commit a342a4648f43553bd52de3cc8d15487bbb4ef25b Author: Ben Hutchings Date: Fri Jan 22 21:40:13 2016 +0000 Linux 3.2.76 commit 1f15736874bc07aaf94ee98dbca9f31338b0fb89 Author: Maciej Zuk Date: Thu Sep 3 21:46:39 2015 +0200 HID: dragonrise: fix HID Descriptor for 0x0006 PID commit 18339f59c3a6698ee17d32970c9e1e450b16e7c3 upstream. Fixed HID descriptor for DragonRise Joystick. Replaced default descriptor which doubles Z axis and causes mixing values of X and Z axes. Signed-off-by: Maciej Zuk Signed-off-by: Jiri Kosina Signed-off-by: Ben Hutchings commit 742c7795ea2854f36215d4a328608c17085bdff1 Author: Georgios Toptsidis Date: Fri Sep 25 10:50:08 2015 +0300 cdrom: Random writing support for BD-RE media commit f7e7868b4743f1cc5e59e6e0ddd3ccf9cfe53a1b upstream. Recently, i bought a blu-ray writer and noticed that while cdrecord worked perfectly, random writing didn't work on rewritable bd-re media. For example, dd if=/dev/zero of=/dev/sr0 bs=32768 count=2 gave the usual "read-only file system" message. After checking if the problem lies with my burner or firmware, i grep-ed the kernel source for EROFS. One of the results was in the cdrom driver. I tried to follow the function chain and ended in the cdrom_is_dvd_rw function where writing is permitted only for DVD-RAM and DVD+RW media. I added a new case label for 0x43 which is the profile name of BD-RE and now it works correctly for BD-RE too. Maybe there is a better way of implementing this, like a new function checking for blu-ray support and called from cdrom_open_write like it happens for mrw and dvdram media, but adding the case label worked. Thank you for your time. Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings commit 28aa0aafcdb7c908682765ab6def7c8febda04f3 Author: Alexandra Yates Date: Thu Nov 5 11:40:25 2015 -0800 i2c: i801: add Intel Lewisburg device IDs commit cdc5a3110e7c3ae793f367285789a6bc39c962dc upstream. Adding Intel codename Lewisburg platform device IDs for SMBus. Signed-off-by: Alexandra Yates Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 0ad361197a87788b8b6c5c0664b9366fe5d09e36 Author: Jarkko Nikula Date: Mon Oct 26 13:26:56 2015 +0200 i2c: i801: Document Intel DNV and Broxton commit 2b630df721ee4c286d286ab5d5d958d34c86f067 upstream. Add missing entries into i2c-i801 documentation and Kconfig about recently added Intel DNV and Broxton. Reported-by: Jean Delvare Signed-off-by: Jarkko Nikula Reviewed-by: Mika Westerberg Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 49f9c1f8b9137200702cab85563158cfb556982d Author: Jarkko Nikula Date: Thu Oct 22 17:16:58 2015 +0300 i2c: i801: Add support for Intel Broxton commit dd77f423e516293c37c2370b44fd700900409c48 upstream. This patch adds the SMBUS PCI ID of Intel Broxton. Signed-off-by: Jarkko Nikula Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 7109b1f3db7c4699d1cc0aa97e75405ef5f8fa01 Author: Mika Westerberg Date: Tue Oct 13 15:41:39 2015 +0300 i2c: i801: Add support for Intel DNV commit 84d7f2ebd70d36e9d83e0973d2f4dac56a671f4f upstream. Intel DNV SoC has the same legacy SMBus host controller than Intel Sunrisepoint PCH. It also has same iTCO watchdog on the bus. Add DNV PCI ID to the list of supported devices. Signed-off-by: Mika Westerberg Signed-off-by: Wolfram Sang [bwh: Backported to 3.2: no FEATURE_IRQ or FEATURE_TCO here] Signed-off-by: Ben Hutchings commit 7e117569f075f91070420d748fe226b521f277a0 Author: Devin Ryles Date: Wed Nov 5 16:30:03 2014 -0500 i2c: i801: Add DeviceIDs for SunrisePoint LP commit 3eee1799aed90e990e02a73a89bfcff1982c74dd upstream. Signed-off-by: Devin Ryles Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 8abf6e2f5fc03baab01b72958b3c0b47de727acd Author: james.d.ralston@intel.com Date: Mon Oct 13 15:20:24 2014 -0700 i2c: i801: Add Device IDs for Intel Sunrise Point PCH commit 3e27a8445c21f8056517f188303827450590d868 upstream. This patch adds the I2C/SMBus Device IDs for the Intel Sunrise Point PCH. Signed-off-by: James Ralston Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 4fc5bf98f9a4bc091de0ded143882c45387f69b8 Author: Alan Cox Date: Tue Aug 19 17:37:28 2014 +0300 i2c: i801: Add PCI ID for Intel Braswell commit 39e8e30ee544a62c148033d64a979028b958ca05 upstream. The SMBus host controller is the same as used in Baytrail so add the new PCI ID to the driver's list of supported IDs. Signed-off-by: Alan Cox Signed-off-by: Mika Westerberg Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit a55ebb104f761fd8dbd0da3ad0121e4aeaed3abd Author: Jean Delvare Date: Thu Jul 17 15:04:41 2014 +0200 i2c: i801: Add device ID for Intel Wildcat Point PCH commit b299de839157852c563b9f133c8b7e630545a9c3 upstream. Signed-off-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit ce5dac6cdf2d11b8364ef55d266aee66b0e47c91 Author: Jean Delvare Date: Thu Jul 17 15:03:24 2014 +0200 i2c: i801: Fix the alignment of the device table commit ce3161106ab57afbfbe1c33d95bf4a569405983a upstream. A long name broke the alignment, shift the columns a bit to fix it and make the table look nice again. While we're here, switch to the standard comment style to make checkpatch happy, and use tabs instead of spaces for column alignment. Signed-off-by: Jean Delvare Signed-off-by: Wolfram Sang [bwh: Backported to 3.2: "Interrupt processing" isn't mentioned] Signed-off-by: Ben Hutchings commit 314be5a9a7211ed0c5615b824a33ca62473805b5 Author: Chew, Kean ho Date: Sat Mar 1 00:03:56 2014 +0800 i2c: i801: enable Intel BayTrail SMBUS commit 1b31e9b76ef8c62291e698dfdb973499986a7f68 upstream. Add Device ID of Intel BayTrail SMBus Controller. Signed-off-by: Chew, Kean ho Signed-off-by: Chew, Chiau Ee Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 1235e897620d37504912b8972edc9cbeda48ccc8 Author: James Ralston Date: Mon Nov 4 09:29:48 2013 -0800 i2c: i801: Add Device IDs for Intel Wildcat Point-LP PCH commit afc659241258b40b683998ec801d25d276529f43 upstream. This patch adds the SMBus Device IDs for the Intel Wildcat Point-LP PCH. Signed-off-by: James Ralston Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit ed2fcf282c644456d765d98792185a9c5756d191 Author: Seth Heasley Date: Wed Jun 19 16:59:57 2013 -0700 i2c: i801: SMBus patch for Intel Coleto Creek DeviceIDs commit f39901c1befa556bc91902516a3e2e460000b4a8 upstream. This patch adds the i801 SMBus Controller DeviceIDs for the Intel Coleto Creek PCH. Signed-off-by: Seth Heasley Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 1ba6cb0129fff0f6103c9b6cfdbf18bdbee4e991 Author: James Ralston Date: Thu Feb 14 09:15:33 2013 +0000 i2c: i801: Add Device IDs for Intel Wellsburg PCH commit a3fc0ff00a46c4b32e7214961a5be9a1dc39b60e upstream. This patch adds the SMBus Device IDs for the Intel Wellsburg PCH Signed-off-by: James Ralston Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 88e2c893cb3ba14717018888827426fff9fd418c Author: Seth Heasley Date: Wed Jan 30 15:25:32 2013 +0000 i2c: i801: SMBus patch for Intel Avoton DeviceIDs commit