This makes UHID_START include a "dev_flags" field that describes details
of the hid-device in the kernel. The first flags we introduce describe
whether a given report-type uses numbered reports. This is useful for
transport layers that force report-numbers and therefore might have to
prefix kernel-provided HID-messages with the report-number.

Currently, only HoG needs this and the spec only talks about "global
report numbers". That is, it's a global boolean not a per-type boolean.
However, given the quirks we already have in kernel-space, a per-type
value seems much more appropriate.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

We so far lacked support for hid_hw_raw_request(..., HID_REQ_SET_REPORT);
Add support for it and simply forward the request to user-space. Note that
SET_REPORT is synchronous, just like GET_REPORT, even though it does not
provide any data back besides an error code.

If a transport layer does SET_REPORT asynchronously, they can just ACK it
immediately by writing an uhid_set_report_reply to uhid.

This patch re-uses the synchronous uhid-report infrastructure to query
user-space. Note that this means you cannot run SET_REPORT and GET_REPORT
in parallel. However, that has always been a restriction of HID and due to
its blocking nature, this is just fine. Maybe some future transport layer
supports parallel requests (very unlikely), however, until then lets not
over-complicate things and avoid request-lookup-tables.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

We use strict prefixed in uhid.c:
  uhid_char_*: implement char-dev callbacks
  uhid_dev_*: implement uhid device management and runtime
  uhid_hid_*: implement hid-dev callbacks

uhid_raw_request is an hid callback, so rename it to uhid_hid_raw_request.

While at it, move it closer to it's extracted helpers and keep the same
order as in "struct hid_driver".
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Instead of inlining the legacy definitions into the main part of uhid.h,
keep them at the bottom now. This way, the API is much easier to read and
legacy requests can be looked up at a separate place.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

The old hdev->hid_get_raw_report() was broken by design. It was never
clear what kind of HW request it should trigger. Benjamin fixed that with
the core HID cleanup, though we never really adjusted uhid.

Unfortunately, our old UHID_FEATURE command was modelled around the broken
hid_get_raw_report(). We converted it silently to the new GET_REPORT and
nothing broke. Make this explicit by renaming UHID_FEATURE to
UHID_GET_REPORT and UHID_FEATURE_ANSWER to UHID_GET_REPORT_REPLY.

Note that this is 100% ABI compatible to UHID_FEATURE. This is just a
rename. But we have to keep the old definitions around to not break API.

>From now on, UHID_GET_REPORT must trigger a GET_REPORT request on the
user-space hardware layer. All the ambiguity due to the weird "feature"
name should be gone now.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

All accesses to @report_done are protected by qlock (or report-contexts).
No need to use an atomic.

While at it, invert the logic and call it "report_running". This is
similar to the uhid->running field and easier to read.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

All accesses to @report_id are protected by @qlock. No need to use an
atomic.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Avoid hard-coding the target buffer sizes and use sizeof() instead. This
also makes us future-proof to buffer-extensions later on.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Avoid keeping uhid->rd_data and uhid->rd_size set in case
uhid_dev_create2() fails. This is non-critical as we never flip
uhid->running and thus never enter uhid_dev_destroy(). However, it's much
nicer for debugging if pointers are only set if they point to valid data.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Instead of hard-coding the uhid_dev_create() function twice, copy any
create_req into a create2_req structure and forward it.

We allocate uhid_create_req on the stack here, but that should be fine.
Unlike uhid_create2_req it is fairly small (<1KB) and it's only used
temporarily to swap entries. uhid_dev_create2() doesn't access it.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

The report-query is blocking, so when user-space destroys a device we have
to wake up any blocking kernel context that is currently in the report-cb.
We used some broken correlation between @report_done and @running so far.
Replace it by a much more obvious use.

We now wake up the report-cb if either @report_done or @running is set.
wake_up() and wait_event() serve as implicit barriers (as they always do)
so no need to use smp_rmb/wmb directly.

