commit 648d744eff1aedea4ffe49dfca07aa465669e1f4 Author: Sasha Levin Date: Wed May 11 00:10:35 2016 -0400 Linux 4.1.24 Signed-off-by: Sasha Levin commit 8e8ad4a07714556769f0bc5496b69c63b0fc902d Author: Tony Luck Date: Thu Apr 14 10:21:52 2016 -0700 x86 EDAC, sb_edac.c: Repair damage introduced when "fixing" channel address [ Upstream commit ff15e95c82768d589957dbb17d7eb7dba7904659 ] In commit: eb1af3b71f9d ("Fix computation of channel address") I switched the "sck_way" variable from holding the log2 value read from the h/w to instead be the actual number. Unfortunately it is needed in log2 form when used to shift the address. Tested-by: Patrick Geary Signed-off-by: Tony Luck Acked-by: Mauro Carvalho Chehab Cc: Aristeu Rozanski Cc: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-edac@vger.kernel.org Cc: stable@vger.kernel.org Fixes: eb1af3b71f9d ("Fix computation of channel address") Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 936d0871135e41fba0dc15095319ca106f55a584 Author: Jan Beulich Date: Thu Apr 21 00:27:04 2016 -0600 x86/mm/xen: Suppress hugetlbfs in PV guests [ Upstream commit 103f6112f253017d7062cd74d17f4a514ed4485c ] Huge pages are not normally available to PV guests. Not suppressing hugetlbfs use results in an endless loop of page faults when user mode code tries to access a hugetlbfs mapped area (since the hypervisor denies such PTEs to be created, but error indications can't be propagated out of xen_set_pte_at(), just like for various of its siblings), and - once killed in an oops like this: kernel BUG at .../fs/hugetlbfs/inode.c:428! invalid opcode: 0000 [#1] SMP ... RIP: e030:[] [] remove_inode_hugepages+0x25b/0x320 ... Call Trace: [] hugetlbfs_evict_inode+0x15/0x40 [] evict+0xbd/0x1b0 [] __dentry_kill+0x19a/0x1f0 [] dput+0x1fe/0x220 [] __fput+0x155/0x200 [] task_work_run+0x60/0xa0 [] do_exit+0x160/0x400 [] do_group_exit+0x3b/0xa0 [] get_signal+0x1ed/0x470 [] do_signal+0x14/0x110 [] prepare_exit_to_usermode+0xe9/0xf0 [] retint_user+0x8/0x13 This is CVE-2016-3961 / XSA-174. Reported-by: Vitaly Kuznetsov Signed-off-by: Jan Beulich Cc: Andrew Morton Cc: Andy Lutomirski Cc: Boris Ostrovsky Cc: Borislav Petkov Cc: Brian Gerst Cc: David Vrabel Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Juergen Gross Cc: Linus Torvalds Cc: Luis R. Rodriguez Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Toshi Kani Cc: stable@vger.kernel.org Cc: xen-devel Link: http://lkml.kernel.org/r/57188ED802000078000E431C@prv-mh.provo.novell.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 5a1b27489677535af7cf2ef082d0521f32fa145b Author: Dominik Dingel Date: Fri Jul 17 16:23:39 2015 -0700 s390/hugetlb: add hugepages_supported define [ Upstream commit 7f9be77555bb2e52de84e9dddf7b4eb20cc6e171 ] On s390 we only can enable hugepages if the underlying hardware/hypervisor also does support this. Common code now would assume this to be signaled by setting HPAGE_SHIFT to 0. But on s390, where we only support one hugepage size, there is a link between HPAGE_SHIFT and pageblock_order. So instead of setting HPAGE_SHIFT to 0, we will implement the check for the hardware capability. Signed-off-by: Dominik Dingel Acked-by: Martin Schwidefsky Cc: Heiko Carstens Cc: Christian Borntraeger Cc: Michael Holzheu Cc: Gerald Schaefer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ec8d85066c3a598ba747f578232d3dc89b33fa13 Author: Dominik Dingel Date: Fri Jul 17 16:23:37 2015 -0700 mm: hugetlb: allow hugepages_supported to be architecture specific [ Upstream commit 2531c8cf56a640cd7d17057df8484e570716a450 ] s390 has a constant hugepage size, by setting HPAGE_SHIFT we also change e.g. the pageblock_order, which should be independent in respect to hugepage support. With this patch every architecture is free to define how to check for hugepage support. Signed-off-by: Dominik Dingel Acked-by: Martin Schwidefsky Cc: Heiko Carstens Cc: Christian Borntraeger Cc: Michael Holzheu Cc: Gerald