All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.14 000/164] 4.14.6-stable review
@ 2017-12-12 12:43 Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 001/164] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
                   ` (162 more replies)
  0 siblings, 163 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.14.6 release.
There are 164 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.14.6-rc1

Reinette Chatre <reinette.chatre@intel.com>
    x86/intel_rdt: Fix potential deadlock during resctrl unmount

Leon Romanovsky <leon@kernel.org>
    RDMA/cxgb4: Annotate r2 and stag as __be32

Zdenek Kabelac <zkabelac@redhat.com>
    md: free unused memory after bitmap resize

Heinz Mauelshagen <heinzm@redhat.com>
    dm raid: fix panic when attempting to force a raid to sync

Paul Moore <paul@paul-moore.com>
    audit: ensure that 'audit=1' actually enables audit for PID 1

Steve Grubb <sgrubb@redhat.com>
    audit: Allow auditd to set pid to 0 to end auditing

Israel Rukshin <israelr@mellanox.com>
    nvmet-rdma: update queue list during ib_device removal

Bart Van Assche <bart.vanassche@wdc.com>
    blk-mq: Avoid that request queue removal can trigger list corruption

Hongxu Jia <hongxu.jia@windriver.com>
    ide: ide-atapi: fix compile error with defining macro DEBUG

Keefe Liu <liuqifa@huawei.com>
    ipvlan: fix ipv6 outbound device

Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
    powerpc/powernv/idle: Round up latency and residency values

Masahiro Yamada <yamada.masahiro@socionext.com>
    kbuild: do not call cc-option before KBUILD_CFLAGS initialization

David Howells <dhowells@redhat.com>
    afs: Connect up the CB.ProbeUuid

David Howells <dhowells@redhat.com>
    afs: Fix total-length calculation for multiple-page send

Majd Dibbiny <majd@mellanox.com>
    IB/mlx5: Assign send CQ and recv CQ of UMR QP

Mark Bloch <markb@mellanox.com>
    IB/mlx4: Increase maximal message size under UD QP

Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
    bnxt_re: changing the ip address shouldn't affect new connections

Chao Yu <yuchao0@huawei.com>
    f2fs: fix to clear FI_NO_PREALLOC

Herbert Xu <herbert@gondor.apana.org.au>
    xfrm: Copy policy family in clone_policy

Ilya Lesokhin <ilyal@mellanox.com>
    tls: Use kzalloc for aead_request allocation

Jason Baron <jbaron@akamai.com>
    jump_label: Invoke jump_label_test() via early_initcall()

Arvind Yadav <arvind.yadav.cs@gmail.com>
    atm: horizon: Fix irq release error

Masahiro Yamada <yamada.masahiro@socionext.com>
    kbuild: rpm-pkg: fix jobserver unavailable warning

Sudeep Holla <sudeep.holla@arm.com>
    mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready

Zhong Kaihua <zhongkaihua@huawei.com>
    clk: hi3660: fix incorrect uart3 clock freqency

Masahiro Yamada <yamada.masahiro@socionext.com>
    clk: uniphier: fix DAPLL2 clock rate of Pro5

Johan Hovold <johan@kernel.org>
    clk: qcom: common: fix legacy board-clock registration

Mylene JOSSERAND <mylene.josserand@free-electrons.com>
    clk: sunxi-ng: a83t: Fix i2c buses bits

Gabriel Fernandez <gabriel.fernandez@st.com>
    clk: stm32h7: fix test of clock config

Eric Dumazet <edumazet@google.com>
    bpf: fix lockdep splat

Hangbin Liu <liuhangbin@gmail.com>
    geneve: fix fill_info when link down

Jeff Layton <jlayton@redhat.com>
    fcntl: don't leak fd reference when fixup_compat_flock fails

Xin Long <lucien.xin@gmail.com>
    sctp: use the right sk after waking up from wait_buf sleep

Xin Long <lucien.xin@gmail.com>
    sctp: do not free asoc when it is already dead in sctp_sendmsg

Miles Chen <miles.chen@mediatek.com>
    slub: fix sysfs duplicate filename creation when slub_debug=O

Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
    zsmalloc: calling zs_map_object() from irq is a bug

Pavel Tatashin <pasha.tatashin@oracle.com>
    sparc64/mm: set fields in deferred pages

Ming Lei <ming.lei@redhat.com>
    block: wake up all tasks blocked in get_request()

Johan Hovold <johan@kernel.org>
    dt-bindings: usb: fix reg-property port-number range

Darrick J. Wong <darrick.wong@oracle.com>
    xfs: fix forgotten rcu read unlock when skipping inode reclaim

Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
    nfp: fix flower offload metadata flag usage

Dirk van der Merwe <dirk.vandermerwe@netronome.com>
    nfp: inherit the max_mtu from the PF netdev

Chuck Lever <chuck.lever@oracle.com>
    sunrpc: Fix rpc_task_begin trace point

Trond Myklebust <trond.myklebust@primarydata.com>
    NFS: Fix a typo in nfs_rename()

Randy Dunlap <rdunlap@infradead.org>
    dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0

Stephen Bates <sbates@raithlin.com>
    lib/genalloc.c: make the avail variable an atomic_long_t

Joe Lawrence <joe.lawrence@redhat.com>
    pipe: match pipe_max_size data type with procfs

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'

Colin Ian King <colin.king@canonical.com>
    rsi: fix memory leak on buf and usb_reg_buf

Xin Long <lucien.xin@gmail.com>
    route: update fnhe_expires for redirect when the fnhe exists

Xin Long <lucien.xin@gmail.com>
    route: also update fnhe_genid when updating a route cache

Alexey Kodanev <alexey.kodanev@oracle.com>
    gre6: use log_ecn_error module parameter in ip6_tnl_rcv()

Ben Hutchings <ben.hutchings@codethink.co.uk>
    mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()

Dave Hansen <dave.hansen@linux.intel.com>
    x86/mpx/selftests: Fix up weird arrays

John Johansen <john.johansen@canonical.com>
    apparmor: fix leak of null profile name if profile allocation fails

Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
    powerpc/perf: Fix pmu_count to count only nest imc pmus

Masahiro Yamada <yamada.masahiro@socionext.com>
    coccinelle: fix parallel build with CHECK=scripts/coccicheck

Masahiro Yamada <yamada.masahiro@socionext.com>
    kbuild: pkg: use --transform option to prefix paths in tar

Ursula Braun <ursula.braun@de.ibm.com>
    net/smc: use sk_rcvbuf as start for rmb creation

Colin Ian King <colin.king@canonical.com>
    irqchip/qcom: Fix u32 comparison with value less than zero

Russell King <rmk+kernel@armlinux.org.uk>
    ARM: avoid faulting on qemu

Russell King <rmk+kernel@armlinux.org.uk>
    ARM: BUG if jumping to usermode address in kernel mode

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix ctr-aes-talitos

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix use of sg_link_tbl_len

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix AEAD for sha224 on non sha224 capable chips

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix setkey to check key weakness

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix memory corruption on SEC2

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix AEAD test failures

Daniel Jurgens <danielj@mellanox.com>
    IB/core: Only enforce security for InfiniBand

Parav Pandit <parav@mellanox.com>
    IB/core: Avoid unnecessary return value check

Kim Phillips <kim.phillips@arm.com>
    bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.

Marc Zyngier <marc.zyngier@arm.com>
    bus: arm-ccn: Fix use of smp_processor_id() in preemptible context

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    bus: arm-ccn: Check memory allocation failure

Marc Zyngier <marc.zyngier@arm.com>
    bus: arm-cci: Fix use of smp_processor_id() in preemptible context

Fabio Estevam <fabio.estevam@nxp.com>
    Revert "ARM: dts: imx53: add srtc node"

Will Deacon <will.deacon@arm.com>
    arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb

Will Deacon <will.deacon@arm.com>
    arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm

Dave Martin <Dave.Martin@arm.com>
    arm64: fpsimd: Prevent registers leaking from dead tasks

Marc Zyngier <marc.zyngier@arm.com>
    KVM: arm/arm64: vgic-its: Check result of allocation before use

Marc Zyngier <marc.zyngier@arm.com>
    KVM: arm/arm64: vgic: Preserve the revious read from the pending table

Marc Zyngier <marc.zyngier@arm.com>
    KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation

Christoffer Dall <christoffer.dall@linaro.org>
    KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion

Andrew Honig <ahonig@google.com>
    KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

Marc Zyngier <marc.zyngier@arm.com>
    arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one

Kristina Martsenko <kristina.martsenko@arm.com>
    arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one

Sean Young <sean@mess.org>
    media: rc: partial revert of "media: rc: per-protocol repeat period"

Sean Young <sean@mess.org>
    media: rc: sir_ir: detect presence of port

Laurent Caumont <lcaumont2@gmail.com>
    media: dvb: i2c transfers over usb cannot be done from stack

Daniel Vetter <daniel.vetter@ffwll.ch>
    drm: safely free connectors from connector_iter

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Fix vblank timestamp/frame counter jumps on gen2

Marek Szyprowski <m.szyprowski@samsung.com>
    drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU

Marek Szyprowski <m.szyprowski@samsung.com>
    drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback

Song Liu <songliubraving@fb.com>
    md/r5cache: move mddev_lock() out of r5c_journal_mode_set()

Daniel Thompson <daniel.thompson@linaro.org>
    kdb: Fix handling of kallsyms_symbol_next() return value

Arend Van Spriel <arend.vanspriel@broadcom.com>
    brcmfmac: change driver unbind order of the sdio function devices

David Spinadel <david.spinadel@intel.com>
    iwlwifi: mvm: enable RX offloading with TKIP and WEP

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: mvm: fix packet injection

Ihab Zhaika <ihab.zhaika@intel.com>
    iwlwifi: add new cards for 9260 and 22000 series

Johannes Berg <johannes.berg@intel.com>
    iwlwifi: mvm: flush queue before deleting ROC

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    iwlwifi: mvm: don't use transmit queue hang detection when it is not possible

Sara Sharon <sara.sharon@intel.com>
    iwlwifi: mvm: mark MIC stripped MPDUs

Nicholas Piggin <npiggin@gmail.com>
    powerpc/64s: Initialize ISAv3 MMU registers before setting partition table

David Gibson <david@gibson.dropbear.id.au>
    Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier"

Janosch Frank <frankja@linux.vnet.ibm.com>
    KVM: s390: Fix skey emulation permission check

Heiko Carstens <heiko.carstens@de.ibm.com>
    s390: fix compat system call table

Heiko Carstens <heiko.carstens@de.ibm.com>
    s390/mm: fix off-by-one bug in 5-level page table handling

Heiko Carstens <heiko.carstens@de.ibm.com>
    s390: always save and restore all registers on context switch

Lai Jiangshan <jiangshanlai@gmail.com>
    smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place

Robin Murphy <robin.murphy@arm.com>
    iommu/vt-d: Fix scatterlist offset handling

Jaejoong Kim <climbbb.kim@gmail.com>
    ALSA: usb-audio: Add check return value for usb_string()

Jaejoong Kim <climbbb.kim@gmail.com>
    ALSA: usb-audio: Fix out-of-bound error

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Remove spurious WARN_ON() at timer check

Robb Glasser <rglasser@google.com>
    ALSA: pcm: prevent UAF in snd_pcm_info

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - New codec support for ALC257

Jeff Mahoney <jeffm@suse.com>
    btrfs: handle errors while updating refcounts in update_ref_for_cow

Jeff Mahoney <jeffm@suse.com>
    btrfs: fix missing error return in btrfs_drop_snapshot

Radim Krčmář <rkrcmar@redhat.com>
    KVM: x86: fix APIC page invalidation

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    x86/PCI: Make broadcom_postcore_init() check acpi_disabled

Chunyu Hu <chuhu@redhat.com>
    x86/idt: Load idt early in start_secondary

Eric Biggers <ebiggers@google.com>
    X.509: fix comparisons of ->pkey_algo

Eric Biggers <ebiggers@google.com>
    X.509: reject invalid BIT STRING for subjectPublicKey

Eric Biggers <ebiggers@google.com>
    KEYS: reject NULL restriction string when type is specified

Eric Biggers <ebiggers@google.com>
    KEYS: add missing permission check for request_key() destination

Eric Biggers <ebiggers@google.com>
    ASN.1: check for error from ASN1_OP_END__ACT actions

Eric Biggers <ebiggers@google.com>
    ASN.1: fix out-of-bounds read when parsing indefinite length item

Pan Bian <bianpan2016@163.com>
    efi/esrt: Use memunmap() instead of kfree() to free the remapping

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    efi: Move some sysfs files to be read-only by root

Huacai Chen <chenhc@lemote.com>
    scsi: libsas: align sata_device's rps_resp on a cacheline

Huacai Chen <chenhc@lemote.com>
    scsi: use dma_get_cache_alignment() as minimum DMA alignment

Christoph Hellwig <hch@lst.de>
    scsi: dma-mapping: always provide dma_get_cache_alignment

William Breathitt Gray <vilhelm.gray@gmail.com>
    isa: Prevent NULL dereference in isa_bus driver callbacks

Guenter Roeck <linux@roeck-us.net>
    firmware: vpd: Fix platform driver and device registration/unregistration

Guenter Roeck <linux@roeck-us.net>
    firmware: vpd: Tie firmware kobject to device lifetime

Guenter Roeck <linux@roeck-us.net>
    firmware: vpd: Destroy vpd sections in remove function

Robin H. Johnson <robbat2@gentoo.org>
    firmware: cleanup FIRMWARE_IN_KERNEL message

Paul Meyer <Paul.Meyer@microsoft.com>
    hv: kvp: Avoid reading past allocated blocks from KVP file

K. Y. Srinivasan <kys@microsoft.com>
    Drivers: hv: vmbus: Fix a rescind issue

Gregory CLEMENT <gregory.clement@free-electrons.com>
    pinctrl: armada-37xx: Fix direction_output() callback behavior

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    iio: adc: meson-saradc: Meson8 and Meson8b do not have REG11 and REG13

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    iio: adc: meson-saradc: initialize the bandgap correctly on older SoCs

Martin Blumenstingl <martin.blumenstingl@googlemail.com>
    iio: adc: meson-saradc: fix the bit_idx of the adc_en clock

Pan Bian <bianpan2016@163.com>
    iio: adc: cpcap: fix incorrect validation

Peter Meerwald-Stadler <pmeerw@pmeerw.net>
    iio: health: max30102: Temperature should be in milli Celsius

Arnd Bergmann <arnd@arndb.de>
    iio: stm32: fix adc/trigger link error

weiping zhang <zwp10758@gmail.com>
    virtio: release virtio index when fail to device_register

Stephane Grosjean <s.grosjean@peak-system.com>
    can: peak/pcie_fd: fix potential bug in restarting tx queue

Martin Kelly <mkelly@xevo.com>
    can: usb_8dev: cancel urb on -EPIPE and -EPROTO

Martin Kelly <mkelly@xevo.com>
    can: esd_usb2: cancel urb on -EPIPE and -EPROTO

Martin Kelly <mkelly@xevo.com>
    can: ems_usb: cancel urb on -EPIPE and -EPROTO

Martin Kelly <mkelly@xevo.com>
    can: mcba_usb: cancel urb on -EPROTO

Martin Kelly <mkelly@xevo.com>
    can: kvaser_usb: cancel urb on -EPIPE and -EPROTO

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: ratelimit errors if incomplete messages are received

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: free buf in error paths

Oliver Stäbler <oliver.staebler@bytesatwork.ch>
    can: ti_hecc: Fix napi poll return value for repoll

Marc Kleine-Budde <mkl@pengutronix.de>
    can: flexcan: fix VF610 state transition issue

Stephane Grosjean <s.grosjean@peak-system.com>
    can: peak/pci: fix potential bug when probe() fails

Martin Kelly <mkelly@xevo.com>
    can: mcba_usb: fix device disconnect bug

John Keeping <john@metanate.com>
    usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT

Johan Hovold <johan@kernel.org>
    serdev: ttyport: fix tty locking in close

Johan Hovold <johan@kernel.org>
    serdev: ttyport: fix NULL-deref on hangup

Johan Hovold <johan@kernel.org>
    serdev: ttyport: add missing receive_buf sanity checks

Roger Quadros <rogerq@ti.com>
    usb: gadget: core: Fix ->udc_set_speed() speed handling

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    usb: gadget: udc: renesas_usb3: fix number of the pipes


-------------

Diffstat:

 .../devicetree/bindings/usb/usb-device.txt         |  2 +-
 Makefile                                           | 25 ++++----
 arch/arm/boot/dts/imx53.dtsi                       |  9 ---
 arch/arm/include/asm/assembler.h                   | 18 ++++++
 arch/arm/include/asm/kvm_arm.h                     |  3 +-
 arch/arm/kernel/entry-header.S                     |  6 ++
 arch/arm64/include/asm/efi.h                       |  4 +-
 arch/arm64/include/asm/kvm_arm.h                   |  3 +-
 arch/arm64/include/asm/mmu_context.h               | 46 +++++++-------
 arch/arm64/kernel/process.c                        |  9 +++
 arch/powerpc/include/asm/machdep.h                 |  1 +
 arch/powerpc/include/asm/setup.h                   |  1 +
 arch/powerpc/kernel/cpu_setup_power.S              |  2 +
 arch/powerpc/kernel/fadump.c                       | 22 -------
 arch/powerpc/kernel/setup-common.c                 | 27 +++++++++
 arch/powerpc/platforms/powernv/opal-imc.c          |  6 +-
 arch/powerpc/platforms/ps3/setup.c                 | 15 +++++
 arch/powerpc/platforms/pseries/setup.c             |  1 +
 arch/s390/include/asm/switch_to.h                  | 27 ++++-----
 arch/s390/kernel/syscalls.S                        |  6 +-
 arch/s390/kvm/priv.c                               | 11 +++-
 arch/s390/mm/pgalloc.c                             |  2 -
 arch/sparc/mm/init_64.c                            |  9 ++-
 arch/x86/include/asm/kvm_host.h                    |  3 +
 arch/x86/kernel/cpu/intel_rdt_rdtgroup.c           | 10 ++--
 arch/x86/kernel/smpboot.c                          |  2 +-
 arch/x86/kvm/vmx.c                                 |  5 --
 arch/x86/kvm/x86.c                                 | 14 +++++
 arch/x86/pci/broadcom_bus.c                        |  2 +-
 block/blk-core.c                                   |  5 +-
 crypto/asymmetric_keys/pkcs7_verify.c              |  2 +-
 crypto/asymmetric_keys/x509_cert_parser.c          |  2 +
 crypto/asymmetric_keys/x509_public_key.c           |  2 +-
 drivers/atm/horizon.c                              |  2 +-
 drivers/base/Kconfig                               | 25 ++++----
 drivers/base/isa.c                                 | 10 ++--
 drivers/bus/arm-cci.c                              |  7 ++-
 drivers/bus/arm-ccn.c                              | 11 +++-
 drivers/clk/clk-stm32h7.c                          |  4 +-
 drivers/clk/hisilicon/clk-hi3660.c                 |  2 +-
 drivers/clk/qcom/common.c                          |  6 +-
 drivers/clk/sunxi-ng/ccu-sun8i-a83t.c              |  4 +-
 drivers/clk/uniphier/clk-uniphier-sys.c            |  2 +-
 drivers/cpuidle/cpuidle-powernv.c                  |  4 +-
 drivers/crypto/talitos.c                           | 66 +++++++++++++-------
 drivers/firmware/efi/efi.c                         |  3 +-
 drivers/firmware/efi/esrt.c                        | 17 +++---
 drivers/firmware/efi/runtime-map.c                 | 10 ++--
 drivers/firmware/google/vpd.c                      | 48 +++++++++++----
 drivers/gpu/drm/bridge/analogix/analogix_dp_core.c |  2 +
 drivers/gpu/drm/drm_connector.c                    | 28 ++++++++-
 drivers/gpu/drm/drm_mode_config.c                  |  2 +
 drivers/gpu/drm/exynos/exynos_drm_gem.c            |  9 +++
 drivers/gpu/drm/i915/intel_display.c               | 51 +++++++++++-----
 drivers/hv/channel.c                               | 10 +++-
 drivers/hv/channel_mgmt.c                          |  7 ++-
 drivers/ide/ide-atapi.c                            |  6 +-
 drivers/iio/adc/cpcap-adc.c                        |  2 +-
 drivers/iio/adc/meson_saradc.c                     | 52 ++++++++++++----
 drivers/iio/health/max30102.c                      |  2 +-
 drivers/infiniband/core/security.c                 | 63 ++++++++++++++-----
 drivers/infiniband/hw/bnxt_re/ib_verbs.c           |  1 +
 drivers/infiniband/hw/cxgb4/t4fw_ri_api.h          |  4 +-
 drivers/infiniband/hw/mlx4/qp.c                    |  2 +-
 drivers/infiniband/hw/mlx5/main.c                  |  2 +
 drivers/iommu/intel-iommu.c                        |  8 ++-
 drivers/irqchip/qcom-irq-combiner.c                |  2 +-
 drivers/mailbox/mailbox-test.c                     | 11 ++--
 drivers/md/bitmap.c                                |  9 +++
 drivers/md/dm-raid.c                               | 21 +++----
 drivers/md/raid5-cache.c                           | 22 +++----
 drivers/media/rc/rc-main.c                         | 32 +++++-----
 drivers/media/rc/sir_ir.c                          | 40 +++++++++++--
 drivers/media/usb/dvb-usb/dibusb-common.c          | 16 ++++-
 drivers/net/can/flexcan.c                          |  5 +-
 drivers/net/can/peak_canfd/peak_canfd.c            |  9 +--
 drivers/net/can/peak_canfd/peak_pciefd_main.c      |  5 +-
 drivers/net/can/sja1000/peak_pci.c                 |  5 +-
 drivers/net/can/ti_hecc.c                          |  3 +
 drivers/net/can/usb/ems_usb.c                      |  2 +
 drivers/net/can/usb/esd_usb2.c                     |  2 +
 drivers/net/can/usb/kvaser_usb.c                   | 13 ++--
 drivers/net/can/usb/mcba_usb.c                     |  2 +
 drivers/net/can/usb/usb_8dev.c                     |  2 +
 drivers/net/ethernet/netronome/nfp/flower/main.h   |  3 +-
 .../net/ethernet/netronome/nfp/flower/metadata.c   |  7 ++-
 drivers/net/ethernet/netronome/nfp/nfp_net_repr.c  |  2 +
 drivers/net/geneve.c                               | 24 ++++----
 drivers/net/ipvlan/ipvlan_core.c                   |  2 +-
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |  2 +-
 drivers/net/wireless/intel/iwlwifi/fw/api/txq.h    |  4 ++
 drivers/net/wireless/intel/iwlwifi/iwl-trans.h     |  4 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c  |  2 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h       |  3 +
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c       |  1 +
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c      | 14 ++++-
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c       | 53 ++++++++++++----
 .../net/wireless/intel/iwlwifi/mvm/time-event.c    | 24 +++++++-
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c        |  3 +-
 drivers/net/wireless/intel/iwlwifi/mvm/utils.c     | 11 +++-
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c      |  2 +
 drivers/net/wireless/mac80211_hwsim.c              |  5 +-
 drivers/net/wireless/rsi/rsi_91x_usb.c             | 12 ++--
 drivers/nvme/target/rdma.c                         |  6 +-
 drivers/pinctrl/mvebu/pinctrl-armada-37xx.c        | 13 +++-
 drivers/rapidio/devices/rio_mport_cdev.c           |  3 +-
 drivers/scsi/scsi_lib.c                            | 10 ++--
 drivers/tty/serdev/serdev-ttyport.c                | 26 +++++++-
 drivers/usb/gadget/function/f_fs.c                 | 13 +++-
 drivers/usb/gadget/udc/core.c                      |  8 ++-
 drivers/usb/gadget/udc/renesas_usb3.c              |  2 +-
 drivers/virtio/virtio.c                            |  2 +
 fs/afs/cmservice.c                                 |  3 +
 fs/afs/rxrpc.c                                     | 13 +++-
 fs/btrfs/ctree.c                                   | 18 ++++--
 fs/btrfs/extent-tree.c                             |  1 +
 fs/f2fs/file.c                                     |  1 +
 fs/fcntl.c                                         |  5 +-
 fs/nfs/dir.c                                       |  2 +-
 fs/pipe.c                                          |  2 +-
 fs/xfs/xfs_inode.c                                 |  1 +
 include/drm/drm_connector.h                        |  8 +++
 include/linux/dma-mapping.h                        |  2 -
 include/linux/genalloc.h                           |  3 +-
 include/linux/hyperv.h                             |  1 +
 include/linux/iio/timer/stm32-lptim-trigger.h      |  5 +-
 include/linux/sysfs.h                              |  6 ++
 include/scsi/libsas.h                              |  2 +-
 kernel/audit.c                                     | 39 ++++++------
 kernel/bpf/percpu_freelist.c                       |  8 ++-
 kernel/cpu.c                                       | 10 ++--
 kernel/debug/kdb/kdb_io.c                          |  2 +-
 kernel/jump_label.c                                |  2 +-
 kernel/sysctl.c                                    |  2 +-
 lib/asn1_decoder.c                                 | 49 ++++++++-------
 lib/dynamic_debug.c                                |  4 ++
 lib/genalloc.c                                     | 10 ++--
 mm/slub.c                                          |  4 ++
 mm/zsmalloc.c                                      |  2 +-
 net/ipv4/route.c                                   | 14 +++--
 net/ipv6/ip6_gre.c                                 |  2 +-
 net/sctp/socket.c                                  | 38 ++++++++----
 net/smc/smc_core.c                                 |  2 +-
 net/sunrpc/sched.c                                 |  3 +-
 net/tls/tls_sw.c                                   |  2 +-
 net/xfrm/xfrm_policy.c                             |  1 +
 scripts/coccicheck                                 | 15 +++--
 scripts/package/Makefile                           |  9 ++-
 security/apparmor/policy.c                         |  3 +-
 security/keys/keyctl.c                             | 24 ++++----
 security/keys/request_key.c                        | 46 +++++++++++---
 sound/core/pcm.c                                   |  2 +
 sound/core/seq/seq_timer.c                         |  2 +-
 sound/pci/hda/patch_realtek.c                      |  8 +++
 sound/usb/mixer.c                                  | 13 ++--
 tools/hv/hv_kvp_daemon.c                           | 70 +++++-----------------
 tools/testing/selftests/x86/mpx-hw.h               |  4 +-
 virt/kvm/arm/hyp/vgic-v2-sr.c                      |  4 --
 virt/kvm/arm/vgic/vgic-irqfd.c                     |  3 +-
 virt/kvm/arm/vgic/vgic-its.c                       |  2 +
 virt/kvm/arm/vgic/vgic-v3.c                        |  2 +-
 virt/kvm/kvm_main.c                                |  8 +++
 162 files changed, 1132 insertions(+), 586 deletions(-)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 001/164] usb: gadget: udc: renesas_usb3: fix number of the pipes
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 002/164] usb: gadget: core: Fix ->udc_set_speed() speed handling Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yoshihiro Shimoda, Felipe Balbi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit a58204ab91ad8cae4d8474aa0ba5d1fc504860c9 upstream.

This controller on R-Car Gen3 has 6 pipes that included PIPE 0 for
control actually. But, the datasheet has error in writing as it has
31 pipes. (However, the previous code defined 30 pipes wrongly...)

Anyway, this patch fixes it.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/renesas_usb3.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -254,7 +254,7 @@
 #define USB3_EP0_SS_MAX_PACKET_SIZE	512
 #define USB3_EP0_HSFS_MAX_PACKET_SIZE	64
 #define USB3_EP0_BUF_SIZE		8
-#define USB3_MAX_NUM_PIPES		30
+#define USB3_MAX_NUM_PIPES		6	/* This includes PIPE 0 */
 #define USB3_WAIT_US			3
 #define USB3_DMA_NUM_SETTING_AREA	4
 /*

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 002/164] usb: gadget: core: Fix ->udc_set_speed() speed handling
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 001/164] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 003/164] serdev: ttyport: add missing receive_buf sanity checks Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dylan Howey, Roger Quadros, Felipe Balbi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roger Quadros <rogerq@ti.com>

commit a4f0927ef588cf62bb864707261482c874352942 upstream.

Currently UDC core calls ->udc_set_speed() with the speed parameter
containing the maximum speed supported by the gadget function
driver. This might very well be more than that supported by the
UDC controller driver.

Select the lesser of the 2 speeds so both UDC and gadget function
driver are operating within limits.

This fixes PHY Erratic errors and 2 second enumeration delay on
TI's AM437x platforms.

Fixes: 6099eca796ae ("usb: gadget: core: introduce ->udc_set_speed() method")
Reported-by: Dylan Howey <Dylan.Howey@tennantco.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/core.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1080,8 +1080,12 @@ static inline void usb_gadget_udc_stop(s
 static inline void usb_gadget_udc_set_speed(struct usb_udc *udc,
 					    enum usb_device_speed speed)
 {
-	if (udc->gadget->ops->udc_set_speed)
-		udc->gadget->ops->udc_set_speed(udc->gadget, speed);
+	if (udc->gadget->ops->udc_set_speed) {
+		enum usb_device_speed s;
+
+		s = min(speed, udc->gadget->max_speed);
+		udc->gadget->ops->udc_set_speed(udc->gadget, s);
+	}
 }
 
 /**

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 003/164] serdev: ttyport: add missing receive_buf sanity checks
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 001/164] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 002/164] usb: gadget: core: Fix ->udc_set_speed() speed handling Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 004/164] serdev: ttyport: fix NULL-deref on hangup Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit eb281683621b71ab9710d9dccbbef0c2e1769c97 upstream.

The receive_buf tty-port callback should return the number of bytes
accepted and must specifically never return a negative errno (or a value
larger than the buffer size) to the tty layer.

A serdev driver not providing a receive_buf callback would currently
cause the flush_to_ldisc() worker to spin in a tight loop when the tty
buffer pointers are incremented with -EINVAL (-22) after data has been
received.

A serdev driver occasionally returning a negative errno (or a too large
byte count) could cause information leaks or crashes when accessing
memory outside the tty buffers in consecutive callbacks.

Fixes: cd6484e1830b ("serdev: Introduce new bus for serial attached devices")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serdev/serdev-ttyport.c |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/tty/serdev/serdev-ttyport.c
+++ b/drivers/tty/serdev/serdev-ttyport.c
@@ -35,11 +35,22 @@ static int ttyport_receive_buf(struct tt
 {
 	struct serdev_controller *ctrl = port->client_data;
 	struct serport *serport = serdev_controller_get_drvdata(ctrl);
+	int ret;
 
 	if (!test_bit(SERPORT_ACTIVE, &serport->flags))
 		return 0;
 
-	return serdev_controller_receive_buf(ctrl, cp, count);
+	ret = serdev_controller_receive_buf(ctrl, cp, count);
+
+	dev_WARN_ONCE(&ctrl->dev, ret < 0 || ret > count,
+				"receive_buf returns %d (count = %zu)\n",
+				ret, count);
+	if (ret < 0)
+		return 0;
+	else if (ret > count)
+		return count;
+
+	return ret;
 }
 
 static void ttyport_write_wakeup(struct tty_port *port)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 004/164] serdev: ttyport: fix NULL-deref on hangup
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 003/164] serdev: ttyport: add missing receive_buf sanity checks Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 005/164] serdev: ttyport: fix tty locking in close Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 8bcd4e6a8decac251d55c4377e2e67f052777ce0 upstream.

Make sure to use a properly refcounted tty_struct in write_wake up to
avoid dereferencing a NULL-pointer when a port is being hung up.

Fixes: bed35c6dfa6a ("serdev: add a tty port controller driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serdev/serdev-ttyport.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/tty/serdev/serdev-ttyport.c
+++ b/drivers/tty/serdev/serdev-ttyport.c
@@ -57,12 +57,19 @@ static void ttyport_write_wakeup(struct
 {
 	struct serdev_controller *ctrl = port->client_data;
 	struct serport *serport = serdev_controller_get_drvdata(ctrl);
+	struct tty_struct *tty;
 
-	if (test_and_clear_bit(TTY_DO_WRITE_WAKEUP, &port->tty->flags) &&
+	tty = tty_port_tty_get(port);
+	if (!tty)
+		return;
+
+	if (test_and_clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags) &&
 	    test_bit(SERPORT_ACTIVE, &serport->flags))
 		serdev_controller_write_wakeup(ctrl);
 
-	wake_up_interruptible_poll(&port->tty->write_wait, POLLOUT);
+	wake_up_interruptible_poll(&tty->write_wait, POLLOUT);
+
+	tty_kref_put(tty);
 }
 
 static const struct tty_port_client_operations client_ops = {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 005/164] serdev: ttyport: fix tty locking in close
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 004/164] serdev: ttyport: fix NULL-deref on hangup Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 006/164] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 90dbad8cd6efccbdce109d5ef0724f8434a6cdde upstream.

Make sure to hold the tty lock as required when calling tty-driver
close() (e.g. to avoid racing with hangup()).

Note that the serport active flag is currently set under the lock at
controller open, but really isn't protected by it.

Fixes: cd6484e1830b ("serdev: Introduce new bus for serial attached devices")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serdev/serdev-ttyport.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/tty/serdev/serdev-ttyport.c
+++ b/drivers/tty/serdev/serdev-ttyport.c
@@ -149,8 +149,10 @@ static void ttyport_close(struct serdev_
 
 	clear_bit(SERPORT_ACTIVE, &serport->flags);
 
+	tty_lock(tty);
 	if (tty->ops->close)
 		tty->ops->close(tty, NULL);
+	tty_unlock(tty);
 
 	tty_release_struct(tty, serport->tty_idx);
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 006/164] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 005/164] serdev: ttyport: fix tty locking in close Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 007/164] can: mcba_usb: fix device disconnect bug Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John Keeping, Felipe Balbi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Keeping <john@metanate.com>

commit a3acc696085e112733d191a77b106e67a4fa110b upstream.

The specification says that the Reserved1 field in OS_DESC_EXT_COMPAT
must have the value "1", but when this feature was first implemented we
rejected any non-zero values.

This was adjusted to accept all non-zero values (while now rejecting
zero) in commit 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on
reserved1 of OS_DESC_EXT_COMPAT"), but that breaks any userspace
programs that worked previously by returning EINVAL when Reserved1 == 0
which was previously the only value that succeeded!

If we just set the field to "1" ourselves, both old and new userspace
programs continue to work correctly and, as a bonus, old programs are
now compliant with the specification without having to fix anything
themselves.

Fixes: 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT")
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/function/f_fs.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2286,9 +2286,18 @@ static int __ffs_data_do_os_desc(enum ff
 		int i;
 
 		if (len < sizeof(*d) ||
-		    d->bFirstInterfaceNumber >= ffs->interfaces_count ||
-		    !d->Reserved1)
+		    d->bFirstInterfaceNumber >= ffs->interfaces_count)
 			return -EINVAL;
+		if (d->Reserved1 != 1) {
+			/*
+			 * According to the spec, Reserved1 must be set to 1
+			 * but older kernels incorrectly rejected non-zero
+			 * values.  We fix it here to avoid returning EINVAL
+			 * in response to values we used to accept.
+			 */
+			pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n");
+			d->Reserved1 = 1;
+		}
 		for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i)
 			if (d->Reserved2[i])
 				return -EINVAL;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 007/164] can: mcba_usb: fix device disconnect bug
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 006/164] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 008/164] can: peak/pci: fix potential bug when probe() fails Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 1cb35a33a28394fd711bb26ddf3a564f4e9d9125 upstream.

Currently, when you disconnect the device, the driver infinitely
resubmits all URBs, so you see:

Rx URB aborted (-32)

in an infinite loop.

Fix this by catching -EPIPE (what we get in urb->status when the device
disconnects) and not resubmitting.

With this patch, I can plug and unplug many times and the driver
recovers correctly.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/mcba_usb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -592,6 +592,7 @@ static void mcba_usb_read_bulk_callback(
 		break;
 
 	case -ENOENT:
+	case -EPIPE:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 008/164] can: peak/pci: fix potential bug when probe() fails
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 007/164] can: mcba_usb: fix device disconnect bug Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 009/164] can: flexcan: fix VF610 state transition issue Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephane Grosjean, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephane Grosjean <s.grosjean@peak-system.com>

commit 5c2cb02edf79ad79d9b8d07c6d52243a948c4c9f upstream.

PCI/PCIe drivers for PEAK-System CAN/CAN-FD interfaces do some access to the
PCI config during probing. In case one of these accesses fails, a POSITIVE
PCIBIOS_xxx error code is returned back. This POSITIVE error code MUST be
converted into a NEGATIVE errno for the probe() function to indicate it
failed. Using the pcibios_err_to_errno() function, we make sure that the
return code will always be negative.

Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/peak_canfd/peak_pciefd_main.c |    5 ++++-
 drivers/net/can/sja1000/peak_pci.c            |    5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/can/peak_canfd/peak_pciefd_main.c
+++ b/drivers/net/can/peak_canfd/peak_pciefd_main.c
@@ -825,7 +825,10 @@ err_release_regions:
 err_disable_pci:
 	pci_disable_device(pdev);
 
-	return err;
+	/* pci_xxx_config_word() return positive PCIBIOS_xxx error codes while
+	 * the probe() function must return a negative errno in case of failure
+	 * (err is unchanged if negative) */
+	return pcibios_err_to_errno(err);
 }
 
 /* free the board structure object, as well as its resources: */
--- a/drivers/net/can/sja1000/peak_pci.c
+++ b/drivers/net/can/sja1000/peak_pci.c
@@ -717,7 +717,10 @@ failure_release_regions:
 failure_disable_pci:
 	pci_disable_device(pdev);
 
-	return err;
+	/* pci_xxx_config_word() return positive PCIBIOS_xxx error codes while
+	 * the probe() function must return a negative errno in case of failure
+	 * (err is unchanged if negative) */
+	return pcibios_err_to_errno(err);
 }
 
 static void peak_pci_remove(struct pci_dev *pdev)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 009/164] can: flexcan: fix VF610 state transition issue
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 008/164] can: peak/pci: fix potential bug when probe() fails Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 011/164] can: kvaser_usb: free buf in error paths Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mirza Krak, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 29c64b17a0bc72232acc45e9533221d88a262efb upstream.

Enable FLEXCAN_QUIRK_BROKEN_PERR_STATE for VF610 to report correct state
transitions.

Tested-by: Mirza Krak <mirza.krak@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/flexcan.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -189,7 +189,7 @@
  *   MX35  FlexCAN2  03.00.00.00     no        no         ?       no        no
  *   MX53  FlexCAN2  03.00.00.00    yes        no        no       no        no
  *   MX6s  FlexCAN3  10.00.12.00    yes       yes        no       no       yes
- *   VF610 FlexCAN3  ?               no       yes         ?      yes       yes?
+ *   VF610 FlexCAN3  ?               no       yes        no      yes       yes?
  *
  * Some SOCs do not have the RX_WARN & TX_WARN interrupt line connected.
  */
@@ -297,7 +297,8 @@ static const struct flexcan_devtype_data
 
 static const struct flexcan_devtype_data fsl_vf610_devtype_data = {
 	.quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
-		FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP,
+		FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP |
+		FLEXCAN_QUIRK_BROKEN_PERR_STATE,
 };
 
 static const struct can_bittiming_const flexcan_bittiming_const = {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 011/164] can: kvaser_usb: free buf in error paths
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 009/164] can: flexcan: fix VF610 state transition issue Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 012/164] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit 435019b48033138581a6171093b181fc6b4d3d30 upstream.

The allocated buffer was not freed if usb_submit_urb() failed.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -813,6 +813,7 @@ static int kvaser_usb_simple_msg_async(s
 	if (err) {
 		netdev_err(netdev, "Error transmitting URB\n");
 		usb_unanchor_urb(urb);
+		kfree(buf);
 		usb_free_urb(urb);
 		return err;
 	}
@@ -1768,6 +1769,7 @@ static netdev_tx_t kvaser_usb_start_xmit
 		spin_unlock_irqrestore(&priv->tx_contexts_lock, flags);
 
 		usb_unanchor_urb(urb);
+		kfree(buf);
 
 		stats->tx_dropped++;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 012/164] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 011/164] can: kvaser_usb: free buf in error paths Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 013/164] can: kvaser_usb: ratelimit errors if incomplete messages are received Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit e84f44eb5523401faeb9cc1c97895b68e3cfb78d upstream.

The conditon in the while-loop becomes true when actual_length is less than
2 (MSG_HEADER_LEN). In best case we end up with a former, already
dispatched msg, that got msg->len greater than actual_length. This will
result in a "Format error" error printout.

Problem seen when unplugging a Kvaser USB device connected to a vbox guest.

warning: comparison between signed and unsigned integer expressions
[-Wsign-compare]

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1334,7 +1334,7 @@ static void kvaser_usb_read_bulk_callbac
 		goto resubmit_urb;
 	}
 
-	while (pos <= urb->actual_length - MSG_HEADER_LEN) {
+	while (pos <= (int)(urb->actual_length - MSG_HEADER_LEN)) {
 		msg = urb->transfer_buffer + pos;
 
 		/* The Kvaser firmware can only read and write messages that

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 013/164] can: kvaser_usb: ratelimit errors if incomplete messages are received
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 012/164] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 014/164] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit 8bd13bd522ff7dfa0eb371921aeb417155f7a3be upstream.

Avoid flooding the kernel log with "Formate error", if incomplete message
are received.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -609,8 +609,8 @@ static int kvaser_usb_wait_msg(const str
 			}
 
 			if (pos + tmp->len > actual_len) {
-				dev_err(dev->udev->dev.parent,
-					"Format error\n");
+				dev_err_ratelimited(dev->udev->dev.parent,
+						    "Format error\n");
 				break;
 			}
 
@@ -1353,7 +1353,8 @@ static void kvaser_usb_read_bulk_callbac
 		}
 
 		if (pos + msg->len > urb->actual_length) {
-			dev_err(dev->udev->dev.parent, "Format error\n");
+			dev_err_ratelimited(dev->udev->dev.parent,
+					    "Format error\n");
 			break;
 		}
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 014/164] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 013/164] can: kvaser_usb: ratelimit errors if incomplete messages are received Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 015/164] can: mcba_usb: cancel urb on -EPROTO Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 6aa8d5945502baf4687d80de59b7ac865e9e666b upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1326,6 +1326,8 @@ static void kvaser_usb_read_bulk_callbac
 	case 0:
 		break;
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 	default:

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 015/164] can: mcba_usb: cancel urb on -EPROTO
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 014/164] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 016/164] can: ems_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit c7f33023308f3142433b7379718af5f0c2c322a6 upstream.

When we unplug the device, we can see both -EPIPE and -EPROTO depending
on exact timing and what system we run on. If we continue to resubmit
URBs, they will immediately fail, and they can cause stalls, especially
on slower CPUs.

Fix this by not resubmitting on -EPROTO, as we already do on -EPIPE.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/mcba_usb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -593,6 +593,7 @@ static void mcba_usb_read_bulk_callback(
 
 	case -ENOENT:
 	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 016/164] can: ems_usb: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 015/164] can: mcba_usb: cancel urb on -EPROTO Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 017/164] can: esd_usb2: " Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit bd352e1adfe0d02d3ea7c8e3fb19183dc317e679 upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/ems_usb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -288,6 +288,8 @@ static void ems_usb_read_interrupt_callb
 
 	case -ECONNRESET: /* unlink */
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 017/164] can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 016/164] can: ems_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 018/164] can: usb_8dev: " Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 7a31ced3de06e9878e4f9c3abe8f87d9344d8144 upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/esd_usb2.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
@@ -393,6 +393,8 @@ static void esd_usb2_read_bulk_callback(
 		break;
 
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 018/164] can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 017/164] can: esd_usb2: " Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 019/164] can: peak/pcie_fd: fix potential bug in restarting tx queue Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 12147edc434c9e4c7c2f5fee2e5519b2e5ac34ce upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/usb_8dev.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -524,6 +524,8 @@ static void usb_8dev_read_bulk_callback(
 		break;
 
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 019/164] can: peak/pcie_fd: fix potential bug in restarting tx queue
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 018/164] can: usb_8dev: " Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 020/164] virtio: release virtio index when fail to device_register Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephane Grosjean, Marc Kleine-Budde

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephane Grosjean <s.grosjean@peak-system.com>

commit 91785de6f94b58c3fb6664609e3682f011bd28d2 upstream.

Don't rely on can_get_echo_skb() return value to wake the network tx
queue up: can_get_echo_skb() returns 0 if the echo array slot was not
occupied, but also when the DLC of the released echo frame was 0.

Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/peak_canfd/peak_canfd.c |    9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

--- a/drivers/net/can/peak_canfd/peak_canfd.c
+++ b/drivers/net/can/peak_canfd/peak_canfd.c
@@ -258,21 +258,18 @@ static int pucan_handle_can_rx(struct pe
 	/* if this frame is an echo, */
 	if ((rx_msg_flags & PUCAN_MSG_LOOPED_BACK) &&
 	    !(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) {
-		int n;
 		unsigned long flags;
 
 		spin_lock_irqsave(&priv->echo_lock, flags);
-		n = can_get_echo_skb(priv->ndev, msg->client);
+		can_get_echo_skb(priv->ndev, msg->client);
 		spin_unlock_irqrestore(&priv->echo_lock, flags);
 
 		/* count bytes of the echo instead of skb */
 		stats->tx_bytes += cf_len;
 		stats->tx_packets++;
 
-		if (n) {
-			/* restart tx queue only if a slot is free */
-			netif_wake_queue(priv->ndev);
-		}
+		/* restart tx queue (a slot is free) */
+		netif_wake_queue(priv->ndev);
 
 		return 0;
 	}

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 020/164] virtio: release virtio index when fail to device_register
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 019/164] can: peak/pcie_fd: fix potential bug in restarting tx queue Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 021/164] iio: stm32: fix adc/trigger link error Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, weiping zhang, Cornelia Huck,
	Michael S. Tsirkin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: weiping zhang <zwp10758@gmail.com>

commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.

index can be reused by other virtio device.

Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/virtio/virtio.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio.c
+++ b/drivers/virtio/virtio.c
@@ -333,6 +333,8 @@ int register_virtio_device(struct virtio
 	/* device_register() causes the bus infrastructure to look for a
 	 * matching driver. */
 	err = device_register(&dev->dev);
+	if (err)
+		ida_simple_remove(&virtio_index_ida, dev->index);
 out:
 	if (err)
 		virtio_add_status(dev, VIRTIO_CONFIG_S_FAILED);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 021/164] iio: stm32: fix adc/trigger link error
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 020/164] virtio: release virtio index when fail to device_register Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 022/164] iio: health: max30102: Temperature should be in milli Celsius Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Jonathan Cameron

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 6d745ee8b5e81f3a33791e3c854fbbfd6f3e585e upstream.

The ADC driver can trigger on either the timer or the lptim
trigger, but it only uses a Kconfig 'select' statement
to ensure that the first of the two is present. When the lptim
trigger is enabled as a loadable module, and the adc driver
is built-in, we now get a link error:

drivers/iio/adc/stm32-adc.o: In function `stm32_adc_get_trig_extsel':
stm32-adc.c:(.text+0x4e0): undefined reference to `is_stm32_lptim_trigger'

We could use a second 'select' statement and always have both
trigger drivers enabled when the adc driver is, but it seems that
the lptimer trigger was intentionally left optional, so it seems
better to keep it that way.

This adds a hack to use 'IS_REACHABLE()' rather than 'IS_ENABLED()',
which avoids the link error, but instead leads to the lptimer trigger
not being used in the broken configuration. I've added a runtime
warning for this case to help users figure out what they did wrong
if this should ever be done by accident.

Fixes: f0b638a7f6db ("iio: adc: stm32: add support for lptimer triggers")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/iio/timer/stm32-lptim-trigger.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/include/linux/iio/timer/stm32-lptim-trigger.h
+++ b/include/linux/iio/timer/stm32-lptim-trigger.h
@@ -16,11 +16,14 @@
 #define LPTIM2_OUT	"lptim2_out"
 #define LPTIM3_OUT	"lptim3_out"
 
-#if IS_ENABLED(CONFIG_IIO_STM32_LPTIMER_TRIGGER)
+#if IS_REACHABLE(CONFIG_IIO_STM32_LPTIMER_TRIGGER)
 bool is_stm32_lptim_trigger(struct iio_trigger *trig);
 #else
 static inline bool is_stm32_lptim_trigger(struct iio_trigger *trig)
 {
+#if IS_ENABLED(CONFIG_IIO_STM32_LPTIMER_TRIGGER)
+	pr_warn_once("stm32 lptim_trigger not linked in\n");
+#endif
 	return false;
 }
 #endif

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 022/164] iio: health: max30102: Temperature should be in milli Celsius
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 021/164] iio: stm32: fix adc/trigger link error Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 023/164] iio: adc: cpcap: fix incorrect validation Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Meerwald-Stadler,
	Matt Ranostay, Jonathan Cameron

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Meerwald-Stadler <pmeerw@pmeerw.net>

commit ad44a9f804c1591ba2a2ec0ac8d916a515d2790c upstream.