Note that @report_done is never reset by anyone but the report-cb, thus
it cannot flip twice while we wait for it. And whenever we set @running,
we afterwards synchronously remove the HID device. Therefore, we wait for
all report-cbs to finish before we return. This way, @running can never
flip to true while we wait for it.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Pull HID fixes from Jiri Kosina:

 - fixes for a couple potential memory corruption problems (the HW would
   have to be manufactured to be deliberately evil to trigger those)
   found by Ben Hawkes
 - fix for potential infinite loop when using sysfs interface of
   logitech driver, from Simon Wood
 - a couple more simple driver fixes

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: fix a couple of off-by-ones
  HID: logitech: perform bounds checking on device_id early enough
  HID: logitech: fix bounds checking on LED report size
  HID: logitech: Prevent possibility of infinite loop when using /sys interface
  HID: rmi: print an error if F11 is not found instead of stopping the device
  HID: hid-sensor-hub: use devm_ functions consistently
  HID: huion: Use allocated buffer for DMA
  HID: huion: Fail on parameter retrieval errors

Pull sound fixes from Takashi Iwai:
 "A bunch of ASoC fixes with a few HD-audio fixes in this pull request.

  All fairly small, boring and device-specific fixes, in addition to
  MAINTAINERS update for better reviewing"

* tag 'sound-3.17-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda/hdmi - apply Valleyview fix-ups to Cherryview display codec
  ALSA: hda/hdmi - set depop_delay for haswell plus
  ALSA: hda - restore the gpio led after resume
  ALSA: hda/realtek - Avoid setting wrong COEF on ALC269 & co
  ASoC: pxa-ssp: drop SNDRV_PCM_FMTBIT_S24_LE
  ASoC: fsl-esai: Revert .xlate_tdm_slot_mask() support
  ASoC: mcasp: Fix implicit BLCK divider setting
  ASoC: arizona: Fix TDM slot length handling in arizona_hw_params
  ASoC: pcm512x: Correct Digital Playback control names
  ASoC: dapm: Fix uninitialized variable in snd_soc_dapm_get_enum_double()
  ASoC: Intel: Restore Baytrail ADSP streams only when ADSP was in reset
  ASoC: Intel: Wait Baytrail ADSP boot at resume_early stage
  ASoC: Intel: Merge Baytrail ADSP suspend_noirq into suspend_late
  MAINTAINERS: Add i.MX maintainers and paths to Freescale ASoC entry
  ASoC: Intel: Update Baytrail ADSP firmware name

Pull i2c fixes from Wolfram Sang:
 "Here is the fixup for the 'lowlight' of my last pull request.  I2C is
  not selected anymore by I2C_ACPI.  Instead, the code in question now
  depends on I2C=y.

  Also, Mika has agreed to support me and be the maintainer for I2C-ACPI
  related patches.  Finally, a new-ID-patch came along last week"

* 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  MAINTAINERS: add maintainer for ACPI parts of I2C
  i2c: i801: Add PCI ID for Intel Braswell
  i2c: rework kernel config I2C_ACPI

Pull ia64 update from Tony Luck:
 "Add memfd_create syscall to ia64"

* tag 'please-pull-memfd_create' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux:
  [IA64] Wire up memfd_create() system call

Pull microblaze update from Michal Simek:
 "Wire-up seccomp/getrandom/memfd_create syscalls"

* tag 'microblaze-3.17-rc2' of git://git.monstr.eu/linux-2.6-microblaze:
  microblaze: Wire-up memfd_create syscall
  microblaze: Wire-up getrandom syscall
  microblaze: Wire-up seccomp syscall

There are a few very theoretical off-by-one bugs in report descriptor size
checking when performing a pre-parsing fixup. Fix those.

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

device_index is a char type and the size of paired_dj_deivces is 7
elements, therefore proper bounds checking has to be applied to
device_index before it is used.

We are currently performing the bounds checking in
logi_dj_recv_add_djhid_device(), which is too late, as malicious device
could send REPORT_TYPE_NOTIF_DEVICE_UNPAIRED early enough and trigger the
problem in one of the report forwarding functions called from
logi_dj_raw_event().

Fix this by performing the check at the earliest possible ocasion in
logi_dj_raw_event().

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

The check on report size for REPORT_TYPE_LEDS in logi_dj_ll_raw_request()
is wrong; the current check doesn't make any sense -- the report allocated
by HID core in hid_hw_raw_request() can be much larger than
DJREPORT_SHORT_LENGTH, and currently logi_dj_ll_raw_request() doesn't
handle this properly at all.

Fix the check by actually trimming down the report size properly if it is
too large.

