Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

scripts/tags.sh: Fix regex syntax for etags. #108

Closed
wants to merge 1 commit into from

Conversation

rhapsodist
Copy link

Fix regexp syntax to run TAGS command correctly regarding below patches.

  • [79c704a] add regular expression replacement pattern for memcg
  • [3005286] add pattern for DEFINE_HASHTABLE

Signed-off-by: Sungwook Jung [email protected]

Fix regexp syntax to run TAGS command correctly regarding below patches.
- [79c704a] add regular expression replacement pattern for memcg                                                - [3005286] add pattern for DEFINE_HASHTABLE

Signed-off-by: Sungwook Jung <[email protected]>
hauke pushed a commit to hauke/linux that referenced this pull request Jul 28, 2014
Turn it into (for example):

[    0.073380] x86: Booting SMP configuration:
[    0.074005] .... node   #0, CPUs:          #1   #2   #3   #4   #5   torvalds#6   torvalds#7
[    0.603005] .... node   #1, CPUs:     torvalds#8   torvalds#9  torvalds#10  torvalds#11  torvalds#12  torvalds#13  torvalds#14  torvalds#15
[    1.200005] .... node   #2, CPUs:    torvalds#16  torvalds#17  torvalds#18  torvalds#19  torvalds#20  torvalds#21  torvalds#22  torvalds#23
[    1.796005] .... node   #3, CPUs:    torvalds#24  torvalds#25  torvalds#26  torvalds#27  torvalds#28  torvalds#29  torvalds#30  torvalds#31
[    2.393005] .... node   #4, CPUs:    torvalds#32  torvalds#33  torvalds#34  torvalds#35  torvalds#36  torvalds#37  torvalds#38  torvalds#39
[    2.996005] .... node   #5, CPUs:    torvalds#40  torvalds#41  torvalds#42  torvalds#43  torvalds#44  torvalds#45  torvalds#46  torvalds#47
[    3.600005] .... node   torvalds#6, CPUs:    torvalds#48  torvalds#49  torvalds#50  torvalds#51  #52  #53  torvalds#54  torvalds#55
[    4.202005] .... node   torvalds#7, CPUs:    torvalds#56  torvalds#57  #58  torvalds#59  torvalds#60  torvalds#61  torvalds#62  torvalds#63
[    4.811005] .... node   torvalds#8, CPUs:    torvalds#64  torvalds#65  torvalds#66  torvalds#67  torvalds#68  torvalds#69  #70  torvalds#71
[    5.421006] .... node   torvalds#9, CPUs:    torvalds#72  torvalds#73  torvalds#74  torvalds#75  torvalds#76  torvalds#77  torvalds#78  torvalds#79
[    6.032005] .... node  torvalds#10, CPUs:    torvalds#80  torvalds#81  torvalds#82  torvalds#83  torvalds#84  torvalds#85  torvalds#86  torvalds#87
[    6.648006] .... node  torvalds#11, CPUs:    torvalds#88  torvalds#89  torvalds#90  torvalds#91  torvalds#92  torvalds#93  torvalds#94  torvalds#95
[    7.262005] .... node  torvalds#12, CPUs:    torvalds#96  torvalds#97  torvalds#98  torvalds#99 torvalds#100 torvalds#101 torvalds#102 torvalds#103
[    7.865005] .... node  torvalds#13, CPUs:   torvalds#104 torvalds#105 torvalds#106 torvalds#107 torvalds#108 torvalds#109 torvalds#110 torvalds#111
[    8.466005] .... node  torvalds#14, CPUs:   torvalds#112 torvalds#113 torvalds#114 torvalds#115 torvalds#116 torvalds#117 torvalds#118 torvalds#119
[    9.073006] .... node  torvalds#15, CPUs:   torvalds#120 torvalds#121 torvalds#122 torvalds#123 torvalds#124 torvalds#125 torvalds#126 torvalds#127
[    9.679901] x86: Booted up 16 nodes, 128 CPUs

and drop useless elements.

Change num_digits() to hpa's division-avoiding, cell-phone-typed
version which he went at great lengths and pains to submit on a
Saturday evening.

Signed-off-by: Borislav Petkov <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: Linus Torvalds <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
hauke pushed a commit to hauke/linux that referenced this pull request Jul 28, 2014
Array 'g_iommus' may be freed twice on error recovery path in function
init_dmars() and free_dmar_iommu(), thus cause random system crash as
below.

[    6.774301] IOMMU: dmar init failed
[    6.778310] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[    6.785615] software IO TLB [mem 0x76bcf000-0x7abcf000] (64MB) mapped at [ffff880076bcf000-ffff88007abcefff]
[    6.796887] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
[    6.804173] Modules linked in:
[    6.807731] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.0-rc1+ torvalds#108
[    6.815122] Hardware name: Intel Corporation BRICKLAND/BRICKLAND, BIOS BRIVTIN1.86B.0047.R00.1402050741 02/05/2014
[    6.836000] task: ffff880455a80000 ti: ffff880455a88000 task.ti: ffff880455a88000
[    6.844487] RIP: 0010:[<ffffffff8143eea6>]  [<ffffffff8143eea6>] memcpy+0x6/0x110
[    6.853039] RSP: 0000:ffff880455a89cc8  EFLAGS: 00010293
[    6.859064] RAX: ffff006568636163 RBX: ffff00656863616a RCX: 0000000000000005
[    6.867134] RDX: 0000000000000005 RSI: ffffffff81cdc439 RDI: ffff006568636163
[    6.875205] RBP: ffff880455a89d30 R08: 000000000001bc3b R09: 0000000000000000
[    6.883275] R10: 0000000000000000 R11: ffffffff81cdc43e R12: ffff880455a89da8
[    6.891338] R13: ffff006568636163 R14: 0000000000000005 R15: ffffffff81cdc439
[    6.899408] FS:  0000000000000000(0000) GS:ffff88045b800000(0000) knlGS:0000000000000000
[    6.908575] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    6.915088] CR2: ffff88047e1ff000 CR3: 0000000001e0e000 CR4: 00000000001407f0
[    6.923160] Stack:
[    6.925487]  ffffffff8143c904 ffff88045b407e00 ffff006568636163 ffff006568636163
[    6.934113]  ffffffff8120a1a9 ffffffff81cdc43e 0000000000000007 0000000000000000
[    6.942747]  ffff880455a89da8 ffff006568636163 0000000000000007 ffffffff81cdc439
[    6.951382] Call Trace:
[    6.954197]  [<ffffffff8143c904>] ? vsnprintf+0x124/0x6f0
[    6.960323]  [<ffffffff8120a1a9>] ? __kmalloc_track_caller+0x169/0x360
[    6.967716]  [<ffffffff81440e1b>] kvasprintf+0x6b/0x80
[    6.973552]  [<ffffffff81432bf1>] kobject_set_name_vargs+0x21/0x70
[    6.980552]  [<ffffffff8143393d>] kobject_init_and_add+0x4d/0x90
[    6.987364]  [<ffffffff812067c9>] ? __kmalloc+0x169/0x370
[    6.993492]  [<ffffffff8102dbbc>] ? cache_add_dev+0x17c/0x4f0
[    7.000005]  [<ffffffff8102ddfa>] cache_add_dev+0x3ba/0x4f0
[    7.006327]  [<ffffffff821a87ca>] ? i8237A_init_ops+0x14/0x14
[    7.012842]  [<ffffffff821a87f8>] cache_sysfs_init+0x2e/0x61
[    7.019260]  [<ffffffff81002162>] do_one_initcall+0xf2/0x220
[    7.025679]  [<ffffffff810a4a29>] ? parse_args+0x2c9/0x450
[    7.031903]  [<ffffffff8219d1b1>] kernel_init_freeable+0x1c9/0x25b
[    7.038904]  [<ffffffff8219c8d2>] ? do_early_param+0x8a/0x8a
[    7.045322]  [<ffffffff8184d5e0>] ? rest_init+0x150/0x150
[    7.051447]  [<ffffffff8184d5ee>] kernel_init+0xe/0x100
[    7.057380]  [<ffffffff8187b87c>] ret_from_fork+0x7c/0xb0
[    7.063503]  [<ffffffff8184d5e0>] ? rest_init+0x150/0x150
[    7.069628] Code: 89 e5 53 48 89 fb 75 16 80 7f 3c 00 75 05 e8 d2 f9 ff ff 48 8b 43 58 48 2b 43 50 88 43 4e 5b 5d c3 90 90 90 90 48 89 f8 48 89 d1 <f3> a4 c3 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 20 4c 8b 06 4c 8b
[    7.094960] RIP  [<ffffffff8143eea6>] memcpy+0x6/0x110
[    7.100856]  RSP <ffff880455a89cc8>
[    7.104864] ---[ end trace b5d3fdc6c6c28083 ]---
[    7.110142] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    7.110142]
[    7.120540] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)

Signed-off-by: Jiang Liu <[email protected]>
Signed-off-by: Joerg Roedel <[email protected]>
@rhapsodist rhapsodist closed this Aug 11, 2014
tom3q pushed a commit to tom3q/linux that referenced this pull request Oct 2, 2014
"Helps debug funky firmware issues".

After:
  Starting Linux PPC64 torvalds#108 SMP Wed Aug 6 19:04:51 EST 2014
  -----------------------------------------------------
  ppc64_pft_size    = 0x1a
  phys_mem_size     = 0x200000000
  cpu_features      = 0x17fc7a6c18500249
    possible        = 0x1fffffff18700649
    always          = 0x0000000000000040
  cpu_user_features = 0xdc0065c2 0xee000000
  mmu_features      = 0x5a000001
  firmware_features = 0x00000001405a440b
  htab_hash_mask    = 0x7ffff
  -----------------------------------------------------

Signed-off-by: Benjamin Herrenschmidt <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
aryabinin pushed a commit to aryabinin/linux that referenced this pull request Oct 3, 2014
WARNING: Missing a blank line after declarations
torvalds#108: FILE: arch/arm64/mm/flush.c:114:
+	pmd_t pmd = pmd_mksplitting(*pmdp);
+	VM_BUG_ON(address & ~PMD_MASK);

total: 0 errors, 1 warnings, 72 lines checked

./patches/arm64-mm-enable-rcu-fast_gup.patch has style problems, please review.

If any of these errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Steve Capper <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
aryabinin referenced this pull request in aryabinin/linux Oct 3, 2014
GIT 6fe676b243e5a0cb4cc4d9a4b094de8db0cdbf74

commit e500f488c27659bb6f5d313b336621f3daa67701
Author: Fabian Frederick <[email protected]>
Date:   Wed Oct 1 06:52:06 2014 +0200

    net/dccp/ccid.c: add __init to ccid_activate
    
    ccid_activate is only called by __init ccid_initialize_builtins in same module.
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 0c5b8a46294d43fc63788839d3c18de0961ec1bc
Author: Fabian Frederick <[email protected]>
Date:   Wed Oct 1 06:48:03 2014 +0200

    net/dccp/proto.c: add __init to dccp_mib_init
    
    dccp_mib_init is only called by __init dccp_init in same module.
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 082f58ac4a48d3f5cb4597232cb2ac6823a96f43
Author: Quinn Tran <[email protected]>
Date:   Thu Sep 25 06:22:28 2014 -0400

    target: Fix queue full status NULL pointer for SCF_TRANSPORT_TASK_SENSE
    
    During temporary resource starvation at lower transport layer, command
    is placed on queue full retry path, which expose this problem.  The TCM
    queue full handling of SCF_TRANSPORT_TASK_SENSE currently sends the same
    cmd twice to lower layer.  The 1st time led to cmd normal free path.
    The 2nd time cause Null pointer access.
    
    This regression bug was originally introduced v3.1-rc code in the
    following commit:
    
    commit e057f53308a5f071556ee80586b99ee755bf07f5
    Author: Christoph Hellwig <[email protected]>
    Date:   Mon Oct 17 13:56:41 2011 -0400
    
        target: remove the transport_qf_callback se_cmd callback
    
    Signed-off-by: Quinn Tran <[email protected]>
    Signed-off-by: Saurav Kashyap <[email protected]>
    Cc: <[email protected]> # v3.1+
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit db3a99b9921f27fe71ca8c0f218ee810e0e7fb69
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:19 2014 -0400

    qla_target: rearrange struct qla_tgt_prm
    
    On most (non-x86) 64bit platforms this will remove 8 padding bytes
    from the structure.
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit f9b6721a9cef94908467abf7a2cacbd15a7d23cb
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:18 2014 -0400

    qla_target: improve qlt_unmap_sg()
    
    Remove the inline attribute.  Modern compilers ignore it and the
    function has grown beyond where inline made sense anyway.
    Remove the BUG_ON(!cmd->sg_mapped), and instead return if sg_mapped is
    not set.  Every caller is doing this check, so we might as well have it
    in one place instead of four.
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit 55a9066fffd2f533e7ed434b072469ef09d6c476
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:15 2014 -0400

    qla_target: make some global functions static
    
    Also removes the declarations from the header - including two
    declarations without function definitions or callers.
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit c57010420654aca179c500f61e86315a337244ca
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:14 2014 -0400

    qla_target: remove unused parameter
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit f81ccb489a7a641c1bed41b49cf8d72c199c68d5
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:13 2014 -0400

    target: simplify core_tmr_abort_task
    
    list_for_each_entry_safe is necessary if list objects are deleted from
    the list while traversing it.  Not the case here, so we can use the base
    list_for_each_entry variant.
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit 33940d09937276cd3c81f2874faf43e37c2db0e2
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:12 2014 -0400

    target: encapsulate smp_mb__after_atomic()
    
    The target code has a rather generous helping of smp_mb__after_atomic()
    throughout the code base.  Most atomic operations were followed by one
    and none were preceded by smp_mb__before_atomic(), nor accompanied by a
    comment explaining the need for a barrier.
    
    Instead of trying to prove for every case whether or not it is needed,
    this patch introduces atomic_inc_mb() and atomic_dec_mb(), which
    explicitly include the memory barriers before and after the atomic
    operation.  For now they are defined in a target header, although they
    could be of general use.
    
    Most of the existing atomic/mb combinations were replaced by the new
    helpers.  In a few cases the atomic was sandwiched in
    spin_lock/spin_unlock and I simply removed the barrier.
    
    I suspect that in most cases the correct conversion would have been to
    drop the barrier.  I also suspect that a few cases exist where a) the
    barrier was necessary and b) a second barrier before the atomic would
    have been necessary and got added by this patch.
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit 74ed7e62289dc6d388996d7c8f89c2e7e95b9657
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:11 2014 -0400

    target: remove some smp_mb__after_atomic()s
    
    atomic_inc_return() already does an implicit memory barrier and the
    second case was moved from an atomic to a plain flag operation.  If a
    barrier were needed in the second case, it would have to be smp_mb(),
    not a variant optimized away for x86 and other architectures.
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit 8f83269048628d7b139dacbfc6cc97befcbdd2e9
Author: Joern Engel <[email protected]>
Date:   Tue Sep 16 16:23:10 2014 -0400

    target: simplify core_tmr_release_req()
    
    And while at it, do minimal coding style fixes in the area.
    
    Signed-off-by: Joern Engel <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit 9c7d6154bc4b9dfefd580490cdca5f7c72321464
Author: Andy Grover <[email protected]>
Date:   Mon Jun 30 16:39:46 2014 -0700

    target: Remove core_tpg_release_virtual_lun0 function
    
    Simple and just called from one place.
    
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Andy Grover <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit cd9d7cbaec8b622eee4edcd8bf481c4047f74915
Author: Andy Grover <[email protected]>
Date:   Mon Jun 30 16:39:44 2014 -0700

    target: Change core_dev_del_lun to take a se_lun instead of unpacked_lun
    
    Remove core_tpg_pre_dellun entirely, since we don't need to get/check
    a pointer we already have.
    
    Nothing else can return an error, so core_dev_del_lun can return void.
    
    Rename core_tpg_post_dellun to remove_lun - a clearer name, now that
    pre_dellun is gone.
    
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Andy Grover <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit cc83881f2c57caaf4b14adaffa65595640a59661
Author: Andy Grover <[email protected]>
Date:   Mon Jun 30 16:39:43 2014 -0700

    target: core_tpg_post_dellun can return void
    
    Nothing in it can raise an error.
    
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Andy Grover <[email protected]>
    Signed-off-by: Nicholas Bellinger <[email protected]>

commit 49be17235c0acd96f2ff0fe282867fe3a83f554c
Author: hayeswang <[email protected]>
Date:   Wed Oct 1 13:25:11 2014 +0800

    r8152: disable power cut for RTL8153
    
    The firmware would be clear when the power cut is enabled for
    RTL8153.
    
    Signed-off-by: Hayes Wang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 204c8704128943bf3f8b605f4b40bdc2b6bd89dc
Author: hayeswang <[email protected]>
Date:   Wed Oct 1 13:25:10 2014 +0800

    r8152: remove clearing bp
    
    The xxx_clear_bp() is used to halt the firmware. It only necessary
    for updating the new firmware. Besides, depend on the version of
    the current firmware, it may have problem to halt the firmware
    directly. Finally, halt the firmware would let the firmware code
    useless, and the bugs which are fixed by the firmware would occur.
    
    Signed-off-by: Hayes Wang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit aa55c8e2f7a395dfc9e67fc6637321e19ce9bfe1
Author: Masahiro Yamada <[email protected]>
Date:   Tue Sep 9 20:02:24 2014 +0900

    kbuild: handle C=... and M=... after entering into build directory
    
    This commit avoids processing C=... and M=... twice
    when O=... is also given.
    
    Besides, we can also remove KBUILD_EXTMOD="$(KBUILD_EXTMOD)"
    in the sub-make target.
    
    Signed-off-by: Masahiro Yamada <[email protected]>
    Acked-by: Peter Foley <[email protected]>
    Signed-off-by: Michal Marek <[email protected]>

commit 745a254322c898dadf019342cd7140f7867d2d0f
Author: Masahiro Yamada <[email protected]>
Date:   Tue Sep 9 20:02:23 2014 +0900

    kbuild: use $(Q) for sub-make target
    
    Since commit 066b7ed9558087a7957a1128f27d7a3462ff117f
    (kbuild: Do not print the build directory with make -s),
    "Q" is defined above the sub-make target.
    
    This commit takes advantage of that and replaces
    "$(if $(KBUILD_VERBOSE:1=),@)" with "$(Q)".
    
    Signed-off-by: Masahiro Yamada <[email protected]>
    Acked-by: Peter Foley <[email protected]>
    Signed-off-by: Michal Marek <[email protected]>

commit 7ff525712acf9325e9acdb27bbc93049ea2e850c
Author: Masahiro Yamada <[email protected]>
Date:   Tue Sep 9 20:02:22 2014 +0900

    kbuild: fake the "Entering directory ..." message more simply
    
    Commit c2e28dc975ea87feed84415006ae143424912ac7
    (kbuild: Print the name of the build directory)
    added a gimmick to show the "Entering directory ...".
    
    Instead of echoing the hard-coded message (that is, we need to know
    the exact message), moving --no-print-directory would be easier.
    
    Signed-off-by: Masahiro Yamada <[email protected]>
    Acked-by: Peter Foley <[email protected]>
    Signed-off-by: Michal Marek <[email protected]>

commit 1b0ecb28b0cc216535ce6477d39aa610c3ff68a1
Author: Vlad Yasevich <[email protected]>
Date:   Tue Sep 30 19:39:37 2014 -0400

    bnx2: Correctly receive full sized 802.1ad fragmes
    
    This driver, similar to tg3, has a check that will
    cause full sized 802.1ad frames to be dropped.  The
    frame will be larger then the standard mtu due to the
    presense of vlan header that has not been stripped.
    The driver should not drop this frame and should process
    it just like it does for 802.1q.
    
    CC: Sony Chacko <[email protected]>
    CC: [email protected]
    Signed-off-by: Vladislav Yasevich <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 7d3083ee36b51e425b6abd76778a2046906b0fd3
Author: Vlad Yasevich <[email protected]>
Date:   Tue Sep 30 19:39:36 2014 -0400

    tg3: Allow for recieve of full-size 8021AD frames
    
    When receiving a vlan-tagged frame that still contains
    a vlan header, the length of the packet will be greater
    then MTU+ETH_HLEN since it will account of the extra
    vlan header.  TG3 checks this for the case for 802.1Q,
    but not for 802.1ad.  As a result, full sized 802.1ad
    frames get dropped by the card.
    
    Add a check for 802.1ad protocol when receving full
    sized frames.
    
    Suggested-by: Prashant Sreedharan <[email protected]>
    CC: Prashant Sreedharan <[email protected]>
    CC: Michael Chan <[email protected]>
    Signed-off-by: Vladislav Yasevich <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 1e918876853aa85435e0f17fd8b4a92dcfff53d6
Author: Florian Westphal <[email protected]>
Date:   Wed Oct 1 13:38:03 2014 +0200

    r8169: add support for Byte Queue Limits
    
    tested on RTL8168d/8111d model using 'super_netperf 40' with TCP/UDP_STREAM.
    
    Output of
    while true; do
        for n in inflight limit; do
              echo -n $n\ ; cat $n;
        done;
        sleep 1;
    done
    
    during netperf run, 100mbit peer:
    
    inflight 0
    limit 3028
    inflight 6056
    limit 4542
    
    [ trimmed output for brevity, no limit/inflight changes during
      test steady-state ]
    
    limit 4542
    inflight 3028
    limit 6122
    inflight 0
    limit 6122
    [ changed cable to 1gbit peer, restart netperf ]
    inflight 37850
    limit 36336
    inflight 33308
    limit 31794
    inflight 33308
    limit 31794
    inflight 27252
    limit 25738
    [ again, no changes during test ]
    inflight 27252
    limit 25738
    inflight 0
    limit 28766
    [ change cable to 100mbit peer, restart netperf ]
    limit 28766
    inflight 27370
    limit 28766
    inflight 4542
    limit 5990
    inflight 6056
    limit 4542
    [ .. ]
    inflight 6056
    limit 4542
    inflight 0
    
    [end of test]
    
    Cc: Francois Romieu <[email protected]>
    Cc: Hayes Wang <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>
    Acked-by: Eric Dumazet <[email protected]>
    Acked-by: Tom Herbert <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit d0bf4a9e92b9a93ffeeacbd7b6cb83e0ee3dc2ef
Author: Eric Dumazet <[email protected]>
Date:   Mon Sep 29 13:29:15 2014 -0700

    net: cleanup and document skb fclone layout
    
    Lets use a proper structure to clearly document and implement
    skb fast clones.
    
    Then, we might experiment more easily alternative layouts.
    
    This patch adds a new skb_fclone_busy() helper, used by tcp and xfrm,
    to stop leaking of implementation details.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 0f1ca65ee50df042051e8fa3a14f73b0c71d45b9
Author: Arianna Avanzini <[email protected]>
Date:   Fri Aug 22 13:20:02 2014 +0200

    xen, blkfront: factor out flush-related checks from do_blkif_request()
    
    This commit factors out some checks related to the request insertion
    path, which can be done in an function instead of by itself.
    
    Reviewed-by: David Vrabel <[email protected]>
    Signed-off-by: Arianna Avanzini <[email protected]>
    Signed-off-by: Konrad Rzeszutek Wilk <[email protected]>

commit 61cecca865280bef4f8a9748d0a9afa5df351ac2
Author: Roger Pau Monné <[email protected]>
Date:   Mon Sep 15 11:55:27 2014 +0200

    xen-blkback: fix leak on grant map error path
    
    Fix leaking a page when a grant mapping has failed.
    
    CC: [email protected]
    Signed-off-by: Roger Pau Monné <[email protected]>
    Reported-and-Tested-by: Tao Chen <[email protected]>
    Signed-off-by: Konrad Rzeszutek Wilk <[email protected]>

commit 12ea729645ace01e08f9654df155622898d3aae6
Author: Vitaly Kuznetsov <[email protected]>
Date:   Mon Sep 8 15:21:33 2014 +0200

    xen/blkback: unmap all persistent grants when frontend gets disconnected
    
    blkback does not unmap persistent grants when frontend goes to Closed
    state (e.g. when blkfront module is being removed). This leads to the
    following in guest's dmesg:
    
    [  343.243825] xen:grant_table: WARNING: g.e. 0x445 still in use!
    [  343.243825] xen:grant_table: WARNING: g.e. 0x42a still in use!
    ...
    
    When load module -> use device -> unload module sequence is performed multiple times
    it is possible to hit BUG() condition in blkfront module:
    
    [  343.243825] kernel BUG at drivers/block/xen-blkfront.c:954!
    [  343.243825] invalid opcode: 0000 [#1] SMP
    [  343.243825] Modules linked in: xen_blkfront(-) ata_generic pata_acpi [last unloaded: xen_blkfront]
    ...
    [  343.243825] Call Trace:
    [  343.243825]  [<ffffffff814111ef>] ? unregister_xenbus_watch+0x16f/0x1e0
    [  343.243825]  [<ffffffffa0016fbf>] blkfront_remove+0x3f/0x140 [xen_blkfront]
    ...
    [  343.243825] RIP  [<ffffffffa0016aae>] blkif_free+0x34e/0x360 [xen_blkfront]
    [  343.243825]  RSP <ffff88001eb8fdc0>
    
    We don't need to keep these grants if we're disconnecting as frontend might already
    forgot about them. Solve the issue by moving xen_blkbk_free_caches() call from
    xen_blkif_free() to xen_blkif_disconnect().
    
    Now we can see the following:
    [  928.590893] xen:grant_table: WARNING: g.e. 0x587 still in use!
    [  928.591861] xen:grant_table: WARNING: g.e. 0x372 still in use!
    ...
    [  929.592146] xen:grant_table: freeing g.e. 0x587
    [  929.597174] xen:grant_table: freeing g.e. 0x372
    ...
    
    Backend does not keep persistent grants any more, reconnect works fine.
    
    CC: [email protected]
    Signed-off-by: Vitaly Kuznetsov <[email protected]>
    Signed-off-by: Konrad Rzeszutek Wilk <[email protected]>

commit b248230c34970a6c1c17c591d63b464e8d2cfc33
Author: Yuchung Cheng <[email protected]>
Date:   Mon Sep 29 13:20:38 2014 -0700

    tcp: abort orphan sockets stalling on zero window probes
    
    Currently we have two different policies for orphan sockets
    that repeatedly stall on zero window ACKs. If a socket gets
    a zero window ACK when it is transmitting data, the RTO is
    used to probe the window. The socket is aborted after roughly
    tcp_orphan_retries() retries (as in tcp_write_timeout()).
    
    But if the socket was idle when it received the zero window ACK,
    and later wants to send more data, we use the probe timer to
    probe the window. If the receiver always returns zero window ACKs,
    icsk_probes keeps getting reset in tcp_ack() and the orphan socket
    can stall forever until the system reaches the orphan limit (as
    commented in tcp_probe_timer()). This opens up a simple attack
    to create lots of hanging orphan sockets to burn the memory
    and the CPU, as demonstrated in the recent netdev post "TCP
    connection will hang in FIN_WAIT1 after closing if zero window is
    advertised." http://www.spinics.net/lists/netdev/msg296539.html
    
    This patch follows the design in RTO-based probe: we abort an orphan
    socket stalling on zero window when the probe timer reaches both
    the maximum backoff and the maximum RTO. For example, an 100ms RTT
    connection will timeout after roughly 153 seconds (0.3 + 0.6 +
    .... + 76.8) if the receiver keeps the window shut. If the orphan
    socket passes this check, but the system already has too many orphans
    (as in tcp_out_of_resources()), we still abort it but we'll also
    send an RST packet as the connection may still be active.
    
    In addition, we change TCP_USER_TIMEOUT to cover (life or dead)
    sockets stalled on zero-window probes. This changes the semantics
    of TCP_USER_TIMEOUT slightly because it previously only applies
    when the socket has pending transmission.
    
    Signed-off-by: Yuchung Cheng <[email protected]>
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: Neal Cardwell <[email protected]>
    Reported-by: Andrey Dmitrov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 3edfe0030bb7a82dab2a30a29ea6e1800e600c4b
Author: Helge Deller <[email protected]>
Date:   Wed Oct 1 22:11:01 2014 +0200

    parisc: Fix serial console for machines with serial port on superio chip
    
    Fix the serial console on machines where the serial port is located on
    the SuperIO chip.
    
    Signed-off-by: Helge Deller <[email protected]>
    Cc: Peter Hurley <[email protected]>

commit baf378126b08474de2e2428b16e62a69df0339d9
Author: Michael Opdenacker <[email protected]>
Date:   Wed Oct 1 14:07:39 2014 -0600

    rsxx: Remove deprecated IRQF_DISABLED
    
    This removes the use of the IRQF_DISABLED flag
    from drivers/block/rsxx/core.c
    
    It's a NOOP since 2.6.35 and it will be removed one day.
    
    Signed-off-by: Michael Opdenacker <[email protected]>
    Acked-by Philip Kelleher <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>

commit cb57659a15c6c0576493cc8a10474ce7ffd44eb3
Author: Fabian Frederick <[email protected]>
Date:   Wed Oct 1 19:30:03 2014 +0200

    cipso: add __init to cipso_v4_cache_init
    
    cipso_v4_cache_init is only called by __init cipso_v4_init
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 57a02c39c1c20ed03a86f8014c11a8c18b94cac3
Author: Fabian Frederick <[email protected]>
Date:   Wed Oct 1 19:18:57 2014 +0200

    inet: frags: add __init to ip4_frags_ctl_register
    
    ip4_frags_ctl_register is only called by __init ipfrag_init
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 47d7a88c188f06ffaea3a539f84fe10cb4e77787
Author: Fabian Frederick <[email protected]>
Date:   Wed Oct 1 18:27:50 2014 +0200

    tcp: add __init to tcp_init_mem
    
    tcp_init_mem is only called by __init tcp_init.
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit ee7a1beb9759c94aea67dd887faf5e447a5c6710
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:21 2014 +0800

    r8169:call "rtl8168_driver_start" "rtl8168_driver_stop" only when hardware dash function is enabled
    
    These two functions are used to inform dash firmware that driver is been
    brought up or brought down. So call these two functions only when hardware dash
    function is enabled.
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 2a9b4d9670e71784896d95c41c9b0acd50db1dbb
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:20 2014 +0800

    r8169:modify the behavior of function "rtl8168_oob_notify"
    
    In function "rtl8168_oob_notify", using function "rtl_eri_write" to access
    eri register 0xe8, instead of using MAC register "ERIDR" and "ERIAR" to
    access it.
    
    For using function "rtl_eri_write" in function "rtl8168_oob_notify", need to
    move down "rtl8168_oob_notify" related functions under the function
    "rtl_eri_write".
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 2f8c040ce6791ef0477e6d59768ee3d5fd0df0fd
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:19 2014 +0800

    r8169:change the name of function "r8168dp_check_dash" to "r8168_check_dash"
    
    DASH function not only RTL8168DP can support, but also RTL8168EP.
    So change the name of function "r8168dp_check_dash" to "r8168_check_dash".
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 706123d06c18b55da5e9da21e2d138ee789bf8f4
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:18 2014 +0800

    r8169:change the name of function"rtl_w1w0_eri"
    
    Change the name of function "rtl_w1w0_eri" to "rtl_w0w1_eri".
    
    In this function, the local variable "val" is "write zeros then write ones".
    Please see below code.
    
    (val & ~m) | p
    
    In this patch, change the function name from "xx_w1w0_xx" to "xx_w0w1_xx".
    The changed function name is more suitable for it's behavior.
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 7656442824f6174b56a19c664fe560972df56ad4
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:17 2014 +0800

    r8169:for function "rtl_w1w0_phy" change its name and behavior
    
    Change function name from "rtl_w1w0_phy" to "rtl_w0w1_phy".
    And its behavior from "write ones then write zeros" to
    "write zeros then write ones".
    
