LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 3.14 00/96] 3.14.36-stable review
@ 2015-03-16 14:08 Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 01/96] pktgen: fix UDP checksum computation Greg Kroah-Hartman
                   ` (88 more replies)
  0 siblings, 89 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, satoru.takeuchi,
	shuah.kh, stable

This is the start of the stable review cycle for the 3.14.36 release.
There are 96 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Mar 18 14:08:22 UTC 2015.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.14.36-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 3.14.36-rc1

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    clk-gate: fix bit # check in clk_register_gate()

Kalle Valo <kvalo@qca.qualcomm.com>
    ath6kl: fix struct hif_scatter_req list handling

Sergey Ryazanov <ryazanov.s.a@gmail.com>
    ath5k: fix spontaneus AR5312 freezes

Peter Ujfalusi <peter.ujfalusi@ti.com>
    ASoC: omap-pcm: Correct dma mask

Trond Myklebust <trond.myklebust@primarydata.com>
    NFSv4: Don't call put_rpccred() under the rcu_read_lock()

Chris Wilson <chris@chris-wilson.co.uk>
    ACPI / video: Load the module even if ACPI is disabled

Dan Carpenter <dan.carpenter@oracle.com>
    efi: Small leak on error in runtime map code

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: fix 1 RB harvest config setup for TN/RL

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh

Jason Gerecke <killertofu@gmail.com>
    HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid

Jiri Kosina <jkosina@suse.cz>
    HID: fixup the conflicting keyboard mappings quirk

David Herrmann <dh.herrmann@gmail.com>
    HID: input: fix confusion on conflicting mappings

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: cb_pcidas64: fix incorrect AI range code handling

Mikulas Patocka <mpatocka@redhat.com>
    dm snapshot: fix a possible invalid memory access on unload

Mikulas Patocka <mpatocka@redhat.com>
    dm: fix a race condition in dm_get_md

Darrick J. Wong <darrick.wong@oracle.com>
    dm io: reject unsupported DISCARD requests with EOPNOTSUPP

Mikulas Patocka <mpatocka@redhat.com>
    dm mirror: do not degrade the mirror on discard error

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back

Chen-Yu Tsai <wens@csie.org>
    clk: sunxi: Support factor clocks with N factor starting not from 0

Hans de Goede <hdegoede@redhat.com>
    sunxi: clk: Set sun6i-pll1 n_start = 1

Soren Brinkmann <soren.brinkmann@xilinx.com>
    clk: zynq: Force CPU_2X clock to be ungated

Minh Duc Tran <MinhDuc.Tran@Emulex.Com>
    fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit.

Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
    nilfs2: fix potential memory overrun on inode

Ilya Nelkenbaum <ilyan@mellanox.com>
    IB/core: When marshaling ucma path from user-space, clear unused fields

Moshe Lazer <moshel@mellanox.com>
    IB/core: Fix deadlock on uverbs modify_qp error flow

Or Gerlitz <ogerlitz@mellanox.com>
    IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach

Mitko Haralanov <mitko.haralanov@intel.com>
    IB/qib: Do not write EEPROM

Tony Battersby <tonyb@cybernetics.com>
    sg: fix read() error reporting

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Disable runtime PM for Panther Point again

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: Don't leave PREPARED state after draining

Jiri Slaby <jslaby@suse.cz>
    tty: fix up atime/mtime mess, take four

Vineet Gupta <vgupta@synopsys.com>
    ARC: Fix KSTK_ESP()

Al Viro <viro@ZenIV.linux.org.uk>
    sunrpc: fix braino in ->poll()

Al Viro <viro@zeniv.linux.org.uk>
    procfs: fix race between symlink removals and traversals

Al Viro <viro@zeniv.linux.org.uk>
    debugfs: leave freeing a symlink body until inode eviction

Al Viro <viro@zeniv.linux.org.uk>
    autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation

Johan Hovold <johan@kernel.org>
    USB: serial: fix tty-device error handling at probe

Johan Hovold <johan@kernel.org>
    USB: serial: fix potential use-after-free after failed probe

Johan Hovold <johan@kernel.org>
    TTY: fix tty_wait_until_sent on 64-bit machines

Johan Hovold <johan@kernel.org>
    USB: serial: fix infinite wait_until_sent timeout

Johan Hovold <johan@kernel.org>
    net: irda: fix wait_until_sent poll timeout

Jouni Malinen <jouni@qca.qualcomm.com>
    mac80211: Send EAPOL frames at lowest rate

Aleksander Morgado <aleksander@aleksander.es>
    xhci: fix reporting of 0-sized URBs in control endpoint

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Allocate correct amount of scratchpad buffers

George Cherian <george.cherian@ti.com>
    usb: dwc3: dwc3-omap: Fix disable IRQ

Max Mansfield <max.m.mansfield@gmail.com>
    usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards

Mark Glover <mark@actisense.com>
    USB: ftdi_sio: add PIDs for Actisense USB devices

Alan Stern <stern@rowland.harvard.edu>
    USB: usbfs: don't leak kernel data in siginfo

Johan Hovold <johan@kernel.org>
    USB: mxuport: fix null deref when used as a console

Michiel vd Garde <mgparser@gmail.com>
    USB: serial: cp210x: Adding Seletek device id's

James Hogan <james.hogan@imgtec.com>
    KVM: MIPS: Fix trace event to save PC directly

Paolo Bonzini <pbonzini@redhat.com>
    KVM: emulate: fix CMPXCHG8B on 32-bit hosts

Quentin Casasnovas <quentin.casasnovas@oracle.com>
    Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix data loss in the fast fsync path

David Sterba <dsterba@suse.cz>
    btrfs: fix lost return value due to variable shadowing

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: make device disabled on stop unconditionally

Angelo Compagnucci <angelo.compagnucci@gmail.com>
    iio:adc:mcp3422 Fix incorrect scales table

Urs Fässler <urs.fassler@bytesatwork.ch>
    iio: ad5686: fix optional reference voltage declaration

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: only update the buffer when its conversions have finished

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: make ADC reads not unschedule touchscreen conversions

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: make ADC reads not disable touchscreen interrupts

Kristina Martšenko <kristina.martsenko@gmail.com>
    iio: mxs-lradc: separate touchscreen and buffer virtual channels

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    iio: imu: adis16400: Fix sign extension

Stefan Wahren <stefan.wahren@i2se.com>
    iio: mxs-lradc: fix iio channel map regression

Andy Lutomirski <luto@amacapital.net>
    x86/asm/entry/64: Remove a bogus 'ret_from_fork' optimization

Nicholas Bellinger <nab@linux-iscsi.org>
    target: Check for LBA + sectors wrap-around in sbc_parse_cdb

Nicholas Bellinger <nab@linux-iscsi.org>
    target: Add missing WRITE_SAME end-of-device sanity check

Nicholas Bellinger <nab@linux-iscsi.org>
    target: Fix PR_APTPL_BUF_LEN buffer size limitation

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: fix voltage setup on hawaii

Christian König <christian.koenig@amd.com>
    drm/radeon: workaround for CP HW bug on CIK

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: only enable kv/kb dpm interrupts once v3

Grazvydas Ignotas <notasas@gmail.com>
    mm/memory.c: actually remap enough memory

Joonsoo Kim <iamjoonsoo.kim@lge.com>
    mm/compaction: fix wrong order check in compact_finished()

Roman Gushchin <klamm@yandex-team.ru>
    mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()

Roman Gushchin <klamm@yandex-team.ru>
    mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()

Vlastimil Babka <vbabka@suse.cz>
    mm: when stealing freepages, also take pages created by splitting buddy page

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    mm/hugetlb: add migration entry check in __unmap_hugepage_range

Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection

Jiri Pirko <jiri@resnulli.us>
    team: don't traverse port list using rcu in team_set_mac_address

Lorenzo Colitti <lorenzo@google.com>
    net: ping: Return EAFNOSUPPORT when appropriate.

Michal Kubeček <mkubecek@suse.cz>
    udp: only allow UFO for packets from SOCK_DGRAM sockets

Ben Shelton <ben.shelton@ni.com>
    usb: plusb: Add support for National Instruments host-to-host cable

Eric Dumazet <edumazet@google.com>
    macvtap: make sure neighbour code can push ethernet header

Catalin Marinas <catalin.marinas@arm.com>
    net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg

Jiri Pirko <jiri@resnulli.us>
    team: fix possible null pointer dereference in team_handle_frame

Matthew Thode <mthode@mthode.org>
    net: reject creation of netdev names with colons

Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
    ematch: Fix auto-loading of ematch modules.

Guenter Roeck <linux@roeck-us.net>
    net: phy: Fix verification of EEE support in phy_init_eee

Alexander Drozdov <al.drozdov@gmail.com>
    ipv4: ip_check_defrag should not assume that skb_network_offset is zero

Alexander Drozdov <al.drozdov@gmail.com>
    ipv4: ip_check_defrag should correctly check return value of skb_copy_bits

Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
    gen_stats.c: Duplicate xstats buffer for later use

WANG Cong <xiyou.wangcong@gmail.com>
    rtnetlink: call ->dellink on failure when ->newlink exists

Martin KaFai Lau <kafai@fb.com>
    ipv6: fix ipv6_cow_metrics for non DST_HOST case

Daniel Borkmann <daniel@iogearbox.net>
    rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY

Sabrina Dubroca <sd@queasysnail.net>
    pktgen: fix UDP checksum computation


-------------

Diffstat:

 Makefile                                     |   4 +-
 arch/arc/include/asm/processor.h             |   9 +-
 arch/arc/kernel/stacktrace.c                 |   6 +-
 arch/mips/kvm/trace.h                        |   6 +-
 arch/x86/kernel/entry_64.S                   |  13 +-
 arch/x86/kvm/emulate.c                       |   3 +-
 drivers/acpi/video.c                         |  11 ++
 drivers/clk/clk-gate.c                       |   2 +-
 drivers/clk/sunxi/clk-factors.c              |   2 +-
 drivers/clk/sunxi/clk-factors.h              |   1 +
 drivers/clk/sunxi/clk-sunxi.c                |   1 +
 drivers/clk/zynq/clkc.c                      |   1 +
 drivers/firmware/efi/runtime-map.c           |   2 +-
 drivers/gpu/drm/radeon/cik.c                 |  37 ++---
 drivers/gpu/drm/radeon/kv_dpm.c              |  17 ++-
 drivers/gpu/drm/radeon/ni.c                  |   8 +-
 drivers/gpu/drm/radeon/r600_dpm.c            |   2 +-
 drivers/gpu/drm/radeon/radeon_atombios.c     |   1 +
 drivers/hid/hid-input.c                      |  17 +++
 drivers/iio/adc/mcp3422.c                    |  17 +--
 drivers/iio/dac/ad5686.c                     |   2 +-
 drivers/iio/imu/adis16400_core.c             |   3 +-
 drivers/infiniband/core/ucma.c               |   3 +
 drivers/infiniband/core/uverbs_cmd.c         |   9 +-
 drivers/infiniband/hw/mlx4/main.c            |  10 +-
 drivers/infiniband/hw/qib/qib.h              |   9 +-
 drivers/infiniband/hw/qib/qib_eeprom.c       | 181 ------------------------
 drivers/infiniband/hw/qib/qib_iba6120.c      |   2 -
 drivers/infiniband/hw/qib/qib_iba7220.c      |   2 -
 drivers/infiniband/hw/qib/qib_iba7322.c      |   2 -
 drivers/infiniband/hw/qib/qib_init.c         |   1 -
 drivers/infiniband/hw/qib/qib_sysfs.c        |  24 ----
 drivers/input/tablet/wacom_wac.c             |   6 +
 drivers/md/dm-io.c                           |   6 +
 drivers/md/dm-raid1.c                        |   9 ++
 drivers/md/dm-snap.c                         |   4 +-
 drivers/md/dm.c                              |  27 ++--
 drivers/misc/mei/init.c                      |   2 +
 drivers/net/macvtap.c                        |   7 +-
 drivers/net/phy/phy.c                        |  23 ++-
 drivers/net/team/team.c                      |  10 +-
 drivers/net/usb/plusb.c                      |   5 +
 drivers/net/wireless/ath/ath5k/reset.c       |   2 +-
 drivers/net/wireless/ath/ath6kl/hif.h        |   4 +-
 drivers/net/wireless/ath/ath6kl/sdio.c       |   2 +-
 drivers/scsi/be2iscsi/be_main.c              |   1 -
 drivers/scsi/sg.c                            |   6 +-
 drivers/staging/comedi/comedi_compat32.c     |  12 +-
 drivers/staging/comedi/drivers/cb_pcidas64.c | 122 ++++++++++------
 drivers/staging/iio/adc/mxs-lradc.c          | 204 ++++++++++++++-------------
 drivers/target/target_core_pr.c              |  25 ++--
 drivers/target/target_core_sbc.c             |  15 +-
 drivers/tty/tty_io.c                         |   4 +-
 drivers/tty/tty_ioctl.c                      |  12 +-
 drivers/usb/core/devio.c                     |   2 +
 drivers/usb/dwc3/dwc3-omap.c                 |  30 +++-
 drivers/usb/host/xhci-ring.c                 |  10 +-
 drivers/usb/host/xhci.h                      |   8 +-
 drivers/usb/serial/bus.c                     |  13 +-
 drivers/usb/serial/cp210x.c                  |   2 +
 drivers/usb/serial/ftdi_sio.c                |  19 +++
 drivers/usb/serial/ftdi_sio_ids.h            |  23 +++
 drivers/usb/serial/generic.c                 |   5 +-
 drivers/usb/serial/mxuport.c                 |   3 +-
 fs/autofs4/dev-ioctl.c                       |   8 +-
 fs/btrfs/file.c                              |  56 ++++----
 fs/btrfs/inode.c                             |   1 -
 fs/btrfs/tree-log.c                          |   2 +-
 fs/debugfs/inode.c                           |  34 ++---
 fs/nfs/delegation.c                          |   2 +-
 fs/nilfs2/btree.c                            |  47 +++++-
 fs/proc/generic.c                            |  12 --
 fs/proc/inode.c                              |  21 +++
 fs/proc/internal.h                           |   1 +
 include/target/target_core_base.h            |   2 +-
 include/trace/events/kmem.h                  |   7 +-
 mm/compaction.c                              |   2 +-
 mm/hugetlb.c                                 |  26 +++-
 mm/memory.c                                  |   2 +-
 mm/mmap.c                                    |   4 +-
 mm/nommu.c                                   |   4 +-
 mm/page_alloc.c                              |  12 +-
 net/compat.c                                 |   9 --
 net/core/dev.c                               |   2 +-
 net/core/gen_stats.c                         |  15 +-
 net/core/pktgen.c                            |  16 +--
 net/core/rtnetlink.c                         |  24 ++--
 net/ipv4/ip_fragment.c                       |  11 +-
 net/ipv4/ip_output.c                         |   3 +-
 net/ipv4/ping.c                              |  13 +-
 net/ipv6/ip6_output.c                        |   3 +-
 net/ipv6/ping.c                              |   5 +-
 net/ipv6/route.c                             |   2 +-
 net/irda/ircomm/ircomm_tty.c                 |   4 +-
 net/mac80211/tx.c                            |   1 +
 net/sched/ematch.c                           |   1 +
 net/sunrpc/cache.c                           |   2 +-
 sound/core/pcm_native.c                      |   2 +
 sound/pci/hda/hda_intel.c                    |   2 +-
 sound/pci/hda/patch_sigmatel.c               |  17 ++-
 sound/soc/omap/omap-pcm.c                    |   2 +-
 101 files changed, 768 insertions(+), 640 deletions(-)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 01/96] pktgen: fix UDP checksum computation
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 02/96] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sabrina Dubroca, Thomas Graf,
	David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 7744b5f3693cc06695cb9d6667671c790282730f ]

This patch fixes two issues in UDP checksum computation in pktgen.

First, the pseudo-header uses the source and destination IP
addresses. Currently, the ports are used for IPv4.

Second, the UDP checksum covers both header and data.  So we need to
generate the data earlier (move pktgen_finalize_skb up), and compute
the checksum for UDP header + data.

Fixes: c26bf4a51308c ("pktgen: Add UDPCSUM flag to support UDP checksums")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/pktgen.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2812,25 +2812,25 @@ static struct sk_buff *fill_packet_ipv4(
 	skb->dev = odev;
 	skb->pkt_type = PACKET_HOST;
 
+	pktgen_finalize_skb(pkt_dev, skb, datalen);
+
 	if (!(pkt_dev->flags & F_UDPCSUM)) {
 		skb->ip_summed = CHECKSUM_NONE;
 	} else if (odev->features & NETIF_F_V4_CSUM) {
 		skb->ip_summed = CHECKSUM_PARTIAL;
 		skb->csum = 0;
-		udp4_hwcsum(skb, udph->source, udph->dest);
+		udp4_hwcsum(skb, iph->saddr, iph->daddr);
 	} else {
-		__wsum csum = udp_csum(skb);
+		__wsum csum = skb_checksum(skb, skb_transport_offset(skb), datalen + 8, 0);
 
 		/* add protocol-dependent pseudo-header */
-		udph->check = csum_tcpudp_magic(udph->source, udph->dest,
+		udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
 						datalen + 8, IPPROTO_UDP, csum);
 
 		if (udph->check == 0)
 			udph->check = CSUM_MANGLED_0;
 	}
 
-	pktgen_finalize_skb(pkt_dev, skb, datalen);
-
 #ifdef CONFIG_XFRM
 	if (!process_ipsec(pkt_dev, skb, protocol))
 		return NULL;
@@ -2946,6 +2946,8 @@ static struct sk_buff *fill_packet_ipv6(
 	skb->dev = odev;
 	skb->pkt_type = PACKET_HOST;
 
+	pktgen_finalize_skb(pkt_dev, skb, datalen);
+
 	if (!(pkt_dev->flags & F_UDPCSUM)) {
 		skb->ip_summed = CHECKSUM_NONE;
 	} else if (odev->features & NETIF_F_V6_CSUM) {
@@ -2954,7 +2956,7 @@ static struct sk_buff *fill_packet_ipv6(
 		skb->csum_offset = offsetof(struct udphdr, check);
 		udph->check = ~csum_ipv6_magic(&iph->saddr, &iph->daddr, udplen, IPPROTO_UDP, 0);
 	} else {
-		__wsum csum = udp_csum(skb);
+		__wsum csum = skb_checksum(skb, skb_transport_offset(skb), udplen, 0);
 
 		/* add protocol-dependent pseudo-header */
 		udph->check = csum_ipv6_magic(&iph->saddr, &iph->daddr, udplen, IPPROTO_UDP, csum);
@@ -2963,8 +2965,6 @@ static struct sk_buff *fill_packet_ipv6(
 			udph->check = CSUM_MANGLED_0;
 	}
 
-	pktgen_finalize_skb(pkt_dev, skb, datalen);
-
 	return skb;
 }
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 02/96] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 01/96] pktgen: fix UDP checksum computation Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 03/96] ipv6: fix ipv6_cow_metrics for non DST_HOST case Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mitch Williams, Jeff Kirsher,
	Daniel Borkmann, Thomas Graf, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

[ Upstream commit 364d5716a7adb91b731a35765d369602d68d2881 ]

ifla_vf_policy[] is wrong in advertising its individual member types as
NLA_BINARY since .type = NLA_BINARY in combination with .len declares the
len member as *max* attribute length [0, len].

The issue is that when do_setvfinfo() is being called to set up a VF
through ndo handler, we could set corrupted data if the attribute length
is less than the size of the related structure itself.

The intent is exactly the opposite, namely to make sure to pass at least
data of minimum size of len.

Fixes: ebc08a6f47ee ("rtnetlink: Add VF config code to rtnetlink")
Cc: Mitch Williams <mitch.a.williams@intel.com>
Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1264,14 +1264,10 @@ static const struct nla_policy ifla_vfin
 };
 
 static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
-	[IFLA_VF_MAC]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_mac) },
-	[IFLA_VF_VLAN]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_vlan) },
-	[IFLA_VF_TX_RATE]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_tx_rate) },
-	[IFLA_VF_SPOOFCHK]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_spoofchk) },
+	[IFLA_VF_MAC]		= { .len = sizeof(struct ifla_vf_mac) },
+	[IFLA_VF_VLAN]		= { .len = sizeof(struct ifla_vf_vlan) },
+	[IFLA_VF_TX_RATE]	= { .len = sizeof(struct ifla_vf_tx_rate) },
+	[IFLA_VF_SPOOFCHK]	= { .len = sizeof(struct ifla_vf_spoofchk) },
 };
 
 static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 03/96] ipv6: fix ipv6_cow_metrics for non DST_HOST case
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 01/96] pktgen: fix UDP checksum computation Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 02/96] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 04/96] rtnetlink: call ->dellink on failure when ->newlink exists Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin KaFai Lau, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin KaFai Lau <kafai@fb.com>

[ Upstream commit 3b4711757d7903ab6fa88a9e7ab8901b8227da60 ]

ipv6_cow_metrics() currently assumes only DST_HOST routes require
dynamic metrics allocation from inetpeer.  The assumption breaks
when ndisc discovered router with RTAX_MTU and RTAX_HOPLIMIT metric.
Refer to ndisc_router_discovery() in ndisc.c and note that dst_metric_set()
is called after the route is created.

This patch creates the metrics array (by calling dst_cow_metrics_generic) in
ipv6_cow_metrics().

Test:
radvd.conf:
interface qemubr0
{
	AdvLinkMTU 1300;
	AdvCurHopLimit 30;

	prefix fd00:face:face:face::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
		AdvRouterAddr off;
	};
};

Before:
[root@qemu1 ~]# ip -6 r show | egrep -v unreachable
fd00:face:face:face::/64 dev eth0  proto kernel  metric 256  expires 27sec
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::74df:d0ff:fe23:8ef2 dev eth0  proto ra  metric 1024  expires 27sec

After:
[root@qemu1 ~]# ip -6 r show | egrep -v unreachable
fd00:face:face:face::/64 dev eth0  proto kernel  metric 256  expires 27sec mtu 1300
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1300
default via fe80::74df:d0ff:fe23:8ef2 dev eth0  proto ra  metric 1024  expires 27sec mtu 1300 hoplimit 30

Fixes: 8e2ec639173f325 (ipv6: don't use inetpeer to store metrics for routes.)
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/route.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -141,7 +141,7 @@ static u32 *ipv6_cow_metrics(struct dst_
 	u32 *p = NULL;
 
 	if (!(rt->dst.flags & DST_HOST))
-		return NULL;
+		return dst_cow_metrics_generic(dst, old);
 
 	peer = rt6_get_peer_create(rt);
 	if (peer) {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 04/96] rtnetlink: call ->dellink on failure when ->newlink exists
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 03/96] ipv6: fix ipv6_cow_metrics for non DST_HOST case Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 06/96] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ignacy Gawedzki, Cong Wang, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

[ Upstream commit 7afb8886a05be68e376655539a064ec672de8a8e ]

Ignacy reported that when eth0 is down and add a vlan device
on top of it like:

  ip link add link eth0 name eth0.1 up type vlan id 1

We will get a refcount leak:

  unregister_netdevice: waiting for eth0.1 to become free. Usage count = 2

The problem is when rtnl_configure_link() fails in rtnl_newlink(),
we simply call unregister_device(), but for stacked device like vlan,
we almost do nothing when we unregister the upper device, more work
is done when we unregister the lower device, so call its ->dellink().

Reported-by: Ignacy Gawedzki <ignacy.gawedzki@green-communications.fr>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2030,8 +2030,16 @@ replay:
 			}
 		}
 		err = rtnl_configure_link(dev, ifm);
-		if (err < 0)
-			unregister_netdevice(dev);
+		if (err < 0) {
+			if (ops->newlink) {
+				LIST_HEAD(list_kill);
+
+				ops->dellink(dev, &list_kill);
+				unregister_netdevice_many(&list_kill);
+			} else {
+				unregister_netdevice(dev);
+			}
+		}
 out:
 		put_net(dest_net);
 		return err;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 06/96] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 04/96] rtnetlink: call ->dellink on failure when ->newlink exists Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 07/96] ipv4: ip_check_defrag should not assume that skb_network_offset is zero Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Drozdov, Eric Dumazet,
	David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Drozdov <al.drozdov@gmail.com>

[ Upstream commit fba04a9e0c869498889b6445fd06cbe7da9bb834 ]

skb_copy_bits() returns zero on success and negative value on error,
so it is needed to invert the condition in ip_check_defrag().

Fixes: 1bf3751ec90c ("ipv4: ip_check_defrag must not modify skb before unsharing")
Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_fragment.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -684,7 +684,7 @@ struct sk_buff *ip_check_defrag(struct s
 	if (skb->protocol != htons(ETH_P_IP))
 		return skb;
 
-	if (!skb_copy_bits(skb, 0, &iph, sizeof(iph)))
+	if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0)
 		return skb;
 
 	if (iph.ihl < 5 || iph.version != 4)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 07/96] ipv4: ip_check_defrag should not assume that skb_network_offset is zero
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 06/96] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 08/96] net: phy: Fix verification of EEE support in phy_init_eee Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Drozdov, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Drozdov <al.drozdov@gmail.com>

[ Upstream commit 3e32e733d1bbb3f227259dc782ef01d5706bdae0 ]

ip_check_defrag() may be used by af_packet to defragment outgoing packets.
skb_network_offset() of af_packet's outgoing packets is not zero.

Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_fragment.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -679,27 +679,30 @@ EXPORT_SYMBOL(ip_defrag);
 struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
 {
 	struct iphdr iph;
+	int netoff;
 	u32 len;
 
 	if (skb->protocol != htons(ETH_P_IP))
 		return skb;
 
-	if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0)
+	netoff = skb_network_offset(skb);
+
+	if (skb_copy_bits(skb, netoff, &iph, sizeof(iph)) < 0)
 		return skb;
 
 	if (iph.ihl < 5 || iph.version != 4)
 		return skb;
 
 	len = ntohs(iph.tot_len);
-	if (skb->len < len || len < (iph.ihl * 4))
+	if (skb->len < netoff + len || len < (iph.ihl * 4))
 		return skb;
 
 	if (ip_is_fragment(&iph)) {
 		skb = skb_share_check(skb, GFP_ATOMIC);
 		if (skb) {
-			if (!pskb_may_pull(skb, iph.ihl*4))
+			if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
 				return skb;
-			if (pskb_trim_rcsum(skb, len))
+			if (pskb_trim_rcsum(skb, netoff + len))
 				return skb;
 			memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
 			if (ip_defrag(skb, user))



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 08/96] net: phy: Fix verification of EEE support in phy_init_eee
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 07/96] ipv4: ip_check_defrag should not assume that skb_network_offset is zero Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 10/96] net: reject creation of netdev names with colons Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Giuseppe Cavallaro, Guenter Roeck,
	Florian Fainelli, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

[ Upstream commit 54da5a8be3c1e924c35480eb44c6e9b275f6444e ]

phy_init_eee uses phy_find_setting(phydev->speed, phydev->duplex)
to find a valid entry in the settings array for the given speed
and duplex value. For full duplex 1000baseT, this will return
the first matching entry, which is the entry for 1000baseKX_Full.

If the phy eee does not support 1000baseKX_Full, this entry will not
match, causing phy_init_eee to fail for no good reason.