c2db409cbc8751ccc7e6d2cc2e41af0d12ea637f upstream. This patch adds the PCU SMBus DeviceID for the Intel Avoton SOC. Signed-off-by: Seth Heasley Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Ben Hutchings commit 7f97fb193743242c055316cbfc3e0c0e141d764d Author: Alexandra Yates Date: Mon Nov 16 11:22:16 2015 -0500 ahci: Order SATA device IDs for codename Lewisburg commit 4d92f0099a06ef0e36c7673f7c090f1a448b2d1b upstream. This change was to preserve the ascending order of device IDs. There was an exception with the first two Lewisburg device IDs to keep all device IDs of the same kind grouped by code name. Signed-off-by: Alexandra Yates signed-off-by: Tejun Heo Signed-off-by: Ben Hutchings commit 545df47d60e8e4d94a52c598a75369a08465047c Author: Charles_Rose@Dell.com Date: Fri Nov 6 14:18:56 2015 -0600 ahci: Add Device ID for Intel Sunrise Point PCH commit c5967b79ecabe2baca40658d9073e28b30d7f6cf upstream. This patch adds missing AHCI RAID SATA Device IDs for the Intel Sunrise Point PCH. Signed-off-by: Nanda Kishore Chinna Signed-off-by: Charles Rose Signed-off-by: Tejun Heo Signed-off-by: Ben Hutchings commit 265ed762635ceeedc9ef23a5538eb6fe9955a6c0 Author: Alexandra Yates Date: Tue Nov 3 14:14:18 2015 -0800 ahci: add new Intel device IDs commit 56e74338a535cbcc2f2da08b1ea1a92920194364 upstream. Adding Intel codename Lewisburg platform device IDs for SATA. Signed-off-by: Alexandra Yates Signed-off-by: Tejun Heo Signed-off-by: Ben Hutchings commit 598dfa6be13d83a91dd195e7f17bc08e92a5a971 Author: Johannes Thumshirn Date: Tue Oct 20 09:31:22 2015 +0200 ahci: Add Marvell 88se91a2 device id commit a40cf3f38881ce8543ceb9667150b4f2ead4c437 upstream. Add device id for Marvell 88se91a2 Signed-off-by: Johannes Thumshirn Signed-off-by: Tejun Heo Signed-off-by: Ben Hutchings commit e0dbfc009e9d35a4ac0d17ad3b1be2d045fff210 Author: James Ralston Date: Mon Jan 12 16:13:52 2015 -0800 ahci: Remove Device ID for Intel Sunrise Point PCH commit 46319e13581a6c442b0a0e5a3bd5d9af4496f252 upstream. This patch removes a duplicate AHCI-mode SATA Device ID for the Intel Sunrise Point PCH. Signed-off-by: James Ralston Signed-off-by: Tejun Heo Signed-off-by: Ben Hutchings commit 6507e05f10625f06bdd8027062a4298d22369601 Author: Ben Hutchings Date: Mon Sep 10 01:09:04 2012 +0100 ahci: Add JMicron 362 device IDs commit 1fefb8fdc6562057a0e4e4542f3d4323981c9686 upstream. The JMicron JMB362 controller supports AHCI only, but some revisions use the IDE class code. These need to be matched by device ID. These additions have apparently been included by QNAP in their NAS devices using these controllers. References: http://bugs.debian.org/634180 Signed-off-by: Ben Hutchings Signed-off-by: Jeff Garzik commit 34a2a4493bb5398a23974f734d480133a2b08266 Author: James Ralston Date: Thu Feb 21 11:08:51 2013 -0800 ahci: Add Device IDs for Intel Wellsburg PCH commit efda332cb66d78d6fdf6f98e7b067480f43624f2 upstream. This patch adds the RAID-mode SATA Device IDs for the Intel Wellsburg PCH Signed-off-by: James Ralston Signed-off-by: Jeff Garzik [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 065bc97edc4bc250ec4d6dcc716c9a3e1e1c602c Author: Michal Hocko Date: Fri Jan 8 11:18:29 2016 +0100 vmstat: allocate vmstat_wq before it is used commit 751e5f5c753e8d447bcf89f9e96b9616ac081628 upstream. kernel test robot has reported the following crash: BUG: unable to handle kernel NULL pointer dereference at 00000100 IP: [] __queue_work+0x26/0x390 *pdpt = 0000000000000000 *pde = f000ff53f000ff53 *pde = f000ff53f000ff53 Oops: 0000 [#1] PREEMPT PREEMPT SMP SMP CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.4.0-rc4-00139-g373ccbe #1 Workqueue: events vmstat_shepherd task: cb684600 ti: cb7ba000 task.ti: cb7ba000 EIP: 0060:[] EFLAGS: 00010046 CPU: 0 EIP is at __queue_work+0x26/0x390 EAX: 00000046 EBX: cbb37800 ECX: cbb37800 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: cb7bbe68 ESP: cb7bbe38 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 CR0: 8005003b CR2: 00000100 CR3: 01fd5000 CR4: 000006b0 Stack: Call Trace: __queue_delayed_work+0xa1/0x160 queue_delayed_work_on+0x36/0x60 vmstat_shepherd+0xad/0xf0 process_one_work+0x1aa/0x4c0 worker_thread+0x41/0x440 kthread+0xb0/0xd0 ret_from_kernel_thread+0x21/0x40 The reason is that start_shepherd_timer schedules the shepherd work item which uses vmstat_wq (vmstat_shepherd) before setup_vmstat allocates that workqueue so if the further initialization takes more than HZ we might end up scheduling on a NULL vmstat_wq. This is really unlikely but not impossible. Fixes: 373ccbe59270 ("mm, vmstat: allow WQ concurrency to discover memory reclaim doesn't make any progress") Reported-by: kernel test robot Signed-off-by: Michal Hocko Tested-by: Tetsuo Handa Cc: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: This precise race condition doesn't exist, but there is a similar potential race with CPU hotplug. So move the alloc_workqueue() above register_cpu_notifier().] Signed-off-by: Ben Hutchings commit 18a6eba2eabbcb50a78210b16f7dd43d888a537b Author: Eric Dumazet Date: Wed Dec 30 08:51:12 2015 -0500 udp: properly support MSG_PEEK with truncated buffers commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream. Backport of this upstream commit into stable kernels : 89c22d8c3b27 ("net: Fix skb csum races when peeking") exposed a bug in udp stack vs MSG_PEEK support, when user provides a buffer smaller than skb payload. In this case, skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov); returns -EFAULT. This bug does not happen in upstream kernels since Al Viro did a great job to replace this into : skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); This variant is safe vs short buffers. For the time being, instead reverting Herbert Xu patch and add back skb->ip_summed invalid changes, simply store the result of udp_lib_checksum_complete() so that we avoid computing the checksum a second time, and avoid the problematic skb_copy_and_csum_datagram_iovec() call. This patch can be applied on recent kernels as it avoids a double checksumming, then backported to stable kernels as a bug fix. Signed-off-by: Eric Dumazet Acked-by: Herbert Xu Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 414d4d9d3354c8e4aa58dc51cea5768f145e5275 Author: Ben Hutchings Date: Sat Jan 2 01:11:55 2016 +0000 Revert "net: add length argument to skb_copy_and_csum_datagram_iovec" This reverts commit 127500d724f8c43f452610c9080444eedb5eaa6c. That fixed the problem of buffer over-reads introduced by backporting commit 89c22d8c3b27 ("net: Fix skb csum races when peeking"), but resulted in incorrect checksumming for short reads. It will be replaced with a complete fix. Signed-off-by: Ben Hutchings commit ef90cf3d0b59e3b1dcfe94d1a241107667e6e96a Author: Paolo Bonzini Date: Thu Jan 7 13:50:38 2016 +0100 kvm: x86: only channel 0 of the i8254 is linked to the HPET commit e5e57e7a03b1cdcb98e4aed135def2a08cbf3257 upstream. While setting the