[PATCH 3.10 066/268] scsi: avoid a permanent stop of the scsi device's request queue

From: Wei Fang commit d2a145252c52792bc59e4767b486b26c430af4bb upstream. A race between scanning and fc_remote_port_delete() may result in a permanent stop if the device gets blocked before scsi_sysfs_add_sdev() and unblocked after. The reason is that blocking a device

[PATCH 3.10 066/268] scsi: avoid a permanent stop of the scsi device's request queue

From: Wei Fang commit d2a145252c52792bc59e4767b486b26c430af4bb upstream. A race between scanning and fc_remote_port_delete() may result in a permanent stop if the device gets blocked before scsi_sysfs_add_sdev() and unblocked after. The reason is that blocking a device sets both the

Re: [PATCH v4 2/5] perf config: Refactor the code using 'ret' variable in cmd_config()

Em Sat, Jun 17, 2017 at 12:46:42PM +0900, Taeung Song escreveu: > To simplify the code related to 'ret' variable in cmd_config(), > initialize 'ret' with -1 instead of 0. Thanks, applied. > Cc: Jiri Olsa > Cc: Namhyung Kim > Signed-off-by: Taeung Song

Re: [PATCH v4 2/5] perf config: Refactor the code using 'ret' variable in cmd_config()

Em Sat, Jun 17, 2017 at 12:46:42PM +0900, Taeung Song escreveu: > To simplify the code related to 'ret' variable in cmd_config(), > initialize 'ret' with -1 instead of 0. Thanks, applied. > Cc: Jiri Olsa > Cc: Namhyung Kim > Signed-off-by: Taeung Song > --- > tools/perf/builtin-config.c |

[PATCH 3.10 101/268] pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE

From: Niklas Söderlund commit 5d7400c4acbf7fe633a976a89ee845f7333de3e4 upstream. Always stating PIN_CONFIG_BIAS_DISABLE is supported gives untrue output when examining /sys/kernel/debug/pinctrl/e606.pfc/pinconf-pins if the operation get_bias() is

[PATCH 3.10 101/268] pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE

From: Niklas Söderlund commit 5d7400c4acbf7fe633a976a89ee845f7333de3e4 upstream. Always stating PIN_CONFIG_BIAS_DISABLE is supported gives untrue output when examining /sys/kernel/debug/pinctrl/e606.pfc/pinconf-pins if the operation get_bias() is implemented but the pin is not handled by

[PATCH 3.10 020/268] md linear: fix a race between linear_add() and linear_congested()

From: "col...@suse.de" commit 03a9e24ef2aaa5f1f9837356aed79c860521407a upstream. Recently I receive a bug report that on Linux v3.0 based kerenl, hot add disk to a md linear device causes kernel crash at linear_congested(). From the crash image analysis, I find in

[PATCH 3.10 020/268] md linear: fix a race between linear_add() and linear_congested()

From: "col...@suse.de" commit 03a9e24ef2aaa5f1f9837356aed79c860521407a upstream. Recently I receive a bug report that on Linux v3.0 based kerenl, hot add disk to a md linear device causes kernel crash at linear_congested(). From the crash image analysis, I find in linear_congested(),

[PATCH 3.10 100/268] sysrq: attach sysrq handler correctly for 32-bit kernel

From: Akinobu Mita commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream. The sysrq input handler should be attached to the input device which has a left alt key. On 32-bit kernels, some input devices which has a left alt key cannot attach sysrq handler. Because the

[PATCH 3.10 102/268] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F

From: Bjorn Helgaas commit 89e9f7bcd8744ea25fcf0ac671b8d72c10d7d790 upstream. Martin reported that the Supermicro X8DTH-i/6/iF/6F advertises incorrect host bridge windows via _CRS: pci_root PNP0A08:00: host bridge window [io 0xf000-0x] pci_root PNP0A08:01: host

[PATCH 3.10 100/268] sysrq: attach sysrq handler correctly for 32-bit kernel

From: Akinobu Mita commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream. The sysrq input handler should be attached to the input device which has a left alt key. On 32-bit kernels, some input devices which has a left alt key cannot attach sysrq handler. Because the keybit bitmap in struct

[PATCH 3.10 102/268] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F

From: Bjorn Helgaas commit 89e9f7bcd8744ea25fcf0ac671b8d72c10d7d790 upstream. Martin reported that the Supermicro X8DTH-i/6/iF/6F advertises incorrect host bridge windows via _CRS: pci_root PNP0A08:00: host bridge window [io 0xf000-0x] pci_root PNP0A08:01: host bridge window [io