Schaefer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b9a11c92d2060b6bafa8babb890d9e711e8b0f5e Author: Huacai Chen Date: Tue Apr 19 19:19:11 2016 +0800 drm: Loongson-3 doesn't fully support wc memory [ Upstream commit 221004c66a58949a0f25c937a6789c0839feb530 ] Signed-off-by: Huacai Chen Cc: stable@vger.kernel.org Reviewed-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Sasha Levin commit 2719d3c05d4c93054e7c5838cc5b1906f72b465e Author: Jérôme Glisse Date: Tue Apr 19 09:07:50 2016 -0400 drm/radeon: forbid mapping of userptr bo through radeon device file [ Upstream commit b5dcec693f87cb8475f2291c0075b2422addd3d6 ] Allowing userptr bo which are basicly a list of page from some vma (so either anonymous page or file backed page) would lead to serious corruption of kernel structures and counters (because we overwrite the page->mapping field when mapping buffer). This will already block if the buffer was populated before anyone does try to mmap it because then TTM_PAGE_FLAG_SG would be set in in the ttm_tt flags. But that flag is check before ttm_tt_populate in the ttm vm fault handler. So to be safe just add a check to verify_access() callback. Reviewed-by: Christian König Signed-off-by: Jérôme Glisse Cc: Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8361444613b869bd65386042f5c217469adb0952 Author: cpaul@redhat.com Date: Mon Apr 4 19:58:47 2016 -0400 drm/dp/mst: Validate port in drm_dp_payload_send_msg() [ Upstream commit deba0a2af9592b2022a0bce7b085a318b53ce1db ] With the joys of things running concurrently, there's always a chance that the port we get passed in drm_dp_payload_send_msg() isn't actually valid anymore. Because of this, we need to make sure we validate the reference to the port before we use it otherwise we risk running into various race conditions. For instance, on the Dell MST monitor I have here for testing, hotplugging it enough times causes us to kernel panic: [drm:intel_mst_enable_dp] 1 [drm:drm_dp_update_payload_part2] payload 0 1 [drm:intel_get_hpd_pins] hotplug event received, stat 0x00200000, dig 0x10101011, pins 0x00000020 [drm:intel_hpd_irq_handler] digital hpd port B - short [drm:intel_dp_hpd_pulse] got hpd irq on port B - short [drm:intel_dp_check_mst_status] got esi 00 10 00 [drm:drm_dp_update_payload_part2] payload 1 1 general protection fault: 0000 [#1] SMP … Call Trace: [] drm_dp_update_payload_part2+0xc2/0x130 [drm_kms_helper] [] intel_mst_enable_dp+0xf8/0x180 [i915] [] haswell_crtc_enable+0x3ed/0x8c0 [i915] [] intel_atomic_commit+0x5ad/0x1590 [i915] [] ? drm_atomic_set_crtc_for_connector+0x57/0xe0 [drm] [] drm_atomic_commit+0x37/0x60 [drm] [] drm_atomic_helper_set_config+0x7a/0xb0 [drm_kms_helper] [] drm_mode_set_config_internal+0x62/0x100 [drm] [] drm_mode_setcrtc+0x3cd/0x4e0 [drm] [] drm_ioctl+0x143/0x510 [drm] [] ? drm_mode_setplane+0x1b0/0x1b0 [drm] [] ? hrtimer_start_range_ns+0x1b7/0x3a0 [] do_vfs_ioctl+0x92/0x570 [] ? __sys_recvmsg+0x42/0x80 [] SyS_ioctl+0x79/0x90 [] entry_SYSCALL_64_fastpath+0x1a/0xa4 RIP [] drm_dp_payload_send_msg+0x146/0x1f0 [drm_kms_helper] Which occurs because of the hotplug event shown in the log, which ends up causing DRM's dp helpers to drop the port we're updating the payload on and panic. CC: stable@vger.kernel.org Signed-off-by: Lyude Reviewed-by: David Airlie Signed-off-by: Dave Airlie Signed-off-by: Sasha Levin commit faaa136bc7a4ed96ffe9585b495ec8bfac0032a8 Author: Takashi Iwai Date: Thu Apr 21 17:37:54 2016 +0200 ALSA: pcxhr: Fix missing mutex unlock [ Upstream commit 67f3754b51f22b18c4820fb84062f658c30e8644 ] The commit [9bef72bdb26e: ALSA: pcxhr: Use nonatomic PCM ops] converted to non-atomic PCM ops, but shamelessly with an unbalanced mutex locking, which leads to the hangup easily. Fix it. Fixes: 9bef72bdb26e ('ALSA: pcxhr: Use nonatomic PCM ops') Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116441 Cc: # 3.18+ Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 28f83d2daecd97392c9a0580c00853a19a76a8bc Author: Sebastian Andrzej Siewior Date: Fri Apr 15 14:35:39 2016 +0200 futex: Handle unlock_pi race gracefully [ Upstream commit 89e9e66ba1b3bde9d8ea90566c2aee20697ad681 ] If userspace calls UNLOCK_PI unconditionally without trying the TID -> 0 transition in user space first then the user space value might not have the waiters bit set. This opens the following race: CPU0 CPU1 uval = get_user(futex) lock(hb) lock(hb) futex |= FUTEX_WAITERS .... unlock(hb) cmpxchg(futex, uval, newval) So the cmpxchg fails and returns -EINVAL to user space, which is wrong because the futex value is valid. To handle this (yes, yet another) corner case gracefully, check for a flag change and retry. [ tglx: Massaged changelog and slightly reworked implementation ] Fixes: ccf9e6a80d9e ("futex: Make unlock_pi more robust") Signed-off-by: Sebastian Andrzej Siewior Cc: stable@vger.kernel.org Cc: Davidlohr Bueso Cc: Darren Hart Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1460723739-5195-1-git-send-email-bigeasy@linutronix.de Signed-off-by: Thomas Gleixner Signed-off-by: Sasha Levin commit 6024877a19556baa28a422ff555c1e1e6058504d Author: Lu, Han Date: Wed Apr 20 10:08:43 2016 +0800 ALSA: hda - add PCI ID for Intel Broxton-T [ Upstream commit 9859a971ca228725425238756ee89c6133306ec8 ] Add HD Audio Device PCI ID for the Intel Broxton-T platform. It is an HDA Intel PCH controller. Signed-off-by: Lu, Han Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit c58ef7831aa0ce786fe5cdaba579bc989ae7da6a Author: Lu, Han Date: Thu Nov 19 23:25:12 2015 +0800 ALSA: hda - add PCI IDs for Intel Broxton [ Upstream commit c87693da69f979f8a4370e7bc6115dd0898d8501 ] Add HD Audio Device PCI ID for the Intel Broxton platform. It is an HDA Intel PCH controller. Signed-off-by: Lu, Han Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 0763ce11708553fc7b2124f184ce2e4bb0cb186d Author: Lars-Peter Clausen Date: Thu Apr 14 17:01:17 2016 +0200 usb: gadget: f_fs: Fix use-after-free [ Upstream commit 38740a5b87d53ceb89eb2c970150f6e94e00373a ] When using asynchronous read or write operations on the USB endpoints the issuer of the IO request is notified by calling the ki_complete() callback of the submitted kiocb when the URB has been completed. Calling this ki_complete() callback will free kiocb. Make sure that the structure is no longer accessed beyond that point, otherwise undefined behaviour might occur. Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") Cc: # v3.15+ Signed-off-by: Lars-Peter Clausen Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 18e7c4b1a1b62cacc92e2373a14db6d1d177712a Author: Alex Deucher Date: Mon Apr 18 11:19:19 2016 -0400 Revert "drm/radeon: disable runtime pm on PX laptops without dGPU power control" [ Upstream commit bfaddd9fc8ac048b99475f000dbef6f08297417f ] This reverts commit e64c952efb8e0c15ae82cec8e455ab4910690ef1. ATPX is the ACPI method for controlling AMD PowerXpress laptops. There are flags to indicate which methods are supported. If the dGPU power down flag is not supported, the driver needs to implement the dGPU power down manually. We had previously always forced the driver to assume the ATPX dGPU power down was present, but this causes problems on boards where it is not, leading to GPU hangs when attempting to power down the dGPU. Manual dGPU power down is not currently supported in the Linux driver. Some laptops indicate that the ATPX dGPU power down method is not present, but it actually apparently is. I'm not sure if this is a bios bug and it should be set or if there is a reason it was unset and the method should not be used. This is not an issue on other OSes since both the ATPX and the manual driver power down methods are supported. This is apparently fairly widespread, so just revert for now. bugs: https://bugzilla.kernel.org/show_bug.cgi?id=115321 https://bugzilla.kernel.org/show_bug.cgi?id=116581 https://bugzilla.kernel.org/show_bug.cgi?id=116251 Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 