As per ABI temperature should be in milli Celsius after scaling,
not Celsius

Note on stable cc.  This driver is breaking the standard IIO
ABI. (JC)

Signed-off-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/health/max30102.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/health/max30102.c
+++ b/drivers/iio/health/max30102.c
@@ -371,7 +371,7 @@ static int max30102_read_raw(struct iio_
 		mutex_unlock(&indio_dev->mlock);
 		break;
 	case IIO_CHAN_INFO_SCALE:
-		*val = 1;  /* 0.0625 */
+		*val = 1000;  /* 62.5 */
 		*val2 = 16;
 		ret = IIO_VAL_FRACTIONAL;
 		break;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 023/164] iio: adc: cpcap: fix incorrect validation
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 022/164] iio: health: max30102: Temperature should be in milli Celsius Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 024/164] iio: adc: meson-saradc: fix the bit_idx of the adc_en clock Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pan Bian, Sebastian Reichel,
	Tony Lindgren, Jonathan Cameron

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 81b039ec36a41a5451e1e36f05bb055eceab1dc8 upstream.

Function platform_get_irq_byname() returns a negative error code on
failure, and a zero or positive number on success. However, in function
cpcap_adc_probe(), positive IRQ numbers are also taken as error cases.
Use "if (ddata->irq < 0)" instead of "if (!ddata->irq)" to validate the
return value of platform_get_irq_byname().

Signed-off-by: Pan Bian <bianpan2016@163.com>
Fixes: 25ec249632d50 ("iio: adc: cpcap: Add minimal support for CPCAP PMIC ADC")
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/cpcap-adc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/cpcap-adc.c
+++ b/drivers/iio/adc/cpcap-adc.c
@@ -1012,7 +1012,7 @@ static int cpcap_adc_probe(struct platfo
 	platform_set_drvdata(pdev, indio_dev);
 
 	ddata->irq = platform_get_irq_byname(pdev, "adcdone");
-	if (!ddata->irq)
+	if (ddata->irq < 0)
 		return -ENODEV;
 
 	error = devm_request_threaded_irq(&pdev->dev, ddata->irq, NULL,

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 024/164] iio: adc: meson-saradc: fix the bit_idx of the adc_en clock
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 023/164] iio: adc: cpcap: fix incorrect validation Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 025/164] iio: adc: meson-saradc: initialize the bandgap correctly on older SoCs Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Jonathan Cameron

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit 7a6b0420d2fe4ce59437bd318826fe468f0d71ae upstream.

Meson8 and Meson8b SoCs use the the SAR ADC gate clock provided by the
MESON_SAR_ADC_REG3 register within the SAR ADC register area.
According to the datasheet (and the existing MESON_SAR_ADC_REG3_CLK_EN
definition) the gate is on bit 30.
The fls() function returns the last set bit, which is "bit index + 1"
(fls(MESON_SAR_ADC_REG3_CLK_EN) returns 31). Fix this by switching to
__ffs() which returns the first set bit, which is bit 30 in our case.

This off by one error results in the ADC not being usable on devices
where the bootloader did not enable the clock.

Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/meson_saradc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/meson_saradc.c
+++ b/drivers/iio/adc/meson_saradc.c
@@ -600,7 +600,7 @@ static int meson_sar_adc_clk_init(struct
 	init.num_parents = 1;
 
 	priv->clk_gate.reg = base + MESON_SAR_ADC_REG3;
-	priv->clk_gate.bit_idx = fls(MESON_SAR_ADC_REG3_CLK_EN);
+	priv->clk_gate.bit_idx = __ffs(MESON_SAR_ADC_REG3_CLK_EN);
 	priv->clk_gate.hw.init = &init;
 
 	priv->adc_clk = devm_clk_register(&indio_dev->dev, &priv->clk_gate.hw);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 025/164] iio: adc: meson-saradc: initialize the bandgap correctly on older SoCs
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 024/164] iio: adc: meson-saradc: fix the bit_idx of the adc_en clock Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 026/164] iio: adc: meson-saradc: Meson8 and Meson8b do not have REG11 and REG13 Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Jonathan Cameron

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit d85eed9f576369bc90322659de96b7dbea1f9a57 upstream.

Meson8 and Meson8b do not have the MESON_SAR_ADC_REG11 register. The
bandgap setting for these SoCs is configured in the
MESON_SAR_ADC_DELTA_10 register instead.
Make the driver aware of this difference and use the correct bandgap
register depending on the SoC.
This has worked fine on Meson8 and Meson8b because the bootloader is
already initializing the bandgap setting.

Fixes: 6c76ed31cd05 ("iio: adc: meson-saradc: add Meson8b SoC compatibility")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/meson_saradc.c |   33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

--- a/drivers/iio/adc/meson_saradc.c
+++ b/drivers/iio/adc/meson_saradc.c
@@ -221,6 +221,7 @@ enum meson_sar_adc_chan7_mux_sel {
 
 struct meson_sar_adc_data {
 	bool					has_bl30_integration;
+	u32					bandgap_reg;
 	unsigned int				resolution;
 	const char				*name;
 };
@@ -685,6 +686,20 @@ static int meson_sar_adc_init(struct iio
 	return 0;
 }
 
+static void meson_sar_adc_set_bandgap(struct iio_dev *indio_dev, bool on_off)
+{
+	struct meson_sar_adc_priv *priv = iio_priv(indio_dev);
+	u32 enable_mask;
+
+	if (priv->data->bandgap_reg == MESON_SAR_ADC_REG11)
+		enable_mask = MESON_SAR_ADC_REG11_BANDGAP_EN;
+	else
+		enable_mask = MESON_SAR_ADC_DELTA_10_TS_VBG_EN;
+
+	regmap_update_bits(priv->regmap, priv->data->bandgap_reg, enable_mask,
+			   on_off ? enable_mask : 0);
+}
+
 static int meson_sar_adc_hw_enable(struct iio_dev *indio_dev)
 {
 	struct meson_sar_adc_priv *priv = iio_priv(indio_dev);
@@ -717,9 +732,9 @@ static int meson_sar_adc_hw_enable(struc
 	regval = FIELD_PREP(MESON_SAR_ADC_REG0_FIFO_CNT_IRQ_MASK, 1);
 	regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG0,
 			   MESON_SAR_ADC_REG0_FIFO_CNT_IRQ_MASK, regval);
-	regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG11,
-			   MESON_SAR_ADC_REG11_BANDGAP_EN,
-			   MESON_SAR_ADC_REG11_BANDGAP_EN);
+
+	meson_sar_adc_set_bandgap(indio_dev, true);
+
 	regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG3,
 			   MESON_SAR_ADC_REG3_ADC_EN,
 			   MESON_SAR_ADC_REG3_ADC_EN);
@@ -739,8 +754,7 @@ static int meson_sar_adc_hw_enable(struc
 err_adc_clk:
 	regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG3,
 			   MESON_SAR_ADC_REG3_ADC_EN, 0);
-	regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG11,
-			   MESON_SAR_ADC_REG11_BANDGAP_EN, 0);
+	meson_sar_adc_set_bandgap(indio_dev, false);
 	clk_disable_unprepare(priv->sana_clk);
 err_sana_clk:
 	clk_disable_unprepare(priv->core_clk);
@@ -765,8 +779,8 @@ static int meson_sar_adc_hw_disable(stru
 
 	regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG3,
 			   MESON_SAR_ADC_REG3_ADC_EN, 0);
-	regmap_update_bits(priv->regmap, MESON_SAR_ADC_REG11,
-			   MESON_SAR_ADC_REG11_BANDGAP_EN, 0);
+
+	meson_sar_adc_set_bandgap(indio_dev, false);
 
 	clk_disable_unprepare(priv->sana_clk);
 	clk_disable_unprepare(priv->core_clk);
@@ -845,30 +859,35 @@ static const struct iio_info meson_sar_a
 
 static const struct meson_sar_adc_data meson_sar_adc_meson8_data = {
 	.has_bl30_integration = false,
+	.bandgap_reg = MESON_SAR_ADC_DELTA_10,
 	.resolution = 10,
 	.name = "meson-meson8-saradc",
 };
 
 static const struct meson_sar_adc_data meson_sar_adc_meson8b_data = {
 	.has_bl30_integration = false,
+	.bandgap_reg = MESON_SAR_ADC_DELTA_10,
 	.resolution = 10,
 	.name = "meson-meson8b-saradc",
 };
 
 static const struct meson_sar_adc_data meson_sar_adc_gxbb_data = {
 	.has_bl30_integration = true,
+	.bandgap_reg = MESON_SAR_ADC_REG11,
 	.resolution = 10,
 	.name = "meson-gxbb-saradc",
 };
 
 static const struct meson_sar_adc_data meson_sar_adc_gxl_data = {
 	.has_bl30_integration = true,
+	.bandgap_reg = MESON_SAR_ADC_REG11,
 	.resolution = 12,
 	.name = "meson-gxl-saradc",
 };
 
 static const struct meson_sar_adc_data meson_sar_adc_gxm_data = {
 	.has_bl30_integration = true,
+	.bandgap_reg = MESON_SAR_ADC_REG11,
 	.resolution = 12,
 	.name = "meson-gxm-saradc",
 };

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 026/164] iio: adc: meson-saradc: Meson8 and Meson8b do not have REG11 and REG13
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 025/164] iio: adc: meson-saradc: initialize the bandgap correctly on older SoCs Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 027/164] pinctrl: armada-37xx: Fix direction_output() callback behavior Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Blumenstingl, Jonathan Cameron

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

commit 96748823c483c6eed8321f78bd128dd33f09c55c upstream.

The Meson GXBB and newer SoCs have a few more registers than the older
Meson8 and Meson8b SoCs.
Use a separate regmap config to limit the older SoCs to the DELTA_10
register.

Fixes: 6c76ed31cd05 ("iio: adc: meson-saradc: add Meson8b SoC compatibility")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/meson_saradc.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/meson_saradc.c
+++ b/drivers/iio/adc/meson_saradc.c
@@ -224,6 +224,7 @@ struct meson_sar_adc_data {
 	u32					bandgap_reg;
 	unsigned int				resolution;
 	const char				*name;
+	const struct regmap_config		*regmap_config;
 };
 
 struct meson_sar_adc_priv {
@@ -243,13 +244,20 @@ struct meson_sar_adc_priv {
 	int					calibscale;
 };
 
-static const struct regmap_config meson_sar_adc_regmap_config = {
+static const struct regmap_config meson_sar_adc_regmap_config_gxbb = {
 	.reg_bits = 8,
 	.val_bits = 32,
 	.reg_stride = 4,
 	.max_register = MESON_SAR_ADC_REG13,
 };
 
+static const struct regmap_config meson_sar_adc_regmap_config_meson8 = {
+	.reg_bits = 8,
+	.val_bits = 32,
+	.reg_stride = 4,
+	.max_register = MESON_SAR_ADC_DELTA_10,
+};
+
 static unsigned int meson_sar_adc_get_fifo_count(struct iio_dev *indio_dev)
 {
 	struct meson_sar_adc_priv *priv = iio_priv(indio_dev);
@@ -860,6 +868,7 @@ static const struct iio_info meson_sar_a
 static const struct meson_sar_adc_data meson_sar_adc_meson8_data = {
 	.has_bl30_integration = false,
 	.bandgap_reg = MESON_SAR_ADC_DELTA_10,
+	.regmap_config = &meson_sar_adc_regmap_config_meson8,
 	.resolution = 10,
 	.name = "meson-meson8-saradc",
 };
@@ -867,6 +876,7 @@ static const struct meson_sar_adc_data m
 static const struct meson_sar_adc_data meson_sar_adc_meson8b_data = {
 	.has_bl30_integration = false,
 	.bandgap_reg = MESON_SAR_ADC_DELTA_10,
+	.regmap_config = &meson_sar_adc_regmap_config_meson8,
 	.resolution = 10,
 	.name = "meson-meson8b-saradc",
 };
@@ -874,6 +884,7 @@ static const struct meson_sar_adc_data m
 static const struct meson_sar_adc_data meson_sar_adc_gxbb_data = {
 	.has_bl30_integration = true,
 	.bandgap_reg = MESON_SAR_ADC_REG11,
+	.regmap_config = &meson_sar_adc_regmap_config_gxbb,
 	.resolution = 10,
 	.name = "meson-gxbb-saradc",
 };
@@ -881,6 +892,7 @@ static const struct meson_sar_adc_data m
 static const struct meson_sar_adc_data meson_sar_adc_gxl_data = {
 	.has_bl30_integration = true,
 	.bandgap_reg = MESON_SAR_ADC_REG11,
+	.regmap_config = &meson_sar_adc_regmap_config_gxbb,
 	.resolution = 12,
 	.name = "meson-gxl-saradc",
 };
@@ -888,6 +900,7 @@ static const struct meson_sar_adc_data m
 static const struct meson_sar_adc_data meson_sar_adc_gxm_data = {
 	.has_bl30_integration = true,
 	.bandgap_reg = MESON_SAR_ADC_REG11,
+	.regmap_config = &meson_sar_adc_regmap_config_gxbb,
 	.resolution = 12,
 	.name = "meson-gxm-saradc",
 };
@@ -965,7 +978,7 @@ static int meson_sar_adc_probe(struct pl
 		return ret;
 
 	priv->regmap = devm_regmap_init_mmio(&pdev->dev, base,
-					     &meson_sar_adc_regmap_config);
+					     priv->data->regmap_config);
 	if (IS_ERR(priv->regmap))
 		return PTR_ERR(priv->regmap);
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 027/164] pinctrl: armada-37xx: Fix direction_output() callback behavior
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 026/164] iio: adc: meson-saradc: Meson8 and Meson8b do not have REG11 and REG13 Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 028/164] Drivers: hv: vmbus: Fix a rescind issue Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Gregory CLEMENT,
	Linus Walleij

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gregory CLEMENT <gregory.clement@free-electrons.com>

commit 6702abb3bf2394f250af0ee04070227bb5dda788 upstream.

The direction_output callback of the gpio_chip structure is supposed to
set the output direction but also to set the value of the gpio. For the
armada-37xx driver this callback acted as the gpio_set_direction callback
for the pinctrl.

This patch fixes the behavior of the direction_output callback by also
applying the value received as parameter.

Fixes: 5715092a458c ("pinctrl: armada-37xx: Add gpio support")
Reported-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/mvebu/pinctrl-armada-37xx.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
+++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c
@@ -408,12 +408,21 @@ static int armada_37xx_gpio_direction_ou
 {
 	struct armada_37xx_pinctrl *info = gpiochip_get_data(chip);
 	unsigned int reg = OUTPUT_EN;
-	unsigned int mask;
+	unsigned int mask, val, ret;
 
 	armada_37xx_update_reg(&reg, offset);
 	mask = BIT(offset);
 
-	return regmap_update_bits(info->regmap, reg, mask, mask);
+	ret = regmap_update_bits(info->regmap, reg, mask, mask);
+
+	if (ret)
+		return ret;
+
+	reg = OUTPUT_VAL;
+	val = value ? mask : 0;
+	regmap_update_bits(info->regmap, reg, mask, val);
+
+	return 0;
 }
 
 static int armada_37xx_gpio_get(struct gpio_chip *chip, unsigned int offset)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 028/164] Drivers: hv: vmbus: Fix a rescind issue
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 027/164] pinctrl: armada-37xx: Fix direction_output() callback behavior Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 029/164] hv: kvp: Avoid reading past allocated blocks from KVP file Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, K. Y. Srinivasan

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: K. Y. Srinivasan <kys@microsoft.com>

commit 7fa32e5ec28b1609abc0b797b58267f725fc3964 upstream.

The current rescind processing code will not correctly handle
the case where the host immediately rescinds a channel that has
been offerred. In this case, we could be blocked in the open call and
since the channel is rescinded, the host will not respond and we could
be blocked forever in the vmbus open call.i Fix this problem.

Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hv/channel.c      |   10 ++++++++--
 drivers/hv/channel_mgmt.c |    7 ++++---
 include/linux/hyperv.h    |    1 +
 3 files changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
@@ -640,22 +640,28 @@ void vmbus_close(struct vmbus_channel *c
 		 */
 		return;
 	}
-	mutex_lock(&vmbus_connection.channel_mutex);
 	/*
 	 * Close all the sub-channels first and then close the
 	 * primary channel.
 	 */
 	list_for_each_safe(cur, tmp, &channel->sc_list) {
 		cur_channel = list_entry(cur, struct vmbus_channel, sc_list);
-		vmbus_close_internal(cur_channel);
 		if (cur_channel->rescind) {
+			wait_for_completion(&cur_channel->rescind_event);
+			mutex_lock(&vmbus_connection.channel_mutex);
+			vmbus_close_internal(cur_channel);
 			hv_process_channel_removal(
 					   cur_channel->offermsg.child_relid);
+		} else {
+			mutex_lock(&vmbus_connection.channel_mutex);
+			vmbus_close_internal(cur_channel);
 		}
+		mutex_unlock(&vmbus_connection.channel_mutex);
 	}
 	/*
 	 * Now close the primary.
 	 */
+	mutex_lock(&vmbus_connection.channel_mutex);
 	vmbus_close_internal(channel);
 	mutex_unlock(&vmbus_connection.channel_mutex);
 }
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -333,6 +333,7 @@ static struct vmbus_channel *alloc_chann
 		return NULL;
 
 	spin_lock_init(&channel->lock);
+	init_completion(&channel->rescind_event);
 
 	INIT_LIST_HEAD(&channel->sc_list);
 	INIT_LIST_HEAD(&channel->percpu_list);
@@ -883,6 +884,7 @@ static void vmbus_onoffer_rescind(struct
 	/*
 	 * Now wait for offer handling to complete.
 	 */
+	vmbus_rescind_cleanup(channel);
 	while (READ_ONCE(channel->probe_done) == false) {
 		/*
 		 * We wait here until any channel offer is currently
@@ -898,7 +900,6 @@ static void vmbus_onoffer_rescind(struct
 	if (channel->device_obj) {
 		if (channel->chn_rescind_callback) {
 			channel->chn_rescind_callback(channel);
-			vmbus_rescind_cleanup(channel);
 			return;
 		}
 		/*
@@ -907,7 +908,6 @@ static void vmbus_onoffer_rescind(struct
 		 */
 		dev = get_device(&channel->device_obj->device);
 		if (dev) {
-			vmbus_rescind_cleanup(channel);
 			vmbus_device_unregister(channel->device_obj);
 			put_device(dev);
 		}
@@ -921,13 +921,14 @@ static void vmbus_onoffer_rescind(struct
 		 * 2. Then close the primary channel.
 		 */
 		mutex_lock(&vmbus_connection.channel_mutex);
-		vmbus_rescind_cleanup(channel);
 		if (channel->state == CHANNEL_OPEN_STATE) {
 			/*
 			 * The channel is currently not open;
 			 * it is safe for us to cleanup the channel.
 			 */
 			hv_process_channel_removal(rescind->child_relid);
+		} else {
+			complete(&channel->rescind_event);
 		}
 		mutex_unlock(&vmbus_connection.channel_mutex);
 	}
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -708,6 +708,7 @@ struct vmbus_channel {
 	u8 monitor_bit;
 
 	bool rescind; /* got rescind msg */
+	struct completion rescind_event;
 
 	u32 ringbuffer_gpadlhandle;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 029/164] hv: kvp: Avoid reading past allocated blocks from KVP file
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 028/164] Drivers: hv: vmbus: Fix a rescind issue Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 030/164] firmware: cleanup FIRMWARE_IN_KERNEL message Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Meyer, Long Li, K. Y. Srinivasan

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Meyer <Paul.Meyer@microsoft.com>

commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream.

While reading in more than one block (50) of KVP records, the allocation
goes per block, but the reads used the total number of allocated records
(without resetting the pointer/stream). This causes the records buffer to
overrun when the refresh reads more than one block over the previous
capacity (e.g. reading more than 100 KVP records whereas the in-memory
database was empty before).

Fix this by reading the correct number of KVP records from file each time.

Signed-off-by: Paul Meyer <Paul.Meyer@microsoft.com>
Signed-off-by: Long Li <longli@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/hv/hv_kvp_daemon.c |   70 +++++++++--------------------------------------
 1 file changed, 14 insertions(+), 56 deletions(-)

--- a/tools/hv/hv_kvp_daemon.c
+++ b/tools/hv/hv_kvp_daemon.c
@@ -193,11 +193,14 @@ static void kvp_update_mem_state(int poo
 	for (;;) {
 		readp = &record[records_read];
 		records_read += fread(readp, sizeof(struct kvp_record),
-					ENTRIES_PER_BLOCK * num_blocks,
-					filep);
+				ENTRIES_PER_BLOCK * num_blocks - records_read,
+				filep);
 
 		if (ferror(filep)) {
-			syslog(LOG_ERR, "Failed to read file, pool: %d", pool);
+			syslog(LOG_ERR,
+				"Failed to read file, pool: %d; error: %d %s",
+				 pool, errno, strerror(errno));
+			kvp_release_lock(pool);
 			exit(EXIT_FAILURE);
 		}
 
@@ -210,6 +213,7 @@ static void kvp_update_mem_state(int poo
 
 			if (record == NULL) {
 				syslog(LOG_ERR, "malloc failed");
+				kvp_release_lock(pool);
 				exit(EXIT_FAILURE);
 			}
 			continue;
@@ -224,15 +228,11 @@ static void kvp_update_mem_state(int poo
 	fclose(filep);
 	kvp_release_lock(pool);
 }
+
 static int kvp_file_init(void)
 {
 	int  fd;
-	FILE *filep;
-	size_t records_read;
 	char *fname;
-	struct kvp_record *record;
-	struct kvp_record *readp;
-	int num_blocks;
 	int i;
 	int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK;
 
@@ -246,61 +246,19 @@ static int kvp_file_init(void)
 
 	for (i = 0; i < KVP_POOL_COUNT; i++) {
 		fname = kvp_file_info[i].fname;
-		records_read = 0;
-		num_blocks = 1;
 		sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i);
 		fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */);
 
 		if (fd == -1)
 			return 1;
 
-
-		filep = fopen(fname, "re");
-		if (!filep) {
-			close(fd);
-			return 1;
-		}
-
-		record = malloc(alloc_unit * num_blocks);
-		if (record == NULL) {
-			fclose(filep);
-			close(fd);
-			return 1;
-		}
-		for (;;) {
-			readp = &record[records_read];
-			records_read += fread(readp, sizeof(struct kvp_record),
-					ENTRIES_PER_BLOCK,
-					filep);
-
-			if (ferror(filep)) {
-				syslog(LOG_ERR, "Failed to read file, pool: %d",
-				       i);
-				exit(EXIT_FAILURE);
-			}
-
-			if (!feof(filep)) {
-				/*
-				 * We have more data to read.
-				 */
-				num_blocks++;
-				record = realloc(record, alloc_unit *
-						num_blocks);
-				if (record == NULL) {
-					fclose(filep);
-					close(fd);
-					return 1;
-				}
-				continue;
-			}
-			break;
-		}
 		kvp_file_info[i].fd = fd;
-		kvp_file_info[i].num_blocks = num_blocks;
-		kvp_file_info[i].records = record;
-		kvp_file_info[i].num_records = records_read;
-		fclose(filep);
-
+		kvp_file_info[i].num_blocks = 1;
+		kvp_file_info[i].records = malloc(alloc_unit);
+		if (kvp_file_info[i].records == NULL)
+			return 1;
+		kvp_file_info[i].num_records = 0;
+		kvp_update_mem_state(i);
 	}
 
 	return 0;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 030/164] firmware: cleanup FIRMWARE_IN_KERNEL message
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 029/164] hv: kvp: Avoid reading past allocated blocks from KVP file Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 031/164] firmware: vpd: Destroy vpd sections in remove function Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, David Woodhouse,
	Robin H. Johnson

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robin H. Johnson <robbat2@gentoo.org>

commit 0946b2fb38fdb6585a5ac3ca84ac73924f645952 upstream.

The help for FIRMWARE_IN_KERNEL still references the firmware_install
command that was recently removed by commit 5620a0d1aacd ("firmware:
delete in-kernel firmware").

Clean up the message to direct the user to their distribution's
linux-firmware package, and remove any reference to firmware being
included in the kernel source tree.

Fixes: 5620a0d1aacd ("firmware: delete in-kernel firmware").
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/Kconfig |   25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -91,22 +91,23 @@ config FIRMWARE_IN_KERNEL
 	depends on FW_LOADER
 	default y
 	help
-	  The kernel source tree includes a number of firmware 'blobs'
-	  that are used by various drivers. The recommended way to
-	  use these is to run "make firmware_install", which, after
-	  converting ihex files to binary, copies all of the needed
-	  binary files in firmware/ to /lib/firmware/ on your system so
-	  that they can be loaded by userspace helpers on request.
+	  Various drivers in the kernel source tree may require firmware,
+	  which is generally available in your distribution's linux-firmware
+	  package.
+
+	  The linux-firmware package should install firmware into
+	  /lib/firmware/ on your system, so they can be loaded by userspace
+	  helpers on request.
 
 	  Enabling this option will build each required firmware blob
-	  into the kernel directly, where request_firmware() will find
-	  them without having to call out to userspace. This may be
-	  useful if your root file system requires a device that uses
-	  such firmware and do not wish to use an initrd.
+	  specified by EXTRA_FIRMWARE into the kernel directly, where
+	  request_firmware() will find them without having to call out to
+	  userspace. This may be useful if your root file system requires a
+	  device that uses such firmware and you do not wish to use an
+	  initrd.
 
 	  This single option controls the inclusion of firmware for
-	  every driver that uses request_firmware() and ships its
-	  firmware in the kernel source tree, which avoids a
+	  every driver that uses request_firmware(), which avoids a
 	  proliferation of 'Include firmware for xxx device' options.
 
 	  Say 'N' and let firmware be loaded from userspace.

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 031/164] firmware: vpd: Destroy vpd sections in remove function
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 030/164] firmware: cleanup FIRMWARE_IN_KERNEL message Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 032/164] firmware: vpd: Tie firmware kobject to device lifetime Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Dmitry Torokhov, Randy Dunlap

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 811d7e0215fb738fb9a9f0bcb1276516ad161ed1 upstream.

vpd sections are initialized during probe and thus should be destroyed
in the remove function.

Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/google/vpd.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/firmware/google/vpd.c
+++ b/drivers/firmware/google/vpd.c
@@ -298,8 +298,17 @@ static int vpd_probe(struct platform_dev
 	return vpd_sections_init(entry.cbmem_addr);
 }
 
+static int vpd_remove(struct platform_device *pdev)
+{
+	vpd_section_destroy(&ro_vpd);
+	vpd_section_destroy(&rw_vpd);
+
+	return 0;
+}
+
 static struct platform_driver vpd_driver = {
 	.probe = vpd_probe,
+	.remove = vpd_remove,
 	.driver = {
 		.name = "vpd",
 	},
@@ -324,8 +333,6 @@ static int __init vpd_platform_init(void
 
 static void __exit vpd_platform_exit(void)
 {
-	vpd_section_destroy(&ro_vpd);
-	vpd_section_destroy(&rw_vpd);
 	kobject_put(vpd_kobj);
 }
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 032/164] firmware: vpd: Tie firmware kobject to device lifetime
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 031/164] firmware: vpd: Destroy vpd sections in remove function Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 033/164] firmware: vpd: Fix platform driver and device registration/unregistration Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Dmitry Torokhov, Randy Dunlap

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit e4b28b3c3a405b251fa25db58abe1512814a680a upstream.

It doesn't make sense to have /sys/firmware/vpd if the device is not
instantiated, so tie its lifetime to the device.

Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/google/vpd.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/firmware/google/vpd.c
+++ b/drivers/firmware/google/vpd.c
@@ -295,7 +295,17 @@ static int vpd_probe(struct platform_dev
 	if (ret)
 		return ret;
 
-	return vpd_sections_init(entry.cbmem_addr);
+	vpd_kobj = kobject_create_and_add("vpd", firmware_kobj);
+	if (!vpd_kobj)
+		return -ENOMEM;
+
+	ret = vpd_sections_init(entry.cbmem_addr);
+	if (ret) {
+		kobject_put(vpd_kobj);
+		return ret;
+	}
+
+	return 0;
 }
 
 static int vpd_remove(struct platform_device *pdev)
@@ -303,6 +313,8 @@ static int vpd_remove(struct platform_de
 	vpd_section_destroy(&ro_vpd);
 	vpd_section_destroy(&rw_vpd);
 
+	kobject_put(vpd_kobj);
+
 	return 0;
 }
 
@@ -322,10 +334,6 @@ static int __init vpd_platform_init(void
 	if (IS_ERR(pdev))
 		return PTR_ERR(pdev);
 
-	vpd_kobj = kobject_create_and_add("vpd", firmware_kobj);
-	if (!vpd_kobj)
-		return -ENOMEM;
-
 	platform_driver_register(&vpd_driver);
 
 	return 0;
@@ -333,7 +341,6 @@ static int __init vpd_platform_init(void
 
 static void __exit vpd_platform_exit(void)
 {
-	kobject_put(vpd_kobj);
 }
 
 module_init(vpd_platform_init);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 033/164] firmware: vpd: Fix platform driver and device registration/unregistration
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 032/164] firmware: vpd: Tie firmware kobject to device lifetime Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 034/164] isa: Prevent NULL dereference in isa_bus driver callbacks Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Randy Dunlap, Dmitry Torokhov

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 0631fb8b027f5968c2f5031f0b3ff7be3e4bebcc upstream.

The driver exit function needs to unregister both platform device and
driver. Also, during registration, register driver first and perform
error checks.

Fixes: 049a59db34eb ("firmware: Google VPD sysfs driver")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/google/vpd.c |   20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/drivers/firmware/google/vpd.c
+++ b/drivers/firmware/google/vpd.c
@@ -326,21 +326,29 @@ static struct platform_driver vpd_driver
 	},
 };
 
+static struct platform_device *vpd_pdev;
+
 static int __init vpd_platform_init(void)
 {
-	struct platform_device *pdev;
-
-	pdev = platform_device_register_simple("vpd", -1, NULL, 0);
-	if (IS_ERR(pdev))
-		return PTR_ERR(pdev);
+	int ret;
 
-	platform_driver_register(&vpd_driver);
+	ret = platform_driver_register(&vpd_driver);
+	if (ret)
+		return ret;
+
+	vpd_pdev = platform_device_register_simple("vpd", -1, NULL, 0);
+	if (IS_ERR(vpd_pdev)) {
+		platform_driver_unregister(&vpd_driver);
+		return PTR_ERR(vpd_pdev);
+	}
 
 	return 0;
 }
 
 static void __exit vpd_platform_exit(void)
 {
+	platform_device_unregister(vpd_pdev);
+	platform_driver_unregister(&vpd_driver);
 }
 
 module_init(vpd_platform_init);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 034/164] isa: Prevent NULL dereference in isa_bus driver callbacks
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 033/164] firmware: vpd: Fix platform driver and device registration/unregistration Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 035/164] scsi: dma-mapping: always provide dma_get_cache_alignment Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, William Breathitt Gray, Linus Torvalds

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: William Breathitt Gray <vilhelm.gray@gmail.com>

commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream.

The isa_driver structure for an isa_bus device is stored in the device
platform_data member of the respective device structure. This
platform_data member may be reset to NULL if isa_driver match callback
for the device fails, indicating a device unsupported by the ISA driver.

This patch fixes a possible NULL pointer dereference if one of the
isa_driver callbacks to attempted for an unsupported device. This error
should not occur in practice since ISA devices are typically manually
configured and loaded by the users, but we may as well prevent this
error from popping up for the 0day testers.

Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/isa.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/base/isa.c
+++ b/drivers/base/isa.c
@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device *
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->probe)
+	if (isa_driver && isa_driver->probe)
 		return isa_driver->probe(dev, to_isa_dev(dev)->id);
 
 	return 0;
@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->remove)
+	if (isa_driver && isa_driver->remove)
 		return isa_driver->remove(dev, to_isa_dev(dev)->id);
 
 	return 0;
@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->shutdown)
+	if (isa_driver && isa_driver->shutdown)
 		isa_driver->shutdown(dev, to_isa_dev(dev)->id);
 }
 
@@ -67,7 +67,7 @@ static int isa_bus_suspend(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->suspend)
+	if (isa_driver && isa_driver->suspend)
 		return isa_driver->suspend(dev, to_isa_dev(dev)->id, state);
 
 	return 0;
@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->resume)
+	if (isa_driver && isa_driver->resume)
 		return isa_driver->resume(dev, to_isa_dev(dev)->id);
 
 	return 0;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 035/164] scsi: dma-mapping: always provide dma_get_cache_alignment
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 034/164] isa: Prevent NULL dereference in isa_bus driver callbacks Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 036/164] scsi: use dma_get_cache_alignment() as minimum DMA alignment Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Martin K. Petersen

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <hch@lst.de>

commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.

Provide the dummy version of dma_get_cache_alignment that always returns
1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
use it without ifdefs.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/dma-mapping.h |    2 --
 1 file changed, 2 deletions(-)

--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -697,7 +697,6 @@ static inline void *dma_zalloc_coherent(
 	return ret;
 }
 
-#ifdef CONFIG_HAS_DMA
 static inline int dma_get_cache_alignment(void)
 {
 #ifdef ARCH_DMA_MINALIGN
@@ -705,7 +704,6 @@ static inline int dma_get_cache_alignmen
 #endif
 	return 1;
 }
-#endif
 
 /* flags for the coherent memory api */
 #define DMA_MEMORY_EXCLUSIVE		0x01

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 036/164] scsi: use dma_get_cache_alignment() as minimum DMA alignment
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 035/164] scsi: dma-mapping: always provide dma_get_cache_alignment Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 037/164] scsi: libsas: align sata_devices rps_resp on a cacheline Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Christoph Hellwig,
	Martin K. Petersen

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.

In non-coherent DMA mode, kernel uses cache flushing operations to
maintain I/O coherency, so scsi's block queue should be aligned to the
value returned by dma_get_cache_alignment().  Otherwise, If a DMA buffer
and a kernel structure share a same cache line, and if the kernel
structure has dirty data, cache_invalidate (no writeback) will cause
data corruption.

Signed-off-by: Huacai Chen <chenhc@lemote.com>
[hch: rebased and updated the comment and changelog]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_lib.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2126,11 +2126,13 @@ void __scsi_init_queue(struct Scsi_Host
 		q->limits.cluster = 0;
 
 	/*
-	 * set a reasonable default alignment on word boundaries: the
-	 * host and device may alter it using
-	 * blk_queue_update_dma_alignment() later.
+	 * Set a reasonable default alignment:  The larger of 32-byte (dword),
+	 * which is a common minimum for HBAs, and the minimum DMA alignment,
+	 * which is set by the platform.
+	 *
+	 * Devices that require a bigger alignment can increase it later.
 	 */
-	blk_queue_dma_alignment(q, 0x03);
+	blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
 }
 EXPORT_SYMBOL_GPL(__scsi_init_queue);
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 037/164] scsi: libsas: align sata_devices rps_resp on a cacheline
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 036/164] scsi: use dma_get_cache_alignment() as minimum DMA alignment Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 038/164] efi: Move some sysfs files to be read-only by root Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Christoph Hellwig,
	Martin K. Petersen

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit c2e8fbf908afd81ad502b567a6639598f92c9b9d upstream.

The rps_resp buffer in ata_device is a DMA target, but it isn't
explicitly cacheline aligned. Due to this, adjacent fields can be
overwritten with stale data from memory on non-coherent architectures.
As a result, the kernel is sometimes unable to communicate with an SATA
device behind a SAS expander.

Fix this by ensuring that the rps_resp buffer is cacheline aligned.

This issue is similar to that fixed by Commit 84bda12af31f93 ("libata:
align ap->sector_buf") and Commit 4ee34ea3a12396f35b26 ("libata: Align
ata_device's id on a cacheline").

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/scsi/libsas.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/scsi/libsas.h
+++ b/include/scsi/libsas.h
@@ -165,11 +165,11 @@ struct expander_device {
 
 struct sata_device {
 	unsigned int class;
-	struct smp_resp        rps_resp; /* report_phy_sata_resp */
 	u8     port_no;        /* port number, if this is a PM (Port) */
 
 	struct ata_port *ap;
 	struct ata_host ata_host;
+	struct smp_resp rps_resp ____cacheline_aligned; /* report_phy_sata_resp */
 	u8     fis[ATA_RESP_FIS_SIZE];
 };
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 038/164] efi: Move some sysfs files to be read-only by root
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 037/164] scsi: libsas: align sata_devices rps_resp on a cacheline Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 039/164] efi/esrt: Use memunmap() instead of kfree() to free the remapping Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Dave Young,
	Ard Biesheuvel, H. Peter Anvin, Matt Fleming, Peter Zijlstra,
	Thomas Gleixner, linux-efi, Ingo Molnar

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.

Thanks to the scripts/leaking_addresses.pl script, it was found that
some EFI values should not be readable by non-root users.

So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
make this easier, and use it in other places at the same time.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/efi.c         |    3 +--
 drivers/firmware/efi/esrt.c        |   15 ++++++---------
 drivers/firmware/efi/runtime-map.c |   10 +++++-----
 include/linux/sysfs.h              |    6 ++++++
 4 files changed, 18 insertions(+), 16 deletions(-)

--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -143,8 +143,7 @@ static ssize_t systab_show(struct kobjec
 	return str - buf;
 }
 
-static struct kobj_attribute efi_attr_systab =
-			__ATTR(systab, 0400, systab_show, NULL);
+static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
 
 #define EFI_FIELD(var) efi.var
 
--- a/drivers/firmware/efi/esrt.c
+++ b/drivers/firmware/efi/esrt.c
@@ -106,7 +106,7 @@ static const struct sysfs_ops esre_attr_
 };
 
 /* Generic ESRT Entry ("ESRE") support. */
-static ssize_t esre_fw_class_show(struct esre_entry *entry, char *buf)
+static ssize_t fw_class_show(struct esre_entry *entry, char *buf)
 {
 	char *str = buf;
 
@@ -117,18 +117,16 @@ static ssize_t esre_fw_class_show(struct
 	return str - buf;
 }
 
-static struct esre_attribute esre_fw_class = __ATTR(fw_class, 0400,
-	esre_fw_class_show, NULL);
+static struct esre_attribute esre_fw_class = __ATTR_RO_MODE(fw_class, 0400);
 
 #define esre_attr_decl(name, size, fmt) \
-static ssize_t esre_##name##_show(struct esre_entry *entry, char *buf) \
+static ssize_t name##_show(struct esre_entry *entry, char *buf) \
 { \
 	return sprintf(buf, fmt "\n", \
 		       le##size##_to_cpu(entry->esre.esre1->name)); \
 } \
 \
-static struct esre_attribute esre_##name = __ATTR(name, 0400, \
-	esre_##name##_show, NULL)
+static struct esre_attribute esre_##name = __ATTR_RO_MODE(name, 0400)
 
 esre_attr_decl(fw_type, 32, "%u");
 esre_attr_decl(fw_version, 32, "%u");
@@ -193,14 +191,13 @@ static int esre_create_sysfs_entry(void
 
 /* support for displaying ESRT fields at the top level */
 #define esrt_attr_decl(name, size, fmt) \
-static ssize_t esrt_##name##_show(struct kobject *kobj, \
+static ssize_t name##_show(struct kobject *kobj, \
 				  struct kobj_attribute *attr, char *buf)\
 { \
 	return sprintf(buf, fmt "\n", le##size##_to_cpu(esrt->name)); \
 } \
 \
-static struct kobj_attribute esrt_##name = __ATTR(name, 0400, \
-	esrt_##name##_show, NULL)
+static struct kobj_attribute esrt_##name = __ATTR_RO_MODE(name, 0400)
 
 esrt_attr_decl(fw_resource_count, 32, "%u");
 esrt_attr_decl(fw_resource_count_max, 32, "%u");
--- a/drivers/firmware/efi/runtime-map.c
+++ b/drivers/firmware/efi/runtime-map.c
@@ -63,11 +63,11 @@ static ssize_t map_attr_show(struct kobj
 	return map_attr->show(entry, buf);
 }
 
-static struct map_attribute map_type_attr = __ATTR_RO(type);
-static struct map_attribute map_phys_addr_attr   = __ATTR_RO(phys_addr);
-static struct map_attribute map_virt_addr_attr  = __ATTR_RO(virt_addr);
-static struct map_attribute map_num_pages_attr  = __ATTR_RO(num_pages);
-static struct map_attribute map_attribute_attr  = __ATTR_RO(attribute);
+static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
+static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
+static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
+static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
+static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
 
 /*
  * These are default attributes that are added for every memmap entry.
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -117,6 +117,12 @@ struct attribute_group {
 	.show	= _name##_show,						\
 }
 
+#define __ATTR_RO_MODE(_name, _mode) {					\
+	.attr	= { .name = __stringify(_name),				\
+		    .mode = VERIFY_OCTAL_PERMISSIONS(_mode) },		\
+	.show	= _name##_show,						\
+}
+
 #define __ATTR_WO(_name) {						\
 	.attr	= { .name = __stringify(_name), .mode = S_IWUSR },	\
 	.store	= _name##_store,					\

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 039/164] efi/esrt: Use memunmap() instead of kfree() to free the remapping
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 038/164] efi: Move some sysfs files to be read-only by root Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 040/164] ASN.1: fix out-of-bounds read when parsing indefinite length item Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pan Bian, Ard Biesheuvel,
	H. Peter Anvin, Linus Torvalds, Matt Fleming, Peter Zijlstra,
	Thomas Gleixner, linux-efi, Ingo Molnar

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 89c5a2d34bda58319e3075e8e7dd727ea25a435c upstream.

The remapping result of memremap() should be freed with memunmap(), not kfree().

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20171206095010.24170-3-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/esrt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/efi/esrt.c
+++ b/drivers/firmware/efi/esrt.c
@@ -428,7 +428,7 @@ err_remove_group:
 err_remove_esrt:
 	kobject_put(esrt_kobj);
 err:
-	kfree(esrt);
+	memunmap(esrt);
 	esrt = NULL;
 	return error;
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 040/164] ASN.1: fix out-of-bounds read when parsing indefinite length item
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 039/164] efi/esrt: Use memunmap() instead of kfree() to free the remapping Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 041/164] ASN.1: check for error from ASN1_OP_END__ACT actions Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Potapenko, Eric Biggers,
	David Howells

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.

In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
to the action functions before their lengths had been computed, using
the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH).  This resulted in
reading data past the end of the input buffer, when given a specially
crafted message.

Fix it by rearranging the code so that the indefinite length is resolved
before the action is called.

This bug was originally found by fuzzing the X.509 parser in userspace
using libFuzzer from the LLVM project.

KASAN report (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
    BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
    Read of size 128 at addr ffff880035dd9eaf by task keyctl/195

    CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xd1/0x175 lib/dump_stack.c:53
     print_address_description+0x78/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x23f/0x350 mm/kasan/report.c:409
     memcpy+0x1f/0x50 mm/kasan/kasan.c:302
     memcpy ./include/linux/string.h:341 [inline]
     x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
     asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
     x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

    Allocated by task 195:
     __do_kmalloc_node mm/slab.c:3675 [inline]
     __kmalloc_node+0x47/0x60 mm/slab.c:3682
     kvmalloc ./include/linux/mm.h:540 [inline]
     SYSC_add_key security/keys/keyctl.c:104 [inline]
     SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/asn1_decoder.c |   47 ++++++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 21 deletions(-)

--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -313,42 +313,47 @@ next_op:
 
 	/* Decide how to handle the operation */
 	switch (op) {
-	case ASN1_OP_MATCH_ANY_ACT:
-	case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
-	case ASN1_OP_COND_MATCH_ANY_ACT:
-	case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
-		ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len);
-		if (ret < 0)
-			return ret;
-		goto skip_data;
-
-	case ASN1_OP_MATCH_ACT:
-	case ASN1_OP_MATCH_ACT_OR_SKIP:
-	case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
-		ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len);
-		if (ret < 0)
-			return ret;
-		goto skip_data;
-
 	case ASN1_OP_MATCH:
 	case ASN1_OP_MATCH_OR_SKIP:
+	case ASN1_OP_MATCH_ACT:
+	case ASN1_OP_MATCH_ACT_OR_SKIP:
 	case ASN1_OP_MATCH_ANY:
 	case ASN1_OP_MATCH_ANY_OR_SKIP:
+	case ASN1_OP_MATCH_ANY_ACT:
+	case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
 	case ASN1_OP_COND_MATCH_OR_SKIP:
+	case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
 	case ASN1_OP_COND_MATCH_ANY:
 	case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
-	skip_data:
+	case ASN1_OP_COND_MATCH_ANY_ACT:
+	case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
+
 		if (!(flags & FLAG_CONS)) {
 			if (flags & FLAG_INDEFINITE_LENGTH) {
+				size_t tmp = dp;
+
 				ret = asn1_find_indefinite_length(
-					data, datalen, &dp, &len, &errmsg);
+					data, datalen, &tmp, &len, &errmsg);
 				if (ret < 0)
 					goto error;
-			} else {
-				dp += len;
 			}
 			pr_debug("- LEAF: %zu\n", len);
 		}
+
+		if (op & ASN1_OP_MATCH__ACT) {
+			unsigned char act;
+
+			if (op & ASN1_OP_MATCH__ANY)
+				act = machine[pc + 1];
+			else
+				act = machine[pc + 2];
+			ret = actions[act](context, hdr, tag, data + dp, len);
+			if (ret < 0)
+				return ret;
+		}
+
+		if (!(flags & FLAG_CONS))
+			dp += len;
 		pc += asn1_op_lengths[op];
 		goto next_op;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 041/164] ASN.1: check for error from ASN1_OP_END__ACT actions
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 040/164] ASN.1: fix out-of-bounds read when parsing indefinite length item Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 042/164] KEYS: add missing permission check for request_key() destination Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells, James Morris

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.

asn1_ber_decoder() was ignoring errors from actions associated with the
opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
meant the pkcs7_note_signed_info() action (since that was the only user
of those opcodes).  Fix it by checking for the error, just like the
decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a
specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature
verification, by providing a PKCS#7 message that is misparsed such that
a signature's ->authattrs do not contain its ->msgdigest.  But it
doesn't seem practical in normal cases, due to restrictions on the
format of the ->authattrs.

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/asn1_decoder.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -439,6 +439,8 @@ next_op:
 			else
 				act = machine[pc + 1];
 			ret = actions[act](context, hdr, 0, data + tdp, len);
+			if (ret < 0)
+				return ret;
 		}
 		pc += asn1_op_lengths[op];
 		goto next_op;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 042/164] KEYS: add missing permission check for request_key() destination
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 041/164] ASN.1: check for error from ASN1_OP_END__ACT actions Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 043/164] KEYS: reject NULL restriction string when type is specified Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.

When the request_key() syscall is not passed a destination keyring, it
links the requested key (if constructed) into the "default" request-key
keyring.  This should require Write permission to the keyring.  However,
there is actually no permission check.

This can be abused to add keys to any keyring to which only Search
permission is granted.  This is because Search permission allows joining
the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
then will set the default request-key keyring to the session keyring.
Then, request_key() can be used to add keys to the keyring.

Both negatively and positively instantiated keys can be added using this
method.  Adding negative keys is trivial.  Adding a positive key is a
bit trickier.  It requires that either /sbin/request-key positively
instantiates the key, or that another thread adds the key to the process
keyring at just the right time, such that request_key() misses it
initially but then finds it in construct_alloc_key().

Fix this bug by checking for Write permission to the keyring in
construct_get_dest_keyring() when the default keyring is being used.

We don't do the permission check for non-default keyrings because that
was already done by the earlier call to lookup_user_key().  Also,
request_key_and_link() is currently passed a 'struct key *' rather than
a key_ref_t, so the "possessed" bit is unavailable.

We also don't do the permission check for the "requestor keyring", to
continue to support the use case described by commit 8bbf4976b59f
("KEYS: Alter use of key instantiation link-to-keyring argument") where
/sbin/request-key recursively calls request_key() to add keys to the
original requestor's destination keyring.  (I don't know of any users
who actually do that, though...)

Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/request_key.c |   46 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 37 insertions(+), 9 deletions(-)

--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -251,11 +251,12 @@ static int construct_key(struct key *key
  * The keyring selected is returned with an extra reference upon it which the
  * caller must release.
  */
-static void construct_get_dest_keyring(struct key **_dest_keyring)
+static int construct_get_dest_keyring(struct key **_dest_keyring)
 {
 	struct request_key_auth *rka;
 	const struct cred *cred = current_cred();
 	struct key *dest_keyring = *_dest_keyring, *authkey;
+	int ret;
 
 	kenter("%p", dest_keyring);
 
@@ -264,6 +265,8 @@ static void construct_get_dest_keyring(s
 		/* the caller supplied one */
 		key_get(dest_keyring);
 	} else {
+		bool do_perm_check = true;
+
 		/* use a default keyring; falling through the cases until we
 		 * find one that we actually have */
 		switch (cred->jit_keyring) {
@@ -278,8 +281,10 @@ static void construct_get_dest_keyring(s
 					dest_keyring =
 						key_get(rka->dest_keyring);
 				up_read(&authkey->sem);
-				if (dest_keyring)
+				if (dest_keyring) {
+					do_perm_check = false;
 					break;
+				}
 			}
 
 		case KEY_REQKEY_DEFL_THREAD_KEYRING:
@@ -314,11 +319,29 @@ static void construct_get_dest_keyring(s
 		default:
 			BUG();
 		}
+
+		/*
+		 * Require Write permission on the keyring.  This is essential
+		 * because the default keyring may be the session keyring, and
+		 * joining a keyring only requires Search permission.
+		 *
+		 * However, this check is skipped for the "requestor keyring" so
+		 * that /sbin/request-key can itself use request_key() to add
+		 * keys to the original requestor's destination keyring.
+		 */
+		if (dest_keyring && do_perm_check) {
+			ret = key_permission(make_key_ref(dest_keyring, 1),
+					     KEY_NEED_WRITE);
+			if (ret) {
+				key_put(dest_keyring);
+				return ret;
+			}
+		}
 	}
 
 	*_dest_keyring = dest_keyring;
 	kleave(" [dk %d]", key_serial(dest_keyring));
-	return;
+	return 0;
 }
 
 /*
@@ -444,11 +467,15 @@ static struct key *construct_key_and_lin
 	if (ctx->index_key.type == &key_type_keyring)
 		return ERR_PTR(-EPERM);
 
-	user = key_user_lookup(current_fsuid());
-	if (!user)
-		return ERR_PTR(-ENOMEM);
+	ret = construct_get_dest_keyring(&dest_keyring);
+	if (ret)
+		goto error;
 
-	construct_get_dest_keyring(&dest_keyring);
+	user = key_user_lookup(current_fsuid());
+	if (!user) {
+		ret = -ENOMEM;
+		goto error_put_dest_keyring;
+	}
 
 	ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
 	key_user_put(user);
@@ -463,7 +490,7 @@ static struct key *construct_key_and_lin
 	} else if (ret == -EINPROGRESS) {
 		ret = 0;
 	} else {
-		goto couldnt_alloc_key;
+		goto error_put_dest_keyring;
 	}
 
 	key_put(dest_keyring);
@@ -473,8 +500,9 @@ static struct key *construct_key_and_lin
 construction_failed:
 	key_negate_and_link(key, key_negative_timeout, NULL, NULL);
 	key_put(key);
-couldnt_alloc_key:
+error_put_dest_keyring:
 	key_put(dest_keyring);
+error:
 	kleave(" = %d", ret);
 	return ERR_PTR(ret);
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 043/164] KEYS: reject NULL restriction string when type is specified
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 042/164] KEYS: add missing permission check for request_key() destination Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 044/164] X.509: reject invalid BIT STRING for subjectPublicKey Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Eric Biggers, David Howells

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 18026d866801d0c52e5550210563222bd6c7191d upstream.

keyctl_restrict_keyring() allows through a NULL restriction when the
"type" is non-NULL, which causes a NULL pointer dereference in
asymmetric_lookup_restriction() when it calls strcmp() on the
restriction string.

But no key types actually use a "NULL restriction" to mean anything, so
update keyctl_restrict_keyring() to reject it with EINVAL.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/keyctl.c |   24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1588,9 +1588,8 @@ error_keyring:
  * The caller must have Setattr permission to change keyring restrictions.
  *
  * The requested type name may be a NULL pointer to reject all attempts
- * to link to the keyring. If _type is non-NULL, _restriction can be
- * NULL or a pointer to a string describing the restriction. If _type is
- * NULL, _restriction must also be NULL.
+ * to link to the keyring.  In this case, _restriction must also be NULL.
+ * Otherwise, both _type and _restriction must be non-NULL.
  *
  * Returns 0 if successful.
  */
@@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_
 			     const char __user *_restriction)
 {
 	key_ref_t key_ref;
-	bool link_reject = !_type;
 	char type[32];
 	char *restriction = NULL;
 	long ret;
@@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_
 	if (IS_ERR(key_ref))
 		return PTR_ERR(key_ref);
 
+	ret = -EINVAL;
 	if (_type) {
+		if (!_restriction)
+			goto error;
+
 		ret = key_get_type_from_user(type, _type, sizeof(type));
 		if (ret < 0)
 			goto error;
-	}
-
-	if (_restriction) {
-		if (!_type) {
-			ret = -EINVAL;
-			goto error;
-		}
 
 		restriction = strndup_user(_restriction, PAGE_SIZE);
 		if (IS_ERR(restriction)) {
 			ret = PTR_ERR(restriction);
 			goto error;
 		}
+	} else {
+		if (_restriction)
+			goto error;
 	}
 
-	ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction);
+	ret = keyring_restrict(key_ref, _type ? type : NULL, restriction);
 	kfree(restriction);
-
 error:
 	key_ref_put(key_ref);
-
 	return ret;
 }
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 044/164] X.509: reject invalid BIT STRING for subjectPublicKey
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 043/164] KEYS: reject NULL restriction string when type is specified Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 045/164] X.509: fix comparisons of ->pkey_algo Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells, James Morris

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.

Adding a specially crafted X.509 certificate whose subjectPublicKey
ASN.1 value is zero-length caused x509_extract_key_data() to set the
public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
metadata byte.  Then, x509_cert_parse() called kmemdup() with that bogus
size, triggering the WARN_ON_ONCE() in kmalloc_slab().

This appears to be harmless, but it still must be fixed since WARNs are
never supposed to be user-triggerable.

Fix it by updating x509_cert_parse() to validate that the value has a
BIT STRING metadata byte, and that the byte is 0 which indicates that
the number of bits in the bitstring is a multiple of 8.

It would be nice to handle the metadata byte in asn1_ber_decoder()
instead.  But that would be tricky because in the general case a BIT
STRING could be implicitly tagged, and/or could legitimately have a
length that is not a whole number of bytes.

Here was the WARN (cleaned up slightly):

    WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
    Modules linked in:
    CPU: 1 PID: 202 Comm: keyctl Tainted: G    B            4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    task: ffff880033014180 task.stack: ffff8800305c8000
    Call Trace:
     __do_kmalloc mm/slab.c:3706 [inline]
     __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
     kmemdup+0x17/0x40 mm/util.c:118
     kmemdup include/linux/string.h:414 [inline]
     x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/asymmetric_keys/x509_cert_parser.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -409,6 +409,8 @@ int x509_extract_key_data(void *context,
 	ctx->cert->pub->pkey_algo = "rsa";
 
 	/* Discard the BIT STRING metadata */
+	if (vlen < 1 || *(const u8 *)value != 0)
+		return -EBADMSG;
 	ctx->key = value + 1;
 	ctx->key_size = vlen - 1;
 	return 0;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 045/164] X.509: fix comparisons of ->pkey_algo
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 044/164] X.509: reject invalid BIT STRING for subjectPublicKey Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 046/164] x86/idt: Load idt early in start_secondary Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 54c1fb39fe0495f846539ab765925b008f86801c upstream.

->pkey_algo used to be an enum, but was changed to a string by commit
4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum").  But
two comparisons were not updated.  Fix them to use strcmp().

This bug broke signature verification in certain configurations,
depending on whether the string constants were deduplicated or not.

Fixes: 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/asymmetric_keys/pkcs7_verify.c    |    2 +-
 crypto/asymmetric_keys/x509_public_key.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -150,7 +150,7 @@ static int pkcs7_find_key(struct pkcs7_m
 		pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
 			 sinfo->index, certix);
 
-		if (x509->pub->pkey_algo != sinfo->sig->pkey_algo) {
+		if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) {
 			pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
 				sinfo->index);
 			continue;
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -135,7 +135,7 @@ int x509_check_for_self_signed(struct x5
 	}
 
 	ret = -EKEYREJECTED;
-	if (cert->pub->pkey_algo != cert->sig->pkey_algo)
+	if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
 		goto out;
 
 	ret = public_key_verify_signature(cert->pub, cert->sig);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 046/164] x86/idt: Load idt early in start_secondary
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 045/164] X.509: fix comparisons of ->pkey_algo Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 047/164] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chunyu Hu, Thomas Gleixner, peterz,
	bp, rostedt, luto

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chunyu Hu <chuhu@redhat.com>

commit 55d2d0ad2fb4325f615d1950486fbc5e6fba1769 upstream.

On a secondary, idt is first loaded in cpu_init() with load_current_idt(),
i.e. no exceptions can be handled before that point.

The conversion of WARN() to use UD requires the IDT being loaded earlier as
any warning between start_secondary() and load_curren_idt() in cpu_init()
will result in an unhandled @UD exception and therefore fail the bringup of
the CPU.

Install the IDT handlers right in start_secondary() before calling cpu_init().

[ tglx: Massaged changelog ]

Fixes: 9a93848fe787 ("x86/debug: Implement __WARN() using UD0")
Signed-off-by: Chunyu Hu <chuhu@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: rostedt@goodmis.org
Cc: luto@kernel.org
Link: https://lkml.kernel.org/r/1511792499-4073-1-git-send-email-chuhu@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/smpboot.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -239,7 +239,7 @@ static void notrace start_secondary(void
 	load_cr3(swapper_pg_dir);
 	__flush_tlb_all();
 #endif
-
+	load_current_idt();
 	cpu_init();
 	x86_cpuinit.early_percpu_clock_init();
 	preempt_disable();

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 047/164] x86/PCI: Make broadcom_postcore_init() check acpi_disabled
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 046/164] x86/idt: Load idt early in start_secondary Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 049/164] btrfs: fix missing error return in btrfs_drop_snapshot Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Hansen, Rafael J. Wysocki,
	Thomas Gleixner, Bjorn Helgaas, Linux PCI, Ingo Molnar

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.

acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
is set, but the host bridge information from the ACPI tables is not going
to be used in that case and the Broadcom host bridge initialization should
not be skipped then, So make broadcom_postcore_init() check acpi_disabled
too to avoid this issue.

Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Linux PCI <linux-pci@vger.kernel.org>
Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/pci/broadcom_bus.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/pci/broadcom_bus.c
+++ b/arch/x86/pci/broadcom_bus.c
@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
 	 * We should get host bridge information from ACPI unless the BIOS
 	 * doesn't support it.
 	 */
-	if (acpi_os_get_root_pointer())
+	if (!acpi_disabled && acpi_os_get_root_pointer())
 		return 0;
 #endif
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 049/164] btrfs: fix missing error return in btrfs_drop_snapshot
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 047/164] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 050/164] btrfs: handle errors while updating refcounts in update_ref_for_cow Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeff Mahoney, David Sterba

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit e19182c0fff451e3744c1107d98f072e7ca377a0 upstream.

If btrfs_del_root fails in btrfs_drop_snapshot, we'll pick up the
error but then return 0 anyway due to mixing err and ret.

Fixes: 79787eaab4612 ("btrfs: replace many BUG_ONs with proper error handling")
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -9283,6 +9283,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
 	ret = btrfs_del_root(trans, fs_info, &root->root_key);
 	if (ret) {
 		btrfs_abort_transaction(trans, ret);
+		err = ret;
 		goto out_end_trans;
 	}
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 050/164] btrfs: handle errors while updating refcounts in update_ref_for_cow
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 049/164] btrfs: fix missing error return in btrfs_drop_snapshot Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 051/164] ALSA: hda/realtek - New codec support for ALC257 Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Mahoney, Edmund Nadolski,
	Qu Wenruo, David Sterba

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit 692826b2738101549f032a761a9191636e83be4e upstream.

Since commit fb235dc06fa (btrfs: qgroup: Move half of the qgroup
accounting time out of commit trans) the assumption that
btrfs_add_delayed_{data,tree}_ref can only return 0 or -ENOMEM has
been false.  The qgroup operations call into btrfs_search_slot
and friends and can now return the full spectrum of error codes.

Fortunately, the fix here is easy since update_ref_for_cow failing
is already handled so we just need to bail early with the error
code.

Fixes: fb235dc06fa (btrfs: qgroup: Move half of the qgroup accounting ...)
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: Edmund Nadolski <enadolski@suse.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/ctree.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -1032,14 +1032,17 @@ static noinline int update_ref_for_cow(s
 		     root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) &&
 		    !(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF)) {
 			ret = btrfs_inc_ref(trans, root, buf, 1);
-			BUG_ON(ret); /* -ENOMEM */
+			if (ret)
+				return ret;
 
 			if (root->root_key.objectid ==
 			    BTRFS_TREE_RELOC_OBJECTID) {
 				ret = btrfs_dec_ref(trans, root, buf, 0);
-				BUG_ON(ret); /* -ENOMEM */
+				if (ret)
+					return ret;
 				ret = btrfs_inc_ref(trans, root, cow, 1);
-				BUG_ON(ret); /* -ENOMEM */
+				if (ret)
+					return ret;
 			}
 			new_flags |= BTRFS_BLOCK_FLAG_FULL_BACKREF;
 		} else {
@@ -1049,7 +1052,8 @@ static noinline int update_ref_for_cow(s
 				ret = btrfs_inc_ref(trans, root, cow, 1);
 			else
 				ret = btrfs_inc_ref(trans, root, cow, 0);
-			BUG_ON(ret); /* -ENOMEM */
+			if (ret)
+				return ret;
 		}
 		if (new_flags != 0) {
 			int level = btrfs_header_level(buf);
@@ -1068,9 +1072,11 @@ static noinline int update_ref_for_cow(s
 				ret = btrfs_inc_ref(trans, root, cow, 1);
 			else
 				ret = btrfs_inc_ref(trans, root, cow, 0);
-			BUG_ON(ret); /* -ENOMEM */
+			if (ret)
+				return ret;
 			ret = btrfs_dec_ref(trans, root, buf, 1);
-			BUG_ON(ret); /* -ENOMEM */
+			if (ret)
+				return ret;
 		}
 		clean_tree_block(fs_info, buf);
 		*last_ref = 1;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 051/164] ALSA: hda/realtek - New codec support for ALC257
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 050/164] btrfs: handle errors while updating refcounts in update_ref_for_cow Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 052/164] ALSA: pcm: prevent UAF in snd_pcm_info Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kailang Yang <kailang@realtek.com>

commit f429e7e494afaded76e62c6f98211a635aa03098 upstream.

Add new support for ALC257 codec.

[ It's supposed to be almost equivalent with other ALC25x variants,
  just adding another type and id -- tiwai ]

Signed-off-by: Kailang Yang <kailang@realtek.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -330,6 +330,7 @@ static void alc_fill_eapd_coef(struct hd
 	case 0x10ec0236:
 	case 0x10ec0255:
 	case 0x10ec0256:
+	case 0x10ec0257:
 	case 0x10ec0282:
 	case 0x10ec0283:
 	case 0x10ec0286:
@@ -2749,6 +2750,7 @@ enum {
 	ALC269_TYPE_ALC298,
 	ALC269_TYPE_ALC255,
 	ALC269_TYPE_ALC256,
+	ALC269_TYPE_ALC257,
 	ALC269_TYPE_ALC215,
 	ALC269_TYPE_ALC225,
 	ALC269_TYPE_ALC294,
@@ -2782,6 +2784,7 @@ static int alc269_parse_auto_config(stru
 	case ALC269_TYPE_ALC298:
 	case ALC269_TYPE_ALC255:
 	case ALC269_TYPE_ALC256:
+	case ALC269_TYPE_ALC257:
 	case ALC269_TYPE_ALC215:
 	case ALC269_TYPE_ALC225:
 	case ALC269_TYPE_ALC294:
@@ -6839,6 +6842,10 @@ static int patch_alc269(struct hda_codec
 		spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */
 		alc_update_coef_idx(codec, 0x36, 1 << 13, 1 << 5); /* Switch pcbeep path to Line in path*/
 		break;
+	case 0x10ec0257:
+		spec->codec_variant = ALC269_TYPE_ALC257;
+		spec->gen.mixer_nid = 0;
+		break;
 	case 0x10ec0215:
 	case 0x10ec0285:
 	case 0x10ec0289:
@@ -7886,6 +7893,7 @@ static const struct hda_device_id snd_hd
 	HDA_CODEC_ENTRY(0x10ec0236, "ALC236", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0255, "ALC255", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0256, "ALC256", patch_alc269),
+	HDA_CODEC_ENTRY(0x10ec0257, "ALC257", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0260, "ALC260", patch_alc260),
 	HDA_CODEC_ENTRY(0x10ec0262, "ALC262", patch_alc262),
 	HDA_CODEC_ENTRY(0x10ec0267, "ALC267", patch_alc268),

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 052/164] ALSA: pcm: prevent UAF in snd_pcm_info
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 051/164] ALSA: hda/realtek - New codec support for ALC257 Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 053/164] ALSA: seq: Remove spurious WARN_ON() at timer check Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robb Glasser, Nick Desaulniers, Takashi Iwai

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robb Glasser <rglasser@google.com>

commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.

When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Note: this fixes CVE-2017-0861

Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/pcm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -153,7 +153,9 @@ static int snd_pcm_control_ioctl(struct
 				err = -ENXIO;
 				goto _error;
 			}
+			mutex_lock(&pcm->open_mutex);
 			err = snd_pcm_info_user(substream, info);
+			mutex_unlock(&pcm->open_mutex);
 		_error:
 			mutex_unlock(&register_mutex);
 			return err;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 053/164] ALSA: seq: Remove spurious WARN_ON() at timer check
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 052/164] ALSA: pcm: prevent UAF in snd_pcm_info Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 054/164] ALSA: usb-audio: Fix out-of-bound error Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, syzbot, Takashi Iwai

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 43a3542870328601be02fcc9d27b09db467336ef upstream.

The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
WARN_ON() when a slave timer is deployed as its backend and a
corresponding master timer stops meanwhile.  The symptom was triggered
by syzkaller spontaneously.

Since the NULL timer is valid there, rip off snd_BUG_ON().

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/seq_timer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s
 	unsigned long freq;
 
 	t = tmr->timeri->timer;
-	if (snd_BUG_ON(!t))
+	if (!t)
 		return -EINVAL;
 
 	freq = tmr->preferred_resolution;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 054/164] ALSA: usb-audio: Fix out-of-bound error
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 053/164] ALSA: seq: Remove spurious WARN_ON() at timer check Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 055/164] ALSA: usb-audio: Add check return value for usb_string() Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaejoong Kim, Takashi Iwai

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim <climbbb.kim@gmail.com>

commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.

The snd_usb_copy_string_desc() retrieves the usb string corresponding to
the index number through the usb_string(). The problem is that the
usb_string() returns the length of the string (>= 0) when successful, but
it can also return a negative value about the error case or status of
usb_control_msg().

If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
This will result in '0' being inserted into buf[-22], and the following
KASAN out-of-bound error message will be output.

AudioControl Interface Descriptor:
  bLength                 8
  bDescriptorType        36
  bDescriptorSubtype     10 (CLOCK_SOURCE)
  bClockID                1
  bmAttributes         0x07 Internal programmable Clock (synced to SOF)
  bmControls           0x07
  Clock Frequency Control (read/write)
  Clock Validity Control (read-only)
  bAssocTerminal          0
  iClockSource            0

To fix it, check usb_string()'return value and bail out.

==================================================================
BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376

CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
Call Trace:
dump_stack+0x63/0x8d
print_address_description+0x70/0x290
? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
kasan_report+0x265/0x350
__asan_store1+0x4a/0x50
parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
? save_stack+0xb5/0xd0
? save_stack_trace+0x1b/0x20
? save_stack+0x46/0xd0
? kasan_kmalloc+0xad/0xe0
? kmem_cache_alloc_trace+0xff/0x230
? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
? usb_probe_interface+0x1f5/0x440
? driver_probe_device+0x3ed/0x660
? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
? save_stack_trace+0x1b/0x20
? init_object+0x69/0xa0
? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
? build_audio_procunit+0x890/0x890 [snd_usb_audio]
? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
? kmem_cache_alloc_trace+0xff/0x230
? usb_ifnum_to_if+0xbd/0xf0
snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
? __pm_runtime_idle+0x90/0x90
? kernfs_activate+0xa6/0xc0
? usb_match_one_id_intf+0xdc/0x130
? __pm_runtime_set_status+0x2d4/0x450
usb_probe_interface+0x1f5/0x440

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -204,6 +204,10 @@ static int snd_usb_copy_string_desc(stru
 				    int index, char *buf, int maxlen)
 {
 	int len = usb_string(state->chip->dev, index, buf, maxlen - 1);
+
+	if (len < 0)
+		return 0;
+
 	buf[len] = 0;
 	return len;
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 055/164] ALSA: usb-audio: Add check return value for usb_string()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 054/164] ALSA: usb-audio: Fix out-of-bound error Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 056/164] iommu/vt-d: Fix scatterlist offset handling Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaejoong Kim, Takashi Iwai

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim <climbbb.kim@gmail.com>

commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream.

snd_usb_copy_string_desc() returns zero if usb_string() fails.
In case of failure, we need to check the snd_usb_copy_string_desc()'s
return value and add an exception case

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2178,13 +2178,14 @@ static int parse_audio_selector_unit(str
 	if (len)
 		;
 	else if (nameid)
-		snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+		len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
 					 sizeof(kctl->id.name));
-	else {
+	else
 		len = get_term_name(state, &state->oterm,
 				    kctl->id.name, sizeof(kctl->id.name), 0);
-		if (!len)
-			strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
+	if (!len) {
+		strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
 
 		if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
 			append_ctl_name(kctl, " Clock Source");

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 056/164] iommu/vt-d: Fix scatterlist offset handling
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 055/164] ALSA: usb-audio: Add check return value for usb_string() Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 057/164] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harsh Jain, Robin Murphy, Alex Williamson

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robin Murphy <robin.murphy@arm.com>

commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream.

The intel-iommu DMA ops fail to correctly handle scatterlists where
sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
appropriately based on the page-aligned portion of the offset, but the
mapping is set up relative to sg->page, which means it fails to actually
cover the whole buffer (and in the worst case doesn't cover it at all):

    (sg->dma_address + sg->dma_len) ----+
    sg->dma_address ---------+          |
    iov_pfn------+           |          |
                 |           |          |
                 v           v          v
iova:   a        b        c        d        e        f
        |--------|--------|--------|--------|--------|
                          <...calculated....>
                 [_____mapped______]
pfn:    0        1        2        3        4        5
        |--------|--------|--------|--------|--------|
                 ^           ^          ^
                 |           |          |
    sg->page ----+           |          |
    sg->offset --------------+          |
    (sg->offset + sg->length) ----------+

As a result, the caller ends up overrunning the mapping into whatever
lies beyond, which usually goes badly:

[  429.645492] DMAR: DRHD: handling fault status reg 2
[  429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...

Whilst this is a fairly rare occurrence, it can happen from the result
of intermediate scatterlist processing such as scatterwalk_ffwd() in the
crypto layer. Whilst that particular site could be fixed up, it still
seems worthwhile to bring intel-iommu in line with other DMA API
implementations in handling this robustly.

To that end, fix the intel_map_sg() path to line up the mapping
correctly (in units of MM pages rather than VT-d pages to match the
aligned_nrpages() calculation) regardless of the offset, and use
sg_phys() consistently for clarity.

Reported-by: Harsh Jain <Harsh@chelsio.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Reviewed by: Ashok Raj <ashok.raj@intel.com>
Tested by: Jacob Pan <jacob.jun.pan@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iommu/intel-iommu.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -2254,10 +2254,12 @@ static int __domain_mapping(struct dmar_
 		uint64_t tmp;
 
 		if (!sg_res) {
+			unsigned int pgoff = sg->offset & ~PAGE_MASK;
+
 			sg_res = aligned_nrpages(sg->offset, sg->length);
-			sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
+			sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff;
 			sg->dma_length = sg->length;
-			pteval = page_to_phys(sg_page(sg)) | prot;
+			pteval = (sg_phys(sg) - pgoff) | prot;
 			phys_pfn = pteval >> VTD_PAGE_SHIFT;
 		}
 
@@ -3790,7 +3792,7 @@ static int intel_nontranslate_map_sg(str
 
 	for_each_sg(sglist, sg, nelems, i) {
 		BUG_ON(!sg_page(sg));
-		sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
+		sg->dma_address = sg_phys(sg);
 		sg->dma_length = sg->length;
 	}
 	return nelems;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 057/164] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 056/164] iommu/vt-d: Fix scatterlist offset handling Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 058/164] s390: always save and restore all registers on context switch Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lai Jiangshan, Thomas Gleixner,
	Peter Zijlstra, Richard Weinberger, Sebastian Andrzej Siewior,
	Boris Ostrovsky

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lai Jiangshan <jiangshanlai@gmail.com>

commit 46febd37f9c758b05cd25feae8512f22584742fe upstream.

Commit 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
accidently put this step on the wrong place. The step should be at the
cpuhp_ap_states[] rather than the cpuhp_bp_states[].

grep smpcfd /sys/devices/system/cpu/hotplug/states
 40: smpcfd:prepare
129: smpcfd:dying

"smpcfd:dying" was missing before.
So was the invocation of the function smpcfd_dying_cpu().

Fixes: 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: https://lkml.kernel.org/r/20171128131954.81229-1-jiangshanlai@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpu.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -1289,11 +1289,6 @@ static struct cpuhp_step cpuhp_bp_states
 		.teardown.single	= NULL,
 		.cant_stop		= true,
 	},
-	[CPUHP_AP_SMPCFD_DYING] = {
-		.name			= "smpcfd:dying",
-		.startup.single		= NULL,
-		.teardown.single	= smpcfd_dying_cpu,
-	},
 	/*
 	 * Handled on controll processor until the plugged processor manages
 	 * this itself.
@@ -1335,6 +1330,11 @@ static struct cpuhp_step cpuhp_ap_states
 		.startup.single		= NULL,
 		.teardown.single	= rcutree_dying_cpu,
 	},
+	[CPUHP_AP_SMPCFD_DYING] = {
+		.name			= "smpcfd:dying",
+		.startup.single		= NULL,
+		.teardown.single	= smpcfd_dying_cpu,
+	},
 	/* Entry state on starting. Interrupts enabled from here on. Transient
 	 * state for synchronsization */
 	[CPUHP_AP_ONLINE] = {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 058/164] s390: always save and restore all registers on context switch
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 057/164] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 059/164] s390/mm: fix off-by-one bug in 5-level page table handling Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heiko Carstens, Martin Schwidefsky

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit fbbd7f1a51965b50dd12924841da0d478f3da71b upstream.

The switch_to() macro has an optimization to avoid saving and
restoring register contents that aren't needed for kernel threads.

There is however the possibility that a kernel thread execve's a user
space program. In such a case the execve'd process can partially see
the contents of the previous process, which shouldn't be allowed.

To avoid this, simply always save and restore register contents on
context switch.

Fixes: fdb6d070effba ("switch_to: dont restore/save access & fpu regs for kernel threads")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/include/asm/switch_to.h |   27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

--- a/arch/s390/include/asm/switch_to.h
+++ b/arch/s390/include/asm/switch_to.h
@@ -30,21 +30,20 @@ static inline void restore_access_regs(u
 	asm volatile("lam 0,15,%0" : : "Q" (*(acrstype *)acrs));
 }
 
-#define switch_to(prev,next,last) do {					\
-	if (prev->mm) {							\
-		save_fpu_regs();					\
-		save_access_regs(&prev->thread.acrs[0]);		\
-		save_ri_cb(prev->thread.ri_cb);				\
-		save_gs_cb(prev->thread.gs_cb);				\
-	}								\
+#define switch_to(prev, next, last) do {				\
+	/* save_fpu_regs() sets the CIF_FPU flag, which enforces	\
+	 * a restore of the floating point / vector registers as	\
+	 * soon as the next task returns to user space			\
+	 */								\
+	save_fpu_regs();						\
+	save_access_regs(&prev->thread.acrs[0]);			\
+	save_ri_cb(prev->thread.ri_cb);					\
+	save_gs_cb(prev->thread.gs_cb);					\
 	update_cr_regs(next);						\
-	if (next->mm) {							\
-		set_cpu_flag(CIF_FPU);					\
-		restore_access_regs(&next->thread.acrs[0]);		\
-		restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb);	\
-		restore_gs_cb(next->thread.gs_cb);			\
-	}								\
-	prev = __switch_to(prev,next);					\
+	restore_access_regs(&next->thread.acrs[0]);			\
+	restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb);		\
+	restore_gs_cb(next->thread.gs_cb);				\
+	prev = __switch_to(prev, next);					\
 } while (0)
 
 #endif /* __ASM_SWITCH_TO_H */

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 059/164] s390/mm: fix off-by-one bug in 5-level page table handling
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 058/164] s390: always save and restore all registers on context switch Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 060/164] s390: fix compat system call table Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Cermak, Hendrik Brueckner,
	Heiko Carstens, Martin Schwidefsky

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit 8d306f53b63099fec2d56300149e400d181ba4f5 upstream.

Martin Cermak reported that setting a uprobe doesn't work. Reason for
this is that the common uprobes code tries to get an unmapped area at
the last possible page within an address space.

This broke with commit 1aea9b3f9210 ("s390/mm: implement 5 level pages
tables") which introduced an off-by-one bug which prevents to map
anything at the last possible page within an address space.

The check with the off-by-one bug however can be removed since with
commit 8ab867cb0806 ("s390/mm: fix BUG_ON in crst_table_upgrade") the
necessary check is done at both call sites.

Reported-by: Martin Cermak <mcermak@redhat.com>
Bisected-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
Fixes: 1aea9b3f9210 ("s390/mm: implement 5 level pages tables")
Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/mm/pgalloc.c |    2 --
 1 file changed, 2 deletions(-)

--- a/arch/s390/mm/pgalloc.c
+++ b/arch/s390/mm/pgalloc.c
@@ -85,8 +85,6 @@ int crst_table_upgrade(struct mm_struct
 
 	/* upgrade should only happen from 3 to 4, 3 to 5, or 4 to 5 levels */
 	VM_BUG_ON(mm->context.asce_limit < _REGION2_SIZE);
-	if (end >= TASK_SIZE_MAX)
-		return -ENOMEM;
 	rc = 0;
 	notify = 0;
 	while (mm->context.asce_limit < end) {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 060/164] s390: fix compat system call table
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.14 059/164] s390/mm: fix off-by-one bug in 5-level page table handling Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 061/164] KVM: s390: Fix skey emulation permission check Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heiko Carstens, Martin Schwidefsky

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit e779498df587dd2189b30fe5b9245aefab870eb8 upstream.

When wiring up the socket system calls the compat entries were
incorrectly set. Not all of them point to the corresponding compat
wrapper functions, which clear the upper 33 bits of user space
pointers, like it is required.

Fixes: 977108f89c989 ("s390: wire up separate socketcalls system calls")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kernel/syscalls.S |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/s390/kernel/syscalls.S
+++ b/arch/s390/kernel/syscalls.S
@@ -370,10 +370,10 @@ SYSCALL(sys_recvmmsg,compat_sys_recvmmsg
 SYSCALL(sys_sendmmsg,compat_sys_sendmmsg)
 SYSCALL(sys_socket,sys_socket)
 SYSCALL(sys_socketpair,compat_sys_socketpair)		/* 360 */
-SYSCALL(sys_bind,sys_bind)
-SYSCALL(sys_connect,sys_connect)
+SYSCALL(sys_bind,compat_sys_bind)
+SYSCALL(sys_connect,compat_sys_connect)
 SYSCALL(sys_listen,sys_listen)
-SYSCALL(sys_accept4,sys_accept4)
+SYSCALL(sys_accept4,compat_sys_accept4)
 SYSCALL(sys_getsockopt,compat_sys_getsockopt)		/* 365 */
 SYSCALL(sys_setsockopt,compat_sys_setsockopt)
 SYSCALL(sys_getsockname,compat_sys_getsockname)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 061/164] KVM: s390: Fix skey emulation permission check
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 060/164] s390: fix compat system call table Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 062/164] Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier" Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janosch Frank, Christian Borntraeger,
	Cornelia Huck, Thomas Huth

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Janosch Frank <frankja@linux.vnet.ibm.com>

commit ca76ec9ca871e67d8cd0b6caba24aca3d3ac4546 upstream.

All skey functions call skey_check_enable at their start, which checks
if we are in the PSTATE and injects a privileged operation exception
if we are.

Unfortunately they continue processing afterwards and perform the
operation anyhow as skey_check_enable does not deliver an error if the
exception injection was successful.

Let's move the PSTATE check into the skey functions and exit them on
such an occasion, also we now do not enable skey handling anymore in
such a case.

Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Fixes: a7e19ab ("KVM: s390: handle missing storage-key facility")
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/priv.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/arch/s390/kvm/priv.c
+++ b/arch/s390/kvm/priv.c
@@ -235,8 +235,6 @@ static int try_handle_skey(struct kvm_vc
 		VCPU_EVENT(vcpu, 4, "%s", "retrying storage key operation");
 		return -EAGAIN;
 	}
-	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
-		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
 	return 0;
 }
 
@@ -247,6 +245,9 @@ static int handle_iske(struct kvm_vcpu *
 	int reg1, reg2;
 	int rc;
 
+	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+
 	rc = try_handle_skey(vcpu);
 	if (rc)
 		return rc != -EAGAIN ? rc : 0;
@@ -276,6 +277,9 @@ static int handle_rrbe(struct kvm_vcpu *
 	int reg1, reg2;
 	int rc;
 
+	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+
 	rc = try_handle_skey(vcpu);
 	if (rc)
 		return rc != -EAGAIN ? rc : 0;
@@ -311,6 +315,9 @@ static int handle_sske(struct kvm_vcpu *
 	int reg1, reg2;
 	int rc;
 
+	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+
 	rc = try_handle_skey(vcpu);
 	if (rc)
 		return rc != -EAGAIN ? rc : 0;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 062/164] Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier"
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 061/164] KVM: s390: Fix skey emulation permission check Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 063/164] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Gibson, Michael Ellerman

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Gibson <david@gibson.dropbear.id.au>

commit ab9dbf771ff9b6b7e814e759213ed01d7f0de320 upstream.

This reverts commit a3b2cb30f252b21a6f962e0dd107c8b897ca65e4.

That commit tried to fix problems with panic on powerpc in certain
circumstances, where some output from the generic panic code was being
dropped.

Unfortunately, it breaks things worse in other circumstances. In
particular when running a PAPR guest, it will now attempt to reboot
instead of informing the hypervisor (KVM or PowerVM) that the guest
has crashed. The crash notification is important to some
virtualization management layers.

Revert it for now until we can come up with a better solution.

Fixes: a3b2cb30f252 ("powerpc: Do not call ppc_md.panic in fadump panic notifier")
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
[mpe: Tweak change log a bit]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/machdep.h     |    1 +
 arch/powerpc/include/asm/setup.h       |    1 +
 arch/powerpc/kernel/fadump.c           |   22 ----------------------
 arch/powerpc/kernel/setup-common.c     |   27 +++++++++++++++++++++++++++
 arch/powerpc/platforms/ps3/setup.c     |   15 +++++++++++++++
 arch/powerpc/platforms/pseries/setup.c |    1 +
 6 files changed, 45 insertions(+), 22 deletions(-)

--- a/arch/powerpc/include/asm/machdep.h
+++ b/arch/powerpc/include/asm/machdep.h
@@ -76,6 +76,7 @@ struct machdep_calls {
 
 	void __noreturn	(*restart)(char *cmd);
 	void __noreturn (*halt)(void);
+	void		(*panic)(char *str);
 	void		(*cpu_die)(void);
 
 	long		(*time_init)(void); /* Optional, may be NULL */
--- a/arch/powerpc/include/asm/setup.h
+++ b/arch/powerpc/include/asm/setup.h
@@ -24,6 +24,7 @@ extern void reloc_got2(unsigned long);
 
 void check_for_initrd(void);
 void initmem_init(void);
+void setup_panic(void);
 #define ARCH_PANIC_TIMEOUT 180
 
 #ifdef CONFIG_PPC_PSERIES
--- a/arch/powerpc/kernel/fadump.c
+++ b/arch/powerpc/kernel/fadump.c
@@ -1453,25 +1453,6 @@ static void fadump_init_files(void)
 	return;
 }
 
-static int fadump_panic_event(struct notifier_block *this,
-			      unsigned long event, void *ptr)
-{
-	/*
-	 * If firmware-assisted dump has been registered then trigger
-	 * firmware-assisted dump and let firmware handle everything
-	 * else. If this returns, then fadump was not registered, so
-	 * go through the rest of the panic path.
-	 */
-	crash_fadump(NULL, ptr);
-
-	return NOTIFY_DONE;
-}
-
-static struct notifier_block fadump_panic_block = {
-	.notifier_call = fadump_panic_event,
-	.priority = INT_MIN /* may not return; must be done last */
-};
-
 /*
  * Prepare for firmware-assisted dump.
  */
@@ -1504,9 +1485,6 @@ int __init setup_fadump(void)
 		init_fadump_mem_struct(&fdm, fw_dump.reserve_dump_area_start);
 	fadump_init_files();
 
-	atomic_notifier_chain_register(&panic_notifier_list,
-					&fadump_panic_block);
-
 	return 1;
 }
 subsys_initcall(setup_fadump);
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -704,6 +704,30 @@ int check_legacy_ioport(unsigned long ba
 }
 EXPORT_SYMBOL(check_legacy_ioport);
 
+static int ppc_panic_event(struct notifier_block *this,
+                             unsigned long event, void *ptr)
+{
+	/*
+	 * If firmware-assisted dump has been registered then trigger
+	 * firmware-assisted dump and let firmware handle everything else.
+	 */
+	crash_fadump(NULL, ptr);
+	ppc_md.panic(ptr);  /* May not return */
+	return NOTIFY_DONE;
+}
+
+static struct notifier_block ppc_panic_block = {
+	.notifier_call = ppc_panic_event,
+	.priority = INT_MIN /* may not return; must be done last */
+};
+
+void __init setup_panic(void)
+{
+	if (!ppc_md.panic)
+		return;
+	atomic_notifier_chain_register(&panic_notifier_list, &ppc_panic_block);
+}
+
 #ifdef CONFIG_CHECK_CACHE_COHERENCY
 /*
  * For platforms that have configurable cache-coherency.  This function
@@ -848,6 +872,9 @@ void __init setup_arch(char **cmdline_p)
 	/* Probe the machine type, establish ppc_md. */
 	probe_machine();
 
+	/* Setup panic notifier if requested by the platform. */
+	setup_panic();
+
 	/*
 	 * Configure ppc_md.power_save (ppc32 only, 64-bit machines do
 	 * it from their respective probe() function.
--- a/arch/powerpc/platforms/ps3/setup.c
+++ b/arch/powerpc/platforms/ps3/setup.c
@@ -104,6 +104,20 @@ static void __noreturn ps3_halt(void)
 	ps3_sys_manager_halt(); /* never returns */
 }
 
+static void ps3_panic(char *str)
+{
+	DBG("%s:%d %s\n", __func__, __LINE__, str);
+
+	smp_send_stop();
+	printk("\n");
+	printk("   System does not reboot automatically.\n");
+	printk("   Please press POWER button.\n");
+	printk("\n");
+
+	while(1)
+		lv1_pause(1);
+}
+
 #if defined(CONFIG_FB_PS3) || defined(CONFIG_FB_PS3_MODULE) || \
     defined(CONFIG_PS3_FLASH) || defined(CONFIG_PS3_FLASH_MODULE)
 static void __init prealloc(struct ps3_prealloc *p)
@@ -255,6 +269,7 @@ define_machine(ps3) {
 	.probe				= ps3_probe,
 	.setup_arch			= ps3_setup_arch,
 	.init_IRQ			= ps3_init_IRQ,
+	.panic				= ps3_panic,
 	.get_boot_time			= ps3_get_boot_time,
 	.set_dabr			= ps3_set_dabr,
 	.calibrate_decr			= ps3_calibrate_decr,
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -726,6 +726,7 @@ define_machine(pseries) {
 	.pcibios_fixup		= pSeries_final_fixup,
 	.restart		= rtas_restart,
 	.halt			= rtas_halt,
+	.panic			= rtas_os_term,
 	.get_boot_time		= rtas_get_boot_time,
 	.get_rtc_time		= rtas_get_rtc_time,
 	.set_rtc_time		= rtas_set_rtc_time,

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 063/164] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 062/164] Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier" Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 064/164] iwlwifi: mvm: mark MIC stripped MPDUs Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Michael Ellerman

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit 371b80447ff33ddac392c189cf884a5a3e18faeb upstream.

kexec can leave MMU registers set when booting into a new kernel,
the PIDR (Process Identification Register) in particular. The boot
sequence does not zero PIDR, so it only gets set when CPUs first
switch to a userspace processes (until then it's running a kernel
thread with effective PID = 0).

This leaves a window where a process table entry and page tables are
set up due to user processes running on other CPUs, that happen to
match with a stale PID. The CPU with that PID may cause speculative
accesses that address quadrant 0 (aka userspace addresses), which will
result in cached translations and PWC (Page Walk Cache) for that
process, on a CPU which is not in the mm_cpumask and so they will not
be invalidated properly.

The most common result is the kernel hanging in infinite page fault
loops soon after kexec (usually in schedule_tail, which is usually the
first non-speculative quadrant 0 access to a new PID) due to a stale
PWC. However being a stale translation error, it could result in
anything up to security and data corruption problems.

Fix this by zeroing out PIDR at boot and kexec.

Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/cpu_setup_power.S |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/powerpc/kernel/cpu_setup_power.S
+++ b/arch/powerpc/kernel/cpu_setup_power.S
@@ -102,6 +102,7 @@ _GLOBAL(__setup_cpu_power9)
 	li	r0,0
 	mtspr	SPRN_PSSCR,r0
 	mtspr	SPRN_LPID,r0
+	mtspr	SPRN_PID,r0
 	mfspr	r3,SPRN_LPCR
 	LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE  | LPCR_HEIC)
 	or	r3, r3, r4
@@ -126,6 +127,7 @@ _GLOBAL(__restore_cpu_power9)
 	li	r0,0
 	mtspr	SPRN_PSSCR,r0
 	mtspr	SPRN_LPID,r0
+	mtspr	SPRN_PID,r0
 	mfspr   r3,SPRN_LPCR
 	LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC)
 	or	r3, r3, r4

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 064/164] iwlwifi: mvm: mark MIC stripped MPDUs
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 063/164] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 065/164] iwlwifi: mvm: dont use transmit queue hang detection when it is not possible Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sara Sharon, Luca Coelho

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sara Sharon <sara.sharon@intel.com>

commit bf19037074e770aad74b3b90f37b8b98db3f3748 upstream.

When RADA is active, the hardware decrypts the packets and strips off
the MIC as it is useless after decryption. Indicate that to mac80211.

[this is needed for the 9000-series HW to work properly]
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -253,6 +253,8 @@ static int iwl_mvm_rx_crypto(struct iwl_
 			return -1;
 
 		stats->flag |= RX_FLAG_DECRYPTED;
+		if (pkt_flags & FH_RSCSR_RADA_EN)
+			stats->flag |= RX_FLAG_MIC_STRIPPED;
 		*crypt_len = IEEE80211_CCMP_HDR_LEN;
 		return 0;
 	case IWL_RX_MPDU_STATUS_SEC_TKIP:

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 065/164] iwlwifi: mvm: dont use transmit queue hang detection when it is not possible
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 064/164] iwlwifi: mvm: mark MIC stripped MPDUs Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 066/164] iwlwifi: mvm: flush queue before deleting ROC Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Luca Coelho

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit 0b9832b712d6767d6c7b01965fd788d1ca84fc92 upstream.

When we act as an AP, new firmware versions handle
internally the power saving clients and the driver doesn't
know that the peers went to sleep. It is, hence, possible
that a peer goes to sleep for a long time and stop pulling
frames. This will cause its transmit queue to hang which is
a condition that triggers the recovery flow in the driver.

While this client is certainly buggy (it should have pulled
the frame based on the TIM IE in the beacon), we can't blow
up because of a buggy client.

Change the current implementation to not enable the
transmit queue hang detection on queues that serve peers
when we act as an AP / GO.

We can still enable this mechanism using the debug
configuration which can come in handy when we want to
debug why the client doesn't wake up.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/utils.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c
@@ -1143,9 +1143,18 @@ unsigned int iwl_mvm_get_wd_timeout(stru
 	unsigned int default_timeout =
 		cmd_q ? IWL_DEF_WD_TIMEOUT : mvm->cfg->base_params->wd_timeout;
 
-	if (!iwl_fw_dbg_trigger_enabled(mvm->fw, FW_DBG_TRIGGER_TXQ_TIMERS))
+	if (!iwl_fw_dbg_trigger_enabled(mvm->fw, FW_DBG_TRIGGER_TXQ_TIMERS)) {
+		/*
+		 * We can't know when the station is asleep or awake, so we
+		 * must disable the queue hang detection.
+		 */
+		if (fw_has_capa(&mvm->fw->ucode_capa,
+				IWL_UCODE_TLV_CAPA_STA_PM_NOTIF) &&
+		    vif && vif->type == NL80211_IFTYPE_AP)
+			return IWL_WATCHDOG_DISABLED;
 		return iwlmvm_mod_params.tfd_q_hang_detect ?
 			default_timeout : IWL_WATCHDOG_DISABLED;
+	}
 
 	trigger = iwl_fw_dbg_get_trigger(mvm->fw, FW_DBG_TRIGGER_TXQ_TIMERS);
 	txq_timer = (void *)trigger->data;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 066/164] iwlwifi: mvm: flush queue before deleting ROC
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 065/164] iwlwifi: mvm: dont use transmit queue hang detection when it is not possible Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 067/164] iwlwifi: add new cards for 9260 and 22000 series Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Luca Coelho

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 6c2d49fdc5d947c5fe89935bd52e69f10000f4cb upstream.

Before deleting a time event (remain-on-channel instance), flush
the queue so that frames cannot get stuck on it. We already flush
the AUX STA queues, but a separate station is used for the P2P
Device queue.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h        |    2 +
 drivers/net/wireless/intel/iwlwifi/mvm/time-event.c |   24 ++++++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
@@ -1042,6 +1042,7 @@ struct iwl_mvm {
  * @IWL_MVM_STATUS_ROC_AUX_RUNNING: AUX remain-on-channel is running
  * @IWL_MVM_STATUS_D3_RECONFIG: D3 reconfiguration is being done
  * @IWL_MVM_STATUS_FIRMWARE_RUNNING: firmware is running
+ * @IWL_MVM_STATUS_NEED_FLUSH_P2P: need to flush P2P bcast STA
  */
 enum iwl_mvm_status {
 	IWL_MVM_STATUS_HW_RFKILL,
@@ -1053,6 +1054,7 @@ enum iwl_mvm_status {
 	IWL_MVM_STATUS_ROC_AUX_RUNNING,
 	IWL_MVM_STATUS_D3_RECONFIG,
 	IWL_MVM_STATUS_FIRMWARE_RUNNING,
+	IWL_MVM_STATUS_NEED_FLUSH_P2P,
 };
 
 /* Keep track of completed init configuration */
--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
@@ -132,6 +132,24 @@ void iwl_mvm_roc_done_wk(struct work_str
 	 * executed, and a new time event means a new command.
 	 */
 	iwl_mvm_flush_sta(mvm, &mvm->aux_sta, true, CMD_ASYNC);
+
+	/* Do the same for the P2P device queue (STA) */
+	if (test_and_clear_bit(IWL_MVM_STATUS_NEED_FLUSH_P2P, &mvm->status)) {
+		struct iwl_mvm_vif *mvmvif;
+
+		/*
+		 * NB: access to this pointer would be racy, but the flush bit
+		 * can only be set when we had a P2P-Device VIF, and we have a
+		 * flush of this work in iwl_mvm_prepare_mac_removal() so it's
+		 * not really racy.
+		 */
+
+		if (!WARN_ON(!mvm->p2p_device_vif)) {
+			mvmvif = iwl_mvm_vif_from_mac80211(mvm->p2p_device_vif);
+			iwl_mvm_flush_sta(mvm, &mvmvif->bcast_sta, true,
+					  CMD_ASYNC);
+		}
+	}
 }
 
 static void iwl_mvm_roc_finished(struct iwl_mvm *mvm)
@@ -855,10 +873,12 @@ void iwl_mvm_stop_roc(struct iwl_mvm *mv
 
 	mvmvif = iwl_mvm_vif_from_mac80211(te_data->vif);
 
-	if (te_data->vif->type == NL80211_IFTYPE_P2P_DEVICE)
+	if (te_data->vif->type == NL80211_IFTYPE_P2P_DEVICE) {
 		iwl_mvm_remove_time_event(mvm, mvmvif, te_data);
-	else
+		set_bit(IWL_MVM_STATUS_NEED_FLUSH_P2P, &mvm->status);
+	} else {
 		iwl_mvm_remove_aux_roc_te(mvm, mvmvif, te_data);
+	}
 
 	iwl_mvm_roc_finished(mvm);
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 067/164] iwlwifi: add new cards for 9260 and 22000 series
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 066/164] iwlwifi: mvm: flush queue before deleting ROC Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 068/164] iwlwifi: mvm: fix packet injection Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ihab Zhaika, Luca Coelho

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ihab Zhaika <ihab.zhaika@intel.com>

commit 567deca8e72df3ceb6c07c63f8541a4928f64d3b upstream.

add 1 PCI ID for 9260 series and 1 for 22000 series.