[PATCH 3.10 025/268] fs/cifs: make share unaccessible at root level mountable

From: Aurelien Aptel commit a6b5058fafdf508904bbf16c29b24042cef3c496 upstream. if, when mounting //HOST/share/sub/dir/foo we can query /sub/dir/foo but not any of the path components above: - store the /sub/dir/foo prefix in the cifs super_block info - in the superblock, set

[PATCH 3.10 025/268] fs/cifs: make share unaccessible at root level mountable

From: Aurelien Aptel commit a6b5058fafdf508904bbf16c29b24042cef3c496 upstream. if, when mounting //HOST/share/sub/dir/foo we can query /sub/dir/foo but not any of the path components above: - store the /sub/dir/foo prefix in the cifs super_block info - in the superblock, set root dentry to the

[PATCH 3.10 136/268] drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval

From: Ilia Mirkin commit 24bf7ae359b8cca165bb30742d2b1c03a1eb23af upstream. Based on the xf86-video-nv code, NFORCE (NV1A) and NFORCE2 (NV1F) have a different way of retrieving clocks. See the nv_hw.c:nForceUpdateArbitrationSettings function in the original code for how

[PATCH 3.10 136/268] drm/nouveau/nv1a,nv1f/disp: fix memory clock rate retrieval

From: Ilia Mirkin commit 24bf7ae359b8cca165bb30742d2b1c03a1eb23af upstream. Based on the xf86-video-nv code, NFORCE (NV1A) and NFORCE2 (NV1F) have a different way of retrieving clocks. See the nv_hw.c:nForceUpdateArbitrationSettings function in the original code for how these clocks were

[PATCH 3.10 061/268] arm/xen: Use alloc_percpu rather than __alloc_percpu

From: Julien Grall commit 24d5373dda7c00a438d26016bce140299fae675e upstream. The function xen_guest_init is using __alloc_percpu with an alignment which are not power of two. However, the percpu allocator never supported alignments which are not power of two and has

[PATCH 3.10 061/268] arm/xen: Use alloc_percpu rather than __alloc_percpu

From: Julien Grall commit 24d5373dda7c00a438d26016bce140299fae675e upstream. The function xen_guest_init is using __alloc_percpu with an alignment which are not power of two. However, the percpu allocator never supported alignments which are not power of two and has always behaved incorectly

[PATCH 3.10 130/268] ISDN: eicon: silence misleading array-bounds warning

From: Arnd Bergmann commit 950eabbd6ddedc1b08350b9169a6a51b130ebaaf upstream. With some gcc versions, we get a warning about the eicon driver, and that currently shows up as the only remaining warning in one of the build bots: In file included from

[PATCH 3.10 130/268] ISDN: eicon: silence misleading array-bounds warning

From: Arnd Bergmann commit 950eabbd6ddedc1b08350b9169a6a51b130ebaaf upstream. With some gcc versions, we get a warning about the eicon driver, and that currently shows up as the only remaining warning in one of the build bots: In file included from

[PATCH 3.10 222/268] drm/vmwgfx: Remove getparam error message

From: Thomas Hellstrom commit 53e16798b0864464c5444a204e1bb93ae246c429 upstream. The mesa winsys sometimes uses unimplemented parameter requests to check for features. Remove the error message to avoid bloating the kernel log. Signed-off-by: Thomas Hellstrom

[PATCH 3.10 222/268] drm/vmwgfx: Remove getparam error message

From: Thomas Hellstrom commit 53e16798b0864464c5444a204e1bb93ae246c429 upstream. The mesa winsys sometimes uses unimplemented parameter requests to check for features. Remove the error message to avoid bloating the kernel log. Signed-off-by: Thomas Hellstrom Reviewed-by: Brian Paul

[PATCH 3.10 081/268] cred/userns: define current_user_ns() as a function

From: Arnd Bergmann commit 0335695dfa4df01edff5bb102b9a82a0668ee51e upstream. The current_user_ns() macro currently returns _user_ns when user namespaces are disabled, and that causes several warnings when building with gcc-6.0 in code that compares the result of the macro to