    In Realtek internal driver, bitwise operations are almost "write zeros then
    write ones". For easy to port hardware parameters from Realtek internal driver
    to Linux kernal driver "r8169", we would like to change this function's
    behavior and its name.
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit ac85bcdbc0ffd3903d6db4abcd769ecacf98605b
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:16 2014 +0800

    r8169:add more chips to support magic packet v2
    
    For RTL8168F RTL8168FB RTL8168G RTL8168GU RTL8411 RTL8411B RTL8402 RTL8107E,
    the magic packet enable bit is changed to eri 0xde bit0.
    
    In this patch, change magic packet enable bit of these chips to eri 0xde bit0.
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 89cceb2729c752e6ff9b3bc8650a70f29884f116
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:15 2014 +0800

    r8169:add support more chips to get mac address from backup mac address register
    
    RTL8168FB RTL8168G RTL8168GU RTL8411 RTL8411B RTL8106EUS RTL8402 can
    support get mac address from backup mac address register.
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 42fde7371035144037844f41bd16950de9912bdb
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:14 2014 +0800

    r8169:add disable/enable RTL8411B pll function
    
    RTL8411B can support disable/enable pll function.
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit b8e5e6ad7115befef13a4493f1d2b8e438abc058
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:13 2014 +0800

    r8169:add disable/enable RTL8168G pll function
    
    RTL8168G also can disable/enable pll function.
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 05b9687bb3606190304f08c2e4cd63de8717e30b
Author: Chun-Hao Lin <[email protected]>
Date:   Wed Oct 1 23:17:12 2014 +0800

    r8169:change uppercase number to lowercase number
    
    Signed-off-by: Chun-Hao Lin <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit a29c9c43bb633a9965909cd548879fee4aa789a4
Author: David L Stevens <[email protected]>
Date:   Wed Oct 1 11:05:27 2014 -0400

    sunvnet: fix potential NULL pointer dereference
    
    One of the error cases for vnet_start_xmit()'s "out_dropped" label
    is port == NULL, so only mess with port->clean_timer when port is not NULL.
    
    Signed-off-by: David L Stevens <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit e506d405ac7d34d03996c97ac68aa2ac010be64a
Author: Thierry Reding <[email protected]>
Date:   Wed Oct 1 13:59:00 2014 +0200

    net: dsa: Fix build warning for !PM_SLEEP
    
    The dsa_switch_suspend() and dsa_switch_resume() functions are only used
    when PM_SLEEP is enabled, so they need #ifdef CONFIG_PM_SLEEP protection
    to avoid a compiler warning.
    
    Signed-off-by: Thierry Reding <[email protected]>
    Acked-by: Florian Fainelli <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 84ac1f2ca41f5888cc995944c073a5220f3ed549
Author: Tanmay Inamdar <[email protected]>
Date:   Fri Sep 26 14:08:25 2014 -0700

    arm64: dts: Add APM X-Gene PCIe device tree nodes
    
    Add the device tree nodes for APM X-Gene PCIe host controller and PCIe
    clock interface.  Since X-Gene SOC supports maximum 5 ports, 5 dts nodes
    are added.
    
    Signed-off-by: Tanmay Inamdar <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit 2896e4418b17363f211e084471b589e3c06a7248
Author: Bjorn Helgaas <[email protected]>
Date:   Wed Oct 1 13:01:35 2014 -0600

    PCI: xgene: Add APM X-Gene PCIe driver
    
    Add the AppliedMicro X-Gene SOC PCIe host controller driver.  The X-Gene
    PCIe controller supports up to 8 lanes and GEN3 speed.  The X-Gene SOC
    supports up to 5 PCIe ports.
    
    [bhelgaas: folded in MAINTAINERS and bindings updates]
    Tested-by: Ming Lei <[email protected]>
    Tested-by: Dann Frazier <[email protected]>
    Signed-off-by: Tanmay Inamdar <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Liviu Dudau <[email protected]> (driver)

commit 3c87dcbfb36ce6d3d9087f0163c02ba5690d9a85
Author: Subbaraya Sundeep Bhatta <[email protected]>
Date:   Wed Oct 1 11:01:17 2014 +0200

    net: ll_temac: Remove unnecessary ether_setup after alloc_etherdev
    
    Calling ether_setup is redundant since alloc_etherdev calls it.
    
    Signed-off-by: Subbaraya Sundeep Bhatta <[email protected]>
    Signed-off-by: Michal Simek <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 8493ecca74a7b4a66e19676de1a0f14194179941
Author: Benjamin Tissoires <[email protected]>
Date:   Wed Oct 1 11:59:47 2014 -0400

    HID: uHID: fix excepted report type
    
    When uhid_get_report() or uhid_set_report() are called, they emit on the
    char device a UHID_GET_REPORT or UHID_SET_REPORT message. Then, the
    protocol says that the user space asnwers with UHID_GET_REPORT_REPLY
    or UHID_SET_REPORT_REPLY.
    
    Unfortunatelly, the current code waits for an event of type UHID_GET_REPORT
    or UHID_SET_REPORT instead of the reply one.
    Add 1 to UHID_GET_REPORT or UHID_SET_REPORT to actually wait for the
    reply, and validate the reply.
    
    Signed-off-by: Benjamin Tissoires <[email protected]>
    Reviewed-by: David Herrmann <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>

commit c8df6ac9452e8f47a6f660993c526d13e858a6f3
Author: Lucas Stach <[email protected]>
Date:   Tue Sep 30 18:36:27 2014 +0200

    PCI: designware: Remove open-coded bitmap operations
    
    Replace them by using the standard kernel bitmap ops.  No functional
    change, but makes the code a lot cleaner.
    
    Signed-off-by: Lucas Stach <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Reviewed-by: Pratyush Anand <[email protected]>
    Acked-by: Jingoo Han <[email protected]>

commit 2199f0608864cf4e8c93d37842a5ee50c8d79843
Author: Mikulas Patocka <[email protected]>
Date:   Fri Mar 28 15:51:56 2014 -0400

    dm crypt: sort writes
    
    Write requests are sorted in a red-black tree structure and are
    submitted in the sorted order.
    
    In theory the sorting should be performed by the underlying disk
    scheduler, however, in practice the disk scheduler only accepts and
    sorts a finite number of requests.  To allow the sorting of all
    requests, dm-crypt needs to implement its own own sorting.
    
    The overhead associated with rbtree-based sorting is considered
    negligible so it is not used conditionally.  Even on SSD sorting can be
    beneficial since in-order request dispatch promotes lower latency IO
    completion to the upper layers.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit 648fee35be4c75667aa18bf513f7e7e65c01640b
Author: Mikulas Patocka <[email protected]>
Date:   Fri Mar 28 15:51:56 2014 -0400

    dm crypt: offload writes to thread
    
    Submitting write bios directly in the encryption thread caused serious
    performance degradation.  On a multiprocessor machine, encryption requests
    finish in a different order than they were submitted.  Consequently, write
    requests would be submitted in a different order and it could cause severe
    performance degradation.
    
    Move the submission of write requests to a separate thread so that the
    requests can be sorted before submitting.  But this commit improves
    dm-crypt performance even without having dm-crypt perform request
    sorting (in particular it enables IO schedulers like CFQ to sort more
    effectively).
    
    Note: it is required that a previous commit ("dm crypt: don't allocate
    pages for a partial request") be applied before applying this patch.
    Otherwise, this commit could introduce a crash.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit 4a0d7e0464226eee625a5b77484c339334453882
Author: Mikulas Patocka <[email protected]>
Date:   Fri Mar 28 15:51:55 2014 -0400

    dm crypt: use unbound workqueue for request processing
    
    Use unbound workqueue so that work is automatically balanced between
    available CPUs.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit 72bfc40ca3b393cb0bc6b5e2ce364e6c6ce0f390
Author: Mikulas Patocka <[email protected]>
Date:   Thu May 29 14:18:12 2014 -0400

    dm crypt: remove io_pending refcount member from dm_crypt_io
    
    Commit "dm crypt: don't allocate pages for a partial request" changed
    the code to allocate all pages for one request.  There is always just
    one pending request, so the io_pending refcount may be removed.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit 42196fec8945cc84c032b7f59deaffee82036245
Author: Mikulas Patocka <[email protected]>
Date:   Fri Mar 28 15:51:56 2014 -0400

    dm crypt: remove unused io_pool and _crypt_io_pool
    
    The previous commits ("dm crypt: use per-bio data") and ("dm crypt:
    don't allocate pages for a partial request") stopped using the
    io_pool slab mempool and backing _crypt_io_pool kmem cache.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit ebfda24b1e1bf483accdb900f8625151d8f01383
Author: Mikulas Patocka <[email protected]>
Date:   Fri Mar 28 15:51:56 2014 -0400

    dm crypt: avoid deadlock in mempools
    
    Fix a theoretical deadlock introduced in the previous commit ("dm crypt:
    don't allocate pages for a partial request").
    
    The function crypt_alloc_buffer may be called concurrently.  If we allocate
    from the mempool concurrently, there is a possibility of deadlock.  For
    example, if we have mempool of 256 pages, two processes, each wanting
    256, pages allocate from the mempool concurrently, it may deadlock in a
    situation where both processes have allocated 128 pages and the mempool
    is exhausted.
    
    In order to avoid such a scenario, we allocate the pages under a mutex.
    
    In order to not degrade performance with excessive locking, we try
    non-blocking allocations without a mutex first and if it fails, we
    fallback to a blocking allocation with a mutex.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit b9ea7cb3fb237078be400522880932008c630fb7
Author: Mikulas Patocka <[email protected]>
Date:   Fri Mar 28 15:51:56 2014 -0400

    dm crypt: don't allocate pages for a partial request
    
    Change crypt_alloc_buffer so that it only ever allocates pages for a
    full request.
    
    This change is a prerequisite for the commit "dm crypt: offload writes
    to thread".  Which implies this change is effectively required for the
    upcoming cpu parallelization changes.
    
    But this change simplifies the dm-crypt code at the expense of reduced
    throughput in low memory conditions (where allocation for a partial
    request is most useful).
    
    This change also enables the removal of the io_pending refcount.
    
    Note: the next commit ("dm-crypt: avoid deadlock in mempools") is needed
    to fix a theoretical deadlock.
    
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit 117cd3e12232afea97dd31489fbde8888ad22b3e
Author: Heinz Mauelshagen <[email protected]>
Date:   Wed Sep 24 17:47:19 2014 +0200

    dm raid: add discard support for RAID levels 4, 5 and 6
    
    In case of RAID levels 4, 5 and 6 we have to verify each RAID members'
    ability to zero data on discards to avoid stripe data corruption -- if
    discard_zeroes_data is not set for each RAID member discard support must
    be disabled.
    
    Also add an 'ignore_discard' table argument to the target in order to
    ignore discard processing completely on a RAID array, hence not passing
    down discards to MD personalities.
    
    This 'ignore_discard' control provides the ability to:
    - prohibit discards in case of _potential_ data corruptions in RAID4/5/6
      (e.g. if ability to zero data on discard is flawed in a RAID member)
    - avoid discard processing overhead
    
    Signed-off-by: Heinz Mauelshagen <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>

commit 04c308f43a90a9b3b84c344b324d6af29288da05
Author: Mikulas Patocka <[email protected]>
Date:   Wed Oct 1 13:29:48 2014 -0400

    dm bufio: when done scanning return from __scan immediately
    
    When __scan frees the required number of buffer entries that the
    shrinker requested (nr_to_scan becomes zero) it must return.  Before
    this fix the __scan code exited only the inner loop and continued in the
    outer loop.
    
    Also, move dm_bufio_cond_resched to __scan's inner loop, so that
    iterating the bufio client's lru lists doesn't result in scheduling
    latency.
    
    Reported-by: Joe Thornber <[email protected]>
    Signed-off-by: Mikulas Patocka <[email protected]>
    Signed-off-by: Mike Snitzer <[email protected]>
    Cc: [email protected] # 3.2+

commit 5ec094057c7df5ff80f5e7fe282f47ad205fb976
Author: Bjorn Helgaas <[email protected]>
Date:   Tue Sep 23 14:38:28 2014 -0600

    PCI/MSI: Remove unnecessary temporary variable
    
    The only use of "status" is to hold a value which is immediately returned,
    so just return and remove the variable directly.
    
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit 56b72b40957947f7c08771f030102351d4c906df
Author: Yijing Wang <[email protected]>
Date:   Mon Sep 29 18:35:16 2014 -0600

    PCI/MSI: Use __write_msi_msg() instead of write_msi_msg()
    
    default_restore_msi_irq() already has the struct msi_desc pointer required
    by __write_msi_msg(), so call it directly instead of having write_msi_msg()
    look it up from the IRQ.
    
    No functional change.
    
    [bhelgaas: split into separate patch]
    Signed-off-by: Yijing Wang <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit 1e8f4cc82eded0c3c97ef6e2f119782e42deda35
Author: Yijing Wang <[email protected]>
Date:   Wed Sep 24 11:09:45 2014 +0800

    MSI/powerpc: Use __read_msi_msg() instead of read_msi_msg()
    
    rtas_setup_msi_irqs() already has the struct msi_desc pointer required by
    __read_msi_msg(), so call it directly instead of having read_msi_msg() look
    it up from the IRQ.
    
    No functional change.
    
    [bhelgaas: changelog]
    Signed-off-by: Yijing Wang <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Acked-by: Michael Ellerman <[email protected]>
    CC: Benjamin Herrenschmidt <[email protected]>
    CC: [email protected]

commit 2b260085e466c345e78f23b1c9ad1d123d509ef8
Author: Yijing Wang <[email protected]>
Date:   Tue Sep 23 13:27:25 2014 +0800

    PCI/MSI: Use __get_cached_msi_msg() instead of get_cached_msi_msg()
    
    Both callers of get_cached_msi_msg() start with a struct irq_data pointer,
    look up the corresponding IRQ number, and pass it to get_cached_msi_msg(),
    which then uses irq_get_irq_data() to look up the struct irq_data again to
    call __get_cached_msi_msg().
    
    Since we already have the struct irq_data, call __get_cached_msi_msg()
    directly and skip the lookup work done by get_cached_msi_msg().
    
    No functional change.
    
    [bhelgaas: changelog]
    Signed-off-by: Yijing Wang <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    CC: Tony Luck <[email protected]>
    CC: [email protected]

commit 468ff15a3ab98ed7153c29c68229ffb97f15a251
Author: Yijing Wang <[email protected]>
Date:   Tue Sep 23 13:27:24 2014 +0800

    PCI/MSI: Add "msi_bus" sysfs MSI/MSI-X control for endpoints
    
    The "msi_bus" sysfs file for bridges sets a bus flag to allow or disallow
    future driver requests for MSI or MSI-X.  Previously, the sysfs file
    existed for endpoints but did nothing.
    
    Add "msi_bus" support for endpoints, so an administrator can prevent the
    use of MSI and MSI-X for individual devices.
    
    Note that as for bridges, these changes only affect future driver requests
    for MSI or MSI-X, so drivers may need to be reloaded.
    
    Add documentation for the "msi_bus" sysfs file.
    
    [bhelgaas: changelog, comments, add "subordinate", add endpoint printk,
    rework bus_flags setting, make bus_flags printk unconditional]
    Signed-off-by: Yijing Wang <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit 48c3c38f003c25d50a09d3da558667c5ecd530aa
Author: Yijing Wang <[email protected]>
Date:   Tue Sep 23 11:02:42 2014 -0600

    PCI/MSI: Remove "pos" from the struct msi_desc msi_attrib
    
    "msi_attrib.pos" is only used for MSI (not MSI-X), and we already cache the
    MSI capability offset in "dev->msi_cap".
    
    Remove "pos" from the struct msi_attrib and use "dev->msi_cap" directly.
    
    [bhelgaas: changelog, fix whitespace]
    Signed-off-by: Yijing Wang <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit 81052769e48609525c452d8f078a5786b673e178
Author: Yijing Wang <[email protected]>
Date:   Tue Sep 23 13:27:22 2014 +0800

    PCI/MSI: Remove unused kobject from struct msi_desc
    
    After commit 1c51b50c2995 ("PCI/MSI: Export MSI mode using attributes, not
    kobjects"), the kobject in struct msi_desc is unused.
    
    Remove the unused struct kobject from struct msi_desc.
    
    [bhelgaas: changelog]
    Fixes: 1c51b50c2995 ("PCI/MSI: Export MSI mode using attributes, not kobjects")
    Signed-off-by: Yijing Wang <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Acked-by: Greg Kroah-Hartman <[email protected]>

commit a06cd74cefe754341f747ddc4cf7b0058fa9bff8
Author: Alexander Gordeev <[email protected]>
Date:   Tue Sep 23 12:45:58 2014 -0600

    PCI/MSI: Rename pci_msi_check_device() to pci_msi_supported()
    
    Rename pci_msi_check_device() to pci_msi_supported() for clarity.  Note
    that pci_msi_supported() returns true if MSI/MSI-X is supported, so code
    like:
    
      if (pci_msi_supported(...))
    
    reads naturally.
    
    [bhelgaas: changelog, split to separate patch, reverse sense]
    Signed-off-by: Alexander Gordeev <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit 27e20603c54ba633ed259284d006275f13c9f95b
Author: Alexander Gordeev <[email protected]>
Date:   Tue Sep 23 14:25:11 2014 -0600

    PCI/MSI: Move D0 check into pci_msi_check_device()
    
    Both callers of pci_msi_check_device() check that the device is in D0
    state, so move the check from the callers into pci_msi_check_device()
    itself.
    
    In pci_enable_msi_range(), note that pci_msi_check_device() never returns a
    positive value any more, so the loop that called it until it returns zero
    or negative is no longer necessary.
    
    [bhelgaas: changelog, split to separate patch]
    Signed-off-by: Alexander Gordeev <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit ad975ebad4c3ce8dcc7d0bb4db26ea5aca4cfc99
Author: Alexander Gordeev <[email protected]>
Date:   Tue Sep 23 12:39:54 2014 -0600

    PCI/MSI: Remove arch_msi_check_device()
    
    No architectures implement arch_msi_check_device() or the struct msi_chip
    .check_device() method, so remove them.
    
    Remove the "type" parameter to pci_msi_check_device() because it was only
    used to call arch_msi_check_device() and is no longer needed.
    
    [bhelgaas: changelog, split to separate patch]
    Signed-off-by: Alexander Gordeev <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>

commit 3930115e0dd67f61b3b1882c7a34d0baeff1bb4c
Author: Alexander Gordeev <[email protected]>
Date:   Sun Sep 7 20:57:54 2014 +0200

    irqchip: armada-370-xp: Remove arch_msi_check_device()
    
    Move MSI checks from arch_msi_check_device() to arch_setup_msi_irqs().
    This makes the code more compact and allows removing
    arch_msi_check_device() from generic MSI code.
    
    Tested-by: Thomas Petazzoni <[email protected]>
    Signed-off-by: Alexander Gordeev <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Acked-by: Jason Cooper <[email protected]>
    CC: Thomas Gleixner <[email protected]>

commit 6b2fd7efeb888fa781c1f767de6c36497ac1596b
Author: Alexander Gordeev <[email protected]>
Date:   Sun Sep 7 20:57:53 2014 +0200

    PCI/MSI/PPC: Remove arch_msi_check_device()
    
    Move MSI checks from arch_msi_check_device() to arch_setup_msi_irqs().
    This makes the code more compact and allows removing
    arch_msi_check_device() from generic MSI code.
    
    Signed-off-by: Alexander Gordeev <[email protected]>
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Acked-by: Michael Ellerman <[email protected]>

commit 977104ece1568f2e2ad3f5fd8e55bd640e8ab55a
Author: Mark Charlebois <[email protected]>
Date:   Thu Sep 4 14:16:17 2014 -0700

    arm: LLVMLinux: Use global stack register variable for percpu
    
    Using global current_stack_pointer works on both clang and gcc.
    current_stack_pointer is an unsigned long and needs to be cast
    as a pointer to dereference.
    
    KernelVersion: 3.17.0-rc6
    Signed-off-by: Mark Charlebois <[email protected]>
    Signed-off-by: Behan Webster <[email protected]>

commit a35dc594542b29935cd3a92e53233ad4ba4e622f
Author: Behan Webster <[email protected]>
Date:   Tue Sep 3 22:27:27 2013 -0400

    arm: LLVMLinux: Use current_stack_pointer in unwind_backtrace
    
    Use the global current_stack_pointer to get the value of the stack pointer.
    This change supports being able to compile the kernel with both gcc and clang.
    
    KernelVersion: 3.17.0-rc6
    Signed-off-by: Behan Webster <[email protected]>
    Reviewed-by: Mark Charlebois <[email protected]>
    Reviewed-by: Jan-Simon Möller <[email protected]>
    Acked-by: Will Deacon <[email protected]>
    Acked-by: Nicolas Pitre <[email protected]>

commit 5c5da6724d8e1767405a3f4b611451a11ece99e2
Author: Behan Webster <[email protected]>
Date:   Tue Sep 3 22:27:27 2013 -0400

    arm: LLVMLinux: Calculate current_thread_info from current_stack_pointer
    
    Use the global current_stack_pointer to get the value of the stack pointer.
    This change supports being able to compile the kernel with both gcc and clang.
    
    KernelVersion: 3.17.0-rc6
    Signed-off-by: Behan Webster <[email protected]>
    Reviewed-by: Mark Charlebois <[email protected]>
    Reviewed-by: Jan-Simon Möller <[email protected]>
    Acked-by: Will Deacon <[email protected]>
    Acked-by: Nicolas Pitre <[email protected]>

commit f2b6d8c6c56c9a164a2d885ba34a09d613c959c9
Author: Behan Webster <[email protected]>
Date:   Tue Sep 3 22:27:27 2013 -0400

    arm: LLVMLinux: Use current_stack_pointer in save_stack_trace_tsk
    
    Use the global current_stack_pointer to get the value of the stack pointer.
    This change supports being able to compile the kernel with both gcc and clang.
    
    KernelVersion: 3.17.0-rc6
    Signed-off-by: Behan Webster <[email protected]>
    Reviewed-by: Mark Charlebois <[email protected]>
    Reviewed-by: Jan-Simon Möller <[email protected]>
    Acked-by: Will Deacon <[email protected]>
    Acked-by: Nicolas Pitre <[email protected]>

commit 40802b84566a3d9731a8fea43b144301d9ac450d
Author: Behan Webster <[email protected]>
Date:   Tue Sep 3 22:27:27 2013 -0400

    arm: LLVMLinux: Use current_stack_pointer for return_address
    
    Use the global current_stack_pointer to get the value of the stack pointer.
    This change supports being able to compile the kernel with both gcc and Clang.
    
    KernelVersion: 3.17.0-rc6
    Signed-off-by: Behan Webster <[email protected]>
    Reviewed-by: Mark Charlebois <[email protected]>
    Reviewed-by: Jan-Simon Möller <[email protected]>
    Acked-by: Will Deacon <[email protected]>
    Acked-by: Nicolas Pitre <[email protected]>

commit d80ced5236764b8c4ffda5545d5b357cf88c77c1
Author: Behan Webster <[email protected]>
Date:   Tue Sep 3 22:27:27 2013 -0400

    arm: LLVMLinux: Use current_stack_pointer to calculate pt_regs address
    
    Use the global current_stack_pointer to calculate the end of the stack for
    current_pt_regs()
    
    KernelVersion: 3.17.0-rc6
    Signed-off-by: Behan Webster <[email protected]>
    Reviewed-by: Mark Charlebois <[email protected]>
    Reviewed-by: Jan-Simon Möller <[email protected]>
    Acked-by: Will Deacon <[email protected]>
    Acked-by: Nicolas Pitre <[email protected]>

commit 9d0d6994806b36891453beb1e94b6253f853af61
Author: Behan Webster <[email protected]>
Date:   Tue Sep 3 22:27:26 2013 -0400

    arm: LLVMLinux: Add global named register current_stack_pointer for ARM
    
    Define a global named register for current_stack_pointer. The use of this new
    variable guarantees that both gcc and clang can access this register in C code.
    
    KernelVersion: 3.17.0-rc6
    Signed-off-by: Behan Webster <[email protected]>
    Reviewed-by: Jan-Simon Möller <[email protected]>
    Reviewed-by: Mark Charlebois <[email protected]>
    Acked-by: Will Deacon <[email protected]>
    Acked-by: Nicolas Pitre <[email protected]>

commit 2c804d0f8fc7799981d9fdd8c88653541b28c1a7
Author: Eric Dumazet <[email protected]>
Date:   Tue Sep 30 22:12:05 2014 -0700

    ipv4: mentions skb_gro_postpull_rcsum() in inet_gro_receive()
    
    Proper CHECKSUM_COMPLETE support needs to adjust skb->csum
    when we remove one header. Its done using skb_gro_postpull_rcsum()
    
    In the case of IPv4, we know that the adjustment is not really needed,
    because the checksum over IPv4 header is 0. Lets add a comment to
    ease code comprehension and avoid copy/paste errors.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit eb51bbaf8dedf142a54a7ff58514a29b40d515bb
Author: Stephen Rothwell <[email protected]>
Date:   Wed Oct 1 17:00:49 2014 +1000

    fm10k: using vmalloc requires including linux/vmalloc.h
    
    Signed-off-by: Stephen Rothwell <[email protected]>
    Acked-by: Jeff Kirsher <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 078efae00ffc76381c3248006e9cf0988163488f
Author: Anish Bhatt <[email protected]>
Date:   Mon Sep 15 17:44:18 2014 -0700

    [SCSI] cxgb4i: avoid holding mutex in interrupt context
    
    cxgbi_inet6addr_handler() can be called in interrupt context, so use rcu
    protected list while finding netdev.  This is observed as a scheduling in
    atomic oops when running over ipv6.
    
    Fixes: fc8d0590d914 ("libcxgbi: Add ipv6 api to driver")
    Fixes: 759a0cc5a3e1 ("cxgb4i: Add ipv6 code to driver, call into libcxgbi ipv6 api")
    
    Signed-off-by: Anish Bhatt <[email protected]>
    Signed-off-by: Karen Xie <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>
    Signed-off-by: James Bottomley <[email protected]>

commit 34549ab09e62db9703811c6ed4715f2ffa1fd7fb
Author: Jeff Layton <[email protected]>
Date:   Wed Oct 1 08:05:22 2014 -0400

    nfsd: eliminate "to_delegation" define
    
    We now have cb_to_delegation and to_delegation, which do the same thing
    and are defined separately in different .c files. Move the
    cb_to_delegation definition into a header file and eliminate the
    redundant to_delegation definition.
    
    Reviewed-by: Christoph Hellwig <[email protected]>
    Signed-off-by: Jeff Layton <[email protected]>

commit 4a0efdc933680d908de11712a774a2c9492c3d5a
Author: Hannes Reinecke <[email protected]>
Date:   Wed Oct 1 14:32:31 2014 +0200

    block: misplaced rq_complete tracepoint
    
    The rq_complete tracepoint was never issued for empty requests,
    causing the resulting blktrace information to never show any
    completion for those request.
    
    Signed-off-by: Hannes Reinecke <[email protected]>
    Acked-by: Tejun Heo <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>

commit fc2021fb9baf9ed375c8161b40b68e120e75c60e
Author: Michael Opdenacker <[email protected]>
Date:   Wed Oct 1 12:07:07 2014 +0200

    block: hd: remove deprecated IRQF_DISABLED
    
    This patch removes the use of the IRQF_DISABLED flag
    from drivers/block/hd.c
    
    It's a NOOP since 2.6.35 and it will be removed one day.
    
    This also removes a related comment which is obsolete too.
    
    Signed-off-by: Michael Opdenacker <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>

commit 19aeb5a65f1a6504fc665466c188241e7393d66f
Author: Bob Peterson <[email protected]>
Date:   Mon Sep 29 08:52:04 2014 -0400

    GFS2: Make rename not save dirent location
    
    This patch fixes a regression in the patch "GFS2: Remember directory
    insert point", commit 2b47dad866d04f14c328f888ba5406057b8c7d33.
    The problem had to do with the rename function: The function found
    space for the new dirent, and remembered that location. But then the
    old dirent was removed, which often moved the eligible location for
    the renamed dirent. Putting the new dirent at the saved location
    caused file system corruption.
    
    This patch adds a new "save_loc" variable to struct gfs2_diradd.
    If 1, the dirent location is saved. If 0, the dirent location is not
    saved and the buffer_head is released as per previous behavior.
    
    Signed-off-by: Bob Peterson <[email protected]>
    Signed-off-by: Steven Whitehouse <[email protected]>

commit 5235166fbc332c8b5dcf49e3a498a8b510a77449
Author: Oliver Neukum <[email protected]>
Date:   Tue Sep 30 12:54:56 2014 +0200

    HID: usbhid: add another mouse that needs QUIRK_ALWAYS_POLL
    
    There is a second mouse sharing the same vendor strings but different IDs.
    
    Signed-off-by: Oliver Neukum <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>

commit 2013add4ce73c93ae2148969a9ec3ecc8b1e26fa
Author: Gavin Shan <[email protected]>
Date:   Wed Oct 1 14:34:51 2014 +1000

    powerpc/eeh: Show hex prefix for PE state sysfs
    
    As Michael suggested, the hex prefix for the output of EEH PE
    state sysfs entry (/sys/bus/pci/devices/xxx/eeh_pe_state) is
    always informative to users.
    
    Suggested-by: Michael Ellerman <[email protected]>
    Signed-off-by: Gavin Shan <[email protected]>
    Signed-off-by: Michael Ellerman <[email protected]>

commit 24c20f10583647e30afe87b6f6d5e14bc7b1cbc6
Author: Christoph Hellwig <[email protected]>
Date:   Tue Sep 30 16:43:46 2014 +0200

    scsi: add a CONFIG_SCSI_MQ_DEFAULT option
    
    Add a Kconfig option to enable the blk-mq path for SCSI by default
    to ease testing and deployment in setups that know they benefit
    from blk-mq.
    
    Signed-off-by: Christoph Hellwig <[email protected]>
    Reviewed-by: Martin K. Petersen <[email protected]>
    Reviewed-by: Robert Elliott <[email protected]>
    Tested-by: Robert Elliott <[email protected]>

commit e785060ea3a1c8e37a8bc1449c79e36bff2b5b13
Author: Dolev Raviv <[email protected]>
Date:   Thu Sep 25 15:32:36 2014 +0300

    ufs: definitions for phy interface
    
    - Adding some of the definitions missing in unipro.h, including power
      enumeration.
    - Read Modify Write Line helper function
    - Indication for the type of suspend
    
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Subhash Jadavani <[email protected]>
    Signed-off-by: Yaniv Gardi <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 374a246e4ebda1fc55d537877bf2412e511ecc7b
Author: Subhash Jadavani <[email protected]>
Date:   Thu Sep 25 15:32:35 2014 +0300

    ufs: tune bkops while power managment events
    
    Add capability to control the auto bkops during suspend.
    If host explicitly enables the auto bkops (background operation) on device
    then only device would perform the bkops on its own. If auto bkops is not
    enabled explicitly and if the device reaches to state where it must do
    background operation, device would raise the urgent bkops exception event
    to host and then host will enable the auto bkops on device. This patch
    adds the option to choose whether auto bkops should be enabled during
    runtime suspend or not. Since we don't want to keep the device active to
    perform the non critical bkops, host will enable urgent bkops only.
    
    Keep auto-bkops enabled after resume if urgent bkops needed.
    If device bkops status shows that its in critical need of executing
    background operations, host should allow the device to continue doing
    background operations.
    
