hwirqs(struct pci_dev *dev, int hwirq, int num);
 int pnv_cxl_get_irq_count(struct pci_dev *dev);
-struct device_node *pnv_pci_to_phb_node(struct pci_dev *dev);
+struct device_node *pnv_pci_get_phb_node(struct pci_dev *dev);
 
 #ifdef CONFIG_CXL_BASE
 int pnv_cxl_alloc_hwirq_ranges(struct cxl_irq_ranges *irqs,
--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -1460,13 +1460,13 @@ static void set_msi_irq_chip(struct pnv_
 
 #ifdef CONFIG_CXL_BASE
 
-struct device_node *pnv_pci_to_phb_node(struct pci_dev *dev)
+struct device_node *pnv_pci_get_phb_node(struct pci_dev *dev)
 {
 	struct pci_controller *hose = pci_bus_to_host(dev->bus);
 
-	return hose->dn;
+	return of_node_get(hose->dn);
 }
-EXPORT_SYMBOL(pnv_pci_to_phb_node);
+EXPORT_SYMBOL(pnv_pci_get_phb_node);
 
 int pnv_phb_to_cxl(struct pci_dev *dev)
 {
--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -316,7 +316,7 @@ static int init_implementation_adapter_r
 	u64 psl_dsnctl;
 	u64 chipid;
 
-	if (!(np = pnv_pci_to_phb_node(dev)))
+	if (!(np = pnv_pci_get_phb_node(dev)))
 		return -ENODEV;
 
 	while (np && !(prop = of_get_property(np, "ibm,chip-id", NULL)))



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 176/177] cxl: Add missing return statement after handling AFU errror
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 175/177] cxl: Fix device_node reference counting Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.19 177/177] Revert "netfilter: xt_recent: relax ip_pkt_list_tot restrictions" Greg Kroah-Hartman
  2015-03-16 19:59 ` [PATCH 3.19 000/177] 3.19.2-stable review Guenter Roeck
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ian Munsie, Michael Ellerman

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Munsie <imunsie@au1.ibm.com>

commit a6130ed253a931d2169c26ab0958d81b0dce4d6e upstream.

We were missing a return statement in the PSL interrupt handler in the
case of an AFU error, which would trigger an "Unhandled CXL PSL IRQ"
warning. We do actually handle these type of errors (by notifying
userspace), so add the missing return IRQ_HANDLED so we don't throw
unecessary warnings.

Signed-off-by: Ian Munsie <imunsie@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/cxl/irq.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/misc/cxl/irq.c
+++ b/drivers/misc/cxl/irq.c
@@ -167,6 +167,7 @@ static irqreturn_t cxl_irq(int irq, void
 		}
 
 		cxl_ack_irq(ctx, CXL_PSL_TFC_An_A, 0);
+		return IRQ_HANDLED;
 	}
 	if (dsisr & CXL_PSL_DSISR_An_OC)
 		pr_devel("CXL interrupt: OS Context Warning\n");



^ permalink raw reply	[flat|nested] 164+ messages in thread

* [PATCH 3.19 177/177] Revert "netfilter: xt_recent: relax ip_pkt_list_tot restrictions"
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 176/177] cxl: Add missing return statement after handling AFU errror Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 19:59 ` [PATCH 3.19 000/177] 3.19.2-stable review Guenter Roeck
  161 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Miller

3.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit abc86d0f99242b7f142b7cb8f90e30081dd3c256 as it is
broken in 3.19 and is easier to revert here than try to fix it.