Fixes: 9a9c56cb34e6 ("net: phy: fix a bug when verify the EEE support")
Fixes: 3e7077067e80c ("phy: Expand phy speed/duplex settings array")
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/phy.c |   23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -194,6 +194,25 @@ static inline unsigned int phy_find_vali
 }
 
 /**
+ * phy_check_valid - check if there is a valid PHY setting which matches
+ *		     speed, duplex, and feature mask
+ * @speed: speed to match
+ * @duplex: duplex to match
+ * @features: A mask of the valid settings
+ *
+ * Description: Returns true if there is a valid setting, false otherwise.
+ */
+static inline bool phy_check_valid(int speed, int duplex, u32 features)
+{
+	unsigned int idx;
+
+	idx = phy_find_valid(phy_find_setting(speed, duplex), features);
+
+	return settings[idx].speed == speed && settings[idx].duplex == duplex &&
+		(settings[idx].setting & features);
+}
+
+/**
  * phy_sanitize_settings - make sure the PHY is set to supported speed and duplex
  * @phydev: the target phy_device struct
  *
@@ -955,7 +974,6 @@ int phy_init_eee(struct phy_device *phyd
 		int eee_lp, eee_cap, eee_adv;
 		u32 lp, cap, adv;
 		int status;
-		unsigned int idx;
 
 		/* Read phy status to properly get the right settings */
 		status = phy_read_status(phydev);
@@ -987,8 +1005,7 @@ int phy_init_eee(struct phy_device *phyd
 
 		adv = mmd_eee_adv_to_ethtool_adv_t(eee_adv);
 		lp = mmd_eee_adv_to_ethtool_adv_t(eee_lp);
-		idx = phy_find_setting(phydev->speed, phydev->duplex);
-		if (!(lp & adv & settings[idx].setting))
+		if (!phy_check_valid(phydev->speed, phydev->duplex, lp & adv))
 			return -EPROTONOSUPPORT;
 
 		if (clk_stop_enable) {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 10/96] net: reject creation of netdev names with colons
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 08/96] net: phy: Fix verification of EEE support in phy_init_eee Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 11/96] team: fix possible null pointer dereference in team_handle_frame Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Matthew Thode, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthew Thode <mthode@mthode.org>

[ Upstream commit a4176a9391868bfa87705bcd2e3b49e9b9dd2996 ]

colons are used as a separator in netdev device lookup in dev_ioctl.c

Specific functions are SIOCGIFTXQLEN SIOCETHTOOL SIOCSIFNAME

Signed-off-by: Matthew Thode <mthode@mthode.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -940,7 +940,7 @@ bool dev_valid_name(const char *name)
 		return false;
 
 	while (*name) {
-		if (*name == '/' || isspace(*name))
+		if (*name == '/' || *name == ':' || isspace(*name))
 			return false;
 		name++;
 	}



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 11/96] team: fix possible null pointer dereference in team_handle_frame
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 10/96] net: reject creation of netdev names with colons Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 12/96] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Pirko, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Pirko <jiri@resnulli.us>

[ Upstream commit 57e595631904c827cfa1a0f7bbd7cc9a49da5745 ]

Currently following race is possible in team:

CPU0                                        CPU1
                                            team_port_del
                                              team_upper_dev_unlink
                                                priv_flags &= ~IFF_TEAM_PORT
team_handle_frame
  team_port_get_rcu
    team_port_exists
      priv_flags & IFF_TEAM_PORT == 0
    return NULL (instead of port got
                 from rx_handler_data)
                                              netdev_rx_handler_unregister

The thing is that the flag is removed before rx_handler is unregistered.
If team_handle_frame is called in between, team_port_exists returns 0
and team_port_get_rcu will return NULL.
So do not check the flag here. It is guaranteed by netdev_rx_handler_unregister
that team_handle_frame will always see valid rx_handler_data pointer.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/team/team.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -42,9 +42,7 @@
 
 static struct team_port *team_port_get_rcu(const struct net_device *dev)
 {
-	struct team_port *port = rcu_dereference(dev->rx_handler_data);
-
-	return team_port_exists(dev) ? port : NULL;
+	return rcu_dereference(dev->rx_handler_data);
 }
 
 static struct team_port *team_port_get_rtnl(const struct net_device *dev)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 12/96] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 11/96] team: fix possible null pointer dereference in team_handle_frame Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 13/96] macvtap: make sure neighbour code can push ethernet header Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, David S. Miller,
	Catalin Marinas

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

[ Upstream commit d720d8cec563ce4e4fa44a613d4f2dcb1caf2998 ]

With commit a7526eb5d06b (net: Unbreak compat_sys_{send,recv}msg), the
MSG_CMSG_COMPAT flag is blocked at the compat syscall entry points,
changing the kernel compat behaviour from the one before the commit it
was trying to fix (1be374a0518a, net: Block MSG_CMSG_COMPAT in
send(m)msg and recv(m)msg).

On 32-bit kernels (!CONFIG_COMPAT), MSG_CMSG_COMPAT is 0 and the native
32-bit sys_sendmsg() allows flag 0x80000000 to be set (it is ignored by
the kernel). However, on a 64-bit kernel, the compat ABI is different
with commit a7526eb5d06b.

This patch changes the compat_sys_{send,recv}msg behaviour to the one
prior to commit 1be374a0518a.

The problem was found running 32-bit LTP (sendmsg01) binary on an arm64
kernel. Arguably, LTP should not pass 0xffffffff as flags to sendmsg()
but the general rule is not to break user ABI (even when the user
behaviour is not entirely sane).

Fixes: a7526eb5d06b (net: Unbreak compat_sys_{send,recv}msg)
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/compat.c |    9 ---------
 1 file changed, 9 deletions(-)

--- a/net/compat.c
+++ b/net/compat.c
@@ -738,24 +738,18 @@ static unsigned char nas[21] = {
 
 asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
 	return __sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
 				    unsigned int vlen, unsigned int flags)
 {
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
 	return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 			      flags | MSG_CMSG_COMPAT);
 }
 
 asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
 	return __sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
 
@@ -778,9 +772,6 @@ asmlinkage long compat_sys_recvmmsg(int
 	int datagrams;
 	struct timespec ktspec;
 
-	if (flags & MSG_CMSG_COMPAT)
-		return -EINVAL;
-
 	if (timeout == NULL)
 		return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
 				      flags | MSG_CMSG_COMPAT, NULL);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 13/96] macvtap: make sure neighbour code can push ethernet header
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 12/96] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 14/96] usb: plusb: Add support for National Instruments host-to-host cable Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brian Rak, Eric Dumazet, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 2f1d8b9e8afa5a833d96afcd23abcb8cdf8d83ab ]

Brian reported crashes using IPv6 traffic with macvtap/veth combo.

I tracked the crashes in neigh_hh_output()

-> memcpy(skb->data - HH_DATA_MOD, hh->hh_data, HH_DATA_MOD);

Neighbour code assumes headroom to push Ethernet header is
at least 16 bytes.

It appears macvtap has only 14 bytes available on arches
where NET_IP_ALIGN is 0 (like x86)

Effect is a corruption of 2 bytes right before skb->head,
and possible crashes if accessing non existing memory.

This fix should also increase IPv4 performance, as paranoid code
in ip_finish_output2() wont have to call skb_realloc_headroom()

Reported-by: Brian Rak <brak@vultr.com>
Tested-by: Brian Rak <brak@vultr.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macvtap.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -637,12 +637,15 @@ static void macvtap_skb_to_vnet_hdr(cons
 	} /* else everything is zero */
 }
 
+/* Neighbour code has some assumptions on HH_DATA_MOD alignment */
+#define MACVTAP_RESERVE HH_DATA_OFF(ETH_HLEN)
+
 /* Get packet from user space buffer */
 static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
 				const struct iovec *iv, unsigned long total_len,
 				size_t count, int noblock)
 {
-	int good_linear = SKB_MAX_HEAD(NET_IP_ALIGN);
+	int good_linear = SKB_MAX_HEAD(MACVTAP_RESERVE);
 	struct sk_buff *skb;
 	struct macvlan_dev *vlan;
 	unsigned long len = total_len;
@@ -701,7 +704,7 @@ static ssize_t macvtap_get_user(struct m
 			linear = vnet_hdr.hdr_len;
 	}
 
-	skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
+	skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen,
 				linear, noblock, &err);
 	if (!skb)
 		goto err;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 14/96] usb: plusb: Add support for National Instruments host-to-host cable
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 13/96] macvtap: make sure neighbour code can push ethernet header Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 15/96] udp: only allow UFO for packets from SOCK_DGRAM sockets Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Shelton, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Shelton <ben.shelton@ni.com>

[ Upstream commit 42c972a1f390e3bc51ca1e434b7e28764992067f ]

The National Instruments USB Host-to-Host Cable is based on the Prolific
PL-25A1 chipset.  Add its VID/PID so the plusb driver will recognize it.

Signed-off-by: Ben Shelton <ben.shelton@ni.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/plusb.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/usb/plusb.c
+++ b/drivers/net/usb/plusb.c
@@ -134,6 +134,11 @@ static const struct usb_device_id	produc
 }, {
 	USB_DEVICE(0x050d, 0x258a),     /* Belkin F5U258/F5U279 (PL-25A1) */
 	.driver_info =  (unsigned long) &prolific_info,
+}, {
+	USB_DEVICE(0x3923, 0x7825),     /* National Instruments USB
+					 * Host-to-Host Cable
+					 */
+	.driver_info =  (unsigned long) &prolific_info,
 },
 
 	{ },		// END



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 15/96] udp: only allow UFO for packets from SOCK_DGRAM sockets
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 14/96] usb: plusb: Add support for National Instruments host-to-host cable Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 16/96] net: ping: Return EAFNOSUPPORT when appropriate Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michal Kubecek, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek@suse.cz>

[ Upstream commit acf8dd0a9d0b9e4cdb597c2f74802f79c699e802 ]

If an over-MTU UDP datagram is sent through a SOCK_RAW socket to a
UFO-capable device, ip_ufo_append_data() sets skb->ip_summed to
CHECKSUM_PARTIAL unconditionally as all GSO code assumes transport layer
checksum is to be computed on segmentation. However, in this case,
skb->csum_start and skb->csum_offset are never set as raw socket
transmit path bypasses udp_send_skb() where they are usually set. As a
result, driver may access invalid memory when trying to calculate the
checksum and store the result (as observed in virtio_net driver).

Moreover, the very idea of modifying the userspace provided UDP header
is IMHO against raw socket semantics (I wasn't able to find a document
clearly stating this or the opposite, though). And while allowing
CHECKSUM_NONE in the UFO case would be more efficient, it would be a bit
too intrusive change just to handle a corner case like this. Therefore
disallowing UFO for packets from SOCK_DGRAM seems to be the best option.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_output.c  |    3 ++-
 net/ipv6/ip6_output.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -843,7 +843,8 @@ static int __ip_append_data(struct sock
 	cork->length += length;
 	if (((length > mtu) || (skb && skb_is_gso(skb))) &&
 	    (sk->sk_protocol == IPPROTO_UDP) &&
-	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
+	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+	    (sk->sk_type == SOCK_DGRAM)) {
 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
 					 hh_len, fragheaderlen, transhdrlen,
 					 maxfraglen, flags);
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1294,7 +1294,8 @@ emsgsize:
 	if (((length > mtu) ||
 	     (skb && skb_is_gso(skb))) &&
 	    (sk->sk_protocol == IPPROTO_UDP) &&
-	    (rt->dst.dev->features & NETIF_F_UFO)) {
+	    (rt->dst.dev->features & NETIF_F_UFO) &&
+	    (sk->sk_type == SOCK_DGRAM)) {
 		err = ip6_ufo_append_data(sk, getfrag, from, length,
 					  hh_len, fragheaderlen,
 					  transhdrlen, mtu, flags, rt);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 16/96] net: ping: Return EAFNOSUPPORT when appropriate.
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 15/96] udp: only allow UFO for packets from SOCK_DGRAM sockets Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 17/96] team: dont traverse port list using rcu in team_set_mac_address Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lorenzo Colitti, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Colitti <lorenzo@google.com>

[ Upstream commit 9145736d4862145684009d6a72a6e61324a9439e ]

1. For an IPv4 ping socket, ping_check_bind_addr does not check
   the family of the socket address that's passed in. Instead,
   make it behave like inet_bind, which enforces either that the
   address family is AF_INET, or that the family is AF_UNSPEC and
   the address is 0.0.0.0.
2. For an IPv6 ping socket, ping_check_bind_addr returns EINVAL
   if the socket family is not AF_INET6. Return EAFNOSUPPORT
   instead, for consistency with inet6_bind.
3. Make ping_v4_sendmsg and ping_v6_sendmsg return EAFNOSUPPORT
   instead of EINVAL if an incorrect socket address structure is
   passed in.
4. Make IPv6 ping sockets be IPv6-only. The code does not support
   IPv4, and it cannot easily be made to support IPv4 because
   the protocol numbers for ICMP and ICMPv6 are different. This
   makes connect(::ffff:192.0.2.1) fail with EAFNOSUPPORT instead
   of making the socket unusable.

Among other things, this fixes an oops that can be triggered by:

    int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    struct sockaddr_in6 sin6 = {
        .sin6_family = AF_INET6,
        .sin6_addr = in6addr_any,
    };
    bind(s, (struct sockaddr *) &sin6, sizeof(sin6));

Change-Id: If06ca86d9f1e4593c0d6df174caca3487c57a241
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ping.c |   13 +++++++++++--
 net/ipv6/ping.c |    5 +++--
 2 files changed, 14 insertions(+), 4 deletions(-)

--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -259,6 +259,10 @@ int ping_init_sock(struct sock *sk)
 	kgid_t low, high;
 	int ret = 0;
 
+#if IS_ENABLED(CONFIG_IPV6)
+	if (sk->sk_family == AF_INET6)
+		inet6_sk(sk)->ipv6only = 1;
+#endif
 	inet_get_ping_group_range_net(net, &low, &high);
 	if (gid_lte(low, group) && gid_lte(group, high))
 		return 0;
@@ -305,6 +309,11 @@ static int ping_check_bind_addr(struct s
 		if (addr_len < sizeof(*addr))
 			return -EINVAL;
 
+		if (addr->sin_family != AF_INET &&
+		    !(addr->sin_family == AF_UNSPEC &&
+		      addr->sin_addr.s_addr == htonl(INADDR_ANY)))
+			return -EAFNOSUPPORT;
+
 		pr_debug("ping_check_bind_addr(sk=%p,addr=%pI4,port=%d)\n",
 			 sk, &addr->sin_addr.s_addr, ntohs(addr->sin_port));
 
@@ -330,7 +339,7 @@ static int ping_check_bind_addr(struct s
 			return -EINVAL;
 
 		if (addr->sin6_family != AF_INET6)
-			return -EINVAL;
+			return -EAFNOSUPPORT;
 
 		pr_debug("ping_check_bind_addr(sk=%p,addr=%pI6c,port=%d)\n",
 			 sk, addr->sin6_addr.s6_addr, ntohs(addr->sin6_port));
@@ -716,7 +725,7 @@ static int ping_v4_sendmsg(struct kiocb
 		if (msg->msg_namelen < sizeof(*usin))
 			return -EINVAL;
 		if (usin->sin_family != AF_INET)
-			return -EINVAL;
+			return -EAFNOSUPPORT;
 		daddr = usin->sin_addr.s_addr;
 		/* no remote port */
 	} else {
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -103,9 +103,10 @@ int ping_v6_sendmsg(struct kiocb *iocb,
 
 	if (msg->msg_name) {
 		DECLARE_SOCKADDR(struct sockaddr_in6 *, u, msg->msg_name);
-		if (msg->msg_namelen < sizeof(struct sockaddr_in6) ||
-		    u->sin6_family != AF_INET6) {
+		if (msg->msg_namelen < sizeof(*u))
 			return -EINVAL;
+		if (u->sin6_family != AF_INET6) {
+			return -EAFNOSUPPORT;
 		}
 		if (sk->sk_bound_dev_if &&
 		    sk->sk_bound_dev_if != u->sin6_scope_id) {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 17/96] team: dont traverse port list using rcu in team_set_mac_address
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 16/96] net: ping: Return EAFNOSUPPORT when appropriate Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 18/96] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Pirko, David S. Miller

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Pirko <jiri@resnulli.us>

[ Upstream commit 9215f437b85da339a7dfe3db6e288637406f88b2 ]

Currently the list is traversed using rcu variant. That is not correct
since dev_set_mac_address can be called which eventually calls
rtmsg_ifinfo_build_skb and there, skb allocation can sleep. So fix this
by remove the rcu usage here.

Fixes: 3d249d4ca7 "net: introduce ethernet teaming device"
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/team/team.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1723,11 +1723,11 @@ static int team_set_mac_address(struct n
 	if (dev->type == ARPHRD_ETHER && !is_valid_ether_addr(addr->sa_data))
 		return -EADDRNOTAVAIL;
 	memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
-	rcu_read_lock();
-	list_for_each_entry_rcu(port, &team->port_list, list)
+	mutex_lock(&team->lock);
+	list_for_each_entry(port, &team->port_list, list)
 		if (team->ops.port_change_dev_addr)
 			team->ops.port_change_dev_addr(team, port);
-	rcu_read_unlock();
+	mutex_unlock(&team->lock);
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 18/96] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 17/96] team: dont traverse port list using rcu in team_set_mac_address Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 19/96] mm/hugetlb: add migration entry check in __unmap_hugepage_range Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Hugh Dickins,
	James Hogan, David Rientjes, Mel Gorman, Johannes Weiner,
	Michal Hocko, Rik van Riel, Andrea Arcangeli, Luiz Capitulino,
	Nishanth Aravamudan, Lee Schermerhorn, Steve Capper,
	Andrew Morton, Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit a8bda28d87c38c6aa93de28ba5d30cc18e865a11 upstream.

There is a race condition between hugepage migration and
change_protection(), where hugetlb_change_protection() doesn't care about
migration entries and wrongly overwrites them.  That causes unexpected
results like kernel crash.  HWPoison entries also can cause the same
problem.

This patch adds is_hugetlb_entry_(migration|hwpoisoned) check in this
function to do proper actions.

Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/hugetlb.c |   21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3163,7 +3163,26 @@ unsigned long hugetlb_change_protection(
 			spin_unlock(ptl);
 			continue;
 		}
-		if (!huge_pte_none(huge_ptep_get(ptep))) {
+		pte = huge_ptep_get(ptep);
+		if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) {
+			spin_unlock(ptl);
+			continue;
+		}
+		if (unlikely(is_hugetlb_entry_migration(pte))) {
+			swp_entry_t entry = pte_to_swp_entry(pte);
+
+			if (is_write_migration_entry(entry)) {
+				pte_t newpte;
+
+				make_migration_entry_read(&entry);
+				newpte = swp_entry_to_pte(entry);
+				set_huge_pte_at(mm, address, ptep, newpte);
+				pages++;
+			}
+			spin_unlock(ptl);
+			continue;
+		}
+		if (!huge_pte_none(pte)) {
 			pte = huge_ptep_get_and_clear(mm, address, ptep);
 			pte = pte_mkhuge(huge_pte_modify(pte, newprot));
 			pte = arch_make_huge_pte(pte, vma, NULL, 0);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 19/96] mm/hugetlb: add migration entry check in __unmap_hugepage_range
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 18/96] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 20/96] mm: when stealing freepages, also take pages created by splitting buddy page Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naoya Horiguchi, Hugh Dickins,
	James Hogan, David Rientjes, Mel Gorman, Johannes Weiner,
	Michal Hocko, Rik van Riel, Andrea Arcangeli, Luiz Capitulino,
	Nishanth Aravamudan, Lee Schermerhorn, Steve Capper,
	Andrew Morton, Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

commit 9fbc1f635fd0bd28cb32550211bf095753ac637a upstream.

If __unmap_hugepage_range() tries to unmap the address range over which
hugepage migration is on the way, we get the wrong page because pte_page()
doesn't work for migration entries.  This patch simply clears the pte for
migration entries as we do for hwpoison entries.

Fixes: 290408d4a2 ("hugetlb: hugepage migration core")
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Rik van Riel <riel@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Steve Capper <steve.capper@linaro.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/hugetlb.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2488,9 +2488,10 @@ again:
 			goto unlock;
 
 		/*
-		 * HWPoisoned hugepage is already unmapped and dropped reference
+		 * Migrating hugepage or HWPoisoned hugepage is already
+		 * unmapped and its refcount is dropped, so just clear pte here.
 		 */
-		if (unlikely(is_hugetlb_entry_hwpoisoned(pte))) {
+		if (unlikely(!pte_present(pte))) {
 			huge_pte_clear(mm, address, ptep);
 			goto unlock;
 		}



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 20/96] mm: when stealing freepages, also take pages created by splitting buddy page
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 19/96] mm/hugetlb: add migration entry check in __unmap_hugepage_range Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 21/96] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vlastimil Babka, Mel Gorman,
	Zhang Yanfei, Minchan Kim, David Rientjes, Rik van Riel,
	Aneesh Kumar K.V, Kirill A. Shutemov, Johannes Weiner,
	Joonsoo Kim, Michal Hocko, KOSAKI Motohiro, Andrew Morton,
	Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit 99592d598eca62bdbbf62b59941c189176dfc614 upstream.

When studying page stealing, I noticed some weird looking decisions in
try_to_steal_freepages().  The first I assume is a bug (Patch 1), the
following two patches were driven by evaluation.

Testing was done with stress-highalloc of mmtests, using the
mm_page_alloc_extfrag tracepoint and postprocessing to get counts of how
often page stealing occurs for individual migratetypes, and what
migratetypes are used for fallbacks.  Arguably, the worst case of page
stealing is when UNMOVABLE allocation steals from MOVABLE pageblock.
RECLAIMABLE allocation stealing from MOVABLE allocation is also not ideal,
so the goal is to minimize these two cases.

The evaluation of v2 wasn't always clear win and Joonsoo questioned the
results.  Here I used different baseline which includes RFC compaction
improvements from [1].  I found that the compaction improvements reduce
variability of stress-highalloc, so there's less noise in the data.

First, let's look at stress-highalloc configured to do sync compaction,
and how these patches reduce page stealing events during the test.  First
column is after fresh reboot, other two are reiterations of test without
reboot.  That was all accumulater over 5 re-iterations (so the benchmark
was run 5x3 times with 5 fresh restarts).

Baseline:

                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  5-nothp-1       5-nothp-2       5-nothp-3
Page alloc extfrag event                               10264225     8702233    10244125
Extfrag fragmenting                                    10263271     8701552    10243473
Extfrag fragmenting for unmovable                         13595       17616       15960
Extfrag fragmenting unmovable placed with movable          7989       12193        8447
Extfrag fragmenting for reclaimable                         658        1840        1817
Extfrag fragmenting reclaimable placed with movable         558        1677        1679
Extfrag fragmenting for movable                        10249018     8682096    10225696

With Patch 1:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  6-nothp-1       6-nothp-2       6-nothp-3
Page alloc extfrag event                               11834954     9877523     9774860
Extfrag fragmenting                                    11833993     9876880     9774245
Extfrag fragmenting for unmovable                          7342       16129       11712
Extfrag fragmenting unmovable placed with movable          4191       10547        6270
Extfrag fragmenting for reclaimable                         373        1130         923
Extfrag fragmenting reclaimable placed with movable         302         906         738
Extfrag fragmenting for movable                        11826278     9859621     9761610

With Patch 2:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  7-nothp-1       7-nothp-2       7-nothp-3
Page alloc extfrag event                                4725990     3668793     3807436
Extfrag fragmenting                                     4725104     3668252     3806898
Extfrag fragmenting for unmovable                          6678        7974        7281
Extfrag fragmenting unmovable placed with movable          2051        3829        4017
Extfrag fragmenting for reclaimable                         429        1208        1278
Extfrag fragmenting reclaimable placed with movable         369         976        1034
Extfrag fragmenting for movable                         4717997     3659070     3798339

With Patch 3:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                  8-nothp-1       8-nothp-2       8-nothp-3
Page alloc extfrag event                                5016183     4700142     3850633
Extfrag fragmenting                                     5015325     4699613     3850072
Extfrag fragmenting for unmovable                          1312        3154        3088
Extfrag fragmenting unmovable placed with movable          1115        2777        2714
Extfrag fragmenting for reclaimable                         437        1193        1097
Extfrag fragmenting reclaimable placed with movable         330         969         879
Extfrag fragmenting for movable                         5013576     4695266     3845887

In v2 we've seen apparent regression with Patch 1 for unmovable events,
this is now gone, suggesting it was indeed noise.  Here, each patch
improves the situation for unmovable events.  Reclaimable is improved by
patch 1 and then either the same modulo noise, or perhaps sligtly worse -
a small price for unmovable improvements, IMHO.  The number of movable
allocations falling back to other migratetypes is most noisy, but it's
reduced to half at Patch 2 nevertheless.  These are least critical as
compaction can move them around.

If we look at success rates, the patches don't affect them, that didn't change.

Baseline:
                             3.19-rc4              3.19-rc4              3.19-rc4
                            5-nothp-1             5-nothp-2             5-nothp-3
Success 1 Min         49.00 (  0.00%)       42.00 ( 14.29%)       41.00 ( 16.33%)
Success 1 Mean        51.00 (  0.00%)       45.00 ( 11.76%)       42.60 ( 16.47%)
Success 1 Max         55.00 (  0.00%)       51.00 (  7.27%)       46.00 ( 16.36%)
Success 2 Min         53.00 (  0.00%)       47.00 ( 11.32%)       44.00 ( 16.98%)
Success 2 Mean        59.60 (  0.00%)       50.80 ( 14.77%)       48.20 ( 19.13%)
Success 2 Max         64.00 (  0.00%)       56.00 ( 12.50%)       52.00 ( 18.75%)
Success 3 Min         84.00 (  0.00%)       82.00 (  2.38%)       78.00 (  7.14%)
Success 3 Mean        85.60 (  0.00%)       82.80 (  3.27%)       79.40 (  7.24%)
Success 3 Max         86.00 (  0.00%)       83.00 (  3.49%)       80.00 (  6.98%)

Patch 1:
                             3.19-rc4              3.19-rc4              3.19-rc4
                            6-nothp-1             6-nothp-2             6-nothp-3
Success 1 Min         49.00 (  0.00%)       44.00 ( 10.20%)       44.00 ( 10.20%)
Success 1 Mean        51.80 (  0.00%)       46.00 ( 11.20%)       45.80 ( 11.58%)
Success 1 Max         54.00 (  0.00%)       49.00 (  9.26%)       49.00 (  9.26%)
Success 2 Min         58.00 (  0.00%)       49.00 ( 15.52%)       48.00 ( 17.24%)
Success 2 Mean        60.40 (  0.00%)       51.80 ( 14.24%)       50.80 ( 15.89%)
Success 2 Max         63.00 (  0.00%)       54.00 ( 14.29%)       55.00 ( 12.70%)
Success 3 Min         84.00 (  0.00%)       81.00 (  3.57%)       79.00 (  5.95%)
Success 3 Mean        85.00 (  0.00%)       81.60 (  4.00%)       79.80 (  6.12%)
Success 3 Max         86.00 (  0.00%)       82.00 (  4.65%)       82.00 (  4.65%)

Patch 2:

                             3.19-rc4              3.19-rc4              3.19-rc4
                            7-nothp-1             7-nothp-2             7-nothp-3
Success 1 Min         50.00 (  0.00%)       44.00 ( 12.00%)       39.00 ( 22.00%)
Success 1 Mean        52.80 (  0.00%)       45.60 ( 13.64%)       42.40 ( 19.70%)
Success 1 Max         55.00 (  0.00%)       46.00 ( 16.36%)       47.00 ( 14.55%)
Success 2 Min         52.00 (  0.00%)       48.00 (  7.69%)       45.00 ( 13.46%)
Success 2 Mean        53.40 (  0.00%)       49.80 (  6.74%)       48.80 (  8.61%)
Success 2 Max         57.00 (  0.00%)       52.00 (  8.77%)       52.00 (  8.77%)
Success 3 Min         84.00 (  0.00%)       81.00 (  3.57%)       79.00 (  5.95%)
Success 3 Mean        85.00 (  0.00%)       82.40 (  3.06%)       79.60 (  6.35%)
Success 3 Max         86.00 (  0.00%)       83.00 (  3.49%)       80.00 (  6.98%)

Patch 3:
                             3.19-rc4              3.19-rc4              3.19-rc4
                            8-nothp-1             8-nothp-2             8-nothp-3
Success 1 Min         46.00 (  0.00%)       44.00 (  4.35%)       42.00 (  8.70%)
Success 1 Mean        50.20 (  0.00%)       45.60 (  9.16%)       44.00 ( 12.35%)
Success 1 Max         52.00 (  0.00%)       47.00 (  9.62%)       47.00 (  9.62%)
Success 2 Min         53.00 (  0.00%)       49.00 (  7.55%)       48.00 (  9.43%)
Success 2 Mean        55.80 (  0.00%)       50.60 (  9.32%)       49.00 ( 12.19%)
Success 2 Max         59.00 (  0.00%)       52.00 ( 11.86%)       51.00 ( 13.56%)
Success 3 Min         84.00 (  0.00%)       80.00 (  4.76%)       79.00 (  5.95%)
Success 3 Mean        85.40 (  0.00%)       81.60 (  4.45%)       80.40 (  5.85%)
Success 3 Max         87.00 (  0.00%)       83.00 (  4.60%)       82.00 (  5.75%)

While there's no improvement here, I consider reduced fragmentation events
to be worth on its own.  Patch 2 also seems to reduce scanning for free
pages, and migrations in compaction, suggesting it has somewhat less work
to do:

Patch 1:

Compaction stalls                 4153        3959        3978
Compaction success                1523        1441        1446
Compaction failures               2630        2517        2531
Page migrate success           4600827     4943120     5104348
Page migrate failure             19763       16656       17806
Compaction pages isolated      9597640    10305617    10653541
Compaction migrate scanned    77828948    86533283    87137064
Compaction free scanned      517758295   521312840   521462251
Compaction cost                   5503        5932        6110

Patch 2:

Compaction stalls                 3800        3450        3518
Compaction success                1421        1316        1317
Compaction failures               2379        2134        2201
Page migrate success           4160421     4502708     4752148
Page migrate failure             19705       14340       14911
Compaction pages isolated      8731983     9382374     9910043
Compaction migrate scanned    98362797    96349194    98609686
Compaction free scanned      496512560   469502017   480442545
Compaction cost                   5173        5526        5811

As with v2, /proc/pagetypeinfo appears unaffected with respect to numbers
of unmovable and reclaimable pageblocks.

