--- /dev/null
+From d1d0b6b668818571122d30d68a0b3f768bd83a52 Mon Sep 17 00:00:00 2001
+From: Christian Vogel <vogelchr@vogel.cx>
+Date: Sat, 25 Oct 2014 13:40:41 +0200
+Subject: ALSA: bebob: Uninitialized id returned by saffirepro_both_clk_src_get
+
+From: Christian Vogel <vogelchr@vogel.cx>
+
+commit d1d0b6b668818571122d30d68a0b3f768bd83a52 upstream.
+
+snd_bebob_stream_check_internal_clock() may get an id from
+saffirepro_both_clk_src_get (via clk_src->get()) that was uninitialized.
+
+a) make logic in saffirepro_both_clk_src_get explicit
+b) test if id used in snd_bebob_stream_check_internal_clock matches array size
+
+[fixed missing signed prefix to *_maps[] by tiwai]
+
+Signed-off-by: Christian Vogel <vogelchr@vogel.cx>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/bebob/bebob_focusrite.c | 62 +++++++++++++++++++++++++--------
+ sound/firewire/bebob/bebob_stream.c | 18 +++++++--
+ 2 files changed, 63 insertions(+), 17 deletions(-)
+
+--- a/sound/firewire/bebob/bebob_focusrite.c
++++ b/sound/firewire/bebob/bebob_focusrite.c
+@@ -27,12 +27,14 @@
+ #define SAFFIRE_CLOCK_SOURCE_INTERNAL 0
+ #define SAFFIRE_CLOCK_SOURCE_SPDIF 1
+
+-/* '1' is absent, why... */
++/* clock sources as returned from register of Saffire Pro 10 and 26 */
+ #define SAFFIREPRO_CLOCK_SOURCE_INTERNAL 0
++#define SAFFIREPRO_CLOCK_SOURCE_SKIP 1 /* never used on hardware */
+ #define SAFFIREPRO_CLOCK_SOURCE_SPDIF 2
+-#define SAFFIREPRO_CLOCK_SOURCE_ADAT1 3
+-#define SAFFIREPRO_CLOCK_SOURCE_ADAT2 4
++#define SAFFIREPRO_CLOCK_SOURCE_ADAT1 3 /* not used on s.pro. 10 */
++#define SAFFIREPRO_CLOCK_SOURCE_ADAT2 4 /* not used on s.pro. 10 */
+ #define SAFFIREPRO_CLOCK_SOURCE_WORDCLOCK 5
++#define SAFFIREPRO_CLOCK_SOURCE_COUNT 6
+
+ /* S/PDIF, ADAT1, ADAT2 is enabled or not. three quadlets */
+ #define SAFFIREPRO_ENABLE_DIG_IFACES 0x01a4
+@@ -101,13 +103,34 @@ saffire_write_quad(struct snd_bebob *beb
+ &data, sizeof(__be32), 0);
+ }
+
++static char *const saffirepro_10_clk_src_labels[] = {
++ SND_BEBOB_CLOCK_INTERNAL, "S/PDIF", "Word Clock"
++};
+ static char *const saffirepro_26_clk_src_labels[] = {
+ SND_BEBOB_CLOCK_INTERNAL, "S/PDIF", "ADAT1", "ADAT2", "Word Clock"
+ };
+-
+-static char *const saffirepro_10_clk_src_labels[] = {
+- SND_BEBOB_CLOCK_INTERNAL, "S/PDIF", "Word Clock"
++/* Value maps between registers and labels for SaffirePro 10/26. */
++static const signed char saffirepro_clk_maps[][SAFFIREPRO_CLOCK_SOURCE_COUNT] = {
++ /* SaffirePro 10 */
++ [0] = {
++ [SAFFIREPRO_CLOCK_SOURCE_INTERNAL] = 0,
++ [SAFFIREPRO_CLOCK_SOURCE_SKIP] = -1, /* not supported */
++ [SAFFIREPRO_CLOCK_SOURCE_SPDIF] = 1,
++ [SAFFIREPRO_CLOCK_SOURCE_ADAT1] = -1, /* not supported */
++ [SAFFIREPRO_CLOCK_SOURCE_ADAT2] = -1, /* not supported */
++ [SAFFIREPRO_CLOCK_SOURCE_WORDCLOCK] = 2,
++ },
++ /* SaffirePro 26 */
++ [1] = {
++ [SAFFIREPRO_CLOCK_SOURCE_INTERNAL] = 0,
++ [SAFFIREPRO_CLOCK_SOURCE_SKIP] = -1, /* not supported */
++ [SAFFIREPRO_CLOCK_SOURCE_SPDIF] = 1,
++ [SAFFIREPRO_CLOCK_SOURCE_ADAT1] = 2,
++ [SAFFIREPRO_CLOCK_SOURCE_ADAT2] = 3,
++ [SAFFIREPRO_CLOCK_SOURCE_WORDCLOCK] = 4,
++ }
+ };
++
+ static int
+ saffirepro_both_clk_freq_get(struct snd_bebob *bebob, unsigned int *rate)
+ {
+@@ -138,24 +161,35 @@ saffirepro_both_clk_freq_set(struct snd_
+
+ return saffire_write_quad(bebob, SAFFIREPRO_RATE_NOREBOOT, id);
+ }
++
++/*
++ * query hardware for current clock source, return our internally
++ * used clock index in *id, depending on hardware.