KVM PIT counters in 'kvm_pit_load_count', if 'hpet_legacy_start' is set, the function disables the timer on channel[0], instead of the respective index 'channel'. This is because channels 1-3 are not linked to the HPET. Fix the caller to only activate the special HPET processing for channel 0. Reported-by: P J P Fixes: 0185604c2d82c560dab2f2933a18f797e74ab5a8 Signed-off-by: Paolo Bonzini Signed-off-by: Ben Hutchings commit 08b8d1a6ccdefd3d517d04c472b7f42f51b3059b Author: Andrew Honig Date: Wed Nov 18 14:50:23 2015 -0800 KVM: x86: Reload pit counters for all channels when restoring state commit 0185604c2d82c560dab2f2933a18f797e74ab5a8 upstream. Currently if userspace restores the pit counters with a count of 0 on channels 1 or 2 and the guest attempts to read the count on those channels, then KVM will perform a mod of 0 and crash. This will ensure that 0 values are converted to 65536 as per the spec. This is CVE-2015-7513. Signed-off-by: Andy Honig Signed-off-by: Paolo Bonzini [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit ccf8b3948a05d0ac28fecfefde3ec9e75d43a1bd Author: Francesco Ruggeri Date: Wed Jan 6 00:18:48 2016 -0800 net: possible use after free in dst_release commit 07a5d38453599052aff0877b16bb9c1585f08609 upstream. dst_release should not access dst->flags after decrementing __refcnt to 0. The dst_entry may be in dst_busy_list and dst_gc_task may dst_destroy it before dst_release gets a chance to access dst->flags. Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()") Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst") Signed-off-by: Francesco Ruggeri Acked-by: Eric Dumazet Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit e02539e109eb34597cd9a92ae1842d2b2181696c Author: Colin Ian King Date: Wed Dec 30 23:06:41 2015 +0000 ftrace/scripts: Fix incorrect use of sprintf in recordmcount commit 713a3e4de707fab49d5aa4bceb77db1058572a7b upstream. Fix build warning: scripts/recordmcount.c:589:4: warning: format not a string literal and no format arguments [-Wformat-security] sprintf("%s: failed\n", file); Fixes: a50bd43935586 ("ftrace/scripts: Have recordmcount copy the object file") Link: http://lkml.kernel.org/r/1451516801-16951-1-git-send-email-colin.king@canonical.com Cc: Li Bin Cc: Russell King Cc: Will Deacon Signed-off-by: Colin Ian King Signed-off-by: Steven Rostedt Signed-off-by: Ben Hutchings commit 18020036abfe56b51b08f2e337482ce8b2237eea Author: Thomas Gleixner Date: Sun Dec 13 18:12:30 2015 +0100 genirq: Prevent chip buslock deadlock commit abc7e40c81d113ef4bacb556f0a77ca63ac81d85 upstream. If a interrupt chip utilizes chip->buslock then free_irq() can deadlock in the following way: CPU0 CPU1 interrupt(X) (Shared or spurious) free_irq(X) interrupt_thread(X) chip_bus_lock(X) irq_finalize_oneshot(X) chip_bus_lock(X) synchronize_irq(X) synchronize_irq() waits for the interrupt thread to complete, i.e. forever. Solution is simple: Drop chip_bus_lock() before calling synchronize_irq() as we do with the irq_desc lock. There is nothing to be protected after the point where irq_desc lock has been released. This adds chip_bus_lock/unlock() to the remove_irq() code path, but that's actually correct in the case where remove_irq() is called on such an interrupt. The current users of remove_irq() are not affected as none of those interrupts is on a chip which requires buslock. Reported-by: Fredrik Markström Signed-off-by: Thomas Gleixner Signed-off-by: Ben Hutchings commit 89d3665e83412ed0d58b3345a613c55ffc40977a Author: Nikolay Aleksandrov Date: Tue Nov 17 15:49:06 2015 +0100 net/core: revert "net: fix __netdev_update_features return.." and add comment commit 17b85d29e82cc3c874a497a8bc5764d6a2b043e2 upstream. This reverts commit 00ee59271777 ("net: fix __netdev_update_features return on ndo_set_features failure") and adds a comment explaining why it's okay to return a value other than 0 upon error. Some drivers might actually change flags and return an error so it's better to fire a spurious notification rather than miss these. CC: Michał Mirosław Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit f9886587f589c03f657ce7a0663adf0f509ac4b7 Author: Dave Airlie Date: Thu Aug 20 10:13:55 2015 +1000 drm/radeon: fix hotplug race at startup commit 7f98ca454ad373fc1b76be804fa7138ff68c1d27 upstream. We apparantly get a hotplug irq before we've initialised modesetting, [drm] Loading R100 Microcode BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] __mutex_lock_slowpath+0x23/0x91 *pde = 00000000 Oops: 0002 [#1] Modules linked in: radeon(+) drm_kms_helper ttm drm i2c_algo_bit backlight pcspkr psmouse evdev sr_mod input_leds led_class cdrom sg parport_pc parport floppy intel_agp intel_gtt lpc_ich acpi_cpufreq processor button mfd_core agpgart uhci_hcd ehci_hcd rng_core snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm usbcore usb_common i2c_i801 i2c_core snd_timer snd soundcore thermal_sys CPU: 0 PID: 15 Comm: kworker/0:1 Not tainted 4.2.0-rc7-00015-gbf67402 #111 Hardware name: MicroLink /D850MV , BIOS MV85010A.86A.0067.P24.0304081124 04/08/2003 Workqueue: events radeon_hotplug_work_func [radeon] task: f6ca5900 ti: f6d3e000 task.ti: f6d3e000 EIP: 0060:[] EFLAGS: 00010282 CPU: 0 EIP is at __mutex_lock_slowpath+0x23/0x91 EAX: 00000000 EBX: f5e900fc ECX: 00000000 EDX: fffffffe ESI: f6ca5900 EDI: f5e90100 EBP: f5e90000 ESP: f6d3ff0c DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 CR0: 8005003b CR2: 00000000 CR3: 36f61000 CR4: 000006d0 Stack: f5e90100 00000000 c103c4c1 f6d2a5a0 f5e900fc f6df394c c125f162 f8b0faca f6d2a5a0 c138ca00 f6df394c f7395600 c1034741 00d40000 00000000 f6d2a5a0 c138ca00 f6d2a5b8 c138ca10 c1034b58 00000001 f6d40000 f6ca5900 f6d0c940 Call Trace: [] ? dequeue_task_fair+0xa4/0xb7 [] ? mutex_lock+0x9/0xa [] ? radeon_hotplug_work_func+0x17/0x57 [radeon] [] ? process_one_work+0xfc/0x194 [] ? worker_thread+0x18d/0x218 [] ? rescuer_thread+0x1d5/0x1d5 [] ? kthread+0x7b/0x80 [] ? ret_from_kernel_thread+0x20/0x30 [] ? init_completion+0x18/0x18 Code: 42 08 e8 8e a6 dd ff c3 57 56 53 83 ec 0c 8b 35 48 f7 37 c1 8b 10 4a 74 1a 89 c3 8d 78 04 8b 40 08 89 63 Reported-and-Tested-by: Meelis Roos Signed-off-by: Dave Airlie Signed-off-by: Ben Hutchings commit 08f865bba9c705aef95268a33393698e5385587e Author: Ed Swierk Date: Mon Jan 12 21:10:30 2015 -0800 MIPS: Fix restart of indirect syscalls commit e967ef022e00bb7c2e5b1a42007abfdd52055050 upstream. When 32-bit MIPS userspace invokes a syscall indirectly via syscall(number, arg1, ..., arg7), the kernel looks up the actual syscall based on the given number, shifts the other arguments to the left, and jumps to the syscall. If the syscall is interrupted by a signal and indicates it needs to be restarted by the kernel (by returning ERESTARTNOINTR for example), the syscall must be called directly, since the number is no longer the first argument, and the other arguments are now staged for a direct call. Before shifting the arguments, store