--- /dev/null
+From 22e58665a01006d05f0239621f7d41cacca96cc4 Mon Sep 17 00:00:00 2001
+From: Junya Monden <jmonden@jp.adit-jv.com>
+Date: Wed, 16 Oct 2019 14:42:55 +0200
+Subject: ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
+
+From: Junya Monden <jmonden@jp.adit-jv.com>
+
+commit 22e58665a01006d05f0239621f7d41cacca96cc4 upstream.
+
+Unlike other format-related DAI parameters, rdai->bit_clk_inv flag
+is not properly re-initialized when setting format for new stream
+processing. The inversion, if requested, is then applied not to default,
+but to a previous value, which leads to SCKP bit in SSICR register being
+set incorrectly.
+Fix this by re-setting the flag to its initial value, determined by format.
+
+Fixes: 1a7889ca8aba3 ("ASoC: rsnd: fixup SND_SOC_DAIFMT_xB_xF behavior")
+Cc: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Cc: Jiada Wang <jiada_wang@mentor.com>
+Cc: Timo Wischer <twischer@de.adit-jv.com>
+Cc: stable@vger.kernel.org # v3.17+
+Signed-off-by: Junya Monden <jmonden@jp.adit-jv.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20191016124255.7442-1-erosca@de.adit-jv.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sh/rcar/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -629,6 +629,7 @@ static int rsnd_soc_dai_set_fmt(struct s
+ }
+
+ /* set format */
++ rdai->bit_clk_inv = 0;
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+ rdai->sys_delay = 0;
--- /dev/null
+From 4ac2813cc867ae563a1ba5a9414bfb554e5796fa Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 4 Oct 2019 10:51:32 +0100
+Subject: cfg80211: wext: avoid copying malformed SSIDs
+
+From: Will Deacon <will@kernel.org>
+
+commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream.
+
+Ensure the SSID element is bounds-checked prior to invoking memcpy()
+with its length field, when copying to userspace.
+
+Cc: <stable@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org
+[adjust commit log a bit]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-sme.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-sme.c
++++ b/net/wireless/wext-sme.c
+@@ -224,6 +224,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ struct iw_point *data, char *ssid)
+ {
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
++ int ret = 0;
+
+ /* call only for station! */
+ if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
+@@ -241,7 +242,10 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ if (ie) {
+ data->flags = 1;
+ data->length = ie[1];
+- memcpy(ssid, ie + 2, data->length);
++ if (data->length > IW_ESSID_MAX_SIZE)
++ ret = -EINVAL;
++ else
++ memcpy(ssid, ie + 2, data->length);
+ }
+ rcu_read_unlock();
+ } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
+@@ -251,7 +255,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+ }
+ wdev_unlock(wdev);
+
+- return 0;
++ return ret;
+ }
+
+ int cfg80211_mgd_wext_siwap(struct net_device *dev,
--- /dev/null
+From 11bcf5f78905b90baae8fb01e16650664ed0cb00 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 2 Apr 2019 11:30:37 +0800
+Subject: drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 11bcf5f78905b90baae8fb01e16650664ed0cb00 upstream.
+
+Another panel that needs 6BPC quirk.
+
+BugLink: https://bugs.launchpad.net/bugs/1819968
+Cc: <stable@vger.kernel.org> # v4.8+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190402033037.21877-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -160,6 +160,9 @@ static const struct edid_quirk {
+ /* Medion MD 30217 PG */
+ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
+
++ /* Lenovo G50 */
++ { "SDC", 18514, EDID_QUIRK_FORCE_6BPC },
++
+ /* Panel in Samsung NP700G7A-S01PL notebook reports 6bpc */
+ { "SEC", 0xd033, EDID_QUIRK_FORCE_8BPC },
+
--- /dev/null
+From afce285b859cea91c182015fc9858ea58c26cd0e Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Mon, 16 Sep 2019 12:45:48 -0700
+Subject: Input: da9063 - fix capability and drop KEY_SLEEP
+
+From: Marco Felsch <m.felsch@pengutronix.de>
+
+commit afce285b859cea91c182015fc9858ea58c26cd0e upstream.
+
+Since commit f889beaaab1c ("Input: da9063 - report KEY_POWER instead of
+KEY_SLEEP during power key-press") KEY_SLEEP isn't supported anymore. This
+caused input device to not generate any events if "dlg,disable-key-power"
+is set.
