commit 14a86b32c5f7ec8cef6c81d235da200468d340df Author: Greg Kroah-Hartman Date: Fri Jun 5 23:20:14 2015 -0700 Linux 3.10.80 commit f0d445db03594ec6658c5fee64099e181f5ce570 Author: Andrew Morton Date: Thu May 28 15:44:24 2015 -0700 fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings commit 2b1d3ae940acd11be44c6eced5873d47c2e00ffa upstream. load_elf_binary() returns `retval', not `error'. Fixes: a87938b2e246b81b4fb ("fs/binfmt_elf.c: fix bug in loading of PIE binaries") Reported-by: James Hogan Cc: Michael Davidson Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fe023f735b36f809b4d740e86f15658a2852fc09 Author: Sasha Levin Date: Wed Jan 28 15:30:43 2015 -0500 vfs: read file_handle only once in handle_to_path commit 161f873b89136eb1e69477c847d5a5033239d9ba upstream. We used to read file_handle twice. Once to get the amount of extra bytes, and once to fetch the entire structure. This may be problematic since we do size verifications only after the first read, so if the number of extra bytes changes in userspace between the first and second calls, we'll have an incoherent view of file_handle. Instead, read the constant size once, and copy that over to the final structure without having to re-read it again. Signed-off-by: Sasha Levin Cc: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 92c934b10ec3ed9db375161829d715892c9f4f99 Author: Rafael J. Wysocki Date: Thu May 7 21:19:39 2015 +0200 ACPI / init: Fix the ordering of acpi_reserve_resources() commit b9a5e5e18fbf223502c0b2264c15024e393da928 upstream. Since acpi_reserve_resources() is defined as a device_initcall(), there's no guarantee that it will be executed in the right order with respect to the rest of the ACPI initialization code. On some systems this leads to breakage if, for example, the address range that should be reserved for the ACPI fixed registers is given to the PCI host bridge instead if the race is won by the wrong code path. Fix this by turning acpi_reserve_resources() into a void function and calling it directly from within the ACPI initialization sequence. Reported-and-tested-by: George McCollister Link: http://marc.info/?t=143092384600002&r=1&w=2 Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 1b577b9f2aadfca6935ceb96867d3b2def39cc9c Author: Benjamin Tissoires Date: Thu Apr 23 09:08:43 2015 -0700 Input: elantech - fix semi-mt protocol for v3 HW commit 3c0213d17a09601e0c6c0ae0e27caf70d988290f upstream. When the v3 hardware sees more than one finger, it uses the semi-mt protocol to report the touches. However, it currently works when num_fingers is 0, 1 or 2, but when it is 3 and above, it sends only 1 finger as if num_fingers was 1. This confuses userspace which knows how to deal with extra fingers when all the slots are used, but not when some are missing. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=90101 Signed-off-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 35760dc525870d213ba2a77fb92e8652290b76df Author: Larry Finger Date: Fri Apr 24 11:03:37 2015 -0500 rtlwifi: rtl8192cu: Fix kernel deadlock commit 414b7e3b9ce8b0577f613e656fdbc36b34b444dd upstream. The USB mini-driver in rtlwifi, which is used by rtl8192cu, issues a call to usb_control_msg() with a timeout value of 0. In some instances where the interface is shutting down, this infinite wait results in a CPU deadlock. A one second timeout fixes this problem without affecting any normal operations. This bug is reported at https://bugzilla.novell.com/show_bug.cgi?id=927786. Reported-by: Bernhard Wiedemann Tested-by: Bernhard Wiedemann Signed-off-by: Larry Finger Cc: Bernhard Wiedemann Cc: Takashi Iwai Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 3763b3c77e2c77aa226fde2fac64bd85a2b85c80 Author: NeilBrown Date: Fri May 8 18:19:34 2015 +1000 md/raid5: don't record new size if resize_stripes fails. commit 6e9eac2dcee5e19f125967dd2be3e36558c42fff upstream. If any memory allocation in resize_stripes fails we will return -ENOMEM, but in some cases we update conf->pool_size anyway. This means that if we try again, the allocations will be assumed to be larger than they are, and badness results. So only update pool_size if there is no error. This bug was introduced in 2.6.17 and the patch is suitable for -stable. Fixes: ad01c9e3752f ("[PATCH] md: Allow stripes to be expanded in preparation for expanding an array") Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit c709ca10c52b9bf7f0e4cb2e0d689f37eee991d0 Author: Scott Mayhew Date: Tue Apr 28 16:29:53 2015 -0400 svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures commit 9507271d960a1911a51683888837d75c171cd91f upstream. In an environment where the KDC is running Active Directory, the exported composite name field returned in the context could be large enough to span a page boundary. Attaching a scratch buffer to the decoding xdr_stream helps deal with those cases. The case where we saw this was actually due to behavior that's been fixed in newer gss-proxy versions, but we're fixing it here too. Signed-off-by: Scott Mayhew Reviewed-by: Simo Sorce Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 68507f74d96c86b778deb3b11c0f924e85b6b986 Author: Russell King Date: Fri May 15 11:02:23 2015 +0100 ARM: fix missing syscall trace exit commit 1b97937246d8b97c0760d16d8992c7937bdf5e6a upstream. Josh Stone reports: I've discovered a case where both arm and arm64 will miss a ptrace syscall-exit that they should report. If the syscall is entered without TIF_SYSCALL_TRACE set, then it goes on the fast path. It's then possible to have TIF_SYSCALL_TRACE added in the middle of the syscall, but ret_fast_syscall doesn't check this flag again. Fix this by always checking for a syscall trace in the fast exit path. Reported-by: Josh Stone Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit f8db4e64c79540e36a2b7cd728a3988ac568f0a5 Author: Philippe Reynes Date: Wed May 13 00:18:26 2015 +0200 ARM: dts: imx27: only map 4 Kbyte for fec registers commit a29ef819f3f34f89a1b9b6a939b4c1cdfe1e85ce upstream. According to the imx27 documentation, fec has a 4 Kbyte memory space map. Moreover, the actual 16 Kbyte mapping overlaps the SCC (Security Controller) memory register space. So, we reduce the memory register space to 4 Kbyte. Signed-off-by: Philippe Reynes Acked-by: Uwe Kleine-König Fixes: 9f0749e3eb88 ("ARM i.MX27: Add devicetree support") Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 61536d737f9353582619c60b658cf4db2059eeba Author: Harald Freudenberger Date: Thu May 21 10:01:11 2015 +0200 crypto: s390/ghash - Fix incorrect ghash icv buffer handling. commit a1cae34e23b1293eccbcc8ee9b39298039c3952a upstream. Multitheaded tests showed that the icv buffer in the current ghash implementation is not handled correctly. A move of this working ghash buffer value to the descriptor context fixed this. Code is tested and verified with an multithreaded application via af_alg interface. Signed-off-by: Harald Freudenberger Signed-off-by: Gerald Schaefer Reported-by: Herbert Xu Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit da9c40427d0b9f7385911cd2614e836fc309db5b Author: Scott Branden Date: Mon Mar 16 10:59:52 2015 -0700 rt2x00: add new rt2800usb device DWA 130 commit ea345c145ff23197eab34d0c4d0c8a93d7bea8c6 upstream. Add the USB Id to link the D-Link DWA 130 USB Wifi adapter to the rt2830 driver. Signed-off-by: Scott Branden Signed-off-by: Pieter Truter Signed-off-by: Kalle Valo Cc: Larry Finger Signed-off-by: Greg Kroah-Hartman commit e8d1999916842abf8540735ace775f733cfaa828 Author: Gabriele Mazzotta Date: Sat Apr 25 19:52:37 2015 +0200 libata: Ignore spurious PHY event on LPM policy change commit 09c5b4803a80a5451d950d6a539d2eb311dc0fb1 upstream. When the LPM policy is set to ATA_LPM_MAX_POWER, the device might generate a spurious PHY event that cuases errors on the link. Ignore this event if it occured within 10s after the policy change. The timeout was chosen observing that on a Dell XPS13 9333 these spurious events can occur up to roughly 6s after the policy change. Link: http://lkml.kernel.org/g/3352987.ugV1Ipy7Z5@xps13 Signed-off-by: Gabriele Mazzotta Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 8d850bbf3e11742927aa500a2dcd121999708246 Author: Gabriele Mazzotta Date: Sat Apr 25 19:52:36 2015 +0200 libata: Add helper to determine when PHY events should be ignored commit 8393b811f38acdf7fd8da2028708edad3e68ce1f upstream. This is a preparation commit that will allow to add other criteria according to which