13865e4edd08ca07a9ba83c7dee081585ba13f3c Author: Alex Deucher Date: Thu Apr 14 14:15:16 2016 -0400 drm/radeon: add a quirk for a XFX R9 270X [ Upstream commit bcb31eba4a4ea356fd61cbd5dec5511c3883f57e ] bug: https://bugs.freedesktop.org/show_bug.cgi?id=76490 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 9df249b47f59ba60b2e92a83ad75666e8e8bc4a2 Author: Alex Deucher Date: Mon Mar 28 10:16:40 2016 -0400 drm/radeon: add another R7 370 quirk [ Upstream commit a64663d9870364bd2a2df62bf0d3a9fbe5ea62a8 ] bug: https://bugzilla.kernel.org/show_bug.cgi?id=115291 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit e388075f63d81be966dc967dc0e0332531f91b82 Author: Alex Deucher Date: Fri Oct 2 16:12:07 2015 -0400 drm/radeon: add quirk for ASUS R7 370 [ Upstream commit 2b02ec79004388a8c65e227bc289ed891b5ac8c6 ] Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92260 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Sasha Levin commit 95a5fa7da14d5296105307dba58a84d47f6ce7df Author: Maxim Sheviakov Date: Wed Sep 23 17:10:51 2015 -0400 drm/radeon: add quirk for MSI R7 370 [ Upstream commit e78654799135a788a941bacad3452fbd7083e518 ] Just adds the quirk for MSI R7 370 Armor 2X Bug: https://bugs.freedesktop.org/show_bug.cgi?id=91294 Signed-off-by: Maxim Sheviakov Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 90a6cf66d1112f32e4669dd99b7d0c8b6af23d01 Author: Anton Blanchard Date: Fri Apr 15 12:07:24 2016 +1000 powerpc: Update cpu_user_features2 in scan_features() [ Upstream commit beff82374b259d726e2625ec6c518a5f2613f0ae ] scan_features() updates cpu_user_features but not cpu_user_features2. Amongst other things, cpu_user_features2 contains the user TM feature bits which we must keep in sync with the kernel TM feature bit. Signed-off-by: Anton Blanchard Cc: stable@vger.kernel.org Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 85f0cb09c6458014e7bb168bc764675a06dc4dca Author: Anton Blanchard Date: Fri Apr 15 12:06:13 2016 +1000 powerpc: scan_features() updates incorrect bits for REAL_LE [ Upstream commit 6997e57d693b07289694239e52a10d2f02c3a46f ] The REAL_LE feature entry in the ibm_pa_feature struct is missing an MMU feature value, meaning all the remaining elements initialise the wrong values. This means instead of checking for byte 5, bit 0, we check for byte 0, bit 0, and then we incorrectly set the CPU feature bit as well as MMU feature bit 1 and CPU user feature bits 0 and 2 (5). Checking byte 0 bit 0 (IBM numbering), means we're looking at the "Memory Management Unit (MMU)" feature - ie. does the CPU have an MMU. In practice that bit is set on all platforms which have the property. This means we set CPU_FTR_REAL_LE always. In practice that seems not to matter because all the modern cpus which have this property also implement REAL_LE, and we've never needed to disable it. We're also incorrectly setting MMU feature bit 1, which is: #define MMU_FTR_TYPE_8xx 0x00000002 Luckily the only place that looks for MMU_FTR_TYPE_8xx is in Book3E code, which can't run on the same cpus as scan_features(). So this also doesn't matter in practice. Finally in the CPU user feature mask, we're setting bits 0 and 2. Bit 2 is not currently used, and bit 0 is: #define PPC_FEATURE_PPC_LE 0x00000001 Which says the CPU supports the old style "PPC Little Endian" mode. Again this should be harmless in practice as no 64-bit CPUs implement that mode. Fix the code by adding the missing initialisation of the MMU feature. Also add a comment marking CPU user feature bit 2 (0x4) as reserved. It would be unsafe to start using it as old kernels incorrectly set it. Fixes: 44ae3ab3358e ("powerpc: Free up some CPU feature bits by moving out MMU-related features") Signed-off-by: Anton Blanchard Cc: stable@vger.kernel.org [mpe: Flesh out changelog, add comment reserving 0x4] Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 38cadeda33b8bcbd3fa92870179cef3f39dff9a1 Author: Bastien Nocera Date: Mon Apr 