commit 276f96e2708c85496fd2e8af108caf5fe8882086 Author: Jiri Slaby Date: Wed Jun 10 15:27:29 2015 +0200 Linux 3.12.44 commit 18d22c77444fa5450526610f3763fec929e698b3 Author: Finn Thain Date: Mon Mar 30 12:22:30 2015 +1100 m68k/mac: Fix out-of-bounds array index in OSS IRQ source initialization commit b24f670b7f5b2058b95370caa9f104b3cefb9f1d upstream. Reported-by: David Binderman Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Signed-off-by: Jiri Slaby commit 44fa042f532c7f8ac3421456eaae4255297092e0 Author: Richard Guy Briggs Date: Tue Apr 14 11:01:02 2015 -0400 lsm: copy comm before calling audit_log to avoid race in string printing commit 5deeb5cece3f9b30c8129786726b9d02c412c8ca upstream. When task->comm is passed directly to audit_log_untrustedstring() without getting a copy or using the task_lock, there is a race that could happen that would output a NULL (\0) in the middle of the output string that would effectively truncate the rest of the report text after the comm= field in the audit log message, losing fields. Using get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm would incur potentially unacceptable overhead, considering that the value can be influenced by userspace and therefore untrusted anyways. Copy the value before passing it to audit_log_untrustedstring() ensures that a local copy is used to calculate the length *and* subsequently printed. Even if this value contains a mix of old and new values, it will only calculate and copy up to the first NULL, preventing the rest of the audit log message being truncated. Use a second local copy of comm to avoid a race between the first and second calls to audit_log_untrustedstring() with comm. Reported-by: Tetsuo Handa Signed-off-by: Richard Guy Briggs Signed-off-by: James Morris Signed-off-by: Jiri Slaby commit 62db23cfb6e7a4860684be9d328fd8e22b4f193a Author: Alexander Stein Date: Sat Oct 25 14:26:13 2014 +0200 W1: ds2490: Increase timeout when waiting for status commit d25221525e0e2cfd70e4ec7216549c06609a8bd2 upstream. Adjust the bulk message timeout to the other ones (1000ms). Otherwise the following dmesg errors can be seen on a Raspberry Pi: [ 31.492386] Failed to read 1-wire data from 0x81: err=-110. [ 31.504168] 0x81: count=-110, status: [ 31.613404] Failed to read 1-wire data from 0x81: err=-110. [ 31.621915] 0x81: count=-110, status: [ 43.260968] Failed to read 1-wire data from 0x81: err=-110. [ 43.270998] 0x81: count=-110, status: [ 43.379959] Failed to read 1-wire data from 0x81: err=-110. [ 43.388854] 0x81: count=-110, status: Signed-off-by: Alexander Stein Acked-by: Evgeniy Polyakov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 83de5204d38767e26524ad04e76fdc94ddd61bca Author: Nicholas Mc Guire Date: Thu May 7 14:47:50 2015 +0200 MIPS: KVM: Do not sign extend on unsigned MMIO load commit ed9244e6c534612d2b5ae47feab2f55a0d4b4ced upstream. Fix possible unintended sign extension in unsigned MMIO loads by casting to uint16_t in the case of mmio_needed != 2. Signed-off-by: Nicholas Mc Guire Reviewed-by: James Hogan Tested-by: James Hogan Cc: Gleb Natapov Cc: Paolo Bonzini Cc: kvm@vger.kernel.org Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/9985/ Signed-off-by: Ralf Baechle Signed-off-by: Jiri Slaby commit c7ca19969e7a75c3c2b08b1349b2f7ae9a90a6b0 Author: Michal Hocko Date: Thu Apr 16 12:47:38 2015 -0700 fork: report pid reservation failure properly commit 35f71bc0a09a45924bed268d8ccd0d3407bc476f upstream. copy_process will report any failure in alloc_pid as ENOMEM currently which is misleading because the pid allocation might fail not only when the memory is short but also when the pid space is consumed already. The current man page even mentions this case: : EAGAIN : : A system-imposed limit on the number of threads was encountered. : There are a number of limits that may trigger this error: the : RLIMIT_NPROC soft resource limit (set via setrlimit(2)), which : limits the number of processes and threads for a real user ID, was : reached; the kernel's system-wide limit on the number of processes : and threads, /proc/sys/kernel/threads-max, was reached (see : proc(5)); or the maximum number of PIDs, /proc/sys/kernel/pid_max, : was reached (see proc(5)). so the current behavior is also incorrect wrt. documentation. POSIX man page also suggest returing EAGAIN when the process count limit is reached. This patch simply propagates error code from alloc_pid and makes sure we return -EAGAIN due to reservation failure. This will make behavior of fork closer to both our documentation and POSIX. alloc_pid might alsoo fail when the reaper in the pid namespace is dead (the namespace basically disallows all new processes) and there is no good error code which would match documented ones. We have traditionally returned ENOMEM for this case which is misleading as well but as per Eric W. Biederman this behavior is documented in man pid_namespaces(7) : If the "init" process of a PID namespace terminates, the kernel : terminates all of the processes in the namespace via a SIGKILL signal. : This behavior reflects the fact that the "init" process is essential for : the correct operation of a PID namespace. In this case, a subsequent : fork(2) into this PID namespace will fail with the error ENOMEM; it is : not possible to create a new processes in a PID namespace whose "init" : process has terminated. and introducing a new error code would be too risky so let's stick to ENOMEM for this case. Signed-off-by: Michal Hocko Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Michael Kerrisk Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 56005f9a961016e2977e12f1c5bd69601234c77c Author: Stephan Mueller Date: Tue Mar 10 17:00:36 2015 +0100 crypto: testmgr - fix RNG return code enforcement commit 19e60e1392d110be03d794e2286dd6cfd779cbe3 upstream. Due to the change to RNGs to always return zero in success case, the invocation of the RNGs in the test manager must be updated as otherwise the RNG self tests are not properly executed any more. Signed-off-by: Stephan Mueller Signed-off-by: Alexander Bergmann Signed-off-by: Herbert Xu Signed-off-by: Jiri Slaby commit f60b0fa8bbddde66f1d197be07120264b555c84a Author: Stephan Mueller Date: Fri Mar 6 08:26:31 2015 +0100 crypto: rng - RNGs must return 0 in success case commit cde001e4c3c3625c60b68a83eb1f1c2572dee07a upstream. Change the RNGs to always return 0 in success case. This patch ensures that seqiv.c works with RNGs other than krng. seqiv expects that any return code other than 0 is an error. Without the patch, rfc4106(gcm(aes)) will not work when using a DRBG or an ANSI X9.31 RNG. Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu Signed-off-by: Jiri Slaby commit d7ef875d4e413eaccbd550f9b638e1b9e4201dc6 Author: Julia Lawall Date: Sun Apr 5 14:06:36 2015 +0200 NFC: pn533: fix error return code commit 5df848f37b1d20e5dd64bea16ba9f69ed321e11b upstream. Return a negative error code on failure. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ identifier ret; expression e1,e2; @@ ( if (\(ret < 0\|ret != 0\)) { ... return ret; } | ret = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // Signed-off-by: Julia Lawall Signed-off-by: Samuel Ortiz Signed-off-by: Jiri Slaby commit fd4420aba84b13da95605dfec7721d10dcdcad46 Author: Alexey Khoroshilov Date: Thu Feb 5 22:12:42 2015 -0800 EDAC: Properly unwind on failure path in edac_init() commit c6b97bcf8e3ee6643a7f90a54d1ef3f9e12ec245 upstream. edac_init() does not deallocate already allocated resources on failure path. Found by Linux Driver Verification project (linuxtesting.org). [ Boris: The unwind path functions have __exit annotation but are being used in an __init function, leading to section mismatches. Drop the section annotation and make them normal functions. ] Signed-off-by: Alexey Khoroshilov Link: http://lkml.kernel.org/r/1423203162-26368-1-git-send-email-khoroshilov@ispras.ru Signed-off-by: Borislav Petkov Signed-off-by: Jiri Slaby commit 5d557c9cc29b05fd281ce704070cd487723fc07c Author: Dan Carpenter Date: Sun Mar 15 13:48:03 2015 +0300 isdn: icn: use strlcpy() when parsing setup options commit 10640d34552ccd8fabe7b15b0c4e3a102247952d upstream. If you pass an invalid string here then you probably deserve the memory corruption, but it annoys static analysis tools so lets fix it. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 376ab7b755abd61296eeb1d5f46935a25e907f9f Author: Joerg Roedel Date: Wed Apr 1 14:58:52 2015 +0200 iommu/amd: Correctly encode huge pages in iommu page tables commit d4b036648402bb4ef6d4a0df51375a2fb705b6cc upstream. When a default page-size for given level should be mapped, the level encoding must be 0 rather than 7. This fixes an issue seen on IOMMUv2 hardware, where this encoding is enforced. Tested-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Jiri Slaby commit 253b6d09b48fb739305f0b37676f1de607558e24 Author: Joerg Roedel Date: Wed Apr 1 14:58:51 2015 +0200 iommu/amd: Optimize amd_iommu_iova_to_phys for new fetch_pte interface commit b24b1b63a37d05d61601d643ef30f95dd2452048 upstream. Now that fetch_pte returns the page-size of the pte, this function can be optimized too. Tested-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Jiri Slaby commit ab3a4a534cfc9c591d7708e0cc77b1db0e163631 Author: Joerg Roedel Date: Wed Apr 1 14:58:50 2015 +0200 iommu/amd: Optimize alloc_new_range for new fetch_pte interface commit 5d7c94c3f4f20964b217d64ee44a9a08320c315a upstream. Now that fetch_pte returns the page-size of the pte, the call in this function can also be optimized a little bit. Tested-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Jiri Slaby commit fb44979d5a19ba6c5ae86cc8922ea9e4b41bcace Author: Joerg Roedel Date: Wed Apr 1 14:58:49 2015 +0200 iommu/amd: Optimize iommu_unmap_page for new fetch_pte interface commit 71b390e9bec5121d25c45326ff0b0b96a143f9a8 upstream. Now that fetch_pte returns the page-size of the pte, this function can be optimized a lot. Tested-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Jiri Slaby commit 57bdeb720c85f309ffeb487963d3f46b370b551f Author: Joerg Roedel Date: Wed Apr 1 14:58:48 2015 +0200 iommu/amd: Return the pte page-size in fetch_pte commit 3039ca1b1c37e61cc9239dbb3903db55141ecabd upstream. Extend the fetch_pte function to also return the page-size that is mapped by the returned pte. Tested-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Jiri Slaby commit 8efd02c4eb48212294315514411a6e7a7e57e4da Author: Ian Campbell Date: Mon Jun 1 11:30:24 2015 +0100 xen: netback: read hotplug script once at start of day. [ Upstream commit 31a418986a5852034d520a5bab546821ff1ccf3d ] When we come to tear things down in netback_remove() and generate the uevent it is possible that the xenstore directory has already been removed (details below). In such cases netback_uevent() won't be able to read the hotplug script and will write a xenstore error node. A recent change to the hypervisor exposed this race such that