++ */
+ static int
+ saffirepro_both_clk_src_get(struct snd_bebob *bebob, unsigned int *id)
+ {
+ int err;
+- u32 value;
++ u32 value; /* clock source read from hw register */
++ const signed char *map;
+
+ err = saffire_read_quad(bebob, SAFFIREPRO_OFFSET_CLOCK_SOURCE, &value);
+ if (err < 0)
+ goto end;
+
+- if (bebob->spec->clock->labels == saffirepro_10_clk_src_labels) {
+- if (value == SAFFIREPRO_CLOCK_SOURCE_WORDCLOCK)
+- *id = 2;
+- else if (value == SAFFIREPRO_CLOCK_SOURCE_SPDIF)
+- *id = 1;
+- } else if (value > 1) {
+- *id = value - 1;
++ /* depending on hardware, use a different mapping */
++ if (bebob->spec->clock->labels == saffirepro_10_clk_src_labels)
++ map = saffirepro_clk_maps[0];
++ else
++ map = saffirepro_clk_maps[1];
++
++ /* In a case that this driver cannot handle the value of register. */
++ if (value >= SAFFIREPRO_CLOCK_SOURCE_COUNT || map[value] < 0) {
++ err = -EIO;
++ goto end;
+ }
++
++ *id = (unsigned int)map[value];
+ end:
+ return err;
+ }
+--- a/sound/firewire/bebob/bebob_stream.c
++++ b/sound/firewire/bebob/bebob_stream.c
+@@ -129,12 +129,24 @@ snd_bebob_stream_check_internal_clock(st
+ /* 1.The device has its own operation to switch source of clock */
+ if (clk_spec) {
+ err = clk_spec->get(bebob, &id);
+- if (err < 0)
++ if (err < 0) {
+ dev_err(&bebob->unit->device,
+ "fail to get clock source: %d\n", err);
+- else if (strncmp(clk_spec->labels[id], SND_BEBOB_CLOCK_INTERNAL,
+- strlen(SND_BEBOB_CLOCK_INTERNAL)) == 0)
++ goto end;
++ }
++
++ if (id >= clk_spec->num) {
++ dev_err(&bebob->unit->device,
++ "clock source %d out of range 0..%d\n",
++ id, clk_spec->num - 1);
++ err = -EIO;
++ goto end;
++ }
++
++ if (strncmp(clk_spec->labels[id], SND_BEBOB_CLOCK_INTERNAL,
++ strlen(SND_BEBOB_CLOCK_INTERNAL)) == 0)
+ *internal = true;
++
+ goto end;
+ }
+
--- /dev/null
+From 3b70bdba2fcb374a2235a56ab73334348d819579 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 29 Oct 2014 16:13:05 +0100
+Subject: ALSA: hda - Add workaround for CMI8888 snoop behavior
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3b70bdba2fcb374a2235a56ab73334348d819579 upstream.
+
+CMI8888 shows the stuttering playback when the snooping is disabled
+on the audio buffer. Meanwhile, we've got reports that CORB/RIRB
+doesn't work in the snooped mode. So, as a compromise, disable the
+snoop only for CORB/RIRB and enable the snoop for the stream buffers.
+
+The resultant patch became a bit ugly, unfortunately, but we still can
+live with it.
+
+Reported-and-tested-by: Geoffrey McRae <geoff@spacevs.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -373,6 +373,8 @@ static void __mark_pages_wc(struct azx *
+ #ifdef CONFIG_SND_DMA_SGBUF
+ if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_SG) {
+ struct snd_sg_buf *sgbuf = dmab->private_data;
++ if (chip->driver_type == AZX_DRIVER_CMEDIA)
++ return; /* deal with only CORB/RIRB buffers */
+ if (on)
+ set_pages_array_wc(sgbuf->page_table, sgbuf->pages);
+ else
+@@ -1768,7 +1770,7 @@ static void pcm_mmap_prepare(struct snd_
+ #ifdef CONFIG_X86
+ struct azx_pcm *apcm = snd_pcm_substream_chip(substream);
+ struct azx *chip = apcm->chip;
+- if (!azx_snoop(chip))
++ if (!azx_snoop(chip) && chip->driver_type != AZX_DRIVER_CMEDIA)
+ area->vm_page_prot = pgprot_writecombine(area->vm_page_prot);
+ #endif
+ }
--- /dev/null
+From 317168d0c766defd14b3d0e9c2c4a9a258b803ee Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 28 Oct 2014 12:42:19 +0100
+Subject: ALSA: pcm: Zero-clear reserved fields of PCM status ioctl in compat mode
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 317168d0c766defd14b3d0e9c2c4a9a258b803ee upstream.