18 11:10:42 2016 +0200 ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m [ Upstream commit afecb146d8d8a60a1dde9cdf570c278649617fde ] The Optiplex 9020m with Haswell-DT processor needs a quirk for the headset jack at the front of the machine to be able to use microphones. A quirk for this model was originally added in 3127899, but c77900e removed it in favour of a more generic version. Unfortunately, pin configurations can changed based on firmware/BIOS versions, and the generic version doesn't have any effect on newer versions of the machine/firmware anymore. With help from David Henningsson Signed-off-by: Bastien Nocera Tested-by: Bastien Nocera Cc: Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b34e6a486eb70ba92192c877b2904ede0a792679 Author: Ville Syrjälä Date: Thu Apr 14 14:39:02 2016 +0300 drm/i915: Use fw_domains_put_with_fifo() on HSW [ Upstream commit 31318a922395ec9e78d6e2ddf70779355afc7594 ] HSW still has the wake FIFO, so let's check it. Cc: Mika Kuoppala Cc: Deepak S Fixes: 05a2fb157e44 ("drm/i915: Consolidate forcewake code") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/1460633942-24013-1-git-send-email-ville.syrjala@linux.intel.com Cc: stable@vger.kernel.org Reviewed-by: Mika Kuoppala (cherry picked from commit 3d7d0c85e41afb5a05e98b3a8a72c38357f02594) Signed-off-by: Jani Nikula Signed-off-by: Sasha Levin commit 3fa5e41c8667e3856ba3191b7156157b8f8aaf1c Author: Tom Lendacky Date: Wed Apr 13 10:52:25 2016 -0500 crypto: ccp - Prevent information leakage on export [ Upstream commit f709b45ec461b548c41a00044dba1f1b572783bf ] Prevent information from leaking to userspace by doing a memset to 0 of the export state structure before setting the structure values and copying it. This prevents un-initialized padding areas from being copied into the export area. Cc: # 3.14.x- Reported-by: Ben Hutchings Signed-off-by: Tom Lendacky Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f6a93797957220ead95f575047f43e1d4d085205 Author: Xiaodong Liu Date: Tue Apr 12 09:45:51 2016 +0000 crypto: sha1-mb - use corrcet pointer while completing jobs [ Upstream commit 0851561d9c965df086ef8a53f981f5f95a57c2c8 ] In sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is used when check and complete other jobs. If the memory of first completed req is freed, while still completing other jobs in the func, kernel will crash since NULL pointer is assigned to RIP. Cc: Signed-off-by: Xiaodong Liu Acked-by: Tim Chen Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 56c61a30de3ff2b2327a3f4333a81ddfe3e42516 Author: Yingjoe Chen Date: Sat Apr 2 14:57:49 2016 +0800 pinctrl: mediatek: correct debounce time unit in mtk_gpio_set_debounce [ Upstream commit 5fedbb923936174ab4d1d5cc92bca1cf6b2e0ca2 ] The debounce time unit for gpio_chip.set_debounce is us but mtk_gpio_set_debounce regard it as ms. Fix this by correct debounce time array dbnc_arr so it can find correct debounce setting. Debounce time for first debounce setting is 500us, correct this as well. While I'm at it, also change the debounce time array name to "debounce_time" for readability. Cc: stable@vger.kernel.org Signed-off-by: Yingjoe Chen Reviewed-by: Daniel Kurtz Acked-by: Hongzhou Yang Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 6e39cdfc828fc5938e9d4e99f446930009ac35f2 Author: Alex Deucher Date: Wed Apr 13 12:08:27 2016 -0400 drm/radeon: fix initial connector audio value [ Upstream commit 7403c515c49c033fec33df0814fffdc977e6acdc ] This got lost somewhere along the way. This fixes audio not working until set_property was called. Noticed-by: Hyungwon Hwang Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2c8c83f64c0fb9764b486f14a08f2e3e51bcbc40 Author: Dmitry Ivanov Date: Wed Apr 6 17:23:18 2016 +0300 nl80211: check netlink protocol in socket release notification [ Upstream commit 8f815cdde3e550e10c2736990d791f60c2ce43eb ] A non-privileged user can create a netlink socket with the same port_id as used by an existing