[PATCH 3.10 081/268] cred/userns: define current_user_ns() as a function

From: Arnd Bergmann commit 0335695dfa4df01edff5bb102b9a82a0668ee51e upstream. The current_user_ns() macro currently returns _user_ns when user namespaces are disabled, and that causes several warnings when building with gcc-6.0 in code that compares the result of the macro to _user_ns itself:

[PATCH 3.10 055/268] usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers

From: Guenter Roeck commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream. Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI xhci controllers which can result in excessive

[PATCH 3.10 037/268] ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()

From: Takashi Iwai commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream. snd_seq_pool_done() syncs with closing of all opened threads, but it aborts the wait loop with a timeout, and proceeds to the release resource even if not all threads have been closed. The timeout was 5

[PATCH 3.10 055/268] usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers

From: Guenter Roeck commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream. Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI xhci controllers which can result in excessive timeouts, to the point

[PATCH 3.10 037/268] ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()

From: Takashi Iwai commit 37a7ea4a9b81f6a864c10a7cb0b96458df5310a3 upstream. snd_seq_pool_done() syncs with closing of all opened threads, but it aborts the wait loop with a timeout, and proceeds to the release resource even if not all threads have been closed. The timeout was 5 seconds, and

[PATCH 3.10 028/268] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()

From: Tariq Saeed commit 3d46a44a0c01b15d385ccaae24b56f619613c256 upstream. PID: 614TASK: 882a739da580 CPU: 3 COMMAND: "ocfs2dc" #0 [882ecc3759b0] machine_kexec at 8103b35d #1 [882ecc375a20] crash_kexec at 810b95b5 #2

Re: [PATCH v9 1/5] firmware: add extensible driver data params

On Sat, Jun 17, 2017 at 09:38:15PM +0200, Greg KH wrote: > On Tue, Jun 13, 2017 at 09:40:11PM +0200, Luis R. Rodriguez wrote: > > On Tue, Jun 13, 2017 at 11:05:48AM +0200, Greg KH wrote: > > > On Mon, Jun 05, 2017 at 02:39:33PM -0700, Luis R. Rodriguez wrote: > > > > As the firmware API evolves we

[PATCH 3.10 028/268] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()

From: Tariq Saeed commit 3d46a44a0c01b15d385ccaae24b56f619613c256 upstream. PID: 614TASK: 882a739da580 CPU: 3 COMMAND: "ocfs2dc" #0 [882ecc3759b0] machine_kexec at 8103b35d #1 [882ecc375a20] crash_kexec at 810b95b5 #2 [882ecc375af0] oops_end at

Re: [PATCH v9 1/5] firmware: add extensible driver data params

On Sat, Jun 17, 2017 at 09:38:15PM +0200, Greg KH wrote: > On Tue, Jun 13, 2017 at 09:40:11PM +0200, Luis R. Rodriguez wrote: > > On Tue, Jun 13, 2017 at 11:05:48AM +0200, Greg KH wrote: > > > On Mon, Jun 05, 2017 at 02:39:33PM -0700, Luis R. Rodriguez wrote: > > > > As the firmware API evolves we

[PATCH 3.10 115/268] apparmor: internal paths should be treated as disconnected

From: John Johansen commit bd35db8b8ca6e27fc17a9057ef78e1ddfc0de351 upstream. Internal mounts are not mounted anywhere and as such should be treated as disconnected paths. Signed-off-by: John Johansen Acked-by: Seth Arnold

[PATCH 3.10 115/268] apparmor: internal paths should be treated as disconnected

From: John Johansen commit bd35db8b8ca6e27fc17a9057ef78e1ddfc0de351 upstream. Internal mounts are not mounted anywhere and as such should be treated as disconnected paths. Signed-off-by: John Johansen Acked-by: Seth Arnold Signed-off-by: Jiri Slaby Signed-off-by: Willy Tarreau ---

[PATCH 3.10 086/268] drop_monitor: consider inserted data in genlmsg_end

From: Reiter Wolfgang commit 3b48ab2248e61408910e792fe84d6ec466084c1a upstream. Final nlmsg_len field update must reflect inserted net_dm_drop_point data. This patch depends on previous patch: "drop_monitor: add missing call to genlmsg_end" Signed-off-by: Reiter Wolfgang

[PATCH 3.10 106/268] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT

From: Trond Myklebust commit 809fd143de8805970eec02c27c0bc2622a6ecbda upstream. If the OPEN rpc call to the server fails with an ENOENT call, nfs_atomic_open will create a negative dentry for that file, however it currently fails to call nfs_set_verifier(), thus