Reported-by: Florian Westphal <fw@strlen.de
Reported-by: David Miller <davem@redhat.com>
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

---
 net/netfilter/xt_recent.c |   64 ++++++++++++----------------------------------
 1 file changed, 17 insertions(+), 47 deletions(-)

--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -43,29 +43,25 @@ MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_recent");
 MODULE_ALIAS("ip6t_recent");
 
-static unsigned int ip_list_tot __read_mostly = 100;
-static unsigned int ip_list_hash_size __read_mostly;
-static unsigned int ip_list_perms __read_mostly = 0644;
-static unsigned int ip_list_uid __read_mostly;
-static unsigned int ip_list_gid __read_mostly;
+static unsigned int ip_list_tot = 100;
+static unsigned int ip_pkt_list_tot = 20;
+static unsigned int ip_list_hash_size = 0;
+static unsigned int ip_list_perms = 0644;
+static unsigned int ip_list_uid = 0;
+static unsigned int ip_list_gid = 0;
 module_param(ip_list_tot, uint, 0400);
+module_param(ip_pkt_list_tot, uint, 0400);
 module_param(ip_list_hash_size, uint, 0400);
 module_param(ip_list_perms, uint, 0400);
 module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
 module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
+MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
 MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
 MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
 MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
 MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
 
-/* retained for backwards compatibility */
-static unsigned int ip_pkt_list_tot __read_mostly;
-module_param(ip_pkt_list_tot, uint, 0400);
-MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
-
-#define XT_RECENT_MAX_NSTAMPS	256
-
 struct recent_entry {
 	struct list_head	list;
 	struct list_head	lru_list;
@@ -83,7 +79,6 @@ struct recent_table {
 	union nf_inet_addr	mask;
 	unsigned int		refcnt;
 	unsigned int		entries;
-	u8			nstamps_max_mask;
 	struct list_head	lru_list;
 	struct list_head	iphash[0];
 };
@@ -95,8 +90,7 @@ struct recent_net {
 #endif
 };
 
-static int recent_net_id __read_mostly;
-
+static int recent_net_id;
 static inline struct recent_net *recent_pernet(struct net *net)
 {
 	return net_generic(net, recent_net_id);
@@ -177,15 +171,12 @@ recent_entry_init(struct recent_table *t
 		  u_int16_t family, u_int8_t ttl)
 {
 	struct recent_entry *e;
-	unsigned int nstamps_max = t->nstamps_max_mask;
 
 	if (t->entries >= ip_list_tot) {
 		e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
 		recent_entry_remove(t, e);
 	}
-
-	nstamps_max += 1;
-	e = kmalloc(sizeof(*e) + sizeof(e->stamps[0]) * nstamps_max,
+	e = kmalloc(sizeof(*e) + sizeof(e->stamps[0]) * ip_pkt_list_tot,
 		    GFP_ATOMIC);
 	if (e == NULL)
 		return NULL;
@@ -206,7 +197,7 @@ recent_entry_init(struct recent_table *t
 
 static void recent_entry_update(struct recent_table *t, struct recent_entry *e)
 {
-	e->index &= t->nstamps_max_mask;
+	e->index %= ip_pkt_list_tot;
 	e->stamps[e->index++] = jiffies;
 	if (e->index > e->nstamps)
 		e->nstamps = e->index;
@@ -335,7 +326,6 @@ static int recent_mt_check(const struct
 	kuid_t uid;
 	kgid_t gid;
 #endif
-	unsigned int nstamp_mask;
 	unsigned int i;
 	int ret = -EINVAL;
 	size_t sz;
@@ -359,33 +349,19 @@ static int recent_mt_check(const struct
 		return -EINVAL;
 	if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
 		return -EINVAL;
-	if (info->hit_count >= XT_RECENT_MAX_NSTAMPS) {
-		pr_info("hitcount (%u) is larger than allowed maximum (%u)\n",
-			info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
+	if (info->hit_count > ip_pkt_list_tot) {
+		pr_info("hitcount (%u) is larger than "
+			"packets to be remembered (%u)\n",
+			info->hit_count, ip_pkt_list_tot);
 		return -EINVAL;
 	}
 	if (info->name[0] == '\0' ||
 	    strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
 		return -EINVAL;
 