we now sometimes lose it (where apparently we didn't ever before). Instead read the hotplug script configuration during setup and use it for the lifetime of the backend device. The apparently more obvious fix of moving the transition to state=Closed in netback_remove() to after the uevent does not work because it is possible that we are already in state=Closed (in reaction to the guest having disconnected as it shutdown). Being already in Closed means the toolstack is at liberty to start tearing down the xenstore directories. In principal it might be possible to arrange to unregister the device sooner (e.g on transition to Closing) such that xenstore would still be there but this state machine is fragile and prone to anger... A modern Xen system only relies on the hotplug uevent for driver domains, when the backend is in the same domain as the toolstack it will run the necessary setup/teardown directly in the correct sequence wrt xenstore changes. Signed-off-by: Ian Campbell Acked-by: Wei Liu Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit a97b54dd69cb05df4c57f5d5b40c761f7835ce4e Author: Eric Dumazet Date: Sat May 30 09:16:53 2015 -0700 udp: fix behavior of wrong checksums [ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ] We have two problems in UDP stack related to bogus checksums : 1) We return -EAGAIN to application even if receive queue is not empty. This breaks applications using edge trigger epoll() 2) Under UDP flood, we can loop forever without yielding to other processes, potentially hanging the host, especially on non SMP. This patch is an attempt to make things better. We might in the future add extra support for rt applications wanting to better control time spent doing a recv() in a hostile environment. For example we could validate checksums before queuing packets in socket receive queue. Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 5c3604e1e9d83241bd2255cfb8fac1374d26fc50 Author: WANG Cong Date: Tue May 26 16:08:48 2015 -0700 net_sched: invoke ->attach() after setting dev->qdisc [ Upstream commit 86e363dc3b50bfd50a1f315934583fbda673ab8d ] For mq qdisc, we add per tx queue qdisc to root qdisc for display purpose, however, that happens too early, before the new dev->qdisc is finally set, this causes q->list points to an old root qdisc which is going to be freed right before assigning with a new one. Fix this by moving ->attach() after setting dev->qdisc. For the record, this fixes the following crash: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 975 at lib/list_debug.c:59 __list_del_entry+0x5a/0x98() list_del corruption. prev->next should be ffff8800d1998ae8, but was 6b6b6b6b6b6b6b6b CPU: 1 PID: 975 Comm: tc Not tainted 4.1.0-rc4+ #1019 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 0000000000000009 ffff8800d73fb928 ffffffff81a44e7f 0000000047574756 ffff8800d73fb978 ffff8800d73fb968 ffffffff810790da ffff8800cfc4cd20 ffffffff814e725b ffff8800d1998ae8 ffffffff82381250 0000000000000000 Call Trace: [] dump_stack+0x4c/0x65 [] warn_slowpath_common+0x9c/0xb6 [] ? __list_del_entry+0x5a/0x98 [] warn_slowpath_fmt+0x46/0x48 [] ? dev_graft_qdisc+0x5e/0x6a [] __list_del_entry+0x5a/0x98 [] list_del+0xe/0x2d [] qdisc_list_del+0x1e/0x20 [] qdisc_destroy+0x30/0xd6 [] qdisc_graft+0x11d/0x243 [] tc_get_qdisc+0x1a6/0x1d4 [] ? mark_lock+0x2e/0x226 [] rtnetlink_rcv_msg+0x181/0x194 [] ? rtnl_lock+0x17/0x19 [] ? rtnl_lock+0x17/0x19 [] ? __rtnl_unlock+0x17/0x17 [] netlink_rcv_skb+0x4d/0x93 [] rtnetlink_rcv+0x26/0x2d [] netlink_unicast+0xcb/0x150 [] ? might_fault+0x59/0xa9 [] netlink_sendmsg+0x4fa/0x51c [] sock_sendmsg_nosec+0x12/0x1d [] sock_sendmsg+0x29/0x2e [] ___sys_sendmsg+0x1b4/0x23a [] ? native_sched_clock+0x35/0x37 [] ? sched_clock_local+0x12/0x72 [] ? sched_clock_cpu+0x9e/0xb7 [] ? current_kernel_time+0xe/0x32 [] ? lock_release_holdtime.part.29+0x71/0x7f [] ? read_seqcount_begin.constprop.27+0x5f/0x76 [] ? trace_hardirqs_on_caller+0x17d/0x199 [] ? __fget_light+0x50/0x78 [] __sys_sendmsg+0x42/0x60 [] SyS_sendmsg+0x12/0x1c [] system_call_fastpath+0x12/0x6f ---[ end trace ef29d3fb28e97ae7 ]--- For long term, we probably need to clean up the qdisc_graft() code in case it hides other bugs like this. Fixes: 95dc19299f74 ("pkt_sched: give visibility to mq slave qdiscs") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 285826880cc0cb378a31903b863dc4cb2b4342b2 Author: Mark Salyzyn Date: Tue May 26 08:22:19 2015 -0700 unix/caif: sk_socket can disappear when state is unlocked [ Upstream commit b48732e4a48d80ed4a14812f0bab09560846514e ] got a rare NULL pointer dereference in clear_bit Signed-off-by: Mark Salyzyn Acked-by: Hannes Frederic Sowa ---- v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 170ba4f7460901954e41d5915356dfb10247ff63 Author: Richard Cochran Date: Mon May 25 11:55:43 2015 +0200 net: dp83640: fix broken calibration routine. [ Upstream commit 397a253af5031de4a4612210055935309af4472c ] Currently, the calibration function that corrects the initial offsets among multiple devices only works the first time. If the function is called more than once, the calibration fails and bogus offsets will be programmed into the devices. In a well hidden spot, the device documentation tells that trigger indexes 0 and 1 are special in allowing the TRIG_IF_LATE flag to actually work. This patch fixes the issue by using one of the special triggers during the recalibration method. Signed-off-by: Richard Cochran Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 144b2988119e8b58bdb7bef0e51d07dc66b06254 Author: Thadeu Lima de Souza Cascardo Date: Fri May 22 12:18:59 2015 -0300 bridge: fix parsing of MLDv2 reports [ Upstream commit 47cc84ce0c2fe75c99ea5963c4b5704dd78ead54 ] When more than a multicast address is present in a MLDv2 report, all but the first address is ignored, because the code breaks out of the loop if there has not been an error adding that address. This has caused failures when two guests connected through the bridge tried to communicate using IPv6. Neighbor discoveries would not be transmitted to the other guest when both used a link-local address and a static address. This only happens when there is a MLDv2 querier in the network. The fix will only break out of the loop when there is a failure adding a multicast address. The mdb before the patch: dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp dev ovirtmgmt port bond0.86 grp ff02::2 temp After the patch: dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp dev ovirtmgmt port bond0.86 grp ff02::fb temp dev ovirtmgmt port bond0.86 grp ff02::2 temp dev ovirtmgmt port bond0.86 grp ff02::d temp dev ovirtmgmt port vnet0 grp ff02::1:ff00:76 temp dev ovirtmgmt port bond0.86 grp ff02::16 temp dev ovirtmgmt port vnet1 grp ff02::1:ff00:77 temp dev ovirtmgmt port bond0.86 grp ff02::1:ff00:def temp dev ovirtmgmt port bond0.86 grp ff02::1:ffa1:40bf temp Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.") Reported-by: Rik Theys Signed-off-by: Thadeu Lima de Souza Cascardo Tested-by: Rik Theys Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 420431c6299144276e9098b5ea45e610c87cfa0d Author: Eric W. Biederman Date: Fri May 22 04:58:12 2015 -0500 ipv4: Avoid crashing in ip_error [ Upstream commit 381c759d9916c42959515ad34a6d467e24a88e93 ] ip_error does not check if in_dev is NULL before dereferencing it. IThe following sequence of calls is possible: CPU A CPU B ip_rcv_finish ip_route_input_noref() ip_route_input_slow() inetdev_destroy() dst_input() With the result that a network device can be destroyed while processing an input packet. A crash was triggered with only unicast packets in flight, and forwarding enabled on the only network device. The error condition was created by the removal of the network device. As such it is likely the that error code was -EHOSTUNREACH, and the action taken by ip_error (if in_dev had been accessible) would have been to not increment any counters and to have tried and likely failed to send an icmp error as the network device is going away. Therefore handle this weird case by just dropping the packet if !in_dev. It will result in dropping the packet sooner, and will not result in an actual change of behavior. Fixes: 251da4130115b ("ipv4: Cache ip_error() routes even when not forwarding.") Reported-by: Vittorio Gambaletta Tested-by: Vittorio Gambaletta Signed-off-by: Vittorio Gambaletta Signed-off-by: "Eric W. Biederman" Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 0fa9520e7b08f00138cf9a4a95d066492cbcc18d Author: Alexei Starovoitov Date: Fri May 22 15:42:55 2015 -0700 x86: bpf_jit: fix compilation of large bpf programs [ Upstream commit 3f7352bf21f8fd7ba3e2fcef9488756f188e12be ] x86 has variable length encoding. x86 JIT compiler is trying to pick the shortest encoding for given bpf instruction. While doing so the jump targets are changing, so JIT is doing multiple passes over the program. Typical program needs 3 passes. Some very short programs converge with 2 passes. Large programs may need 4 or 5. But specially crafted bpf programs may hit the pass limit and if the program converges on the last iteration the JIT compiler will be producing an image full of 'int 3' insns. Fix this corner case by doing final iteration over bpf program. Fixes: 0a14842f5a3c ("net: filter: Just In Time compiler for x86-64") Reported-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Tested-by: Daniel Borkmann Acked-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 8c35200a686d3647b1ed44c2e803019b529a3ee2 Author: Cass May Date: Sun Feb 15 23:40:18 2015 +0000 dgnc: Move DG_PART definition from Makefile to dgnc_driver.h commit f11cc568758f23088c1f7a8369100c59e4c07bd6 upstream. Avoid deprecated usage of EXTRA_CFLAGS by moving definition of DG_PART into dgnc_driver.h Signed-off-by: Cass May Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit dba21826fae5822a8cc09e041d47f3adf96eab04 Author: Chen Gang Date: Thu Oct 24 09:55:17 2013 +0800 drivers: staging: rtl8188eu: use 'ccflags-y' instead of EXTRA_CFLAGS in Makefile commit 97b0b6ca4c0f0f964d3c6918301ca45353ef8bc5 upstream. If command line use EXTRA_CFLAGS (e.g. "EXTRA_CFLAGS=-mmedium-calls" for arc architecture, with allmodconfig), it can not pass compiling, the related error: drivers/staging/rtl8188eu/core/rtw_ap.c:22:27: fatal error: osdep_service.h: No such file or directory Signed-off-by: Chen Gang Acked-by: Larry Finger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit d5b7aee1b3f1a0263b2c9266ecf08b5293e13139 Author: Chen Gang Date: Sat Sep 21 20:38:30 2013 +0800 drivers: staging: dgap: move DG_NAME and DG_PART from "Makefile" to "dgap_driver.h" commit 6319c61aecc7acaf39a1dc0e81a8aac6a17499ee upstream. Normally, the macros from command line are system specific macros (e.g __linux, __KERNEL__ ...), and module own macros are usually defined in their header files. DG_NAME and DG_PART are driver 'dgap' owned macros which are used by multiple files within driver, and need be