    Signed-off-by: Subhash Jadavani <[email protected]>
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 856b348305c98d4e0c8e5eafa97c61443197f8d3
Author: Sahitya Tummala <[email protected]>
Date:   Thu Sep 25 15:32:34 2014 +0300

    ufs: Add support for clock scaling using devfreq framework
    
    The clocks for UFS device will be managed by generic DVFS (Dynamic
    Voltage and Frequency Scaling) framework within kernel. This devfreq
    framework works with different governors to scale the clocks. By default,
    UFS devices uses simple_ondemand governor which scales the clocks up if
    the load is more than upthreshold and scales down if the load is less than
    downthreshold.
    
    Signed-off-by: Sahitya Tummala <[email protected]>
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 4cff6d991e4a291cf50fe2659da2ea9ad46620bf
Author: Sahitya Tummala <[email protected]>
Date:   Thu Sep 25 15:32:33 2014 +0300

    ufs: Add freq-table-hz property for UFS device
    
    Add freq-table-hz propery for UFS device to keep track of
    <min max> frequencies supported by UFS clocks.
    
    Signed-off-by: Sahitya Tummala <[email protected]>
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 1ab27c9cf8b63dd8dec9e17b5c17721c7f3b6cc7
Author: Sahitya Tummala <[email protected]>
Date:   Thu Sep 25 15:32:32 2014 +0300

    ufs: Add support for clock gating
    
    The UFS controller clocks can be gated after certain period of
    inactivity, which is typically less than runtime suspend timeout.
    In addition to clocks the link will also be put into Hibern8 mode
    to save more power.
    
    The clock gating can be turned on by enabling the capability
    UFSHCD_CAP_CLK_GATING. To enable entering into Hibern8 mode as part of
    clock gating, set the capability UFSHCD_CAP_HIBERN8_WITH_CLK_GATING.
    
    The tracing events for clock gating can be enabled through debugfs as:
    echo 1 > /sys/kernel/debug/tracing/events/ufs/ufshcd_clk_gating/enable
    cat /sys/kernel/debug/tracing/trace_pipe
    
    Signed-off-by: Sahitya Tummala <[email protected]>
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 7eb584db73bebbc9852a14341431ed6935419bec
Author: Dolev Raviv <[email protected]>
Date:   Thu Sep 25 15:32:31 2014 +0300

    ufs: refactor configuring power mode
    
    Sometimes, the device shall report its maximum power and speed
    capabilities, but we might not wish to configure it to use those
    maximum capabilities.
    This change adds support for the vendor specific host driver to
    implement power change notify callback.
    
    To enable configuring different power modes (number of lanes,
    gear number and fast/slow modes) it is necessary to split the
    configuration stage from the stage that reads the device max power mode.
    In addition, it is not required to read the configuration more than
    once, thus the configuration is stored after reading it once.
    
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Yaniv Gardi <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 57d104c153d3d6d7bea60089e80f37501851ed2c
Author: Subhash Jadavani <[email protected]>
Date:   Thu Sep 25 15:32:30 2014 +0300

    ufs: add UFS power management support
    
    This patch adds support for UFS device and UniPro link power management
    during runtime/system PM.
    
    Main idea is to define multiple UFS low power levels based on UFS device
    and UFS link power states. This would allow any specific platform or pci
    driver to choose the best suited low power level during runtime and
    system suspend based on their power goals.
    
    bkops handlig:
    To put the UFS device in sleep state when bkops is disabled, first query
    the bkops status from the device and enable bkops on device only if
    device needs time to perform the bkops.
    
    START_STOP handling:
    Before sending START_STOP_UNIT to the device well-known logical unit
    (w-lun) to make sure that the device w-lun unit attention condition is
    cleared.
    
    Write protection:
    UFS device specification allows LUs to be write protected, either
    permanently or power on write protected. If any LU is power on write
    protected and if the card is power cycled (by powering off VCCQ and/or
    VCC rails), LU's write protect status would be lost. So this means those
    LUs can be written now. To ensures that UFS device is power cycled only
    if the power on protect is not set for any of the LUs, check if power on
    write protect is set and if device is in sleep/power-off state & link in
    inactive state (Hibern8 or OFF state).
    If none of the Logical Units on UFS device is power on write protected
    then all UFS device power rails (VCC, VCCQ & VCCQ2) can be turned off if
    UFS device is in power-off state and UFS link is in OFF state. But current
    implementation would disable all device power rails even if UFS link is
    not in OFF state.
    
    Low power mode:
    If UFS link is in OFF state then UFS host controller can be power collapsed
    to avoid leakage current from it. Note that if UFS host controller is power
    collapsed, full UFS reinitialization will be required on resume to
    re-establish the link between host and device.
    
    Signed-off-by: Subhash Jadavani <[email protected]>
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Sujit Reddy Thumma <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 0ce147d48a3e3352859f0c185e98e8392bee7a25
Author: Subhash Jadavani <[email protected]>
Date:   Thu Sep 25 15:32:29 2014 +0300

    ufs: introduce well known logical unit in ufs
    
    UFS device may have standard LUs and LUN id could be from 0x00 to 0x7F.
    UFS device specification use "Peripheral Device Addressing Format"
    (SCSI SAM-5) for standard LUs.
    
    UFS device may also have the Well Known LUs (also referred as W-LU) which
    again could be from 0x00 to 0x7F. For W-LUs, UFS device specification only
    allows the "Extended Addressing Format" (SCSI SAM-5) which means the W-LUNs
    would start from 0xC100 onwards.
    
    This means max. LUN number reported from UFS device could be 0xC17F hence
    this patch advertise the "max_lun" as 0xC17F which will allow SCSI mid
    layer to detect the W-LUs as well.
    
    But once the W-LUs are detected, UFSHCD driver may get the commands with
    SCSI LUN id upto 0xC17F but UPIU LUN id field is only 8-bit wide so it
    requires the mapping of SCSI LUN id to UPIU LUN id. This patch also add
    support for this mapping.
    
    Signed-off-by: Subhash Jadavani <[email protected]>
    Signed-off-by: Dolev Raviv <[email protected]>
    Signed-off-by: Sujit Reddy Thumma <[email protected]>
    Signed-off-by: Christoph Hellwig <[email protected]>

commit 2a8fa600445c45222632810a4811ce820279d106
Author: Subhash Jadavani <su…
pstglia pushed a commit to pstglia/linux that referenced this pull request Oct 6, 2014
Array 'g_iommus' may be freed twice on error recovery path in function
init_dmars() and free_dmar_iommu(), thus cause random system crash as
below.

[    6.774301] IOMMU: dmar init failed
[    6.778310] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[    6.785615] software IO TLB [mem 0x76bcf000-0x7abcf000] (64MB) mapped at [ffff880076bcf000-ffff88007abcefff]
[    6.796887] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
[    6.804173] Modules linked in:
[    6.807731] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.0-rc1+ torvalds#108
[    6.815122] Hardware name: Intel Corporation BRICKLAND/BRICKLAND, BIOS BRIVTIN1.86B.0047.R00.1402050741 02/05/2014
[    6.836000] task: ffff880455a80000 ti: ffff880455a88000 task.ti: ffff880455a88000
[    6.844487] RIP: 0010:[<ffffffff8143eea6>]  [<ffffffff8143eea6>] memcpy+0x6/0x110
[    6.853039] RSP: 0000:ffff880455a89cc8  EFLAGS: 00010293
[    6.859064] RAX: ffff006568636163 RBX: ffff00656863616a RCX: 0000000000000005
[    6.867134] RDX: 0000000000000005 RSI: ffffffff81cdc439 RDI: ffff006568636163
[    6.875205] RBP: ffff880455a89d30 R08: 000000000001bc3b R09: 0000000000000000
[    6.883275] R10: 0000000000000000 R11: ffffffff81cdc43e R12: ffff880455a89da8
[    6.891338] R13: ffff006568636163 R14: 0000000000000005 R15: ffffffff81cdc439
[    6.899408] FS:  0000000000000000(0000) GS:ffff88045b800000(0000) knlGS:0000000000000000
[    6.908575] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    6.915088] CR2: ffff88047e1ff000 CR3: 0000000001e0e000 CR4: 00000000001407f0
[    6.923160] Stack:
[    6.925487]  ffffffff8143c904 ffff88045b407e00 ffff006568636163 ffff006568636163
[    6.934113]  ffffffff8120a1a9 ffffffff81cdc43e 0000000000000007 0000000000000000
[    6.942747]  ffff880455a89da8 ffff006568636163 0000000000000007 ffffffff81cdc439
[    6.951382] Call Trace:
[    6.954197]  [<ffffffff8143c904>] ? vsnprintf+0x124/0x6f0
[    6.960323]  [<ffffffff8120a1a9>] ? __kmalloc_track_caller+0x169/0x360
[    6.967716]  [<ffffffff81440e1b>] kvasprintf+0x6b/0x80
[    6.973552]  [<ffffffff81432bf1>] kobject_set_name_vargs+0x21/0x70
[    6.980552]  [<ffffffff8143393d>] kobject_init_and_add+0x4d/0x90
[    6.987364]  [<ffffffff812067c9>] ? __kmalloc+0x169/0x370
[    6.993492]  [<ffffffff8102dbbc>] ? cache_add_dev+0x17c/0x4f0
[    7.000005]  [<ffffffff8102ddfa>] cache_add_dev+0x3ba/0x4f0
[    7.006327]  [<ffffffff821a87ca>] ? i8237A_init_ops+0x14/0x14
[    7.012842]  [<ffffffff821a87f8>] cache_sysfs_init+0x2e/0x61
[    7.019260]  [<ffffffff81002162>] do_one_initcall+0xf2/0x220
[    7.025679]  [<ffffffff810a4a29>] ? parse_args+0x2c9/0x450
[    7.031903]  [<ffffffff8219d1b1>] kernel_init_freeable+0x1c9/0x25b
[    7.038904]  [<ffffffff8219c8d2>] ? do_early_param+0x8a/0x8a
[    7.045322]  [<ffffffff8184d5e0>] ? rest_init+0x150/0x150
[    7.051447]  [<ffffffff8184d5ee>] kernel_init+0xe/0x100
[    7.057380]  [<ffffffff8187b87c>] ret_from_fork+0x7c/0xb0
[    7.063503]  [<ffffffff8184d5e0>] ? rest_init+0x150/0x150
[    7.069628] Code: 89 e5 53 48 89 fb 75 16 80 7f 3c 00 75 05 e8 d2 f9 ff ff 48 8b 43 58 48 2b 43 50 88 43 4e 5b 5d c3 90 90 90 90 48 89 f8 48 89 d1 <f3> a4 c3 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 20 4c 8b 06 4c 8b
[    7.094960] RIP  [<ffffffff8143eea6>] memcpy+0x6/0x110
[    7.100856]  RSP <ffff880455a89cc8>
[    7.104864] ---[ end trace b5d3fdc6c6c28083 ]---
[    7.110142] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    7.110142]
[    7.120540] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)

Signed-off-by: Jiang Liu <[email protected]>
Signed-off-by: Joerg Roedel <[email protected]>
bengal pushed a commit to bengal/linux that referenced this pull request Oct 7, 2014
WARNING: Missing a blank line after declarations
torvalds#108: FILE: arch/arm64/mm/flush.c:114:
+	pmd_t pmd = pmd_mksplitting(*pmdp);
+	VM_BUG_ON(address & ~PMD_MASK);

total: 0 errors, 1 warnings, 72 lines checked

./patches/arm64-mm-enable-rcu-fast_gup.patch has style problems, please review.

If any of these errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Steve Capper <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
bengal pushed a commit to bengal/linux that referenced this pull request Nov 11, 2014
On latest mm + KASan patchset I've got this:

    ==================================================================
    BUG: AddressSanitizer: out of bounds access in sched_init_smp+0x3ba/0x62c at addr ffff88006d4bee6c
    =============================================================================
    BUG kmalloc-8 (Not tainted): kasan error
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in alloc_vfsmnt+0xb0/0x2c0 age=75 cpu=0 pid=0
     __slab_alloc+0x4b4/0x4f0
     __kmalloc_track_caller+0x15f/0x1e0
     kstrdup+0x44/0x90
     alloc_vfsmnt+0xb0/0x2c0
     vfs_kern_mount+0x35/0x190
     kern_mount_data+0x25/0x50
     pid_ns_prepare_proc+0x19/0x50
     alloc_pid+0x5e2/0x630
     copy_process.part.41+0xdf5/0x2aa0
     do_fork+0xf5/0x460
     kernel_thread+0x21/0x30
     rest_init+0x1e/0x90
     start_kernel+0x522/0x531
     x86_64_start_reservations+0x2a/0x2c
     x86_64_start_kernel+0x15b/0x16a
    INFO: Slab 0xffffea0001b52f80 objects=24 used=22 fp=0xffff88006d4befc0 flags=0x100000000004080
    INFO: Object 0xffff88006d4bed20 @offset=3360 fp=0xffff88006d4bee70

    Bytes b4 ffff88006d4bed10: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
    Object ffff88006d4bed20: 70 72 6f 63 00 6b 6b a5                          proc.kk.
    Redzone ffff88006d4bed28: cc cc cc cc cc cc cc cc                          ........
    Padding ffff88006d4bee68: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
    CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B          3.18.0-rc3-mm1+ torvalds#108
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
     ffff88006d4be000 0000000000000000 ffff88006d4bed20 ffff88006c86fd18
     ffffffff81cd0a59 0000000000000058 ffff88006d404240 ffff88006c86fd48
     ffffffff811fa3a8 ffff88006d404240 ffffea0001b52f80 ffff88006d4bed20
    Call Trace:
    dump_stack (lib/dump_stack.c:52)
    print_trailer (mm/slub.c:645)
    object_err (mm/slub.c:652)
    ? sched_init_smp (kernel/sched/core.c:6552 kernel/sched/core.c:7063)
    kasan_report_error (mm/kasan/report.c:102 mm/kasan/report.c:178)
    ? kasan_poison_shadow (mm/kasan/kasan.c:48)
    ? kasan_unpoison_shadow (mm/kasan/kasan.c:54)
    ? kasan_poison_shadow (mm/kasan/kasan.c:48)
    ? kasan_kmalloc (mm/kasan/kasan.c:311)
    __asan_load4 (mm/kasan/kasan.c:371)
    ? sched_init_smp (kernel/sched/core.c:6552 kernel/sched/core.c:7063)
    sched_init_smp (kernel/sched/core.c:6552 kernel/sched/core.c:7063)
    kernel_init_freeable (init/main.c:869 init/main.c:997)
    ? finish_task_switch (kernel/sched/sched.h:1036 kernel/sched/core.c:2248)
    ? rest_init (init/main.c:924)
    kernel_init (init/main.c:929)
    ? rest_init (init/main.c:924)
    ret_from_fork (arch/x86/kernel/entry_64.S:348)
    ? rest_init (init/main.c:924)
    Read of size 4 by task swapper/0:
    Memory state around the buggy address:
     ffff88006d4beb80: fc fc fc fc fc fc fc fc fc fc 00 fc fc fc fc fc
     ffff88006d4bec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88006d4bec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88006d4bed00: fc fc fc fc 00 fc fc fc fc fc fc fc fc fc fc fc
     ffff88006d4bed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    >ffff88006d4bee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 04 fc
                                                              ^
     ffff88006d4bee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88006d4bef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88006d4bef80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
     ffff88006d4bf000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff88006d4bf080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

Zero 'level' (e.g. on non-NUMA system) causing out of bounds
access in this line:

     sched_max_numa_distance = sched_domains_numa_distance[level - 1];

Fix this by exiting from sched_init_numa() earlier.

Signed-off-by: Andrey Ryabinin <[email protected]>
Reviewed-by: Rik van Riel <[email protected]>
Fixes: 9942f79 ("sched/numa: Export info needed for NUMA balancing on complex topologies")
Cc: [email protected]
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
aryabinin referenced this pull request in aryabinin/linux Nov 18, 2014
GIT ca1fa22e67bcfc84f49e44ad6f728e3e3d487dce

commit 48eb5b9c3dd2768b6a4de9c1eab606820fd84192
Author: Daniel Borkmann <[email protected]>
Date:   Tue Nov 11 10:22:05 2014 -0800

    ixgbe: phy: fix uninitialized status in ixgbe_setup_phy_link_tnx
    
    Status variable is never initialized, can carry an arbitrary value
    on the stack and thus may let the function fail.
    
    Fixes: e90dd2645664 ("ixgbe: Make return values more direct")
    Signed-off-by: Daniel Borkmann <[email protected]>
    Acked-by: Emil Tantilov <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 4eed83a252257ad8ad41ba1c769341960ed4cdc5
Author: James Cameron <[email protected]>
Date:   Tue Nov 11 16:21:28 2014 +1100

    mwifiex: simplify ad hoc join capability info
    
    While preparing an ad-hoc start command, the capability info bitmap is
    needlessly set from the command, and then the ESS bit cleared.
    
    Change to set the bitmap directly without reference to the command.
    
    Signed-off-by: James Cameron <[email protected]>
    Acked-by: Amitkumar Karwar <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit d351f5fea44a7527819598070e11b5c9dc53c017
Author: Luciano Coelho <[email protected]>
Date:   Mon Nov 10 09:25:57 2014 +0200

    wlcore: make wlcore_cmd_send_failsafe() static
    
    The wlcore_cmd_send_failsafe() function is only called in the cmd.c
    file, where it is definde.  Make it static.
    
    Additionally, move the EXPORT_SYMBOL macro for wl1271_cmd_send() to
    the right place.
    
    Signed-off-by: Luciano Coelho <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit f5b8f4790bb5dfd541f9d61589357ea6042cc668
Author: Luciano Coelho <[email protected]>
Date:   Mon Nov 10 09:25:17 2014 +0200

    wlcore: check minimum buffer size in some cmd_send functions
    
    Check for the minimum required buffer length in wlcore_cmd_send() and
    wlcore_cmd_configure_failsafe.  This ensures that we will never try to
    use a buffer that is smaller than the required header.
    
    Reported-by: Dan Carpenter <[email protected]>
    Signed-off-by: Luciano Coelho <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 0d4b5c7c0892cb377cc71c388433425f598b902b
Author: Amitkumar Karwar <[email protected]>
Date:   Fri Nov 7 02:14:52 2014 -0800

    mwifiex: fix version display problem on big endian platforms
    
    It's been observed that wrong firmware version (ex. 66.14.96.p9
    instead of 14.66.9.p96) is displayed on big endian platforms.
    
    The problem is fixed here.
    
    Reported-by: Daniel Mosquera <[email protected]>
    Tested-by: Daniel Mosquera <[email protected]>
    Signed-off-by: Amitkumar Karwar <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 3f2aa13f6d16a53a4cf5de369c685c6f75fe4d58
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:38 2014 +0100

    ath9k_htc: add spectral scan debug interface
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 83fb287ecd8ae60ed79c647a5df8beacdf4f4807
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:37 2014 +0100

    ath9k_htc: process rx spectral packets
    
    use code provided by Ashish Patro <[email protected]>
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 911544f6a8d66c27ff807f5d71e3f0f5a904c100
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:36 2014 +0100

    ath9k_htc: trigger spectral scan on set_channel
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 88a2e3fb7b7e9dd3c51ceef81e0415478c27910c
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:35 2014 +0100

    ath9k_htc: set initial spec_config values
    
    use values provided by Ashish Patro <[email protected]>
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit fe30e8bb5be52e2e6b913db77dda6c22b643dbd7
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:34 2014 +0100

    ath9k_htc: add struct ath_spec_scan_priv to ath9k_htc_priv
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 94cd95c217a5ed4c45e2a8c97043c3efcd66dac9
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:33 2014 +0100

    ath9k_htc: add ath_ps_ops bindings
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 525d09456b9fc2f769647c744c75629d9926fb9e
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:32 2014 +0100

    ath9k_htc: fix rs_datalen conversation
    
    For some reason it didn't coused obvious problems.
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 46140ddf169703ef0538bf00098233b24b2269e8
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:31 2014 +0100

    ath9k: For AR9271 chipsets, set count = 0 for endless samples.
    
    not sure why.
    Initially provided by Ashish Patro <[email protected]>
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 67dc74f15f147b9f88702de2952d2951e3e000ec
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:30 2014 +0100

    ath9k: move spectral.* to common-spectral.*
    
    and rename exports from ath9k_spectral_* to ath9k_cmn_spectral_*
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit f00a422cc81ef665f5098c0bc43cb0c616e55a9b
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:29 2014 +0100

    ath9k: move ath9k_spectral_scan_ from main.c to spectral.c
    
    Now we should be ready to make this code common.
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 963916dfe2907d91eb8a250d12d2b5ae5a1bb343
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:28 2014 +0100

    ath9k: make ath9k_spectral_scan_ do not depend on ath_softc
    
    last preparation before moving ath9k_spectral_scan_ to spectral.c
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit ef948da55f20edbb68dac427b7e067c805c852f5
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:27 2014 +0100

    ath9k: use ath_common instead of ieee80211_hw in ath9k_spectral_scan_
    
    we don't have here any ieee80211_hw dependencies any way.
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 934bdc73dd3029c1b91e1a3538268b4afccd58cf
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:26 2014 +0100

    ath9k: use ath_ps_ops in ath9k_spectral_scan_
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 99d2217b731e664aa31001839f12944b1e114a08
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:25 2014 +0100

    ath9k: add ath_ps_ops bindings
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 0198c2e2987c5cd4980f15126d7c68759f4def95
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:24 2014 +0100

    ath: add struct ath_ps_ops
    
    we will need it to make common code
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 1111d426ef6a62903a8427a80c2a20cdf0380349
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:23 2014 +0100

    ath9k: remove all struct ath_softc dependencies from spectral code
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit dd7657be756551b23b3431d81e66a8d95a72c923
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:22 2014 +0100

    ath9k: add ath_hw to ath_spec_scan_priv
    
    spectral code mostly depends on ath_hw, not on ath_softc
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit c10b75af4344fe0e678d167cb401a94f565e978c
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:21 2014 +0100

    ath9k: use struct dentry by ath9k_spectral_init_debug
    
    this will alow us to make ath_softc independent code.
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 21af25d00b8bdf03a899b316d41d31ac3eafaf78
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:20 2014 +0100

    ath9k: move spec_config to ath_spec_scan_priv
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 8391f60194bd0d9ab489105381df6455afe1f39a
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:19 2014 +0100

    ath9k: move spectral_mode to ath_spec_scan_priv
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 911ea79f435302fabefa305d3649efd4e205672b
Author: Oleksij Rempel <[email protected]>
Date:   Thu Nov 6 08:53:18 2014 +0100

    ath9k: add struct ath_spec_scan_priv
    
    and move rfs_chan_spec_scan to this struct. We will need it
    for common spectral scan code.
    
    Signed-off-by: Oleksij Rempel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit d7d8b83473e6932cfe9f89e6d839f27abf35b319
Author: Avinash Patil <[email protected]>
Date:   Wed Nov 5 17:04:31 2014 +0530

    mwifiex: fix warning while starting BSS
    
    We see this warning while starting mwifiex AP:
    Unsupported RX-STBC, default to 2x2
    
    This was happening because of wrong offset while copying HT
    capabilities from BSS configuration of start_ap handler.
    
    Signed-off-by: Amitkumar Karwar <[email protected]>
    Signed-off-by: Avinash Patil <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit bfd713bc1a5d7f01e3d7febe0849b21ae1355c7c
Author: Avinash Patil <[email protected]>
Date:   Wed Nov 5 17:04:30 2014 +0530

    mwifiex: do not setup AMPDU/AMSDU with broadcast receiver
    
    It is observed that device sometimes sends BA setup requests for
    broadcast mac address.
    This patch adds a check to avoid checking availability of
    AMPDU/AMSDU streams for broadcast mac address.
    
    Signed-off-by: Amitkumar Karwar <[email protected]>
    Signed-off-by: Avinash Patil <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit cf6a64fd603ae0f7391f7589b0f3568d4e79605c
Author: Amitkumar Karwar <[email protected]>
Date:   Wed Nov 5 17:04:29 2014 +0530

    mwifiex: fix out of memory issue observed for USB chipsets
    
    On some platforms, system goes out of memory during heavy
    Rx traffic with our USB chipsets.
    
    In case of SDIO/PCIe, after receiving 50 packets in Rx queue
    we stop processing interrupts till packets pending fall below
    low threshold i.e 20. We don't have similar logic for USB,
    so if host platform is slow, we would hit a case where firmware
    keeps on pushing packets at high speed than driver/kernel can
    process.
    
    We will stop submitting URBs for Rx data when pending packet
    count reaches high threshold and restart them when enough
    packets are consumed to solve the problem.
    
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=85071
    Reported-by: Marek Belisko <[email protected]>
    Tested-by: Marek Belisko <[email protected]>
    Signed-off-by: Avinash Patil <[email protected]>
    Signed-off-by: Cathy Luo <[email protected]>
    Signed-off-by: Amitkumar Karwar <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 041bfab5bbb6ec721c743f487e3e22b87f666996
Author: Avinash Patil <[email protected]>
Date:   Wed Nov 5 17:04:28 2014 +0530

    mwifiex: remove data_complete handler
    
    This patch removes redundant data complete handler.
    
    Signed-off-by: Avinash Patil <[email protected]>
    Signed-off-by: Cathy Luo <[email protected]>
    Signed-off-by: Amitkumar Karwar <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit ec4a16b4d287d4d0f7465ae7e61ce4e9021d715c
Author: Avinash Patil <[email protected]>
Date:   Wed Nov 5 17:04:27 2014 +0530

    mwifiex: rx workqueue support for USB interface
    
    This patch adds RX workqueue support for USB interfaces.
    Currently rx_pending is applicable for cmd/events and Rx
    data in USB interface. Let's use it only for Rx data.
    
    Signed-off-by: Avinash Patil <[email protected]>
    Signed-off-by: Cathy Luo <[email protected]>
    Signed-off-by: Amitkumar Karwar <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit d385c5c2860075e1f3e03074f043dd8a828b2862
Author: Felix Fietkau <[email protected]>
Date:   Tue Nov 4 16:56:57 2014 +0100

    ath9k: add support for reporting tx power to mac80211
    
    Track it per channel context instead of in the softc
    
    Signed-off-by: Felix Fietkau <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 71783576b5345d63df048c0f18974037eea6e4f9
Author: Hauke Mehrtens <[email protected]>
Date:   Sat Nov 1 16:54:56 2014 +0100

    bcma: get IRQ numbers from dt
    
    It is not possible to auto detect the irq numbers used by the cores on
    an arm SoC. If bcma was registered with device tree it will search for
    some device tree nodes with the irq number and add it to the core
    configuration.
    
    Signed-off-by: Hauke Mehrtens <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 85eb92e81801d64686eb78928d500a4c83ee9623
Author: Hauke Mehrtens <[email protected]>
Date:   Sat Nov 1 16:54:55 2014 +0100

    bcma: make it possible to specify a IRQ num in bcma_core_irq()
    
    This moves bcma_core_irq() to main.c and add a extra parameter with a
    number so that we can return different irq number for devices with more
    than one.
    
    Signed-off-by: Hauke Mehrtens <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 09626e9d153326ca82568e4e27f2daa53713992e
Author: WANG Cong <[email protected]>
Date:   Tue Nov 11 13:29:42 2014 -0800

    net: kill netif_copy_real_num_queues()
    
    vlan was the only user of netif_copy_real_num_queues(),
    but it no longer calls it after
    commit 4af429d29b341bb1735f04c2fb960178 ("vlan: lockless transmit path").
    So we can just remove it.
    
    Cc: Eric Dumazet <[email protected]>
    Cc: David S. Miller <[email protected]>
    Signed-off-by: Cong Wang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 67732cd34382066ae5df313b6dad65ab14b9735f
Author: Ulf Hansson <[email protected]>
Date:   Tue Nov 11 11:07:08 2014 +0100

    PM / Domains: Fix initial default state of the need_restore flag
    
    The initial state of the device's need_restore flag should'nt depend on
    the current state of the PM domain. For example it should be perfectly
    valid to attach an inactive device to a powered PM domain.
    
    The pm_genpd_dev_need_restore() API allow us to update the need_restore
    flag to somewhat cope with such scenarios. Typically that should have
    been done from drivers/buses ->probe() since it's those that put the
    requirements on the value of the need_restore flag.
    
    Until recently, the Exynos SOCs were the only user of the
    pm_genpd_dev_need_restore() API, though invoking it from a centralized
    location while adding devices to their PM domains.
    
    Due to that Exynos now have swithed to the generic OF-based PM domain
    look-up, it's no longer possible to invoke the API from a centralized
    location. The reason is because devices are now added to their PM
    domains during the probe sequence.
    
    Commit "ARM: exynos: Move to generic PM domain DT bindings"
    did the switch for Exynos to the generic OF-based PM domain look-up,
    but it also removed the call to pm_genpd_dev_need_restore(). This
    caused a regression for some of the Exynos drivers.
    
    To handle things more properly in the generic PM domain, let's change
    the default initial value of the need_restore flag to reflect that the
    state is unknown. As soon as some of the runtime PM callbacks gets
    invoked, update the initial value accordingly.
    
    Moreover, since the generic PM domain is verifying that all devices
    are both runtime PM enabled and suspended, using pm_runtime_suspended()
    while pm_genpd_poweroff() is invoked from the scheduled work, we can be
    sure of that the PM domain won't be powering off while having active
    devices.
    
    Do note that, the generic PM domain can still only know about active
    devices which has been activated through invoking its runtime PM resume
    callback. In other words, buses/drivers using pm_runtime_set_active()
    during ->probe() will still suffer from a race condition, potentially
    probing a device without having its PM domain being powered. That issue
    will have to be solved using a different approach.
    
    This a log from the boot regression for Exynos5, which is being fixed in
    this patch.
    
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 308 at ../drivers/clk/clk.c:851 clk_disable+0x24/0x30()
    Modules linked in:
    CPU: 0 PID: 308 Comm: kworker/0:1 Not tainted 3.18.0-rc3-00569-gbd9449f-dirty #10
    Workqueue: pm pm_runtime_work
    [<c0013c64>] (unwind_backtrace) from [<c0010dec>] (show_stack+0x10/0x14)
    [<c0010dec>] (show_stack) from [<c03ee4cc>] (dump_stack+0x70/0xbc)
    [<c03ee4cc>] (dump_stack) from [<c0020d34>] (warn_slowpath_common+0x64/0x88)
    [<c0020d34>] (warn_slowpath_common) from [<c0020d74>] (warn_slowpath_null+0x1c/0x24)
    [<c0020d74>] (warn_slowpath_null) from [<c03107b0>] (clk_disable+0x24/0x30)
    [<c03107b0>] (clk_disable) from [<c02cc834>] (gsc_runtime_suspend+0x128/0x160)
    [<c02cc834>] (gsc_runtime_suspend) from [<c0249024>] (pm_generic_runtime_suspend+0x2c/0x38)
    [<c0249024>] (pm_generic_runtime_suspend) from [<c024f44c>] (pm_genpd_default_save_state+0x2c/0x8c)
    [<c024f44c>] (pm_genpd_default_save_state) from [<c024ff2c>] (pm_genpd_poweroff+0x224/0x3ec)
    [<c024ff2c>] (pm_genpd_poweroff) from [<c02501b4>] (pm_genpd_runtime_suspend+0x9c/0xcc)
    [<c02501b4>] (pm_genpd_runtime_suspend) from [<c024a4f8>] (__rpm_callback+0x2c/0x60)
    [<c024a4f8>] (__rpm_callback) from [<c024a54c>] (rpm_callback+0x20/0x74)
    [<c024a54c>] (rpm_callback) from [<c024a930>] (rpm_suspend+0xd4/0x43c)
    [<c024a930>] (rpm_suspend) from [<c024bbcc>] (pm_runtime_work+0x80/0x90)
    [<c024bbcc>] (pm_runtime_work) from [<c0032a9c>] (process_one_work+0x12c/0x314)
    [<c0032a9c>] (process_one_work) from [<c0032cf4>] (worker_thread+0x3c/0x4b0)
    [<c0032cf4>] (worker_thread) from [<c003747c>] (kthread+0xcc/0xe8)
    [<c003747c>] (kthread) from [<c000e738>] (ret_from_fork+0x14/0x3c)
    ---[ end trace 40cd58bcd6988f12 ]---
    
    Fixes: a4a8c2c4962bb655 (ARM: exynos: Move to generic PM domain DT bindings)
    Reported-and-tested0by: Sylwester Nawrocki <[email protected]>
    Reviewed-by: Sylwester Nawrocki <[email protected]>
    Reviewed-by: Kevin Hilman <[email protected]>
    Signed-off-by: Ulf Hansson <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>

commit 4e6ce4dc7ce71d0886908d55129d5d6482a27ff9
Author: Miaoqing Pan <[email protected]>
Date:   Thu Nov 6 10:52:23 2014 +0530

    ath9k: Fix RTC_DERIVED_CLK usage
    
    Based on the reference clock, which could be 25MHz or 40MHz,
    AR_RTC_DERIVED_CLK is programmed differently for AR9340 and AR9550.
    But, when a chip reset is done, processing the initvals
    sets the register back to the default value.
    