+
+Fix this by unconditionally setting KEY_POWER capability, and not
+declaring KEY_SLEEP.
+
+Fixes: f889beaaab1c ("Input: da9063 - report KEY_POWER instead of KEY_SLEEP during power key-press")
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/da9063_onkey.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/input/misc/da9063_onkey.c
++++ b/drivers/input/misc/da9063_onkey.c
+@@ -247,10 +247,7 @@ static int da9063_onkey_probe(struct pla
+ onkey->input->phys = onkey->phys;
+ onkey->input->dev.parent = &pdev->dev;
+
+- if (onkey->key_power)
+- input_set_capability(onkey->input, EV_KEY, KEY_POWER);
+-
+- input_set_capability(onkey->input, EV_KEY, KEY_SLEEP);
++ input_set_capability(onkey->input, EV_KEY, KEY_POWER);
+
+ INIT_DELAYED_WORK(&onkey->work, da9063_poll_on);
+
--- /dev/null
+From 4152561f5da3fca92af7179dd538ea89e248f9d0 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 4 Oct 2019 10:51:31 +0100
+Subject: mac80211: Reject malformed SSID elements
+
+From: Will Deacon <will@kernel.org>
+
+commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream.
+
+Although this shouldn't occur in practice, it's a good idea to bounds
+check the length field of the SSID element prior to using it for things
+like allocations or memcpy operations.
+
+Cc: <stable@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2434,7 +2434,8 @@ struct sk_buff *ieee80211_ap_probereq_ge
+
+ rcu_read_lock();
+ ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
+- if (WARN_ON_ONCE(ssid == NULL))
++ if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
++ "invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
+ ssid_len = 0;
+ else
+ ssid_len = ssid[1];
+@@ -4691,7 +4692,7 @@ int ieee80211_mgd_assoc(struct ieee80211
+
+ rcu_read_lock();
+ ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
+- if (!ssidie) {
++ if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) {
+ rcu_read_unlock();
+ kfree(assoc_data);
+ return -EINVAL;
--- /dev/null
+From b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paulburton@kernel.org>
+Date: Fri, 18 Oct 2019 15:38:48 -0700
+Subject: MIPS: tlbex: Fix build_restore_pagemask KScratch restore
+
+From: Paul Burton <paulburton@kernel.org>
+
+commit b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 upstream.
+
+build_restore_pagemask() will restore the value of register $1/$at when
+its restore_scratch argument is non-zero, and aims to do so by filling a
+branch delay slot. Commit 0b24cae4d535 ("MIPS: Add missing EHB in mtc0
+-> mfc0 sequence.") added an EHB instruction (Execution Hazard Barrier)
+prior to restoring $1 from a KScratch register, in order to resolve a
+hazard that can result in stale values of the KScratch register being
+observed. In particular, P-class CPUs from MIPS with out of order
+execution pipelines such as the P5600 & P6600 are affected.
+
+Unfortunately this EHB instruction was inserted in the branch delay slot
+causing the MFC0 instruction which performs the restoration to no longer
+execute along with the branch. The result is that the $1 register isn't
+actually restored, ie. the TLB refill exception handler clobbers it -
+which is exactly the problem the EHB is meant to avoid for the P-class
+CPUs.
+
+Similarly build_get_pgd_vmalloc() will restore the value of $1/$at when
+its mode argument equals refill_scratch, and suffers from the same
+problem.
+
+Fix this by in both cases moving the EHB earlier in the emitted code.
+There's no reason it needs to immediately precede the MFC0 - it simply
+needs to be between the MTC0 & MFC0.
+
+This bug only affects Cavium Octeon systems which use
+build_fast_tlb_refill_handler().
+
+Signed-off-by: Paul Burton <paulburton@kernel.org>
+Fixes: 0b24cae4d535 ("MIPS: Add missing EHB in mtc0 -> mfc0 sequence.")
+Cc: Dmitry Korotin <dkorotin@wavecomp.com>
+Cc: stable@vger.kernel.org # v3.15+
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/mm/tlbex.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/mm/tlbex.c
++++ b/arch/mips/mm/tlbex.c
+@@ -661,6 +661,13 @@ static void build_restore_pagemask(u32 *
+ int restore_scratch)
+ {
+ if (restore_scratch) {
++ /*
++ * Ensure the MFC0 below observes the value written to the
++ * KScratch register by the prior MTC0.