defined in the driver main header file. So move DG_NAME and DG_PART to "dgap_driver.h", it not only can make code clearer, but also can avoid compiling failure when EXTRA_CFLAGS appended to make command line (e.g. "EXTRA_CFLAGS=-W"). Signed-off-by: Chen Gang Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit bab6655ecb3ff43da784f5297ac04f5d991c1e23 Author: Andrew Morton Date: Thu May 28 15:44:24 2015 -0700 fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings commit 2b1d3ae940acd11be44c6eced5873d47c2e00ffa upstream. load_elf_binary() returns `retval', not `error'. Fixes: a87938b2e246b81b4fb ("fs/binfmt_elf.c: fix bug in loading of PIE binaries") Reported-by: James Hogan Cc: Michael Davidson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 330c542ff8f659055de1992935abaa18b121379e Author: Sasha Levin Date: Wed Jan 28 15:30:43 2015 -0500 vfs: read file_handle only once in handle_to_path commit 161f873b89136eb1e69477c847d5a5033239d9ba upstream. We used to read file_handle twice. Once to get the amount of extra bytes, and once to fetch the entire structure. This may be problematic since we do size verifications only after the first read, so if the number of extra bytes changes in userspace between the first and second calls, we'll have an incoherent view of file_handle. Instead, read the constant size once, and copy that over to the final structure without having to re-read it again. Signed-off-by: Sasha Levin Cc: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit c58fe902f9b36ae78496b32c0d2d7c05e1c301f5 Author: Christian König Date: Thu May 28 15:51:59 2015 +0200 drm/radeon: partially revert "fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling" commit 7c0411d2fabc2e2702c9871ffb603e251158b317 upstream. We have that bug for years and some users report side effects when fixing it on older hardware. So revert it for VM_CONTEXT0_PAGE_TABLE_END_ADDR, but keep it for VM 1-15. Signed-off-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby commit f798148dddfe30f6a90ab31111f758b6f4058c9b Author: Christian König Date: Tue May 12 14:56:17 2015 +0200 drm/radeon: fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling commit 607d48063512707a414e346972e2210dc71ab491 upstream. The mapping range is inclusive between starting and ending addresses. Signed-off-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby commit 064d3446c61b615ff1efa1baf14809f5ec2bf7e6 Author: Alex Deucher Date: Tue May 12 12:51:38 2015 -0400 drm/radeon: add new bonaire pci id commit fcf3b54282e4c5a95a1f45f67558bc105acdbc6a upstream. Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby commit 2f59a647d404e4bd485bbc52ffc961938ce23e37 Author: Rafael J. Wysocki Date: Thu May 7 21:19:39 2015 +0200 ACPI / init: Fix the ordering of acpi_reserve_resources() commit b9a5e5e18fbf223502c0b2264c15024e393da928 upstream. Since acpi_reserve_resources() is defined as a device_initcall(), there's no guarantee that it will be executed in the right order with respect to the rest of the ACPI initialization code. On some systems this leads to breakage if, for example, the address range that should be reserved for the ACPI fixed registers is given to the PCI host bridge instead if the race is won by the wrong code path. Fix this by turning acpi_reserve_resources() into a void function and calling it directly from within the ACPI initialization sequence. Reported-and-tested-by: George McCollister Link: http://marc.info/?t=143092384600002&r=1&w=2 Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 98ef5398009f2c2bbd58bebfe4f11fbc17b199df Author: Mark Hounschell Date: Wed May 13 10:49:09 2015 +0200 sd: Disable support for 256 byte/sector disks commit 74856fbf441929918c49ff262ace9835048e4e6a upstream. 256 bytes per sector support has been broken since 2.6.X, and no-one stepped up to fix this. So disable support for it. Signed-off-by: Mark Hounschell Signed-off-by: Hannes Reinecke Signed-off-by: James Bottomley Signed-off-by: Jiri Slaby commit 46ea90bbae1e7ead36a867dfefcbb1988d305861 Author: Benjamin Tissoires Date: Thu Apr 23 09:08:43 2015 -0700 Input: elantech - fix semi-mt protocol for v3 HW commit 3c0213d17a09601e0c6c0ae0e27caf70d988290f upstream. When the v3 hardware sees more than one finger, it uses the semi-mt protocol to report the touches. However, it currently works when num_fingers is 0, 1 or 2, but when it is 3 and above, it sends only 1 finger as if num_fingers was 1. This confuses userspace which knows how to deal with extra fingers when all the slots are used, but not when some are missing. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=90101 Signed-off-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 9ad2da11417ffe92aa2daba75c5d13b2481aa6c8 Author: NeilBrown Date: Fri May 8 18:19:34 2015 +1000 md/raid5: don't record new size if resize_stripes fails. commit 6e9eac2dcee5e19f125967dd2be3e36558c42fff upstream. If any memory allocation in resize_stripes fails we will return -ENOMEM, but in some cases we update conf->pool_size anyway. This means that if we try again, the allocations will be assumed to be larger than they are, and badness results. So only update pool_size if there is no error. This bug was introduced in 2.6.17 and the patch is suitable for -stable. Fixes: ad01c9e3752f ("[PATCH] md: Allow stripes to be expanded in preparation for expanding an array") Signed-off-by: NeilBrown Signed-off-by: Jiri Slaby commit bca746037a308e2fbe742248d34635f07be2bfd9 Author: Jean Delvare Date: Mon Apr 20 11:21:13 2015 +0200 thermal: step_wise: Revert optimization Commit 178c2490b99f898efc06d1ad75cadc84f13021a6 ("thermal: step_wise: cdev only needs update on a new target state") broke driver acerhdf. That driver abused the step_wise thermal governor until the bang_bang governor was available, and the optimization broke this usage model. Kernels v3.12 to v3.18 are affected. In v3.19 the acerhdf driver was switched to the bang_bang governor and that solved the problem. For kernels v3.12 to v3.17, the bang_bang governor isn't available yet so the easiest fix is to revert the optimization. Signed-off-by: Jean Delvare Reported-by: Dieter Jurzitza (https://bugzilla.opensuse.org/show_bug.cgi?id=925961) Tested-by: Peter Feuerer Tested-by: Dieter Jurzitza commit d07438719e3e56dc710695c4fe0ec93f6b8de8bc Author: Scott Mayhew Date: Tue Apr 28 16:29:53 2015 -0400 svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures commit 9507271d960a1911a51683888837d75c171cd91f upstream. In an environment where the KDC is running Active Directory, the exported composite name field returned in the context could be large enough to span a page boundary. Attaching a scratch buffer to the decoding xdr_stream helps deal with those cases. The case where we saw this was actually due to behavior that's been fixed in newer gss-proxy versions, but we're fixing it here too. Signed-off-by: Scott Mayhew Reviewed-by: Simo Sorce Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit caf4b0e71fe36cdfb9cafd01fd55da3a086f82cd Author: Mel Gorman Date: Thu May 14 15:17:09 2015 -0700 mm, numa: really disable NUMA balancing by default on single node machines commit b0dc2b9bb4ab782115b964310518ee0b17784277 upstream. NUMA balancing is meant to be disabled by default on UMA machines but the check is using nr_node_ids (highest node) instead of num_online_nodes (online nodes). The consequences are that a UMA machine with a node ID of 1 or higher will enable NUMA balancing. This will incur useless overhead due to minor faults with the impact depending on the workload. These are the impact on the stats when running a kernel build on a single node machine whose node ID happened to be 1: vanilla patched NUMA base PTE updates 5113158 0 NUMA huge PMD updates 643 0 NUMA page range updates 5442374 0 NUMA hint faults 2109622 0 NUMA hint local faults 2109622 0 NUMA hint local percent 100 100 NUMA pages migrated 0 0 Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 3968c39b59983259024faaf0746ab9a122c81e7e Author: Philippe Reynes Date: Wed May 13 00:18:26 2015 +0200 ARM: dts: imx27: only map 4 Kbyte for fec registers commit a29ef819f3f34f89a1b9b6a939b4c1cdfe1e85ce upstream. According to the imx27 documentation, fec has a 4 Kbyte memory space map. Moreover, the actual 16 Kbyte mapping overlaps the SCC (Security Controller) memory register space. So, we reduce the memory register space to 4 Kbyte. Signed-off-by: Philippe Reynes Acked-by: Uwe Kleine-König Fixes: 9f0749e3eb88 ("ARM i.MX27: Add devicetree support") Signed-off-by: Shawn Guo Signed-off-by: Jiri Slaby commit aee7e03ec16673bbd0710144da6295ff1fec1bb9 Author: Janusz Dziedzic Date: Mon May 11 11:31:15 2015 +0200 mac80211: move WEP tailroom size check commit 47b4e1fc4972cc43a19121bc2608a60aef3bf216 upstream. Remove checking tailroom when adding IV as it uses only headroom, and move the check to the ICV generation that actually needs the tailroom. In other case I hit such warning and datapath don't work, when testing: - IBSS + WEP - ath9k with hw crypt enabled - IPv6 data (ping6) WARNING: CPU: 3 PID: 13301 at net/mac80211/wep.c:102 ieee80211_wep_add_iv+0x129/0x190 [mac80211]() [...] Call Trace: [] dump_stack+0x45/0x57 [] warn_slowpath_common+0x8a/0xc0 [] warn_slowpath_null+0x1a/0x20 [] ieee80211_wep_add_iv+0x129/0x190 [mac80211] [] ieee80211_crypto_wep_encrypt+0x6b/0xd0 [mac80211] [] invoke_tx_handlers+0xc51/0xf30 [mac80211] [...] Signed-off-by: Janusz Dziedzic Signed-off-by: Johannes Berg Signed-off-by: Jiri Slaby commit 0f5a0fcfc6d8ca5d6ad53bbfef32f8b69db60ce9 Author: Harald Freudenberger Date: Thu May 21 10:01:11 2015 +0200 crypto: s390/ghash - Fix incorrect ghash icv buffer handling. commit a1cae34e23b1293eccbcc8ee9b39298039c3952a upstream. Multitheaded tests showed that the icv buffer in the current ghash implementation is not handled correctly. A move of this working ghash buffer value to the descriptor context fixed this. Code is tested and verified with an multithreaded application via af_alg interface. Signed-off-by: Harald Freudenberger Signed-off-by: Gerald Schaefer Reported-by: Herbert Xu Signed-off-by: Herbert Xu Signed-off-by: Jiri Slaby commit 9175da111a96a52fa90f7396f3fc9e0e170d85bc Author: Michael Brunner Date: Mon May 11 12:46:49 2015 +0200 gpio: gpio-kempld: Fix get_direction return value commit f230e8ffc03f17bd9d6b90ea890b8252a8cc1821 upstream. This patch fixes an inverted return value of the gpio get_direction function. The wrong value causes the direction sysfs entry and GPIO debugfs file to indicate incorrect GPIO direction settings. In some cases it also prevents setting GPIO output values. The problem is also present in all other stable kernel versions since linux-3.12. Reported-by: Jochen Henneberg Signed-off-by: Michael Brunner Reviewed-by: Guenter Roeck Signed-off-by: Linus Walleij Signed-off-by: Jiri Slaby commit 2cf954cd3fb3047fc81e822f63d4067d4fffe01a Author: Scott Branden Date: Mon Mar 16 10:59:52 2015 -0700 rt2x00: add new rt2800usb device