+
+In compat mode, we copy each field of snd_pcm_status struct but don't
+touch the reserved fields, and this leaves uninitialized values
+there. Meanwhile the native ioctl does zero-clear the whole
+structure, so we should follow the same rule in compat mode, too.
+
+Reported-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -210,6 +210,8 @@ static int snd_pcm_status_user_compat(st
+ if (err < 0)
+ return err;
+
++ if (clear_user(src, sizeof(*src)))
++ return -EFAULT;
+ if (put_user(status.state, &src->state) ||
+ compat_put_timespec(&status.trigger_tstamp, &src->trigger_tstamp) ||
+ compat_put_timespec(&status.tstamp, &src->tstamp) ||
--- /dev/null
+From 3b1deef6b1289a99505858a3b212c5b50adf0c2f Mon Sep 17 00:00:00 2001
+From: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Date: Tue, 28 Oct 2014 14:28:49 +0200
+Subject: evm: check xattr value length and type in evm_inode_setxattr()
+
+From: Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+commit 3b1deef6b1289a99505858a3b212c5b50adf0c2f upstream.
+
+evm_inode_setxattr() can be called with no value. The function does not
+check the length so that following command can be used to produce the
+kernel oops: setfattr -n security.evm FOO. This patch fixes it.
+
+Changes in v3:
+* there is no reason to return different error codes for EVM_XATTR_HMAC
+ and non EVM_XATTR_HMAC. Remove unnecessary test then.
+
+Changes in v2:
+* testing for validity of xattr type
+
+[ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at (null)
+[ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
+[ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0
+[ 1106.399953] Oops: 0000 [#1] SMP
+[ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
+[ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936
+[ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000
+[ 1106.400020] RIP: 0010:[<ffffffff812af7b8>] [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
+[ 1106.400020] RSP: 0018:ffff88002917fd50 EFLAGS: 00010246
+[ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000
+[ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8
+[ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df
+[ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00
+[ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 1106.400020] FS: 00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
+[ 1106.400020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0
+[ 1106.400020] Stack:
+[ 1106.400020] ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98
+[ 1106.400020] ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000
+[ 1106.400020] 0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8
+[ 1106.400020] Call Trace:
+[ 1106.400020] [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a
+[ 1106.400020] [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f
+[ 1106.400020] [<ffffffff8116d1e0>] setxattr+0x122/0x16c
+[ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
+[ 1106.400020] [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143
+[ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
+[ 1106.400020] [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f
+[ 1106.400020] [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0
+[ 1106.400020] [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b
+[ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83
+[ 1106.400020] RIP [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
+[ 1106.400020] RSP <ffff88002917fd50>
+[ 1106.400020] CR2: 0000000000000000
+[ 1106.428061] ---[ end trace ae08331628ba3050 ]---
+
+Reported-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/evm/evm_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -318,9 +318,12 @@ int evm_inode_setxattr(struct dentry *de
+ {
+ const struct evm_ima_xattr_data *xattr_data = xattr_value;
+
+- if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
+- && (xattr_data->type == EVM_XATTR_HMAC))
+- return -EPERM;
++ if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
++ if (!xattr_value_len)
++ return -EINVAL;
++ if (xattr_data->type != EVM_IMA_XATTR_DIGSIG)
++ return -EPERM;
++ }
+ return evm_protect_xattr(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ }
--- /dev/null
+From 3dcbad52cf18c3c379e96b992d22815439ebbe53 Mon Sep 17 00:00:00 2001
+From: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Date: Tue, 2 Sep 2014 16:31:43 +0300
+Subject: evm: properly handle INTEGRITY_NOXATTRS EVM status
+
+From: Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+commit 3dcbad52cf18c3c379e96b992d22815439ebbe53 upstream.
+
+Unless an LSM labels a file during d_instantiate(), newly created
+files are not labeled with an initial security.evm xattr, until
+the file closes. EVM, before allowing a protected, security xattr
+to be written, verifies the existing 'security.evm' value is good.
+For newly created files without a security.evm label, this
+verification prevents writing any protected, security xattrs,
+until the file closes.
+
+Following is the example when this happens:
+fd = open("foo", O_CREAT | O_WRONLY, 0644);
+setxattr("foo", "security.SMACK64", value, sizeof(value), 0);
+close(fd);
+
+While INTEGRITY_NOXATTRS status is handled in other places, such
+as evm_inode_setattr(), it does not handle it in all cases in
+evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to
+newly created files, we can now allow setting "protected" xattrs.