++ */
++ if (scratch_reg >= 0)
++ uasm_i_ehb(p);
++
+ /* Reset default page size */
+ if (PM_DEFAULT_MASK >> 16) {
+ uasm_i_lui(p, tmp, PM_DEFAULT_MASK >> 16);
+@@ -675,12 +682,10 @@ static void build_restore_pagemask(u32 *
+ uasm_i_mtc0(p, 0, C0_PAGEMASK);
+ uasm_il_b(p, r, lid);
+ }
+- if (scratch_reg >= 0) {
+- uasm_i_ehb(p);
++ if (scratch_reg >= 0)
+ UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg);
+- } else {
++ else
+ UASM_i_LW(p, 1, scratchpad_offset(0), 0);
+- }
+ } else {
+ /* Reset default page size */
+ if (PM_DEFAULT_MASK >> 16) {
+@@ -922,6 +927,10 @@ build_get_pgd_vmalloc64(u32 **p, struct
+ }
+ if (mode != not_refill && check_for_high_segbits) {
+ uasm_l_large_segbits_fault(l, *p);
++
++ if (mode == refill_scratch && scratch_reg >= 0)
++ uasm_i_ehb(p);
++
+ /*
+ * We get here if we are an xsseg address, or if we are
+ * an xuseg address above (PGDIR_SHIFT+PGDIR_BITS) boundary.
+@@ -938,12 +947,10 @@ build_get_pgd_vmalloc64(u32 **p, struct
+ uasm_i_jr(p, ptr);
+
+ if (mode == refill_scratch) {
+- if (scratch_reg >= 0) {
+- uasm_i_ehb(p);
++ if (scratch_reg >= 0)
+ UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg);
+- } else {
++ else
+ UASM_i_LW(p, 1, scratchpad_offset(0), 0);
+- }
+ } else {
+ uasm_i_nop(p);
+ }
--- /dev/null
+From 77c301287ebae86cc71d03eb3806f271cb14da79 Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 15 Oct 2019 21:05:56 +0800
+Subject: scsi: core: try to get module before removing device
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+commit 77c301287ebae86cc71d03eb3806f271cb14da79 upstream.
+
+We have a test case like block/001 in blktests, which will create a scsi
+device by loading scsi_debug module and then try to delete the device by
+sysfs interface. At the same time, it may remove the scsi_debug module.
+
+And getting a invalid paging request BUG_ON as following:
+
+[ 34.625854] BUG: unable to handle page fault for address: ffffffffa0016bb8
+[ 34.629189] Oops: 0000 [#1] SMP PTI
+[ 34.629618] CPU: 1 PID: 450 Comm: bash Tainted: G W 5.4.0-rc3+ #473
+[ 34.632524] RIP: 0010:scsi_proc_hostdir_rm+0x5/0xa0
+[ 34.643555] CR2: ffffffffa0016bb8 CR3: 000000012cd88000 CR4: 00000000000006e0
+[ 34.644545] Call Trace:
+[ 34.644907] scsi_host_dev_release+0x6b/0x1f0
+[ 34.645511] device_release+0x74/0x110
+[ 34.646046] kobject_put+0x116/0x390
+[ 34.646559] put_device+0x17/0x30
+[ 34.647041] scsi_target_dev_release+0x2b/0x40
+[ 34.647652] device_release+0x74/0x110
+[ 34.648186] kobject_put+0x116/0x390
+[ 34.648691] put_device+0x17/0x30
+[ 34.649157] scsi_device_dev_release_usercontext+0x2e8/0x360
+[ 34.649953] execute_in_process_context+0x29/0x80
+[ 34.650603] scsi_device_dev_release+0x20/0x30
+[ 34.651221] device_release+0x74/0x110
+[ 34.651732] kobject_put+0x116/0x390
+[ 34.652230] sysfs_unbreak_active_protection+0x3f/0x50
+[ 34.652935] sdev_store_delete.cold.4+0x71/0x8f
+[ 34.653579] dev_attr_store+0x1b/0x40
+[ 34.654103] sysfs_kf_write+0x3d/0x60
+[ 34.654603] kernfs_fop_write+0x174/0x250
+[ 34.655165] __vfs_write+0x1f/0x60
+[ 34.655639] vfs_write+0xc7/0x280
+[ 34.656117] ksys_write+0x6d/0x140
+[ 34.656591] __x64_sys_write+0x1e/0x30
+[ 34.657114] do_syscall_64+0xb1/0x400
+[ 34.657627] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 34.658335] RIP: 0033:0x7f156f337130
+
+During deleting scsi target, the scsi_debug module have been removed. Then,
+sdebug_driver_template belonged to the module cannot be accessd, resulting
+in scsi_proc_hostdir_rm() BUG_ON.