-	if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
-		nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;
-	else if (info->hit_count)
-		nstamp_mask = roundup_pow_of_two(info->hit_count) - 1;
-	else
-		nstamp_mask = 32 - 1;
-
 	mutex_lock(&recent_mutex);
 	t = recent_table_lookup(recent_net, info->name);
 	if (t != NULL) {
-		if (info->hit_count > t->nstamps_max_mask) {
-			pr_info("hitcount (%u) is larger than packets to be remembered (%u) for table %s\n",
-				info->hit_count, t->nstamps_max_mask + 1,
-				info->name);
-			ret = -EINVAL;
-			goto out;
-		}
-
 		t->refcnt++;
 		ret = 0;
 		goto out;
@@ -401,7 +377,6 @@ static int recent_mt_check(const struct
 		goto out;
 	}
 	t->refcnt = 1;
-	t->nstamps_max_mask = nstamp_mask;
 
 	memcpy(&t->mask, &info->mask, sizeof(t->mask));
 	strcpy(t->name, info->name);
@@ -522,12 +497,9 @@ static void recent_seq_stop(struct seq_f
 static int recent_seq_show(struct seq_file *seq, void *v)
 {
 	const struct recent_entry *e = v;
-	struct recent_iter_state *st = seq->private;
-	const struct recent_table *t = st->table;
 	unsigned int i;
 
-	i = (e->index - 1) & t->nstamps_max_mask;
-
+	i = (e->index - 1) % ip_pkt_list_tot;
 	if (e->family == NFPROTO_IPV4)
 		seq_printf(seq, "src=%pI4 ttl: %u last_seen: %lu oldest_pkt: %u",
 			   &e->addr.ip, e->ttl, e->stamps[i], e->index);
@@ -745,9 +717,7 @@ static int __init recent_mt_init(void)
 {
 	int err;
 
-	BUILD_BUG_ON_NOT_POWER_OF_2(XT_RECENT_MAX_NSTAMPS);
-
-	if (!ip_list_tot || ip_pkt_list_tot >= XT_RECENT_MAX_NSTAMPS)
+	if (!ip_list_tot || !ip_pkt_list_tot || ip_pkt_list_tot > 255)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 



^ permalink raw reply	[flat|nested] 164+ messages in thread

* Re: [PATCH 3.19 000/177] 3.19.2-stable review
  2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.19 177/177] Revert "netfilter: xt_recent: relax ip_pkt_list_tot restrictions" Greg Kroah-Hartman
@ 2015-03-16 19:59 ` Guenter Roeck
  2015-03-16 20:16   ` Greg Kroah-Hartman
  161 siblings, 1 reply; 164+ messages in thread
From: Guenter Roeck @ 2015-03-16 19:59 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, satoru.takeuchi, shuah.kh, stable

On Mon, Mar 16, 2015 at 03:06:47PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.19.2 release.
> There are 177 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Mar 18 14:07:12 UTC 2015.
> Anything received after that time might be too late.
> 
Build results:
	total: 121 pass: 121 fail: 0
Qemu test results:
        total: 30 pass: 30 fail: 0

Details are available at http://server.roeck-us.net:8010/builders.

Guenter

^ permalink raw reply	[flat|nested] 164+ messages in thread

* Re: [PATCH 3.19 000/177] 3.19.2-stable review
  2015-03-16 19:59 ` [PATCH 3.19 000/177] 3.19.2-stable review Guenter Roeck
@ 2015-03-16 20:16   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 164+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 20:16 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, satoru.takeuchi, shuah.kh, stable

On Mon, Mar 16, 2015 at 12:59:47PM -0700, Guenter Roeck wrote:
> On Mon, Mar 16, 2015 at 03:06:47PM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 3.19.2 release.
> > There are 177 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Wed Mar 18 14:07:12 UTC 2015.
> > Anything received after that time might be too late.
> > 
> Build results:
> 	total: 121 pass: 121 fail: 0
> Qemu test results:
>         total: 30 pass: 30 fail: 0
> 
> Details are available at http://server.roeck-us.net:8010/builders.