    Fix this by moving the code in ath9k_hw_init_pll() to
    ar9003_hw_override_ini(). Also, do this override for AR9531.
    
    Cc: [email protected]
    Signed-off-by: Miaoqing Pan <[email protected]>
    Signed-off-by: Sujith Manoharan <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit 8bca81d9875c7768c40a19fb439eebaf6cec898d
Author: Sudip Mukherjee <[email protected]>
Date:   Tue Nov 11 14:10:47 2014 +0530

    usbnet: smsc95xx: dereferencing NULL pointer
    
    we were dereferencing dev to initialize pdata. but just after that we
    have a BUG_ON(!dev). so we were basically dereferencing the pointer
    first and then tesing it for NULL.
    
    Signed-off-by: Sudip Mukherjee <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit d65c4e4e0aeb699e984bd4b382efffab418aa359
Author: Joe Perches <[email protected]>
Date:   Tue Nov 11 13:13:41 2014 -0800

    irda: Simplify IRDA logging macros
    
    These are the same as net_<level>_ratelimited, so
    use the more common style in the macro definition.
    
    Signed-off-by: Joe Perches <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 79ce0477ffe82e7e49e55179cd176a1c33382744
Author: Brian Hill <[email protected]>
Date:   Tue Nov 11 13:39:39 2014 -0700

    net: phy: Correctly handle MII ioctl which changes autonegotiation.
    
    When advertised capabilities are changed with mii-tool, such as:
    mii-tool -A 10baseT
    the existing handler has two errors.
    
    - An actual PHY register value is provided by mii-tool, and this
      must be mapped to internal state with mii_adv_to_ethtool_adv_t().
    - The PHY state machine needs to be told that autonegotiation has
      again been performed.  If not, the MAC will not be notified of
      the new link speed and duplex, resulting in a possible config
      mismatch.
    
    Signed-off-by: Brian Hill <[email protected]>
    Acked-by: Florian Fainelli <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 0cd75b19899fd86b51a6480fb8c00dcd85a54591
Author: Arend van Spriel <[email protected]>
Date:   Tue Nov 11 13:58:44 2014 +0100

    brcmfmac: fix conversion of channel width 20MHZ_NOHT
    
    The function chandef_to_chanspec() failed when converting a
    chandef with bandwidth set to NL80211_CHAN_WIDTH_20_NOHT. This
    was reported by user running the device in AP mode.
    
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 304 at
    	drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c:381
    		chandef_to_chanspec.isra.11+0x158/0x184()
    
    Modules linked in:
    
    CPU: 0 PID: 304 Comm: hostapd Not tainted 3.16.0-rc7-abb+g64aa90f #8
    
    [<c0014bb4>] (unwind_backtrace) from [<c0012314>] (show_stack+0x10/0x14)
    [<c0012314>] (show_stack) from [<c001d3f8>] (warn_slowpath_common+0x6c/0x8c)
    [<c001d3f8>] (warn_slowpath_common) from [<c001d4b4>] (warn_slowpath_null+0x1c/0x24)
    [<c001d4b4>] (warn_slowpath_null) from [<c03449a4>] (chandef_to_chanspec.isra.11+0x158/0x184)
    [<c03449a4>] (chandef_to_chanspec.isra.11) from [<c0348e00>] (brcmf_cfg80211_start_ap+0x1e4/0x614)
    [<c0348e00>] (brcmf_cfg80211_start_ap) from [<c04d1468>] (nl80211_start_ap+0x288/0x414)
    [<c04d1468>] (nl80211_start_ap) from [<c043d144>] (genl_rcv_msg+0x21c/0x38c)
    [<c043d144>] (genl_rcv_msg) from [<c043c740>] (netlink_rcv_skb+0xac/0xc0)
    [<c043c740>] (netlink_rcv_skb) from [<c043cf14>] (genl_rcv+0x20/0x34)
    [<c043cf14>] (genl_rcv) from [<c043c0a0>] (netlink_unicast+0x150/0x20c)
    [<c043c0a0>] (netlink_unicast) from [<c043c4b8>] (netlink_sendmsg+0x2b8/0x398)
    [<c043c4b8>] (netlink_sendmsg) from [<c04066a4>] (sock_sendmsg+0x84/0xa8)
    [<c04066a4>] (sock_sendmsg) from [<c0407c5c>] (___sys_sendmsg.part.29+0x268/0x278)
    [<c0407c5c>] (___sys_sendmsg.part.29) from [<c0408bdc>] (__sys_sendmsg+0x4c/0x7c)
    [<c0408bdc>] (__sys_sendmsg) from [<c000ec60>] (ret_fast_syscall+0x0/0x44)
    ---[ end trace 965ee2158c9905a2 ]---
    
    Cc: [email protected] # v3.17
    Reported-by: Pontus Fuchs <[email protected]>
    Reviewed-by: Hante Meuleman <[email protected]>
    Reviewed-by: Daniel (Deognyoun) Kim <[email protected]>
    Reviewed-by: Franky (Zhenhui) Lin <[email protected]>
    Reviewed-by: Pieter-Paul Giesberts <[email protected]>
    Signed-off-by: Arend van Spriel <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit cfd9167af14eb4ec21517a32911d460083ee3d59
Author: Stanislaw Gruszka <[email protected]>
Date:   Tue Nov 11 14:28:47 2014 +0100

    rt2x00: do not align payload on modern H/W
    
    RT2800 and newer hardware require padding between header and payload if
    header length is not multiple of 4.
    
    For historical reasons we also align payload to to 4 bytes boundary, but
    such alignment is not needed on modern H/W.
    
    Patch fixes skb_under_panic problems reported from time to time:
    
    https://bugzilla.kernel.org/show_bug.cgi?id=84911
    https://bugzilla.kernel.org/show_bug.cgi?id=72471
    http://marc.info/?l=linux-wireless&m=139108549530402&w=2
    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1087591
    
    Panic happened because we eat 4 bytes of skb headroom on each
    (re)transmission when sending frame without the payload and the header
    length not being multiple of 4 (i.e. QoS header has 26 bytes). On such
    case because paylad_aling=2 is bigger than header_align=0 we increase
    header_align by 4 bytes. To prevent that we could change the check to:
    
    	if (payload_length && payload_align > header_align)
    		header_align += 4;
    
    but not aligning payload at all is more effective and alignment is not
    really needed by H/W (that has been tested on OpenWrt project for few
    years now).
    
    Reported-and-tested-by: Antti S. Lankila <[email protected]>
    Debugged-by: Antti S. Lankila <[email protected]>
    Reported-by: Henrik Asp <[email protected]>
    Originally-From: Helmut Schaa <[email protected]>
    Cc: [email protected]
    Signed-off-by: Stanislaw Gruszka <[email protected]>
    Signed-off-by: John W. Linville <[email protected]>

commit f47436734dc89ece62654d4db8d08163a89dd7ca
Author: Joe Perches <[email protected]>
Date:   Fri Oct 31 10:50:46 2014 -0700

    tile: Use the more common pr_warn instead of pr_warning
    
    And other message logging neatening.
    
    Other miscellanea:
    
    o coalesce formats
    o realign arguments
    o standardize a couple of macros
    o use __func__ instead of embedding the function name
    
    Signed-off-by: Joe Perches <[email protected]>
    Signed-off-by: Chris Metcalf <[email protected]>

commit ebd25caf7d511312d1a9724ab5752e9e661dfe60
Author: Chen Gang <[email protected]>
Date:   Sun Nov 9 18:32:03 2014 +0800

    arch: tile: gxio: Export symbols for module using in 'mpipe.c'
    
    'gxio_mpipe_adjust_timestamp', 'gxio_mpipe_link_instance',
    'gxio_mpipe_get_timestamp', and 'gxio_mpipe_set_timestamp' may be use by
    other tile modules, so export them.
    
    The related error (with allmodconfig under tile):
    
        MODPOST 4002 modules
      ERROR: "gxio_mpipe_link_instance" [drivers/net/ethernet/tile/tile_net.ko] undefined!
      ERROR: "gxio_mpipe_get_timestamp" [drivers/net/ethernet/tile/tile_net.ko] undefined!
      ERROR: "gxio_mpipe_set_timestamp" [drivers/net/ethernet/tile/tile_net.ko] undefined!
      ERROR: "gxio_mpipe_adjust_timestamp" [drivers/net/ethernet/tile/tile_net.ko] undefined!
    
    Signed-off-by: Chen Gang <[email protected]>
    Signed-off-by: Chris Metcalf <[email protected]>

commit 5337b5b75cd9bd3624a6820e3c2a084d2480061c
Author: Eric Dumazet <[email protected]>
Date:   Mon Nov 10 17:54:25 2014 -0800

    ipv6: fix IPV6_PKTINFO with v4 mapped
    
    Use IS_ENABLED(CONFIG_IPV6), to enable this code if IPv6 is
    a module.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Fixes: c8e6ad0829a7 ("ipv6: honor IPV6_PKTINFO with v4 mapped addresses on sendmsg")
    Acked-by: Hannes Frederic Sowa <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit d7480fd3b1738a8eae6a76098b17af318cf9b9cc
Author: WANG Cong <[email protected]>
Date:   Mon Nov 10 15:59:36 2014 -0800

    neigh: remove dynamic neigh table registration support
    
    Currently there are only three neigh tables in the whole kernel:
    arp table, ndisc table and decnet neigh table. What's more,
    we don't support registering multiple tables per family.
    Therefore we can just make these tables statically built-in.
    
    Cc: David S. Miller <[email protected]>
    Signed-off-by: Cong Wang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 4184b2a79a7612a9272ce20d639934584a1f3786
Author: Daniel Borkmann <[email protected]>
Date:   Mon Nov 10 18:00:09 2014 +0100

    net: sctp: fix memory leak in auth key management
    
    A very minimal and simple user space application allocating an SCTP
    socket, setting SCTP_AUTH_KEY setsockopt(2) on it and then closing
    the socket again will leak the memory containing the authentication
    key from user space:
    
    unreferenced object 0xffff8800837047c0 (size 16):
      comm "a.out", pid 2789, jiffies 4296954322 (age 192.258s)
      hex dump (first 16 bytes):
        01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<ffffffff816d7e8e>] kmemleak_alloc+0x4e/0xb0
        [<ffffffff811c88d8>] __kmalloc+0xe8/0x270
        [<ffffffffa0870c23>] sctp_auth_create_key+0x23/0x50 [sctp]
        [<ffffffffa08718b1>] sctp_auth_set_key+0xa1/0x140 [sctp]
        [<ffffffffa086b383>] sctp_setsockopt+0xd03/0x1180 [sctp]
        [<ffffffff815bfd94>] sock_common_setsockopt+0x14/0x20
        [<ffffffff815beb61>] SyS_setsockopt+0x71/0xd0
        [<ffffffff816e58a9>] system_call_fastpath+0x12/0x17
        [<ffffffffffffffff>] 0xffffffffffffffff
    
    This is bad because of two things, we can bring down a machine from
    user space when auth_enable=1, but also we would leave security sensitive
    keying material in memory without clearing it after use. The issue is
    that sctp_auth_create_key() already sets the refcount to 1, but after
    allocation sctp_auth_set_key() does an additional refcount on it, and
    thus leaving it around when we free the socket.
    
    Fixes: 65b07e5d0d0 ("[SCTP]: API updates to suport SCTP-AUTH extensions.")
    Signed-off-by: Daniel Borkmann <[email protected]>
    Cc: Vlad Yasevich <[email protected]>
    Acked-by: Neil Horman <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit e40607cbe270a9e8360907cb1e62ddf0736e4864
Author: Daniel Borkmann <[email protected]>
Date:   Mon Nov 10 17:54:26 2014 +0100

    net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet
    
    An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
    in the form of:
    
      ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
    
    While the INIT chunk parameter verification dissects through many things
    in order to detect malformed input, it misses to actually check parameters
    inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
    IP address' parameter in ASCONF, which has as a subparameter an address
    parameter.
    
    So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
    or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
    and thus sctp_get_af_specific() returns NULL, too, which we then happily
    dereference unconditionally through af->from_addr_param().
    
    The trace for the log:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
    IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    PGD 0
    Oops: 0000 [#1] SMP
    [...]
    Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
    RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
    [...]
    Call Trace:
     <IRQ>
     [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
     [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
     [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
     [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
     [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
     [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
     [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
     [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
     [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
     [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
     [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
    [...]
    
    A minimal way to address this is to check for NULL as we do on all
    other such occasions where we know sctp_get_af_specific() could
    possibly return with NULL.
    
    Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
    Signed-off-by: Daniel Borkmann <[email protected]>
    Cc: Vlad Yasevich <[email protected]>
    Acked-by: Neil Horman <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 5748eb8f8e989a9da1ac7c96dc73d68cbdedf7df
Author: Takashi Iwai <[email protected]>
Date:   Mon Nov 10 11:50:21 2014 +0100

    net: ppp: Don't call bpf_prog_create() in ppp_lock
    
    In ppp_ioctl(), bpf_prog_create() is called inside ppp_lock, which
    eventually calls vmalloc() and hits BUG_ON() in vmalloc.c.  This patch
    works around the problem by moving the allocation outside the lock.
    
    The bug was revealed by the recent change in net/core/filter.c, as it
    allocates via vmalloc() instead of kmalloc() now.
    
    Reported-and-tested-by: Stefan Seyfried <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit b2e2f0c779fefede3a871781c8827bd8e76c7c0f
Author: Andy Shevchenko <[email protected]>
Date:   Mon Nov 10 12:38:59 2014 +0200

    stmmac: split to core library and probe drivers
    
    Instead of registering the platform and PCI drivers in one module let's move
    necessary bits to where it belongs. During this procedure we convert the module
    registration part to use module_*_driver() macros which makes code simplier.
    
    >From now on the driver consists three parts: core library, PCI, and platform
    drivers.
    
    Signed-off-by: Andy Shevchenko <[email protected]>
    Acked-by: Giuseppe Cavallaro <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit dc680b989d519952e0e0d37204fec850925a0225
Author: Linus Walleij <[email protected]>
Date:   Mon Nov 10 18:52:31 2014 +0100

    ARM: fix multiplatform allmodcompile
    
    Commit 68f3b875f7848f5304472184a4634148c5330cbd
    "ARM: integrator: make the Integrator multiplatform"
    broke allmodconfig like this:
    
    >> arch/arm/include/asm/cmpxchg.h:114:2: error: #error
    "SMP is not supported on this platform"
    (etc)
    
    This is due to the fact that as we turned on multiplatform
    for the Integrator, this enabled a lot of non-applicable
    CPU's to be selected for its multiplatform images, due to
    a lot of "depends on ARCH_INTEGRATOR" restrictions in
    arch/arm/mm/Kconfig for the different ARM CPU types.
    
    Fix this by restricting the CPU selections to respective
    multiplatform config, which now becomes a subset of the
    possible Integrator configurations, or alternatively the
    non-multiplatform config plus ARCH_INTEGRATOR, i.e.:
    
    if (!ARCH_MULTIPLATFORM || ARCH_MULTI_Vx) &&
       (ARCH_INTEGRATOR || ARCH_FOO ...)
    
    Since the Integrator has been converted to multiplatform,
    this will often take the short form:
    
    if (ARCH_MULTI_Vx && ARCH_INTEGRATOR)
    
    If no other non-multiplatform platforms are elegible.
    
    Reported-by: Build bot for Mark Brown <[email protected]>
    Reported-by: Kbuild test robot <[email protected]>
    Suggested-by: Russell King <[email protected]>
    Signed-off-by: Linus Walleij <[email protected]>
    Signed-off-by: Arnd Bergmann <[email protected]>

commit ba7a46f16dd29f93303daeb1fee8af316c5a07f4
Author: Joe Perches <[email protected]>
Date:   Tue Nov 11 10:59:17 2014 -0800

    net: Convert LIMIT_NETDEBUG to net_dbg_ratelimited
    
    Use the more common dynamic_debug capable net_dbg_ratelimited
    and remove the LIMIT_NETDEBUG macro.
    
    All messages are still ratelimited.
    
    Some KERN_<LEVEL> uses are changed to KERN_DEBUG.
    
    This may have some negative impact on messages that were
    emitted at KERN_INFO that are not not enabled at all unless
    DEBUG is defined or dynamic_debug is enabled.  Even so,
    these messages are now _not_ emitted by default.
    
    This also eliminates the use of the net_msg_warn sysctl
    "/proc/sys/net/core/warnings".  For backward compatibility,
    the sysctl is not removed, but it has no function.  The extern
    declaration of net_msg_warn is removed from sock.h and made
    static in net/core/sysctl_net_core.c
    
    Miscellanea:
    
    o Update the sysctl documentation
    o Remove the embedded uses of pr_fmt
    o Coalesce format fragments
    o Realign arguments
    
    Signed-off-by: Joe Perches <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit e349d9d5b3f9509e6a053d9d1d9f4c7d9471c8f0
Author: Neelesh Gupta <[email protected]>
Date:   Wed Nov 5 16:45:14 2014 +0530

    hwmon: (ibmpowernv) Use platform 'id_table' to probe the device
    
    The current driver probe() function assumes the sensor device to be
    always present and gets executed every time if the driver is loaded,
    but the appropriate hardware could not be present.
    
    So, move the platform device creation as part of platform init code
    and use the 'id_table' to check if the device is present or not.
    
    Signed-off-by: Neelesh Gupta <[email protected]>
    Acked-by: Michael Ellerman <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit eebb2554a0a4ce8f637c72febc883997a58093ca
Author: Guenter Roeck <[email protected]>
Date:   Sat Sep 27 08:31:12 2014 -0700

    hwmon: (iio_hwmon) Add support for humidity sensors
    
    The iio subsystem supports humidity sensors, so it makes sense
    to support it in the iio-hwmon bridge as well.
    
    Cc: Jonathan Cameron <[email protected]>
    Acked-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit c2827f34af5ced95daddefd7de6105d7fcf0d4d5
Author: Alan Tull <[email protected]>
Date:   Wed Oct 15 13:55:10 2014 -0500

    hwmon: (ltc2978) Add regulator support
    
    Add simple on/off regulator support for ltc2978 and
    other pmbus parts supported by the ltc2978 driver.
    
    Signed-off-by: Alan Tull <[email protected]>
    Cc: Guenter Roeck <[email protected]>
    Cc: Mark Brown <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit 3ca7aa3feedc0cc838b242e09ff6b306501029d0
Author: Alan Tull <[email protected]>
Date:   Wed Oct 15 13:55:09 2014 -0500

    hwmon: (pmbus) Add regulator support
    
    Add support for simple on/off control of each channel.
    
    To add regulator support, the pmbus part driver needs to add
    regulator_desc information and number of regulators to its
    pmbus_driver_info struct.
    
    regulator_desc can be declared using default macro for a
    regulator (PMBUS_REGULATOR) that is in pmbus.h
    
    The regulator_init_data can be initialized from either
    platform data or the device tree.
    
    Signed-off-by: Alan Tull <[email protected]>
    Reviewed-by: Mark Brown <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit e94c450610a10a9b798b39754a6099fea5d5279e
Author: Alan Tull <[email protected]>
Date:   Wed Oct 15 13:55:08 2014 -0500

    hwmon: (pmbus) add helpers for byte write and read modify write
    
    Add two helper functions:
     * pmbus_write_byte_data  = paged byte write
     * pmbus_update_byte_data = paged byte read/modify/write
    
    Signed-off-by: Alan Tull <[email protected]>
    Cc: Mark Brown <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit 7c6d297620427048742977c2258669f3cc926f1f
Author: Alan Tull <[email protected]>
Date:   Wed Oct 15 13:55:07 2014 -0500

    hwmon: (ltc2978) device tree bindings documentation
    
    Add device tree bindings documentation for ltc2978.
    
    Signed-off-by: Alan Tull <[email protected]>
    Cc: Mark Rutland <[email protected]>
    Cc: Mark Brown <[email protected]>
    [Guenter Roeck: Minor correction of 'compatible' example]
    Signed-off-by: Guenter Roeck <[email protected]>

commit 5b61c4db49e2530ed10631321d4c73f49d560a93
Author: Denis Kirjanov <[email protected]>
Date:   Mon Nov 10 08:59:43 2014 +0300

    PPC: bpf_jit_comp: add SKF_AD_HATYPE instruction
    
    Add BPF extension SKF_AD_HATYPE to ppc JIT to check
    the hw type of the interface
    
    Before:
    [   57.723666] test_bpf: #20 LD_HATYPE
    [   57.723675] BPF filter opcode 0020 (@0) unsupported
    [   57.724168] 48 48 PASS
    
    After:
    [  103.053184] test_bpf: #20 LD_HATYPE 7 6 PASS
    
    CC: Alexei Starovoitov<[email protected]>
    CC: Daniel Borkmann<[email protected]>
    CC: Philippe Bergheaud<[email protected]>
    Signed-off-by: Denis Kirjanov <[email protected]>
    
    v2: address Alexei's comments
    Acked-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 0bd52941586b3b59ab9b6e89e55b2dc9e2680de9
Author: Aravind Gopalakrishnan <[email protected]>
Date:   Tue Nov 4 11:49:02 2014 -0600

    hwmon: (fam15h_power) Fix NB device ID for F16h M30h
    
    F3 device ID is wrongly included in fam15h_power_id_table
    for F16h M30h. It should be F4 device ID. Fix this.
    
    Signed-off-by: Aravind Gopalakrishnan <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit 48b9d5b4f408259cd6800c4b17d4fe5025435da2
Author: Kamil Debski <[email protected]>
Date:   Mon Nov 3 15:42:55 2014 +0100

    hwmon: (pwm-fan) Fix suspend/resume behavior
    
    The state of a PWM output is not clearly defined after resume. Some PWM
    drivers do not restore the duty cycle upon resume, thus it is necessary to
    manually restore the correct value.
    
    Signed-off-by: Kamil Debski <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit aab18da44f243cf59b4dee335ea50b32f529b5b0
Author: Michael Ellerman <[email protected]>
Date:   Fri Oct 31 17:45:22 2014 +1100

    hwmon: (ibmpowernv) Quieten when probing finds no device
    
    Because we build kernels with drivers built in for many platforms, it's
    normal for the ibmpowernv driver to be loaded on systems that don't have
    the appropriate hardware.
    
    Currently the driver spams the log with:
    
      ibmpowernv ibmpowernv.0: Opal node 'sensors' not found
      ibmpowernv: Platfrom driver probe failed
    
    But there is no error, this machine is not a powernv and doesn't have
    the hardware. So change the sensors message to dev_dbg(), and only print
    an error about the probe failing if it's not ENODEV.
    
    Also fix the spelling of "Platfrom" and print the actual error value.
    
    Signed-off-by: Michael Ellerman <[email protected]>
    Reviewed-by: Jean Delvare <[email protected]>
    Signed-off-by: Guenter Roeck <[email protected]>

commit a2ae6007a442d6bb27d77bf20ec1b06cda9e306e
Author: Joe Perches <[email protected]>
Date:   Sun Nov 9 16:32:46 2014 -0800

    dsa: Use netdev_<level> instead of printk
    
    Neaten and standardize the logging output.
    
    Other miscellanea:
    
    o Use pr_notice_once instead of a guard flag.
    o Convert existing pr_<level> uses too.
    
    Signed-off-by: Joe Perches <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit f4a1edd56120249198073aa4a373b77e3700ac8f
Author: Or Gerlitz <[email protected]>
Date:   Sun Nov 9 14:25:39 2014 +0200

    net/mlx4_en: Advertize encapsulation offloads features only when VXLAN tunnel is set
    
    Currenly we only support Large-Send and TX checksum offloads for
    encapsulated traffic of type VXLAN. We must make sure to advertize
    these offloads up to the stack only when VXLAN tunnel is set.
    
    Failing to do so, would mislead the the networking stack to assume
    that the driver can offload the internal TX checksum for GRE packets
    and other buggy schemes.
    
    Reported-by: Florian Westphal <[email protected]>
    Signed-off-by: Or Gerlitz <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit f8c6455bb04b944edb69e9b074e28efee2c56bdd
Author: Shani Michaeli <[email protected]>
Date:   Sun Nov 9 13:51:53 2014 +0200

    net/mlx4_en: Extend checksum offloading by CHECKSUM COMPLETE
    
    When processing received traffic, pass CHECKSUM_COMPLETE status to the
    stack, with calculated checksum for non TCP/UDP packets (such
    as GRE or ICMP).
    
    Although the stack expects checksum which doesn't include the pseudo
    header, the HW adds it. To address that, we are subtracting the pseudo
    header checksum from the checksum value provided by the HW.
    
    In the IPv6 case, we also compute/add the IP header checksum which
    is not added by the HW for such packets.
    
    Cc: Jerry Chu <[email protected]>
    Signed-off-by: Shani Michaeli <[email protected]>
    Signed-off-by: Matan Barak <[email protected]>
    Signed-off-by: Or Gerlitz <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit dd65beac48a5259945846956d4b27344dfb73bd9
Author: Shani Michaeli <[email protected]>
Date:   Sun Nov 9 13:51:52 2014 +0200

    net/mlx4_en: Extend usage of napi_gro_frags
    
    We can call napi_gro_frags for all the received traffic regardless
    of the checksum status. Specifically, received packets whose status
    is CHECKSUM_NONE (and soon to be added CHECKSUM_COMPLETE)
    are eligible for napi_gro_frags as well.
    
    Signed-off-by: Or Gerlitz <[email protected]>
    Signed-off-by: Shani Michaeli <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 242fe7a1fd7af133d4c0ae2aae1de4e33b1b39af
Author: Rafał Miłecki <[email protected]>
Date:   Wed Sep 3 07:36:51 2014 +0200

    MIPS: Fix info about plat_setup in arch_mem_init comment
    
    Signed-off-by: Rafał Miłecki <[email protected]>
    Cc: [email protected]
    Patchwork: https://patchwork.linux-mips.org/patch/7607/
    Signed-off-by: Ralf Baechle <[email protected]>

commit 5996d33df117bc3c56c28d6a930679ddcb693626
Author: Rafał Miłecki <[email protected]>
Date:   Thu Oct 30 12:50:03 2014 +0100

    MIPS: BCM47XX: Clean up nvram header
    
    1) Move private defines to the .c file
    2) Move SPROM helper to the sprom.c
    3) Drop unused code
    4) Rename magic to the NVRAM_MAGIC
    5) Add const to the char pointer we never modify
    
    Signed-off-by: Rafał Miłecki <[email protected]>
    Acked-by: Hauke Mehrtens <[email protected]>
    Cc: [email protected]
    Patchwork: https://patchwork.linux-mips.org/patch/8289/
    Signed-off-by: Ralf Baechle <[email protected]>

commit 1bb002b25f08e7e295b2c16dfc09a4cefc3cc5db
Author: Rafał Miłecki <[email protected]>
Date:   Wed Oct 29 10:05:06 2014 +0100

    MIPS: BCM47XX: Use mtd as an alternative way/API to get NVRAM content
    
    NVRAM can be read using magic memory offset, but after all it's just a
    flash partition. On platforms where NVRAM isn't needed early we can get
    it using mtd subsystem.
    
    Signed-off-by: Rafał Miłecki <[email protected]>
    Acked-by: Hauke Mehrtens <[email protected]>
    Cc: [email protected]
    Patchwork: https://patchwork.linux-mips.org/patch/8266/
    Signed-off-by: Ralf Baechle <[email protected]>

commit 2a90d4aae5509e9cf1ba848c5d0b3458201160a0
Author: Paolo Bonzini <[email protected]>
Date:   Fri Nov 7 23:04:00 2014 +0100

    blk-mq: use get_cpu/put_cpu instead of preempt_disable/preempt_enable
    
    blk-mq is using preempt_disable/enable in order to ensure that the
    queue runners are placed on the right CPU.  This does not work with
    the RT patches, because __blk_mq_run_hw_queue takes a non-raw
    spinlock with the preemption-disabled region.  If there is contention
    on the lock, this violates the rules for preemption-disabled regions.
    
    While this should be easily fixable within the RT patches just by doing
    migrate_disable/enable, we can do better and document _why_ this
    particular region runs with disabled preemption.  After the previous
    patch, it is trivial to switch it to get/put_cpu; the RT patches then
    can change it to get_cpu_light, which lets virtio-blk run under RT
    kernels.
    
    Cc: Jens Axboe <[email protected]>
    Cc: Thomas Gleixner <[email protected]>
    Reported-by: Clark Williams <[email protected]>
    Tested-by: Clark Williams <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>

commit 398205b8391b208f0034a392242867b28ad8af3d
Author: Paolo Bonzini <[email protected]>
Date:   Fri Nov 7 23:03:59 2014 +0100

    blk_mq: call preempt_disable/enable in blk_mq_run_hw_queue, and only if needed
    
    preempt_disable/enable surrounds every call to blk_mq_run_hw_queue,
    except the one in blk-flush.c.  In fact that one is always asynchronous,
    and it does not need smp_processor_id().
    
    We can do the same for all other calls, avoiding preempt_disable when
    async is true.  This avoids peppering blk-mq.c with preemption-disabled
    regions.
    
    Cc: Jens Axboe <[email protected]>
    Cc: Thomas Gleixner <[email protected]>
    Reported-by: Clark Williams <[email protected]>
    Tested-by: Clark Williams <[email protected]>
    Signed-off-by: Paolo Bonzini <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>

commit 9169051617df7fca597274e9e43324332cb8f0ee
Author: Mark Brown <[email protected]>
Date:   Sat Nov 8 10:28:10 2014 +0000

    spi: spidev: Don't mangle max_speed_hz in underlying spi device
    
    Currently spidev allows callers to set the default speed by overriding the
    max_speed_hz in the underlying device. This achieves the immediate goal but
    is not what devices expect and can easily lead to userspace trying to set
    unsupported speeds and succeeding, apart from anything else drivers can't
    set a limit on the speed using max_speed_hz as they'd expect and any other
    devices on the bus will be affected.
    
    Instead store the default speed in the spidev struct and fill this in on
    each transfer.
    