[PATCH 3.10 086/268] drop_monitor: consider inserted data in genlmsg_end

From: Reiter Wolfgang commit 3b48ab2248e61408910e792fe84d6ec466084c1a upstream. Final nlmsg_len field update must reflect inserted net_dm_drop_point data. This patch depends on previous patch: "drop_monitor: add missing call to genlmsg_end" Signed-off-by: Reiter Wolfgang Acked-by: Neil

[PATCH 3.10 106/268] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT

From: Trond Myklebust commit 809fd143de8805970eec02c27c0bc2622a6ecbda upstream. If the OPEN rpc call to the server fails with an ENOENT call, nfs_atomic_open will create a negative dentry for that file, however it currently fails to call nfs_set_verifier(), thus causing the dentry to be

[PATCH 3.10 078/268] powerpc/ps3: Fix system hang with GCC 5 builds

From: Geoff Levand commit 6dff5b67054e17c91bd630bcdda17cfca5aa4215 upstream. GCC 5 generates different code for this bootwrapper null check that causes the PS3 to hang very early in its bootup. This check is of limited value, so just get rid of it. Signed-off-by: Geoff

[PATCH 3.10 078/268] powerpc/ps3: Fix system hang with GCC 5 builds

From: Geoff Levand commit 6dff5b67054e17c91bd630bcdda17cfca5aa4215 upstream. GCC 5 generates different code for this bootwrapper null check that causes the PS3 to hang very early in its bootup. This check is of limited value, so just get rid of it. Signed-off-by: Geoff Levand Signed-off-by:

[PATCH 3.10 045/268] USB: gadgetfs: fix unbounded memory allocation bug

From: Alan Stern commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream. Andrey Konovalov reports that fuzz testing with syzkaller causes a KASAN warning in gadgetfs: BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr 88003c47e160 Write of size

[PATCH 3.10 045/268] USB: gadgetfs: fix unbounded memory allocation bug

From: Alan Stern commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream. Andrey Konovalov reports that fuzz testing with syzkaller causes a KASAN warning in gadgetfs: BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr 88003c47e160 Write of size 65537 by task

[PATCH 3.10 063/268] xfs: clear _XBF_PAGES from buffers when readahead page

From: "Darrick J. Wong" commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream. If we try to allocate memory pages to back an xfs_buf that we're trying to read, it's possible that we'll be so short on memory that the page allocation fails. For a blocking read we'll

[PATCH 3.10 063/268] xfs: clear _XBF_PAGES from buffers when readahead page

From: "Darrick J. Wong" commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream. If we try to allocate memory pages to back an xfs_buf that we're trying to read, it's possible that we'll be so short on memory that the page allocation fails. For a blocking read we'll just wait, but for

[PATCH 3.10 090/268] Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000

From: Kai-Heng Feng commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream. The aux port does not get detected without noloop quirk, so external PS/2 mouse cannot work as result. The PS/2 mouse can work with this quirk. BugLink:

[PATCH 3.10 060/268] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing

From: Boris Ostrovsky commit 30faaafdfa0c754c91bac60f216c9f34a2bfdf7e upstream. Commit 9c17d96500f7 ("xen/gntdev: Grant maps should not be subject to NUMA balancing") set VM_IO flag to prevent grant maps from being subjected to NUMA balancing. It was discovered

[PATCH 3.10 090/268] Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000

From: Kai-Heng Feng commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream. The aux port does not get detected without noloop quirk, so external PS/2 mouse cannot work as result. The PS/2 mouse can work with this quirk. BugLink: https://bugs.launchpad.net/bugs/1591053 Signed-off-by:

[PATCH 3.10 060/268] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing

From: Boris Ostrovsky commit 30faaafdfa0c754c91bac60f216c9f34a2bfdf7e upstream. Commit 9c17d96500f7 ("xen/gntdev: Grant maps should not be subject to NUMA balancing") set VM_IO flag to prevent grant maps from being subjected to NUMA balancing. It was discovered recently that this flag causes

[PATCH 3.10 206/268] sparc/ptrace: Preserve previous registers for short regset write

From: Dave Martin commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream. Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET to fill all the registers, the thread's old registers are preserved. Signed-off-by: Dave Martin

[PATCH 3.10 206/268] sparc/ptrace: Preserve previous registers for short regset write

