3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Aug 2015 01:38:41 +0000 (18:38 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 14 Aug 2015 01:38:41 +0000 (18:38 -0700)
added patches:
alsa-hda-fix-cs4210_spdif_automute.patch
ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch
md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch
ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch
sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch

queue-3.10/alsa-hda-fix-cs4210_spdif_automute.patch [new file with mode: 0644]
queue-3.10/ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch [new file with mode: 0644]
queue-3.10/md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch [new file with mode: 0644]
queue-3.10/ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch [new file with mode: 0644]

diff --git a/queue-3.10/alsa-hda-fix-cs4210_spdif_automute.patch b/queue-3.10/alsa-hda-fix-cs4210_spdif_automute.patch
new file mode 100644 (file)
index 0000000..4cf9bea
--- /dev/null
@@ -0,0 +1,35 @@
+From 44008f0896ae205b02b0882dbf807f0de149efc4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 25 Jul 2015 03:03:38 +0300
+Subject: ALSA: hda - fix cs4210_spdif_automute()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 44008f0896ae205b02b0882dbf807f0de149efc4 upstream.
+
+Smatch complains that we have nested checks for "spdif_present".  It
+turns out the current behavior isn't correct, we should remove the first
+check and keep the second.
+
+Fixes: 1077a024812d ('ALSA: hda - Use generic parser for Cirrus codec driver')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_cirrus.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_cirrus.c
++++ b/sound/pci/hda/patch_cirrus.c
+@@ -787,9 +787,7 @@ static void cs4210_spdif_automute(struct
+       spec->spdif_present = spdif_present;
+       /* SPDIF TX on/off */
+-      if (spdif_present)
+-              snd_hda_set_pin_ctl(codec, spdif_pin,
+-                                  spdif_present ? PIN_OUT : 0);
++      snd_hda_set_pin_ctl(codec, spdif_pin, spdif_present ? PIN_OUT : 0);
+       cs_automute(codec);
+ }
diff --git a/queue-3.10/ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch b/queue-3.10/ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch
new file mode 100644 (file)
index 0000000..5871c4a
--- /dev/null
@@ -0,0 +1,110 @@
+From de54b9ac253787c366bbfb28d901a31954eb3511 Mon Sep 17 00:00:00 2001
+From: Marcus Gelderie <redmnic@gmail.com>
+Date: Thu, 6 Aug 2015 15:46:10 -0700
+Subject: ipc: modify message queue accounting to not take kernel data structures into account
+
+From: Marcus Gelderie <redmnic@gmail.com>
+
+commit de54b9ac253787c366bbfb28d901a31954eb3511 upstream.
+
+A while back, the message queue implementation in the kernel was
+improved to use btrees to speed up retrieval of messages, in commit
+d6629859b36d ("ipc/mqueue: improve performance of send/recv").
+
+That patch introducing the improved kernel handling of message queues
+(using btrees) has, as a by-product, changed the meaning of the QSIZE
+field in the pseudo-file created for the queue.  Before, this field
+reflected the size of the user-data in the queue.  Since, it also takes
+kernel data structures into account.  For example, if 13 bytes of user
+data are in the queue, on my machine the file reports a size of 61
+bytes.
+
+There was some discussion on this topic before (for example
+https://lkml.org/lkml/2014/10/1/115).  Commenting on a th lkml, Michael
+Kerrisk gave the following background
+(https://lkml.org/lkml/2015/6/16/74):
+
+    The pseudofiles in the mqueue filesystem (usually mounted at
+    /dev/mqueue) expose fields with metadata describing a message
+    queue. One of these fields, QSIZE, as originally implemented,
+    showed the total number of bytes of user data in all messages in
+    the message queue, and this feature was documented from the
+    beginning in the mq_overview(7) page. In 3.5, some other (useful)
+    work happened to break the user-space API in a couple of places,
+    including the value exposed via QSIZE, which now includes a measure
+    of kernel overhead bytes for the queue, a figure that renders QSIZE
+    useless for its original purpose, since there's no way to deduce
+    the number of overhead bytes consumed by the implementation.
+    (The other user-space breakage was subsequently fixed.)
+
+This patch removes the accounting of kernel data structures in the
+queue.  Reporting the size of these data-structures in the QSIZE field
+was a breaking change (see Michael's comment above).  Without the QSIZE
+field reporting the total size of user-data in the queue, there is no
+way to deduce this number.
+
+It should be noted that the resource limit RLIMIT_MSGQUEUE is counted
+against the worst-case size of the queue (in both the old and the new
+implementation).  Therefore, the kernel overhead accounting in QSIZE is
+not necessary to help the user understand the limitations RLIMIT imposes
+on the processes.
+
+Signed-off-by: Marcus Gelderie <redmnic@gmail.com>
+Acked-by: Doug Ledford <dledford@redhat.com>
+Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
+Acked-by: Davidlohr Bueso <dbueso@suse.de>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: John Duffy <jb_duffy@btinternet.com>
+Cc: Arto Bendiken <arto@bendiken.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/mqueue.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -143,7 +143,6 @@ static int msg_insert(struct msg_msg *ms
+               if (!leaf)
+                       return -ENOMEM;
+               INIT_LIST_HEAD(&leaf->msg_list);
+-              info->qsize += sizeof(*leaf);
+       }
+       leaf->priority = msg->m_type;
+       rb_link_node(&leaf->rb_node, parent, p);
+@@ -188,7 +187,6 @@ try_again:
+                            "lazy leaf delete!\n");
+               rb_erase(&leaf->rb_node, &info->msg_tree);
+               if (info->node_cache) {
+-                      info->qsize -= sizeof(*leaf);
+                       kfree(leaf);
+               } else {
+                       info->node_cache = leaf;
+@@ -201,7 +199,6 @@ try_again:
+               if (list_empty(&leaf->msg_list)) {
+                       rb_erase(&leaf->rb_node, &info->msg_tree);
+                       if (info->node_cache) {
+-                              info->qsize -= sizeof(*leaf);
+                               kfree(leaf);
+                       } else {
+                               info->node_cache = leaf;
+@@ -1026,7 +1023,6 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqd
+               /* Save our speculative allocation into the cache */
+               INIT_LIST_HEAD(&new_leaf->msg_list);
+               info->node_cache = new_leaf;
+-              info->qsize += sizeof(*new_leaf);
+               new_leaf = NULL;
+       } else {
+               kfree(new_leaf);
+@@ -1133,7 +1129,6 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t,
+               /* Save our speculative allocation into the cache */
+               INIT_LIST_HEAD(&new_leaf->msg_list);
+               info->node_cache = new_leaf;
+-              info->qsize += sizeof(*new_leaf);
+       } else {
+               kfree(new_leaf);
+       }
diff --git a/queue-3.10/md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch b/queue-3.10/md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch
new file mode 100644 (file)
index 0000000..7ea7835
--- /dev/null
@@ -0,0 +1,76 @@
+From 423f04d63cf421ea436bcc5be02543d549ce4b28 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Mon, 27 Jul 2015 11:48:52 +1000
+Subject: md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
+
+From: NeilBrown <neilb@suse.com>
+
+commit 423f04d63cf421ea436bcc5be02543d549ce4b28 upstream.
+
+raid1_end_read_request() assumes that the In_sync bits are consistent
+with the ->degaded count.
+raid1_spare_active updates the In_sync bit before the ->degraded count
+and so exposes an inconsistency, as does error()
+So extend the spinlock in raid1_spare_active() and error() to hide those
+inconsistencies.
+
+This should probably be part of
+  Commit: 34cab6f42003 ("md/raid1: fix test for 'was read error from
+  last working device'.")
+as it addresses the same issue.  It fixes the same bug and should go
+to -stable for same reasons.
+
+Fixes: 76073054c95b ("md/raid1: clean up read_balance.")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/raid1.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1382,6 +1382,7 @@ static void error(struct mddev *mddev, s
+ {
+       char b[BDEVNAME_SIZE];
+       struct r1conf *conf = mddev->private;
++      unsigned long flags;
+       /*
+        * If it is not operational, then we have already marked it as dead
+@@ -1401,14 +1402,13 @@ static void error(struct mddev *mddev, s
+               return;
+       }
+       set_bit(Blocked, &rdev->flags);
++      spin_lock_irqsave(&conf->device_lock, flags);
+       if (test_and_clear_bit(In_sync, &rdev->flags)) {
+-              unsigned long flags;
+-              spin_lock_irqsave(&conf->device_lock, flags);
+               mddev->degraded++;
+               set_bit(Faulty, &rdev->flags);
+-              spin_unlock_irqrestore(&conf->device_lock, flags);
+       } else
+               set_bit(Faulty, &rdev->flags);
++      spin_unlock_irqrestore(&conf->device_lock, flags);
+       /*
+        * if recovery is running, make sure it aborts.
+        */
+@@ -1466,7 +1466,10 @@ static int raid1_spare_active(struct mdd
+        * Find all failed disks within the RAID1 configuration 
+        * and mark them readable.
+        * Called under mddev lock, so rcu protection not needed.
++       * device_lock used to avoid races with raid1_end_read_request
++       * which expects 'In_sync' flags and ->degraded to be consistent.
+        */
++      spin_lock_irqsave(&conf->device_lock, flags);
+       for (i = 0; i < conf->raid_disks; i++) {
+               struct md_rdev *rdev = conf->mirrors[i].rdev;
+               struct md_rdev *repl = conf->mirrors[conf->raid_disks + i].rdev;
+@@ -1496,7 +1499,6 @@ static int raid1_spare_active(struct mdd
+                       sysfs_notify_dirent_safe(rdev->sysfs_state);
+               }
+       }
+-      spin_lock_irqsave(&conf->device_lock, flags);
+       mddev->degraded -= count;
+       spin_unlock_irqrestore(&conf->device_lock, flags);
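Review bot: In raid1_spare_active() the `spin_lock_irqsave(&conf->device_lock, flags)` now precedes the whole `for` loop, so everything in the loop body, including the `sysfs_notify_dirent_safe(rdev->sysfs_state)` call visible as context, runs with interrupts disabled and must never sleep. Most of the loop body lies outside the hunk, so this should be confirmed against the full function in the 3.10 tree rather than assumed from upstream. The added comment could state the constraint, e.g. `* The loop runs under device_lock with IRQs off: nothing in it may sleep.` In error(), both branches now call `set_bit(Faulty, &rdev->flags)` under the lock, so the `else` could be dropped and the call made once after the `if`.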
diff --git a/queue-3.10/ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch b/queue-3.10/ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch
new file mode 100644 (file)
index 0000000..f4ba13c
--- /dev/null
@@ -0,0 +1,49 @@
+From 209f7512d007980fd111a74a064d70a3656079cf Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@huawei.com>
+Date: Thu, 6 Aug 2015 15:46:23 -0700
+Subject: ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
+
+From: Joseph Qi <joseph.qi@huawei.com>
+
+commit 209f7512d007980fd111a74a064d70a3656079cf upstream.
+
+The "BUG_ON(list_empty(&osb->blocked_lock_list))" in
+ocfs2_downconvert_thread_do_work can be triggered in the following case:
+
+ocfs2dc has firstly saved osb->blocked_lock_count to local varibale
+processed, and then processes the dentry lockres.  During the dentry
+put, it calls iput and then deletes rw, inode and open lockres from
+blocked list in ocfs2_mark_lockres_freeing.  And this causes the
+variable `processed' to not reflect the number of blocked lockres to be
+processed, which triggers the BUG.
+
+Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/dlmglue.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/ocfs2/dlmglue.c
++++ b/fs/ocfs2/dlmglue.c
+@@ -3971,9 +3971,13 @@ static void ocfs2_downconvert_thread_do_
+       osb->dc_work_sequence = osb->dc_wake_sequence;
+       processed = osb->blocked_lock_count;
+-      while (processed) {
+-              BUG_ON(list_empty(&osb->blocked_lock_list));
+-
++      /*
++       * blocked lock processing in this loop might call iput which can
++       * remove items off osb->blocked_lock_list. Downconvert up to
++       * 'processed' number of locks, but stop short if we had some
++       * removed in ocfs2_mark_lockres_freeing when downconverting.
++       */
++      while (processed && !list_empty(&osb->blocked_lock_list)) {
+               lockres = list_entry(osb->blocked_lock_list.next,
+                                    struct ocfs2_lock_res, l_blocked_list);
+               list_del_init(&lockres->l_blocked_list);
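Review bot: The new loop condition `!list_empty(&osb->blocked_lock_list)` is only reliable if it is evaluated while the lock guarding the blocked list is held, and the hunk shows neither the acquisition before the loop nor the re-acquisition at the end of the body. The commit text says entries are removed by ocfs2_mark_lockres_freeing during the dentry put, so a test made without that lock could still race with the `list_entry()`/`list_del_init()` that follow. The loop body continues outside the hunk, so this needs checking against the full function. Once confirmed, the added comment would be more useful with a line such as `* The list is re-checked under the list lock on every iteration.` Because the loop can now stop early without any trace, it is also worth confirming that the removal path keeps `osb->blocked_lock_count` in step, since `processed` is a snapshot of it.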
index 738daacdadebd65f0c8d5261d699f5d39743168d..d4d46f06e4693643ce7671eb858de5401774185a 100644 (file)
@@ -19,3 +19,8 @@ xen-gntdevt-fix-race-condition-in-gntdev_release.patch
 crypto-ixp4xx-remove-bogus-bug_on-on-scattered-dst-buffer.patch
 rbd-fix-copyup-completion-race.patch
 iscsi-target-fix-iscsit_start_kthreads-failure-oops.patch
+alsa-hda-fix-cs4210_spdif_automute.patch
+ipc-modify-message-queue-accounting-to-not-take-kernel-data-structures-into-account.patch
+ocfs2-fix-bug-in-ocfs2_downconvert_thread_do_work.patch
+md-raid1-extend-spinlock-to-protect-raid1_end_read_request-against-inconsistencies.patch
+sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch
diff --git a/queue-3.10/sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch b/queue-3.10/sg_start_req-make-sure-that-there-s-not-too-many-elements-in-iovec.patch
new file mode 100644 (file)
index 0000000..06d6cc4
--- /dev/null
@@ -0,0 +1,39 @@
+From 451a2886b6bf90e2fb378f7c46c655450fb96e81 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 21 Mar 2015 20:08:18 -0400
+Subject: sg_start_req(): make sure that there's not too many elements in iovec
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 451a2886b6bf90e2fb378f7c46c655450fb96e81 upstream.
+
+unfortunately, allowing an arbitrary 16bit value means a possibility of
+overflow in the calculation of total number of pages in bio_map_user_iov() -
+we rely on there being no more than PAGE_SIZE members of sum in the
+first loop there.  If that sum wraps around, we end up allocating
+too small array of pointers to pages and it's easy to overflow it in
+the second loop.
+
+X-Coverup: TINC (and there's no lumber cartel either)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
+ fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
+  that function.]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1694,6 +1694,9 @@ static int sg_start_req(Sg_request *srp,
+                       md->from_user = 0;
+       }
++      if (unlikely(iov_count > UIO_MAXIOV))
++              return -EINVAL;
++
+       if (iov_count) {
+               int len, size = sizeof(struct sg_iovec) * iov_count;
+               struct iovec *iov;
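Review bot: The added bound `if (unlikely(iov_count > UIO_MAXIOV)) return -EINVAL;` sits after the `md` setup shown as context above it, so the early return relies on the caller to release whatever sg_start_req() has already set up. That earlier part of the function is outside the hunk and should be checked for this 3.10 backport. The check also carries no comment, although its reason (per the commit text, the page-count sum in bio_map_user_iov() wrapping and undersizing the page-pointer array) lives in a different file. I would add `/* cap iov_count so the page total in bio_map_user_iov() cannot wrap */` directly above it. The cap also keeps the `int size = sizeof(struct sg_iovec) * iov_count` product on the following line well within range.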