+
+Changelog:
+- limit the use of INTEGRITY_NOXATTRS to IMA identified new files
+
+Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/evm/evm_main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -284,6 +284,13 @@ static int evm_protect_xattr(struct dent
+ goto out;
+ }
+ evm_status = evm_verify_current_integrity(dentry);
++ if (evm_status == INTEGRITY_NOXATTRS) {
++ struct integrity_iint_cache *iint;
++
++ iint = integrity_iint_find(dentry->d_inode);
++ if (iint && (iint->flags & IMA_NEW_FILE))
++ return 0;
++ }
+ out:
+ if (evm_status != INTEGRITY_PASS)
+ integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode,
--- /dev/null
+From 24dff96a37a2ca319e75a74d3929b2de22447ca6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 8 Oct 2014 23:44:00 -0400
+Subject: fix misuses of f_count() in ppp and netlink
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 24dff96a37a2ca319e75a74d3929b2de22447ca6 upstream.
+
+we used to check for "nobody else could start doing anything with
+that opened file" by checking that refcount was 2 or less - one
+for descriptor table and one we'd acquired in fget() on the way to
+wherever we are. That was race-prone (somebody else might have
+had a reference to descriptor table and do fget() just as we'd
+been checking) and it had become flat-out incorrect back when
+we switched to fget_light() on those codepaths - unlike fget(),
+it doesn't grab an extra reference unless the descriptor table
+is shared. The same change allowed a race-free check, though -
+we are safe exactly when refcount is less than 2.
+
+It was a long time ago; pre-2.6.12 for ioctl() (the codepath leading
+to ppp one) and 2.6.17 for sendmsg() (netlink one). OTOH,
+netlink hadn't grown that check until 3.9 and ppp used to live
+in drivers/net, not drivers/net/ppp until 3.1. The bug existed
+well before that, though, and the same fix used to apply in old
+location of file.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ppp/ppp_generic.c | 2 +-
+ net/netlink/af_netlink.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -594,7 +594,7 @@ static long ppp_ioctl(struct file *file,
+ if (file == ppp->owner)
+ ppp_shutdown_interface(ppp);
+ }
+- if (atomic_long_read(&file->f_count) <= 2) {
++ if (atomic_long_read(&file->f_count) < 2) {
+ ppp_release(NULL, file);
+ err = 0;
+ } else
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -723,7 +723,7 @@ static int netlink_mmap_sendmsg(struct s
+ * after validation, the socket and the ring may only be used by a
+ * single process, otherwise we fall back to copying.
+ */
+- if (atomic_long_read(&sk->sk_socket->file->f_count) > 2 ||
++ if (atomic_long_read(&sk->sk_socket->file->f_count) > 1 ||
+ atomic_read(&nlk->mapped) > 1)
+ excl = false;
+
--- /dev/null
+From 99358a1ca53e8e6ce09423500191396f0e6584d2 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Fri, 1 Aug 2014 20:13:40 +0100
+Subject: [jffs2] kill wbuf_queued/wbuf_dwork_lock
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 99358a1ca53e8e6ce09423500191396f0e6584d2 upstream.
+
+schedule_delayed_work() happening when the work is already pending is
+a cheap no-op. Don't bother with ->wbuf_queued logics - it's both
+broken (cancelling ->wbuf_dwork leaves it set, as spotted by Jeff Harris)
+and pointless. It's cheaper to let schedule_delayed_work() handle that
+case.
+
+Reported-by: Jeff Harris <jefftharris@gmail.com>
+Tested-by: Jeff Harris <jefftharris@gmail.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jffs2/jffs2_fs_sb.h | 2 --
+ fs/jffs2/wbuf.c | 17 ++---------------
+ 2 files changed, 2 insertions(+), 17 deletions(-)
+
+--- a/fs/jffs2/jffs2_fs_sb.h
++++ b/fs/jffs2/jffs2_fs_sb.h
+@@ -134,8 +134,6 @@ struct jffs2_sb_info {
+ struct rw_semaphore wbuf_sem; /* Protects the write buffer */
+
+ struct delayed_work wbuf_dwork; /* write-buffer write-out work */
+- int wbuf_queued; /* non-zero delayed work is queued */
+- spinlock_t wbuf_dwork_lock; /* protects wbuf_dwork and and wbuf_queued */
+
+ unsigned char *oobbuf;
+ int oobavail; /* How many bytes are available for JFFS2 in OOB */