DWA 130 commit ea345c145ff23197eab34d0c4d0c8a93d7bea8c6 upstream. Add the USB Id to link the D-Link DWA 130 USB Wifi adapter to the rt2830 driver. Signed-off-by: Scott Branden Signed-off-by: Pieter Truter Signed-off-by: Kalle Valo Cc: Larry Finger Signed-off-by: Jiri Slaby commit 59f43abf797e35cd4d6d4ea9768250449d505b40 Author: Gabriele Mazzotta Date: Sat Apr 25 19:52:37 2015 +0200 libata: Ignore spurious PHY event on LPM policy change commit 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 upstream. When the LPM policy is set to ATA_LPM_MAX_POWER, the device might generate a spurious PHY event that cuases errors on the link. Ignore this event if it occured within 10s after the policy change. The timeout was chosen observing that on a Dell XPS13 9333 these spurious events can occur up to roughly 6s after the policy change. Link: http://lkml.kernel.org/g/3352987.ugV1Ipy7Z5@xps13 Signed-off-by: Gabriele Mazzotta Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit 4037866e8eb01c45631a093524c37e6b913bab97 Author: Gabriele Mazzotta Date: Sat Apr 25 19:52:36 2015 +0200 libata: Add helper to determine when PHY events should be ignored commit 8393b811f38acdf7fd8da2028708edad3e68ce1f upstream. This is a preparation commit that will allow to add other criteria according to which PHY events should be dropped. Signed-off-by: Gabriele Mazzotta Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit 8755ceb161645e0c3df97203994c20ee15bd8607 Author: Darrick J. Wong Date: Thu May 14 19:11:50 2015 -0400 jbd2: fix r_count overflows leading to buffer overflow in journal recovery commit e531d0bceb402e643a4499de40dd3fa39d8d2e43 upstream. The journal revoke block recovery code does not check r_count for sanity, which means that an evil value of r_count could result in the kernel reading off the end of the revoke table and into whatever garbage lies beyond. This could crash the kernel, so fix that. However, in testing this fix, I discovered that the code to write out the revoke tables also was not correctly checking to see if the block was full -- the current offset check is fine so long as the revoke table space size is a multiple of the record size, but this is not true when either journal_csum_v[23] are set. Signed-off-by: Darrick J. Wong Signed-off-by: Theodore Ts'o Reviewed-by: Jan Kara Signed-off-by: Jiri Slaby commit 4db99fb4177d49120a3515b731705449fc06c611 Author: Eryu Guan Date: Thu May 14 19:00:45 2015 -0400 ext4: check for zero length extent explicitly commit 2f974865ffdfe7b9f46a9940836c8b167342563d upstream. The following commit introduced a bug when checking for zero length extent 5946d08 ext4: check for overlapping extents in ext4_valid_extent_entries() Zero length extent could pass the check if lblock is zero. Adding the explicit check for zero length back. Signed-off-by: Eryu Guan Signed-off-by: Theodore Ts'o Signed-off-by: Jiri Slaby commit d9923656e06dbd51ecdbca53fac8b314cce64e5a Author: Lukas Czerner Date: Thu May 14 18:55:18 2015 -0400 ext4: fix NULL pointer dereference when journal restart fails commit 9d506594069355d1fb2de3f9104667312ff08ed3 upstream. Currently when journal restart fails, we'll have the h_transaction of the handle set to NULL to indicate that the handle has been effectively aborted. We handle this situation quietly in the jbd2_journal_stop() and just free the handle and exit because everything else has been done before we attempted (and failed) to restart the journal. Unfortunately there are a number of problems with that approach introduced with commit 41a5b913197c "jbd2: invalidate handle if jbd2_journal_restart() fails" First of all in ext4 jbd2_journal_stop() will be called through __ext4_journal_stop() where we would try to get a hold of the superblock by dereferencing h_transaction which in this case would lead to NULL pointer dereference and crash. In addition we're going to free the handle regardless of the refcount which is bad as well, because others up the call chain will still reference the handle so we might potentially reference already freed memory. Moreover it's expected that we'll get aborted handle as well as detached handle in some of the journalling function as the error propagates up the stack, so it's unnecessary to call WARN_ON every time we get detached handle. And finally we might leak some memory by forgetting to free reserved handle in jbd2_journal_stop() in the case where handle was detached from the transaction (h_transaction is NULL). Fix the NULL pointer dereference in __ext4_journal_stop() by just calling jbd2_journal_stop() quietly as suggested by Jan Kara. Also fix the potential memory leak in jbd2_journal_stop() and use proper handle refcounting before we attempt to free it to avoid use-after-free issues. And finally remove all WARN_ON(!transaction) from the code so that we do not get random traces when something goes wrong because when journal restart fails we will get to some of those functions. Signed-off-by: Lukas Czerner Signed-off-by: Theodore Ts'o Reviewed-by: Jan Kara Signed-off-by: Jiri Slaby commit f52659df1a7abaddff8f86805983fd6e8a835f41 Author: Ludovic Desroches Date: Wed May 6 15:16:46 2015 +0200 mmc: atmel-mci: fix bad variable type for clkdiv commit 60c8f783a18feb95ad967c87e9660caf09fb4700 upstream. clkdiv is declared as an u32 but it can be set to a negative value causing a huge divisor value. Change its type to int to avoid this case. Signed-off-by: Ludovic Desroches Signed-off-by: Ulf Hansson Signed-off-by: Jiri Slaby commit 573993239da1d4f271f0a6f865e019c9bf525432 Author: Anton Blanchard Date: Thu May 14 14:45:40 2015 +1000 powerpc: Align TOC to 256 bytes commit 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 upstream. Recent toolchains force the TOC to be 256 byte aligned. We need to enforce this alignment in our linker script, otherwise pointers to our TOC variables (__toc_start, __prom_init_toc_start) could be incorrect. If they are bad, we die a few hundred instructions into boot. Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Signed-off-by: Jiri Slaby commit 4623c6e3424e683af46569b17038feb6ef50a4ad Author: Krzysztof Opasiak Date: Fri Mar 20 15:48:56 2015 +0100 usb: gadget: configfs: Fix interfaces array NULL-termination commit 903124fe1aa284f61745a9dd4fbfa0184e569fff upstream. memset() to 0 interfaces array before reusing usb_configuration structure. This commit fix bug: ln -s functions/acm.1 configs/c.1 ln -s functions/acm.2 configs/c.1 ln -s functions/acm.3 configs/c.1 echo "UDC name" > UDC echo "" > UDC rm configs/c.1/acm.* rmdir functions/* mkdir functions/ecm.usb0 ln -s functions/ecm.usb0 configs/c.1 echo "UDC name" > UDC [ 82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 82.229009] pgd = c0004000 [ 82.231698] [00000000] *pgd=00000000 [ 82.235260] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [ 82.240638] Modules linked in: [ 82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39 [ 82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) [ 82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000 [ 82.261393] PC is at composite_setup+0xe3c/0x1674 [ 82.266073] LR is at composite_setup+0xf20/0x1674 [ 82.270760] pc : [] lr : [] psr: 600001d3 [ 82.270760] sp : c07c9df0 ip : c0806448 fp : ed8c9c9c [ 82.282216] r10: 00000001 r9 : 00000000 r8 : edaae918 [ 82.287425] r7 : ed551cc0 r6 : 00007fff r5 : 00000000 r4 : ed799634 [ 82.293934] r3 : 00000003 r2 : 00010002 r1 : edaae918 r0 : 0000002e [ 82.300446] Flags: nZCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment kernel [ 82.307910] Control: 10c5387d Table: 6bc1804a DAC: 00000015 [ 82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210) [ 82.319627] Stack: (0xc07c9df0 to 0xc07ca000) [ 82.323969] 9de0: 00000000 c06e65f4 00000000 c07c9f68 [ 82.332130] 9e00: 00000067 c07c59ac 000003f7 edaae918 ed8c9c98 ed799690 eca2f140 200001d3 [ 82.340289] 9e20: ee79a2d8 c07c9e88 c07c5304 ffff55db 00010002 edaae810 edaae860 eda96d50 [ 82.348448] 9e40: 00000009 ee264510 00000007 c07ca444 edaae860 c0340890 c0827a40 ffff55e0 [ 82.356607] 9e60: c0827a40 eda96e40 ee264510 edaae810 00000000 edaae860 00000007 c07ca444 [ 82.364766] 9e80: edaae860 c0354170 c03407dc c033db4c edaae810 00000000 00000000 00000010 [ 82.372925] 9ea0: 00000032 c0341670 00000000 00000000 00000001 eda96e00 00000000 00000000 [ 82.381084] 9ec0: 00000000 00000032 c0803a23 ee1aa840 00000001 c005d54c 249e2450 00000000 [ 82.389244] 9ee0: 200001d3 ee1aa840 ee1aa8a0 ed84f4c0 00000000 c07c9f68 00000067 c07c59ac [ 82.397403] 9f00: 00000000 c005d688 ee1aa840 ee1aa8a0 c07db4b4 c006009c 00000032 00000000 [ 82.405562] 9f20: 00000001 c005ce20 c07c59ac c005cf34 f002000c c07ca780 c07c9f68 00000057 [ 82.413722] 9f40: f0020000 413fc090 00000001 c00086b4 c000f804 60000053 ffffffff c07c9f9c [ 82.421880] 9f60: c0803a20 c0011fc0 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c [ 82.430040] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0 [ 82.438199] 9fa0: c000f800 c000f804 60000053 ffffffff 00000000 c0050e70 c0803bc0 c0783bd8 [ 82.446358] 9fc0: ffffffff ffffffff c0783664 00000000 00000000 c07b13e8 00000000 c0803e54 [ 82.454517] 9fe0: c07ca480 c07b13e4 c07ce40c 4000406a 00000000 40008074 00000000 00000000 [ 82.462689] [] (composite_setup) from [] (s3c_hsotg_complete_setup+0xb4/0x418) [ 82.471626] [] (s3c_hsotg_complete_setup) from [] (usb_gadget_giveback_request+0xc/0x10) [ 82.481429] [] (usb_gadget_giveback_request) from [] (s3c_hsotg_complete_request+0xcc/0x12c) [ 82.491583] [] (s3c_hsotg_complete_request) from [] (s3c_hsotg_irq+0x4fc/0x558) [ 82.500614] [] (s3c_hsotg_irq) from [] (handle_irq_event_percpu+0x50/0x150) [ 82.509291] [] (handle_irq_event_percpu) from [] (handle_irq_event+0x3c/0x5c) [ 82.518145] [] (handle_irq_event) from [] (handle_fasteoi_irq+0xd4/0x18c) [ 82.526650] [] (handle_fasteoi_irq) from [] (generic_handle_irq+0x20/0x30) [ 82.535242] [] (generic_handle_irq) from [] (__handle_domain_irq+0x6c/0xdc) [ 82.543923] [] (__handle_domain_irq) from [] (gic_handle_irq+0x2c/0x6c) [ 82.552256] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x74) [ 82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0) [ 82.564753] 9f60: 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c [ 82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0 [ 82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff [ 82.586113] [] (__irq_svc) from [] (arch_cpu_idle+0x30/0x3c) [ 82.593491] [] (arch_cpu_idle) from [] (cpu_startup_entry+0x128/0x1a4) [ 82.601740] [] (cpu_startup_entry) from [] (start_kernel+0x350/0x3bc) [ 82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000) [ 82.615965] ---[ end trace f57d5f599a5f1bfa ]--- Most of kernel code assume that interface array in struct usb_configuration is NULL terminated. When gadget is composed with configfs configuration structure may be reused for different functions set. This bug happens because purge_configs_funcs() sets only next_interface_id to 0. Interface array still contains pointers to already