    Signed-off-by: Mark Brown <[email protected]>

commit 2c8c56e15df3d4c2af3d656e44feb18789f75837
Author: Eric Dumazet <[email protected]>
Date:   Tue Nov 11 05:54:28 2014 -0800

    net: introduce SO_INCOMING_CPU
    
    Alternative to RPS/RFS is to use hardware support for multiple
    queues.
    
    Then split a set of million of sockets into worker threads, each
    one using epoll() to manage events on its own socket pool.
    
    Ideally, we want one thread per RX/TX queue/cpu, but we have no way to
    know after accept() or connect() on which queue/cpu a socket is managed.
    
    We normally use one cpu per RX queue (IRQ smp_affinity being properly
    set), so remembering on socket structure which cpu delivered last packet
    is enough to solve the problem.
    
    After accept(), connect(), or even file descriptor passing around
    processes, applications can use :
    
     int cpu;
     socklen_t len = sizeof(cpu);
    
     getsockopt(fd, SOL_SOCKET, SO_INCOMING_CPU, &cpu, &len);
    
    And use this information to put the socket into the right silo
    for optimal performance, as all networking stack should run
    on the appropriate cpu, without need to send IPI (RPS/RFS).
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 3d97379a67486bc481ab5b8f7aa5b7ceb6154a95
Author: Eric Dumazet <[email protected]>
Date:   Tue Nov 11 05:54:27 2014 -0800

    tcp: move sk_mark_napi_id() at the right place
    
    sk_mark_napi_id() is used to record for a flow napi id of incoming
    packets for busypoll sake.
    We should do this only on established flows, not on listeners.
    
    This was 'working' by virtue of the socket cloning, but doing
    this on SYN packets in unecessary cache line dirtying.
    
    Even if we move sk_napi_id in the same cache line than sk_lock,
    we are working to make SYN processing lockless, so it is desirable
    to set sk_napi_id only for established flows.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 26488b3723270880a28b542ff2276689506d6a9f
Author: Jiang Liu <[email protected]>
Date:   Thu Aug 22 20:59:39 2013 +0800

    tracing: Add entry->next_cpu to trace_ctxwake_bin()
    
    Function trace_ctxwake_bin() misses ctx_switch_entry->next_cpu field,
    so user will get stale value for "next_cpu".
    
    Link: http://lkml.kernel.org/p/[email protected]
    
    Signed-off-by: Jiang Liu <[email protected]>
    Signed-off-by: Steven Rostedt <[email protected]>

commit 243f7610a68a606eb1787c09450a440bf30bebe0
Author: Steven Rostedt (Red Hat) <[email protected]>
Date:   Thu Oct 30 20:44:53 2014 -0400

    tracing: Move tracing_sched_{switch,wakeup}() into wakeup tracer
    
    The only code that references tracing_sched_switch_trace() and
    tracing_sched_wakeup_trace() is the wakeup latency tracer. Those
    two functions use to belong to the sched_switch tracer which has
    long been removed. These functions were left behind because the
    wakeup latency tracer used them. But since the wakeup latency tracer
    is the only one to use them, they should be static functions inside
    that code.
    
    Signed-off-by: Steven Rostedt <[email protected]>

commit 458faf0b88b19a46d51bb9760fa6e03a1bc6d97b
Author: Oleg Nesterov <[email protected]>
Date:   Wed Jul 23 21:35:03 2014 +0200

    tracing: Kill the dead code in probe_sched_switch() and probe_sched_wakeup()
    
    After the previous patch it is clear that "tracer_enabled" can never be
    true, we can remove the "if (tracer_enabled)" code in probe_sched_switch()
    and probe_sched_wakeup(). Plus we can obviously remove tracer_enabled,
    ctx_trace, and sched_stopped as well.
    
    Link: http://lkml.kernel.org/p/[email protected]
    
    Signed-off-by: Oleg Nesterov <[email protected]>
    Signed-off-by: Steven Rostedt <[email protected]>

commit 632537256e9f969a188cc4d0159e0027a459d3e7
Author: Oleg Nesterov <[email protected]>
Date:   Wed Jul 23 21:35:01 2014 +0200

    tracing: Kill tracing_{start,stop}_sched_switch_record() and tracing_sched_switch_assign_trace()
    
    tracing_{start,stop}_sched_switch_record() have no callers since
    87d80de2800d "tracing: Remove obsolete sched_switch tracer".
    
    The last caller of tracing_sched_switch_assign_trace() was removed
    by 30dbb20e68e6 "tracing: Remove boot tracer".
    
    Link: http://lkml.kernel.org/p/[email protected]
    
    Signed-off-by: Oleg Nesterov <[email protected]>
    Signed-off-by: Steven Rostedt <[email protected]>

commit 4fd3279b48605ae3ea509b9b2c02e46aa0975930
Author: Steven Rostedt (Red Hat) <[email protected]>
Date:   Fri Oct 24 17:56:04 2014 -0400

    ftrace: Add more information to ftrace_bug() output
    
    With the introduction of the dynamic trampolines, it is useful that if
    things go wrong that ftrace_bug() produces more information about what
    the current state is. This can help debug issues that may arise.
    
    Ftrace has lots of checks to make sure that the state of the system it
    touchs is exactly what it expects it to be. When it detects an abnormality
    it calls ftrace_bug() and disables itself to prevent any further damage.
    It is crucial that ftrace_bug() produces sufficient information that
    can be used to debug the situation.
    
    Cc: Benjamin Herrenschmidt <[email protected]>
    Acked-by: Borislav Petkov <[email protected]>
    Tested-by: Masami Hiramatsu <[email protected]>
    Tested-by: Jiri Kosina <[email protected]>
    Signed-off-by: Steven Rostedt <[email protected]>

commit 12cce594fa8f12e002e7eb5d10141853c1e6a112
Author: Steven Rostedt (Red Hat) <[email protected]>
Date:   Thu Jul 3 15:48:16 2014 -0400

    ftrace/x86: Allow !CONFIG_PREEMPT dynamic ops to use allocated trampolines
    
    When the static ftrace_ops (like function tracer) enables tracing, and it
    is the only callback that is referencing a function, a trampoline is
    dynamically allocated to the function that calls the callback directly
    instead of calling a loop function that iterates over all the registered
    ftrace ops (if more than one ops is registered).
    
    But when it comes to dynamically allocated ftrace_ops, where they may be
    freed, on a CONFIG_PREEMPT kernel there's no way to know when it is safe
    to free the trampoline. If a task was preempted while executing on the
    trampoline, there's currently no way to know when it will be off that
    trampoline.
    
    But this is not true when it comes to !CONFIG_PREEMPT. The current method
    of calling schedule_on_each_cpu() will force tasks off the trampoline,
    becaues they can not schedule while on it (kernel preemption is not
    configured). That means it is safe to free a dynamically allocated
    ftrace ops trampoline when CONFIG_PREEMPT is not configured.
    
    Cc: H. Peter Anvin <[email protected]>
    Cc: Paul E. McKenney <[email protected]>
    Acked-by: Borislav Petkov <[email protected]>
    Tested-by: Masami Hiramatsu <[email protected]>
    Tested-by: Jiri Kosina <[email protected]>
    Signed-off-by: Steven Rostedt <[email protected]>

commit 19ca5a3cc425cc9a8abedb0f4fb7b4e7ceee2255
Author: Andreas Ruprecht <[email protected]>
Date:   Sun Aug 10 21:10:03 2014 +0200

    EDAC, pci_sysfs: remove unneccessary ifdef around entire file
    
    The file edac_pci_sysfs.c is dependent on CONFIG_PCI. This is already
    modelled in the Makefile, but edac_pci_sysfs.o is still contained in
    the list of files compiled even without CONFIG_PCI.
    
    This change removes edac_pci_sysfs.o from the list of built objects
    when not having CONFIG_PCI enabled and removes the then-unnecessary
    ifdef from the source file.
    
    Signed-off-by: Andreas Ruprecht <[email protected]>
    Link: http://lkml.kernel.org/r/[email protected]
    Signed-off-by: Borislav Petkov <[email protected]>

commit 419a2ea074189be8de0b0ab052dd98061fed1c16
Author: Mike Snitzer <[email protected]>
Date:   Tue Oct 28 20:58:45 2014 -0400

    dm thin: suspend/resume active thin devices when reloading thin-pool
    
    Before this change it was expected that userspace would first suspend
    all active thin devices, reload/resize the thin-pool target, then resume
    all active thin devices.  Now the thin-pool suspend/resume will trigger
    the suspend/resume of all active thins via appropriate calls to
    dm_internal_suspend and dm_internal_resume.
    
    Store the mapped_device for each thin device in struct thin_c to make
    these calls possible.
    
    Signed-off-by: Mike Snitzer <[email protected]>

commit 665aa8cdc499b9aeea6532e682a58ca34b7f94e6
Author: Dan Carpenter <[email protected]>
Date:   Fri Aug 1 11:25:14 2014 +0300

    ghes_edac: Use snprintf() to silence a static checker warning
    
    My static checker complains because the "e->location" has up to 256
    characters but we are copying it into the "pvt->detail_location" which
    only has space for 240 characters.  That's not counting the surrounding
    text and the "e->other_detail" string which can be over 80 characters
    long.
    
    I am not familiar with this code but presumably it normally works.
    Let's add a limit though for safety.
    
    Signed-off-by: Dan Carpenter <[email protected]>
    Acked-by: Mauro Carvalho Chehab <[email protected]>
    Link: http://lkml.kernel.org/r/20140801082514.GD28869@mwanda
    Signed-off-by: Borislav Petkov <[email protected]>

commit 8860704ea9afa699484c9fe7822da1cd37e40690
Author: Mike Snitzer <[email protected]>
Date:   Tue Oct 28 18:34:52 2014 -0400

    dm: enhance internal suspend and resume interface
    
    Rename dm_internal_{suspend,resume} to dm_internal_{suspend,resume}_fast
    -- dm-stats will continue using these methods to avoid all the extra
    suspend/resume logic that is not needed in order to quickly flush IO.
    
    Introduce dm_internal_suspend_noflush() variant that actually calls the
    mapped_device's target callbacks -- otherwise target-specific hooks are
    avoided (e.g. dm-thin's thin_presuspend and thin_postsuspend).  Common
    code between dm_internal_{suspend_noflush,resume} and
    dm_{suspend,resume} was factored out as __dm_{suspend,resume}.
    
    Update dm_internal_{suspend_noflush,resume} to always take and release
    the mapped_device's suspend_lock.  Also update dm_{suspend,resume} to be
    aware of potential for DM_INTERNAL_SUSPEND_FLAG to be set and respond
    accordingly by interruptibly waiting for the DM_INTERNAL_SUSPEND_FLAG to
    be cleared.  Add lockdep annotation to dm_suspend() and dm_resume().
    
    Also add DM_INTERNAL_SUSPEND_FLAG to status report.  This new
    DM_INTERNAL_SUSPEND_FLAG state is being tracked/reported to assist with
    debugging (e.g. 'dmsetup info' will report an internally suspended
    device accordingly).
    
    The existing DM_SUSPEND_FLAG remains unchanged.
    DM_INTERNAL_SUSPEND_FLAG is set by dm_internal_suspend_noflush() and
    cleared by dm_internal_resume().
    
    Both DM_SUSPEND_FLAG and DM_INTERNAL_SUSPEND_FLAG may be set if a device
    was already suspended when dm_internal_suspend_noflush() was called --
    this can be thought of as a "nested suspend".  A "nested suspend" can
    with legacy userspace dm-thin code that might suspend all active thin
    volumes before suspending the pool for resize.
    
    But otherwise, in the normal dm-thin-pool suspend case moving forward:
    the thin-pool will have DM_SUSPEND_FLAG set and all active thins from
    that thin-pool will have DM_INTERNAL_SUSPEND_FLAG set.
    
    Signed-off-by: Mike Snitzer <[email protected]>

commit bf735ebb898c1348f635488bee737b95886aa20e
Author: Mike Snitzer <[email protected]>
Date:   Fri Nov 7 15:09:46 2014 -0500

    dm thin: do not allow thin device activation while pool is suspended
    
    Otherwise IO could be issued to the pool while it is suspended.
    
    Care was taken to properly interlock between the thin and thin-pool
    targets when accessing the pool's 'suspended' flag.
    
    Signed-off-by: Mike Snitzer <[email protected]>

commit 3ca4517dc53569ad82152ff035be0e909c06c722
Author: Mike Snitzer <[email protected]>
Date:   Tue Oct 28 20:13:31 2014 -0400

    dm: add presuspend_undo hook to target_type
    
    The DM thin-pool target now must undo the changes performed during
    pool_presuspend() so introduce presuspend_undo hook in target_type.
    
    Signed-off-by: Mike Snitzer <[email protected]>

commit f35d0679e47ef97c6037f7aefba41f18a7865421
Author: Mike Snitzer <[email protected]>
Date:   Fri Nov 7 15:27:56 2014 -0500

    dm thin: remove stale 'trim' message in block comment above pool_message
    
    Signed-off-by: M…
aryabinin referenced this pull request in aryabinin/linux Nov 24, 2014
GIT c04878ff13662bf8e5361d3f96ce3e38bf3bf1f2

commit c04878ff13662bf8e5361d3f96ce3e38bf3bf1f2
Author: Stephen Rothwell <[email protected]>
Date:   Wed Nov 19 18:49:07 2014 +1100

    sparc: io: fix for implement dummy relaxed accessor macros for writes
    
    Signed-off-by: Stephen Rothwell <[email protected]>

commit 882407763830dd34fc527dc96998bd4d124ed799
Author: Matthew Garrett <[email protected]>
Date:   Tue Feb 18 11:28:29 2014 -0500

    Change ACPI IPMI support to "default y"
    
    The ACPI IPMI driver implements IPMI operation region support for the ACPI
    core. Systems that declare ACPI operation regions may reference them at any
    time, including during kernel initialisation. These accesses will fail
    unless the ACPI IPMI driver is present, and undesirable system behaviour
    may result. Set the default to Y in order to encourage distributions and
    users to configure kernels to avoid awkward surprises.
    
    Signed-off-by: Matthew Garrett <[email protected]>
    Signed-off-by: Corey Minyard <[email protected]>

commit 0d7c4ceb16d175f719fbe728799f9a7d4fd69297
Author: Corey Minyard <[email protected]>
Date:   Mon Nov 10 21:24:45 2014 -0600

    ipmi: Handle I2C parms in the SSIF driver.
    
    Signed-off-by: Corey Minyard <[email protected]>

commit 99a7a9582a0206ca2fded95d85fddfd399cfcbe4
Author: Corey Minyard <[email protected]>
Date:   Mon Nov 10 21:10:49 2014 -0600

    i2c: Add parameters to sysfs-added i2c devices
    
    Some devices might need parameters to control their operation,
    add the ability to pass these parameters to the client.
    
    This also makes the parsing of sysfs-added I2C devices a little
    more flexible, allowing tabs and arbitrary numbers of spaces.
    
    Signed-off-by: Corey Minyard <[email protected]>

commit 451b7a67f772a923135e57e0e710f7aeed62b5bf
Author: Jeremy Kerr <[email protected]>
Date:   Wed Nov 12 15:41:05 2014 +0800

    drivers/char/ipmi: Add powernv IPMI driver
    
    This change adds an initial IPMI driver for powerpc OPAL firmware. The
    interface is exposed entirely through firmware: we have two functions to
    send and receive IPMI messages, and an interrupt notification from the
    firmware to signify that a message is available.
    
    Signed-off-by: Jeremy Kerr <[email protected]>
    Signed-off-by: Corey Minyard <[email protected]>

commit 5ad7fb122df9e16d0f3bdb3723995b70e978e035
Author: Jeremy Kerr <[email protected]>
Date:   Thu Nov 6 11:38:27 2014 +0800

    powerpc/powernv: Add OPAL IPMI interface
    
    Recent OPAL firmare adds a couple of functions to send and receive IPMI
    messages:
    
      https://github.com/open-power/skiboot/commit/b2a374da
    
    This change updates the token list and wrappers to suit, and adds the
    platform devices for any IPMI interfaces.
    
    Signed-off-by: Jeremy Kerr <[email protected]>
    Signed-off-by: Michael Ellerman <[email protected]>

commit 02b8f3c67cf074350611983f8b963d9f00b02d64
Author: Corey Minyard <[email protected]>
Date:   Mon Mar 19 16:00:55 2012 -0500

    ipmi: Add SMBus interface driver (SSIF)
    
    This patch adds the SMBus interface to the IPMI driver.
    
    Signed-off-by: Corey Minyard <[email protected]>
    
     Documentation/IPMI.txt       |   32
     drivers/char/ipmi/Kconfig    |   11
     drivers/char/ipmi/Makefile   |    1
     drivers/char/ipmi/ipmi_smb.c | 1737 +++++++++++++++++++++++++++++++++++++++++++
     4 files changed, 1769 insertions(+), 12 deletions(-)

commit 08bb7beae7fe102939fe5931222fc09e10d27cda
Author: Jean-Baptiste Maneyrol <[email protected]>
Date:   Sun Nov 16 22:45:43 2014 +0800

    HID: i2c-hid: print the correct data in dbg msg
    
    Report is received in "buffer"; fix the following i2c_hid_dbg()
    to dump data from the correct pointer.
    
    Signed-off-by: Jean-Baptiste Maneyrol <[email protected]>
    [Antonio Borneo: cleanup and rebase to v3.17]
    Signed-off-by: Antonio Borneo <[email protected]>
    Reviewed-by: Benjamin Tissoires <[email protected]>
    Signed-off-by: Jiri Kosina <[email protected]>

commit 11bf7828a59880427403e13dcff8228d67e9e0f7
Author: Joe Stringer <[email protected]>
Date:   Mon Nov 17 16:24:54 2014 -0800

    vxlan: Inline vxlan_gso_check().
    
    Suggested-by: Or Gerlitz <[email protected]>
    Signed-off-by: Joe Stringer <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit e3e3217029a35c579bf100998b43976d0b1cb8d7
Author: Rick Jones <[email protected]>
Date:   Mon Nov 17 14:04:29 2014 -0800

    icmp: Remove some spurious dropped packet profile hits from the ICMP path
    
    If icmp_rcv() has successfully processed the incoming ICMP datagram, we
    should use consume_skb() rather than kfree_skb() because a hit on the likes
    of perf -e skb:kfree_skb is not called-for.
    
    Signed-off-by: Rick Jones <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 54aeba7f06323e04d59a6053ee3c6023079667b2
Author: Fabian Frederick <[email protected]>
Date:   Mon Nov 17 22:23:17 2014 +0100

    dev_ioctl: use sizeof(x) instead of sizeof x
    
    Also remove spaces after cast.
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit e56f735913c8d3c417c65c7e7fcdd65011f8d96f
Author: Fabian Frederick <[email protected]>
Date:   Mon Nov 17 22:08:22 2014 +0100

    net/core: include linux/types.h instead of asm/types.h
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 1d2398dc7c78f32c50ee23a21ad9141e5e08a2ed
Author: Fabian Frederick <[email protected]>
Date:   Mon Nov 17 22:04:03 2014 +0100

    net: fix spelling for synchronized
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit a77b634367d4987718012b896c3d19c4cd7e8b4c
Author: Fabian Frederick <[email protected]>
Date:   Mon Nov 17 22:00:22 2014 +0100

    dccp: spelling s/reseting/resetting
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 02c31d2e56dfc6e65ebf5891cf6953e3391ce590
Author: Fabian Frederick <[email protected]>
Date:   Mon Nov 17 21:58:37 2014 +0100

    dccp: replace min/casting by min_t
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 54da7996b85b3a3e7388c5010ec0f1d866fc4830
Author: Fabian Frederick <[email protected]>
Date:   Mon Nov 17 21:54:58 2014 +0100

    dccp: remove blank lines between function/EXPORT_SYMBOL
    
    See Documentation/CodingStyle chapter 6.
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 6d80c4732bbbd8a76057337cb758ed64cf34f804
Author: Fabian Frederick <[email protected]>
Date:   Mon Nov 17 21:51:21 2014 +0100

    dccp: kerneldoc warning fixes
    
    Signed-off-by: Fabian Frederick <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit c20e599bb57bf12177cd5404d124cae0b6fc7970
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:24 2014 +0100

    net: fec: remove unused return value from swap_buffer()
    
    The return value of swap_buffer() is not used by any caller, thus
    remove it.
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 7b487d070a0edea01816135d3b1a9c8f2c069657
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:23 2014 +0100

    net: fec: simplify loop counter handling in swap_buffer()
    
    Eliminate the DIV_ROUND_UP() and change the loop counter increment to
    4 instead. This results in saving 6 instructions in the functions
    assembly code.
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit e453789a66ab152ecee80ded3279539d826c48ed
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:22 2014 +0100

    net: fec: use swab32s() instead of cpu_to_be32()
    
    when swap_buffer() is being called, we know for sure, that we need to
    byte swap the data. Furthermore, this function is called for swapping
    data in both directions. Thus cpu_to_be32() is semantically not
    correct for all use cases. Use swab32s() to reflect this.
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 6b7e4008389c8cb8140a9aef424b10048c44da39
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:21 2014 +0100

    net: fec: improve access to quirk flags by copying them into fec_enet_private struct
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 217b5844e279c279414fdeb47a89959fad1fbc8f
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:20 2014 +0100

    net: fec: change type of 'bufdesc_ex' to bool
    
    fep->bufdesc_ex is treated as a boolean value, thus declare it as
    such.
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit df406bc9c0d002ef52671dc7b6887ff1bb9142e9
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:19 2014 +0100

    net: fec: properly parenthesize macro args
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 745f42ba2a52d5b95594c24fb3755ff678f669f9
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:18 2014 +0100

    net: fec: consistently use lower case chars as hex digits
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit ea209de3dded8acd37677cf4e2f5fc06b791e052
Author: Lothar Waßmann <[email protected]>
Date:   Mon Nov 17 10:51:17 2014 +0100

    net: fec: indentation cleanup
    
    consistently use TABs for indentation
    
    Signed-off-by: Lothar Waßmann <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit be603bbb7bc12a006f1db36c338ac1c7f20c5a4a
Author: J. Bruce Fields <[email protected]>
Date:   Wed Oct 29 14:23:21 2014 -0400

    OOPS

commit 92424e9c63e5d74ff1c282258f3e5c82bf1d913b
Author: Christoph Hellwig <[email protected]>
Date:   Thu Nov 6 15:11:36 2014 -0500

    nfsd: implement DATA_SYNC4 support
    
    Signed-off-by: Christoph Hellwig <[email protected]>
    Signed-off-by: J. Bruce Fields <[email protected]>

commit 14fdfac3e8fe1f6f73578a3ea964dab2f844e52c
Author: Trond Myklebust <[email protected]>
Date:   Wed Nov 12 18:04:04 2014 -0500

    SUNRPC: Fix locking around callback channel reply receive
    
    Both xprt_lookup_rqst() and xprt_complete_rqst() require that you
    take the transport lock in order to avoid races with xprt_transmit().
    
    Signed-off-by: Trond Myklebust <[email protected]>
    Reviewed-by: Jeff Layton <[email protected]>
    Signed-off-by: J. Bruce Fields <[email protected]>

commit ffa21a408184e95424035234496ec1b0cdde4b79
Author: Jeff Layton <[email protected]>
Date:   Mon Nov 17 17:02:57 2014 -0500

    sunrpc: eliminate the XPT_DETACHED flag
    
    All it does is indicate whether a xprt has already been deleted from
    a list or not, which is unnecessary since we use list_del_init and it's
    always set and checked under the sv_lock anyway.
    
    Signed-off-by: Jeff Layton <[email protected]>
    Signed-off-by: J. Bruce Fields <[email protected]>

commit ea7aaa26273431650cb94e712c7c7cfec4306587
Author: Sebastian Hesselbarth <[email protected]>
Date:   Mon Nov 17 14:35:47 2014 +0100

    ARM: dts: berlin: enable USB on the Google Chromecast
    
    Enable usb1 on Google Chromecast which is connected to micro-USB
    plug used for external power supply, too.
    
    Signed-off-by: Antoine Tenart <[email protected]>
    Signed-off-by: Sebastian Hesselbarth <[email protected]>

commit e802b3a2bfd4f52a9b23037800fa0965aae92013
Author: Sebastian Hesselbarth <[email protected]>
Date:   Mon Nov 17 14:35:46 2014 +0100

    ARM: dts: berlin: add BG2CD nodes for USB support
    
    Adds nodes describing the Marvell Berlin BG2CD USB PHY and USB. The BG2CD
    SoC has 2 USB ChipIdea controllers, with usb0 host-only and usb1 dual-role
    capable.
    
    Signed-off-by: Antoine Tenart <[email protected]>
    Signed-off-by: Sebastian Hesselbarth <[email protected]>

commit fe354939edffe1f2579b4b372bad44e72bd9a9b3
Author: Antoine Tenart <[email protected]>
Date:   Mon Nov 17 14:35:45 2014 +0100

    ARM: dts: Berlin: enable USB on the BG2Q DMP
    
    Enable the 2 available USB PHY and USB nodes on the Marvell Berlin BG2Q
    DMP.
    
    Signed-off-by: Antoine Tenart <[email protected]>
    Signed-off-by: Sebastian Hesselbarth <[email protected]>

commit c539711ee79f997b0cdc136382167963932461b8
Author: Antoine Tenart <[email protected]>
Date:   Mon Nov 17 14:35:44 2014 +0100

    ARM: dts: berlin: add BG2Q nodes for USB support
    
    Adds nodes describing the Marvell Berlin BG2Q USB PHY and USB. The BG2Q
    SoC has 3 USB host controller, compatible with ChipIdea.
    
    Signed-off-by: Antoine Tenart <[email protected]>
    Signed-off-by: Sebastian Hesselbarth <[email protected]>

commit 81906906d8d95837c87b934a1a929cc43b61f4ee
Author: Antoine Tenart <[email protected]>
Date:   Mon Nov 17 14:33:12 2014 +0100

    ARM: berlin: do not select RESET_CONTROLLER
    
    RESET_CONTROLLER is meant to be user-selectable. To respect that,
    do not select it automatically when using ARCH_BERLIN.
    
    Signed-off-by: Antoine Tenart <[email protected]>
    Signed-off-by: Sebastian Hesselbarth <[email protected]>

commit 7943c0f329d33f531607d66f5781f2210e1e278c
Author: Alexei Starovoitov <[email protected]>
Date:   Thu Nov 13 17:36:50 2014 -0800

    bpf: remove test map scaffolding and user proper types
    
    proper types and function helpers are ready. Use them in verifier testsuite.
    Remove temporary stubs
    
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit d0003ec01c667b731c139e23de3306a8b328ccf5
Author: Alexei Starovoitov <[email protected]>
Date:   Thu Nov 13 17:36:49 2014 -0800

    bpf: allow eBPF programs to use maps
    
    expose bpf_map_lookup_elem(), bpf_map_update_elem(), bpf_map_delete_elem()
    map accessors to eBPF programs
    
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit ffb65f27a15583379567b6a59a9758163b7f5750
Author: Alexei Starovoitov <[email protected]>
Date:   Thu Nov 13 17:36:48 2014 -0800

    bpf: add a testsuite for eBPF maps
    
    . check error conditions and sanity of hash and array map APIs
    . check large maps (that kernel gracefully switches to vmalloc from kmalloc)
    . check multi-process parallel access and stress test
    
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit a1854d6ac0008518bfc45e791172ad250999c2a2
Author: Alexei Starovoitov <[email protected]>
Date:   Thu Nov 13 17:36:47 2014 -0800

    bpf: fix BPF_MAP_LOOKUP_ELEM command return code
    
    fix errno of BPF_MAP_LOOKUP_ELEM command as bpf manpage
    described it in commit b4fc1a460f30("Merge branch 'bpf-next'"):
    -----
    BPF_MAP_LOOKUP_ELEM
        int bpf_lookup_elem(int fd, void *key, void *value)
        {
            union bpf_attr attr = {
                .map_fd = fd,
                .key = ptr_to_u64(key),
                .value = ptr_to_u64(value),
            };
    
            return bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
        }
        bpf() syscall looks up an element with given key in  a  map  fd.
        If  element  is found it returns zero and stores element's value
        into value.  If element is not found  it  returns  -1  and  sets
        errno to ENOENT.
    
    and further down in manpage:
    
       ENOENT For BPF_MAP_LOOKUP_ELEM or BPF_MAP_DELETE_ELEM,  indicates  that
              element with given key was not found.
    -----
    
    In general all BPF commands return ENOENT when map element is not found
    (including BPF_MAP_GET_NEXT_KEY and BPF_MAP_UPDATE_ELEM with
     flags == BPF_MAP_UPDATE_ONLY)
    
    Subsequent patch adds a testsuite to check return values for all of
    these combinations.
    
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 28fbcfa08d8ed7c5a50d41a0433aad222835e8e3
Author: Alexei Starovoitov <[email protected]>
Date:   Thu Nov 13 17:36:46 2014 -0800

    bpf: add array type of eBPF maps
    
    add new map type BPF_MAP_TYPE_ARRAY and its implementation
    
    - optimized for fastest possible lookup()
      . in the future verifier/JIT may recognize lookup() with constant key
        and optimize it into constant pointer. Can optimize non-constant
        key into direct pointer arithmetic as well, since pointers and
        value_size are constant for the life of the eBPF program.
        In other words array_map_lookup_elem() may be 'inlined' by verifier/JIT
        while preserving concurrent access to this map from user space
    
    - two main use cases for array type:
      . 'global' eBPF variables: array of 1 element with key=0 and value is a
        collection of 'global' variables which programs can use to keep the state
        between events
      . aggregation of tracing events into fixed set of buckets
    
    - all array elements pre-allocated and zero initialized at init time
    
    - key as an index in array and can only be 4 byte
    
    - map_delete_elem() returns EINVAL, since elements cannot be deleted
    
    - map_update_elem() replaces elements in an non-atomic way
      (for atomic updates hashtable type should be used instead)
    
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 0f8e4bd8a1fc8c4185f1630061d0a1f2d197a475
Author: Alexei Starovoitov <[email protected]>
Date:   Thu Nov 13 17:36:45 2014 -0800

    bpf: add hashtable type of eBPF maps
    
    add new map type BPF_MAP_TYPE_HASH and its implementation
    
    - maps are created/destroyed by userspace. Both userspace and eBPF programs
      can lookup/update/delete elements from the map
    
    - eBPF programs can be called in_irq(), so use spin_lock_irqsave() mechanism
      for concurrent updates
    
    - key/value are opaque range of bytes (aligned to 8 bytes)
    
    - user space provides 3 configuration attributes via BPF syscall:
      key_size, value_size, max_entries
    
    - map takes care of allocating/freeing key/value pairs
    
    - map_update_elem() must fail to insert new element when max_entries
      limit is reached to make sure that eBPF programs cannot exhaust memory
    
    - map_update_elem() replaces elements in an atomic way
    
    - optimized for speed of lookup() which can be called multiple times from
      eBPF program which itself is triggered by high volume of events
      . in the future JIT compiler may recognize lookup() call and optimize it
        further, since key_size is constant for life of eBPF program
    
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 3274f52073d88b62f3c5ace82ae9d48546232e72
Author: Alexei Starovoitov <[email protected]>
Date:   Thu Nov 13 17:36:44 2014 -0800

    bpf: add 'flags' attribute to BPF_MAP_UPDATE_ELEM command
    
    the current meaning of BPF_MAP_UPDATE_ELEM syscall command is:
    either update existing map element or create a new one.
    Initially the plan was to add a new command to handle the case of
    'create new element if it didn't exist', but 'flags' style looks
    cleaner and overall diff is much smaller (more code reused), so add 'flags'
    attribute to BPF_MAP_UPDATE_ELEM command with the following meaning:
     #define BPF_ANY	0 /* create new element or update existing */
     #define BPF_NOEXIST	1 /* create new element if it didn't exist */
     #define BPF_EXIST	2 /* update existing element */
    
    bpf_update_elem(fd, key, value, BPF_NOEXIST) call can fail with EEXIST
    if element already exists.
    
    bpf_update_elem(fd, key, value, BPF_EXIST) can fail with ENOENT
    if element doesn't exist.
    