+--- a/fs/jffs2/wbuf.c
++++ b/fs/jffs2/wbuf.c
+@@ -1162,10 +1162,6 @@ static void delayed_wbuf_sync(struct wor
+ struct jffs2_sb_info *c = work_to_sb(work);
+ struct super_block *sb = OFNI_BS_2SFFJ(c);
+
+- spin_lock(&c->wbuf_dwork_lock);
+- c->wbuf_queued = 0;
+- spin_unlock(&c->wbuf_dwork_lock);
+-
+ if (!(sb->s_flags & MS_RDONLY)) {
+ jffs2_dbg(1, "%s()\n", __func__);
+ jffs2_flush_wbuf_gc(c, 0);
+@@ -1180,14 +1176,9 @@ void jffs2_dirty_trigger(struct jffs2_sb
+ if (sb->s_flags & MS_RDONLY)
+ return;
+
+- spin_lock(&c->wbuf_dwork_lock);
+- if (!c->wbuf_queued) {
++ delay = msecs_to_jiffies(dirty_writeback_interval * 10);
++ if (queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay))
+ jffs2_dbg(1, "%s()\n", __func__);
+- delay = msecs_to_jiffies(dirty_writeback_interval * 10);
+- queue_delayed_work(system_long_wq, &c->wbuf_dwork, delay);
+- c->wbuf_queued = 1;
+- }
+- spin_unlock(&c->wbuf_dwork_lock);
+ }
+
+ int jffs2_nand_flash_setup(struct jffs2_sb_info *c)
+@@ -1211,7 +1202,6 @@ int jffs2_nand_flash_setup(struct jffs2_
+
+ /* Initialise write buffer */
+ init_rwsem(&c->wbuf_sem);
+- spin_lock_init(&c->wbuf_dwork_lock);
+ INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+ c->wbuf_pagesize = c->mtd->writesize;
+ c->wbuf_ofs = 0xFFFFFFFF;
+@@ -1251,7 +1241,6 @@ int jffs2_dataflash_setup(struct jffs2_s
+
+ /* Initialize write buffer */
+ init_rwsem(&c->wbuf_sem);
+- spin_lock_init(&c->wbuf_dwork_lock);
+ INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+ c->wbuf_pagesize = c->mtd->erasesize;
+
+@@ -1311,7 +1300,6 @@ int jffs2_nor_wbuf_flash_setup(struct jf
+
+ /* Initialize write buffer */
+ init_rwsem(&c->wbuf_sem);
+- spin_lock_init(&c->wbuf_dwork_lock);
+ INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+
+ c->wbuf_pagesize = c->mtd->writesize;
+@@ -1346,7 +1334,6 @@ int jffs2_ubivol_setup(struct jffs2_sb_i
+ return 0;
+
+ init_rwsem(&c->wbuf_sem);
+- spin_lock_init(&c->wbuf_dwork_lock);
+ INIT_DELAYED_WORK(&c->wbuf_dwork, delayed_wbuf_sync);
+
+ c->wbuf_pagesize = c->mtd->writesize;
--- /dev/null
+From f9865f06f7f18c6661c88d0511f05c48612319cc Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@redhat.com>
+Date: Fri, 10 Oct 2014 16:39:05 +0400
+Subject: libceph: ceph-msgr workqueue needs a resque worker
+
+From: Ilya Dryomov <idryomov@redhat.com>
+
+commit f9865f06f7f18c6661c88d0511f05c48612319cc upstream.
+
+Commit f363e45fd118 ("net/ceph: make ceph_msgr_wq non-reentrant")
+effectively removed WQ_MEM_RECLAIM flag from ceph_msgr_wq. This is
+wrong - libceph is very much a memory reclaim path, so restore it.
+
+Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
+Tested-by: Micha Krause <micha@krausam.de>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/messenger.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -292,7 +292,11 @@ int ceph_msgr_init(void)
+ if (ceph_msgr_slab_init())
+ return -ENOMEM;
+
+- ceph_msgr_wq = alloc_workqueue("ceph-msgr", 0, 0);
++ /*
++ * The number of active work items is limited by the number of
++ * connections, so leave @max_active at default.
++ */
++ ceph_msgr_wq = alloc_workqueue("ceph-msgr", WQ_MEM_RECLAIM, 0);
+ if (ceph_msgr_wq)
+ return 0;
+
--- /dev/null
+From 6d13f69444bd3d4888e43f7756449748f5a98bad Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon, 29 Sep 2014 14:46:30 -0400
+Subject: missing data dependency barrier in prepend_name()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6d13f69444bd3d4888e43f7756449748f5a98bad upstream.
+
+AFAICS, prepend_name() is broken on SMP alpha. Disclaimer: I don't have
+SMP alpha boxen to reproduce it on. However, it really looks like the race
+is real.
+
+CPU1: d_path() on /mnt/ramfs/<255-character>/foo
+CPU2: mv /mnt/ramfs/<255-character> /mnt/ramfs/<63-character>
+
+CPU2 does d_alloc(), which allocates an external name, stores the name there
+including terminating NUL, does smp_wmb() and stores its address in
+dentry->d_name.name. It proceeds to d_add(dentry, NULL) and d_move()
+old dentry over to that. ->d_name.name value ends up in that dentry.