From: Dave Martin commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream. Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET to fill all the registers, the thread's old registers are preserved. Signed-off-by: Dave Martin Acked-by: David S. Miller Signed-off-by: Linus

[PATCH 3.10 196/268] igb: add i211 to i210 PHY workaround

From: Todd Fujinaka commit 5bc8c230e2a993b49244f9457499f17283da9ec7 upstream. i210 and i211 share the same PHY but have different PCI IDs. Don't forget i211 for any i210 workarounds. Signed-off-by: Todd Fujinaka Tested-by: Aaron Brown

[PATCH 3.10 162/268] bcma: use (get|put)_device when probing/removing device driver

From: Rafał Miłecki commit a971df0b9d04674e325346c17de9a895425ca5e1 upstream. This allows tracking device state and e.g. makes devm work as expected. Signed-off-by: Rafał Miłecki Signed-off-by: Kalle Valo Signed-off-by: Willy

[PATCH 3.10 196/268] igb: add i211 to i210 PHY workaround

From: Todd Fujinaka commit 5bc8c230e2a993b49244f9457499f17283da9ec7 upstream. i210 and i211 share the same PHY but have different PCI IDs. Don't forget i211 for any i210 workarounds. Signed-off-by: Todd Fujinaka Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Sasha Levin

[PATCH 3.10 162/268] bcma: use (get|put)_device when probing/removing device driver

From: Rafał Miłecki commit a971df0b9d04674e325346c17de9a895425ca5e1 upstream. This allows tracking device state and e.g. makes devm work as expected. Signed-off-by: Rafał Miłecki Signed-off-by: Kalle Valo Signed-off-by: Willy Tarreau --- drivers/bcma/main.c | 4 1 file changed, 4

[PATCH 3.10 170/268] drm/ttm: Make sure BOs being swapped out are cacheable

From: Michel Dänzer commit 239ac65fa5ffab71adf66e642750f940e7241d99 upstream. The current caching state may not be tt_cached, even though the placement contains TTM_PL_FLAG_CACHED, because placement can contain multiple caching flags. Trying to swap out such a BO would

[PATCH 3.10 170/268] drm/ttm: Make sure BOs being swapped out are cacheable

From: Michel Dänzer commit 239ac65fa5ffab71adf66e642750f940e7241d99 upstream. The current caching state may not be tt_cached, even though the placement contains TTM_PL_FLAG_CACHED, because placement can contain multiple caching flags. Trying to swap out such a BO would trip up the

[PATCH 3.10 008/268] ext4: fix fencepost in s_first_meta_bg validation

From: Theodore Ts'o commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream. It is OK for s_first_meta_bg to be equal to the number of block group descriptor blocks. (It rarely happens, but it shouldn't cause any problems.) https://bugzilla.kernel.org/show_bug.cgi?id=194567

[PATCH 3.10 008/268] ext4: fix fencepost in s_first_meta_bg validation

From: Theodore Ts'o commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream. It is OK for s_first_meta_bg to be equal to the number of block group descriptor blocks. (It rarely happens, but it shouldn't cause any problems.) https://bugzilla.kernel.org/show_bug.cgi?id=194567 Fixes:

[PATCH 3.10 129/268] sysctl: fix proc_doulongvec_ms_jiffies_minmax()

From: Eric Dumazet commit ff9f8a7cf935468a94d9927c68b00daae701667e upstream. We perform the conversion between kernel jiffies and ms only when exporting kernel value to user space. We need to do the opposite operation when value is written by user. Only matters when HZ !=

[PATCH 3.10 129/268] sysctl: fix proc_doulongvec_ms_jiffies_minmax()

From: Eric Dumazet commit ff9f8a7cf935468a94d9927c68b00daae701667e upstream. We perform the conversion between kernel jiffies and ms only when exporting kernel value to user space. We need to do the opposite operation when value is written by user. Only matters when HZ != 1000 Signed-off-by:

[PATCH 3.10 153/268] af_packet: remove a stray tab in packet_set_ring()

From: Dan Carpenter commit d7cf0c34af067555737193b6c1aa7abaa677f29c upstream. At first glance it looks like there is a missing curly brace but actually the code works the same either way. I have adjusted the indenting but left the code the same. Signed-off-by: Dan

[PATCH 3.10 153/268] af_packet: remove a stray tab in packet_set_ring()

