[PATCH review for 4.4 31/47] net: core: Prevent from dereferencing null pointer when releasing SKB

From: Myungho Jung [ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ] Added NULL check to make __dev_kfree_skb_irq consistent with kfree family of functions. Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 Signed-off-by: Myungho Jung Signed-off-by: David S. Miller

[PATCH review for 4.4 34/47] usb: plusb: Add support for PL-27A1

From: Roman Spychała [ Upstream commit 6f2aee0c0de6501bbc26fe50c9c7b09a37f7 ] This patch adds support for the PL-27A1 by adding the appropriate USB ID's. This chip is used in the goobay Active USB 3.0 Data Link and Unitek Y-3501 cables. Signed-off-by: Roman Spychała Signed-off-by: David

[PATCH review for 4.4 41/47] parisc: perf: Fix potential NULL pointer dereference

From: Arvind Yadav [ Upstream commit 74e3f6e63da6c8e8246fba1689e040bc926b4a1a ] Fix potential NULL pointer dereference and clean up coding style errors (code indent, trailing whitespaces). Signed-off-by: Arvind Yadav Signed-off-by: Helge

[PATCH review for 4.4 41/47] parisc: perf: Fix potential NULL pointer dereference

From: Arvind Yadav [ Upstream commit 74e3f6e63da6c8e8246fba1689e040bc926b4a1a ] Fix potential NULL pointer dereference and clean up coding style errors (code indent, trailing whitespaces). Signed-off-by: Arvind Yadav Signed-off-by: Helge Deller Signed-off-by: Sasha Levin ---

[PATCH review for 3.18 09/30] tty: goldfish: Fix a parameter of a call to free_irq

From: Christophe JAILLET [ Upstream commit 1a5c2d1de7d35f5eb9793266237903348989502b ] 'request_irq()' and 'free_irq()' should be called with the same dev_id. Signed-off-by: Christophe JAILLET Signed-off-by: Greg Kroah-Hartman

[PATCH review for 3.18 09/30] tty: goldfish: Fix a parameter of a call to free_irq

From: Christophe JAILLET [ Upstream commit 1a5c2d1de7d35f5eb9793266237903348989502b ] 'request_irq()' and 'free_irq()' should be called with the same dev_id. Signed-off-by: Christophe JAILLET Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/tty/goldfish.c | 2 +- 1

[PATCH review for 4.4 17/47] tty: goldfish: Fix a parameter of a call to free_irq

From: Christophe JAILLET [ Upstream commit 1a5c2d1de7d35f5eb9793266237903348989502b ] 'request_irq()' and 'free_irq()' should be called with the same dev_id. Signed-off-by: Christophe JAILLET Signed-off-by: Greg Kroah-Hartman

[PATCH review for 4.4 17/47] tty: goldfish: Fix a parameter of a call to free_irq

From: Christophe JAILLET [ Upstream commit 1a5c2d1de7d35f5eb9793266237903348989502b ] 'request_irq()' and 'free_irq()' should be called with the same dev_id. Signed-off-by: Christophe JAILLET Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/tty/goldfish.c | 2 +- 1

[PATCH review for 4.4 45/47] i2c: meson: fix wrong variable usage in meson_i2c_put_data

From: Heiner Kallweit [ Upstream commit 3b0277f198ac928f323c42e180680d2f79aa980d ] Most likely a copy & paste error. Signed-off-by: Heiner Kallweit Acked-by: Jerome Brunet Signed-off-by: Wolfram Sang

[PATCH review for 4.4 45/47] i2c: meson: fix wrong variable usage in meson_i2c_put_data

From: Heiner Kallweit [ Upstream commit 3b0277f198ac928f323c42e180680d2f79aa980d ] Most likely a copy & paste error. Signed-off-by: Heiner Kallweit Acked-by: Jerome Brunet Signed-off-by: Wolfram Sang Fixes: 30021e3707a7 ("i2c: add support for Amlogic Meson I2C controller") Signed-off-by:

[PATCH review for 3.18 10/30] IB/ipoib: Fix deadlock over vlan_mutex

From: Feras Daoud [ Upstream commit 1c3098cdb05207e740715857df7b0998e372f527 ] This patch fixes Deadlock while executing ipoib_vlan_delete. The function takes the vlan_rwsem semaphore and calls unregister_netdevice. The later function calls ipoib_mcast_stop_thread that

[PATCH review for 3.18 10/30] IB/ipoib: Fix deadlock over vlan_mutex

From: Feras Daoud [ Upstream commit 1c3098cdb05207e740715857df7b0998e372f527 ] This patch fixes Deadlock while executing ipoib_vlan_delete. The function takes the vlan_rwsem semaphore and calls unregister_netdevice. The later function calls ipoib_mcast_stop_thread that cause workqueue flush.