+
+In the meanwhile, CPU1 gets to prepend_name() for that dentry. It fetches
+->d_name.name and ->d_name.len; the former ends up pointing to new name
+(64-byte kmalloc'ed array), the latter - 255 (length of the old name).
+Nothing to force the ordering there, and normally that would be OK, since we'd
+run into the terminating NUL and stop. Except that it's alpha, and we'd need
+a data dependency barrier to guarantee that we see that store of NUL
+__d_alloc() has done. In a similar situation dentry_cmp() would survive; it
+does explicit smp_read_barrier_depends() after fetching ->d_name.name.
+prepend_name() doesn't and it risks walking past the end of kmalloc'ed object
+and possibly oops due to taking a page fault in kernel mode.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2810,6 +2810,9 @@ static int prepend(char **buffer, int *b
+ * the beginning of the name. The sequence number check at the caller will
+ * retry it again when a d_move() does happen. So any garbage in the buffer
+ * due to mismatched pointer and length will be discarded.
++ *
++ * Data dependency barrier is needed to make sure that we see that terminating
++ * NUL. Alpha strikes again, film at 11...
+ */
+ static int prepend_name(char **buffer, int *buflen, struct qstr *name)
+ {
+@@ -2817,6 +2820,8 @@ static int prepend_name(char **buffer, i
+ u32 dlen = ACCESS_ONCE(name->len);
+ char *p;
+
++ smp_read_barrier_depends();
++
+ *buflen -= dlen + 1;
+ if (*buflen < 0)
+ return -ENAMETOOLONG;
--- /dev/null
+From 211de6eba8960521e2be450a7d07db85fba4604c Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Tue, 30 Sep 2014 19:23:08 +0200
+Subject: perf: Fix unclone_ctx() vs. locking
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 211de6eba8960521e2be450a7d07db85fba4604c upstream.
+
+The idiot who did 4a1c0f262f88 ("perf: Fix lockdep warning on process exit")
+forgot to pay attention and fix all similar cases. Do so now.
+
+In particular, unclone_ctx() must be called while holding ctx->lock,
+therefore all such sites are broken for the same reason. Pull the
+put_ctx() call out from under ctx->lock.
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Probably-also-reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Fixes: 4a1c0f262f88 ("perf: Fix lockdep warning on process exit")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Cc: Cong Wang <cwang@twopensource.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: http://lkml.kernel.org/r/20140930172308.GI4241@worktop.programming.kicks-ass.net
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c | 54 +++++++++++++++++++++++++++++----------------------
+ 1 file changed, 31 insertions(+), 23 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -902,13 +902,23 @@ static void put_ctx(struct perf_event_co
+ }
+ }
+
+-static void unclone_ctx(struct perf_event_context *ctx)
++/*
++ * This must be done under the ctx->lock, such as to serialize against
++ * context_equiv(), therefore we cannot call put_ctx() since that might end up
++ * calling scheduler related locks and ctx->lock nests inside those.
++ */
++static __must_check struct perf_event_context *
++unclone_ctx(struct perf_event_context *ctx)
+ {
+- if (ctx->parent_ctx) {
+- put_ctx(ctx->parent_ctx);
++ struct perf_event_context *parent_ctx = ctx->parent_ctx;
++
++ lockdep_assert_held(&ctx->lock);
++
++ if (parent_ctx)
+ ctx->parent_ctx = NULL;
+- }
+ ctx->generation++;
++
++ return parent_ctx;
+ }
+
+ static u32 perf_event_pid(struct perf_event *event, struct task_struct *p)
+@@ -2210,6 +2220,9 @@ static void ctx_sched_out(struct perf_ev
+ static int context_equiv(struct perf_event_context *ctx1,
+ struct perf_event_context *ctx2)
+ {
++ lockdep_assert_held(&ctx1->lock);
++ lockdep_assert_held(&ctx2->lock);
++
+ /* Pinning disables the swap optimization */
+ if (ctx1->pin_count || ctx2->pin_count)
+ return 0;
+@@ -2943,6 +2956,7 @@ static int event_enable_on_exec(struct p
+ */
+ static void perf_event_enable_on_exec(struct perf_event_context *ctx)
+ {
++ struct perf_event_context *clone_ctx = NULL;
+ struct perf_event *event;
+ unsigned long flags;
+ int enabled = 0;
+@@ -2974,7 +2988,7 @@ static void perf_event_enable_on_exec(st
+ * Unclone this context if we enabled any event.