freed interfaces. If in second try we add less interfaces than earlier we may access unallocated memory when trying to get interface descriptors. Signed-off-by: Krzysztof Opasiak Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 7bf8bb8bad65b8fd000f874b7fd1750fceea25d0 Author: Hans de Goede Date: Thu Apr 30 11:09:44 2015 +0200 usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices commit 172115090f5e739660b97694618a2ba86457063a upstream. Without this flag some versions of these enclosures do not work. Reported-and-tested-by: Christian Schaller Signed-off-by: Hans de Goede Signed-off-by: Jiri Slaby commit b707e13c04b3f2323e63d2b67f666cb7c0fb1c04 Author: Mark Edwards Date: Tue Apr 14 08:52:34 2015 -0400 USB: cp210x: add ID for KCF Technologies PRN device commit c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 upstream. Added the USB serial console device ID for KCF Technologies PRN device which has a USB port for its serial console. Signed-off-by: Mark Edwards Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 65c675804e608267b58ee5e1b0a46aae9f716444 Author: Jason A. Donenfeld Date: Wed Apr 22 14:35:08 2015 +0200 USB: pl2303: Remove support for Samsung I330 commit 48ef23a4f686b1e4519d4193c20d26834ff810ff upstream. This phone is already supported by the visor driver. Signed-off-by: Jason A. Donenfeld Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit de7788481e8f2d7cd76f1715ead68b962d751b75 Author: Jason A. Donenfeld Date: Wed Apr 22 14:35:09 2015 +0200 USB: visor: Match I330 phone more precisely commit 82ee3aeb9295c5fc37fd2ddf20f13ac2b40ec97d upstream. Samsung has just released a portable USB3 SSD, coming in a very small and nice form factor. It's USB ID is 04e8:8001, which unfortunately is already used by the Palm Visor driver for the Samsung I330 phone cradle. Having pl2303 or visor pick up this device ID results in conflicts with the usb-storage driver, which handles the newly released portable USB3 SSD. To work around this conflict, I've dug up a mailing list post [1] from a long time ago, in which a user posts the full USB descriptor information. The most specific value in this appears to be the interface class, which has value 255 (0xff). Since usb-storage requires an interface class of 0x8, I believe it's correct to disambiguate the two devices by matching on 0xff inside visor. [1] http://permalink.gmane.org/gmane.linux.usb.user/4264 Signed-off-by: Jason A. Donenfeld Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 245ac1a15a1b1ba5ec60ca8479b6bd5451e55c0d Author: Joe Lawrence Date: Thu Apr 30 17:16:04 2015 +0300 xhci: gracefully handle xhci_irq dead device commit 948fa13504f80b9765d2b753691ab94c83a10341 upstream. If the xHCI host controller has died (ie, device removed) or suffered other serious fatal error (STS_FATAL), then xhci_irq should handle this condition with IRQ_HANDLED instead of -ESHUTDOWN. Signed-off-by: Joe Lawrence Signed-off-by: Mathias Nyman Signed-off-by: Jiri Slaby commit ef4a35936faac72268fe6ae7e97120ad85b7b72d Author: Mathias Nyman Date: Thu Apr 30 17:16:03 2015 +0300 xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 commit 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 upstream. Our event ring consists of only one segment, and we risk filling the event ring in case we get isoc transfers with short intervals such as webcams that fill a TD every microframe (125us) With 64 TRB segment size one usb camera could fill the event ring in 8ms. A setup with several cameras and other devices can fill up the event ring as it is shared between all devices. This has occurred when uvcvideo queues 5 * 32TD URBs which then get cancelled when the video mode changes. The cancelled URBs are returned in the xhci interrupt context and blocks the interrupt handler from handling the new events. A full event ring will block xhci from scheduling traffic and affect all devices conneted to the xhci, will see errors such as Missed Service Intervals for isoc devices, and and Split transaction errors for LS/FS interrupt devices. Increasing the TRB_PER_SEGMENT will also increase the default endpoint ring size, which is welcome as for most isoc transfer we had to dynamically expand the endpoint ring anyway to be able to queue the 5 * 32TDs uvcvideo queues. The default size used to be 64 TRBs per segment Signed-off-by: Mathias Nyman Signed-off-by: Jiri Slaby commit eb536420a4bf1dd6334867cf9c1343d105e070a8 Author: Mathias Nyman Date: Thu Apr 30 17:16:02 2015 +0300 xhci: fix isoc endpoint dequeue from advancing too far on transaction error commit d104d0152a97fade389f47635b73a9ccc7295d0b upstream. Isoc TDs usually consist of one TRB, sometimes two. When all goes well we receive only one success event for a TD, and move the dequeue pointer to the next TD. This fails if the TD consists of two TRBs and we get a transfer error on the first TRB, we will then see two events for that TD. Fix this by making sure the event we get is for the last TRB in that TD before moving the dequeue pointer to the next TD. This will resolve some of the uvc and dvb issues with the "ERROR Transfer event TRB DMA ptr not part of current TD" error message Signed-off-by: Mathias Nyman Signed-off-by: Jiri Slaby commit c9b036ca04b6b269d23fecb100b258b7bc6d4fd2 Author: Andy Grover Date: Fri May 22 14:07:44 2015 -0700 target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST commit 5a7125c64def3b21f8147eca8b54949a60963942 upstream. See https://bugzilla.redhat.com/show_bug.cgi?id=1025672 We need to put() the reference to the scsi host that we got in pscsi_configure_device(). In VIRTUAL_HOST mode it is associated with the dev_virt, not the hba_virt. Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 7e99e685f1e4eeddc6de8cd020eddb8deb32fcf1 Author: Zidan Wang Date: Tue May 12 14:58:50 2015 +0800 ASoC: wm8994: correct BCLK DIV 348 to 384 commit 17fc2e0a3db11889e942c5ab15a1fcb876638f25 upstream. According to the RM of wm8958, BCLK DIV 348 doesn't exist, correct it to 384. Signed-off-by: Zidan Wang Acked-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 6ed3f9d0909d1b36e7feff9ddba7ca9f6d0bd3fc Author: Zidan Wang Date: Tue May 12 14:58:36 2015 +0800 ASoC: wm8960: fix "RINPUT3" audio route error commit 85e36a1f4a735d991ba5106781ea48e89a0b8901 upstream. It should be "RINPUT3" instead of "LINPUT3" route to "Right Input Mixer". Signed-off-by: Zidan Wang Acked-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 3d17fe528ef422017016f9ebb2a7e896b1088bff Author: Axel Lin Date: Mon Apr 27 14:51:35 2015 +0800 ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls commit 545774bd6e1427d98dde77244329d2311c5eca6f upstream. mc13xxx_reg_rmw() won't change any bit if passing 0 to the mask field. Pass AUDIO_SSI_SEL instead of 0 for the mask field to set AUDIO_SSI_SEL bit. Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit e638b75d064def1c04d8b39042100192810da277 Author: Takashi Iwai Date: Fri May 1 09:20:34 2015 +0200 ALSA: hda - Add headphone quirk for Lifebook E752 commit 88776f366ede7d9cdce60bd2c9753dd6d6fa8b77 upstream. Fujitsu Lifebook E752 laptop needs a similar quirk done for Lifebook T731. Otherwise the headphone is always muted. Reported-and-tested-by: Christian Weber Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 9bf5b2bde0405de196bee79267aed2b14deca5b6 Author: David Henningsson Date: Wed May 13 13:28:54 2015 +0200 ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724 commit 6ffc0898b29a2811a6c0569c5dd9b581980110df upstream. This patch adds support for Conexant HD Audio codecs CX20721, CX20722, CX20723 and CX20724. BugLink: https://bugs.launchpad.net/bugs/1454656 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 7ab65a19e352f341efaa56a4ee4c5ac34dfc29fc Author: Al Viro Date: Thu May 28 23:09:19 2015 -0400 d_walk() might skip too much commit 2159184ea01e4ae7d15f2017e296d4bc82d5aeb0 upstream. when we find that a child has died while we'd been trying to ascend, we should go into the first live sibling itself, rather than its sibling. Off-by-one in question had been introduced in "deal with deadlock in d_walk()" and the fix needs to be backported to all branches this one has been backported to. Signed-off-by: Al Viro Signed-off-by: Jiri Slaby commit 1a3b140801f7ad16c40c5f170a0b77b92149c269 Author: Jan Kara Date: Tue Jun 2 17:10:28 2015 +0200 lib: Fix strnlen_user() to not touch memory after specified maximum commit f18c34e483ff6b1d9866472221e4015b3a4698e4 upstream. If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit ddafeade843ee16b8a7c9ef9ac8b3792a0b83048 Author: Guenter Roeck Date: Thu May 28 09:08:09 2015 -0700 hwmon: (nct6775) Add missing sysfs attribute initialization commit 1b63bf617206ff35b93c57c67bbe067ac735a85a upstream. The following error message is seen when loading the nct6775 driver with DEBUG_LOCK_ALLOC enabled. BUG: key ffff88040b2f0030 not in .data! ------------[ cut here ]------------ WARNING: CPU: 0 PID: 186 at kernel/locking/lockdep.c:2988 lockdep_init_map+0x469/0x630() DEBUG_LOCKS_WARN_ON(1) Caused by a missing call to sysfs_attr_init() when initializing sysfs attributes. Reported-by: Alexey Orishko Reviewed-by: Jean Delvare Signed-off-by: Guenter Roeck Signed-off-by: Jiri Slaby commit 6ca3b824c2d270188fbaf1a402b3f39ef803aeba Author: Chris Lesiak Date: Tue May 26 15:40:44 2015 -0500 hwmon: (ntc_thermistor) Ensure iio channel is of type IIO_VOLTAGE commit adba657533bdd255f7b78bc8a324091f46b294cd upstream. When configured via device tree, the associated iio device needs to be measuring voltage for the conversion to resistance to be correct. Return -EINVAL if that is not the case. Signed-off-by: Chris Lesiak Signed-off-by: Guenter Roeck Signed-off-by: Jiri Slaby commit db02077307011751a0225845664bb212d76e87bc Author: David Vrabel Date: Tue May 19 18:40:49 2015 +0100 xen/events: don't bind non-percpu VIRQs with percpu chip commit 77bb3dfdc0d554befad58fdefbc41be5bc3ed38a upstream. A non-percpu VIRQ (e.g., VIRQ_CONSOLE) may be freed on a different VCPU than it is bound to. This can result in a race between handle_percpu_irq() and removing the action in __free_irq() because handle_percpu_irq() does not take desc->lock. The interrupt handler sees a NULL action and oopses. Only use the percpu chip/handler for per-CPU VIRQs (like VIRQ_TIMER). # cat /proc/interrupts | grep virq 40: 87246 0 xen-percpu-virq timer0 44: 0 0 xen-percpu-virq debug0 47: 0 20995 xen-percpu-virq timer1 51: 0 0 xen-percpu-virq debug1 69: 0 0 xen-dyn-virq xen-pcpu 74: 0 0 xen-dyn-virq mce 75: 29 0 xen-dyn-virq hvc_console Signed-off-by: David Vrabel Signed-off-by: Jiri Slaby commit 74b65e99d99c940a7fa731a317d13bc0b3b34911 Author: Ilya Dryomov Date: Mon May 11 17:53:10 2015 +0300 libceph: request a new osdmap if lingering request maps to no osd commit b0494532214bdfbf241e94fabab5dd46f7b82631 upstream. This commit does two things. First, if there are any homeless lingering requests, we now request a new osdmap even if the osdmap that is being processed brought no changes, i.e. if a given lingering request turned homeless in one of the previous epochs and remained homeless in the current epoch. Not doing so leaves us with a stale osdmap and as a result we may miss our window for reestablishing the watch and lose notifies. MON=1 OSD=1: # cat linger-needmap.sh #!