[PATCH review for 4.4 44/47] md/raid10: submit bio directly to replacement disk

From: Shaohua Li [ Upstream commit 6d399783e9d4e9bd44931501948059d24ad96ff8 ] Commit 57c67df(md/raid10: submit IO from originating thread instead of md thread) submits bio directly for normal disks but not for replacement disks. There is no point we shouldn't do this for

[PATCH review for 4.4 44/47] md/raid10: submit bio directly to replacement disk

From: Shaohua Li [ Upstream commit 6d399783e9d4e9bd44931501948059d24ad96ff8 ] Commit 57c67df(md/raid10: submit IO from originating thread instead of md thread) submits bio directly for normal disks but not for replacement disks. There is no point we shouldn't do this for replacement disks. Cc:

[PATCH review for 3.18 02/30] RDS: RDMA: Fix the composite message user notification

From: Santosh Shilimkar [ Upstream commit 941f8d55f6d613a460a5e080d25a38509f45eb75 ] When application sends an RDS RDMA composite message consist of RDMA transfer to be followed up by non RDMA payload, it expect to be notified *only* when the full message gets

[PATCH review for 3.18 02/30] RDS: RDMA: Fix the composite message user notification

From: Santosh Shilimkar [ Upstream commit 941f8d55f6d613a460a5e080d25a38509f45eb75 ] When application sends an RDS RDMA composite message consist of RDMA transfer to be followed up by non RDMA payload, it expect to be notified *only* when the full message gets delivered. RDS RDMA notification

[PATCH review for 3.18 04/30] MIPS: kexec: Do not reserve invalid crashkernel memory on boot

From: Marcin Nowakowski [ Upstream commit a8f108d70c74d83574c157648383eb2e4285a190 ] Do not reserve memory for the crashkernel if the commandline argument points to a wrong location. This can happen if the location is specified wrong or if the same commandline is

[PATCH review for 3.18 04/30] MIPS: kexec: Do not reserve invalid crashkernel memory on boot

From: Marcin Nowakowski [ Upstream commit a8f108d70c74d83574c157648383eb2e4285a190 ] Do not reserve memory for the crashkernel if the commandline argument points to a wrong location. This can happen if the location is specified wrong or if the same commandline is reused when starting the

[PATCH review for 3.18 07/30] hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes

From: Guenter Roeck [ Upstream commit 87cdfa9d60f4f40e6d71b04b10b36d9df3c89282 ] Writes into limit attributes can overflow due to multplications and additions with unbound input values. Writing into fan limit attributes can result in a crash with a division by zero if very

[PATCH review for 3.18 07/30] hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes

From: Guenter Roeck [ Upstream commit 87cdfa9d60f4f40e6d71b04b10b36d9df3c89282 ] Writes into limit attributes can overflow due to multplications and additions with unbound input values. Writing into fan limit attributes can result in a crash with a division by zero if very large values are

[PATCH review for 3.18 11/30] IB/ipoib: rtnl_unlock can not come after free_netdev

From: Feras Daoud [ Upstream commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 ] The ipoib_vlan_add function calls rtnl_unlock after free_netdev, rtnl_unlock not only releases the lock, but also calls netdev_run_todo. The latter function browses the net_todo_list array and

[PATCH review for 3.18 11/30] IB/ipoib: rtnl_unlock can not come after free_netdev

From: Feras Daoud [ Upstream commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 ] The ipoib_vlan_add function calls rtnl_unlock after free_netdev, rtnl_unlock not only releases the lock, but also calls netdev_run_todo. The latter function browses the net_todo_list array and completes the

[PATCH review for 3.18 06/30] clk: wm831x: fix usleep_range with bad range

From: Nicholas Mc Guire [ Upstream commit ed784c532a3d0959db488f40a96c5127f63d42dc ] The delay here is not in atomic context and does not seem critical with respect to precision, but usleep_range(min,max) with min==max results in giving the timer subsystem no room to optimize

[PATCH review for 3.18 06/30] clk: wm831x: fix usleep_range with bad range

From: Nicholas Mc Guire [ Upstream commit ed784c532a3d0959db488f40a96c5127f63d42dc ] The delay here is not in atomic context and does not seem critical with respect to precision, but usleep_range(min,max) with min==max results in giving the timer subsystem no room to optimize uncritical delays.

