[PATCH 4.4 02/66] ipv6: add rcu grace period before freeing fib6_node

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Wei Wang 


[ Upstream commit c5cff8561d2d0006e972bd114afd51f082fee77c ]

We currently keep rt->rt6i_node pointing to the fib6_node for the route.
And some functions make use of this pointer to dereference the fib6_node
from rt structure, e.g. rt6_check(). However, as there is neither
refcount nor rcu taken when dereferencing rt->rt6i_node, it could
potentially cause crashes as rt->rt6i_node could be set to NULL by other
CPUs when doing a route deletion.
This patch introduces an rcu grace period before freeing fib6_node and
makes sure the functions that dereference it take rcu_read_lock().

Note: there is no "Fixes" tag because this bug was there in a very
early stage.

Signed-off-by: Wei Wang 
Acked-by: Eric Dumazet 
Acked-by: Martin KaFai Lau 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/ip6_fib.h |   30 +-
 net/ipv6/ip6_fib.c|   20 
 net/ipv6/route.c  |   14 +++---
 3 files changed, 56 insertions(+), 8 deletions(-)

--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -68,6 +68,7 @@ struct fib6_node {
__u16   fn_flags;
int fn_sernum;
struct rt6_info *rr_ptr;
+   struct rcu_head rcu;
 };
 
 #ifndef CONFIG_IPV6_SUBTREES
@@ -165,13 +166,40 @@ static inline void rt6_update_expires(st
rt0->rt6i_flags |= RTF_EXPIRES;
 }
 
+/* Function to safely get fn->sernum for passed in rt
+ * and store result in passed in cookie.
+ * Return true if we can get cookie safely
+ * Return false if not
+ */
+static inline bool rt6_get_cookie_safe(const struct rt6_info *rt,
+  u32 *cookie)
+{
+   struct fib6_node *fn;
+   bool status = false;
+
+   rcu_read_lock();
+   fn = rcu_dereference(rt->rt6i_node);
+
+   if (fn) {
+   *cookie = fn->fn_sernum;
+   status = true;
+   }
+
+   rcu_read_unlock();
+   return status;
+}
+
 static inline u32 rt6_get_cookie(const struct rt6_info *rt)
 {
+   u32 cookie = 0;
+
if (rt->rt6i_flags & RTF_PCPU ||
(unlikely(rt->dst.flags & DST_NOCACHE) && rt->dst.from))
rt = (struct rt6_info *)(rt->dst.from);
 
-   return rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
+   rt6_get_cookie_safe(rt, );
+
+   return cookie;
 }
 
 static inline void ip6_rt_put(struct rt6_info *rt)
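Review bot: The comment above `rt6_get_cookie_safe()` does not say that `*cookie` is left unwritten when the function returns false, and it names the field `fn->sernum` although the code reads `fn->fn_sernum`. `rt6_get_cookie()` relies on exactly that behaviour, pre-initialising `cookie = 0` and ignoring the return value, so I would add `/* On false, *cookie is not written; callers must initialise it or check the result. */`. The read is only safe because the node is now freed through `call_rcu()`, and that pairing deserves a mention in the same comment. The second argument of the call inside `rt6_get_cookie()` looks lost in this archive copy (presumably `&cookie`).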
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -150,11 +150,23 @@ static struct fib6_node *node_alloc(void
return fn;
 }
 
-static void node_free(struct fib6_node *fn)
+static void node_free_immediate(struct fib6_node *fn)
+{
+   kmem_cache_free(fib6_node_kmem, fn);
+}
+
+static void node_free_rcu(struct rcu_head *head)
 {
+   struct fib6_node *fn = container_of(head, struct fib6_node, rcu);
+
kmem_cache_free(fib6_node_kmem, fn);
 }
 
+static void node_free(struct fib6_node *fn)
+{
+   call_rcu(>rcu, node_free_rcu);
+}
+
 static void rt6_rcu_free(struct rt6_info *rt)
 {
call_rcu(>dst.rcu_head, dst_rcu_free);
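Review bot: `node_free_immediate()` frees without waiting for a grace period, and nothing at its definition says when that is allowed. It is only safe for a node that no RCU reader can reach through `rt->rt6i_node`. The callers in the later hunks (the `insert_above:` error path and the `sfn` failure path in `fib6_add()`) look like freshly allocated nodes that were never attached, but that is inferred from the visible context rather than shown. I would add `/* Only for nodes never published to readers; anything reachable from rt->rt6i_node must go through node_free(). */` above it so a later caller does not reintroduce the use-after-free this patch closes.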
@@ -588,9 +600,9 @@ insert_above:
 
if (!in || !ln) {
if (in)
-   node_free(in);
+   node_free_immediate(in);
if (ln)
-   node_free(ln);
+   node_free_immediate(ln);
return ERR_PTR(-ENOMEM);
}
 
@@ -1015,7 +1027,7 @@ int fib6_add(struct fib6_node *root, str
   root, and then (in failure) stale node
   in main tree.
 */
-   node_free(sfn);
+   node_free_immediate(sfn);
err = PTR_ERR(sn);
goto failure;
}
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1248,7 +1248,9 @@ static void rt6_dst_from_metrics_check(s
 
 static struct dst_entry *rt6_check(struct rt6_info *rt, u32 cookie)
 {
-   if (!rt->rt6i_node || (rt->rt6i_node->fn_sernum != cookie))
+   u32 rt_cookie;
+
+   if (!rt6_get_cookie_safe(rt, _cookie) || rt_cookie != cookie)
return NULL;
 
if (rt6_check_expired(rt))
@@ -1316,8 +1318,14 @@ static void ip6_link_failure(struct sk_b
if (rt->rt6i_flags & RTF_CACHE) {
dst_hold(>dst);
ip6_del_rt(rt);
-   } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) {
-   rt->rt6i_node->fn_sernum = -1;
+   } else {
+   struct fib6_node *fn;
+
+   rcu_read_lock();
+   fn = rcu_dereference(rt->rt6i_node);
+  

[PATCH 4.4 16/66] mm: prevent double decrease of nr_reserved_highatomic

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Minchan Kim 

commit 4855e4a7f29d6d10b0b9c84e189c770c9a94e91e upstream.

There is race between page freeing and unreserved highatomic.

 CPU 0  CPU 1

free_hot_cold_page
  mt = get_pfnblock_migratetype
  set_pcppage_migratetype(page, mt)
unreserve_highatomic_pageblock
spin_lock_irqsave(>lock)
move_freepages_block
set_pageblock_migratetype(page)
spin_unlock_irqrestore(>lock)
  free_pcppages_bulk
__free_one_page(mt) <- mt is stale

By above race, a page on CPU 0 could go to a non-highorderatomic free list
since the pageblock's type is changed.  By that, unreserve logic of
highorderatomic can decrease reserved count on a same pageblock several
times and then it will make mismatch between nr_reserved_highatomic and
the number of reserved pageblock.

So, this patch verifies whether the pageblock is highatomic or not and
decrease the count only if the pageblock is highatomic.

Link: 
http://lkml.kernel.org/r/1476259429-18279-3-git-send-email-minc...@kernel.org
Signed-off-by: Minchan Kim 
Acked-by: Vlastimil Babka 
Acked-by: Mel Gorman 
Cc: Joonsoo Kim 
Cc: Sangseok Lee 
Cc: Michal Hocko 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Cc: Miles Chen 
Signed-off-by: Greg Kroah-Hartman 

---
 mm/page_alloc.c |   24 ++--
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1748,13 +1748,25 @@ static void unreserve_highatomic_pageblo
struct page, lru);
 
/*
-* It should never happen but changes to locking could
-* inadvertently allow a per-cpu drain to add pages
-* to MIGRATE_HIGHATOMIC while unreserving so be safe
-* and watch for underflows.
+* In page freeing path, migratetype change is racy so
+* we can counter several free pages in a pageblock
+* in this loop althoug we changed the pageblock type
+* from highatomic to ac->migratetype. So we should
+* adjust the count once.
 */
-   zone->nr_reserved_highatomic -= min(pageblock_nr_pages,
-   zone->nr_reserved_highatomic);
+   if (get_pageblock_migratetype(page) ==
+   MIGRATE_HIGHATOMIC) {
+   /*
+* It should never happen but changes to
+* locking could inadvertently allow a per-cpu
+* drain to add pages to MIGRATE_HIGHATOMIC
+* while unreserving so be safe and watch for
+* underflows.
+*/
+   zone->nr_reserved_highatomic -= min(
+   pageblock_nr_pages,
+   zone->nr_reserved_highatomic);
+   }
 
/*
 * Convert to ac->migratetype and avoid the normal
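Review bot: The comment that opens the added block is hard to follow ("we can counter several free pages", "althoug"), and it is the only explanation of why the migratetype is re-checked before the counter is touched. Something like `/* Pages freed with a stale migratetype can sit on this list after their block was converted; only adjust the count while the block is still MIGRATE_HIGHATOMIC. */` states the same reason directly. The check is only meaningful if the zone lock is held across both `get_pageblock_migratetype()` and the conversion that follows. The race diagram in the commit message suggests it is, but the locking lies outside this hunk.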




[PATCH 4.4 22/66] MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 15560a58bfd4ff82cdd16b2270d4ef9b06d2cc4d upstream.

Fix the value returned by <MAX|MAXA|MIN|MINA>.<D|S>, if both inputs
are zeros. The right behavior in such cases is stated in instruction
reference manual and is as follows:

   fs  ft       MAX     MIN       MAXA    MINA
  ---------------------------------------------
    0   0        0       0         0       0
    0  -0        0      -0         0      -0
   -0   0        0      -0         0      -0
   -0  -0       -0      -0        -0      -0

Prior to this patch, some of the above cases were yielding correct
results. However, for the sake of code consistency, all such cases
are rewritten in this patch.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains +0.0, and ft contains -0.0, fd is going to contain
  +0.0 (without this patch, it used to contain -0.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16881/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |8 ++--
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |8 ++--
 4 files changed, 8 insertions(+), 24 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
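Review bot: `ieee754dp_zero(xs & ys)` packs the table from the commit message into a bit operation with no comment beside it, and the same holds for the `xs | ys` form in the MIN/MINA hunks and for the `sp_` files. A reader has to know that `xs` and `ys` are the sign bits (they are defined outside the hunk) to see that the result is -0 only when both inputs are -0. I would add `/* +0 unless both inputs are -0 */` here and `/* -0 if either input is -0 */` on the `|` variants.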
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmina(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
@@ -204,9 +202,7 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
- 

[PATCH 4.4 22/66] MIPS: math-emu: .: Fix cases of both inputs zero

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 15560a58bfd4ff82cdd16b2270d4ef9b06d2cc4d upstream.

Fix the value returned by <MAX|MAXA|MIN|MINA>.<D|S>, if both inputs
are zeros. The right behavior in such cases is stated in instruction
reference manual and is as follows:

   fs  ft       MAX     MIN       MAXA    MINA
  ---------------------------------------------
    0   0        0       0         0       0
    0  -0        0      -0         0      -0
   -0   0        0      -0         0      -0
   -0  -0       -0      -0        -0      -0

Prior to this patch, some of the above cases were yielding correct
results. However, for the sake of code consistency, all such cases
are rewritten in this patch.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains +0.0, and ft contains -0.0, fd is going to contain
  +0.0 (without this patch, it used to contain -0.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16881/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |8 ++--
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |8 ++--
 4 files changed, 8 insertions(+), 24 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmina(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
@@ -204,9 +202,7 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
@@ -204,9 +202,7 @@ union ieee754sp ieee754sp_fmina(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
- 

[PATCH 4.4 23/66] MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit aabf5cf02e22ebc4e541adf835910f388b6c3e65 upstream.

Fix the value returned by <MAX|MIN>.<D|S>, if both inputs are negative
normal fp numbers. The previous logic did not take into account that
if both inputs have the same sign, there should be separate treatment
of the cases when both inputs are negative and when both inputs are
positive.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains -5.0, and ft contains -7.0, fd is going to contain
  -5.0 (without this patch, it used to contain -7.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16882/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 96 insertions(+), 32 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return y;
+   return x;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return y;
-   return x;
+   return x;
+   return y;
 }
 
 union ieee754dp ieee754dp_fmaxa(union ieee754dp x, union ieee754dp y)
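Review bot: In the mantissa comparison the positive branch returns `y` on `xm <= ym` while the negative branch returns `x`, so the tie `xm == ym` is resolved differently by sign with no comment explaining why that is harmless. With sign, exponent and mantissa all equal the operands should be the same value, assuming both are in normalised form by this point, which is set up outside the hunk. A line such as `/* xm == ym: x and y are equal, either may be returned */` would settle it. The back-to-back `if (xs == 0)` tests could also be folded into one block per sign that compares exponents and then mantissas. The `dp_fmin.c` hunk has the same shape.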
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmin(union iee
else if (xs < ys)
return y;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return y;
-   else if (xe < ye)
-   return x;
+   /* Signs of inputs are the same, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return x;
+   return y;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return x;
-   return y;
+   return y;
+   return x;
 }
 
 union ieee754dp ieee754dp_fmina(union ieee754dp x, union ieee754dp y)
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -116,16 +116,32 @@ union ieee754sp ieee754sp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */

[PATCH 4.4 25/66] MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 3444c4eb534c20e44f0d6670b34263efaf8b531f upstream.

Fix the value returned by <MAXA|MINA>.<D|S> fd,fs,ft, if both inputs
are infinite. The previous implementation returned always the value
contained in ft in such cases. The correct behavior is specified
in Mips instruction set manual and is as follows:

    fs    ft    MAXA  MINA
  -------------------------
    inf   inf   inf   inf
    inf  -inf   inf  -inf
   -inf   inf   inf  -inf
   -inf  -inf  -inf  -inf

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains +inf, and ft contains -inf, fd is going to contain
  +inf (without this patch, it used to contain -inf).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16884/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |4 +++-
 arch/mips/math-emu/dp_fmin.c |4 +++-
 arch/mips/math-emu/sp_fmax.c |4 +++-
 arch/mips/math-emu/sp_fmin.c |4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
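Review bot: The new `INF, INF` case picks the sign with `xs & ys` (and `xs | ys` in the `fmina` hunks) without saying which result that encodes. `/* +inf unless both inputs are -inf */` here and `/* -inf if either input is -inf */` for MINA would tie the code to the table in the commit message. The `switch` and the definitions of `xs` and `ys` begin outside the hunk.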
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754sp ieee754sp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):

[PATCH 4.4 21/66] MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit e78bf0dc4789bdea1453595ae89e8db65918e22e upstream.

Fix the value returned by <MAX|MAXA|MIN|MINA>.<D|S> fd,fs,ft, if both
inputs are quiet NaNs. The <MAX|MAXA|MIN|MINA>.<D|S> specifications
state that the returned value in such cases should be the quiet NaN
contained in register fs.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains qNaN1, and ft contains qNaN2, fd is going to contain
  qNaN1 (without this patch, it used to contain qNaN2).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16880/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 112 insertions(+), 16 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmax(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
@@ -147,14 +159,26 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmin(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
   

[PATCH 4.4 04/66] qlge: avoid memcpy buffer overflow

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 


[ Upstream commit e58f95831e7468d25eb6e41f234842ecfe6f014f ]

gcc-8.0.0 (snapshot) points out that we copy a variable-length string
into a fixed length field using memcpy() with the destination length,
and that ends up copying whatever follows the string:

inlined from 'ql_core_dump' at 
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 
bytes from a region of size 14 [-Werror=stringop-overflow=]
  memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);

Changing it to use strncpy() will instead zero-pad the destination,
which seems to be the right thing to do here.

The bug is probably harmless, but it seems like a good idea to address
it in stable kernels as well, if only for the purpose of building with
gcc-8 without warnings.

Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
Signed-off-by: Arnd Bergmann 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/qlogic/qlge/qlge_dbg.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
+++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
@@ -724,7 +724,7 @@ static void ql_build_coredump_seg_header
seg_hdr->cookie = MPI_COREDUMP_COOKIE;
seg_hdr->segNum = seg_number;
seg_hdr->segSize = seg_size;
-   memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
+   strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
 }
 
 /*
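Review bot: `strncpy()` with `sizeof(seg_hdr->description) - 1` never writes the last byte of the field, so the description is NUL-terminated only if the header was zeroed before this line. The hunk does not show that, since the function body starts above it. If no earlier `memset()` exists, a `desc` that fills the field leaves an unterminated string, and the untouched byte carries whatever was in the buffer into the core dump. Adding `seg_hdr->description[sizeof(seg_hdr->description) - 1] = '\0';` after the copy makes the guarantee local to this function.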




[PATCH 4.4 03/66] ipv6: fix sparse warning on rt6i_node

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Wei Wang 


[ Upstream commit 4e587ea71bf924f7dac621f1351653bd41e446cb ]

Commit c5cff8561d2d adds rcu grace period before freeing fib6_node. This
generates a new sparse warning on rt->rt6i_node related code:
  net/ipv6/route.c:1394:30: error: incompatible types in comparison
  expression (different address spaces)
  ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
  expression (different address spaces)

This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
rcu API is used for it.
After this fix, sparse no longer generates the above warning.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Wei Wang 
Acked-by: Eric Dumazet 
Acked-by: Martin KaFai Lau 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/ip6_fib.h |2 +-
 net/ipv6/addrconf.c   |2 +-
 net/ipv6/ip6_fib.c|   11 +++
 net/ipv6/route.c  |3 ++-
 4 files changed, 11 insertions(+), 7 deletions(-)

--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -103,7 +103,7 @@ struct rt6_info {
 * the same cache line.
 */
struct fib6_table   *rt6i_table;
-   struct fib6_node*rt6i_node;
+   struct fib6_node __rcu  *rt6i_node;
 
struct in6_addr rt6i_gateway;
 
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5152,7 +5152,7 @@ static void __ipv6_ifa_notify(int event,
 * our DAD process, so we don't need
 * to do it again
 */
-   if (!(ifp->rt->rt6i_node))
+   if (!rcu_access_pointer(ifp->rt->rt6i_node))
ip6_ins_rt(ifp->rt);
if (ifp->idev->cnf.forwarding)
addrconf_join_anycast(ifp);
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -869,7 +869,7 @@ add:
 
rt->dst.rt6_next = iter;
*ins = rt;
-   rt->rt6i_node = fn;
+   rcu_assign_pointer(rt->rt6i_node, fn);
atomic_inc(>rt6i_ref);
inet6_rt_notify(RTM_NEWROUTE, rt, info, 0);
info->nl_net->ipv6.rt6_stats->fib_rt_entries++;
@@ -894,7 +894,7 @@ add:
return err;
 
*ins = rt;
-   rt->rt6i_node = fn;
+   rcu_assign_pointer(rt->rt6i_node, fn);
rt->dst.rt6_next = iter->dst.rt6_next;
atomic_inc(>rt6i_ref);
inet6_rt_notify(RTM_NEWROUTE, rt, info, NLM_F_REPLACE);
@@ -1454,8 +1454,9 @@ static void fib6_del_route(struct fib6_n
 
 int fib6_del(struct rt6_info *rt, struct nl_info *info)
 {
+   struct fib6_node *fn = rcu_dereference_protected(rt->rt6i_node,
+   lockdep_is_held(>rt6i_table->tb6_lock));
struct net *net = info->nl_net;
-   struct fib6_node *fn = rt->rt6i_node;
struct rt6_info **rtp;
 
 #if RT6_DEBUG >= 2
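Review bot: The new initialiser evaluates `rt->rt6i_table->tb6_lock` inside `lockdep_is_held()` at declaration time, before any of the function's checks on `rt` can run. With lockdep enabled that reaches through the table pointer even for a route whose `rt6i_table` is not set. Whether such a route can arrive at `fib6_del()` is not visible here, because the body continues past the hunk. If it can, declaring `fn` without an initialiser and assigning it after the sanity checks would be safer. The lock expression also looks truncated in this archive copy (presumably `&rt->rt6i_table->tb6_lock`).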
@@ -1644,7 +1645,9 @@ static int fib6_clean_node(struct fib6_w
if (res) {
 #if RT6_DEBUG >= 2
pr_debug("%s: del failed: rt=%p@%p err=%d\n",
-__func__, rt, rt->rt6i_node, res);
+__func__, rt,
+rcu_access_pointer(rt->rt6i_node),
+res);
 #endif
continue;
}
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1342,7 +1342,8 @@ static void rt6_do_update_pmtu(struct rt
 static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt)
 {
return !(rt->rt6i_flags & RTF_CACHE) &&
-   (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node);
+   (rt->rt6i_flags & RTF_PCPU ||
+rcu_access_pointer(rt->rt6i_node));
 }
 
 static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,




[PATCH 4.4 23/66] MIPS: math-emu: .: Fix cases of both inputs negative

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit aabf5cf02e22ebc4e541adf835910f388b6c3e65 upstream.

Fix the value returned by {MAX,MIN}.{D,S}, if both inputs are negative
normal fp numbers. The previous logic did not take into account that
if both inputs have the same sign, there should be separate treatment
of the cases when both inputs are negative and when both inputs are
positive.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains -5.0, and ft contains -7.0, fd is going to contain
  -5.0 (without this patch, it used to contain -7.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16882/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 96 insertions(+), 32 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return y;
+   return x;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return y;
-   return x;
+   return x;
+   return y;
 }
 
 union ieee754dp ieee754dp_fmaxa(union ieee754dp x, union ieee754dp y)
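Review bot: The sign test `xs == 0` is evaluated twice, and the two mantissa cases are laid out asymmetrically: the positive case is a braced block with its own returns, while the negative case is the unbraced tail of the function. Since the signs are known to be equal at this point, the ordering can be decided once and flipped for negative inputs: `if (xe != ye) return ((xe > ye) == (xs == 0)) ? x : y;` followed by `return ((xm > ym) == (xs == 0)) ? x : y;`. The same shape, with x and y swapped, applies to the dp_fmin.c hunk and to the sp_fmax.c hunk, which is cut off on this page. The start of ieee754dp_fmax is outside the hunk.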
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmin(union iee
else if (xs < ys)
return y;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return y;
-   else if (xe < ye)
-   return x;
+   /* Signs of inputs are the same, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return x;
+   return y;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return x;
-   return y;
+   return y;
+   return x;
 }
 
 union ieee754dp ieee754dp_fmina(union ieee754dp x, union ieee754dp y)
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -116,16 +116,32 @@ union ieee754sp ieee754sp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return y;
+   

[PATCH 4.4 25/66] MIPS: math-emu: .: Fix cases of both infinite inputs

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 3444c4eb534c20e44f0d6670b34263efaf8b531f upstream.

Fix the value returned by {MAXA,MINA}.{D,S} fd,fs,ft, if both inputs
are infinite. The previous implementation always returned the value
contained in ft in such cases. The correct behavior is specified
in the MIPS instruction set manual and is as follows:

  fs    ft    MAXA  MINA
  ----------------------
  inf   inf   inf   inf
  inf   -inf  inf   -inf
  -inf  inf   inf   -inf
  -inf  -inf  -inf  -inf

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains +inf, and ft contains -inf, fd is going to contain
  +inf (without this patch, it used to contain -inf).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16884/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |4 +++-
 arch/mips/math-emu/dp_fmin.c |4 +++-
 arch/mips/math-emu/sp_fmax.c |4 +++-
 arch/mips/math-emu/sp_fmin.c |4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
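Review bot: The sign of the returned infinity is expressed only through the bit operation in `ieee754dp_inf(xs & ys)`, so a reader has to go back to the commit message's table to see why it is correct. A one-line comment above the new case would carry that: `/* -inf only if both inputs are -inf */` here and in sp_fmax.c, and `/* -inf if either input is -inf */` on the `xs | ys` variants in dp_fmin.c and sp_fmin.c. This assumes xs and ys hold the sign bit with 0 meaning positive; their extraction is outside the hunk, as is the start of the enclosing switch.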
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754sp ieee754sp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754sp ieee754sp_fmina(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case 

[PATCH 4.4 21/66] MIPS: math-emu: .: Fix quiet NaN propagation

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit e78bf0dc4789bdea1453595ae89e8db65918e22e upstream.

Fix the value returned by {MAX,MAXA,MIN,MINA}.{D,S} fd,fs,ft, if both
inputs are quiet NaNs. The {MAX,MAXA,MIN,MINA}.{D,S} specifications
state that the returned value in such cases should be the quiet NaN
contained in register fs.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains qNaN1, and ft contains qNaN2, fd is going to contain
  qNaN1 (without this patch, it used to contain qNaN2).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16880/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 112 insertions(+), 16 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmax(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
@@ -147,14 +159,26 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmin(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
@@ -147,14 +159,26 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_SNAN, 

[PATCH 4.4 04/66] qlge: avoid memcpy buffer overflow

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 


[ Upstream commit e58f95831e7468d25eb6e41f234842ecfe6f014f ]

gcc-8.0.0 (snapshot) points out that we copy a variable-length string
into a fixed length field using memcpy() with the destination length,
and that ends up copying whatever follows the string:

inlined from 'ql_core_dump' at 
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 
bytes from a region of size 14 [-Werror=stringop-overflow=]
  memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);

Changing it to use strncpy() will instead zero-pad the destination,
which seems to be the right thing to do here.

The bug is probably harmless, but it seems like a good idea to address
it in stable kernels as well, if only for the purpose of building with
gcc-8 without warnings.

Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
Signed-off-by: Arnd Bergmann 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/qlogic/qlge/qlge_dbg.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
+++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
@@ -724,7 +724,7 @@ static void ql_build_coredump_seg_header
seg_hdr->cookie = MPI_COREDUMP_COOKIE;
seg_hdr->segNum = seg_number;
seg_hdr->segSize = seg_size;
-   memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
+   strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
 }
 
 /*
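Review bot: strncpy() with a count of `sizeof(seg_hdr->description) - 1` never writes the last byte of the field, so the description is NUL-terminated only if seg_hdr was cleared before this line, and the start of ql_build_coredump_seg_header is outside the hunk. If that clearing is there, a comment such as `/* seg_hdr is zeroed above; the final byte stays NUL */` would record the dependency. If it is not, add `seg_hdr->description[sizeof(seg_hdr->description) - 1] = '\0';` after the copy so consumers of the core dump never see an unterminated string.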




[PATCH 4.4 03/66] ipv6: fix sparse warning on rt6i_node

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Wei Wang 


[ Upstream commit 4e587ea71bf924f7dac621f1351653bd41e446cb ]

Commit c5cff8561d2d adds rcu grace period before freeing fib6_node. This
generates a new sparse warning on rt->rt6i_node related code:
  net/ipv6/route.c:1394:30: error: incompatible types in comparison
  expression (different address spaces)
  ./include/net/ip6_fib.h:187:14: error: incompatible types in comparison
  expression (different address spaces)

This commit adds "__rcu" tag for rt6i_node and makes sure corresponding
rcu API is used for it.
After this fix, sparse no longer generates the above warning.

Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Wei Wang 
Acked-by: Eric Dumazet 
Acked-by: Martin KaFai Lau 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/ip6_fib.h |2 +-
 net/ipv6/addrconf.c   |2 +-
 net/ipv6/ip6_fib.c|   11 +++
 net/ipv6/route.c  |3 ++-
 4 files changed, 11 insertions(+), 7 deletions(-)

--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -103,7 +103,7 @@ struct rt6_info {
 * the same cache line.
 */
struct fib6_table   *rt6i_table;
-   struct fib6_node*rt6i_node;
+   struct fib6_node __rcu  *rt6i_node;
 
struct in6_addr rt6i_gateway;
 
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -5152,7 +5152,7 @@ static void __ipv6_ifa_notify(int event,
 * our DAD process, so we don't need
 * to do it again
 */
-   if (!(ifp->rt->rt6i_node))
+   if (!rcu_access_pointer(ifp->rt->rt6i_node))
ip6_ins_rt(ifp->rt);
if (ifp->idev->cnf.forwarding)
addrconf_join_anycast(ifp);
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -869,7 +869,7 @@ add:
 
rt->dst.rt6_next = iter;
*ins = rt;
-   rt->rt6i_node = fn;
+   rcu_assign_pointer(rt->rt6i_node, fn);
atomic_inc(>rt6i_ref);
inet6_rt_notify(RTM_NEWROUTE, rt, info, 0);
info->nl_net->ipv6.rt6_stats->fib_rt_entries++;
@@ -894,7 +894,7 @@ add:
return err;
 
*ins = rt;
-   rt->rt6i_node = fn;
+   rcu_assign_pointer(rt->rt6i_node, fn);
rt->dst.rt6_next = iter->dst.rt6_next;
atomic_inc(>rt6i_ref);
inet6_rt_notify(RTM_NEWROUTE, rt, info, NLM_F_REPLACE);
@@ -1454,8 +1454,9 @@ static void fib6_del_route(struct fib6_n
 
 int fib6_del(struct rt6_info *rt, struct nl_info *info)
 {
+   struct fib6_node *fn = rcu_dereference_protected(rt->rt6i_node,
+   lockdep_is_held(>rt6i_table->tb6_lock));
struct net *net = info->nl_net;
-   struct fib6_node *fn = rt->rt6i_node;
struct rt6_info **rtp;
 
 #if RT6_DEBUG >= 2
@@ -1644,7 +1645,9 @@ static int fib6_clean_node(struct fib6_w
if (res) {
 #if RT6_DEBUG >= 2
pr_debug("%s: del failed: rt=%p@%p err=%d\n",
-__func__, rt, rt->rt6i_node, res);
+__func__, rt,
+rcu_access_pointer(rt->rt6i_node),
+res);
 #endif
continue;
}
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1342,7 +1342,8 @@ static void rt6_do_update_pmtu(struct rt
 static bool rt6_cache_allowed_for_pmtu(const struct rt6_info *rt)
 {
return !(rt->rt6i_flags & RTF_CACHE) &&
-   (rt->rt6i_flags & RTF_PCPU || rt->rt6i_node);
+   (rt->rt6i_flags & RTF_PCPU ||
+rcu_access_pointer(rt->rt6i_node));
 }
 
 static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,




[PATCH 4.4 07/66] Revert "net: use lib/percpu_counter API for fragmentation mem accounting"

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jesper Dangaard Brouer 


[ Upstream commit fb452a1aa3fd4034d7999e309c5466ff2d7005aa ]

This reverts commit 6d7b857d541ecd1d9bd997c97242d4ef94b19de2.

There is a bug in the fragmentation code's use of the percpu_counter API
that can cause issues on systems with many CPUs.

The frag_mem_limit() just reads the global counter (fbc->count),
without considering other CPUs can have upto batch size (130K) that
haven't been subtracted yet.  Due to the 3MBytes lower thresh limit,
this become dangerous at >=24 CPUs (3*1024*1024/13=24).

The correct API usage would be to use __percpu_counter_compare() which
does the right thing, and takes into account the number of (online)
CPUs and batch size, to account for this and call __percpu_counter_sum()
when needed.

We choose to revert the use of the lib/percpu_counter API for frag
memory accounting for several reasons:

1) On systems with CPUs > 24, the heavier fully locked
   __percpu_counter_sum() is always invoked, which will be more
   expensive than the atomic_t that is reverted to.

Given systems with more than 24 CPUs are becoming common this doesn't
seem like a good option.  To mitigate this, the batch size could be
decreased and thresh be increased.

2) The add_frag_mem_limit+sub_frag_mem_limit pairs happen on the RX
   CPU, before SKBs are pushed into sockets on remote CPUs.  Given
   NICs can only hash on L2 part of the IP-header, the NIC-RXq's will
   likely be limited.  Thus, a fair chance that atomic add+dec happen
   on the same CPU.

Revert note that commit 1d6119baf061 ("net: fix percpu memory leaks")
removed init_frag_mem_limit() and instead use inet_frags_init_net().
After this revert, inet_frags_uninit_net() becomes empty.

Fixes: 6d7b857d541e ("net: use lib/percpu_counter API for fragmentation mem 
accounting")
Fixes: 1d6119baf061 ("net: fix percpu memory leaks")
Signed-off-by: Jesper Dangaard Brouer 
Acked-by: Florian Westphal 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/inet_frag.h  |   36 +---
 net/ipv4/inet_fragment.c |4 +---
 2 files changed, 10 insertions(+), 30 deletions(-)

--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -1,14 +1,9 @@
 #ifndef __NET_FRAG_H__
 #define __NET_FRAG_H__
 
-#include 
-
 struct netns_frags {
-   /* The percpu_counter "mem" need to be cacheline aligned.
-*  mem.count must not share cacheline with other writers
-*/
-   struct percpu_counter   mem cacheline_aligned_in_smp;
-
+   /* Keep atomic mem on separate cachelines in structs that include it */
+   atomic_tmem cacheline_aligned_in_smp;
/* sysctls */
int timeout;
int high_thresh;
@@ -110,11 +105,11 @@ void inet_frags_fini(struct inet_frags *
 
 static inline int inet_frags_init_net(struct netns_frags *nf)
 {
-   return percpu_counter_init(>mem, 0, GFP_KERNEL);
+   atomic_set(>mem, 0);
+   return 0;
 }
 static inline void inet_frags_uninit_net(struct netns_frags *nf)
 {
-   percpu_counter_destroy(>mem);
 }
 
 void inet_frags_exit_net(struct netns_frags *nf, struct inet_frags *f);
@@ -140,37 +135,24 @@ static inline bool inet_frag_evicting(st
 
 /* Memory Tracking Functions. */
 
-/* The default percpu_counter batch size is not big enough to scale to
- * fragmentation mem acct sizes.
- * The mem size of a 64K fragment is approx:
- *  (44 fragments * 2944 truesize) + frag_queue struct(200) = 129736 bytes
- */
-static unsigned int frag_percpu_counter_batch = 13;
-
 static inline int frag_mem_limit(struct netns_frags *nf)
 {
-   return percpu_counter_read(>mem);
+   return atomic_read(>mem);
 }
 
 static inline void sub_frag_mem_limit(struct netns_frags *nf, int i)
 {
-   __percpu_counter_add(>mem, -i, frag_percpu_counter_batch);
+   atomic_sub(i, >mem);
 }
 
 static inline void add_frag_mem_limit(struct netns_frags *nf, int i)
 {
-   __percpu_counter_add(>mem, i, frag_percpu_counter_batch);
+   atomic_add(i, >mem);
 }
 
-static inline unsigned int sum_frag_mem_limit(struct netns_frags *nf)
+static inline int sum_frag_mem_limit(struct netns_frags *nf)
 {
-   unsigned int res;
-
-   local_bh_disable();
-   res = percpu_counter_sum_positive(>mem);
-   local_bh_enable();
-
-   return res;
+   return atomic_read(>mem);
 }
 
 /* RFC 3168 support :
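Review bot: After this change sum_frag_mem_limit() and frag_mem_limit() have identical bodies, and the return type of sum_frag_mem_limit() changes from unsigned int to int without comment. Callers are outside this hunk, so any that print or compare the value as unsigned should be checked. To keep a single read path the body could be `return frag_mem_limit(nf);`, with a short comment that both names are kept for existing callers. The same hunk is repeated in the second copy of this patch further down the page.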
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -234,10 +234,8 @@ evict_again:
cond_resched();
 
if (read_seqretry(>rnd_seqlock, seq) ||
-   percpu_counter_sum(>mem))
+   sum_frag_mem_limit(nf))
goto evict_again;
-
-   percpu_counter_destroy(>mem);
 }
 EXPORT_SYMBOL(inet_frags_exit_net);
 

[PATCH 4.4 07/66] Revert "net: use lib/percpu_counter API for fragmentation mem accounting"

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jesper Dangaard Brouer 


[ Upstream commit fb452a1aa3fd4034d7999e309c5466ff2d7005aa ]

This reverts commit 6d7b857d541ecd1d9bd997c97242d4ef94b19de2.

There is a bug in the fragmentation code's use of the percpu_counter API
that can cause issues on systems with many CPUs.

The frag_mem_limit() just reads the global counter (fbc->count),
without considering other CPUs can have upto batch size (130K) that
haven't been subtracted yet.  Due to the 3MBytes lower thresh limit,
this become dangerous at >=24 CPUs (3*1024*1024/13=24).

The correct API usage would be to use __percpu_counter_compare() which
does the right thing, and takes into account the number of (online)
CPUs and batch size, to account for this and call __percpu_counter_sum()
when needed.

We choose to revert the use of the lib/percpu_counter API for frag
memory accounting for several reasons:

1) On systems with CPUs > 24, the heavier fully locked
   __percpu_counter_sum() is always invoked, which will be more
   expensive than the atomic_t that is reverted to.

Given systems with more than 24 CPUs are becoming common this doesn't
seem like a good option.  To mitigate this, the batch size could be
decreased and thresh be increased.

2) The add_frag_mem_limit+sub_frag_mem_limit pairs happen on the RX
   CPU, before SKBs are pushed into sockets on remote CPUs.  Given
   NICs can only hash on L2 part of the IP-header, the NIC-RXq's will
   likely be limited.  Thus, a fair chance that atomic add+dec happen
   on the same CPU.

Revert note that commit 1d6119baf061 ("net: fix percpu memory leaks")
removed init_frag_mem_limit() and instead use inet_frags_init_net().
After this revert, inet_frags_uninit_net() becomes empty.

Fixes: 6d7b857d541e ("net: use lib/percpu_counter API for fragmentation mem 
accounting")
Fixes: 1d6119baf061 ("net: fix percpu memory leaks")
Signed-off-by: Jesper Dangaard Brouer 
Acked-by: Florian Westphal 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/inet_frag.h  |   36 +---
 net/ipv4/inet_fragment.c |4 +---
 2 files changed, 10 insertions(+), 30 deletions(-)

--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -1,14 +1,9 @@
 #ifndef __NET_FRAG_H__
 #define __NET_FRAG_H__
 
-#include 
-
 struct netns_frags {
-   /* The percpu_counter "mem" need to be cacheline aligned.
-*  mem.count must not share cacheline with other writers
-*/
-   struct percpu_counter   mem cacheline_aligned_in_smp;
-
+   /* Keep atomic mem on separate cachelines in structs that include it */
+   atomic_tmem cacheline_aligned_in_smp;
/* sysctls */
int timeout;
int high_thresh;
@@ -110,11 +105,11 @@ void inet_frags_fini(struct inet_frags *
 
 static inline int inet_frags_init_net(struct netns_frags *nf)
 {
-   return percpu_counter_init(>mem, 0, GFP_KERNEL);
+   atomic_set(>mem, 0);
+   return 0;
 }
 static inline void inet_frags_uninit_net(struct netns_frags *nf)
 {
-   percpu_counter_destroy(>mem);
 }
 
 void inet_frags_exit_net(struct netns_frags *nf, struct inet_frags *f);
@@ -140,37 +135,24 @@ static inline bool inet_frag_evicting(st
 
 /* Memory Tracking Functions. */
 
-/* The default percpu_counter batch size is not big enough to scale to
- * fragmentation mem acct sizes.
- * The mem size of a 64K fragment is approx:
- *  (44 fragments * 2944 truesize) + frag_queue struct(200) = 129736 bytes
- */
-static unsigned int frag_percpu_counter_batch = 13;
-
 static inline int frag_mem_limit(struct netns_frags *nf)
 {
-   return percpu_counter_read(>mem);
+   return atomic_read(>mem);
 }
 
 static inline void sub_frag_mem_limit(struct netns_frags *nf, int i)
 {
-   __percpu_counter_add(>mem, -i, frag_percpu_counter_batch);
+   atomic_sub(i, >mem);
 }
 
 static inline void add_frag_mem_limit(struct netns_frags *nf, int i)
 {
-   __percpu_counter_add(>mem, i, frag_percpu_counter_batch);
+   atomic_add(i, >mem);
 }
 
-static inline unsigned int sum_frag_mem_limit(struct netns_frags *nf)
+static inline int sum_frag_mem_limit(struct netns_frags *nf)
 {
-   unsigned int res;
-
-   local_bh_disable();
-   res = percpu_counter_sum_positive(>mem);
-   local_bh_enable();
-
-   return res;
+   return atomic_read(>mem);
 }
 
 /* RFC 3168 support :
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -234,10 +234,8 @@ evict_again:
cond_resched();
 
if (read_seqretry(>rnd_seqlock, seq) ||
-   percpu_counter_sum(>mem))
+   sum_frag_mem_limit(nf))
goto evict_again;
-
-   percpu_counter_destroy(>mem);
 }
 EXPORT_SYMBOL(inet_frags_exit_net);
 




[PATCH 4.4 08/66] Revert "net: fix percpu memory leaks"

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jesper Dangaard Brouer 


[ Upstream commit 5a63643e583b6a9789d7a225ae076fb4e603991c ]

This reverts commit 1d6119baf0610f813eb9d9580eb4fd16de5b4ceb.

After reverting commit 6d7b857d541e ("net: use lib/percpu_counter API
for fragmentation mem accounting") there is no need for this
fix-up patch.  As percpu_counter is no longer used, it can no
longer leak memory.

Fixes: 6d7b857d541e ("net: use lib/percpu_counter API for fragmentation mem 
accounting")
Fixes: 1d6119baf061 ("net: fix percpu memory leaks")
Signed-off-by: Jesper Dangaard Brouer 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/inet_frag.h |7 +--
 net/ieee802154/6lowpan/reassembly.c |   11 +++
 net/ipv4/ip_fragment.c  |   12 +++-
 net/ipv6/netfilter/nf_conntrack_reasm.c |   12 +++-
 net/ipv6/reassembly.c   |   12 +++-
 5 files changed, 13 insertions(+), 41 deletions(-)

--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -103,15 +103,10 @@ struct inet_frags {
 int inet_frags_init(struct inet_frags *);
 void inet_frags_fini(struct inet_frags *);
 
-static inline int inet_frags_init_net(struct netns_frags *nf)
+static inline void inet_frags_init_net(struct netns_frags *nf)
 {
atomic_set(>mem, 0);
-   return 0;
 }
-static inline void inet_frags_uninit_net(struct netns_frags *nf)
-{
-}
-
 void inet_frags_exit_net(struct netns_frags *nf, struct inet_frags *f);
 
 void inet_frag_kill(struct inet_frag_queue *q, struct inet_frags *f);
--- a/net/ieee802154/6lowpan/reassembly.c
+++ b/net/ieee802154/6lowpan/reassembly.c
@@ -580,19 +580,14 @@ static int __net_init lowpan_frags_init_
 {
struct netns_ieee802154_lowpan *ieee802154_lowpan =
net_ieee802154_lowpan(net);
-   int res;
 
ieee802154_lowpan->frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
ieee802154_lowpan->frags.low_thresh = IPV6_FRAG_LOW_THRESH;
ieee802154_lowpan->frags.timeout = IPV6_FRAG_TIMEOUT;
 
-   res = inet_frags_init_net(_lowpan->frags);
-   if (res)
-   return res;
-   res = lowpan_frags_ns_sysctl_register(net);
-   if (res)
-   inet_frags_uninit_net(_lowpan->frags);
-   return res;
+   inet_frags_init_net(_lowpan->frags);
+
+   return lowpan_frags_ns_sysctl_register(net);
 }
 
 static void __net_exit lowpan_frags_exit_net(struct net *net)
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -840,8 +840,6 @@ static void __init ip4_frags_ctl_registe
 
 static int __net_init ipv4_frags_init_net(struct net *net)
 {
-   int res;
-
/* Fragment cache limits.
 *
 * The fragment memory accounting code, (tries to) account for
@@ -865,13 +863,9 @@ static int __net_init ipv4_frags_init_ne
 */
net->ipv4.frags.timeout = IP_FRAG_TIME;
 
-   res = inet_frags_init_net(>ipv4.frags);
-   if (res)
-   return res;
-   res = ip4_frags_ns_ctl_register(net);
-   if (res)
-   inet_frags_uninit_net(>ipv4.frags);
-   return res;
+   inet_frags_init_net(>ipv4.frags);
+
+   return ip4_frags_ns_ctl_register(net);
 }
 
 static void __net_exit ipv4_frags_exit_net(struct net *net)
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -649,18 +649,12 @@ EXPORT_SYMBOL_GPL(nf_ct_frag6_consume_or
 
 static int nf_ct_net_init(struct net *net)
 {
-   int res;
-
net->nf_frag.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
net->nf_frag.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
net->nf_frag.frags.timeout = IPV6_FRAG_TIMEOUT;
-   res = inet_frags_init_net(>nf_frag.frags);
-   if (res)
-   return res;
-   res = nf_ct_frag6_sysctl_register(net);
-   if (res)
-   inet_frags_uninit_net(>nf_frag.frags);
-   return res;
+   inet_frags_init_net(>nf_frag.frags);
+
+   return nf_ct_frag6_sysctl_register(net);
 }
 
 static void nf_ct_net_exit(struct net *net)
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -708,19 +708,13 @@ static void ip6_frags_sysctl_unregister(
 
 static int __net_init ipv6_frags_init_net(struct net *net)
 {
-   int res;
-
net->ipv6.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
net->ipv6.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
net->ipv6.frags.timeout = IPV6_FRAG_TIMEOUT;
 
-   res = inet_frags_init_net(>ipv6.frags);
-   if (res)
-   return res;
-   res = ip6_frags_ns_sysctl_register(net);
-   if (res)
-   inet_frags_uninit_net(>ipv6.frags);
-   return res;
+   inet_frags_init_net(>ipv6.frags);
+
+   return ip6_frags_ns_sysctl_register(net);
 }
 
 static void __net_exit 

[PATCH 4.4 08/66] Revert "net: fix percpu memory leaks"

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jesper Dangaard Brouer 


[ Upstream commit 5a63643e583b6a9789d7a225ae076fb4e603991c ]

This reverts commit 1d6119baf0610f813eb9d9580eb4fd16de5b4ceb.

After reverting commit 6d7b857d541e ("net: use lib/percpu_counter API
for fragmentation mem accounting"), there is no need for this
fix-up patch.  As percpu_counter is no longer used, it can no
longer leak memory.

Fixes: 6d7b857d541e ("net: use lib/percpu_counter API for fragmentation mem 
accounting")
Fixes: 1d6119baf061 ("net: fix percpu memory leaks")
Signed-off-by: Jesper Dangaard Brouer 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/inet_frag.h |7 +--
 net/ieee802154/6lowpan/reassembly.c |   11 +++
 net/ipv4/ip_fragment.c  |   12 +++-
 net/ipv6/netfilter/nf_conntrack_reasm.c |   12 +++-
 net/ipv6/reassembly.c   |   12 +++-
 5 files changed, 13 insertions(+), 41 deletions(-)

--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -103,15 +103,10 @@ struct inet_frags {
 int inet_frags_init(struct inet_frags *);
 void inet_frags_fini(struct inet_frags *);
 
-static inline int inet_frags_init_net(struct netns_frags *nf)
+static inline void inet_frags_init_net(struct netns_frags *nf)
 {
atomic_set(>mem, 0);
-   return 0;
 }
-static inline void inet_frags_uninit_net(struct netns_frags *nf)
-{
-}
-
 void inet_frags_exit_net(struct netns_frags *nf, struct inet_frags *f);
 
 void inet_frag_kill(struct inet_frag_queue *q, struct inet_frags *f);
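Review bot: inet_frags_init_net() is left without any comment once its return type becomes void, so the header does not tell a reader why the callers' unwind step could be dropped. The body shown here only zeroes the `mem` counter of the passed `struct netns_frags`, so a one-line comment above the function would be enough, for example `/* Resets the fragment memory counter; cannot fail and has no teardown counterpart. */`. The same reasoning explains the four init_net callers in the later hunks, which now return the sysctl registration result directly without any cleanup.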
--- a/net/ieee802154/6lowpan/reassembly.c
+++ b/net/ieee802154/6lowpan/reassembly.c
@@ -580,19 +580,14 @@ static int __net_init lowpan_frags_init_
 {
struct netns_ieee802154_lowpan *ieee802154_lowpan =
net_ieee802154_lowpan(net);
-   int res;
 
ieee802154_lowpan->frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
ieee802154_lowpan->frags.low_thresh = IPV6_FRAG_LOW_THRESH;
ieee802154_lowpan->frags.timeout = IPV6_FRAG_TIMEOUT;
 
-   res = inet_frags_init_net(_lowpan->frags);
-   if (res)
-   return res;
-   res = lowpan_frags_ns_sysctl_register(net);
-   if (res)
-   inet_frags_uninit_net(_lowpan->frags);
-   return res;
+   inet_frags_init_net(_lowpan->frags);
+
+   return lowpan_frags_ns_sysctl_register(net);
 }
 
 static void __net_exit lowpan_frags_exit_net(struct net *net)
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -840,8 +840,6 @@ static void __init ip4_frags_ctl_registe
 
 static int __net_init ipv4_frags_init_net(struct net *net)
 {
-   int res;
-
/* Fragment cache limits.
 *
 * The fragment memory accounting code, (tries to) account for
@@ -865,13 +863,9 @@ static int __net_init ipv4_frags_init_ne
 */
net->ipv4.frags.timeout = IP_FRAG_TIME;
 
-   res = inet_frags_init_net(>ipv4.frags);
-   if (res)
-   return res;
-   res = ip4_frags_ns_ctl_register(net);
-   if (res)
-   inet_frags_uninit_net(>ipv4.frags);
-   return res;
+   inet_frags_init_net(>ipv4.frags);
+
+   return ip4_frags_ns_ctl_register(net);
 }
 
 static void __net_exit ipv4_frags_exit_net(struct net *net)
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -649,18 +649,12 @@ EXPORT_SYMBOL_GPL(nf_ct_frag6_consume_or
 
 static int nf_ct_net_init(struct net *net)
 {
-   int res;
-
net->nf_frag.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
net->nf_frag.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
net->nf_frag.frags.timeout = IPV6_FRAG_TIMEOUT;
-   res = inet_frags_init_net(>nf_frag.frags);
-   if (res)
-   return res;
-   res = nf_ct_frag6_sysctl_register(net);
-   if (res)
-   inet_frags_uninit_net(>nf_frag.frags);
-   return res;
+   inet_frags_init_net(>nf_frag.frags);
+
+   return nf_ct_frag6_sysctl_register(net);
 }
 
 static void nf_ct_net_exit(struct net *net)
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -708,19 +708,13 @@ static void ip6_frags_sysctl_unregister(
 
 static int __net_init ipv6_frags_init_net(struct net *net)
 {
-   int res;
-
net->ipv6.frags.high_thresh = IPV6_FRAG_HIGH_THRESH;
net->ipv6.frags.low_thresh = IPV6_FRAG_LOW_THRESH;
net->ipv6.frags.timeout = IPV6_FRAG_TIMEOUT;
 
-   res = inet_frags_init_net(>ipv6.frags);
-   if (res)
-   return res;
-   res = ip6_frags_ns_sysctl_register(net);
-   if (res)
-   inet_frags_uninit_net(>ipv6.frags);
-   return res;
+   inet_frags_init_net(>ipv6.frags);
+
+   return ip6_frags_ns_sysctl_register(net);
 }
 
 static void __net_exit ipv6_frags_exit_net(struct net *net)




[PATCH 4.4 00/66] 4.4.89-stable review

2017-09-24 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 4.4.89 release.
There are 66 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Sep 26 20:29:06 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.89-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.4.89-rc1

Avraham Stern 
mac80211: flush hw_roc_start work before cancelling the ROC

Steven Rostedt (VMware) 
ftrace: Fix memleak when unregistering dynamic ops when tracing disabled

Michael Lyle 
bcache: fix bch_hprint crash and improve output

Tang Junhui 
bcache: fix for gc and write-back race

Tony Asleson 
bcache: Correct return value for sysfs attach errors

Tang Junhui 
bcache: correct cache_dirty_target in __update_writeback_rate()

Tang Junhui 
bcache: do not subtract sectors_to_gc for bypassed IO

Jan Kara 
bcache: Fix leak of bdev reference

Tang Junhui 
bcache: initialize dirty stripes in flash_dev_run()

Guenter Roeck 
media: uvcvideo: Prevent heap overflow when accessing mapped controls

Daniel Mentz 
media: v4l2-compat-ioctl32: Fix timespec conversion

Aleksandr Bezzubikov 
PCI: shpchp: Enable bridge bus mastering if MSI is enabled

Jose Abreu 
ARC: Re-enable MMU upon Machine Check exception

Baohong Liu 
tracing: Apply trace_clock changes to instance max buffer

Steven Rostedt (VMware) 
ftrace: Fix selftest goto location on error

Dan Carpenter 
scsi: qla2xxx: Fix an integer overflow in sysfs code

Hannes Reinecke 
scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

Hannes Reinecke 
scsi: sg: factor out sg_fill_request_table()

Dan Carpenter 
scsi: sg: off by one in sg_ioctl()

Hannes Reinecke 
scsi: sg: use standard lists for sg_requests

Hannes Reinecke 
scsi: sg: remove 'save_scat_len'

Long Li 
scsi: storvsc: fix memory leak on ring buffer busy

Shivasharan S 
scsi: megaraid_sas: Return pended IOCTLs with cmd_status 
MFI_STAT_WRONG_STATE in case adapter is dead

Shivasharan S 
scsi: megaraid_sas: Check valid aen class range to avoid kernel panic

Steffen Maier 
scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

Steffen Maier 
scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late 
response

Steffen Maier 
scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records

Steffen Maier 
scsi: zfcp: fix missing trace records for early returns in TMF eh handlers

Steffen Maier 
scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

Steffen Maier 
scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

Benjamin Block 
scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path

Steffen Maier 
scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled

Bart Van Assche 
skd: Submit requests to firmware before triggering the doorbell

Bart Van Assche 
skd: Avoid that module unloading triggers a use-after-free

NeilBrown 
md/bitmap: disable bitmap_resize for file-backed bitmaps.

Bart Van Assche 
block: Relax a check in blk_start_queue()

Michael Ellerman 
powerpc: Fix DAR reporting when alignment handler faults

zhangyi (F) 
ext4: fix quota inconsistency during orphan cleanup for read-only mounts

zhangyi (F) 
ext4: fix incorrect quotaoff if the quota feature is enabled

Stephan Mueller 
crypto: AF_ALG - remove SGL terminator indicator when chaining

Aleksandar Markovic 
MIPS: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs

Aleksandar Markovic 

[PATCH 4.4 00/66] 4.4.89-stable review

2017-09-24 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 4.4.89 release.
There are 66 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Sep 26 20:29:06 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.89-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.4.89-rc1

Avraham Stern 
mac80211: flush hw_roc_start work before cancelling the ROC

Steven Rostedt (VMware) 
ftrace: Fix memleak when unregistering dynamic ops when tracing disabled

Michael Lyle 
bcache: fix bch_hprint crash and improve output

Tang Junhui 
bcache: fix for gc and write-back race

Tony Asleson 
bcache: Correct return value for sysfs attach errors

Tang Junhui 
bcache: correct cache_dirty_target in __update_writeback_rate()

Tang Junhui 
bcache: do not subtract sectors_to_gc for bypassed IO

Jan Kara 
bcache: Fix leak of bdev reference

Tang Junhui 
bcache: initialize dirty stripes in flash_dev_run()

Guenter Roeck 
media: uvcvideo: Prevent heap overflow when accessing mapped controls

Daniel Mentz 
media: v4l2-compat-ioctl32: Fix timespec conversion

Aleksandr Bezzubikov 
PCI: shpchp: Enable bridge bus mastering if MSI is enabled

Jose Abreu 
ARC: Re-enable MMU upon Machine Check exception

Baohong Liu 
tracing: Apply trace_clock changes to instance max buffer

Steven Rostedt (VMware) 
ftrace: Fix selftest goto location on error

Dan Carpenter 
scsi: qla2xxx: Fix an integer overflow in sysfs code

Hannes Reinecke 
scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

Hannes Reinecke 
scsi: sg: factor out sg_fill_request_table()

Dan Carpenter 
scsi: sg: off by one in sg_ioctl()

Hannes Reinecke 
scsi: sg: use standard lists for sg_requests

Hannes Reinecke 
scsi: sg: remove 'save_scat_len'

Long Li 
scsi: storvsc: fix memory leak on ring buffer busy

Shivasharan S 
scsi: megaraid_sas: Return pended IOCTLs with cmd_status 
MFI_STAT_WRONG_STATE in case adapter is dead

Shivasharan S 
scsi: megaraid_sas: Check valid aen class range to avoid kernel panic

Steffen Maier 
scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

Steffen Maier 
scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late 
response

Steffen Maier 
scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records

Steffen Maier 
scsi: zfcp: fix missing trace records for early returns in TMF eh handlers

Steffen Maier 
scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

Steffen Maier 
scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

Benjamin Block 
scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path

Steffen Maier 
scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled

Bart Van Assche 
skd: Submit requests to firmware before triggering the doorbell

Bart Van Assche 
skd: Avoid that module unloading triggers a use-after-free

NeilBrown 
md/bitmap: disable bitmap_resize for file-backed bitmaps.

Bart Van Assche 
block: Relax a check in blk_start_queue()

Michael Ellerman 
powerpc: Fix DAR reporting when alignment handler faults

zhangyi (F) 
ext4: fix quota inconsistency during orphan cleanup for read-only mounts

zhangyi (F) 
ext4: fix incorrect quotaoff if the quota feature is enabled

Stephan Mueller 
crypto: AF_ALG - remove SGL terminator indicator when chaining

Aleksandar Markovic 
MIPS: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs

Aleksandar Markovic 
MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs

Aleksandar Markovic 
MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite 
signs

Aleksandar Markovic 
MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative

Aleksandar Markovic 
MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs zero

Aleksandar Markovic 
MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation

Kai-Heng Feng 
Input: i8042 - add Gigabyte P57 to the keyboard reset table

Arnd Bergmann 
tty: fix __tty_insert_flip_char regression

Arnd Bergmann 
tty: improve tty_insert_flip_char() slow path

Arnd Bergmann 
tty: improve tty_insert_flip_char() fast path

Minchan Kim 
mm: prevent double decrease of nr_reserved_highatomic

Chuck Lever 
nfsd: Fix general protection fault in release_lock_stateid()

Song Liu 
md/raid5: release/flush io in raid5_do_work()

Andy Lutomirski 
x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps

Jaegeuk Kim 
f2fs: check hot_data for 

Re: [PATCH v2 2/2] pidmap(2)

2017-09-24 Thread Andy Lutomirski
On Sun, Sep 24, 2017 at 1:08 PM, Alexey Dobriyan  wrote:
> From: Tatsiana Brouka 
>
> Implement system call for bulk retrieving of pids in binary form.
>
> Using /proc is slower than necessary: 3 syscalls + another 3 for each thread +
> converting with atoi() + instantiating dentries and inodes.
>
> /proc may be not mounted especially in containers. Natural extension of
> hidepid=2 efforts is to not mount /proc at all.
>
> It could be used by programs like ps, top or CRIU. Speed increase will
> become more drastic once combined with bulk retrieval of process statistics.
>
> Benchmark:
>
> N=1<<16 times
> ~130 processes (~250 task_structs) on a regular desktop system
> opendir + readdir + closedir /proc + the same for every 
> /proc/$PID/task
> (roughly what htop(1) does) vs pidmap
>
> /proc 16.80 ± 0.73%
> pidmap 0.06 ± 0.31%
>
> PIDMAP_* flags are modelled after /proc/task_diag patchset.
>
>
> PIDMAP(2)  Linux Programmer's Manual PIDMAP(2)
>
> NAME
>pidmap - get allocated PIDs
>
> SYNOPSIS
>long pidmap(pid_t pid, int *pids, unsigned int count , unsigned int 
> start, int flags);

I think we will seriously regret a syscall that does this.  Djalal is
working on fixing the turd that is hidepid, and this syscall is
basically incompatible with ever fixing hidepids.  I think that, to
make it less regrettable, it needs to take an fd to a proc mount as a
parameter.  This makes me wonder why it's a syscall at all -- why not
just create a new file like /proc/pids?

--Andy


Re: [PATCH v2 2/2] pidmap(2)

2017-09-24 Thread Andy Lutomirski
On Sun, Sep 24, 2017 at 1:08 PM, Alexey Dobriyan  wrote:
> From: Tatsiana Brouka 
>
> Implement system call for bulk retrieving of pids in binary form.
>
> Using /proc is slower than necessary: 3 syscalls + another 3 for each thread +
> converting with atoi() + instantiating dentries and inodes.
>
> /proc may be not mounted especially in containers. Natural extension of
> hidepid=2 efforts is to not mount /proc at all.
>
> It could be used by programs like ps, top or CRIU. Speed increase will
> become more drastic once combined with bulk retrieval of process statistics.
>
> Benchmark:
>
> N=1<<16 times
> ~130 processes (~250 task_structs) on a regular desktop system
> opendir + readdir + closedir /proc + the same for every 
> /proc/$PID/task
> (roughly what htop(1) does) vs pidmap
>
> /proc 16.80 ± 0.73%
> pidmap 0.06 ± 0.31%
>
> PIDMAP_* flags are modelled after /proc/task_diag patchset.
>
>
> PIDMAP(2)  Linux Programmer's Manual PIDMAP(2)
>
> NAME
>pidmap - get allocated PIDs
>
> SYNOPSIS
>long pidmap(pid_t pid, int *pids, unsigned int count , unsigned int 
> start, int flags);

I think we will seriously regret a syscall that does this.  Djalal is
working on fixing the turd that is hidepid, and this syscall is
basically incompatible with ever fixing hidepids.  I think that, to
make it less regrettable, it needs to take an fd to a proc mount as a
parameter.  This makes me wonder why it's a syscall at all -- why not
just create a new file like /proc/pids?

--Andy


[PATCH 4.4 40/66] scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 12c3e5754c8022a4f2fd1e9f00d19e99ee0d3cc1 upstream.

If the FCP_RSP IU has optional parts (FCP_SNS_INFO or FCP_RSP_INFO) and
thus does not fit into the fcp_rsp field built into a SCSI trace record,
trace the full FCP_RSP IU with all optional parts as payload record
instead of just FCP_SNS_INFO as payload and
a 1 byte RSP_INFO_CODE part of FCP_RSP_INFO built into the SCSI record.

That way we would also get the full FCP_SNS_INFO in case a
target would ever send more than
min(SCSI_SENSE_BUFFERSIZE==96, ZFCP_DBF_PAY_MAX_REC==256)==96.

The mandatory part of FCP_RSP IU is only 24 bytes.
PAYload costs at least one full PAY record of 256 bytes anyway.
We cap to the hardware response size which is only FSF_FCP_RSP_SIZE==128.
So we can just put the whole FCP_RSP IU with any optional parts into
PAYload similarly as we do for SAN PAY since v4.9 commit aceeffbb59bb
("zfcp: trace full payload of all SAN records (req,resp,iels)").
This does not cause any additional trace records wasting memory.

Decoded trace records were confusing because they showed a hard-coded
sense data length of 96 even if the FCP_RSP_IU field FCP_SNS_LEN showed
actually less.

Since the same commit, we set pl_len for SAN traces to the full length of a
request/response even if we cap the corresponding trace.
In contrast, here for SCSI traces we set pl_len to the pre-computed
length of FCP_RSP IU considering SNS_LEN or RSP_LEN if valid.
Nonetheless we trace a hardcoded payload of length FSF_FCP_RSP_SIZE==128
if there were optional parts.
This makes it easier for the zfcpdbf tool to format only the relevant
part of the long FCP_RSP UI buffer. And any trailing information is still
available in the payload trace record just in case.

Rename the payload record tag from "fcp_sns" to "fcp_riu" to make the new
content explicit to zfcpdbf which can then pick a suitable field name such
as "FCP rsp IU all:" instead of "Sense info :"
Also, the same zfcpdbf can still be backwards compatible with "fcp_sns".

Old example trace record before this fix, formatted with the tool zfcpdbf
from s390-tools:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 3
Exception  : -
CPU id : ..
Caller : 0x...
Record id  : 1
Tag: rsl_err
Request id : 0x
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x0002
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode:    
FCP rsp inf cod: 0x00
FCP rsp IU :   0202 
   ^^==FCP_SNS_LEN_VALID
 0020 
 ==FCP_SNS_LEN==32
Sense len  : 96 <==min(SCSI_SENSE_BUFFERSIZE,ZFCP_DBF_PAY_MAX_REC)
Sense info : 7600 0018  2900
 0400   
    <==superfluous
    <==superfluous
    <==superfluous
    <==superfluous

New example trace records with this fix:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 3
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_err
Request ID : 0x
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x0002
SCSI retries   : 0x00
SCSI allowed   : 0x03
SCSI scribble  : 0x
SCSI opcode: a30c0112  0200 
FCP rsp inf cod: 0x00
FCP rsp IU :   0a02 0200
 0020 
FCP rsp IU len : 56
FCP rsp IU all :   0a02 0200
   ^^=FCP_RESID_UNDER|FCP_SNS_LEN_VALID
 0020  7500 0018
 ==FCP_SNS_LEN
   ^
  24cb 00011100 
 ^^^
  
 ^==FCP_SNS_INFO

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: lr_okay
Request ID : 0x
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode: 
FCP rsp inf cod: 0x00
FCP rsp IU :   0100 
  0008
FCP rsp IU len : 32
FCP rsp IU all :   0100 
   ^^==FCP_RSP_LEN_VALID
  0008  
   

[PATCH 4.4 38/66] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 9fe5d2b2fd30aa8c7827ec62cbbe6d30df4fe3e3 upstream.

Without this fix we get SCSI trace records on task management functions
which cannot be correlated to HBA trace records because all fields
related to the FSF request are empty (zero).
Also, the FCP_RSP_IU is missing as well as any sense data if available.

This was caused by v2.6.14 commit 8a36e4532ea1 ("[SCSI] zfcp: enhancement
of zfcp debug features") introducing trace records for TMFs but
hard coding NULL for a possibly existing TMF FSF request.
The scsi_cmnd scribble is also zero or unrelated for the TMF request
so it could not look up a suitable FSF request from there either.

A broken example trace record formatted with zfcpdbf from the s390-tools
package:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: lr_fail
Request ID : 0x
    no correlation to HBA record
SCSI ID: 0x
SCSI LUN   : 0x
SCSI result: 0x000e
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode: 2a17 3bb8 0800 
FCP rsp inf cod: 0x00
   ^^ no TMF response
FCP rsp IU :    
 ^^^
  
 ^ no interesting FCP_RSP_IU
Sense len  : ...
 no sense data length
Sense info : ...
 no sense data content, even if present

There are some true cases where we really do not have an FSF request:
"rsl_fai" from zfcp_dbf_scsi_fail_send() called for early
returns / completions in zfcp_scsi_queuecommand(),
"abrt_or", "abrt_bl", "abrt_ru", "abrt_ar" from
zfcp_scsi_eh_abort_handler() where we did not get as far,
"lr_nres", "tr_nres" from zfcp_task_mgmt_function() where we're
successful and do not need to do anything because adapter stopped.
For these cases it's correct to pass NULL for fsf_req to _zfcp_dbf_scsi().

Signed-off-by: Steffen Maier 
Fixes: 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.h  |7 ---
 drivers/s390/scsi/zfcp_scsi.c |8 
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
  * zfcp device driver
  * debug feature declarations
  *
- * Copyright IBM Corp. 2008, 2016
+ * Copyright IBM Corp. 2008, 2017
  */
 
 #ifndef ZFCP_DBF_H
@@ -401,7 +401,8 @@ void zfcp_dbf_scsi_abort(char *tag, stru
  * @flag: indicates type of reset (Target Reset, Logical Unit Reset)
  */
 static inline
-void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag)
+void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag,
+   struct zfcp_fsf_req *fsf_req)
 {
char tmp_tag[ZFCP_DBF_TAG_LEN];
 
@@ -411,7 +412,7 @@ void zfcp_dbf_scsi_devreset(char *tag, s
memcpy(tmp_tag, "lr_", 3);
 
memcpy(_tag[3], tag, 4);
-   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
+   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, fsf_req);
 }
 
 /**
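Review bot: The `fsf_req` argument that this hunk now forwards to `_zfcp_dbf_scsi()` has no entry in the kernel-doc of zfcp_dbf_scsi_devreset(); the comment block visible in the previous hunk still ends with the `@flag:` line. A line such as ` * @fsf_req: FSF request of the task management function, or NULL if none was issued` would tell callers that NULL is an accepted value, which the commit message describes for the "nres" case. The start of that kernel-doc block lies outside both hunks, so the existing tags above `@flag:` were not checked.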
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -278,7 +278,7 @@ static int zfcp_task_mgmt_function(struc
 
if (!(atomic_read(>status) &
  ZFCP_STATUS_COMMON_RUNNING)) {
-   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags, NULL);
return SUCCESS;
}
}
@@ -288,10 +288,10 @@ static int zfcp_task_mgmt_function(struc
wait_for_completion(_req->completion);
 
if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
-   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags, fsf_req);
retval = FAILED;
} else {
-   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags, fsf_req);
zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
}
 




[PATCH 4.4 37/66] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 975171b4461be296a35e83ebd748946b81cf0635 upstream.

v4.9 commit aceeffbb59bb ("zfcp: trace full payload of all SAN records
(req,resp,iels)") fixed trace data loss of 2.6.38 commit 2c55b750a884
("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
necessary for problem determination, e.g. to see the
currently active zone set during automatic port scan.

While it already saves space by not dumping any empty residual entries
of the large successful GPN_FT response (4 pages), there are rare cases
where the GPN_FT response is unsuccessful and likely does not have
FC_NS_FID_LAST set in fp_flags so we did not cap the trace record.
We typically see such a case for an initiator WWPN that is not in any zone.

Cap unsuccessful responses to at least the actual basic CT_IU response
plus whatever fits the SAN trace record built-in "payload" buffer
just in case there's trailing information
of which we would at least see the existence and its beginning.

In order not to erroneously cap successful responses, we need to swap
calling the trace function and setting the CT / ELS status to success (0).

Example trace record pair formatted with zfcpdbf:

Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fssct_1
Request ID : 0x
Destination ID : 0x00fc
SAN req short  : 0100 fc02 01720ffc 
 0008
SAN req length : 20
|
Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 2
Tag: fsscth2
Request ID : 0x
Destination ID : 0x00fc
SAN resp short : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
SAN resp length: 16384
San resp info  : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]

The fix saves all but one of the previously associated 64 PAYload trace
record chunks of size 256 bytes each.

Signed-off-by: Steffen Maier 
Fixes: aceeffbb59bb ("zfcp: trace full payload of all SAN records 
(req,resp,iels)")
Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN 
records.")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |   10 +-
 drivers/s390/scsi/zfcp_fsf.c |4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -3,7 +3,7 @@
  *
  * Debug traces for zfcp.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -447,6 +447,7 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
struct fc_ct_hdr *reqh = sg_virt(ct_els->req);
struct fc_ns_gid_ft *reqn = (struct fc_ns_gid_ft *)(reqh + 1);
struct scatterlist *resp_entry = ct_els->resp;
+   struct fc_ct_hdr *resph;
struct fc_gpn_ft_resp *acc;
int max_entries, x, last = 0;
 
@@ -473,6 +474,13 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
return len; /* not GPN_FT response so do not cap */
 
acc = sg_virt(resp_entry);
+
+   /* cap all but accept CT responses to at least the CT header */
+   resph = (struct fc_ct_hdr *)acc;
+   if ((ct_els->status) ||
+   (resph->ct_cmd != cpu_to_be16(FC_FS_ACC)))
+   return max(FC_CT_HDR_LEN, ZFCP_DBF_SAN_MAX_PAYLOAD);
+
max_entries = (reqh->ct_mr_size * 4 / sizeof(struct 

[PATCH 4.4 42/66] scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 5d4a3d0a2ff23799b956e5962b886287614e7fad upstream.

Complements debugging aspects of the otherwise functionally complete
v3.17 commit 9cb78c16f5da ("scsi: use 64-bit LUNs").

While I don't have access to a target exporting 3 or 4 level LUNs,
I did test it by explicitly attaching a non-existent fake 4 level LUN
by means of zfcp sysfs attribute "unit_add".
In order to see corresponding trace records of otherwise successful
events, we had to increase the trace level of area SCSI and HBA to 6.

$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_scsi/level
$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_hba/level

$ echo 0x4011402240334044 > \
  /sys/bus/ccw/drivers/zfcp/0.0.1880/0x50050763031bd327/unit_add

Example output formatted by an updated zfcpdbf from the s390-tools
package interspersed with kernel messages at scsi_logging_level=4605:

Timestamp  : ...
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: scsla_1
LUN: 0x4011402240334044
WWPN   : 0x50050763031bd327
D_ID   : 0x00..
Adapter status : 0x5400050b
Port status: 0x5401
LUN status : 0x4100
Ready count: 0x0001
Running count  : 0x
ERP want   : 0x01
ERP need   : 0x01

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 1 length 36
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0

Timestamp  : ...
Area   : HBA
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fs_norm
Request ID : 0x
Request status : 0x0010
FSF cmnd   : 0x0001
FSF sequence no: 0x...
FSF issued : ...
FSF stat   : 0x
FSF stat qual  :    
Prot stat  : 0x0001
Prot stat qual :    
Port handle: 0x...
LUN handle : 0x...
|
Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_nor
Request ID : 0x
SCSI ID: 0x
SCSI LUN   : 0x40224011
SCSI LUN high  : 0x40444033 <===
SCSI result: 0x
SCSI retries   : 0x00
SCSI allowed   : 0x03
SCSI scribble  : 0x
SCSI opcode: 1200 a400  
FCP rsp inf cod: 0x00
FCP rsp IU :    
  

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 2 length 164
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0
scsi 2:0:0:4630896905707208721: scsi scan: peripheral device type of 31, \
no device added

Signed-off-by: Steffen Maier 
Fixes: 9cb78c16f5da ("scsi: use 64-bit LUNs")
Reviewed-by: Benjamin Block 
Reviewed-by: Jens Remus 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |2 +-
 drivers/s390/scsi/zfcp_dbf.h |4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -563,8 +563,8 @@ void zfcp_dbf_scsi(char *tag, int level,
rec->scsi_retries = sc->retries;
rec->scsi_allowed = sc->allowed;
rec->scsi_id = sc->device->id;
-   /* struct zfcp_dbf_scsi needs to be updated to handle 64bit LUNs */
rec->scsi_lun = (u32)sc->device->lun;
+   rec->scsi_lun_64_hi = (u32)(sc->device->lun >> 32);
rec->host_scribble = (unsigned long)sc->host_scribble;
 
memcpy(rec->scsi_opcode, sc->cmnd,
--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -204,7 +204,7 @@ enum zfcp_dbf_scsi_id {
  * @id: unique number of recovery record type
  * @tag: identifier string specifying the location of initiation
  * @scsi_id: scsi device id
- * @scsi_lun: scsi device logical unit number
+ * @scsi_lun: scsi device logical unit number, low part of 64 bit, old 32 bit
  * @scsi_result: scsi result
  * @scsi_retries: current retry number of scsi request
  * @scsi_allowed: allowed retries
@@ -214,6 +214,7 @@ enum zfcp_dbf_scsi_id {
  * @host_scribble: LLD specific data attached to SCSI request
  * @pl_len: length of paload stored as zfcp_dbf_pay
  * @fsf_rsp: response for fsf request
+ * @scsi_lun_64_hi: scsi device logical unit number, high part of 64 bit
  */
 struct zfcp_dbf_scsi {
u8 id;
@@ -230,6 +231,7 @@ struct zfcp_dbf_scsi {
u64 host_scribble;
u16 pl_len;
struct fcp_resp_with_ext fcp_rsp;
+   u32 

[PATCH 4.4 40/66] scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 12c3e5754c8022a4f2fd1e9f00d19e99ee0d3cc1 upstream.

If the FCP_RSP IU has optional parts (FCP_SNS_INFO or FCP_RSP_INFO) and
thus does not fit into the fcp_rsp field built into a SCSI trace record,
trace the full FCP_RSP IU with all optional parts as payload record
instead of just FCP_SNS_INFO as payload and
a 1 byte RSP_INFO_CODE part of FCP_RSP_INFO built into the SCSI record.

That way we would also get the full FCP_SNS_INFO in case a
target would ever send more than
min(SCSI_SENSE_BUFFERSIZE==96, ZFCP_DBF_PAY_MAX_REC==256)==96.

The mandatory part of FCP_RSP IU is only 24 bytes.
PAYload costs at least one full PAY record of 256 bytes anyway.
We cap to the hardware response size which is only FSF_FCP_RSP_SIZE==128.
So we can just put the whole FCP_RSP IU with any optional parts into
PAYload similarly as we do for SAN PAY since v4.9 commit aceeffbb59bb
("zfcp: trace full payload of all SAN records (req,resp,iels)").
This does not cause any additional trace records wasting memory.

Decoded trace records were confusing because they showed a hard-coded
sense data length of 96 even if the FCP_RSP_IU field FCP_SNS_LEN showed
actually less.

Since the same commit, we set pl_len for SAN traces to the full length of a
request/response even if we cap the corresponding trace.
In contrast, here for SCSI traces we set pl_len to the pre-computed
length of FCP_RSP IU considering SNS_LEN or RSP_LEN if valid.
Nonetheless we trace a hardcoded payload of length FSF_FCP_RSP_SIZE==128
if there were optional parts.
This makes it easier for the zfcpdbf tool to format only the relevant
part of the long FCP_RSP UI buffer. And any trailing information is still
available in the payload trace record just in case.

Rename the payload record tag from "fcp_sns" to "fcp_riu" to make the new
content explicit to zfcpdbf which can then pick a suitable field name such
as "FCP rsp IU all:" instead of "Sense info :"
Also, the same zfcpdbf can still be backwards compatible with "fcp_sns".

Old example trace record before this fix, formatted with the tool zfcpdbf
from s390-tools:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 3
Exception  : -
CPU id : ..
Caller : 0x...
Record id  : 1
Tag: rsl_err
Request id : 0x
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x0002
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode:    
FCP rsp inf cod: 0x00
FCP rsp IU :   0202 
   ^^==FCP_SNS_LEN_VALID
 0020 
 ==FCP_SNS_LEN==32
Sense len  : 96 <==min(SCSI_SENSE_BUFFERSIZE,ZFCP_DBF_PAY_MAX_REC)
Sense info : 7600 0018  2900
 0400   
    <==superfluous
    <==superfluous
    <==superfluous
    <==superfluous

New example trace records with this fix:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 3
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_err
Request ID : 0x
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x0002
SCSI retries   : 0x00
SCSI allowed   : 0x03
SCSI scribble  : 0x
SCSI opcode: a30c0112  0200 
FCP rsp inf cod: 0x00
FCP rsp IU :   0a02 0200
 0020 
FCP rsp IU len : 56
FCP rsp IU all :   0a02 0200
   ^^=FCP_RESID_UNDER|FCP_SNS_LEN_VALID
 0020  7500 0018
 ==FCP_SNS_LEN
   ^
  24cb 00011100 
 ^^^
  
 ^==FCP_SNS_INFO

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: lr_okay
Request ID : 0x
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode: 
FCP rsp inf cod: 0x00
FCP rsp IU :   0100 
  0008
FCP rsp IU len : 32
FCP rsp IU all :   0100 
   ^^==FCP_RSP_LEN_VALID
  0008  
  

[PATCH 4.4 38/66] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 9fe5d2b2fd30aa8c7827ec62cbbe6d30df4fe3e3 upstream.

Without this fix we get SCSI trace records on task management functions
which cannot be correlated to HBA trace records because all fields
related to the FSF request are empty (zero).
Also, the FCP_RSP_IU is missing as well as any sense data if available.

This was caused by v2.6.14 commit 8a36e4532ea1 ("[SCSI] zfcp: enhancement
of zfcp debug features") introducing trace records for TMFs but
hard coding NULL for a possibly existing TMF FSF request.
The scsi_cmnd scribble is also zero or unrelated for the TMF request,
so a suitable FSF request could not be looked up from there either.

A broken example trace record formatted with zfcpdbf from the s390-tools
package:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: lr_fail
Request ID : 0x
    no correlation to HBA record
SCSI ID: 0x
SCSI LUN   : 0x
SCSI result: 0x000e
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode: 2a17 3bb8 0800 
FCP rsp inf cod: 0x00
   ^^ no TMF response
FCP rsp IU :    
 ^^^
  
 ^ no interesting FCP_RSP_IU
Sense len  : ...
 no sense data length
Sense info : ...
 no sense data content, even if present

There are some true cases where we really do not have an FSF request:
"rsl_fai" from zfcp_dbf_scsi_fail_send() called for early
returns / completions in zfcp_scsi_queuecommand(),
"abrt_or", "abrt_bl", "abrt_ru", "abrt_ar" from
zfcp_scsi_eh_abort_handler() where we did not get as far,
"lr_nres", "tr_nres" from zfcp_task_mgmt_function() where we're
successful and do not need to do anything because adapter stopped.
For these cases it's correct to pass NULL for fsf_req to _zfcp_dbf_scsi().

Signed-off-by: Steffen Maier 
Fixes: 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.h  |7 ---
 drivers/s390/scsi/zfcp_scsi.c |8 
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
  * zfcp device driver
  * debug feature declarations
  *
- * Copyright IBM Corp. 2008, 2016
+ * Copyright IBM Corp. 2008, 2017
  */
 
 #ifndef ZFCP_DBF_H
@@ -401,7 +401,8 @@ void zfcp_dbf_scsi_abort(char *tag, stru
  * @flag: indicates type of reset (Target Reset, Logical Unit Reset)
  */
 static inline
-void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag)
+void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag,
+   struct zfcp_fsf_req *fsf_req)
 {
char tmp_tag[ZFCP_DBF_TAG_LEN];
 
@@ -411,7 +412,7 @@ void zfcp_dbf_scsi_devreset(char *tag, s
memcpy(tmp_tag, "lr_", 3);
 
memcpy(_tag[3], tag, 4);
-   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
+   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, fsf_req);
 }
 
 /**
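Review bot: The `fsf_req` forwarded to `_zfcp_dbf_scsi()` on the changed line is a new parameter of zfcp_dbf_scsi_devreset(), yet the kernel-doc block shown in the previous hunk still ends at `@flag`. I would add ` * @fsf_req: request used to issue the task management function, NULL if none was sent`, so that the NULL-is-valid contract described in the commit message is documented at the function itself. The function's signature and the start of its body lie outside this hunk.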
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -278,7 +278,7 @@ static int zfcp_task_mgmt_function(struc
 
if (!(atomic_read(>status) &
  ZFCP_STATUS_COMMON_RUNNING)) {
-   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags, NULL);
return SUCCESS;
}
}
@@ -288,10 +288,10 @@ static int zfcp_task_mgmt_function(struc
wait_for_completion(_req->completion);
 
if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
-   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags, fsf_req);
retval = FAILED;
} else {
-   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags, fsf_req);
zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
}
 




[PATCH 4.4 37/66] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 975171b4461be296a35e83ebd748946b81cf0635 upstream.

v4.9 commit aceeffbb59bb ("zfcp: trace full payload of all SAN records
(req,resp,iels)") fixed trace data loss of 2.6.38 commit 2c55b750a884
("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
necessary for problem determination, e.g. to see the
currently active zone set during automatic port scan.

While it already saves space by not dumping any empty residual entries
of the large successful GPN_FT response (4 pages), there are rare cases
where the GPN_FT response is unsuccessful and likely does not have
FC_NS_FID_LAST set in fp_flags so we did not cap the trace record.
We typically see such a case for an initiator WWPN that is not in any zone.

Cap unsuccessful responses to at least the actual basic CT_IU response
plus whatever fits the SAN trace record built-in "payload" buffer
just in case there's trailing information
of which we would at least see the existence and its beginning.

In order not to erroneously cap successful responses, we need to swap
calling the trace function and setting the CT / ELS status to success (0).

Example trace record pair formatted with zfcpdbf:

Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fssct_1
Request ID : 0x
Destination ID : 0x00fc
SAN req short  : 0100 fc02 01720ffc 
 0008
SAN req length : 20
|
Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 2
Tag: fsscth2
Request ID : 0x
Destination ID : 0x00fc
SAN resp short : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
SAN resp length: 16384
San resp info  : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]

The fix saves all but one of the previously associated 64 PAYload trace
record chunks of size 256 bytes each.

Signed-off-by: Steffen Maier 
Fixes: aceeffbb59bb ("zfcp: trace full payload of all SAN records 
(req,resp,iels)")
Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN 
records.")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |   10 +-
 drivers/s390/scsi/zfcp_fsf.c |4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -3,7 +3,7 @@
  *
  * Debug traces for zfcp.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -447,6 +447,7 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
struct fc_ct_hdr *reqh = sg_virt(ct_els->req);
struct fc_ns_gid_ft *reqn = (struct fc_ns_gid_ft *)(reqh + 1);
struct scatterlist *resp_entry = ct_els->resp;
+   struct fc_ct_hdr *resph;
struct fc_gpn_ft_resp *acc;
int max_entries, x, last = 0;
 
@@ -473,6 +474,13 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
return len; /* not GPN_FT response so do not cap */
 
acc = sg_virt(resp_entry);
+
+   /* cap all but accept CT responses to at least the CT header */
+   resph = (struct fc_ct_hdr *)acc;
+   if ((ct_els->status) ||
+   (resph->ct_cmd != cpu_to_be16(FC_FS_ACC)))
+   return max(FC_CT_HDR_LEN, ZFCP_DBF_SAN_MAX_PAYLOAD);
+
max_entries = (reqh->ct_mr_size * 4 / sizeof(struct fc_gpn_ft_resp))
+ 1 /* zfcp_fc_scan_ports: bytes correct, entries off-by-one
 * to account for header as 1st pseudo "entry" */;
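Review bot: The added early return yields a fixed cap, `max(FC_CT_HDR_LEN, ZFCP_DBF_SAN_MAX_PAYLOAD)`, without comparing it to the `len` that the uncapped path returns, so for an unsuccessful response the function can report more bytes than it was given. Whether every caller supplies a response buffer at least that large is not visible here, because the function starts outside the hunk. I would bound the result with `return min_t(u16, len, max(FC_CT_HDR_LEN, ZFCP_DBF_SAN_MAX_PAYLOAD));`, which keeps the trace copy inside the response even if a shorter buffer is ever used.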
--- 

[PATCH 4.4 42/66] scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 5d4a3d0a2ff23799b956e5962b886287614e7fad upstream.

Complements debugging aspects of the otherwise functionally complete
v3.17 commit 9cb78c16f5da ("scsi: use 64-bit LUNs").

While I don't have access to a target exporting 3 or 4 level LUNs,
I did test it by explicitly attaching a non-existent fake 4 level LUN
by means of zfcp sysfs attribute "unit_add".
In order to see corresponding trace records of otherwise successful
events, we had to increase the trace level of area SCSI and HBA to 6.

$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_scsi/level
$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_hba/level

$ echo 0x4011402240334044 > \
  /sys/bus/ccw/drivers/zfcp/0.0.1880/0x50050763031bd327/unit_add

Example output formatted by an updated zfcpdbf from the s390-tools
package interspersed with kernel messages at scsi_logging_level=4605:

Timestamp  : ...
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: scsla_1
LUN: 0x4011402240334044
WWPN   : 0x50050763031bd327
D_ID   : 0x00..
Adapter status : 0x5400050b
Port status: 0x5401
LUN status : 0x4100
Ready count: 0x0001
Running count  : 0x
ERP want   : 0x01
ERP need   : 0x01

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 1 length 36
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0

Timestamp  : ...
Area   : HBA
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fs_norm
Request ID : 0x
Request status : 0x0010
FSF cmnd   : 0x0001
FSF sequence no: 0x...
FSF issued : ...
FSF stat   : 0x
FSF stat qual  :    
Prot stat  : 0x0001
Prot stat qual :    
Port handle: 0x...
LUN handle : 0x...
|
Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_nor
Request ID : 0x
SCSI ID: 0x
SCSI LUN   : 0x40224011
SCSI LUN high  : 0x40444033 <===
SCSI result: 0x
SCSI retries   : 0x00
SCSI allowed   : 0x03
SCSI scribble  : 0x
SCSI opcode: 1200 a400  
FCP rsp inf cod: 0x00
FCP rsp IU :    
  

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 2 length 164
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0
scsi 2:0:0:4630896905707208721: scsi scan: peripheral device type of 31, \
no device added

Signed-off-by: Steffen Maier 
Fixes: 9cb78c16f5da ("scsi: use 64-bit LUNs")
Reviewed-by: Benjamin Block 
Reviewed-by: Jens Remus 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |2 +-
 drivers/s390/scsi/zfcp_dbf.h |4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -563,8 +563,8 @@ void zfcp_dbf_scsi(char *tag, int level,
rec->scsi_retries = sc->retries;
rec->scsi_allowed = sc->allowed;
rec->scsi_id = sc->device->id;
-   /* struct zfcp_dbf_scsi needs to be updated to handle 64bit LUNs */
rec->scsi_lun = (u32)sc->device->lun;
+   rec->scsi_lun_64_hi = (u32)(sc->device->lun >> 32);
rec->host_scribble = (unsigned long)sc->host_scribble;
 
memcpy(rec->scsi_opcode, sc->cmnd,
--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -204,7 +204,7 @@ enum zfcp_dbf_scsi_id {
  * @id: unique number of recovery record type
  * @tag: identifier string specifying the location of initiation
  * @scsi_id: scsi device id
- * @scsi_lun: scsi device logical unit number
+ * @scsi_lun: scsi device logical unit number, low part of 64 bit, old 32 bit
  * @scsi_result: scsi result
  * @scsi_retries: current retry number of scsi request
  * @scsi_allowed: allowed retries
@@ -214,6 +214,7 @@ enum zfcp_dbf_scsi_id {
  * @host_scribble: LLD specific data attached to SCSI request
  * @pl_len: length of paload stored as zfcp_dbf_pay
  * @fsf_rsp: response for fsf request
+ * @scsi_lun_64_hi: scsi device logical unit number, high part of 64 bit
  */
 struct zfcp_dbf_scsi {
u8 id;
@@ -230,6 +231,7 @@ struct zfcp_dbf_scsi {
u64 host_scribble;
u16 pl_len;
struct fcp_resp_with_ext fcp_rsp;
+   u32 scsi_lun_64_hi;
 } __packed;
 
 /**
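Review bot: The new `u32 scsi_lun_64_hi` is appended after `fcp_rsp` instead of sitting next to `scsi_lun`, which presumably keeps the offsets of the existing fields in this `__packed` record stable for tools that decode it, but nothing in the struct says so. A short comment on the member, e.g. `/* appended last: offsets of older fields must not move for trace decoders */`, would keep a later cleanup from regrouping the fields. Separately, the kernel-doc entry `@fsf_rsp` visible in the previous hunk does not match the member name `fcp_rsp` and could be corrected in the same pass.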




[PATCH 4.4 41/66] scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit fdb7cee3b9e3c561502e58137a837341f10cbf8b upstream.

At the default trace level, we only trace unsuccessful events including
FSF responses.

zfcp_dbf_hba_fsf_response() only used protocol status and FSF status to
decide on an unsuccessful response. However, this is only one of multiple
possible sources determining a failed struct zfcp_fsf_req.

An FSF request can also "fail" if its response runs into an ERP timeout
or if it gets dismissed because a higher level recovery was triggered
[trace tags "erscf_1" or "erscf_2" in zfcp_erp_strategy_check_fsfreq()].
FSF requests with ERP timeout are:
FSF_QTCB_EXCHANGE_CONFIG_DATA, FSF_QTCB_EXCHANGE_PORT_DATA,
FSF_QTCB_OPEN_PORT_WITH_DID or FSF_QTCB_CLOSE_PORT or
FSF_QTCB_CLOSE_PHYSICAL_PORT for target ports,
FSF_QTCB_OPEN_LUN, FSF_QTCB_CLOSE_LUN.
One example is slow queue processing which can cause follow-on errors,
e.g. FSF_PORT_ALREADY_OPEN after FSF_QTCB_OPEN_PORT_WITH_DID timed out.
In order to see the root cause, we need to see late responses even if the
channel presented them successfully with FSF_PROT_GOOD and FSF_GOOD.
Example trace records formatted with zfcpdbf from the s390-tools package:

Timestamp  : ...
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : ...
Record ID  : 1
Tag: fcegpf1
LUN: 0x
WWPN   : 0x
D_ID   : 0x00
Adapter status : 0x5400050b
Port status: 0x4120
LUN status : 0x
Ready count: 0x0001
Running count  : 0x...
ERP want   : 0x02   ZFCP_ERP_ACTION_REOPEN_PORT
ERP need   : 0x02   ZFCP_ERP_ACTION_REOPEN_PORT
|
Timestamp  : ...30 seconds later
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : ...
Record ID  : 2
Tag: erscf_2
LUN: 0x
WWPN   : 0x
D_ID   : 0x00
Adapter status : 0x5400050b
Port status: 0x4120
LUN status : 0x
Request ID : 0x
ERP status : 0x1000 ZFCP_STATUS_ERP_TIMEDOUT
ERP step   : 0x0800 ZFCP_ERP_STEP_PORT_OPENING
ERP action : 0x02   ZFCP_ERP_ACTION_REOPEN_PORT
ERP count  : 0x00
|
Timestamp  : ...later than previous record
Area   : HBA
Subarea: 00
Level  : 5  > default level => 3<= default level
Exception  : -
CPU ID : 00
Caller : ...
Record ID  : 1
Tag: fs_qtcb=> fs_rerr
Request ID : 0x
Request status : 0x1010 ZFCP_STATUS_FSFREQ_DISMISSED
| ZFCP_STATUS_FSFREQ_CLEANUP
FSF cmnd   : 0x0005
FSF sequence no: 0x...
FSF issued : ...> 30 seconds ago
FSF stat   : 0x FSF_GOOD
FSF stat qual  :    
Prot stat  : 0x0001 FSF_PROT_GOOD
Prot stat qual :    
Port handle: 0x...
LUN handle : 0x
QTCB log length: ...
QTCB log info  : ...

In case of problems detecting that new responses are waiting on the input
queue, we sooner or later trigger adapter recovery due to an FSF request
timeout (trace tag "fsrth_1").
FSF requests with FSF request timeout are:
typically FSF_QTCB_ABORT_FCP_CMND; but theoretically also
FSF_QTCB_EXCHANGE_CONFIG_DATA or FSF_QTCB_EXCHANGE_PORT_DATA via sysfs,
FSF_QTCB_OPEN_PORT_WITH_DID or FSF_QTCB_CLOSE_PORT for WKA ports,
FSF_QTCB_FCP_CMND for task management function (LUN / target reset).
One or more pending requests can meanwhile have FSF_PROT_GOOD and FSF_GOOD
because the channel filled in the response via DMA into the request's QTCB.

In a theoretical case, inject code can create an erroneous FSF request
on purpose. If data router is enabled, it uses deferred error reporting.
A READ SCSI command can succeed with FSF_PROT_GOOD, FSF_GOOD, and
SAM_STAT_GOOD. But on writing the read data to host memory via DMA,
it can still fail, e.g. if an intentionally wrong scatter list does not
provide enough space. Rather than getting an unsuccessful response,
we get a QDIO activate check which in turn triggers adapter recovery.
One or more pending requests can meanwhile have FSF_PROT_GOOD and FSF_GOOD
because the channel filled in the response via DMA into the request's QTCB.
Example trace records formatted with zfcpdbf from the s390-tools package:

Timestamp  : ...
Area   : HBA
Subarea: 00
Level  : 6  > default level => 3<= default level
Exception  : -
CPU ID : ..
Caller 

[PATCH 4.4 41/66] scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit fdb7cee3b9e3c561502e58137a837341f10cbf8b upstream.

At the default trace level, we only trace unsuccessful events including
FSF responses.

zfcp_dbf_hba_fsf_response() only used protocol status and FSF status to
decide on an unsuccessful response. However, this is only one of multiple
possible sources determining a failed struct zfcp_fsf_req.

An FSF request can also "fail" if its response runs into an ERP timeout
or if it gets dismissed because a higher level recovery was triggered
[trace tags "erscf_1" or "erscf_2" in zfcp_erp_strategy_check_fsfreq()].
FSF requests with ERP timeout are:
FSF_QTCB_EXCHANGE_CONFIG_DATA, FSF_QTCB_EXCHANGE_PORT_DATA,
FSF_QTCB_OPEN_PORT_WITH_DID or FSF_QTCB_CLOSE_PORT or
FSF_QTCB_CLOSE_PHYSICAL_PORT for target ports,
FSF_QTCB_OPEN_LUN, FSF_QTCB_CLOSE_LUN.
One example is slow queue processing which can cause follow-on errors,
e.g. FSF_PORT_ALREADY_OPEN after FSF_QTCB_OPEN_PORT_WITH_DID timed out.
In order to see the root cause, we need to see late responses even if the
channel presented them successfully with FSF_PROT_GOOD and FSF_GOOD.
Example trace records formatted with zfcpdbf from the s390-tools package:

Timestamp  : ...
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : ...
Record ID  : 1
Tag: fcegpf1
LUN: 0x
WWPN   : 0x
D_ID   : 0x00
Adapter status : 0x5400050b
Port status: 0x4120
LUN status : 0x
Ready count: 0x0001
Running count  : 0x...
ERP want   : 0x02   ZFCP_ERP_ACTION_REOPEN_PORT
ERP need   : 0x02   ZFCP_ERP_ACTION_REOPEN_PORT
|
Timestamp  : ...30 seconds later
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : ...
Record ID  : 2
Tag: erscf_2
LUN: 0x
WWPN   : 0x
D_ID   : 0x00
Adapter status : 0x5400050b
Port status: 0x4120
LUN status : 0x
Request ID : 0x
ERP status : 0x1000 ZFCP_STATUS_ERP_TIMEDOUT
ERP step   : 0x0800 ZFCP_ERP_STEP_PORT_OPENING
ERP action : 0x02   ZFCP_ERP_ACTION_REOPEN_PORT
ERP count  : 0x00
|
Timestamp  : ...later than previous record
Area   : HBA
Subarea: 00
Level  : 5  > default level => 3<= default level
Exception  : -
CPU ID : 00
Caller : ...
Record ID  : 1
Tag: fs_qtcb=> fs_rerr
Request ID : 0x
Request status : 0x1010 ZFCP_STATUS_FSFREQ_DISMISSED
| ZFCP_STATUS_FSFREQ_CLEANUP
FSF cmnd   : 0x0005
FSF sequence no: 0x...
FSF issued : ...> 30 seconds ago
FSF stat   : 0x FSF_GOOD
FSF stat qual  :    
Prot stat  : 0x0001 FSF_PROT_GOOD
Prot stat qual :    
Port handle: 0x...
LUN handle : 0x
QTCB log length: ...
QTCB log info  : ...

In case of problems detecting that new responses are waiting on the input
queue, we sooner or later trigger adapter recovery due to an FSF request
timeout (trace tag "fsrth_1").
FSF requests with FSF request timeout are:
typically FSF_QTCB_ABORT_FCP_CMND; but theoretically also
FSF_QTCB_EXCHANGE_CONFIG_DATA or FSF_QTCB_EXCHANGE_PORT_DATA via sysfs,
FSF_QTCB_OPEN_PORT_WITH_DID or FSF_QTCB_CLOSE_PORT for WKA ports,
FSF_QTCB_FCP_CMND for task management function (LUN / target reset).
One or more pending requests can meanwhile have FSF_PROT_GOOD and FSF_GOOD
because the channel filled in the response via DMA into the request's QTCB.

In a theoretical case, inject code can create an erroneous FSF request
on purpose. If data router is enabled, it uses deferred error reporting.
A READ SCSI command can succeed with FSF_PROT_GOOD, FSF_GOOD, and
SAM_STAT_GOOD. But on writing the read data to host memory via DMA,
it can still fail, e.g. if an intentionally wrong scatter list does not
provide enough space. Rather than getting an unsuccessful response,
we get a QDIO activate check which in turn triggers adapter recovery.
One or more pending requests can meanwhile have FSF_PROT_GOOD and FSF_GOOD
because the channel filled in the response via DMA into the request's QTCB.
Example trace records formatted with zfcpdbf from the s390-tools package:

Timestamp  : ...
Area   : HBA
Subarea: 00
Level  : 6  > default level => 3<= default level
Exception  : -
CPU ID : ..
Caller : ...
Record ID  : 1

[PATCH 4.4 46/66] scsi: sg: remove save_scat_len

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 136e57bf43dc4babbfb8783abbf707d483cacbe3 upstream.

Unused.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |2 --
 1 file changed, 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -157,7 +157,6 @@ typedef struct sg_fd {  /* holds the sta
int timeout;/* defaults to SG_DEFAULT_TIMEOUT  */
int timeout_user;   /* defaults to SG_DEFAULT_TIMEOUT_USER */
Sg_scatter_hold reserve;/* buffer held for this file descriptor 
*/
-   unsigned save_scat_len; /* original length of trunc. scat. element */
Sg_request *headrp; /* head of request slist, NULL->empty */
struct fasync_struct *async_qp; /* used by asynchronous notification */
Sg_request req_arr[SG_MAX_QUEUE];   /* used as singly-linked list */
@@ -2059,7 +2058,6 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_reques
req_schp->pages = NULL;
req_schp->page_order = 0;
req_schp->sglist_len = 0;
-   sfp->save_scat_len = 0;
srp->res_used = 0;
/* Called without mutex lock to avoid deadlock */
sfp->res_in_use = 0;




[PATCH 4.4 47/66] scsi: sg: use standard lists for sg_requests

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 109bade9c625c89bb5ea753aaa1a0a97e6fbb548 upstream.

'Sg_request' is using a private list implementation; convert it to
standard lists.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |  147 ++
 1 file changed, 61 insertions(+), 86 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -133,7 +133,7 @@ struct sg_device;   /* forward declaratio
 struct sg_fd;
 
 typedef struct sg_request {/* SG_MAX_QUEUE requests outstanding per file */
-   struct sg_request *nextrp;  /* NULL -> tail request (slist) */
+   struct list_head entry; /* list entry */
struct sg_fd *parentfp; /* NULL -> not in use */
Sg_scatter_hold data;   /* hold buffer, perhaps scatter list */
sg_io_hdr_t header; /* scsi command+info, see  */
@@ -157,7 +157,7 @@ typedef struct sg_fd {  /* holds the sta
int timeout;/* defaults to SG_DEFAULT_TIMEOUT  */
int timeout_user;   /* defaults to SG_DEFAULT_TIMEOUT_USER */
Sg_scatter_hold reserve;/* buffer held for this file descriptor 
*/
-   Sg_request *headrp; /* head of request slist, NULL->empty */
+   struct list_head rq_list; /* head of request list */
struct fasync_struct *async_qp; /* used by asynchronous notification */
Sg_request req_arr[SG_MAX_QUEUE];   /* used as singly-linked list */
char low_dma;   /* as in parent but possibly overridden to 1 */
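Review bot: The context line `Sg_request req_arr[SG_MAX_QUEUE]; /* used as singly-linked list */` keeps a comment that this change makes stale: with `nextrp` and `headrp` replaced by `struct list_head`, the array is only the storage whose elements are linked through `entry` onto `rq_list`. I would update it to `/* storage for requests linked on rq_list */`. The struct starts and ends outside the hunk, and the same lines appear again in the repeated copy of this patch further down the page.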
@@ -950,7 +950,7 @@ sg_ioctl(struct file *filp, unsigned int
if (!access_ok(VERIFY_WRITE, ip, sizeof (int)))
return -EFAULT;
read_lock_irqsave(>rq_list_lock, iflags);
-   for (srp = sfp->headrp; srp; srp = srp->nextrp) {
+   list_for_each_entry(srp, >rq_list, entry) {
if ((1 == srp->done) && (!srp->sg_io_owned)) {
read_unlock_irqrestore(>rq_list_lock,
   iflags);
@@ -963,7 +963,8 @@ sg_ioctl(struct file *filp, unsigned int
return 0;
case SG_GET_NUM_WAITING:
read_lock_irqsave(>rq_list_lock, iflags);
-   for (val = 0, srp = sfp->headrp; srp; srp = srp->nextrp) {
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
if ((1 == srp->done) && (!srp->sg_io_owned))
++val;
}
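Review bot: The bound on sg_ioctl()'s request-table walk looks off by one; the loop converted in this hunk only counts and needs no bound, but the following hunk (cut off on this page) guards `rinfo[val]` with `if (val > SG_MAX_QUEUE)` where the loop it replaces ran while `val < SG_MAX_QUEUE`. If `rinfo` holds SG_MAX_QUEUE entries, as the old bound suggests, an index equal to SG_MAX_QUEUE would still be written, one element past the array. The guard should read `if (val >= SG_MAX_QUEUE)`. The allocation of `rinfo` is outside the visible lines, so its size should be confirmed against the full function.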
@@ -1038,35 +1039,33 @@ sg_ioctl(struct file *filp, unsigned int
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
-   for (srp = sfp->headrp, val = 0; val < SG_MAX_QUEUE;
-++val, srp = srp ? srp->nextrp : srp) {
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
+   if (val > SG_MAX_QUEUE)
+   break;
memset([val], 0, SZ_SG_REQ_INFO);
-   if (srp) {
-   rinfo[val].req_state = srp->done + 1;
-   rinfo[val].problem =
-   srp->header.masked_status & 
-   srp->header.host_status & 
-   srp->header.driver_status;
-   if (srp->done)
-   rinfo[val].duration =
-   srp->header.duration;
-   else {
-   ms = jiffies_to_msecs(jiffies);
-   rinfo[val].duration =
-   (ms > srp->header.duration) 
?
-   (ms - srp->header.duration) 
: 0;
-   }
-   rinfo[val].orphan = srp->orphan;
-   rinfo[val].sg_io_owned =
-   srp->sg_io_owned;
-   rinfo[val].pack_id =
-   srp->header.pack_id;
-   

[PATCH 4.4 46/66] scsi: sg: remove save_scat_len

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 136e57bf43dc4babbfb8783abbf707d483cacbe3 upstream.

Unused.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |2 --
 1 file changed, 2 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -157,7 +157,6 @@ typedef struct sg_fd {  /* holds the sta
int timeout;/* defaults to SG_DEFAULT_TIMEOUT  */
int timeout_user;   /* defaults to SG_DEFAULT_TIMEOUT_USER */
Sg_scatter_hold reserve;/* buffer held for this file descriptor 
*/
-   unsigned save_scat_len; /* original length of trunc. scat. element */
Sg_request *headrp; /* head of request slist, NULL->empty */
struct fasync_struct *async_qp; /* used by asynchronous notification */
Sg_request req_arr[SG_MAX_QUEUE];   /* used as singly-linked list */
@@ -2059,7 +2058,6 @@ sg_unlink_reserve(Sg_fd * sfp, Sg_reques
req_schp->pages = NULL;
req_schp->page_order = 0;
req_schp->sglist_len = 0;
-   sfp->save_scat_len = 0;
srp->res_used = 0;
/* Called without mutex lock to avoid deadlock */
sfp->res_in_use = 0;




[PATCH 4.4 47/66] scsi: sg: use standard lists for sg_requests

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 109bade9c625c89bb5ea753aaa1a0a97e6fbb548 upstream.

'Sg_request' is using a private list implementation; convert it to
standard lists.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Johannes Thumshirn 
Tested-by: Johannes Thumshirn 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |  147 ++
 1 file changed, 61 insertions(+), 86 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -133,7 +133,7 @@ struct sg_device;   /* forward declaratio
 struct sg_fd;
 
 typedef struct sg_request {/* SG_MAX_QUEUE requests outstanding per file */
-   struct sg_request *nextrp;  /* NULL -> tail request (slist) */
+   struct list_head entry; /* list entry */
struct sg_fd *parentfp; /* NULL -> not in use */
Sg_scatter_hold data;   /* hold buffer, perhaps scatter list */
sg_io_hdr_t header; /* scsi command+info, see  */
@@ -157,7 +157,7 @@ typedef struct sg_fd {  /* holds the sta
int timeout;/* defaults to SG_DEFAULT_TIMEOUT  */
int timeout_user;   /* defaults to SG_DEFAULT_TIMEOUT_USER */
Sg_scatter_hold reserve;/* buffer held for this file descriptor 
*/
-   Sg_request *headrp; /* head of request slist, NULL->empty */
+   struct list_head rq_list; /* head of request list */
struct fasync_struct *async_qp; /* used by asynchronous notification */
Sg_request req_arr[SG_MAX_QUEUE];   /* used as singly-linked list */
char low_dma;   /* as in parent but possibly overridden to 1 */
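Review bot: The comment on the unchanged `req_arr` line still reads `/* used as singly-linked list */`, which no longer matches the struct now that `headrp` is replaced by `struct list_head rq_list`. Updating it in the same change, for example to `/* backing array for requests linked on rq_list */`, would keep the field documentation consistent. That `req_arr` entries are what gets linked on `rq_list` is inferred from the names, since the struct body continues outside the hunk.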
@@ -950,7 +950,7 @@ sg_ioctl(struct file *filp, unsigned int
if (!access_ok(VERIFY_WRITE, ip, sizeof (int)))
return -EFAULT;
read_lock_irqsave(>rq_list_lock, iflags);
-   for (srp = sfp->headrp; srp; srp = srp->nextrp) {
+   list_for_each_entry(srp, >rq_list, entry) {
if ((1 == srp->done) && (!srp->sg_io_owned)) {
read_unlock_irqrestore(>rq_list_lock,
   iflags);
@@ -963,7 +963,8 @@ sg_ioctl(struct file *filp, unsigned int
return 0;
case SG_GET_NUM_WAITING:
read_lock_irqsave(>rq_list_lock, iflags);
-   for (val = 0, srp = sfp->headrp; srp; srp = srp->nextrp) {
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
if ((1 == srp->done) && (!srp->sg_io_owned))
++val;
}
@@ -1038,35 +1039,33 @@ sg_ioctl(struct file *filp, unsigned int
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
-   for (srp = sfp->headrp, val = 0; val < SG_MAX_QUEUE;
-++val, srp = srp ? srp->nextrp : srp) {
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
+   if (val > SG_MAX_QUEUE)
+   break;
memset([val], 0, SZ_SG_REQ_INFO);
-   if (srp) {
-   rinfo[val].req_state = srp->done + 1;
-   rinfo[val].problem =
-   srp->header.masked_status & 
-   srp->header.host_status & 
-   srp->header.driver_status;
-   if (srp->done)
-   rinfo[val].duration =
-   srp->header.duration;
-   else {
-   ms = jiffies_to_msecs(jiffies);
-   rinfo[val].duration =
-   (ms > srp->header.duration) 
?
-   (ms - srp->header.duration) 
: 0;
-   }
-   rinfo[val].orphan = srp->orphan;
-   rinfo[val].sg_io_owned =
-   srp->sg_io_owned;
-   rinfo[val].pack_id =
-   srp->header.pack_id;
-   rinfo[val].usr_ptr =
-   srp->header.usr_ptr;
+   

[PATCH 4.4 43/66] scsi: megaraid_sas: Check valid aen class range to avoid kernel panic

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Shivasharan S 

commit 91b3d9f0069c8307d0b3a4c6843b65a439183318 upstream.

Signed-off-by: Kashyap Desai 
Signed-off-by: Shivasharan S 
Reviewed-by: Hannes Reinecke 
Reviewed-by: Tomas Henzl 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/megaraid/megaraid_sas_base.c |8 
 1 file changed, 8 insertions(+)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -5094,6 +5094,14 @@ megasas_register_aen(struct megasas_inst
prev_aen.word =
le32_to_cpu(instance->aen_cmd->frame->dcmd.mbox.w[1]);
 
+   if ((curr_aen.members.class < MFI_EVT_CLASS_DEBUG) ||
+   (curr_aen.members.class > MFI_EVT_CLASS_DEAD)) {
+   dev_info(>pdev->dev,
+"%s %d out of range class %d send by 
application\n",
+__func__, __LINE__, curr_aen.members.class);
+   return 0;
+   }
+
/*
 * A class whose enum value is smaller is inclusive of all
 * higher values. If a PROGRESS (= -1) was previously
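Review bot: The new range check rejects an out-of-range class with `return 0;`, so the caller sees success for a request that was never registered. If the callers of megasas_register_aen() pass its return value back to the application (they are outside this hunk), `return -EINVAL;` would let the sender notice the bad class. The message text could also read `"%s %d out of range class %d sent by application\n"`. The context line just above dereferences `instance->aen_cmd`, so it is worth confirming that the check is also reached when no AEN command is registered yet. This patch appears a second time further down the page.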




[PATCH 4.4 44/66] scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Shivasharan S 

commit eb3fe263a48b0d27b229c213929c4cb3b1b39a0f upstream.

After a kill adapter, since the cmd_status is not set, the IOCTLs will
be hung in driver resulting in application hang.  Set cmd_status
MFI_STAT_WRONG_STATE when completing pended IOCTLs.

Signed-off-by: Kashyap Desai 
Signed-off-by: Shivasharan S 
Reviewed-by: Hannes Reinecke 
Reviewed-by: Tomas Henzl 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/megaraid/megaraid_sas_base.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -1824,9 +1824,12 @@ static void megasas_complete_outstanding
if (cmd_fusion->sync_cmd_idx != (u32)ULONG_MAX) {
cmd_mfi = 
instance->cmd_list[cmd_fusion->sync_cmd_idx];
if (cmd_mfi->sync_cmd &&
-   cmd_mfi->frame->hdr.cmd != 
MFI_CMD_ABORT)
+   (cmd_mfi->frame->hdr.cmd != MFI_CMD_ABORT)) 
{
+   cmd_mfi->frame->hdr.cmd_status =
+   MFI_STAT_WRONG_STATE;
megasas_complete_cmd(instance,
 cmd_mfi, DID_OK);
+   }
}
}
} else {




[PATCH 4.4 28/66] ext4: fix incorrect quotaoff if the quota feature is enabled

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: zhangyi (F) 

commit b0a5a9589decd07db755d6a8d9c0910d96ff7992 upstream.

Current ext4 quota should always be "usage enabled" if the
quota feature is enabled. But ext4_orphan_cleanup() turns
quotas off directly (as used for the older journaled
quota), so we cannot turn them on again via "quotaon" without
unmounting and remounting ext4.

Simple reproducer:

  mkfs.ext4 -O project,quota /dev/vdb1
  mount -o prjquota /dev/vdb1 /mnt
  chattr -p 123 /mnt
  chattr +P /mnt
  touch /mnt/aa /mnt/bb
  exec 100<>/mnt/aa
  rm -f /mnt/aa
  sync
  echo c > /proc/sysrq-trigger

  #reboot and mount
  mount -o prjquota /dev/vdb1 /mnt
  #query status
  quotaon -Ppv /dev/vdb1
  #output
  quotaon: Cannot find mountpoint for device /dev/vdb1
  quotaon: No correct mountpoint specified.

This patch adds a check for journaled quotas to avoid an incorrect
quotaoff when ext4 has the quota feature.

Signed-off-by: zhangyi (F) 
Signed-off-by: Theodore Ts'o 
Reviewed-by: Jan Kara 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/super.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2243,7 +2243,7 @@ static void ext4_orphan_cleanup(struct s
 #ifdef CONFIG_QUOTA
/* Needed for iput() to work correctly and not trash data */
sb->s_flags |= MS_ACTIVE;
-   /* Turn on quotas so that they are updated correctly */
+   /* Turn on journaled quotas so that they are updated correctly */
for (i = 0; i < EXT4_MAXQUOTAS; i++) {
if (EXT4_SB(sb)->s_qf_names[i]) {
int ret = ext4_quota_on_mount(sb, i);
@@ -2309,9 +2309,9 @@ static void ext4_orphan_cleanup(struct s
ext4_msg(sb, KERN_INFO, "%d truncate%s cleaned up",
   PLURAL(nr_truncates));
 #ifdef CONFIG_QUOTA
-   /* Turn quotas off */
+   /* Turn off journaled quotas if they were enabled for orphan cleanup */
for (i = 0; i < EXT4_MAXQUOTAS; i++) {
-   if (sb_dqopt(sb)->files[i])
+   if (EXT4_SB(sb)->s_qf_names[i] && sb_dqopt(sb)->files[i])
dquot_quota_off(sb, i);
}
 #endif




[PATCH 4.4 44/66] scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Shivasharan S 

commit eb3fe263a48b0d27b229c213929c4cb3b1b39a0f upstream.

After a kill adapter, since the cmd_status is not set, the IOCTLs will
be hung in driver resulting in application hang.  Set cmd_status
MFI_STAT_WRONG_STATE when completing pended IOCTLs.

Signed-off-by: Kashyap Desai 
Signed-off-by: Shivasharan S 
Reviewed-by: Hannes Reinecke 
Reviewed-by: Tomas Henzl 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/megaraid/megaraid_sas_base.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -1824,9 +1824,12 @@ static void megasas_complete_outstanding
if (cmd_fusion->sync_cmd_idx != (u32)ULONG_MAX) {
cmd_mfi = 
instance->cmd_list[cmd_fusion->sync_cmd_idx];
if (cmd_mfi->sync_cmd &&
-   cmd_mfi->frame->hdr.cmd != 
MFI_CMD_ABORT)
+   (cmd_mfi->frame->hdr.cmd != MFI_CMD_ABORT)) 
{
+   cmd_mfi->frame->hdr.cmd_status =
+   MFI_STAT_WRONG_STATE;
megasas_complete_cmd(instance,
 cmd_mfi, DID_OK);
+   }
}
}
} else {




[PATCH 4.4 28/66] ext4: fix incorrect quotaoff if the quota feature is enabled

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: zhangyi (F) 

commit b0a5a9589decd07db755d6a8d9c0910d96ff7992 upstream.

Current ext4 quota should always be "usage enabled" if the
quota feature is enabled. But ext4_orphan_cleanup() turns
quotas off directly (as used for the older journaled
quota), so we cannot turn them on again via "quotaon" without
unmounting and remounting ext4.

Simple reproducer:

  mkfs.ext4 -O project,quota /dev/vdb1
  mount -o prjquota /dev/vdb1 /mnt
  chattr -p 123 /mnt
  chattr +P /mnt
  touch /mnt/aa /mnt/bb
  exec 100<>/mnt/aa
  rm -f /mnt/aa
  sync
  echo c > /proc/sysrq-trigger

  #reboot and mount
  mount -o prjquota /dev/vdb1 /mnt
  #query status
  quotaon -Ppv /dev/vdb1
  #output
  quotaon: Cannot find mountpoint for device /dev/vdb1
  quotaon: No correct mountpoint specified.

This patch adds a check for journaled quotas to avoid an incorrect
quotaoff when ext4 has the quota feature.

Signed-off-by: zhangyi (F) 
Signed-off-by: Theodore Ts'o 
Reviewed-by: Jan Kara 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/super.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2243,7 +2243,7 @@ static void ext4_orphan_cleanup(struct s
 #ifdef CONFIG_QUOTA
/* Needed for iput() to work correctly and not trash data */
sb->s_flags |= MS_ACTIVE;
-   /* Turn on quotas so that they are updated correctly */
+   /* Turn on journaled quotas so that they are updated correctly */
for (i = 0; i < EXT4_MAXQUOTAS; i++) {
if (EXT4_SB(sb)->s_qf_names[i]) {
int ret = ext4_quota_on_mount(sb, i);
@@ -2309,9 +2309,9 @@ static void ext4_orphan_cleanup(struct s
ext4_msg(sb, KERN_INFO, "%d truncate%s cleaned up",
   PLURAL(nr_truncates));
 #ifdef CONFIG_QUOTA
-   /* Turn quotas off */
+   /* Turn off journaled quotas if they were enabled for orphan cleanup */
for (i = 0; i < EXT4_MAXQUOTAS; i++) {
-   if (sb_dqopt(sb)->files[i])
+   if (EXT4_SB(sb)->s_qf_names[i] && sb_dqopt(sb)->files[i])
dquot_quota_off(sb, i);
}
 #endif




[PATCH 4.4 43/66] scsi: megaraid_sas: Check valid aen class range to avoid kernel panic

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Shivasharan S 

commit 91b3d9f0069c8307d0b3a4c6843b65a439183318 upstream.

Signed-off-by: Kashyap Desai 
Signed-off-by: Shivasharan S 
Reviewed-by: Hannes Reinecke 
Reviewed-by: Tomas Henzl 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/megaraid/megaraid_sas_base.c |8 
 1 file changed, 8 insertions(+)

--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -5094,6 +5094,14 @@ megasas_register_aen(struct megasas_inst
prev_aen.word =
le32_to_cpu(instance->aen_cmd->frame->dcmd.mbox.w[1]);
 
+   if ((curr_aen.members.class < MFI_EVT_CLASS_DEBUG) ||
+   (curr_aen.members.class > MFI_EVT_CLASS_DEAD)) {
+   dev_info(>pdev->dev,
+"%s %d out of range class %d send by 
application\n",
+__func__, __LINE__, curr_aen.members.class);
+   return 0;
+   }
+
/*
 * A class whose enum value is smaller is inclusive of all
 * higher values. If a PROGRESS (= -1) was previously




[PATCH 4.4 49/66] scsi: sg: factor out sg_fill_request_table()

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 4759df905a474d245752c9dc94288e779b8734dd upstream.

Factor out sg_fill_request_table() for better readability.

[mkp: typos, applied by hand]

Signed-off-by: Hannes Reinecke 
Reviewed-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |   61 ++
 1 file changed, 35 insertions(+), 26 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -839,6 +839,40 @@ static int max_sectors_bytes(struct requ
return max_sectors << 9;
 }
 
+static void
+sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
+{
+   Sg_request *srp;
+   int val;
+   unsigned int ms;
+
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
+   if (val > SG_MAX_QUEUE)
+   break;
+   memset([val], 0, SZ_SG_REQ_INFO);
+   rinfo[val].req_state = srp->done + 1;
+   rinfo[val].problem =
+   srp->header.masked_status &
+   srp->header.host_status &
+   srp->header.driver_status;
+   if (srp->done)
+   rinfo[val].duration =
+   srp->header.duration;
+   else {
+   ms = jiffies_to_msecs(jiffies);
+   rinfo[val].duration =
+   (ms > srp->header.duration) ?
+   (ms - srp->header.duration) : 0;
+   }
+   rinfo[val].orphan = srp->orphan;
+   rinfo[val].sg_io_owned = srp->sg_io_owned;
+   rinfo[val].pack_id = srp->header.pack_id;
+   rinfo[val].usr_ptr = srp->header.usr_ptr;
+   val++;
+   }
+}
+
 static long
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 {
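Review bot: The bound in the new sg_fill_request_table() is off by one: `if (val > SG_MAX_QUEUE)` lets the loop body run with `val == SG_MAX_QUEUE`, while the table passed in is allocated as `SZ_SG_REQ_INFO * SG_MAX_QUEUE` in the next hunk, so `rinfo[SG_MAX_QUEUE]` lies one element past the buffer. The lines removed from sg_ioctl() used `>=`, so the refactoring loosened the check; it should stay `if (val >= SG_MAX_QUEUE)`. The same `>` comparison appears in the 47/66 hunk and as context in 50/66, and this patch is repeated later on the page. A short comment on the helper stating that the caller holds `rq_list_lock` and that `rinfo` has `SG_MAX_QUEUE` entries would make the contract explicit.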
@@ -1032,38 +1066,13 @@ sg_ioctl(struct file *filp, unsigned int
return -EFAULT;
else {
sg_req_info_t *rinfo;
-   unsigned int ms;
 
rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
GFP_KERNEL);
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
-   val = 0;
-   list_for_each_entry(srp, >rq_list, entry) {
-   if (val >= SG_MAX_QUEUE)
-   break;
-   memset([val], 0, SZ_SG_REQ_INFO);
-   rinfo[val].req_state = srp->done + 1;
-   rinfo[val].problem =
-   srp->header.masked_status &
-   srp->header.host_status &
-   srp->header.driver_status;
-   if (srp->done)
-   rinfo[val].duration =
-   srp->header.duration;
-   else {
-   ms = jiffies_to_msecs(jiffies);
-   rinfo[val].duration =
-   (ms > srp->header.duration) ?
-   (ms - srp->header.duration) : 0;
-   }
-   rinfo[val].orphan = srp->orphan;
-   rinfo[val].sg_io_owned = srp->sg_io_owned;
-   rinfo[val].pack_id = srp->header.pack_id;
-   rinfo[val].usr_ptr = srp->header.usr_ptr;
-   val++;
-   }
+   sg_fill_request_table(sfp, rinfo);
read_unlock_irqrestore(>rq_list_lock, iflags);
result = __copy_to_user(p, rinfo,
SZ_SG_REQ_INFO * SG_MAX_QUEUE);




[PATCH 4.4 52/66] ftrace: Fix selftest goto location on error

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steven Rostedt (VMware) 

commit 46320a6acc4fb58f04bcf78c4c942cc43b20f986 upstream.

In the second iteration of trace_selftest_ops(), the error goto label is
wrong in the case where trace_selftest_test_global_cnt is off. In the
case of error, it leaks the dynamic ops that was allocated.

Fixes: 95950c2e ("ftrace: Add self-tests for multiple function trace users")
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/trace_selftest.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace_selftest.c
+++ b/kernel/trace/trace_selftest.c
@@ -272,7 +272,7 @@ static int trace_selftest_ops(struct tra
goto out_free;
if (cnt > 1) {
if (trace_selftest_test_global_cnt == 0)
-   goto out;
+   goto out_free;
}
if (trace_selftest_test_dyn_cnt == 0)
goto out_free;




[PATCH 4.4 51/66] scsi: qla2xxx: Fix an integer overflow in sysfs code

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit e6f77540c067b48dee10f1e33678415bfcc89017 upstream.

The value of "size" comes from the user.  When we add "start + size" it
could lead to an integer overflow bug.

It means we vmalloc() a lot more memory than we had intended.  I believe
that on 64 bit systems vmalloc() can succeed even if we ask it to
allocate huge 4GB buffers.  So we would get memory corruption and likely
a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().

Only root can trigger this bug.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061

Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
Reported-by: shqking 
Signed-off-by: Dan Carpenter 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/qla2xxx/qla_attr.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -404,6 +404,8 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
return -EINVAL;
if (start > ha->optrom_size)
return -EINVAL;
+   if (size > ha->optrom_size - start)
+   size = ha->optrom_size - start;
 
mutex_lock(>optrom_mutex);
switch (val) {
@@ -429,8 +431,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
}
 
ha->optrom_region_start = start;
-   ha->optrom_region_size = start + size > ha->optrom_size ?
-   ha->optrom_size - start : size;
+   ha->optrom_region_size = start + size;
 
ha->optrom_state = QLA_SREADING;
ha->optrom_buffer = vmalloc(ha->optrom_region_size);
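Review bot: `ha->optrom_region_size = start + size;` stores the end offset of the region rather than its length, whereas the removed expression always produced a length (`ha->optrom_size - start` or `size`). With `size` already clamped by the check added in the first hunk, the equivalent of the old value is `ha->optrom_region_size = size;`. As written, the following `vmalloc(ha->optrom_region_size)` is `start` bytes larger than the region, and any later use of the field as a length counted from `optrom_region_start` (outside this hunk) would run past the intended range. The hunk at -503 carries the same assignment, and the patch is repeated later on the page.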
@@ -503,8 +504,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
}
 
ha->optrom_region_start = start;
-   ha->optrom_region_size = start + size > ha->optrom_size ?
-   ha->optrom_size - start : size;
+   ha->optrom_region_size = start + size;
 
ha->optrom_state = QLA_SWRITING;
ha->optrom_buffer = vmalloc(ha->optrom_region_size);




[PATCH 4.4 49/66] scsi: sg: factor out sg_fill_request_table()

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 4759df905a474d245752c9dc94288e779b8734dd upstream.

Factor out sg_fill_request_table() for better readability.

[mkp: typos, applied by hand]

Signed-off-by: Hannes Reinecke 
Reviewed-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |   61 ++
 1 file changed, 35 insertions(+), 26 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -839,6 +839,40 @@ static int max_sectors_bytes(struct requ
return max_sectors << 9;
 }
 
+static void
+sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
+{
+   Sg_request *srp;
+   int val;
+   unsigned int ms;
+
+   val = 0;
+   list_for_each_entry(srp, >rq_list, entry) {
+   if (val > SG_MAX_QUEUE)
+   break;
+   memset([val], 0, SZ_SG_REQ_INFO);
+   rinfo[val].req_state = srp->done + 1;
+   rinfo[val].problem =
+   srp->header.masked_status &
+   srp->header.host_status &
+   srp->header.driver_status;
+   if (srp->done)
+   rinfo[val].duration =
+   srp->header.duration;
+   else {
+   ms = jiffies_to_msecs(jiffies);
+   rinfo[val].duration =
+   (ms > srp->header.duration) ?
+   (ms - srp->header.duration) : 0;
+   }
+   rinfo[val].orphan = srp->orphan;
+   rinfo[val].sg_io_owned = srp->sg_io_owned;
+   rinfo[val].pack_id = srp->header.pack_id;
+   rinfo[val].usr_ptr = srp->header.usr_ptr;
+   val++;
+   }
+}
+
 static long
 sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
 {
@@ -1032,38 +1066,13 @@ sg_ioctl(struct file *filp, unsigned int
return -EFAULT;
else {
sg_req_info_t *rinfo;
-   unsigned int ms;
 
rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
GFP_KERNEL);
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
-   val = 0;
-   list_for_each_entry(srp, >rq_list, entry) {
-   if (val >= SG_MAX_QUEUE)
-   break;
-   memset([val], 0, SZ_SG_REQ_INFO);
-   rinfo[val].req_state = srp->done + 1;
-   rinfo[val].problem =
-   srp->header.masked_status &
-   srp->header.host_status &
-   srp->header.driver_status;
-   if (srp->done)
-   rinfo[val].duration =
-   srp->header.duration;
-   else {
-   ms = jiffies_to_msecs(jiffies);
-   rinfo[val].duration =
-   (ms > srp->header.duration) ?
-   (ms - srp->header.duration) : 0;
-   }
-   rinfo[val].orphan = srp->orphan;
-   rinfo[val].sg_io_owned = srp->sg_io_owned;
-   rinfo[val].pack_id = srp->header.pack_id;
-   rinfo[val].usr_ptr = srp->header.usr_ptr;
-   val++;
-   }
+   sg_fill_request_table(sfp, rinfo);
read_unlock_irqrestore(>rq_list_lock, iflags);
result = __copy_to_user(p, rinfo,
SZ_SG_REQ_INFO * SG_MAX_QUEUE);




[PATCH 4.4 52/66] ftrace: Fix selftest goto location on error

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steven Rostedt (VMware) 

commit 46320a6acc4fb58f04bcf78c4c942cc43b20f986 upstream.

In the second iteration of trace_selftest_ops(), the error goto label is
wrong in the case where trace_selftest_test_global_cnt is off. In the
case of error, it leaks the dynamic ops that was allocated.

Fixes: 95950c2e ("ftrace: Add self-tests for multiple function trace users")
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/trace_selftest.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace_selftest.c
+++ b/kernel/trace/trace_selftest.c
@@ -272,7 +272,7 @@ static int trace_selftest_ops(struct tra
goto out_free;
if (cnt > 1) {
if (trace_selftest_test_global_cnt == 0)
-   goto out;
+   goto out_free;
}
if (trace_selftest_test_dyn_cnt == 0)
goto out_free;




[PATCH 4.4 51/66] scsi: qla2xxx: Fix an integer overflow in sysfs code

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit e6f77540c067b48dee10f1e33678415bfcc89017 upstream.

The value of "size" comes from the user.  When we add "start + size" it
could lead to an integer overflow bug.

It means we vmalloc() a lot more memory than we had intended.  I believe
that on 64 bit systems vmalloc() can succeed even if we ask it to
allocate huge 4GB buffers.  So we would get memory corruption and likely
a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().

Only root can trigger this bug.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061

Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
Reported-by: shqking 
Signed-off-by: Dan Carpenter 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/qla2xxx/qla_attr.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -404,6 +404,8 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
return -EINVAL;
if (start > ha->optrom_size)
return -EINVAL;
+   if (size > ha->optrom_size - start)
+   size = ha->optrom_size - start;
 
mutex_lock(>optrom_mutex);
switch (val) {
@@ -429,8 +431,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
}
 
ha->optrom_region_start = start;
-   ha->optrom_region_size = start + size > ha->optrom_size ?
-   ha->optrom_size - start : size;
+   ha->optrom_region_size = start + size;
 
ha->optrom_state = QLA_SREADING;
ha->optrom_buffer = vmalloc(ha->optrom_region_size);
@@ -503,8 +504,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
}
 
ha->optrom_region_start = start;
-   ha->optrom_region_size = start + size > ha->optrom_size ?
-   ha->optrom_size - start : size;
+   ha->optrom_region_size = start + size;
 
ha->optrom_state = QLA_SWRITING;
ha->optrom_buffer = vmalloc(ha->optrom_region_size);




[PATCH 4.4 50/66] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 3e0097499839e0fe3af380410eababe5a47c4cf9 upstream.

When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
returned; the remaining part will then contain stale kernel memory
information.  This patch zeroes out the entire table to avoid this
issue.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Reviewed-by: Eric Dumazet 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -850,7 +850,6 @@ sg_fill_request_table(Sg_fd *sfp, sg_req
list_for_each_entry(srp, >rq_list, entry) {
if (val > SG_MAX_QUEUE)
break;
-   memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;
rinfo[val].problem =
srp->header.masked_status &
@@ -1067,8 +1066,8 @@ sg_ioctl(struct file *filp, unsigned int
else {
sg_req_info_t *rinfo;
 
-   rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-   GFP_KERNEL);
+   rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+   GFP_KERNEL);
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);
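Review bot: Nothing at the allocation site records why `rinfo` must be zeroed, so a later cleanup could turn `kzalloc` back into `kmalloc` and reopen the leak. The 49/66 hunk on this page shows the whole `SZ_SG_REQ_INFO * SG_MAX_QUEUE` table being copied out with `__copy_to_user()` however many entries were filled, so a comment such as `/* zeroed: the full table is copied to user space, filled or not */` would document the dependency. As a style point, `kcalloc(SG_MAX_QUEUE, SZ_SG_REQ_INFO, GFP_KERNEL)` states the array shape directly. The enclosing sg_ioctl() case continues outside the hunk.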




[PATCH 4.4 50/66] scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Hannes Reinecke 

commit 3e0097499839e0fe3af380410eababe5a47c4cf9 upstream.

When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
returned; the remaining part will then contain stale kernel memory
information.  This patch zeroes out the entire table to avoid this
issue.

Signed-off-by: Hannes Reinecke 
Reviewed-by: Bart Van Assche 
Reviewed-by: Christoph Hellwig 
Reviewed-by: Eric Dumazet 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -850,7 +850,6 @@ sg_fill_request_table(Sg_fd *sfp, sg_req
list_for_each_entry(srp, >rq_list, entry) {
if (val > SG_MAX_QUEUE)
break;
-   memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;
rinfo[val].problem =
srp->header.masked_status &
@@ -1067,8 +1066,8 @@ sg_ioctl(struct file *filp, unsigned int
else {
sg_req_info_t *rinfo;
 
-   rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-   GFP_KERNEL);
+   rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+   GFP_KERNEL);
if (!rinfo)
return -ENOMEM;
read_lock_irqsave(>rq_list_lock, iflags);




[PATCH 4.4 29/66] ext4: fix quota inconsistency during orphan cleanup for read-only mounts

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: zhangyi (F) 

commit 95f1fda47c9d8738f858c3861add7bf0a36a7c0b upstream.

Quota does not get enabled for read-only mounts if the filesystem
has the quota feature, so quotas cannot be updated during orphan
cleanup, which leads to quota inconsistency.

This patch turns on quotas during orphan cleanup for this case,
making sure quotas can be updated correctly.

Reported-by: Jan Kara 
Signed-off-by: zhangyi (F) 
Signed-off-by: Theodore Ts'o 
Reviewed-by: Jan Kara 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/super.c |   38 +++---
 1 file changed, 31 insertions(+), 7 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2205,6 +2205,7 @@ static void ext4_orphan_cleanup(struct s
unsigned int s_flags = sb->s_flags;
int nr_orphans = 0, nr_truncates = 0;
 #ifdef CONFIG_QUOTA
+   int quota_update = 0;
int i;
 #endif
if (!es->s_last_orphan) {
@@ -2243,14 +2244,32 @@ static void ext4_orphan_cleanup(struct s
 #ifdef CONFIG_QUOTA
/* Needed for iput() to work correctly and not trash data */
sb->s_flags |= MS_ACTIVE;
-   /* Turn on journaled quotas so that they are updated correctly */
+
+   /*
+* Turn on quotas which were not enabled for read-only mounts if
+* filesystem has quota feature, so that they are updated correctly.
+*/
+   if (ext4_has_feature_quota(sb) && (s_flags & MS_RDONLY)) {
+   int ret = ext4_enable_quotas(sb);
+
+   if (!ret)
+   quota_update = 1;
+   else
+   ext4_msg(sb, KERN_ERR,
+   "Cannot turn on quotas: error %d", ret);
+   }
+
+   /* Turn on journaled quotas used for old sytle */
for (i = 0; i < EXT4_MAXQUOTAS; i++) {
if (EXT4_SB(sb)->s_qf_names[i]) {
int ret = ext4_quota_on_mount(sb, i);
-   if (ret < 0)
+
+   if (!ret)
+   quota_update = 1;
+   else
ext4_msg(sb, KERN_ERR,
"Cannot turn on journaled "
-   "quota: error %d", ret);
+   "quota: type %d: error %d", i, ret);
}
}
 #endif
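Review bot: The new comment `/* Turn on journaled quotas used for old sytle */` has a typo and does not say what the old style is; `/* Turn on old-style journaled quotas (those listed in s_qf_names) */` would read more clearly. The error test also changed from `ret < 0` to `!ret`/else, so a positive return from ext4_quota_on_mount() would now be logged as an error. Whether that function can return a positive value is not visible in this hunk.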
@@ -2309,10 +2328,12 @@ static void ext4_orphan_cleanup(struct s
ext4_msg(sb, KERN_INFO, "%d truncate%s cleaned up",
   PLURAL(nr_truncates));
 #ifdef CONFIG_QUOTA
-   /* Turn off journaled quotas if they were enabled for orphan cleanup */
-   for (i = 0; i < EXT4_MAXQUOTAS; i++) {
-   if (EXT4_SB(sb)->s_qf_names[i] && sb_dqopt(sb)->files[i])
-   dquot_quota_off(sb, i);
+   /* Turn off quotas if they were enabled for orphan cleanup */
+   if (quota_update) {
+   for (i = 0; i < EXT4_MAXQUOTAS; i++) {
+   if (sb_dqopt(sb)->files[i])
+   dquot_quota_off(sb, i);
+   }
}
 #endif
sb->s_flags = s_flags; /* Restore MS_RDONLY status */
@@ -5120,6 +5141,9 @@ static int ext4_enable_quotas(struct sup
err = ext4_quota_enable(sb, type, QFMT_VFS_V1,
DQUOT_USAGE_ENABLED);
if (err) {
+   for (type--; type >= 0; type--)
+   dquot_quota_off(sb, type);
+
ext4_warning(sb,
"Failed to enable quota tracking "
"(type=%d, err=%d). Please run "
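Review bot: The rollback loop `for (type--; type >= 0; type--)` runs before the ext4_warning() call, so `type` is already -1 when the message is formatted. If the warning's `type=%d` argument is `type` (the argument list is outside the hunk), the log no longer names the quota type that failed. Moving the two added lines below the ext4_warning() call, or rolling back with a separate index variable, keeps the message accurate. The loop also relies on `type` being a signed integer, and its declaration is not visible here.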




[PATCH 4.4 54/66] ARC: Re-enable MMU upon Machine Check exception

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jose Abreu 

commit 1ee55a8f7f6b7ca4c0c59e0b4b4e3584a085c2d3 upstream.

I recently came upon a scenario where I would get a double fault
machine check exception triggered by a kernel module.
However the ensuing crash stacktrace (ksym lookup) was not working
correctly.

Turns out that machine check auto-disables MMU while modules are allocated
in kernel vaddr space.

This patch re-enables the MMU before starting to print the stacktrace,
making stacktracing of modules work upon a fatal exception.

Signed-off-by: Jose Abreu 
Reviewed-by: Alexey Brodkin 
Signed-off-by: Vineet Gupta 
[vgupta: moved code into low level handler to avoid in 2 places]
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arc/kernel/entry.S |6 ++
 arch/arc/mm/tlb.c   |3 ---
 2 files changed, 6 insertions(+), 3 deletions(-)

--- a/arch/arc/kernel/entry.S
+++ b/arch/arc/kernel/entry.S
@@ -104,6 +104,12 @@ ENTRY(EV_MachineCheck)
lr  r0, [efa]
mov r1, sp
 
+   ; hardware auto-disables MMU, re-enable it to allow kernel vaddr
+   ; access for say stack unwinding of modules for crash dumps
+   lr  r3, [ARC_REG_PID]
+   or  r3, r3, MMU_ENABLE
+   sr  r3, [ARC_REG_PID]
+
lsr r3, r2, 8
bmskr3, r3, 7
brner3, ECR_C_MCHK_DUP_TLB, 1f
--- a/arch/arc/mm/tlb.c
+++ b/arch/arc/mm/tlb.c
@@ -885,9 +885,6 @@ void do_tlb_overlap_fault(unsigned long
 
local_irq_save(flags);
 
-   /* re-enable the MMU */
-   write_aux_reg(ARC_REG_PID, MMU_ENABLE | read_aux_reg(ARC_REG_PID));
-
/* loop thru all sets of TLB */
for (set = 0; set < mmu->sets; set++) {
 




[PATCH 4.4 57/66] media: uvcvideo: Prevent heap overflow when accessing mapped controls

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Guenter Roeck 

commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba upstream.

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Originally-from: Richard Simmons 

Signed-off-by: Guenter Roeck 
Reviewed-by: Laurent Pinchart 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_ctrl.c |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2001,6 +2001,13 @@ int uvc_ctrl_add_mapping(struct uvc_vide
goto done;
}
 
+   /* Validate the user-provided bit-size and offset */
+   if (mapping->size > 32 ||
+   mapping->offset + mapping->size > ctrl->info.size * 8) {
+   ret = -EINVAL;
+   goto done;
+   }
+
list_for_each_entry(map, >info.mappings, list) {
if (mapping->id == map->id) {
uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "
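Review bot: The new rejection path (`ret = -EINVAL; goto done;`) is silent, while the duplicate-id path directly below it reports through `uvc_trace(UVC_TRACE_CONTROL, ...)`. An out-of-range size or offset supplied from user space deserves the same trace so that a malformed mapping request can be diagnosed, for example `uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', invalid size/offset.\n", mapping->name);`. The bound `32` is also unexplained; the comment should say which width it protects, since the accessors that consume `mapping->size` are outside the hunk. The sum `mapping->offset + mapping->size` cannot wrap only if both fields are narrower than `int`, which should be confirmed against their declarations. The same hunk is repeated further down this page.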




[PATCH 4.4 54/66] ARC: Re-enable MMU upon Machine Check exception

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jose Abreu 

commit 1ee55a8f7f6b7ca4c0c59e0b4b4e3584a085c2d3 upstream.

I recently came upon a scenario where I would get a double fault
machine check exception triggered by a kernel module.
However the ensuing crash stacktrace (ksym lookup) was not working
correctly.

Turns out that machine check auto-disables MMU while modules are allocated
in kernel vaddr space.

This patch re-enables the MMU before start printing the stacktrace
making stacktracing of modules work upon a fatal exception.

Signed-off-by: Jose Abreu 
Reviewed-by: Alexey Brodkin 
Signed-off-by: Vineet Gupta 
[vgupta: moved code into low level handler to avoid in 2 places]
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arc/kernel/entry.S |6 ++
 arch/arc/mm/tlb.c   |3 ---
 2 files changed, 6 insertions(+), 3 deletions(-)

--- a/arch/arc/kernel/entry.S
+++ b/arch/arc/kernel/entry.S
@@ -104,6 +104,12 @@ ENTRY(EV_MachineCheck)
lr  r0, [efa]
mov r1, sp
 
+   ; hardware auto-disables MMU, re-enable it to allow kernel vaddr
+   ; access for say stack unwinding of modules for crash dumps
+   lr  r3, [ARC_REG_PID]
+   or  r3, r3, MMU_ENABLE
+   sr  r3, [ARC_REG_PID]
+
lsr r3, r2, 8
bmskr3, r3, 7
brner3, ECR_C_MCHK_DUP_TLB, 1f
--- a/arch/arc/mm/tlb.c
+++ b/arch/arc/mm/tlb.c
@@ -885,9 +885,6 @@ void do_tlb_overlap_fault(unsigned long
 
local_irq_save(flags);
 
-   /* re-enable the MMU */
-   write_aux_reg(ARC_REG_PID, MMU_ENABLE | read_aux_reg(ARC_REG_PID));
-
/* loop thru all sets of TLB */
for (set = 0; set < mmu->sets; set++) {
 




[PATCH 4.4 57/66] media: uvcvideo: Prevent heap overflow when accessing mapped controls

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Guenter Roeck 

commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba upstream.

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Originally-from: Richard Simmons 

Signed-off-by: Guenter Roeck 
Reviewed-by: Laurent Pinchart 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_ctrl.c |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2001,6 +2001,13 @@ int uvc_ctrl_add_mapping(struct uvc_vide
goto done;
}
 
+   /* Validate the user-provided bit-size and offset */
+   if (mapping->size > 32 ||
+   mapping->offset + mapping->size > ctrl->info.size * 8) {
+   ret = -EINVAL;
+   goto done;
+   }
+
list_for_each_entry(map, >info.mappings, list) {
if (mapping->id == map->id) {
uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "




[PATCH 4.4 29/66] ext4: fix quota inconsistency during orphan cleanup for read-only mounts

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: zhangyi (F) 

commit 95f1fda47c9d8738f858c3861add7bf0a36a7c0b upstream.

Quota does not get enabled for read-only mounts if filesystem
has quota feature, so that quotas cannot be updated during orphan
cleanup, which will lead to quota inconsistency.

This patch turns on quotas during orphan cleanup for this case,
to make sure quotas can be updated correctly.

Reported-by: Jan Kara 
Signed-off-by: zhangyi (F) 
Signed-off-by: Theodore Ts'o 
Reviewed-by: Jan Kara 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/super.c |   38 +++---
 1 file changed, 31 insertions(+), 7 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2205,6 +2205,7 @@ static void ext4_orphan_cleanup(struct s
unsigned int s_flags = sb->s_flags;
int nr_orphans = 0, nr_truncates = 0;
 #ifdef CONFIG_QUOTA
+   int quota_update = 0;
int i;
 #endif
if (!es->s_last_orphan) {
@@ -2243,14 +2244,32 @@ static void ext4_orphan_cleanup(struct s
 #ifdef CONFIG_QUOTA
/* Needed for iput() to work correctly and not trash data */
sb->s_flags |= MS_ACTIVE;
-   /* Turn on journaled quotas so that they are updated correctly */
+
+   /*
+* Turn on quotas which were not enabled for read-only mounts if
+* filesystem has quota feature, so that they are updated correctly.
+*/
+   if (ext4_has_feature_quota(sb) && (s_flags & MS_RDONLY)) {
+   int ret = ext4_enable_quotas(sb);
+
+   if (!ret)
+   quota_update = 1;
+   else
+   ext4_msg(sb, KERN_ERR,
+   "Cannot turn on quotas: error %d", ret);
+   }
+
+   /* Turn on journaled quotas used for old sytle */
for (i = 0; i < EXT4_MAXQUOTAS; i++) {
if (EXT4_SB(sb)->s_qf_names[i]) {
int ret = ext4_quota_on_mount(sb, i);
-   if (ret < 0)
+
+   if (!ret)
+   quota_update = 1;
+   else
ext4_msg(sb, KERN_ERR,
"Cannot turn on journaled "
-   "quota: error %d", ret);
+   "quota: type %d: error %d", i, ret);
}
}
 #endif
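Review bot: The new comment `/* Turn on journaled quotas used for old sytle */` has a typo and does not say what "old style" refers to. From the loop it guards, it presumably means the quota files named in `s_qf_names[]`, as opposed to the quota-feature path handled by the `ext4_enable_quotas()` block just above; something like `/* Turn on journaled quotas given by name in s_qf_names (old style) */` would make the two paths distinguishable. Note also that when `ext4_enable_quotas()` fails here the cleanup carries on with only a `KERN_ERR` message, so the inconsistency the commit targets can still occur in that case; the comment block above the call is the place to state that this is intended. ext4_orphan_cleanup starts and ends outside the hunk.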
@@ -2309,10 +2328,12 @@ static void ext4_orphan_cleanup(struct s
ext4_msg(sb, KERN_INFO, "%d truncate%s cleaned up",
   PLURAL(nr_truncates));
 #ifdef CONFIG_QUOTA
-   /* Turn off journaled quotas if they were enabled for orphan cleanup */
-   for (i = 0; i < EXT4_MAXQUOTAS; i++) {
-   if (EXT4_SB(sb)->s_qf_names[i] && sb_dqopt(sb)->files[i])
-   dquot_quota_off(sb, i);
+   /* Turn off quotas if they were enabled for orphan cleanup */
+   if (quota_update) {
+   for (i = 0; i < EXT4_MAXQUOTAS; i++) {
+   if (sb_dqopt(sb)->files[i])
+   dquot_quota_off(sb, i);
+   }
}
 #endif
sb->s_flags = s_flags; /* Restore MS_RDONLY status */
@@ -5120,6 +5141,9 @@ static int ext4_enable_quotas(struct sup
err = ext4_quota_enable(sb, type, QFMT_VFS_V1,
DQUOT_USAGE_ENABLED);
if (err) {
+   for (type--; type >= 0; type--)
+   dquot_quota_off(sb, type);
+
ext4_warning(sb,
"Failed to enable quota tracking "
"(type=%d, err=%d). Please run "




[PATCH 4.4 59/66] bcache: Fix leak of bdev reference

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jan Kara 

commit 4b758df21ee7081ab41448d21d60367efaa625b3 upstream.

If blkdev_get_by_path() in register_bcache() fails, we try to lookup the
block device using lookup_bdev() to detect which situation we are in to
properly report error. However we never drop the reference returned to
us from lookup_bdev(). Fix that.

Signed-off-by: Jan Kara 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/super.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1960,6 +1960,8 @@ static ssize_t register_bcache(struct ko
else
err = "device busy";
mutex_unlock(_register_lock);
+   if (!IS_ERR(bdev))
+   bdput(bdev);
if (attr == _register_quiet)
goto out;
}
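Review bot: The added `bdput(bdev)` carries no comment saying which reference it drops, and at this point `bdev` is not the result of the failed blkdev_get_by_path() but, per the commit description, of a lookup_bdev() call that sits outside the hunk. I would add `/* drop the reference taken by lookup_bdev() */` above the `if (!IS_ERR(bdev))` line. After the put, `bdev` still holds the released pointer, so the code following this block (not visible here) must not use it again. The same hunk is repeated further down this page.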




[PATCH 4.4 56/66] media: v4l2-compat-ioctl32: Fix timespec conversion

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Mentz 

commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream.

Certain syscalls like recvmmsg support 64 bit timespec values for the
X32 ABI. The helper function compat_put_timespec converts a timespec
value to a 32 bit or 64 bit value depending on what ABI is used. The
v4l2 compat layer, however, is not designed to support 64 bit timespec
values and always uses 32 bit values. Hence, compat_put_timespec must
not be used.

Without this patch, user space will be provided with bad timestamp
values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct
v4l2_event32 that come immediately after timestamp get overwritten,
namely the field named id.

Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)")
Cc: H. Peter Anvin 
Cc: Laurent Pinchart 
Cc: Tiffany Lin 
Cc: Ricardo Ribalda Delgado 
Cc: Sakari Ailus 
Signed-off-by: Daniel Mentz 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -773,7 +773,8 @@ static int put_v4l2_event32(struct v4l2_
copy_to_user(>u, >u, sizeof(kp->u)) ||
put_user(kp->pending, >pending) ||
put_user(kp->sequence, >sequence) ||
-   compat_put_timespec(>timestamp, >timestamp) ||
+   put_user(kp->timestamp.tv_sec, >timestamp.tv_sec) ||
+   put_user(kp->timestamp.tv_nsec, >timestamp.tv_nsec) ||
put_user(kp->id, >id) ||
copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
return -EFAULT;
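Review bot: Nothing at the two new `put_user(kp->timestamp.tv_sec, ...)` and `put_user(kp->timestamp.tv_nsec, ...)` lines records why the timespec helper is avoided, so a later clean-up could reintroduce compat_put_timespec() and with it the overwrite of the `id` field described in the commit message. A comment above them such as `/* struct v4l2_event32 always carries a 32-bit timespec, also for x32: do not use compat_put_timespec() */` would pin that down. The stores presumably narrow the kernel's values to the 32-bit user-space fields; the field declarations are outside the hunk, so that is worth stating in the comment once confirmed. put_v4l2_event32 starts outside the hunk. The same hunk is repeated further down this page.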




[PATCH 4.4 59/66] bcache: Fix leak of bdev reference

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Jan Kara 

commit 4b758df21ee7081ab41448d21d60367efaa625b3 upstream.

If blkdev_get_by_path() in register_bcache() fails, we try to lookup the
block device using lookup_bdev() to detect which situation we are in to
properly report error. However we never drop the reference returned to
us from lookup_bdev(). Fix that.

Signed-off-by: Jan Kara 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/super.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1960,6 +1960,8 @@ static ssize_t register_bcache(struct ko
else
err = "device busy";
mutex_unlock(_register_lock);
+   if (!IS_ERR(bdev))
+   bdput(bdev);
if (attr == _register_quiet)
goto out;
}




[PATCH 4.4 56/66] media: v4l2-compat-ioctl32: Fix timespec conversion

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Mentz 

commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream.

Certain syscalls like recvmmsg support 64 bit timespec values for the
X32 ABI. The helper function compat_put_timespec converts a timespec
value to a 32 bit or 64 bit value depending on what ABI is used. The
v4l2 compat layer, however, is not designed to support 64 bit timespec
values and always uses 32 bit values. Hence, compat_put_timespec must
not be used.

Without this patch, user space will be provided with bad timestamp
values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct
v4l2_event32 that come immediately after timestamp get overwritten,
namely the field named id.

Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)")
Cc: H. Peter Anvin 
Cc: Laurent Pinchart 
Cc: Tiffany Lin 
Cc: Ricardo Ribalda Delgado 
Cc: Sakari Ailus 
Signed-off-by: Daniel Mentz 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -773,7 +773,8 @@ static int put_v4l2_event32(struct v4l2_
copy_to_user(>u, >u, sizeof(kp->u)) ||
put_user(kp->pending, >pending) ||
put_user(kp->sequence, >sequence) ||
-   compat_put_timespec(>timestamp, >timestamp) ||
+   put_user(kp->timestamp.tv_sec, >timestamp.tv_sec) ||
+   put_user(kp->timestamp.tv_nsec, >timestamp.tv_nsec) ||
put_user(kp->id, >id) ||
copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32)))
return -EFAULT;




[PATCH 4.4 58/66] bcache: initialize dirty stripes in flash_dev_run()

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 175206cf9ab63161dec74d9cd7f9992e062491f5 upstream.

bcache uses a Proportion-Differentiation Controller algorithm to control
writeback rate to cached devices. In the PD controller algorithm, dirty
stripes of thin flash device should not be counted in, because flash only
volumes never write back dirty data.

Currently dirty stripe counter for thin flash device is not initialized
when the thin flash device starts. Which means the following calculation
in PD controller will reference an undefined dirty stripes number, and
all cached devices attached to the same cache set where the thin flash
device lies on may have an inaccurate writeback rate.

This patch calls bch_sectors_dirty_init() in flash_dev_run(), to
correctly initialize dirty stripe counter when the thin flash device
starts to run. This patch also does following parameter data type change,
 -void bch_sectors_dirty_init(struct cached_dev *dc);
 +void bch_sectors_dirty_init(struct bcache_device *);
to call this function conveniently in flash_dev_run().

(Commit log is composed by Coly Li)

Signed-off-by: Tang Junhui 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/super.c |3 ++-
 drivers/md/bcache/writeback.c |8 
 drivers/md/bcache/writeback.h |2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1023,7 +1023,7 @@ int bch_cached_dev_attach(struct cached_
}
 
if (BDEV_STATE(>sb) == BDEV_STATE_DIRTY) {
-   bch_sectors_dirty_init(dc);
+   bch_sectors_dirty_init(>disk);
atomic_set(>has_dirty, 1);
atomic_inc(>count);
bch_writeback_queue(dc);
@@ -1227,6 +1227,7 @@ static int flash_dev_run(struct cache_se
goto err;
 
bcache_device_attach(d, c, u - c->uuids);
+   bch_sectors_dirty_init(d);
bch_flash_dev_request_init(d);
add_disk(d->disk);
 
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -488,17 +488,17 @@ static int sectors_dirty_init_fn(struct
return MAP_CONTINUE;
 }
 
-void bch_sectors_dirty_init(struct cached_dev *dc)
+void bch_sectors_dirty_init(struct bcache_device *d)
 {
struct sectors_dirty_init op;
 
bch_btree_op_init(, -1);
-   op.inode = dc->disk.id;
+   op.inode = d->id;
 
-   bch_btree_map_keys(, dc->disk.c, (op.inode, 0, 0),
+   bch_btree_map_keys(, d->c, (op.inode, 0, 0),
   sectors_dirty_init_fn, 0);
 
-   dc->disk.sectors_dirty_last = bcache_dev_sectors_dirty(>disk);
+   d->sectors_dirty_last = bcache_dev_sectors_dirty(d);
 }
 
 void bch_cached_dev_writeback_init(struct cached_dev *dc)
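Review bot: The result of `bch_btree_map_keys(...)` is discarded on the rewritten call, and with this commit flash_dev_run() depends on the same walk when a flash-only device starts. If the walk can fail (its prototype is outside the hunk), `d->sectors_dirty_last` is then computed from a partial count with nothing logged. Since the function returns `void`, the least intrusive change is to capture the result and report it, e.g. `if (ret < 0) pr_warn("sectors dirty init failed, ret=%d\n", ret);`, or else to add a comment stating that the error is ignored on purpose. The same hunk is repeated further down this page.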
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -85,7 +85,7 @@ static inline void bch_writeback_add(str
 
 void bcache_dev_sectors_dirty_add(struct cache_set *, unsigned, uint64_t, int);
 
-void bch_sectors_dirty_init(struct cached_dev *dc);
+void bch_sectors_dirty_init(struct bcache_device *);
 void bch_cached_dev_writeback_init(struct cached_dev *);
 int bch_cached_dev_writeback_start(struct cached_dev *);
 




[PATCH 4.4 58/66] bcache: initialize dirty stripes in flash_dev_run()

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 175206cf9ab63161dec74d9cd7f9992e062491f5 upstream.

bcache uses a Proportion-Differentiation Controller algorithm to control
writeback rate to cached devices. In the PD controller algorithm, dirty
stripes of thin flash device should not be counted in, because flash only
volumes never write back dirty data.

Currently dirty stripe counter for thin flash device is not initialized
when the thin flash device starts. Which means the following calculation
in PD controller will reference an undefined dirty stripes number, and
all cached devices attached to the same cache set where the thin flash
device lies on may have an inaccurate writeback rate.

This patch calls bch_sectors_dirty_init() in flash_dev_run(), to
correctly initialize dirty stripe counter when the thin flash device
starts to run. This patch also does following parameter data type change,
 -void bch_sectors_dirty_init(struct cached_dev *dc);
 +void bch_sectors_dirty_init(struct bcache_device *);
to call this function conveniently in flash_dev_run().

(Commit log is composed by Coly Li)

Signed-off-by: Tang Junhui 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/super.c |3 ++-
 drivers/md/bcache/writeback.c |8 
 drivers/md/bcache/writeback.h |2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1023,7 +1023,7 @@ int bch_cached_dev_attach(struct cached_
}
 
if (BDEV_STATE(>sb) == BDEV_STATE_DIRTY) {
-   bch_sectors_dirty_init(dc);
+   bch_sectors_dirty_init(>disk);
atomic_set(>has_dirty, 1);
atomic_inc(>count);
bch_writeback_queue(dc);
@@ -1227,6 +1227,7 @@ static int flash_dev_run(struct cache_se
goto err;
 
bcache_device_attach(d, c, u - c->uuids);
+   bch_sectors_dirty_init(d);
bch_flash_dev_request_init(d);
add_disk(d->disk);
 
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -488,17 +488,17 @@ static int sectors_dirty_init_fn(struct
return MAP_CONTINUE;
 }
 
-void bch_sectors_dirty_init(struct cached_dev *dc)
+void bch_sectors_dirty_init(struct bcache_device *d)
 {
struct sectors_dirty_init op;
 
bch_btree_op_init(, -1);
-   op.inode = dc->disk.id;
+   op.inode = d->id;
 
-   bch_btree_map_keys(, dc->disk.c, (op.inode, 0, 0),
+   bch_btree_map_keys(, d->c, (op.inode, 0, 0),
   sectors_dirty_init_fn, 0);
 
-   dc->disk.sectors_dirty_last = bcache_dev_sectors_dirty(>disk);
+   d->sectors_dirty_last = bcache_dev_sectors_dirty(d);
 }
 
 void bch_cached_dev_writeback_init(struct cached_dev *dc)
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -85,7 +85,7 @@ static inline void bch_writeback_add(str
 
 void bcache_dev_sectors_dirty_add(struct cache_set *, unsigned, uint64_t, int);
 
-void bch_sectors_dirty_init(struct cached_dev *dc);
+void bch_sectors_dirty_init(struct bcache_device *);
 void bch_cached_dev_writeback_init(struct cached_dev *);
 int bch_cached_dev_writeback_start(struct cached_dev *);
 




[PATCH 4.4 62/66] bcache: Correct return value for sysfs attach errors

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tony Asleson 

commit 77fa100f27475d08a569b9d51c17722130f089e7 upstream.

If you encounter any errors in bch_cached_dev_attach it will return
a negative error code.  The variable 'v' which stores the result is
unsigned, thus user space sees a very large value returned for bytes
written which can cause incorrect user space behavior.  Utilize 1
signed variable to use throughout the function to preserve error return
capability.

Signed-off-by: Tony Asleson 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/sysfs.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -191,7 +191,7 @@ STORE(__cached_dev)
 {
struct cached_dev *dc = container_of(kobj, struct cached_dev,
 disk.kobj);
-   unsigned v = size;
+   ssize_t v = size;
struct cache_set *c;
struct kobj_uevent_env *env;
 
@@ -226,7 +226,7 @@ STORE(__cached_dev)
bch_cached_dev_run(dc);
 
if (attr == _cache_mode) {
-   ssize_t v = bch_read_string_list(buf, bch_cache_modes + 1);
+   v = bch_read_string_list(buf, bch_cache_modes + 1);
 
if (v < 0)
return v;
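Review bot: After `v = bch_read_string_list(buf, bch_cache_modes + 1);` the function-scope `v` holds a list index rather than `size`, whereas before the change the index lived in a block-local variable that shadowed it. Any later path in STORE(__cached_dev) that returns `v` without reassigning it would report the index as the number of bytes written; the rest of the body is outside the hunk, so this needs checking there. Keeping a separate local for the index, for example `ssize_t mode = bch_read_string_list(buf, bch_cache_modes + 1);`, and reserving `v` for the return value would remove the coupling. The same hunks are repeated further down this page.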




[PATCH 4.4 62/66] bcache: Correct return value for sysfs attach errors

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tony Asleson 

commit 77fa100f27475d08a569b9d51c17722130f089e7 upstream.

If you encounter any errors in bch_cached_dev_attach it will return
a negative error code.  The variable 'v' which stores the result is
unsigned, thus user space sees a very large value returned for bytes
written which can cause incorrect user space behavior.  Utilize 1
signed variable to use throughout the function to preserve error return
capability.

Signed-off-by: Tony Asleson 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/sysfs.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -191,7 +191,7 @@ STORE(__cached_dev)
 {
struct cached_dev *dc = container_of(kobj, struct cached_dev,
 disk.kobj);
-   unsigned v = size;
+   ssize_t v = size;
struct cache_set *c;
struct kobj_uevent_env *env;
 
@@ -226,7 +226,7 @@ STORE(__cached_dev)
bch_cached_dev_run(dc);
 
if (attr == _cache_mode) {
-   ssize_t v = bch_read_string_list(buf, bch_cache_modes + 1);
+   v = bch_read_string_list(buf, bch_cache_modes + 1);
 
if (v < 0)
return v;




[PATCH 4.4 60/66] bcache: do not subtract sectors_to_gc for bypassed IO

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 69daf03adef5f7bc13e0ac86b4b8007df1767aab upstream.

Since bypassed IOs use no bucket, do not subtract sectors_to_gc to
trigger gc thread.

Signed-off-by: tang.junhui 
Acked-by: Coly Li 
Reviewed-by: Eric Wheeler 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/request.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -196,12 +196,12 @@ static void bch_data_insert_start(struct
struct data_insert_op *op = container_of(cl, struct data_insert_op, cl);
struct bio *bio = op->bio, *n;
 
-   if (atomic_sub_return(bio_sectors(bio), >c->sectors_to_gc) < 0)
-   wake_up_gc(op->c);
-
if (op->bypass)
return bch_data_invalidate(cl);
 
+   if (atomic_sub_return(bio_sectors(bio), >c->sectors_to_gc) < 0)
+   wake_up_gc(op->c);
+
/*
 * Journal writes are marked REQ_FLUSH; if the original write was a
 * flush, it'll wait on the journal write.




[PATCH 4.4 60/66] bcache: do not subtract sectors_to_gc for bypassed IO

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 69daf03adef5f7bc13e0ac86b4b8007df1767aab upstream.

Since bypassed IOs use no bucket, do not subtract sectors_to_gc to
trigger gc thread.

Signed-off-by: tang.junhui 
Acked-by: Coly Li 
Reviewed-by: Eric Wheeler 
Reviewed-by: Christoph Hellwig 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/request.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -196,12 +196,12 @@ static void bch_data_insert_start(struct
struct data_insert_op *op = container_of(cl, struct data_insert_op, cl);
struct bio *bio = op->bio, *n;
 
-   if (atomic_sub_return(bio_sectors(bio), >c->sectors_to_gc) < 0)
-   wake_up_gc(op->c);
-
if (op->bypass)
return bch_data_invalidate(cl);
 
+   if (atomic_sub_return(bio_sectors(bio), >c->sectors_to_gc) < 0)
+   wake_up_gc(op->c);
+
/*
 * Journal writes are marked REQ_FLUSH; if the original write was a
 * flush, it'll wait on the journal write.




[PATCH 4.4 64/66] bcache: fix bch_hprint crash and improve output

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Lyle 

commit 9276717b9e297a62d1151a43d1cd286213f68eb7 upstream.

Most importantly, solve a crash where %llu was used to format signed
numbers.  This would cause a buffer overflow when reading sysfs
writeback_rate_debug, as only 20 bytes were allocated for this and
%llu writes 20 characters plus a null.

Always use the units mechanism rather than having different output
paths for simplicity.

Also, correct problems with display output where 1.10 was a larger
number than 1.09, by multiplying by 10 and then dividing by 1024 instead
of dividing by 100.  (Remainders of >= 1000 would print as .10).

Minor changes: Always display the decimal point instead of trying to
omit it based on number of digits shown.  Decide what units to use
based on 1000 as a threshold, not 1024 (in other words, always print
at most 3 digits before the decimal point).

Signed-off-by: Michael Lyle 
Reported-by: Dmitry Yu Okunev 
Acked-by: Kent Overstreet 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/util.c |   46 +-
 1 file changed, 33 insertions(+), 13 deletions(-)

--- a/drivers/md/bcache/util.c
+++ b/drivers/md/bcache/util.c
@@ -73,24 +73,44 @@ STRTO_H(strtouint, unsigned int)
 STRTO_H(strtoll, long long)
 STRTO_H(strtoull, unsigned long long)
 
+/**
+ * bch_hprint() - formats @v to human readable string for sysfs.
+ *
+ * @v - signed 64 bit integer
+ * @buf - the (at least 8 byte) buffer to format the result into.
+ *
+ * Returns the number of bytes used by format.
+ */
 ssize_t bch_hprint(char *buf, int64_t v)
 {
static const char units[] = "?kMGTPEZY";
-   char dec[4] = "";
-   int u, t = 0;
+   int u = 0, t;
 
-   for (u = 0; v >= 1024 || v <= -1024; u++) {
-   t = v & ~(~0 << 10);
-   v >>= 10;
-   }
+   uint64_t q;
 
-   if (!u)
-   return sprintf(buf, "%llu", v);
-
-   if (v < 100 && v > -100)
-   snprintf(dec, sizeof(dec), ".%i", t / 100);
-
-   return sprintf(buf, "%lli%s%c", v, dec, units[u]);
+   if (v < 0)
+   q = -v;
+   else
+   q = v;
+
+   /* For as long as the number is more than 3 digits, but at least
+* once, shift right / divide by 1024.  Keep the remainder for
+* a digit after the decimal point.
+*/
+   do {
+   u++;
+
+   t = q & ~(~0 << 10);
+   q >>= 10;
+   } while (q >= 1000);
+
+   if (v < 0)
+   /* '-', up to 3 digits, '.', 1 digit, 1 character, null;
+* yields 8 bytes.
+*/
+   return sprintf(buf, "-%llu.%i%c", q, t * 10 / 1024, units[u]);
+   else
+   return sprintf(buf, "%llu.%i%c", q, t * 10 / 1024, units[u]);
 }
 
 ssize_t bch_snprint_string_list(char *buf, size_t size, const char * const 
list[],
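Review bot: `q = -v;` negates a signed 64-bit value, which overflows for the most negative `int64_t`; doing the negation in the unsigned type, `q = -(uint64_t)v;`, gives the intended magnitude without relying on wrap-around. In the loop, `~(~0 << 10)` left-shifts a negative `int`, which the C standard leaves undefined; `t = q & 1023;` expresses the same mask. The kernel-doc block writes `@v -` and `@buf -` where kernel-doc expects `@v:` and `@buf:`. The "at least 8 byte" requirement on `buf` is only a documented contract, because the function still formats with unbounded `sprintf` and has no size parameter to check against. The same hunk is repeated further down this page.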




[PATCH 4.4 66/66] mac80211: flush hw_roc_start work before cancelling the ROC

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Avraham Stern 

commit 6e46d8ce894374fc135c96a8d1057c6af1fef237 upstream.

When HW ROC is supported it is possible that after the HW notified
that the ROC has started, the ROC was cancelled and another ROC was
added while the hw_roc_start worker is waiting on the mutex (since
cancelling the ROC and adding another one also holds the same mutex).
As a result, the hw_roc_start worker will continue to run after the
new ROC is added but before it is actually started by the HW.
This may result in notifying userspace that the ROC has started before
it actually does, or in case of management tx ROC, in an attempt to
tx while not on the right channel.

In addition, when the driver will notify mac80211 that the second ROC
has started, mac80211 will warn that this ROC has already been
notified.

Fix this by flushing the hw_roc_start work before cancelling an ROC.

Signed-off-by: Avraham Stern 
Signed-off-by: Luca Coelho 
Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman 

---
 net/mac80211/offchannel.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -469,6 +469,8 @@ void ieee80211_roc_purge(struct ieee8021
struct ieee80211_roc_work *roc, *tmp;
LIST_HEAD(tmp_list);
 
+   flush_work(>hw_roc_start);
+
mutex_lock(>mtx);
list_for_each_entry_safe(roc, tmp, >roc_list, list) {
if (sdata && roc->sdata != sdata)
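Review bot: The placement of `flush_work(...)` ahead of `mutex_lock(...)` is load-bearing but uncommented: per the commit description the hw_roc_start worker takes the same mutex, so flushing while holding it would deadlock. A comment above the call such as `/* must run before taking the mutex: the hw_roc_start worker takes it too */` would keep the two lines from being reordered later. It also follows that callers must not already hold that mutex when they call ieee80211_roc_purge(); the callers are outside the hunk and should be checked. The same hunk is repeated further down this page.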




[PATCH 4.4 66/66] mac80211: flush hw_roc_start work before cancelling the ROC

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Avraham Stern 

commit 6e46d8ce894374fc135c96a8d1057c6af1fef237 upstream.

When HW ROC is supported it is possible that after the HW notified
that the ROC has started, the ROC was cancelled and another ROC was
added while the hw_roc_start worker is waiting on the mutex (since
cancelling the ROC and adding another one also holds the same mutex).
As a result, the hw_roc_start worker will continue to run after the
new ROC is added but before it is actually started by the HW.
This may result in notifying userspace that the ROC has started before
it actually does, or in case of management tx ROC, in an attempt to
tx while not on the right channel.

In addition, when the driver will notify mac80211 that the second ROC
has started, mac80211 will warn that this ROC has already been
notified.

Fix this by flushing the hw_roc_start work before cancelling an ROC.

Signed-off-by: Avraham Stern 
Signed-off-by: Luca Coelho 
Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman 

---
 net/mac80211/offchannel.c |2 ++
 1 file changed, 2 insertions(+)

--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -469,6 +469,8 @@ void ieee80211_roc_purge(struct ieee8021
struct ieee80211_roc_work *roc, *tmp;
LIST_HEAD(tmp_list);
 
+   flush_work(>hw_roc_start);
+
mutex_lock(>mtx);
list_for_each_entry_safe(roc, tmp, >roc_list, list) {
if (sdata && roc->sdata != sdata)




[PATCH 4.4 64/66] bcache: fix bch_hprint crash and improve output

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Lyle 

commit 9276717b9e297a62d1151a43d1cd286213f68eb7 upstream.

Most importantly, solve a crash where %llu was used to format signed
numbers.  This would cause a buffer overflow when reading sysfs
writeback_rate_debug, as only 20 bytes were allocated for this and
%llu writes 20 characters plus a null.

Always use the units mechanism rather than having different output
paths for simplicity.

Also, correct problems with display output where 1.10 was a larger
number than 1.09, by multiplying by 10 and then dividing by 1024 instead
of dividing by 100.  (Remainders of >= 1000 would print as .10).

Minor changes: Always display the decimal point instead of trying to
omit it based on number of digits shown.  Decide what units to use
based on 1000 as a threshold, not 1024 (in other words, always print
at most 3 digits before the decimal point).

Signed-off-by: Michael Lyle 
Reported-by: Dmitry Yu Okunev 
Acked-by: Kent Overstreet 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/util.c |   46 +-
 1 file changed, 33 insertions(+), 13 deletions(-)

--- a/drivers/md/bcache/util.c
+++ b/drivers/md/bcache/util.c
@@ -73,24 +73,44 @@ STRTO_H(strtouint, unsigned int)
 STRTO_H(strtoll, long long)
 STRTO_H(strtoull, unsigned long long)
 
+/**
+ * bch_hprint() - formats @v to human readable string for sysfs.
+ *
+ * @v - signed 64 bit integer
+ * @buf - the (at least 8 byte) buffer to format the result into.
+ *
+ * Returns the number of bytes used by format.
+ */
 ssize_t bch_hprint(char *buf, int64_t v)
 {
static const char units[] = "?kMGTPEZY";
-   char dec[4] = "";
-   int u, t = 0;
+   int u = 0, t;
 
-   for (u = 0; v >= 1024 || v <= -1024; u++) {
-   t = v & ~(~0 << 10);
-   v >>= 10;
-   }
+   uint64_t q;
 
-   if (!u)
-   return sprintf(buf, "%llu", v);
-
-   if (v < 100 && v > -100)
-   snprintf(dec, sizeof(dec), ".%i", t / 100);
-
-   return sprintf(buf, "%lli%s%c", v, dec, units[u]);
+   if (v < 0)
+   q = -v;
+   else
+   q = v;
+
+   /* For as long as the number is more than 3 digits, but at least
+* once, shift right / divide by 1024.  Keep the remainder for
+* a digit after the decimal point.
+*/
+   do {
+   u++;
+
+   t = q & ~(~0 << 10);
+   q >>= 10;
+   } while (q >= 1000);
+
+   if (v < 0)
+   /* '-', up to 3 digits, '.', 1 digit, 1 character, null;
+* yields 8 bytes.
+*/
+   return sprintf(buf, "-%llu.%i%c", q, t * 10 / 1024, units[u]);
+   else
+   return sprintf(buf, "%llu.%i%c", q, t * 10 / 1024, units[u]);
 }
 
 ssize_t bch_snprint_string_list(char *buf, size_t size, const char * const 
list[],
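Review bot: `bch_hprint()` still formats with an unbounded `sprintf()`, so the 8-byte limit stated in the new kernel-doc is a contract that only the callers can keep; the function has no size argument to enforce it. The arithmetic does hold the bound for every int64_t input (the loop exits with `q < 1000` and `t * 10 / 1024` is at most 9), which is worth saying in the comment so the next edit to the format string rechecks it. The kernel-doc should also use the `@buf:` / `@v:` colon form in parameter order, and mention that values below 1024 are now scaled too, so 5 prints as `0.0k`. The tail of the hunk is the start of bch_snprint_string_list(), which continues outside it.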




[PATCH 4.4 65/66] ftrace: Fix memleak when unregistering dynamic ops when tracing disabled

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steven Rostedt (VMware) 

commit edb096e00724f02db5f6ec7900f3bbd465c6c76f upstream.

If function tracing is disabled by the user via the function-trace option or
the proc sysctl file, and a ftrace_ops that was allocated on the heap is
unregistered, then the shutdown code exits out without doing the proper
clean up. This was found via kmemleak and running the ftrace selftests, as
one of the tests unregisters with function tracing disabled.

 # cat kmemleak
unreferenced object 0xa002 (size 4096):
  comm "swapper/0", pid 1, jiffies 4294668889 (age 569.209s)
  hex dump (first 32 bytes):
55 ff 74 24 10 55 48 89 e5 ff 74 24 18 55 48 89  U.t$.UH...t$.UH.
e5 48 81 ec a8 00 00 00 48 89 44 24 50 48 89 4c  .H..H.D$PH.L
  backtrace:
[] kmemleak_vmalloc+0x85/0xf0
[] __vmalloc_node_range+0x281/0x3e0
[] module_alloc+0x4f/0x90
[] arch_ftrace_update_trampoline+0x160/0x420
[] ftrace_startup+0xe7/0x300
[] register_ftrace_function+0x72/0x90
[] trace_selftest_ops+0x204/0x397
[] trace_selftest_startup_function+0x394/0x624
[] run_tracer_selftest+0x15c/0x1d7
[] init_trace_selftests+0x75/0x192
[] do_one_initcall+0x90/0x1e2
[] kernel_init_freeable+0x350/0x3fe
[] kernel_init+0x13/0x122
[] ret_from_fork+0x2a/0x40
[] 0x

Fixes: 12cce594fa ("ftrace/x86: Allow !CONFIG_PREEMPT dynamic ops to use 
allocated trampolines")
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/ftrace.c |   10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -2667,13 +2667,14 @@ static int ftrace_shutdown(struct ftrace
 
if (!command || !ftrace_enabled) {
/*
-* If these are control ops, they still need their
-* per_cpu field freed. Since, function tracing is
+* If these are dynamic or control ops, they still
+* need their data freed. Since, function tracing is
 * not currently active, we can just free them
 * without synchronizing all CPUs.
 */
-   if (ops->flags & FTRACE_OPS_FL_CONTROL)
-   control_ops_free(ops);
+   if (ops->flags & (FTRACE_OPS_FL_DYNAMIC | 
FTRACE_OPS_FL_CONTROL))
+   goto free_ops;
+
return 0;
}
 
@@ -2728,6 +2729,7 @@ static int ftrace_shutdown(struct ftrace
if (ops->flags & (FTRACE_OPS_FL_DYNAMIC | FTRACE_OPS_FL_CONTROL)) {
schedule_on_each_cpu(ftrace_sync);
 
+ free_ops:
arch_ftrace_trampoline_free(ops);
 
if (ops->flags & FTRACE_OPS_FL_CONTROL)
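Review bot: The `free_ops:` label is placed inside the body of the `if (ops->flags & (FTRACE_OPS_FL_DYNAMIC | FTRACE_OPS_FL_CONTROL))` block, and the early-exit path in the previous hunk jumps into it, skipping `schedule_on_each_cpu(ftrace_sync)`. That skip is intended (the comment in the first hunk says no CPU synchronisation is needed while tracing is off), but a reader of this block alone cannot tell, so the label deserves its own comment, for example `/* also entered from the !ftrace_enabled path above, which needs no sync */`. Everything after the label must stay safe to run without the preceding sync; the rest of the block and the function's return lie outside the hunk.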




[PATCH 4.4 65/66] ftrace: Fix memleak when unregistering dynamic ops when tracing disabled

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steven Rostedt (VMware) 

commit edb096e00724f02db5f6ec7900f3bbd465c6c76f upstream.

If function tracing is disabled by the user via the function-trace option or
the proc sysctl file, and a ftrace_ops that was allocated on the heap is
unregistered, then the shutdown code exits out without doing the proper
clean up. This was found via kmemleak and running the ftrace selftests, as
one of the tests unregisters with function tracing disabled.

 # cat kmemleak
unreferenced object 0xa002 (size 4096):
  comm "swapper/0", pid 1, jiffies 4294668889 (age 569.209s)
  hex dump (first 32 bytes):
55 ff 74 24 10 55 48 89 e5 ff 74 24 18 55 48 89  U.t$.UH...t$.UH.
e5 48 81 ec a8 00 00 00 48 89 44 24 50 48 89 4c  .H..H.D$PH.L
  backtrace:
[] kmemleak_vmalloc+0x85/0xf0
[] __vmalloc_node_range+0x281/0x3e0
[] module_alloc+0x4f/0x90
[] arch_ftrace_update_trampoline+0x160/0x420
[] ftrace_startup+0xe7/0x300
[] register_ftrace_function+0x72/0x90
[] trace_selftest_ops+0x204/0x397
[] trace_selftest_startup_function+0x394/0x624
[] run_tracer_selftest+0x15c/0x1d7
[] init_trace_selftests+0x75/0x192
[] do_one_initcall+0x90/0x1e2
[] kernel_init_freeable+0x350/0x3fe
[] kernel_init+0x13/0x122
[] ret_from_fork+0x2a/0x40
[] 0x

Fixes: 12cce594fa ("ftrace/x86: Allow !CONFIG_PREEMPT dynamic ops to use 
allocated trampolines")
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/ftrace.c |   10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -2667,13 +2667,14 @@ static int ftrace_shutdown(struct ftrace
 
if (!command || !ftrace_enabled) {
/*
-* If these are control ops, they still need their
-* per_cpu field freed. Since, function tracing is
+* If these are dynamic or control ops, they still
+* need their data freed. Since, function tracing is
 * not currently active, we can just free them
 * without synchronizing all CPUs.
 */
-   if (ops->flags & FTRACE_OPS_FL_CONTROL)
-   control_ops_free(ops);
+   if (ops->flags & (FTRACE_OPS_FL_DYNAMIC | 
FTRACE_OPS_FL_CONTROL))
+   goto free_ops;
+
return 0;
}
 
@@ -2728,6 +2729,7 @@ static int ftrace_shutdown(struct ftrace
if (ops->flags & (FTRACE_OPS_FL_DYNAMIC | FTRACE_OPS_FL_CONTROL)) {
schedule_on_each_cpu(ftrace_sync);
 
+ free_ops:
arch_ftrace_trampoline_free(ops);
 
if (ops->flags & FTRACE_OPS_FL_CONTROL)




[PATCH 4.4 31/66] block: Relax a check in blk_start_queue()

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 4ddd56b003f251091a67c15ae3fe4a5c5c5e390a upstream.

Calling blk_start_queue() from interrupt context with the queue
lock held and without disabling IRQs, as the skd driver does, is
safe. This patch avoids that loading the skd driver triggers the
following warning:

WARNING: CPU: 11 PID: 1348 at block/blk-core.c:283 blk_start_queue+0x84/0xa0
RIP: 0010:blk_start_queue+0x84/0xa0
Call Trace:
 skd_unquiesce_dev+0x12a/0x1d0 [skd]
 skd_complete_internal+0x1e7/0x5a0 [skd]
 skd_complete_other+0xc2/0xd0 [skd]
 skd_isr_completion_posted.isra.30+0x2a5/0x470 [skd]
 skd_isr+0x14f/0x180 [skd]
 irq_forced_thread_fn+0x2a/0x70
 irq_thread+0x144/0x1a0
 kthread+0x125/0x140
 ret_from_fork+0x2a/0x40

Fixes: commit a038e2536472 ("[PATCH] blk_start_queue() must be called with irq 
disabled - add warning")
Signed-off-by: Bart Van Assche 
Cc: Paolo 'Blaisorblade' Giarrusso 
Cc: Andrew Morton 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 block/blk-core.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -233,7 +233,7 @@ EXPORT_SYMBOL(blk_start_queue_async);
  **/
 void blk_start_queue(struct request_queue *q)
 {
-   WARN_ON(!irqs_disabled());
+   WARN_ON(!in_interrupt() && !irqs_disabled());
 
queue_flag_clear(QUEUE_FLAG_STOPPED, q);
__blk_run_queue(q);
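Review bot: The relaxed `WARN_ON(!in_interrupt() && !irqs_disabled())` is broader than the hard-IRQ case the commit message describes, because `in_interrupt()` is also true in softirq context and in sections with bottom halves disabled. Callers in those contexts with IRQs enabled will no longer trigger the warning, so the kernel-doc that ends just above the function should state the new calling rule, e.g. `Context: queue lock held, and either IRQs disabled or called from interrupt context.` Whether the doc comment already says something about IRQs cannot be seen from this hunk.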




[PATCH 4.4 31/66] block: Relax a check in blk_start_queue()

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 4ddd56b003f251091a67c15ae3fe4a5c5c5e390a upstream.

Calling blk_start_queue() from interrupt context with the queue
lock held and without disabling IRQs, as the skd driver does, is
safe. This patch avoids that loading the skd driver triggers the
following warning:

WARNING: CPU: 11 PID: 1348 at block/blk-core.c:283 blk_start_queue+0x84/0xa0
RIP: 0010:blk_start_queue+0x84/0xa0
Call Trace:
 skd_unquiesce_dev+0x12a/0x1d0 [skd]
 skd_complete_internal+0x1e7/0x5a0 [skd]
 skd_complete_other+0xc2/0xd0 [skd]
 skd_isr_completion_posted.isra.30+0x2a5/0x470 [skd]
 skd_isr+0x14f/0x180 [skd]
 irq_forced_thread_fn+0x2a/0x70
 irq_thread+0x144/0x1a0
 kthread+0x125/0x140
 ret_from_fork+0x2a/0x40

Fixes: commit a038e2536472 ("[PATCH] blk_start_queue() must be called with irq 
disabled - add warning")
Signed-off-by: Bart Van Assche 
Cc: Paolo 'Blaisorblade' Giarrusso 
Cc: Andrew Morton 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 block/blk-core.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -233,7 +233,7 @@ EXPORT_SYMBOL(blk_start_queue_async);
  **/
 void blk_start_queue(struct request_queue *q)
 {
-   WARN_ON(!irqs_disabled());
+   WARN_ON(!in_interrupt() && !irqs_disabled());
 
queue_flag_clear(QUEUE_FLAG_STOPPED, q);
__blk_run_queue(q);




[PATCH 4.4 32/66] md/bitmap: disable bitmap_resize for file-backed bitmaps.

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: NeilBrown 

commit e8a27f836f165c26f867ece7f31eb5c811692319 upstream.

bitmap_resize() does not work for file-backed bitmaps.
The buffer_heads are allocated and initialized when
the bitmap is read from the file, but resize doesn't
read from the file, it loads from the internal bitmap.
When it comes time to write the new bitmap, the bh is
non-existent and we crash.

The common case when growing an array involves making the array larger,
and that normally means making the bitmap larger.  Doing
that inside the kernel is possible, but would need more code.
It is probably easier to require people who use file-backed
bitmaps to remove them and re-add after a reshape.

So this patch disables the resizing of arrays which have
file-backed bitmaps.  This is better than crashing.

Reported-by: Zhilong Liu 
Fixes: d60b479d177a ("md/bitmap: add bitmap_resize function to allow bitmap 
resizing.")
Signed-off-by: NeilBrown 
Signed-off-by: Shaohua Li 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bitmap.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
@@ -1960,6 +1960,11 @@ int bitmap_resize(struct bitmap *bitmap,
long pages;
struct bitmap_page *new_bp;
 
+   if (bitmap->storage.file && !init) {
+   pr_info("md: cannot resize file-based bitmap\n");
+   return -EINVAL;
+   }
+
if (chunksize == 0) {
/* If there is enough space, leave the chunk size unchanged,
 * else increase by factor of two until there is enough space.
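Review bot: The new early return in `bitmap_resize()` has no comment explaining why file-backed bitmaps are refused or why the `init` case is exempt; the reason is only in the commit message. Something like `/* resize loads from the in-memory bitmap, not the file, so no buffer_heads exist to write the result */` above the check would keep it from being removed as redundant. The `pr_info()` text also names no array, so on a host with several md devices the log line cannot be tied to the one that rejected the resize; including the device name would help, if it is reachable from `bitmap` here. The function body continues outside the hunk.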




[PATCH 4.4 32/66] md/bitmap: disable bitmap_resize for file-backed bitmaps.

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: NeilBrown 

commit e8a27f836f165c26f867ece7f31eb5c811692319 upstream.

bitmap_resize() does not work for file-backed bitmaps.
The buffer_heads are allocated and initialized when
the bitmap is read from the file, but resize doesn't
read from the file, it loads from the internal bitmap.
When it comes time to write the new bitmap, the bh is
non-existent and we crash.

The common case when growing an array involves making the array larger,
and that normally means making the bitmap larger.  Doing
that inside the kernel is possible, but would need more code.
It is probably easier to require people who use file-backed
bitmaps to remove them and re-add after a reshape.

So this patch disables the resizing of arrays which have
file-backed bitmaps.  This is better than crashing.

Reported-by: Zhilong Liu 
Fixes: d60b479d177a ("md/bitmap: add bitmap_resize function to allow bitmap 
resizing.")
Signed-off-by: NeilBrown 
Signed-off-by: Shaohua Li 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bitmap.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
@@ -1960,6 +1960,11 @@ int bitmap_resize(struct bitmap *bitmap,
long pages;
struct bitmap_page *new_bp;
 
+   if (bitmap->storage.file && !init) {
+   pr_info("md: cannot resize file-based bitmap\n");
+   return -EINVAL;
+   }
+
if (chunksize == 0) {
/* If there is enough space, leave the chunk size unchanged,
 * else increase by factor of two until there is enough space.




[PATCH 4.4 33/66] skd: Avoid that module unloading triggers a use-after-free

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 7277cc67b3916eed47558c64f9c9c0de00a35cda upstream.

Since put_disk() triggers a disk_release() call and since that
last function calls blk_put_queue() if disk->queue != NULL, clear
the disk->queue pointer before calling put_disk(). This avoids
that unloading the skd kernel module triggers the following
use-after-free:

WARNING: CPU: 8 PID: 297 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
refcount_t: underflow; use-after-free.
CPU: 8 PID: 297 Comm: kworker/8:1 Not tainted 4.11.10-300.fc26.x86_64 #1
Workqueue: events work_for_cpu_fn
Call Trace:
 dump_stack+0x63/0x84
 __warn+0xcb/0xf0
 warn_slowpath_fmt+0x5a/0x80
 refcount_sub_and_test+0x70/0x80
 refcount_dec_and_test+0x11/0x20
 kobject_put+0x1f/0x50
 blk_put_queue+0x15/0x20
 disk_release+0xae/0xf0
 device_release+0x32/0x90
 kobject_release+0x67/0x170
 kobject_put+0x2b/0x50
 put_disk+0x17/0x20
 skd_destruct+0x5c/0x890 [skd]
 skd_pci_probe+0x124d/0x13a0 [skd]
 local_pci_probe+0x42/0xa0
 work_for_cpu_fn+0x14/0x20
 process_one_work+0x19e/0x470
 worker_thread+0x1dc/0x4a0
 kthread+0x125/0x140
 ret_from_fork+0x25/0x30

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/block/skd_main.c |   15 ---
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/block/skd_main.c
+++ b/drivers/block/skd_main.c
@@ -4679,15 +4679,16 @@ static void skd_free_disk(struct skd_dev
 {
struct gendisk *disk = skdev->disk;
 
-   if (disk != NULL) {
-   struct request_queue *q = disk->queue;
+   if (disk && (disk->flags & GENHD_FL_UP))
+   del_gendisk(disk);
 
-   if (disk->flags & GENHD_FL_UP)
-   del_gendisk(disk);
-   if (q)
-   blk_cleanup_queue(q);
-   put_disk(disk);
+   if (skdev->queue) {
+   blk_cleanup_queue(skdev->queue);
+   skdev->queue = NULL;
+   disk->queue = NULL;
}
+
+   put_disk(disk);
skdev->disk = NULL;
 }
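Review bot: `disk->queue = NULL;` is now reached without the `disk != NULL` guard that the removed code had, because the new block tests only `skdev->queue`. If `skdev->queue` can be set while `skdev->disk` is still NULL (for example after a partial setup failure; the allocation order is outside this hunk), this is a NULL pointer dereference in the teardown path. Guarding the store, `if (disk) disk->queue = NULL;`, keeps the use-after-free fix and restores the old tolerance for a missing disk. `put_disk(disk)` is likewise called unconditionally now and depends on put_disk() accepting NULL.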
 




[PATCH 4.4 33/66] skd: Avoid that module unloading triggers a use-after-free

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 7277cc67b3916eed47558c64f9c9c0de00a35cda upstream.

Since put_disk() triggers a disk_release() call and since that
last function calls blk_put_queue() if disk->queue != NULL, clear
the disk->queue pointer before calling put_disk(). This avoids
that unloading the skd kernel module triggers the following
use-after-free:

WARNING: CPU: 8 PID: 297 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80
refcount_t: underflow; use-after-free.
CPU: 8 PID: 297 Comm: kworker/8:1 Not tainted 4.11.10-300.fc26.x86_64 #1
Workqueue: events work_for_cpu_fn
Call Trace:
 dump_stack+0x63/0x84
 __warn+0xcb/0xf0
 warn_slowpath_fmt+0x5a/0x80
 refcount_sub_and_test+0x70/0x80
 refcount_dec_and_test+0x11/0x20
 kobject_put+0x1f/0x50
 blk_put_queue+0x15/0x20
 disk_release+0xae/0xf0
 device_release+0x32/0x90
 kobject_release+0x67/0x170
 kobject_put+0x2b/0x50
 put_disk+0x17/0x20
 skd_destruct+0x5c/0x890 [skd]
 skd_pci_probe+0x124d/0x13a0 [skd]
 local_pci_probe+0x42/0xa0
 work_for_cpu_fn+0x14/0x20
 process_one_work+0x19e/0x470
 worker_thread+0x1dc/0x4a0
 kthread+0x125/0x140
 ret_from_fork+0x25/0x30

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/block/skd_main.c |   15 ---
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/block/skd_main.c
+++ b/drivers/block/skd_main.c
@@ -4679,15 +4679,16 @@ static void skd_free_disk(struct skd_dev
 {
struct gendisk *disk = skdev->disk;
 
-   if (disk != NULL) {
-   struct request_queue *q = disk->queue;
+   if (disk && (disk->flags & GENHD_FL_UP))
+   del_gendisk(disk);
 
-   if (disk->flags & GENHD_FL_UP)
-   del_gendisk(disk);
-   if (q)
-   blk_cleanup_queue(q);
-   put_disk(disk);
+   if (skdev->queue) {
+   blk_cleanup_queue(skdev->queue);
+   skdev->queue = NULL;
+   disk->queue = NULL;
}
+
+   put_disk(disk);
skdev->disk = NULL;
 }
 




[PATCH 4.4 30/66] powerpc: Fix DAR reporting when alignment handler faults

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Ellerman 

commit f9effe925039cf54489b5c04e0d40073bb3a123d upstream.

Anton noticed that if we fault part way through emulating an unaligned
instruction, we don't update the DAR to reflect that.

The DAR value is eventually reported back to userspace as the address
in the SEGV signal, and if userspace is using that value to demand
fault then it can be confused by us not setting the value correctly.

This patch is ugly as hell, but is intended to be the minimal fix and
back ports easily.

Signed-off-by: Michael Ellerman 
Reviewed-by: Paul Mackerras 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/kernel/align.c |  119 +++-
 1 file changed, 74 insertions(+), 45 deletions(-)

--- a/arch/powerpc/kernel/align.c
+++ b/arch/powerpc/kernel/align.c
@@ -236,6 +236,28 @@ static int emulate_dcbz(struct pt_regs *
 
 #define SWIZ_PTR(p)((unsigned char __user *)((p) ^ swiz))
 
+#define __get_user_or_set_dar(_regs, _dest, _addr) \
+   ({  \
+   int rc = 0; \
+   typeof(_addr) __addr = (_addr); \
+   if (__get_user_inatomic(_dest, __addr)) {   \
+   _regs->dar = (unsigned long)__addr; \
+   rc = -EFAULT;   \
+   }   \
+   rc; \
+   })
+
+#define __put_user_or_set_dar(_regs, _src, _addr)  \
+   ({  \
+   int rc = 0; \
+   typeof(_addr) __addr = (_addr); \
+   if (__put_user_inatomic(_src, __addr)) {\
+   _regs->dar = (unsigned long)__addr; \
+   rc = -EFAULT;   \
+   }   \
+   rc; \
+   })
+
 static int emulate_multiple(struct pt_regs *regs, unsigned char __user *addr,
unsigned int reg, unsigned int nb,
unsigned int flags, unsigned int instr,
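Review bot: Both new macros expand `_regs` without parentheses (`_regs->dar`) and declare a local named `rc` inside the statement expression, so an argument that is not a plain identifier would be parsed wrongly and a `_dest` or `_src` expression that mentions a caller variable called `rc` would silently bind to the macro's own. Writing `(_regs)->dar` and giving the local a less common name, e.g. `int __rc = 0;`, removes both hazards. A short comment above the pair saying that they record the faulting user address in `regs->dar` before returning -EFAULT would also help, since that is the reason they exist. The hunk ends inside the parameter list of emulate_multiple(), which continues outside it.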
@@ -264,9 +286,10 @@ static int emulate_multiple(struct pt_re
} else {
unsigned long pc = regs->nip ^ (swiz & 4);
 
-   if (__get_user_inatomic(instr,
-   (unsigned int __user *)pc))
+   if (__get_user_or_set_dar(regs, instr,
+ (unsigned int __user *)pc))
return -EFAULT;
+
if (swiz == 0 && (flags & SW))
instr = cpu_to_le32(instr);
nb = (instr >> 11) & 0x1f;
@@ -310,31 +333,31 @@ static int emulate_multiple(struct pt_re
   ((nb0 + 3) / 4) * sizeof(unsigned long));
 
for (i = 0; i < nb; ++i, ++p)
-   if (__get_user_inatomic(REG_BYTE(rptr, i ^ bswiz),
-   SWIZ_PTR(p)))
+   if (__get_user_or_set_dar(regs, REG_BYTE(rptr, i ^ 
bswiz),
+ SWIZ_PTR(p)))
return -EFAULT;
if (nb0 > 0) {
rptr = >gpr[0];
addr += nb;
for (i = 0; i < nb0; ++i, ++p)
-   if (__get_user_inatomic(REG_BYTE(rptr,
-i ^ bswiz),
-   SWIZ_PTR(p)))
+   if (__get_user_or_set_dar(regs,
+ REG_BYTE(rptr, i ^ 
bswiz),
+ SWIZ_PTR(p)))
return -EFAULT;
}
 
} else {
for (i = 0; i < nb; ++i, ++p)
-   if (__put_user_inatomic(REG_BYTE(rptr, i ^ bswiz),
-   SWIZ_PTR(p)))
+   if (__put_user_or_set_dar(regs, REG_BYTE(rptr, i ^ 
bswiz),
+ SWIZ_PTR(p)))
return -EFAULT;
if (nb0 > 0) {
rptr = >gpr[0];
addr += nb;
for (i = 0; i < nb0; ++i, ++p)
-   if 

[PATCH 4.4 30/66] powerpc: Fix DAR reporting when alignment handler faults

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Ellerman 

commit f9effe925039cf54489b5c04e0d40073bb3a123d upstream.

Anton noticed that if we fault part way through emulating an unaligned
instruction, we don't update the DAR to reflect that.

The DAR value is eventually reported back to userspace as the address
in the SEGV signal, and if userspace is using that value to demand
fault then it can be confused by us not setting the value correctly.

This patch is ugly as hell, but is intended to be the minimal fix and
back ports easily.

Signed-off-by: Michael Ellerman 
Reviewed-by: Paul Mackerras 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/kernel/align.c |  119 +++-
 1 file changed, 74 insertions(+), 45 deletions(-)

--- a/arch/powerpc/kernel/align.c
+++ b/arch/powerpc/kernel/align.c
@@ -236,6 +236,28 @@ static int emulate_dcbz(struct pt_regs *
 
 #define SWIZ_PTR(p)((unsigned char __user *)((p) ^ swiz))
 
+#define __get_user_or_set_dar(_regs, _dest, _addr) \
+   ({  \
+   int rc = 0; \
+   typeof(_addr) __addr = (_addr); \
+   if (__get_user_inatomic(_dest, __addr)) {   \
+   _regs->dar = (unsigned long)__addr; \
+   rc = -EFAULT;   \
+   }   \
+   rc; \
+   })
+
+#define __put_user_or_set_dar(_regs, _src, _addr)  \
+   ({  \
+   int rc = 0; \
+   typeof(_addr) __addr = (_addr); \
+   if (__put_user_inatomic(_src, __addr)) {\
+   _regs->dar = (unsigned long)__addr; \
+   rc = -EFAULT;   \
+   }   \
+   rc; \
+   })
+
 static int emulate_multiple(struct pt_regs *regs, unsigned char __user *addr,
unsigned int reg, unsigned int nb,
unsigned int flags, unsigned int instr,
@@ -264,9 +286,10 @@ static int emulate_multiple(struct pt_re
} else {
unsigned long pc = regs->nip ^ (swiz & 4);
 
-   if (__get_user_inatomic(instr,
-   (unsigned int __user *)pc))
+   if (__get_user_or_set_dar(regs, instr,
+ (unsigned int __user *)pc))
return -EFAULT;
+
if (swiz == 0 && (flags & SW))
instr = cpu_to_le32(instr);
nb = (instr >> 11) & 0x1f;
@@ -310,31 +333,31 @@ static int emulate_multiple(struct pt_re
   ((nb0 + 3) / 4) * sizeof(unsigned long));
 
for (i = 0; i < nb; ++i, ++p)
-   if (__get_user_inatomic(REG_BYTE(rptr, i ^ bswiz),
-   SWIZ_PTR(p)))
+   if (__get_user_or_set_dar(regs, REG_BYTE(rptr, i ^ 
bswiz),
+ SWIZ_PTR(p)))
return -EFAULT;
if (nb0 > 0) {
rptr = >gpr[0];
addr += nb;
for (i = 0; i < nb0; ++i, ++p)
-   if (__get_user_inatomic(REG_BYTE(rptr,
-i ^ bswiz),
-   SWIZ_PTR(p)))
+   if (__get_user_or_set_dar(regs,
+ REG_BYTE(rptr, i ^ 
bswiz),
+ SWIZ_PTR(p)))
return -EFAULT;
}
 
} else {
for (i = 0; i < nb; ++i, ++p)
-   if (__put_user_inatomic(REG_BYTE(rptr, i ^ bswiz),
-   SWIZ_PTR(p)))
+   if (__put_user_or_set_dar(regs, REG_BYTE(rptr, i ^ 
bswiz),
+ SWIZ_PTR(p)))
return -EFAULT;
if (nb0 > 0) {
rptr = >gpr[0];
addr += nb;
for (i = 0; i < nb0; ++i, ++p)
-   if (__put_user_inatomic(REG_BYTE(rptr,
-  

[PATCH 4.4 35/66] scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 71b8e45da51a7b64a23378221c0a5868bd79da4f upstream.

Since commit db007fc5e20c ("[SCSI] Command protection operation"),
scsi_eh_prep_cmnd() saves scmd->prot_op and temporarily resets it to
SCSI_PROT_NORMAL.
Other FCP LLDDs such as qla2xxx and lpfc shield their queuecommand()
to only access any of scsi_prot_sg...() if
(scsi_get_prot_op(cmd) != SCSI_PROT_NORMAL).

Do the same thing for zfcp, which introduced DIX support with
commit ef3eb71d8ba4 ("[SCSI] zfcp: Introduce experimental support for
DIF/DIX").

Otherwise, TUR SCSI commands as part of scsi_eh likely fail in zfcp,
because the regular SCSI command with DIX protection data, that scsi_eh
re-uses in scsi_send_eh_cmnd(), of course still has
(scsi_prot_sg_count() != 0) and so zfcp sends down bogus requests to the
FCP channel hardware.

This causes scsi_eh_test_devices() to have (finish_cmds == 0)
[not SCSI device is online or not scsi_eh_tur() failed]
so regular SCSI commands, that caused / were affected by scsi_eh,
are moved to work_q and scsi_eh_test_devices() itself returns false.
In turn, it unnecessarily escalates in our case in scsi_eh_ready_devs()
beyond host reset to finally scsi_eh_offline_sdevs()
which sets affected SCSI devices offline with the following kernel message:

"kernel: sd H:0:T:L: Device offlined - not ready after error recovery"

Signed-off-by: Steffen Maier 
Fixes: ef3eb71d8ba4 ("[SCSI] zfcp: Introduce experimental support for DIF/DIX")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_fsf.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -2258,7 +2258,8 @@ int zfcp_fsf_fcp_cmnd(struct scsi_cmnd *
fcp_cmnd = (struct fcp_cmnd *) >qtcb->bottom.io.fcp_cmnd;
zfcp_fc_scsi_to_fcp(fcp_cmnd, scsi_cmnd, 0);
 
-   if (scsi_prot_sg_count(scsi_cmnd)) {
+   if ((scsi_get_prot_op(scsi_cmnd) != SCSI_PROT_NORMAL) &&
+   scsi_prot_sg_count(scsi_cmnd)) {
zfcp_qdio_set_data_div(qdio, >qdio_req,
   scsi_prot_sg_count(scsi_cmnd));
retval = zfcp_qdio_sbals_from_sg(qdio, >qdio_req,
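Review bot: The added `scsi_get_prot_op(scsi_cmnd) != SCSI_PROT_NORMAL` test has no comment, and without the commit message it reads as redundant next to `scsi_prot_sg_count()`. A comment such as `/* scsi_eh reuses the command with prot_op reset to NORMAL but the protection sg list still attached */` above the condition would stop it from being simplified away. The body of the branch and the rest of zfcp_fsf_fcp_cmnd() lie outside the hunk.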




[PATCH 4.4 35/66] scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 71b8e45da51a7b64a23378221c0a5868bd79da4f upstream.

Since commit db007fc5e20c ("[SCSI] Command protection operation"),
scsi_eh_prep_cmnd() saves scmd->prot_op and temporarily resets it to
SCSI_PROT_NORMAL.
Other FCP LLDDs such as qla2xxx and lpfc shield their queuecommand()
to only access any of scsi_prot_sg...() if
(scsi_get_prot_op(cmd) != SCSI_PROT_NORMAL).

Do the same thing for zfcp, which introduced DIX support with
commit ef3eb71d8ba4 ("[SCSI] zfcp: Introduce experimental support for
DIF/DIX").

Otherwise, TUR SCSI commands as part of scsi_eh likely fail in zfcp,
because the regular SCSI command with DIX protection data, that scsi_eh
re-uses in scsi_send_eh_cmnd(), of course still has
(scsi_prot_sg_count() != 0) and so zfcp sends down bogus requests to the
FCP channel hardware.

This causes scsi_eh_test_devices() to have (finish_cmds == 0)
[not SCSI device is online or not scsi_eh_tur() failed]
so regular SCSI commands, that caused / were affected by scsi_eh,
are moved to work_q and scsi_eh_test_devices() itself returns false.
In turn, it unnecessarily escalates in our case in scsi_eh_ready_devs()
beyond host reset to finally scsi_eh_offline_sdevs()
which sets affected SCSI devices offline with the following kernel message:

"kernel: sd H:0:T:L: Device offlined - not ready after error recovery"

Signed-off-by: Steffen Maier 
Fixes: ef3eb71d8ba4 ("[SCSI] zfcp: Introduce experimental support for DIF/DIX")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_fsf.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -2258,7 +2258,8 @@ int zfcp_fsf_fcp_cmnd(struct scsi_cmnd *
fcp_cmnd = (struct fcp_cmnd *) >qtcb->bottom.io.fcp_cmnd;
zfcp_fc_scsi_to_fcp(fcp_cmnd, scsi_cmnd, 0);
 
-   if (scsi_prot_sg_count(scsi_cmnd)) {
+   if ((scsi_get_prot_op(scsi_cmnd) != SCSI_PROT_NORMAL) &&
+   scsi_prot_sg_count(scsi_cmnd)) {
zfcp_qdio_set_data_div(qdio, >qdio_req,
   scsi_prot_sg_count(scsi_cmnd));
retval = zfcp_qdio_sbals_from_sg(qdio, >qdio_req,




[PATCH] MAINTAINERS: thermal: Remove Eduardo's git tree

2017-09-24 Thread Florian Fainelli
Eduardo's git tree at:
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal.git

has not been updated in months; remove it to avoid confusion and
stalled patch submissions.

Signed-off-by: Florian Fainelli 
---
This is agains Rui's next branch

 MAINTAINERS | 1 -
 1 file changed, 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 209306019483..cc5bc8d0b48e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -13210,7 +13210,6 @@ M:  Zhang Rui 
 M: Eduardo Valentin 
 L: linux...@vger.kernel.org
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux.git
-T: git 
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal.git
 Q: https://patchwork.kernel.org/project/linux-pm/list/
 S: Supported
 F: drivers/thermal/
-- 
2.11.0



[PATCH] MAINTAINERS: thermal: Remove Eduardo's git tree

2017-09-24 Thread Florian Fainelli
Eduardo's git tree at:
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal.git

has not been updated in months; remove it to avoid confusion and
stalled patch submissions.

Signed-off-by: Florian Fainelli 
---
This is agains Rui's next branch

 MAINTAINERS | 1 -
 1 file changed, 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 209306019483..cc5bc8d0b48e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -13210,7 +13210,6 @@ M:  Zhang Rui 
 M: Eduardo Valentin 
 L: linux...@vger.kernel.org
 T: git git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux.git
-T: git 
git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal.git
 Q: https://patchwork.kernel.org/project/linux-pm/list/
 S: Supported
 F: drivers/thermal/
-- 
2.11.0



[PATCH 4.9 01/77] SUNRPC: Refactor svc_set_num_threads()

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit 9e0d87680d689f1758185851c3da6eafb16e71e1 upstream.

Refactor to separate out the functions of starting and stopping threads
so that they can be used in other helpers.

Signed-off-by: Trond Myklebust 
Tested-and-reviewed-by: Kinglong Mee 
Signed-off-by: J. Bruce Fields 
Cc: Jan Hudoba 
Signed-off-by: Greg Kroah-Hartman 

---
 net/sunrpc/svc.c |   96 +--
 1 file changed, 58 insertions(+), 38 deletions(-)

--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -702,59 +702,32 @@ found_pool:
return task;
 }
 
-/*
- * Create or destroy enough new threads to make the number
- * of threads the given number.  If `pool' is non-NULL, applies
- * only to threads in that pool, otherwise round-robins between
- * all pools.  Caller must ensure that mutual exclusion between this and
- * server startup or shutdown.
- *
- * Destroying threads relies on the service threads filling in
- * rqstp->rq_task, which only the nfs ones do.  Assumes the serv
- * has been created using svc_create_pooled().
- *
- * Based on code that used to be in nfsd_svc() but tweaked
- * to be pool-aware.
- */
-int
-svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+/* create new threads */
+static int
+svc_start_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
 {
struct svc_rqst *rqstp;
struct task_struct *task;
struct svc_pool *chosen_pool;
-   int error = 0;
unsigned int state = serv->sv_nrthreads-1;
int node;
 
-   if (pool == NULL) {
-   /* The -1 assumes caller has done a svc_get() */
-   nrservs -= (serv->sv_nrthreads-1);
-   } else {
-   spin_lock_bh(>sp_lock);
-   nrservs -= pool->sp_nrthreads;
-   spin_unlock_bh(>sp_lock);
-   }
-
-   /* create new threads */
-   while (nrservs > 0) {
+   do {
nrservs--;
chosen_pool = choose_pool(serv, pool, );
 
node = svc_pool_map_get_node(chosen_pool->sp_id);
rqstp = svc_prepare_thread(serv, chosen_pool, node);
-   if (IS_ERR(rqstp)) {
-   error = PTR_ERR(rqstp);
-   break;
-   }
+   if (IS_ERR(rqstp))
+   return PTR_ERR(rqstp);
 
__module_get(serv->sv_ops->svo_module);
task = kthread_create_on_node(serv->sv_ops->svo_function, rqstp,
  node, "%s", serv->sv_name);
if (IS_ERR(task)) {
-   error = PTR_ERR(task);
module_put(serv->sv_ops->svo_module);
svc_exit_thread(rqstp);
-   break;
+   return PTR_ERR(task);
}
 
rqstp->rq_task = task;
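Review bot: `svc_start_kthreads()` now uses `do { ... } while (nrservs > 0)`, so it prepares and starts one thread even when called with `nrservs` of zero or less, where the old `while (nrservs > 0)` loop did nothing. The caller in this patch appears to guard the call with `if (nrservs > 0)` (the message is cut off right after that line), but the commit message says the helpers are meant to be used from other places, so the precondition should be written down: replace `/* create new threads */` with a comment stating that `nrservs` must be positive. The same applies to `svc_signal_kthreads()` in the next hunk, which sends one SIGINT before testing `nrservs < 0`. The function body continues into the next hunk.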
@@ -763,15 +736,62 @@ svc_set_num_threads(struct svc_serv *ser
 
svc_sock_update_bufs(serv);
wake_up_process(task);
-   }
+   } while (nrservs > 0);
+
+   return 0;
+}
+
+
+/* destroy old threads */
+static int
+svc_signal_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+   struct task_struct *task;
+   unsigned int state = serv->sv_nrthreads-1;
+
/* destroy old threads */
-   while (nrservs < 0 &&
-  (task = choose_victim(serv, pool, )) != NULL) {
+   do {
+   task = choose_victim(serv, pool, );
+   if (task == NULL)
+   break;
send_sig(SIGINT, task, 1);
nrservs++;
+   } while (nrservs < 0);
+
+   return 0;
+}
+
+/*
+ * Create or destroy enough new threads to make the number
+ * of threads the given number.  If `pool' is non-NULL, applies
+ * only to threads in that pool, otherwise round-robins between
+ * all pools.  Caller must ensure that mutual exclusion between this and
+ * server startup or shutdown.
+ *
+ * Destroying threads relies on the service threads filling in
+ * rqstp->rq_task, which only the nfs ones do.  Assumes the serv
+ * has been created using svc_create_pooled().
+ *
+ * Based on code that used to be in nfsd_svc() but tweaked
+ * to be pool-aware.
+ */
+int
+svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+   if (pool == NULL) {
+   /* The -1 assumes caller has done a svc_get() */
+   nrservs -= (serv->sv_nrthreads-1);
+   } else {
+   spin_lock_bh(>sp_lock);
+   nrservs -= pool->sp_nrthreads;
+   spin_unlock_bh(>sp_lock);
}
 
-   return error;
+   if (nrservs > 0)
+ 

[PATCH 4.9 12/77] Input: i8042 - add Gigabyte P57 to the keyboard reset table

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Kai-Heng Feng 

commit 697c5d8a36768b36729533fb44622b35d56d6ad0 upstream.

Similar to other Gigabyte laptops, the touchpad on P57 requires a
keyboard reset to detect Elantech touchpad correctly.

BugLink: https://bugs.launchpad.net/bugs/1594214
Signed-off-by: Kai-Heng Feng 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/serio/i8042-x86ia64io.h |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -905,6 +905,13 @@ static const struct dmi_system_id __init
},
},
{
+   /* Gigabyte P57 - Elantech touchpad */
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
+   DMI_MATCH(DMI_PRODUCT_NAME, "P57"),
+   },
+   },
+   {
/* Schenker XMG C504 - Elantech touchpad */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "XMG"),
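Review bot: `DMI_MATCH(DMI_PRODUCT_NAME, "P57")` is a substring comparison, so the new entry applies the keyboard-reset quirk to every GIGABYTE system whose product name contains "P57", not only to a machine named exactly that. If covering suffixed variants is intended, say so in the entry comment, e.g. `/* Gigabyte P57 (and P57* variants) - Elantech touchpad */`. If only the exact model was tested, `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "P57"),` is the narrower form. The table continues outside the hunk, so I cannot see whether the neighbouring Gigabyte entries follow the same convention.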




[PATCH 4.9 01/77] SUNRPC: Refactor svc_set_num_threads()

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit 9e0d87680d689f1758185851c3da6eafb16e71e1 upstream.

Refactor to separate out the functions of starting and stopping threads
so that they can be used in other helpers.

Signed-off-by: Trond Myklebust 
Tested-and-reviewed-by: Kinglong Mee 
Signed-off-by: J. Bruce Fields 
Cc: Jan Hudoba 
Signed-off-by: Greg Kroah-Hartman 

---
 net/sunrpc/svc.c |   96 +--
 1 file changed, 58 insertions(+), 38 deletions(-)

--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -702,59 +702,32 @@ found_pool:
return task;
 }
 
-/*
- * Create or destroy enough new threads to make the number
- * of threads the given number.  If `pool' is non-NULL, applies
- * only to threads in that pool, otherwise round-robins between
- * all pools.  Caller must ensure that mutual exclusion between this and
- * server startup or shutdown.
- *
- * Destroying threads relies on the service threads filling in
- * rqstp->rq_task, which only the nfs ones do.  Assumes the serv
- * has been created using svc_create_pooled().
- *
- * Based on code that used to be in nfsd_svc() but tweaked
- * to be pool-aware.
- */
-int
-svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+/* create new threads */
+static int
+svc_start_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
 {
struct svc_rqst *rqstp;
struct task_struct *task;
struct svc_pool *chosen_pool;
-   int error = 0;
unsigned int state = serv->sv_nrthreads-1;
int node;
 
-   if (pool == NULL) {
-   /* The -1 assumes caller has done a svc_get() */
-   nrservs -= (serv->sv_nrthreads-1);
-   } else {
-   spin_lock_bh(>sp_lock);
-   nrservs -= pool->sp_nrthreads;
-   spin_unlock_bh(>sp_lock);
-   }
-
-   /* create new threads */
-   while (nrservs > 0) {
+   do {
nrservs--;
chosen_pool = choose_pool(serv, pool, );
 
node = svc_pool_map_get_node(chosen_pool->sp_id);
rqstp = svc_prepare_thread(serv, chosen_pool, node);
-   if (IS_ERR(rqstp)) {
-   error = PTR_ERR(rqstp);
-   break;
-   }
+   if (IS_ERR(rqstp))
+   return PTR_ERR(rqstp);
 
__module_get(serv->sv_ops->svo_module);
task = kthread_create_on_node(serv->sv_ops->svo_function, rqstp,
  node, "%s", serv->sv_name);
if (IS_ERR(task)) {
-   error = PTR_ERR(task);
module_put(serv->sv_ops->svo_module);
svc_exit_thread(rqstp);
-   break;
+   return PTR_ERR(task);
}
 
rqstp->rq_task = task;
@@ -763,15 +736,62 @@ svc_set_num_threads(struct svc_serv *ser
 
svc_sock_update_bufs(serv);
wake_up_process(task);
-   }
+   } while (nrservs > 0);
+
+   return 0;
+}
+
+
+/* destroy old threads */
+static int
+svc_signal_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+   struct task_struct *task;
+   unsigned int state = serv->sv_nrthreads-1;
+
/* destroy old threads */
-   while (nrservs < 0 &&
-  (task = choose_victim(serv, pool, )) != NULL) {
+   do {
+   task = choose_victim(serv, pool, );
+   if (task == NULL)
+   break;
send_sig(SIGINT, task, 1);
nrservs++;
+   } while (nrservs < 0);
+
+   return 0;
+}
+
+/*
+ * Create or destroy enough new threads to make the number
+ * of threads the given number.  If `pool' is non-NULL, applies
+ * only to threads in that pool, otherwise round-robins between
+ * all pools.  Caller must ensure that mutual exclusion between this and
+ * server startup or shutdown.
+ *
+ * Destroying threads relies on the service threads filling in
+ * rqstp->rq_task, which only the nfs ones do.  Assumes the serv
+ * has been created using svc_create_pooled().
+ *
+ * Based on code that used to be in nfsd_svc() but tweaked
+ * to be pool-aware.
+ */
+int
+svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+   if (pool == NULL) {
+   /* The -1 assumes caller has done a svc_get() */
+   nrservs -= (serv->sv_nrthreads-1);
+   } else {
+   spin_lock_bh(>sp_lock);
+   nrservs -= pool->sp_nrthreads;
+   spin_unlock_bh(>sp_lock);
}
 
-   return error;
+   if (nrservs > 0)
+   return svc_start_kthreads(serv, pool, nrservs);
+   if (nrservs < 0)
+   return svc_signal_kthreads(serv, pool, nrservs);
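Review bot: svc_signal_kthreads() returns 0 on every path, including when choose_victim() returns NULL before nrservs has climbed back to zero, so svc_set_num_threads() cannot tell that fewer threads were signalled than requested. This appears to match the pre-refactor behaviour (`error` stayed 0 on that path), so I would not change it in a stable backport, but the helper's comment should say so, e.g. `/* destroy old threads; returns 0 even if fewer than -nrservs victims were found */`. The `/* destroy old threads */` comment is also now repeated inside the body, and one copy can go. The hunk is cut off on this page after the svc_signal_kthreads() call, so the end of svc_set_num_threads() is not visible.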

[PATCH 4.9 12/77] Input: i8042 - add Gigabyte P57 to the keyboard reset table

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Kai-Heng Feng 

commit 697c5d8a36768b36729533fb44622b35d56d6ad0 upstream.

Similar to other Gigabyte laptops, the touchpad on P57 requires a
keyboard reset to detect Elantech touchpad correctly.

BugLink: https://bugs.launchpad.net/bugs/1594214
Signed-off-by: Kai-Heng Feng 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/serio/i8042-x86ia64io.h |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -905,6 +905,13 @@ static const struct dmi_system_id __init
},
},
{
+   /* Gigabyte P57 - Elantech touchpad */
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
+   DMI_MATCH(DMI_PRODUCT_NAME, "P57"),
+   },
+   },
+   {
/* Schenker XMG C504 - Elantech touchpad */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "XMG"),




[PATCH 4.9 10/77] tty: fix __tty_insert_flip_char regression

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 8a5a90a2a477b86a3dc2eaa5a706db9bfdd647ca upstream.

Sergey noticed a small but fatal mistake in __tty_insert_flip_char,
leading to an oops in an interrupt handler when using any serial
port.

The problem is that I accidentally took the tty_buffer pointer
before calling __tty_buffer_request_room(), which replaces the
buffer. This moves the pointer lookup to the right place after
allocating the new buffer space.

Fixes: 979990c62848 ("tty: improve tty_insert_flip_char() fast path")
Reported-by: Sergey Senozhatsky 
Tested-by: Sergey Senozhatsky 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/tty_buffer.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -372,12 +372,13 @@ EXPORT_SYMBOL(tty_insert_flip_string_fla
  */
 int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
 {
-   struct tty_buffer *tb = port->buf.tail;
+   struct tty_buffer *tb;
int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
 
if (!__tty_buffer_request_room(port, 1, flags))
return 0;
 
+   tb = port->buf.tail;
if (~tb->flags & TTYB_NORMAL)
*flag_buf_ptr(tb, tb->used) = flag;
*char_buf_ptr(tb, tb->used++) = ch;
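Review bot: The fix depends on `tb` being read only after __tty_buffer_request_room() has run, but nothing at the new `tb = port->buf.tail;` line says why, and that is the ordering the regression broke. I would add a comment above the assignment: `/* __tty_buffer_request_room() may switch port->buf.tail to a new buffer; look it up only afterwards */`. Per the commit message the stale pointer led to an oops in an interrupt handler, so it is worth guarding against a later tidy-up folding the lookup back into the declaration. The function body continues past the end of the hunk.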




[PATCH 4.9 17/77] MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 3444c4eb534c20e44f0d6670b34263efaf8b531f upstream.

Fix the value returned by <MAXA|MINA>.<D|S> fd,fs,ft, if both inputs
are infinite. The previous implementation returned always the value
contained in ft in such cases. The correct behavior is specified
in Mips instruction set manual and is as follows:

    fs     ft     MAXA   MINA
    ---------------------------
     inf    inf    inf    inf
     inf   -inf    inf   -inf
    -inf    inf    inf   -inf
    -inf   -inf   -inf   -inf

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains +inf, and ft contains -inf, fd is going to contain
  +inf (without this patch, it used to contain -inf).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16884/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |4 +++-
 arch/mips/math-emu/dp_fmin.c |4 +++-
 arch/mips/math-emu/sp_fmax.c |4 +++-
 arch/mips/math-emu/sp_fmin.c |4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
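Review bot: The new INF/INF case picks the result sign with `xs & ys` here and with `xs | ys` in the fmina hunks, and nothing in the code explains the choice. A one-line comment would tie it to the table in the commit message: `/* +inf unless both inputs are -inf */` for the `&` form and `/* -inf if either input is -inf */` for the `|` form. The same applies to the matching hunks in dp_fmin.c, sp_fmax.c and sp_fmin.c. This reading assumes xs and ys hold only 0 or 1, which is not visible in the hunk; the switch statement starts and ends outside it.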
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754sp ieee754sp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):

[PATCH 4.9 16/77] MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite signs

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 1a41b3b441508ae63b1a9ec699ec94065739eb60 upstream.

Fix the value returned by <MAXA|MINA>.<D|S>, if the inputs are normal
fp numbers of the same absolute value, but opposite signs.

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains -3.0, and ft contains +3.0, fd is going to contain
  +3.0 (without this patch, it used to contain -3.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16883/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |6 +-
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |6 +-
 4 files changed, 22 insertions(+), 6 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
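Review bot: The `/* Compare mantissa */` comment no longer describes the last two branches, which break a tie between inputs of equal mantissa by looking at the sign of x. I would add `/* Equal magnitude: MAXA returns the positive input if the signs differ */` before `else if (xs == 0)`, and in sp_fmax.c likewise. The MINA hunks in dp_fmin.c and sp_fmin.c need the mirror-image comment before `else if (xs == 1)`: `/* Equal magnitude: MINA returns the negative input if the signs differ */`. The exponent comparison that makes "equal mantissa" mean "equal magnitude" sits above the hunk and is not visible here.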
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }




[PATCH 4.9 15/77] MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit aabf5cf02e22ebc4e541adf835910f388b6c3e65 upstream.

Fix the value returned by <MAX|MIN>.<D|S>, if both inputs are negative
normal fp numbers. The previous logic did not take into account that
if both inputs have the same sign, there should be separate treatment
of the cases when both inputs are negative and when both inputs are
positive.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains -5.0, and ft contains -7.0, fd is going to contain
  -5.0 (without this patch, it used to contain -7.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16882/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 96 insertions(+), 32 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return y;
+   return x;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return y;
-   return x;
+   return x;
+   return y;
 }
 
 union ieee754dp ieee754dp_fmaxa(union ieee754dp x, union ieee754dp y)
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmin(union iee
else if (xs < ys)
return y;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return y;
-   else if (xe < ye)
-   return x;
+   /* Signs of inputs are the same, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return x;
+   return y;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return x;
-   return y;
+   return y;
+   return x;
 }
 
 union ieee754dp ieee754dp_fmina(union ieee754dp x, union ieee754dp y)
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -116,16 +116,32 @@ union ieee754sp ieee754sp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */

[PATCH 4.4 26/66] MIPS: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 304bfe473e70523e591fb1c9223289d355e0bdcb upstream.

Fix following special cases for MINA.<D|S>:

  - if one of the inputs is zero, and the other is subnormal, normal,
or infinity, the  value of the former should be returned (that is,
a zero).
  - if one of the inputs is infinity, and the other input is normal,
or subnormal, the value of the latter should be returned.

The previous implementation's logic for such cases was incorrect - it
appears as if it implements MAXA, and not MINA instruction.

A relevant example:

MINA.S fd,fs,ft:
  If fs contains 100.0, and ft contains 0.0, fd is going to contain
  0.0 (without this patch, it used to contain 100.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16885/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmin.c |4 ++--
 arch/mips/math-emu/sp_fmin.c |4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -210,14 +210,14 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
-   return x;
+   return y;
 
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_DNORM):
-   return y;
+   return x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
return ieee754dp_zero(xs | ys);
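Review bot: Both swapped `return` statements depend on which operand of each CLPAIR has the smaller magnitude, and neither case group says which one it selects. The commit message notes that the old bodies behaved like MAXA, so a short comment would make that kind of slip visible: `/* y is the smaller-magnitude operand */` above `return y;` and `/* x is the smaller-magnitude operand */` above `return x;`. The same comments apply to the sp_fmin.c hunk. The first case group begins above the hunk, so its leading labels are not visible here.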
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -210,14 +210,14 @@ union ieee754sp ieee754sp_fmina(union ie
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
-   return x;
+   return y;
 
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_DNORM):
-   return y;
+   return x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
return ieee754sp_zero(xs | ys);




[PATCH 4.9 10/77] tty: fix __tty_insert_flip_char regression

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 8a5a90a2a477b86a3dc2eaa5a706db9bfdd647ca upstream.

Sergey noticed a small but fatal mistake in __tty_insert_flip_char,
leading to an oops in an interrupt handler when using any serial
port.

The problem is that I accidentally took the tty_buffer pointer
before calling __tty_buffer_request_room(), which replaces the
buffer. This moves the pointer lookup to the right place after
allocating the new buffer space.

Fixes: 979990c62848 ("tty: improve tty_insert_flip_char() fast path")
Reported-by: Sergey Senozhatsky 
Tested-by: Sergey Senozhatsky 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/tty_buffer.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -372,12 +372,13 @@ EXPORT_SYMBOL(tty_insert_flip_string_fla
  */
 int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
 {
-   struct tty_buffer *tb = port->buf.tail;
+   struct tty_buffer *tb;
int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
 
if (!__tty_buffer_request_room(port, 1, flags))
return 0;
 
+   tb = port->buf.tail;
if (~tb->flags & TTYB_NORMAL)
*flag_buf_ptr(tb, tb->used) = flag;
*char_buf_ptr(tb, tb->used++) = ch;




[PATCH 4.9 17/77] MIPS: math-emu: .: Fix cases of both infinite inputs

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 3444c4eb534c20e44f0d6670b34263efaf8b531f upstream.

Fix the value returned by <MAXA|MINA>.<D|S> fd,fs,ft, if both inputs
are infinite. The previous implementation returned always the value
contained in ft in such cases. The correct behavior is specified
in Mips instruction set manual and is as follows:

    fs     ft     MAXA   MINA
    ---------------------------
     inf    inf    inf    inf
     inf   -inf    inf   -inf
    -inf    inf    inf   -inf
    -inf   -inf   -inf   -inf

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains +inf, and ft contains -inf, fd is going to contain
  +inf (without this patch, it used to contain -inf).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16884/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |4 +++-
 arch/mips/math-emu/dp_fmin.c |4 +++-
 arch/mips/math-emu/sp_fmax.c |4 +++-
 arch/mips/math-emu/sp_fmin.c |4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -202,6 +202,9 @@ union ieee754dp ieee754dp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754dp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmaxa(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs & ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754sp ieee754sp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -202,6 +202,9 @@ union ieee754sp ieee754sp_fmina(union ie
/*
 * Infinity and zero handling
 */
+   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
+   return ieee754sp_inf(xs | ys);
+
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
@@ -209,7 +212,6 @@ union ieee754sp ieee754sp_fmina(union ie
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
return x;
 
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case 

[PATCH 4.9 16/77] MIPS: math-emu: .: Fix cases of input values with opposite signs

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 1a41b3b441508ae63b1a9ec699ec94065739eb60 upstream.

Fix the value returned by <MAXA|MINA>.<D|S>, if the inputs are normal
fp numbers of the same absolute value, but opposite signs.

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains -3.0, and ft contains +3.0, fd is going to contain
  +3.0 (without this patch, it used to contain -3.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16883/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |6 +-
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |6 +-
 4 files changed, 22 insertions(+), 6 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }




[PATCH 4.9 15/77] MIPS: math-emu: .: Fix cases of both inputs negative

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit aabf5cf02e22ebc4e541adf835910f388b6c3e65 upstream.

Fix the value returned by {MAX,MIN}.{D,S}, if both inputs are negative
normal fp numbers. The previous logic did not take into account that
if both inputs have the same sign, there should be separate treatment
of the cases when both inputs are negative and when both inputs are
positive.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains -5.0, and ft contains -7.0, fd is going to contain
  -5.0 (without this patch, it used to contain -7.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16882/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 96 insertions(+), 32 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return y;
+   return x;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return y;
-   return x;
+   return x;
+   return y;
 }
 
 union ieee754dp ieee754dp_fmaxa(union ieee754dp x, union ieee754dp y)
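Review bot: The both-negative case in ieee754dp_fmax is split across two separate `if (xs == 0)` tests, one for exponents and one for mantissas, which makes the inverted ordering harder to follow than it needs to be. Handling the negative case in one place, for example `if (xs) return (xe > ye || (xe == ye && xm > ym)) ? y : x;` ahead of the original exponent and mantissa comparisons, selects the same operand for every input and leaves the positive path as it was. The dp_fmin.c hunk has the same shape with the two results swapped. The function starts outside the hunk, so this assumes xs/xe/xm and ys/ye/ym are the unpacked sign, exponent and mantissa of the operands.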
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -116,16 +116,32 @@ union ieee754dp ieee754dp_fmin(union iee
else if (xs < ys)
return y;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return y;
-   else if (xe < ye)
-   return x;
+   /* Signs of inputs are the same, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return y;
+   else if (xe < ye)
+   return x;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   }
 
-   /* Compare mantissa */
+   /* Signs and exponents of inputs are equal, let's compare mantissas */
+   if (xs == 0) {
+   /* Inputs are both positive, with equal signs and exponents */
+   if (xm <= ym)
+   return x;
+   return y;
+   }
+   /* Inputs are both negative, with equal signs and exponents */
if (xm <= ym)
-   return x;
-   return y;
+   return y;
+   return x;
 }
 
 union ieee754dp ieee754dp_fmina(union ieee754dp x, union ieee754dp y)
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -116,16 +116,32 @@ union ieee754sp ieee754sp_fmax(union iee
else if (xs < ys)
return x;
 
-   /* Compare exponent */
-   if (xe > ye)
-   return x;
-   else if (xe < ye)
-   return y;
+   /* Signs of inputs are equal, let's compare exponents */
+   if (xs == 0) {
+   /* Inputs are both positive */
+   if (xe > ye)
+   return x;
+   else if (xe < ye)
+   return y;
+   } else {
+   /* Inputs are both negative */
+   if (xe > ye)
+   return y;
+   

[PATCH 4.4 26/66] MIPS: math-emu: MINA.: Fix some cases of infinity and zero inputs

2017-09-24 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 304bfe473e70523e591fb1c9223289d355e0bdcb upstream.

Fix the following special cases for MINA.{D,S}:

  - if one of the inputs is zero, and the other is subnormal, normal,
or infinity, the  value of the former should be returned (that is,
a zero).
  - if one of the inputs is infinity, and the other input is normal,
or subnormal, the value of the latter should be returned.

The previous implementation's logic for such cases was incorrect - it
appears as if it implements MAXA, and not MINA instruction.

A relevant example:

MINA.S fd,fs,ft:
  If fs contains 100.0, and ft contains 0.0, fd is going to contain
  0.0 (without this patch, it used to contain 100.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16885/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmin.c |4 ++--
 arch/mips/math-emu/sp_fmin.c |4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -210,14 +210,14 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
-   return x;
+   return y;
 
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_DNORM):
-   return y;
+   return x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
return ieee754dp_zero(xs | ys);
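Review bot: The two case groups in ieee754dp_fmina carry no comment saying which operand has the smaller magnitude, and the commit message notes the old returns looked like MAXA, so the swapped `return x`/`return y` is easy to get wrong again. A one-line comment on each group would pin the intent: `/* |x| > |y|: y has the smaller magnitude */` before the new `return y;` and `/* |x| is smaller than |y|: return x */` before the new `return x;`. The sp_fmin.c hunk needs the same two comments. The switch starts outside the hunk, so the earlier case labels of the first group are not visible here.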
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -210,14 +210,14 @@ union ieee754sp ieee754sp_fmina(union ie
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
-   return x;
+   return y;
 
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_DNORM):
-   return y;
+   return x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
return ieee754sp_zero(xs | ys);




[PATCH 4.9 03/77] mm: prevent double decrease of nr_reserved_highatomic

2017-09-24 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Minchan Kim 

commit 4855e4a7f29d6d10b0b9c84e189c770c9a94e91e upstream.

There is race between page freeing and unreserved highatomic.

 CPU 0  CPU 1

free_hot_cold_page
  mt = get_pfnblock_migratetype
  set_pcppage_migratetype(page, mt)
unreserve_highatomic_pageblock
spin_lock_irqsave(>lock)
move_freepages_block
set_pageblock_migratetype(page)
spin_unlock_irqrestore(>lock)
  free_pcppages_bulk
__free_one_page(mt) <- mt is stale

Because of the above race, a page on CPU 0 could go to a non-highorderatomic
free list since the pageblock's type is changed.  As a result, the unreserve
logic of highorderatomic can decrease the reserved count on the same pageblock
several times, which causes a mismatch between nr_reserved_highatomic and
the number of reserved pageblocks.

So, this patch verifies whether the pageblock is highatomic or not and
decrease the count only if the pageblock is highatomic.

Link: 
http://lkml.kernel.org/r/1476259429-18279-3-git-send-email-minc...@kernel.org
Signed-off-by: Minchan Kim 
Acked-by: Vlastimil Babka 
Acked-by: Mel Gorman 
Cc: Joonsoo Kim 
Cc: Sangseok Lee 
Cc: Michal Hocko 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Cc: Miles Chen 
Signed-off-by: Greg Kroah-Hartman 

---
 mm/page_alloc.c |   24 ++--
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2100,13 +2100,25 @@ static void unreserve_highatomic_pageblo
continue;
 
/*
-* It should never happen but changes to locking could
-* inadvertently allow a per-cpu drain to add pages
-* to MIGRATE_HIGHATOMIC while unreserving so be safe
-* and watch for underflows.
+* In page freeing path, migratetype change is racy so
+* we can counter several free pages in a pageblock
+* in this loop althoug we changed the pageblock type
+* from highatomic to ac->migratetype. So we should
+* adjust the count once.
 */
-   zone->nr_reserved_highatomic -= min(pageblock_nr_pages,
-   zone->nr_reserved_highatomic);
+   if (get_pageblock_migratetype(page) ==
+   MIGRATE_HIGHATOMIC) {
+   /*
+* It should never happen but changes to
+* locking could inadvertently allow a per-cpu
+* drain to add pages to MIGRATE_HIGHATOMIC
+* while unreserving so be safe and watch for
+* underflows.
+*/
+   zone->nr_reserved_highatomic -= min(
+   pageblock_nr_pages,
+   zone->nr_reserved_highatomic);
+   }
 
/*
 * Convert to ac->migratetype and avoid the normal
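Review bot: The new outer comment in unreserve_highatomic_pageblock is hard to read: `we can counter several free pages` presumably means `encounter`, and `althoug` is misspelled. It also does not say why the `get_pageblock_migratetype(page) == MIGRATE_HIGHATOMIC` test can be trusted. The commit message shows zone->lock taken around this path, so a sentence such as `zone->lock is held here, so the pageblock type cannot change between this check and the conversion below` would record that assumption; the locking calls themselves are outside the hunk and should be confirmed. Keeping the `min()` clamp is a sensible guard against counter underflow and is worth leaving in place.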




Re: [PATCH] panel: display: Add support for Mitsubishi aa070mc01 TFT panel

2017-09-24 Thread Łukasz Majewski

On 09/08/2017 11:43 AM, Lukasz Majewski wrote:

This commit adds support for Mitsubishi aa070mc01 TFT panel working
with 8 bit ISP mode (pin 19 "mode" HIGH for 20 pin TFT connector).

Signed-off-by: Lukasz Majewski 


Gentle ping on this patch.

Anyone could express their opinion?

Thanks in advance,
Łukasz


---
  drivers/gpu/drm/panel/panel-simple.c | 35 +++
  1 file changed, 35 insertions(+)

diff --git a/drivers/gpu/drm/panel/panel-simple.c 
b/drivers/gpu/drm/panel/panel-simple.c
index 3d2cb8b..0c64ec6 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -1141,6 +1141,38 @@ static const struct panel_desc innolux_g121x1_l03 = {
},
  };
  
+static const struct drm_display_mode mitsubishi_aa070mc01_mode = {

+   .clock = 30400,
+   .hdisplay = 800,
+   .hsync_start = 800 + 0,
+   .hsync_end = 800 + 1,
+   .htotal = 800 + 0 + 1 + 160,
+   .vdisplay = 480,
+   .vsync_start = 480 + 0,
+   .vsync_end = 480 + 48 + 1,
+   .vtotal = 480 + 48 + 1 + 0,
+   .vrefresh = 60,
+   .flags = DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_NVSYNC,
+};
+
+static const struct panel_desc mitsubishi_aa070mc01 = {
+   .modes = _aa070mc01_mode,
+   .num_modes = 1,
+   .bpc = 8,
+   .size = {
+   .width = 152,
+   .height = 91,
+   },
+
+   .delay = {
+   .enable = 200,
+   .unprepare = 200,
+   .disable = 400,
+   },
+   .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
+   .bus_flags = DRM_BUS_FLAG_DE_HIGH,
+};
+
  static const struct drm_display_mode innolux_n116bge_mode = {
.clock = 76420,
.hdisplay = 1366,
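Review bot: The vertical timings in mitsubishi_aa070mc01_mode do not decompose consistently: `.vsync_start = 480 + 0` implies no front porch, while `.vsync_end = 480 + 48 + 1` and `.vtotal = 480 + 48 + 1 + 0` read as front porch 48, sync 1, back porch 0. As written the sync pulse spans 49 lines. If 48 is meant as the front porch, the line should be `.vsync_start = 480 + 48,`; if a 49-line pulse is intended, a comment saying so would help. The horizontal values follow the usual display + front porch + sync + back porch pattern, which is why the vertical ones stand out.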
@@ -2029,6 +2061,9 @@ static const struct of_device_id platform_of_match[] = {
.compatible = "innolux,g121x1-l03",
.data = _g121x1_l03,
}, {
+   .compatible = "mitsubishi,aa070mc01-ca1",
+   .data = _aa070mc01,
+   }, {
.compatible = "innolux,n116bge",
.data = _n116bge,
}, {
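Review bot: The new `mitsubishi,aa070mc01-ca1` entry is inserted between `innolux,g121x1-l03` and `innolux,n116bge`, which breaks what looks like alphabetical ordering of platform_of_match[] in the visible context. It belongs after the last innolux entry, and the mode and panel_desc definitions in the first hunk have the same placement issue. The diffstat also lists only panel-simple.c, so this patch adds no device-tree binding document for the compatible string; if one is not added elsewhere in the series, it should be. The table continues outside the hunk, so the exact sorted position cannot be confirmed from here.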




--
Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH,  Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de