Cc: stable@vger.kernel.org
Reported-by: Ben Hawkes <hawkes@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

Add new memfd_create syscall.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>

Add new getrandom syscall.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>

Add new seccomp syscall.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>

Pull cifs fixes from Steve French:
 "Most important fixes in this set include three SMB3 fixes for stable
  (including fix for possible kernel oops), and a workaround to allow
  writes to Mac servers (only cifs dialect, not more current SMB2.1,
  worked to Mac servers).  Also fallocate support added, and lease fix
  from Jeff"

* 'for-linus' of git://git.samba.org/sfrench/cifs-2.6:
  [SMB3] Enable fallocate -z support for SMB3 mounts
  enable fallocate punch hole ("fallocate -p") for SMB3
  Incorrect error returned on setting file compressed on SMB2
  CIFS: Fix wrong directory attributes after rename
  CIFS: Fix SMB2 readdir error handling
  [CIFS] Possible null ptr deref in SMB2_tcon
  [CIFS] Workaround MacOS server problem with SMB2.1 write  response
  cifs: handle lease F_UNLCK requests properly
  Cleanup sparse file support by creating worker function for it
  Add sparse file support to SMB2/SMB3 mounts
  Add missing definitions for CIFS File System Attributes
  cifs: remove unused function cifs_oplock_break_wait

Pull filesystem fixes from Jan Kara:
 "udf, isofs, and ext3 bug fixes"

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  ext3: Count internal journal as bsddf overhead in ext3_statfs
  isofs: Fix unbounded recursion when processing relocated directories
  udf: avoid unneeded up_write when fail to add entry in ->symlink

Pull x86 platform driver revert from Matthew Garrett:
 "This clearly shouldn't have been merged.  No excuse on my part"

* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
  Revert "platform/x86/toshiba-apci.c possible bad if test?"

Pull KVM fixes from Paolo Bonzini:
 "Reverting a 3.16 patch, fixing two bugs in device assignment (one has
  a CVE), and fixing some problems introduced during the merge window
  (the CMA bug came in via Andrew, the x86 ones via yours truly)"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  virt/kvm/assigned-dev.c: Set 'dev->irq_source_id' to '-1' after free it
  Revert "KVM: x86: Increase the number of fixed MTRR regs to 10"
  KVM: x86: do not check CS.DPL against RPL during task switch
  KVM: x86: Avoid emulating instructions on #UD mistakenly
  PC, KVM, CMA: Fix regression caused by wrong get_order() use
  kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)

Pull SCSI fixes from James Bottomley:
 "These are the two bug fixes I mentioned in the final merge window
  pull.  One is a reversed logic check in the device busy tests which
  can cause a nasty hang and another crash seen in the new SCSI pool
  support if the use count ever goes to zero"

[ The device busy test already got merged from a patch earlier, so is
  now duplicated.  ]

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  [SCSI] save command pool address of Scsi_Host
  [SCSI] fix qemu boot hang problem

This reverts commit bdc3ae72.
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>

The journal blocks of external journal device should not
be counted as overhead.
Signed-off-by: Chin-Tsung Cheng <chintzung@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

The latest kernel fails to boot qemu arm images when using scsi
for disk access. Boot gets stuck after the following messages.

brd: module loaded
sym53c8xx 0000:00:0c.0: enabling device (0100 -> 0103)
sym0: <895a> rev 0x0 at pci 0000:00:0c.0 irq 93
sym0: No NVRAM, ID 7, Fast-40, LVD, parity checking
sym0: SCSI BUS has been reset.
scsi host0: sym-2.2.3

Bisect points to commit 71e75c97 ("scsi: convert device_busy to
atomic_t"). Code inspection shows the following suspicious change
in scsi_request_fn.

out_delay:
-       if (sdev->device_busy == 0 && !scsi_device_blocked(sdev))
+       if (atomic_read(&sdev->device_busy) && !scsi_device_blocked(sdev))
		blk_delay_queue(q, SCSI_QUEUE_DELAY);
	}

'sdev->device_busy == 0' was replaced with 'atomic_read(&sdev->device_busy)',
meaning the logic was reversed. Changing this expression to
'!atomic_read(&sdev->device_busy)' fixes the problem.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Acked-by: Jens Axboe <axboe@fb.com>
Reviewed-by: Venkatesh Srinivas <venkateshs@google.com>
Reviewed-by: Webb Scales <webbnh@hp.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

We did not check relocated directory in any way when processing Rock
Ridge 'CL' tag. Thus a corrupted isofs image can possibly have a CL
entry pointing to another CL entry leading to possibly unbounded
recursion in kernel code and thus stack overflow or deadlocks (if there
is a loop created from CL entries).