Signed-off-by: Ihab Zhaika <ihab.zhaika@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -551,6 +551,7 @@ static const struct pci_device_id iwl_hw
 	{IWL_PCI_DEVICE(0x271B, 0x0014, iwl9160_2ac_cfg)},
 	{IWL_PCI_DEVICE(0x271B, 0x0210, iwl9160_2ac_cfg)},
 	{IWL_PCI_DEVICE(0x271B, 0x0214, iwl9260_2ac_cfg)},
+	{IWL_PCI_DEVICE(0x271C, 0x0214, iwl9260_2ac_cfg)},
 	{IWL_PCI_DEVICE(0x2720, 0x0034, iwl9560_2ac_cfg)},
 	{IWL_PCI_DEVICE(0x2720, 0x0038, iwl9560_2ac_cfg)},
 	{IWL_PCI_DEVICE(0x2720, 0x003C, iwl9560_2ac_cfg)},
@@ -662,6 +663,7 @@ static const struct pci_device_id iwl_hw
 	{IWL_PCI_DEVICE(0x2720, 0x0310, iwla000_2ac_cfg_hr_cdb)},
 	{IWL_PCI_DEVICE(0x40C0, 0x0000, iwla000_2ax_cfg_hr)},
 	{IWL_PCI_DEVICE(0x40C0, 0x0A10, iwla000_2ax_cfg_hr)},
+	{IWL_PCI_DEVICE(0xA0F0, 0x0000, iwla000_2ax_cfg_hr)},
 
 #endif /* CONFIG_IWLMVM */
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 068/164] iwlwifi: mvm: fix packet injection
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 067/164] iwlwifi: add new cards for 9260 and 22000 series Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 069/164] iwlwifi: mvm: enable RX offloading with TKIP and WEP Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Luca Coelho

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

commit b13f43a48571f0cd0fda271b5046b65f1f268db5 upstream.

We need to have a station and a queue for the monitor
interface to be able to inject traffic. We used to have
this traffic routed to the auxiliary queue, but this queue
isn't scheduled for the station we had linked to the
monitor vif.

Allocate a new queue, link it to the monitor vif's station
and make that queue use the BE fifo.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=196715

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/fw/api/txq.h   |    4 +
 drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c |    2 
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h      |    1 
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c      |    1 
 drivers/net/wireless/intel/iwlwifi/mvm/sta.c      |   53 ++++++++++++++++------
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c       |    3 -
 6 files changed, 49 insertions(+), 15 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/api/txq.h
@@ -68,6 +68,9 @@
  * @IWL_MVM_DQA_CMD_QUEUE: a queue reserved for sending HCMDs to the FW
  * @IWL_MVM_DQA_AUX_QUEUE: a queue reserved for aux frames
  * @IWL_MVM_DQA_P2P_DEVICE_QUEUE: a queue reserved for P2P device frames
+ * @IWL_MVM_DQA_INJECT_MONITOR_QUEUE: a queue reserved for injection using
+ *	monitor mode. Note this queue is the same as the queue for P2P device
+ *	but we can't have active monitor mode along with P2P device anyway.
  * @IWL_MVM_DQA_GCAST_QUEUE: a queue reserved for P2P GO/SoftAP GCAST frames
  * @IWL_MVM_DQA_BSS_CLIENT_QUEUE: a queue reserved for BSS activity, to ensure
  *	that we are never left without the possibility to connect to an AP.
@@ -87,6 +90,7 @@ enum iwl_mvm_dqa_txq {
 	IWL_MVM_DQA_CMD_QUEUE = 0,
 	IWL_MVM_DQA_AUX_QUEUE = 1,
 	IWL_MVM_DQA_P2P_DEVICE_QUEUE = 2,
+	IWL_MVM_DQA_INJECT_MONITOR_QUEUE = 2,
 	IWL_MVM_DQA_GCAST_QUEUE = 3,
 	IWL_MVM_DQA_BSS_CLIENT_QUEUE = 4,
 	IWL_MVM_DQA_MIN_MGMT_QUEUE = 5,
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
@@ -787,7 +787,7 @@ static int iwl_mvm_mac_ctxt_cmd_listener
 					 u32 action)
 {
 	struct iwl_mac_ctx_cmd cmd = {};
-	u32 tfd_queue_msk = 0;
+	u32 tfd_queue_msk = BIT(mvm->snif_queue);
 	int ret;
 
 	WARN_ON(vif->type != NL80211_IFTYPE_MONITOR);
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
@@ -954,6 +954,7 @@ struct iwl_mvm {
 
 	/* Tx queues */
 	u16 aux_queue;
+	u16 snif_queue;
 	u16 probe_queue;
 	u16 p2p_dev_queue;
 
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
@@ -622,6 +622,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *
 	mvm->fw_restart = iwlwifi_mod_params.fw_restart ? -1 : 0;
 
 	mvm->aux_queue = IWL_MVM_DQA_AUX_QUEUE;
+	mvm->snif_queue = IWL_MVM_DQA_INJECT_MONITOR_QUEUE;
 	mvm->probe_queue = IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
 	mvm->p2p_dev_queue = IWL_MVM_DQA_P2P_DEVICE_QUEUE;
 
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -1700,29 +1700,29 @@ void iwl_mvm_dealloc_int_sta(struct iwl_
 	sta->sta_id = IWL_MVM_INVALID_STA;
 }
 
-static void iwl_mvm_enable_aux_queue(struct iwl_mvm *mvm)
+static void iwl_mvm_enable_aux_snif_queue(struct iwl_mvm *mvm, u16 *queue,
+					  u8 sta_id, u8 fifo)
 {
 	unsigned int wdg_timeout = iwlmvm_mod_params.tfd_q_hang_detect ?
 					mvm->cfg->base_params->wd_timeout :
 					IWL_WATCHDOG_DISABLED;
 
 	if (iwl_mvm_has_new_tx_api(mvm)) {
-		int queue = iwl_mvm_tvqm_enable_txq(mvm, mvm->aux_queue,
-						    mvm->aux_sta.sta_id,
-						    IWL_MAX_TID_COUNT,
-						    wdg_timeout);
-		mvm->aux_queue = queue;
+		int tvqm_queue =
+			iwl_mvm_tvqm_enable_txq(mvm, *queue, sta_id,
+						IWL_MAX_TID_COUNT,
+						wdg_timeout);
+		*queue = tvqm_queue;
 	} else {
 		struct iwl_trans_txq_scd_cfg cfg = {
-			.fifo = IWL_MVM_TX_FIFO_MCAST,
-			.sta_id = mvm->aux_sta.sta_id,
+			.fifo = fifo,
+			.sta_id = sta_id,
 			.tid = IWL_MAX_TID_COUNT,
 			.aggregate = false,
 			.frame_limit = IWL_FRAME_LIMIT,
 		};
 
-		iwl_mvm_enable_txq(mvm, mvm->aux_queue, mvm->aux_queue, 0, &cfg,
-				   wdg_timeout);
+		iwl_mvm_enable_txq(mvm, *queue, *queue, 0, &cfg, wdg_timeout);
 	}
 }
 
@@ -1741,7 +1741,9 @@ int iwl_mvm_add_aux_sta(struct iwl_mvm *
 
 	/* Map Aux queue to fifo - needs to happen before adding Aux station */
 	if (!iwl_mvm_has_new_tx_api(mvm))
-		iwl_mvm_enable_aux_queue(mvm);
+		iwl_mvm_enable_aux_snif_queue(mvm, &mvm->aux_queue,
+					      mvm->aux_sta.sta_id,
+					      IWL_MVM_TX_FIFO_MCAST);
 
 	ret = iwl_mvm_add_int_sta_common(mvm, &mvm->aux_sta, NULL,
 					 MAC_INDEX_AUX, 0);
@@ -1755,7 +1757,9 @@ int iwl_mvm_add_aux_sta(struct iwl_mvm *
 	 * to firmware so enable queue here - after the station was added
 	 */
 	if (iwl_mvm_has_new_tx_api(mvm))
-		iwl_mvm_enable_aux_queue(mvm);
+		iwl_mvm_enable_aux_snif_queue(mvm, &mvm->aux_queue,
+					      mvm->aux_sta.sta_id,
+					      IWL_MVM_TX_FIFO_MCAST);
 
 	return 0;
 }
@@ -1763,10 +1767,31 @@ int iwl_mvm_add_aux_sta(struct iwl_mvm *
 int iwl_mvm_add_snif_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
 {
 	struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+	int ret;
 
 	lockdep_assert_held(&mvm->mutex);
-	return iwl_mvm_add_int_sta_common(mvm, &mvm->snif_sta, vif->addr,
+
+	/* Map snif queue to fifo - must happen before adding snif station */
+	if (!iwl_mvm_has_new_tx_api(mvm))
+		iwl_mvm_enable_aux_snif_queue(mvm, &mvm->snif_queue,
+					      mvm->snif_sta.sta_id,
+					      IWL_MVM_TX_FIFO_BE);
+
+	ret = iwl_mvm_add_int_sta_common(mvm, &mvm->snif_sta, vif->addr,
 					 mvmvif->id, 0);
+	if (ret)
+		return ret;
+
+	/*
+	 * For 22000 firmware and on we cannot add queue to a station unknown
+	 * to firmware so enable queue here - after the station was added
+	 */
+	if (iwl_mvm_has_new_tx_api(mvm))
+		iwl_mvm_enable_aux_snif_queue(mvm, &mvm->snif_queue,
+					      mvm->snif_sta.sta_id,
+					      IWL_MVM_TX_FIFO_BE);
+
+	return 0;
 }
 
 int iwl_mvm_rm_snif_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
@@ -1775,6 +1800,8 @@ int iwl_mvm_rm_snif_sta(struct iwl_mvm *
 
 	lockdep_assert_held(&mvm->mutex);
 
+	iwl_mvm_disable_txq(mvm, mvm->snif_queue, mvm->snif_queue,
+			    IWL_MAX_TID_COUNT, 0);
 	ret = iwl_mvm_rm_sta_common(mvm, mvm->snif_sta.sta_id);
 	if (ret)
 		IWL_WARN(mvm, "Failed sending remove station\n");
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -657,7 +657,8 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv
 			if (ap_sta_id != IWL_MVM_INVALID_STA)
 				sta_id = ap_sta_id;
 		} else if (info.control.vif->type == NL80211_IFTYPE_MONITOR) {
-			queue = mvm->aux_queue;
+			queue = mvm->snif_queue;
+			sta_id = mvm->snif_sta.sta_id;
 		}
 	}
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 069/164] iwlwifi: mvm: enable RX offloading with TKIP and WEP
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 068/164] iwlwifi: mvm: fix packet injection Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 070/164] brcmfmac: change driver unbind order of the sdio function devices Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Spinadel, Luca Coelho

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Spinadel <david.spinadel@intel.com>

commit 9d0fc5a50a0548f8e5d61243e5e5f26d5c405aef upstream.

Set the flag that indicates that ICV was stripped on if
this option was enabled in the HW.

[this is needed for the 9000-series HW to work properly]
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/iwl-trans.h |    4 +++-
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c  |   12 +++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h
@@ -117,6 +117,7 @@
 #define FH_RSCSR_FRAME_INVALID		0x55550000
 #define FH_RSCSR_FRAME_ALIGN		0x40
 #define FH_RSCSR_RPA_EN			BIT(25)
+#define FH_RSCSR_RADA_EN		BIT(26)
 #define FH_RSCSR_RXQ_POS		16
 #define FH_RSCSR_RXQ_MASK		0x3F0000
 
@@ -128,7 +129,8 @@ struct iwl_rx_packet {
 	 * 31:    flag flush RB request
 	 * 30:    flag ignore TC (terminal counter) request
 	 * 29:    flag fast IRQ request
-	 * 28-26: Reserved
+	 * 28-27: Reserved
+	 * 26:    RADA enabled
 	 * 25:    Offload enabled
 	 * 24:    RPF enabled
 	 * 23:    RSS enabled
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -232,8 +232,8 @@ static void iwl_mvm_get_signal_strength(
 
 static int iwl_mvm_rx_crypto(struct iwl_mvm *mvm, struct ieee80211_hdr *hdr,
 			     struct ieee80211_rx_status *stats,
-			     struct iwl_rx_mpdu_desc *desc, int queue,
-			     u8 *crypt_len)
+			     struct iwl_rx_mpdu_desc *desc, u32 pkt_flags,
+			     int queue, u8 *crypt_len)
 {
 	u16 status = le16_to_cpu(desc->status);
 
@@ -272,6 +272,10 @@ static int iwl_mvm_rx_crypto(struct iwl_
 		if ((status & IWL_RX_MPDU_STATUS_SEC_MASK) ==
 				IWL_RX_MPDU_STATUS_SEC_WEP)
 			*crypt_len = IEEE80211_WEP_IV_LEN;
+
+		if (pkt_flags & FH_RSCSR_RADA_EN)
+			stats->flag |= RX_FLAG_ICV_STRIPPED;
+
 		return 0;
 	case IWL_RX_MPDU_STATUS_SEC_EXT_ENC:
 		if (!(status & IWL_RX_MPDU_STATUS_MIC_OK))
@@ -812,7 +816,9 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *
 
 	rx_status = IEEE80211_SKB_RXCB(skb);
 
-	if (iwl_mvm_rx_crypto(mvm, hdr, rx_status, desc, queue, &crypt_len)) {
+	if (iwl_mvm_rx_crypto(mvm, hdr, rx_status, desc,
+			      le32_to_cpu(pkt->len_n_flags), queue,
+			      &crypt_len)) {
 		kfree_skb(skb);
 		return;
 	}

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 070/164] brcmfmac: change driver unbind order of the sdio function devices
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 069/164] iwlwifi: mvm: enable RX offloading with TKIP and WEP Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 071/164] kdb: Fix handling of kallsyms_symbol_next() return value Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Wahren, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin, Arend van Spriel, Kalle Valo

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arend Van Spriel <arend.vanspriel@broadcom.com>

commit 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 upstream.

In the function brcmf_sdio_firmware_callback() the driver is
unbound from the sdio function devices in the error path.
However, the order in which it is done resulted in a use-after-free
issue (see brcmf_ops_sdio_remove() in bcmsdh.c). Hence change
the order and first unbind sdio function #2 device and then
unbind sdio function #1 device.

Fixes: 7a51461fc2da ("brcmfmac: unbind all devices upon failure in firmware callback")
Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -4096,8 +4096,8 @@ release:
 	sdio_release_host(sdiodev->func[1]);
 fail:
 	brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
-	device_release_driver(dev);
 	device_release_driver(&sdiodev->func[2]->dev);
+	device_release_driver(dev);
 }
 
 struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 071/164] kdb: Fix handling of kallsyms_symbol_next() return value
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 070/164] brcmfmac: change driver unbind order of the sdio function devices Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 072/164] md/r5cache: move mddev_lock() out of r5c_journal_mode_set() Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Daniel Thompson, Jason Wessel

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Thompson <daniel.thompson@linaro.org>

commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream.

kallsyms_symbol_next() returns a boolean (true on success). Currently
kdb_read() tests the return value with an inequality that
unconditionally evaluates to true.

This is fixed in the obvious way and, since the conditional branch is
supposed to be unreachable, we also add a WARN_ON().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/debug/kdb/kdb_io.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/debug/kdb/kdb_io.c
+++ b/kernel/debug/kdb/kdb_io.c
@@ -350,7 +350,7 @@ poll_again:
 			}
 			kdb_printf("\n");
 			for (i = 0; i < count; i++) {
-				if (kallsyms_symbol_next(p_tmp, i) < 0)
+				if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
 					break;
 				kdb_printf("%s ", p_tmp);
 				*(p_tmp + len) = '\0';

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 072/164] md/r5cache: move mddev_lock() out of r5c_journal_mode_set()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 071/164] kdb: Fix handling of kallsyms_symbol_next() return value Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 073/164] drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Song Liu, Shaohua Li

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Song Liu <songliubraving@fb.com>

commit ff35f58e8f8eb520367879a0ccc6f2ec4b62b17b upstream.

r5c_journal_mode_set() is called by r5c_journal_mode_store() and
raid_ctr() in dm-raid. We don't need mddev_lock() when calling from
raid_ctr(). This patch fixes this by moves the mddev_lock() to
r5c_journal_mode_store().

Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5-cache.c |   22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

--- a/drivers/md/raid5-cache.c
+++ b/drivers/md/raid5-cache.c
@@ -2571,31 +2571,22 @@ static ssize_t r5c_journal_mode_show(str
 int r5c_journal_mode_set(struct mddev *mddev, int mode)
 {
 	struct r5conf *conf;
-	int err;
 
 	if (mode < R5C_JOURNAL_MODE_WRITE_THROUGH ||
 	    mode > R5C_JOURNAL_MODE_WRITE_BACK)
 		return -EINVAL;
 
-	err = mddev_lock(mddev);
-	if (err)
-		return err;
 	conf = mddev->private;
-	if (!conf || !conf->log) {
-		mddev_unlock(mddev);
+	if (!conf || !conf->log)
 		return -ENODEV;
-	}
 
 	if (raid5_calc_degraded(conf) > 0 &&
-	    mode == R5C_JOURNAL_MODE_WRITE_BACK) {
-		mddev_unlock(mddev);
+	    mode == R5C_JOURNAL_MODE_WRITE_BACK)
 		return -EINVAL;
-	}
 
 	mddev_suspend(mddev);
 	conf->log->r5c_journal_mode = mode;
 	mddev_resume(mddev);
-	mddev_unlock(mddev);
 
 	pr_debug("md/raid:%s: setting r5c cache mode to %d: %s\n",
 		 mdname(mddev), mode, r5c_journal_mode_str[mode]);
@@ -2608,6 +2599,7 @@ static ssize_t r5c_journal_mode_store(st
 {
 	int mode = ARRAY_SIZE(r5c_journal_mode_str);
 	size_t len = length;
+	int ret;
 
 	if (len < 2)
 		return -EINVAL;
@@ -2619,8 +2611,12 @@ static ssize_t r5c_journal_mode_store(st
 		if (strlen(r5c_journal_mode_str[mode]) == len &&
 		    !strncmp(page, r5c_journal_mode_str[mode], len))
 			break;
-
-	return r5c_journal_mode_set(mddev, mode) ?: length;
+	ret = mddev_lock(mddev);
+	if (ret)
+		return ret;
+	ret = r5c_journal_mode_set(mddev, mode);
+	mddev_unlock(mddev);
+	return ret ?: length;
 }
 
 struct md_sysfs_entry

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 073/164] drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 072/164] md/r5cache: move mddev_lock() out of r5c_journal_mode_set() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 074/164] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Misha Komarovskiy, Marek Szyprowski,
	Archit Taneja

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit 510353a63796d467b41237ab4f136136f68c297d upstream.

get_modes() callback might be called asynchronously from the DRM core and
it is not synchronized with bridge_enable(), which sets proper runtime PM
state of the main DP device. Fix this by calling pm_runtime_get_sync()
before calling drm_get_edid(), which in turn calls drm_dp_i2c_xfer() and
analogix_dp_transfer() to ensure that main DP device is runtime active
when doing any access to its registers.

This fixes the following kernel issue on Samsung Exynos5250 Snow board:
Unhandled fault: imprecise external abort (0x406) at 0x00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: : 406 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 PID: 62 Comm: kworker/0:2 Not tainted 4.13.0-rc2-00364-g4a97a3da420b #3357
Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
Workqueue: events output_poll_execute
task: edc14800 task.stack: edcb2000
PC is at analogix_dp_transfer+0x15c/0x2fc
LR is at analogix_dp_transfer+0x134/0x2fc
pc : [<c0468538>]    lr : [<c0468510>]    psr: 60000013
sp : edcb3be8  ip : 0000002a  fp : 00000001
r10: 00000000  r9 : edcb3cd8  r8 : edcb3c40
r7 : 00000000  r6 : edd3b380  r5 : edd3b010  r4 : 00000064
r3 : 00000000  r2 : f0ad3000  r1 : edcb3c40  r0 : edd3b010
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 4000406a  DAC: 00000051
Process kworker/0:2 (pid: 62, stack limit = 0xedcb2210)
Stack: (0xedcb3be8 to 0xedcb4000)
[<c0468538>] (analogix_dp_transfer) from [<c0424ba4>] (drm_dp_i2c_do_msg+0x8c/0x2b4)
[<c0424ba4>] (drm_dp_i2c_do_msg) from [<c0424e64>] (drm_dp_i2c_xfer+0x98/0x214)
[<c0424e64>] (drm_dp_i2c_xfer) from [<c057b2d8>] (__i2c_transfer+0x140/0x29c)
[<c057b2d8>] (__i2c_transfer) from [<c057b4a4>] (i2c_transfer+0x70/0xe4)
[<c057b4a4>] (i2c_transfer) from [<c0441de4>] (drm_do_probe_ddc_edid+0xb4/0x114)
[<c0441de4>] (drm_do_probe_ddc_edid) from [<c0441e5c>] (drm_probe_ddc+0x18/0x28)
[<c0441e5c>] (drm_probe_ddc) from [<c0445728>] (drm_get_edid+0x124/0x2d4)
[<c0445728>] (drm_get_edid) from [<c0465ea0>] (analogix_dp_get_modes+0x90/0x114)
[<c0465ea0>] (analogix_dp_get_modes) from [<c0425e8c>] (drm_helper_probe_single_connector_modes+0x198/0x68c)
[<c0425e8c>] (drm_helper_probe_single_connector_modes) from [<c04325d4>] (drm_setup_crtcs+0x1b4/0xd18)
[<c04325d4>] (drm_setup_crtcs) from [<c04344a8>] (drm_fb_helper_hotplug_event+0x94/0xd0)
[<c04344a8>] (drm_fb_helper_hotplug_event) from [<c0425a50>] (drm_kms_helper_hotplug_event+0x24/0x28)
[<c0425a50>] (drm_kms_helper_hotplug_event) from [<c04263ec>] (output_poll_execute+0x6c/0x174)
[<c04263ec>] (output_poll_execute) from [<c0136f18>] (process_one_work+0x188/0x3fc)
[<c0136f18>] (process_one_work) from [<c01371f4>] (worker_thread+0x30/0x4b8)
[<c01371f4>] (worker_thread) from [<c013daf8>] (kthread+0x128/0x164)
[<c013daf8>] (kthread) from [<c0108510>] (ret_from_fork+0x14/0x24)
Code: 0a000002 ea000009 e2544001 0a00004a (e59537c8)
---[ end trace cddc7919c79f7878 ]---

Reported-by: Misha Komarovskiy <zombah@gmail.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Archit Taneja <architt@codeaurora.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20171121074936.22520-1-m.szyprowski@samsung.com

---
 drivers/gpu/drm/bridge/analogix/analogix_dp_core.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
+++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
@@ -946,7 +946,9 @@ static int analogix_dp_get_modes(struct
 			return 0;
 		}
 
+		pm_runtime_get_sync(dp->dev);
 		edid = drm_get_edid(connector, &dp->aux.ddc);
+		pm_runtime_put(dp->dev);
 		if (edid) {
 			drm_mode_connector_update_edid_property(&dp->connector,
 								edid);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 074/164] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 073/164] drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 076/164] drm: safely free connectors from connector_iter Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Inki Dae

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit 120a264f9c2782682027d931d83dcbd22e01da80 upstream.

When no IOMMU is available, all GEM buffers allocated by Exynos DRM driver
are contiguous, because of the underlying dma_alloc_attrs() function
provides only such buffers. In such case it makes no sense to keep
BO_NONCONTIG flag for the allocated GEM buffers. This allows to avoid
failures for buffer contiguity checks in the subsequent operations on GEM
objects.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/exynos/exynos_drm_gem.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/gpu/drm/exynos/exynos_drm_gem.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c
@@ -247,6 +247,15 @@ struct exynos_drm_gem *exynos_drm_gem_cr
 	if (IS_ERR(exynos_gem))
 		return exynos_gem;
 
+	if (!is_drm_iommu_supported(dev) && (flags & EXYNOS_BO_NONCONTIG)) {
+		/*
+		 * when no IOMMU is available, all allocated buffers are
+		 * contiguous anyway, so drop EXYNOS_BO_NONCONTIG flag
+		 */
+		flags &= ~EXYNOS_BO_NONCONTIG;
+		DRM_WARN("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n");
+	}
+
 	/* set memory type and cache attribute from user side. */
 	exynos_gem->flags = flags;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 076/164] drm: safely free connectors from connector_iter
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 074/164] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 077/164] media: dvb: i2c transfers over usb cannot be done from stack Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Widawsky, Dave Airlie,
	Chris Wilson, Sean Paul, Daniel Vetter

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Vetter <daniel.vetter@ffwll.ch>

commit a703c55004e1c5076d57e43771b3e11117796ea0 upstream.

In

commit 613051dac40da1751ab269572766d3348d45a197
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Wed Dec 14 00:08:06 2016 +0100

    drm: locking&new iterators for connector_list

we've went to extreme lengths to make sure connector iterations works
in any context, without introducing any additional locking context.
This worked, except for a small fumble in the implementation:

When we actually race with a concurrent connector unplug event, and
our temporary connector reference turns out to be the final one, then
everything breaks: We call the connector release function from
whatever context we happen to be in, which can be an irq/atomic
context. And connector freeing grabs all kinds of locks and stuff.

Fix this by creating a specially safe put function for connetor_iter,
which (in this rare case) punts the cleanup to a worker.

Reported-by: Ben Widawsky <ben@bwidawsk.net>
Cc: Ben Widawsky <ben@bwidawsk.net>
Fixes: 613051dac40d ("drm: locking&new iterators for connector_list")
Cc: Dave Airlie <airlied@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Sean Paul <seanpaul@chromium.org>
Reviewed-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171204204818.24745-1-daniel.vetter@ffwll.ch
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_connector.c   |   28 ++++++++++++++++++++++++++--
 drivers/gpu/drm/drm_mode_config.c |    2 ++
 include/drm/drm_connector.h       |    8 ++++++++
 3 files changed, 36 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/drm_connector.c
+++ b/drivers/gpu/drm/drm_connector.c
@@ -152,6 +152,16 @@ static void drm_connector_free(struct kr
 	connector->funcs->destroy(connector);
 }
 
+static void drm_connector_free_work_fn(struct work_struct *work)
+{
+	struct drm_connector *connector =
+		container_of(work, struct drm_connector, free_work);
+	struct drm_device *dev = connector->dev;
+
+	drm_mode_object_unregister(dev, &connector->base);
+	connector->funcs->destroy(connector);
+}
+
 /**
  * drm_connector_init - Init a preallocated connector
  * @dev: DRM device
@@ -181,6 +191,8 @@ int drm_connector_init(struct drm_device
 	if (ret)
 		return ret;
 
+	INIT_WORK(&connector->free_work, drm_connector_free_work_fn);
+
 	connector->base.properties = &connector->properties;
 	connector->dev = dev;
 	connector->funcs = funcs;
@@ -525,6 +537,18 @@ void drm_connector_list_iter_begin(struc
 }
 EXPORT_SYMBOL(drm_connector_list_iter_begin);
 
+/*
+ * Extra-safe connector put function that works in any context. Should only be
+ * used from the connector_iter functions, where we never really expect to
+ * actually release the connector when dropping our final reference.
+ */
+static void
+drm_connector_put_safe(struct drm_connector *conn)
+{
+	if (refcount_dec_and_test(&conn->base.refcount.refcount))
+		schedule_work(&conn->free_work);
+}
+
 /**
  * drm_connector_list_iter_next - return next connector
  * @iter: connectr_list iterator
@@ -557,7 +581,7 @@ drm_connector_list_iter_next(struct drm_
 	spin_unlock_irqrestore(&config->connector_list_lock, flags);
 
 	if (old_conn)
-		drm_connector_put(old_conn);
+		drm_connector_put_safe(old_conn);
 
 	return iter->conn;
 }
@@ -576,7 +600,7 @@ void drm_connector_list_iter_end(struct
 {
 	iter->dev = NULL;
 	if (iter->conn)
-		drm_connector_put(iter->conn);
+		drm_connector_put_safe(iter->conn);
 	lock_release(&connector_list_iter_dep_map, 0, _RET_IP_);
 }
 EXPORT_SYMBOL(drm_connector_list_iter_end);
--- a/drivers/gpu/drm/drm_mode_config.c
+++ b/drivers/gpu/drm/drm_mode_config.c
@@ -428,6 +428,8 @@ void drm_mode_config_cleanup(struct drm_
 		drm_connector_put(connector);
 	}
 	drm_connector_list_iter_end(&conn_iter);
+	/* connector_iter drops references in a work item. */
+	flush_scheduled_work();
 	if (WARN_ON(!list_empty(&dev->mode_config.connector_list))) {
 		drm_connector_list_iter_begin(dev, &conn_iter);
 		drm_for_each_connector_iter(connector, &conn_iter)
--- a/include/drm/drm_connector.h
+++ b/include/drm/drm_connector.h
@@ -905,6 +905,14 @@ struct drm_connector {
 	uint8_t num_h_tile, num_v_tile;
 	uint8_t tile_h_loc, tile_v_loc;
 	uint16_t tile_h_size, tile_v_size;
+
+	/**
+	 * @free_work:
+	 *
+	 * Work used only by &drm_connector_iter to be able to clean up a
+	 * connector from any context.
+	 */
+	struct work_struct free_work;
 };
 
 #define obj_to_connector(x) container_of(x, struct drm_connector, base)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 077/164] media: dvb: i2c transfers over usb cannot be done from stack
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 076/164] drm: safely free connectors from connector_iter Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 078/164] media: rc: sir_ir: detect presence of port Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laurent Caumont, Sean Young,
	Mauro Carvalho Chehab

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Caumont <lcaumont2@gmail.com>

commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.

Signed-off-by: Laurent Caumont <lcaumont2@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb/dibusb-common.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/dvb-usb/dibusb-common.c
+++ b/drivers/media/usb/dvb-usb/dibusb-common.c
@@ -223,8 +223,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
 
 int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
 {
-	u8 wbuf[1] = { offs };
-	return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
+	u8 *buf;
+	int rc;
+
+	buf = kmalloc(2, GFP_KERNEL);
+	if (!buf)
+		return -ENOMEM;
+
+	buf[0] = offs;
+
+	rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
+	*val = buf[1];
+	kfree(buf);
+
+	return rc;
 }
 EXPORT_SYMBOL(dibusb_read_eeprom_byte);
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 078/164] media: rc: sir_ir: detect presence of port
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 077/164] media: dvb: i2c transfers over usb cannot be done from stack Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 079/164] media: rc: partial revert of "media: rc: per-protocol repeat period" Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Sean Young,
	Mauro Carvalho Chehab

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>

commit 30b4e122d71cbec2944a5f8b558b88936ee42f10 upstream.

Without this test, sir_ir clumsy claims resources for a device which
does not exist.

The 0-day kernel test robot reports the following errors (in a loop):
	sir_ir sir_ir.0: Trapped in interrupt
	genirq: Flags mismatch irq 4. 00000000 (ttyS0) vs. 00000000 (sir_ir)

When sir_ir is loaded with the default io and irq, the following happens:
 - sir_ir claims irq 4
 - user space opens /dev/ttyS0
 - in serial8250_do_startup(), some setup is done for ttyS0, which causes
   irq 4 to fire (in THRE test)
 - sir_ir does not realise it was not for it, and spins until the "trapped
   in interrupt"
 - now serial driver calls setup_irq() and fails and we get the
   "Flags mismatch" error.

There is no port present at 0x3e8 so simply check for the presence of a
port, as suggested by Linus.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/rc/sir_ir.c |   40 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)

--- a/drivers/media/rc/sir_ir.c
+++ b/drivers/media/rc/sir_ir.c
@@ -57,7 +57,7 @@ static void add_read_queue(int flag, uns
 static irqreturn_t sir_interrupt(int irq, void *dev_id);
 static void send_space(unsigned long len);
 static void send_pulse(unsigned long len);
-static void init_hardware(void);
+static int init_hardware(void);
 static void drop_hardware(void);
 /* Initialisation */
 
@@ -263,11 +263,36 @@ static void send_pulse(unsigned long len
 	}
 }
 
-static void init_hardware(void)
+static int init_hardware(void)
 {
+	u8 scratch, scratch2, scratch3;
 	unsigned long flags;
 
 	spin_lock_irqsave(&hardware_lock, flags);
+
+	/*
+	 * This is a simple port existence test, borrowed from the autoconfig
+	 * function in drivers/tty/serial/8250/8250_port.c
+	 */
+	scratch = sinp(UART_IER);
+	soutp(UART_IER, 0);
+#ifdef __i386__
+	outb(0xff, 0x080);
+#endif
+	scratch2 = sinp(UART_IER) & 0x0f;
+	soutp(UART_IER, 0x0f);
+#ifdef __i386__
+	outb(0x00, 0x080);
+#endif
+	scratch3 = sinp(UART_IER) & 0x0f;
+	soutp(UART_IER, scratch);
+	if (scratch2 != 0 || scratch3 != 0x0f) {
+		/* we fail, there's nothing here */
+		spin_unlock_irqrestore(&hardware_lock, flags);
+		pr_err("port existence test failed, cannot continue\n");
+		return -ENODEV;
+	}
+
 	/* reset UART */
 	outb(0, io + UART_MCR);
 	outb(0, io + UART_IER);
@@ -285,6 +310,8 @@ static void init_hardware(void)
 	/* turn on UART */
 	outb(UART_MCR_DTR | UART_MCR_RTS | UART_MCR_OUT2, io + UART_MCR);
 	spin_unlock_irqrestore(&hardware_lock, flags);
+
+	return 0;
 }
 
 static void drop_hardware(void)
@@ -334,14 +361,19 @@ static int sir_ir_probe(struct platform_
 		pr_err("IRQ %d already in use.\n", irq);
 		return retval;
 	}
+
+	retval = init_hardware();
+	if (retval) {
+		del_timer_sync(&timerlist);
+		return retval;
+	}
+
 	pr_info("I/O port 0x%.4x, IRQ %d.\n", io, irq);
 
 	retval = devm_rc_register_device(&sir_ir_dev->dev, rcdev);
 	if (retval < 0)
 		return retval;
 
-	init_hardware();
-
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 079/164] media: rc: partial revert of "media: rc: per-protocol repeat period"
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 078/164] media: rc: sir_ir: detect presence of port Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 080/164] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Reichl, Sean Young,
	Mauro Carvalho Chehab

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>

commit 67f0f15ad5c47490e19f2526f8f9cea97c5ce1a6 upstream.

Since commit d57ea877af38 ("media: rc: per-protocol repeat period"), most
IR protocols have a lower keyup timeout. This causes problems on the
ite-cir, which has default IR timeout of 200ms.

Since the IR decoders read the trailing space, with a IR timeout of 200ms,
the last keydown will have at least a delay of 200ms. This is more than
the protocol timeout of e.g. rc-6 (which is 164ms). As a result the last
IR will be interpreted as a new keydown event, and we get two keypresses.

Revert the protocol timeout to 250ms, except for cec which needs a timeout
of 550ms.

Fixes: d57ea877af38 ("media: rc: per-protocol repeat period")

Reported-by: Matthias Reichl <hias@horus.com>
Signed-off-by: Sean Young <sean@mess.org>
Tested-by: Matthias Reichl <hias@horus.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/rc/rc-main.c |   32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -38,41 +38,41 @@ static const struct {
 	[RC_PROTO_UNKNOWN] = { .name = "unknown", .repeat_period = 250 },
 	[RC_PROTO_OTHER] = { .name = "other", .repeat_period = 250 },
 	[RC_PROTO_RC5] = { .name = "rc-5",
-		.scancode_bits = 0x1f7f, .repeat_period = 164 },
+		.scancode_bits = 0x1f7f, .repeat_period = 250 },
 	[RC_PROTO_RC5X_20] = { .name = "rc-5x-20",
-		.scancode_bits = 0x1f7f3f, .repeat_period = 164 },
+		.scancode_bits = 0x1f7f3f, .repeat_period = 250 },
 	[RC_PROTO_RC5_SZ] = { .name = "rc-5-sz",
-		.scancode_bits = 0x2fff, .repeat_period = 164 },
+		.scancode_bits = 0x2fff, .repeat_period = 250 },
 	[RC_PROTO_JVC] = { .name = "jvc",
 		.scancode_bits = 0xffff, .repeat_period = 250 },
 	[RC_PROTO_SONY12] = { .name = "sony-12",
-		.scancode_bits = 0x1f007f, .repeat_period = 100 },
+		.scancode_bits = 0x1f007f, .repeat_period = 250 },
 	[RC_PROTO_SONY15] = { .name = "sony-15",
-		.scancode_bits = 0xff007f, .repeat_period = 100 },
+		.scancode_bits = 0xff007f, .repeat_period = 250 },
 	[RC_PROTO_SONY20] = { .name = "sony-20",
-		.scancode_bits = 0x1fff7f, .repeat_period = 100 },
+		.scancode_bits = 0x1fff7f, .repeat_period = 250 },
 	[RC_PROTO_NEC] = { .name = "nec",
-		.scancode_bits = 0xffff, .repeat_period = 160 },
+		.scancode_bits = 0xffff, .repeat_period = 250 },
 	[RC_PROTO_NECX] = { .name = "nec-x",
-		.scancode_bits = 0xffffff, .repeat_period = 160 },
+		.scancode_bits = 0xffffff, .repeat_period = 250 },
 	[RC_PROTO_NEC32] = { .name = "nec-32",
-		.scancode_bits = 0xffffffff, .repeat_period = 160 },
+		.scancode_bits = 0xffffffff, .repeat_period = 250 },
 	[RC_PROTO_SANYO] = { .name = "sanyo",
 		.scancode_bits = 0x1fffff, .repeat_period = 250 },
 	[RC_PROTO_MCIR2_KBD] = { .name = "mcir2-kbd",
-		.scancode_bits = 0xffff, .repeat_period = 150 },
+		.scancode_bits = 0xffff, .repeat_period = 250 },
 	[RC_PROTO_MCIR2_MSE] = { .name = "mcir2-mse",
-		.scancode_bits = 0x1fffff, .repeat_period = 150 },
+		.scancode_bits = 0x1fffff, .repeat_period = 250 },
 	[RC_PROTO_RC6_0] = { .name = "rc-6-0",
-		.scancode_bits = 0xffff, .repeat_period = 164 },
+		.scancode_bits = 0xffff, .repeat_period = 250 },
 	[RC_PROTO_RC6_6A_20] = { .name = "rc-6-6a-20",
-		.scancode_bits = 0xfffff, .repeat_period = 164 },
+		.scancode_bits = 0xfffff, .repeat_period = 250 },
 	[RC_PROTO_RC6_6A_24] = { .name = "rc-6-6a-24",
-		.scancode_bits = 0xffffff, .repeat_period = 164 },
+		.scancode_bits = 0xffffff, .repeat_period = 250 },
 	[RC_PROTO_RC6_6A_32] = { .name = "rc-6-6a-32",
-		.scancode_bits = 0xffffffff, .repeat_period = 164 },
+		.scancode_bits = 0xffffffff, .repeat_period = 250 },
 	[RC_PROTO_RC6_MCE] = { .name = "rc-6-mce",
-		.scancode_bits = 0xffff7fff, .repeat_period = 164 },
+		.scancode_bits = 0xffff7fff, .repeat_period = 250 },
 	[RC_PROTO_SHARP] = { .name = "sharp",
 		.scancode_bits = 0x1fff, .repeat_period = 250 },
 	[RC_PROTO_XMP] = { .name = "xmp", .repeat_period = 250 },

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 080/164] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 079/164] media: rc: partial revert of "media: rc: per-protocol repeat period" Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 081/164] arm: KVM: Fix " Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suzuki K Poulose, Christoffer Dall,
	Kristina Martsenko, Marc Zyngier

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kristina Martsenko <kristina.martsenko@arm.com>

commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream.

VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
VTTBR address. It seems to currently be off by one, thereby only
allowing up to 47-bit addresses (instead of 48-bit) and also
insufficiently checking the alignment. This patch fixes it.

As an example, with 4k pages, before this patch we have:

  PHYS_MASK_SHIFT = 48
  VTTBR_X = 37 - 24 = 13
  VTTBR_BADDR_SHIFT = 13 - 1 = 12
  VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000

Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
address to be set, and only requires the address to be 12-bit (4k)
aligned, while it actually needs to be 13-bit (8k) aligned because we
concatenate two 4k tables.

With this patch, the mask becomes 0x0000ffffffffe000, which is what we
want.

Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions")
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/kvm_arm.h |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm64/include/asm/kvm_arm.h
+++ b/arch/arm64/include/asm/kvm_arm.h
@@ -170,8 +170,7 @@
 #define VTCR_EL2_FLAGS			(VTCR_EL2_COMMON_BITS | VTCR_EL2_TGRAN_FLAGS)
 #define VTTBR_X				(VTTBR_X_TGRAN_MAGIC - VTCR_EL2_T0SZ_IPA)
 
-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
-#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
+#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X)
 #define VTTBR_VMID_SHIFT  (UL(48))
 #define VTTBR_VMID_MASK(size) (_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 081/164] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 080/164] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 083/164] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kristina Martsenko, Christoffer Dall,
	Marc Zyngier

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream.

VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
VTTBR address. It seems to currently be off by one, thereby only
allowing up to 39-bit addresses (instead of 40-bit) and also
insufficiently checking the alignment. This patch fixes it.

This patch is the 32bit pendent of Kristina's arm64 fix, and
she deserves the actual kudos for pinpointing that one.

Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation")
Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/include/asm/kvm_arm.h |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/include/asm/kvm_arm.h
+++ b/arch/arm/include/asm/kvm_arm.h
@@ -161,8 +161,7 @@
 #else
 #define VTTBR_X		(5 - KVM_T0SZ)
 #endif
-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
-#define VTTBR_BADDR_MASK  (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
+#define VTTBR_BADDR_MASK  (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_X)
 #define VTTBR_VMID_SHIFT  _AC(48, ULL)
 #define VTTBR_VMID_MASK(size)	(_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 083/164] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 081/164] arm: KVM: Fix " Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 084/164] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christoffer Dall

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoffer Dall <christoffer.dall@linaro.org>

commit fc396e066318c0a02208c1d3f0b62950a7714999 upstream.

We are incorrectly rearranging 32-bit words inside a 64-bit typed value
for big endian systems, which would result in never marking a virtual
interrupt as inactive on big endian systems (assuming 32 or fewer LRs on
the hardware).  Fix this by not doing any word order manipulation for
the typed values.

Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/hyp/vgic-v2-sr.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/virt/kvm/arm/hyp/vgic-v2-sr.c
+++ b/virt/kvm/arm/hyp/vgic-v2-sr.c
@@ -34,11 +34,7 @@ static void __hyp_text save_elrsr(struct
 	else
 		elrsr1 = 0;
 
-#ifdef CONFIG_CPU_BIG_ENDIAN
-	cpu_if->vgic_elrsr = ((u64)elrsr0 << 32) | elrsr1;
-#else
 	cpu_if->vgic_elrsr = ((u64)elrsr1 << 32) | elrsr0;
-#endif
 }
 
 static void __hyp_text save_lrs(struct kvm_vcpu *vcpu, void __iomem *base)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 084/164] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 083/164] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 085/164] KVM: arm/arm64: vgic: Preserve the revious read from the pending table Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, AKASHI Takahiro, Christoffer Dall,
	Marc Zyngier

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 150009e2c70cc3c6e97f00e7595055765d32fb85 upstream.

Using the size of the structure we're allocating is a good idea
and avoids any surprise... In this case, we're happilly confusing
kvm_kernel_irq_routing_entry and kvm_irq_routing_entry...

Fixes: 95b110ab9a09 ("KVM: arm/arm64: Enable irqchip routing")
Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/vgic/vgic-irqfd.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/virt/kvm/arm/vgic/vgic-irqfd.c
+++ b/virt/kvm/arm/vgic/vgic-irqfd.c
@@ -112,8 +112,7 @@ int kvm_vgic_setup_default_irq_routing(s
 	u32 nr = dist->nr_spis;
 	int i, ret;
 
-	entries = kcalloc(nr, sizeof(struct kvm_kernel_irq_routing_entry),
-			  GFP_KERNEL);
+	entries = kcalloc(nr, sizeof(*entries), GFP_KERNEL);
 	if (!entries)
 		return -ENOMEM;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 085/164] KVM: arm/arm64: vgic: Preserve the revious read from the pending table
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 084/164] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 086/164] KVM: arm/arm64: vgic-its: Check result of allocation before use Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, AKASHI Takahiro, Christoffer Dall,
	Marc Zyngier

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit ddb4b0102cb9cdd2398d98b3e1e024e08a2f4239 upstream.

The current pending table parsing code assumes that we keep the
previous read of the pending bits, but keep that variable in
the current block, making sure it is discarded on each loop.

We end-up using whatever is on the stack. Who knows, it might
just be the right thing...

Fixes: 280771252c1ba ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES")
Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/vgic/vgic-v3.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/virt/kvm/arm/vgic/vgic-v3.c
+++ b/virt/kvm/arm/vgic/vgic-v3.c
@@ -324,13 +324,13 @@ int vgic_v3_save_pending_tables(struct k
 	int last_byte_offset = -1;
 	struct vgic_irq *irq;
 	int ret;
+	u8 val;
 
 	list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) {
 		int byte_offset, bit_nr;
 		struct kvm_vcpu *vcpu;
 		gpa_t pendbase, ptr;
 		bool stored;
-		u8 val;
 
 		vcpu = irq->target_vcpu;
 		if (!vcpu)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 086/164] KVM: arm/arm64: vgic-its: Check result of allocation before use
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 085/164] KVM: arm/arm64: vgic: Preserve the revious read from the pending table Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 087/164] arm64: fpsimd: Prevent registers leaking from dead tasks Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, AKASHI Takahiro, Christoffer Dall,
	Marc Zyngier

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 686f294f2f1ae40705283dd413ca1e4c14f20f93 upstream.

We miss a test against NULL after allocation.

Fixes: 6d03a68f8054 ("KVM: arm64: vgic-its: Turn device_id validation into generic ID validation")
Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/vgic/vgic-its.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/virt/kvm/arm/vgic/vgic-its.c
+++ b/virt/kvm/arm/vgic/vgic-its.c
@@ -775,6 +775,8 @@ static int vgic_its_alloc_collection(str
 		return E_ITS_MAPC_COLLECTION_OOR;
 
 	collection = kzalloc(sizeof(*collection), GFP_KERNEL);
+	if (!collection)
+		return -ENOMEM;
 
 	collection->collection_id = coll_id;
 	collection->target_addr = COLLECTION_NOT_MAPPED;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 087/164] arm64: fpsimd: Prevent registers leaking from dead tasks
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 086/164] KVM: arm/arm64: vgic-its: Check result of allocation before use Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 088/164] arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Martin, Ard Biesheuvel, Will Deacon

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.

Currently, loading of a task's fpsimd state into the CPU registers
is skipped if that task's state is already present in the registers
of that CPU.