+
+To fix the bug, we add scsi_device_get() in sdev_store_delete() to try to
+increase refcount of module, avoiding the module been removed.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191015130556.18061-1-yuyufen@huawei.com
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_sysfs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -710,6 +710,14 @@ sdev_store_delete(struct device *dev, st
+ const char *buf, size_t count)
+ {
+ struct kernfs_node *kn;
++ struct scsi_device *sdev = to_scsi_device(dev);
++
++ /*
++ * We need to try to get module, avoiding the module been removed
++ * during delete.
++ */
++ if (scsi_device_get(sdev))
++ return -ENODEV;
+
+ kn = sysfs_break_active_protection(&dev->kobj, &attr->attr);
+ WARN_ON_ONCE(!kn);
+@@ -724,9 +732,10 @@ sdev_store_delete(struct device *dev, st
+ * state into SDEV_DEL.
+ */
+ device_remove_file(dev, attr);
+- scsi_remove_device(to_scsi_device(dev));
++ scsi_remove_device(sdev);
+ if (kn)
+ sysfs_unbreak_active_protection(kn);
++ scsi_device_put(sdev);
+ return count;
+ };
+ static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete);
usb-ldusb-fix-memleak-on-disconnect.patch
usb-usblp-fix-use-after-free-on-disconnect.patch
usb-ldusb-fix-read-info-leaks.patch
+mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch
+staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch
+scsi-core-try-to-get-module-before-removing-device.patch
+input-da9063-fix-capability-and-drop-key_sleep.patch
+asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch
+cfg80211-wext-avoid-copying-malformed-ssids.patch
+mac80211-reject-malformed-ssid-elements.patch
+drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch
--- /dev/null
+From 153c5d8191c26165dbbd2646448ca7207f7796d0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 14 Oct 2019 12:02:01 +0100
+Subject: staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 153c5d8191c26165dbbd2646448ca7207f7796d0 upstream.
+
+Currently the exit return path when sme->key_idx >= NUM_WEPKEYS is via
+label 'exit' and this checks if result is non-zero, however result has
+not been initialized and contains garbage. Fix this by replacing the
+goto with a return with the error code.
+
+Addresses-Coverity: ("Uninitialized scalar variable")
+Fixes: 0ca6d8e74489 ("Staging: wlan-ng: replace switch-case statements with macro")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191014110201.9874-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wlan-ng/cfg80211.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/wlan-ng/cfg80211.c
++++ b/drivers/staging/wlan-ng/cfg80211.c
+@@ -489,10 +489,8 @@ static int prism2_connect(struct wiphy *
+ /* Set the encryption - we only support wep */
+ if (is_wep) {
+ if (sme->key) {
+- if (sme->key_idx >= NUM_WEPKEYS) {
+- err = -EINVAL;
+- goto exit;
+- }
++ if (sme->key_idx >= NUM_WEPKEYS)
++ return -EINVAL;
+
+ result = prism2_domibset_uint32(wlandev,
+ DIDmib_dot11smt_dot11PrivacyTable_dot11WEPDefaultKeyID,
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- drivers/usb/misc/ldusb.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
+ drivers/usb/misc/ldusb.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/usb/misc/ldusb.c
+++ b/drivers/usb/misc/ldusb.c
dev->interrupt_in_done = 0;
spin_unlock_irq(&dev->rbsl);
if (file->f_flags & O_NONBLOCK) {
-@@ -479,11 +479,16 @@ static ssize_t ld_usb_read(struct file *
+@@ -478,12 +478,17 @@ static ssize_t ld_usb_read(struct file *
+ retval = wait_event_interruptible(dev->read_wait, dev->interrupt_in_done);
if (retval < 0)
goto unlock_exit;
- } else {
+- } else {
- spin_unlock_irq(&dev->rbsl);
++
+ spin_lock_irq(&dev->rbsl);
}
+ spin_unlock_irq(&dev->rbsl);
projects / thirdparty / kernel / stable-queue.git / commitdiff