[PATCH review for 3.18 08/30] ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM

From: Afzal Mohammed [ Upstream commit 8a792e9afbce84a0fdaf213fe42bb97382487094 ] REMAP_VECTORS_TO_RAM depends on DRAM_BASE, but since DRAM_BASE is a hex, REMAP_VECTORS_TO_RAM could never get enabled. Also depending on DRAM_BASE is redundant as whenever

[PATCH review for 3.18 08/30] ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM

From: Afzal Mohammed [ Upstream commit 8a792e9afbce84a0fdaf213fe42bb97382487094 ] REMAP_VECTORS_TO_RAM depends on DRAM_BASE, but since DRAM_BASE is a hex, REMAP_VECTORS_TO_RAM could never get enabled. Also depending on DRAM_BASE is redundant as whenever REMAP_VECTORS_TO_RAM makes itself

[PATCH review for 4.4 36/47] bridge: netlink: register netdevice before executing changelink

From: Ido Schimmel [ Upstream commit 5b8d5429daa05bebef6ffd3297df3b502cc6f184 ] Peter reported a kernel oops when executing the following command: $ ip link add name test type bridge vlan_default_pvid 1 [13634.939408] BUG: unable to handle kernel NULL pointer dereference

[PATCH review for 4.4 36/47] bridge: netlink: register netdevice before executing changelink

From: Ido Schimmel [ Upstream commit 5b8d5429daa05bebef6ffd3297df3b502cc6f184 ] Peter reported a kernel oops when executing the following command: $ ip link add name test type bridge vlan_default_pvid 1 [13634.939408] BUG: unable to handle kernel NULL pointer dereference at 0190

[PATCH review for 4.4 10/47] extcon: axp288: Use vbus-valid instead of -present to determine cable presence

From: Hans de Goede [ Upstream commit 5757aca10146061befd168dab37fb0db1ccd8f73 ] The vbus-present bit in the power status register also gets set to 1 when a usb-host cable (id-pin shorted to ground) is plugged in and a 5v boost converter is supplying 5v to the otg usb bus.

[PATCH review for 4.4 10/47] extcon: axp288: Use vbus-valid instead of -present to determine cable presence

From: Hans de Goede [ Upstream commit 5757aca10146061befd168dab37fb0db1ccd8f73 ] The vbus-present bit in the power status register also gets set to 1 when a usb-host cable (id-pin shorted to ground) is plugged in and a 5v boost converter is supplying 5v to the otg usb bus. This causes a

[PATCH review for 4.4 32/47] net/packet: check length in getsockopt() called with PACKET_HDRLEN

From: Alexander Potapenko [ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ] In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4 |val| remains uninitialized and the syscall may behave differently depending on its value, and even copy garbage to

[PATCH review for 4.4 32/47] net/packet: check length in getsockopt() called with PACKET_HDRLEN

From: Alexander Potapenko [ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ] In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4 |val| remains uninitialized and the syscall may behave differently depending on its value, and even copy garbage to userspace on certain

[PATCH review for 3.18 01/30] drm: bridge: add DT bindings for TI ths8135

From: Bartosz Golaszewski [ Upstream commit 2e644be30fcc08c736f66b60f4898d274d4873ab ] THS8135 is a configurable video DAC. Add DT bindings for this chip. Signed-off-by: Bartosz Golaszewski Reviewed-by: Laurent Pinchart

[PATCH review for 4.4 47/47] libata: transport: Remove circular dependency at free time

From: Gwendal Grignou [ Upstream commit d85fc67dd11e9a32966140677d4d6429ca540b25 ] Without this patch, failed probe would not free resources like irq. ata port tdev object currently hold a reference to the ata port object. Therefore the ata port object release function

[PATCH review for 3.18 01/30] drm: bridge: add DT bindings for TI ths8135

From: Bartosz Golaszewski [ Upstream commit 2e644be30fcc08c736f66b60f4898d274d4873ab ] THS8135 is a configurable video DAC. Add DT bindings for this chip. Signed-off-by: Bartosz Golaszewski Reviewed-by: Laurent Pinchart Acked-by: Rob Herring Signed-off-by: Archit Taneja Link:

[PATCH review for 4.4 47/47] libata: transport: Remove circular dependency at free time

From: Gwendal Grignou [ Upstream commit d85fc67dd11e9a32966140677d4d6429ca540b25 ] Without this patch, failed probe would not free resources like irq. ata port tdev object currently hold a reference to the ata port object. Therefore the ata port object release function will not get called

[PATCH review for 4.4 43/47] rds: ib: add error handle

From: Zhu Yanjun [ Upstream commit 3b12f73a5c2977153f28a224392fd4729b50d1dc ] In the function rds_ib_setup_qp, the error handle is missing. When some error occurs, it is possible that memory leak occurs. As such, error handle is added. Cc: Joe Jin

[PATCH review for 4.4 43/47] rds: ib: add error handle

From: Zhu Yanjun [ Upstream commit 3b12f73a5c2977153f28a224392fd4729b50d1dc ] In the function rds_ib_setup_qp, the error handle is missing. When some error occurs, it is possible that memory leak occurs. As such, error handle is added. Cc: Joe Jin Reviewed-by: Junxiao Bi Reviewed-by:

[PATCH review for 3.18 13/30] USB: serial: mos7720: fix control-message error handling

From: Johan Hovold [ Upstream commit 0d130367abf582e7cbf60075c2a7ab53817b1d14 ] Make sure to log an error on short transfers when reading a device register. Also clear the provided buffer (which if often an uninitialised automatic variable) on errors as the driver currently

[PATCH review for 4.4 46/47] xfs: remove kmem_zalloc_greedy

From: "Darrick J. Wong" [ Upstream commit 08b005f1333154ae5b404ca28766e0ffb9f1c150 ] The sole remaining caller of kmem_zalloc_greedy is bulkstat, which uses it to grab 1-4 pages for staging of inobt records. The infinite loop in the greedy allocation function is

[PATCH review for 4.4 46/47] xfs: remove kmem_zalloc_greedy

From: "Darrick J. Wong" [ Upstream commit 08b005f1333154ae5b404ca28766e0ffb9f1c150 ] The sole remaining caller of kmem_zalloc_greedy is bulkstat, which uses it to grab 1-4 pages for staging of inobt records. The infinite loop in the greedy allocation function is causing hangs[1] in

[PATCH review for 3.18 13/30] USB: serial: mos7720: fix control-message error handling

From: Johan Hovold [ Upstream commit 0d130367abf582e7cbf60075c2a7ab53817b1d14 ] Make sure to log an error on short transfers when reading a device register. Also clear the provided buffer (which if often an uninitialised automatic variable) on errors as the driver currently does not bother to

[PATCH review for 4.4 09/47] igb: re-assign hw address pointer on reset after PCI error

From: Guilherme G Piccoli [ Upstream commit 69b97cf6dbce7403845a28bbc75d57f5be7b12ac ] Whenever the igb driver detects the result of a read operation returns a value composed only by F's (like 0x), it will detach the net_device, clear the hw_addr pointer and

[PATCH review for 4.4 20/47] IB/ipoib: Replace list_del of the neigh->list with list_del_init

From: Feras Daoud [ Upstream commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 ] In order to resolve a situation where a few process delete the same list element in sequence and cause panic, list_del is replaced with list_del_init. In this case if the first process that

[PATCH review for 4.4 09/47] igb: re-assign hw address pointer on reset after PCI error

From: Guilherme G Piccoli [ Upstream commit 69b97cf6dbce7403845a28bbc75d57f5be7b12ac ] Whenever the igb driver detects the result of a read operation returns a value composed only by F's (like 0x), it will detach the net_device, clear the hw_addr pointer and warn to the user that

[PATCH review for 4.4 20/47] IB/ipoib: Replace list_del of the neigh->list with list_del_init

From: Feras Daoud [ Upstream commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 ] In order to resolve a situation where a few process delete the same list element in sequence and cause panic, list_del is replaced with list_del_init. In this case if the first process that calls list_del releases

[PATCH review for 3.18 14/30] USB: serial: mos7840: fix control-message error handling

From: Johan Hovold [ Upstream commit cd8db057e93ddaacbec025b567490555d2bca280 ] Make sure to detect short transfers when reading a device register. The modem-status handling had sufficient error checks in place, but move handling of short transfers into the register accessor

[PATCH review for 3.18 14/30] USB: serial: mos7840: fix control-message error handling

From: Johan Hovold [ Upstream commit cd8db057e93ddaacbec025b567490555d2bca280 ] Make sure to detect short transfers when reading a device register. The modem-status handling had sufficient error checks in place, but move handling of short transfers into the register accessor function itself

[PATCH review for 3.18 30/30] libata: transport: Remove circular dependency at free time

From: Gwendal Grignou [ Upstream commit d85fc67dd11e9a32966140677d4d6429ca540b25 ] Without this patch, failed probe would not free resources like irq. ata port tdev object currently hold a reference to the ata port object. Therefore the ata port object release function

[PATCH review for 3.18 30/30] libata: transport: Remove circular dependency at free time

From: Gwendal Grignou [ Upstream commit d85fc67dd11e9a32966140677d4d6429ca540b25 ] Without this patch, failed probe would not free resources like irq. ata port tdev object currently hold a reference to the ata port object. Therefore the ata port object release function will not get called

[PATCH review for 3.18 26/30] parisc: perf: Fix potential NULL pointer dereference

From: Arvind Yadav [ Upstream commit 74e3f6e63da6c8e8246fba1689e040bc926b4a1a ] Fix potential NULL pointer dereference and clean up coding style errors (code indent, trailing whitespaces). Signed-off-by: Arvind Yadav Signed-off-by: Helge