Great, thanks for letting me know that all 3 of these are good.

greg k-h

^ permalink raw reply	[flat|nested] 164+ messages in thread

end of thread, other threads:[~2015-03-16 20:16 UTC | newest]

Thread overview: 164+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-16 14:06 [PATCH 3.19 000/177] 3.19.2-stable review Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 002/177] ipv6: addrconf: add missing validate_link_af handler Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 003/177] pktgen: fix UDP checksum computation Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 004/177] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 005/177] ipv6: Fix fragment id assignment on LE arches Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 006/177] ipv6: Make __ipv6_select_ident static Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 007/177] tcp: make sure skb is not shared before using skb_get() Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 008/177] ipv6: fix ipv6_cow_metrics for non DST_HOST case Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 009/177] rtnetlink: call ->dellink on failure when ->newlink exists Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 011/177] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits Greg Kroah-Hartman
2015-03-16 14:06 ` [PATCH 3.19 012/177] ipv4: ip_check_defrag should not assume that skb_network_offset is zero Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 013/177] net: phy: Fix verification of EEE support in phy_init_eee Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 015/177] openvswitch: Fix net exit Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 016/177] sock: sock_dequeue_err_skb() needs hard irq safety Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 017/177] net: reject creation of netdev names with colons Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 018/177] Revert "r8169: add support for Byte Queue Limits" Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 019/177] net: pktgen: disable xmit_clone on virtual devices Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 020/177] team: fix possible null pointer dereference in team_handle_frame Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 021/177] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 022/177] macvtap: make sure neighbour code can push ethernet header Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 023/177] net: bcmgenet: fix throughtput regression Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 024/177] net: bcmgenet: fix software maintained statistics Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 025/177] sh_eth: Fix lost MAC address on kexec Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 026/177] net: do not use rcu in rtnl_dump_ifinfo() Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 027/177] usb: plusb: Add support for National Instruments host-to-host cable Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 028/177] udp: only allow UFO for packets from SOCK_DGRAM sockets Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 029/177] net: ping: Return EAFNOSUPPORT when appropriate Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 030/177] team: dont traverse port list using rcu in team_set_mac_address Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 031/177] mm/hugetlb: fix getting refcount 0 page in hugetlb_fault() Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 032/177] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 033/177] mm/hugetlb: add migration entry check in __unmap_hugepage_range Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 034/177] mm, hugetlb: remove unnecessary lower bound on sysctl handlers"? Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 035/177] mm: when stealing freepages, also take pages created by splitting buddy page Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 036/177] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 037/177] mm/nommu.c: " Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 038/177] mm/compaction: fix wrong order check in compact_finished() Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 039/177] mm/memory.c: actually remap enough memory Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 040/177] mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page() Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 041/177] mm: fix negative nr_isolated counts Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 042/177] mm/nommu: fix memory leak Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 043/177] mm: page_alloc: revert inadvertent !__GFP_FS retry behavior change Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 044/177] drm/tegra: Use correct relocation target offsets Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 048/177] drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 049/177] drm/radeon: fix voltage setup on hawaii Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 050/177] drm/i915: Insert a command barrier on BLT/BSD cache flushes Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 051/177] drm/i915: Drop vblank wait from intel_dp_link_down Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 054/177] drm/i915: Clamp efficient frequency to valid range Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 055/177] target: Fix PR_APTPL_BUF_LEN buffer size limitation Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 056/177] target: Add missing WRITE_SAME end-of-device sanity check Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 057/177] target: Check for LBA + sectors wrap-around in sbc_parse_cdb Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 058/177] x86/asm/entry/64: Remove a bogus ret_from_fork optimization Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 059/177] x86/fpu/xsaves: Fix improper uses of __ex_table Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 060/177] iio: mxs-lradc: fix iio channel map regression Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 061/177] iio: imu: adis16400: Fix sign extension Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 067/177] iio:adc:mcp3422 Fix incorrect scales table Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 068/177] IIO: si7020: Allocate correct amount of memory in devm_iio_device_alloc Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 069/177] Revert "iio:humidity:si7020: fix pointer to i2c client" Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 070/177] mei: make device disabled on stop unconditionally Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 071/177] Btrfs: fix fsync race leading to ordered extent memory leaks Greg Kroah-Hartman