Configuring the benchmark to allocate like THP page fault (i.e.  no sync
compaction) gives much noisier results for iterations 2 and 3 after
reboot.  This is not so surprising given how [1] offers lower improvements
in this scenario due to less restarts after deferred compaction which
would change compaction pivot.

Baseline:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    5-thp-1         5-thp-2         5-thp-3
Page alloc extfrag event                                8148965     6227815     6646741
Extfrag fragmenting                                     8147872     6227130     6646117
Extfrag fragmenting for unmovable                         10324       12942       15975
Extfrag fragmenting unmovable placed with movable          5972        8495       10907
Extfrag fragmenting for reclaimable                         601        1707        2210
Extfrag fragmenting reclaimable placed with movable         520        1570        2000
Extfrag fragmenting for movable                         8136947     6212481     6627932

Patch 1:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    6-thp-1         6-thp-2         6-thp-3
Page alloc extfrag event                                8345457     7574471     7020419
Extfrag fragmenting                                     8343546     7573777     7019718
Extfrag fragmenting for unmovable                         10256       18535       30716
Extfrag fragmenting unmovable placed with movable          6893       11726       22181
Extfrag fragmenting for reclaimable                         465        1208        1023
Extfrag fragmenting reclaimable placed with movable         353         996         843
Extfrag fragmenting for movable                         8332825     7554034     6987979

Patch 2:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    7-thp-1         7-thp-2         7-thp-3
Page alloc extfrag event                                3512847     3020756     2891625
Extfrag fragmenting                                     3511940     3020185     2891059
Extfrag fragmenting for unmovable                          9017        6892        6191
Extfrag fragmenting unmovable placed with movable          1524        3053        2435
Extfrag fragmenting for reclaimable                         445        1081        1160
Extfrag fragmenting reclaimable placed with movable         375         918         986
Extfrag fragmenting for movable                         3502478     3012212     2883708

Patch 3:
                                                   3.19-rc4        3.19-rc4        3.19-rc4
                                                    8-thp-1         8-thp-2         8-thp-3
Page alloc extfrag event                                3181699     3082881     2674164
Extfrag fragmenting                                     3180812     3082303     2673611
Extfrag fragmenting for unmovable                          1201        4031        4040
Extfrag fragmenting unmovable placed with movable           974        3611        3645
Extfrag fragmenting for reclaimable                         478        1165        1294
Extfrag fragmenting reclaimable placed with movable         387         985        1030
Extfrag fragmenting for movable                         3179133     3077107     2668277

The improvements for first iteration are clear, the rest is much noisier
and can appear like regression for Patch 1.  Anyway, patch 2 rectifies it.

Allocation success rates are again unaffected so there's no point in
making this e-mail any longer.

[1] http://marc.info/?l=linux-mm&m=142166196321125&w=2

This patch (of 3):

When __rmqueue_fallback() is called to allocate a page of order X, it will
find a page of order Y >= X of a fallback migratetype, which is different
from the desired migratetype.  With the help of try_to_steal_freepages(),
it may change the migratetype (to the desired one) also of:

1) all currently free pages in the pageblock containing the fallback page
2) the fallback pageblock itself
3) buddy pages created by splitting the fallback page (when Y > X)

These decisions take the order Y into account, as well as the desired
migratetype, with the goal of preventing multiple fallback allocations
that could e.g.  distribute UNMOVABLE allocations among multiple
pageblocks.

Originally, decision for 1) has implied the decision for 3).  Commit
47118af076f6 ("mm: mmzone: MIGRATE_CMA migration type added") changed that
(probably unintentionally) so that the buddy pages in case 3) are always
changed to the desired migratetype, except for CMA pageblocks.

Commit fef903efcf0c ("mm/page_allo.c: restructure free-page stealing code
and fix a bug") did some refactoring and added a comment that the case of
3) is intended.  Commit 0cbef29a7821 ("mm: __rmqueue_fallback() should
respect pageblock type") removed the comment and tried to restore the
original behavior where 1) implies 3), but due to the previous
refactoring, the result is instead that only 2) implies 3) - and the
conditions for 2) are less frequently met than conditions for 1).  This
may increase fragmentation in situations where the code decides to steal
all free pages from the pageblock (case 1)), but then gives back the buddy
pages produced by splitting.

This patch restores the original intended logic where 1) implies 3).
During testing with stress-highalloc from mmtests, this has shown to
decrease the number of events where UNMOVABLE and RECLAIMABLE allocations
steal from MOVABLE pageblocks, which can lead to permanent fragmentation.
In some cases it has increased the number of events when MOVABLE
allocations steal from UNMOVABLE or RECLAIMABLE pageblocks, but these are
fixable by sync compaction and thus less harmful.

Note that evaluation has shown that the behavior introduced by
47118af076f6 for buddy pages in case 3) is actually even better than the
original logic, so the following patch will introduce it properly once
again.  For stable backports of this patch it makes thus sense to only fix
versions containing 0cbef29a7821.

[iamjoonsoo.kim@lge.com: tracepoint fix]
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Mel Gorman <mgorman@suse.de>
Cc: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/trace/events/kmem.h |    7 ++++---
 mm/page_alloc.c             |   12 +++++-------
 2 files changed, 9 insertions(+), 10 deletions(-)

--- a/include/trace/events/kmem.h
+++ b/include/trace/events/kmem.h
@@ -268,11 +268,11 @@ TRACE_EVENT(mm_page_alloc_extfrag,
 
 	TP_PROTO(struct page *page,
 		int alloc_order, int fallback_order,
-		int alloc_migratetype, int fallback_migratetype, int new_migratetype),
+		int alloc_migratetype, int fallback_migratetype),
 
 	TP_ARGS(page,
 		alloc_order, fallback_order,
-		alloc_migratetype, fallback_migratetype, new_migratetype),
+		alloc_migratetype, fallback_migratetype),
 
 	TP_STRUCT__entry(
 		__field(	struct page *,	page			)
@@ -289,7 +289,8 @@ TRACE_EVENT(mm_page_alloc_extfrag,
 		__entry->fallback_order		= fallback_order;
 		__entry->alloc_migratetype	= alloc_migratetype;
 		__entry->fallback_migratetype	= fallback_migratetype;
-		__entry->change_ownership	= (new_migratetype == alloc_migratetype);
+		__entry->change_ownership	= (alloc_migratetype ==
+					get_pageblock_migratetype(page));
 	),
 
 	TP_printk("page=%p pfn=%lu alloc_order=%d fallback_order=%d pageblock_order=%d alloc_migratetype=%d fallback_migratetype=%d fragmenting=%d change_ownership=%d",
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1081,8 +1081,8 @@ static void change_pageblock_range(struc
  * nor move CMA pages to different free lists. We don't want unmovable pages
  * to be allocated from MIGRATE_CMA areas.
  *
- * Returns the new migratetype of the pageblock (or the same old migratetype
- * if it was unchanged).
+ * Returns the allocation migratetype if free pages were stolen, or the
+ * fallback migratetype if it was decided not to steal.
  */
 static int try_to_steal_freepages(struct zone *zone, struct page *page,
 				  int start_type, int fallback_type)
@@ -1113,12 +1113,10 @@ static int try_to_steal_freepages(struct
 
 		/* Claim the whole block if over half of it is free */
 		if (pages >= (1 << (pageblock_order-1)) ||
-				page_group_by_mobility_disabled) {
-
+				page_group_by_mobility_disabled)
 			set_pageblock_migratetype(page, start_type);
-			return start_type;
-		}
 
+		return start_type;
 	}
 
 	return fallback_type;
@@ -1170,7 +1168,7 @@ __rmqueue_fallback(struct zone *zone, un
 			set_freepage_migratetype(page, new_type);
 
 			trace_mm_page_alloc_extfrag(page, order, current_order,
-				start_migratetype, migratetype, new_type);
+				start_migratetype, migratetype);
 
 			return page;
 		}



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 21/96] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 20/96] mm: when stealing freepages, also take pages created by splitting buddy page Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 22/96] mm/nommu.c: " Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Gushchin, Andrew Shewmaker,
	Rik van Riel, Konstantin Khlebnikov, Michal Hocko, Andrew Morton,
	Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roman Gushchin <klamm@yandex-team.ru>

commit 5703b087dc8eaf47bfb399d6cf512d471beff405 upstream.

I noticed, that "allowed" can easily overflow by falling below 0,
because (total_vm / 32) can be larger than "allowed".  The problem
occurs in OVERCOMMIT_NONE mode.

In this case, a huge allocation can success and overcommit the system
(despite OVERCOMMIT_NONE mode).  All subsequent allocations will fall
(system-wide), so system become unusable.

The problem was masked out by commit c9b1d0981fcc
("mm: limit growth of 3% hardcoded other user reserve"),
but it's easy to reproduce it on older kernels:
1) set overcommit_memory sysctl to 2
2) mmap() large file multiple times (with VM_SHARED flag)
3) try to malloc() large amount of memory

It also can be reproduced on newer kernels, but miss-configured
sysctl_user_reserve_kbytes is required.

Fix this issue by switching to signed arithmetic here.

[akpm@linux-foundation.org: use min_t]
Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Cc: Andrew Shewmaker <agshew@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/mmap.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -129,7 +129,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed);
  */
 int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
 {
-	unsigned long free, allowed, reserve;
+	long free, allowed, reserve;
 
 	vm_acct_memory(pages);
 
@@ -193,7 +193,7 @@ int __vm_enough_memory(struct mm_struct
 	 */
 	if (mm) {
 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
-		allowed -= min(mm->total_vm / 32, reserve);
+		allowed -= min_t(long, mm->total_vm / 32, reserve);
 	}
 
 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 22/96] mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 21/96] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 23/96] mm/compaction: fix wrong order check in compact_finished() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Gushchin, Andrew Shewmaker,
	Rik van Riel, Konstantin Khlebnikov, Andrew Morton,
	Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roman Gushchin <klamm@yandex-team.ru>

commit 8138a67a5557ffea3a21dfd6f037842d4e748513 upstream.

I noticed that "allowed" can easily overflow by falling below 0, because
(total_vm / 32) can be larger than "allowed".  The problem occurs in
OVERCOMMIT_NONE mode.

In this case, a huge allocation can success and overcommit the system
(despite OVERCOMMIT_NONE mode).  All subsequent allocations will fall
(system-wide), so system become unusable.

The problem was masked out by commit c9b1d0981fcc
("mm: limit growth of 3% hardcoded other user reserve"),
but it's easy to reproduce it on older kernels:
1) set overcommit_memory sysctl to 2
2) mmap() large file multiple times (with VM_SHARED flag)
3) try to malloc() large amount of memory

It also can be reproduced on newer kernels, but miss-configured
sysctl_user_reserve_kbytes is required.

Fix this issue by switching to signed arithmetic here.

Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
Cc: Andrew Shewmaker <agshew@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/nommu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -1905,7 +1905,7 @@ EXPORT_SYMBOL(unmap_mapping_range);
  */
 int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
 {
-	unsigned long free, allowed, reserve;
+	long free, allowed, reserve;
 
 	vm_acct_memory(pages);
 
@@ -1969,7 +1969,7 @@ int __vm_enough_memory(struct mm_struct
 	 */
 	if (mm) {
 		reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
-		allowed -= min(mm->total_vm / 32, reserve);
+		allowed -= min_t(long, mm->total_vm / 32, reserve);
 	}
 
 	if (percpu_counter_read_positive(&vm_committed_as) < allowed)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 23/96] mm/compaction: fix wrong order check in compact_finished()
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 22/96] mm/nommu.c: " Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 24/96] mm/memory.c: actually remap enough memory Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joonsoo Kim, Vlastimil Babka,
	Zhang Yanfei, Mel Gorman, David Rientjes, Rik van Riel,
	Andrew Morton, Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joonsoo Kim <iamjoonsoo.kim@lge.com>

commit 372549c2a3778fd3df445819811c944ad54609ca upstream.

What we want to check here is whether there is highorder freepage in buddy
list of other migratetype in order to steal it without fragmentation.
But, current code just checks cc->order which means allocation request
order.  So, this is wrong.

Without this fix, non-movable synchronous compaction below pageblock order
would not stopped until compaction is complete, because migratetype of
most pageblocks are movable and high order freepage made by compaction is
usually on movable type buddy list.

There is some report related to this bug. See below link.

  http://www.spinics.net/lists/linux-mm/msg81666.html

Although the issued system still has load spike comes from compaction,
this makes that system completely stable and responsive according to his
report.

stress-highalloc test in mmtests with non movable order 7 allocation
doesn't show any notable difference in allocation success rate, but, it
shows more compaction success rate.

Compaction success rate (Compaction success * 100 / Compaction stalls, %)
18.47 : 28.94

Fixes: 1fb3f8ca0e92 ("mm: compaction: capture a suitable high-order page immediately when it is made available")
Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/compaction.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -937,7 +937,7 @@ static int compact_finished(struct zone
 			return COMPACT_PARTIAL;
 
 		/* Job done if allocation would set block type */
-		if (cc->order >= pageblock_order && area->nr_free)
+		if (order >= pageblock_order && area->nr_free)
 			return COMPACT_PARTIAL;
 	}
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 24/96] mm/memory.c: actually remap enough memory
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 23/96] mm/compaction: fix wrong order check in compact_finished() Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 27/96] drm/radeon: fix voltage setup on hawaii Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Grazvydas Ignotas, Rik van Riel,
	Andrew Morton, Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Grazvydas Ignotas <notasas@gmail.com>

commit 9cb12d7b4ccaa976f97ce0c5fd0f1b6a83bc2a75 upstream.

For whatever reason, generic_access_phys() only remaps one page, but
actually allows to access arbitrary size.  It's quite easy to trigger
large reads, like printing out large structure with gdb, which leads to a
crash.  Fix it by remapping correct size.

Fixes: 28b2ee20c7cb ("access_process_vm device memory infrastructure")
Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/memory.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -4024,7 +4024,7 @@ int generic_access_phys(struct vm_area_s
 	if (follow_phys(vma, addr, write, &prot, &phys_addr))
 		return -EINVAL;
 
-	maddr = ioremap_prot(phys_addr, PAGE_SIZE, prot);
+	maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot);
 	if (write)
 		memcpy_toio(maddr + offset, buf, len);
 	else



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 27/96] drm/radeon: fix voltage setup on hawaii
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 24/96] mm/memory.c: actually remap enough memory Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:08 ` [PATCH 3.14 28/96] target: Fix PR_APTPL_BUF_LEN buffer size limitation Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 09b6e85fc868568e1b2820235a2a851aecbccfcc upstream.

Missing parameter when fetching the real voltage values
from atom.  Fixes problems with dynamic clocking on
certain boards.

bug:
https://bugs.freedesktop.org/show_bug.cgi?id=87457

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_atombios.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -3272,6 +3272,7 @@ int radeon_atom_get_voltage_evv(struct r
 
 	args.in.ucVoltageType = VOLTAGE_TYPE_VDDC;
 	args.in.ucVoltageMode = ATOM_GET_VOLTAGE_EVV_VOLTAGE;
+	args.in.usVoltageLevel = cpu_to_le16(virtual_voltage_id);
 	args.in.ulSCLKFreq =
 		cpu_to_le32(rdev->pm.dpm.dyn_state.vddc_dependency_on_sclk.entries[entry_id].clk);
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 28/96] target: Fix PR_APTPL_BUF_LEN buffer size limitation
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 27/96] drm/radeon: fix voltage setup on hawaii Greg Kroah-Hartman
@ 2015-03-16 14:08 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 29/96] target: Add missing WRITE_SAME end-of-device sanity check Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:08 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Svec, Nicholas Bellinger

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit f161d4b44d7cc1dc66b53365215227db356378b1 upstream.

This patch addresses the original PR_APTPL_BUF_LEN = 8k limitiation
for write-out of PR APTPL metadata that Martin has recently been
running into.

It changes core_scsi3_update_and_write_aptpl() to use vzalloc'ed
memory instead of kzalloc, and increases the default hardcoded
length to 256k.

It also adds logic in core_scsi3_update_and_write_aptpl() to double
the original length upon core_scsi3_update_aptpl_buf() failure, and
retries until the vzalloc'ed buffer is large enough to accommodate
the outgoing APTPL metadata.

Reported-by: Martin Svec <martin.svec@zoner.cz>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_pr.c   |   25 +++++++++++++------------
 include/target/target_core_base.h |    2 +-
 2 files changed, 14 insertions(+), 13 deletions(-)

--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -1877,8 +1877,8 @@ static int core_scsi3_update_aptpl_buf(
 		}
 
 		if ((len + strlen(tmp) >= pr_aptpl_buf_len)) {
-			pr_err("Unable to update renaming"
-				" APTPL metadata\n");
+			pr_err("Unable to update renaming APTPL metadata,"
+			       " reallocating larger buffer\n");
 			ret = -EMSGSIZE;
 			goto out;
 		}
@@ -1895,8 +1895,8 @@ static int core_scsi3_update_aptpl_buf(
 			lun->lun_sep->sep_rtpi, lun->unpacked_lun, reg_count);
 
 		if ((len + strlen(tmp) >= pr_aptpl_buf_len)) {
-			pr_err("Unable to update renaming"
-				" APTPL metadata\n");
+			pr_err("Unable to update renaming APTPL metadata,"
+			       " reallocating larger buffer\n");
 			ret = -EMSGSIZE;
 			goto out;
 		}
@@ -1959,7 +1959,7 @@ static int __core_scsi3_write_aptpl_to_f
 static sense_reason_t core_scsi3_update_and_write_aptpl(struct se_device *dev, bool aptpl)
 {
 	unsigned char *buf;
-	int rc;
+	int rc, len = PR_APTPL_BUF_LEN;
 
 	if (!aptpl) {
 		char *null_buf = "No Registrations or Reservations\n";
@@ -1973,25 +1973,26 @@ static sense_reason_t core_scsi3_update_
 
 		return 0;
 	}
-
-	buf = kzalloc(PR_APTPL_BUF_LEN, GFP_KERNEL);
+retry:
+	buf = vzalloc(len);
 	if (!buf)
 		return TCM_OUT_OF_RESOURCES;
 
-	rc = core_scsi3_update_aptpl_buf(dev, buf, PR_APTPL_BUF_LEN);
+	rc = core_scsi3_update_aptpl_buf(dev, buf, len);
 	if (rc < 0) {
-		kfree(buf);
-		return TCM_OUT_OF_RESOURCES;
+		vfree(buf);
+		len *= 2;
+		goto retry;
 	}
 
 	rc = __core_scsi3_write_aptpl_to_file(dev, buf);
 	if (rc != 0) {
 		pr_err("SPC-3 PR: Could not update APTPL\n");
-		kfree(buf);
+		vfree(buf);
 		return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
 	}
 	dev->t10_pr.pr_aptpl_active = 1;
-	kfree(buf);
+	vfree(buf);
 	pr_debug("SPC-3 PR: Set APTPL Bit Activated\n");
 	return 0;
 }
--- a/include/target/target_core_base.h
+++ b/include/target/target_core_base.h
@@ -407,7 +407,7 @@ struct t10_reservation {
 	/* Activate Persistence across Target Power Loss enabled
 	 * for SCSI device */
 	int pr_aptpl_active;
-#define PR_APTPL_BUF_LEN			8192
+#define PR_APTPL_BUF_LEN			262144
 	u32 pr_generation;
 	spinlock_t registration_lock;
 	spinlock_t aptpl_reg_lock;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 29/96] target: Add missing WRITE_SAME end-of-device sanity check
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2015-03-16 14:08 ` [PATCH 3.14 28/96] target: Fix PR_APTPL_BUF_LEN buffer size limitation Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 30/96] target: Check for LBA + sectors wrap-around in sbc_parse_cdb Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Martin Petersen,
	Christoph Hellwig, Nicholas Bellinger

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit 8e575c50a171f2579e367a7f778f86477dfdaf49 upstream.

This patch adds a check to sbc_setup_write_same() to verify
the incoming WRITE_SAME LBA + number of blocks does not exceed
past the end-of-device.

Also check for potential LBA wrap-around as well.

Reported-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Martin Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_sbc.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -266,6 +266,8 @@ static inline unsigned long long transpo
 static sense_reason_t
 sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
 {
+	struct se_device *dev = cmd->se_dev;
+	sector_t end_lba = dev->transport->get_blocks(dev) + 1;
 	unsigned int sectors = sbc_get_write_same_sectors(cmd);
 
 	if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
@@ -279,6 +281,16 @@ sbc_setup_write_same(struct se_cmd *cmd,
 			sectors, cmd->se_dev->dev_attrib.max_write_same_len);
 		return TCM_INVALID_CDB_FIELD;
 	}
+	/*
+	 * Sanity check for LBA wrap and request past end of device.
+	 */
+	if (((cmd->t_task_lba + sectors) < cmd->t_task_lba) ||
+	    ((cmd->t_task_lba + sectors) > end_lba)) {
+		pr_err("WRITE_SAME exceeds last lba %llu (lba %llu, sectors %u)\n",
+		       (unsigned long long)end_lba, cmd->t_task_lba, sectors);
+		return TCM_ADDRESS_OUT_OF_RANGE;
+	}
+
 	/* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
 	if (flags[0] & 0x10) {
 		pr_warn("WRITE SAME with ANCHOR not supported\n");



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 30/96] target: Check for LBA + sectors wrap-around in sbc_parse_cdb
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 29/96] target: Add missing WRITE_SAME end-of-device sanity check Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 31/96] x86/asm/entry/64: Remove a bogus ret_from_fork optimization Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Petersen, Christoph Hellwig,
	Nicholas Bellinger

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <nab@linux-iscsi.org>

commit aa179935edea9a64dec4b757090c8106a3907ffa upstream.

This patch adds a check to sbc_parse_cdb() in order to detect when
an LBA + sector vs. end-of-device calculation wraps when the LBA is
sufficently large enough (eg: 0xFFFFFFFFFFFFFFFF).

Cc: Martin Petersen <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_sbc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/target/target_core_sbc.c
+++ b/drivers/target/target_core_sbc.c
@@ -923,7 +923,8 @@ sbc_parse_cdb(struct se_cmd *cmd, struct
 		unsigned long long end_lba;
 
 		end_lba = dev->transport->get_blocks(dev) + 1;
-		if (cmd->t_task_lba + sectors > end_lba) {
+		if (((cmd->t_task_lba + sectors) < cmd->t_task_lba) ||
+		    ((cmd->t_task_lba + sectors) > end_lba)) {
 			pr_err("cmd exceeds last lba %llu "
 				"(lba %llu, sectors %u)\n",
 				end_lba, cmd->t_task_lba, sectors);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 31/96] x86/asm/entry/64: Remove a bogus ret_from_fork optimization
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 30/96] target: Check for LBA + sectors wrap-around in sbc_parse_cdb Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 32/96] iio: mxs-lradc: fix iio channel map regression Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Borislav Petkov,
	Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Oleg Nesterov,
	Thomas Gleixner, Ingo Molnar

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@amacapital.net>

commit 956421fbb74c3a6261903f3836c0740187cf038b upstream.

'ret_from_fork' checks TIF_IA32 to determine whether 'pt_regs' and
the related state make sense for 'ret_from_sys_call'.  This is
entirely the wrong check.  TS_COMPAT would make a little more
sense, but there's really no point in keeping this optimization
at all.

This fixes a return to the wrong user CS if we came from int
0x80 in a 64-bit task.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/4710be56d76ef994ddf59087aad98c000fbab9a4.1424989793.git.luto@amacapital.net
[ Backported from tip:x86/asm. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/entry_64.S |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -542,11 +542,14 @@ ENTRY(ret_from_fork)
 	testl $3, CS-ARGOFFSET(%rsp)		# from kernel_thread?
 	jz   1f
 
-	testl $_TIF_IA32, TI_flags(%rcx)	# 32-bit compat task needs IRET
-	jnz  int_ret_from_sys_call
-
-	RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET
-	jmp ret_from_sys_call			# go to the SYSRET fastpath
+	/*
+	 * By the time we get here, we have no idea whether our pt_regs,
+	 * ti flags, and ti status came from the 64-bit SYSCALL fast path,
+	 * the slow path, or one of the ia32entry paths.
+	 * Use int_ret_from_sys_call to return, since it can safely handle
+	 * all of the above.
+	 */
+	jmp  int_ret_from_sys_call
 
 1:
 	subq $REST_SKIP, %rsp	# leave space for volatiles



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 32/96] iio: mxs-lradc: fix iio channel map regression
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 31/96] x86/asm/entry/64: Remove a bogus ret_from_fork optimization Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 33/96] iio: imu: adis16400: Fix sign extension Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Wahren, Alexandre Belloni,
	Marek Vasut, Jonathan Cameron

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Wahren <stefan.wahren@i2se.com>

commit 03305e535cd5cdc1079b32909bf4b2dd67d46f7f upstream.

Since commit c8231a9af8147f8a ("iio: mxs-lradc: compute temperature
from channel 8 and 9") with the removal of adc channel 9 there is
no 1-1 mapping in the channel spec.

All hwmon channel values above 9 are accessible via there index minus
one. So add a hidden iio channel 9 to fix this issue.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/iio/adc/mxs-lradc.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/staging/iio/adc/mxs-lradc.c
+++ b/drivers/staging/iio/adc/mxs-lradc.c
@@ -1412,6 +1412,13 @@ static const struct iio_chan_spec mxs_lr
 		.channel = 8,
 		.scan_type = {.sign = 'u', .realbits = 18, .storagebits = 32,},
 	},
+	/* Hidden channel to keep indexes */
+	{
+		.type = IIO_TEMP,
+		.indexed = 1,
+		.scan_index = -1,
+		.channel = 9,
+	},
 	MXS_ADC_CHAN(10, IIO_VOLTAGE),	/* VDDIO */
 	MXS_ADC_CHAN(11, IIO_VOLTAGE),	/* VTH */
 	MXS_ADC_CHAN(12, IIO_VOLTAGE),	/* VDDA */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 33/96] iio: imu: adis16400: Fix sign extension
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 32/96] iio: mxs-lradc: fix iio channel map regression Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 39/96] iio:adc:mcp3422 Fix incorrect scales table Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Lars-Peter Clausen,
	Jonathan Cameron

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit 19e353f2b344ad86cea6ebbc0002e5f903480a90 upstream.

The intention is obviously to sign-extend a 12 bit quantity. But
because of C's promotion rules, the assignment is equivalent to "val16
&= 0xfff;". Use the proper API for this.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/imu/adis16400_core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/imu/adis16400_core.c
+++ b/drivers/iio/imu/adis16400_core.c
@@ -26,6 +26,7 @@
 #include <linux/list.h>
 #include <linux/module.h>
 #include <linux/debugfs.h>
+#include <linux/bitops.h>
 
 #include <linux/iio/iio.h>
 #include <linux/iio/sysfs.h>
@@ -447,7 +448,7 @@ static int adis16400_read_raw(struct iio
 		mutex_unlock(&indio_dev->mlock);
 		if (ret)
 			return ret;
-		val16 = ((val16 & 0xFFF) << 4) >> 4;
+		val16 = sign_extend32(val16, 11);
 		*val = val16;
 		return IIO_VAL_INT;
 	case IIO_CHAN_INFO_OFFSET:



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 39/96] iio:adc:mcp3422 Fix incorrect scales table
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 33/96] iio: imu: adis16400: Fix sign extension Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 40/96] mei: make device disabled on stop unconditionally Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Angelo Compagnucci, Jonathan Cameron

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Angelo Compagnucci <angelo.compagnucci@gmail.com>

commit 9e128ced3851d2802b6db870f6b2e93f449ce013 upstream.

This patch fixes uncorrect order of mcp3422_scales table, the values
was erroneously transposed.
It removes also an unused array and a wrong comment.

Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/mcp3422.c |   17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

--- a/drivers/iio/adc/mcp3422.c
+++ b/drivers/iio/adc/mcp3422.c
@@ -57,20 +57,11 @@
 		.info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SAMP_FREQ), \
 	}
 
-/* LSB is in nV to eliminate floating point */
-static const u32 rates_to_lsb[] = {1000000, 250000, 62500, 15625};
-
-/*
- *  scales calculated as:
- *  rates_to_lsb[sample_rate] / (1 << pga);
- *  pga is 1 for 0, 2
- */
-
 static const int mcp3422_scales[4][4] = {
-	{ 1000000, 250000, 62500, 15625 },
-	{ 500000 , 125000, 31250, 7812 },
-	{ 250000 , 62500 , 15625, 3906 },
-	{ 125000 , 31250 , 7812 , 1953 } };
+	{ 1000000, 500000, 250000, 125000 },
+	{ 250000 , 125000, 62500 , 31250  },
+	{ 62500  , 31250 , 15625 , 7812   },
+	{ 15625  , 7812  , 3906  , 1953   } };
 
 /* Constant msleep times for data acquisitions */
 static const int mcp3422_read_times[4] = {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 40/96] mei: make device disabled on stop unconditionally
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 39/96] iio:adc:mcp3422 Fix incorrect scales table Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 41/96] btrfs: fix lost return value due to variable shadowing Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 6c15a8516b8118eb19a59fd0bd22df41b9101c32 upstream.