open nl80211 netlink socket (e.g. as used by a hostapd process) with a different protocol number. Closing this socket will then lead to the notification going to nl80211's socket release notification handler, and possibly cause an action such as removing a virtual interface. Fix this issue by checking that the netlink protocol is NETLINK_GENERIC. Since generic netlink has no notifier chain of its own, we can't fix the problem more generically. Fixes: 026331c4d9b5 ("cfg80211/mac80211: allow registering for and sending action frames") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Ivanov [rewrite commit message] Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 3254e46ceac3033a4f7b433d36e54da714a05bd8 Author: Dmitry Ivanov Date: Thu Apr 7 09:31:38 2016 +0200 netlink: don't send NETLINK_URELEASE for unbound sockets [ Upstream commit e27260203912b40751fa353d009eaa5a642c739f ] All existing users of NETLINK_URELEASE use it to clean up resources that were previously allocated to a socket via some command. As a result, no users require getting this notification for unbound sockets. Sending it for unbound sockets, however, is a problem because any user (including unprivileged users) can create a socket that uses the same ID as an existing socket. Binding this new socket will fail, but if the NETLINK_URELEASE notification is generated for such sockets, the users thereof will be tricked into thinking the socket that they allocated the resources for is closed. In the nl80211 case, this will cause destruction of virtual interfaces that still belong to an existing hostapd process; this is the case that Dmitry noticed. In the NFC case, it will cause a poll abort. In the case of netlink log/queue it will cause them to stop reporting events, as if NFULNL_CFG_CMD_UNBIND/NFQNL_CFG_CMD_UNBIND had been called. Fix this problem by checking that the socket is bound before generating the NETLINK_URELEASE notification. Cc: stable@vger.kernel.org Signed-off-by: Dmitry Ivanov Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9a447b1ba7d4e310a6921fe81e04e9e0ee0d31e4 Author: Sebastian Ott Date: Thu Mar 31 11:48:31 2016 +0200 s390/pci: add extra padding to function measurement block [ Upstream commit 9d89d9e61d361f3adb75e1aebe4bb367faf16cfa ] Newer machines might use a different (larger) format for function measurement blocks. To ensure that we comply with the alignment requirement on these machines and prevent memory corruption (when firmware writes more data than we expect) add 16 padding bytes at the end of the fmb. Cc: stable@vger.kernel.org # v4.1+ Signed-off-by: Sebastian Ott Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin commit 464508beeb30376f277fbfbfd9137cf19cbfa785 Author: Vladis Dronov Date: Thu Mar 31 10:53:42 2016 -0700 Input: gtco - fix crash on detecting device without endpoints [ Upstream commit 162f98dea487206d9ab79fc12ed64700667a894d ] The gtco driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it. Also let's fix a minor coding style issue. The full correct report of this issue can be found in the public Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283385 Reported-by: Ralf Spenneberg Signed-off-by: Vladis Dronov Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit fdfdfc7cdf6bfd1ec60d26f123a2b73caf9617f3 Author: Emmanuel Grumbach Date: Thu Mar 10 13:07:17 2016 +0200 iwlwifi: pcie: lower the debug level for RSA semaphore access [ Upstream commit 9fc515bc9e735c10cd327f05c20f5ef69474188d ] IWL_INFO is not an error but still printed by default. "can't access the RSA semaphore it is write protected" seems worrisome but it is not really a problem. CC: [4.1+] Signed-off-by: Emmanuel Grumbach Signed-off-by: Sasha Levin commit 183c7c8e973b01358799d1718f67dd3a94451a59 Author: Sasha Levin Date: Wed May 4 11:43:55 2016 -0400 Revert "mei: bus: move driver api functions at the start of the file" This reverts commit 79b768dec5d354aeb143f51db11e0cbb758176fb. Signed-off-by: Sasha Levin