    Userspace will call it as:
    int bpf_update_elem(int fd, void *key, void *value, __u64 flags)
    {
        union bpf_attr attr = {
            .map_fd = fd,
            .key = ptr_to_u64(key),
            .value = ptr_to_u64(value),
            .flags = flags;
        };
    
        return bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
    }
    
    First two bits of 'flags' are used to encode style of bpf_update_elem() command.
    Bits 2-63 are reserved for future use.
    
    Signed-off-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit 2d791d2259d465ba1669a4cf3d7395d54f5e9772
Author: Ralf Baechle <[email protected]>
Date:   Tue Nov 18 18:47:13 2014 +0100

    MIPS: Zero variable read by get_user / __get_user in case of an error.
    
    This wasn't happening in all cases.
    
    Signed-off-by: Ralf Baechle <[email protected]>

commit cadaecd2188b99d93de676150007f0e097223232
Author: Denis Kirjanov <[email protected]>
Date:   Mon Nov 17 23:07:41 2014 +0300

    PPC: bpf_jit_comp: Unify BPF_MOD | BPF_X and BPF_DIV | BPF_X
    
    Reduce duplicated code by unifying
    BPF_ALU | BPF_MOD | BPF_X and BPF_ALU | BPF_DIV | BPF_X
    
    CC: Alexei Starovoitov<[email protected]>
    CC: Daniel Borkmann<[email protected]>
    CC: Philippe Bergheaud<[email protected]>
    Signed-off-by: Denis Kirjanov <[email protected]>
    Acked-by: Alexei Starovoitov <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>

commit a0e27f51ba8a04125c22a95c4d3e98297a7191de
Author: Soren Brinkmann <[email protected]>
Date:   Thu Nov 6 07:38:51 2014 -0800

    documentation: pinctrl bindings: Fix trivial typo 'abitrary'
    
    A misspelled 'arbitrary' propagated to quite a few locations in the DT
    binding documentation for pin-controllers. Fixing by:
      git grep abitrary | cut -f1 -d: | xargs sed -i 's/abitrary/arbitrary/'
    
    Reported-by: Andreas Färber <[email protected]>
    Signed-off-by: Soren Brinkmann <[email protected]>
    Signed-off-by: Rob Herring <[email protected]>

commit 5641c09226f401ee054e48521707fb185380e8d3
Author: bpqw <[email protected]>
Date:   Wed Nov 12 14:26:42 2014 +0000

    devicetree: bindings: Add vendor prefix for Micron Technology, Inc.
    
    This patch is used to add vendor prefix for Micron Technology, Inc. in
    the vendor-prefixes.txt file.
    
    Micron Technology, Inc. is an American multinational corporation based
    in Boise, Idaho, best known for producing many forms of semiconductor
    devices. This includes DRAM, SDRAM, flash memory, eMMC and SSDs.
    
    Signed-off-by: Bean Huo <[email protected]>
    [robh: cleanup commit msg formatting and company name]
    Signed-off-by: Rob Herring <[email protected]>

commit f9cb89b63db8cb2755a5179843a0643cc284f1ef
Author: Philipp Zabel <[email protected]>
Date:   Wed May 14 11:24:43 2014 +0200

    of: Add vendor prefix for Chips&Media, Inc.
    
    Chips&Media is a developer of Video Codec IP cores.
    
    Signed-off-by: Philipp Zabel <[email protected]>
    [robh: fix-up alphabetical ordering]
    Signed-off-by: Rob Herring <[email protected]>

commit 746c9e9f92dde2789908e51a354ba90a1962a2eb
Author: Benjamin Herrenschmidt <[email protected]>
Date:   Fri Nov 14 17:55:03 2014 +1100

    of/base: Fix PowerPC address parsing hack
    
    We have a historical hack that treats missing ranges properties as the
    equivalent of an empty one. This is needed for ancient PowerMac "bad"
    device-trees, and shouldn't be enabled for any other PowerPC platform,
    otherwise we get some nasty layout of devices in sysfs or even
    duplication when a set of otherwise identically named devices is
    created multiple times under a different parent node with no ranges
    property.
    
    This fix is needed for the PowerNV i2c busses to be exposed properly
    and will fix a number of other embedded cases.
    
    Signed-off-by: Benjamin Herrenschmidt <[email protected]>
    CC: <[email protected]>
    Acked-by: Grant Likely <[email protected]>
    Signed-off-by: Rob Herring <[email protected]>

commit 9b6eab07588c2de102423fe99c875fc4bfda2508
Author: Antony Pavlov <[email protected]>
Date:   Sun Nov 9 01:37:34 2014 +0300

    devicetree: vendor-prefixes.txt: fix whitespace
    
    Signed-off-by: Antony Pavlov <[email protected]>
    Signed-off-by: Rob Herring <[email protected]>

commit ab74d00a39f70e1bc34a01322bb59f3750ca7a8c
Author: Kevin Cernekee <[email protected]>
Date:   Sun Nov 9 00:55:47 2014 -0800

    of: Fix crash if an earlycon driver is not found
    
    __earlycon_of_table_sentinel.compatible is a char[128], not a pointer, so
    it will never be NULL.  Checking it against NULL causes the match loop to
    run past the end of the array, and eventually match a bogus entry, under
    the following conditions:
    
     - Kernel command line specifies "earlycon" with no parameters
     - DT has a stdout-path pointing to a UART node
     - The UART driver doesn't use OF_EARLYCON_DECLARE (or maybe the console
       driver is compiled out)
    
    Fix this by checking to see if match->compatible is a non-empty string.
    
    Signed-off-by: Kevin Cernekee <[email protected]>
    Cc: <[email protected]> # 3.16+
    Signed-off-by: Rob Herring <[email protected]>

commit 66865de4314caca30598244b86817e774c188afa
Author: Bjorn Helgaas <[email protected]>
Date:   Sat Nov 1 17:35:31 2014 -0600

    of/irq: Drop obsolete 'interrupts' vs 'interrupts-extended' text
    
    a9ecdc0fdc54 ("of/irq: Fix lookup to use 'interrupts-extended' property
    first") updated the description to say that:
    
      - Both 'interrupts' and 'interrupts-extended' may be present
      - Software should prefer 'interrupts-extended'
      - Software that doesn't comprehend 'interrupts-extended' may use
        'interrupts'
    
    But there is still a paragraph at the end that prohibits having both and
    says 'interrupts' should be preferred.
    
    Remove the contradictory text.
    
    Fixes: a9ecdc0fdc54 ("of/irq: Fix lookup to use 'interrupts-extended' property first")
    Signed-off-by: Bjorn Helgaas <[email protected]>
    CC: [email protected]	# v3.13+
    Acked-by: Brian Norris <[email protected]>
    Acked-by: Mark Rutland <[email protected]>
    Signed-off-by: Rob Herring <[email protected]>

commit 27b3383a1432127bfcf9f8a63bf184ff4d866141
Author: Geert Uytterhoeven <[email protected]>
Date:   Wed Oct 22 11:49:01 2014 +0200

    of: Spelling s/stucture/structure/
    
    Signed-off-by: Geert Uytterhoeven <[email protected]>
    Cc: Grant Likely <[email protected]>
    Cc: Rob Herring <[email protected]>
    Signed-off-by: Rob Herring <[email protected]>

commit f2a306c29d024193b1272cd014108882f7887a9e
Author: Robert Jarzmik <[email protected]>
Date:   Fri Sep 26 00:26:27 2014 +0200

    devicetree: bindings: add sandisk to the vendor prefixes
    
    Add sandisk to the list of vendors. This prefix should be used
    also for companies absorbed by Sandisk, like M-Systems.
    
    Signed-off-by: Robert Jarzmik <[email protected]>
    Signed-off-by: Rob Herring <[email protected]>

commit 00e4c3b6e285da90e736fbefff3d9e74a200ee54
Author: Charles Keepax <[email protected]>
Date:   Tue Nov 18 16:25:27 2014 +0000

    ASoC: wm_adsp: Move core_ena to be co-located with start bit
    
    Many firmwares do not wait for the start bit before they begin
    processing audio, whilst this is a bug on the firmware side there are
    too many such firmwares in the wild to ignore the situation. This patch
    moves the core enable to happen at same time as the start, the firmware
    looses the ability to overlap its own startup with the audio path bring
    up but we ensure that all firmwares behave.
    
    Signed-off-by: Charles Keepax <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 17c1861eabd12f28c24d4929efcc8aba8920b88f
Author: Alexey Ishchuk <[email protected]>
Date:   Fri Nov 14 14:27:58 2014 +0100

    s390/kernel: add system calls for access PCI memory
    
    Add the new __NR_s390_pci_mmio_write and __NR_s390_pci_mmio_read
    system calls to allow user space applications to access device PCI I/O
    memory pages on s390x platform.
    
    [ Martin Schwidefsky: some code beautification ]
    
    Signed-off-by: Alexey Ishchuk <[email protected]>
    Signed-off-by: Martin Schwidefsky <[email protected]>

commit 6d1e2e1783deecb7b922716295ca17deebbd3d0e
Author: Martin Schwidefsky <[email protected]>
Date:   Fri Nov 14 16:37:47 2014 +0100

    s390: fix ptrace of user area if the inferior uses vector registers
    
    The floating point registers f a process that uses vector instruction are
    not store into task->thread.fp_regs anymore but in the upper halves of the
    first 16 vector registers.
    The ptrace interface for the peeks and pokes to the user area fails to take
    this into account. Fix __peek_user[_compat] and __poke_user[_compat]
    to use the vector array for the floating pointer register if the process
    has one.
    
    Signed-off-by: Martin Schwidefsky <[email protected]>

commit afaa7d29bc04bf0fcf2e7bda2a802392a38d059b
Author: Sebastian Ott <[email protected]>
Date:   Fri Nov 14 11:01:37 2014 +0100

    s390/irq: use irq 0
    
    Irq 0 is currently unused on s390. Since there is no reason to
    do this start counting at the beginning and gain an additional
    irq. Also correctly report the smallest usable irq number for
    dynamic allocation.
    
    Signed-off-by: Sebastian Ott <[email protected]>
    Signed-off-by: Martin Schwidefsky <[email protected]>

commit 99e97b7106d492a3cac4f7963f4a89935d2fbca4
Author: Frank Blaschka <[email protected]>
Date:   Thu Nov 6 13:17:06 2014 +0100

    s390/io: add ioport_map stubs
    
    add ioport_map stubs to make vfio build on s390.
    
    Signed-off-by: Frank Blaschka <[email protected]>
    Signed-off-by: Martin Schwidefsky <[email protected]>

commit a6b42afa3fc452339e157ad5245320804cf1206f
Author: Thomas Huth <[email protected]>
Date:   Tue Oct 28 15:12:23 2014 +0100

    s390/docs: Remove sections that are not related to s390
    
    Information how to use the GCC pre-processor, objdump, strace, top, etc.
    are generic and not specific to the S390 architecture, so we do not need
    this information in Debugging390.txt
    
    Signed-off-by: Thomas Huth <[email protected]>
    Signed-off-by: Martin Schwidefsky <[email protected]>

commit b19556231156ce3e58ffd677747bf3ef7890a937
Author: Thomas Huth <[email protected]>
Date:   Fri Oct 31 14:10:14 2014 +0100

    s390/docs: Fix the documentation of the address spaces
    
    The information about the address spaces was completely outdated, since
    the usage of the address spaces changed quite a bit since the early days.
    This patch now updates the information about the usage of the address
    spaces, mostly by using the description from Heiko's patch "rework uaccess
    code - fix locking issues" (457f2180951cdcbfb4657ddcc83b486e93497f56).
    
    Signed-off-by: Thomas Huth <[email protected]>
    Signed-off-by: Martin Schwidefsky <[email protected]>

commit 5f217f905bc5e9d609d0aac830736bcfc087c7f5
Author: Takashi Sakamoto <[email protected]>
Date:   Tue Nov 18 23:59:40 2014 +0900

    ALSA: firewire-lib: fix kerneldoc errors
    
    Complete missing parameters, correct wrong reference, and add an explaination
    about the differences between the latest specification and our implementation.
    
    Signed-off-by: Takashi Sakamoto <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>

commit d6d521799fac14e14dead4e9428158340ff6b95f
Author: JS Park <[email protected]>
Date:   Tue Nov 18 16:07:22 2014 +0000

    ASoC: wm_adsp: Fix memory leak in wm_adsp_setup_algs
    
    Signed-off-by: JS Park <[email protected]>
    Signed-off-by: Charles Keepax <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 139768895309c6c1d6913e909e9c9422f81a1640
Author: Jens Axboe <[email protected]>
Date:   Tue Nov 18 08:45:31 2014 -0700

    NVMe: enable IO stats by default
    
    Before the blk-mq conversion they were on by default, we should
    not change behavior there.
    
    Signed-off-by: Jens Axboe <[email protected]>

commit a5a267cf9ca9937b0ef946b502657ae7638282f6
Author: Sudip Mukherjee <[email protected]>
Date:   Tue Nov 18 17:42:54 2014 +0530

    ASoC: rt286: build warning of section mismatch
    
    while building we were getting the following build warning:
    
    Section mismatch in reference from the function rt286_i2c_probe()
    to the variable .init.data:force_combo_jack_table
    The function rt286_i2c_probe() references
    the variable __initdata force_combo_jack_table.
    This is often because rt286_i2c_probe lacks a __initdata
    annotation or the annotation of force_combo_jack_table is wrong.
    
    we were getting the warning as force_combo_jack_table was marked
    with __initdata
    
    Signed-off-by: Sudip Mukherjee <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 358a8bb5628420529e4f0b77068155ca8fa8973b
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:53 2014 +0100

    ASoC: ac97: Push snd_ac97 pointer to the driver level
    
    Now that the ASoC core no longer needs a handle to the AC'97 device that is
    associated with a CODEC we can remove it from the snd_soc_codec struct and
    push it into the individual driver state structs like we do for other
    communication buses. Doing so creates a clean separation between the AC'97
    bus support and the ASoC core.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Acked-by: Charles Keepax <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit bc2632140435cc84f9817f1c362479b23dbdfebc
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:52 2014 +0100

    ASoC: Rename snd_soc_dai_driver struct ac97_control field to bus_control
    
    Setting the ac97_control field on a CPU DAI tells the ASoC core that this
    DAI in addition to audio data also transports control data to the CODEC.
    This causes the core to suspend the DAI after the CODEC and resume it before
    the CODEC so communication to the CODEC is still possible. This is not
    necessarily something that is specific to AC'97 and can be used by other
    buses with the same requirement. This patch renames the flag from
    ac97_control to bus_control to make this explicit.
    
    While we are at it also change the type from int to bool.
    
    The following semantich patch was used for automatic conversion of the
    drivers:
    // <smpl>
    @@
    identifier drv;
    @@
    struct snd_soc_dai_driver drv = {
    -	.ac97_control
    +	.bus_control
    	=
    -	1
    +	true
    };
    // </smpl>
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 4bafcf074aca3bd191e4d93c6a140ca52654f192
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:51 2014 +0100

    ASoC: Drop ac97_control initialization from CODEC driver DAIs
    
    This is no longer necessary as there is no code anymore that uses this for
    CODEC DAIs.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Acked-by: Charles Keepax <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 6794f709b7124ff1e574c4f4c9494418ab56c4b4
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:50 2014 +0100

    ASoC: ac97: Drop delayed device registration
    
    We have all the information and dependencies we need to initialize and
    register the device available in snd_soc_new_ac97_codec(). So there is no
    need to delay the device registration until after the card itself as been
    registered.
    
    This makes the code significantly simpler and also makes it possible to use
    the AC'97 device in the CODECs probe function. The later will be required to
    be able to convert the AC'97 CODEC drivers to regmap.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit ca005f324ee38308b319c693f40523d959027acf
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:49 2014 +0100

    ASoC: ac97: Drop support for setting platform data via the CPU DAI
    
    This has no users since commit f0fba2ad1b6b ("ASoC: multi-component - ASoC
    Multi-Component Support") which was almost 5 years ago. Given that this runs
    after CODEC probe functions have been run it also doesn't seem to be that
    useful.
    
    So drop it altogether to make the code simpler.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit bdfd60e3c0affb914549f1d22e8aeef71e7828e6
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:48 2014 +0100

    ASoC: ac97: Merge soc_ac97_dev_{un,}register()/soc_{un,}register_ac97_codec()
    
    soc_{un,}register_ac97_codec() is just a simple wrapper around
    soc_ac97_dev_{un,}register(). There is no need to split these up into two
    different sets of functions.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit eda1a701fd9589b6ed15b109558bd4f6202e3829
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:47 2014 +0100

    ASoC: ac97: Use static ac97_bus
    
    We always pass soc_ac97_ops to snd_soc_new_ac97_codec(). So instead of
    allocating a snd_ac97_bus in snd_soc_new_ac97_codec() just use a static one
    that gets initialized when snd_soc_set_ac97_ops() is called.
    
    Also drop the device number parameter from snd_soc_new_ac97_codec(). We
    currently only support one device per bus and all drivers pass 0 for the
    device number. And if we should ever support multiple devices per bus it
    wouldn't be up to individual AC'97 device drivers to pick their number, but
    rather either the AC'97 adapter driver or the core code will assign them.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Acked-by: Charles Keepax <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 336b8423e285174ebecf02a743d69913b83bbc48
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:46 2014 +0100

    ASoC: Move AC'97 support to its own file
    
    Currently the AC'97 support is splattered all throughout soc-core.c. Some
    parts are #ifdef'd some parts are not. This patch moves the AC'97 support to
    its own file, this should make the code a bit more clearer and also makes it
    possible to easily not compile it into the kernel when not needed.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 70f3af3ca15affaef3d026a5aa6e44c4627ea6c7
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:45 2014 +0100

    ASoC: Properly handle AC'97 device lifetime management
    
    The memory that a struct device is contained in must not be freed except
    from within the device's release callback. The ASoC code currently does not
    adhere to this rule for the AC'97 device. This patch fixes it by moving the
    freeing of the AC'97 to the release callback and splitting up the
    registration and unregistration of the device into separate steps for
    getting/putting the reference to the device and adding/removing it to the
    device hierarchy.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 65c72efd1ea370f0311a5d89754996fff9fc0747
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:44 2014 +0100

    ASoC: mpc5200_dma: Don't overwrite ac97 device private_data
    
    The mpc5200_dma overwrites the private_data field of the CODEC's AC'97
    device with the DMA drivers private data, but never actually reads it again.
    Given that the private_data field is supposed to be owned by the AC'97
    driver, overwriting it may cause undefined behavior. This patch removes the
    code that overwrites the field from the driver.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 35480e3536cdab1ee1976675e798f16d707f5356
Author: Lars-Peter Clausen <[email protected]>
Date:   Mon Nov 10 22:41:43 2014 +0100

    ASoC: mpc5200_psc_ac97: Remove unused on-stack snd_ac97 device
    
    The mpc5200_psc_ac97 driver puts a snd_ac97 device on the stack in the
    driver probe function, initializes the private data member of the device and
    the never uses the device again. It should be safe to remove it.
    
    Signed-off-by: Lars-Peter Clausen <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 77c1aa84de0096792de673aa1c64c36b38553cf5
Author: Daniel Vetter <[email protected]>
Date:   Tue Nov 18 13:27:07 2014 +0100

    drm/i915: Don't print header in error state for non-existing CS
    
    This goes back to
    
    commit 362b8af7ad1d91266aa4931e62be45c1e5cf753b
    Author: Ben Widawsky <[email protected]>
    Date:   Thu Jan 30 00:19:38 2014 -0800
    
        drm/i915: Move per ring error state to ring_error
    
    Spotted while reading error states.
    
    Cc: Ben Widawsky <[email protected]>
    Cc: Chris Wilson <[email protected]>
    Reviewed-by: Chris Wilson <[email protected]>
    Signed-off-by: Daniel Vetter <[email protected]>

commit 6dcc0cf6cb3120cedc0d4c12171894f3d6415981
Author: Jens Axboe <[email protected]>
Date:   Tue Nov 18 08:21:18 2014 -0700

    NVMe: nvme_submit_async_admin_req() must use atomic rq allocation
    
    We are called for async event notification issues, and the
    nvmeq lock is already held. If we fail the request allocation,
    we'll just retry next time.
    
    Reported-by: Julia Lawall <[email protected]>
    Signed-off-by: Jens Axboe <[email protected]>

commit 30021e3707a75cc29dc1252c062d374151c5985f
Author: Beniamino Galvani <[email protected]>
Date:   Thu Nov 13 20:32:01 2014 +0100

    i2c: add support for Amlogic Meson I2C controller
    
    This is a driver for the I2C controller found in Amlogic Meson SoCs.
    
    Signed-off-by: Beniamino Galvani <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>

commit c9449affad2ae0824927df5a207705e07f346fb1
Author: Gerlando Falauto <[email protected]>
Date:   Thu Nov 13 14:39:56 2014 +0100

    i2c: mux: create "channel-n" symlinks for child segments in the mux device
    
    This makes the topology clearer. For instance, by adding a pca9547
    device with address 0x70 to bus i2c-0, you get:
    
    /sys/class/i2c-dev/i2c-0/device/0-0070/channel-0 -> i2c-1
    ...
    /sys/class/i2c-dev/i2c-0/device/0-0070/channel-7 -> i2c-8
    
    Signed-off-by: Gerlando Falauto <[email protected]>
    [wsa: simplified sysfs-usage and fixed format string usage]
    Signed-off-by: Wolfram Sang <[email protected]>
    Acked-by: Martin Belanger <[email protected]>
    Acked-by: Danielle Costantino <[email protected]>

commit 51cf3b0e2a72bb08cd280be6c0ead4e08ed50a2c
Author: Wolfram Sang <[email protected]>
Date:   Thu Nov 13 14:39:55 2014 +0100

    i2c: mux: create symlink to actual mux device
    
    The current implementation creates muxed i2c-<n> busses as immediate
    children of their i2c-<n> parent bus. In case of multiple muxes on one
    bus, it is impossible to determine which muxed bus comes from which mux.
    
    It could be argued that the parent device should be changed from the
    parent adapter to the mux device. This has pros and cons. To improve the
    topology, simply add a "mux_device" symlink pointing to the actual
    muxing device, so we can distinguish muxed busses. Doing it this way, we
    don't break the ABI.
    
    Signed-off-by: Wolfram Sang <[email protected]>
    Tested-by: Guenter Roeck <[email protected]>

commit 4470c725ba7b86481c31466640ab487f927de6b7
Author: Wolfram Sang <[email protected]>
Date:   Tue Nov 18 15:12:43 2014 +0100

    i2c: acpi: remove unneeded variable initialization
    
    No need to initialize 'ret' if it gets assigned directly after that.
    
    Signed-off-by: Wolfram Sang <[email protected]>
    Acked-by: Mika Westerberg <[email protected]>

commit bb29a93b38610d2adc6ead40b75e1a1991617550
Author: Masanari Iida <[email protected]>
Date:   Wed Nov 12 00:52:23 2014 +0900

    ASoC: jack: Fix warning while make htmldocs caused by soc-jack.c
    
    This patch fix following errors while "make htmldocs" on
    linux-next-20141110.
    
    Warning(.//sound/soc/soc-jack.c:126): No description found for
    parameter 'zones'
    Warning(.//sound/soc/soc-jack.c:126): Excess function parameter
    'zone' description in 'snd_soc_jack_add_zones'
    
    Signed-off-by: Masanari Iida <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit ce1a78840ff7ab846065d5b65eaac959bafe1949
Author: Yao Yuan <[email protected]>
Date:   Tue Nov 18 18:31:06 2014 +0800

    i2c: imx: add DMA support for freescale i2c driver
    
    Add dma support for i2c. This function depend on DMA driver.
    You can turn on it by write both the dmas and dma-name properties in dts node.
    DMA is optional, even DMA request unsuccessfully, i2c can also work well.
    
    Signed-off-by: Yuan Yao <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>

commit 2fbed5119d6a07a6777b2131262587df338df22b
Author: Yao Yuan <[email protected]>
Date:   Tue Nov 18 18:31:05 2014 +0800

    i2c: imx: Sort include headers alphabetically
    
    If the inlcude headers aren't sorted alphabetically, then the
    logical choice is to append new ones, however that creates a
    lot of potential for conflicts or duplicates because every change
    will then add new includes in the same location.
    
    Signed-off-by: Yuan Yao <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>

commit fcc50e5cd2deb8316d19e446d8efdfc9b35646ef
Author: Qipan Li <[email protected]>
Date:   Mon Nov 17 23:17:03 2014 +0800

    spi: sirf: assign spi_master's max_speed_hz member
    
    if spi device has no frequency, spi core will setup the default frequency
    to max_speed_hz of spi_master according to
    int spi_setup(struct spi_device *spi)
    {
    	...
            if (!spi->max_speed_hz)
                    spi->max_speed_hz = spi->master->max_speed_hz;
    	...
    }
    this patch moves CSR SiRFSoC SPI frequency set to follow SPI core behaviour.
    
    Signed-off-by: Qipan Li <[email protected]>
    Signed-off-by: Barry Song <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>

commit 9c4b19a07dddda3ba35a2eb9b4134d485908e2f5
Author: Qipan Li <[email protected]>
Date:   Mon Nov 17 23:17:02 2014 +0800

    spi: sirf: fix word width configuration
    
    commit 8c328a262f ("spi: sirf: Avoid duplicate code in various
    bits_per_word cases") is wrong in setting data width register of
    fifo is not right, it should use sspi->word_width >> 1 to set
    related bits. According to hardware spec, the mapping between
    register value and data width:
    0 - byte
    1 - WORD
    2 - DWORD
    
    Fixes: 8c328a262f ("spi: sirf: Avoid duplicate code in various bits_per_word cases") is wrong in setting data width register of
    Signed-off-by: Qipan Li <[email protected]>
    Signed-off-by: Barry Song <[email protected]>
    Signed-off-by: Mark Brown <[email protected]>
    Cc: [email protected]

commit 864b94adfcba752aa902ee34497bbe58b97aa8d3
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:48:03 2014 +0800

    pci, ACPI, iommu: Enhance pci_root to support DMAR device hotplug
    
    Finally enhance pci_root driver to support DMAR device hotplug when
    hot-plugging PCI host bridges.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Reviewed-by: Yijing Wang <[email protected]>
    Acked-by: Bjorn Helgaas <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit 30badc9543490f41497c42f004db02f1e8a29341
Author: Markus Elfring <[email protected]>
Date:   Tue Nov 18 11:31:23 2014 +0100

    GFS2: Deletion of unnecessary checks before two function calls
    
    The functions iput() and put_pid() test whether their argument is NULL
    and then return immediately. Thus the test around the call is not needed.
    
    This issue was detected by using the Coccinelle software.
    
    Signed-off-by: Markus Elfring <[email protected]>
    Signed-off-by: Steven Whitehouse <[email protected]>

commit 0690cbd2e55a72a8eae557c389d1a136ed9fa142
Author: Joerg Roedel <[email protected]>
Date:   Wed Nov 5 15:28:30 2014 +0100

    powerpc/iommu: Rename iommu_[un]map_sg functions
    
    The IOMMU-API gained support for a new iommu_map_sg
    function. This causes compile failures on powerpc because
    the function name is already globally used there.
    This patch renames adds a ppc_ prefix to these functions to
    solve the compile problem.
    
    Signed-off-by: Joerg Roedel <[email protected]>

commit ffebeb46dd34736c90ffbca1ccb0bef8f4827c44
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:48:02 2014 +0800

    iommu/vt-d: Enhance intel-iommu driver to support DMAR unit hotplug
    
    Implement required callback functions for intel-iommu driver
    to support DMAR unit hotplug.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Reviewed-by: Yijing Wang <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit 51acce33c4df6ee23b5ad4c2e6c239e0d6f25771
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:48:01 2014 +0800

    iommu/vt-d: Enhance error recovery in function intel_enable_irq_remapping()
    
    Enhance error recovery in function intel_enable_irq_remapping()
    by tearing down all created data structures.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Reviewed-by: Yijing Wang <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit a7a3dad944344caf034699b0c0e8dc51b469cf20
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:48:00 2014 +0800

    iommu/vt-d: Enhance intel_irq_remapping driver to support DMAR unit hotplug
    
    Implement required callback functions for intel_irq_remapping driver
    to support DMAR unit hotplug.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit d35165a955f095095cdb8512cb7cd8f63101649a
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:47:59 2014 +0800

    iommu/vt-d: Search for ACPI _DSM method for DMAR hotplug
    
    According to Intel VT-d specification, _DSM method to support DMAR
    hotplug should exist directly under corresponding ACPI object
    representing PCI host bridge. But some BIOSes doesn't conform to
    this, so search for _DSM method in the subtree starting from the
    ACPI object representing the PCI host bridge.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Reviewed-by: Yijing Wang <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit 6b1972493a84f8fe13ff9d202745590f6c53d670
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:47:58 2014 +0800

    iommu/vt-d: Implement DMAR unit hotplug framework
    
    On Intel platforms, an IO Hub (PCI/PCIe host bridge) may contain DMAR
    units, so we need to support DMAR hotplug when supporting PCI host
    bridge hotplug on Intel platforms.
    
    According to Section 8.8 "Remapping Hardware Unit Hot Plug" in "Intel
    Virtualization Technology for Directed IO Architecture Specification
    Rev 2.2", ACPI BIOS should implement ACPI _DSM method under the ACPI
    object for the PCI host bridge to support DMAR hotplug.
    
    This patch introduces interfaces to parse ACPI _DSM method for
    DMAR unit hotplug. It also implements state machines for DMAR unit
    hot-addition and hot-removal.
    
    The PCI host bridge hotplug driver should call dmar_hotplug_hotplug()
    before scanning PCI devices connected for hot-addition and after
    destroying all PCI devices for hot-removal.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Reviewed-by: Yijing Wang <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit 78d8e7046111425bb688cddc4303d79cb0f0d281
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:47:57 2014 +0800

    iommu/vt-d: Dynamically allocate and free seq_id for DMAR units
    
    Introduce functions to support dynamic IOMMU seq_id allocating and
    releasing, which will be used to support DMAR hotplug.
    
    Also rename IOMMU_UNITS_SUPPORTED as DMAR_UNITS_SUPPORTED.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Reviewed-by: Yijing Wang <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit c2a0b538d2c778aef7bf2fbe7973229192c9a392
Author: Jiang Liu <[email protected]>
Date:   Sun Nov 9 22:47:56 2014 +0800

    iommu/vt-d: Introduce helper function dmar_walk_resources()
    
    Introduce helper function dmar_walk_resources to walk resource entries
    in DMAR table and ACPI buffer object returned by ACPI _DSM method
    for IOMMU hot-plug.
    
    Signed-off-by: Jiang Liu <[email protected]>
    Signed-off-by: Joerg Roedel <[email protected]>

commit eb45fa0b93e03b03848cd048dcc57648409c8125
Author: Jani Nikula <[email protected]>
Date:   Tue Nov 18 12:11:29 2014 +0200

    drm/i915/audio: fix monitor presence indication after disable
    
    Indicate the monitor has been disconnected on disable.
    