Set the internal device state to to disabled after hardware reset in stop flow.
This will cover cases when driver was not brought to disabled state because of
an error and in stop flow we wish not to retry the reset.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mei/init.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/misc/mei/init.c
+++ b/drivers/misc/mei/init.c
@@ -275,6 +275,8 @@ void mei_stop(struct mei_device *dev)
 
 	dev->dev_state = MEI_DEV_POWER_DOWN;
 	mei_reset(dev);
+	/* move device to disabled state unconditionally */
+	dev->dev_state = MEI_DEV_DISABLED;
 
 	mutex_unlock(&dev->device_lock);
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 41/96] btrfs: fix lost return value due to variable shadowing
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 40/96] mei: make device disabled on stop unconditionally Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 42/96] Btrfs: fix data loss in the fast fsync path Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Sterba, Chris Mason

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Sterba <dsterba@suse.cz>

commit 1932b7be973b554ffe20a5bba6ffaed6fa995cdc upstream.

A block-local variable stores error code but btrfs_get_blocks_direct may
not return it in the end as there's a ret defined in the function scope.

Fixes: d187663ef24c ("Btrfs: lock extents as we map them in DIO")
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |    1 -
 1 file changed, 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6870,7 +6870,6 @@ static int btrfs_get_blocks_direct(struc
 	    ((BTRFS_I(inode)->flags & BTRFS_INODE_NODATACOW) &&
 	     em->block_start != EXTENT_MAP_HOLE)) {
 		int type;
-		int ret;
 		u64 block_start, orig_start, orig_block_len, ram_bytes;
 
 		if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags))



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 42/96] Btrfs: fix data loss in the fast fsync path
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 41/96] btrfs: fix lost return value due to variable shadowing Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 43/96] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, Chris Mason

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Filipe Manana <fdmanana@suse.com>

commit 3a8b36f378060d20062a0918e99fae39ff077bf0 upstream.

When using the fast file fsync code path we can miss the fact that new
writes happened since the last file fsync and therefore return without
waiting for the IO to finish and write the new extents to the fsync log.

Here's an example scenario where the fsync will miss the fact that new
file data exists that wasn't yet durably persisted:

1. fs_info->last_trans_committed == N - 1 and current transaction is
   transaction N (fs_info->generation == N);

2. do a buffered write;

3. fsync our inode, this clears our inode's full sync flag, starts
   an ordered extent and waits for it to complete - when it completes
   at btrfs_finish_ordered_io(), the inode's last_trans is set to the
   value N (via btrfs_update_inode_fallback -> btrfs_update_inode ->
   btrfs_set_inode_last_trans);

4. transaction N is committed, so fs_info->last_trans_committed is now
   set to the value N and fs_info->generation remains with the value N;

5. do another buffered write, when this happens btrfs_file_write_iter
   sets our inode's last_trans to the value N + 1 (that is
   fs_info->generation + 1 == N + 1);

6. transaction N + 1 is started and fs_info->generation now has the
   value N + 1;

7. transaction N + 1 is committed, so fs_info->last_trans_committed
   is set to the value N + 1;

8. fsync our inode - because it doesn't have the full sync flag set,
   we only start the ordered extent, we don't wait for it to complete
   (only in a later phase) therefore its last_trans field has the
   value N + 1 set previously by btrfs_file_write_iter(), and so we
   have:

       inode->last_trans <= fs_info->last_trans_committed
           (N + 1)              (N + 1)

   Which made us not log the last buffered write and exit the fsync
   handler immediately, returning success (0) to user space and resulting
   in data loss after a crash.

This can actually be triggered deterministically and the following excerpt
from a testcase I made for xfstests triggers the issue. It moves a dummy
file across directories and then fsyncs the old parent directory - this
is just to trigger a transaction commit, so moving files around isn't
directly related to the issue but it was chosen because running 'sync' for
example does more than just committing the current transaction, as it
flushes/waits for all file data to be persisted. The issue can also happen
at random periods, since the transaction kthread periodicaly commits the
current transaction (about every 30 seconds by default).
The body of the test is:

  _scratch_mkfs >> $seqres.full 2>&1
  _init_flakey
  _mount_flakey

  # Create our main test file 'foo', the one we check for data loss.
  # By doing an fsync against our file, it makes btrfs clear the 'needs_full_sync'
  # bit from its flags (btrfs inode specific flags).
  $XFS_IO_PROG -f -c "pwrite -S 0xaa 0 8K" \
                  -c "fsync" $SCRATCH_MNT/foo | _filter_xfs_io

  # Now create one other file and 2 directories. We will move this second file
  # from one directory to the other later because it forces btrfs to commit its
  # currently open transaction if we fsync the old parent directory. This is
  # necessary to trigger the data loss bug that affected btrfs.
  mkdir $SCRATCH_MNT/testdir_1
  touch $SCRATCH_MNT/testdir_1/bar
  mkdir $SCRATCH_MNT/testdir_2

  # Make sure everything is durably persisted.
  sync

  # Write more 8Kb of data to our file.
  $XFS_IO_PROG -c "pwrite -S 0xbb 8K 8K" $SCRATCH_MNT/foo | _filter_xfs_io

  # Move our 'bar' file into a new directory.
  mv $SCRATCH_MNT/testdir_1/bar $SCRATCH_MNT/testdir_2/bar

  # Fsync our first directory. Because it had a file moved into some other
  # directory, this made btrfs commit the currently open transaction. This is
  # a condition necessary to trigger the data loss bug.
  $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/testdir_1

  # Now fsync our main test file. If the fsync succeeds, we expect the 8Kb of
  # data we wrote previously to be persisted and available if a crash happens.
  # This did not happen with btrfs, because of the transaction commit that
  # happened when we fsynced the parent directory.
  $XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo

  # Simulate a crash/power loss.
  _load_flakey_table $FLAKEY_DROP_WRITES
  _unmount_flakey

  _load_flakey_table $FLAKEY_ALLOW_WRITES
  _mount_flakey

  # Now check that all data we wrote before are available.
  echo "File content after log replay:"
  od -t x1 $SCRATCH_MNT/foo

  status=0
  exit

The expected golden output for the test, which is what we get with this
fix applied (or when running against ext3/4 and xfs), is:

  wrote 8192/8192 bytes at offset 0
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  wrote 8192/8192 bytes at offset 8192
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  File content after log replay:
  0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
  *
  0020000 bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb
  *
  0040000

Without this fix applied, the output shows the test file does not have
the second 8Kb extent that we successfully fsynced:

  wrote 8192/8192 bytes at offset 0
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  wrote 8192/8192 bytes at offset 8192
  XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
  File content after log replay:
  0000000 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
  *
  0020000

So fix this by skipping the fsync only if we're doing a full sync and
if the inode's last_trans is <= fs_info->last_trans_committed, or if
the inode is already in the log. Also remove setting the inode's
last_trans in btrfs_file_write_iter since it's useless/unreliable.

Also because btrfs_file_write_iter no longer sets inode->last_trans to
fs_info->generation + 1, don't set last_trans to 0 if we bail out and don't
bail out if last_trans is 0, otherwise something as simple as the following
example wouldn't log the second write on the last fsync:

  1. write to file

  2. fsync file

  3. fsync file
       |--> btrfs_inode_in_log() returns true and it set last_trans to 0

  4. write to file
       |--> btrfs_file_write_iter() no longers sets last_trans, so it
            remained with a value of 0
  5. fsync
       |--> inode->last_trans == 0, so it bails out without logging the
            second write

A test case for xfstests will be sent soon.

Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/file.c |   56 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1774,22 +1774,10 @@ static ssize_t btrfs_file_aio_write(stru
 	mutex_unlock(&inode->i_mutex);
 
 	/*
-	 * we want to make sure fsync finds this change
-	 * but we haven't joined a transaction running right now.
-	 *
-	 * Later on, someone is sure to update the inode and get the
-	 * real transid recorded.
-	 *
-	 * We set last_trans now to the fs_info generation + 1,
-	 * this will either be one more than the running transaction
-	 * or the generation used for the next transaction if there isn't
-	 * one running right now.
-	 *
 	 * We also have to set last_sub_trans to the current log transid,
 	 * otherwise subsequent syncs to a file that's been synced in this
 	 * transaction will appear to have already occured.
 	 */
-	BTRFS_I(inode)->last_trans = root->fs_info->generation + 1;
 	BTRFS_I(inode)->last_sub_trans = root->log_transid;
 	if (num_written > 0) {
 		err = generic_write_sync(file, pos, num_written);
@@ -1892,25 +1880,37 @@ int btrfs_sync_file(struct file *file, l
 	atomic_inc(&root->log_batch);
 
 	/*
-	 * check the transaction that last modified this inode
-	 * and see if its already been committed
-	 */
-	if (!BTRFS_I(inode)->last_trans) {
-		mutex_unlock(&inode->i_mutex);
-		goto out;
-	}
-
-	/*
-	 * if the last transaction that changed this file was before
-	 * the current transaction, we can bail out now without any
-	 * syncing
+	 * If the last transaction that changed this file was before the current
+	 * transaction and we have the full sync flag set in our inode, we can
+	 * bail out now without any syncing.
+	 *
+	 * Note that we can't bail out if the full sync flag isn't set. This is
+	 * because when the full sync flag is set we start all ordered extents
+	 * and wait for them to fully complete - when they complete they update
+	 * the inode's last_trans field through:
+	 *
+	 *     btrfs_finish_ordered_io() ->
+	 *         btrfs_update_inode_fallback() ->
+	 *             btrfs_update_inode() ->
+	 *                 btrfs_set_inode_last_trans()
+	 *
+	 * So we are sure that last_trans is up to date and can do this check to
+	 * bail out safely. For the fast path, when the full sync flag is not
+	 * set in our inode, we can not do it because we start only our ordered
+	 * extents and don't wait for them to complete (that is when
+	 * btrfs_finish_ordered_io runs), so here at this point their last_trans
+	 * value might be less than or equals to fs_info->last_trans_committed,
+	 * and setting a speculative last_trans for an inode when a buffered
+	 * write is made (such as fs_info->generation + 1 for example) would not
+	 * be reliable since after setting the value and before fsync is called
+	 * any number of transactions can start and commit (transaction kthread
+	 * commits the current transaction periodically), and a transaction
+	 * commit does not start nor waits for ordered extents to complete.
 	 */
 	smp_mb();
 	if (btrfs_inode_in_log(inode, root->fs_info->generation) ||
-	    BTRFS_I(inode)->last_trans <=
-	    root->fs_info->last_trans_committed) {
-		BTRFS_I(inode)->last_trans = 0;
-
+	    (full_sync && BTRFS_I(inode)->last_trans <=
+	     root->fs_info->last_trans_committed)) {
 		/*
 		 * We'v had everything committed since the last time we were
 		 * modified so clear this flag in case it was set for whatever



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 43/96] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref.
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 42/96] Btrfs: fix data loss in the fast fsync path Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 44/96] KVM: emulate: fix CMPXCHG8B on 32-bit hosts Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quentin Casasnovas, David Sterba,
	Chris Mason

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Quentin Casasnovas <quentin.casasnovas@oracle.com>

commit dd9ef135e3542ffc621c4eb7f0091870ec7a1504 upstream.

Improper arithmetics when calculting the address of the extended ref could
lead to an out of bounds memory read and kernel panic.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Chris Mason <clm@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -979,7 +979,7 @@ again:
 		base = btrfs_item_ptr_offset(leaf, path->slots[0]);
 
 		while (cur_offset < item_size) {
-			extref = (struct btrfs_inode_extref *)base + cur_offset;
+			extref = (struct btrfs_inode_extref *)(base + cur_offset);
 
 			victim_name_len = btrfs_inode_extref_name_len(leaf, extref);
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 44/96] KVM: emulate: fix CMPXCHG8B on 32-bit hosts
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 43/96] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 45/96] KVM: MIPS: Fix trace event to save PC directly Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Erik Rull, Paolo Bonzini

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 4ff6f8e61eb7f96d3ca535c6d240f863ccd6fb7d upstream.

This has been broken for a long time: it broke first in 2.6.35, then was
almost fixed in 2.6.36 but this one-liner slipped through the cracks.
The bug shows up as an infinite loop in Windows 7 (and newer) boot on
32-bit hosts without EPT.

Windows uses CMPXCHG8B to write to page tables, which causes a
page fault if running without EPT; the emulator is then called from
kvm_mmu_page_fault.  The loop then happens if the higher 4 bytes are
not 0; the common case for this is that the NX bit (bit 63) is 1.

Fixes: 6550e1f165f384f3a46b60a1be9aba4bc3c2adad
Fixes: 16518d5ada690643453eb0aef3cc7841d3623c2d
Reported-by: Erik Rull <erik.rull@rdsoftware.de>
Tested-by: Erik Rull <erik.rull@rdsoftware.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/emulate.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4646,7 +4646,8 @@ int x86_emulate_insn(struct x86_emulate_
 		if (rc != X86EMUL_CONTINUE)
 			goto done;
 	}
-	ctxt->dst.orig_val = ctxt->dst.val;
+	/* Copy full 64-bit value for CMPXCHG8B.  */
+	ctxt->dst.orig_val64 = ctxt->dst.val64;
 
 special_insn:
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 45/96] KVM: MIPS: Fix trace event to save PC directly
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 44/96] KVM: emulate: fix CMPXCHG8B on 32-bit hosts Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 46/96] USB: serial: cp210x: Adding Seletek device ids Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hogan, Paolo Bonzini,
	Ralf Baechle, Marcelo Tosatti, Gleb Natapov, Steven Rostedt,
	Ingo Molnar, linux-mips, kvm

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit b3cffac04eca9af46e1e23560a8ee22b1bd36d43 upstream.

Currently the guest exit trace event saves the VCPU pointer to the
structure, and the guest PC is retrieved by dereferencing it when the
event is printed rather than directly from the trace record. This isn't
safe as the printing may occur long afterwards, after the PC has changed
and potentially after the VCPU has been freed. Usually this results in
the same (wrong) PC being printed for multiple trace events. It also
isn't portable as userland has no way to access the VCPU data structure
when interpreting the trace record itself.

Lets save the actual PC in the structure so that the correct value is
accessible later.

Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kvm/trace.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/mips/kvm/trace.h
+++ b/arch/mips/kvm/trace.h
@@ -26,18 +26,18 @@ TRACE_EVENT(kvm_exit,
 	    TP_PROTO(struct kvm_vcpu *vcpu, unsigned int reason),
 	    TP_ARGS(vcpu, reason),
 	    TP_STRUCT__entry(
-			__field(struct kvm_vcpu *, vcpu)
+			__field(unsigned long, pc)
 			__field(unsigned int, reason)
 	    ),
 
 	    TP_fast_assign(
-			__entry->vcpu = vcpu;
+			__entry->pc = vcpu->arch.pc;
 			__entry->reason = reason;
 	    ),
 
 	    TP_printk("[%s]PC: 0x%08lx",
 		      kvm_mips_exit_types_str[__entry->reason],
-		      __entry->vcpu->arch.pc)
+		      __entry->pc)
 );
 
 #endif /* _TRACE_KVM_H */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 46/96] USB: serial: cp210x: Adding Seletek device ids
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 45/96] KVM: MIPS: Fix trace event to save PC directly Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 47/96] USB: mxuport: fix null deref when used as a console Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michiel van de Garde, Johan Hovold

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michiel vd Garde <mgparser@gmail.com>

commit 675af70856d7cc026be8b6ea7a8b9db10b8b38a1 upstream.

These device ID's are not associated with the cp210x module currently,
but should be. This patch allows the devices to operate upon connecting
them to the usb bus as intended.

Signed-off-by: Michiel van de Garde <mgparser@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cp210x.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -147,6 +147,8 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x166A, 0x0305) }, /* Clipsal C-5000CT2 C-Bus Spectrum Colour Touchscreen */
 	{ USB_DEVICE(0x166A, 0x0401) }, /* Clipsal L51xx C-Bus Architectural Dimmer */
 	{ USB_DEVICE(0x166A, 0x0101) }, /* Clipsal 5560884 C-Bus Multi-room Audio Matrix Switcher */
+	{ USB_DEVICE(0x16C0, 0x09B0) }, /* Lunatico Seletek */
+	{ USB_DEVICE(0x16C0, 0x09B1) }, /* Lunatico Seletek */
 	{ USB_DEVICE(0x16D6, 0x0001) }, /* Jablotron serial interface */
 	{ USB_DEVICE(0x16DC, 0x0010) }, /* W-IE-NE-R Plein & Baus GmbH PL512 Power Supply */
 	{ USB_DEVICE(0x16DC, 0x0011) }, /* W-IE-NE-R Plein & Baus GmbH RCM Remote Control for MARATON Power Supply */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 47/96] USB: mxuport: fix null deref when used as a console
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 46/96] USB: serial: cp210x: Adding Seletek device ids Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 48/96] USB: usbfs: dont leak kernel data in siginfo Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Greg Kroah-Hartman

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit db81de767e375743ebb0ad2bcad3326962c2b67e upstream.

Fix null-pointer dereference at probe when the device is used as a
console, in which case the tty argument to open will be NULL.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX
driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mxuport.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -1284,7 +1284,8 @@ static int mxuport_open(struct tty_struc
 	}
 
 	/* Initial port termios */
-	mxuport_set_termios(tty, port, NULL);
+	if (tty)
+		mxuport_set_termios(tty, port, NULL);
 
 	/*
 	 * TODO: use RQ_VENDOR_GET_MSR, once we know what it



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 48/96] USB: usbfs: dont leak kernel data in siginfo
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 47/96] USB: mxuport: fix null deref when used as a console Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 49/96] USB: ftdi_sio: add PIDs for Actisense USB devices Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Dave Mielke

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit f0c2b68198589249afd2b1f2c4e8de8c03e19c16 upstream.

When a signal is delivered, the information in the siginfo structure
is copied to userspace.  Good security practice dicatates that the
unused fields in this structure should be initialized to 0 so that
random kernel stack data isn't exposed to the user.  This patch adds
such an initialization to the two places where usbfs raises signals.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Dave Mielke <dave@mielke.cc>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/devio.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -501,6 +501,7 @@ static void async_completed(struct urb *
 	as->status = urb->status;
 	signr = as->signr;
 	if (signr) {
+		memset(&sinfo, 0, sizeof(sinfo));
 		sinfo.si_signo = as->signr;
 		sinfo.si_errno = as->status;
 		sinfo.si_code = SI_ASYNCIO;
@@ -2227,6 +2228,7 @@ static void usbdev_remove(struct usb_dev
 		wake_up_all(&ps->wait);
 		list_del_init(&ps->list);
 		if (ps->discsignr) {
+			memset(&sinfo, 0, sizeof(sinfo));
 			sinfo.si_signo = ps->discsignr;
 			sinfo.si_errno = EPIPE;
 			sinfo.si_code = SI_ASYNCIO;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 49/96] USB: ftdi_sio: add PIDs for Actisense USB devices
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 48/96] USB: usbfs: dont leak kernel data in siginfo Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 50/96] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mark Glover, Johan Hovold

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Glover <mark@actisense.com>

commit f6950344d3cf4a1e231b5828b50c4ac168db3886 upstream.

These product identifiers (PID) all deal with marine NMEA format data
used on motor boats and yachts. We supply the programmed devices to
Chetco, for use inside their equipment. The PIDs are a direct copy of
our Windows device drivers (FTDI drivers with altered PIDs).

Signed-off-by: Mark Glover <mark@actisense.com>
[johan: edit commit message slightly ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |   17 +++++++++++++++++
 drivers/usb/serial/ftdi_sio_ids.h |   20 ++++++++++++++++++++
 2 files changed, 37 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -991,6 +991,23 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE_INTERFACE_NUMBER(INFINEON_VID, INFINEON_TRIBOARD_PID, 1) },
 	/* GE Healthcare devices */
 	{ USB_DEVICE(GE_HEALTHCARE_VID, GE_HEALTHCARE_NEMO_TRACKER_PID) },
+	/* Active Research (Actisense) devices */
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_NDC_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_USG_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_NGT_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_NGW_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AC_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AD_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AE_PID) },
+	{ USB_DEVICE(FTDI_VID, ACTISENSE_D9AF_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEAGAUGE_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASWITCH_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_NMEA2000_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ETHERNET_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_WIFI_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
+	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -1438,3 +1438,23 @@
  */
 #define GE_HEALTHCARE_VID		0x1901
 #define GE_HEALTHCARE_NEMO_TRACKER_PID	0x0015
+
+/*
+ * Active Research (Actisense) devices
+ */
+#define ACTISENSE_NDC_PID		0xD9A8 /* NDC USB Serial Adapter */
+#define ACTISENSE_USG_PID		0xD9A9 /* USG USB Serial Adapter */
+#define ACTISENSE_NGT_PID		0xD9AA /* NGT NMEA2000 Interface */
+#define ACTISENSE_NGW_PID		0xD9AB /* NGW NMEA2000 Gateway */
+#define ACTISENSE_D9AC_PID		0xD9AC /* Actisense Reserved */
+#define ACTISENSE_D9AD_PID		0xD9AD /* Actisense Reserved */
+#define ACTISENSE_D9AE_PID		0xD9AE /* Actisense Reserved */
+#define ACTISENSE_D9AF_PID		0xD9AF /* Actisense Reserved */
+#define CHETCO_SEAGAUGE_PID		0xA548 /* SeaGauge USB Adapter */
+#define CHETCO_SEASWITCH_PID		0xA549 /* SeaSwitch USB Adapter */
+#define CHETCO_SEASMART_NMEA2000_PID	0xA54A /* SeaSmart NMEA2000 Gateway */
+#define CHETCO_SEASMART_ETHERNET_PID	0xA54B /* SeaSmart Ethernet Gateway */
+#define CHETCO_SEASMART_WIFI_PID	0xA5AC /* SeaSmart Wifi Gateway */
+#define CHETCO_SEASMART_DISPLAY_PID	0xA5AD /* SeaSmart NMEA2000 Display */
+#define CHETCO_SEASMART_LITE_PID	0xA5AE /* SeaSmart Lite USB Adapter */
+#define CHETCO_SEASMART_ANALOG_PID	0xA5AF /* SeaSmart Analog Adapter */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 50/96] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 49/96] USB: ftdi_sio: add PIDs for Actisense USB devices Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 51/96] usb: dwc3: dwc3-omap: Fix disable IRQ Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Mansfield, Johan Hovold

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Mansfield <max.m.mansfield@gmail.com>

commit c7d373c3f0da2b2b78c4b1ce5ae41485b3ef848c upstream.

This patch integrates Cyber Cortex AV boards with the existing
ftdi_jtag_quirk in order to use serial port 0 with JTAG which is
required by the manufacturers' software.

Steps: 2

[ftdi_sio_ids.h]
1. Defined the device PID

[ftdi_sio.c]
2. Added a macro declaration to the ids array, in order to enable the
jtag quirk for the device.

Signed-off-by: Max Mansfield <max.m.mansfield@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |    2 ++
 drivers/usb/serial/ftdi_sio_ids.h |    3 +++
 2 files changed, 5 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -812,6 +812,8 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) },
+	{ USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID),
+		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID),
 		.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
 	{ USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID),
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -38,6 +38,9 @@
 
 #define FTDI_LUMEL_PD12_PID	0x6002
 
+/* Cyber Cortex AV by Fabulous Silicon (http://fabuloussilicon.com) */
+#define CYBER_CORTEX_AV_PID	0x8698
+
 /*
  * Marvell OpenRD Base, Client
  * http://www.open-rd.org



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 51/96] usb: dwc3: dwc3-omap: Fix disable IRQ
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 50/96] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 52/96] xhci: Allocate correct amount of scratchpad buffers Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, George Cherian, Felipe Balbi

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: George Cherian <george.cherian@ti.com>

commit 96e5d31244c5542f5b2ea81d76f14ba4b8a7d440 upstream.

In the wrapper the IRQ disable should be done by writing 1's to the
IRQ*_CLR register. Existing code is broken because it instead writes
zeros to IRQ*_SET register.

Fix this by adding functions dwc3_omap_write_irqmisc_clr() and
dwc3_omap_write_irq0_clr() which do the right thing.

Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Signed-off-by: George Cherian <george.cherian@ti.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc3/dwc3-omap.c |   30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

--- a/drivers/usb/dwc3/dwc3-omap.c
+++ b/drivers/usb/dwc3/dwc3-omap.c
@@ -211,6 +211,18 @@ static void dwc3_omap_write_irq0_set(str
 						omap->irq0_offset, value);
 }
 
+static void dwc3_omap_write_irqmisc_clr(struct dwc3_omap *omap, u32 value)
+{
+	dwc3_omap_writel(omap->base, USBOTGSS_IRQENABLE_CLR_MISC +
+						omap->irqmisc_offset, value);
+}
+
+static void dwc3_omap_write_irq0_clr(struct dwc3_omap *omap, u32 value)
+{
+	dwc3_omap_writel(omap->base, USBOTGSS_IRQENABLE_CLR_0 -
+						omap->irq0_offset, value);
+}
+
 static void dwc3_omap_set_mailbox(struct dwc3_omap *omap,
 	enum omap_dwc3_vbus_id_status status)
 {
@@ -351,9 +363,23 @@ static void dwc3_omap_enable_irqs(struct
 
 static void dwc3_omap_disable_irqs(struct dwc3_omap *omap)
 {
+	u32			reg;
+
 	/* disable all IRQs */
-	dwc3_omap_write_irqmisc_set(omap, 0x00);
-	dwc3_omap_write_irq0_set(omap, 0x00);
+	reg = USBOTGSS_IRQO_COREIRQ_ST;
+	dwc3_omap_write_irq0_clr(omap, reg);
+
+	reg = (USBOTGSS_IRQMISC_OEVT |
+			USBOTGSS_IRQMISC_DRVVBUS_RISE |
+			USBOTGSS_IRQMISC_CHRGVBUS_RISE |
+			USBOTGSS_IRQMISC_DISCHRGVBUS_RISE |
+			USBOTGSS_IRQMISC_IDPULLUP_RISE |
+			USBOTGSS_IRQMISC_DRVVBUS_FALL |
+			USBOTGSS_IRQMISC_CHRGVBUS_FALL |
+			USBOTGSS_IRQMISC_DISCHRGVBUS_FALL |
+			USBOTGSS_IRQMISC_IDPULLUP_FALL);
+
+	dwc3_omap_write_irqmisc_clr(omap, reg);
 }
 
 static u64 dwc3_omap_dma_mask = DMA_BIT_MASK(32);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 52/96] xhci: Allocate correct amount of scratchpad buffers
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 51/96] usb: dwc3: dwc3-omap: Fix disable IRQ Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 53/96] xhci: fix reporting of 0-sized URBs in control endpoint Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tim Chen, Mathias Nyman

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 6596a926b0b6c80b730a1dd2fa91908e0a539c37 upstream.

Include the high order bit fields for Max scratchpad buffers when
calculating how many scratchpad buffers are needed.

I'm suprised this hasn't caused more issues, we never allocated more than
32 buffers even if xhci needed more. Either we got lucky and xhci never
really used past that area, or then we got enough zeroed dma memory anyway.

Should be backported as far back as possible

Reported-by: Tim Chen <tim.c.chen@linux.intel.com>
Tested-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci.h |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -88,9 +88,10 @@ struct xhci_cap_regs {
 #define HCS_IST(p)		(((p) >> 0) & 0xf)
 /* bits 4:7, max number of Event Ring segments */
 #define HCS_ERST_MAX(p)		(((p) >> 4) & 0xf)
+/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */
 /* bit 26 Scratchpad restore - for save/restore HW state - not used yet */
-/* bits 27:31 number of Scratchpad buffers SW must allocate for the HW */
-#define HCS_MAX_SCRATCHPAD(p)   (((p) >> 27) & 0x1f)
+/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */
+#define HCS_MAX_SCRATCHPAD(p)   ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f))
 
 /* HCSPARAMS3 - hcs_params3 - bitmasks */
 /* bits 0:7, Max U1 to U0 latency for the roothub ports */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 53/96] xhci: fix reporting of 0-sized URBs in control endpoint
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 52/96] xhci: Allocate correct amount of scratchpad buffers Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 54/96] mac80211: Send EAPOL frames at lowest rate Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aleksander Morgado, Mathias Nyman

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksander Morgado <aleksander@aleksander.es>

commit 45ba2154d12fc43b70312198ec47085f10be801a upstream.

When a control transfer has a short data stage, the xHCI controller generates
two transfer events: a COMP_SHORT_TX event that specifies the untransferred
amount, and a COMP_SUCCESS event. But when the data stage is not short, only the
COMP_SUCCESS event occurs. Therefore, xhci-hcd must set urb->actual_length to
urb->transfer_buffer_length while processing the COMP_SUCCESS event, unless
urb->actual_length was set already by a previous COMP_SHORT_TX event.