the syscall number in pt_regs->regs[2]. This gets copied temporarily into pt_regs->regs[0] after the syscall returns. If the syscall needs to be restarted, handle_signal()/do_signal() copies the number back to pt_regs->reg[2], which ends up in $v0 once control returns to userspace. Signed-off-by: Ed Swierk Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/8929/ Signed-off-by: Ralf Baechle [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 17f6a291c98199d7ce15a850ce5f548ceef628bc Author: Andrew Banman Date: Tue Dec 29 14:54:25 2015 -0800 mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone() commit 5f0f2887f4de9508dcf438deab28f1de8070c271 upstream. test_pages_in_a_zone() does not account for the possibility of missing sections in the given pfn range. pfn_valid_within always returns 1 when CONFIG_HOLES_IN_ZONE is not set, allowing invalid pfns from missing sections to pass the test, leading to a kernel oops. Wrap an additional pfn loop with PAGES_PER_SECTION granularity to check for missing sections before proceeding into the zone-check code. This also prevents a crash from offlining memory devices with missing sections. Despite this, it may be a good idea to keep the related patch '[PATCH 3/3] drivers: memory: prohibit offlining of memory blocks with missing sections' because missing sections in a memory block may lead to other problems not covered by the scope of this fix. Signed-off-by: Andrew Banman Acked-by: Alex Thorlton Cc: Russ Anderson Cc: Alex Thorlton Cc: Yinghai Lu Cc: Greg KH Cc: Seth Jennings Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings commit b0fab23d2f70d52defacaa280152b64a4fbc5c95 Author: Joseph Qi Date: Tue Dec 29 14:54:06 2015 -0800 ocfs2: fix BUG when calculate new backup super commit 5c9ee4cbf2a945271f25b89b137f2c03bbc3be33 upstream. When resizing, it firstly extends the last gd. Once it should backup super in the gd, it calculates new backup super and update the corresponding value. But it currently doesn't consider the situation that the backup super is already done. And in this case, it still sets the bit in gd bitmap and then decrease from bg_free_bits_count, which leads to a corrupted gd and trigger the BUG in ocfs2_block_group_set_bits: BUG_ON(le16_to_cpu(bg->bg_free_bits_count) < num_bits); So check whether the backup super is done and then do the updates. Signed-off-by: Joseph Qi Reviewed-by: Jiufei Xue Reviewed-by: Yiwen Jiang Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 39b214ba1a357359f9c0be6ef8d21f2e5187567a Author: Andrey Ryabinin Date: Mon Dec 21 12:54:45 2015 +0300 ipv6/addrlabel: fix ip6addrlbl_get() commit e459dfeeb64008b2d23bdf600f03b3605dbb8152 upstream. ip6addrlbl_get() has never worked. If ip6addrlbl_hold() succeeded, ip6addrlbl_get() will exit with '-ESRCH'. If ip6addrlbl_hold() failed, ip6addrlbl_get() will use about to be free ip6addrlbl_entry pointer. Fix this by inverting ip6addrlbl_hold() check. Fixes: 2a8cc6c89039 ("[IPV6] ADDRCONF: Support RFC3484 configurable address selection policy table.") Signed-off-by: Andrey Ryabinin Reviewed-by: Cong Wang Acked-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 9f2dcffefc599c424ad1dd402e3a96da60639308 Author: Helge Deller Date: Mon Dec 21 10:03:30 2015 +0100 parisc: Fix syscall restarts commit 71a71fb5374a23be36a91981b5614590b9e722c3 upstream. On parisc syscalls which are interrupted by signals sometimes failed to restart and instead returned -ENOSYS which in the worst case lead to userspace crashes. A similiar problem existed on MIPS and was fixed by commit e967ef02 ("MIPS: Fix restart of indirect syscalls"). On parisc the current syscall restart code assumes that all syscall callers load the syscall number in the delay slot of the ble instruction. That's how it is e.g. done in the unistd.h header file: ble 0x100(%sr2, %r0) ldi #syscall_nr, %r20 Because of that assumption the current code never restored %r20 before returning to userspace. This assumption is at least not true for code which uses the glibc syscall() function, which instead uses this syntax: ble 0x100(%sr2, %r0) copy regX, %r20 where regX depend on how the compiler optimizes the code and register usage. This patch fixes this problem by adding code to analyze how the syscall number is loaded in the delay branch and - if needed - copy the syscall number to regX prior returning to userspace for the syscall restart. Signed-off-by: Helge Deller Cc: Mathieu Desnoyers [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 027466a78ea676dcb831fef6ec9092f25b8fa624 Author: David Howells Date: Fri Dec 18 01:34:26 2015 +0000 KEYS: Fix race between read and revoke commit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream. This fixes CVE-2015-7550. There's a race between keyctl_read() and keyctl_revoke(). If the revoke happens between keyctl_read() checking the validity of a key and the key's semaphore being taken, then the key type read method will see a revoked key. This causes a problem for the user-defined key type because it assumes in its read method that there will always be a payload in a non-revoked key and doesn't check for a NULL pointer. Fix this by making keyctl_read() check the validity of a key after taking semaphore instead of before. I think the bug was introduced with the original keyrings code. This was discovered by a multithreaded test program generated by syzkaller (http://github.com/google/syzkaller). Here's a cleaned up version: #include #include #include void *thr0(void *arg) { key_serial_t key = (unsigned long)arg; keyctl_revoke(key); return 0; } void *thr1(void *arg) { key_serial_t key = (unsigned long)arg; char buffer[16]; keyctl_read(key, buffer, 16); return 0; } int main() { key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); pthread_t th[5]; pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); pthread_join(th[0], 0); pthread_join(th[1], 0); pthread_join(th[2], 0); pthread_join(th[3], 0); return 0; } Build as: cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread Run as: while keyctl-race; do :; done as it may need several iterations to crash the kernel. The crash can be summarised as: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [] user_read+0x56/0xa3 ... Call Trace: [] keyctl_read_key+0xb6/0xd7 [] SyS_keyctl+0x83/0xe0 [] entry_SYSCALL_64_fastpath+0x12/0x6f Reported-by: Dmitry Vyukov Signed-off-by: David Howells Tested-by: Dmitry Vyukov Signed-off-by: James Morris Signed-off-by: Ben Hutchings commit 10037421b529bc1fc18994e94e37d745184c4ea9 Author: Alan Stern Date: Wed Dec 16 13:32:38 2015 -0500 USB: fix invalid memory access in hub_activate() commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea upstream. Commit 8520f38099cc ("USB: change hub initialization sleeps to delayed_work") changed the hub_activate() routine to make part of it run in a workqueue. However, the commit failed to take a reference to the usb_hub structure or to lock the hub interface while doing so. As