2015-03-16 14:07 ` [PATCH 3.19 072/177] btrfs: fix lost return value due to variable shadowing Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 073/177] Btrfs: fix data loss in the fast fsync path Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 074/177] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 075/177] KVM: emulate: fix CMPXCHG8B on 32-bit hosts Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 076/177] KVM: MIPS: Fix trace event to save PC directly Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 077/177] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS539 Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 078/177] Revert "USB: serial: make bulk_out_size a lower limit" Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 079/177] USB: serial: cp210x: Adding Seletek device ids Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 080/177] USB: mxuport: fix null deref when used as a console Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 081/177] USB: usbfs: dont leak kernel data in siginfo Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 082/177] USB: ftdi_sio: add PIDs for Actisense USB devices Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 083/177] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 084/177] usb: dwc3: dwc3-omap: Fix disable IRQ Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 085/177] usb: gadget: configfs: dont NUL-terminate (sub)compatible ids Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 086/177] usb: XHCI: platform: Move the Marvell quirks after the enabling the clocks Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 087/177] xhci: Allocate correct amount of scratchpad buffers Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 088/177] xhci: fix reporting of 0-sized URBs in control endpoint Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 089/177] xhci: Workaround for PME stuck issues in Intel xhci Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 090/177] mac80211: Send EAPOL frames at lowest rate Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 091/177] mac80211: notify channel switch at the end of ieee80211_chswitch_post_beacon() Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 092/177] net: irda: fix wait_until_sent poll timeout Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 093/177] USB: serial: fix infinite wait_until_sent timeout Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 094/177] TTY: fix tty_wait_until_sent on 64-bit machines Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 095/177] USB: serial: fix potential use-after-free after failed probe Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 096/177] USB: serial: fix tty-device error handling at probe Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 097/177] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 098/177] autofs4: Wrong format for printing dentry Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 099/177] debugfs: leave freeing a symlink body until inode eviction Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 100/177] procfs: fix race between symlink removals and traversals Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 101/177] sunrpc: fix braino in ->poll() Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 102/177] SUNRPC: Always manipulate rpc_rqst::rq_bc_pa_list under xprt->bc_pa_lock Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 103/177] ARC: Fix KSTK_ESP() Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 104/177] tty: fix up atime/mtime mess, take four Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 105/177] serial: 8250: Revert "tty: serial: 8250_core: read only RX if there is something in the FIFO" Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 106/177] ALSA: pcm: Dont leave PREPARED state after draining Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 107/177] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 108/177] ALSA: fireworks/bebob/dice/oxfw: add reference-counting for FireWire unit Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 109/177] ALSA: firewire-lib: remove reference counting Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 110/177] ALSA: fireworks/bebob/dice/oxfw: allow stream destructor after releasing runtime Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 111/177] ALSA: fireworks/bebob/dice/oxfw: make it possible to shutdown safely Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 112/177] ALSA: hda: controller code - do not export static functions Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 113/177] ALSA: hda - Disable runtime PM for Panther Point again Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 114/177] ALSA: oxfw: fix a condition and return code in start_stream() Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 115/177] ALSA: hda - One more Dell macine needs DELL1_MIC_NO_PRESENCE quirk Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 116/177] locking/rtmutex: Avoid a NULL pointer dereference on deadlock Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 117/177] sg: fix read() error reporting Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 118/177] IB/qib: Do not write EEPROM Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 119/177] IB/iser: Fix memory regions possible leak Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 120/177] IB/iser: Use correct dma direction when unmapping SGs Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 