From: Dan Carpenter commit d7cf0c34af067555737193b6c1aa7abaa677f29c upstream. At first glance it looks like there is a missing curly brace but actually the code works the same either way. I have adjusted the indenting but left the code the same. Signed-off-by: Dan Carpenter Acked-by: Daniel

[PATCH 3.10 256/268] MIPS: Fix crash registers on non-crashing CPUs

From: Corey Minyard commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream. As part of handling a crash on an SMP system, an IPI is send to all other CPUs to save their current registers and stop. It was using task_pt_regs(current) to get the registers, but that will

[PATCH 3.10 256/268] MIPS: Fix crash registers on non-crashing CPUs

From: Corey Minyard commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream. As part of handling a crash on an SMP system, an IPI is send to all other CPUs to save their current registers and stop. It was using task_pt_regs(current) to get the registers, but that will only be accurate if the

[PATCH 3.10 143/268] tcp: fix 0 divide in __tcp_select_window()

From: Eric Dumazet commit 06425c308b92eaf60767bc71d359f4cbc7a561f8 upstream. syszkaller fuzzer was able to trigger a divide by zero, when TCP window scaling is not enabled. SO_RCVBUF can be used not only to increase sk_rcvbuf, also to decrease it below current receive

[PATCH 3.10 156/268] ipc/shm: Fix shmat mmap nil-page protection

From: Davidlohr Bueso commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream. The issue is described here, with a nice testcase: https://bugzilla.kernel.org/show_bug.cgi?id=192931 The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the address

[PATCH 3.10 143/268] tcp: fix 0 divide in __tcp_select_window()

From: Eric Dumazet commit 06425c308b92eaf60767bc71d359f4cbc7a561f8 upstream. syszkaller fuzzer was able to trigger a divide by zero, when TCP window scaling is not enabled. SO_RCVBUF can be used not only to increase sk_rcvbuf, also to decrease it below current receive buffers utilization. If

[PATCH 3.10 156/268] ipc/shm: Fix shmat mmap nil-page protection

From: Davidlohr Bueso commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream. The issue is described here, with a nice testcase: https://bugzilla.kernel.org/show_bug.cgi?id=192931 The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the address rounded down to 0. For

Re: [PATCH 0/8] Isolate time_t data types for clock/timer syscalls

> Check the stuff already in tip/timers/core; at the very least it overlaps > considerably with your series. And your variant is a lot more convoluted - > there's no need to have a separate compat restart, etc. Thanks, I see there were updates last week to the tree. For the nanosleep part, I

Re: [PATCH 0/8] Isolate time_t data types for clock/timer syscalls

> Check the stuff already in tip/timers/core; at the very least it overlaps > considerably with your series. And your variant is a lot more convoluted - > there's no need to have a separate compat restart, etc. Thanks, I see there were updates last week to the tree. For the nanosleep part, I

[PATCH 3.10 043/268] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks

From: Con Kolivas commit 82ffb6fc637150b279f49e174166d2aa3853eaf4 upstream. The Logitech QuickCam Communicate Deluxe/S7500 microphone fails with the following warning. [6.778995] usb 2-1.2.2.2: Warning! Unlikely big volume range (=3072), cval->res is probably wrong. [

[PATCH 3.10 253/268] net: neigh: guard against NULL solicit() method

From: Eric Dumazet commit 48481c8fa16410ffa45939b13b6c53c2ca609e5f upstream. Dmitry posted a nice reproducer of a bug triggering in neigh_probe() when dereferencing a NULL neigh->ops->solicit method. This can happen for arp_direct_ops/ndisc_direct_ops and similar, which

[PATCH 3.10 043/268] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks

From: Con Kolivas commit 82ffb6fc637150b279f49e174166d2aa3853eaf4 upstream. The Logitech QuickCam Communicate Deluxe/S7500 microphone fails with the following warning. [6.778995] usb 2-1.2.2.2: Warning! Unlikely big volume range (=3072), cval->res is probably wrong. [6.778996] usb

[PATCH 3.10 253/268] net: neigh: guard against NULL solicit() method

From: Eric Dumazet commit 48481c8fa16410ffa45939b13b6c53c2ca609e5f upstream. Dmitry posted a nice reproducer of a bug triggering in neigh_probe() when dereferencing a NULL neigh->ops->solicit method. This can happen for arp_direct_ops/ndisc_direct_ops and similar, which can be used for

[PATCH 3.10 010/268] ext4: preserve the needs_recovery flag when the journal is aborted