    The regression has been introduced in
    
    commit 5fad84a7530f8e7664cdc6f490cb90653fed1266
    Author: Jani Nikula <[email protected]>
    Date:   Tue Nov 4 10:30:23 2014 +0200
    
        drm/i915: rewrite hsw/bdw audio codec enable/disable sequences
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86424
    Cc: Rodrigo Vivi <[email protected]>
    Signed-off-by: Jani Nikula <[email protected]>
    Signed-off-by: Daniel Vetter <[email protected]>

commit 6676f3081f7e3dae64e05b87d47a041b782f898a
Author: Hui Wang <[email protected]>
Date:   Tue Nov 18 17:57:41 2014 +0800

    ALSA: hda - fix the mic mute led problem for Latitude E5550
    
    The microphone mute led on the Latitude E5550 can't work. We need to
    apply DELL_WMI_MIC_MUTE_LED quirk to this machine.
    
    The machine uses alc293 codec and already applied the quirk
    ALC293_FIXUP_DELL1_MIC_NO_PRESENCE through pin_fixup_tbl[].
    
    Here we just let DELL_WMI_MIC_MUTE_LED be chained to
    ALC269_FIXUP_HEADSET_MODE, then the machine will have these
    quirks ALC293_FIXUP_DELL1_MIC_NO_PRESENCE-->
    ALC269_FIXUP_HEADSET_MODE-->ALC255_FIXUP_DELL_WMI_MIC_MUTE_LED.
    
    BugLink: https://bugs.launchpad.net/bugs/1381856
    Reported-and-tested-by: Po-Hsu Lin <[email protected]>
    Signed-off-by: Hui Wang <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>

commit 4a83d42ae2041d5b76f1a0662bc3a5a85e4eb0d1
Author: Hui Wang <[email protected]>
Date:   Tue Nov 18 17:57:40 2014 +0800

    ALSA: hda - move DELL_WMI_MIC_MUTE_LED to the tail in the quirk chain
    
    We have one more Dell machine needs DELL_WMI_MIC_MUTE_LED quirk, but
    the machine uses alc293 instead of alc255. So if
    DELL_WMI_MIC_MUTE_LED still chain ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
    the machine can't use this quirk.
    
    To change this situation, let the DELL_WMI_MIC_MUTE_LED to be a
    standalone quirk, and let other quirks chain it.
    
    After this change, this quirk can be chained to any existing quirks,
    and as a result, it is possible that this quirk is applied to
    a non-Dell machine or a Dell machine without mic mute led on it, but
    it is still safe since alc_fixup_dell_wmi() will return an error in
    these situations.
    
    And remove the quirk for machine with subsystem id 0x6010 and 0x601f,
    these two machines will fall back to the quirk
    ALC255_FIXUP_DELL1_MIC_NO_PRESENCE-->ALC255_FIXUP_HEADSET_MODE-->
    ALC255_FIXUP_DELL_WMI_MIC_MUTE_LED through pin_fixup_tbl[].
    
    BugLink: https://bugs.launchpad.net/bugs/1381856
    Reported-and-tested-by: Po-Hsu Lin <[email protected]>
    Signed-off-by: Hui Wang <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>

commit 3ffa037d7f78ceb25115eda29176c2bd2844866f
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:19:02 2014 +0000

    i40e: Set XPS bit mask to zero in DCB mode
    
    Due to DCBX configuration change if the VSI needs to use more than 1 TC;
    it needs to disable the XPS maps that were set when operating in 1 TC mode.
    Without disabling XPS the netdev layer will select queues based on those
    settings and not use the TC queue mapping to make the queue selection.
    
    This patch allows the driver to enable/disable the XPS based on the number
    of TCs being enabled for the given VSI.
    
    Change-ID: Idc4dec47a672d2a509f6d7fe11ed1ee65b4f0e08
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit 4b7698cb95638693e3d9a2fc01a2bdbd8710ff81
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:18:57 2014 +0000

    i40e: Prevent link flow control settings when PFC is enabled
    
    When PFC is enabled we should not proceed with setting the link flow control
    parameters.  Also, always report the link flow Tx/Rx settings as off when
    PFC is enabled.
    
    Change-ID: Ib09ec58afdf0b2e587ac9d8851a5c80ad58206c4
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit d341b7a52be79520f8e8b1ed0e3df657b2442e5b
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:18:51 2014 +0000

    i40e: Do not disable/enable FCoE VSI with DCB reconfig
    
    FCoE VSI Tx queue disable times out when reconfiguring as a result of
    DCB TC configuration change event.
    
    The hardware allows us to skip disabling and enabling of Tx queues for
    VSIs with single TC enabled. As FCoE VSI is configured to have only
    single TC we skip it from disable/enable flow.
    
    Change-ID: Ia73ff3df8785ba2aa3db91e6f2c9005e61ebaec2
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit 69129dc39fac45e0ea1dbbca995abdac279df376
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:18:46 2014 +0000

    i40e: Modify Tx disable wait flow in case of DCB reconfiguration
    
    When DCB TC configuration changes the firmware suspends the port's Tx.
    Now, as DCB TCs may have changed the PF driver tries to reconfigure the
    TC configuration of the VSIs it manages. As part of this process it disables
    the VSI queues but the Tx queue disable will not complete as the port's
    Tx has been suspended. So, waiting for Tx queues to go to disable state
    in this flow may lead to detection of Tx queue disable timeout errors.
    
    Hence, this patch adds a new PF state so that if a port's Tx is in
    suspended state the Tx queue disable flow would just put the request for
    the queue to be disabled and return without waiting for the queue to be
    actually disabled.
    Once the VSI(s) TC reconfiguration has been done and driver has called
    firmware AQC "Resume PF Traffic" the driver checks the Tx queues requested
    to be disabled are actually disabled before re-enabling them again.
    
    Change-ID: If3e03ce4813a4e342dbd5a1eb1d2861e952b7544
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit 23cd1f095adf110d118ef972914c714176cd48d0
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:18:41 2014 +0000

    i40e: Update VEB's enabled_tc after reconfiguration
    
    When the port TC configuration changes as a result of DCBx the driver
    modifies the enabled TCs for the VEBs it manages. But, in the process
    it did not update the enabled_tc value that it caches on a per VEB basis.
    
    So, when the next reconfiguration event occurs where the number of TC
    value is same as the value cached in enabled_tc for a given VEB; driver
    does not modify it's TC configuration by calling appropriate AQ command
    believing it is running with the same configuration as requested.
    Now, as the VEB is not actually enabled for the TCs that are there any
    TC configuration command for VSI attached to that VEB with TCs that are
    not enabled for the VEB fails.
    
    This patch fixes this issue.
    
    Change-ID: Ife5694469b05494228e0d850429ea1734738cf29
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit e1c4751ee22f5d5f6f6cfcb70614e18e4218892e
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:18:30 2014 +0000

    i40e: Check for LLDP AdminStatus before querying DCBX
    
    This patch adds a check whether LLDP Agent's default AdminStatus is
    enabled or disabled on a given port. If it is disabled then it sets
    the DCBX status to disabled as well; and would not query firmware for
    any DCBX configuration data.
    
    Change-ID: I73c0b9f0adbf4cae177d14914b20a48c9a8f50fd
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit 9fa61dd2153a4ff3a57891d4866a2595eb9ac81a
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:18:25 2014 +0000

    i40e: Add support to firmware CEE DCBX mode
    
    This patch allows i40e driver to query and use DCB configuration from
    firmware when firmware DCBX agent is in CEE mode.
    
    Change-ID: I30f92a67eb890f0f024f35339696e6e83d49a274
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit 2fd75f31f6bacaed38061f95f0fee26de3e01170
Author: Neerav Parikh <[email protected]>
Date:   Wed Nov 12 00:18:20 2014 +0000

    i40e: Resume Port Tx after DCB event
    
    When there are DCB configuration changes based on DCBX the firmware suspends
    the port's Tx and generates an event to the PF. The PF is then responsible
    to reconfigure the PF VSIs and switching topology as per the updated DCB
    configuration and then resume the port's Tx by calling the "Resume Port Tx"
    AQ command.
    
    This patch adds this call to the flow that handles DCB re-configuration in
    the PF.
    
    Change-ID: I5b860ad48abfbf379b003143c4d3453e2ed5cc1c
    Signed-off-by: Neerav Parikh <[email protected]>
    Tested-By: Jack Morgan <[email protected]>
    Signed-off-by: Jeff Kirsher <[email protected]>

commit 7bda87c7fb2eaab8e144d6d0a2638099d7b6e5f5
Author: Catherine Sullivan <[email protected]>
Date:   Tue Nov 11 03:15:06 2014 +0000

    i40e: Bump version to 1.1.23
    
    Bumping minor version as this will be the second SW release and it
    should be 1.
    
    Change-ID: If0bd102095d2f059ae0c9b7f4ad625535ffbbdee
    Signed-off-by: Catherine Sullivan <[email protected]>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirshe…
tobetter pushed a commit to tobetter/linux that referenced this pull request Jul 7, 2015
CkNoSFeRaTU pushed a commit to CkNoSFeRaTU/linux that referenced this pull request Aug 25, 2016
iaguis pushed a commit to kinvolk/linux that referenced this pull request Feb 6, 2018
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Apr 6, 2018
At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
pascalhuerst pushed a commit to nonlinear-labs-dev/linux that referenced this pull request Apr 19, 2018
commit 85ea29f upstream.

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
frank-w referenced this pull request in frank-w/BPI-Router-Linux Apr 19, 2018
commit 85ea29f upstream.

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ #108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Noltari pushed a commit to Noltari/linux that referenced this pull request Apr 20, 2018
commit 85ea29f upstream.

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
tombriden pushed a commit to tombriden/linux that referenced this pull request Apr 22, 2018
commit 85ea29f upstream.

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Noltari pushed a commit to Noltari/linux that referenced this pull request Apr 24, 2018
commit 85ea29f upstream.

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Noltari pushed a commit to Noltari/linux that referenced this pull request May 29, 2018
[ Upstream commit 85ea29f ]

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
nemunaire pushed a commit to nemunaire/CI20_linux that referenced this pull request Jun 6, 2018
commit 85ea29f upstream.

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [MIPS#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [MIPS#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

cc: [email protected]
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Noltari pushed a commit to Noltari/linux that referenced this pull request Oct 22, 2018
commit 85ea29f upstream.

At put_v4l2_window32(), it tries to access kp->clips. However,
kp points to an userspace pointer. So, it should be obtained
via get_user(), otherwise it can OOPS:

 vivid-000: ==================  END STATUS  ==================
 BUG: unable to handle kernel paging request at 00000000fffb18e0
 IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
 Oops: 0001 [#1] SMP
 Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
 CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ torvalds#107
 Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
 RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
 RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
 RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
 R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
 R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
 Stack:
  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
 Call Trace:
  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
 RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
 RSP <ffff8803f5643e28>
 CR2: 00000000fffb18e0

Tested with vivid driver on Kernel v3.18.102.

Same bug happens upstream too:

 BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
 Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713

 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 Call Trace:
  dump_stack+0x5c/0x7c
  kasan_report+0x164/0x380
  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
  __put_v4l2_format32+0x98/0x4d0 [videodev]
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 ==================================================================
 Disabling lock debugging due to kernel taint
 BUG: unable to handle kernel paging request at 00000000ffe48400
 IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
 PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
 Oops: 0001 [#1] SMP KASAN
 Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
 CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ torvalds#108
 Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
 RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
 RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
 RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
 RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
 R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
 R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
 FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
 CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
 CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
 Call Trace:
  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
  ? __fsnotify_inode_delete+0x20/0x20
  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
  compat_SyS_ioctl+0x646/0x14d0
  ? do_ioctl+0x30/0x30
  do_fast_syscall_32+0x191/0x3f4
  entry_SYSENTER_compat+0x6b/0x7a
 Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
 RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
 CR2: 00000000ffe48400

Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Reviewed-by: Sakari Ailus <[email protected]>
Reviewed-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
ffainelli pushed a commit to ffainelli/linux that referenced this pull request Nov 30, 2018
__qdisc_drop_all() accesses skb->prev to get to the tail of the
segment-list.

With commit 68d2f84 ("net: gro: properly remove skb from list")
the skb-list handling has been changed to set skb->next to NULL and set
the list-poison on skb->prev.

With that change, __qdisc_drop_all() will panic when it tries to
dereference skb->prev.

Since commit 992cba7 ("net: Add and use skb_list_del_init().")
__list_del_entry is used, leaving skb->prev unchanged (thus,
pointing to the list-head if it's the first skb of the list).
This will make __qdisc_drop_all modify the next-pointer of the list-head
and result in a panic later on:

[   34.501053] general protection fault: 0000 [#1] SMP KASAN PTI
[   34.501968] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.20.0-rc2.mptcp torvalds#108
[   34.502887] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   34.504074] RIP: 0010:dev_gro_receive+0x343/0x1f90
[   34.504751] Code: e0 48 c1 e8 03 42 80 3c 30 00 0f 85 4a 1c 00 00 4d 8b 24 24 4c 39 65 d0 0f 84 0a 04 00 00 49 8d 7c 24 38 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 04
[   34.507060] RSP: 0018:ffff8883af507930 EFLAGS: 00010202
[   34.507761] RAX: 0000000000000007 RBX: ffff8883970b2c80 RCX: 1ffff11072e165a6
[   34.508640] RDX: 1ffff11075867008 RSI: ffff8883ac338040 RDI: 0000000000000038
[   34.509493] RBP: ffff8883af5079d0 R08: ffff8883970b2d40 R09: 0000000000000062
[   34.510346] R10: 0000000000000034 R11: 0000000000000000 R12: 0000000000000000
[   34.511215] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8883ac338008
[   34.512082] FS:  0000000000000000(0000) GS:ffff8883af500000(0000) knlGS:0000000000000000
[   34.513036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.513741] CR2: 000055ccc3e9d020 CR3: 00000003abf32000 CR4: 00000000000006e0
[   34.514593] Call Trace:
[   34.514893]  <IRQ>
[   34.515157]  napi_gro_receive+0x93/0x150
[   34.515632]  receive_buf+0x893/0x3700
[   34.516094]  ? __netif_receive_skb+0x1f/0x1a0
[   34.516629]  ? virtnet_probe+0x1b40/0x1b40
[   34.517153]  ? __stable_node_chain+0x4d0/0x850
[   34.517684]  ? kfree+0x9a/0x180
[   34.518067]  ? __kasan_slab_free+0x171/0x190
[   34.518582]  ? detach_buf+0x1df/0x650
[   34.519061]  ? lapic_next_event+0x5a/0x90
[   34.519539]  ? virtqueue_get_buf_ctx+0x280/0x7f0
[   34.520093]  virtnet_poll+0x2df/0xd60
[   34.520533]  ? receive_buf+0x3700/0x3700
[   34.521027]  ? qdisc_watchdog_schedule_ns+0xd5/0x140
[   34.521631]  ? htb_dequeue+0x1817/0x25f0
[   34.522107]  ? sch_direct_xmit+0x142/0xf30
[   34.522595]  ? virtqueue_napi_schedule+0x26/0x30
[   34.523155]  net_rx_action+0x2f6/0xc50
[   34.523601]  ? napi_complete_done+0x2f0/0x2f0
[   34.524126]  ? kasan_check_read+0x11/0x20
[   34.524608]  ? _raw_spin_lock+0x7d/0xd0
[   34.525070]  ? _raw_spin_lock_bh+0xd0/0xd0
[   34.525563]  ? kvm_guest_apic_eoi_write+0x6b/0x80
[   34.526130]  ? apic_ack_irq+0x9e/0xe0
[   34.526567]  __do_softirq+0x188/0x4b5
[   34.527015]  irq_exit+0x151/0x180
[   34.527417]  do_IRQ+0xdb/0x150
[   34.527783]  common_interrupt+0xf/0xf
[   34.528223]  </IRQ>

This patch makes sure that skb->prev is set to NULL when entering
netem_enqueue.

Cc: Prashant Bhole <[email protected]>
Cc: Tyler Hicks <[email protected]>
Cc: Eric Dumazet <[email protected]>
Fixes: 68d2f84 ("net: gro: properly remove skb from list")
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: Christoph Paasch <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Nov 30, 2018
There are places in the stack, where we access skb->prev directly and
modify it. Namely, __qdisc_drop_all().

With commit 68d2f84 ("net: gro: properly remove skb from list")
the skb-list handling has been changed to set skb->next to NULL and set
the list-poison on skb->prev.

With that change, __qdisc_drop_all() will panic when it tries to
dereference skb->prev.

Since commit 992cba7 ("net: Add and use skb_list_del_init().")
__list_del_entry is used, leaving skb->prev unchanged (thus,
pointing to the list-head if it's the first skb of the list).
This will make __qdisc_drop_all modify the next-pointer of the list-head
and result in a panic later on:

[   34.501053] general protection fault: 0000 [#1] SMP KASAN PTI
[   34.501968] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.20.0-rc2.mptcp torvalds#108
[   34.502887] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   34.504074] RIP: 0010:dev_gro_receive+0x343/0x1f90
[   34.504751] Code: e0 48 c1 e8 03 42 80 3c 30 00 0f 85 4a 1c 00 00 4d 8b 24 24 4c 39 65 d0 0f 84 0a 04 00 00 49 8d 7c 24 38 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 04
[   34.507060] RSP: 0018:ffff8883af507930 EFLAGS: 00010202
[   34.507761] RAX: 0000000000000007 RBX: ffff8883970b2c80 RCX: 1ffff11072e165a6
[   34.508640] RDX: 1ffff11075867008 RSI: ffff8883ac338040 RDI: 0000000000000038
[   34.509493] RBP: ffff8883af5079d0 R08: ffff8883970b2d40 R09: 0000000000000062
[   34.510346] R10: 0000000000000034 R11: 0000000000000000 R12: 0000000000000000
[   34.511215] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8883ac338008
[   34.512082] FS:  0000000000000000(0000) GS:ffff8883af500000(0000) knlGS:0000000000000000
[   34.513036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.513741] CR2: 000055ccc3e9d020 CR3: 00000003abf32000 CR4: 00000000000006e0
[   34.514593] Call Trace:
[   34.514893]  <IRQ>
[   34.515157]  napi_gro_receive+0x93/0x150
[   34.515632]  receive_buf+0x893/0x3700
[   34.516094]  ? __netif_receive_skb+0x1f/0x1a0
[   34.516629]  ? virtnet_probe+0x1b40/0x1b40
[   34.517153]  ? __stable_node_chain+0x4d0/0x850
[   34.517684]  ? kfree+0x9a/0x180
[   34.518067]  ? __kasan_slab_free+0x171/0x190
[   34.518582]  ? detach_buf+0x1df/0x650
[   34.519061]  ? lapic_next_event+0x5a/0x90
[   34.519539]  ? virtqueue_get_buf_ctx+0x280/0x7f0
[   34.520093]  virtnet_poll+0x2df/0xd60
[   34.520533]  ? receive_buf+0x3700/0x3700
[   34.521027]  ? qdisc_watchdog_schedule_ns+0xd5/0x140
[   34.521631]  ? htb_dequeue+0x1817/0x25f0
[   34.522107]  ? sch_direct_xmit+0x142/0xf30
[   34.522595]  ? virtqueue_napi_schedule+0x26/0x30
[   34.523155]  net_rx_action+0x2f6/0xc50
[   34.523601]  ? napi_complete_done+0x2f0/0x2f0
[   34.524126]  ? kasan_check_read+0x11/0x20
[   34.524608]  ? _raw_spin_lock+0x7d/0xd0
[   34.525070]  ? _raw_spin_lock_bh+0xd0/0xd0
[   34.525563]  ? kvm_guest_apic_eoi_write+0x6b/0x80
[   34.526130]  ? apic_ack_irq+0x9e/0xe0
[   34.526567]  __do_softirq+0x188/0x4b5
[   34.527015]  irq_exit+0x151/0x180
[   34.527417]  do_IRQ+0xdb/0x150
[   34.527783]  common_interrupt+0xf/0xf
[   34.528223]  </IRQ>

This patch makes sure that skb->prev is also set to NULL when removing
it from the list.

The bug is in v4.19.x as well, but the patch can't be backported easily.
I can post a follow-up for that.

Cc: Prashant Bhole <[email protected]>
Cc: Tyler Hicks <[email protected]>
Fixes: 68d2f84 ("net: gro: properly remove skb from list")
Signed-off-by: Christoph Paasch <[email protected]>
Noltari pushed a commit to Noltari/linux that referenced this pull request Dec 17, 2018
[ Upstream commit 9410d38 ]

__qdisc_drop_all() accesses skb->prev to get to the tail of the
segment-list.

With commit 68d2f84 ("net: gro: properly remove skb from list")
the skb-list handling has been changed to set skb->next to NULL and set
the list-poison on skb->prev.

With that change, __qdisc_drop_all() will panic when it tries to
dereference skb->prev.

Since commit 992cba7 ("net: Add and use skb_list_del_init().")
__list_del_entry is used, leaving skb->prev unchanged (thus,
pointing to the list-head if it's the first skb of the list).
This will make __qdisc_drop_all modify the next-pointer of the list-head
and result in a panic later on:

[   34.501053] general protection fault: 0000 [#1] SMP KASAN PTI
[   34.501968] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.20.0-rc2.mptcp torvalds#108
[   34.502887] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   34.504074] RIP: 0010:dev_gro_receive+0x343/0x1f90
[   34.504751] Code: e0 48 c1 e8 03 42 80 3c 30 00 0f 85 4a 1c 00 00 4d 8b 24 24 4c 39 65 d0 0f 84 0a 04 00 00 49 8d 7c 24 38 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 04
[   34.507060] RSP: 0018:ffff8883af507930 EFLAGS: 00010202
[   34.507761] RAX: 0000000000000007 RBX: ffff8883970b2c80 RCX: 1ffff11072e165a6
[   34.508640] RDX: 1ffff11075867008 RSI: ffff8883ac338040 RDI: 0000000000000038
[   34.509493] RBP: ffff8883af5079d0 R08: ffff8883970b2d40 R09: 0000000000000062
[   34.510346] R10: 0000000000000034 R11: 0000000000000000 R12: 0000000000000000
[   34.511215] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8883ac338008
[   34.512082] FS:  0000000000000000(0000) GS:ffff8883af500000(0000) knlGS:0000000000000000
[   34.513036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.513741] CR2: 000055ccc3e9d020 CR3: 00000003abf32000 CR4: 00000000000006e0
[   34.514593] Call Trace:
[   34.514893]  <IRQ>
[   34.515157]  napi_gro_receive+0x93/0x150
[   34.515632]  receive_buf+0x893/0x3700
[   34.516094]  ? __netif_receive_skb+0x1f/0x1a0
[   34.516629]  ? virtnet_probe+0x1b40/0x1b40
[   34.517153]  ? __stable_node_chain+0x4d0/0x850
[   34.517684]  ? kfree+0x9a/0x180
[   34.518067]  ? __kasan_slab_free+0x171/0x190
[   34.518582]  ? detach_buf+0x1df/0x650
[   34.519061]  ? lapic_next_event+0x5a/0x90
[   34.519539]  ? virtqueue_get_buf_ctx+0x280/0x7f0
[   34.520093]  virtnet_poll+0x2df/0xd60
[   34.520533]  ? receive_buf+0x3700/0x3700
[   34.521027]  ? qdisc_watchdog_schedule_ns+0xd5/0x140
[   34.521631]  ? htb_dequeue+0x1817/0x25f0
[   34.522107]  ? sch_direct_xmit+0x142/0xf30
[   34.522595]  ? virtqueue_napi_schedule+0x26/0x30
[   34.523155]  net_rx_action+0x2f6/0xc50
[   34.523601]  ? napi_complete_done+0x2f0/0x2f0
[   34.524126]  ? kasan_check_read+0x11/0x20
[   34.524608]  ? _raw_spin_lock+0x7d/0xd0
[   34.525070]  ? _raw_spin_lock_bh+0xd0/0xd0
[   34.525563]  ? kvm_guest_apic_eoi_write+0x6b/0x80
[   34.526130]  ? apic_ack_irq+0x9e/0xe0
[   34.526567]  __do_softirq+0x188/0x4b5
[   34.527015]  irq_exit+0x151/0x180
[   34.527417]  do_IRQ+0xdb/0x150
[   34.527783]  common_interrupt+0xf/0xf
[   34.528223]  </IRQ>

This patch makes sure that skb->prev is set to NULL when entering
netem_enqueue.

Cc: Prashant Bhole <[email protected]>
Cc: Tyler Hicks <[email protected]>
Cc: Eric Dumazet <[email protected]>
Fixes: 68d2f84 ("net: gro: properly remove skb from list")
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: Christoph Paasch <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Noltari pushed a commit to Noltari/linux that referenced this pull request Dec 17, 2018
[ Upstream commit 9410d38 ]

__qdisc_drop_all() accesses skb->prev to get to the tail of the
segment-list.

With commit 68d2f84 ("net: gro: properly remove skb from list")
the skb-list handling has been changed to set skb->next to NULL and set
the list-poison on skb->prev.

With that change, __qdisc_drop_all() will panic when it tries to
dereference skb->prev.

Since commit 992cba7 ("net: Add and use skb_list_del_init().")
__list_del_entry is used, leaving skb->prev unchanged (thus,
pointing to the list-head if it's the first skb of the list).
This will make __qdisc_drop_all modify the next-pointer of the list-head
and result in a panic later on:

[   34.501053] general protection fault: 0000 [#1] SMP KASAN PTI
[   34.501968] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.20.0-rc2.mptcp torvalds#108
[   34.502887] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   34.504074] RIP: 0010:dev_gro_receive+0x343/0x1f90
[   34.504751] Code: e0 48 c1 e8 03 42 80 3c 30 00 0f 85 4a 1c 00 00 4d 8b 24 24 4c 39 65 d0 0f 84 0a 04 00 00 49 8d 7c 24 38 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 04
[   34.507060] RSP: 0018:ffff8883af507930 EFLAGS: 00010202
[   34.507761] RAX: 0000000000000007 RBX: ffff8883970b2c80 RCX: 1ffff11072e165a6
[   34.508640] RDX: 1ffff11075867008 RSI: ffff8883ac338040 RDI: 0000000000000038
[   34.509493] RBP: ffff8883af5079d0 R08: ffff8883970b2d40 R09: 0000000000000062
[   34.510346] R10: 0000000000000034 R11: 0000000000000000 R12: 0000000000000000
[   34.511215] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8883ac338008
[   34.512082] FS:  0000000000000000(0000) GS:ffff8883af500000(0000) knlGS:0000000000000000
[   34.513036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.513741] CR2: 000055ccc3e9d020 CR3: 00000003abf32000 CR4: 00000000000006e0
[   34.514593] Call Trace:
[   34.514893]  <IRQ>
[   34.515157]  napi_gro_receive+0x93/0x150
[   34.515632]  receive_buf+0x893/0x3700
[   34.516094]  ? __netif_receive_skb+0x1f/0x1a0
[   34.516629]  ? virtnet_probe+0x1b40/0x1b40
[   34.517153]  ? __stable_node_chain+0x4d0/0x850
[   34.517684]  ? kfree+0x9a/0x180
[   34.518067]  ? __kasan_slab_free+0x171/0x190
[   34.518582]  ? detach_buf+0x1df/0x650
[   34.519061]  ? lapic_next_event+0x5a/0x90
[   34.519539]  ? virtqueue_get_buf_ctx+0x280/0x7f0
[   34.520093]  virtnet_poll+0x2df/0xd60
[   34.520533]  ? receive_buf+0x3700/0x3700
[   34.521027]  ? qdisc_watchdog_schedule_ns+0xd5/0x140
[   34.521631]  ? htb_dequeue+0x1817/0x25f0
[   34.522107]  ? sch_direct_xmit+0x142/0xf30
[   34.522595]  ? virtqueue_napi_schedule+0x26/0x30
[   34.523155]  net_rx_action+0x2f6/0xc50
[   34.523601]  ? napi_complete_done+0x2f0/0x2f0
[   34.524126]  ? kasan_check_read+0x11/0x20
[   34.524608]  ? _raw_spin_lock+0x7d/0xd0
[   34.525070]  ? _raw_spin_lock_bh+0xd0/0xd0
[   34.525563]  ? kvm_guest_apic_eoi_write+0x6b/0x80
[   34.526130]  ? apic_ack_irq+0x9e/0xe0
[   34.526567]  __do_softirq+0x188/0x4b5
[   34.527015]  irq_exit+0x151/0x180
[   34.527417]  do_IRQ+0xdb/0x150
[   34.527783]  common_interrupt+0xf/0xf
[   34.528223]  </IRQ>

This patch makes sure that skb->prev is set to NULL when entering
netem_enqueue.

Cc: Prashant Bhole <[email protected]>
Cc: Tyler Hicks <[email protected]>
Cc: Eric Dumazet <[email protected]>
Fixes: 68d2f84 ("net: gro: properly remove skb from list")
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: Christoph Paasch <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
teknoraver pushed a commit to teknoraver/linux that referenced this pull request Dec 18, 2018
[ Upstream commit 9410d38 ]

__qdisc_drop_all() accesses skb->prev to get to the tail of the
segment-list.

With commit 68d2f84 ("net: gro: properly remove skb from list")
the skb-list handling has been changed to set skb->next to NULL and set
the list-poison on skb->prev.

With that change, __qdisc_drop_all() will panic when it tries to
dereference skb->prev.

Since commit 992cba7 ("net: Add and use skb_list_del_init().")
__list_del_entry is used, leaving skb->prev unchanged (thus,
pointing to the list-head if it's the first skb of the list).
This will make __qdisc_drop_all modify the next-pointer of the list-head
and result in a panic later on:

[   34.501053] general protection fault: 0000 [#1] SMP KASAN PTI
[   34.501968] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.20.0-rc2.mptcp torvalds#108
[   34.502887] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   34.504074] RIP: 0010:dev_gro_receive+0x343/0x1f90
[   34.504751] Code: e0 48 c1 e8 03 42 80 3c 30 00 0f 85 4a 1c 00 00 4d 8b 24 24 4c 39 65 d0 0f 84 0a 04 00 00 49 8d 7c 24 38 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 04
[   34.507060] RSP: 0018:ffff8883af507930 EFLAGS: 00010202
[   34.507761] RAX: 0000000000000007 RBX: ffff8883970b2c80 RCX: 1ffff11072e165a6
[   34.508640] RDX: 1ffff11075867008 RSI: ffff8883ac338040 RDI: 0000000000000038
[   34.509493] RBP: ffff8883af5079d0 R08: ffff8883970b2d40 R09: 0000000000000062
[   34.510346] R10: 0000000000000034 R11: 0000000000000000 R12: 0000000000000000
[   34.511215] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8883ac338008
[   34.512082] FS:  0000000000000000(0000) GS:ffff8883af500000(0000) knlGS:0000000000000000
[   34.513036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.513741] CR2: 000055ccc3e9d020 CR3: 00000003abf32000 CR4: 00000000000006e0
[   34.514593] Call Trace:
[   34.514893]  <IRQ>
[   34.515157]  napi_gro_receive+0x93/0x150
[   34.515632]  receive_buf+0x893/0x3700
[   34.516094]  ? __netif_receive_skb+0x1f/0x1a0
[   34.516629]  ? virtnet_probe+0x1b40/0x1b40
[   34.517153]  ? __stable_node_chain+0x4d0/0x850
[   34.517684]  ? kfree+0x9a/0x180
[   34.518067]  ? __kasan_slab_free+0x171/0x190
[   34.518582]  ? detach_buf+0x1df/0x650
[   34.519061]  ? lapic_next_event+0x5a/0x90
[   34.519539]  ? virtqueue_get_buf_ctx+0x280/0x7f0
[   34.520093]  virtnet_poll+0x2df/0xd60
[   34.520533]  ? receive_buf+0x3700/0x3700
[   34.521027]  ? qdisc_watchdog_schedule_ns+0xd5/0x140
[   34.521631]  ? htb_dequeue+0x1817/0x25f0
[   34.522107]  ? sch_direct_xmit+0x142/0xf30
[   34.522595]  ? virtqueue_napi_schedule+0x26/0x30
[   34.523155]  net_rx_action+0x2f6/0xc50
[   34.523601]  ? napi_complete_done+0x2f0/0x2f0
[   34.524126]  ? kasan_check_read+0x11/0x20
[   34.524608]  ? _raw_spin_lock+0x7d/0xd0
[   34.525070]  ? _raw_spin_lock_bh+0xd0/0xd0
[   34.525563]  ? kvm_guest_apic_eoi_write+0x6b/0x80
[   34.526130]  ? apic_ack_irq+0x9e/0xe0
[   34.526567]  __do_softirq+0x188/0x4b5
[   34.527015]  irq_exit+0x151/0x180
[   34.527417]  do_IRQ+0xdb/0x150
[   34.527783]  common_interrupt+0xf/0xf
[   34.528223]  </IRQ>

This patch makes sure that skb->prev is set to NULL when entering
netem_enqueue.