Fix the problem by not allowing CL entry to point to a directory entry
with CL entry (such use makes no good sense anyway) and by checking
whether CL entry doesn't point to itself.

CC: stable@vger.kernel.org
Reported-by: Chris Evans <cevans@google.com>
Signed-off-by: Jan Kara <jack@suse.cz>

We have released the ->i_data_sem before invoking udf_add_entry(),
so in following error path, we should not release this lock again.
Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jan Kara <jack@suse.cz>

Mika has done great work in that field, so let people know.
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>

The SMBus host controller is the same as used in Baytrail so add the new
PCI ID to the driver's list of supported IDs.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>

Commit da3c6647(I2C/ACPI: Clean up I2C ACPI code and Add CONFIG_I2C_ACPI
config) adds a new kernel config I2C_ACPI and make I2C core built in
when the config is selected. This is wrong because distributions
etc generally compile I2C as a module and the commit broken that.
This patch is to rename I2C_ACPI to ACPI_I2C_OPREGION. New config
only controls ACPI I2C operation region code and depends on I2C=y.
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
[wsa: removed unrelated change for Kconfig]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>

Pull md bugfixes from Neil Brown:
 "Here are the bug-fixes I promised :-)

  Funny how you start looking for one and other start appearing.

   - raid6 data corruption during recovery
   - raid6 livelock
   - raid10 memory leaks"

* tag 'md/3.17-fixes' of git://neil.brown.name/md:
  md/raid10: always initialise ->state on newly allocated r10_bio
  md/raid10: avoid memory leak on error path during reshape.
  md/raid10: Fix memory leak when raid10 reshape completes.
  md/raid10: fix memory leak when reshaping a RAID10.
  md/raid6: avoid data corruption during recovery of double-degraded RAID6
  md/raid5: avoid livelock caused by non-aligned writes.

Pull PCI changes from Bjorn Helgaas:
 "Marvell MVEBU
    - Remove ARCH_KIRKWOOD dependency (Andrew Lunn)

  NVIDIA Tegra
    - Add debugfs support (Thierry Reding)

  Synopsys DesignWare
    - Look for configuration space in 'reg', not 'ranges' (Kishon Vijay Abraham I)
    - Program ATU with untranslated address (Kishon Vijay Abraham I)
    - Add config access-related pcie_host_ops for v3.65 hardware (Murali Karicheri)
    - Add MSI-related pcie_host_ops for v3.65 hardware (Murali Karicheri)

  TI DRA7xx
    - Add TI DR7xx PCIe driver (Kishon Vijay Abraham I)"

* tag 'pci-v3.17-changes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: designware: Add MSI-related pcie_host_ops for v3.65 hardware
  PCI: designware: Add config access-related pcie_host_ops for v3.65 hardware
  PCI: dra7xx: Add TI DRA7xx PCIe driver
  PCI: designware: Program ATU with untranslated address
  PCI: designware: Look for configuration space in 'reg', not 'ranges'
  PCI: tegra: Add debugfs support
  PCI: mvebu: Remove ARCH_KIRKWOOD dependency

Pull devicetree fixes from Grant Likely:
 "Three more commits needed for v3.17: A bug fix for reserved regions
  based at address zero, a clarification on how to interpret existence
  of both interrupts and interrupts-extended properties, and a fix to
  allow device tree testcases to run on any platform"

* tag 'devicetree-for-linus' of git://git.secretlab.ca/git/linux:
  of/irq: Fix lookup to use 'interrupts-extended' property first
  Enabling OF selftest to run without machine's devicetree
  of: Allow mem_reserve of memory with a base address of zero

3a6bfbc9 "(arch,locking: Ciao arch_mutex_cpu_relax()") broke
building the frv arch.  Fixes errors such as:

  kernel/locking/mcs_spinlock.h:87:2: error: implicit declaration of function 'cpu_relax_lowlatency'
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Compile-tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

As a generic function, deassign_guest_irq() assumes it can be called
even if assign_guest_irq() is not be called successfully (which can be
triggered by ioctl from user mode, indirectly).

So for assign_guest_irq() failure process, need set 'dev->irq_source_id'
to -1 after free 'dev->irq_source_id', or deassign_guest_irq() may free
it again.
Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>