/bin/bash rbd create --size 1 test DEV=$(rbd map test) ceph osd out 0 rbd map dne/dne # obtain a new osdmap as a side effect (!) sleep 1 ceph osd in 0 rbd resize --size 2 test # rbd info test | grep size -> 2M # blockdev --getsize $DEV -> 1M N.B.: Not obtaining a new osdmap in between "osd out" and "osd in" above is enough to make it miss that resize notify, but that is a bug^Wlimitation of ceph watch/notify v1. Second, homeless lingering requests are now kicked just like those lingering requests whose mapping has changed. This is mainly to recognize that a homeless lingering request makes no sense and to preserve the invariant that a registered lingering request is not sitting on any of r_req_lru_item lists. This spares us a WARN_ON, which commit ba9d114ec557 ("libceph: clear r_req_lru_item in __unregister_linger_request()") tried to fix the _wrong_ way. Signed-off-by: Ilya Dryomov Reviewed-by: Sage Weil Signed-off-by: Jiri Slaby commit cbcba3e43dc6f8b2643c4a098e55e75e4df413b8 Author: Rusty Russell Date: Wed May 27 10:59:26 2015 +0930 lguest: fix out-by-one error in address checking. commit 83a35114d0e4583e6b0ca39502e68b6a92e2910c upstream. This bug has been there since day 1; addresses in the top guest physical page weren't considered valid. You could map that page (the check in check_gpte() is correct), but if a guest tried to put a pagetable there we'd check that address manually when walking it, and kill the guest. Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 1f6a5cfb178e69cfd86018bb9a66675f1207f84f Author: Sasha Levin Date: Thu May 28 15:44:29 2015 -0700 fs, omfs: add NULL terminator in the end up the token list commit dcbff39da3d815f08750552fdd04f96b51751129 upstream. match_token() expects a NULL terminator at the end of the token list so that it would know where to stop. Not having one causes it to overrun to invalid memory. In practice, passing a mount option that omfs didn't recognize would sometimes panic the system. Signed-off-by: Sasha Levin Signed-off-by: Bob Copeland Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit af0cc4dcf7516ee72b6333a4172798e504c4ace3 Author: Junling Zheng Date: Mon Jun 1 09:28:00 2015 +0000 net: socket: Fix the wrong returns for recvmsg and sendmsg Based on 08adb7dabd4874cc5666b4490653b26534702ce0 upstream. We found that after v3.10.73, recvmsg might return -EFAULT while -EINVAL was expected. We tested it through the recvmsg01 testcase come from LTP testsuit. It set msg->msg_namelen to -1 and the recvmsg syscall returned errno 14, which is unexpected (errno 22 is expected): recvmsg01 4 TFAIL : invalid socket length ; returned -1 (expected -1), errno 14 (expected 22) Linux mainline has no this bug for commit 08adb7dab fixes it accidentally. However, it is too large and complex to be backported to LTS 3.10. Commit 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour) made get_compat_msghdr() return error if msg_sys->msg_namelen was negative, which changed the behaviors of recvmsg and sendmsg syscall in a lib32 system: Before commit 281c9c36, get_compat_msghdr() wouldn't fail and it would return -EINVAL in move_addr_to_user() or somewhere if msg_sys->msg_namelen was invalid and then syscall returned -EINVAL, which is correct. And now, when msg_sys->msg_namelen is negative, get_compat_msghdr() will fail and wants to return -EINVAL, however, the outer syscall will return -EFAULT directly, which is unexpected. This patch gets the return value of get_compat_msghdr() as well as copy_msghdr_from_user(), then returns this expected value if get_compat_msghdr() fails. Fixes: 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour) Signed-off-by: Junling Zheng Signed-off-by: Hanbing Xu Cc: Li Zefan Cc: Al Viro Cc: David Miller Signed-off-by: Jiri Slaby commit ea294409959184a82c482ca5becd408d9fe7aeb8 Author: Paolo Bonzini Date: Thu Apr 2 11:04:05 2015 +0200 KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages commit 898761158be7682082955e3efa4ad24725305fc7 upstream. smep_andnot_wp is initialized in kvm_init_shadow_mmu and shadow pages should not be reused for different values of it. Thus, it has to be added to the mask in kvm_mmu_pte_write. Reviewed-by: Xiao Guangrong Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 1a6d0d9797f71212b371fe7c288d1d28131e9010 Author: Mel Gorman Date: Wed Jan 29 14:05:42 2014 -0800 mm: numa: initialise numa balancing after jump label initialisation commit c297663c0b3930491a3cb2aba4b6e5a7159c3503 upstream. The command line parsing takes place before jump labels are initialised which generates a warning if numa_balancing= is specified and CONFIG_JUMP_LABEL is set. On older kernels before commit c4b2c0c5f647 ("static_key: WARN on usage before jump_label_init was called") the kernel would have crashed. This patch enables automatic numa balancing later in the initialisation process if numa_balancing= is specified. Signed-off-by: Mel Gorman Acked-by: Rik van Riel Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit bd7044dfd8a3bcfd386d2cd7f0c01ba884a2cc88 Author: Russell King Date: Fri May 15 11:02:23 2015 +0100 ARM: fix missing syscall trace exit commit 1b97937246d8b97c0760d16d8992c7937bdf5e6a upstream. Josh Stone reports: I've discovered a case where both arm and arm64 will miss a ptrace syscall-exit that they should report. If the syscall is entered without TIF_SYSCALL_TRACE set, then it goes on the fast path. It's then possible to have TIF_SYSCALL_TRACE added in the middle of the syscall, but ret_fast_syscall doesn't check this flag again. Fix this by always checking for a syscall trace in the fast exit path. Reported-by: Josh Stone Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit 8657b17804d605d79cfa0d5aff080f15e787fbc1 Author: Larry Finger Date: Fri Apr 24 11:03:37 2015 -0500 rtlwifi: rtl8192cu: Fix kernel deadlock commit 414b7e3b9ce8b0577f613e656fdbc36b34b444dd upstream. The USB mini-driver in rtlwifi, which is used by rtl8192cu, issues a call to usb_control_msg() with a timeout value of 0. In some instances where the interface is shutting down, this infinite wait results in a CPU deadlock. A one second timeout fixes this problem without affecting any normal operations. This bug is reported at https://bugzilla.novell.com/show_bug.cgi?id=927786. Reported-by: Bernhard Wiedemann Tested-by: Bernhard Wiedemann Signed-off-by: Larry Finger Cc: Stable Cc: Bernhard Wiedemann Cc: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Jiri Slaby commit a8484fc37ca4d536e5327c6fc9072e4be40ac014 Author: Steve French Date: Mon Oct 14 00:44:19 2013 -0500 Fix corrupt SMB2 ioctl requests commit 7ff8d45c9dccf0744404d6fe44468ede7c1b9533 upstream. We were off by one calculating the length of ioctls in some cases because the protocol specification for SMB2 ioctl includes a mininum one byte payload but not all SMB2 ioctl requests actually have a data buffer to send. We were also not zeroing out the return buffer (in case of error this is helpful). Signed-off-by: Steve French Signed-off-by: Jiri Slaby commit 266ed50f2a81a882d54c4ff7452bca370f396bae Author: Dan Carpenter Date: Thu Feb 5 10:37:33 2015 +0300 vhost/scsi: potential memory corruption commit 59c816c1f24df0204e01851431d3bab3eb76719c upstream. This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt" to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16. I looked at the context and it turns out that in vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so anything higher than 255 then it is invalid. I have made that the limit now. In vhost_scsi_send_evt() we mask away values higher than 255, but now that the limit has changed, we don't need the mask. Signed-off-by: Dan Carpenter Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit ec61e07b4192d5bbc5fb3ef80d7e6e36e09ddf57 Author: jmarchan@redhat.com Date: Wed Jan 15 16:27:11 2014 +0100 powerpc/mm: Fix mmap errno when MAP_FIXED is set and mapping exceeds the allowed address space commit 19751c07b3728748c1253627ce94e6906fa5e273 upstream. According to Posix, if MAP_FIXED is specified mmap shall set ENOMEM if the requested mapping exceeds the allowed range for address space of the process. The generic code set it right, but the specific powerpc slice_get_unmapped_area() function currently returns -EINVAL in that case. This patch corrects it. Signed-off-by: Jerome Marchand Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Jiri Slaby commit dd1723e681b0aa529cc43d404339232a55067ad2 Author: Aravind Gopalakrishnan Date: Mon Nov 10 14:24:26 2014 -0600 perf/x86/amd/ibs: Update IBS MSRs and feature definitions commit 904cb3677f3adcd3d837be0a0d0b14251ba8d6f7 upstream. New Fam15h models carry extra feature bits and extend the MSR register space for IBS ops. Adding them here. While at it, add functionality to read IbsBrTarget and OpData4 depending on their availability if user wants a PERF_SAMPLE_RAW. Signed-off-by: Aravind Gopalakrishnan Acked-by: Borislav Petkov Cc: Paolo Bonzini Cc: Jan Kiszka Cc: Len Brown Cc: Fenghua Yu Cc: Peter Zijlstra Cc: Cc: Link: http://lkml.kernel.org/r/1415651066-13523-1-git-send-email-Aravind.Gopalakrishnan@amd.com Signed-off-by: Ingo Molnar Signed-off-by: Jiri Slaby commit 5ad7463fd6bf6187f15324c42337d9a5fbf2a1e9 Author: K. Y. Srinivasan Date: Fri May 1 11:03:02 2015 -0700 storvsc: Set the SRB flags correctly when no data transfer is needed commit dc45708ca9988656d706940df5fd102672c5de92 upstream. Set the SRB flags correctly when there is no data transfer. Without this change some IHV drivers will fail valid commands such as TEST_UNIT_READY. Cc: Signed-off-by: K. Y. Srinivasan Reviewed-by: Long Li Signed-off-by: James Bottomley Signed-off-by: Jiri Slaby commit 41771451c8448d5c4a7770b596c199e3ce0d5517 Author: Aravind Gopalakrishnan Date: Thu Aug 14 18:15:27 2014 -0500 hwmon: (k10temp) Add support for F15h M60h commit f89ce2706d8341c921b96e13a00b951a10eed308 upstream. This patch adds temperature monitoring support for F15h M60h processor. - Add new pci device id for the relevant processor - The functionality of REG_REPORTED_TEMPERATURE is moved to D0F0xBC_xD820_0CA4 [Reported Temperature Control] - So, use this to get CUR_TEMP value - Since we need an indirect register access, protect this with a mutex lock - Add Kconfig, Doc entries to indicate support for this processor. Signed-off-by: Aravind Gopalakrishnan Acked-by: Borislav Petkov Acked-by: Clemens Ladisch [Guenter Roeck: Declare new mutex and function static] Signed-off-by: Guenter Roeck Signed-off-by: Jiri Slaby commit 0fc90046c26f0deef817d6f25b8c32205af2b2af Author: Aravind Gopalakrishnan Date: Tue Mar 11 16:25:59 2014 -0500 hwmon: (k10temp) Add support for AMD F16 M30h processor commit