PHY events should be dropped. Signed-off-by: Gabriele Mazzotta Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 566831a12ef80b9622bf8263299d859bdd35128c Author: Eryu Guan Date: Thu May 14 19:00:45 2015 -0400 ext4: check for zero length extent explicitly commit 2f974865ffdfe7b9f46a9940836c8b167342563d upstream. The following commit introduced a bug when checking for zero length extent 5946d08 ext4: check for overlapping extents in ext4_valid_extent_entries() Zero length extent could pass the check if lblock is zero. Adding the explicit check for zero length back. Signed-off-by: Eryu Guan Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 4379534c0d1131fabc7b4482943774a58233335a Author: Dmitry Monakhov Date: Wed Aug 28 14:30:47 2013 -0400 ext4: convert write_begin methods to stable_page_writes semantics commit 7afe5aa59ed3da7b6161617e7f157c7c680dc41e upstream. Use wait_for_stable_page() instead of wait_on_page_writeback() Signed-off-by: Dmitry Monakhov Signed-off-by: "Theodore Ts'o" Reviewed-by: Jan Kara Cc: Alex Shi Signed-off-by: Greg Kroah-Hartman commit a72719d75d8e30203d8624465215072b74be30e7 Author: Ludovic Desroches Date: Wed May 6 15:16:46 2015 +0200 mmc: atmel-mci: fix bad variable type for clkdiv commit 60c8f783a18feb95ad967c87e9660caf09fb4700 upstream. clkdiv is declared as an u32 but it can be set to a negative value causing a huge divisor value. Change its type to int to avoid this case. Signed-off-by: Ludovic Desroches Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit c8f30d37ddc0800e6fcbda887c739f08654bef13 Author: Anton Blanchard Date: Thu May 14 14:45:40 2015 +1000 powerpc: Align TOC to 256 bytes commit 5e95235ccd5442d4a4fe11ec4eb99ba1b7959368 upstream. Recent toolchains force the TOC to be 256 byte aligned. We need to enforce this alignment in our linker script, otherwise pointers to our TOC variables (__toc_start, __prom_init_toc_start) could be incorrect. If they are bad, we die a few hundred instructions into boot. Signed-off-by: Anton Blanchard Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit e83c5792a723d6e7f5eed1fb74e76038d9932705 Author: Krzysztof Opasiak Date: Fri Mar 20 15:48:56 2015 +0100 usb: gadget: configfs: Fix interfaces array NULL-termination commit 903124fe1aa284f61745a9dd4fbfa0184e569fff upstream. memset() to 0 interfaces array before reusing usb_configuration structure. This commit fix bug: ln -s functions/acm.1 configs/c.1 ln -s functions/acm.2 configs/c.1 ln -s functions/acm.3 configs/c.1 echo "UDC name" > UDC echo "" > UDC rm configs/c.1/acm.* rmdir functions/* mkdir functions/ecm.usb0 ln -s functions/ecm.usb0 configs/c.1 echo "UDC name" > UDC [ 82.220969] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 82.229009] pgd = c0004000 [ 82.231698] [00000000] *pgd=00000000 [ 82.235260] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [ 82.240638] Modules linked in: [ 82.243681] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0-rc2 #39 [ 82.249926] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) [ 82.256003] task: c07cd2f0 ti: c07c8000 task.ti: c07c8000 [ 82.261393] PC is at composite_setup+0xe3c/0x1674 [ 82.266073] LR is at composite_setup+0xf20/0x1674 [ 82.270760] pc : [] lr : [] psr: 600001d3 [ 82.270760] sp : c07c9df0 ip : c0806448 fp : ed8c9c9c [ 82.282216] r10: 00000001 r9 : 00000000 r8 : edaae918 [ 82.287425] r7 : ed551cc0 r6 : 00007fff r5 : 00000000 r4 : ed799634 [ 82.293934] r3 : 00000003 r2 : 00010002 r1 : edaae918 r0 : 0000002e [ 82.300446] Flags: nZCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment kernel [ 82.307910] Control: 10c5387d Table: 6bc1804a DAC: 00000015 [ 82.313638] Process swapper/0 (pid: 0, stack limit = 0xc07c8210) [ 82.319627] Stack: (0xc07c9df0 to 0xc07ca000) [ 82.323969] 9de0: 00000000 c06e65f4 00000000 c07c9f68 [ 82.332130] 9e00: 00000067 c07c59ac 000003f7 edaae918 ed8c9c98 ed799690 eca2f140 200001d3 [ 82.340289] 9e20: ee79a2d8 c07c9e88 c07c5304 ffff55db 00010002 edaae810 edaae860 eda96d50 [ 82.348448] 9e40: 00000009 ee264510 00000007 c07ca444 edaae860 c0340890 c0827a40 ffff55e0 [ 82.356607] 9e60: c0827a40 eda96e40 ee264510 edaae810 00000000 edaae860 00000007 c07ca444 [ 82.364766] 9e80: edaae860 c0354170 c03407dc c033db4c edaae810 00000000 00000000 00000010 [ 82.372925] 9ea0: 00000032 c0341670 00000000 00000000 00000001 eda96e00 00000000 00000000 [ 82.381084] 9ec0: 00000000 00000032 c0803a23 ee1aa840 00000001 c005d54c 249e2450 00000000 [ 82.389244] 9ee0: 200001d3 ee1aa840 ee1aa8a0 ed84f4c0 00000000 c07c9f68 00000067 c07c59ac [ 82.397403] 9f00: 00000000 c005d688 ee1aa840 ee1aa8a0 c07db4b4 c006009c 00000032 00000000 [ 82.405562] 9f20: 00000001 c005ce20 c07c59ac c005cf34 f002000c c07ca780 c07c9f68 00000057 [ 82.413722] 9f40: f0020000 413fc090 00000001 c00086b4 c000f804 60000053 ffffffff c07c9f9c [ 82.421880] 9f60: c0803a20 c0011fc0 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c [ 82.430040] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0 [ 82.438199] 9fa0: c000f800 c000f804 60000053 ffffffff 00000000 c0050e70 c0803bc0 c0783bd8 [ 82.446358] 9fc0: ffffffff ffffffff c0783664 00000000 00000000 c07b13e8 00000000 c0803e54 [ 82.454517] 9fe0: c07ca480 c07b13e4 c07ce40c 4000406a 00000000 40008074 00000000 00000000 [ 82.462689] [] (composite_setup) from [] (s3c_hsotg_complete_setup+0xb4/0x418) [ 82.471626] [] (s3c_hsotg_complete_setup) from [] (usb_gadget_giveback_request+0xc/0x10) [ 82.481429] [] (usb_gadget_giveback_request) from [] (s3c_hsotg_complete_request+0xcc/0x12c) [ 82.491583] [] (s3c_hsotg_complete_request) from [] (s3c_hsotg_irq+0x4fc/0x558) [ 82.500614] [] (s3c_hsotg_irq) from [] (handle_irq_event_percpu+0x50/0x150) [ 82.509291] [] (handle_irq_event_percpu) from [] (handle_irq_event+0x3c/0x5c) [ 82.518145] [] (handle_irq_event) from [] (handle_fasteoi_irq+0xd4/0x18c) [ 82.526650] [] (handle_fasteoi_irq) from [] (generic_handle_irq+0x20/0x30) [ 82.535242] [] (generic_handle_irq) from [] (__handle_domain_irq+0x6c/0xdc) [ 82.543923] [] (__handle_domain_irq) from [] (gic_handle_irq+0x2c/0x6c) [ 82.552256] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x74) [ 82.559716] Exception stack(0xc07c9f68 to 0xc07c9fb0) [ 82.564753] 9f60: 00000000 00000000 c07c9fb8 c001bee0 c07ca4f0 c057004c [ 82.572913] 9f80: c07ca4fc c0803a20 c0803a20 413fc090 00000001 00000000 01000000 c07c9fb0 [ 82.581069] 9fa0: c000f800 c000f804 60000053 ffffffff [ 82.586113] [] (__irq_svc) from [] (arch_cpu_idle+0x30/0x3c) [ 82.593491] [] (arch_cpu_idle) from [] (cpu_startup_entry+0x128/0x1a4) [ 82.601740] [] (cpu_startup_entry) from [] (start_kernel+0x350/0x3bc) [ 82.609890] Code: 0a000002 e3530005 05975010 15975008 (e5953000) [ 82.615965] ---[ end trace f57d5f599a5f1bfa ]--- Most of kernel code assume that interface array in struct usb_configuration is NULL terminated. When gadget is composed with configfs configuration structure may be reused for different functions set. This bug happens because purge_configs_funcs() sets only next_interface_id to 0. Interface array still contains pointers to already freed interfaces. If in second try we add less interfaces than earlier we may access unallocated memory when trying to get interface descriptors. Signed-off-by: Krzysztof Opasiak Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 7f7c38c09df662ef1f6ea92678da8b5aa5522385 Author: Hans de Goede Date: Thu Apr 30 11:09:44 2015 +0200 usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices commit 172115090f5e739660b97694618a2ba86457063a upstream. Without this flag some versions of these enclosures do not work. Reported-and-tested-by: Christian Schaller Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit 59846d318724b7f6277c5a3ed94d3eb702700609 Author: Mark Edwards Date: Tue Apr 14 08:52:34 2015 -0400 USB: cp210x: add ID for KCF Technologies PRN device commit c735ed74d83f8ecb45c4c4c95a16853c9c3c8157 upstream. Added the USB serial console device ID for KCF Technologies PRN device which has a USB port for its serial console. Signed-off-by: Mark Edwards Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e83388d8092a324cc954fe0e3749452f441054eb Author: Jason A. Donenfeld Date: Wed Apr 22 14:35:08 2015 +0200 USB: pl2303: Remove support for Samsung I330 commit 48ef23a4f686b1e4519d4193c20d26834ff810ff upstream. This phone is already supported by the visor driver. Signed-off-by: Jason A. Donenfeld Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit d7493ce59186d9557324e4c9cc099051330a97bb Author: Jason A. Donenfeld Date: Wed Apr 22 