a result, if a hub is plugged in and quickly unplugged before the work routine can run, the routine will try to access memory that has been deallocated. Or, if the hub is unplugged while the routine is running, the memory may be deallocated while it is in active use. This patch fixes the problem by taking a reference to the usb_hub at the start of hub_activate() and releasing it at the end (when the work is finished), and by locking the hub interface while the work routine is running. It also adds a check at the start of the routine to see if the hub has already been disconnected, in which nothing should be done. Signed-off-by: Alan Stern Reported-by: Alexandru Cornea Tested-by: Alexandru Cornea Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work") Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: add prototype for hub_release() before first use] Signed-off-by: Ben Hutchings commit 53a68d3f1629de82ddeb4e0882b0727fc230a6f3 Author: Dan Carpenter Date: Wed Dec 16 14:06:37 2015 +0300 USB: ipaq.c: fix a timeout loop commit abdc9a3b4bac97add99e1d77dc6d28623afe682b upstream. The code expects the loop to end with "retries" set to zero but, because it is a post-op, it will end set to -1. I have fixed this by moving the decrement inside the loop. Fixes: 014aa2a3c32e ('USB: ipaq: minor ipaq_open() cleanup.') Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings commit 16f592aba4a0e7741823a37b0e5064f08c5f6dc1 Author: Konrad Rzeszutek Wilk Date: Mon Nov 2 18:13:27 2015 -0500 xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set. commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 upstream. commit f598282f51 ("PCI: Fix the NIU MSI-X problem in a better way") teaches us that dealing with MSI-X can be troublesome. Further checks in the MSI-X architecture shows that if the PCI_COMMAND_MEMORY bit is turned of in the PCI_COMMAND we may not be able to access the BAR (since they are memory regions). Since the MSI-X tables are located in there.. that can lead to us causing PCIe errors. Inhibit us performing any operation on the MSI-X unless the MEMORY bit is set. Note that Xen hypervisor with: "x86/MSI-X: access MSI-X table only after having enabled MSI-X" will return: xen_pciback: 0000:0a:00.1: error -6 enabling MSI-X for guest 3! When the generic MSI code tries to setup the PIRQ without MEMORY bit set. Which means with later versions of Xen (4.6) this patch is not neccessary. This is part of XSA-157 Reviewed-by: Jan Beulich Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit 5a08e0db712f72ee8645ec8f38c6f0a937f26304 Author: Konrad Rzeszutek Wilk Date: Wed Apr 1 10:49:47 2015 -0400 xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled. commit 7cfb905b9638982862f0331b36ccaaca5d383b49 upstream. Otherwise just continue on, returning the same values as previously (return of 0, and op->result has the PIRQ value). This does not change the behavior of XEN_PCI_OP_disable_msi[|x]. The pci_disable_msi or pci_disable_msix have the checks for msi_enabled or msix_enabled so they will error out immediately. However the guest can still call these operations and cause us to disable the 'ack_intr'. That means the backend IRQ handler for the legacy interrupt will not respond to interrupts anymore. This will lead to (if the device is causing an interrupt storm) for the Linux generic code to disable the interrupt line. Naturally this will only happen if the device in question is plugged in on the motherboard on shared level interrupt GSI. This is part of XSA-157 Reviewed-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit b5f917bfab481c485ec5f8ae1bc71b01076bcad1 Author: Konrad Rzeszutek Wilk Date: Mon Nov 2 17:24:08 2015 -0500 xen/pciback: Do not install an IRQ handler for MSI interrupts. commit a396f3a210c3a61e94d6b87ec05a75d0be2a60d0 upstream. Otherwise an guest can subvert the generic MSI code to trigger an BUG_ON condition during MSI interrupt freeing: for (i = 0; i < entry->nvec_used; i++) BUG_ON(irq_has_action(entry->irq + i)); Xen PCI backed installs an IRQ handler (request_irq) for the dev->irq whenever the guest writes PCI_COMMAND_MEMORY (or PCI_COMMAND_IO) to the PCI_COMMAND register. This is done in case the device has legacy interrupts the GSI line is shared by the backend devices. To subvert the backend the guest needs to make the backend to change the dev->irq from the GSI to the MSI interrupt line, make the backend allocate an interrupt handler, and then command the backend to free the MSI interrupt and hit the BUG_ON. Since the backend only calls 'request_irq' when the guest writes to the PCI_COMMAND register the guest needs to call XEN_PCI_OP_enable_msi before any other operation. This will cause the generic MSI code to setup an MSI entry and populate dev->irq with the new PIRQ value. Then the guest can write to PCI_COMMAND PCI_COMMAND_MEMORY and cause the backend to setup an IRQ handler for dev->irq (which instead of the GSI value has the MSI pirq). See 'xen_pcibk_control_isr'. Then the guest disables the MSI: XEN_PCI_OP_disable_msi which ends up triggering the BUG_ON condition in 'free_msi_irqs' as there is an IRQ handler for the entry->irq (dev->irq). Note that this cannot be done using MSI-X as the generic code does not over-write dev->irq with the MSI-X PIRQ values. The patch inhibits setting up the IRQ handler if MSI or MSI-X (for symmetry reasons) code had been called successfully. P.S. Xen PCIBack when it sets up the device for the guest consumption ends up writting 0 to the PCI_COMMAND (see xen_pcibk_reset_device). XSA-120 addendum patch removed that - however when upstreaming said addendum we found that it caused issues with qemu upstream. That has now been fixed in qemu upstream. This is part of XSA-157 Reviewed-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit b1c1eb79f39fe1b9f5c56e75d585faed9d30f61d Author: Konrad Rzeszutek Wilk Date: Mon Nov 2 18:07:44 2015 -0500 xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled commit 5e0ce1455c09dd61d029b8ad45d82e1ac0b6c4c9 upstream. The guest sequence of: a) XEN_PCI_OP_enable_msix b) XEN_PCI_OP_enable_msix results in hitting an NULL pointer due to using freed pointers. The device passed in the guest MUST have MSI-X capability. The a) constructs and SysFS representation of MSI and MSI groups. The b) adds a second set of them but adding in to SysFS fails (duplicate entry). 