However, the code relies on the struct fpsimd_state * (and by
extension struct task_struct *) to unambiguously identify a task.

There is a particular case in which this doesn't work reliably:
when a task exits, its task_struct may be recycled to describe a
new task.

Consider the following scenario:

 1) Task P loads its fpsimd state onto cpu C.
        per_cpu(fpsimd_last_state, C) := P;
        P->thread.fpsimd_state.cpu := C;

 2) Task X is scheduled onto C and loads its fpsimd state on C.
        per_cpu(fpsimd_last_state, C) := X;
        X->thread.fpsimd_state.cpu := C;

 3) X exits, causing X's task_struct to be freed.

 4) P forks a new child T, which obtains X's recycled task_struct.
	T == X.
	T->thread.fpsimd_state.cpu == C (inherited from P).

 5) T is scheduled on C.
	T's fpsimd state is not loaded, because
	per_cpu(fpsimd_last_state, C) == T (== X) &&
	T->thread.fpsimd_state.cpu == C.

        (This is the check performed by fpsimd_thread_switch().)

So, T gets X's registers because the last registers loaded onto C
were those of X, in (2).

This patch fixes the problem by ensuring that the sched-in check
fails in (5): fpsimd_flush_task_state(T) is called when T is
forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
This relies on the fact that T is not schedulable until after
copy_thread() completes.

Once T's fpsimd state has been loaded on some CPU C there may still
be other cpus D for which per_cpu(fpsimd_last_state, D) ==
&X->thread.fpsimd_state.  But D is necessarily != C in this case,
and the check in (5) must fail.

An alternative fix would be to do refcounting on task_struct.  This
would result in each CPU holding a reference to the last task whose
fpsimd state was loaded there.  It's not clear whether this is
preferable, and it involves higher overhead than the fix proposed
in this patch.  It would also move all the task_struct freeing
work into the context switch critical section, or otherwise some
deferred cleanup mechanism would need to be introduced, neither of
which seems obviously justified.

Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[will: word-smithed the comment so it makes more sense]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/process.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -258,6 +258,15 @@ int copy_thread(unsigned long clone_flag
 
 	memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context));
 
+	/*
+	 * In case p was allocated the same task_struct pointer as some
+	 * other recently-exited task, make sure p is disassociated from
+	 * any cpu that may have run that now-exited task recently.
+	 * Otherwise we could erroneously skip reloading the FPSIMD
+	 * registers for p.
+	 */
+	fpsimd_flush_task_state(p);
+
 	if (likely(!(p->flags & PF_KTHREAD))) {
 		*childregs = *current_pt_regs();
 		childregs->regs[0] = 0;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 088/164] arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 087/164] arm64: fpsimd: Prevent registers leaking from dead tasks Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 089/164] arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Ard Biesheuvel,
	Vinayak Menon, Catalin Marinas, Will Deacon

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 0adbdfde8cfc9415aeed2a4955d2d17b3bd9bf13 upstream.

update_saved_ttbr0 mandates that mm->pgd is not swapper, since swapper
contains kernel mappings and should never be installed into ttbr0. However,
this means that callers must avoid passing the init_mm to update_saved_ttbr0
which in turn can cause the saved ttbr0 value to be out-of-date in the context
of the idle thread. For example, EFI runtime services may leave the saved ttbr0
pointing at the EFI page table, and kernel threads may end up with stale
references to freed page tables.

This patch changes update_saved_ttbr0 so that the init_mm points the saved
ttbr0 value to the empty zero page, which always exists and never contains
valid translations. EFI and switch can then call into update_saved_ttbr0
unconditionally.

Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Vinayak Menon <vinmenon@codeaurora.org>
Fixes: 39bc88e5e38e9b21 ("arm64: Disable TTBR0_EL1 during normal kernel execution")
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Vinayak Menon <vinmenon@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/efi.h         |    4 +---
 arch/arm64/include/asm/mmu_context.h |   22 +++++++++++++---------
 2 files changed, 14 insertions(+), 12 deletions(-)

--- a/arch/arm64/include/asm/efi.h
+++ b/arch/arm64/include/asm/efi.h
@@ -132,11 +132,9 @@ static inline void efi_set_pgd(struct mm
 			 * Defer the switch to the current thread's TTBR0_EL1
 			 * until uaccess_enable(). Restore the current
 			 * thread's saved ttbr0 corresponding to its active_mm
-			 * (if different from init_mm).
 			 */
 			cpu_set_reserved_ttbr0();
-			if (current->active_mm != &init_mm)
-				update_saved_ttbr0(current, current->active_mm);
+			update_saved_ttbr0(current, current->active_mm);
 		}
 	}
 }
--- a/arch/arm64/include/asm/mmu_context.h
+++ b/arch/arm64/include/asm/mmu_context.h
@@ -174,11 +174,17 @@ enter_lazy_tlb(struct mm_struct *mm, str
 static inline void update_saved_ttbr0(struct task_struct *tsk,
 				      struct mm_struct *mm)
 {
-	if (system_uses_ttbr0_pan()) {
-		BUG_ON(mm->pgd == swapper_pg_dir);
-		task_thread_info(tsk)->ttbr0 =
-			virt_to_phys(mm->pgd) | ASID(mm) << 48;
-	}
+	u64 ttbr;
+
+	if (!system_uses_ttbr0_pan())
+		return;
+
+	if (mm == &init_mm)
+		ttbr = __pa_symbol(empty_zero_page);
+	else
+		ttbr = virt_to_phys(mm->pgd) | ASID(mm) << 48;
+
+	task_thread_info(tsk)->ttbr0 = ttbr;
 }
 #else
 static inline void update_saved_ttbr0(struct task_struct *tsk,
@@ -214,11 +220,9 @@ switch_mm(struct mm_struct *prev, struct
 	 * Update the saved TTBR0_EL1 of the scheduled-in task as the previous
 	 * value may have not been initialised yet (activate_mm caller) or the
 	 * ASID has changed since the last run (following the context switch
-	 * of another thread of the same process). Avoid setting the reserved
-	 * TTBR0_EL1 to swapper_pg_dir (init_mm; e.g. via idle_task_exit).
+	 * of another thread of the same process).
 	 */
-	if (next != &init_mm)
-		update_saved_ttbr0(tsk, next);
+	update_saved_ttbr0(tsk, next);
 }
 
 #define deactivate_mm(tsk,mm)	do { } while (0)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 089/164] arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 088/164] arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 090/164] Revert "ARM: dts: imx53: add srtc node" Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Ard Biesheuvel,
	Vinayak Menon, Catalin Marinas, Will Deacon

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit d96cc49bff5a7735576cc6f6f111f875d101cec8 upstream.

enter_lazy_tlb is called when a kernel thread rides on the back of
another mm, due to a context switch or an explicit call to unuse_mm
where a call to switch_mm is elided.

In these cases, it's important to keep the saved ttbr value up to date
with the active mm, otherwise we can end up with a stale value which
points to a potentially freed page table.

This patch implements enter_lazy_tlb for arm64, so that the saved ttbr0
is kept up-to-date with the active mm for kernel threads.

Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Vinayak Menon <vinmenon@codeaurora.org>
Fixes: 39bc88e5e38e9b21 ("arm64: Disable TTBR0_EL1 during normal kernel execution")
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Vinayak Menon <vinmenon@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/mmu_context.h |   24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

--- a/arch/arm64/include/asm/mmu_context.h
+++ b/arch/arm64/include/asm/mmu_context.h
@@ -156,20 +156,6 @@ void check_and_switch_context(struct mm_
 
 #define init_new_context(tsk,mm)	({ atomic64_set(&(mm)->context.id, 0); 0; })
 
-/*
- * This is called when "tsk" is about to enter lazy TLB mode.
- *
- * mm:  describes the currently active mm context
- * tsk: task which is entering lazy tlb
- * cpu: cpu number which is entering lazy tlb
- *
- * tsk->mm will be NULL
- */
-static inline void
-enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
-{
-}
-
 #ifdef CONFIG_ARM64_SW_TTBR0_PAN
 static inline void update_saved_ttbr0(struct task_struct *tsk,
 				      struct mm_struct *mm)
@@ -193,6 +179,16 @@ static inline void update_saved_ttbr0(st
 }
 #endif
 
+static inline void
+enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
+{
+	/*
+	 * We don't actually care about the ttbr0 mapping, so point it at the
+	 * zero page.
+	 */
+	update_saved_ttbr0(tsk, &init_mm);
+}
+
 static inline void __switch_mm(struct mm_struct *next)
 {
 	unsigned int cpu = smp_processor_id();

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 090/164] Revert "ARM: dts: imx53: add srtc node"
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 089/164] arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 091/164] bus: arm-cci: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Noel Vellemans, Juergen Borleis,
	Fabio Estevam, Shawn Guo

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio Estevam <fabio.estevam@nxp.com>

commit e501506d3ea00eefa64463ebd9e5c13ee70990bd upstream.

This reverts commit 5b725054147deaf966b3919e10a86c6bfe946a18.

The rtc block on i.MX53 is a completely different hardware than the
one found on i.MX25.

Reported-by: Noel Vellemans <Noel.Vellemans@visionbms.com>
Suggested-by: Juergen Borleis <jbe@pengutronix.de>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx53.dtsi |    9 ---------
 1 file changed, 9 deletions(-)

--- a/arch/arm/boot/dts/imx53.dtsi
+++ b/arch/arm/boot/dts/imx53.dtsi
@@ -433,15 +433,6 @@
 				clock-names = "ipg", "per";
 			};
 
-			srtc: srtc@53fa4000 {
-				compatible = "fsl,imx53-rtc", "fsl,imx25-rtc";
-				reg = <0x53fa4000 0x4000>;
-				interrupts = <24>;
-				interrupt-parent = <&tzic>;
-				clocks = <&clks IMX5_CLK_SRTC_GATE>;
-				clock-names = "ipg";
-			};
-
 			iomuxc: iomuxc@53fa8000 {
 				compatible = "fsl,imx53-iomuxc";
 				reg = <0x53fa8000 0x4000>;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 091/164] bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 090/164] Revert "ARM: dts: imx53: add srtc node" Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 092/164] bus: arm-ccn: Check memory allocation failure Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Mark Rutland, Pawel Moll

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 4608af8aa53e7f3922ddee695d023b7bcd5cb35b upstream.

The ARM CCI driver seem to be using smp_processor_id() in a
preemptible context, which is likely to make a DEBUG_PREMPT
kernel scream at boot time.

Turn this into a get_cpu()/put_cpu() that extends over the CPU
hotplug registration, making sure that we don't race against
a CPU down operation.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-cci.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/bus/arm-cci.c
+++ b/drivers/bus/arm-cci.c
@@ -1755,14 +1755,17 @@ static int cci_pmu_probe(struct platform
 	raw_spin_lock_init(&cci_pmu->hw_events.pmu_lock);
 	mutex_init(&cci_pmu->reserve_mutex);
 	atomic_set(&cci_pmu->active_events, 0);
-	cpumask_set_cpu(smp_processor_id(), &cci_pmu->cpus);
+	cpumask_set_cpu(get_cpu(), &cci_pmu->cpus);
 
 	ret = cci_pmu_init(cci_pmu, pdev);
-	if (ret)
+	if (ret) {
+		put_cpu();
 		return ret;
+	}
 
 	cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCI_ONLINE,
 					 &cci_pmu->node);
+	put_cpu();
 	pr_info("ARM %s PMU driver probed", cci_pmu->model->name);
 	return 0;
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 092/164] bus: arm-ccn: Check memory allocation failure
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 091/164] bus: arm-cci: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 093/164] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Scott Branden,
	Pawel Moll

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 24771179c5c138f0ea3ef88b7972979f62f2d5db upstream.

Check memory allocation failures and return -ENOMEM in such cases

This avoids a potential NULL pointer dereference.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Scott Branden <scott.branden@broadcom.com>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -1271,6 +1271,10 @@ static int arm_ccn_pmu_init(struct arm_c
 		int len = snprintf(NULL, 0, "ccn_%d", ccn->dt.id);
 
 		name = devm_kzalloc(ccn->dev, len + 1, GFP_KERNEL);
+		if (!name) {
+			err = -ENOMEM;
+			goto error_choose_name;
+		}
 		snprintf(name, len + 1, "ccn_%d", ccn->dt.id);
 	}
 
@@ -1318,6 +1322,7 @@ static int arm_ccn_pmu_init(struct arm_c
 
 error_pmu_register:
 error_set_affinity:
+error_choose_name:
 	ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
 	for (i = 0; i < ccn->num_xps; i++)
 		writel(0, ccn->xp[i].base + CCN_XP_DT_CONTROL);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 093/164] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 092/164] bus: arm-ccn: Check memory allocation failure Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 094/164] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Mark Rutland, Pawel Moll

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit b18c2b9487d8e797fc0a757e57ac3645348c5fba upstream.

Booting a DEBUG_PREEMPT enabled kernel on a CCN-based system
results in the following splat:

[...]
arm-ccn e8000000.ccn: No access to interrupts, using timer.
BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
caller is debug_smp_processor_id+0x1c/0x28
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.13.0 #6111
Hardware name: AMD Seattle/Seattle, BIOS 17:08:23 Jun 26 2017
Call trace:
[<ffff000008089e78>] dump_backtrace+0x0/0x278
[<ffff00000808a22c>] show_stack+0x24/0x30
[<ffff000008bc3bc4>] dump_stack+0x8c/0xb0
[<ffff00000852b534>] check_preemption_disabled+0xfc/0x100
[<ffff00000852b554>] debug_smp_processor_id+0x1c/0x28
[<ffff000008551bd8>] arm_ccn_probe+0x358/0x4f0
[...]

as we use smp_processor_id() in the wrong context.

Turn this into a get_cpu()/put_cpu() that extends over the CPU hotplug
registration, making sure that we don't race against a CPU down operation.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -1301,7 +1301,7 @@ static int arm_ccn_pmu_init(struct arm_c
 	}
 
 	/* Pick one CPU which we will use to collect data from CCN... */
-	cpumask_set_cpu(smp_processor_id(), &ccn->dt.cpu);
+	cpumask_set_cpu(get_cpu(), &ccn->dt.cpu);
 
 	/* Also make sure that the overflow interrupt is handled by this CPU */
 	if (ccn->irq) {
@@ -1318,10 +1318,12 @@ static int arm_ccn_pmu_init(struct arm_c
 
 	cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCN_ONLINE,
 					 &ccn->dt.node);
+	put_cpu();
 	return 0;
 
 error_pmu_register:
 error_set_affinity:
+	put_cpu();
 error_choose_name:
 	ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
 	for (i = 0; i < ccn->num_xps; i++)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 094/164] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 093/164] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 095/164] IB/core: Avoid unnecessary return value check Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kim Phillips,
	Sebastian Andrzej Siewior, Pawel Moll

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kim Phillips <kim.phillips@arm.com>

commit b69f63ebf553504739cc8534cbed31bd530c6f0b upstream.

Unregistering the driver before calling cpuhp_remove_multi_state() removes
any remaining hotplug cpu instances so __cpuhp_remove_state_cpuslocked()
doesn't emit this warning:

[  268.748362] Error: Removing state 147 which has instances left.
[  268.748373] ------------[ cut here ]------------
[  268.748386] WARNING: CPU: 2 PID: 5476 at kernel/cpu.c:1734 __cpuhp_remove_state_cpuslocked+0x454/0x4f0
[  268.748389] Modules linked in: arm_ccn(-) [last unloaded: arm_ccn]
[  268.748403] CPU: 2 PID: 5476 Comm: rmmod Tainted: G        W       4.14.0-rc4+ #3
[  268.748406] Hardware name: AMD Seattle/Seattle, BIOS 10:18:39 Dec  8 2016
[  268.748410] task: ffff8001a18ca000 task.stack: ffff80019c120000
[  268.748416] PC is at __cpuhp_remove_state_cpuslocked+0x454/0x4f0
[  268.748421] LR is at __cpuhp_remove_state_cpuslocked+0x448/0x4f0
[  268.748425] pc : [<ffff2000081729ec>] lr : [<ffff2000081729e0>] pstate: 60000145
[  268.748427] sp : ffff80019c127d30
[  268.748430] x29: ffff80019c127d30 x28: ffff8001a18ca000
[  268.748437] x27: ffff20000c2cb000 x26: 1fffe4000042d490
[  268.748443] x25: ffff20000216a480 x24: 0000000000000000
[  268.748449] x23: ffff20000b08e000 x22: 0000000000000001
[  268.748455] x21: 0000000000000093 x20: 00000000000016f8
[  268.748460] x19: ffff20000c2cbb80 x18: 0000ffffb5fe7c58
[  268.748466] x17: 00000000004402d0 x16: 1fffe40001864f01
[  268.748472] x15: ffff20000c4bf8b0 x14: 0000000000000000
[  268.748477] x13: 0000000000007032 x12: ffff20000829ae48
[  268.748483] x11: ffff20000c4bf000 x10: 0000000000000004
[  268.748488] x9 : 0000000000006fbc x8 : ffff20000c318a40
[  268.748494] x7 : 0000000000000000 x6 : ffff040001864f02
[  268.748500] x5 : 0000000000000000 x4 : 0000000000000000
[  268.748505] x3 : 0000000000000007 x2 : dfff200000000000
[  268.748510] x1 : 000000000000ad3d x0 : 00000000000001f0
[  268.748516] Call trace:
[  268.748521] Exception stack(0xffff80019c127bf0 to 0xffff80019c127d30)
[  268.748526] 7be0:                                   00000000000001f0 000000000000ad3d
[  268.748531] 7c00: dfff200000000000 0000000000000007 0000000000000000 0000000000000000
[  268.748535] 7c20: ffff040001864f02 0000000000000000 ffff20000c318a40 0000000000006fbc
[  268.748539] 7c40: 0000000000000004 ffff20000c4bf000 ffff20000829ae48 0000000000007032
[  268.748544] 7c60: 0000000000000000 ffff20000c4bf8b0 1fffe40001864f01 00000000004402d0
[  268.748548] 7c80: 0000ffffb5fe7c58 ffff20000c2cbb80 00000000000016f8 0000000000000093
[  268.748553] 7ca0: 0000000000000001 ffff20000b08e000 0000000000000000 ffff20000216a480
[  268.748557] 7cc0: 1fffe4000042d490 ffff20000c2cb000 ffff8001a18ca000 ffff80019c127d30
[  268.748562] 7ce0: ffff2000081729e0 ffff80019c127d30 ffff2000081729ec 0000000060000145
[  268.748566] 7d00: 00000000000001f0 0000000000000000 0001000000000000 0000000000000000
[  268.748569] 7d20: ffff80019c127d30 ffff2000081729ec
[  268.748575] [<ffff2000081729ec>] __cpuhp_remove_state_cpuslocked+0x454/0x4f0
[  268.748580] [<ffff200008172adc>] __cpuhp_remove_state+0x54/0x80
[  268.748597] [<ffff20000215dd84>] arm_ccn_exit+0x2c/0x70 [arm_ccn]
[  268.748604] [<ffff20000834cfbc>] SyS_delete_module+0x5a4/0x708
[  268.748607] Exception stack(0xffff80019c127ec0 to 0xffff80019c128000)
[  268.748612] 7ec0: 0000000019bb7258 0000000000000800 ba64d0fb3d26a800 00000000000000da
[  268.748616] 7ee0: 0000ffffb6144e28 0000ffffcd95b409 fefefefefefefeff 7f7f7f7f7f7f7f7f
[  268.748621] 7f00: 000000000000006a 1999999999999999 0000ffffb6179000 0000000000bbcc6d
[  268.748625] 7f20: 0000ffffb6176b98 0000ffffcd95c2d0 0000ffffb5fe7b58 0000ffffb6163000
[  268.748630] 7f40: 0000ffffb60ad3e0 00000000004402d0 0000ffffb5fe7c58 0000000019bb71f0
[  268.748634] 7f60: 0000ffffcd95c740 0000000000000000 0000000019bb71f0 0000000000416700
[  268.748639] 7f80: 0000000000000000 00000000004402e8 0000000019bb6010 0000ffffcd95c748
[  268.748643] 7fa0: 0000000000000000 0000ffffcd95c460 00000000004113a8 0000ffffcd95c460
[  268.748648] 7fc0: 0000ffffb60ad3e8 0000000080000000 0000000019bb7258 000000000000006a
[  268.748652] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  268.748657] [<ffff200008084f9c>] __sys_trace_return+0x0/0x4
[  268.748661] ---[ end trace a996d358dcaa7f9c ]---

Fixes: 8df038725ad5 ("bus/arm-ccn: Use cpu-hp's multi instance support instead custom list")
Signed-off-by: Kim Phillips <kim.phillips@arm.com>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -1587,8 +1587,8 @@ static int __init arm_ccn_init(void)
 
 static void __exit arm_ccn_exit(void)
 {
-	cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
 	platform_driver_unregister(&arm_ccn_driver);
+	cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
 }
 
 module_init(arm_ccn_init);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 095/164] IB/core: Avoid unnecessary return value check
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 094/164] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 096/164] IB/core: Only enforce security for InfiniBand Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Parav Pandit, Daniel Jurgens,
	Leon Romanovsky, Doug Ledford

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Parav Pandit <parav@mellanox.com>

commit 2e4c85c6edc80fa532b2c7e1eb3597ef4d4bbb8f upstream.

Since there is nothing done with non zero return value, such check is
avoided.

Signed-off-by: Parav Pandit <parav@mellanox.com>
Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/security.c |   15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -697,20 +697,13 @@ void ib_mad_agent_security_cleanup(struc
 
 int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
 {
-	int ret;
-
 	if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)
 		return -EACCES;
 
-	ret = ib_security_pkey_access(map->agent.device,
-				      map->agent.port_num,
-				      pkey_index,
-				      map->agent.security);
-
-	if (ret)
-		return ret;
-
-	return 0;
+	return ib_security_pkey_access(map->agent.device,
+				       map->agent.port_num,
+				       pkey_index,
+				       map->agent.security);
 }
 
 #endif /* CONFIG_SECURITY_INFINIBAND */

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 096/164] IB/core: Only enforce security for InfiniBand
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 095/164] IB/core: Avoid unnecessary return value check Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 097/164] crypto: talitos - fix AEAD test failures Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Moore, Don Dutile,
	Potnuri Bharat Teja, Daniel Jurgens, Parav Pandit,
	Leon Romanovsky, Jason Gunthorpe

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Jurgens <danielj@mellanox.com>

commit 315d160c5a4e034a576a13aa21e7235d5c9ec609 upstream.

For now the only LSM security enforcement mechanism available is
specific to InfiniBand. Bypass enforcement for non-IB link types.

This fixes a regression where modify_qp fails for iWARP because
querying the PKEY returns -EINVAL.

Cc: Paul Moore <paul@paul-moore.com>
Cc: Don Dutile <ddutile@redhat.com>
Reported-by: Potnuri Bharat Teja <bharat@chelsio.com>
Fixes: d291f1a65232("IB/core: Enforce PKey security on QPs")
Fixes: 47a2b338fe63("IB/core: Enforce security on management datagrams")
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Parav Pandit <parav@mellanox.com>
Tested-by: Potnuri Bharat Teja <bharat@chelsio.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/security.c |   50 ++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -417,8 +417,17 @@ void ib_close_shared_qp_security(struct
 
 int ib_create_qp_security(struct ib_qp *qp, struct ib_device *dev)
 {
+	u8 i = rdma_start_port(dev);
+	bool is_ib = false;
 	int ret;
 
+	while (i <= rdma_end_port(dev) && !is_ib)
+		is_ib = rdma_protocol_ib(dev, i++);
+
+	/* If this isn't an IB device don't create the security context */
+	if (!is_ib)
+		return 0;
+
 	qp->qp_sec = kzalloc(sizeof(*qp->qp_sec), GFP_KERNEL);
 	if (!qp->qp_sec)
 		return -ENOMEM;
@@ -441,6 +450,10 @@ EXPORT_SYMBOL(ib_create_qp_security);
 
 void ib_destroy_qp_security_begin(struct ib_qp_security *sec)
 {
+	/* Return if not IB */
+	if (!sec)
+		return;
+
 	mutex_lock(&sec->mutex);
 
 	/* Remove the QP from the lists so it won't get added to
@@ -470,6 +483,10 @@ void ib_destroy_qp_security_abort(struct
 	int ret;
 	int i;
 
+	/* Return if not IB */
+	if (!sec)
+		return;
+
 	/* If a concurrent cache update is in progress this
 	 * QP security could be marked for an error state
 	 * transition.  Wait for this to complete.
@@ -505,6 +522,10 @@ void ib_destroy_qp_security_end(struct i
 {
 	int i;
 
+	/* Return if not IB */
+	if (!sec)
+		return;
+
 	/* If a concurrent cache update is occurring we must
 	 * wait until this QP security structure is processed
 	 * in the QP to error flow before destroying it because
@@ -557,7 +578,7 @@ int ib_security_modify_qp(struct ib_qp *
 {
 	int ret = 0;
 	struct ib_ports_pkeys *tmp_pps;
-	struct ib_ports_pkeys *new_pps;
+	struct ib_ports_pkeys *new_pps = NULL;
 	struct ib_qp *real_qp = qp->real_qp;
 	bool special_qp = (real_qp->qp_type == IB_QPT_SMI ||
 			   real_qp->qp_type == IB_QPT_GSI ||
@@ -565,18 +586,27 @@ int ib_security_modify_qp(struct ib_qp *
 	bool pps_change = ((qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) ||
 			   (qp_attr_mask & IB_QP_ALT_PATH));
 
+	WARN_ONCE((qp_attr_mask & IB_QP_PORT &&
+		   rdma_protocol_ib(real_qp->device, qp_attr->port_num) &&
+		   !real_qp->qp_sec),
+		   "%s: QP security is not initialized for IB QP: %d\n",
+		   __func__, real_qp->qp_num);
+
 	/* The port/pkey settings are maintained only for the real QP. Open
 	 * handles on the real QP will be in the shared_qp_list. When
 	 * enforcing security on the real QP all the shared QPs will be
 	 * checked as well.
 	 */
 
-	if (pps_change && !special_qp) {
+	if (pps_change && !special_qp && real_qp->qp_sec) {
 		mutex_lock(&real_qp->qp_sec->mutex);
 		new_pps = get_new_pps(real_qp,
 				      qp_attr,
 				      qp_attr_mask);
-
+		if (!new_pps) {
+			mutex_unlock(&real_qp->qp_sec->mutex);
+			return -ENOMEM;
+		}
 		/* Add this QP to the lists for the new port
 		 * and pkey settings before checking for permission
 		 * in case there is a concurrent cache update
@@ -600,7 +630,7 @@ int ib_security_modify_qp(struct ib_qp *
 						 qp_attr_mask,
 						 udata);
 
-	if (pps_change && !special_qp) {
+	if (new_pps) {
 		/* Clean up the lists and free the appropriate
 		 * ports_pkeys structure.
 		 */
@@ -631,6 +661,9 @@ int ib_security_pkey_access(struct ib_de
 	u16 pkey;
 	int ret;
 
+	if (!rdma_protocol_ib(dev, port_num))
+		return 0;
+
 	ret = ib_get_cached_pkey(dev, port_num, pkey_index, &pkey);
 	if (ret)
 		return ret;
@@ -665,6 +698,9 @@ int ib_mad_agent_security_setup(struct i
 {
 	int ret;
 
+	if (!rdma_protocol_ib(agent->device, agent->port_num))
+		return 0;
+
 	ret = security_ib_alloc_security(&agent->security);
 	if (ret)
 		return ret;
@@ -690,6 +726,9 @@ int ib_mad_agent_security_setup(struct i
 
 void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
 {
+	if (!rdma_protocol_ib(agent->device, agent->port_num))
+		return;
+
 	security_ib_free_security(agent->security);
 	if (agent->lsm_nb_reg)
 		unregister_lsm_notifier(&agent->lsm_nb);
@@ -697,6 +736,9 @@ void ib_mad_agent_security_cleanup(struc
 
 int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)
 {
+	if (!rdma_protocol_ib(map->agent.device, map->agent.port_num))
+		return 0;
+
 	if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)
 		return -EACCES;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 097/164] crypto: talitos - fix AEAD test failures
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 096/164] IB/core: Only enforce security for InfiniBand Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 098/164] crypto: talitos - fix memory corruption on SEC2 Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit ec8c7d14acc0a477429d3a6fade5dab72c996c82 upstream.

AEAD tests fail when destination SG list has more than 1 element.

[    2.058752] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
[    2.066965] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: c0 43 ff 74 c0 43 ff e0 de 83 d1 20 de 84 8e 54
00000020: de 83 d7 c4
[    2.082138] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
[    2.090435] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: de 84 ea 58 c0 93 1a 24 de 84 e8 59 de 84 f1 20
00000020: 00 00 00 00
[    2.105721] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
[    2.114259] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c
[    2.166410] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
[    2.174794] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c
[    2.226486] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
[    2.236459] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
[    2.247196] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
[    2.255555] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8
[    2.309004] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
[    2.317562] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8
[    2.370710] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
[    2.379177] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
[    2.397863] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
[    2.406134] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
[    2.424789] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
[    2.433491] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc
[    2.488832] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
[    2.497387] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc

This patch fixes that.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1232,12 +1232,11 @@ static int ipsec_esp(struct talitos_edes
 			sg_link_tbl_len += authsize;
 	}
 
-	sg_count = talitos_sg_map(dev, areq->src, cryptlen, edesc,
-				  &desc->ptr[4], sg_count, areq->assoclen,
-				  tbl_off);
+	ret = talitos_sg_map(dev, areq->src, cryptlen, edesc, &desc->ptr[4],
+			     sg_count, areq->assoclen, tbl_off);
 
-	if (sg_count > 1) {
-		tbl_off += sg_count;
+	if (ret > 1) {
+		tbl_off += ret;
 		sync_needed = true;
 	}
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 098/164] crypto: talitos - fix memory corruption on SEC2
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 097/164] crypto: talitos - fix AEAD test failures Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 099/164] crypto: talitos - fix setkey to check key weakness Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit e04a61bebc5da1535b6f194b464295b8d558e2fc upstream.

On SEC2, when using the old descriptors type (hmac snoop no afeu)
for doing IPsec, the CICV out pointeur points out of the allocated
memory.

[    2.502554] =============================================================================
[    2.510740] BUG dma-kmalloc-256 (Not tainted): Redzone overwritten
[    2.516907] -----------------------------------------------------------------------------
[    2.516907]
[    2.526535] Disabling lock debugging due to kernel taint
[    2.531845] INFO: 0xde858108-0xde85810b. First byte 0xf8 instead of 0xcc
[    2.538549] INFO: Allocated in 0x806181a9 age=0 cpu=0 pid=58
[    2.544229] 	__kmalloc+0x374/0x564
[    2.547649] 	talitos_edesc_alloc+0x17c/0x48c
[    2.551929] 	aead_edesc_alloc+0x80/0x154
[    2.555863] 	aead_encrypt+0x30/0xe0
[    2.559368] 	__test_aead+0x5a0/0x1f3c
[    2.563042] 	test_aead+0x2c/0x110
[    2.566371] 	alg_test_aead+0x5c/0xf4
[    2.569958] 	alg_test+0x1dc/0x5a0
[    2.573305] 	cryptomgr_test+0x50/0x70
[    2.576984] 	kthread+0xd8/0x134
[    2.580155] 	ret_from_kernel_thread+0x5c/0x64
[    2.584534] INFO: Freed in ipsec_esp_encrypt_done+0x130/0x240 age=6 cpu=0 pid=0
[    2.591839] 	ipsec_esp_encrypt_done+0x130/0x240
[    2.596395] 	flush_channel+0x1dc/0x488
[    2.600161] 	talitos2_done_4ch+0x30/0x200
[    2.604185] 	tasklet_action+0xa0/0x13c
[    2.607948] 	__do_softirq+0x148/0x6cc
[    2.611623] 	irq_exit+0xc0/0x124
[    2.614869] 	call_do_irq+0x24/0x3c
[    2.618292] 	do_IRQ+0x78/0x108
[    2.621369] 	ret_from_except+0x0/0x14
[    2.625055] 	finish_task_switch+0x58/0x350
[    2.629165] 	schedule+0x80/0x134
[    2.632409] 	schedule_preempt_disabled+0x38/0xc8
[    2.637042] 	cpu_startup_entry+0xe4/0x190
[    2.641074] 	start_kernel+0x3f4/0x408
[    2.644741] 	0x3438
[    2.646857] INFO: Slab 0xdffbdb00 objects=9 used=1 fp=0xde8581c0 flags=0x0080
[    2.653978] INFO: Object 0xde858008 @offset=8 fp=0xca4395df
[    2.653978]
[    2.661032] Redzone de858000: cc cc cc cc cc cc cc cc                          ........
[    2.669029] Object de858008: 00 00 00 02 00 00 00 02 00 6b 6b 6b 1e 83 ea 28  .........kkk...(
[    2.677628] Object de858018: 00 00 00 70 1e 85 80 64 ff 73 1d 21 6b 6b 6b 6b  ...p...d.s.!kkkk
[    2.686228] Object de858028: 00 20 00 00 1e 84 17 24 00 10 00 00 1e 85 70 00  . .....$......p.
[    2.694829] Object de858038: 00 18 00 00 1e 84 17 44 00 08 00 00 1e 83 ea 28  .......D.......(
[    2.703430] Object de858048: 00 80 00 00 1e 84 f0 00 00 80 00 00 1e 85 70 10  ..............p.
[    2.712030] Object de858058: 00 20 6b 00 1e 85 80 f4 6b 6b 6b 6b 00 80 02 00  . k.....kkkk....
[    2.720629] Object de858068: 1e 84 f0 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  ....kkkkkkkkkkkk
[    2.729230] Object de858078: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.737830] Object de858088: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.746429] Object de858098: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.755029] Object de8580a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.763628] Object de8580b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.772229] Object de8580c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.780829] Object de8580d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.789430] Object de8580e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 73 b0 ea 9f  kkkkkkkkkkkks...
[    2.798030] Object de8580f8: e8 18 80 d6 56 38 44 c0 db e3 4f 71 f7 ce d1 d3  ....V8D...Oq....
[    2.806629] Redzone de858108: f8 bd 3e 4f                                      ..>O
[    2.814279] Padding de8581b0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[    2.822283] CPU: 0 PID: 0 Comm: swapper Tainted: G    B           4.9.50-g995be12679 #179
[    2.831819] Call Trace:
[    2.834301] [dffefd20] [c01aa9a8] check_bytes_and_report+0x100/0x194 (unreliable)
[    2.841801] [dffefd50] [c01aac3c] check_object+0x200/0x530
[    2.847306] [dffefd80] [c01ae584] free_debug_processing+0x290/0x690
[    2.853585] [dffefde0] [c01aec8c] __slab_free+0x308/0x628
[    2.859000] [dffefe80] [c05057f4] ipsec_esp_encrypt_done+0x130/0x240
[    2.865378] [dffefeb0] [c05002c4] flush_channel+0x1dc/0x488
[    2.870968] [dffeff10] [c05007a8] talitos2_done_4ch+0x30/0x200
[    2.876814] [dffeff30] [c002fe38] tasklet_action+0xa0/0x13c
[    2.882399] [dffeff60] [c002f118] __do_softirq+0x148/0x6cc
[    2.887896] [dffeffd0] [c002f954] irq_exit+0xc0/0x124
[    2.892968] [dffefff0] [c0013adc] call_do_irq+0x24/0x3c
[    2.898213] [c0d4be00] [c000757c] do_IRQ+0x78/0x108
[    2.903113] [c0d4be30] [c0015c08] ret_from_except+0x0/0x14
[    2.908634] --- interrupt: 501 at finish_task_switch+0x70/0x350
[    2.908634]     LR = finish_task_switch+0x58/0x350
[    2.919327] [c0d4bf20] [c085e1d4] schedule+0x80/0x134
[    2.924398] [c0d4bf50] [c085e2c0] schedule_preempt_disabled+0x38/0xc8
[    2.930853] [c0d4bf60] [c007f064] cpu_startup_entry+0xe4/0x190
[    2.936707] [c0d4bfb0] [c096c434] start_kernel+0x3f4/0x408
[    2.942198] [c0d4bff0] [00003438] 0x3438
[    2.946137] FIX dma-kmalloc-256: Restoring 0xde858108-0xde85810b=0xcc
[    2.946137]
[    2.954158] FIX dma-kmalloc-256: Object at 0xde858008 not freed

This patch reworks the handling of the CICV out in order
to properly handle all cases.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |   42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1247,14 +1247,15 @@ static int ipsec_esp(struct talitos_edes
 			dma_map_sg(dev, areq->dst, sg_count, DMA_FROM_DEVICE);
 	}
 
-	sg_count = talitos_sg_map(dev, areq->dst, cryptlen, edesc,
-				  &desc->ptr[5], sg_count, areq->assoclen,
-				  tbl_off);
+	ret = talitos_sg_map(dev, areq->dst, cryptlen, edesc, &desc->ptr[5],
+			     sg_count, areq->assoclen, tbl_off);
 
 	if (desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)
 		to_talitos_ptr_ext_or(&desc->ptr[5], authsize, is_sec1);
 
-	if (sg_count > 1) {
+	/* ICV data */
+	if (ret > 1) {
+		tbl_off += ret;
 		edesc->icv_ool = true;
 		sync_needed = true;
 
@@ -1264,9 +1265,7 @@ static int ipsec_esp(struct talitos_edes
 				     sizeof(struct talitos_ptr) + authsize;
 
 			/* Add an entry to the link table for ICV data */
-			tbl_ptr += sg_count - 1;
-			to_talitos_ptr_ext_set(tbl_ptr, 0, is_sec1);
-			tbl_ptr++;
+			to_talitos_ptr_ext_set(tbl_ptr - 1, 0, is_sec1);
 			to_talitos_ptr_ext_set(tbl_ptr, DESC_PTR_LNKTBL_RETURN,
 					       is_sec1);
 			to_talitos_ptr_len(tbl_ptr, authsize, is_sec1);
@@ -1274,18 +1273,33 @@ static int ipsec_esp(struct talitos_edes
 			/* icv data follows link tables */
 			to_talitos_ptr(tbl_ptr, edesc->dma_link_tbl + offset,
 				       is_sec1);
+		} else {
+			dma_addr_t addr = edesc->dma_link_tbl;
+
+			if (is_sec1)
+				addr += areq->assoclen + cryptlen;
+			else
+				addr += sizeof(struct talitos_ptr) * tbl_off;
+
+			to_talitos_ptr(&desc->ptr[6], addr, is_sec1);
+			to_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);
+		}
+	} else if (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {
+		ret = talitos_sg_map(dev, areq->dst, authsize, edesc,
+				     &desc->ptr[6], sg_count, areq->assoclen +
+							      cryptlen,
+				     tbl_off);
+		if (ret > 1) {
+			tbl_off += ret;
+			edesc->icv_ool = true;
+			sync_needed = true;
+		} else {
+			edesc->icv_ool = false;
 		}
 	} else {
 		edesc->icv_ool = false;
 	}
 
-	/* ICV data */
-	if (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {
-		to_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);
-		to_talitos_ptr(&desc->ptr[6], edesc->dma_link_tbl +
-			       areq->assoclen + cryptlen, is_sec1);
-	}
-
 	/* iv out */
 	if (desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)
 		map_single_talitos_ptr(dev, &desc->ptr[6], ivsize, ctx->iv,

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 099/164] crypto: talitos - fix setkey to check key weakness
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 098/164] crypto: talitos - fix memory corruption on SEC2 Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 100/164] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit f384cdc4faf350fdb6ad93c5f26952b9ba7c7566 upstream.

Crypto manager test report the following failures:
[    3.061081] alg: skcipher: setkey failed on test 5 for ecb-des-talitos: flags=100
[    3.069342] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100
[    3.077754] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100

This is due to setkey being expected to detect weak keys.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1507,12 +1507,20 @@ static int ablkcipher_setkey(struct cryp
 			     const u8 *key, unsigned int keylen)
 {
 	struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
+	u32 tmp[DES_EXPKEY_WORDS];
 
 	if (keylen > TALITOS_MAX_KEY_SIZE) {
 		crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN);
 		return -EINVAL;
 	}
 
+	if (unlikely(crypto_ablkcipher_get_flags(cipher) &
+		     CRYPTO_TFM_REQ_WEAK_KEY) &&
+	    !des_ekey(tmp, key)) {
+		crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_WEAK_KEY);
+		return -EINVAL;
+	}
+
 	memcpy(&ctx->key, key, keylen);
 	ctx->keylen = keylen;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 100/164] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 099/164] crypto: talitos - fix setkey to check key weakness Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 101/164] crypto: talitos - fix use of sg_link_tbl_len Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit 6cda075aff67a1b9b5ba1b2818091dc939643b6c upstream.

sha224 AEAD test fails with:

[    2.803125] talitos ff020000.crypto: DEUISR 0x00000000_00000000
[    2.808743] talitos ff020000.crypto: MDEUISR 0x80100000_00000000
[    2.814678] talitos ff020000.crypto: DESCBUF 0x20731f21_00000018
[    2.820616] talitos ff020000.crypto: DESCBUF 0x0628d64c_00000010
[    2.826554] talitos ff020000.crypto: DESCBUF 0x0631005c_00000018
[    2.832492] talitos ff020000.crypto: DESCBUF 0x0628d664_00000008
[    2.838430] talitos ff020000.crypto: DESCBUF 0x061b13a0_00000080
[    2.844369] talitos ff020000.crypto: DESCBUF 0x0631006c_00000080
[    2.850307] talitos ff020000.crypto: DESCBUF 0x0631006c_00000018
[    2.856245] talitos ff020000.crypto: DESCBUF 0x063100ec_00000000
[    2.884972] talitos ff020000.crypto: failed to reset channel 0
[    2.890503] talitos ff020000.crypto: done overflow, internal time out, or rngu error: ISR 0x20000000_00020000
[    2.900652] alg: aead: encryption failed on test 1 for authenc-hmac-sha224-cbc-3des-talitos: ret=22

This is due to SHA224 not being supported by the HW. Allthough for
hash we are able to init the hash context by SW, it is not
possible for AEAD. Therefore SHA224 AEAD has to be deactivated.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -3068,6 +3068,11 @@ static struct talitos_crypto_alg *talito
 		t_alg->algt.alg.aead.setkey = aead_setkey;
 		t_alg->algt.alg.aead.encrypt = aead_encrypt;
 		t_alg->algt.alg.aead.decrypt = aead_decrypt;
+		if (!(priv->features & TALITOS_FTR_SHA224_HWINIT) &&
+		    !strncmp(alg->cra_name, "authenc(hmac(sha224)", 20)) {
+			kfree(t_alg);
+			return ERR_PTR(-ENOTSUPP);
+		}
 		break;
 	case CRYPTO_ALG_TYPE_AHASH:
 		alg = &t_alg->algt.alg.hash.halg.base;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 101/164] crypto: talitos - fix use of sg_link_tbl_len
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 100/164] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 102/164] crypto: talitos - fix ctr-aes-talitos Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit fbb22137c4d9bab536958b152d096fb3f98020ea upstream.

sg_link_tbl_len shall be used instead of cryptlen, otherwise
SECs which perform HW CICV verification will fail.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1232,8 +1232,8 @@ static int ipsec_esp(struct talitos_edes
 			sg_link_tbl_len += authsize;
 	}
 
-	ret = talitos_sg_map(dev, areq->src, cryptlen, edesc, &desc->ptr[4],
-			     sg_count, areq->assoclen, tbl_off);
+	ret = talitos_sg_map(dev, areq->src, sg_link_tbl_len, edesc,
+			     &desc->ptr[4], sg_count, areq->assoclen, tbl_off);
 
 	if (ret > 1) {
 		tbl_off += ret;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 102/164] crypto: talitos - fix ctr-aes-talitos
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 101/164] crypto: talitos - fix use of sg_link_tbl_len Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 103/164] ARM: BUG if jumping to usermode address in kernel mode Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit 70d355ccea899dad47dc22d3a4406998f55143fd upstream.

ctr-aes-talitos test fails as follows on SEC2

[    0.837427] alg: skcipher: Test 1 failed (invalid result) on encryption for ctr-aes-talitos
[    0.845763] 00000000: 16 36 d5 ee 34 f8 06 25 d7 7f 8e 56 ca 88 43 45
[    0.852345] 00000010: f9 3f f7 17 2a b2 12 23 30 43 09 15 82 dd e1 97
[    0.858940] 00000020: a7 f7 32 b5 eb 25 06 13 9a ec f5 29 25 f8 4d 66
[    0.865366] 00000030: b0 03 5b 8e aa 9a 42 b6 19 33 8a e2 9d 65 96 95

This patch fixes the descriptor type which is special for CTR AES

Fixes: 5e75ae1b3cef6 ("crypto: talitos - add new crypto modes")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -2635,7 +2635,7 @@ static struct talitos_alg_template drive
 				.ivsize = AES_BLOCK_SIZE,
 			}
 		},
-		.desc_hdr_template = DESC_HDR_TYPE_COMMON_NONSNOOP_NO_AFEU |
+		.desc_hdr_template = DESC_HDR_TYPE_AESU_CTR_NONSNOOP |
 				     DESC_HDR_SEL0_AESU |
 				     DESC_HDR_MODE0_AESU_CTR,
 	},

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 103/164] ARM: BUG if jumping to usermode address in kernel mode
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 102/164] crypto: talitos - fix ctr-aes-talitos Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 104/164] ARM: avoid faulting on qemu Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Russell King, Alex Shi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 8bafae202c82dc257f649ea3c275a0f35ee15113 upstream.

Detect if we are returning to usermode via the normal kernel exit paths
but the saved PSR value indicates that we are in kernel mode.  This
could occur due to corrupted stack state, which has been observed with
"ftracetest".

This ensures that we catch the problem case before we get to user code.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Alex Shi <alex.shi@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/include/asm/assembler.h |   18 ++++++++++++++++++
 arch/arm/kernel/entry-header.S   |    6 ++++++
 2 files changed, 24 insertions(+)

--- a/arch/arm/include/asm/assembler.h
+++ b/arch/arm/include/asm/assembler.h
@@ -518,4 +518,22 @@ THUMB(	orr	\reg , \reg , #PSR_T_BIT	)
 #endif
 	.endm
 
+	.macro	bug, msg, line
+#ifdef CONFIG_THUMB2_KERNEL
+1:	.inst	0xde02
+#else
+1:	.inst	0xe7f001f2
+#endif
+#ifdef CONFIG_DEBUG_BUGVERBOSE
+	.pushsection .rodata.str, "aMS", %progbits, 1
+2:	.asciz	"\msg"
+	.popsection
+	.pushsection __bug_table, "aw"
+	.align	2
+	.word	1b, 2b
+	.hword	\line
+	.popsection
+#endif
+	.endm
+
 #endif /* __ASM_ASSEMBLER_H__ */
--- a/arch/arm/kernel/entry-header.S
+++ b/arch/arm/kernel/entry-header.S
@@ -300,6 +300,8 @@
 	mov	r2, sp
 	ldr	r1, [r2, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [r2, #\offset + S_PC]!	@ get pc
+	tst	r1, #0xcf
+	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
 	@ We must avoid clrex due to Cortex-A15 erratum #830321
@@ -314,6 +316,7 @@
 						@ after ldm {}^
 	add	sp, sp, #\offset + PT_REGS_SIZE
 	movs	pc, lr				@ return & move spsr_svc into cpsr
+1:	bug	"Returning to usermode but unexpected PSR bits set?", \@
 #elif defined(CONFIG_CPU_V7M)
 	@ V7M restore.
 	@ Note that we don't need to do clrex here as clearing the local
@@ -329,6 +332,8 @@
 	ldr	r1, [sp, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [sp, #\offset + S_PC]	@ get pc
 	add	sp, sp, #\offset + S_SP
+	tst	r1, #0xcf
+	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 
 	@ We must avoid clrex due to Cortex-A15 erratum #830321
@@ -341,6 +346,7 @@
 	.endif
 	add	sp, sp, #PT_REGS_SIZE - S_SP
 	movs	pc, lr				@ return & move spsr_svc into cpsr
+1:	bug	"Returning to usermode but unexpected PSR bits set?", \@
 #endif	/* !CONFIG_THUMB2_KERNEL */
 	.endm
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 104/164] ARM: avoid faulting on qemu
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 103/164] ARM: BUG if jumping to usermode address in kernel mode Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44   ` Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Russell King, Alex Shi

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 3aaf33bebda8d4ffcc0fc8ef39e6c1ac68823b11 upstream.