14:35:09 2015 +0200 USB: visor: Match I330 phone more precisely commit 82ee3aeb9295c5fc37fd2ddf20f13ac2b40ec97d upstream. Samsung has just released a portable USB3 SSD, coming in a very small and nice form factor. It's USB ID is 04e8:8001, which unfortunately is already used by the Palm Visor driver for the Samsung I330 phone cradle. Having pl2303 or visor pick up this device ID results in conflicts with the usb-storage driver, which handles the newly released portable USB3 SSD. To work around this conflict, I've dug up a mailing list post [1] from a long time ago, in which a user posts the full USB descriptor information. The most specific value in this appears to be the interface class, which has value 255 (0xff). Since usb-storage requires an interface class of 0x8, I believe it's correct to disambiguate the two devices by matching on 0xff inside visor. [1] http://permalink.gmane.org/gmane.linux.usb.user/4264 Signed-off-by: Jason A. Donenfeld Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4c1c7ca54a9dbf06f273a49f130e14e09e563beb Author: Joe Lawrence Date: Thu Apr 30 17:16:04 2015 +0300 xhci: gracefully handle xhci_irq dead device commit 948fa13504f80b9765d2b753691ab94c83a10341 upstream. If the xHCI host controller has died (ie, device removed) or suffered other serious fatal error (STS_FATAL), then xhci_irq should handle this condition with IRQ_HANDLED instead of -ESHUTDOWN. Signed-off-by: Joe Lawrence Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 6d03a08b1ac8fbb4fbd53fb8d50414635ee020e7 Author: Mathias Nyman Date: Thu Apr 30 17:16:03 2015 +0300 xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 commit 18cc2f4cbbaf825a4fedcf2d60fd388d291e0a38 upstream. Our event ring consists of only one segment, and we risk filling the event ring in case we get isoc transfers with short intervals such as webcams that fill a TD every microframe (125us) With 64 TRB segment size one usb camera could fill the event ring in 8ms. A setup with several cameras and other devices can fill up the event ring as it is shared between all devices. This has occurred when uvcvideo queues 5 * 32TD URBs which then get cancelled when the video mode changes. The cancelled URBs are returned in the xhci interrupt context and blocks the interrupt handler from handling the new events. A full event ring will block xhci from scheduling traffic and affect all devices conneted to the xhci, will see errors such as Missed Service Intervals for isoc devices, and and Split transaction errors for LS/FS interrupt devices. Increasing the TRB_PER_SEGMENT will also increase the default endpoint ring size, which is welcome as for most isoc transfer we had to dynamically expand the endpoint ring anyway to be able to queue the 5 * 32TDs uvcvideo queues. The default size used to be 64 TRBs per segment Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 8297f04683fa3a5f5b10ae0d948147d8715318b5 Author: Mathias Nyman Date: Thu Apr 30 17:16:02 2015 +0300 xhci: fix isoc endpoint dequeue from advancing too far on transaction error commit d104d0152a97fade389f47635b73a9ccc7295d0b upstream. Isoc TDs usually consist of one TRB, sometimes two. When all goes well we receive only one success event for a TD, and move the dequeue pointer to the next TD. This fails if the TD consists of two TRBs and we get a transfer error on the first TRB, we will then see two events for that TD. Fix this by making sure the event we get is for the last TRB in that TD before moving the dequeue pointer to the next TD. This will resolve some of the uvc and dvb issues with the "ERROR Transfer event TRB DMA ptr not part of current TD" error message Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 72ca05549570dad27d096350569cf2d05c2da4b8 Author: Andy Grover Date: Fri May 22 14:07:44 2015 -0700 target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST commit 5a7125c64def3b21f8147eca8b54949a60963942 upstream. See https://bugzilla.redhat.com/show_bug.cgi?id=1025672 We need to put() the reference to the scsi host that we got in pscsi_configure_device(). In VIRTUAL_HOST mode it is associated with the dev_virt, not the hba_virt. Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 202847125c76ac628d0d2fa758e96c9d70bb7454 Author: Zidan Wang Date: Tue May 12 14:58:50 2015 +0800 ASoC: wm8994: correct BCLK DIV 348 to 384 commit 17fc2e0a3db11889e942c5ab15a1fcb876638f25 upstream. According to the RM of wm8958, BCLK DIV 348 doesn't exist, correct it to 384. Signed-off-by: Zidan Wang Acked-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 83d438f13b0e415bf17098efe2884dfdea3293aa Author: Zidan Wang Date: Tue May 12 14:58:36 2015 +0800 ASoC: wm8960: fix "RINPUT3" audio route error commit 85e36a1f4a735d991ba5106781ea48e89a0b8901 upstream. It should be "RINPUT3" instead of "LINPUT3" route to "Right Input Mixer". Signed-off-by: Zidan Wang Acked-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 048a067a58e274b64a443365996009e60345a8f2 Author: Axel Lin Date: Mon Apr 27 14:51:35 2015 +0800 ASoC: mc13783: Fix wrong mask value used in mc13xxx_reg_rmw() calls commit 545774bd6e1427d98dde77244329d2311c5eca6f upstream. mc13xxx_reg_rmw() won't change any bit if passing 0 to the mask field. Pass AUDIO_SSI_SEL instead of 0 for the mask field to set AUDIO_SSI_SEL bit. Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 28bb832e33218f925421dbeae4076ae08579ff59 Author: Takashi Iwai Date: Fri May 1 09:20:34 2015 +0200 ALSA: hda - Add headphone quirk for Lifebook E752 commit 88776f366ede7d9cdce60bd2c9753dd6d6fa8b77 upstream. Fujitsu Lifebook E752 laptop needs a similar quirk done for Lifebook T731. Otherwise the headphone is always muted. Reported-and-tested-by: Christian Weber Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit aa7d4eb3a333d1f679ddaf31f30af43d9210d910 Author: David Henningsson Date: Wed May 13 13:28:54 2015 +0200 ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724 commit 6ffc0898b29a2811a6c0569c5dd9b581980110df upstream. This patch adds support for Conexant HD Audio codecs CX20721, CX20722, CX20723 and CX20724. BugLink: https://bugs.launchpad.net/bugs/1454656 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit bf6aa269ed400ba7f159341a926e77b7464f1b64 Author: Al Viro Date: Thu May 28 23:09:19 2015 -0400 d_walk() might skip too much commit 2159184ea01e4ae7d15f2017e296d4bc82d5aeb0 upstream. when we find that a child has died while we'd been trying to ascend, we should go into the first live sibling itself, rather than its sibling. Off-by-one in question had been introduced in "deal with deadlock in d_walk()" and the fix needs to be backported to all branches this one has been backported to. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 73f668104f25d364f758e8c6738c2a1826d2f0fc Author: Jan Kara Date: Tue Jun 2 17:10:28 2015 +0200 lib: Fix strnlen_user() to not touch memory after specified maximum commit f18c34e483ff6b1d9866472221e4015b3a4698e4 upstream. If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e9aba80e289b3491597422f1bf843be5e8099a2d Author: Chris Lesiak Date: Tue May 26 15:40:44 2015 -0500 hwmon: (ntc_thermistor) Ensure iio channel is of type IIO_VOLTAGE commit adba657533bdd255f7b78bc8a324091f46b294cd upstream. When configured via device tree, the associated iio device needs to be measuring voltage for the conversion to resistance to be correct. Return -EINVAL if that is not the case. Signed-off-by: Chris Lesiak Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit d2e3dbf9c3449c208b962dff4d68bab013a16b61 Author: Ilya Dryomov Date: Mon May 11 17:53:10 2015 +0300 libceph: request a new osdmap if lingering request maps to no osd commit b0494532214bdfbf241e94fabab5dd46f7b82631 upstream. This commit does two things. First, if there are any homeless lingering requests, we now request a new osdmap even if the osdmap that is being processed brought no changes, i.e. if a given lingering request turned homeless in one of the previous epochs and remained homeless in the current epoch. Not doing so leaves us with a stale osdmap and as a result we may miss our window for reestablishing the watch and lose notifies. MON=1 OSD=1: # cat linger-needmap.sh #!