From: Theodore Ts'o commit 97abd7d4b5d9c48ec15c425485f054e1c15e591b upstream. If the journal is aborted, the needs_recovery feature flag should not be removed. Otherwise, it's the journal might not get replayed and this could lead to more data getting lost. Signed-off-by:

[PATCH 3.10 010/268] ext4: preserve the needs_recovery flag when the journal is aborted

From: Theodore Ts'o commit 97abd7d4b5d9c48ec15c425485f054e1c15e591b upstream. If the journal is aborted, the needs_recovery feature flag should not be removed. Otherwise, it's the journal might not get replayed and this could lead to more data getting lost. Signed-off-by: Theodore Ts'o

[PATCH 3.10 238/268] mm: Tighten x86 /dev/mem with zeroing reads

From: Kees Cook commit a4866aa812518ed1a37d8ea0c881dc946409de94 upstream. Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is disallowed. However, on x86, the first 1MB was always allowed for BIOS and similar things, regardless of it actually being System

[PATCH 3.10 238/268] mm: Tighten x86 /dev/mem with zeroing reads

From: Kees Cook commit a4866aa812518ed1a37d8ea0c881dc946409de94 upstream. Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is disallowed. However, on x86, the first 1MB was always allowed for BIOS and similar things, regardless of it actually being System RAM. It was possible for

[PATCH 3.10 004/268] ext4: fix in-superblock mount options processing

From: Theodore Ts'o commit 5aee0f8a3f42c94c5012f1673420aee96315925a upstream. Fix a large number of problems with how we handle mount options in the superblock. For one, if the string in the superblock is long enough that it is not null terminated, we could run off the end of

[PATCH 3.10 213/268] rtc: s35390a: make sure all members in the output are set

From: Uwe Kleine-König commit ac4d4f65bbcba478309de36929016d2618421ba1 upstream. The rtc core calls the .read_alarm with all fields initialized to 0. As the s35390a driver doesn't touch some fields the returned date is interpreted as a date in January 1900. So make sure

[PATCH 3.10 004/268] ext4: fix in-superblock mount options processing

From: Theodore Ts'o commit 5aee0f8a3f42c94c5012f1673420aee96315925a upstream. Fix a large number of problems with how we handle mount options in the superblock. For one, if the string in the superblock is long enough that it is not null terminated, we could run off the end of the string and

[PATCH 3.10 213/268] rtc: s35390a: make sure all members in the output are set

From: Uwe Kleine-König commit ac4d4f65bbcba478309de36929016d2618421ba1 upstream. The rtc core calls the .read_alarm with all fields initialized to 0. As the s35390a driver doesn't touch some fields the returned date is interpreted as a date in January 1900. So make sure all fields are set to

[PATCH 3.10 184/268] dccp: fix memory leak during tear-down of unsuccessful connection request

From: Hannes Frederic Sowa commit 72ef9c4125c7b257e3a714d62d778ab46583d6a3 upstream. This patch fixes a memory leak, which happens if the connection request is not fulfilled between parsing the DCCP options and handling the SYN (because e.g. the backlog is full),

[PATCH 3.10 254/268] sctp: listen on the sock only when it's state is listening or closed

From: Xin Long commit 34b2789f1d9bf8dcca9b5cb553d076ca2cd898ee upstream. Now sctp doesn't check sock's state before listening on it. It could even cause changing a sock with any state to become a listening sock when doing sctp_listen. This patch is to fix it by checking

[PATCH 3.10 216/268] padata: avoid race in reordering

From: "Jason A. Donenfeld" commit de5540d088fe97ad583cc7d396586437b32149a5 upstream. Under extremely heavy uses of padata, crashes occur, and with list debugging turned on, this happens instead: [87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33

[PATCH 3.10 184/268] dccp: fix memory leak during tear-down of unsuccessful connection request

From: Hannes Frederic Sowa commit 72ef9c4125c7b257e3a714d62d778ab46583d6a3 upstream. This patch fixes a memory leak, which happens if the connection request is not fulfilled between parsing the DCCP options and handling the SYN (because e.g. the backlog is full), because we forgot to free the

[PATCH 3.10 254/268] sctp: listen on the sock only when it's state is listening or closed

From: Xin Long commit 34b2789f1d9bf8dcca9b5cb553d076ca2cd898ee upstream. Now sctp doesn't check sock's state before listening on it. It could even cause changing a sock with any state to become a listening sock when doing sctp_listen. This patch is to fix it by checking sock's state in