[PATCH review for 3.18 26/30] parisc: perf: Fix potential NULL pointer dereference

From: Arvind Yadav [ Upstream commit 74e3f6e63da6c8e8246fba1689e040bc926b4a1a ] Fix potential NULL pointer dereference and clean up coding style errors (code indent, trailing whitespaces). Signed-off-by: Arvind Yadav Signed-off-by: Helge Deller Signed-off-by: Sasha Levin ---

[PATCH review for 3.18 28/30] md/raid10: submit bio directly to replacement disk

From: Shaohua Li [ Upstream commit 6d399783e9d4e9bd44931501948059d24ad96ff8 ] Commit 57c67df(md/raid10: submit IO from originating thread instead of md thread) submits bio directly for normal disks but not for replacement disks. There is no point we shouldn't do this for

[PATCH review for 3.18 28/30] md/raid10: submit bio directly to replacement disk

From: Shaohua Li [ Upstream commit 6d399783e9d4e9bd44931501948059d24ad96ff8 ] Commit 57c67df(md/raid10: submit IO from originating thread instead of md thread) submits bio directly for normal disks but not for replacement disks. There is no point we shouldn't do this for replacement disks. Cc:

[PATCH review for 3.18 17/30] audit: log 32-bit socketcalls

From: Richard Guy Briggs [ Upstream commit 62bc306e2083436675e33b5bdeb6a77907d35971 ] 32-bit socketcalls were not being logged by audit on x86_64 systems. Log them. This is basically a duplicate of the call from net/socket.c:sys_socketcall(), but it addresses the impedance

[PATCH review for 3.18 17/30] audit: log 32-bit socketcalls

From: Richard Guy Briggs [ Upstream commit 62bc306e2083436675e33b5bdeb6a77907d35971 ] 32-bit socketcalls were not being logged by audit on x86_64 systems. Log them. This is basically a duplicate of the call from net/socket.c:sys_socketcall(), but it addresses the impedance mismatch between

[PATCH review for 3.18 29/30] xfs: remove kmem_zalloc_greedy

From: "Darrick J. Wong" [ Upstream commit 08b005f1333154ae5b404ca28766e0ffb9f1c150 ] The sole remaining caller of kmem_zalloc_greedy is bulkstat, which uses it to grab 1-4 pages for staging of inobt records. The infinite loop in the greedy allocation function is

[PATCH review for 3.18 29/30] xfs: remove kmem_zalloc_greedy

From: "Darrick J. Wong" [ Upstream commit 08b005f1333154ae5b404ca28766e0ffb9f1c150 ] The sole remaining caller of kmem_zalloc_greedy is bulkstat, which uses it to grab 1-4 pages for staging of inobt records. The infinite loop in the greedy allocation function is causing hangs[1] in

[PATCH review for 3.18 16/30] partitions/efi: Fix integer overflow in GPT size calculation

From: Alden Tondettar [ Upstream commit c5082b70adfe8e1ea1cf4a8eff92c9f260e364d2 ] If a GUID Partition Table claims to have more than 2**25 entries, the calculation of the partition table size in alloc_read_gpt_entries() will overflow a 32-bit integer and not enough

[PATCH review for 3.18 16/30] partitions/efi: Fix integer overflow in GPT size calculation

From: Alden Tondettar [ Upstream commit c5082b70adfe8e1ea1cf4a8eff92c9f260e364d2 ] If a GUID Partition Table claims to have more than 2**25 entries, the calculation of the partition table size in alloc_read_gpt_entries() will overflow a 32-bit integer and not enough space will be allocated for

[PATCH review for 3.18 19/30] net/packet: check length in getsockopt() called with PACKET_HDRLEN

From: Alexander Potapenko [ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ] In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4 |val| remains uninitialized and the syscall may behave differently depending on its value, and even copy garbage to

[PATCH review for 3.18 19/30] net/packet: check length in getsockopt() called with PACKET_HDRLEN

From: Alexander Potapenko [ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ] In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4 |val| remains uninitialized and the syscall may behave differently depending on its value, and even copy garbage to userspace on certain

[PATCH review for 3.18 25/30] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

From: Liping Zhang [ Upstream commit ae5c682113f9f94cc5e76f92cf041ee624c173ee ] The helper->expect_class_max must be set to the total number of expect_policy minus 1, since we will use the statement "if (class > helper->expect_class_max)" to validate the CTA_EXPECT_CLASS

[PATCH review for 3.18 25/30] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

From: Liping Zhang [ Upstream commit ae5c682113f9f94cc5e76f92cf041ee624c173ee ] The helper->expect_class_max must be set to the total number of expect_policy minus 1, since we will use the statement "if (class > helper->expect_class_max)" to validate the CTA_EXPECT_CLASS attr in