The driver checks this by seeing whether urb->actual_length == 0, but this alone
is the wrong test, as it is entirely possible for a short transfer to have an
urb->actual_length = 0.

This patch changes the xhci driver to rely on a new td->urb_length_set flag,
which is set to true when a COMP_SHORT_TX event is received and the URB length
updated at that stage.

This fixes a bug which affected the HSO plugin, which relies on URBs with
urb->actual_length == 0 to halt re-submitting the RX URB in the control
endpoint.

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-ring.c |   10 ++++++++--
 drivers/usb/host/xhci.h      |    3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2133,7 +2133,7 @@ static int process_ctrl_td(struct xhci_h
 	if (event_trb != ep_ring->dequeue) {
 		/* The event was for the status stage */
 		if (event_trb == td->last_trb) {
-			if (td->urb->actual_length != 0) {
+			if (td->urb_length_set) {
 				/* Don't overwrite a previously set error code
 				 */
 				if ((*status == -EINPROGRESS || *status == 0) &&
@@ -2147,7 +2147,13 @@ static int process_ctrl_td(struct xhci_h
 					td->urb->transfer_buffer_length;
 			}
 		} else {
-		/* Maybe the event was for the data stage? */
+			/*
+			 * Maybe the event was for the data stage? If so, update
+			 * already the actual_length of the URB and flag it as
+			 * set, so that it is not overwritten in the event for
+			 * the last TRB.
+			 */
+			td->urb_length_set = true;
 			td->urb->actual_length =
 				td->urb->transfer_buffer_length -
 				EVENT_TRB_LEN(le32_to_cpu(event->transfer_len));
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1,3 +1,4 @@
+
 /*
  * xHCI host controller driver
  *
@@ -1290,6 +1291,8 @@ struct xhci_td {
 	struct xhci_segment	*start_seg;
 	union xhci_trb		*first_trb;
 	union xhci_trb		*last_trb;
+	/* actual_length of the URB has already been set */
+	bool			urb_length_set;
 };
 
 /* xHCI command default timeout value */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 54/96] mac80211: Send EAPOL frames at lowest rate
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 53/96] xhci: fix reporting of 0-sized URBs in control endpoint Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 55/96] net: irda: fix wait_until_sent poll timeout Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Jouni Malinen, Johannes Berg

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Malinen <jouni@qca.qualcomm.com>

commit 9c1c98a3bb7b7593b60264b9a07e001e68b46697 upstream.

The current minstrel_ht rate control behavior is somewhat optimistic in
trying to find optimum TX rate. While this is usually fine for normal
Data frames, there are cases where a more conservative set of retry
parameters would be beneficial to make the connection more robust.

EAPOL frames are critical to the authentication and especially the
EAPOL-Key message 4/4 (the last message in the 4-way handshake) is
important to get through to the AP. If that message is lost, the only
recovery mechanism in many cases is to reassociate with the AP and start
from scratch. This can often be avoided by trying to send the frame with
more conservative rate and/or with more link layer retries.

In most cases, minstrel_ht is currently using the initial EAPOL-Key
frames for probing higher rates and this results in only five link layer
transmission attempts (one at high(ish) MCS and four at MCS0). While
this works with most APs, it looks like there are some deployed APs that
may have issues with the EAPOL frames using HT MCS immediately after
association. Similarly, there may be issues in cases where the signal
strength or radio environment is not good enough to be able to get
frames through even at couple of MCS 0 tries.

The best approach for this would likely to be to reduce the TX rate for
the last rate (3rd rate parameter in the set) to a low basic rate (say,
6 Mbps on 5 GHz and 2 or 5.5 Mbps on 2.4 GHz), but doing that cleanly
requires some more effort. For now, we can start with a simple one-liner
that forces the minimum rate to be used for EAPOL frames similarly how
the TX rate is selected for the IEEE 802.11 Management frames. This does
result in a small extra latency added to the cases where the AP would be
able to receive the higher rate, but taken into account how small number
of EAPOL frames are used, this is likely to be insignificant. A future
optimization in the minstrel_ht design can also allow this patch to be
reverted to get back to the more optimized initial TX rate.

It should also be noted that many drivers that do not use minstrel as
the rate control algorithm are already doing similar workarounds by
forcing the lowest TX rate to be used for EAPOL frames.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/tx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -562,6 +562,7 @@ ieee80211_tx_h_check_control_port_protoc
 		if (tx->sdata->control_port_no_encrypt)
 			info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
 		info->control.flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO;
+		info->flags |= IEEE80211_TX_CTL_USE_MINRATE;
 	}
 
 	return TX_CONTINUE;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 55/96] net: irda: fix wait_until_sent poll timeout
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 54/96] mac80211: Send EAPOL frames at lowest rate Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 56/96] USB: serial: fix infinite wait_until_sent timeout Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 2c3fbe3cf28fbd7001545a92a83b4f8acfd9fa36 upstream.

In case an infinite timeout (0) is requested, the irda wait_until_sent
implementation would use a zero poll timeout rather than the default
200ms.

Note that wait_until_sent is currently never called with a 0-timeout
argument due to a bug in tty_wait_until_sent.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/irda/ircomm/ircomm_tty.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/irda/ircomm/ircomm_tty.c
+++ b/net/irda/ircomm/ircomm_tty.c
@@ -818,7 +818,9 @@ static void ircomm_tty_wait_until_sent(s
 	orig_jiffies = jiffies;
 
 	/* Set poll time to 200 ms */
-	poll_time = IRDA_MIN(timeout, msecs_to_jiffies(200));
+	poll_time = msecs_to_jiffies(200);
+	if (timeout)
+		poll_time = min_t(unsigned long, timeout, poll_time);
 
 	spin_lock_irqsave(&self->spinlock, flags);
 	while (self->tx_skb && self->tx_skb->len) {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 56/96] USB: serial: fix infinite wait_until_sent timeout
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 55/96] net: irda: fix wait_until_sent poll timeout Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 57/96] TTY: fix tty_wait_until_sent on 64-bit machines Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit f528bf4f57e43d1af4b2a5c97f09e43e0338c105 upstream.

Make sure to handle an infinite timeout (0).

Note that wait_until_sent is currently never called with a 0-timeout
argument due to a bug in tty_wait_until_sent.

Fixes: dcf010503966 ("USB: serial: add generic wait_until_sent
implementation")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/generic.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/generic.c
+++ b/drivers/usb/serial/generic.c
@@ -258,7 +258,8 @@ void usb_serial_generic_wait_until_sent(
 	 * character or at least one jiffy.
 	 */
 	period = max_t(unsigned long, (10 * HZ / bps), 1);
-	period = min_t(unsigned long, period, timeout);
+	if (timeout)
+		period = min_t(unsigned long, period, timeout);
 
 	dev_dbg(&port->dev, "%s - timeout = %u ms, period = %u ms\n",
 					__func__, jiffies_to_msecs(timeout),
@@ -268,7 +269,7 @@ void usb_serial_generic_wait_until_sent(
 		schedule_timeout_interruptible(period);
 		if (signal_pending(current))
 			break;
-		if (time_after(jiffies, expire))
+		if (timeout && time_after(jiffies, expire))
 			break;
 	}
 }



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 57/96] TTY: fix tty_wait_until_sent on 64-bit machines
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 56/96] USB: serial: fix infinite wait_until_sent timeout Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 58/96] USB: serial: fix potential use-after-free after failed probe Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, ZIV-Asier Llano Palacios,
	Johan Hovold, Peter Hurley

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 79fbf4a550ed6a22e1ae1516113e6c7fa5d56a53 upstream.

Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an
infinite timeout (0) would be passed to the underlying tty-driver's
wait_until_sent-operation as a negative timeout (-1), causing it to
return immediately.

This manifests itself for example as tcdrain() returning immediately,
drivers not honouring the drain flags when setting terminal attributes,
or even dropped data on close as a requested infinite closing-wait
timeout would be ignored.

The first symptom  was reported by Asier LLANO who noted that tcdrain()
returned prematurely when using the ftdi_sio usb-serial driver.

Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the
underlying tty driver.

Note that the serial-core wait_until_sent-implementation is not affected
by this bug due to a lucky chance (comparison to an unsigned maximum
timeout), and neither is the cyclades one that had an explicit check for
negative timeouts, but all other tty drivers appear to be affected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: ZIV-Asier Llano Palacios <asier.llano@cgglobal.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/tty_ioctl.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/tty/tty_ioctl.c
+++ b/drivers/tty/tty_ioctl.c
@@ -217,11 +217,17 @@ void tty_wait_until_sent(struct tty_stru
 #endif
 	if (!timeout)
 		timeout = MAX_SCHEDULE_TIMEOUT;
+
 	if (wait_event_interruptible_timeout(tty->write_wait,
-			!tty_chars_in_buffer(tty), timeout) >= 0) {
-		if (tty->ops->wait_until_sent)
-			tty->ops->wait_until_sent(tty, timeout);
+			!tty_chars_in_buffer(tty), timeout) < 0) {
+		return;
 	}
+
+	if (timeout == MAX_SCHEDULE_TIMEOUT)
+		timeout = 0;
+
+	if (tty->ops->wait_until_sent)
+		tty->ops->wait_until_sent(tty, timeout);
 }
 EXPORT_SYMBOL(tty_wait_until_sent);
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 58/96] USB: serial: fix potential use-after-free after failed probe
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 57/96] TTY: fix tty_wait_until_sent on 64-bit machines Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 59/96] USB: serial: fix tty-device error handling at probe Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Greg Kroah-Hartman

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 07fdfc5e9f1c966be8722e8fa927e5ea140df5ce upstream.

Fix return value in probe error path, which could end up returning
success (0) on errors. This could in turn lead to use-after-free or
double free (e.g. in port_remove) when the port device is removed.

Fixes: c706ebdfc895 ("USB: usb-serial: call port_probe and port_remove
at the right times")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/bus.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/bus.c
+++ b/drivers/usb/serial/bus.c
@@ -75,7 +75,7 @@ static int usb_serial_device_probe(struc
 	retval = device_create_file(dev, &dev_attr_port_number);
 	if (retval) {
 		if (driver->port_remove)
-			retval = driver->port_remove(port);
+			driver->port_remove(port);
 		goto exit_with_autopm;
 	}
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 59/96] USB: serial: fix tty-device error handling at probe
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 58/96] USB: serial: fix potential use-after-free after failed probe Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 60/96] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Johan Hovold,
	Greg Kroah-Hartman

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ca4383a3947a83286bc9b9c598a1f55e867871d7 upstream.

Add missing error handling when registering the tty device at port
probe. This avoids trying to remove an uninitialised character device
when the port device is removed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <greg@kroah.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/bus.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/bus.c
+++ b/drivers/usb/serial/bus.c
@@ -51,6 +51,7 @@ static int usb_serial_device_probe(struc
 {
 	struct usb_serial_driver *driver;
 	struct usb_serial_port *port;
+	struct device *tty_dev;
 	int retval = 0;
 	int minor;
 
@@ -80,7 +81,15 @@ static int usb_serial_device_probe(struc
 	}
 
 	minor = port->minor;
-	tty_register_device(usb_serial_tty_driver, minor, dev);
+	tty_dev = tty_register_device(usb_serial_tty_driver, minor, dev);
+	if (IS_ERR(tty_dev)) {
+		retval = PTR_ERR(tty_dev);
+		device_remove_file(dev, &dev_attr_port_number);
+		if (driver->port_remove)
+			driver->port_remove(port);
+		goto exit_with_autopm;
+	}
+
 	dev_info(&port->serial->dev->dev,
 		 "%s converter now attached to ttyUSB%d\n",
 		 driver->description, minor);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 60/96] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 59/96] USB: serial: fix tty-device error handling at probe Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 61/96] debugfs: leave freeing a symlink body until inode eviction Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 0a280962dc6e117e0e4baa668453f753579265d9 upstream.

X-Coverup: just ask spender
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/autofs4/dev-ioctl.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/autofs4/dev-ioctl.c
+++ b/fs/autofs4/dev-ioctl.c
@@ -95,7 +95,7 @@ static int check_dev_ioctl_version(int c
  */
 static struct autofs_dev_ioctl *copy_dev_ioctl(struct autofs_dev_ioctl __user *in)
 {
-	struct autofs_dev_ioctl tmp;
+	struct autofs_dev_ioctl tmp, *res;
 
 	if (copy_from_user(&tmp, in, sizeof(tmp)))
 		return ERR_PTR(-EFAULT);
@@ -103,7 +103,11 @@ static struct autofs_dev_ioctl *copy_dev
 	if (tmp.size < sizeof(tmp))
 		return ERR_PTR(-EINVAL);
 
-	return memdup_user(in, tmp.size);
+	res = memdup_user(in, tmp.size);
+	if (!IS_ERR(res))
+		res->size = tmp.size;
+
+	return res;
 }
 
 static inline void free_dev_ioctl(struct autofs_dev_ioctl *param)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 61/96] debugfs: leave freeing a symlink body until inode eviction
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 60/96] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 62/96] procfs: fix race between symlink removals and traversals Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 0db59e59299f0b67450c5db21f7f316c8fb04e84 upstream.

As it is, we have debugfs_remove() racing with symlink traversals.
Supply ->evict_inode() and do freeing there - inode will remain
pinned until we are done with the symlink body.

And rip the idiocy with checking if dentry is positive right after
we'd verified debugfs_positive(), which is a stronger check...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/debugfs/inode.c |   34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -245,10 +245,19 @@ static int debugfs_show_options(struct s
 	return 0;
 }
 
+static void debugfs_evict_inode(struct inode *inode)
+{
+	truncate_inode_pages(&inode->i_data, 0);
+	clear_inode(inode);
+	if (S_ISLNK(inode->i_mode))
+		kfree(inode->i_private);
+}
+
 static const struct super_operations debugfs_super_operations = {
 	.statfs		= simple_statfs,
 	.remount_fs	= debugfs_remount,
 	.show_options	= debugfs_show_options,
+	.evict_inode	= debugfs_evict_inode,
 };
 
 static int debug_fill_super(struct super_block *sb, void *data, int silent)
@@ -465,23 +474,14 @@ static int __debugfs_remove(struct dentr
 	int ret = 0;
 
 	if (debugfs_positive(dentry)) {
-		if (dentry->d_inode) {
-			dget(dentry);
-			switch (dentry->d_inode->i_mode & S_IFMT) {
-			case S_IFDIR:
-				ret = simple_rmdir(parent->d_inode, dentry);
-				break;
-			case S_IFLNK:
-				kfree(dentry->d_inode->i_private);
-				/* fall through */
-			default:
-				simple_unlink(parent->d_inode, dentry);
-				break;
-			}
-			if (!ret)
-				d_delete(dentry);
-			dput(dentry);
-		}
+		dget(dentry);
+		if (S_ISDIR(dentry->d_inode->i_mode))
+			ret = simple_rmdir(parent->d_inode, dentry);
+		else
+			simple_unlink(parent->d_inode, dentry);
+		if (!ret)
+			d_delete(dentry);
+		dput(dentry);
 	}
 	return ret;
 }



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 62/96] procfs: fix race between symlink removals and traversals
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 61/96] debugfs: leave freeing a symlink body until inode eviction Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 63/96] sunrpc: fix braino in ->poll() Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 7e0e953bb0cf649f93277ac8fb67ecbb7f7b04a9 upstream.

use_pde()/unuse_pde() in ->follow_link()/->put_link() resp.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/generic.c  |   12 ------------
 fs/proc/inode.c    |   21 +++++++++++++++++++++
 fs/proc/internal.h |    1 +
 3 files changed, 22 insertions(+), 12 deletions(-)

--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -19,7 +19,6 @@
 #include <linux/mount.h>
 #include <linux/init.h>
 #include <linux/idr.h>
-#include <linux/namei.h>
 #include <linux/bitops.h>
 #include <linux/spinlock.h>
 #include <linux/completion.h>
@@ -162,17 +161,6 @@ void proc_free_inum(unsigned int inum)
 	spin_unlock_irqrestore(&proc_inum_lock, flags);
 }
 
-static void *proc_follow_link(struct dentry *dentry, struct nameidata *nd)
-{
-	nd_set_link(nd, __PDE_DATA(dentry->d_inode));
-	return NULL;
-}
-
-static const struct inode_operations proc_link_inode_operations = {
-	.readlink	= generic_readlink,
-	.follow_link	= proc_follow_link,
-};
-
 /*
  * Don't create negative dentries here, return -ENOENT by hand
  * instead.
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -23,6 +23,7 @@
 #include <linux/slab.h>
 #include <linux/mount.h>
 #include <linux/magic.h>
+#include <linux/namei.h>
 
 #include <asm/uaccess.h>
 
@@ -401,6 +402,26 @@ static const struct file_operations proc
 };
 #endif
 
+static void *proc_follow_link(struct dentry *dentry, struct nameidata *nd)
+{
+	struct proc_dir_entry *pde = PDE(dentry->d_inode);
+	if (unlikely(!use_pde(pde)))
+		return ERR_PTR(-EINVAL);
+	nd_set_link(nd, pde->data);
+	return pde;
+}
+
+static void proc_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
+{
+	unuse_pde(p);
+}
+
+const struct inode_operations proc_link_inode_operations = {
+	.readlink	= generic_readlink,
+	.follow_link	= proc_follow_link,
+	.put_link	= proc_put_link,
+};
+
 struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
 {
 	struct inode *inode = new_inode_pseudo(sb);
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -202,6 +202,7 @@ struct pde_opener {
 	int closing;
 	struct completion *c;
 };
+extern const struct inode_operations proc_link_inode_operations;
 
 extern const struct inode_operations proc_pid_link_inode_operations;
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 63/96] sunrpc: fix braino in ->poll()
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 62/96] procfs: fix race between symlink removals and traversals Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 64/96] ARC: Fix KSTK_ESP() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Al Viro, Bruce Fields, Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit 1711fd9addf214823b993468567cab1f8254fc51 upstream.

POLL_OUT isn't what callers of ->poll() are expecting to see; it's
actually __SI_POLL | 2 and it's a siginfo code, not a poll bitmap
bit...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Bruce Fields <bfields@fieldses.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/cache.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -920,7 +920,7 @@ static unsigned int cache_poll(struct fi
 	poll_wait(filp, &queue_wait, wait);
 
 	/* alway allow write */
-	mask = POLL_OUT | POLLWRNORM;
+	mask = POLLOUT | POLLWRNORM;
 
 	if (!rp)
 		return mask;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 64/96] ARC: Fix KSTK_ESP()
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 63/96] sunrpc: fix braino in ->poll() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 65/96] tty: fix up atime/mtime mess, take four Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vineet Gupta

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit 13648b0118a24f4fc76c34e6c7b6ccf447e46a2a upstream.

/proc/<pid>/maps currently don't annotate stack vma with "[stack]"
This is because KSTK_ESP ie expected to return usermode SP of tsk while
currently it returns the kernel mode SP of a sleeping tsk.

While the fix is trivial, we also need to adjust the ARC kernel stack
unwinder to not use KSTK_SP and friends any more.

Reported-and-suggested-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arc/include/asm/processor.h |    9 +++++----
 arch/arc/kernel/stacktrace.c     |    6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/arch/arc/include/asm/processor.h
+++ b/arch/arc/include/asm/processor.h
@@ -69,18 +69,19 @@ unsigned long thread_saved_pc(struct tas
 #define release_segments(mm)        do { } while (0)
 
 #define KSTK_EIP(tsk)   (task_pt_regs(tsk)->ret)
+#define KSTK_ESP(tsk)   (task_pt_regs(tsk)->sp)
 
 /*
  * Where abouts of Task's sp, fp, blink when it was last seen in kernel mode.
  * Look in process.c for details of kernel stack layout
  */
-#define KSTK_ESP(tsk)   (tsk->thread.ksp)
+#define TSK_K_ESP(tsk)		(tsk->thread.ksp)
 
-#define KSTK_REG(tsk, off)	(*((unsigned int *)(KSTK_ESP(tsk) + \
+#define TSK_K_REG(tsk, off)	(*((unsigned int *)(TSK_K_ESP(tsk) + \
 					sizeof(struct callee_regs) + off)))
 
-#define KSTK_BLINK(tsk) KSTK_REG(tsk, 4)
-#define KSTK_FP(tsk)    KSTK_REG(tsk, 0)
+#define TSK_K_BLINK(tsk)	TSK_K_REG(tsk, 4)
+#define TSK_K_FP(tsk)		TSK_K_REG(tsk, 0)
 
 /*
  * Do necessary setup to start up a newly executed thread.
--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -64,9 +64,9 @@ static void seed_unwind_frame_info(struc
 
 		frame_info->task = tsk;
 
-		frame_info->regs.r27 = KSTK_FP(tsk);
-		frame_info->regs.r28 = KSTK_ESP(tsk);
-		frame_info->regs.r31 = KSTK_BLINK(tsk);
+		frame_info->regs.r27 = TSK_K_FP(tsk);
+		frame_info->regs.r28 = TSK_K_ESP(tsk);
+		frame_info->regs.r31 = TSK_K_BLINK(tsk);
 		frame_info->regs.r63 = (unsigned int)__switch_to;
 
 		/* In the prologue of __switch_to, first FP is saved on stack



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 65/96] tty: fix up atime/mtime mess, take four
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 64/96] ARC: Fix KSTK_ESP() Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 66/96] ALSA: pcm: Dont leave PREPARED state after draining Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, John Paul Perry, Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit f0bf0bd07943bfde8f5ac39a32664810a379c7d3 upstream.

This problem was taken care of three times already in
* b0de59b5733d18b0d1974a060860a8b5c1b36a2e (TTY: do not update
  atime/mtime on read/write),
* 37b7f3c76595e23257f61bd80b223de8658617ee (TTY: fix atime/mtime
  regression), and
* b0b885657b6c8ef63a46bc9299b2a7715d19acde (tty: fix up atime/mtime
  mess, take three)

But it still misses one point. As John Paul correctly points out, we
do not care about setting date. If somebody ever changes wall
time backwards (by mistake for example), tty timestamps are never
updated until the original wall time passes.

So check the absolute difference of times and if it large than "8
seconds or so", always update the time. That means we will update
immediatelly when changing time. Ergo, CAP_SYS_TIME can foul the
check, but it was always that way.

Thanks John for serving me this so nicely debugged.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: John Paul Perry <john_paul.perry@alcatel-lucent.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/tty_io.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -996,8 +996,8 @@ EXPORT_SYMBOL(start_tty);
 /* We limit tty time update visibility to every 8 seconds or so. */
 static void tty_update_time(struct timespec *time)
 {
-	unsigned long sec = get_seconds() & ~7;
-	if ((long)(sec - time->tv_sec) > 0)
+	unsigned long sec = get_seconds();
+	if (abs(sec - time->tv_sec) & ~7)
 		time->tv_sec = sec;
 }
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 66/96] ALSA: pcm: Dont leave PREPARED state after draining
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 65/96] tty: fix up atime/mtime mess, take four Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 67/96] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 70372a7566b5e552dbe48abdac08c275081d8558 upstream.

When a PCM draining is performed to an empty stream that has been
already in PREPARED state, the current code just ignores and leaves as
it is, although the drain is supposed to set all such streams to SETUP
state.  This patch covers that overlooked case.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/pcm_native.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1404,6 +1404,8 @@ static int snd_pcm_do_drain_init(struct
 			if (! snd_pcm_playback_empty(substream)) {
 				snd_pcm_do_start(substream, SNDRV_PCM_STATE_DRAINING);
 				snd_pcm_post_start(substream, SNDRV_PCM_STATE_DRAINING);
+			} else {
+				runtime->status->state = SNDRV_PCM_STATE_SETUP;
 			}
 			break;
 		case SNDRV_PCM_STATE_RUNNING:



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 67/96] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 66/96] ALSA: pcm: Dont leave PREPARED state after draining Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 68/96] ALSA: hda - Disable runtime PM for Panther Point again Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 6426460e5d87810e042962281fe3c1e8fc256162 upstream.

BIOS doesn't seem to set up pins for 5.1 and the SPDIF out, so we need
to give explicitly here.

Reported-and-tested-by: Misan Thropos <misanthropos@gmx.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_sigmatel.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/patch_sigmatel.c
+++ b/sound/pci/hda/patch_sigmatel.c
@@ -85,6 +85,7 @@ enum {
 	STAC_ALIENWARE_M17X,
 	STAC_92HD89XX_HP_FRONT_JACK,
 	STAC_92HD89XX_HP_Z1_G2_RIGHT_MIC_JACK,
+	STAC_92HD73XX_ASUS_MOBO,
 	STAC_92HD73XX_MODELS
 };
 
@@ -1935,7 +1936,18 @@ static const struct hda_fixup stac92hd73
 	[STAC_92HD89XX_HP_Z1_G2_RIGHT_MIC_JACK] = {
 		.type = HDA_FIXUP_PINS,
 		.v.pins = stac92hd89xx_hp_z1_g2_right_mic_jack_pin_configs,
-	}
+	},
+	[STAC_92HD73XX_ASUS_MOBO] = {
+		.type = HDA_FIXUP_PINS,
+		.v.pins = (const struct hda_pintbl[]) {
+			/* enable 5.1 and SPDIF out */
+			{ 0x0c, 0x01014411 },
+			{ 0x0d, 0x01014410 },
+			{ 0x0e, 0x01014412 },
+			{ 0x22, 0x014b1180 },
+			{ }
+		}
+	},
 };
 
 static const struct hda_model_fixup stac92hd73xx_models[] = {
@@ -1947,6 +1959,7 @@ static const struct hda_model_fixup stac
 	{ .id = STAC_DELL_M6_BOTH, .name = "dell-m6" },
 	{ .id = STAC_DELL_EQ, .name = "dell-eq" },
 	{ .id = STAC_ALIENWARE_M17X, .name = "alienware" },
+	{ .id = STAC_92HD73XX_ASUS_MOBO, .name = "asus-mobo" },
 	{}
 };
 
@@ -1999,6 +2012,8 @@ static const struct snd_pci_quirk stac92
 				"HP Z1 G2", STAC_92HD89XX_HP_Z1_G2_RIGHT_MIC_JACK),
 	SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x2b17,
 				"unknown HP", STAC_92HD89XX_HP_FRONT_JACK),
+	SND_PCI_QUIRK(PCI_VENDOR_ID_ASUSTEK, 0x83f8, "ASUS AT4NM10",
+		      STAC_92HD73XX_ASUS_MOBO),
 	{} /* terminator */
 };
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 68/96] ALSA: hda - Disable runtime PM for Panther Point again
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 67/96] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 69/96] sg: fix read() error reporting Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dang Sananikone, Takashi Iwai

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit de5d0ad506cb10ab143e2ffb9def7607e3671f83 upstream.

This is essentially a partial revert of the commit [b1920c21102a:
'ALSA: hda - Enable runtime PM on Panther Point'].  There was a bug
report showing the HD-audio bus hang during runtime PM on HP Spectre
XT.

Reported-by: Dang Sananikone <dang.sananikone@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/hda_intel.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -3984,7 +3984,7 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids)
 	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH_NOPM },
 	/* Panther Point */
 	{ PCI_DEVICE(0x8086, 0x1e20),
-	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
+	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH_NOPM },
 	/* Lynx Point */
 	{ PCI_DEVICE(0x8086, 0x8c20),
 	  .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 69/96] sg: fix read() error reporting
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 68/96] ALSA: hda - Disable runtime PM for Panther Point again Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 70/96] IB/qib: Do not write EEPROM Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Battersby, Douglas Gilbert,
	James Bottomley

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Battersby <tonyb@cybernetics.com>

commit 3b524a683af8991b4eab4182b947c65f0ce1421b upstream.

Fix SCSI generic read() incorrectly returning success after detecting an
error.

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -522,7 +522,7 @@ static ssize_t
 sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
 {
 	sg_io_hdr_t *hp = &srp->header;
-	int err = 0;
+	int err = 0, err2;
 	int len;
 
 	if (count < SZ_SG_IO_HDR) {
@@ -551,8 +551,8 @@ sg_new_read(Sg_fd * sfp, char __user *bu
 		goto err_out;
 	}
 err_out:
-	err = sg_finish_rem_req(srp);
-	return (0 == err) ? count : err;
+	err2 = sg_finish_rem_req(srp);
+	return err ? : err2 ? : count;
 }
 
 static ssize_t



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 70/96] IB/qib: Do not write EEPROM
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 69/96] sg: fix read() error reporting Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 71/96] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, Mitko Haralanov,
	Roland Dreier

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mitko Haralanov <mitko.haralanov@intel.com>

commit 18c0b82a3e4501511b08d0e8676fb08ac08734a3 upstream.

This changeset removes all the code that allows the driver to write to
the EEPROM and update the recorded error counters and power on hours.

These two stats are unused and writing them exposes a timing risk
which could leave the EEPROM in a bad state preventing further normal
operation of the HCA.

Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Mitko Haralanov <mitko.haralanov@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/qib/qib.h         |    9 -
 drivers/infiniband/hw/qib/qib_eeprom.c  |  181 --------------------------------
 drivers/infiniband/hw/qib/qib_iba6120.c |    2 
 drivers/infiniband/hw/qib/qib_iba7220.c |    2 
 drivers/infiniband/hw/qib/qib_iba7322.c |    2 
 drivers/infiniband/hw/qib/qib_init.c    |    1 
 drivers/infiniband/hw/qib/qib_sysfs.c   |   24 ----
 7 files changed, 1 insertion(+), 220 deletions(-)

--- a/drivers/infiniband/hw/qib/qib.h
+++ b/drivers/infiniband/hw/qib/qib.h
@@ -1080,12 +1080,6 @@ struct qib_devdata {
 	/* control high-level access to EEPROM */
 	struct mutex eep_lock;
 	uint64_t traffic_wds;
-	/* active time is kept in seconds, but logged in hours */
-	atomic_t active_time;
-	/* Below are nominal shadow of EEPROM, new since last EEPROM update */
-	uint8_t eep_st_errs[QIB_EEP_LOG_CNT];
-	uint8_t eep_st_new_errs[QIB_EEP_LOG_CNT];
-	uint16_t eep_hrs;
 	/*
 	 * masks for which bits of errs, hwerrs that cause
 	 * each of the counters to increment.
@@ -1307,8 +1301,7 @@ int qib_twsi_blk_rd(struct qib_devdata *
 int qib_twsi_blk_wr(struct qib_devdata *dd, int dev, int addr,
 		    const void *buffer, int len);
 void qib_get_eeprom_info(struct qib_devdata *);
-int qib_update_eeprom_log(struct qib_devdata *dd);
-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr);
+#define qib_inc_eeprom_err(dd, eidx, incr)
 void qib_dump_lookup_output_queue(struct qib_devdata *);
 void qib_force_pio_avail_update(struct qib_devdata *);
 void qib_clear_symerror_on_linkup(unsigned long opaque);
--- a/drivers/infiniband/hw/qib/qib_eeprom.c
+++ b/drivers/infiniband/hw/qib/qib_eeprom.c
@@ -267,190 +267,9 @@ void qib_get_eeprom_info(struct qib_devd
 			"Board SN %s did not pass functional test: %s\n",
 			dd->serial, ifp->if_comment);
 
-	memcpy(&dd->eep_st_errs, &ifp->if_errcntp, QIB_EEP_LOG_CNT);
-	/*
-	 * Power-on (actually "active") hours are kept as little-endian value
-	 * in EEPROM, but as seconds in a (possibly as small as 24-bit)
-	 * atomic_t while running.
-	 */
-	atomic_set(&dd->active_time, 0);
-	dd->eep_hrs = ifp->if_powerhour[0] | (ifp->if_powerhour[1] << 8);
-
 done:
 	vfree(buf);
 
 bail:;
 }
 
-/**
- * qib_update_eeprom_log - copy active-time and error counters to eeprom
- * @dd: the qlogic_ib device
- *
- * Although the time is kept as seconds in the qib_devdata struct, it is
- * rounded to hours for re-write, as we have only 16 bits in EEPROM.
- * First-cut code reads whole (expected) struct qib_flash, modifies,
- * re-writes. Future direction: read/write only what we need, assuming
- * that the EEPROM had to have been "good enough" for driver init, and
- * if not, we aren't making it worse.
- *
- */
-int qib_update_eeprom_log(struct qib_devdata *dd)
-{
-	void *buf;
-	struct qib_flash *ifp;
-	int len, hi_water;
-	uint32_t new_time, new_hrs;
-	u8 csum;
-	int ret, idx;
-	unsigned long flags;
-
-	/* first, check if we actually need to do anything. */
-	ret = 0;
-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
-		if (dd->eep_st_new_errs[idx]) {
-			ret = 1;
-			break;
-		}
-	}
-	new_time = atomic_read(&dd->active_time);
-
-	if (ret == 0 && new_time < 3600)
-		goto bail;
-
-	/*
-	 * The quick-check above determined that there is something worthy
-	 * of logging, so get current contents and do a more detailed idea.
-	 * read full flash, not just currently used part, since it may have
-	 * been written with a newer definition
-	 */
-	len = sizeof(struct qib_flash);
-	buf = vmalloc(len);
-	ret = 1;
-	if (!buf) {
-		qib_dev_err(dd,
-			"Couldn't allocate memory to read %u bytes from eeprom for logging\n",
-			len);
-		goto bail;
-	}
-
-	/* Grab semaphore and read current EEPROM. If we get an
-	 * error, let go, but if not, keep it until we finish write.
-	 */
-	ret = mutex_lock_interruptible(&dd->eep_lock);
-	if (ret) {
-		qib_dev_err(dd, "Unable to acquire EEPROM for logging\n");
-		goto free_bail;
-	}
-	ret = qib_twsi_blk_rd(dd, dd->twsi_eeprom_dev, 0, buf, len);
-	if (ret) {
-		mutex_unlock(&dd->eep_lock);
-		qib_dev_err(dd, "Unable read EEPROM for logging\n");
-		goto free_bail;
-	}
-	ifp = (struct qib_flash *)buf;
-
-	csum = flash_csum(ifp, 0);
-	if (csum != ifp->if_csum) {
-		mutex_unlock(&dd->eep_lock);
-		qib_dev_err(dd, "EEPROM cks err (0x%02X, S/B 0x%02X)\n",
-			    csum, ifp->if_csum);
-		ret = 1;
-		goto free_bail;
-	}
-	hi_water = 0;
-	spin_lock_irqsave(&dd->eep_st_lock, flags);
-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
-		int new_val = dd->eep_st_new_errs[idx];
-		if (new_val) {
-			/*
-			 * If we have seen any errors, add to EEPROM values
-			 * We need to saturate at 0xFF (255) and we also
-			 * would need to adjust the checksum if we were
-			 * trying to minimize EEPROM traffic
-			 * Note that we add to actual current count in EEPROM,
-			 * in case it was altered while we were running.
-			 */
-			new_val += ifp->if_errcntp[idx];
-			if (new_val > 0xFF)
-				new_val = 0xFF;
-			if (ifp->if_errcntp[idx] != new_val) {
-				ifp->if_errcntp[idx] = new_val;
-				hi_water = offsetof(struct qib_flash,
-						    if_errcntp) + idx;
-			}
-			/*
-			 * update our shadow (used to minimize EEPROM
-			 * traffic), to match what we are about to write.
-			 */
-			dd->eep_st_errs[idx] = new_val;
-			dd->eep_st_new_errs[idx] = 0;
-		}
-	}
-	/*
-	 * Now update active-time. We would like to round to the nearest hour
-	 * but unless atomic_t are sure to be proper signed ints we cannot,
-	 * because we need to account for what we "transfer" to EEPROM and
-	 * if we log an hour at 31 minutes, then we would need to set
-	 * active_time to -29 to accurately count the _next_ hour.
-	 */
-	if (new_time >= 3600) {
-		new_hrs = new_time / 3600;
-		atomic_sub((new_hrs * 3600), &dd->active_time);
-		new_hrs += dd->eep_hrs;
-		if (new_hrs > 0xFFFF)
-			new_hrs = 0xFFFF;
-		dd->eep_hrs = new_hrs;
-		if ((new_hrs & 0xFF) != ifp->if_powerhour[0]) {
-			ifp->if_powerhour[0] = new_hrs & 0xFF;
-			hi_water = offsetof(struct qib_flash, if_powerhour);
-		}
-		if ((new_hrs >> 8) != ifp->if_powerhour[1]) {
-			ifp->if_powerhour[1] = new_hrs >> 8;
-			hi_water = offsetof(struct qib_flash, if_powerhour) + 1;
-		}
-	}
-	/*
-	 * There is a tiny possibility that we could somehow fail to write
-	 * the EEPROM after updating our shadows, but problems from holding
-	 * the spinlock too long are a much bigger issue.
-	 */
-	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
-	if (hi_water) {
-		/* we made some change to the data, uopdate cksum and write */
-		csum = flash_csum(ifp, 1);
-		ret = eeprom_write_with_enable(dd, 0, buf, hi_water + 1);
-	}
-	mutex_unlock(&dd->eep_lock);
-	if (ret)
-		qib_dev_err(dd, "Failed updating EEPROM\n");
-
-free_bail:
-	vfree(buf);
-bail:
-	return ret;
-}
-
-/**
- * qib_inc_eeprom_err - increment one of the four error counters
- * that are logged to EEPROM.
- * @dd: the qlogic_ib device
- * @eidx: 0..3, the counter to increment
- * @incr: how much to add
- *
- * Each counter is 8-bits, and saturates at 255 (0xFF). They
- * are copied to the EEPROM (aka flash) whenever qib_update_eeprom_log()
- * is called, but it can only be called in a context that allows sleep.
- * This function can be called even at interrupt level.
- */
-void qib_inc_eeprom_err(struct qib_devdata *dd, u32 eidx, u32 incr)
-{
-	uint new_val;
-	unsigned long flags;
-
-	spin_lock_irqsave(&dd->eep_st_lock, flags);
-	new_val = dd->eep_st_new_errs[eidx] + incr;
-	if (new_val > 255)
-		new_val = 255;
-	dd->eep_st_new_errs[eidx] = new_val;
-	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
-}
--- a/drivers/infiniband/hw/qib/qib_iba6120.c
+++ b/drivers/infiniband/hw/qib/qib_iba6120.c
@@ -2682,8 +2682,6 @@ static void qib_get_6120_faststats(unsig
 	spin_lock_irqsave(&dd->eep_st_lock, flags);
 	traffic_wds -= dd->traffic_wds;
 	dd->traffic_wds += traffic_wds;
-	if (traffic_wds  >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
-		atomic_add(5, &dd->active_time); /* S/B #define */
 	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
 
 	qib_chk_6120_errormask(dd);
--- a/drivers/infiniband/hw/qib/qib_iba7220.c
+++ b/drivers/infiniband/hw/qib/qib_iba7220.c
@@ -3299,8 +3299,6 @@ static void qib_get_7220_faststats(unsig
 	spin_lock_irqsave(&dd->eep_st_lock, flags);
 	traffic_wds -= dd->traffic_wds;
 	dd->traffic_wds += traffic_wds;
-	if (traffic_wds  >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
-		atomic_add(5, &dd->active_time); /* S/B #define */
 	spin_unlock_irqrestore(&dd->eep_st_lock, flags);
 done:
 	mod_timer(&dd->stats_timer, jiffies + HZ * ACTIVITY_TIMER);
--- a/drivers/infiniband/hw/qib/qib_iba7322.c
+++ b/drivers/infiniband/hw/qib/qib_iba7322.c
@@ -5191,8 +5191,6 @@ static void qib_get_7322_faststats(unsig
 		spin_lock_irqsave(&ppd->dd->eep_st_lock, flags);
 		traffic_wds -= ppd->dd->traffic_wds;
 		ppd->dd->traffic_wds += traffic_wds;
-		if (traffic_wds >= QIB_TRAFFIC_ACTIVE_THRESHOLD)
-			atomic_add(ACTIVITY_TIMER, &ppd->dd->active_time);
 		spin_unlock_irqrestore(&ppd->dd->eep_st_lock, flags);
 		if (ppd->cpspec->qdr_dfe_on && (ppd->link_speed_active &
 						QIB_IB_QDR) &&
--- a/drivers/infiniband/hw/qib/qib_init.c
+++ b/drivers/infiniband/hw/qib/qib_init.c
@@ -922,7 +922,6 @@ static void qib_shutdown_device(struct q
 		}
 	}
 
-	qib_update_eeprom_log(dd);
 }
 
 /**
--- a/drivers/infiniband/hw/qib/qib_sysfs.c
+++ b/drivers/infiniband/hw/qib/qib_sysfs.c
@@ -611,28 +611,6 @@ bail:
 	return ret < 0 ? ret : count;
 }
 
-static ssize_t show_logged_errs(struct device *device,
-				struct device_attribute *attr, char *buf)
-{
-	struct qib_ibdev *dev =
-		container_of(device, struct qib_ibdev, ibdev.dev);
-	struct qib_devdata *dd = dd_from_dev(dev);
-	int idx, count;
-
-	/* force consistency with actual EEPROM */
-	if (qib_update_eeprom_log(dd) != 0)
-		return -ENXIO;
-
-	count = 0;
-	for (idx = 0; idx < QIB_EEP_LOG_CNT; ++idx) {
-		count += scnprintf(buf + count, PAGE_SIZE - count, "%d%c",
-				   dd->eep_st_errs[idx],
-				   idx == (QIB_EEP_LOG_CNT - 1) ? '\n' : ' ');
-	}
-
-	return count;
-}
-
 /*
  * Dump tempsense regs. in decimal, to ease shell-scripts.
  */
@@ -679,7 +657,6 @@ static DEVICE_ATTR(nctxts, S_IRUGO, show
 static DEVICE_ATTR(nfreectxts, S_IRUGO, show_nfreectxts, NULL);
 static DEVICE_ATTR(serial, S_IRUGO, show_serial, NULL);
 static DEVICE_ATTR(boardversion, S_IRUGO, show_boardversion, NULL);
-static DEVICE_ATTR(logged_errors, S_IRUGO, show_logged_errs, NULL);
 static DEVICE_ATTR(tempsense, S_IRUGO, show_tempsense, NULL);
 static DEVICE_ATTR(localbus_info, S_IRUGO, show_localbus_info, NULL);
 static DEVICE_ATTR(chip_reset, S_IWUSR, NULL, store_chip_reset);
@@ -693,7 +670,6 @@ static struct device_attribute *qib_attr
 	&dev_attr_nfreectxts,
 	&dev_attr_serial,
 	&dev_attr_boardversion,
-	&dev_attr_logged_errors,
 	&dev_attr_tempsense,
 	&dev_attr_localbus_info,
 	&dev_attr_chip_reset,



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 71/96] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 70/96] IB/qib: Do not write EEPROM Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 72/96] IB/core: Fix deadlock on uverbs modify_qp error flow Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Carol Soto, Or Gerlitz, Roland Dreier

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Or Gerlitz <ogerlitz@mellanox.com>

commit e9a7faf11af94957e5107b40af46c2e329541510 upstream.

The MLX4_PROT_IB_IPV4 protocol should only be used with RoCEv2 and such.
Removing this wrong usage allows to run multicast applications over RoCE.

Fixes: d487ee77740c ("IB/mlx4: Use IBoE (RoCE) IP based GIDs in the port GID table")
Reported-by: Carol Soto <clsoto@linux.vnet.ibm.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/hw/mlx4/main.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1161,8 +1161,7 @@ static int mlx4_ib_mcg_attach(struct ib_
 	struct mlx4_ib_qp *mqp = to_mqp(ibqp);
 	u64 reg_id;
 	struct mlx4_ib_steering *ib_steering = NULL;
-	enum mlx4_protocol prot = (gid->raw[1] == 0x0e) ?
-		MLX4_PROT_IB_IPV4 : MLX4_PROT_IB_IPV6;
+	enum mlx4_protocol prot = MLX4_PROT_IB_IPV6;
 
 	if (mdev->dev->caps.steering_mode ==
 	    MLX4_STEERING_MODE_DEVICE_MANAGED) {
@@ -1175,8 +1174,10 @@ static int mlx4_ib_mcg_attach(struct ib_
 				    !!(mqp->flags &
 				       MLX4_IB_QP_BLOCK_MULTICAST_LOOPBACK),
 				    prot, &reg_id);
-	if (err)
+	if (err) {
+		pr_err("multicast attach op failed, err %d\n", err);
 		goto err_malloc;
+	}
 
 	err = add_gid_entry(ibqp, gid);
 	if (err)
@@ -1224,8 +1225,7 @@ static int mlx4_ib_mcg_detach(struct ib_
 	struct net_device *ndev;
 	struct mlx4_ib_gid_entry *ge;
 	u64 reg_id = 0;
-	enum mlx4_protocol prot = (gid->raw[1] == 0x0e) ?
-		MLX4_PROT_IB_IPV4 : MLX4_PROT_IB_IPV6;
+	enum mlx4_protocol prot =  MLX4_PROT_IB_IPV6;
 
 	if (mdev->dev->caps.steering_mode ==
 	    MLX4_STEERING_MODE_DEVICE_MANAGED) {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 72/96] IB/core: Fix deadlock on uverbs modify_qp error flow
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 71/96] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 73/96] IB/core: When marshaling ucma path from user-space, clear unused fields Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Moshe Lazer, Or Gerlitz, Roland Dreier

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Moshe Lazer <moshel@mellanox.com>

commit 0fb8bcf022f19a375d7c4bd79ac513da8ae6d78b upstream.

The deadlock occurs in __uverbs_modify_qp: we take a lock (idr_read_qp)
and in case of failure in ib_resolve_eth_l2_attrs we don't release
it (put_qp_read).  Fix that.

Fixes: ed4c54e5b4ba ("IB/core: Resolve Ethernet L2 addresses when modifying QP")
Signed-off-by: Moshe Lazer <moshel@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/uverbs_cmd.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -1964,20 +1964,21 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
 	if (qp->real_qp == qp) {
 		ret = ib_resolve_eth_l2_attrs(qp, attr, &cmd.attr_mask);
 		if (ret)
-			goto out;
+			goto release_qp;
 		ret = qp->device->modify_qp(qp, attr,
 			modify_qp_mask(qp->qp_type, cmd.attr_mask), &udata);
 	} else {
 		ret = ib_modify_qp(qp, attr, modify_qp_mask(qp->qp_type, cmd.attr_mask));
 	}
 
-	put_qp_read(qp);
-
 	if (ret)
-		goto out;
+		goto release_qp;
 
 	ret = in_len;
 
+release_qp:
+	put_qp_read(qp);
+
 out:
 	kfree(attr);
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 73/96] IB/core: When marshaling ucma path from user-space, clear unused fields
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 72/96] IB/core: Fix deadlock on uverbs modify_qp error flow Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 74/96] nilfs2: fix potential memory overrun on inode Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilya Nelkenbaum, Or Gerlitz, Roland Dreier

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Nelkenbaum <ilyan@mellanox.com>

commit c2be9dc0e0fa59cc43c2c7084fc42b430809a0fe upstream.

When marshaling a user path to the kernel struct ib_sa_path, we need
to zero smac and dmac and set the vlan id to the "no vlan" value.

This is to ensure that Ethernet attributes are not used with
InfiniBand QPs.

Fixes: dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures")
Signed-off-by: Ilya Nelkenbaum <ilyan@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/ucma.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1124,6 +1124,9 @@ static int ucma_set_ib_path(struct ucma_
 	if (!optlen)
 		return -EINVAL;
 
+	memset(&sa_path, 0, sizeof(sa_path));
+	sa_path.vlan_id = 0xffff;
+
 	ib_sa_unpack_path(path_data->path_rec, &sa_path);
 	ret = rdma_set_ib_paths(ctx->cm_id, &sa_path, 1);
 	if (ret)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 74/96] nilfs2: fix potential memory overrun on inode
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 73/96] IB/core: When marshaling ucma path from user-space, clear unused fields Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 75/96] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ryusuke Konishi, Andrew Morton,
	Linus Torvalds

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

commit 957ed60b53b519064a54988c4e31e0087e47d091 upstream.

Each inode of nilfs2 stores a root node of a b-tree, and it turned out to
have a memory overrun issue:

Each b-tree node of nilfs2 stores a set of key-value pairs and the number
of them (in "bn_nchildren" member of nilfs_btree_node struct), as well as
a few other "bn_*" members.

Since the value of "bn_nchildren" is used for operations on the key-values
within the b-tree node, it can cause memory access overrun if a large
number is incorrectly set to "bn_nchildren".

For instance, nilfs_btree_node_lookup() function determines the range of
binary search with it, and too large "bn_nchildren" leads
nilfs_btree_node_get_key() in that function to overrun.

As for intermediate b-tree nodes, this is prevented by a sanity check
performed when each node is read from a drive, however, no sanity check
has been done for root nodes stored in inodes.

This patch fixes the issue by adding missing sanity check against b-tree
root nodes so that it's called when on-memory inodes are read from ifile,
inode metadata file.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nilfs2/btree.c |   47 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)

--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -31,6 +31,8 @@
 #include "alloc.h"
 #include "dat.h"
 
+static void __nilfs_btree_init(struct nilfs_bmap *bmap);
+
 static struct nilfs_btree_path *nilfs_btree_alloc_path(void)
 {
 	struct nilfs_btree_path *path;
@@ -368,6 +370,34 @@ static int nilfs_btree_node_broken(const
 	return ret;
 }
 
+/**
+ * nilfs_btree_root_broken - verify consistency of btree root node
+ * @node: btree root node to be examined
+ * @ino: inode number
+ *
+ * Return Value: If node is broken, 1 is returned. Otherwise, 0 is returned.
+ */
+static int nilfs_btree_root_broken(const struct nilfs_btree_node *node,
+				   unsigned long ino)
+{
+	int level, flags, nchildren;
+	int ret = 0;
+
+	level = nilfs_btree_node_get_level(node);
+	flags = nilfs_btree_node_get_flags(node);
+	nchildren = nilfs_btree_node_get_nchildren(node);
+
+	if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+		     level > NILFS_BTREE_LEVEL_MAX ||
+		     nchildren < 0 ||
+		     nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
+		pr_crit("NILFS: bad btree root (inode number=%lu): level = %d, flags = 0x%x, nchildren = %d\n",
+			ino, level, flags, nchildren);
+		ret = 1;
+	}
+	return ret;
+}
+
 int nilfs_btree_broken_node_block(struct buffer_head *bh)
 {
 	int ret;
@@ -1713,7 +1743,7 @@ nilfs_btree_commit_convert_and_insert(st
 
 	/* convert and insert */
 	dat = NILFS_BMAP_USE_VBN(btree) ? nilfs_bmap_get_dat(btree) : NULL;
-	nilfs_btree_init(btree);
+	__nilfs_btree_init(btree);
 	if (nreq != NULL) {
 		nilfs_bmap_commit_alloc_ptr(btree, dreq, dat);
 		nilfs_bmap_commit_alloc_ptr(btree, nreq, dat);
@@ -2294,12 +2324,23 @@ static const struct nilfs_bmap_operation
 	.bop_gather_data	=	NULL,
 };
 
-int nilfs_btree_init(struct nilfs_bmap *bmap)
+static void __nilfs_btree_init(struct nilfs_bmap *bmap)
 {
 	bmap->b_ops = &nilfs_btree_ops;
 	bmap->b_nchildren_per_block =
 		NILFS_BTREE_NODE_NCHILDREN_MAX(nilfs_btree_node_size(bmap));
-	return 0;
+}
+
+int nilfs_btree_init(struct nilfs_bmap *bmap)
+{
+	int ret = 0;
+
+	__nilfs_btree_init(bmap);
+
+	if (nilfs_btree_root_broken(nilfs_btree_get_root(bmap),
+				    bmap->b_inode->i_ino))
+		ret = -EIO;
+	return ret;
 }
 
 void nilfs_btree_init_gc(struct nilfs_bmap *bmap)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 75/96] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit.
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 74/96] nilfs2: fix potential memory overrun on inode Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 76/96] clk: zynq: Force CPU_2X clock to be ungated Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Minh Tran, James Bottomley

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Minh Duc Tran <MinhDuc.Tran@Emulex.Com>

commit f76a610a8b4b6280eaedf48f3af9d5d74e418b66 upstream.

In reference to bug https://bugzilla.redhat.com/show_bug.cgi?id=1097141
Assert is seen with AMD cpu whenever calling pci_alloc_consistent.

[   29.406183] ------------[ cut here ]------------
[   29.410505] kernel BUG at lib/iommu-helper.c:13!

Signed-off-by: Minh Tran <minh.tran@emulex.com>
Fixes: 6733b39a1301b0b020bbcbf3295852e93e624cb1
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/be2iscsi/be_main.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -581,7 +581,6 @@ static struct beiscsi_hba *beiscsi_hba_a
 			"beiscsi_hba_alloc - iscsi_host_alloc failed\n");
 		return NULL;
 	}
-	shost->dma_boundary = pcidev->dma_mask;
 	shost->max_id = BE2_MAX_SESSIONS;
 	shost->max_channel = 0;
 	shost->max_cmd_len = BEISCSI_MAX_CMD_LEN;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 76/96] clk: zynq: Force CPU_2X clock to be ungated
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 75/96] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 77/96] sunxi: clk: Set sun6i-pll1 n_start = 1 Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Soren Brinkmann, Michael Turquette

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Soren Brinkmann <soren.brinkmann@xilinx.com>

commit 3dccfecdb867fe35b305a4e493ef5652b7d9d4cb upstream.

The CPU_2X clock does not have a classical in-kernel user, but is,
amongst other things, required for OCM and debug access. Make sure this
clock is not mistakenly disabled during boot up by enabling it in the
platform's clock driver.

Fixes: 0ee52b157b8e 'clk: zynq: Add clock controller driver'
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
Signed-off-by: Michael Turquette <mturquette@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/zynq/clkc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/zynq/clkc.c
+++ b/drivers/clk/zynq/clkc.c
@@ -300,6 +300,7 @@ static void __init zynq_clk_setup(struct
 	clks[cpu_2x] = clk_register_gate(NULL, clk_output_name[cpu_2x],
 			"cpu_2x_div", CLK_IGNORE_UNUSED, SLCR_ARM_CLK_CTRL,
 			26, 0, &armclk_lock);
+	clk_prepare_enable(clks[cpu_2x]);
 
 	clk = clk_register_fixed_factor(NULL, "cpu_1x_div", "cpu_div", 0, 1,
 			4 + 2 * tmp);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 77/96] sunxi: clk: Set sun6i-pll1 n_start = 1
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 76/96] clk: zynq: Force CPU_2X clock to be ungated Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 78/96] clk: sunxi: Support factor clocks with N factor starting not from 0 Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Hans de Goede, Maxime Ripard

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 76820fcf7aa5a418b69cb7bed31b62d1feb1d6ad upstream.

For all pll-s on sun6i n == 0 means use a multiplier of 1, rather then 0 as
it means on sun4i / sun5i / sun7i. n_start = 1 is already correctly set
for sun6i pll6, but was missing for pll1, this commit fixes this.

Cc: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/sunxi/clk-sunxi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/sunxi/clk-sunxi.c
+++ b/drivers/clk/sunxi/clk-sunxi.c
@@ -407,6 +407,7 @@ static struct clk_factors_config sun6i_a
 	.kwidth = 2,
 	.mshift = 0,
 	.mwidth = 2,
+	.n_start = 1,
 };
 
 static struct clk_factors_config sun4i_pll5_config = {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 78/96] clk: sunxi: Support factor clocks with N factor starting not from 0
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 77/96] sunxi: clk: Set sun6i-pll1 n_start = 1 Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 79/96] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Maxime Ripard

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit 9a5e6c7eb5ccbb5f0d3a1dffce135f0a727f40e1 upstream.

The PLLs on newer Allwinner SoC's, such as the A31 and A23, have a
N multiplier factor that starts from 1, not 0.

This patch adds an option to the factor clk driver's config data
structures to specify the base value of N.

Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/sunxi/clk-factors.c |    2 +-
 drivers/clk/sunxi/clk-factors.h |    1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/clk/sunxi/clk-factors.c
+++ b/drivers/clk/sunxi/clk-factors.c
@@ -62,7 +62,7 @@ static unsigned long clk_factors_recalc_
 		p = FACTOR_GET(config->pshift, config->pwidth, reg);
 
 	/* Calculate the rate */
-	rate = (parent_rate * n * (k + 1) >> p) / (m + 1);
+	rate = (parent_rate * (n + config->n_start) * (k + 1) >> p) / (m + 1);
 
 	return rate;
 }
--- a/drivers/clk/sunxi/clk-factors.h
+++ b/drivers/clk/sunxi/clk-factors.h
@@ -15,6 +15,7 @@ struct clk_factors_config {
 	u8 mwidth;
 	u8 pshift;
 	u8 pwidth;
+	u8 n_start;
 };
 
 struct clk_factors {



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 79/96] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 78/96] clk: sunxi: Support factor clocks with N factor starting not from 0 Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 80/96] dm mirror: do not degrade the mirror on discard error Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ian Abbott, H Hartley Sweeten

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 42b8ce6f55facfa101462e694d33fc6bca471138 upstream.

`do_cmd_ioctl()` in "comedi_fops.c" handles the `COMEDI_CMD` ioctl.
This returns `-EAGAIN` if it has copied a modified `struct comedi_cmd`
back to user-space.  (This occurs when the low-level Comedi driver's
`do_cmdtest()` handler returns non-zero to indicate a problem with the
contents of the `struct comedi_cmd`, or when the `struct comedi_cmd` has
the `CMDF_BOGUS` flag set.)