[PATCH 3.10 216/268] padata: avoid race in reordering

From: "Jason A. Donenfeld" commit de5540d088fe97ad583cc7d396586437b32149a5 upstream. Under extremely heavy uses of padata, crashes occur, and with list debugging turned on, this happens instead: [87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33 __list_add+0xae/0x130 [87487.301868]

[PATCH 3.10 077/268] nfs_write_end(): fix handling of short copies

From: Al Viro commit c0cf3ef5e0f47e385920450b245d22bead93e7ad upstream. What matters when deciding if we should make a page uptodate is not how much we _wanted_ to copy, but how much we actually have copied. As it is, on architectures that do not zero tail on short

[PATCH 3.10 075/268] s390/vmlogrdr: fix IUCV buffer allocation

From: Gerald Schaefer commit 5457e03de918f7a3e294eb9d26a608ab8a579976 upstream. The buffer for iucv_message_receive() needs to be below 2 GB. In __iucv_message_receive(), the buffer address is casted to an u32, which would result in either memory corruption or an

[PATCH 3.10 077/268] nfs_write_end(): fix handling of short copies

From: Al Viro commit c0cf3ef5e0f47e385920450b245d22bead93e7ad upstream. What matters when deciding if we should make a page uptodate is not how much we _wanted_ to copy, but how much we actually have copied. As it is, on architectures that do not zero tail on short copy we can leave

[PATCH 3.10 075/268] s390/vmlogrdr: fix IUCV buffer allocation

From: Gerald Schaefer commit 5457e03de918f7a3e294eb9d26a608ab8a579976 upstream. The buffer for iucv_message_receive() needs to be below 2 GB. In __iucv_message_receive(), the buffer address is casted to an u32, which would result in either memory corruption or an addressing exception when using

[PATCH 3.10 163/268] powerpc/xmon: Fix data-breakpoint

From: Ravi Bangoria commit c21a493a2b44650707d06741601894329486f2ad upstream. Currently xmon data-breakpoint feature is broken. Whenever there is a watchpoint match occurs, hw_breakpoint_handler will be called by do_break via notifier chains mechanism. If

[PATCH 3.10 163/268] powerpc/xmon: Fix data-breakpoint

From: Ravi Bangoria commit c21a493a2b44650707d06741601894329486f2ad upstream. Currently xmon data-breakpoint feature is broken. Whenever there is a watchpoint match occurs, hw_breakpoint_handler will be called by do_break via notifier chains mechanism. If watchpoint is registered by xmon,

[PATCH 3.10 051/268] USB: cdc-acm: fix double usb_autopm_put_interface() in acm_port_activate()

From: Alexey Khoroshilov commit 070c0b17f6a1ba39dff9be112218127e7e8fd456 upstream. If acm_submit_read_urbs() fails in acm_port_activate(), error handling code calls usb_autopm_put_interface() while it is already called before acm_submit_read_urbs(). The patch reorganizes

[PATCH 3.10 268/268] mm: larger stack guard gap, between vmas

From: Hugh Dickins commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream. Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a

[PATCH 3.10 051/268] USB: cdc-acm: fix double usb_autopm_put_interface() in acm_port_activate()

From: Alexey Khoroshilov commit 070c0b17f6a1ba39dff9be112218127e7e8fd456 upstream. If acm_submit_read_urbs() fails in acm_port_activate(), error handling code calls usb_autopm_put_interface() while it is already called before acm_submit_read_urbs(). The patch reorganizes error handling code to

[PATCH 3.10 268/268] mm: larger stack guard gap, between vmas

From: Hugh Dickins commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream. Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a different mapping. But

[PATCH 3.10 058/268] usb: gadget: composite: correctly initialize ep->maxpacket

From: Felipe Balbi commit e8f29bb719b47a234f33b0af62974d7a9521a52c upstream. usb_endpoint_maxp() returns wMaxPacketSize in its raw form. Without taking into consideration that it also contains other bits reserved for isochronous endpoints. This patch fixes one

[PATCH 3.10 116/268] apparmor: check that xindex is in trans_table bounds

From: John Johansen commit 23ca7b640b4a55f8747301b6bd984dd05545f6a7 upstream. Signed-off-by: John Johansen Acked-by: Seth Arnold Signed-off-by: Jiri Slaby Signed-off-by: Willy Tarreau

<    5   6   7   8   9   10   11   12   13   14   >