When qemu starts a kernel in a bare environment, the default SCR has
the AW and FW bits clear, which means that the kernel can't modify
the PSR A or PSR F bits, and means that FIQs and imprecise aborts are
always masked.

When running uboot under qemu, the AW and FW SCR bits are set, and the
kernel functions normally - and this is how real hardware behaves.

Fix this for qemu by ignoring the FIQ bit.

Fixes: 8bafae202c82 ("ARM: BUG if jumping to usermode address in kernel mode")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Alex Shi <alex.shi@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/kernel/entry-header.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/kernel/entry-header.S
+++ b/arch/arm/kernel/entry-header.S
@@ -300,7 +300,7 @@
 	mov	r2, sp
 	ldr	r1, [r2, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [r2, #\offset + S_PC]!	@ get pc
-	tst	r1, #0xcf
+	tst	r1, #PSR_I_BIT | 0x0f
 	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
@@ -332,7 +332,7 @@
 	ldr	r1, [sp, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [sp, #\offset + S_PC]	@ get pc
 	add	sp, sp, #\offset + S_SP
-	tst	r1, #0xcf
+	tst	r1, #PSR_I_BIT | 0x0f
 	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 105/164] irqchip/qcom: Fix u32 comparison with value less than zero
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
@ 2017-12-12 12:44   ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 002/164] usb: gadget: core: Fix ->udc_set_speed() speed handling Greg Kroah-Hartman
                     ` (161 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Thomas Gleixner,
	Marc Zyngier, kernel-janitors, Jason Cooper, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>


[ Upstream commit e9990d70e8a063a7b894c5cbb99f630a0f41200d ]

The comparison of u32 nregs being less than zero is never true since
nregs is unsigned. Fix this by making nregs a signed integer.

Fixes: f20cc9b00c7b ("irqchip/qcom: Add IRQ combiner driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: kernel-janitors@vger.kernel.org
Cc: Jason Cooper <jason@lakedaemon.net>
Link: https://lkml.kernel.org/r/20171117183553.2739-1-colin.king@canonical.com
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/qcom-irq-combiner.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/qcom-irq-combiner.c
+++ b/drivers/irqchip/qcom-irq-combiner.c
@@ -238,7 +238,7 @@ static int __init combiner_probe(struct
 {
 	struct combiner *combiner;
 	size_t alloc_sz;
-	u32 nregs;
+	int nregs;
 	int err;
 
 	nregs = count_registers(pdev);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 105/164] irqchip/qcom: Fix u32 comparison with value less than zero
@ 2017-12-12 12:44   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Thomas Gleixner,
	Marc Zyngier, kernel-janitors, Jason Cooper, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>


[ Upstream commit e9990d70e8a063a7b894c5cbb99f630a0f41200d ]

The comparison of u32 nregs being less than zero is never true since
nregs is unsigned. Fix this by making nregs a signed integer.

Fixes: f20cc9b00c7b ("irqchip/qcom: Add IRQ combiner driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: kernel-janitors@vger.kernel.org
Cc: Jason Cooper <jason@lakedaemon.net>
Link: https://lkml.kernel.org/r/20171117183553.2739-1-colin.king@canonical.com
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/qcom-irq-combiner.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/qcom-irq-combiner.c
+++ b/drivers/irqchip/qcom-irq-combiner.c
@@ -238,7 +238,7 @@ static int __init combiner_probe(struct
 {
 	struct combiner *combiner;
 	size_t alloc_sz;
-	u32 nregs;
+	int nregs;
 	int err;
 
 	nregs = count_registers(pdev);



^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 106/164] net/smc: use sk_rcvbuf as start for rmb creation
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2017-12-12 12:44   ` Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 107/164] kbuild: pkg: use --transform option to prefix paths in tar Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ursula Braun, Hans Wippel,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ursula Braun <ursula.braun@de.ibm.com>


[ Upstream commit 4e1061f4a2bba1669c7297455c73ddafbebf2b12 ]

Commit 3e034725c0d8 ("net/smc: common functions for RMBs and send buffers")
merged handling of SMC receive and send buffers. It introduced sk_buf_size
as merged start value for size determination. But since sk_buf_size is not
used at all, sk_sndbuf is erroneously used as start for rmb creation.
This patch makes sure, sk_buf_size is really used as intended, and
sk_rcvbuf is used as start value for rmb creation.

Fixes: 3e034725c0d8 ("net/smc: common functions for RMBs and send buffers")
Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Reviewed-by: Hans Wippel <hwippel@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/smc/smc_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -571,7 +571,7 @@ static int __smc_buf_create(struct smc_s
 		/* use socket send buffer size (w/o overhead) as start value */
 		sk_buf_size = smc->sk.sk_sndbuf / 2;
 
-	for (bufsize_short = smc_compress_bufsize(smc->sk.sk_sndbuf / 2);
+	for (bufsize_short = smc_compress_bufsize(sk_buf_size);
 	     bufsize_short >= 0; bufsize_short--) {
 
 		if (is_rmb) {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 107/164] kbuild: pkg: use --transform option to prefix paths in tar
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 106/164] net/smc: use sk_rcvbuf as start for rmb creation Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 108/164] coccinelle: fix parallel build with CHECK=scripts/coccicheck Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit 2dbc644ac62bbcb9ee78e84719953f611be0413d ]

For rpm-pkg and deb-pkg, a source tar file is created.  All paths in
the archive must be prefixed with the base name of the tar so that
everything is contained in the directory when you extract it.

Currently, scripts/package/Makefile uses a symlink for that, and
removes it after the tar is created.

If you terminate the build during the tar creation, the symlink is
left over.  Then, at the next package build, you will see a warning
like follows:

  ln: '.' and 'kernel-4.14.0+/.' are the same file

It is possible to fix it by adding -n (--no-dereference) option to
the "ln" command, but a cleaner way is to use --transform option
of "tar" command.  This option is GNU extension, but it should not
hurt to use it in the Linux build system.

The 'S' flag is needed to exclude symlinks from the path fixup.
Without it, symlinks in the kernel are broken.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/package/Makefile |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/scripts/package/Makefile
+++ b/scripts/package/Makefile
@@ -39,10 +39,9 @@ if test "$(objtree)" != "$(srctree)"; th
 	false; \
 fi ; \
 $(srctree)/scripts/setlocalversion --save-scmversion; \
-ln -sf $(srctree) $(2); \
 tar -cz $(RCS_TAR_IGNORE) -f $(2).tar.gz \
-	$(addprefix $(2)/,$(TAR_CONTENT) $(3)); \
-rm -f $(2) $(objtree)/.scmversion
+	--transform 's:^:$(2)/:S' $(TAR_CONTENT) $(3); \
+rm -f $(objtree)/.scmversion
 
 # rpm-pkg
 # ---------------------------------------------------------------------------

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 108/164] coccinelle: fix parallel build with CHECK=scripts/coccicheck
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 107/164] kbuild: pkg: use --transform option to prefix paths in tar Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 109/164] powerpc/perf: Fix pmu_count to count only nest imc pmus Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Julia Lawall, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit d7059ca0147adcd495f3c5b41f260e1ac55bb679 ]

The command "make -j8 C=1 CHECK=scripts/coccicheck" produces
lots of "coccicheck failed" error messages.

Julia Lawall explained the Coccinelle behavior as follows:
"The problem on the Coccinelle side is that it uses a subdirectory
with the name of the semantic patch to store standard output and
standard error for the different threads.  I didn't want to use a
name with the pid, so that one could easily find this information
while Coccinelle is running.  Normally the subdirectory is cleaned
up when Coccinelle completes, so there is only one of them at a time.
Maybe it is best to just add the pid.  There is the risk that these
subdirectories will accumulate if Coccinelle crashes in a way such
that they don't get cleaned up, but Coccinelle could print a warning
if it detects this case, rather than failing."

When scripts/coccicheck is used as CHECK tool and -j option is given
to Make, the whole of build process runs in parallel.  So, multiple
processes try to get access to the same subdirectory.

I notice spatch creates the subdirectory only when it runs in parallel
(i.e. --jobs <N> is given and <N> is greater than 1).

Setting NPROC=1 is a reasonable solution; spatch does not create the
subdirectory.  Besides, ONLINE=1 mode takes a single file input for
each spatch invocation, so there is no reason to parallelize it in
the first place.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/coccicheck |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/scripts/coccicheck
+++ b/scripts/coccicheck
@@ -30,12 +30,6 @@ else
 	VERBOSE=0
 fi
 
-if [ -z "$J" ]; then
-	NPROC=$(getconf _NPROCESSORS_ONLN)
-else
-	NPROC="$J"
-fi
-
 FLAGS="--very-quiet"
 
 # You can use SPFLAGS to append extra arguments to coccicheck or override any
@@ -70,6 +64,9 @@ if [ "$C" = "1" -o "$C" = "2" ]; then
     # Take only the last argument, which is the C file to test
     shift $(( $# - 1 ))
     OPTIONS="$COCCIINCLUDE $1"
+
+    # No need to parallelize Coccinelle since this mode takes one input file.
+    NPROC=1
 else
     ONLINE=0
     if [ "$KBUILD_EXTMOD" = "" ] ; then
@@ -77,6 +74,12 @@ else
     else
         OPTIONS="--dir $KBUILD_EXTMOD $COCCIINCLUDE"
     fi
+
+    if [ -z "$J" ]; then
+        NPROC=$(getconf _NPROCESSORS_ONLN)
+    else
+        NPROC="$J"
+    fi
 fi
 
 if [ "$KBUILD_EXTMOD" != "" ] ; then

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 109/164] powerpc/perf: Fix pmu_count to count only nest imc pmus
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 108/164] coccinelle: fix parallel build with CHECK=scripts/coccicheck Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 110/164] apparmor: fix leak of null profile name if profile allocation fails Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Madhavan Srinivasan,
	Michael Ellerman, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>


[ Upstream commit de34787f1096cce38e2590be0013b44418d14546 ]

"pmu_count" in opal_imc_counters_probe() is intended to hold
the number of successful nest imc pmu registerations. But
current code also counts other imc units like core_imc and
thread_imc. Patch add a check to count only nest imc pmus.

Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/powernv/opal-imc.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/powernv/opal-imc.c
+++ b/arch/powerpc/platforms/powernv/opal-imc.c
@@ -191,8 +191,10 @@ static int opal_imc_counters_probe(struc
 			break;
 		}
 
-		if (!imc_pmu_create(imc_dev, pmu_count, domain))
-			pmu_count++;
+		if (!imc_pmu_create(imc_dev, pmu_count, domain)) {
+			if (domain == IMC_DOMAIN_NEST)
+				pmu_count++;
+		}
 	}
 
 	return 0;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 110/164] apparmor: fix leak of null profile name if profile allocation fails
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 109/164] powerpc/perf: Fix pmu_count to count only nest imc pmus Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 111/164] x86/mpx/selftests: Fix up weird arrays Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Seth Arnold, John Johansen, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Johansen <john.johansen@canonical.com>


[ Upstream commit 4633307e5ed6128975595df43f796a10c41d11c1 ]

Fixes: d07881d2edb0 ("apparmor: move new_null_profile to after profile lookup fns()")
Reported-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/apparmor/policy.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -502,7 +502,7 @@ struct aa_profile *aa_new_null_profile(s
 {
 	struct aa_profile *p, *profile;
 	const char *bname;
-	char *name;
+	char *name = NULL;
 
 	AA_BUG(!parent);
 
@@ -562,6 +562,7 @@ out:
 	return profile;
 
 fail:
+	kfree(name);
 	aa_free_profile(profile);
 	return NULL;
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 111/164] x86/mpx/selftests: Fix up weird arrays
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 110/164] apparmor: fix leak of null profile name if profile allocation fails Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 112/164] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Hansen, Thomas Gleixner,
	Andy Lutomirski, Borislav Petkov, Brian Gerst, Denys Vlasenko,
	H. Peter Anvin, Josh Poimboeuf, Linus Torvalds, Peter Zijlstra,
	Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Hansen <dave.hansen@linux.intel.com>


[ Upstream commit a6400120d042397675fcf694060779d21e9e762d ]

The MPX hardware data structurse are defined in a weird way: they define
their size in bytes and then union that with the type with which we want
to access them.

Yes, this is weird, but it does work.  But, new GCC's complain that we
are accessing the array out of bounds.  Just make it a zero-sized array
so gcc will stop complaining.  There was not really a bug here.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20171111001229.58A7933D@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/x86/mpx-hw.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/testing/selftests/x86/mpx-hw.h
+++ b/tools/testing/selftests/x86/mpx-hw.h
@@ -52,14 +52,14 @@
 struct mpx_bd_entry {
 	union {
 		char x[MPX_BOUNDS_DIR_ENTRY_SIZE_BYTES];
-		void *contents[1];
+		void *contents[0];
 	};
 } __attribute__((packed));
 
 struct mpx_bt_entry {
 	union {
 		char x[MPX_BOUNDS_TABLE_ENTRY_SIZE_BYTES];
-		unsigned long contents[1];
+		unsigned long contents[0];
 	};
 } __attribute__((packed));
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 112/164] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 111/164] x86/mpx/selftests: Fix up weird arrays Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 113/164] gre6: use log_ecn_error module parameter in ip6_tnl_rcv() Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Johannes Berg, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>


[ Upstream commit 67bd52386125ce1159c0581cbcd2740addf33cd4 ]

hwsim_new_radio_nl() now copies the name attribute in order to add a
null-terminator.  mac80211_hwsim_new_radio() (indirectly) copies it
again into the net_device structure, so the first copy is not used or
freed later.  Free the first copy before returning.

Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mac80211_hwsim.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3108,6 +3108,7 @@ static int hwsim_new_radio_nl(struct sk_
 {
 	struct hwsim_new_radio_params param = { 0 };
 	const char *hwname = NULL;
+	int ret;
 
 	param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
 	param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
@@ -3147,7 +3148,9 @@ static int hwsim_new_radio_nl(struct sk_
 		param.regd = hwsim_world_regdom_custom[idx];
 	}
 
-	return mac80211_hwsim_new_radio(info, &param);
+	ret = mac80211_hwsim_new_radio(info, &param);
+	kfree(hwname);
+	return ret;
 }
 
 static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 113/164] gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 112/164] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 114/164] route: also update fnhe_genid when updating a route cache Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Kodanev, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kodanev <alexey.kodanev@oracle.com>


[ Upstream commit 981542c526ecd846920bc500e9989da906ee9fb9 ]

After commit 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call
common GRE functions") it's not used anywhere in the module, but
previously was used in ip6gre_rcv().

Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_gre.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -461,7 +461,7 @@ static int ip6gre_rcv(struct sk_buff *sk
 				      &ipv6h->saddr, &ipv6h->daddr, tpi->key,
 				      tpi->proto);
 	if (tunnel) {
-		ip6_tnl_rcv(tunnel, skb, tpi, NULL, false);
+		ip6_tnl_rcv(tunnel, skb, tpi, NULL, log_ecn_error);
 
 		return PACKET_RCVD;
 	}

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 114/164] route: also update fnhe_genid when updating a route cache
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 113/164] gre6: use log_ecn_error module parameter in ip6_tnl_rcv() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 115/164] route: update fnhe_expires for redirect when the fnhe exists Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hannes Frederic Sowa, Xin Long,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit cebe84c6190d741045a322f5343f717139993c08 ]

Now when ip route flush cache and it turn out all fnhe_genid != genid.
If a redirect/pmtu icmp packet comes and the old fnhe is found and all
it's members but fnhe_genid will be updated.

Then next time when it looks up route and tries to rebind this fnhe to
the new dst, the fnhe will be flushed due to fnhe_genid != genid. It
causes this redirect/pmtu icmp packet acutally not to be applied.

This patch is to also reset fnhe_genid when updating a route cache.

Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/route.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -651,9 +651,12 @@ static void update_or_create_fnhe(struct
 	struct fnhe_hash_bucket *hash;
 	struct fib_nh_exception *fnhe;
 	struct rtable *rt;
+	u32 genid, hval;
 	unsigned int i;
 	int depth;
-	u32 hval = fnhe_hashfun(daddr);
+
+	genid = fnhe_genid(dev_net(nh->nh_dev));
+	hval = fnhe_hashfun(daddr);
 
 	spin_lock_bh(&fnhe_lock);
 
@@ -676,6 +679,8 @@ static void update_or_create_fnhe(struct
 	}
 
 	if (fnhe) {
+		if (fnhe->fnhe_genid != genid)
+			fnhe->fnhe_genid = genid;
 		if (gw)
 			fnhe->fnhe_gw = gw;
 		if (pmtu) {
@@ -700,7 +705,7 @@ static void update_or_create_fnhe(struct
 			fnhe->fnhe_next = hash->chain;
 			rcu_assign_pointer(hash->chain, fnhe);
 		}
-		fnhe->fnhe_genid = fnhe_genid(dev_net(nh->nh_dev));
+		fnhe->fnhe_genid = genid;
 		fnhe->fnhe_daddr = daddr;
 		fnhe->fnhe_gw = gw;
 		fnhe->fnhe_pmtu = pmtu;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 115/164] route: update fnhe_expires for redirect when the fnhe exists
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 114/164] route: also update fnhe_genid when updating a route cache Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 116/164] rsi: fix memory leak on buf and usb_reg_buf Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jianlin Shi, Hannes Frederic Sowa,
	Xin Long, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit e39d5246111399dbc6e11cd39fd8580191b86c47 ]

Now when creating fnhe for redirect, it sets fnhe_expires for this
new route cache. But when updating the exist one, it doesn't do it.
It will cause this fnhe never to be expired.

Paolo already noticed it before, in Jianlin's test case, it became
even worse:

When ip route flush cache, the old fnhe is not to be removed, but
only clean it's members. When redirect comes again, this fnhe will
be found and updated, but never be expired due to fnhe_expires not
being set.

So fix it by simply updating fnhe_expires even it's for redirect.

Fixes: aee06da6726d ("ipv4: use seqlock for nh_exceptions")
Reported-by: Jianlin Shi <jishi@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/route.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -683,10 +683,9 @@ static void update_or_create_fnhe(struct
 			fnhe->fnhe_genid = genid;
 		if (gw)
 			fnhe->fnhe_gw = gw;
-		if (pmtu) {
+		if (pmtu)
 			fnhe->fnhe_pmtu = pmtu;
-			fnhe->fnhe_expires = max(1UL, expires);
-		}
+		fnhe->fnhe_expires = max(1UL, expires);
 		/* Update all cached dsts too */
 		rt = rcu_dereference(fnhe->fnhe_rth_input);
 		if (rt)

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 116/164] rsi: fix memory leak on buf and usb_reg_buf
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 115/164] route: update fnhe_expires for redirect when the fnhe exists Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 117/164] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer() Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Ian King <colin.king@canonical.com>


[ Upstream commit d35ef8f846c72d84bfccf239c248c84f79c3a7e8 ]

In the cases where len is too long, the error return path fails to
kfree allocated buffers buf and usb_reg_buf.  The simplest fix is to
perform the sanity check on len before the allocations to avoid having
to do the kfree'ing in the first place.

Detected by CoverityScan, CID#1452258,1452259 ("Resource Leak")

Fixes: 59f73e2ae185 ("rsi: check length before USB read/write register")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/rsi/rsi_91x_usb.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
@@ -162,13 +162,13 @@ static int rsi_usb_reg_read(struct usb_d
 	u8 *buf;
 	int status = -ENOMEM;
 
+	if (len > RSI_USB_CTRL_BUF_SIZE)
+		return -EINVAL;
+
 	buf  = kmalloc(RSI_USB_CTRL_BUF_SIZE, GFP_KERNEL);
 	if (!buf)
 		return status;
 
-	if (len > RSI_USB_CTRL_BUF_SIZE)
-		return -EINVAL;
-
 	status = usb_control_msg(usbdev,
 				 usb_rcvctrlpipe(usbdev, 0),
 				 USB_VENDOR_REGISTER_READ,
@@ -207,13 +207,13 @@ static int rsi_usb_reg_write(struct usb_
 	u8 *usb_reg_buf;
 	int status = -ENOMEM;
 
+	if (len > RSI_USB_CTRL_BUF_SIZE)
+		return -EINVAL;
+
 	usb_reg_buf  = kmalloc(RSI_USB_CTRL_BUF_SIZE, GFP_KERNEL);
 	if (!usb_reg_buf)
 		return status;
 
-	if (len > RSI_USB_CTRL_BUF_SIZE)
-		return -EINVAL;
-
 	usb_reg_buf[0] = (value & 0x00ff);
 	usb_reg_buf[1] = (value & 0xff00) >> 8;
 	usb_reg_buf[2] = 0x0;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 117/164] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 116/164] rsi: fix memory leak on buf and usb_reg_buf Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 118/164] pipe: match pipe_max_size data type with procfs Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Logan Gunthorpe,
	Matt Porter, Alexandre Bounine, Lorenzo Stoakes, Jesper Nilsson,
	Christian K_nig, Andrew Morton, Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>


[ Upstream commit b1402dcb5643b7a27d46a05edd7491d49ba0e248 ]

If 'dma_map_sg()', we should branch to the existing error handling path
to free some resources before returning.

Link: http://lkml.kernel.org/r/61292a4f369229eee03394247385e955027283f8.1505687047.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: Christian K_nig <christian.koenig@amd.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rapidio/devices/rio_mport_cdev.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -963,7 +963,8 @@ rio_dma_transfer(struct file *filp, u32
 			   req->sgt.sgl, req->sgt.nents, dir);
 	if (nents == -EFAULT) {
 		rmcd_error("Failed to map SG list");
-		return -EFAULT;
+		ret = -EFAULT;
+		goto err_pg;
 	}
 
 	ret = do_dma_request(req, xfer, sync, nents);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 118/164] pipe: match pipe_max_size data type with procfs
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 117/164] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.14 119/164] lib/genalloc.c: make the avail variable an atomic_long_t Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Lawrence, Mikulas Patocka,
	Michael Kerrisk, Randy Dunlap, Al Viro, Jens Axboe,
	Josh Poimboeuf, Andrew Morton, Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Lawrence <joe.lawrence@redhat.com>


[ Upstream commit 98159d977f71c3b3dee898d1c34e56f520b094e7 ]

Patch series "A few round_pipe_size() and pipe-max-size fixups", v3.

While backporting Michael's "pipe: fix limit handling" patchset to a
distro-kernel, Mikulas noticed that current upstream pipe limit handling
contains a few problems:

  1 - procfs signed wrap: echo'ing a large number into
      /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
      negative value.

  2 - round_pipe_size() nr_pages overflow on 32bit:  this would
      subsequently try roundup_pow_of_two(0), which is undefined.

  3 - visible non-rounded pipe-max-size value: there is no mutual
      exclusion or protection between the time pipe_max_size is assigned
      a raw value from proc_dointvec_minmax() and when it is rounded.

  4 - unsigned long -> unsigned int conversion makes for potential odd
      return errors from do_proc_douintvec_minmax_conv() and
      do_proc_dopipe_max_size_conv().

This version underwent the same testing as v1:
https://marc.info/?l=linux-kernel&m=150643571406022&w=2

This patch (of 4):

pipe_max_size is defined as an unsigned int:

  unsigned int pipe_max_size = 1048576;

but its procfs/sysctl representation is an integer:

  static struct ctl_table fs_table[] = {
          ...
          {
                  .procname       = "pipe-max-size",
                  .data           = &pipe_max_size,
                  .maxlen         = sizeof(int),
                  .mode           = 0644,
                  .proc_handler   = &pipe_proc_fn,
                  .extra1         = &pipe_min_size,
          },
          ...

that is signed:

  int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
                   size_t *lenp, loff_t *ppos)
  {
          ...
          ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)

This leads to signed results via procfs for large values of pipe_max_size:

  % echo 2147483647 >/proc/sys/fs/pipe-max-size
  % cat /proc/sys/fs/pipe-max-size
  -2147483648

Use unsigned operations on this variable to avoid such negative values.

Link: http://lkml.kernel.org/r/1507658689-11669-2-git-send-email-joe.lawrence@redhat.com
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/pipe.c       |    2 +-
 kernel/sysctl.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1125,7 +1125,7 @@ int pipe_proc_fn(struct ctl_table *table
 {
 	int ret;
 
-	ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
+	ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
 	if (ret < 0 || !write)
 		return ret;
 
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1822,7 +1822,7 @@ static struct ctl_table fs_table[] = {
 	{
 		.procname	= "pipe-max-size",
 		.data		= &pipe_max_size,
-		.maxlen		= sizeof(int),
+		.maxlen		= sizeof(pipe_max_size),
 		.mode		= 0644,
 		.proc_handler	= &pipe_proc_fn,
 		.extra1		= &pipe_min_size,

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 119/164] lib/genalloc.c: make the avail variable an atomic_long_t
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 118/164] pipe: match pipe_max_size data type with procfs Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 120/164] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Bates, Logan Gunthorpe,
	Mathieu Desnoyers, Daniel Mentz, Jonathan Corbet, Andrew Morton,
	Will Deacon, Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Bates <sbates@raithlin.com>


[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ]

If the amount of resources allocated to a gen_pool exceeds 2^32 then the
avail atomic overflows and this causes problems when clients try and
borrow resources from the pool.  This is only expected to be an issue on
64 bit systems.

Add the <linux/atomic.h> header to pull in atomic_long* operations.  So
that 32 bit systems continue to use atomic32_t but 64 bit systems can
use atomic64_t.

Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com
Signed-off-by: Stephen Bates <sbates@raithlin.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Daniel Mentz <danielmentz@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/genalloc.h |    3 ++-
 lib/genalloc.c           |   10 +++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

--- a/include/linux/genalloc.h
+++ b/include/linux/genalloc.h
@@ -32,6 +32,7 @@
 
 #include <linux/types.h>
 #include <linux/spinlock_types.h>
+#include <linux/atomic.h>
 
 struct device;
 struct device_node;
@@ -71,7 +72,7 @@ struct gen_pool {
  */
 struct gen_pool_chunk {
 	struct list_head next_chunk;	/* next chunk in pool */
-	atomic_t avail;
+	atomic_long_t avail;
 	phys_addr_t phys_addr;		/* physical starting address of memory chunk */
 	unsigned long start_addr;	/* start address of memory chunk */
 	unsigned long end_addr;		/* end address of memory chunk (inclusive) */
--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p
 	chunk->phys_addr = phys;
 	chunk->start_addr = virt;
 	chunk->end_addr = virt + size - 1;
-	atomic_set(&chunk->avail, size);
+	atomic_long_set(&chunk->avail, size);
 
 	spin_lock(&pool->lock);
 	list_add_rcu(&chunk->next_chunk, &pool->chunks);
@@ -304,7 +304,7 @@ unsigned long gen_pool_alloc_algo(struct
 	nbits = (size + (1UL << order) - 1) >> order;
 	rcu_read_lock();
 	list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
-		if (size > atomic_read(&chunk->avail))
+		if (size > atomic_long_read(&chunk->avail))
 			continue;
 
 		start_bit = 0;
@@ -324,7 +324,7 @@ retry:
 
 		addr = chunk->start_addr + ((unsigned long)start_bit << order);
 		size = nbits << order;
-		atomic_sub(size, &chunk->avail);
+		atomic_long_sub(size, &chunk->avail);
 		break;
 	}
 	rcu_read_unlock();
@@ -390,7 +390,7 @@ void gen_pool_free(struct gen_pool *pool
 			remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
 			BUG_ON(remain);
 			size = nbits << order;
-			atomic_add(size, &chunk->avail);
+			atomic_long_add(size, &chunk->avail);
 			rcu_read_unlock();
 			return;
 		}
@@ -464,7 +464,7 @@ size_t gen_pool_avail(struct gen_pool *p
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
-		avail += atomic_read(&chunk->avail);
+		avail += atomic_long_read(&chunk->avail);
 	rcu_read_unlock();
 	return avail;
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 120/164] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.14 119/164] lib/genalloc.c: make the avail variable an atomic_long_t Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 121/164] NFS: Fix a typo in nfs_rename() Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Jason Baron,
	Andrew Morton, Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>


[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]

line-range is supposed to treat "1-" as "1-endoffile", so
handle the special case by setting last_lineno to UINT_MAX.

Fixes this error:

  dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
  dynamic_debug:ddebug_exec_query: query parse failed

Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/dynamic_debug.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/lib/dynamic_debug.c
+++ b/lib/dynamic_debug.c
@@ -360,6 +360,10 @@ static int ddebug_parse_query(char *word
 				if (parse_lineno(last, &query->last_lineno) < 0)
 					return -EINVAL;
 
+				/* special case for last lineno not specified */
+				if (query->last_lineno == 0)
+					query->last_lineno = UINT_MAX;
+
 				if (query->last_lineno < query->first_lineno) {
 					pr_err("last-line:%d < 1st-line:%d\n",
 						query->last_lineno,

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 121/164] NFS: Fix a typo in nfs_rename()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 120/164] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 122/164] sunrpc: Fix rpc_task_begin trace point Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Anna Schumaker, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>


[ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ]

On successful rename, the "old_dentry" is retained and is attached to
the "new_dir", so we need to call nfs_set_verifier() accordingly.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/dir.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2064,7 +2064,7 @@ out:
 		 * should mark the directories for revalidation.
 		 */
 		d_move(old_dentry, new_dentry);
-		nfs_set_verifier(new_dentry,
+		nfs_set_verifier(old_dentry,
 					nfs_save_change_attribute(new_dir));
 	} else if (error == -ENOENT)
 		nfs_dentry_handle_enoent(old_dentry);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 122/164] sunrpc: Fix rpc_task_begin trace point
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 121/164] NFS: Fix a typo in nfs_rename() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 123/164] nfp: inherit the max_mtu from the PF netdev Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuck Lever, Anna Schumaker, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>


[ Upstream commit b2bfe5915d5fe7577221031a39ac722a0a2a1199 ]

The rpc_task_begin trace point always display a task ID of zero.
Move the trace point call site so that it picks up the new task ID.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sunrpc/sched.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -274,10 +274,9 @@ static inline void rpc_task_set_debuginf
 
 static void rpc_set_active(struct rpc_task *task)
 {
-	trace_rpc_task_begin(task->tk_client, task, NULL);
-
 	rpc_task_set_debuginfo(task);
 	set_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
+	trace_rpc_task_begin(task->tk_client, task, NULL);
 }
 
 /*

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 123/164] nfp: inherit the max_mtu from the PF netdev
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 122/164] sunrpc: Fix rpc_task_begin trace point Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45   ` Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dirk van der Merwe, Jakub Kicinski,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dirk van der Merwe <dirk.vandermerwe@netronome.com>


[ Upstream commit 743ba5b47f7961fb29f2e06bb694fb4f068ac58f ]

The PF netdev is used for data transfer for reprs, so reprs inherit the
maximum MTU settings of the PF netdev.

Fixes: 5de73ee46704 ("nfp: general representor implementation")
Signed-off-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/netronome/nfp/nfp_net_repr.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net_repr.c
@@ -297,6 +297,8 @@ int nfp_repr_init(struct nfp_app *app, s
 	netdev->netdev_ops = &nfp_repr_netdev_ops;
 	netdev->ethtool_ops = &nfp_port_ethtool_ops;
 
+	netdev->max_mtu = pf_netdev->max_mtu;
+
 	SWITCHDEV_SET_OPS(netdev, &nfp_port_switchdev_ops);
 
 	if (nfp_app_has_tc(app)) {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 124/164] nfp: fix flower offload metadata flag usage
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
@ 2017-12-12 12:45   ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.14 002/164] usb: gadget: core: Fix ->udc_set_speed() speed handling Greg Kroah-Hartman
                     ` (161 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pieter Jansen van Vuuren,
	Jakub Kicinski, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>


[ Upstream commit 6c3ab204f4ca00374a374bc0fc9a275b64d1bcbb ]

Hardware has no notion of new or last mask id, instead it makes use of the
message type (i.e. add flow or del flow) in combination with a single bit
in metadata flags to determine when to add or delete a mask id. Previously
we made use of the new or last flags to indicate that a new mask should be
allocated or deallocated, respectively. This incorrect behaviour is fixed
by making use single bit in metadata flags to indicate mask allocation or
deallocation.

Fixes: 43f84b72c50d ("nfp: add metadata to each flow offload")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/netronome/nfp/flower/main.h     |    3 +--
 drivers/net/ethernet/netronome/nfp/flower/metadata.c |    7 +++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/netronome/nfp/flower/main.h
+++ b/drivers/net/ethernet/netronome/nfp/flower/main.h
@@ -52,8 +52,7 @@ struct nfp_app;
 #define NFP_FLOWER_MASK_ELEMENT_RS	1
 #define NFP_FLOWER_MASK_HASH_BITS	10
 
-#define NFP_FL_META_FLAG_NEW_MASK	128
-#define NFP_FL_META_FLAG_LAST_MASK	1
+#define NFP_FL_META_FLAG_MANAGE_MASK	BIT(7)
 
 #define NFP_FL_MASK_REUSE_TIME_NS	40000
 #define NFP_FL_MASK_ID_LOCATION		1
--- a/drivers/net/ethernet/netronome/nfp/flower/metadata.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/metadata.c
@@ -282,7 +282,7 @@ nfp_check_mask_add(struct nfp_app *app,
 		id = nfp_add_mask_table(app, mask_data, mask_len);
 		if (id < 0)
 			return false;
-		*meta_flags |= NFP_FL_META_FLAG_NEW_MASK;
+		*meta_flags |= NFP_FL_META_FLAG_MANAGE_MASK;
 	}
 	*mask_id = id;
 
@@ -299,6 +299,9 @@ nfp_check_mask_remove(struct nfp_app *ap
 	if (!mask_entry)
 		return false;
 
+	if (meta_flags)
+		*meta_flags &= ~NFP_FL_META_FLAG_MANAGE_MASK;
+
 	*mask_id = mask_entry->mask_id;
 	mask_entry->ref_cnt--;
 	if (!mask_entry->ref_cnt) {
@@ -306,7 +309,7 @@ nfp_check_mask_remove(struct nfp_app *ap
 		nfp_release_mask_id(app, *mask_id);
 		kfree(mask_entry);
 		if (meta_flags)
-			*meta_flags |= NFP_FL_META_FLAG_LAST_MASK;
+			*meta_flags |= NFP_FL_META_FLAG_MANAGE_MASK;
 	}
 
 	return true;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 124/164] nfp: fix flower offload metadata flag usage
@ 2017-12-12 12:45   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pieter Jansen van Vuuren,
	Jakub Kicinski, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>


[ Upstream commit 6c3ab204f4ca00374a374bc0fc9a275b64d1bcbb ]

Hardware has no notion of new or last mask id, instead it makes use of the
message type (i.e. add flow or del flow) in combination with a single bit
in metadata flags to determine when to add or delete a mask id. Previously
we made use of the new or last flags to indicate that a new mask should be
allocated or deallocated, respectively. This incorrect behaviour is fixed
by making use single bit in metadata flags to indicate mask allocation or
deallocation.

Fixes: 43f84b72c50d ("nfp: add metadata to each flow offload")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/netronome/nfp/flower/main.h     |    3 +--
 drivers/net/ethernet/netronome/nfp/flower/metadata.c |    7 +++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/netronome/nfp/flower/main.h
+++ b/drivers/net/ethernet/netronome/nfp/flower/main.h
@@ -52,8 +52,7 @@ struct nfp_app;
 #define NFP_FLOWER_MASK_ELEMENT_RS	1
 #define NFP_FLOWER_MASK_HASH_BITS	10
 
-#define NFP_FL_META_FLAG_NEW_MASK	128
-#define NFP_FL_META_FLAG_LAST_MASK	1
+#define NFP_FL_META_FLAG_MANAGE_MASK	BIT(7)
 
 #define NFP_FL_MASK_REUSE_TIME_NS	40000
 #define NFP_FL_MASK_ID_LOCATION		1
--- a/drivers/net/ethernet/netronome/nfp/flower/metadata.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/metadata.c
@@ -282,7 +282,7 @@ nfp_check_mask_add(struct nfp_app *app,
 		id = nfp_add_mask_table(app, mask_data, mask_len);
 		if (id < 0)
 			return false;
-		*meta_flags |= NFP_FL_META_FLAG_NEW_MASK;
+		*meta_flags |= NFP_FL_META_FLAG_MANAGE_MASK;
 	}
 	*mask_id = id;
 
@@ -299,6 +299,9 @@ nfp_check_mask_remove(struct nfp_app *ap
 	if (!mask_entry)
 		return false;
 
+	if (meta_flags)
+		*meta_flags &= ~NFP_FL_META_FLAG_MANAGE_MASK;
+
 	*mask_id = mask_entry->mask_id;
 	mask_entry->ref_cnt--;
 	if (!mask_entry->ref_cnt) {
@@ -306,7 +309,7 @@ nfp_check_mask_remove(struct nfp_app *ap
 		nfp_release_mask_id(app, *mask_id);
 		kfree(mask_entry);
 		if (meta_flags)
-			*meta_flags |= NFP_FL_META_FLAG_LAST_MASK;
+			*meta_flags |= NFP_FL_META_FLAG_MANAGE_MASK;
 	}
 
 	return true;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 125/164] xfs: fix forgotten rcu read unlock when skipping inode reclaim
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2017-12-12 12:45   ` Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 126/164] dt-bindings: usb: fix reg-property port-number range Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Darrick J. Wong,
	Christoph Hellwig, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darrick.wong@oracle.com>


[ Upstream commit 962cc1ad6caddb5abbb9f0a43e5abe7131a71f18 ]

In commit f2e9ad21 ("xfs: check for race with xfs_reclaim_inode"), we
skip an inode if we're racing with freeing the inode via
xfs_reclaim_inode, but we forgot to release the rcu read lock when
dumping the inode, with the result that we exit to userspace with a lock
held.  Don't do that; generic/320 with a 1k block size fails this
very occasionally.

================================================
WARNING: lock held when returning to user space!
4.14.0-rc6-djwong #4 Tainted: G        W
------------------------------------------------
rm/30466 is leaving the kernel with locks still held!
1 lock held by rm/30466:
 #0:  (rcu_read_lock){....}, at: [<ffffffffa01364d3>] xfs_ifree_cluster.isra.17+0x2c3/0x6f0 [xfs]
------------[ cut here ]------------
WARNING: CPU: 1 PID: 30466 at kernel/rcu/tree_plugin.h:329 rcu_note_context_switch+0x71/0x700
Modules linked in: deadline_iosched dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey xfs libcrc32c dax_pmem device_dax nd_pmem sch_fq_codel af_packet [last unloaded: scsi_debug]
CPU: 1 PID: 30466 Comm: rm Tainted: G        W       4.14.0-rc6-djwong #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1djwong0 04/01/2014
task: ffff880037680000 task.stack: ffffc90001064000
RIP: 0010:rcu_note_context_switch+0x71/0x700
RSP: 0000:ffffc90001067e50 EFLAGS: 00010002
RAX: 0000000000000001 RBX: ffff880037680000 RCX: ffff88003e73d200
RDX: 0000000000000002 RSI: ffffffff819e53e9 RDI: ffffffff819f4375
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff880062c900d0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880037680000
R13: 0000000000000000 R14: ffffc90001067eb8 R15: ffff880037680690
FS:  00007fa3b8ce8700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f69bf77c000 CR3: 000000002450a000 CR4: 00000000000006e0
Call Trace:
 __schedule+0xb8/0xb10
 schedule+0x40/0x90
 exit_to_usermode_loop+0x6b/0xa0
 prepare_exit_to_usermode+0x7a/0x90
 retint_user+0x8/0x20
RIP: 0033:0x7fa3b87fda87
RSP: 002b:00007ffe41206568 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02
RAX: 0000000000000000 RBX: 00000000010e88c0 RCX: 00007fa3b87fda87
RDX: 0000000000000000 RSI: 00000000010e89c8 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 000000000000015e R11: 0000000000000246 R12: 00000000010c8060
R13: 00007ffe41206690 R14: 0000000000000000 R15: 0000000000000000
---[ end trace e88f83bf0cfbd07d ]---

Fixes: f2e9ad212def50bcf4c098c6288779dd97fff0f0
Cc: Omar Sandoval <osandov@fb.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/xfs_inode.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -2378,6 +2378,7 @@ retry:
 				 */
 				if (ip->i_ino != inum + i) {
 					xfs_iunlock(ip, XFS_ILOCK_EXCL);
+					rcu_read_unlock();
 					continue;
 				}
 			}

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 126/164] dt-bindings: usb: fix reg-property port-number range
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 125/164] xfs: fix forgotten rcu read unlock when skipping inode reclaim Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 127/164] block: wake up all tasks blocked in get_request() Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Rob Herring, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>


[ Upstream commit f42ae7b0540937e00fe005812997f126aaac4bc2 ]

The USB hub port-number range for USB 2.0 is 1-255 and not 1-31 which
reflects an arbitrary limit set by the current Linux implementation.

Note that for USB 3.1 hubs the valid range is 1-15.

Increase the documented valid range in the binding to 255, which is the
maximum allowed by the specifications.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/usb/usb-device.txt |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/devicetree/bindings/usb/usb-device.txt
+++ b/Documentation/devicetree/bindings/usb/usb-device.txt
@@ -11,7 +11,7 @@ Required properties:
   be used, but a device adhering to this binding may leave out all except
   for usbVID,PID.
 - reg: the port number which this device is connecting to, the range
-  is 1-31.
+  is 1-255.
 
 Example:
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 127/164] block: wake up all tasks blocked in get_request()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 126/164] dt-bindings: usb: fix reg-property port-number range Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 128/164] sparc64/mm: set fields in deferred pages Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ming Lei, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Lei <ming.lei@redhat.com>


[ Upstream commit 34d9715ac1edd50285168dd8d80c972739a4f6a4 ]

Once blk_set_queue_dying() is done in blk_cleanup_queue(), we call
blk_freeze_queue() and wait for q->q_usage_counter becoming zero. But
if there are tasks blocked in get_request(), q->q_usage_counter can
never become zero. So we have to wake up all these tasks in
blk_set_queue_dying() first.

Fixes: 3ef28e83ab157997 ("block: generic request_queue reference counting")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -605,8 +605,8 @@ void blk_set_queue_dying(struct request_
 		spin_lock_irq(q->queue_lock);
 		blk_queue_for_each_rl(rl, q) {
 			if (rl->rq_pool) {
-				wake_up(&rl->wait[BLK_RW_SYNC]);
-				wake_up(&rl->wait[BLK_RW_ASYNC]);
+				wake_up_all(&rl->wait[BLK_RW_SYNC]);
+				wake_up_all(&rl->wait[BLK_RW_ASYNC]);
 			}
 		}
 		spin_unlock_irq(q->queue_lock);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 128/164] sparc64/mm: set fields in deferred pages
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 127/164] block: wake up all tasks blocked in get_request() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 129/164] zsmalloc: calling zs_map_object() from irq is a bug Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Tatashin, Steven Sistare,
	Daniel Jordan, Bob Picco, David S. Miller, Michal Hocko,
	Alexander Potapenko, Andrey Ryabinin, Ard Biesheuvel,
	Catalin Marinas, Christian Borntraeger, Dmitry Vyukov,
	Heiko Carstens, H. Peter Anvin, Ingo Molnar, Mark Rutland,
	Matthew Wilcox, Mel Gorman, Michal Hocko, Sam Ravnborg,
	Thomas Gleixner, Will Deacon, Andrew Morton, Linus Torvalds,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Tatashin <pasha.tatashin@oracle.com>


[ Upstream commit 2a20aa171071a334d80c4e5d5af719d8374702fc ]

Without deferred struct page feature (CONFIG_DEFERRED_STRUCT_PAGE_INIT),
flags and other fields in "struct page"es are never changed prior to
first initializing struct pages by going through __init_single_page().

With deferred struct page feature enabled there is a case where we set
some fields prior to initializing:

mem_init() {
     register_page_bootmem_info();
     free_all_bootmem();
     ...
}

When register_page_bootmem_info() is called only non-deferred struct
pages are initialized.  But, this function goes through some reserved
pages which might be part of the deferred, and thus are not yet
initialized.

mem_init
register_page_bootmem_info
register_page_bootmem_info_node
 get_page_bootmem
  .. setting fields here ..
  such as: page->freelist = (void *)type;

free_all_bootmem()
free_low_memory_core_early()
 for_each_reserved_mem_region()
  reserve_bootmem_region()
   init_reserved_page() <- Only if this is deferred reserved page
    __init_single_pfn()
     __init_single_page()
      memset(0) <-- Loose the set fields here

We end up with similar issue as in the previous patch, where currently
we do not observe problem as memory is zeroed.  But, if flag asserts are
changed we can start hitting issues.

Also, because in this patch series we will stop zeroing struct page
memory during allocation, we must make sure that struct pages are
properly initialized prior to using them.

The deferred-reserved pages are initialized in free_all_bootmem().
Therefore, the fix is to switch the above calls.

Link: http://lkml.kernel.org/r/20171013173214.27300-4-pasha.tatashin@oracle.com
Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: Bob Picco <bob.picco@oracle.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/mm/init_64.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/arch/sparc/mm/init_64.c
+++ b/arch/sparc/mm/init_64.c
@@ -2540,10 +2540,17 @@ void __init mem_init(void)
 {
 	high_memory = __va(last_valid_pfn << PAGE_SHIFT);
 
-	register_page_bootmem_info();
 	free_all_bootmem();
 
 	/*
+	 * Must be done after boot memory is put on freelist, because here we
+	 * might set fields in deferred struct pages that have not yet been
+	 * initialized, and free_all_bootmem() initializes all the reserved
+	 * deferred pages for us.
+	 */
+	register_page_bootmem_info();
+
+	/*
 	 * Set up the zero page, mark it reserved, so that page count
 	 * is not manipulated when freeing the page from user ptes.
 	 */

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 129/164] zsmalloc: calling zs_map_object() from irq is a bug
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 128/164] sparc64/mm: set fields in deferred pages Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 130/164] slub: fix sysfs duplicate filename creation when slub_debug=O Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Minchan Kim,
	Andrew Morton, Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>


[ Upstream commit 1aedcafbf32b3f232c159b14cd0d423fcfe2b861 ]

Use BUG_ON(in_interrupt()) in zs_map_object().  This is not a new
BUG_ON(), it's always been there, but was recently changed to
VM_BUG_ON().  There are several problems there.  First, we use use
per-CPU mappings both in zsmalloc and in zram, and interrupt may easily
corrupt those buffers.  Second, and more importantly, we believe it's
possible to start leaking sensitive information.  Consider the following
case:

-> process P
	swap out
	 zram
	  per-cpu mapping CPU1
	   compress page A
-> IRQ

	swap out
	 zram
	  per-cpu mapping CPU1
	   compress page B
	    write page from per-cpu mapping CPU1 to zsmalloc pool
	iret

-> process P
	    write page from per-cpu mapping CPU1 to zsmalloc pool  [*]
	return

* so we store overwritten data that actually belongs to another
  page (task) and potentially contains sensitive data. And when
  process P will page fault it's going to read (swap in) that
  other task's data.

Link: http://lkml.kernel.org/r/20170929045140.4055-1-sergey.senozhatsky@gmail.com
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/zsmalloc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1349,7 +1349,7 @@ void *zs_map_object(struct zs_pool *pool
 	 * pools/users, we can't allow mapping in interrupt context
 	 * because it can corrupt another users mappings.
 	 */
-	WARN_ON_ONCE(in_interrupt());
+	BUG_ON(in_interrupt());
 
 	/* From now on, migration cannot move the object */
 	pin_tag(handle);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 130/164] slub: fix sysfs duplicate filename creation when slub_debug=O
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 129/164] zsmalloc: calling zs_map_object() from irq is a bug Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 131/164] sctp: do not free asoc when it is already dead in sctp_sendmsg Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miles Chen, Christoph Lameter,
	Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton,
	Linus Torvalds, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Miles Chen <miles.chen@mediatek.com>


[ Upstream commit 11066386efa692f77171484c32ea30f6e5a0d729 ]

When slub_debug=O is set.  It is possible to clear debug flags for an
"unmergeable" slab cache in kmem_cache_open().  It makes the "unmergeable"
cache became "mergeable" in sysfs_slab_add().

These caches will generate their "unique IDs" by create_unique_id(), but
it is possible to create identical unique IDs.  In my experiment,
sgpool-128, names_cache, biovec-256 generate the same ID ":Ft-0004096" and
the kernel reports "sysfs: cannot create duplicate filename
'/kernel/slab/:Ft-0004096'".

To repeat my experiment, set disable_higher_order_debug=1,
CONFIG_SLUB_DEBUG_ON=y in kernel-4.14.