+ */
+ if (enabled)
+- unclone_ctx(ctx);
++ clone_ctx = unclone_ctx(ctx);
+
+ raw_spin_unlock(&ctx->lock);
+
+@@ -2984,6 +2998,9 @@ static void perf_event_enable_on_exec(st
+ perf_event_context_sched_in(ctx, ctx->task);
+ out:
+ local_irq_restore(flags);
++
++ if (clone_ctx)
++ put_ctx(clone_ctx);
+ }
+
+ void perf_event_exec(void)
+@@ -3135,7 +3152,7 @@ errout:
+ static struct perf_event_context *
+ find_get_context(struct pmu *pmu, struct task_struct *task, int cpu)
+ {
+- struct perf_event_context *ctx;
++ struct perf_event_context *ctx, *clone_ctx = NULL;
+ struct perf_cpu_context *cpuctx;
+ unsigned long flags;
+ int ctxn, err;
+@@ -3169,9 +3186,12 @@ find_get_context(struct pmu *pmu, struct
+ retry:
+ ctx = perf_lock_task_context(task, ctxn, &flags);
+ if (ctx) {
+- unclone_ctx(ctx);
++ clone_ctx = unclone_ctx(ctx);
+ ++ctx->pin_count;
+ raw_spin_unlock_irqrestore(&ctx->lock, flags);
++
++ if (clone_ctx)
++ put_ctx(clone_ctx);
+ } else {
+ ctx = alloc_perf_context(pmu, task);
+ err = -ENOMEM;
+@@ -7523,7 +7543,7 @@ __perf_event_exit_task(struct perf_event
+ static void perf_event_exit_task_context(struct task_struct *child, int ctxn)
+ {
+ struct perf_event *child_event, *next;
+- struct perf_event_context *child_ctx, *parent_ctx;
++ struct perf_event_context *child_ctx, *clone_ctx = NULL;
+ unsigned long flags;
+
+ if (likely(!child->perf_event_ctxp[ctxn])) {
+@@ -7550,28 +7570,16 @@ static void perf_event_exit_task_context
+ child->perf_event_ctxp[ctxn] = NULL;
+
+ /*
+- * In order to avoid freeing: child_ctx->parent_ctx->task
+- * under perf_event_context::lock, grab another reference.
+- */
+- parent_ctx = child_ctx->parent_ctx;
+- if (parent_ctx)
+- get_ctx(parent_ctx);
+-
+- /*
+ * If this context is a clone; unclone it so it can't get
+ * swapped to another process while we're removing all
+ * the events from it.
+ */
+- unclone_ctx(child_ctx);
++ clone_ctx = unclone_ctx(child_ctx);
+ update_context_time(child_ctx);
+ raw_spin_unlock_irqrestore(&child_ctx->lock, flags);
+
+- /*
+- * Now that we no longer hold perf_event_context::lock, drop
+- * our extra child_ctx->parent_ctx reference.
+- */
+- if (parent_ctx)
+- put_ctx(parent_ctx);
++ if (clone_ctx)
++ put_ctx(clone_ctx);
+
+ /*
+ * Report the task dead after unscheduling the events so that we
--- /dev/null
+From 792c3a914910bd34302c5345578f85cfcb5e2c01 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@redhat.com>
+Date: Fri, 10 Oct 2014 18:36:07 +0400
+Subject: rbd: rbd workqueues need a resque worker
+
+From: Ilya Dryomov <idryomov@redhat.com>
+
+commit 792c3a914910bd34302c5345578f85cfcb5e2c01 upstream.
+
+Need to use WQ_MEM_RECLAIM for our workqueues to prevent I/O lockups
+under memory pressure - we sit on the memory reclaim path.
+
+Signed-off-by: Ilya Dryomov <idryomov@redhat.com>
+Tested-by: Micha Krause <micha@krausam.de>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -5087,7 +5087,8 @@ static int rbd_dev_device_setup(struct r
+ set_capacity(rbd_dev->disk, rbd_dev->mapping.size / SECTOR_SIZE);
+ set_disk_ro(rbd_dev->disk, rbd_dev->mapping.read_only);
+
+- rbd_dev->rq_wq = alloc_workqueue("%s", 0, 0, rbd_dev->disk->disk_name);
++ rbd_dev->rq_wq = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0,
++ rbd_dev->disk->disk_name);
+ if (!rbd_dev->rq_wq) {
+ ret = -ENOMEM;
+ goto err_out_mapping;
--- /dev/null
+From 66339c31bc3978d5fff9c4b4cb590a861def4db2 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai <ktkhai@parallels.com>
+Date: Mon, 22 Sep 2014 22:36:24 +0400
+Subject: sched: Use dl_bw_of() under RCU read lock
+
+From: Kirill Tkhai <ktkhai@parallels.com>
+
+commit 66339c31bc3978d5fff9c4b4cb590a861def4db2 upstream.
+
+dl_bw_of() dereferences rq->rd which has to have RCU read lock held.
+Probability of use-after-free isn't zero here.
+
+Also add lockdep assert into dl_bw_cpus().