/bin/bash rbd create --size 1 test DEV=$(rbd map test) ceph osd out 0 rbd map dne/dne # obtain a new osdmap as a side effect (!) sleep 1 ceph osd in 0 rbd resize --size 2 test # rbd info test | grep size -> 2M # blockdev --getsize $DEV -> 1M N.B.: Not obtaining a new osdmap in between "osd out" and "osd in" above is enough to make it miss that resize notify, but that is a bug^Wlimitation of ceph watch/notify v1. Second, homeless lingering requests are now kicked just like those lingering requests whose mapping has changed. This is mainly to recognize that a homeless lingering request makes no sense and to preserve the invariant that a registered lingering request is not sitting on any of r_req_lru_item lists. This spares us a WARN_ON, which commit ba9d114ec557 ("libceph: clear r_req_lru_item in __unregister_linger_request()") tried to fix the _wrong_ way. Signed-off-by: Ilya Dryomov Reviewed-by: Sage Weil Signed-off-by: Greg Kroah-Hartman commit 15a6585a7cacf301508ee52d5517e0ce4059f6cd Author: Rusty Russell Date: Wed May 27 10:59:26 2015 +0930 lguest: fix out-by-one error in address checking. commit 83a35114d0e4583e6b0ca39502e68b6a92e2910c upstream. This bug has been there since day 1; addresses in the top guest physical page weren't considered valid. You could map that page (the check in check_gpte() is correct), but if a guest tried to put a pagetable there we'd check that address manually when walking it, and kill the guest. Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f00429f1fb50d113494c8a02cf7bfdb121f0d105 Author: Sasha Levin Date: Thu May 28 15:44:29 2015 -0700 fs, omfs: add NULL terminator in the end up the token list commit dcbff39da3d815f08750552fdd04f96b51751129 upstream. match_token() expects a NULL terminator at the end of the token list so that it would know where to stop. Not having one causes it to overrun to invalid memory. In practice, passing a mount option that omfs didn't recognize would sometimes panic the system. Signed-off-by: Sasha Levin Signed-off-by: Bob Copeland Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0b93bc9d1b0ca52d58a2015809b69ad188d0866c Author: Paolo Bonzini Date: Thu Apr 2 11:04:05 2015 +0200 KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages commit 898761158be7682082955e3efa4ad24725305fc7 upstream. smep_andnot_wp is initialized in kvm_init_shadow_mmu and shadow pages should not be reused for different values of it. Thus, it has to be added to the mask in kvm_mmu_pte_write. Reviewed-by: Xiao Guangrong Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 521c4dd4415ca24519468add60f6586fde913470 Author: Junling Zheng Date: Mon Jun 1 09:28:00 2015 +0000 net: socket: Fix the wrong returns for recvmsg and sendmsg Based on 08adb7dabd4874cc5666b4490653b26534702ce0 upstream. We found that after v3.10.73, recvmsg might return -EFAULT while -EINVAL was expected. We tested it through the recvmsg01 testcase come from LTP testsuit. It set msg->msg_namelen to -1 and the recvmsg syscall returned errno 14, which is unexpected (errno 22 is expected): recvmsg01 4 TFAIL : invalid socket length ; returned -1 (expected -1), errno 14 (expected 22) Linux mainline has no this bug for commit 08adb7dab fixes it accidentally. However, it is too large and complex to be backported to LTS 3.10. Commit 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour) made get_compat_msghdr() return error if msg_sys->msg_namelen was negative, which changed the behaviors of recvmsg and sendmsg syscall in a lib32 system: Before commit 281c9c36, get_compat_msghdr() wouldn't fail and it would return -EINVAL in move_addr_to_user() or somewhere if msg_sys->msg_namelen was invalid and then syscall returned -EINVAL, which is correct. And now, when msg_sys->msg_namelen is negative, get_compat_msghdr() will fail and wants to return -EINVAL, however, the outer syscall will return -EFAULT directly, which is unexpected. This patch gets the return value of get_compat_msghdr() as well as copy_msghdr_from_user(), then returns this expected value if get_compat_msghdr() fails. Fixes: 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour) Signed-off-by: Junling Zheng Signed-off-by: Hanbing Xu Cc: Li Zefan Cc: Al Viro Cc: David Miller Signed-off-by: Greg Kroah-Hartman commit c7c867483e2037842f0fa60664d758d9c23a8180 Author: Kirill A. Shutemov Date: Mon Oct 20 12:23:12 2014 +0300 kernel: use the gnu89 standard explicitly commit 51b97e354ba9fce1890cf38ecc754aa49677fc89 upstream. Sasha Levin reports: "gcc5 changes the default standard to c11, which makes kernel build unhappy