[PATCH review for 3.18 24/30] [media] exynos-gsc: Do not swap cb/cr for semi planar formats

From: Thibault Saunier [ Upstream commit d7f3e33df4fbdc9855fb151f4a328ec46447e3ba ] In the case of semi planar formats cb and cr are in the same plane in memory, meaning that will be set to 'cb' whatever the format is, and whatever the (packed) order of those

[PATCH review for 3.18 24/30] [media] exynos-gsc: Do not swap cb/cr for semi planar formats

From: Thibault Saunier [ Upstream commit d7f3e33df4fbdc9855fb151f4a328ec46447e3ba ] In the case of semi planar formats cb and cr are in the same plane in memory, meaning that will be set to 'cb' whatever the format is, and whatever the (packed) order of those components are. Suggested-by:

[PATCH review for 3.18 20/30] team: fix memory leaks

From: Pan Bian [ Upstream commit 72ec0bc64b9a5d8e0efcb717abfc757746b101b7 ] In functions team_nl_send_port_list_get() and team_nl_send_options_get(), pointer skb keeps the return value of nlmsg_new(). When the call to genlmsg_put() fails, the memory is not freed(). This

[PATCH review for 3.18 20/30] team: fix memory leaks

From: Pan Bian [ Upstream commit 72ec0bc64b9a5d8e0efcb717abfc757746b101b7 ] In functions team_nl_send_port_list_get() and team_nl_send_options_get(), pointer skb keeps the return value of nlmsg_new(). When the call to genlmsg_put() fails, the memory is not freed(). This will result in memory

[PATCH review for 3.18 23/30] netfilter: invoke synchronize_rcu after set the _hook_ to NULL

From: Liping Zhang [ Upstream commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b ] Otherwise, another CPU may access the invalid pointer. For example: CPU0CPU1 - rcu_read_lock(); - pfunc = _hook_; _hook_ = NULL;

[PATCH review for 3.18 15/30] pinctrl: mvebu: Use seq_puts() in mvebu_pinconf_group_dbg_show()

From: Markus Elfring [ Upstream commit 420dc61642920849d824a0de2aa853db59f5244f ] Strings which did not contain data format specifications should be put into a sequence. Thus use the corresponding function "seq_puts". This issue was detected by using the

[PATCH review for 3.18 23/30] netfilter: invoke synchronize_rcu after set the _hook_ to NULL

From: Liping Zhang [ Upstream commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b ] Otherwise, another CPU may access the invalid pointer. For example: CPU0CPU1 - rcu_read_lock(); - pfunc = _hook_; _hook_ = NULL; - mod unload

[PATCH review for 3.18 15/30] pinctrl: mvebu: Use seq_puts() in mvebu_pinconf_group_dbg_show()

From: Markus Elfring [ Upstream commit 420dc61642920849d824a0de2aa853db59f5244f ] Strings which did not contain data format specifications should be put into a sequence. Thus use the corresponding function "seq_puts". This issue was detected by using the Coccinelle software. Signed-off-by:

[PATCH review for 3.18 21/30] usb: plusb: Add support for PL-27A1

From: Roman Spychała [ Upstream commit 6f2aee0c0de6501bbc26fe50c9c7b09a37f7 ] This patch adds support for the PL-27A1 by adding the appropriate USB ID's. This chip is used in the goobay Active USB 3.0 Data Link and Unitek Y-3501 cables. Signed-off-by: Roman Spychała

[PATCH review for 3.18 27/30] rds: ib: add error handle

From: Zhu Yanjun [ Upstream commit 3b12f73a5c2977153f28a224392fd4729b50d1dc ] In the function rds_ib_setup_qp, the error handle is missing. When some error occurs, it is possible that memory leak occurs. As such, error handle is added. Cc: Joe Jin

[PATCH review for 3.18 21/30] usb: plusb: Add support for PL-27A1

From: Roman Spychała [ Upstream commit 6f2aee0c0de6501bbc26fe50c9c7b09a37f7 ] This patch adds support for the PL-27A1 by adding the appropriate USB ID's. This chip is used in the goobay Active USB 3.0 Data Link and Unitek Y-3501 cables. Signed-off-by: Roman Spychała Signed-off-by: David

[PATCH review for 3.18 27/30] rds: ib: add error handle

From: Zhu Yanjun [ Upstream commit 3b12f73a5c2977153f28a224392fd4729b50d1dc ] In the function rds_ib_setup_qp, the error handle is missing. When some error occurs, it is possible that memory leak occurs. As such, error handle is added. Cc: Joe Jin Reviewed-by: Junxiao Bi Reviewed-by:

[PATCH review for 3.18 18/30] net: core: Prevent from dereferencing null pointer when releasing SKB

From: Myungho Jung [ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ] Added NULL check to make __dev_kfree_skb_irq consistent with kfree family of functions. Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 Signed-off-by: Myungho Jung

[PATCH review for 3.18 18/30] net: core: Prevent from dereferencing null pointer when releasing SKB

From: Myungho Jung [ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ] Added NULL check to make __dev_kfree_skb_irq consistent with kfree family of functions. Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 Signed-off-by: Myungho Jung Signed-off-by: David S. Miller

[PATCH review for 3.18 22/30] mmc: sdio: fix alignment issue in struct sdio_func

From: Heiner Kallweit [ Upstream commit 5ef1ecf060f28ecef313b5723f1fd39bf5a35f56 ] Certain 64-bit systems (e.g. Amlogic Meson GX) require buffers to be used for DMA to be 8-byte-aligned. struct sdio_func has an embedded small DMA buffer not meeting this requirement. When

[PATCH review for 3.18 22/30] mmc: sdio: fix alignment issue in struct sdio_func

From: Heiner Kallweit [ Upstream commit 5ef1ecf060f28ecef313b5723f1fd39bf5a35f56 ] Certain 64-bit systems (e.g. Amlogic Meson GX) require buffers to be used for DMA to be 8-byte-aligned. struct sdio_func has an embedded small DMA buffer not meeting this requirement. When testing switching to

[PATCH review for 4.4 27/47] audit: log 32-bit socketcalls

From: Richard Guy Briggs [ Upstream commit 62bc306e2083436675e33b5bdeb6a77907d35971 ] 32-bit socketcalls were not being logged by audit on x86_64 systems. Log them. This is basically a duplicate of the call from net/socket.c:sys_socketcall(), but it addresses the impedance

[PATCH review for 4.4 27/47] audit: log 32-bit socketcalls

From: Richard Guy Briggs [ Upstream commit 62bc306e2083436675e33b5bdeb6a77907d35971 ] 32-bit socketcalls were not being logged by audit on x86_64 systems. Log them. This is basically a duplicate of the call from net/socket.c:sys_socketcall(), but it addresses the impedance mismatch between

[PATCH review for 3.18 12/30] IB/ipoib: Replace list_del of the neigh->list with list_del_init

From: Feras Daoud [ Upstream commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 ] In order to resolve a situation where a few process delete the same list element in sequence and cause panic, list_del is replaced with list_del_init. In this case if the first process that

[PATCH review for 3.18 12/30] IB/ipoib: Replace list_del of the neigh->list with list_del_init

From: Feras Daoud [ Upstream commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 ] In order to resolve a situation where a few process delete the same list element in sequence and cause panic, list_del is replaced with list_del_init. In this case if the first process that calls list_del releases

[PATCH review for 4.4 30/47] MIPS: Lantiq: Fix another request_mem_region() return code check

From: Arnd Bergmann [ Upstream commit 98ea51cb0c8ce009d9da1fd7b48f0ff1d7a9bbb0 ] Hauke already fixed a couple of them, but one instance remains that checks for a negative integer when it should check for a NULL pointer: arch/mips/lantiq/xway/sysctrl.c: In function

[PATCH review for 4.4 30/47] MIPS: Lantiq: Fix another request_mem_region() return code check

From: Arnd Bergmann [ Upstream commit 98ea51cb0c8ce009d9da1fd7b48f0ff1d7a9bbb0 ] Hauke already fixed a couple of them, but one instance remains that checks for a negative integer when it should check for a NULL pointer: arch/mips/lantiq/xway/sysctrl.c: In function 'ltq_soc_init':

[PATCH review for 4.4 03/47] GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next

From: Dan Carpenter [ Upstream commit 14d37564fa3dc4e5d4c6828afcd26ac14e6796c5 ] This patch fixes a place where function gfs2_glock_iter_next can reference an invalid error pointer. Signed-off-by: Dan Carpenter Signed-off-by: Bob Peterson

[PATCH review for 4.4 03/47] GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next

From: Dan Carpenter [ Upstream commit 14d37564fa3dc4e5d4c6828afcd26ac14e6796c5 ] This patch fixes a place where function gfs2_glock_iter_next can reference an invalid error pointer. Signed-off-by: Dan Carpenter Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin --- fs/gfs2/glock.c | 12

Re: [PATCH for 4.9 01/39] net: core: Prevent from dereferencing null pointer when releasing SKB

On Mon, Sep 18, 2017 at 10:13:21AM -0400, Sasha Levin wrote: >On Mon, Sep 18, 2017 at 08:41:02AM +0200, Greg KH wrote: >>On Mon, Sep 18, 2017 at 12:19:36AM +0000, Levin, Alexander (Sasha Levin) >>wrote: >>>From: Myungho Jung <mhju...@gmail.co