Fix this issue by setting unmergeable=1 if slub_debug=O and the the
default slub_debug contains any no-merge flags.

call path:
kmem_cache_create()
  __kmem_cache_alias()	-> we set SLAB_NEVER_MERGE flags here
  create_cache()
    __kmem_cache_create()
      kmem_cache_open()	-> clear DEBUG_METADATA_FLAGS
      sysfs_slab_add()	-> the slab cache is mergeable now

  sysfs: cannot create duplicate filename '/kernel/slab/:Ft-0004096'
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x60/0x7c
  Modules linked in:
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W       4.14.0-rc7ajb-00131-gd4c2e9f-dirty #123
  Hardware name: linux,dummy-virt (DT)
  task: ffffffc07d4e0080 task.stack: ffffff8008008000
  PC is at sysfs_warn_dup+0x60/0x7c
  LR is at sysfs_warn_dup+0x60/0x7c
  pc :  lr :  pstate: 60000145
  Call trace:
   sysfs_warn_dup+0x60/0x7c
   sysfs_create_dir_ns+0x98/0xa0
   kobject_add_internal+0xa0/0x294
   kobject_init_and_add+0x90/0xb4
   sysfs_slab_add+0x90/0x200
   __kmem_cache_create+0x26c/0x438
   kmem_cache_create+0x164/0x1f4
   sg_pool_init+0x60/0x100
   do_one_initcall+0x38/0x12c
   kernel_init_freeable+0x138/0x1d4
   kernel_init+0x10/0xfc
   ret_from_fork+0x10/0x18

Link: http://lkml.kernel.org/r/1510365805-5155-1-git-send-email-miles.chen@mediatek.com
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Acked-by: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/slub.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5704,6 +5704,10 @@ static int sysfs_slab_add(struct kmem_ca
 		return 0;
 	}
 
+	if (!unmergeable && disable_higher_order_debug &&
+			(slub_debug & DEBUG_METADATA_FLAGS))
+		unmergeable = 1;
+
 	if (unmergeable) {
 		/*
 		 * Slabcache can never be merged so we can use the name proper.

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 131/164] sctp: do not free asoc when it is already dead in sctp_sendmsg
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 130/164] slub: fix sysfs duplicate filename creation when slub_debug=O Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 132/164] sctp: use the right sk after waking up from wait_buf sleep Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Horman, Dmitry Vyukov, Xin Long,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit ca3af4dd28cff4e7216e213ba3b671fbf9f84758 ]

Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without
holding sock sk. It means the current asoc can be freed elsewhere,
like when receiving an abort packet.

If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf
returns err, the asoc will be freed again due to new_asoc is not nil.
An use-after-free issue would be triggered by this.

This patch is to fix it by setting new_asoc with nil if the asoc is
already dead when cpu schedules back, so that it will not be freed
again in sctp_sendmsg.

v1->v2:
  set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf.

Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1963,8 +1963,14 @@ static int sctp_sendmsg(struct sock *sk,
 	timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
 	if (!sctp_wspace(asoc)) {
 		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
-		if (err)
+		if (err) {
+			if (err == -ESRCH) {
+				/* asoc is already dead. */
+				new_asoc = NULL;
+				err = -EPIPE;
+			}
 			goto out_free;
+		}
 	}
 
 	/* If an address is passed with the sendto/sendmsg call, it is used
@@ -7839,10 +7845,11 @@ static int sctp_wait_for_sndbuf(struct s
 	for (;;) {
 		prepare_to_wait_exclusive(&asoc->wait, &wait,
 					  TASK_INTERRUPTIBLE);
+		if (asoc->base.dead)
+			goto do_dead;
 		if (!*timeo_p)
 			goto do_nonblock;
-		if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING ||
-		    asoc->base.dead)
+		if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
 			goto do_error;
 		if (signal_pending(current))
 			goto do_interrupted;
@@ -7867,6 +7874,10 @@ out:
 
 	return err;
 
+do_dead:
+	err = -ESRCH;
+	goto out;
+
 do_error:
 	err = -EPIPE;
 	goto out;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 132/164] sctp: use the right sk after waking up from wait_buf sleep
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 131/164] sctp: do not free asoc when it is already dead in sctp_sendmsg Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 133/164] fcntl: dont leak fd reference when fixup_compat_flock fails Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Horman, Xin Long,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff ]

Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads
sleeping on it") fixed the race between peeloff and wait sndbuf by
checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().

But it actually doesn't work, as even if waitqueue_active returns false
the waiting sndbuf thread may still not yet hold sk lock. After asoc is
peeled off, sk is not asoc->base.sk any more, then to hold the old sk
lock couldn't make assoc safe to access.

This patch is to fix this by changing to hold the new sk lock if sk is
not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
new sk.

With this fix, there is no more race between peeloff and waitbuf, the
check 'waitqueue_active' in sctp_do_peeloff can be removed.

Thanks Marcelo and Neil for making this clear.

v1->v2:
  fix it by changing to lock the new sock instead of adding a flag in asoc.

Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -83,8 +83,8 @@
 /* Forward declarations for internal helper functions. */
 static int sctp_writeable(struct sock *sk);
 static void sctp_wfree(struct sk_buff *skb);
-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p,
-				size_t msg_len);
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+				size_t msg_len, struct sock **orig_sk);
 static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
 static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
 static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -1962,7 +1962,8 @@ static int sctp_sendmsg(struct sock *sk,
 
 	timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
 	if (!sctp_wspace(asoc)) {
-		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+		/* sk can be changed by peel off when waiting for buf. */
+		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
 		if (err) {
 			if (err == -ESRCH) {
 				/* asoc is already dead. */
@@ -4949,12 +4950,6 @@ int sctp_do_peeloff(struct sock *sk, sct
 	if (!asoc)
 		return -EINVAL;
 
-	/* If there is a thread waiting on more sndbuf space for
-	 * sending on this asoc, it cannot be peeled.
-	 */
-	if (waitqueue_active(&asoc->wait))
-		return -EBUSY;
-
 	/* An association cannot be branched off from an already peeled-off
 	 * socket, nor is this supported for tcp style sockets.
 	 */
@@ -7828,7 +7823,7 @@ void sctp_sock_rfree(struct sk_buff *skb
 
 /* Helper function to wait for space in the sndbuf.  */
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-				size_t msg_len)
+				size_t msg_len, struct sock **orig_sk)
 {
 	struct sock *sk = asoc->base.sk;
 	int err = 0;
@@ -7862,11 +7857,17 @@ static int sctp_wait_for_sndbuf(struct s
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
 		lock_sock(sk);
+		if (sk != asoc->base.sk) {
+			release_sock(sk);
+			sk = asoc->base.sk;
+			lock_sock(sk);
+		}
 
 		*timeo_p = current_timeo;
 	}
 
 out:
+	*orig_sk = sk;
 	finish_wait(&asoc->wait, &wait);
 
 	/* Release the association's refcnt.  */

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 133/164] fcntl: dont leak fd reference when fixup_compat_flock fails
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 132/164] sctp: use the right sk after waking up from wait_buf sleep Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 134/164] geneve: fix fill_info when link down Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeff Layton, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Layton <jlayton@redhat.com>


[ Upstream commit 9280a601e6080c9ff658468c1c775ff6514099a6 ]

Currently we just return err here, but we need to put the fd reference
first.

Fixes: 94073ad77fff (fs/locks: don't mess with the address limit in compat_fcntl64)
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fcntl.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -632,9 +632,8 @@ COMPAT_SYSCALL_DEFINE3(fcntl64, unsigned
 		if (err)
 			break;
 		err = fixup_compat_flock(&flock);
-		if (err)
-			return err;
-		err = put_compat_flock(&flock, compat_ptr(arg));
+		if (!err)
+			err = put_compat_flock(&flock, compat_ptr(arg));
 		break;
 	case F_GETLK64:
 	case F_OFD_GETLK:

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 134/164] geneve: fix fill_info when link down
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 133/164] fcntl: dont leak fd reference when fixup_compat_flock fails Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 135/164] bpf: fix lockdep splat Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangbin Liu, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hangbin Liu <liuhangbin@gmail.com>


[ Upstream commit fd7eafd02121d6ef501ef1a4a891e6061366c952 ]

geneve->sock4/6 were added with geneve_open and released with geneve_stop.
So when geneve link down, we will not able to show remote address and
checksum info after commit 11387fe4a98 ("geneve: fix fill_info when using
collect_metadata").

Fix this by avoid passing *_REMOTE{,6} for COLLECT_METADATA since they are
mutually exclusive, and always show UDP_ZERO_CSUM6_RX info.

Fixes: 11387fe4a98 ("geneve: fix fill_info when using collect_metadata")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/geneve.c |   24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -1503,6 +1503,7 @@ static int geneve_fill_info(struct sk_bu
 {
 	struct geneve_dev *geneve = netdev_priv(dev);
 	struct ip_tunnel_info *info = &geneve->info;
+	bool metadata = geneve->collect_md;
 	__u8 tmp_vni[3];
 	__u32 vni;
 
@@ -1511,32 +1512,24 @@ static int geneve_fill_info(struct sk_bu
 	if (nla_put_u32(skb, IFLA_GENEVE_ID, vni))
 		goto nla_put_failure;
 
-	if (rtnl_dereference(geneve->sock4)) {
+	if (!metadata && ip_tunnel_info_af(info) == AF_INET) {
 		if (nla_put_in_addr(skb, IFLA_GENEVE_REMOTE,
 				    info->key.u.ipv4.dst))
 			goto nla_put_failure;
-
 		if (nla_put_u8(skb, IFLA_GENEVE_UDP_CSUM,
 			       !!(info->key.tun_flags & TUNNEL_CSUM)))
 			goto nla_put_failure;
 
-	}
-
 #if IS_ENABLED(CONFIG_IPV6)
-	if (rtnl_dereference(geneve->sock6)) {
+	} else if (!metadata) {
 		if (nla_put_in6_addr(skb, IFLA_GENEVE_REMOTE6,
 				     &info->key.u.ipv6.dst))
 			goto nla_put_failure;
-
 		if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_TX,
 			       !(info->key.tun_flags & TUNNEL_CSUM)))
 			goto nla_put_failure;
-
-		if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_RX,
-			       !geneve->use_udp6_rx_checksums))
-			goto nla_put_failure;
-	}
 #endif
+	}
 
 	if (nla_put_u8(skb, IFLA_GENEVE_TTL, info->key.ttl) ||
 	    nla_put_u8(skb, IFLA_GENEVE_TOS, info->key.tos) ||
@@ -1546,10 +1539,13 @@ static int geneve_fill_info(struct sk_bu
 	if (nla_put_be16(skb, IFLA_GENEVE_PORT, info->key.tp_dst))
 		goto nla_put_failure;
 
-	if (geneve->collect_md) {
-		if (nla_put_flag(skb, IFLA_GENEVE_COLLECT_METADATA))
+	if (metadata && nla_put_flag(skb, IFLA_GENEVE_COLLECT_METADATA))
 			goto nla_put_failure;
-	}
+
+	if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_RX,
+		       !geneve->use_udp6_rx_checksums))
+		goto nla_put_failure;
+
 	return 0;
 
 nla_put_failure:

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 135/164] bpf: fix lockdep splat
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 134/164] geneve: fix fill_info when link down Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 136/164] clk: stm32h7: fix test of clock config Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 89ad2fa3f043a1e8daae193bcb5fe34d5f8caf28 ]

pcpu_freelist_pop() needs the same lockdep awareness than
pcpu_freelist_populate() to avoid a false positive.

 [ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]

 switchto-defaul/12508 [HC0[0]:SC0[6]:HE0:SE0] is trying to acquire:
  (&htab->buckets[i].lock){......}, at: [<ffffffff9dc099cb>] __htab_percpu_map_update_elem+0x1cb/0x300

 and this task is already holding:
  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}, at: [<ffffffff9e135848>] __dev_queue_xmit+0
x868/0x1240
 which would create a new lock dependency:
  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...} -> (&htab->buckets[i].lock){......}

 but this new dependency connects a SOFTIRQ-irq-safe lock:
  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}
 ... which became SOFTIRQ-irq-safe at:
   [<ffffffff9db5931b>] __lock_acquire+0x42b/0x1f10
   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
   [<ffffffff9e135848>] __dev_queue_xmit+0x868/0x1240
   [<ffffffff9e136240>] dev_queue_xmit+0x10/0x20
   [<ffffffff9e1965d9>] ip_finish_output2+0x439/0x590
   [<ffffffff9e197410>] ip_finish_output+0x150/0x2f0
   [<ffffffff9e19886d>] ip_output+0x7d/0x260
   [<ffffffff9e19789e>] ip_local_out+0x5e/0xe0
   [<ffffffff9e197b25>] ip_queue_xmit+0x205/0x620
   [<ffffffff9e1b8398>] tcp_transmit_skb+0x5a8/0xcb0
   [<ffffffff9e1ba152>] tcp_write_xmit+0x242/0x1070
   [<ffffffff9e1baffc>] __tcp_push_pending_frames+0x3c/0xf0
   [<ffffffff9e1b3472>] tcp_rcv_established+0x312/0x700
   [<ffffffff9e1c1acc>] tcp_v4_do_rcv+0x11c/0x200
   [<ffffffff9e1c3dc2>] tcp_v4_rcv+0xaa2/0xc30
   [<ffffffff9e191107>] ip_local_deliver_finish+0xa7/0x240
   [<ffffffff9e191a36>] ip_local_deliver+0x66/0x200
   [<ffffffff9e19137d>] ip_rcv_finish+0xdd/0x560
   [<ffffffff9e191e65>] ip_rcv+0x295/0x510
   [<ffffffff9e12ff88>] __netif_receive_skb_core+0x988/0x1020
   [<ffffffff9e130641>] __netif_receive_skb+0x21/0x70
   [<ffffffff9e1306ff>] process_backlog+0x6f/0x230
   [<ffffffff9e132129>] net_rx_action+0x229/0x420
   [<ffffffff9da07ee8>] __do_softirq+0xd8/0x43d
   [<ffffffff9e282bcc>] do_softirq_own_stack+0x1c/0x30
   [<ffffffff9dafc2f5>] do_softirq+0x55/0x60
   [<ffffffff9dafc3a8>] __local_bh_enable_ip+0xa8/0xb0
   [<ffffffff9db4c727>] cpu_startup_entry+0x1c7/0x500
   [<ffffffff9daab333>] start_secondary+0x113/0x140

 to a SOFTIRQ-irq-unsafe lock:
  (&head->lock){+.+...}
 ... which became SOFTIRQ-irq-unsafe at:
 ...  [<ffffffff9db5971f>] __lock_acquire+0x82f/0x1f10
   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
   [<ffffffff9dc0b7fa>] pcpu_freelist_pop+0x7a/0xb0
   [<ffffffff9dc08b2c>] htab_map_alloc+0x50c/0x5f0
   [<ffffffff9dc00dc5>] SyS_bpf+0x265/0x1200
   [<ffffffff9e28195f>] entry_SYSCALL_64_fastpath+0x12/0x17

 other info that might help us debug this:

 Chain exists of:
   dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2 --> &htab->buckets[i].lock --> &head->lock

  Possible interrupt unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&head->lock);
                                local_irq_disable();
                                lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
                                lock(&htab->buckets[i].lock);
   <Interrupt>
     lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);

  *** DEADLOCK ***

Fixes: e19494edab82 ("bpf: introduce percpu_freelist")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/percpu_freelist.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/bpf/percpu_freelist.c
+++ b/kernel/bpf/percpu_freelist.c
@@ -78,8 +78,10 @@ struct pcpu_freelist_node *pcpu_freelist
 {
 	struct pcpu_freelist_head *head;
 	struct pcpu_freelist_node *node;
+	unsigned long flags;
 	int orig_cpu, cpu;
 
+	local_irq_save(flags);
 	orig_cpu = cpu = raw_smp_processor_id();
 	while (1) {
 		head = per_cpu_ptr(s->freelist, cpu);
@@ -87,14 +89,16 @@ struct pcpu_freelist_node *pcpu_freelist
 		node = head->first;
 		if (node) {
 			head->first = node->next;
-			raw_spin_unlock(&head->lock);
+			raw_spin_unlock_irqrestore(&head->lock, flags);
 			return node;
 		}
 		raw_spin_unlock(&head->lock);
 		cpu = cpumask_next(cpu, cpu_possible_mask);
 		if (cpu >= nr_cpu_ids)
 			cpu = 0;
-		if (cpu == orig_cpu)
+		if (cpu == orig_cpu) {
+			local_irq_restore(flags);
 			return NULL;
+		}
 	}
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 136/164] clk: stm32h7: fix test of clock config
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 135/164] bpf: fix lockdep splat Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 138/164] clk: qcom: common: fix legacy board-clock registration Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gabriel Fernandez, Stephen Boyd, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gabriel Fernandez <gabriel.fernandez@st.com>


[ Upstream commit c1ea839c41d049604a3f64ef72712d1c7c6639d0 ]

fix test of composite clock config (bad copy / past)

Signed-off-by: Gabriel Fernandez <gabriel.fernandez@st.com>
Fixes: 3e4d618b0722 ("clk: stm32h7: Add stm32h743 clock driver")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/clk-stm32h7.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/clk/clk-stm32h7.c
+++ b/drivers/clk/clk-stm32h7.c
@@ -384,7 +384,7 @@ static void get_cfg_composite_div(const
 	mux_ops = div_ops = gate_ops = NULL;
 	mux_hw = div_hw = gate_hw = NULL;
 
-	if (gcfg->mux && gcfg->mux) {
+	if (gcfg->mux && cfg->mux) {
 		mux = _get_cmux(base + cfg->mux->offset,
 				cfg->mux->shift,
 				cfg->mux->width,
@@ -410,7 +410,7 @@ static void get_cfg_composite_div(const
 		}
 	}
 
-	if (gcfg->gate && gcfg->gate) {
+	if (gcfg->gate && cfg->gate) {
 		gate = _get_cgate(base + cfg->gate->offset,
 				cfg->gate->bit_idx,
 				gcfg->gate->flags, lock);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 138/164] clk: qcom: common: fix legacy board-clock registration
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 136/164] clk: stm32h7: fix test of clock config Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 139/164] clk: uniphier: fix DAPLL2 clock rate of Pro5 Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Stephen Boyd, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>


[ Upstream commit 43a51019cc8ff1b1cd2ba72e86563beb40d356fc ]

Make sure to search only the child nodes of "/clocks", rather than the
whole device-tree depth-first starting at "/clocks" when determining
whether to register a fixed clock in the legacy board-clock registration
helper.

Fixes: ee15faffef11 ("clk: qcom: common: Add API to register board clocks backwards compatibly")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/qcom/common.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/clk/qcom/common.c
+++ b/drivers/clk/qcom/common.c
@@ -143,8 +143,10 @@ static int _qcom_cc_register_board_clk(s
 	int ret;
 
 	clocks_node = of_find_node_by_path("/clocks");
-	if (clocks_node)
-		node = of_find_node_by_name(clocks_node, path);
+	if (clocks_node) {
+		node = of_get_child_by_name(clocks_node, path);
+		of_node_put(clocks_node);
+	}
 
 	if (!node) {
 		fixed = devm_kzalloc(dev, sizeof(*fixed), GFP_KERNEL);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 139/164] clk: uniphier: fix DAPLL2 clock rate of Pro5
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 138/164] clk: qcom: common: fix legacy board-clock registration Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 140/164] clk: hi3660: fix incorrect uart3 clock freqency Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Stephen Boyd, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit 67affb78a4e4feb837953e3434c8402a5c3b272f ]

The parent of DAPLL2 should be DAPLL1.  Fix the clock connection.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/uniphier/clk-uniphier-sys.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/uniphier/clk-uniphier-sys.c
+++ b/drivers/clk/uniphier/clk-uniphier-sys.c
@@ -123,7 +123,7 @@ const struct uniphier_clk_data uniphier_
 const struct uniphier_clk_data uniphier_pro5_sys_clk_data[] = {
 	UNIPHIER_CLK_FACTOR("spll", -1, "ref", 120, 1),		/* 2400 MHz */
 	UNIPHIER_CLK_FACTOR("dapll1", -1, "ref", 128, 1),	/* 2560 MHz */
-	UNIPHIER_CLK_FACTOR("dapll2", -1, "ref", 144, 125),	/* 2949.12 MHz */
+	UNIPHIER_CLK_FACTOR("dapll2", -1, "dapll1", 144, 125),	/* 2949.12 MHz */
 	UNIPHIER_CLK_FACTOR("uart", 0, "dapll2", 1, 40),
 	UNIPHIER_CLK_FACTOR("i2c", 1, "spll", 1, 48),
 	UNIPHIER_PRO5_SYS_CLK_NAND(2),

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 140/164] clk: hi3660: fix incorrect uart3 clock freqency
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 139/164] clk: uniphier: fix DAPLL2 clock rate of Pro5 Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 141/164] mailbox: mailbox-test: dont rely on rx_buffer content to signal data ready Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhong Kaihua, Guodong Xu,
	Stephen Boyd, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhong Kaihua <zhongkaihua@huawei.com>


[ Upstream commit d33fb1b9f0fcb67f2b9f8b1891465a088a9480f8 ]

UART3 clock rate is doubled in previous commit.

This error is not detected until recently a mezzanine board which makes
real use of uart3 port (through LS connector of 96boards) was setup
and tested on hi3660-hikey960 board.

This patch changes clock source rate of clk_factor_uart3 to 100000000.

Signed-off-by: Zhong Kaihua <zhongkaihua@huawei.com>
Signed-off-by: Guodong Xu <guodong.xu@linaro.org>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/hisilicon/clk-hi3660.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/hisilicon/clk-hi3660.c
+++ b/drivers/clk/hisilicon/clk-hi3660.c
@@ -34,7 +34,7 @@ static const struct hisi_fixed_rate_cloc
 
 /* crgctrl */
 static const struct hisi_fixed_factor_clock hi3660_crg_fixed_factor_clks[] = {
-	{ HI3660_FACTOR_UART3, "clk_factor_uart3", "iomcu_peri0", 1, 8, 0, },
+	{ HI3660_FACTOR_UART3, "clk_factor_uart3", "iomcu_peri0", 1, 16, 0, },
 	{ HI3660_CLK_FACTOR_MMC, "clk_factor_mmc", "clkin_sys", 1, 6, 0, },
 	{ HI3660_CLK_GATE_I2C0, "clk_gate_i2c0", "clk_i2c0_iomcu", 1, 4, 0, },
 	{ HI3660_CLK_GATE_I2C1, "clk_gate_i2c1", "clk_i2c1_iomcu", 1, 4, 0, },

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 141/164] mailbox: mailbox-test: dont rely on rx_buffer content to signal data ready
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 140/164] clk: hi3660: fix incorrect uart3 clock freqency Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 142/164] kbuild: rpm-pkg: fix jobserver unavailable warning Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sudeep Holla, Jassi Brar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sudeep Holla <sudeep.holla@arm.com>


[ Upstream commit e339c80af95e14de3712d69ddea09a3868fa14cd ]

Currently we rely on the first byte of the Rx buffer to check if there's
any data available to be read. If the first byte of the received buffer
is zero (i.e. null character), then we fail to signal that data is
available even when it's available.

Instead introduce a boolean variable to track the data availability and
update it in the channel receive callback as ready and clear it when the
data is read.

Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mailbox/mailbox-test.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/mailbox/mailbox-test.c
+++ b/drivers/mailbox/mailbox-test.c
@@ -30,6 +30,7 @@
 #define MBOX_HEXDUMP_MAX_LEN	(MBOX_HEXDUMP_LINE_LEN *		\
 				 (MBOX_MAX_MSG_LEN / MBOX_BYTES_PER_LINE))
 
+static bool mbox_data_ready;
 static struct dentry *root_debugfs_dir;
 
 struct mbox_test_device {
@@ -152,16 +153,14 @@ out:
 
 static bool mbox_test_message_data_ready(struct mbox_test_device *tdev)
 {
-	unsigned char data;
+	bool data_ready;
 	unsigned long flags;
 
 	spin_lock_irqsave(&tdev->lock, flags);
-	data = tdev->rx_buffer[0];
+	data_ready = mbox_data_ready;
 	spin_unlock_irqrestore(&tdev->lock, flags);
 
-	if (data != '\0')
-		return true;
-	return false;
+	return data_ready;
 }
 
 static ssize_t mbox_test_message_read(struct file *filp, char __user *userbuf,
@@ -223,6 +222,7 @@ static ssize_t mbox_test_message_read(st
 	*(touser + l) = '\0';
 
 	memset(tdev->rx_buffer, 0, MBOX_MAX_MSG_LEN);
+	mbox_data_ready = false;
 
 	spin_unlock_irqrestore(&tdev->lock, flags);
 
@@ -292,6 +292,7 @@ static void mbox_test_receive_message(st
 				     message, MBOX_MAX_MSG_LEN);
 		memcpy(tdev->rx_buffer, message, MBOX_MAX_MSG_LEN);
 	}
+	mbox_data_ready = true;
 	spin_unlock_irqrestore(&tdev->lock, flags);
 
 	wake_up_interruptible(&tdev->waitq);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 142/164] kbuild: rpm-pkg: fix jobserver unavailable warning
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 141/164] mailbox: mailbox-test: dont rely on rx_buffer content to signal data ready Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 143/164] atm: horizon: Fix irq release error Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit 606625be47bc87b6fab0af10cd57aaa675cb9e42 ]

If "make rpm-pkg" or "make binrpm-pkg" is run with -j[jobs] option,
the following warning message is displayed.

  warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.

Follow the suggestion.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/package/Makefile |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/scripts/package/Makefile
+++ b/scripts/package/Makefile
@@ -49,7 +49,7 @@ rpm-pkg rpm: FORCE
 	$(MAKE) clean
 	$(CONFIG_SHELL) $(MKSPEC) >$(objtree)/kernel.spec
 	$(call cmd,src_tar,$(KERNELPATH),kernel.spec)
-	rpmbuild $(RPMOPTS) --target $(UTS_MACHINE) -ta $(KERNELPATH).tar.gz
+	+rpmbuild $(RPMOPTS) --target $(UTS_MACHINE) -ta $(KERNELPATH).tar.gz
 	rm $(KERNELPATH).tar.gz kernel.spec
 
 # binrpm-pkg
@@ -57,7 +57,7 @@ rpm-pkg rpm: FORCE
 binrpm-pkg: FORCE
 	$(MAKE) KBUILD_SRC=
 	$(CONFIG_SHELL) $(MKSPEC) prebuilt > $(objtree)/binkernel.spec
-	rpmbuild $(RPMOPTS) --define "_builddir $(objtree)" --target \
+	+rpmbuild $(RPMOPTS) --define "_builddir $(objtree)" --target \
 		$(UTS_MACHINE) -bb $(objtree)/binkernel.spec
 	rm binkernel.spec
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 143/164] atm: horizon: Fix irq release error
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 142/164] kbuild: rpm-pkg: fix jobserver unavailable warning Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 144/164] jump_label: Invoke jump_label_test() via early_initcall() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arvind Yadav, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arvind Yadav <arvind.yadav.cs@gmail.com>


[ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ]

atm_dev_register() can fail here and passed parameters to free irq
which is not initialised. Initialization of 'dev->irq' happened after
the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
free_irq().

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/atm/horizon.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/atm/horizon.c
+++ b/drivers/atm/horizon.c
@@ -2803,7 +2803,7 @@ out:
 	return err;
 
 out_free_irq:
-	free_irq(dev->irq, dev);
+	free_irq(irq, dev);
 out_free:
 	kfree(dev);
 out_release:

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 144/164] jump_label: Invoke jump_label_test() via early_initcall()
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 143/164] atm: horizon: Fix irq release error Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 145/164] tls: Use kzalloc for aead_request allocation Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fengguang Wu, Jason Baron,
	Paul E. McKenney, Linus Torvalds, Peter Zijlstra, Steven Rostedt,
	Thomas Gleixner, Ingo Molnar, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Baron <jbaron@akamai.com>


[ Upstream commit 92ee46efeb505ead3ab06d3c5ce695637ed5f152 ]

Fengguang Wu reported that running the rcuperf test during boot can cause
the jump_label_test() to hit a WARN_ON(). The issue is that the core jump
label code relies on kernel_text_address() to detect when it can no longer
update branches that may be contained in __init sections. The
kernel_text_address() in turn assumes that if the system_state variable is
greter than or equal to SYSTEM_RUNNING then __init sections are no longer
valid (since the assumption is that they have been freed). However, when
rcuperf is setup to run in early boot it can call kernel_power_off() which
sets the system_state to SYSTEM_POWER_OFF.

Since rcuperf initialization is invoked via a module_init(), we can make
the dependency of jump_label_test() needing to complete before rcuperf
explicit by calling it via early_initcall().

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jason Baron <jbaron@akamai.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1510609727-2238-1-git-send-email-jbaron@akamai.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/jump_label.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -769,7 +769,7 @@ static __init int jump_label_test(void)
 
 	return 0;
 }
-late_initcall(jump_label_test);
+early_initcall(jump_label_test);
 #endif /* STATIC_KEYS_SELFTEST */
 
 #endif /* HAVE_JUMP_LABEL */

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 145/164] tls: Use kzalloc for aead_request allocation
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 144/164] jump_label: Invoke jump_label_test() via early_initcall() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 146/164] xfrm: Copy policy family in clone_policy Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilya Lesokhin, David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Lesokhin <ilyal@mellanox.com>


[ Upstream commit 61ef6da622aa7b66bf92991bd272490eea6c712e ]

Use kzalloc for aead_request allocation as
we don't set all the bits in the request.

Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tls/tls_sw.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -219,7 +219,7 @@ static int tls_do_encryption(struct tls_
 	struct aead_request *aead_req;
 	int rc;
 
-	aead_req = kmalloc(req_size, flags);
+	aead_req = kzalloc(req_size, flags);
 	if (!aead_req)
 		return -ENOMEM;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 146/164] xfrm: Copy policy family in clone_policy
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 145/164] tls: Use kzalloc for aead_request allocation Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 147/164] f2fs: fix to clear FI_NO_PREALLOC Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Herbert Xu, Steffen Klassert,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>


[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]

The syzbot found an ancient bug in the IPsec code.  When we cloned
a socket policy (for example, for a child TCP socket derived from a
listening socket), we did not copy the family field.  This results
in a live policy with a zero family field.  This triggers a BUG_ON
check in the af_key code when the cloned policy is retrieved.

This patch fixes it by copying the family field over.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_policy.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1306,6 +1306,7 @@ static struct xfrm_policy *clone_policy(
 		newp->xfrm_nr = old->xfrm_nr;
 		newp->index = old->index;
 		newp->type = old->type;
+		newp->family = old->family;
 		memcpy(newp->xfrm_vec, old->xfrm_vec,
 		       newp->xfrm_nr*sizeof(struct xfrm_tmpl));
 		spin_lock_bh(&net->xfrm.xfrm_policy_lock);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 147/164] f2fs: fix to clear FI_NO_PREALLOC
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 146/164] xfrm: Copy policy family in clone_policy Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 148/164] bnxt_re: changing the ip address shouldnt affect new connections Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chao Yu <yuchao0@huawei.com>


[ Upstream commit 28cfafb73853f0494b06649716687a3ea07681d5 ]

We need to clear FI_NO_PREALLOC flag in error path of f2fs_file_write_iter,
otherwise we will lose the chance to preallocate blocks in latter write()
at one time.

Fixes: dc91de78e5e1 ("f2fs: do not preallocate blocks which has wrong buffer")
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/file.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2697,6 +2697,7 @@ static ssize_t f2fs_file_write_iter(stru
 
 		err = f2fs_preallocate_blocks(iocb, from);
 		if (err) {
+			clear_inode_flag(inode, FI_NO_PREALLOC);
 			inode_unlock(inode);
 			return err;
 		}

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 148/164] bnxt_re: changing the ip address shouldnt affect new connections
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 147/164] f2fs: fix to clear FI_NO_PREALLOC Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 149/164] IB/mlx4: Increase maximal message size under UD QP Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sriharsha Basavapatna, Doug Ledford,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>


[ Upstream commit 063fb5bd1a01937094f40169a20e4aa5ca030db1 ]

While adding a new gid, the driver currently does not return the context
back to the stack. A subsequent del_gid() (e.g, when ip address is changed)
doesn't find the right context in the driver and it ends up dropping that
request. This results in the HW caching a stale gid entry and traffic fails
because of that. Fix by returning the proper context in bnxt_re_add_gid().

Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/bnxt_re/ib_verbs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
@@ -394,6 +394,7 @@ int bnxt_re_add_gid(struct ib_device *ib
 	ctx->idx = tbl_idx;
 	ctx->refcnt = 1;
 	ctx_tbl[tbl_idx] = ctx;
+	*context = ctx;
 
 	return rc;
 }

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 149/164] IB/mlx4: Increase maximal message size under UD QP
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 148/164] bnxt_re: changing the ip address shouldnt affect new connections Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 150/164] IB/mlx5: Assign send CQ and recv CQ of UMR QP Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Bloch, Majd Dibbiny,
	Leon Romanovsky, Doug Ledford, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Bloch <markb@mellanox.com>


[ Upstream commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca ]

Maximal message should be used as a limit to the max message payload allowed,
without the headers. The ConnectX-3 check is done against this value includes
the headers. When the payload is 4K this will cause the NIC to drop packets.

Increase maximal message to 8K as workaround, this shouldn't change current
behaviour because we continue to set the MTU to 4k.

To reproduce;
set MTU to 4296 on the corresponding interface, for example:
ifconfig eth0 mtu 4296 (both server and client)

On server:
ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096

On client:
ib_send_bw -d mlx4_0 -c UD <server_ip> -s 4096 -n 1000000 -i 1 -m 4096

Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Reviewed-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx4/qp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -2216,7 +2216,7 @@ static int __mlx4_ib_modify_qp(void *src
 			context->mtu_msgmax = (IB_MTU_4096 << 5) |
 					      ilog2(dev->dev->caps.max_gso_sz);
 		else
-			context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
+			context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
 	} else if (attr_mask & IB_QP_PATH_MTU) {
 		if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) {
 			pr_err("path MTU (%u) is invalid\n",

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 150/164] IB/mlx5: Assign send CQ and recv CQ of UMR QP
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 149/164] IB/mlx4: Increase maximal message size under UD QP Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 151/164] afs: Fix total-length calculation for multiple-page send Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Majd Dibbiny, Yishai Hadas,
	Leon Romanovsky, Doug Ledford, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Majd Dibbiny <majd@mellanox.com>


[ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ]

The UMR's QP is created by calling mlx5_ib_create_qp directly, and
therefore the send CQ and the recv CQ on the ibqp weren't assigned.

Assign them right after calling the mlx5_ib_create_qp to assure
that any access to those pointers will work as expected and won't
crash the system as might happen as part of reset flow.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Majd Dibbiny <majd@mellanox.com>
Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -3097,6 +3097,8 @@ static int create_umr_res(struct mlx5_ib
 	qp->real_qp    = qp;
 	qp->uobject    = NULL;
 	qp->qp_type    = MLX5_IB_QPT_REG_UMR;
+	qp->send_cq    = init_attr->send_cq;
+	qp->recv_cq    = init_attr->recv_cq;
 
 	attr->qp_state = IB_QPS_INIT;
 	attr->port_num = 1;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 151/164] afs: Fix total-length calculation for multiple-page send
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 150/164] IB/mlx5: Assign send CQ and recv CQ of UMR QP Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 152/164] afs: Connect up the CB.ProbeUuid Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>


[ Upstream commit 1199db603511d7463d9d3840f96f61967affc766 ]

Fix the total-length calculation in afs_make_call() when the operation
being dispatched has data from a series of pages attached.

Despite the patched code looking like that it should reduce mathematically
to the current code, it doesn't because the 32-bit unsigned arithmetic
being used to calculate the page-offset-difference doesn't correctly extend
to a 64-bit value when the result is effectively negative.

Without this, some FS.StoreData operations that span multiple pages fail,
reporting too little or too much data.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/afs/rxrpc.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -377,8 +377,17 @@ int afs_make_call(struct in_addr *addr,
 	 */
 	tx_total_len = call->request_size;
 	if (call->send_pages) {
-		tx_total_len += call->last_to - call->first_offset;
-		tx_total_len += (call->last - call->first) * PAGE_SIZE;
+		if (call->last == call->first) {
+			tx_total_len += call->last_to - call->first_offset;
+		} else {
+			/* It looks mathematically like you should be able to
+			 * combine the following lines with the ones above, but
+			 * unsigned arithmetic is fun when it wraps...
+			 */
+			tx_total_len += PAGE_SIZE - call->first_offset;
+			tx_total_len += call->last_to;
+			tx_total_len += (call->last - call->first - 1) * PAGE_SIZE;
+		}
 	}
 
 	/* create a call */

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 152/164] afs: Connect up the CB.ProbeUuid
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 151/164] afs: Fix total-length calculation for multiple-page send Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 153/164] kbuild: do not call cc-option before KBUILD_CFLAGS initialization Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>


[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]

The handler for the CB.ProbeUuid operation in the cache manager is
implemented, but isn't listed in the switch-statement of operation
selection, so won't be used.  Fix this by adding it.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/afs/cmservice.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -127,6 +127,9 @@ bool afs_cm_incoming_call(struct afs_cal
 	case CBProbe:
 		call->type = &afs_SRXCBProbe;
 		return true;
+	case CBProbeUuid:
+		call->type = &afs_SRXCBProbeUuid;
+		return true;
 	case CBTellMeAboutYourself:
 		call->type = &afs_SRXCBTellMeAboutYourself;
 		return true;

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 153/164] kbuild: do not call cc-option before KBUILD_CFLAGS initialization
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 152/164] afs: Connect up the CB.ProbeUuid Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 154/164] powerpc/powernv/idle: Round up latency and residency values Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Douglas Anderson,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit 433dc2ebe7d17dd21cba7ad5c362d37323592236 ]

Some $(call cc-option,...) are invoked very early, even before
KBUILD_CFLAGS, etc. are initialized.

The returned string from $(call cc-option,...) depends on
KBUILD_CPPFLAGS, KBUILD_CFLAGS, and GCC_PLUGINS_CFLAGS.

Since they are exported, they are not empty when the top Makefile
is recursively invoked.

The recursion occurs in several places.  For example, the top
Makefile invokes itself for silentoldconfig.  "make tinyconfig",
"make rpm-pkg" are the cases, too.

In those cases, the second call of cc-option from the same line
runs a different shell command due to non-pristine KBUILD_CFLAGS.

To get the same result all the time, KBUILD_* and GCC_PLUGINS_CFLAGS
must be initialized before any call of cc-option.  This avoids
garbage data in the .cache.mk file.

Move all calls of cc-option below the config targets because target
compiler flags are unnecessary for Kconfig.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Makefile |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/Makefile
+++ b/Makefile
@@ -373,9 +373,6 @@ LDFLAGS_MODULE  =
 CFLAGS_KERNEL	=
 AFLAGS_KERNEL	=
 LDFLAGS_vmlinux =
-CFLAGS_GCOV	:= -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
-CFLAGS_KCOV	:= $(call cc-option,-fsanitize-coverage=trace-pc,)
-
 
 # Use USERINCLUDE when you must reference the UAPI directories only.
 USERINCLUDE    := \
@@ -394,21 +391,19 @@ LINUXINCLUDE    := \
 		-I$(objtree)/include \
 		$(USERINCLUDE)
 
-KBUILD_CPPFLAGS := -D__KERNEL__
-
+KBUILD_AFLAGS   := -D__ASSEMBLY__
 KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 		   -fno-strict-aliasing -fno-common -fshort-wchar \
 		   -Werror-implicit-function-declaration \
 		   -Wno-format-security \
-		   -std=gnu89 $(call cc-option,-fno-PIE)
-
-
+		   -std=gnu89
+KBUILD_CPPFLAGS := -D__KERNEL__
 KBUILD_AFLAGS_KERNEL :=
 KBUILD_CFLAGS_KERNEL :=
-KBUILD_AFLAGS   := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
 KBUILD_AFLAGS_MODULE  := -DMODULE
 KBUILD_CFLAGS_MODULE  := -DMODULE
 KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
+GCC_PLUGINS_CFLAGS :=
 
 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
 KERNELRELEASE = $(shell cat include/config/kernel.release 2> /dev/null)
@@ -421,7 +416,7 @@ export MAKE AWK GENKSYMS INSTALLKERNEL P
 export HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
 
 export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
-export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV CFLAGS_KCOV CFLAGS_KASAN CFLAGS_UBSAN
+export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_KASAN CFLAGS_UBSAN
 export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
 export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE
 export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL
@@ -622,6 +617,12 @@ endif
 # Defaults to vmlinux, but the arch makefile usually adds further targets
 all: vmlinux
 
+KBUILD_CFLAGS	+= $(call cc-option,-fno-PIE)
+KBUILD_AFLAGS	+= $(call cc-option,-fno-PIE)
+CFLAGS_GCOV	:= -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+CFLAGS_KCOV	:= $(call cc-option,-fsanitize-coverage=trace-pc,)
+export CFLAGS_GCOV CFLAGS_KCOV
+
 # The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
 # values of the respective KBUILD_* variables
 ARCH_CPPFLAGS :=

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 154/164] powerpc/powernv/idle: Round up latency and residency values
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 153/164] kbuild: do not call cc-option before KBUILD_CFLAGS initialization Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 155/164] ipvlan: fix ipv6 outbound device Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anton Blanchard,
	Vaidyanathan Srinivasan, Gautham R. Shenoy, Michael Ellerman,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>


[ Upstream commit 8d4e10e9ed9450e18fbbf6a8872be0eac9fd4999 ]

On PowerNV platforms, firmware provides exit latency and
target residency for each of the idle states in nano
seconds.  Cpuidle framework expects the values in micro
seconds.  Round up to nearest micro seconds to avoid errors
in cases where the values are defined as fractional micro
seconds.

Default idle state of 'snooze' has exit latency of zero.  If
other states have fractional micro second exit latency, they
would get rounded down to zero micro second and make cpuidle
framework choose deeper idle state when snooze loop is the
right choice.

Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpuidle/cpuidle-powernv.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/cpuidle/cpuidle-powernv.c
+++ b/drivers/cpuidle/cpuidle-powernv.c
@@ -384,9 +384,9 @@ static int powernv_add_idle_states(void)
 		 * Firmware passes residency and latency values in ns.
 		 * cpuidle expects it in us.
 		 */
-		exit_latency = latency_ns[i] / 1000;
+		exit_latency = DIV_ROUND_UP(latency_ns[i], 1000);
 		if (!rc)
-			target_residency = residency_ns[i] / 1000;
+			target_residency = DIV_ROUND_UP(residency_ns[i], 1000);
 		else
 			target_residency = 0;
 

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 155/164] ipvlan: fix ipv6 outbound device
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 154/164] powerpc/powernv/idle: Round up latency and residency values Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 156/164] ide: ide-atapi: fix compile error with defining macro DEBUG Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keefe Liu, Mahesh Bandewar,
	David S. Miller, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keefe Liu <liuqifa@huawei.com>


[ Upstream commit ca29fd7cce5a6444d57fb86517589a1a31c759e1 ]

When process the outbound packet of ipv6, we should assign the master
device to output device other than input device.

Signed-off-by: Keefe Liu <liuqifa@huawei.com>
Acked-by: Mahesh Bandewar <maheshb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ipvlan/ipvlan_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -409,7 +409,7 @@ static int ipvlan_process_v6_outbound(st
 	struct dst_entry *dst;
 	int err, ret = NET_XMIT_DROP;
 	struct flowi6 fl6 = {
-		.flowi6_iif = dev->ifindex,
+		.flowi6_oif = dev->ifindex,
 		.daddr = ip6h->daddr,
 		.saddr = ip6h->saddr,
 		.flowi6_flags = FLOWI_FLAG_ANYSRC,

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 156/164] ide: ide-atapi: fix compile error with defining macro DEBUG
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 155/164] ipvlan: fix ipv6 outbound device Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 157/164] blk-mq: Avoid that request queue removal can trigger list corruption Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hongxu Jia, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongxu Jia <hongxu.jia@windriver.com>


[ Upstream commit 8dc7a31fbce5e2dbbacd83d910da37105181b054 ]

Compile ide-atapi failed with defining macro "DEBUG"
...
|drivers/ide/ide-atapi.c:285:52: error: 'struct request' has
no member named 'cmd'; did you mean 'csd'?
|  debug_log("%s: rq->cmd[0]: 0x%x\n", __func__, rq->cmd[0]);
...

Since we split the scsi_request out of struct request, it missed
do the same thing on debug_log

Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/ide/ide-atapi.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/ide/ide-atapi.c
+++ b/drivers/ide/ide-atapi.c
@@ -282,7 +282,7 @@ int ide_cd_expiry(ide_drive_t *drive)
 	struct request *rq = drive->hwif->rq;
 	unsigned long wait = 0;
 
-	debug_log("%s: rq->cmd[0]: 0x%x\n", __func__, rq->cmd[0]);
+	debug_log("%s: scsi_req(rq)->cmd[0]: 0x%x\n", __func__, scsi_req(rq)->cmd[0]);
 
 	/*
 	 * Some commands are *slow* and normally take a long time to complete.
@@ -463,7 +463,7 @@ static ide_startstop_t ide_pc_intr(ide_d
 				return ide_do_reset(drive);
 			}
 
-			debug_log("[cmd %x]: check condition\n", rq->cmd[0]);
+			debug_log("[cmd %x]: check condition\n", scsi_req(rq)->cmd[0]);
 
 			/* Retry operation */
 			ide_retry_pc(drive);
@@ -531,7 +531,7 @@ static ide_startstop_t ide_pc_intr(ide_d
 		ide_pad_transfer(drive, write, bcount);
 
 	debug_log("[cmd %x] transferred %d bytes, padded %d bytes, resid: %u\n",
-		  rq->cmd[0], done, bcount, scsi_req(rq)->resid_len);
+		  scsi_req(rq)->cmd[0], done, bcount, scsi_req(rq)->resid_len);
 
 	/* And set the interrupt handler again */
 	ide_set_handler(drive, ide_pc_intr, timeout);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 157/164] blk-mq: Avoid that request queue removal can trigger list corruption
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 156/164] ide: ide-atapi: fix compile error with defining macro DEBUG Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 158/164] nvmet-rdma: update queue list during ib_device removal Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Christoph Hellwig,
	Hannes Reinecke, Johannes Thumshirn, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@wdc.com>


[ Upstream commit aba7afc5671c23beade64d10caf86e24a9105dab ]

Avoid that removal of a request queue sporadically triggers the
following warning:

list_del corruption. next->prev should be ffff8807d649b970, but was 6b6b6b6b6b6b6b6b
WARNING: CPU: 3 PID: 342 at lib/list_debug.c:56 __list_del_entry_valid+0x92/0xa0
Call Trace:
 process_one_work+0x11b/0x660
 worker_thread+0x3d/0x3b0
 kthread+0x129/0x140
 ret_from_fork+0x27/0x40

Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -339,6 +339,7 @@ void blk_sync_queue(struct request_queue
 		struct blk_mq_hw_ctx *hctx;
 		int i;
 
+		cancel_delayed_work_sync(&q->requeue_work);
 		queue_for_each_hw_ctx(q, hctx, i)
 			cancel_delayed_work_sync(&hctx->run_work);
 	} else {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 158/164] nvmet-rdma: update queue list during ib_device removal
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 157/164] blk-mq: Avoid that request queue removal can trigger list corruption Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 159/164] audit: Allow auditd to set pid to 0 to end auditing Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Israel Rukshin, Max Gurtovoy,
	Sagi Grimberg, Christoph Hellwig, Jens Axboe, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Israel Rukshin <israelr@mellanox.com>


[ Upstream commit 43b92fd27aaef0f529c9321cfebbaec1d7b8f503 ]

A NULL deref happens when nvmet_rdma_remove_one() is called more than once
(e.g. while connected via 2 ports).
The first call frees the queues related to the first ib_device but
doesn't remove them from the queue list.
While calling nvmet_rdma_remove_one() for the second ib_device it goes over
the full queue list again and we get the NULL deref.