`compat_cmd()` in "comedi_compat32.c" handles the 32-bit compatible
version of the `COMEDI_CMD` ioctl.  Currently, it never copies a 32-bit
compatible version of `struct comedi_cmd` back to user-space, which is
at odds with the way the regular `COMEDI_CMD` ioctl is handled.  To fix
it, change `compat_cmd()` to copy a 32-bit compatible version of the
`struct comedi_cmd` back to user-space when the main ioctl handler
returns `-EAGAIN`.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/comedi_compat32.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/staging/comedi/comedi_compat32.c
+++ b/drivers/staging/comedi/comedi_compat32.c
@@ -262,7 +262,7 @@ static int compat_cmd(struct file *file,
 {
 	struct comedi_cmd __user *cmd;
 	struct comedi32_cmd_struct __user *cmd32;
-	int rc;
+	int rc, err;
 
 	cmd32 = compat_ptr(arg);
 	cmd = compat_alloc_user_space(sizeof(*cmd));
@@ -271,7 +271,15 @@ static int compat_cmd(struct file *file,
 	if (rc)
 		return rc;
 
-	return translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd);
+	rc = translated_ioctl(file, COMEDI_CMD, (unsigned long)cmd);
+	if (rc == -EAGAIN) {
+		/* Special case: copy cmd back to user. */
+		err = put_compat_cmd(cmd32, cmd);
+		if (err)
+			rc = err;
+	}
+
+	return rc;
 }
 
 /* Handle 32-bit COMEDI_CMDTEST ioctl. */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 80/96] dm mirror: do not degrade the mirror on discard error
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 79/96] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 81/96] dm io: reject unsupported DISCARD requests with EOPNOTSUPP Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit f2ed51ac64611d717d1917820a01930174c2f236 upstream.

It may be possible that a device claims discard support but it rejects
discards with -EOPNOTSUPP.  It happens when using loopback on ext2/ext3
filesystem driven by the ext4 driver.  It may also happen if the
underlying devices are moved from one disk on another.

If discard error happens, we reject the bio with -EOPNOTSUPP, but we do
not degrade the array.

This patch fixes failed test shell/lvconvert-repair-transient.sh in the
lvm2 testsuite if the testsuite is extracted on an ext2 or ext3
filesystem and it is being driven by the ext4 driver.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-raid1.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/md/dm-raid1.c
+++ b/drivers/md/dm-raid1.c
@@ -604,6 +604,15 @@ static void write_callback(unsigned long
 		return;
 	}
 
+	/*
+	 * If the bio is discard, return an error, but do not
+	 * degrade the array.
+	 */
+	if (bio->bi_rw & REQ_DISCARD) {
+		bio_endio(bio, -EOPNOTSUPP);
+		return;
+	}
+
 	for (i = 0; i < ms->nr_mirrors; i++)
 		if (test_bit(i, &error))
 			fail_mirror(ms->mirror + i, DM_RAID1_WRITE_ERROR);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 81/96] dm io: reject unsupported DISCARD requests with EOPNOTSUPP
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 80/96] dm mirror: do not degrade the mirror on discard error Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 82/96] dm: fix a race condition in dm_get_md Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Martin K. Petersen,
	Mike Snitzer

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darrick.wong@oracle.com>

commit 37527b869207ad4c208b1e13967d69b8bba1fbf9 upstream.

I created a dm-raid1 device backed by a device that supports DISCARD
and another device that does NOT support DISCARD with the following
dm configuration:

 #  echo '0 2048 mirror core 1 512 2 /dev/sda 0 /dev/sdb 0' | dmsetup create moo
 # lsblk -D
 NAME         DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
 sda                 0        4K       1G         0
 `-moo (dm-0)        0        4K       1G         0
 sdb                 0        0B       0B         0
 `-moo (dm-0)        0        4K       1G         0

Notice that the mirror device /dev/mapper/moo advertises DISCARD
support even though one of the mirror halves doesn't.

If I issue a DISCARD request (via fstrim, mount -o discard, or ioctl
BLKDISCARD) through the mirror, kmirrord gets stuck in an infinite
loop in do_region() when it tries to issue a DISCARD request to sdb.
The problem is that when we call do_region() against sdb, num_sectors
is set to zero because q->limits.max_discard_sectors is zero.
Therefore, "remaining" never decreases and the loop never terminates.

To fix this: before entering the loop, check for the combination of
REQ_DISCARD and no discard and return -EOPNOTSUPP to avoid hanging up
the mirror device.

This bug was found by the unfortunate coincidence of pvmove and a
discard operation in the RHEL 6.5 kernel; upstream is also affected.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Acked-by: "Martin K. Petersen" <martin.petersen@oracle.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-io.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -292,6 +292,12 @@ static void do_region(int rw, unsigned r
 	unsigned short logical_block_size = queue_logical_block_size(q);
 	sector_t num_sectors;
 
+	/* Reject unsupported discard requests */
+	if ((rw & REQ_DISCARD) && !blk_queue_discard(q)) {
+		dec_count(io, region, -EOPNOTSUPP);
+		return;
+	}
+
 	/*
 	 * where->count may be zero if rw holds a flush and we need to
 	 * send a zero-sized flush.



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 82/96] dm: fix a race condition in dm_get_md
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 81/96] dm io: reject unsupported DISCARD requests with EOPNOTSUPP Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 83/96] dm snapshot: fix a possible invalid memory access on unload Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 2bec1f4a8832e74ebbe859f176d8a9cb20dd97f4 upstream.

The function dm_get_md finds a device mapper device with a given dev_t,
increases the reference count and returns the pointer.

dm_get_md calls dm_find_md, dm_find_md takes _minor_lock, finds the
device, tests that the device doesn't have DMF_DELETING or DMF_FREEING
flag, drops _minor_lock and returns pointer to the device. dm_get_md then
calls dm_get. dm_get calls BUG if the device has the DMF_FREEING flag,
otherwise it increments the reference count.

There is a possible race condition - after dm_find_md exits and before
dm_get is called, there are no locks held, so the device may disappear or
DMF_FREEING flag may be set, which results in BUG.

To fix this bug, we need to call dm_get while we hold _minor_lock. This
patch renames dm_find_md to dm_get_md and changes it so that it calls
dm_get while holding the lock.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm.c |   27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2288,7 +2288,7 @@ int dm_setup_md_queue(struct mapped_devi
 	return 0;
 }
 
-static struct mapped_device *dm_find_md(dev_t dev)
+struct mapped_device *dm_get_md(dev_t dev)
 {
 	struct mapped_device *md;
 	unsigned minor = MINOR(dev);
@@ -2299,12 +2299,15 @@ static struct mapped_device *dm_find_md(
 	spin_lock(&_minor_lock);
 
 	md = idr_find(&_minor_idr, minor);
-	if (md && (md == MINOR_ALLOCED ||
-		   (MINOR(disk_devt(dm_disk(md))) != minor) ||
-		   dm_deleting_md(md) ||
-		   test_bit(DMF_FREEING, &md->flags))) {
-		md = NULL;
-		goto out;
+	if (md) {
+		if ((md == MINOR_ALLOCED ||
+		     (MINOR(disk_devt(dm_disk(md))) != minor) ||
+		     dm_deleting_md(md) ||
+		     test_bit(DMF_FREEING, &md->flags))) {
+			md = NULL;
+			goto out;
+		}
+		dm_get(md);
 	}
 
 out:
@@ -2312,16 +2315,6 @@ out:
 
 	return md;
 }
-
-struct mapped_device *dm_get_md(dev_t dev)
-{
-	struct mapped_device *md = dm_find_md(dev);
-
-	if (md)
-		dm_get(md);
-
-	return md;
-}
 EXPORT_SYMBOL_GPL(dm_get_md);
 
 void *dm_get_mdptr(struct mapped_device *md)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 83/96] dm snapshot: fix a possible invalid memory access on unload
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 82/96] dm: fix a race condition in dm_get_md Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 84/96] staging: comedi: cb_pcidas64: fix incorrect AI range code handling Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 22aa66a3ee5b61e0f4a0bfeabcaa567861109ec3 upstream.

When the snapshot target is unloaded, snapshot_dtr() waits until
pending_exceptions_count drops to zero.  Then, it destroys the snapshot.
Therefore, the function that decrements pending_exceptions_count
should not touch the snapshot structure after the decrement.

pending_complete() calls free_pending_exception(), which decrements
pending_exceptions_count, and then it performs up_write(&s->lock) and it
calls retry_origin_bios() which dereferences  s->origin.  These two
memory accesses to the fields of the snapshot may touch the dm_snapshot
struture after it is freed.

This patch moves the call to free_pending_exception() to the end of
pending_complete(), so that the snapshot will not be destroyed while
pending_complete() is in progress.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-snap.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -1440,8 +1440,6 @@ out:
 		full_bio->bi_private = pe->full_bio_private;
 		atomic_inc(&full_bio->bi_remaining);
 	}
-	free_pending_exception(pe);
-
 	increment_pending_exceptions_done_count();
 
 	up_write(&s->lock);
@@ -1458,6 +1456,8 @@ out:
 	}
 
 	retry_origin_bios(s, origin_bios);
+
+	free_pending_exception(pe);
 }
 
 static void commit_callback(void *context, int success)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 84/96] staging: comedi: cb_pcidas64: fix incorrect AI range code handling
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 83/96] dm snapshot: fix a possible invalid memory access on unload Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 85/96] HID: input: fix confusion on conflicting mappings Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ian Abbott

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit be8e89087ec2d2c8a1ad1e3db64bf4efdfc3c298 upstream.

The hardware range code values and list of valid ranges for the AI
subdevice is incorrect for several supported boards.  The hardware range
code values for all boards except PCI-DAS4020/12 is determined by
calling `ai_range_bits_6xxx()` based on the maximum voltage of the range
and whether it is bipolar or unipolar, however it only returns the
correct hardware range code for the PCI-DAS60xx boards.  For
PCI-DAS6402/16 (and /12) it returns the wrong code for the unipolar
ranges.  For PCI-DAS64/Mx/16 it returns the wrong code for all the
ranges and the comedi range table is incorrect.

Change `ai_range_bits_6xxx()` to use a look-up table pointed to by new
member `ai_range_codes` of `struct pcidas64_board` to map the comedi
range table indices to the hardware range codes.  Use a new comedi range
table for the PCI-DAS64/Mx/16 boards (and the commented out variants).

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/cb_pcidas64.c |  124 ++++++++++++++++-----------
 1 file changed, 76 insertions(+), 48 deletions(-)

--- a/drivers/staging/comedi/drivers/cb_pcidas64.c
+++ b/drivers/staging/comedi/drivers/cb_pcidas64.c
@@ -441,6 +441,29 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_64xx[8] = {
+	0x0, 0x1, 0x2, 0x3,	/* bipolar 10, 5, 2,5, 1.25 */
+	0x8, 0x9, 0xa, 0xb	/* unipolar 10, 5, 2.5, 1.25 */
+};
+
+/* analog input ranges for 64-Mx boards */
+static const struct comedi_lrange ai_ranges_64_mx = {
+	7, {
+		BIP_RANGE(5),
+		BIP_RANGE(2.5),
+		BIP_RANGE(1.25),
+		BIP_RANGE(0.625),
+		UNI_RANGE(5),
+		UNI_RANGE(2.5),
+		UNI_RANGE(1.25)
+	}
+};
+
+static const uint8_t ai_range_code_64_mx[7] = {
+	0x0, 0x1, 0x2, 0x3,	/* bipolar 5, 2.5, 1.25, 0.625 */
+	0x9, 0xa, 0xb		/* unipolar 5, 2.5, 1.25 */
+};
+
 /* analog input ranges for 60xx boards */
 static const struct comedi_lrange ai_ranges_60xx = {
 	4, {
@@ -451,6 +474,10 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_60xx[4] = {
+	0x0, 0x1, 0x4, 0x7	/* bipolar 10, 5, 0.5, 0.05 */
+};
+
 /* analog input ranges for 6030, etc boards */
 static const struct comedi_lrange ai_ranges_6030 = {
 	14, {
@@ -471,6 +498,11 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_6030[14] = {
+	0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, /* bip 10, 5, 2, 1, 0.5, 0.2, 0.1 */
+	0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf  /* uni 10, 5, 2, 1, 0.5, 0.2, 0.1 */
+};
+
 /* analog input ranges for 6052, etc boards */
 static const struct comedi_lrange ai_ranges_6052 = {
 	15, {
@@ -492,6 +524,11 @@ static const struct comedi_lrange ai_ran
 	}
 };
 
+static const uint8_t ai_range_code_6052[15] = {
+	0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7,	/* bipolar 10 ... 0.05 */
+	0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf	/* unipolar 10 ... 0.1 */
+};
+
 /* analog input ranges for 4020 board */
 static const struct comedi_lrange ai_ranges_4020 = {
 	2, {
@@ -595,6 +632,7 @@ struct pcidas64_board {
 	int ai_bits;		/*  analog input resolution */
 	int ai_speed;		/*  fastest conversion period in ns */
 	const struct comedi_lrange *ai_range_table;
+	const uint8_t *ai_range_code;
 	int ao_nchan;		/*  number of analog out channels */
 	int ao_bits;		/*  analog output resolution */
 	int ao_scan_speed;	/*  analog output scan speed */
@@ -653,6 +691,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
 		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_code	= ai_range_code_64xx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -668,6 +707,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
 		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_code	= ai_range_code_64xx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -682,7 +722,8 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -697,7 +738,8 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -712,7 +754,8 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ao_range_table	= &ao_ranges_64xx,
 		.ao_range_code	= ao_range_code_64xx,
 		.ai_fifo	= &ai_fifo_64xx,
@@ -727,6 +770,7 @@ static const struct pcidas64_board pcida
 		.ao_bits	= 16,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -742,6 +786,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -756,6 +801,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -771,6 +817,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -786,6 +833,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -801,6 +849,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -814,6 +863,7 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
 		.has_8255	= 0,
 	},
@@ -825,6 +875,7 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6030,
+		.ai_range_code	= ai_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
 		.has_8255	= 0,
 	},
@@ -837,6 +888,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 0,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
 		.has_8255	= 0,
 	},
@@ -850,6 +902,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -865,6 +918,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 100000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_60xx,
+		.ai_range_code	= ai_range_code_60xx,
 		.ao_range_table	= &range_bipolar10,
 		.ao_range_code	= ao_range_code_60xx,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -880,6 +934,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 1000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -895,6 +950,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 3333,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -910,6 +966,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 1000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -925,6 +982,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 1000,
 		.layout		= LAYOUT_60XX,
 		.ai_range_table	= &ai_ranges_6052,
+		.ai_range_code	= ai_range_code_6052,
 		.ao_range_table	= &ao_ranges_6030,
 		.ao_range_code	= ao_range_code_6030,
 		.ai_fifo	= &ai_fifo_60xx,
@@ -959,6 +1017,7 @@ static const struct pcidas64_board pcida
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
 		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_code	= ai_range_code_64xx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -970,7 +1029,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -982,7 +1042,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -994,7 +1055,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 0,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1006,7 +1068,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 2,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1018,7 +1081,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 2,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1030,7 +1094,8 @@ static const struct pcidas64_board pcida
 		.ao_nchan	= 2,
 		.ao_scan_speed	= 10000,
 		.layout		= LAYOUT_64XX,
-		.ai_range_table	= &ai_ranges_64xx,
+		.ai_range_table	= &ai_ranges_64_mx,
+		.ai_range_code	= ai_range_code_64_mx,
 		.ai_fifo	= ai_fifo_64xx,
 		.has_8255	= 1,
 	},
@@ -1127,45 +1192,8 @@ static unsigned int ai_range_bits_6xxx(c
 				       unsigned int range_index)
 {
 	const struct pcidas64_board *thisboard = comedi_board(dev);
-	const struct comedi_krange *range =
-		&thisboard->ai_range_table->range[range_index];
-	unsigned int bits = 0;
-
-	switch (range->max) {
-	case 10000000:
-		bits = 0x000;
-		break;
-	case 5000000:
-		bits = 0x100;
-		break;
-	case 2000000:
-	case 2500000:
-		bits = 0x200;
-		break;
-	case 1000000:
-	case 1250000:
-		bits = 0x300;
-		break;
-	case 500000:
-		bits = 0x400;
-		break;
-	case 200000:
-	case 250000:
-		bits = 0x500;
-		break;
-	case 100000:
-		bits = 0x600;
-		break;
-	case 50000:
-		bits = 0x700;
-		break;
-	default:
-		comedi_error(dev, "bug! in ai_range_bits_6xxx");
-		break;
-	}
-	if (range->min == 0)
-		bits += 0x900;
-	return bits;
+
+	return thisboard->ai_range_code[range_index] << 8;
 }
 
 static unsigned int hw_revision(const struct comedi_device *dev,



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 85/96] HID: input: fix confusion on conflicting mappings
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 84/96] staging: comedi: cb_pcidas64: fix incorrect AI range code handling Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 86/96] HID: fixup the conflicting keyboard mappings quirk Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adam Goode, Fredrik Hallenberg,
	David Herrmann, Jiri Kosina

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Herrmann <dh.herrmann@gmail.com>

commit 6ce901eb61aa30ba8565c62049ee80c90728ef14 upstream.

On an PC-101/103/104 keyboard (American layout) the 'Enter' key and its
neighbours look like this:

           +---+ +---+ +-------+
           | 1 | | 2 | |   5   |
           +---+ +---+ +-------+
             +---+ +-----------+
             | 3 | |     4     |
             +---+ +-----------+

On a PC-102/105 keyboard (European layout) it looks like this:

           +---+ +---+ +-------+
           | 1 | | 2 | |       |
           +---+ +---+ +-+  4  |
             +---+ +---+ |     |
             | 3 | | 5 | |     |
             +---+ +---+ +-----+

(Note that the number of keys is the same, but key '5' is moved down and
 the shape of key '4' is changed. Keys '1' to '3' are exactly the same.)

The keys 1-4 report the same scan-code in HID in both layouts, even though
the keysym they produce is usually different depending on the XKB-keymap
used by user-space.
However, key '5' (US 'backslash'/'pipe') reports 0x31 for the upper layout
and 0x32 for the lower layout, as defined by the HID spec. This is highly
confusing as the linux-input API uses a single keycode for both.

So far, this was never a problem as there never has been a keyboard with
both of those keys present at the same time. It would have to look
something like this:

           +---+ +---+ +-------+
           | 1 | | 2 | |  x31  |
           +---+ +---+ +-------+
             +---+ +---+ +-----+
             | 3 | |x32| |  4  |
             +---+ +---+ +-----+

HID can represent such a keyboard, but the linux-input API cannot.
Furthermore, any user-space mapping would be confused by this and,
luckily, no-one ever produced such hardware.

Now, the HID input layer fixed this mess by mapping both 0x31 and 0x32 to
the same keycode (KEY_BACKSLASH==0x2b). As only one of both physical keys
is present on a hardware, this works just fine.

Lets introduce hardware-vendors into this:
------------------------------------------

Unfortunately, it seems way to expensive to produce a different device for
American and European layouts. Therefore, hardware-vendors put both keys,
(0x31 and 0x32) on the same keyboard, but only one of them is hooked up
to the physical button, the other one is 'dead'.
This means, they can use the same hardware, with a different button-layout
and automatically produce the correct HID events for American *and*
European layouts. This is unproblematic for normal keyboards, as the
'dead' key will never report any KEY-DOWN events. But RollOver keyboards
send the whole matrix on each key-event, allowing n-key roll-over mode.
This means, we get a 0x31 and 0x32 event on each key-press. One of them
will always be 0, the other reports the real state. As we map both to the
same keycode, we will get spurious key-events, even though the real
key-state never changed.

The easiest way would be to blacklist 'dead' keys and never handle those.
We could simply read the 'country' tag of USB devices and blacklist either
key according to the layout. But... hardware vendors... want the same
device for all countries and thus many of them set 'country' to 0 for all
devices. Meh..

So we have to deal with this properly. As we cannot know which of the keys
is 'dead', we either need a heuristic and track those keys, or we simply
make use of our value-tracking for HID fields. We simply ignore HID events
for absolute data if the data didn't change. As HID tracks events on the
HID level, we haven't done the keycode translation, yet. Therefore, the
'dead' key is tracked independently of the real key, therefore, any events
on it will be ignored.

This patch simply discards any HID events for absolute data if it didn't
change compared to the last report. We need to ignore relative and
buffered-byte reports for obvious reasons. But those cannot be affected by
this bug, so we're fine.

Preferably, we'd do this filtering on the HID-core level. But this might
break a lot of custom drivers, if they do not follow the HID specs.
Therefore, we do this late in hid-input just before we inject it into the
input layer (which does the exact same filtering, but on the keycode
level).

If this turns out to break some devices, we might have to limit filtering
to EV_KEY events. But lets try to do the Right Thing first, and properly
filter any absolute data that didn't change.

This patch is tagged for 'stable' as it fixes a lot of n-key RollOver
hardware. We might wanna wait with backporting for a while, before we know
it doesn't break anything else, though.

Reported-by: Adam Goode <adam@spicenitz.org>
Reported-by: Fredrik Hallenberg <megahallon@gmail.com>
Tested-by: Fredrik Hallenberg <megahallon@gmail.com>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-input.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1066,6 +1066,22 @@ void hidinput_hid_event(struct hid_devic
 		return;
 	}
 
+	/*
+	 * Ignore reports for absolute data if the data didn't change. This is
+	 * not only an optimization but also fixes 'dead' key reports. Some
+	 * RollOver implementations for localized keys (like BACKSLASH/PIPE; HID
+	 * 0x31 and 0x32) report multiple keys, even though a localized keyboard
+	 * can only have one of them physically available. The 'dead' keys
+	 * report constant 0. As all map to the same keycode, they'd confuse
+	 * the input layer. If we filter the 'dead' keys on the HID level, we
+	 * skip the keycode translation and only forward real events.
+	 */
+	if (!(field->flags & (HID_MAIN_ITEM_RELATIVE |
+	                      HID_MAIN_ITEM_BUFFERED_BYTE)) &&
+	    usage->usage_index < field->maxusage &&
+	    value == field->value[usage->usage_index])
+		return;
+
 	/* report the usage code as scancode if the key status has changed */
 	if (usage->type == EV_KEY && !!test_bit(usage->code, input->key) != value)
 		input_event(input, EV_MSC, MSC_SCAN, usage->hid);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 86/96] HID: fixup the conflicting keyboard mappings quirk
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 85/96] HID: input: fix confusion on conflicting mappings Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 87/96] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fredrik Hallenberg, David Herrmann,
	Jiri Kosina

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Kosina <jkosina@suse.cz>

commit 8e7b341037db1835ee6eea64663013cbfcf33575 upstream.

The ignore check that got added in 6ce901eb61 ("HID: input: fix confusion
on conflicting mappings") needs to properly check for VARIABLE reports
as well (ARRAY reports should be ignored), otherwise legitimate keyboards
might break.

Fixes: 6ce901eb61 ("HID: input: fix confusion on conflicting mappings")
Reported-by: Fredrik Hallenberg <megahallon@gmail.com>
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-input.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -1078,6 +1078,7 @@ void hidinput_hid_event(struct hid_devic
 	 */
 	if (!(field->flags & (HID_MAIN_ITEM_RELATIVE |
 	                      HID_MAIN_ITEM_BUFFERED_BYTE)) &&
+			      (field->flags & HID_MAIN_ITEM_VARIABLE) &&
 	    usage->usage_index < field->maxusage &&
 	    value == field->value[usage->usage_index])
 		return;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 87/96] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 86/96] HID: fixup the conflicting keyboard mappings quirk Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:09 ` [PATCH 3.14 88/96] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Gerecke, Benjamin Tissoires,
	Jiri Kosina

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gerecke <killertofu@gmail.com>

commit 33e5df0e0e32027866e9fb00451952998fc957f2 upstream.

It appears that the Cintiq Companion Hybrid does not send an ABS_MISC event to
userspace when any of its ExpressKeys are pressed. This is not strictly
necessary now that the pad exists on its own device, but should be fixed for
consistency's sake.

Traditionally both the stylus and pad shared the same device node, and
xf86-input-wacom would use ABS_MISC for disambiguation. Not sending this causes
the Hybrid to behave incorrectly with xf86-input-wacom beginning with its
8f44f3 commit.

Signed-off-by: Jason Gerecke <killertofu@gmail.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[killertofu@gmail.com: ported to drivers/input/tablet/wacom_wac.c]
Signed-off-by: Jason Gerecke <killertofu@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

---
 drivers/input/tablet/wacom_wac.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/input/tablet/wacom_wac.c
+++ b/drivers/input/tablet/wacom_wac.c
@@ -700,6 +700,12 @@ static int wacom_intuos_irq(struct wacom
 			input_report_key(input, BTN_7, (data[4] & 0x40));  /* Left   */
 			input_report_key(input, BTN_8, (data[4] & 0x80));  /* Down   */
 			input_report_key(input, BTN_0, (data[3] & 0x01));  /* Center */
+
+			if (data[4] | (data[3] & 0x01)) {
+				input_report_abs(input, ABS_MISC, PAD_DEVICE_ID);
+			} else {
+				input_report_abs(input, ABS_MISC, 0);
+			}
 		} else if (features->type >= INTUOS5S && features->type <= INTUOSPL) {
 			int i;
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 88/96] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 87/96] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid Greg Kroah-Hartman
@ 2015-03-16 14:09 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 89/96] drm/radeon: fix 1 RB harvest config setup for TN/RL Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 3d2d98ee1af0cf6eebfbd6bff4c17d3601ac1284 upstream.

Just in case it hasn't been calculated for the mode.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/r600_dpm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/radeon/r600_dpm.c
+++ b/drivers/gpu/drm/radeon/r600_dpm.c
@@ -187,7 +187,7 @@ u32 r600_dpm_get_vrefresh(struct radeon_
 		list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) {
 			radeon_crtc = to_radeon_crtc(crtc);
 			if (crtc->enabled && radeon_crtc->enabled && radeon_crtc->hw_mode.clock) {
-				vrefresh = radeon_crtc->hw_mode.vrefresh;
+				vrefresh = drm_mode_vrefresh(&radeon_crtc->hw_mode);
 				break;
 			}
 		}



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 89/96] drm/radeon: fix 1 RB harvest config setup for TN/RL
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2015-03-16 14:09 ` [PATCH 3.14 88/96] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 90/96] efi: Small leak on error in runtime map code Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit dbfb00c3e7e18439f2ebf67fe99bf7a50b5bae1e upstream.

The logic was reversed from what the hw actually exposed.
Fixes graphics corruption in certain harvest configurations.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/ni.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/radeon/ni.c
+++ b/drivers/gpu/drm/radeon/ni.c
@@ -1073,12 +1073,12 @@ static void cayman_gpu_init(struct radeo
 
 	if ((rdev->config.cayman.max_backends_per_se == 1) &&
 	    (rdev->flags & RADEON_IS_IGP)) {
-		if ((disabled_rb_mask & 3) == 1) {
-			/* RB0 disabled, RB1 enabled */
-			tmp = 0x11111111;
-		} else {
+		if ((disabled_rb_mask & 3) == 2) {
 			/* RB1 disabled, RB0 enabled */
 			tmp = 0x00000000;
+		} else {
+			/* RB0 disabled, RB1 enabled */
+			tmp = 0x11111111;
 		}
 	} else {
 		tmp = gb_addr_config & NUM_PIPES_MASK;



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 90/96] efi: Small leak on error in runtime map code
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 89/96] drm/radeon: fix 1 RB harvest config setup for TN/RL Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 91/96] ACPI / video: Load the module even if ACPI is disabled Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Dave Young, Matt Fleming

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 86d68a58d00db3770735b5919ef2c6b12d7f06f3 upstream.

The "> 0" here should ">= 0" so we free map_entries[0].

Fixes: 926172d46038 ('efi: Export EFI runtime memory mapping to sysfs')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/runtime-map.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/efi/runtime-map.c
+++ b/drivers/firmware/efi/runtime-map.c
@@ -170,7 +170,7 @@ int __init efi_runtime_map_init(struct k
 
 	return 0;
 out_add_entry:
-	for (j = i - 1; j > 0; j--) {
+	for (j = i - 1; j >= 0; j--) {
 		entry = *(map_entries + j);
 		kobject_put(&entry->kobj);
 	}



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 91/96] ACPI / video: Load the module even if ACPI is disabled
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 90/96] efi: Small leak on error in runtime map code Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 92/96] NFSv4: Dont call put_rpccred() under the rcu_read_lock() Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bill Augur, Chris Wilson,
	Daniel Vetter, Jani Nikula, Aaron Lu, Rafael J. Wysocki

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit 6e17cb12881ba8d5e456b89f072dc6b70048af36 upstream.

i915.ko depends upon the acpi/video.ko module and so refuses to load if
ACPI is disabled at runtime if for example the BIOS is broken beyond
repair. acpi/video provides an optional service for i915.ko and so we
should just allow the modules to load, but do no nothing in order to let
the machines boot correctly.