Re: [PATCH for 4.9 01/39] net: core: Prevent from dereferencing null pointer when releasing SKB

On Mon, Sep 18, 2017 at 10:13:21AM -0400, Sasha Levin wrote: >On Mon, Sep 18, 2017 at 08:41:02AM +0200, Greg KH wrote: >>On Mon, Sep 18, 2017 at 12:19:36AM +0000, Levin, Alexander (Sasha Levin) >>wrote: >>>From: Myungho Jung >>> >>>[ Upstream commi

Re: [PATCH for 4.9 01/39] net: core: Prevent from dereferencing null pointer when releasing SKB

On Mon, Sep 18, 2017 at 08:41:02AM +0200, Greg KH wrote: >On Mon, Sep 18, 2017 at 12:19:36AM +0000, Levin, Alexander (Sasha Levin) wrote: >> From: Myungho Jung <mhju...@gmail.com> >> >> [ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ] >> >> Added

Re: [PATCH for 4.9 01/39] net: core: Prevent from dereferencing null pointer when releasing SKB

On Mon, Sep 18, 2017 at 08:41:02AM +0200, Greg KH wrote: >On Mon, Sep 18, 2017 at 12:19:36AM +0000, Levin, Alexander (Sasha Levin) wrote: >> From: Myungho Jung >> >> [ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ] >> >> Added NULL check to ma

[PATCH for 4.9 26/39] cpufreq: intel_pstate: Update pid_params.sample_rate_ns in pid_param_set()

From: "Rafael J. Wysocki" [ Upstream commit 6e7408acd04d06c04981c0c0fb5a2462b16fae4f ] Fix the debugfs interface for PID tuning to actually update pid_params.sample_rate_ns on PID parameters updates, as changing pid_params.sample_rate_ms via debugfs has no effect

[PATCH for 4.9 26/39] cpufreq: intel_pstate: Update pid_params.sample_rate_ns in pid_param_set()

From: "Rafael J. Wysocki" [ Upstream commit 6e7408acd04d06c04981c0c0fb5a2462b16fae4f ] Fix the debugfs interface for PID tuning to actually update pid_params.sample_rate_ns on PID parameters updates, as changing pid_params.sample_rate_ms via debugfs has no effect now. Fixes: a4675fbc4a7a

[PATCH for 4.9 33/39] netfilter: nf_tables: set pktinfo->thoff at AH header if found

From: Pablo Neira Ayuso [ Upstream commit 568af6de058cb2b0c5b98d98ffcf37cdc6bc38a7 ] Phil Sutter reports that IPv6 AH header matching is broken. From userspace, nft generates bytecode that expects to find the AH header at NFT_PAYLOAD_TRANSPORT_HEADER both for IPv4 and IPv6.

[PATCH for 4.9 21/39] nvme-rdma: handle cpu unplug when re-establishing the controller

From: Sagi Grimberg [ Upstream commit c248c64387fac5a6b31b343d9acb78f478e8619c ] If a cpu unplug event has occured, we need to take the minimum of the provided nr_io_queues and the number of online cpus, otherwise we won't be able to connect them as blk-mq mapping won't

[PATCH for 4.9 33/39] netfilter: nf_tables: set pktinfo->thoff at AH header if found

From: Pablo Neira Ayuso [ Upstream commit 568af6de058cb2b0c5b98d98ffcf37cdc6bc38a7 ] Phil Sutter reports that IPv6 AH header matching is broken. From userspace, nft generates bytecode that expects to find the AH header at NFT_PAYLOAD_TRANSPORT_HEADER both for IPv4 and IPv6. However,

[PATCH for 4.9 21/39] nvme-rdma: handle cpu unplug when re-establishing the controller

From: Sagi Grimberg [ Upstream commit c248c64387fac5a6b31b343d9acb78f478e8619c ] If a cpu unplug event has occured, we need to take the minimum of the provided nr_io_queues and the number of online cpus, otherwise we won't be able to connect them as blk-mq mapping won't dispatch to those

[PATCH for 4.9 22/39] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

From: Liping Zhang [ Upstream commit ae5c682113f9f94cc5e76f92cf041ee624c173ee ] The helper->expect_class_max must be set to the total number of expect_policy minus 1, since we will use the statement "if (class > helper->expect_class_max)" to validate the CTA_EXPECT_CLASS

[PATCH for 4.9 22/39] netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max

From: Liping Zhang [ Upstream commit ae5c682113f9f94cc5e76f92cf041ee624c173ee ] The helper->expect_class_max must be set to the total number of expect_policy minus 1, since we will use the statement "if (class > helper->expect_class_max)" to validate the CTA_EXPECT_CLASS attr in

<    7   8   9   10   11   12   13   14   15   16   >