+
+Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: http://lkml.kernel.org/r/20140922183624.11015.71558.stgit@localhost
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1977,6 +1977,8 @@ unsigned long to_ratio(u64 period, u64 r
+ #ifdef CONFIG_SMP
+ inline struct dl_bw *dl_bw_of(int i)
+ {
++ rcu_lockdep_assert(rcu_read_lock_sched_held(),
++ "sched RCU must be held");
+ return &cpu_rq(i)->rd->dl_bw;
+ }
+
+@@ -1985,6 +1987,8 @@ static inline int dl_bw_cpus(int i)
+ struct root_domain *rd = cpu_rq(i)->rd;
+ int cpus = 0;
+
++ rcu_lockdep_assert(rcu_read_lock_sched_held(),
++ "sched RCU must be held");
+ for_each_cpu_and(i, rd->span, cpu_active_mask)
+ cpus++;
+
+@@ -7580,6 +7584,8 @@ static int sched_dl_global_constraints(v
+ int cpu, ret = 0;
+ unsigned long flags;
+
++ rcu_read_lock();
++
+ /*
+ * Here we want to check the bandwidth not being set to some
+ * value smaller than the currently allocated bandwidth in
+@@ -7601,6 +7607,8 @@ static int sched_dl_global_constraints(v
+ break;
+ }
+
++ rcu_read_unlock();
++
+ return ret;
+ }
+
+@@ -7616,6 +7624,7 @@ static void sched_dl_do_global(void)
+ if (global_rt_runtime() != RUNTIME_INF)
+ new_bw = to_ratio(global_rt_period(), global_rt_runtime());
+
++ rcu_read_lock();
+ /*
+ * FIXME: As above...
+ */
+@@ -7626,6 +7635,7 @@ static void sched_dl_do_global(void)
+ dl_b->bw = new_bw;
+ raw_spin_unlock_irqrestore(&dl_b->lock, flags);
+ }
++ rcu_read_unlock();
+ }
+
+ static int sched_rt_global_validate(void)
x86_64-entry-filter-rflags.nt-on-entry-from-userspace.patch
x86_64-entry-fix-out-of-bounds-read-on-sysenter.patch
x86-pageattr-prevent-overflow-in-slow_virt_to_phys-for-x86_pae.patch
+perf-fix-unclone_ctx-vs.-locking.patch
+evm-properly-handle-integrity_noxattrs-evm-status.patch
+evm-check-xattr-value-length-and-type-in-evm_inode_setxattr.patch
+alsa-hda-add-workaround-for-cmi8888-snoop-behavior.patch
+alsa-bebob-uninitialized-id-returned-by-saffirepro_both_clk_src_get.patch
+alsa-pcm-zero-clear-reserved-fields-of-pcm-status-ioctl-in-compat-mode.patch
+missing-data-dependency-barrier-in-prepend_name.patch
+kill-wbuf_queued-wbuf_dwork_lock.patch
+fix-misuses-of-f_count-in-ppp-and-netlink.patch
+rbd-rbd-workqueues-need-a-resque-worker.patch
+libceph-ceph-msgr-workqueue-needs-a-resque-worker.patch
+sched-use-dl_bw_of-under-rcu-read-lock.patch
+um-ubd-fix-for-processes-stuck-in-d-state-forever.patch
--- /dev/null
+From 2a2361228c5e6d8c1733f00653481de918598e50 Mon Sep 17 00:00:00 2001
+From: Thorsten Knabe <linux@thorsten-knabe.de>
+Date: Sat, 23 Aug 2014 15:47:38 +0200
+Subject: um: ubd: Fix for processes stuck in D state forever
+
+From: Thorsten Knabe <linux@thorsten-knabe.de>
+
+commit 2a2361228c5e6d8c1733f00653481de918598e50 upstream.
+
+Starting with Linux 3.12 processes get stuck in D state forever in
+UserModeLinux under sync heavy workloads. This bug was introduced by
+commit 805f11a0d5 (um: ubd: Add REQ_FLUSH suppport).
+Fix bug by adding a check if FLUSH request was successfully submitted to
+the I/O thread and keeping the FLUSH request on the request queue on
+submission failures.
+
+Fixes: 805f11a0d5 (um: ubd: Add REQ_FLUSH suppport)
+Signed-off-by: Thorsten Knabe <linux@thorsten-knabe.de>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/drivers/ubd_kern.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -1277,7 +1277,7 @@ static void do_ubd_request(struct reques
+
+ while(1){
+ struct ubd *dev = q->queuedata;
+- if(dev->end_sg == 0){
++ if(dev->request == NULL){
+ struct request *req = blk_fetch_request(q);
+ if(req == NULL)
+ return;
+@@ -1299,7 +1299,8 @@ static void do_ubd_request(struct reques
+ return;
+ }
+ prepare_flush_request(req, io_req);
+- submit_request(io_req, dev);
++ if (submit_request(io_req, dev) == false)
++ return;
+ }
+
+ while(dev->start_sg < dev->end_sg){
projects / thirdparty / kernel / stable-queue.git / commitdiff