'populate_msi_sysfs' frees the newly allocated msi_irq_groups (note that in a) pdev->msi_irq_groups is still set) and also free's ALL of the MSI-X entries of the device (the ones allocated in step a) and b)). The unwind code: 'free_msi_irqs' deletes all the entries and tries to delete the pdev->msi_irq_groups (which hasn't been set to NULL). However the pointers in the SysFS are already freed and we hit an NULL pointer further on when 'strlen' is attempted on a freed pointer. The patch adds a simple check in the XEN_PCI_OP_enable_msix to guard against that. The check for msi_enabled is not stricly neccessary. This is part of XSA-157 Reviewed-by: David Vrabel Reviewed-by: Jan Beulich Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit 9bb38c41353fa56c8d5c0a18becab89a503a514e Author: Konrad Rzeszutek Wilk Date: Fri Apr 3 11:08:22 2015 -0400 xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled commit 56441f3c8e5bd45aab10dd9f8c505dd4bec03b0d upstream. The guest sequence of: a) XEN_PCI_OP_enable_msi b) XEN_PCI_OP_enable_msi c) XEN_PCI_OP_disable_msi results in hitting an BUG_ON condition in the msi.c code. The MSI code uses an dev->msi_list to which it adds MSI entries. Under the above conditions an BUG_ON() can be hit. The device passed in the guest MUST have MSI capability. The a) adds the entry to the dev->msi_list and sets msi_enabled. The b) adds a second entry but adding in to SysFS fails (duplicate entry) and deletes all of the entries from msi_list and returns (with msi_enabled is still set). c) pci_disable_msi passes the msi_enabled checks and hits: BUG_ON(list_empty(dev_to_msi_list(&dev->dev))); and blows up. The patch adds a simple check in the XEN_PCI_OP_enable_msi to guard against that. The check for msix_enabled is not stricly neccessary. This is part of XSA-157. Reviewed-by: David Vrabel Reviewed-by: Jan Beulich Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit 9cbc2b03e6d123d551db7e02c60545a1484fe5e2 Author: Konrad Rzeszutek Wilk Date: Mon Nov 16 12:40:48 2015 -0500 xen/pciback: Save xen_pci_op commands before processing it commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 upstream. Double fetch vulnerabilities that happen when a variable is fetched twice from shared memory but a security check is only performed the first time. The xen_pcibk_do_op function performs a switch statements on the op->cmd value which is stored in shared memory. Interestingly this can result in a double fetch vulnerability depending on the performed compiler optimization. This patch fixes it by saving the xen_pci_op command before processing it. We also use 'barrier' to make sure that the compiler does not perform any optimization. This is part of XSA155. Reviewed-by: Konrad Rzeszutek Wilk Signed-off-by: Jan Beulich Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit c25a100a2e2bf4ca34864f8123bf41e471addc49 Author: Roger Pau Monné Date: Tue Nov 3 16:34:09 2015 +0000 xen-blkback: only read request operation from shared ring once commit 1f13d75ccb806260079e0679d55d9253e370ec8a upstream. A compiler may load a switch statement value multiple times, which could be bad when the value is in memory shared with the frontend. When converting a non-native request to a native one, ensure that src->operation is only loaded once by using READ_ONCE(). This is part of XSA155. Signed-off-by: Roger Pau Monné Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk [bwh: Backported to 3.2: - s/READ_ONCE/ACCESS_ONCE/ - Adjust context] Signed-off-by: Ben Hutchings commit cbc4bd7f5ffddeff26a82f6e35baa6690f3e7474 Author: David Vrabel Date: Fri Oct 30 15:17:06 2015 +0000 xen-netback: use RING_COPY_REQUEST() throughout commit 68a33bfd8403e4e22847165d149823a2e0e67c9c upstream. Instead of open-coding memcpy()s and directly accessing Tx and Rx requests, use the new RING_COPY_REQUEST() that ensures the local copy is correct. This is more than is strictly necessary for guest Rx requests since only the id and gref fields are used and it is harmless if the frontend modifies these. This is part of XSA155. Reviewed-by: Wei Liu Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk [bwh: Backported to 3.2: - s/queue/vif/g - Adjust context] Signed-off-by: Ben Hutchings commit cbf0c8563f3eb28d65077242072dbc4d1ac88ce2 Author: David Vrabel Date: Fri Oct 30 15:16:01 2015 +0000 xen-netback: don't use last request to determine minimum Tx credit commit 0f589967a73f1f30ab4ac4dd9ce0bb399b4d6357 upstream. The last from guest transmitted request gives no indication about the minimum amount of credit that the guest might need to send a packet since the last packet might have been a small one. Instead allow for the worst case 128 KiB packet. This is part of XSA155. CC: stable@vger.kernel.org Reviewed-by: Wei Liu Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk [bwh: Backported to 3.2: s/queue/vif/g] Signed-off-by: Ben Hutchings commit a489a13bfc648d5d3764d2fe064135f83ff34ee8 Author: David Vrabel Date: Fri Oct 30 14:58:08 2015 +0000 xen: Add RING_COPY_REQUEST() commit 454d5d882c7e412b840e3c99010fe81a9862f6fb upstream. Using RING_GET_REQUEST() on a shared ring is easy to use incorrectly (i.e., by not considering that the other end may alter the data in the shared ring while it is being inspected). Safe usage of a request generally requires taking a local copy. Provide a RING_COPY_REQUEST() macro to use instead of RING_GET_REQUEST() and an open-coded memcpy(). This takes care of ensuring that the copy is done correctly regardless of any possible compiler optimizations. Use a volatile source to prevent the compiler from reordering or omitting the copy. This is part of XSA155. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Ben Hutchings commit 45f32e359d36dd045e4af0d1bea8bbbafd81eeb7 Author: Michael Holzheu Date: Thu Dec 17 19:06:02 2015 +0100 s390/dis: Fix handling of format specifiers commit 272fa59ccb4fc802af28b1d699c2463db6a71bf7 upstream. The print_insn() function returns strings like "lghi %r1,0". To escape the '%' character in sprintf() a second '%' is used. For example "lghi %%r1,0" is converted into "lghi %r1,0". After print_insn() the output string is passed to printk(). Because format specifiers like "%r" or "%f" are ignored by printk() this works by chance most of the time. But for instructions with control registers like "lctl %c6,%c6,780" this fails because printk() interprets "%c" as character format specifier. Fix this problem and escape the '%' characters twice. For example "lctl %%%%c6,%%%%c6,780" is then converted by sprintf() into "lctl %%c6,%%c6,780" and by printk() into "lctl %c6,%c6,780". Signed-off-by: Michael Holzheu Signed-off-by: Martin Schwidefsky [bwh: Backported to 3.2: drop the OPERAND_VR case] Signed-off-by: Ben Hutchings commit fa41a0adbc216e18afe7a2dd4386f614899a0653 Author: Steven Rostedt (Red Hat) Date: Tue Dec 15 16:06:10 2015 -0500 ftrace/scripts: Have recordmcount copy the object file commit a50bd43935586420fb75f4558369eb08566fac5e upstream. Russell King found that he had weird side effects when compiling the kernel with hard linked ccache. The reason was that recordmcount modified the kernel in place via mmap, and when a file gets modified twice by recordmcount, it will complain about it. To fix this issue, Russell wrote a patch that checked if the file was hard linked more than once and would unlink it if it was. Linus Torvalds was not happy with the fact that recordmcount does this in place modification. Instead of doing the unlink only if the file has two or more hard