121/177] IB/mlx5: Fix error code in get_port_caps() Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 122/177] IB/mlx4: Fix memory leak in __mlx4_ib_modify_qp Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 123/177] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 124/177] IB/core: Fix deadlock on uverbs modify_qp error flow Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 125/177] IB/core: Properly handle registration of on-demand paging MRs after dereg Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 126/177] IB/core: When marshaling ucma path from user-space, clear unused fields Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 127/177] nilfs2: fix potential memory overrun on inode Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 128/177] wd719x: add missing .module to wd719x_template Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 129/177] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 130/177] clk: zynq: Force CPU_2X clock to be ungated Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 131/177] clk: Fix debugfs clk removal before inited Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.19 132/177] sunxi: clk: Set sun6i-pll1 n_start = 1 Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 133/177] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 134/177] dm mirror: do not degrade the mirror on discard error Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 135/177] dm io: reject unsupported DISCARD requests with EOPNOTSUPP Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 136/177] dm: fix a race condition in dm_get_md Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 137/177] dm snapshot: fix a possible invalid memory access on unload Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 138/177] firmware: dmi_scan: Fix dmi_len type Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 139/177] firmware: dmi_scan: Fix dmi scan to handle "End of Table" structure Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 140/177] staging: comedi: cb_pcidas64: fix incorrect AI range code handling Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 141/177] HID: input: fix confusion on conflicting mappings Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 142/177] HID: fixup the conflicting keyboard mappings quirk Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 143/177] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 144/177] drm/radeon: enable native backlight control on old macs Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 145/177] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 146/177] drm/radeon: fix 1 RB harvest config setup for TN/RL Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 147/177] drm/i915/bdw: PCI IDs ending in 0xb are ULT Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 148/177] drm/i915: Check obj->vma_list under the struct_mutex Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 149/177] drm/i915: Dell Chromebook 11 has PWM backlight Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 150/177] drm/i915: avoid processing spurious/shared interrupts in low-power states Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 151/177] drm/i915: Check for driver readyness before handling an underrun interrupt Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 153/177] nfsd: fix clp->cl_revoked list deletion causing softlock in nfsd Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 154/177] efi: Small leak on error in runtime map code Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 155/177] efi/libstub: Fix boundary checking in efi_high_alloc() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 156/177] eCryptfs: dont pass fs-specific ioctl commands through Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 157/177] ACPI / video: Load the module even if ACPI is disabled Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 158/177] ACPI / LPSS: provide con_id for the clkdev Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 159/177] NFS: Dont invalidate a submounted dentry in nfs_prime_dcache() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 160/177] NFSv4: Dont call put_rpccred() under the rcu_read_lock() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 161/177] ASoC: omap-pcm: Correct dma mask Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 162/177] ASoC: rt5670: Set RT5670_IRQ_CTRL1 non volatile Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 163/177] stable_kernel_rules: reorganize and update submission options Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 164/177] coresight-etm: unlock on error paths in mode_store() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 165/177] sched: Fix hrtick_start() on UP Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 166/177] of/pci: Free resources on failure in of_pci_get_host_bridge_resources() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 167/177] GFS2: Fix crash during ACL deletion in acl max entry check in gfs2_set_acl() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 168/177] ath5k: fix spontaneus AR5312 freezes Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 171/177] vmstat: do not use deferrable delayed work for vmstat_update Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 172/177] sched/autogroup: Fix failure to set cpu.rt_runtime_us Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 173/177] clk-gate: fix bit # check in clk_register_gate() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 174/177] cxl: Use image state defaults for reloading FPGA Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 175/177] cxl: Fix device_node reference counting Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 176/177] cxl: Add missing return statement after handling AFU errror Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.19 177/177] Revert "netfilter: xt_recent: relax ip_pkt_list_tot restrictions" Greg Kroah-Hartman
2015-03-16 19:59 ` [PATCH 3.19 000/177] 3.19.2-stable review Guenter Roeck
2015-03-16 20:16   ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).