Fixes: f1d4ef7d ("nvmet-rdma: register ib_client to not deadlock in device removal")
Signed-off-by: Israel Rukshin <israelr@mellanox.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Sagi Grimberg <sagi@grmberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/target/rdma.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -1512,15 +1512,17 @@ static struct nvmet_fabrics_ops nvmet_rd
 
 static void nvmet_rdma_remove_one(struct ib_device *ib_device, void *client_data)
 {
-	struct nvmet_rdma_queue *queue;
+	struct nvmet_rdma_queue *queue, *tmp;
 
 	/* Device is being removed, delete all queues using this device */
 	mutex_lock(&nvmet_rdma_queue_mutex);
-	list_for_each_entry(queue, &nvmet_rdma_queue_list, queue_list) {
+	list_for_each_entry_safe(queue, tmp, &nvmet_rdma_queue_list,
+				 queue_list) {
 		if (queue->dev->device != ib_device)
 			continue;
 
 		pr_info("Removing queue %d\n", queue->idx);
+		list_del_init(&queue->queue_list);
 		__nvmet_rdma_queue_disconnect(queue);
 	}
 	mutex_unlock(&nvmet_rdma_queue_mutex);

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 159/164] audit: Allow auditd to set pid to 0 to end auditing
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 158/164] nvmet-rdma: update queue list during ib_device removal Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 160/164] audit: ensure that audit=1 actually enables audit for PID 1 Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Guy Briggs, Steve Grubb,
	Paul Moore, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve Grubb <sgrubb@redhat.com>


[ Upstream commit 33e8a907804428109ce1d12301c3365d619cc4df ]

The API to end auditing has historically been for auditd to set the
pid to 0. This patch restores that functionality.

See: https://github.com/linux-audit/audit-kernel/issues/69

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/audit.c |   29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_b
 			pid_t auditd_pid;
 			struct pid *req_pid = task_tgid(current);
 
-			/* sanity check - PID values must match */
-			if (new_pid != pid_vnr(req_pid))
+			/* Sanity check - PID values must match. Setting
+			 * pid to 0 is how auditd ends auditing. */
+			if (new_pid && (new_pid != pid_vnr(req_pid)))
 				return -EINVAL;
 
 			/* test the auditd connection */
 			audit_replace(req_pid);
 
 			auditd_pid = auditd_pid_vnr();
-			/* only the current auditd can unregister itself */
-			if ((!new_pid) && (new_pid != auditd_pid)) {
-				audit_log_config_change("audit_pid", new_pid,
-							auditd_pid, 0);
-				return -EACCES;
-			}
-			/* replacing a healthy auditd is not allowed */
-			if (auditd_pid && new_pid) {
-				audit_log_config_change("audit_pid", new_pid,
-							auditd_pid, 0);
-				return -EEXIST;
+			if (auditd_pid) {
+				/* replacing a healthy auditd is not allowed */
+				if (new_pid) {
+					audit_log_config_change("audit_pid",
+							new_pid, auditd_pid, 0);
+					return -EEXIST;
+				}
+				/* only current auditd can unregister itself */
+				if (pid_vnr(req_pid) != auditd_pid) {
+					audit_log_config_change("audit_pid",
+							new_pid, auditd_pid, 0);
+					return -EACCES;
+				}
 			}
 
 			if (new_pid) {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 160/164] audit: ensure that audit=1 actually enables audit for PID 1
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 159/164] audit: Allow auditd to set pid to 0 to end auditing Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 161/164] dm raid: fix panic when attempting to force a raid to sync Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Guy Briggs, Paul Moore, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Moore <paul@paul-moore.com>


[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]

Prior to this patch we enabled audit in audit_init(), which is too
late for PID 1 as the standard initcalls are run after the PID 1 task
is forked.  This means that we never allocate an audit_context (see
audit_alloc()) for PID 1 and therefore miss a lot of audit events
generated by PID 1.

This patch enables audit as early as possible to help ensure that when
PID 1 is forked it can allocate an audit_context if required.

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/audit.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -85,13 +85,13 @@ static int	audit_initialized;
 #define AUDIT_OFF	0
 #define AUDIT_ON	1
 #define AUDIT_LOCKED	2
-u32		audit_enabled;
-u32		audit_ever_enabled;
+u32		audit_enabled = AUDIT_OFF;
+u32		audit_ever_enabled = !!AUDIT_OFF;
 
 EXPORT_SYMBOL_GPL(audit_enabled);
 
 /* Default state when kernel boots without any parameters. */
-static u32	audit_default;
+static u32	audit_default = AUDIT_OFF;
 
 /* If auditing cannot proceed, audit_failure selects what happens. */
 static u32	audit_failure = AUDIT_FAIL_PRINTK;
@@ -1552,8 +1552,6 @@ static int __init audit_init(void)
 	register_pernet_subsys(&audit_net_ops);
 
 	audit_initialized = AUDIT_INITIALIZED;
-	audit_enabled = audit_default;
-	audit_ever_enabled |= !!audit_default;
 
 	kauditd_task = kthread_run(kauditd_thread, NULL, "kauditd");
 	if (IS_ERR(kauditd_task)) {
@@ -1575,6 +1573,8 @@ static int __init audit_enable(char *str
 	audit_default = !!simple_strtol(str, NULL, 0);
 	if (!audit_default)
 		audit_initialized = AUDIT_DISABLED;
+	audit_enabled = audit_default;
+	audit_ever_enabled = !!audit_enabled;
 
 	pr_info("%s\n", audit_default ?
 		"enabled (after initialization)" : "disabled (until reboot)");

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 161/164] dm raid: fix panic when attempting to force a raid to sync
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 160/164] audit: ensure that audit=1 actually enables audit for PID 1 Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 162/164] md: free unused memory after bitmap resize Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heinz Mauelshagen, Mike Snitzer, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heinz Mauelshagen <heinzm@redhat.com>


[ Upstream commit 233978449074ca7e45d9c959f9ec612d1b852893 ]

Requesting a sync on an active raid device via a table reload
(see 'sync' parameter in Documentation/device-mapper/dm-raid.txt)
skips the super_load() call that defines the superblock size
(rdev->sb_size) -- resulting in an oops if/when super_sync()->memset()
is called.

Fix by moving the initialization of the superblock start and size
out of super_load() to the caller (analyse_superblocks).

Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/dm-raid.c |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -2143,13 +2143,6 @@ static int super_load(struct md_rdev *rd
 	struct dm_raid_superblock *refsb;
 	uint64_t events_sb, events_refsb;
 
-	rdev->sb_start = 0;
-	rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
-	if (rdev->sb_size < sizeof(*sb) || rdev->sb_size > PAGE_SIZE) {
-		DMERR("superblock size of a logical block is no longer valid");
-		return -EINVAL;
-	}
-
 	r = read_disk_sb(rdev, rdev->sb_size, false);
 	if (r)
 		return r;
@@ -2494,6 +2487,17 @@ static int analyse_superblocks(struct dm
 		if (test_bit(Journal, &rdev->flags))
 			continue;
 
+		if (!rdev->meta_bdev)
+			continue;
+
+		/* Set superblock offset/size for metadata device. */
+		rdev->sb_start = 0;
+		rdev->sb_size = bdev_logical_block_size(rdev->meta_bdev);
+		if (rdev->sb_size < sizeof(struct dm_raid_superblock) || rdev->sb_size > PAGE_SIZE) {
+			DMERR("superblock size of a logical block is no longer valid");
+			return -EINVAL;
+		}
+
 		/*
 		 * Skipping super_load due to CTR_FLAG_SYNC will cause
 		 * the array to undergo initialization again as
@@ -2506,9 +2510,6 @@ static int analyse_superblocks(struct dm
 		if (test_bit(__CTR_FLAG_SYNC, &rs->ctr_flags))
 			continue;
 
-		if (!rdev->meta_bdev)
-			continue;
-
 		r = super_load(rdev, freshest);
 
 		switch (r) {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 162/164] md: free unused memory after bitmap resize
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 161/164] dm raid: fix panic when attempting to force a raid to sync Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 163/164] RDMA/cxgb4: Annotate r2 and stag as __be32 Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zdenek Kabelac, Shaohua Li, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zdenek Kabelac <zkabelac@redhat.com>


[ Upstream commit 0868b99c214a3d55486c700de7c3f770b7243e7c ]

When bitmap is resized, the old kalloced chunks just are not released
once the resized bitmap starts to use new space.

This fixes in particular kmemleak reports like this one:

unreferenced object 0xffff8f4311e9c000 (size 4096):
  comm "lvm", pid 19333, jiffies 4295263268 (age 528.265s)
  hex dump (first 32 bytes):
    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
  backtrace:
    [<ffffffffa69471ca>] kmemleak_alloc+0x4a/0xa0
    [<ffffffffa628c10e>] kmem_cache_alloc_trace+0x14e/0x2e0
    [<ffffffffa676cfec>] bitmap_checkpage+0x7c/0x110
    [<ffffffffa676d0c5>] bitmap_get_counter+0x45/0xd0
    [<ffffffffa676d6b3>] bitmap_set_memory_bits+0x43/0xe0
    [<ffffffffa676e41c>] bitmap_init_from_disk+0x23c/0x530
    [<ffffffffa676f1ae>] bitmap_load+0xbe/0x160
    [<ffffffffc04c47d3>] raid_preresume+0x203/0x2f0 [dm_raid]
    [<ffffffffa677762f>] dm_table_resume_targets+0x4f/0xe0
    [<ffffffffa6774b52>] dm_resume+0x122/0x140
    [<ffffffffa6779b9f>] dev_suspend+0x18f/0x290
    [<ffffffffa677a3a7>] ctl_ioctl+0x287/0x560
    [<ffffffffa677a693>] dm_ctl_ioctl+0x13/0x20
    [<ffffffffa62d6b46>] do_vfs_ioctl+0xa6/0x750
    [<ffffffffa62d7269>] SyS_ioctl+0x79/0x90
    [<ffffffffa6956d41>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Signed-off-by: Zdenek Kabelac <zkabelac@redhat.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/bitmap.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
@@ -2158,6 +2158,7 @@ int bitmap_resize(struct bitmap *bitmap,
 				for (k = 0; k < page; k++) {
 					kfree(new_bp[k].map);
 				}
+				kfree(new_bp);
 
 				/* restore some fields from old_counts */
 				bitmap->counts.bp = old_counts.bp;
@@ -2208,6 +2209,14 @@ int bitmap_resize(struct bitmap *bitmap,
 		block += old_blocks;
 	}
 
+	if (bitmap->counts.bp != old_counts.bp) {
+		unsigned long k;
+		for (k = 0; k < old_counts.pages; k++)
+			if (!old_counts.bp[k].hijacked)
+				kfree(old_counts.bp[k].map);
+		kfree(old_counts.bp);
+	}
+
 	if (!init) {
 		int i;
 		while (block < (chunks << chunkshift)) {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 163/164] RDMA/cxgb4: Annotate r2 and stag as __be32
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 162/164] md: free unused memory after bitmap resize Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.14 164/164] x86/intel_rdt: Fix potential deadlock during resctrl unmount Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Wise, Leon Romanovsky,
	Doug Ledford, Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leon@kernel.org>


[ Upstream commit 7d7d065a5eec7e218174d5c64a9f53f99ffdb119 ]

Chelsio cxgb4 HW is big-endian, hence there is need to properly
annotate r2 and stag fields as __be32 and not __u32 to fix the
following sparse warnings.

  drivers/infiniband/hw/cxgb4/qp.c:614:16:
    warning: incorrect type in assignment (different base types)
      expected unsigned int [unsigned] [usertype] r2
      got restricted __be32 [usertype] <noident>
  drivers/infiniband/hw/cxgb4/qp.c:615:18:
    warning: incorrect type in assignment (different base types)
      expected unsigned int [unsigned] [usertype] stag
      got restricted __be32 [usertype] <noident>

Cc: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/cxgb4/t4fw_ri_api.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
+++ b/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
@@ -675,8 +675,8 @@ struct fw_ri_fr_nsmr_tpte_wr {
 	__u16  wrid;
 	__u8   r1[3];
 	__u8   len16;
-	__u32  r2;
-	__u32  stag;
+	__be32  r2;
+	__be32  stag;
 	struct fw_ri_tpte tpte;
 	__u64  pbl[2];
 };

^ permalink raw reply	[flat|nested] 176+ messages in thread

* [PATCH 4.14 164/164] x86/intel_rdt: Fix potential deadlock during resctrl unmount
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 163/164] RDMA/cxgb4: Annotate r2 and stag as __be32 Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 14:47 ` [PATCH 4.14 000/164] 4.14.6-stable review Shuah Khan
                   ` (3 subsequent siblings)
  162 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Reinette Chatre, Thomas Gleixner,
	Sai Praneeth Prakhya, Vikas Shivappa, Fenghua Yu, Tony Luck,
	Sasha Levin

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Reinette Chatre <reinette.chatre@intel.com>


[ Upstream commit 36b6f9fcb8928c06b6638a4cf91bc9d69bb49aa2 ]

Lockdep warns about a potential deadlock:

[   66.782842] ======================================================
[   66.782888] WARNING: possible circular locking dependency detected
[   66.782937] 4.14.0-rc2-test-test+ #48 Not tainted
[   66.782983] ------------------------------------------------------
[   66.783052] umount/336 is trying to acquire lock:
[   66.783117]  (cpu_hotplug_lock.rw_sem){++++}, at: [<ffffffff81032395>] rdt_kill_sb+0x215/0x390
[   66.783193]
               but task is already holding lock:
[   66.783244]  (rdtgroup_mutex){+.+.}, at: [<ffffffff810321b6>] rdt_kill_sb+0x36/0x390
[   66.783305]
               which lock already depends on the new lock.

[   66.783364]
               the existing dependency chain (in reverse order) is:
[   66.783419]
               -> #3 (rdtgroup_mutex){+.+.}:
[   66.783467]        __lock_acquire+0x1293/0x13f0
[   66.783509]        lock_acquire+0xaf/0x220
[   66.783543]        __mutex_lock+0x71/0x9b0
[   66.783575]        mutex_lock_nested+0x1b/0x20
[   66.783610]        intel_rdt_online_cpu+0x3b/0x430
[   66.783649]        cpuhp_invoke_callback+0xab/0x8e0
[   66.783687]        cpuhp_thread_fun+0x7a/0x150
[   66.783722]        smpboot_thread_fn+0x1cc/0x270
[   66.783764]        kthread+0x16e/0x190
[   66.783794]        ret_from_fork+0x27/0x40
[   66.783825]
               -> #2 (cpuhp_state){+.+.}:
[   66.783870]        __lock_acquire+0x1293/0x13f0
[   66.783906]        lock_acquire+0xaf/0x220
[   66.783938]        cpuhp_issue_call+0x102/0x170
[   66.783974]        __cpuhp_setup_state_cpuslocked+0x154/0x2a0
[   66.784023]        __cpuhp_setup_state+0xc7/0x170
[   66.784061]        page_writeback_init+0x43/0x67
[   66.784097]        pagecache_init+0x43/0x4a
[   66.784131]        start_kernel+0x3ad/0x3f7
[   66.784165]        x86_64_start_reservations+0x2a/0x2c
[   66.784204]        x86_64_start_kernel+0x72/0x75
[   66.784241]        verify_cpu+0x0/0xfb
[   66.784270]
               -> #1 (cpuhp_state_mutex){+.+.}:
[   66.784319]        __lock_acquire+0x1293/0x13f0
[   66.784355]        lock_acquire+0xaf/0x220
[   66.784387]        __mutex_lock+0x71/0x9b0
[   66.784419]        mutex_lock_nested+0x1b/0x20
[   66.784454]        __cpuhp_setup_state_cpuslocked+0x52/0x2a0
[   66.784497]        __cpuhp_setup_state+0xc7/0x170
[   66.784535]        page_alloc_init+0x28/0x30
[   66.784569]        start_kernel+0x148/0x3f7
[   66.784602]        x86_64_start_reservations+0x2a/0x2c
[   66.784642]        x86_64_start_kernel+0x72/0x75
[   66.784678]        verify_cpu+0x0/0xfb
[   66.784707]
               -> #0 (cpu_hotplug_lock.rw_sem){++++}:
[   66.784759]        check_prev_add+0x32f/0x6e0
[   66.784794]        __lock_acquire+0x1293/0x13f0
[   66.784830]        lock_acquire+0xaf/0x220
[   66.784863]        cpus_read_lock+0x3d/0xb0
[   66.784896]        rdt_kill_sb+0x215/0x390
[   66.784930]        deactivate_locked_super+0x3e/0x70
[   66.784968]        deactivate_super+0x40/0x60
[   66.785003]        cleanup_mnt+0x3f/0x80
[   66.785034]        __cleanup_mnt+0x12/0x20
[   66.785070]        task_work_run+0x8b/0xc0
[   66.785103]        exit_to_usermode_loop+0x94/0xa0
[   66.786804]        syscall_return_slowpath+0xe8/0x150
[   66.788502]        entry_SYSCALL_64_fastpath+0xab/0xad
[   66.790194]
               other info that might help us debug this:

[   66.795139] Chain exists of:
                 cpu_hotplug_lock.rw_sem --> cpuhp_state --> rdtgroup_mutex

[   66.800035]  Possible unsafe locking scenario:

[   66.803267]        CPU0                    CPU1
[   66.804867]        ----                    ----
[   66.806443]   lock(rdtgroup_mutex);
[   66.808002]                                lock(cpuhp_state);
[   66.809565]                                lock(rdtgroup_mutex);
[   66.811110]   lock(cpu_hotplug_lock.rw_sem);
[   66.812608]
                *** DEADLOCK ***

[   66.816983] 2 locks held by umount/336:
[   66.818418]  #0:  (&type->s_umount_key#35){+.+.}, at: [<ffffffff81229738>] deactivate_super+0x38/0x60
[   66.819922]  #1:  (rdtgroup_mutex){+.+.}, at: [<ffffffff810321b6>] rdt_kill_sb+0x36/0x390

When the resctrl filesystem is unmounted the locks should be obtain in the
locks in the same order as was done when the cpus came online:

      cpu_hotplug_lock before rdtgroup_mutex.

This also requires to switch the static_branch_disable() calls to the
_cpulocked variant because now cpu hotplug lock is held already.

[ tglx: Switched to cpus_read_[un]lock ]

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
Acked-by: Vikas Shivappa <vikas.shivappa@linux.intel.com>
Acked-by: Fenghua Yu <fenghua.yu@intel.com>
Acked-by: Tony Luck <tony.luck@intel.com>
Link: https://lkml.kernel.org/r/cc292e76be073f7260604651711c47b09fd0dc81.1508490116.git.reinette.chatre@intel.com
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/intel_rdt_rdtgroup.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
+++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c
@@ -1297,9 +1297,7 @@ static void rmdir_all_sub(void)
 		kfree(rdtgrp);
 	}
 	/* Notify online CPUs to update per cpu storage and PQR_ASSOC MSR */
-	get_online_cpus();
 	update_closid_rmid(cpu_online_mask, &rdtgroup_default);
-	put_online_cpus();
 
 	kernfs_remove(kn_info);
 	kernfs_remove(kn_mongrp);
@@ -1310,6 +1308,7 @@ static void rdt_kill_sb(struct super_blo
 {
 	struct rdt_resource *r;
 
+	cpus_read_lock();
 	mutex_lock(&rdtgroup_mutex);
 
 	/*Put everything back to default values. */
@@ -1317,11 +1316,12 @@ static void rdt_kill_sb(struct super_blo
 		reset_all_ctrls(r);
 	cdp_disable();
 	rmdir_all_sub();
-	static_branch_disable(&rdt_alloc_enable_key);
-	static_branch_disable(&rdt_mon_enable_key);
-	static_branch_disable(&rdt_enable_key);
+	static_branch_disable_cpuslocked(&rdt_alloc_enable_key);
+	static_branch_disable_cpuslocked(&rdt_mon_enable_key);
+	static_branch_disable_cpuslocked(&rdt_enable_key);
 	kernfs_kill_sb(sb);
 	mutex_unlock(&rdtgroup_mutex);
+	cpus_read_unlock();
 }
 
 static struct file_system_type rdt_fs_type = {

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.14 164/164] x86/intel_rdt: Fix potential deadlock during resctrl unmount Greg Kroah-Hartman
@ 2017-12-12 14:47 ` Shuah Khan
  2017-12-13  6:48   ` Marek Szyprowski
  2017-12-12 21:54 ` Shuah Khan
                   ` (2 subsequent siblings)
  162 siblings, 1 reply; 176+ messages in thread
From: Shuah Khan @ 2017-12-12 14:47 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel, m.szyprowski, Daniel Vetter,
	Shuah Khan
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage, stable

On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.6 release.
> There are 164 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 
 
> Daniel Vetter <daniel.vetter@ffwll.ch>
>     drm: safely free connectors from connector_iter
> 

> Marek Szyprowski <m.szyprowski@samsung.com>
>     drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
> 

The above two patches have been found to be the cause of boot hang on
exynos Peach Pi(t) chromebooks. 

I am adding Daniel and Marek to the thread.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2017-12-12 14:47 ` [PATCH 4.14 000/164] 4.14.6-stable review Shuah Khan
@ 2017-12-12 21:54 ` Shuah Khan
  2017-12-14  8:00   ` Greg Kroah-Hartman
  2017-12-13  2:47 ` Guenter Roeck
  2017-12-13 17:15 ` Naresh Kamboju
  162 siblings, 1 reply; 176+ messages in thread
From: Shuah Khan @ 2017-12-12 21:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, Shuah Khan

On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.6 release.
> There are 164 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2017-12-12 21:54 ` Shuah Khan
@ 2017-12-13  2:47 ` Guenter Roeck
  2017-12-14  7:54   ` Greg Kroah-Hartman
  2017-12-13 17:15 ` Naresh Kamboju
  162 siblings, 1 reply; 176+ messages in thread
From: Guenter Roeck @ 2017-12-13  2:47 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuahkh, patches, ben.hutchings, lkft-triage, stable

On 12/12/2017 04:43 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.6 release.
> There are 164 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> Anything received after that time might be too late.
> 

Build results:
	total: 145 pass: 145 fail: 0
Qemu test results:
	total: 124 pass: 124 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-12 14:47 ` [PATCH 4.14 000/164] 4.14.6-stable review Shuah Khan
@ 2017-12-13  6:48   ` Marek Szyprowski
  2017-12-13  7:57     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 176+ messages in thread
From: Marek Szyprowski @ 2017-12-13  6:48 UTC (permalink / raw)
  To: Shuah Khan, Greg Kroah-Hartman, linux-kernel, Daniel Vetter
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage, stable

Hi Shuah and Greg,

On 2017-12-12 15:47, Shuah Khan wrote:
> On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
>> This is the start of the stable review cycle for the 4.14.6 release.
>> There are 164 patches in this series, all will be posted as a response
>> to this one.  If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
>> Anything received after that time might be too late.
>>
>> The whole patch series can be found in one patch at:
>> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
>> or in the git tree and branch at:
>>    git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
>> and the diffstat can be found below.
>>
>> thanks,
>>
>> greg k-h
>>
>   
>> Daniel Vetter <daniel.vetter@ffwll.ch>
>>      drm: safely free connectors from connector_iter
>>
>> Marek Szyprowski <m.szyprowski@samsung.com>
>>      drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
>>
> The above two patches have been found to be the cause of boot hang on
> exynos Peach Pi(t) chromebooks.
>
> I am adding Daniel and Marek to the thread.

The deadlock is caused by the Daniels patch. My patch only changes the order
of device initialization what might hide or reveal bug related to 
Daniels patch.

My drm/bridge patch it is definitely needed for v4.14 stable to fix boot 
issue
on Samsung Snow Chromebooks (Exynos 5250 based).

Best regards

-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-13  6:48   ` Marek Szyprowski
@ 2017-12-13  7:57     ` Greg Kroah-Hartman
  2017-12-13  8:49       ` Daniel Vetter
  0 siblings, 1 reply; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-13  7:57 UTC (permalink / raw)
  To: Marek Szyprowski
  Cc: Shuah Khan, linux-kernel, Daniel Vetter, torvalds, akpm, linux,
	patches, ben.hutchings, lkft-triage, stable

On Wed, Dec 13, 2017 at 07:48:43AM +0100, Marek Szyprowski wrote:
> Hi Shuah and Greg,
> 
> On 2017-12-12 15:47, Shuah Khan wrote:
> > On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
> > > This is the start of the stable review cycle for the 4.14.6 release.
> > > There are 164 patches in this series, all will be posted as a response
> > > to this one.  If anyone has any issues with these being applied, please
> > > let me know.
> > > 
> > > Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> > > Anything received after that time might be too late.
> > > 
> > > The whole patch series can be found in one patch at:
> > > 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
> > > or in the git tree and branch at:
> > >    git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > > and the diffstat can be found below.
> > > 
> > > thanks,
> > > 
> > > greg k-h
> > > 
> > > Daniel Vetter <daniel.vetter@ffwll.ch>
> > >      drm: safely free connectors from connector_iter
> > > 
> > > Marek Szyprowski <m.szyprowski@samsung.com>
> > >      drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
> > > 
> > The above two patches have been found to be the cause of boot hang on
> > exynos Peach Pi(t) chromebooks.
> > 
> > I am adding Daniel and Marek to the thread.
> 
> The deadlock is caused by the Daniels patch. My patch only changes the order
> of device initialization what might hide or reveal bug related to Daniels
> patch.

So should I revert Daniel's patch?  Or is there already a fix for that
in Linus's tree?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-13  7:57     ` Greg Kroah-Hartman
@ 2017-12-13  8:49       ` Daniel Vetter
  2017-12-14  8:00         ` Greg Kroah-Hartman
  0 siblings, 1 reply; 176+ messages in thread
From: Daniel Vetter @ 2017-12-13  8:49 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Marek Szyprowski, Shuah Khan, Linux Kernel Mailing List,
	Linus Torvalds, Andrew Morton, Guenter Roeck, patches,
	ben.hutchings, lkft-triage, stable

On Wed, Dec 13, 2017 at 8:57 AM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Wed, Dec 13, 2017 at 07:48:43AM +0100, Marek Szyprowski wrote:
>> Hi Shuah and Greg,
>>
>> On 2017-12-12 15:47, Shuah Khan wrote:
>> > On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
>> > > This is the start of the stable review cycle for the 4.14.6 release.
>> > > There are 164 patches in this series, all will be posted as a response
>> > > to this one.  If anyone has any issues with these being applied, please
>> > > let me know.
>> > >
>> > > Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
>> > > Anything received after that time might be too late.
>> > >
>> > > The whole patch series can be found in one patch at:
>> > >   kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
>> > > or in the git tree and branch at:
>> > >    git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
>> > > and the diffstat can be found below.
>> > >
>> > > thanks,
>> > >
>> > > greg k-h
>> > >
>> > > Daniel Vetter <daniel.vetter@ffwll.ch>
>> > >      drm: safely free connectors from connector_iter
>> > >
>> > > Marek Szyprowski <m.szyprowski@samsung.com>
>> > >      drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
>> > >
>> > The above two patches have been found to be the cause of boot hang on
>> > exynos Peach Pi(t) chromebooks.
>> >
>> > I am adding Daniel and Marek to the thread.
>>
>> The deadlock is caused by the Daniels patch. My patch only changes the order
>> of device initialization what might hide or reveal bug related to Daniels
>> patch.
>
> So should I revert Daniel's patch?  Or is there already a fix for that
> in Linus's tree?

Not yet, still typing it. Hopefully all in time for -rc4. I think
reverting it for now should be ok, I'll annotate the cc: stable lines
for the new ones with a note that you need to re-cherry-pick it to
make it all work.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2017-12-13  2:47 ` Guenter Roeck
@ 2017-12-13 17:15 ` Naresh Kamboju
  2017-12-14  8:01   ` Greg Kroah-Hartman
  162 siblings, 1 reply; 176+ messages in thread
From: Naresh Kamboju @ 2017-12-13 17:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, Ben Hutchings, Shuah Khan, lkft-triage, patches,
	linux- stable, akpm, torvalds, Guenter Roeck, Tom Gall

On 12 December 2017 at 18:13, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 4.14.6 release.
> There are 164 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64 and x86_64.
armv7 beagleboard x15 results are not available due to infrastructure issues.

Note:
Newly added selftests/net/reuseport_bpf FAILED in full run on x86_64 and
the independent test execution resulted as PASS.
For the internal investigation bug reported.
https://bugs.linaro.org/show_bug.cgi?id=3502#c4

Summary
------------------------------------------------------------------------

kernel: 4.14.6-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 84729424b1da9e59e21c7a626d2b51970b348461
git describe: v4.14.5-165-g84729424b1da
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.5-165-g84729424b1da


No regressions (compared to build v4.14.5-97-gcdda4aaafa84)

Boards, architectures and test suites:
-------------------------------------

hi6220-hikey - arm64
* boot - pass: 20,
* kselftest - pass: 46, skip: 16
* libhugetlbfs - pass: 90, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 21, skip: 1
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 983, skip: 121
* ltp-timers-tests - pass: 12,

juno-r2 - arm64
* boot - pass: 20,
* kselftest - pass: 45, skip: 17
* libhugetlbfs - pass: 90, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 985, skip: 121
* ltp-timers-tests - pass: 12,

x86_64
* boot - pass: 20,
* kselftest - fail: 1, pass: 60, skip: 16
* libhugetlbfs - pass: 90, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 61, skip: 1
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 9, skip: 1
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 957, skip: 163
* ltp-timers-tests - pass: 12,

Documentation - https://collaborate.linaro.org/display/LKFT/Email+Reports

Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-13  2:47 ` Guenter Roeck
@ 2017-12-14  7:54   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-14  7:54 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuahkh, patches, ben.hutchings,
	lkft-triage, stable

On Tue, Dec 12, 2017 at 06:47:33PM -0800, Guenter Roeck wrote:
> On 12/12/2017 04:43 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.14.6 release.
> > There are 164 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 145 pass: 145 fail: 0
> Qemu test results:
> 	total: 124 pass: 124 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Thanks for testing these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-13  8:49       ` Daniel Vetter
@ 2017-12-14  8:00         ` Greg Kroah-Hartman
  0 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-14  8:00 UTC (permalink / raw)
  To: Daniel Vetter
  Cc: Marek Szyprowski, Shuah Khan, Linux Kernel Mailing List,
	Linus Torvalds, Andrew Morton, Guenter Roeck, patches,
	ben.hutchings, lkft-triage, stable

On Wed, Dec 13, 2017 at 09:49:32AM +0100, Daniel Vetter wrote:
> On Wed, Dec 13, 2017 at 8:57 AM, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > On Wed, Dec 13, 2017 at 07:48:43AM +0100, Marek Szyprowski wrote:
> >> Hi Shuah and Greg,
> >>
> >> On 2017-12-12 15:47, Shuah Khan wrote:
> >> > On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
> >> > > This is the start of the stable review cycle for the 4.14.6 release.
> >> > > There are 164 patches in this series, all will be posted as a response
> >> > > to this one.  If anyone has any issues with these being applied, please
> >> > > let me know.
> >> > >
> >> > > Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> >> > > Anything received after that time might be too late.
> >> > >
> >> > > The whole patch series can be found in one patch at:
> >> > >   kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
> >> > > or in the git tree and branch at:
> >> > >    git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> >> > > and the diffstat can be found below.
> >> > >
> >> > > thanks,
> >> > >
> >> > > greg k-h
> >> > >
> >> > > Daniel Vetter <daniel.vetter@ffwll.ch>
> >> > >      drm: safely free connectors from connector_iter
> >> > >
> >> > > Marek Szyprowski <m.szyprowski@samsung.com>
> >> > >      drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
> >> > >
> >> > The above two patches have been found to be the cause of boot hang on
> >> > exynos Peach Pi(t) chromebooks.
> >> >
> >> > I am adding Daniel and Marek to the thread.
> >>
> >> The deadlock is caused by the Daniels patch. My patch only changes the order
> >> of device initialization what might hide or reveal bug related to Daniels
> >> patch.
> >
> > So should I revert Daniel's patch?  Or is there already a fix for that
> > in Linus's tree?
> 
> Not yet, still typing it. Hopefully all in time for -rc4. I think
> reverting it for now should be ok, I'll annotate the cc: stable lines
> for the new ones with a note that you need to re-cherry-pick it to
> make it all work.

Thanks, I've dropped this for now.

greg k-h

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-12 21:54 ` Shuah Khan
@ 2017-12-14  8:00   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-14  8:00 UTC (permalink / raw)
  To: Shuah Khan
  Cc: linux-kernel, torvalds, akpm, linux, patches, ben.hutchings,
	lkft-triage, stable

On Tue, Dec 12, 2017 at 02:54:58PM -0700, Shuah Khan wrote:
> On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.14.6 release.
> > There are 164 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
> > or in the git tree and branch at:
> >   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Thanks for the testing and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-13 17:15 ` Naresh Kamboju
@ 2017-12-14  8:01   ` Greg Kroah-Hartman
  2017-12-14 10:37     ` Naresh Kamboju
  2017-12-14 17:13     ` Shuah Khan
  0 siblings, 2 replies; 176+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-14  8:01 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: linux-kernel, Ben Hutchings, Shuah Khan, lkft-triage, patches,
	linux- stable, akpm, torvalds, Guenter Roeck, Tom Gall

On Wed, Dec 13, 2017 at 10:45:39PM +0530, Naresh Kamboju wrote:
> On 12 December 2017 at 18:13, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > This is the start of the stable review cycle for the 4.14.6 release.
> > There are 164 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
> > or in the git tree and branch at:
> >   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> 
> Results from Linaro’s test farm.
> No regressions on arm64 and x86_64.
> armv7 beagleboard x15 results are not available due to infrastructure issues.
> 
> Note:
> Newly added selftests/net/reuseport_bpf FAILED in full run on x86_64 and
> the independent test execution resulted as PASS.

That's odd, it's not good when test infrastructure doesn't work :(

Anyway, thanks for testing and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-14  8:01   ` Greg Kroah-Hartman
@ 2017-12-14 10:37     ` Naresh Kamboju
  2017-12-14 17:13     ` Shuah Khan
  1 sibling, 0 replies; 176+ messages in thread
From: Naresh Kamboju @ 2017-12-14 10:37 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, Ben Hutchings, Shuah Khan, lkft-triage, patches,
	linux- stable, akpm, torvalds, Guenter Roeck, Tom Gall

On 14 December 2017 at 13:31, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Wed, Dec 13, 2017 at 10:45:39PM +0530, Naresh Kamboju wrote:
>> On 12 December 2017 at 18:13, Greg Kroah-Hartman
>> <gregkh@linuxfoundation.org> wrote:
>> > This is the start of the stable review cycle for the 4.14.6 release.
>> > There are 164 patches in this series, all will be posted as a response
>> > to this one.  If anyone has any issues with these being applied, please
>> > let me know.
>> >
>> > Responses should be made by Thu Dec 14 12:34:08 UTC 2017.
>> > Anything received after that time might be too late.
>> >
>> > The whole patch series can be found in one patch at:
>> >         kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.6-rc1.gz
>> > or in the git tree and branch at:
>> >   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
>> > and the diffstat can be found below.
>> >
>> > thanks,
>> >
>> > greg k-h
>>
>> Results from Linaro’s test farm.
>> No regressions on arm64 and x86_64.
>> armv7 beagleboard x15 results are not available due to infrastructure issues.
>>
>> Note:
>> Newly added selftests/net/reuseport_bpf FAILED in full run on x86_64 and
>> the independent test execution resulted as PASS.
>
> That's odd, it's not good when test infrastructure doesn't work :(

Now we have results on armv7 beagleboard x15.
No regressions on armv7.

Summary
------------------------------------------------------------------------

kernel: 4.14.6-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 84729424b1da9e59e21c7a626d2b51970b348461
git describe: v4.14.5-165-g84729424b1da
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.5-165-g84729424b1da

No regressions (compared to build v4.14.5-97-gcdda4aaafa84)

x15 - arm
* boot - pass: 20,
* kselftest - pass: 41, skip: 20
* libhugetlbfs - pass: 87, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 20, skip: 2
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 13, skip: 1
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1036, skip: 66
* ltp-timers-tests - pass: 12,

Documentation - https://collaborate.linaro.org/display/LKFT/Email+Reports

Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>

>
> Anyway, thanks for testing and letting me know.
>
> greg k-h

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-14  8:01   ` Greg Kroah-Hartman
  2017-12-14 10:37     ` Naresh Kamboju
@ 2017-12-14 17:13     ` Shuah Khan
  2017-12-15 14:44       ` Dan Rue
  1 sibling, 1 reply; 176+ messages in thread
From: Shuah Khan @ 2017-12-14 17:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Naresh Kamboju
  Cc: linux-kernel, Ben Hutchings, lkft-triage, patches, linux- stable,
	akpm, torvalds, Guenter Roeck, Tom Gall, Shuah Khan

Hi Naresh,

>> Results from Linaro’s test farm.
>> No regressions on arm64 and x86_64.
>> armv7 beagleboard x15 results are not available due to infrastructure issues.
>>
>> Note:
>> Newly added selftests/net/reuseport_bpf FAILED in full run on x86_64 and
>> the independent test execution resulted as PASS.

This test went in through net-next very likely. Could you please send me the
failure log for the full run.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 176+ messages in thread

* Re: [PATCH 4.14 000/164] 4.14.6-stable review
  2017-12-14 17:13     ` Shuah Khan
@ 2017-12-15 14:44       ` Dan Rue
  0 siblings, 0 replies; 176+ messages in thread
From: Dan Rue @ 2017-12-15 14:44 UTC (permalink / raw)
  To: Shuah Khan
  Cc: Greg Kroah-Hartman, Naresh Kamboju, linux-kernel, Ben Hutchings,
	lkft-triage, patches, linux- stable, akpm, torvalds,
	Guenter Roeck, Tom Gall

On Thu, Dec 14, 2017 at 10:13:47AM -0700, Shuah Khan wrote:
> Hi Naresh,
> 
> >> Results from Linaro’s test farm.
> >> No regressions on arm64 and x86_64.
> >> armv7 beagleboard x15 results are not available due to infrastructure issues.
> >>
> >> Note:
> >> Newly added selftests/net/reuseport_bpf FAILED in full run on x86_64 and
> >> the independent test execution resulted as PASS.
> 
> This test went in through net-next very likely. Could you please send me the
> failure log for the full run.

Hi Shuah,

Have a look at https://bugs.linaro.org/show_bug.cgi?id=3502#c7. It seems
that the problems can be seen when running reuseport_bpf as a part of
the rest of kselftest (sometimes), or when running it in a loop.

Dan

^ permalink raw reply	[flat|nested] 176+ messages in thread

end of thread, other threads:[~2017-12-15 14:44 UTC | newest]

Thread overview: 176+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-12 12:43 [PATCH 4.14 000/164] 4.14.6-stable review Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 001/164] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 002/164] usb: gadget: core: Fix ->udc_set_speed() speed handling Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 003/164] serdev: ttyport: add missing receive_buf sanity checks Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 004/164] serdev: ttyport: fix NULL-deref on hangup Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 005/164] serdev: ttyport: fix tty locking in close Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 006/164] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 007/164] can: mcba_usb: fix device disconnect bug Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 008/164] can: peak/pci: fix potential bug when probe() fails Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 009/164] can: flexcan: fix VF610 state transition issue Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 011/164] can: kvaser_usb: free buf in error paths Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 012/164] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 013/164] can: kvaser_usb: ratelimit errors if incomplete messages are received Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 014/164] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 015/164] can: mcba_usb: cancel urb on -EPROTO Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 016/164] can: ems_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 017/164] can: esd_usb2: " Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 018/164] can: usb_8dev: " Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 019/164] can: peak/pcie_fd: fix potential bug in restarting tx queue Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 020/164] virtio: release virtio index when fail to device_register Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 021/164] iio: stm32: fix adc/trigger link error Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 022/164] iio: health: max30102: Temperature should be in milli Celsius Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 023/164] iio: adc: cpcap: fix incorrect validation Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 024/164] iio: adc: meson-saradc: fix the bit_idx of the adc_en clock Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 025/164] iio: adc: meson-saradc: initialize the bandgap correctly on older SoCs Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 026/164] iio: adc: meson-saradc: Meson8 and Meson8b do not have REG11 and REG13 Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 027/164] pinctrl: armada-37xx: Fix direction_output() callback behavior Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 028/164] Drivers: hv: vmbus: Fix a rescind issue Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 029/164] hv: kvp: Avoid reading past allocated blocks from KVP file Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 030/164] firmware: cleanup FIRMWARE_IN_KERNEL message Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 031/164] firmware: vpd: Destroy vpd sections in remove function Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 032/164] firmware: vpd: Tie firmware kobject to device lifetime Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 033/164] firmware: vpd: Fix platform driver and device registration/unregistration Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 034/164] isa: Prevent NULL dereference in isa_bus driver callbacks Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 035/164] scsi: dma-mapping: always provide dma_get_cache_alignment Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 036/164] scsi: use dma_get_cache_alignment() as minimum DMA alignment Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 037/164] scsi: libsas: align sata_devices rps_resp on a cacheline Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 038/164] efi: Move some sysfs files to be read-only by root Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 039/164] efi/esrt: Use memunmap() instead of kfree() to free the remapping Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 040/164] ASN.1: fix out-of-bounds read when parsing indefinite length item Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 041/164] ASN.1: check for error from ASN1_OP_END__ACT actions Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 042/164] KEYS: add missing permission check for request_key() destination Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 043/164] KEYS: reject NULL restriction string when type is specified Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 044/164] X.509: reject invalid BIT STRING for subjectPublicKey Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 045/164] X.509: fix comparisons of ->pkey_algo Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 046/164] x86/idt: Load idt early in start_secondary Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 047/164] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 049/164] btrfs: fix missing error return in btrfs_drop_snapshot Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 050/164] btrfs: handle errors while updating refcounts in update_ref_for_cow Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 051/164] ALSA: hda/realtek - New codec support for ALC257 Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 052/164] ALSA: pcm: prevent UAF in snd_pcm_info Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 053/164] ALSA: seq: Remove spurious WARN_ON() at timer check Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 054/164] ALSA: usb-audio: Fix out-of-bound error Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 055/164] ALSA: usb-audio: Add check return value for usb_string() Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 056/164] iommu/vt-d: Fix scatterlist offset handling Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 057/164] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 058/164] s390: always save and restore all registers on context switch Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.14 059/164] s390/mm: fix off-by-one bug in 5-level page table handling Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 060/164] s390: fix compat system call table Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 061/164] KVM: s390: Fix skey emulation permission check Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 062/164] Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier" Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 063/164] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 064/164] iwlwifi: mvm: mark MIC stripped MPDUs Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 065/164] iwlwifi: mvm: dont use transmit queue hang detection when it is not possible Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 066/164] iwlwifi: mvm: flush queue before deleting ROC Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 067/164] iwlwifi: add new cards for 9260 and 22000 series Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 068/164] iwlwifi: mvm: fix packet injection Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 069/164] iwlwifi: mvm: enable RX offloading with TKIP and WEP Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 070/164] brcmfmac: change driver unbind order of the sdio function devices Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 071/164] kdb: Fix handling of kallsyms_symbol_next() return value Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 072/164] md/r5cache: move mddev_lock() out of r5c_journal_mode_set() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 073/164] drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 074/164] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 076/164] drm: safely free connectors from connector_iter Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 077/164] media: dvb: i2c transfers over usb cannot be done from stack Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 078/164] media: rc: sir_ir: detect presence of port Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 079/164] media: rc: partial revert of "media: rc: per-protocol repeat period" Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 080/164] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 081/164] arm: KVM: Fix " Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 083/164] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 084/164] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 085/164] KVM: arm/arm64: vgic: Preserve the revious read from the pending table Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 086/164] KVM: arm/arm64: vgic-its: Check result of allocation before use Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 087/164] arm64: fpsimd: Prevent registers leaking from dead tasks Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 088/164] arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 089/164] arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 090/164] Revert "ARM: dts: imx53: add srtc node" Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 091/164] bus: arm-cci: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 092/164] bus: arm-ccn: Check memory allocation failure Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 093/164] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 094/164] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 095/164] IB/core: Avoid unnecessary return value check Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 096/164] IB/core: Only enforce security for InfiniBand Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 097/164] crypto: talitos - fix AEAD test failures Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 098/164] crypto: talitos - fix memory corruption on SEC2 Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 099/164] crypto: talitos - fix setkey to check key weakness Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 100/164] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 101/164] crypto: talitos - fix use of sg_link_tbl_len Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 102/164] crypto: talitos - fix ctr-aes-talitos Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 103/164] ARM: BUG if jumping to usermode address in kernel mode Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 104/164] ARM: avoid faulting on qemu Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 105/164] irqchip/qcom: Fix u32 comparison with value less than zero Greg Kroah-Hartman
2017-12-12 12:44   ` Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 106/164] net/smc: use sk_rcvbuf as start for rmb creation Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 107/164] kbuild: pkg: use --transform option to prefix paths in tar Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 108/164] coccinelle: fix parallel build with CHECK=scripts/coccicheck Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 109/164] powerpc/perf: Fix pmu_count to count only nest imc pmus Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 110/164] apparmor: fix leak of null profile name if profile allocation fails Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 111/164] x86/mpx/selftests: Fix up weird arrays Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 112/164] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 113/164] gre6: use log_ecn_error module parameter in ip6_tnl_rcv() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 114/164] route: also update fnhe_genid when updating a route cache Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 115/164] route: update fnhe_expires for redirect when the fnhe exists Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 116/164] rsi: fix memory leak on buf and usb_reg_buf Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 117/164] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 118/164] pipe: match pipe_max_size data type with procfs Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.14 119/164] lib/genalloc.c: make the avail variable an atomic_long_t Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 120/164] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 121/164] NFS: Fix a typo in nfs_rename() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 122/164] sunrpc: Fix rpc_task_begin trace point Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 123/164] nfp: inherit the max_mtu from the PF netdev Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 124/164] nfp: fix flower offload metadata flag usage Greg Kroah-Hartman
2017-12-12 12:45   ` Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 125/164] xfs: fix forgotten rcu read unlock when skipping inode reclaim Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 126/164] dt-bindings: usb: fix reg-property port-number range Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 127/164] block: wake up all tasks blocked in get_request() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 128/164] sparc64/mm: set fields in deferred pages Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 129/164] zsmalloc: calling zs_map_object() from irq is a bug Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 130/164] slub: fix sysfs duplicate filename creation when slub_debug=O Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 131/164] sctp: do not free asoc when it is already dead in sctp_sendmsg Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 132/164] sctp: use the right sk after waking up from wait_buf sleep Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 133/164] fcntl: dont leak fd reference when fixup_compat_flock fails Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 134/164] geneve: fix fill_info when link down Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 135/164] bpf: fix lockdep splat Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 136/164] clk: stm32h7: fix test of clock config Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 138/164] clk: qcom: common: fix legacy board-clock registration Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 139/164] clk: uniphier: fix DAPLL2 clock rate of Pro5 Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 140/164] clk: hi3660: fix incorrect uart3 clock freqency Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 141/164] mailbox: mailbox-test: dont rely on rx_buffer content to signal data ready Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 142/164] kbuild: rpm-pkg: fix jobserver unavailable warning Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 143/164] atm: horizon: Fix irq release error Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 144/164] jump_label: Invoke jump_label_test() via early_initcall() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 145/164] tls: Use kzalloc for aead_request allocation Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 146/164] xfrm: Copy policy family in clone_policy Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 147/164] f2fs: fix to clear FI_NO_PREALLOC Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 148/164] bnxt_re: changing the ip address shouldnt affect new connections Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 149/164] IB/mlx4: Increase maximal message size under UD QP Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 150/164] IB/mlx5: Assign send CQ and recv CQ of UMR QP Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 151/164] afs: Fix total-length calculation for multiple-page send Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 152/164] afs: Connect up the CB.ProbeUuid Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 153/164] kbuild: do not call cc-option before KBUILD_CFLAGS initialization Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 154/164] powerpc/powernv/idle: Round up latency and residency values Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 155/164] ipvlan: fix ipv6 outbound device Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 156/164] ide: ide-atapi: fix compile error with defining macro DEBUG Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 157/164] blk-mq: Avoid that request queue removal can trigger list corruption Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 158/164] nvmet-rdma: update queue list during ib_device removal Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 159/164] audit: Allow auditd to set pid to 0 to end auditing Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 160/164] audit: ensure that audit=1 actually enables audit for PID 1 Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 161/164] dm raid: fix panic when attempting to force a raid to sync Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 162/164] md: free unused memory after bitmap resize Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 163/164] RDMA/cxgb4: Annotate r2 and stag as __be32 Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.14 164/164] x86/intel_rdt: Fix potential deadlock during resctrl unmount Greg Kroah-Hartman
2017-12-12 14:47 ` [PATCH 4.14 000/164] 4.14.6-stable review Shuah Khan
2017-12-13  6:48   ` Marek Szyprowski
2017-12-13  7:57     ` Greg Kroah-Hartman
2017-12-13  8:49       ` Daniel Vetter
2017-12-14  8:00         ` Greg Kroah-Hartman
2017-12-12 21:54 ` Shuah Khan
2017-12-14  8:00   ` Greg Kroah-Hartman
2017-12-13  2:47 ` Guenter Roeck
2017-12-14  7:54   ` Greg Kroah-Hartman
2017-12-13 17:15 ` Naresh Kamboju
2017-12-14  8:01   ` Greg Kroah-Hartman
2017-12-14 10:37     ` Naresh Kamboju
2017-12-14 17:13     ` Shuah Khan
2017-12-15 14:44       ` Dan Rue

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.