links, it does the unlink all the time. In otherwords, it always does a copy if it changed something. That is, it does the write out if a change was made. Signed-off-by: Steven Rostedt Signed-off-by: Ben Hutchings commit 35da6d62b608fd3beb576d72e48e2bc866d714c9 Author: Hannes Frederic Sowa Date: Mon Dec 14 23:30:43 2015 +0100 net: fix warnings in 'make htmldocs' by moving macro definition out of field declaration commit 7bbadd2d1009575dad675afc16650ebb5aa10612 upstream. Docbook does not like the definition of macros inside a field declaration and adds a warning. Move the definition out. Fixes: 79462ad02e86180 ("net: add validation for the socket syscall protocol argument") Reported-by: kbuild test robot Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller [bwh: Backported to 3.2: keep open-coding U8_MAX] Signed-off-by: Ben Hutchings commit 9475edfee93bc3e1b8b96de3bd4823210e39303c Author: Russell King Date: Fri Dec 11 12:09:03 2015 +0000 scripts: recordmcount: break hardlinks commit dd39a26538e37f6c6131e829a4a510787e43c783 upstream. recordmcount edits the file in-place, which can cause problems when using ccache in hardlink mode. Arrange for recordmcount to break a hardlinked object. Link: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk Signed-off-by: Russell King Signed-off-by: Steven Rostedt Signed-off-by: Ben Hutchings commit 40ddf30ca43b50019304303949c9b2676cfbd820 Author: Johan Hovold Date: Mon Dec 14 16:16:19 2015 +0100 spi: fix parent-device reference leak commit 157f38f993919b648187ba341bfb05d0e91ad2f6 upstream. Fix parent-device reference leak due to SPI-core taking an unnecessary reference to the parent when allocating the master structure, a reference that was never released. Note that driver core takes its own reference to the parent when the master device is registered. Fixes: 49dce689ad4e ("spi doesn't need class_device") Signed-off-by: Johan Hovold Signed-off-by: Mark Brown Signed-off-by: Ben Hutchings commit 521e4101aaf46b2f37088453a1e935604cdd7f2a Author: Tilman Schmidt Date: Tue Dec 15 18:11:30 2015 +0100 ser_gigaset: fix deallocation of platform device structure commit 4c5e354a974214dfb44cd23fa0429327693bc3ea upstream. When shutting down the device, the struct ser_cardstate must not be kfree()d immediately after the call to platform_device_unregister() since the embedded struct platform_device is still in use. Move the kfree() call to the release method instead. Signed-off-by: Tilman Schmidt Fixes: 2869b23e4b95 ("drivers/isdn/gigaset: new M101 driver (v2)") Reported-by: Sasha Levin Signed-off-by: Paul Bolle Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 7eb2a0151e7c8a95d1be33a923718fb690452c61 Author: Dan Carpenter Date: Tue Dec 15 13:07:52 2015 +0300 mISDN: fix a loop count commit 40d24c4d8a7430aa4dfd7a665fa3faf3b05b673f upstream. There are two issue here. 1) cnt starts as maxloop + 1 so all these loops iterate one more time than intended. 2) At the end of the loop we test for "if (maxloop && !cnt)" but for the first two loops, we end with cnt equal to -1. Changing this to a pre-op means we end with cnt set to 0. Fixes: cae86d4a4e56 ('mISDN: Add driver for Infineon ISDN chipset family') Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit b7c9785c48cd750d45823a21eb0d0270739d6c31 Author: Sergei Shtylyov Date: Sun Dec 13 21:27:04 2015 +0300 sh_eth: fix TX buffer byte-swapping commit 3e2309937f1e5d538ff13da5fb8de41196927c61 upstream. For the little-endian SH771x kernels the driver has to byte-swap the RX/TX buffers, however yet unset physcial address from the TX descriptor is used to call sh_eth_soft_swap(). Use 'skb->data' instead... Fixes: 31fcb99d9958 ("net: sh_eth: remove __flush_purge_region") Signed-off-by: Sergei Shtylyov Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings commit 973c0593a04478d6863a646e6a5ef8d206aceda5 Author: Anssi Hannula Date: Sun Dec 13 20:49:58 2015 +0200 ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly commit 42e3121d90f42e57f6dbd6083dff2f57b3ec7daa upstream. AudioQuest DragonFly DAC reports a volume control range of 0..50 (0x0000..0x0032) which in USB Audio means a range of 0 .. 0.2dB, which is obviously incorrect and would cause software using the dB information in e.g. volume sliders to have a massive volume difference in 100..102% range. Commit 2d1cb7f658fb ("ALSA: usb-audio: add dB range mapping for some devices") added a dB range mapping for it with range 0..50 dB. However, the actual volume mapping seems to be neither linear volume nor linear dB scale, but instead quite close to the cubic mapping e.g. alsamixer uses, with a range of approx. -53...0 dB. Replace the previous quirk with a custom dB mapping based on some basic output measurements, using a 10-item range TLV (which will still fit in alsa-lib MAX_TLV_RANGE_SIZE). Tested on AudioQuest DragonFly HW v1.2. The quirk is only applied if the range is 0..50, so if this gets fixed/changed in later HW revisions it will no longer be applied. v2: incorporated Takashi Iwai's suggestion for the quirk application method Signed-off-by: Anssi Hannula Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: open-code usb_audio_info()] Signed-off-by: Ben Hutchings commit d63757a5f8c048cfc6a4e14a38ee21006678e3c1 Author: Clemens Ladisch Date: Sun Nov 20 17:17:35 2011 +0100 ALSA: tlv: add DECLARE_TLV_DB_RANGE() commit bf1d1c9b6179faa3bc32cee882462bc8eebde25d upstream. Add a DECLARE_TLV_DB_RANGE() macro so that dB range information can be specified without having to count the items manually for TLV_DB_RANGE_HEAD(). Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit 56929bfbedb1fa88408d74e5d8a3a848020aa89f Author: Clemens Ladisch Date: Sun Nov 20 16:22:24 2011 +0100 ALSA: tlv: compute TLV_*_ITEM lengths automatically commit b5b9eb546762c4015c67c31364a6ec6f83fd2ada upstream. Add helper macros with a little bit of preprocessor magic to automatically compute the length of a TLV item. This lets us avoid having to compute this by hand, and will allow to use items that do not use a fixed length. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings commit b23324ffa8ef8cc96865db76db938905d61d949a Author: Peter Hurley Date: Fri Nov 27 14:25:08 2015 -0500 tty: Fix GPF in flush_to_ldisc() commit 9ce119f318ba1a07c29149301f1544b6c4bea52a upstream. A line discipline which does not define a receive_buf() method can can cause a GPF if data is ever received [1]. Oddly, this was known to the author of n_tracesink in 2011, but never fixed. [1] GPF report BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) PGD 3752d067 PUD 37a7b067 PMD 0 Oops: 0010 [#1] SMP KASAN Modules linked in: CPU: 2 PID: 148 Comm: kworker/u10:2 Not tainted 4.4.0-rc2+ #51 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: events_unbound flush_to_ldisc task: ffff88006da94440 ti: ffff88006db60000 task.ti: ffff88006db60000 RIP: 0010:[<0000000000000000>] [< (null)>] (null) RSP: 0018:ffff88006db67b50 EFLAGS: 00010246 RAX: 0000000000000102 RBX: ffff88003ab32f88 RCX: 0000000000000102 RDX: 0000000000000000 RSI: ffff88003ab330a6 RDI: ffff88003aabd388 RBP: ffff88006db67c48 R08: ffff88003ab32f9c R09: ffff88003ab31fb0 R10: ffff88003ab32fa8 R11: 0000000000000000 R12: dffffc0000000000 R13: ffff88006db67c20 R14: ffffffff863df820 R15: ffff88003ab31fb8 FS: 0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000000 CR3: 0000000037938000 CR4: 00000000000006e0 Stack: ffffffff829f46f1 ffff88006da94bf8 ffff88006da94bf8 0000000000000000 ffff88003ab31fb0 ffff88003aabd438 ffff88003ab31ff8 ffff88006430fd90 ffff88003ab32f9c ffffed0007557a87 1ffff1000db6cf78 ffff88003ab32078 Call Trace: [] process_one_work+0x8f1/0x17a0 kernel/workqueue.c:2030 [] worker_thread+0xd4/0x1180 kernel/workqueue.c:2162 [] kthread+0x1cf/0x270 drivers/block/aoe/aoecmd.c:1302 [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 Code: Bad RIP value. RIP [< (null)>] (null) RSP CR2: 0000000000000000 ---[ end trace a587f8947e54d6ea ]--- Reported-by: Dmitry Vyukov Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 344d6d02690a650607e6372bce8fe40e647a51b5 Author: James Bottomley Date: Fri Dec 11 09:16:38 2015 -0800 ses: fix additional element traversal bug commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream. KASAN found that our additional element processing scripts drop off the end of the VPD page into unallocated space. The reason is that not every element has additional information but our traversal routines think they do, leading to them expecting far more additional information than is present. Fix this by adding a gate to the traversal routine so that it only processes elements that are expected to have additional information (list is in SES-2 section 6.1.13.1: Additional Element Status diagnostic page overview) Reported-by: Pavel Tikhomirov Tested-by: Pavel Tikhomirov Signed-off-by: James Bottomley Signed-off-by: Ben Hutchings commit 25ef938516d26c3db9cb1f5b927ad7ee95be1022 Author: James Bottomley Date: Tue Dec 8 09:00:31 2015 -0800 ses: Fix problems with simple enclosures commit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream. Simple enclosure implementations (mostly USB) are allowed to return only page 8 to every diagnostic query. That really confuses our implementation because we assume the return is the page we asked for and end up doing incorrect offsets based on bogus information leading to accesses outside of allocated ranges. Fix that by checking the page code of the return and giving an error if it isn't the one we asked for. This should fix reported bugs with USB storage by simply refusing to attach to enclosures that behave like this. It's also good defensive practise now that we're starting to see more USB enclosures. Reported-by: Andrea Gelmini Reviewed-by: Ewan D. Milne Reviewed-by: Tomas Henzl Signed-off-by: James Bottomley Signed-off-by: Ben Hutchings commit 6f23bc6f6be370267332a0278a4646126836baee Author: Johannes Berg Date: Thu Dec 10 10:37:51 2015 +0100 rfkill: copy the name into the rfkill struct commit b7bb110008607a915298bf0f47d25886ecb94477 upstream. Some users of rfkill, like NFC and cfg80211, use a dynamic name when allocating rfkill, in those cases dev_name(). Therefore, the pointer passed to rfkill_alloc() might not be valid forever, I specifically found the case that the rfkill name was quite obviously an invalid pointer (or at least garbage) when the wiphy had been renamed. Fix this by making a copy of the rfkill name in rfkill_alloc(). Signed-off-by: Johannes Berg Signed-off-by: Ben Hutchings commit f659a818a42f4be9cffdc8bda4afca8b7cc5d98d Author: Jason A. Donenfeld Date: Sun Dec 6 02:51:37 2015 +0100 crypto: skcipher - Copy iv from desc even for 0-len walks commit 70d906bc17500edfa9bdd8c8b7e59618c7911613 upstream. Some ciphers actually support encrypting zero length plaintexts. For example, many AEAD modes support this. The resulting ciphertext for those winds up being only the authentication tag, which is a result of the key, the iv, the additional data, and the fact that the plaintext had zero length. The blkcipher constructors won't copy the IV to the right place, however, when using a zero length input, resulting in some significant problems when ciphers call their initialization routines, only to find that the ->iv parameter is uninitialized. One such example of this would be using chacha20poly1305 with a zero length input, which then calls chacha20, which calls the key setup routine, which eventually OOPSes due to the uninitialized ->iv member. Signed-off-by: Jason A. Donenfeld Signed-off-by: Herbert Xu [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit 4942dccb5d2ca761c835dc2e07d3604f60771473 Author: Wang Dongsheng Date: Thu Dec 3 09:54:12 2015 +0800 video: fbdev: fsl: Fix kernel crash when diu_ops is not implemented commit acfc1cc13fe5bc6d7a10afa624f1e560850ddad3 upstream. If diu_ops is not implemented on platform, kernel will access a NULL pointer. We need to check this pointer in DIU initialization. Signed-off-by: Wang Dongsheng Acked-by: Timur Tabi Signed-off-by: Tomi Valkeinen [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings commit f41bb6edb46b30f79ae7fc5d714faa607758a8d5 Author: Eric Dumazet Date: Mon Dec 7 08:25:21 2015 -0800 ipv6: sctp: fix lockdep splat in sctp_v6_get_dst() commit 69ce6487dcd364245a3d26322fc8f4ffd1e8d947 upstream. While cooking the sctp np->opt rcu fixes, I forgot to move one rcu_read_unlock() after the added rcu_dereference() in sctp_v6_get_dst() This gave lockdep warnings reported by Dave Jones. Fixes: c836a8ba9386 ("ipv6: sctp: add rcu protection around np->opt") Reported-by: Dave Jones Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings commit f911e974deba4ecff3bb9c9aac616da8328f4a2b Author: lucien Date: Sat Dec 5 15:35:36 2015 +0800 sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING commit 8a0d19c5ed417c78d03f4e0fa7215e58c40896d8 upstream. when A sends a data to B, then A close() and enter into SHUTDOWN_PENDING state, if B neither claim his rwnd is 0 nor send SACK for this data, A will keep retransmitting this data until t5 timeout, Max.Retrans times can't work anymore, which is bad. if B's rwnd is not 0, it should send abort after Max.Retrans times, only when B's rwnd == 0 and A's retransmitting beyonds Max.Retrans times, A will start t5 timer, which is also commit f8d960524328 ("sctp: Enforce retransmission limit during shutdown") means, but it lacks the condition peer rwnd == 0. so fix it by adding a bit (zero_window_announced) in peer to record if the last rwnd is 0. If it was, zero_window_announced will be set. and use this bit to decide if start t5 timer when local.state is SHUTDOWN_PENDING. Fixes: commit f8d960524328 ("sctp: Enforce retransmission limit during shutdown") Signed-off-by: Xin Long Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller [bwh: Backported to 3.2: change sack_needed to bitfield as done earlier upstream] Signed-off-by: Ben Hutchings