ec0159503ae74aeb834e78366bdf4b9663ca1129 upstream. Adding new PCI ID to support AMD F16 M30h processor (Mullins). While at it, modify Kconfig and Doc files to reflect the support for newer processors Note: PCI ID for this processor will make it into pci_ids.h as part of this patch: http://marc.info/?l=linux-kernel&m=139291362126057&w=2 which should be pulled into 3.15 when merge window opens (It currently sits in 'for-next' branch of bp.git- https://git.kernel.org/cgit/linux/kernel/git/bp/bp.git/log/?h=for-next) Signed-off-by: Aravind Gopalakrishnan Signed-off-by: Guenter Roeck Signed-off-by: Jiri Slaby commit 2b419962df81739e1c643c37f01eea88761039b3 Author: Aravind Gopalakrishnan Date: Thu Feb 20 10:28:46 2014 -0600 amd64_edac: Add support for newer F16h models commit 85a8885bd0e00569108aa7b5e26b89c752e3cd51 upstream. Extend ECC decoding support for F16h M30h. Tested on F16h M30h with ECC turned on using mce_amd_inj module and the patch works fine. Signed-off-by: Aravind Gopalakrishnan Link: http://lkml.kernel.org/r/1392913726-16961-1-git-send-email-Aravind.Gopalakrishnan@amd.com Tested-by: Arindam Nath Acked-by: H. Peter Anvin Signed-off-by: Borislav Petkov Signed-off-by: Jiri Slaby commit c4f02d5466f24128c097d03752e4d1283058824b Author: Chen Gang Date: Sat Nov 1 19:46:12 2014 +0800 qla2xxx: remove redundant declaration in 'qla_gbl.h' commit 9493c2422cae272d6f1f567cbb424195defe4176 upstream. Remove 2 redundant extern inline functions: qla8044_set_qsnt_ready() and qla8044_need_reset_handler(). At present, within upstream next kernel source code, they are only used within "drivers/scsi/qla2xxx/qla_nx2.c". The related error and warnings (with allmodconfig under tile): CC [M] drivers/scsi/qla2xxx/qla_nx2.o drivers/scsi/qla2xxx/qla_nx2.c:1633:1: error: static declaration of 'qla8044_need_reset_handler' follows non-static declaration qla8044_need_reset_handler(struct scsi_qla_host *vha) ^ In file included from drivers/scsi/qla2xxx/qla_def.h:3706:0, from drivers/scsi/qla2xxx/qla_nx2.c:11: drivers/scsi/qla2xxx/qla_gbl.h:756:20: note: previous declaration of 'qla8044_need_reset_handler' was here extern inline void qla8044_need_reset_handler(struct scsi_qla_host *vha); ^ drivers/scsi/qla2xxx/qla_gbl.h:756:20: warning: inline function 'qla8044_need_reset_handler' declared but never defined make[3]: *** [drivers/scsi/qla2xxx/qla_nx2.o] Error 1 make[2]: *** [drivers/scsi/qla2xxx] Error 2 make[1]: *** [drivers/scsi] Error 2 make: *** [drivers] Error 2 CC [M] drivers/scsi/qla2xxx/qla_tmpl.o In file included from drivers/scsi/qla2xxx/qla_def.h:3706:0, from drivers/scsi/qla2xxx/qla_tmpl.c:7: drivers/scsi/qla2xxx/qla_gbl.h:755:20: warning: inline function 'qla8044_set_qsnt_ready' declared but never defined extern inline void qla8044_set_qsnt_ready(struct scsi_qla_host *vha); ^ Signed-off-by: Chen Gang Acked-by: Saurav Kashyap Signed-off-by: Christoph Hellwig Signed-off-by: Jiri Slaby commit d87c448139ad3042ffdf2f30372b6e0a75c2f742 Author: Kirill A. Shutemov Date: Mon Oct 20 12:23:12 2014 +0300 kernel: use the gnu89 standard explicitly commit 51b97e354ba9fce1890cf38ecc754aa49677fc89 upstream. Sasha Levin reports: "gcc5 changes the default standard to c11, which makes kernel build unhappy Explicitly define the kernel standard to be gnu89 which should keep everything working exactly like it was before gcc5" There are multiple small issues with the new default, but the biggest issue seems to be that the old - and very useful - GNU extension to allow a cast in front of an initializer has gone away. Patch updated by Kirill: "I'm pretty sure all gcc versions you can build kernel with supports -std=gnu89. cc-option is redunrant. We also need to adjust HOSTCFLAGS otherwise allmodconfig fails for me" Note by Andrew Pinski: "Yes it was reported and both problems relating to this extension has been added to gnu99 and gnu11. Though there are other issues with the kernel dealing with extern inline have different semantics between gnu89 and gnu99/11" End result: we may be able to move up to a newer stdc model eventually, but right now the newer models have some annoying deficiencies, so the traditional "gnu89" model ends up being the preferred one. Signed-off-by: Sasha Levin Singed-off-by: Kirill A. Shutemov Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 23cb03e4f0be8264f68d5d458755ee99dc8419b3 Author: Behan Webster Date: Wed Oct 29 15:42:21 2014 -0700 staging, rtl8192e, LLVMLinux: Remove unused inline prototype commit 62ec95f86d2850b7ce6d73fb236a6fcf48411aea upstream. rtllib_probe_req is defined as "static inline" in rtllib_softmac.c however it is declared differently as "extern inline" in rtllib_softmac.h. Since it isn't used outside of the scope of rtllib_softmac, it makes sense to remove the incorrect declaration. Signed-off-by: Behan Webster Suggested-by: Arnd Bergmann Cc: Arnd Bergmann Signed-off-by: Jiri Slaby commit 410dfdf95dcc0c6e2c8e955662db7c6beeb5bc06 Author: Arnd Bergmann Date: Thu Jun 5 22:48:15 2014 +0200 staging: rtl8712, rtl8712: avoid lots of build warnings commit 0c9f3a65c5eb7fe1fc611a22eb8a8b71ea865998 upstream. The rtl8712 driver has an 'extern inline' function that contains an 'if', which causes lots of warnings with CONFIG_PROFILE_ALL_BRANCHES overriding the definition of 'if': drivers/staging/rtl8712/ieee80211.h:759:229: warning: '______f' is static but declared in inline function 'ieee80211_get_hdrlen' which is not static [enabled by default] This changes the driver to use 'static inline' instead, which happens to be the correct annotation anyway. Signed-off-by: Arnd Bergmann Cc: Larry Finger Cc: Florian Schilhabel Signed-off-by: Jiri Slaby commit 0c26d88da9ef571abb0166b30f1b31ad0d171730 Author: Behan Webster Date: Wed Oct 29 15:42:20 2014 -0700 staging, rtl8192e, LLVMLinux: Change extern inline to static inline commit 6d91857d4826b382b3fd4fad95f52713be646f96 upstream. With compilers which follow the C99 standard (like modern versions of gcc and clang), "extern inline" does the opposite thing from older versions of gcc (emits code for an externally linkable version of the inline function). "static inline" does the intended behavior in all cases instead. Signed-off-by: Behan Webster Suggested-by: Arnd Bergmann Cc: Arnd Bergmann Signed-off-by: Jiri Slaby commit 50defa03f66e012438528be00a1ccca23c4c007e Author: Greg Kroah-Hartman Date: Sat May 23 13:26:23 2015 -0700 staging: wlags49_h2: fix extern inline functions Patch not upstream as this driver is deleted there. Fix up some "extern inline" functions as they break the build when using a "modern" complier (i.e. gcc5). Signed-off-by: Jiri Slaby commit 1ac03d64ccd7923fe6eebd87908f06700dbf1e37 Author: Logan Gunthorpe Date: Sat May 9 11:09:11 2015 -0600 Added another USB product ID for ELAN touchscreen quirks. commit dc703ec22074d9c71a12da20670369fac3ea4296 upstream. I've had the same issue as described in commit c68929f75dfcb6354918862b91b5778585de1fa5 Except my touchscreen's ID is ID 04f3:0125 Elan Microelectronics Corp. Signed-off-by: Logan Gunthorpe Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit fb6af6cb768a33df9ecc7ace4481da155396bd04 Author: Heinrich Schuchardt Date: Tue Apr 28 19:30:47 2015 +0200 usb: chipidea: debug: avoid out of bound read commit bd5fb0aec3dd7cde7ec4c397b10e55d4c9626d8d upstream. A string written by the user may not be zero terminated. sscanf may read memory beyond the buffer if no zero byte is found. For testing build with CONFIG_USB_CHIPIDEA=y, CONFIG_USB_CHIPIDEA_DEBUG=y. Signed-off-by: Heinrich Schuchardt Signed-off-by: Peter Chen Signed-off-by: Jiri Slaby commit ae35eaa4844b87826202fb4ccd3483586d64c2d7 Author: Ming-ting Yao Wei Date: Tue Apr 14 16:59:11 2015 -0700 Input: xpad - add rumble support for Xbox One controller commit 0604949ce3b9a59cff419daf706272620a9a0df0 upstream. This adds rumble support for Xbox One controller by sending continuous rumble command. Trigger button rumbling is not yet implemented. Signed-off-by: Ming-ting Yao Wei Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 5c2747507dcd611da078fdf66be467bdef3975a2 Author: Tommi Rantala Date: Thu Oct 16 14:02:07 2014 -0700 Input: xpad - add Thrustmaster as Xbox 360 controller vendor commit 4dfb15cd5aaa6682e93854a74b394a1c95b82621 upstream. Add Thrustmaster as Xbox 360 controller vendor. This is required for example to make the GP XID (044f:b326) gamepad work. Signed-off-by: Tommi Rantala Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 9a30c06838feb1263b5cae05e7f871d99e7da94f Author: Ted Mielczarek Date: Fri Aug 8 11:21:59 2014 -0700 Input: xpad - add support for Xbox One controllers commit 1a48ff81b3912be5fadae3fafde6c2f632246a4c upstream. Xbox One controllers require an initialization message to start sending data, so xpad_init_output becomes a required function. The Xbox One controller does not have LEDs like the Xbox 360 controller, so that functionality is not implemented. The format of messages controlling rumble is currently undocumented, so rumble support is not yet implemented. Note that Xbox One controller advertises three interfaces with the same interface class, subclass and protocol, so we have to also match against interface number. Signed-off-by: Ted Mielczarek Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 8452773259cd552c289fa422209bcc12d59270e6 Author: Tomeu Vizoso Date: Mon Apr 6 09:44:59 2015 -0700 Input: cros_ec_keyb - fix clearing keyboard state on wakeup commit ef30a406468a3eae007210ae0dc5ed8d5eb59b7d upstream. As the comment right before explains, the keyboard state is to be cleared only if the EC wasn't a wakeup source in the last suspend. Without this commit, there's an unneeded delay when resuming from suspend and we also lose the key that was pressed while suspended. Signed-off-by: Tomeu Vizoso Reviewed-by: Javier Martinez Canillas Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 58afd668e242b6af089940d1b85eeb2be59fa691 Author: Lars Poeschel Date: Tue Mar 24 09:25:10 2015 -0700 Input: usbtouchscreen - add new model from IRTOUCHSYSTEMS commit dbea4032f8024e5ea886341f7c39cf023e30e828 upstream. This adds support for another model of IRTOUCH SYSTEMS Co.,LtD infrared touchscreens. The USB vendorID/deviceID is 6615/0012. It is also sold under the label "Elektrosil". The datasheet states that coordinates for x and y are in the range from 0 to 32767. Signed-off-by: Lars Poeschel Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 7b40fa9889ad0e2b54e5419b1e3a01ff6ab85f16 Author: Jiri Kosina Date: Thu Apr 9 13:32:35 2015 +0200 HID: debug: fix error handling in hid_debug_events_read() commit 8fec02a73e31407e14986fca67dab48d4f777f0e upstream. In the unlikely case of hdev vanishing while hid_debug_events_read() was sleeping, we can't really break out of the case switch as with other cases, as on the way out we'll try to remove ourselves from the hdev waitqueue. Fix this by taking a shortcut exit path and avoiding cleanup that doesn't make sense in case hdev doesn't exist any more anyway. Reported-by: Jiri Slaby Signed-off-by: Jiri Kosina Signed-off-by: Jiri Slaby commit ef18ea6b22587c3778cc71e67a0297ebb0660f65 Author: David Fries Date: Mon Nov 10 20:19:36 2014 -0600 cn: verify msg->len before making callback commit a30cfa475d1a26c18f1998ba1e034a4e2ab4c7a8 upstream. The struct cn_msg len field comes from userspace and needs to be validated. More logical to do so here where the cn_msg pointer is pulled out of the sk_buff than the callback which is passed cn_msg * and might assume no validation is needed. Reported-by: Dan Carpenter Acked-by: Evgeniy Polyakov Signed-off-by: David Fries Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 6ab282fe6d43027b3b1ef820b3798aae8fdb432b Author: Eric W. Biederman Date: Wed Jan 7 14:28:26 2015 -0600 mnt: Fail collect_mounts when applied to unmounted mounts commit cd4a40174b71acd021877341684d8bb1dc8ea4ae upstream. The only users of collect_mounts are in audit_tree.c In audit_trim_trees and audit_add_tree_rule the path passed into collect_mounts is generated from kern_path passed an audit_tree pathname which is guaranteed to be an absolute path. In those cases collect_mounts is obviously intended to work on mounted paths and if a race results in paths that are unmounted when collect_mounts it is reasonable to fail early. The paths passed into audit_tag_tree don't have the absolute path check. But are used to play with fsnotify and otherwise interact with the audit_trees, so again operating only on mounted paths appears reasonable. Avoid having to worry about what happens when we try and audit unmounted filesystems by restricting collect_mounts to mounts that appear in the mount tree. Signed-off-by: "Eric W. Biederman" Signed-off-by: Jiri Slaby commit 0b8b97704fbe442b3bba7a2c7eba9113122abafd Author: Jens Axboe Date: Wed Apr 15 11:17:23 2015 -0600 aio: fix serial draining in exit_aio() commit dc48e56d761610da4ea1088d1bea0a030b8e3e43 upstream. exit_aio() currently serializes killing io contexts. Each context killing ends up having to do percpu_ref_kill(), which in turns has to wait for an RCU grace period. This can take a long time, depending on the number of contexts. And there's no point in doing them serially, when we could be waiting for all of them in one fell swoop. This patches makes my fio thread offload test case exit 0.2s instead of almost 6s. Reviewed-by: Jeff Moyer Signed-off-by: Jens Axboe Signed-off-by: Jiri Slaby commit eb18d4eed036ccf29e4c979d46661c16753f940c Author: Oleg Nesterov Date: Wed Apr 30 19:02:48 2014 +0200 aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock() commit 4b70ac5fd9b58bfaa5f25b4ea48f528aefbf3308 upstream. On 04/30, Benjamin LaHaise wrote: > > > - ctx->mmap_size = 0; > > - > > - kill_ioctx(mm, ctx, NULL); > > + if (ctx) { > > + ctx->mmap_size = 0; > > + kill_ioctx(mm, ctx, NULL); > > + } > > Rather than indenting and moving the two lines changing mmap_size and the > kill_ioctx() call, why not just do "if (!ctx) ... continue;"? That reduces > the number of lines changed and avoid excessive indentation. OK. To me the code looks better/simpler with "if (ctx)", but this is subjective of course, I won't argue. The patch still removes the empty line between mmap_size = 0 and kill_ioctx(), we reset mmap_size only for kill_ioctx(). But feel free to remove this change. ------------------------------------------------------------------------------- Subject: [PATCH v3 1/2] aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock() 1. We can read ->ioctx_table only once and we do not read rcu_read_lock() or even rcu_dereference(). This mm has no users, nobody else can play with ->ioctx_table. Otherwise the code is buggy anyway, if we need rcu_read_lock() in a loop because ->ioctx_table can be updated then kfree(table) is obviously wrong. 2. Update the comment. "exit_mmap(mm) is coming" is the good reason to avoid munmap(), but another reason is that we simply can't do vm_munmap() unless current->mm == mm and this is not true in general, the caller is mmput(). 3. We do not really need to nullify mm->ioctx_table before return, probably the current code does this to catch the potential problems. But in this case RCU_INIT_POINTER(NULL) looks better. Signed-off-by: Oleg Nesterov Signed-off-by: Benjamin LaHaise Signed-off-by: Jiri Slaby commit 4e922faea3afd26f09b1c4cb82c61fe8614c672d Author: Tomas Henzl Date: Fri Jan 23 16:41:20 2015 -0600 hpsa: turn off interrupts when kdump starts commit 3b747298786355c6934b0892fc9ae4ca44105192 upstream. Sometimes when the card is restarted it may cause - "irq 16: nobody cared (try booting with the "irqpoll" option)" that is likely caused so, that the card, after the hard reset finishes, pulls on the irq. Disabling the ints before or after the hpsa_kdump_hard_reset_controller fixes it. At this point we can't know in which state the card is, so using SA5_INTR_OFF + SA5_REPLY_INTR_MASK_OFFSET defines directly, instead of the function the drivers provides, seems to be apropriate. Reviewed-by: Scott Teel Signed-off-by: Don Brace Signed-off-by: Christoph Hellwig Signed-off-by: Jiri Slaby commit 8a26106c31b00766cc3671398b9bdd8d385fa817 Author: Tomas Henzl Date: Fri Sep 12 14:44:15 2014 +0200 hpsa: add missing pci_set_master in kdump path commit 859c75aba20264d87dd026bab0d0ca3bff385955 upstream. Add a call to pci_set_master(...) missing in the previous patch "hpsa: refine the pci enable/disable handling". Found thanks to Rob Elliot. Signed-off-by: Tomas Henzl Reviewed-by: Robert Elliott Tested-by: Robert Elliott Signed-off-by: Christoph Hellwig Signed-off-by: Jiri Slaby commit b30e0283beda471289c36157828db98066599d3d Author: Tomas Henzl Date: Thu Aug 14 16:12:39 2014 +0200 hpsa: refine the pci enable/disable handling commit 132aa220b45d60e9b20def1e9d8be9422eed9616 upstream. When a second(kdump) kernel starts and the hard reset method is used the driver calls pci_disable_device without previously enabling it, so the kernel shows a warning - [ 16.876248] WARNING: at drivers/pci/pci.c:1431 pci_disable_device+0x84/0x90() [ 16.882686] Device hpsa disabling already-disabled device ... This patch fixes it, in addition to this I tried to balance also some other pairs of enable/disable device in the driver. Unfortunately I wasn't able to verify the functionality for the case of a sw reset, because of a lack of proper hw. Signed-off-by: Tomas Henzl Reviewed-by: Stephen M. Cameron Signed-off-by: Christoph Hellwig Signed-off-by: Jiri Slaby commit 4d16cfbf033dac0876ddecf1b2947d1d7d74620c Author: Konrad Rzeszutek Wilk Date: Fri Apr 17 15:04:48 2015 -0400 config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected commit a6dfa128ce5c414ab46b1d690f7a1b8decb8526d upstream. A huge amount of NIC drivers use the DMA API, however if compiled under 32-bit an very important part of the DMA API can be ommitted leading to the drivers not working at all (especially if used with 'swiotlb=force iommu=soft'). As Prashant Sreedharan explains it: "the driver [tg3] uses DEFINE_DMA_UNMAP_ADDR(), dma_unmap_addr_set() to keep a copy of the dma "mapping" and dma_unmap_addr() to get the "mapping" value. On most of the platforms this is a no-op, but ... with "iommu=soft and swiotlb=force" this house keeping is required, ... otherwise we pass 0 while calling pci_unmap_/pci_dma_sync_ instead of the DMA address." As such enable this even when using 32-bit kernels. Reported-by: Ian Jackson Signed-off-by: Konrad Rzeszutek Wilk Acked-by: David S. Miller Acked-by: Prashant Sreedharan Cc: Borislav Petkov Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Michael Chan Cc: Thomas Gleixner Cc: boris.ostrovsky@oracle.com Cc: cascardo@linux.vnet.ibm.com Cc: david.vrabel@citrix.com Cc: sanjeevb@broadcom.com Cc: siva.kallam@broadcom.com Cc: vyasevich@gmail.com Cc: xen-devel@lists.xensource.com Link: http://lkml.kernel.org/r/20150417190448.GA9462@l.oracle.com Signed-off-by: Ingo Molnar Signed-off-by: Jiri Slaby commit 0c716d536970efa2efd0fd50eb04bbf45c95cee7 Author: Martin K. Petersen Date: Mon May 4 12:20:29 2015 -0400 libata: Blacklist queued TRIM on all Samsung 800-series commit 9a9324d3969678d44b330e1230ad2c8ae67acf81 upstream. The queued TRIM problems appear to be generic to Samsung's firmware and not tied to a particular model. A recent update to the 840 EVO firmware introduced the same issue as we saw on 850 Pro. Blacklist queued TRIM on all 800-series drives while we work this issue with Samsung. Reported-by: Günter Waller Reported-by: Sven Köhler Signed-off-by: Martin K. Petersen Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit a48f74a6f8eb9fc39bf7139f4f9f76ba2bbf4312 Author: Martin K. Petersen Date: Fri Mar 27 15:17:20 2015 -0400 libata: Update Crucial/Micron blacklist commit ff7f53fb82a7801a778e5902bdbbc5e195ab0de0 upstream. Micron has released an updated firmware (MU02) for M510/M550/MX100 drives to fix the issues with queued TRIM. Queued TRIM remains broken on M500 but is working fine on later drives such as M600 and MX200. Tweak our blacklist to reflect the above. Link: https://bugzilla.kernel.org/show_bug.cgi?id=71371 Signed-off-by: Martin K. Petersen Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit d4048629324687a62b0487b1430c7a2c019f715e Author: Martin Kaiser Date: Fri Jan 30 15:01:29 2015 +0100 gpio: squelch a compiler warning drivers/gpio/gpiolib-of.c: In function 'of_gpiochip_find_and_xlate': drivers/gpio/gpiolib-of.c:52:21: warning: assignment makes integer from pointer without a cast [enabled by default] gg_data->out_gpio = ERR_PTR(ret); ^ This was introduced in 72464765733575dc89c509f16caabc2af47fda79, a backport of upstream commit 7b8792bbdffdff3abda704f89c6a45ea97afdc62. The upstream kernel changed the type of out_gpio from int to struct gpio_desc * as part of a larger refactoring that wasn't backported Signed-off-by: Martin Kaiser Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 93091169a673f49c2574cddf1ef858cf0704f646 Author: Ian Wilson Date: Sat May 16 20:50:46 2015 +0200 netfilter: Zero the tuple in nfnl_cthelper_parse_tuple() [ upstream commit 78146572b9cd20452da47951812f35b1ad4906be ] nfnl_cthelper_parse_tuple() is called from nfnl_cthelper_new(), nfnl_cthelper_get() and nfnl_cthelper_del(). In each case they pass a pointer to an nf_conntrack_tuple data structure local variable: struct nf_conntrack_tuple tuple; ... ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]); The problem is that this local variable is not initialized, and nfnl_cthelper_parse_tuple() only initializes two fields: src.l3num and dst.protonum. This leaves all other fields with undefined values based on whatever is on the stack: tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM])); tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]); The symptom observed was that when the rpc and tns helpers were added then traffic to port 1536 was being sent to user-space. Signed-off-by: Ian Wilson Signed-off-by: Pablo Neira Ayuso Signed-off-by: Jiri Slaby