Reported-by: Bill Augur <bill-auger@programmer.net>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Jani Nikula <jani.nikula@intel.com>
Acked-by: Aaron Lu <aaron.lu@intel.com>
[ rjw: Fixed up the new comment in acpi_video_init() ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/video.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/acpi/video.c
+++ b/drivers/acpi/video.c
@@ -2064,6 +2064,17 @@ EXPORT_SYMBOL(acpi_video_unregister);
 
 static int __init acpi_video_init(void)
 {
+	/*
+	 * Let the module load even if ACPI is disabled (e.g. due to
+	 * a broken BIOS) so that i915.ko can still be loaded on such
+	 * old systems without an AcpiOpRegion.
+	 *
+	 * acpi_video_register() will report -ENODEV later as well due
+	 * to acpi_disabled when i915.ko tries to register itself afterwards.
+	 */
+	if (acpi_disabled)
+		return 0;
+
 	dmi_check_system(video_dmi_table);
 
 	if (intel_opregion_present())



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 92/96] NFSv4: Dont call put_rpccred() under the rcu_read_lock()
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 91/96] ACPI / video: Load the module even if ACPI is disabled Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 93/96] ASoC: omap-pcm: Correct dma mask Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 7c0af9ffb7bb4e5355470fa60b3eb711ddf226fa upstream.

put_rpccred() can sleep.

Fixes: 8f649c3762547 ("NFSv4: Fix the locking in nfs_inode_reclaim_delegation()")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/delegation.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/delegation.c
+++ b/fs/nfs/delegation.c
@@ -161,8 +161,8 @@ void nfs_inode_reclaim_delegation(struct
 				  &delegation->flags);
 			NFS_I(inode)->delegation_state = delegation->type;
 			spin_unlock(&delegation->lock);
-			put_rpccred(oldcred);
 			rcu_read_unlock();
+			put_rpccred(oldcred);
 			trace_nfs4_reclaim_delegation(inode, res->delegation_type);
 		} else {
 			/* We appear to have raced with a delegation return. */



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 93/96] ASoC: omap-pcm: Correct dma mask
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 92/96] NFSv4: Dont call put_rpccred() under the rcu_read_lock() Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 94/96] ath5k: fix spontaneus AR5312 freezes Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Grygorii Strashko, Peter Ujfalusi,
	Mark Brown

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Ujfalusi <peter.ujfalusi@ti.com>

commit d51199a83a2cf82a291d19ee852c44caa511427d upstream.

DMA_BIT_MASK of 64 is not valid dma address mask for OMAPs, it should be
set to 32.
The 64 was introduced by commit (in 2009):
a152ff24b978 ASoC: OMAP: Make DMA 64 aligned

But the dma_mask and coherent_dma_mask can not be used to specify alignment.

Fixes: a152ff24b978 (ASoC: OMAP: Make DMA 64 aligned)
Reported-by: Grygorii Strashko <Grygorii.Strashko@linaro.org>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/omap/omap-pcm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/soc/omap/omap-pcm.c
+++ b/sound/soc/omap/omap-pcm.c
@@ -200,7 +200,7 @@ static int omap_pcm_new(struct snd_soc_p
 	struct snd_pcm *pcm = rtd->pcm;
 	int ret;
 
-	ret = dma_coerce_mask_and_coherent(card->dev, DMA_BIT_MASK(64));
+	ret = dma_coerce_mask_and_coherent(card->dev, DMA_BIT_MASK(32));
 	if (ret)
 		return ret;
 



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 94/96] ath5k: fix spontaneus AR5312 freezes
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 93/96] ASoC: omap-pcm: Correct dma mask Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 95/96] ath6kl: fix struct hif_scatter_req list handling Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Nick Kossifidis,
	Luis R. Rodriguez, Christophe Prevotaux, Eric Bree,
	Sergey Ryazanov, Kalle Valo

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Ryazanov <ryazanov.s.a@gmail.com>

commit 8bfae4f9938b6c1f033a5159febe97e441d6d526 upstream.

Sometimes while CPU have some load and ath5k doing the wireless
interface reset the whole WiSoC completely freezes. Set of tests shows
that using atomic delay function while we wait interface reset helps to
avoid such freezes.

The easiest way to reproduce this issue: create a station interface,
start continous scan with wpa_supplicant and load CPU by something. Or
just create multiple station interfaces and put them all in continous
scan.

This patch partially reverts the commit 1846ac3dbec0 ("ath5k: Use
usleep_range where possible"), which replaces initial udelay()
by usleep_range().

I do not know actual source of this issue, but all looks like that HW
freeze is caused by transaction on internal SoC bus, while wireless
block is in reset state.

Also I should note that I do not know how many chips are affected, but I
did not see this issue with chips, other than AR5312.

CC: Jiri Slaby <jirislaby@gmail.com>
CC: Nick Kossifidis <mickflemm@gmail.com>
CC: Luis R. Rodriguez <mcgrof@do-not-panic.com>
Fixes: 1846ac3dbec0 ("ath5k: Use usleep_range where possible")
Reported-by: Christophe Prevotaux <c.prevotaux@rural-networks.com>
Tested-by: Christophe Prevotaux <c.prevotaux@rural-networks.com>
Tested-by: Eric Bree <ebree@nltinc.com>
Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath5k/reset.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath5k/reset.c
+++ b/drivers/net/wireless/ath/ath5k/reset.c
@@ -478,7 +478,7 @@ ath5k_hw_wisoc_reset(struct ath5k_hw *ah
 	regval = ioread32(reg);
 	iowrite32(regval | val, reg);
 	regval = ioread32(reg);
-	usleep_range(100, 150);
+	udelay(100);	/* NB: should be atomic */
 
 	/* Bring BB/MAC out of reset */
 	iowrite32(regval & ~val, reg);



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 95/96] ath6kl: fix struct hif_scatter_req list handling
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 94/96] ath5k: fix spontaneus AR5312 freezes Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 14:10 ` [PATCH 3.14 96/96] clk-gate: fix bit # check in clk_register_gate() Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Liu, Kalle Valo, Josh Cartwright

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kalle Valo <kvalo@qca.qualcomm.com>

commit 31b9cc9a873dcab161999622314f98a75d838975 upstream.

Jason noticed that with Yocto GCC 4.8.1 ath6kl crashes with this iperf command:

iperf -c $TARGET_IP -i 5 -t 50 -w 1M

The crash was:

Unable to handle kernel paging request at virtual address 1a480000
pgd = 80004000
[1a480000] *pgd=00000000
Internal error: Oops: 805 [#1] SMP ARM
Modules linked in: ath6kl_sdio ath6kl_core [last unloaded: ath6kl_core]
CPU: 0 PID: 1953 Comm: kworker/u4:0 Not tainted 3.10.9-1.0.0_alpha+dbf364b #1
Workqueue: ath6kl ath6kl_sdio_write_async_work [ath6kl_sdio]
task: dcc9a680 ti: dc9ae000 task.ti: dc9ae000
PC is at v7_dma_clean_range+0x20/0x38
LR is at dma_cache_maint_page+0x50/0x54
pc : [<8001a6f8>]    lr : [<800170fc>]    psr: 20000093
sp : dc9afcf8  ip : 8001a748  fp : 00000004
r10: 00000000  r9 : 00000001  r8 : 00000000
r7 : 00000001  r6 : 00000000  r5 : 80cb7000  r4 : 03f9a480
r3 : 0000001f  r2 : 00000020  r1 : 1a480000  r0 : 1a480000
Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 10c53c7d  Table: 6cc5004a  DAC: 00000015
Process kworker/u4:0 (pid: 1953, stack limit = 0xdc9ae238)
Stack: (0xdc9afcf8 to 0xdc9b0000)
fce0:                                                       80c9b29c 00000000
fd00: 00000000 80017134 8001a748 dc302ac0 00000000 00000000 dc454a00 80c12ed8
fd20: dc115410 80017238 00000000 dc454a10 00000001 80017588 00000001 00000000
fd40: 00000000 dc302ac0 dc9afe38 dc9afe68 00000004 80c12ed8 00000000 dc454a00
fd60: 00000004 80436f88 00000000 00000000 00000600 0000ffff 0000000c 80c113c4
fd80: 80c9b29c 00000001 00000004 dc115470 60000013 dc302ac0 dc46e000 dc302800
fda0: dc9afe10 dc302b78 60000013 dc302ac0 dc46e000 00000035 dc46e5b0 80438c90
fdc0: dc9afe10 dc302800 dc302800 dc9afe68 dc9afe38 80424cb4 00000005 dc9afe10
fde0: dc9afe20 80424de8 dc9afe10 dc302800 dc46e910 80424e90 dc473c00 dc454f00
fe00: 000001b5 7f619d64 dcc7c830 00000000 00000000 dc9afe38 dc9afe68 00000000
fe20: 00000000 00000000 dc9afe28 dc9afe28 80424d80 00000000 00000035 9cac0034
fe40: 00000000 00000000 00000000 00000000 000001b5 00000000 00000000 00000000
fe60: dc9afe68 dc9afe10 3b9aca00 00000000 00000080 00000034 00000000 00000100
fe80: 00000000 00000000 dc9afe10 00000004 dc454a00 00000000 dc46e010 dc46e96c
fea0: dc46e000 dc46e964 00200200 00100100 dc46e910 7f619ec0 00000600 80c0e770
fec0: dc15a900 dcc7c838 00000000 dc46e954 8042d434 dcc44680 dc46e954 dc004400
fee0: dc454500 00000000 00000000 dc9ae038 dc004400 8003c450 dcc44680 dc004414
ff00: dc46e954 dc454500 00000001 dcc44680 dc004414 dcc44698 dc9ae000 dc9ae030
ff20: 00000001 dc9ae000 dc004400 8003d158 8003d020 00000000 00000000 80c53941
ff40: dc9aff64 dcb71ea0 00000000 dcc44680 8003d020 00000000 00000000 00000000
ff60: 00000000 80042480 00000000 00000000 000000f8 dcc44680 00000000 00000000
ff80: dc9aff80 dc9aff80 00000000 00000000 dc9aff90 dc9aff90 dc9affac dcb71ea0
ffa0: 800423cc 00000000 00000000 8000e018 00000000 00000000 00000000 00000000
ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[<8001a6f8>] (v7_dma_clean_range+0x20/0x38) from [<800170fc>] (dma_cache_maint_page+0x50/0x54)
[<800170fc>] (dma_cache_maint_page+0x50/0x54) from [<80017134>] (__dma_page_cpu_to_dev+0x34/0x9c)
[<80017134>] (__dma_page_cpu_to_dev+0x34/0x9c) from [<80017238>] (arm_dma_map_page+0x64/0x68)
[<80017238>] (arm_dma_map_page+0x64/0x68) from [<80017588>] (arm_dma_map_sg+0x7c/0xf4)
[<80017588>] (arm_dma_map_sg+0x7c/0xf4) from [<80436f88>] (sdhci_send_command+0x894/0xe00)
[<80436f88>] (sdhci_send_command+0x894/0xe00) from [<80438c90>] (sdhci_request+0xc0/0x1ec)
[<80438c90>] (sdhci_request+0xc0/0x1ec) from [<80424cb4>] (mmc_start_request+0xb8/0xd4)
[<80424cb4>] (mmc_start_request+0xb8/0xd4) from [<80424de8>] (__mmc_start_req+0x60/0x84)
[<80424de8>] (__mmc_start_req+0x60/0x84) from [<80424e90>] (mmc_wait_for_req+0x10/0x20)
[<80424e90>] (mmc_wait_for_req+0x10/0x20) from [<7f619d64>] (ath6kl_sdio_scat_rw.isra.10+0x1dc/0x240 [ath6kl_sdio])
[<7f619d64>] (ath6kl_sdio_scat_rw.isra.10+0x1dc/0x240 [ath6kl_sdio]) from [<7f619ec0>] (ath6kl_sdio_write_async_work+0x5c/0x104 [ath6kl_sdio])
[<7f619ec0>] (ath6kl_sdio_write_async_work+0x5c/0x104 [ath6kl_sdio]) from [<8003c450>] (process_one_work+0x10c/0x370)
[<8003c450>] (process_one_work+0x10c/0x370) from [<8003d158>] (worker_thread+0x138/0x3fc)
[<8003d158>] (worker_thread+0x138/0x3fc) from [<80042480>] (kthread+0xb4/0xb8)
[<80042480>] (kthread+0xb4/0xb8) from [<8000e018>] (ret_from_fork+0x14/0x3c)
Code: e1a02312 e2423001 e1c00003 f57ff04f (ee070f3a)
---[ end trace 0c038f0b8e0b67a3 ]---
Kernel panic - not syncing: Fatal exception

Jason's analysis:

  "The GCC 4.8.1 compiler will not do the for-loop till scat_entries, instead,
   it only run one round loop. This may be caused by that the GCC 4.8.1 thought
   that the scat_list only have one item and then no need to do full iteration,
   but this is simply wrong by looking at the assebly code. This will cause the sg
   buffer not get set when scat_entries > 1 and thus lead to kernel panic.

   Note: This issue not observed with GCC 4.7.2, only found on the GCC 4.8.1)"

Fix this by using the normal [0] style for defining unknown number of list
entries following the struct. This also fixes corruption with scat_q_depth, which
was mistankely added to the end of struct and overwritten if there were more
than item in the scat list.

Reported-by: Jason Liu <r64343@freescale.com>
Tested-by: Jason Liu <r64343@freescale.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Cc: Josh Cartwright <joshc@ni.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath6kl/hif.h  |    4 ++--
 drivers/net/wireless/ath/ath6kl/sdio.c |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/ath/ath6kl/hif.h
+++ b/drivers/net/wireless/ath/ath6kl/hif.h
@@ -197,9 +197,9 @@ struct hif_scatter_req {
 	/* bounce buffer for upper layers to copy to/from */
 	u8 *virt_dma_buf;
 
-	struct hif_scatter_item scat_list[1];
-
 	u32 scat_q_depth;
+
+	struct hif_scatter_item scat_list[0];
 };
 
 struct ath6kl_irq_proc_registers {
--- a/drivers/net/wireless/ath/ath6kl/sdio.c
+++ b/drivers/net/wireless/ath/ath6kl/sdio.c
@@ -348,7 +348,7 @@ static int ath6kl_sdio_alloc_prep_scat_r
 	int i, scat_req_sz, scat_list_sz, size;
 	u8 *virt_buf;
 
-	scat_list_sz = (n_scat_entry - 1) * sizeof(struct hif_scatter_item);
+	scat_list_sz = n_scat_entry * sizeof(struct hif_scatter_item);
 	scat_req_sz = sizeof(*s_req) + scat_list_sz;
 
 	if (!virt_scat)



^ permalink raw reply	[flat|nested] 91+ messages in thread

* [PATCH 3.14 96/96] clk-gate: fix bit # check in clk_register_gate()
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 95/96] ath6kl: fix struct hif_scatter_req list handling Greg Kroah-Hartman
@ 2015-03-16 14:10 ` Greg Kroah-Hartman
  2015-03-16 19:58 ` [PATCH 3.14 00/96] 3.14.36-stable review Guenter Roeck
       [not found] ` <20150316140856.907657028@linuxfoundation.org>
  88 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-16 14:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Shtylyov, Michael Turquette

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 2e9dcdae4068460c45a308dd891be5248260251c upstream.

In case CLK_GATE_HIWORD_MASK flag is passed to clk_register_gate(), the bit #
should be no higher than 15, however the corresponding check is obviously off-
by-one.

Fixes: 045779942c04 ("clk: gate: add CLK_GATE_HIWORD_MASK")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Michael Turquette <mturquette@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/clk-gate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/clk-gate.c
+++ b/drivers/clk/clk-gate.c
@@ -128,7 +128,7 @@ struct clk *clk_register_gate(struct dev
 	struct clk_init_data init;
 
 	if (clk_gate_flags & CLK_GATE_HIWORD_MASK) {
-		if (bit_idx > 16) {
+		if (bit_idx > 15) {
 			pr_err("gate bit exceeds LOWORD field\n");
 			return ERR_PTR(-EINVAL);
 		}



^ permalink raw reply	[flat|nested] 91+ messages in thread

* Re: [PATCH 3.14 00/96] 3.14.36-stable review
  2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2015-03-16 14:10 ` [PATCH 3.14 96/96] clk-gate: fix bit # check in clk_register_gate() Greg Kroah-Hartman
@ 2015-03-16 19:58 ` Guenter Roeck
       [not found] ` <20150316140856.907657028@linuxfoundation.org>
  88 siblings, 0 replies; 91+ messages in thread
From: Guenter Roeck @ 2015-03-16 19:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, satoru.takeuchi, shuah.kh, stable

On Mon, Mar 16, 2015 at 03:08:31PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.14.36 release.
> There are 96 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Mar 18 14:08:22 UTC 2015.
> Anything received after that time might be too late.
> 
Build results:
	total: 123 pass: 123 fail: 0
Qemu test results:
	total: 30 pass: 30 fail: 0

Details are available at http://server.roeck-us.net:8010/builders.

Guenter

^ permalink raw reply	[flat|nested] 91+ messages in thread

* Re: [PATCH 3.14 37/96] iio: mxs-lradc: only update the buffer when its conversions have finished
       [not found] ` <20150316140856.907657028@linuxfoundation.org>
@ 2015-03-18 23:36   ` Kristina Martšenko
  2015-03-19 13:15     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 91+ messages in thread
From: Kristina Martšenko @ 2015-03-18 23:36 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Marek Vasut, Jonathan Cameron

On 16/03/15 16:09, Greg Kroah-Hartman wrote:
> 3.14-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Kristina Martšenko <kristina.martsenko@gmail.com>
> 
> commit 89bb35e200bee745c539a96666e0792301ca40f1 upstream.
> 
> Using the touchscreen while running buffered capture results in the
> buffer reporting lots of wrong values, often just zeros. This is because
> we push readings to the buffer every time a touchscreen interrupt
> arrives, including when the buffer's own conversions have not yet
> finished. So let's only push to the buffer when its conversions are
> ready.
> 
> Signed-off-by: Kristina Martšenko <kristina.martsenko@gmail.com>
> Reviewed-by: Marek Vasut <marex@denx.de>
> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  drivers/staging/iio/adc/mxs-lradc.c |    7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> --- a/drivers/staging/iio/adc/mxs-lradc.c
> +++ b/drivers/staging/iio/adc/mxs-lradc.c
> @@ -1160,9 +1160,12 @@ static irqreturn_t mxs_lradc_handle_irq(
>  	}
>  
>  	if (iio_buffer_enabled(iio))
> -		iio_trigger_poll(iio->trig, iio_get_time_ns());
> -	else if (reg & LRADC_CTRL1_LRADC_IRQ(0))
> +	if (iio_buffer_enabled(iio)) {
> +		if (reg & lradc->buffer_vchans)
> +			iio_trigger_poll(iio->trig, iio_get_time_ns());
> +	} else if (reg & LRADC_CTRL1_LRADC_IRQ(0)) {
>  		complete(&lradc->completion);
> +	}
>  
>  	mxs_lradc_reg_clear(lradc, reg & clr_irq, LRADC_CTRL1);

I think something got messed up here, this now has both these lines:

	if (iio_buffer_enabled(iio))
	if (iio_buffer_enabled(iio)) {

which makes the 'else' case unreachable, and breaks reading the ADC
through sysfs. It should just be the second line.

Greg, can you fix it up for the next version? Let me know if I need to
do something. And sorry for not looking at this sooner.

Kristina

^ permalink raw reply	[flat|nested] 91+ messages in thread

* Re: [PATCH 3.14 37/96] iio: mxs-lradc: only update the buffer when its conversions have finished
  2015-03-18 23:36   ` [PATCH 3.14 37/96] iio: mxs-lradc: only update the buffer when its conversions have finished Kristina Martšenko
@ 2015-03-19 13:15     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 91+ messages in thread
From: Greg Kroah-Hartman @ 2015-03-19 13:15 UTC (permalink / raw)
  To: Kristina Martšenko
  Cc: linux-kernel, stable, Marek Vasut, Jonathan Cameron

On Thu, Mar 19, 2015 at 01:36:13AM +0200, Kristina Martšenko wrote:
> On 16/03/15 16:09, Greg Kroah-Hartman wrote:
> > 3.14-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Kristina Martšenko <kristina.martsenko@gmail.com>
> > 
> > commit 89bb35e200bee745c539a96666e0792301ca40f1 upstream.
> > 
> > Using the touchscreen while running buffered capture results in the
> > buffer reporting lots of wrong values, often just zeros. This is because
> > we push readings to the buffer every time a touchscreen interrupt
> > arrives, including when the buffer's own conversions have not yet
> > finished. So let's only push to the buffer when its conversions are
> > ready.
> > 
> > Signed-off-by: Kristina Martšenko <kristina.martsenko@gmail.com>
> > Reviewed-by: Marek Vasut <marex@denx.de>
> > Signed-off-by: Jonathan Cameron <jic23@kernel.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > ---
> >  drivers/staging/iio/adc/mxs-lradc.c |    7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > --- a/drivers/staging/iio/adc/mxs-lradc.c
> > +++ b/drivers/staging/iio/adc/mxs-lradc.c
> > @@ -1160,9 +1160,12 @@ static irqreturn_t mxs_lradc_handle_irq(
> >  	}
> >  
> >  	if (iio_buffer_enabled(iio))
> > -		iio_trigger_poll(iio->trig, iio_get_time_ns());
> > -	else if (reg & LRADC_CTRL1_LRADC_IRQ(0))
> > +	if (iio_buffer_enabled(iio)) {
> > +		if (reg & lradc->buffer_vchans)
> > +			iio_trigger_poll(iio->trig, iio_get_time_ns());
> > +	} else if (reg & LRADC_CTRL1_LRADC_IRQ(0)) {
> >  		complete(&lradc->completion);
> > +	}
> >  
> >  	mxs_lradc_reg_clear(lradc, reg & clr_irq, LRADC_CTRL1);
> 
> I think something got messed up here, this now has both these lines:
> 
> 	if (iio_buffer_enabled(iio))
> 	if (iio_buffer_enabled(iio)) {
> 
> which makes the 'else' case unreachable, and breaks reading the ADC
> through sysfs. It should just be the second line.
> 
> Greg, can you fix it up for the next version? Let me know if I need to
> do something. And sorry for not looking at this sooner.

Ah crap, I messed this up when doing the backport, I'll fix it up, it's
my fault here.

Thanks for noticing this, I'll go make up a fix now...

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 91+ messages in thread

end of thread, other threads:[~2015-03-19 13:15 UTC | newest]

Thread overview: 91+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-16 14:08 [PATCH 3.14 00/96] 3.14.36-stable review Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 01/96] pktgen: fix UDP checksum computation Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 02/96] rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 03/96] ipv6: fix ipv6_cow_metrics for non DST_HOST case Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 04/96] rtnetlink: call ->dellink on failure when ->newlink exists Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 06/96] ipv4: ip_check_defrag should correctly check return value of skb_copy_bits Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 07/96] ipv4: ip_check_defrag should not assume that skb_network_offset is zero Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 08/96] net: phy: Fix verification of EEE support in phy_init_eee Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 10/96] net: reject creation of netdev names with colons Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 11/96] team: fix possible null pointer dereference in team_handle_frame Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 12/96] net: compat: Ignore MSG_CMSG_COMPAT in compat_sys_{send, recv}msg Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 13/96] macvtap: make sure neighbour code can push ethernet header Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 14/96] usb: plusb: Add support for National Instruments host-to-host cable Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 15/96] udp: only allow UFO for packets from SOCK_DGRAM sockets Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 16/96] net: ping: Return EAFNOSUPPORT when appropriate Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 17/96] team: dont traverse port list using rcu in team_set_mac_address Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 18/96] mm/hugetlb: add migration/hwpoisoned entry check in hugetlb_change_protection Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 19/96] mm/hugetlb: add migration entry check in __unmap_hugepage_range Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 20/96] mm: when stealing freepages, also take pages created by splitting buddy page Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 21/96] mm/mmap.c: fix arithmetic overflow in __vm_enough_memory() Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 22/96] mm/nommu.c: " Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 23/96] mm/compaction: fix wrong order check in compact_finished() Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 24/96] mm/memory.c: actually remap enough memory Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 27/96] drm/radeon: fix voltage setup on hawaii Greg Kroah-Hartman
2015-03-16 14:08 ` [PATCH 3.14 28/96] target: Fix PR_APTPL_BUF_LEN buffer size limitation Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 29/96] target: Add missing WRITE_SAME end-of-device sanity check Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 30/96] target: Check for LBA + sectors wrap-around in sbc_parse_cdb Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 31/96] x86/asm/entry/64: Remove a bogus ret_from_fork optimization Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 32/96] iio: mxs-lradc: fix iio channel map regression Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 33/96] iio: imu: adis16400: Fix sign extension Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 39/96] iio:adc:mcp3422 Fix incorrect scales table Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 40/96] mei: make device disabled on stop unconditionally Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 41/96] btrfs: fix lost return value due to variable shadowing Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 42/96] Btrfs: fix data loss in the fast fsync path Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 43/96] Btrfs:__add_inode_ref: out of bounds memory read when looking for extended ref Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 44/96] KVM: emulate: fix CMPXCHG8B on 32-bit hosts Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 45/96] KVM: MIPS: Fix trace event to save PC directly Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 46/96] USB: serial: cp210x: Adding Seletek device ids Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 47/96] USB: mxuport: fix null deref when used as a console Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 48/96] USB: usbfs: dont leak kernel data in siginfo Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 49/96] USB: ftdi_sio: add PIDs for Actisense USB devices Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 50/96] usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 51/96] usb: dwc3: dwc3-omap: Fix disable IRQ Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 52/96] xhci: Allocate correct amount of scratchpad buffers Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 53/96] xhci: fix reporting of 0-sized URBs in control endpoint Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 54/96] mac80211: Send EAPOL frames at lowest rate Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 55/96] net: irda: fix wait_until_sent poll timeout Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 56/96] USB: serial: fix infinite wait_until_sent timeout Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 57/96] TTY: fix tty_wait_until_sent on 64-bit machines Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 58/96] USB: serial: fix potential use-after-free after failed probe Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 59/96] USB: serial: fix tty-device error handling at probe Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 60/96] autofs4 copy_dev_ioctl(): keep the value of ->size wed used for allocation Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 61/96] debugfs: leave freeing a symlink body until inode eviction Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 62/96] procfs: fix race between symlink removals and traversals Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 63/96] sunrpc: fix braino in ->poll() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 64/96] ARC: Fix KSTK_ESP() Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 65/96] tty: fix up atime/mtime mess, take four Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 66/96] ALSA: pcm: Dont leave PREPARED state after draining Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 67/96] ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 68/96] ALSA: hda - Disable runtime PM for Panther Point again Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 69/96] sg: fix read() error reporting Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 70/96] IB/qib: Do not write EEPROM Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 71/96] IB/mlx4: Fix wrong usage of IPv4 protocol for multicast attach/detach Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 72/96] IB/core: Fix deadlock on uverbs modify_qp error flow Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 73/96] IB/core: When marshaling ucma path from user-space, clear unused fields Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 74/96] nilfs2: fix potential memory overrun on inode Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 75/96] fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 76/96] clk: zynq: Force CPU_2X clock to be ungated Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 77/96] sunxi: clk: Set sun6i-pll1 n_start = 1 Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 78/96] clk: sunxi: Support factor clocks with N factor starting not from 0 Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 79/96] staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 80/96] dm mirror: do not degrade the mirror on discard error Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 81/96] dm io: reject unsupported DISCARD requests with EOPNOTSUPP Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 82/96] dm: fix a race condition in dm_get_md Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 83/96] dm snapshot: fix a possible invalid memory access on unload Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 84/96] staging: comedi: cb_pcidas64: fix incorrect AI range code handling Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 85/96] HID: input: fix confusion on conflicting mappings Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 86/96] HID: fixup the conflicting keyboard mappings quirk Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 87/96] HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid Greg Kroah-Hartman
2015-03-16 14:09 ` [PATCH 3.14 88/96] drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 89/96] drm/radeon: fix 1 RB harvest config setup for TN/RL Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 90/96] efi: Small leak on error in runtime map code Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 91/96] ACPI / video: Load the module even if ACPI is disabled Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 92/96] NFSv4: Dont call put_rpccred() under the rcu_read_lock() Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 93/96] ASoC: omap-pcm: Correct dma mask Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 94/96] ath5k: fix spontaneus AR5312 freezes Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 95/96] ath6kl: fix struct hif_scatter_req list handling Greg Kroah-Hartman
2015-03-16 14:10 ` [PATCH 3.14 96/96] clk-gate: fix bit # check in clk_register_gate() Greg Kroah-Hartman
2015-03-16 19:58 ` [PATCH 3.14 00/96] 3.14.36-stable review Guenter Roeck
     [not found] ` <20150316140856.907657028@linuxfoundation.org>
2015-03-18 23:36   ` [PATCH 3.14 37/96] iio: mxs-lradc: only update the buffer when its conversions have finished Kristina Martšenko
2015-03-19 13:15     ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).