Explicitly define the kernel standard to be gnu89 which should keep everything working exactly like it was before gcc5" There are multiple small issues with the new default, but the biggest issue seems to be that the old - and very useful - GNU extension to allow a cast in front of an initializer has gone away. Patch updated by Kirill: "I'm pretty sure all gcc versions you can build kernel with supports -std=gnu89. cc-option is redunrant. We also need to adjust HOSTCFLAGS otherwise allmodconfig fails for me" Note by Andrew Pinski: "Yes it was reported and both problems relating to this extension has been added to gnu99 and gnu11. Though there are other issues with the kernel dealing with extern inline have different semantics between gnu89 and gnu99/11" End result: we may be able to move up to a newer stdc model eventually, but right now the newer models have some annoying deficiencies, so the traditional "gnu89" model ends up being the preferred one. Signed-off-by: Sasha Levin Singed-off-by: Kirill A. Shutemov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3b3f7517262ba59188cfbd23d0d0c20eea2c8c84 Author: Behan Webster Date: Wed Oct 29 15:42:21 2014 -0700 staging, rtl8192e, LLVMLinux: Remove unused inline prototype commit 62ec95f86d2850b7ce6d73fb236a6fcf48411aea upstream. rtllib_probe_req is defined as "static inline" in rtllib_softmac.c however it is declared differently as "extern inline" in rtllib_softmac.h. Since it isn't used outside of the scope of rtllib_softmac, it makes sense to remove the incorrect declaration. Signed-off-by: Behan Webster Suggested-by: Arnd Bergmann Cc: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 5a22665df4777a97757bbf3e4a707173660c9867 Author: Arnd Bergmann Date: Thu Jun 5 22:48:15 2014 +0200 staging: rtl8712, rtl8712: avoid lots of build warnings commit 0c9f3a65c5eb7fe1fc611a22eb8a8b71ea865998 upstream. The rtl8712 driver has an 'extern inline' function that contains an 'if', which causes lots of warnings with CONFIG_PROFILE_ALL_BRANCHES overriding the definition of 'if': drivers/staging/rtl8712/ieee80211.h:759:229: warning: '______f' is static but declared in inline function 'ieee80211_get_hdrlen' which is not static [enabled by default] This changes the driver to use 'static inline' instead, which happens to be the correct annotation anyway. Signed-off-by: Arnd Bergmann Cc: Larry Finger Cc: Florian Schilhabel Signed-off-by: Greg Kroah-Hartman commit 51ec10a70d9884cb31583a11c792d844434e39ca Author: Behan Webster Date: Wed Oct 29 15:42:20 2014 -0700 staging, rtl8192e, LLVMLinux: Change extern inline to static inline commit 6d91857d4826b382b3fd4fad95f52713be646f96 upstream. With compilers which follow the C99 standard (like modern versions of gcc and clang), "extern inline" does the opposite thing from older versions of gcc (emits code for an externally linkable version of the inline function). "static inline" does the intended behavior in all cases instead. Signed-off-by: Behan Webster Suggested-by: Arnd Bergmann Cc: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 00ac0c1f0216d9ba96f06b7417cb8301ce0cfdbf Author: Jan-Simon Möller Date: Mon May 6 14:52:08 2013 +0200 drm/i915: Fix declaration of intel_gmbus_{is_forced_bit/is_port_falid} commit 8f375e10ee47b9d7b9b3aefcf67854c6e92708be upstream. Description: intel_gmbus_is_forced_bit is no extern as its body is right below. Likewise for intel_gmbus_is_port_valid. This fixes a compilation issue with clang. An initial version of this patch was developed by PaX Team . This is respin of this patch. 20130509: v2: (re-)add inline upon request. Signed-off-by: Jan-Simon Möller CC: pageexec@freemail.hu CC: daniel.vetter@ffwll.ch CC: airlied@linux.ie CC: intel-gfx@lists.freedesktop.org CC: dri-devel@lists.freedesktop.org CC: linux-kernel@vger.kernel.org [danvet: Bikeshed commit message.] Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 3631a05f1068ef755cafaf3b2c4db3fdebb0341d Author: Greg Kroah-Hartman Date: Sat May 23 13:26:23 2015 -0700 staging: wlags49_h2: fix extern inline functions Patch not upstream as this driver is deleted there. Fix up some "extern inline" functions as they break the build when using a "modern" complier (i.e. gcc5). Signed-off-by: Greg Kroah-Hartman