Cc: Prashant Bhole <[email protected]>
Cc: Tyler Hicks <[email protected]>
Cc: Eric Dumazet <[email protected]>
Fixes: 68d2f84 ("net: gro: properly remove skb from list")
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: Christoph Paasch <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
redbrain17 referenced this pull request in redbrain17/linux-fslc Dec 20, 2018
[ Upstream commit 9410d38 ]

__qdisc_drop_all() accesses skb->prev to get to the tail of the
segment-list.

With commit 68d2f84 ("net: gro: properly remove skb from list")
the skb-list handling has been changed to set skb->next to NULL and set
the list-poison on skb->prev.

With that change, __qdisc_drop_all() will panic when it tries to
dereference skb->prev.

Since commit 992cba7 ("net: Add and use skb_list_del_init().")
__list_del_entry is used, leaving skb->prev unchanged (thus,
pointing to the list-head if it's the first skb of the list).
This will make __qdisc_drop_all modify the next-pointer of the list-head
and result in a panic later on:

[   34.501053] general protection fault: 0000 [Freescale#1] SMP KASAN PTI
[   34.501968] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.20.0-rc2.mptcp Freescale#108
[   34.502887] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011
[   34.504074] RIP: 0010:dev_gro_receive+0x343/0x1f90
[   34.504751] Code: e0 48 c1 e8 03 42 80 3c 30 00 0f 85 4a 1c 00 00 4d 8b 24 24 4c 39 65 d0 0f 84 0a 04 00 00 49 8d 7c 24 38 48 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 04
[   34.507060] RSP: 0018:ffff8883af507930 EFLAGS: 00010202
[   34.507761] RAX: 0000000000000007 RBX: ffff8883970b2c80 RCX: 1ffff11072e165a6
[   34.508640] RDX: 1ffff11075867008 RSI: ffff8883ac338040 RDI: 0000000000000038
[   34.509493] RBP: ffff8883af5079d0 R08: ffff8883970b2d40 R09: 0000000000000062
[   34.510346] R10: 0000000000000034 R11: 0000000000000000 R12: 0000000000000000
[   34.511215] R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8883ac338008
[   34.512082] FS:  0000000000000000(0000) GS:ffff8883af500000(0000) knlGS:0000000000000000
[   34.513036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.513741] CR2: 000055ccc3e9d020 CR3: 00000003abf32000 CR4: 00000000000006e0
[   34.514593] Call Trace:
[   34.514893]  <IRQ>
[   34.515157]  napi_gro_receive+0x93/0x150
[   34.515632]  receive_buf+0x893/0x3700
[   34.516094]  ? __netif_receive_skb+0x1f/0x1a0
[   34.516629]  ? virtnet_probe+0x1b40/0x1b40
[   34.517153]  ? __stable_node_chain+0x4d0/0x850
[   34.517684]  ? kfree+0x9a/0x180
[   34.518067]  ? __kasan_slab_free+0x171/0x190
[   34.518582]  ? detach_buf+0x1df/0x650
[   34.519061]  ? lapic_next_event+0x5a/0x90
[   34.519539]  ? virtqueue_get_buf_ctx+0x280/0x7f0
[   34.520093]  virtnet_poll+0x2df/0xd60
[   34.520533]  ? receive_buf+0x3700/0x3700
[   34.521027]  ? qdisc_watchdog_schedule_ns+0xd5/0x140
[   34.521631]  ? htb_dequeue+0x1817/0x25f0
[   34.522107]  ? sch_direct_xmit+0x142/0xf30
[   34.522595]  ? virtqueue_napi_schedule+0x26/0x30
[   34.523155]  net_rx_action+0x2f6/0xc50
[   34.523601]  ? napi_complete_done+0x2f0/0x2f0
[   34.524126]  ? kasan_check_read+0x11/0x20
[   34.524608]  ? _raw_spin_lock+0x7d/0xd0
[   34.525070]  ? _raw_spin_lock_bh+0xd0/0xd0
[   34.525563]  ? kvm_guest_apic_eoi_write+0x6b/0x80
[   34.526130]  ? apic_ack_irq+0x9e/0xe0
[   34.526567]  __do_softirq+0x188/0x4b5
[   34.527015]  irq_exit+0x151/0x180
[   34.527417]  do_IRQ+0xdb/0x150
[   34.527783]  common_interrupt+0xf/0xf
[   34.528223]  </IRQ>

This patch makes sure that skb->prev is set to NULL when entering
netem_enqueue.

Cc: Prashant Bhole <[email protected]>
Cc: Tyler Hicks <[email protected]>
Cc: Eric Dumazet <[email protected]>
Fixes: 68d2f84 ("net: gro: properly remove skb from list")
Suggested-by: Eric Dumazet <[email protected]>
Signed-off-by: Christoph Paasch <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 10, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 12, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 13, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 14, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 15, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
staging-kernelci-org pushed a commit to kernelci/linux that referenced this pull request Sep 16, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 16, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 19, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 22, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 25, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Sep 27, 2022
WARNING: line length of 108 exceeds 100 columns
torvalds#97: FILE: tools/testing/selftests/vm/mremap_test.c:136:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

WARNING: Missing a blank line after declarations
torvalds#98: FILE: tools/testing/selftests/vm/mremap_test.c:137:
+	char *start = mmap(NULL, 3 * page_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+	munmap(start + page_size, page_size);

ERROR: space required before the open parenthesis '('
torvalds#107: FILE: tools/testing/selftests/vm/mremap_test.c:146:
+	while(getline(&line, &len, fp) != -1) {

ERROR: space required after that ',' (ctx:VxV)
torvalds#108: FILE: tools/testing/selftests/vm/mremap_test.c:147:
+		char *first = strtok(line,"- ");
 		                         ^

ERROR: space required after that ',' (ctx:VxV)
torvalds#110: FILE: tools/testing/selftests/vm/mremap_test.c:149:
+		char *second = strtok(NULL,"- ");
 		                          ^

WARNING: Missing a blank line after declarations
torvalds#112: FILE: tools/testing/selftests/vm/mremap_test.c:151:
+		void *second_val = (void *) strtol(second, NULL, 16);
+		if (first_val == start && second_val == start + 3 * page_size) {

total: 3 errors, 3 warnings, 113 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/mm-add-merging-after-mremap-resize.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jakub Matěna <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Nov 28, 2022
When doing the following test steps, an error was found:
  step 1: modprobe 9pnet_virtio succeeded
    # modprobe 9pnet_virtio      <-- OK

  step 2: fault injection in sysfs_create_file()
    # modprobe -r 9pnet_virtio   <-- OK
    # ...
      FAULT_INJECTION: forcing a failure.
      name failslab, interval 1, probability 0, space 0, times 0
      CPU: 0 PID: 3790 Comm: modprobe Tainted: G        W
      6.1.0-rc6-00285-g6a1e40c4b995-dirty torvalds#108
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
      Call Trace:
       <TASK>
       ...
       should_failslab+0xa/0x20
       ...
       sysfs_create_file_ns+0x130/0x1d0
       p9_virtio_probe+0x662/0xb30 [9pnet_virtio]
       virtio_dev_probe+0x608/0xae0
       ...
       </TASK>
      9pnet_virtio: probe of virtio3 failed with error -12

  step 3: modprobe virtio_net failed
    # modprobe 9pnet_virtio       <-- failed
      9pnet_virtio: probe of virtio3 failed with error -2

The root cause of the problem is that the virtqueues are not
stopped on the error handling path when sysfs_create_file()
fails in p9_virtio_probe(), resulting in an error "-ENOENT"
returned in the next modprobe call in setup_vq().

virtio_pci_modern_device uses virtqueues to send or
receive message, and "queue_enable" records whether the
queues are available. In vp_modern_find_vqs(), all queues
will be selected and activated, but once queues are enabled
there is no way to go back except reset.

Fix it by reset virtio device on error handling path. After
virtio_find_single_vq() succeeded, all virtqueues should be
stopped on error handling path.

Fixes: 1fcf051 ("virtio_pci: modern driver")
Signed-off-by: Li Zetao <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Nov 30, 2022
When doing the following test steps, an error was found:
  step 1: modprobe 9pnet_virtio succeeded
    # modprobe 9pnet_virtio      <-- OK

  step 2: fault injection in sysfs_create_file()
    # modprobe -r 9pnet_virtio   <-- OK
    # ...
      FAULT_INJECTION: forcing a failure.
      name failslab, interval 1, probability 0, space 0, times 0
      CPU: 0 PID: 3790 Comm: modprobe Tainted: G        W
      6.1.0-rc6-00285-g6a1e40c4b995-dirty torvalds#108
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
      Call Trace:
       <TASK>
       ...
       should_failslab+0xa/0x20
       ...
       sysfs_create_file_ns+0x130/0x1d0
       p9_virtio_probe+0x662/0xb30 [9pnet_virtio]
       virtio_dev_probe+0x608/0xae0
       ...
       </TASK>
      9pnet_virtio: probe of virtio3 failed with error -12

  step 3: modprobe 9pnet_virtio failed
    # modprobe 9pnet_virtio       <-- failed
      9pnet_virtio: probe of virtio3 failed with error -2

The root cause of the problem is that the virtqueues are not
stopped on the error handling path when sysfs_create_file()
fails in p9_virtio_probe(), resulting in an error "-ENOENT"
returned in the next modprobe call in setup_vq().

virtio_pci_modern_device uses virtqueues to send or
receive message, and "queue_enable" records whether the
queues are available. In vp_modern_find_vqs(), all queues
will be selected and activated, but once queues are enabled
there is no way to go back except reset.

Fix it by reset virtio device on error handling path. After
virtio_find_single_vq() succeeded, all virtqueues should be
stopped on error handling path.

Fixes: ea52bf8 ("9p/trans_virtio: reset virtio device on remove")
Signed-off-by: Li Zetao <[email protected]>
Reviewed-by: Christian Schoenebeck <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Nov 16, 2023
Ensure the skb is available in metadata mapping to skbs before tracking the
metadata index for detecting undelivered CQEs. If the metadata index is put
in the tracking list before putting the skb in the map, the metadata index
might be used for detecting undelivered CQEs before the relevant skb is
available in the map, which can lead to a null-ptr-deref.

Log:
    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ torvalds#108
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Workqueue: events mlx5e_rx_dim_work [mlx5_core]
    RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07
    RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206
    RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005
    RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028
    RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383
    R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40
    R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <IRQ>
    ? die_addr+0x3c/0xa0
    ? exc_general_protection+0x144/0x210
    ? asm_exc_general_protection+0x22/0x30
    ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]
    __napi_poll.constprop.0+0xa4/0x580
    net_rx_action+0x460/0xb80
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? __napi_poll.constprop.0+0x580/0x580
    ? tasklet_action_common.isra.0+0x2ef/0x760
    __do_softirq+0x26c/0x827
    irq_exit_rcu+0xc2/0x100
    common_interrupt+0x7f/0xa0
    </IRQ>
    <TASK>
    asm_common_interrupt+0x22/0x40
    RIP: 0010:__kmem_cache_alloc_node+0xb/0x330
    Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83
    RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246
    RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218
    RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0
    RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9
    R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0
    R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450
    ? cmd_exec+0x796/0x2200 [mlx5_core]
    kmalloc_trace+0x26/0xc0
    cmd_exec+0x796/0x2200 [mlx5_core]
    mlx5_cmd_do+0x22/0xc0 [mlx5_core]
    mlx5_cmd_exec+0x17/0x30 [mlx5_core]
    mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]
    ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]
    ? lockdep_set_lock_cmp_fn+0x190/0x190
    ? process_one_work+0x659/0x1220
    mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]
    process_one_work+0x730/0x1220
    ? lockdep_hardirqs_on_prepare+0x400/0x400
    ? max_active_store+0xf0/0xf0
    ? assign_work+0x168/0x240
    worker_thread+0x70f/0x12d0
    ? __kthread_parkme+0xd1/0x1d0
    ? process_one_work+0x1220/0x1220
    kthread+0x2d9/0x3b0
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x2d/0x70
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork_asm+0x11/0x20
    </TASK>
    Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_ib ib_uverbs ib_core zram zsmalloc mlx5_core fuse
    ---[ end trace 0000000000000000 ]---

Fixes: 3178308 ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
Signed-off-by: Rahul Rameshbabu <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
andyshrk pushed a commit to andyshrk/linux that referenced this pull request Nov 22, 2023
Ensure the skb is available in metadata mapping to skbs before tracking the
metadata index for detecting undelivered CQEs. If the metadata index is put
in the tracking list before putting the skb in the map, the metadata index
might be used for detecting undelivered CQEs before the relevant skb is
available in the map, which can lead to a null-ptr-deref.

Log:
    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ torvalds#108
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Workqueue: events mlx5e_rx_dim_work [mlx5_core]
    RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07
    RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206
    RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005
    RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028
    RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383
    R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40
    R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <IRQ>
    ? die_addr+0x3c/0xa0
    ? exc_general_protection+0x144/0x210
    ? asm_exc_general_protection+0x22/0x30
    ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]
    __napi_poll.constprop.0+0xa4/0x580
    net_rx_action+0x460/0xb80
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? __napi_poll.constprop.0+0x580/0x580
    ? tasklet_action_common.isra.0+0x2ef/0x760
    __do_softirq+0x26c/0x827
    irq_exit_rcu+0xc2/0x100
    common_interrupt+0x7f/0xa0
    </IRQ>
    <TASK>
    asm_common_interrupt+0x22/0x40
    RIP: 0010:__kmem_cache_alloc_node+0xb/0x330
    Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83
    RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246
    RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218
    RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0
    RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9
    R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0
    R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450
    ? cmd_exec+0x796/0x2200 [mlx5_core]
    kmalloc_trace+0x26/0xc0
    cmd_exec+0x796/0x2200 [mlx5_core]
    mlx5_cmd_do+0x22/0xc0 [mlx5_core]
    mlx5_cmd_exec+0x17/0x30 [mlx5_core]
    mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]
    ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]
    ? lockdep_set_lock_cmp_fn+0x190/0x190
    ? process_one_work+0x659/0x1220
    mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]
    process_one_work+0x730/0x1220
    ? lockdep_hardirqs_on_prepare+0x400/0x400
    ? max_active_store+0xf0/0xf0
    ? assign_work+0x168/0x240
    worker_thread+0x70f/0x12d0
    ? __kthread_parkme+0xd1/0x1d0
    ? process_one_work+0x1220/0x1220
    kthread+0x2d9/0x3b0
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x2d/0x70
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork_asm+0x11/0x20
    </TASK>
    Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_ib ib_uverbs ib_core zram zsmalloc mlx5_core fuse
    ---[ end trace 0000000000000000 ]---

Fixes: 3178308 ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
Signed-off-by: Rahul Rameshbabu <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Kaz205 pushed a commit to Kaz205/linux that referenced this pull request Nov 26, 2023
[ Upstream commit 7e3f3ba ]

Ensure the skb is available in metadata mapping to skbs before tracking the
metadata index for detecting undelivered CQEs. If the metadata index is put
in the tracking list before putting the skb in the map, the metadata index
might be used for detecting undelivered CQEs before the relevant skb is
available in the map, which can lead to a null-ptr-deref.

Log:
    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ torvalds#108
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Workqueue: events mlx5e_rx_dim_work [mlx5_core]
    RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07
    RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206
    RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005
    RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028
    RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383
    R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40
    R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <IRQ>
    ? die_addr+0x3c/0xa0
    ? exc_general_protection+0x144/0x210
    ? asm_exc_general_protection+0x22/0x30
    ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]
    __napi_poll.constprop.0+0xa4/0x580
    net_rx_action+0x460/0xb80
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? __napi_poll.constprop.0+0x580/0x580
    ? tasklet_action_common.isra.0+0x2ef/0x760
    __do_softirq+0x26c/0x827
    irq_exit_rcu+0xc2/0x100
    common_interrupt+0x7f/0xa0
    </IRQ>
    <TASK>
    asm_common_interrupt+0x22/0x40
    RIP: 0010:__kmem_cache_alloc_node+0xb/0x330
    Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83
    RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246
    RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218
    RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0
    RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9
    R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0
    R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450
    ? cmd_exec+0x796/0x2200 [mlx5_core]
    kmalloc_trace+0x26/0xc0
    cmd_exec+0x796/0x2200 [mlx5_core]
    mlx5_cmd_do+0x22/0xc0 [mlx5_core]
    mlx5_cmd_exec+0x17/0x30 [mlx5_core]
    mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]
    ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]
    ? lockdep_set_lock_cmp_fn+0x190/0x190
    ? process_one_work+0x659/0x1220
    mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]
    process_one_work+0x730/0x1220
    ? lockdep_hardirqs_on_prepare+0x400/0x400
    ? max_active_store+0xf0/0xf0
    ? assign_work+0x168/0x240
    worker_thread+0x70f/0x12d0
    ? __kthread_parkme+0xd1/0x1d0
    ? process_one_work+0x1220/0x1220
    kthread+0x2d9/0x3b0
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x2d/0x70
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork_asm+0x11/0x20
    </TASK>
    Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_ib ib_uverbs ib_core zram zsmalloc mlx5_core fuse
    ---[ end trace 0000000000000000 ]---

Fixes: 3178308 ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
Signed-off-by: Rahul Rameshbabu <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Kaz205 pushed a commit to Kaz205/linux that referenced this pull request Nov 27, 2023
[ Upstream commit 7e3f3ba ]

Ensure the skb is available in metadata mapping to skbs before tracking the
metadata index for detecting undelivered CQEs. If the metadata index is put
in the tracking list before putting the skb in the map, the metadata index
might be used for detecting undelivered CQEs before the relevant skb is
available in the map, which can lead to a null-ptr-deref.

Log:
    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ torvalds#108
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Workqueue: events mlx5e_rx_dim_work [mlx5_core]
    RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07
    RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206
    RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005
    RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028
    RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383
    R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40
    R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <IRQ>
    ? die_addr+0x3c/0xa0
    ? exc_general_protection+0x144/0x210
    ? asm_exc_general_protection+0x22/0x30
    ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]
    __napi_poll.constprop.0+0xa4/0x580
    net_rx_action+0x460/0xb80
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? __napi_poll.constprop.0+0x580/0x580
    ? tasklet_action_common.isra.0+0x2ef/0x760
    __do_softirq+0x26c/0x827
    irq_exit_rcu+0xc2/0x100
    common_interrupt+0x7f/0xa0
    </IRQ>
    <TASK>
    asm_common_interrupt+0x22/0x40
    RIP: 0010:__kmem_cache_alloc_node+0xb/0x330
    Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83
    RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246
    RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218
    RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0
    RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9
    R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0
    R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450
    ? cmd_exec+0x796/0x2200 [mlx5_core]
    kmalloc_trace+0x26/0xc0
    cmd_exec+0x796/0x2200 [mlx5_core]
    mlx5_cmd_do+0x22/0xc0 [mlx5_core]
    mlx5_cmd_exec+0x17/0x30 [mlx5_core]
    mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]
    ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]
    ? lockdep_set_lock_cmp_fn+0x190/0x190
    ? process_one_work+0x659/0x1220
    mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]
    process_one_work+0x730/0x1220
    ? lockdep_hardirqs_on_prepare+0x400/0x400
    ? max_active_store+0xf0/0xf0
    ? assign_work+0x168/0x240
    worker_thread+0x70f/0x12d0
    ? __kthread_parkme+0xd1/0x1d0
    ? process_one_work+0x1220/0x1220
    kthread+0x2d9/0x3b0
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x2d/0x70
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork_asm+0x11/0x20
    </TASK>
    Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_ib ib_uverbs ib_core zram zsmalloc mlx5_core fuse
    ---[ end trace 0000000000000000 ]---

Fixes: 3178308 ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
Signed-off-by: Rahul Rameshbabu <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
BoukeHaarsma23 pushed a commit to ChimeraOS/linux that referenced this pull request Nov 28, 2023
[ Upstream commit 7e3f3ba ]

Ensure the skb is available in metadata mapping to skbs before tracking the
metadata index for detecting undelivered CQEs. If the metadata index is put
in the tracking list before putting the skb in the map, the metadata index
might be used for detecting undelivered CQEs before the relevant skb is
available in the map, which can lead to a null-ptr-deref.

Log:
    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ torvalds#108
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Workqueue: events mlx5e_rx_dim_work [mlx5_core]
    RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07
    RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206
    RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005
    RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028
    RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383
    R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40
    R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <IRQ>
    ? die_addr+0x3c/0xa0
    ? exc_general_protection+0x144/0x210
    ? asm_exc_general_protection+0x22/0x30
    ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]
    __napi_poll.constprop.0+0xa4/0x580
    net_rx_action+0x460/0xb80
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? __napi_poll.constprop.0+0x580/0x580
    ? tasklet_action_common.isra.0+0x2ef/0x760
    __do_softirq+0x26c/0x827
    irq_exit_rcu+0xc2/0x100
    common_interrupt+0x7f/0xa0
    </IRQ>
    <TASK>
    asm_common_interrupt+0x22/0x40
    RIP: 0010:__kmem_cache_alloc_node+0xb/0x330
    Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83
    RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246
    RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218
    RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0
    RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9
    R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0
    R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450
    ? cmd_exec+0x796/0x2200 [mlx5_core]
    kmalloc_trace+0x26/0xc0
    cmd_exec+0x796/0x2200 [mlx5_core]
    mlx5_cmd_do+0x22/0xc0 [mlx5_core]
    mlx5_cmd_exec+0x17/0x30 [mlx5_core]
    mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]
    ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]
    ? lockdep_set_lock_cmp_fn+0x190/0x190
    ? process_one_work+0x659/0x1220
    mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]
    process_one_work+0x730/0x1220
    ? lockdep_hardirqs_on_prepare+0x400/0x400
    ? max_active_store+0xf0/0xf0
    ? assign_work+0x168/0x240
    worker_thread+0x70f/0x12d0
    ? __kthread_parkme+0xd1/0x1d0
    ? process_one_work+0x1220/0x1220
    kthread+0x2d9/0x3b0
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x2d/0x70
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork_asm+0x11/0x20
    </TASK>
    Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_ib ib_uverbs ib_core zram zsmalloc mlx5_core fuse
    ---[ end trace 0000000000000000 ]---

Fixes: 3178308 ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
Signed-off-by: Rahul Rameshbabu <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
1054009064 pushed a commit to 1054009064/linux that referenced this pull request Nov 28, 2023
commit 7e3f3ba upstream.

Ensure the skb is available in metadata mapping to skbs before tracking the
metadata index for detecting undelivered CQEs. If the metadata index is put
in the tracking list before putting the skb in the map, the metadata index
might be used for detecting undelivered CQEs before the relevant skb is
available in the map, which can lead to a null-ptr-deref.

Log:
    general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
    CPU: 0 PID: 1243 Comm: kworker/0:2 Not tainted 6.6.0-rc4+ torvalds#108
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    Workqueue: events mlx5e_rx_dim_work [mlx5_core]
    RIP: 0010:mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    Code: 8c 24 38 cc ff ff 4c 8d 3c c1 4c 89 f9 48 c1 e9 03 42 80 3c 31 00 0f 85 97 0f 00 00 4d 8b 3f 49 8d 7f 28 48 89 f9 48 c1 e9 03 <42> 80 3c 31 00 0f 85 8b 0f 00 00 49 8b 47 28 48 85 c0 0f 84 05 07
    RSP: 0018:ffff8884d3c09c88 EFLAGS: 00010206
    RAX: 0000000000000069 RBX: ffff8881160349d8 RCX: 0000000000000005
    RDX: ffffed10218f48cf RSI: 0000000000000004 RDI: 0000000000000028
    RBP: ffff888122707700 R08: 0000000000000001 R09: ffffed109a781383
    R10: 0000000000000003 R11: 0000000000000003 R12: ffff88810c7a7a40
    R13: ffff888122707700 R14: dffffc0000000000 R15: 0000000000000000
    FS:  0000000000000000(0000) GS:ffff8884d3c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f4f878dd6e0 CR3: 000000014d108002 CR4: 0000000000370eb0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <IRQ>
    ? die_addr+0x3c/0xa0
    ? exc_general_protection+0x144/0x210
    ? asm_exc_general_protection+0x22/0x30
    ? mlx5e_ptp_napi_poll+0x9a4/0x2290 [mlx5_core]
    ? mlx5e_ptp_napi_poll+0x8f6/0x2290 [mlx5_core]
    __napi_poll.constprop.0+0xa4/0x580
    net_rx_action+0x460/0xb80
    ? _raw_spin_unlock_irqrestore+0x32/0x60
    ? __napi_poll.constprop.0+0x580/0x580
    ? tasklet_action_common.isra.0+0x2ef/0x760
    __do_softirq+0x26c/0x827
    irq_exit_rcu+0xc2/0x100
    common_interrupt+0x7f/0xa0
    </IRQ>
    <TASK>
    asm_common_interrupt+0x22/0x40
    RIP: 0010:__kmem_cache_alloc_node+0xb/0x330
    Code: 41 5d 41 5e 41 5f c3 8b 44 24 14 8b 4c 24 10 09 c8 eb d5 e8 b7 43 ca 01 0f 1f 80 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 <41> 56 41 89 d6 41 55 41 89 f5 41 54 49 89 fc 53 48 83 e4 f0 48 83
    RSP: 0018:ffff88812c4079c0 EFLAGS: 00000246
    RAX: 1ffffffff083c7fe RBX: ffff888100042dc0 RCX: 0000000000000218
    RDX: 00000000ffffffff RSI: 0000000000000dc0 RDI: ffff888100042dc0
    RBP: ffff88812c4079c8 R08: ffffffffa0289f96 R09: ffffed1025880ea9
    R10: ffff888138839f80 R11: 0000000000000002 R12: 0000000000000dc0
    R13: 0000000000000100 R14: 000000000000008c R15: ffff8881271fc450
    ? cmd_exec+0x796/0x2200 [mlx5_core]
    kmalloc_trace+0x26/0xc0
    cmd_exec+0x796/0x2200 [mlx5_core]
    mlx5_cmd_do+0x22/0xc0 [mlx5_core]
    mlx5_cmd_exec+0x17/0x30 [mlx5_core]
    mlx5_core_modify_cq_moderation+0x139/0x1b0 [mlx5_core]
    ? mlx5_add_cq_to_tasklet+0x280/0x280 [mlx5_core]
    ? lockdep_set_lock_cmp_fn+0x190/0x190
    ? process_one_work+0x659/0x1220
    mlx5e_rx_dim_work+0x9d/0x100 [mlx5_core]
    process_one_work+0x730/0x1220
    ? lockdep_hardirqs_on_prepare+0x400/0x400
    ? max_active_store+0xf0/0xf0
    ? assign_work+0x168/0x240
    worker_thread+0x70f/0x12d0
    ? __kthread_parkme+0xd1/0x1d0
    ? process_one_work+0x1220/0x1220
    kthread+0x2d9/0x3b0
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x2d/0x70
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork_asm+0x11/0x20
    </TASK>
    Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_ib ib_uverbs ib_core zram zsmalloc mlx5_core fuse
    ---[ end trace 0000000000000000 ]---

Fixes: 3178308 ("net/mlx5e: Make tx_port_ts logic resilient to out-of-order CQEs")
Signed-off-by: Rahul Rameshbabu <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Dec 25, 2023
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#107/p inline simple bpf_loop call FAIL
  torvalds#108/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#109/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#110/p bpf_loop_inline and a dead func FAIL
  torvalds#111/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#112/p inline bpf_loop call in a big program FAIL
  Summary: 505 PASSED, 266 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, just return -ENOTSUPP instead of -EINVAL for pseudo
calls in fixup_call_args().

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 505 PASSED, 272 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 4, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, just return -ENOTSUPP instead of -EINVAL for pseudo
calls in fixup_call_args().

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Additionally, as Eduard suggested, return -ENOTSUPP instead of -EINVAL
for the other three places where "non-JITed" is used in error messages
to keep consistent.

Signed-off-by: Tiezhu Yang <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 11, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, copy some check functions from the other places under
tools directory, and then handle this case in do_test_single().

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 12, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, copy some check functions from the other places under
tools directory, and then handle this case in do_test_single().

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 15, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, copy some check functions from the other places under
tools directory, and then handle this case in do_test_single().

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 16, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, copy some check functions from the other places under
tools directory, and then handle this case in do_test_single().

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 17, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, just handle this case in do_test_single().

After including bpf/libbpf_internal.h, there exist some build errors:

  error: attempt to use poisoned "u32"
  error: attempt to use poisoned "u64"

replace u32 and u64 with __u32 and __u64 to fix them.

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
Acked-by: Hou Tao <[email protected]>
logic10492 pushed a commit to logic10492/linux-amd-zen2 that referenced this pull request Jan 18, 2024
scx: Avoid possible deadlock with cpus_read_lock()
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 22, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled, just handle this case in do_test_single().

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
Acked-by: Hou Tao <[email protected]>
Acked-by: Song Liu <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Jan 23, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled.

Add an explicit flag F_NEEDS_JIT_ENABLED to those tests to mark that they
require JIT enabled in bpf_loop_inline.c, check the flag and jit_disabled
at the beginning of do_test_single() to handle this case.

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Suggested-by: Andrii Nakryiko <[email protected]>
Signed-off-by: Tiezhu Yang <[email protected]>
alobakin pushed a commit to alobakin/linux that referenced this pull request Jan 24, 2024
If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  torvalds#106/p inline simple bpf_loop call FAIL
  torvalds#107/p don't inline bpf_loop call, flags non-zero FAIL
  torvalds#108/p don't inline bpf_loop call, callback non-constant FAIL
  torvalds#109/p bpf_loop_inline and a dead func FAIL
  torvalds#110/p bpf_loop_inline stack locations for loop vars FAIL
  torvalds#111/p inline bpf_loop call in a big program FAIL
  Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs,
interpreter doesn't support them yet, thus these tests should be skipped
if jit is disabled.

Add an explicit flag F_NEEDS_JIT_ENABLED to those tests to mark that they
require JIT enabled in bpf_loop_inline.c, check the flag and jit_disabled
at the beginning of do_test_single() to handle this case.

With this patch:

  [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
  [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
  [root@linux bpf]# ./test_verifier | grep FAIL
  Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Suggested-by: Andrii Nakryiko <[email protected]>
Signed-off-by: Tiezhu Yang <[email protected]>
Signed-off-by: Andrii Nakryiko <[email protected]>
Link: https://lore.kernel.org/bpf/[email protected]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants