All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.9 000/148] 4.9.69-stable review
@ 2017-12-12 12:43 Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 001/148] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
                   ` (143 more replies)
  0 siblings, 144 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.9.69 release.
There are 148 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Dec 14 12:43:58 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.69-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.69-rc1

Leon Romanovsky <leon@kernel.org>
    RDMA/cxgb4: Annotate r2 and stag as __be32

Zdenek Kabelac <zkabelac@redhat.com>
    md: free unused memory after bitmap resize

Paul Moore <paul@paul-moore.com>
    audit: ensure that 'audit=1' actually enables audit for PID 1

Keefe Liu <liuqifa@huawei.com>
    ipvlan: fix ipv6 outbound device

Masahiro Yamada <yamada.masahiro@socionext.com>
    kbuild: do not call cc-option before KBUILD_CFLAGS initialization

David Howells <dhowells@redhat.com>
    afs: Connect up the CB.ProbeUuid

Majd Dibbiny <majd@mellanox.com>
    IB/mlx5: Assign send CQ and recv CQ of UMR QP

Mark Bloch <markb@mellanox.com>
    IB/mlx4: Increase maximal message size under UD QP

Herbert Xu <herbert@gondor.apana.org.au>
    xfrm: Copy policy family in clone_policy

Jason Baron <jbaron@akamai.com>
    jump_label: Invoke jump_label_test() via early_initcall()

Arvind Yadav <arvind.yadav.cs@gmail.com>
    atm: horizon: Fix irq release error

Masahiro Yamada <yamada.masahiro@socionext.com>
    clk: uniphier: fix DAPLL2 clock rate of Pro5

Eric Dumazet <edumazet@google.com>
    bpf: fix lockdep splat

Xin Long <lucien.xin@gmail.com>
    sctp: use the right sk after waking up from wait_buf sleep

Xin Long <lucien.xin@gmail.com>
    sctp: do not free asoc when it is already dead in sctp_sendmsg

Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
    zsmalloc: calling zs_map_object() from irq is a bug

Pavel Tatashin <pasha.tatashin@oracle.com>
    sparc64/mm: set fields in deferred pages

Ming Lei <ming.lei@redhat.com>
    block: wake up all tasks blocked in get_request()

Johan Hovold <johan@kernel.org>
    dt-bindings: usb: fix reg-property port-number range

Darrick J. Wong <darrick.wong@oracle.com>
    xfs: fix forgotten rcu read unlock when skipping inode reclaim

Chuck Lever <chuck.lever@oracle.com>
    sunrpc: Fix rpc_task_begin trace point

Trond Myklebust <trond.myklebust@primarydata.com>
    NFS: Fix a typo in nfs_rename()

Randy Dunlap <rdunlap@infradead.org>
    dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0

Stephen Bates <sbates@raithlin.com>
    lib/genalloc.c: make the avail variable an atomic_long_t

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'

Xin Long <lucien.xin@gmail.com>
    route: update fnhe_expires for redirect when the fnhe exists

Xin Long <lucien.xin@gmail.com>
    route: also update fnhe_genid when updating a route cache

Alexey Kodanev <alexey.kodanev@oracle.com>
    gre6: use log_ecn_error module parameter in ip6_tnl_rcv()

Ben Hutchings <ben.hutchings@codethink.co.uk>
    mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()

Dave Hansen <dave.hansen@linux.intel.com>
    x86/mpx/selftests: Fix up weird arrays

Masahiro Yamada <yamada.masahiro@socionext.com>
    coccinelle: fix parallel build with CHECK=scripts/coccicheck

Masahiro Yamada <yamada.masahiro@socionext.com>
    kbuild: pkg: use --transform option to prefix paths in tar

Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
    EDAC, i5000, i5400: Fix definition of NRECMEMB register

Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
    EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested

Jim Qu <Jim.Qu@amd.com>
    drm/amd/amdgpu: fix console deadlock if late init failed

Jan Kara <jack@suse.cz>
    axonram: Fix gendisk handling

Florian Westphal <fw@strlen.de>
    netfilter: don't track fragmented packets

Johannes Thumshirn <jthumshirn@suse.de>
    zram: set physical queue limits to avoid array out of bounds accesses

Ming Lei <tom.leiming@gmail.com>
    blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()

Chris Brandt <chris.brandt@renesas.com>
    i2c: riic: fix restart condition

Krzysztof Kozlowski <krzk@kernel.org>
    crypto: s5p-sss - Fix completing crypto request in IRQ handler

WANG Cong <xiyou.wangcong@gmail.com>
    ipv6: reorder icmpv6_init() and ip6_mr_init()

Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
    ibmvnic: Allocate number of rx/tx buffers agreed on by firmware

Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
    ibmvnic: Fix overflowing firmware/hardware TX queue

Sowmini Varadhan <sowmini.varadhan@oracle.com>
    rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races

Michal Schmidt <mschmidt@redhat.com>
    bnx2x: do not rollback VF MAC/VLAN filters we did not configure

Michal Schmidt <mschmidt@redhat.com>
    bnx2x: fix detection of VLAN filtering feature for VF

Michal Schmidt <mschmidt@redhat.com>
    bnx2x: fix possible overrun of VFPF multicast addresses array

Michal Schmidt <mschmidt@redhat.com>
    bnx2x: prevent crash when accessing PTP with interface down

Blomme, Maarten <Maarten.Blomme@flir.com>
    spi_ks8995: regs_size incorrect for some devices

Blomme, Maarten <Maarten.Blomme@flir.com>
    spi_ks8995: fix "BUG: key accdaa28 not in .data!"

Andre Przywara <andre.przywara@arm.com>
    KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled

Mark Rutland <mark.rutland@arm.com>
    arm64: KVM: Survive unknown traps from guests

Mark Rutland <mark.rutland@arm.com>
    arm: KVM: Survive unknown traps from guests

Wanpeng Li <wanpeng.li@hotmail.com>
    KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset

Franck Demathieu <fdemathieu@gmail.com>
    irqchip/crossbar: Fix incorrect type of register size

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters

Joe Perches <joe@perches.com>
    scsi: qla2xxx: Fix ql_dump_buffer

Tejun Heo <tj@kernel.org>
    workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq

Tejun Heo <tj@kernel.org>
    libata: drop WARN from protocol error in ata_sff_qc_issue()

Jim Mattson <jmattson@google.com>
    kvm: nVMX: VMCLEAR should not cause the vCPU to shut down

Raz Manor <Raz.Manor@valens.com>
    usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver

Petr Cvek <petr.cvek@tul.cz>
    usb: gadget: pxa27x: Test for a valid argument pointer

Roger Quadros <rogerq@ti.com>
    usb: dwc3: gadget: Fix system suspend/resume on TI platforms

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    USB: gadgetfs: Fix a potential memory leak in 'dev_config()'

John Keeping <john@metanate.com>
    usb: gadget: configs: plug memory leak

Daniel Drake <drake@endlessm.com>
    HID: chicony: Add support for another ASUS Zen AiO keyboard

Phil Reid <preid@electromag.com.au>
    gpio: altera: Use handle_level_irq when configured as a level_high

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: rcar: avoid SSI_MODEx settings for SSI8

Guenter Roeck <linux@roeck-us.net>
    ARM: OMAP2+: Release device node after it is no longer needed.

Guenter Roeck <linux@roeck-us.net>
    ARM: OMAP2+: Fix device node reference counts

Shile Zhang <shile.zhang@nokia.com>
    powerpc/64: Fix checksum folding in csum_add()

David Daney <david.daney@cavium.com>
    module: set __jump_table alignment to 8

Sean Young <sean@mess.org>
    lirc: fix dead lock between open and wakeup_filter

Nicholas Piggin <npiggin@gmail.com>
    powerpc: Fix compiling a BE kernel with a powerpc64le toolchain

Sachin Sant <sachinp@linux.vnet.ibm.com>
    selftest/powerpc: Fix false failures for skipped tests

Paul Mackerras <paulus@ozlabs.org>
    powerpc/64: Invalidate process table caching after setting process table

Thomas Gleixner <tglx@linutronix.de>
    x86/hpet: Prevent might sleep splat on resume

Peter Zijlstra <peterz@infradead.org>
    sched/fair: Make select_idle_cpu() more aggressive

Andrew Banman <abanman@hpe.com>
    x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register

Dmitry Safonov <dsafonov@virtuozzo.com>
    x86/selftests: Add clobbers for int80 on x86_64

Ladislav Michl <ladis@linux-mips.org>
    ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure

Steffen Klassert <steffen.klassert@secunet.com>
    vti6: Don't report path MTU below IPV6_MIN_MTU.

Kees Cook <keescook@chromium.org>
    ARM: 8657/1: uaccess: consistently check object sizes

Sasha Levin <alexander.levin@verizon.com>
    Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"

Sasha Levin <alexander.levin@verizon.com>
    Revert "drm/armada: Fix compile fail"

Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    mm: drop unused pmdp_huge_get_and_clear_notify()

Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    thp: fix MADV_DONTNEED vs. numa balancing race

Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    thp: reduce indentation level in change_huge_pmd()

Russell King <rmk+kernel@armlinux.org.uk>
    ARM: avoid faulting on qemu

Russell King <rmk+kernel@armlinux.org.uk>
    ARM: BUG if jumping to usermode address in kernel mode

John Keeping <john@metanate.com>
    usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix ctr-aes-talitos

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix use of sg_link_tbl_len

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix AEAD for sha224 on non sha224 capable chips

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix setkey to check key weakness

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix memory corruption on SEC2

LEROY Christophe <christophe.leroy@c-s.fr>
    crypto: talitos - fix AEAD test failures

Kim Phillips <kim.phillips@arm.com>
    bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.

Marc Zyngier <marc.zyngier@arm.com>
    bus: arm-ccn: Fix use of smp_processor_id() in preemptible context

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    bus: arm-ccn: Check memory allocation failure

Marc Zyngier <marc.zyngier@arm.com>
    bus: arm-cci: Fix use of smp_processor_id() in preemptible context

Dave Martin <Dave.Martin@arm.com>
    arm64: fpsimd: Prevent registers leaking from dead tasks

Marc Zyngier <marc.zyngier@arm.com>
    KVM: arm/arm64: vgic-its: Check result of allocation before use

Marc Zyngier <marc.zyngier@arm.com>
    KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation

Christoffer Dall <christoffer.dall@linaro.org>
    KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion

Andrew Honig <ahonig@google.com>
    KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

Marc Zyngier <marc.zyngier@arm.com>
    arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one

Kristina Martsenko <kristina.martsenko@arm.com>
    arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one

Laurent Caumont <lcaumont2@gmail.com>
    media: dvb: i2c transfers over usb cannot be done from stack

Marek Szyprowski <m.szyprowski@samsung.com>
    drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU

Daniel Thompson <daniel.thompson@linaro.org>
    kdb: Fix handling of kallsyms_symbol_next() return value

Arend Van Spriel <arend.vanspriel@broadcom.com>
    brcmfmac: change driver unbind order of the sdio function devices

Nicholas Piggin <npiggin@gmail.com>
    powerpc/64s: Initialize ISAv3 MMU registers before setting partition table

Janosch Frank <frankja@linux.vnet.ibm.com>
    KVM: s390: Fix skey emulation permission check

Heiko Carstens <heiko.carstens@de.ibm.com>
    s390: fix compat system call table

Lai Jiangshan <jiangshanlai@gmail.com>
    smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place

Robin Murphy <robin.murphy@arm.com>
    iommu/vt-d: Fix scatterlist offset handling

Jaejoong Kim <climbbb.kim@gmail.com>
    ALSA: usb-audio: Add check return value for usb_string()

Jaejoong Kim <climbbb.kim@gmail.com>
    ALSA: usb-audio: Fix out-of-bound error

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Remove spurious WARN_ON() at timer check

Robb Glasser <rglasser@google.com>
    ALSA: pcm: prevent UAF in snd_pcm_info

Jeff Mahoney <jeffm@suse.com>
    btrfs: fix missing error return in btrfs_drop_snapshot

Radim Krčmář <rkrcmar@redhat.com>
    KVM: x86: fix APIC page invalidation

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    x86/PCI: Make broadcom_postcore_init() check acpi_disabled

Eric Biggers <ebiggers@google.com>
    X.509: fix comparisons of ->pkey_algo

Eric Biggers <ebiggers@google.com>
    X.509: reject invalid BIT STRING for subjectPublicKey

Eric Biggers <ebiggers@google.com>
    KEYS: add missing permission check for request_key() destination

Eric Biggers <ebiggers@google.com>
    ASN.1: check for error from ASN1_OP_END__ACT actions

Eric Biggers <ebiggers@google.com>
    ASN.1: fix out-of-bounds read when parsing indefinite length item

Pan Bian <bianpan2016@163.com>
    efi/esrt: Use memunmap() instead of kfree() to free the remapping

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    efi: Move some sysfs files to be read-only by root

Huacai Chen <chenhc@lemote.com>
    scsi: libsas: align sata_device's rps_resp on a cacheline

Huacai Chen <chenhc@lemote.com>
    scsi: use dma_get_cache_alignment() as minimum DMA alignment

Christoph Hellwig <hch@lst.de>
    scsi: dma-mapping: always provide dma_get_cache_alignment

William Breathitt Gray <vilhelm.gray@gmail.com>
    isa: Prevent NULL dereference in isa_bus driver callbacks

Paul Meyer <Paul.Meyer@microsoft.com>
    hv: kvp: Avoid reading past allocated blocks from KVP file

weiping zhang <zwp10758@gmail.com>
    virtio: release virtio index when fail to device_register

Martin Kelly <mkelly@xevo.com>
    can: usb_8dev: cancel urb on -EPIPE and -EPROTO

Martin Kelly <mkelly@xevo.com>
    can: esd_usb2: cancel urb on -EPIPE and -EPROTO

Martin Kelly <mkelly@xevo.com>
    can: ems_usb: cancel urb on -EPIPE and -EPROTO

Martin Kelly <mkelly@xevo.com>
    can: kvaser_usb: cancel urb on -EPIPE and -EPROTO

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: ratelimit errors if incomplete messages are received

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()

Jimmy Assarsson <jimmyassarsson@gmail.com>
    can: kvaser_usb: free buf in error paths

Oliver Stäbler <oliver.staebler@bytesatwork.ch>
    can: ti_hecc: Fix napi poll return value for repoll

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    usb: gadget: udc: renesas_usb3: fix number of the pipes


-------------

Diffstat:

 .../devicetree/bindings/usb/usb-device.txt         |   2 +-
 Makefile                                           |  25 ++---
 arch/arm/include/asm/assembler.h                   |  18 ++++
 arch/arm/include/asm/kvm_arm.h                     |   4 +-
 arch/arm/include/asm/uaccess.h                     |  44 +++++---
 arch/arm/kernel/entry-header.S                     |   6 ++
 arch/arm/kvm/handle_exit.c                         |  19 ++--
 arch/arm/mach-omap2/gpmc-onenand.c                 |  10 +-
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c         |  25 +++--
 arch/arm64/include/asm/kvm_arm.h                   |   3 +-
 arch/arm64/kernel/process.c                        |   9 ++
 arch/arm64/kvm/handle_exit.c                       |  19 ++--
 arch/powerpc/Makefile                              |  11 +-
 arch/powerpc/include/asm/checksum.h                |   2 +-
 arch/powerpc/kernel/cpu_setup_power.S              |   2 +
 arch/powerpc/mm/pgtable-radix.c                    |   4 +
 arch/powerpc/platforms/powernv/pci-ioda.c          |   3 +
 arch/powerpc/sysdev/axonram.c                      |   5 +-
 arch/s390/kernel/syscalls.S                        |   6 +-
 arch/s390/kvm/priv.c                               |  11 +-
 arch/sparc/mm/init_64.c                            |   9 +-
 arch/x86/include/asm/kvm_host.h                    |   3 +
 arch/x86/kernel/hpet.c                             |   2 +-
 arch/x86/kvm/vmx.c                                 |  31 ++----
 arch/x86/kvm/x86.c                                 |  14 +++
 arch/x86/pci/broadcom_bus.c                        |   2 +-
 arch/x86/platform/uv/tlb_uv.c                      |   1 -
 block/blk-core.c                                   |   4 +-
 block/blk-mq-sysfs.c                               |   4 +-
 block/blk-mq.c                                     |   4 +-
 block/blk-mq.h                                     |   1 +
 crypto/asymmetric_keys/pkcs7_verify.c              |   2 +-
 crypto/asymmetric_keys/x509_cert_parser.c          |   2 +
 crypto/asymmetric_keys/x509_public_key.c           |   2 +-
 drivers/ata/libata-sff.c                           |   1 -
 drivers/atm/horizon.c                              |   2 +-
 drivers/base/isa.c                                 |  10 +-
 drivers/block/zram/zram_drv.c                      |   2 +
 drivers/bus/arm-cci.c                              |   7 +-
 drivers/bus/arm-ccn.c                              |  11 +-
 drivers/clk/uniphier/clk-uniphier-sys.c            |   2 +-
 drivers/crypto/s5p-sss.c                           |   5 +-
 drivers/crypto/talitos.c                           |  66 ++++++++----
 drivers/edac/i5000_edac.c                          |   8 +-
 drivers/edac/i5400_edac.c                          |   9 +-
 drivers/firmware/efi/efi.c                         |   3 +-
 drivers/firmware/efi/esrt.c                        |  17 ++--
 drivers/firmware/efi/runtime-map.c                 |  10 +-
 drivers/gpio/gpio-altera.c                         |  26 ++---
 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c         |   5 +-
 drivers/gpu/drm/armada/Makefile                    |   2 -
 drivers/gpu/drm/exynos/exynos_drm_gem.c            |   9 ++
 drivers/hid/Kconfig                                |   4 +-
 drivers/hid/hid-chicony.c                          |   1 +
 drivers/hid/hid-core.c                             |   1 +
 drivers/hid/hid-ids.h                              |   1 +
 drivers/i2c/busses/i2c-riic.c                      |   6 +-
 drivers/infiniband/hw/cxgb4/t4fw_ri_api.h          |   4 +-
 drivers/infiniband/hw/mlx4/qp.c                    |   2 +-
 drivers/infiniband/hw/mlx5/main.c                  |   2 +
 drivers/iommu/intel-iommu.c                        |   8 +-
 drivers/irqchip/irq-crossbar.c                     |   8 +-
 drivers/md/bitmap.c                                |   9 ++
 drivers/media/rc/lirc_dev.c                        |   4 +-
 drivers/media/usb/dvb-usb/dibusb-common.c          |  16 ++-
 drivers/memory/omap-gpmc.c                         |   4 +-
 drivers/net/can/ti_hecc.c                          |   3 +
 drivers/net/can/usb/ems_usb.c                      |   2 +
 drivers/net/can/usb/esd_usb2.c                     |   2 +
 drivers/net/can/usb/kvaser_usb.c                   |  13 ++-
 drivers/net/can/usb/usb_8dev.c                     |   2 +
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c   |  36 +++++--
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c  |   8 +-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h  |   1 +
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c   |  23 ++---
 drivers/net/ethernet/ibm/ibmvnic.c                 |  43 ++++++--
 drivers/net/ethernet/ibm/ibmvnic.h                 |   1 +
 drivers/net/ipvlan/ipvlan_core.c                   |   2 +-
 drivers/net/phy/spi_ks8995.c                       |   3 +-
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |   2 +-
 drivers/net/wireless/mac80211_hwsim.c              |   5 +-
 drivers/rapidio/devices/rio_mport_cdev.c           |   3 +-
 drivers/scsi/lpfc/lpfc_els.c                       |  14 ++-
 drivers/scsi/qla2xxx/qla_dbg.c                     |  12 +--
 drivers/scsi/scsi_lib.c                            |  10 +-
 drivers/spi/Kconfig                                |   1 -
 drivers/usb/dwc3/gadget.c                          |   7 +-
 drivers/usb/gadget/configfs.c                      |   1 +
 drivers/usb/gadget/function/f_fs.c                 |  13 ++-
 drivers/usb/gadget/legacy/inode.c                  |   4 +-
 drivers/usb/gadget/udc/net2280.c                   |  25 ++---
 drivers/usb/gadget/udc/pxa27x_udc.c                |   5 +-
 drivers/usb/gadget/udc/renesas_usb3.c              |   2 +-
 drivers/virtio/virtio.c                            |   2 +
 fs/afs/cmservice.c                                 |   3 +
 fs/btrfs/extent-tree.c                             |   1 +
 fs/nfs/dir.c                                       |   2 +-
 fs/xfs/xfs_inode.c                                 |   1 +
 include/linux/dma-mapping.h                        |   2 -
 include/linux/genalloc.h                           |   3 +-
 include/linux/mmu_notifier.h                       |  13 ---
 include/linux/omap-gpmc.h                          |   5 +-
 include/linux/sysfs.h                              |   6 ++
 include/scsi/libsas.h                              |   2 +-
 kernel/audit.c                                     |  10 +-
 kernel/bpf/percpu_freelist.c                       |   8 +-
 kernel/cpu.c                                       |  10 +-
 kernel/debug/kdb/kdb_io.c                          |   2 +-
 kernel/jump_label.c                                |   2 +-
 kernel/sched/fair.c                                |   2 +-
 kernel/sched/features.h                            |   5 +
 kernel/workqueue.c                                 |   1 +
 lib/asn1_decoder.c                                 |  49 +++++----
 lib/dynamic_debug.c                                |   4 +
 lib/genalloc.c                                     |  10 +-
 mm/huge_memory.c                                   |  84 +++++++++++-----
 mm/zsmalloc.c                                      |   2 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   4 +
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c           |   5 -
 net/ipv4/route.c                                   |  14 ++-
 net/ipv6/af_inet6.c                                |  10 +-
 net/ipv6/ip6_gre.c                                 |   2 +-
 net/ipv6/ip6_vti.c                                 |   8 +-
 net/rds/tcp.c                                      |  15 ++-
 net/rds/tcp.h                                      |   2 +-
 net/rds/tcp_listen.c                               |   9 +-
 net/sctp/socket.c                                  |  38 ++++---
 net/sunrpc/sched.c                                 |   3 +-
 net/xfrm/xfrm_policy.c                             |   1 +
 scripts/coccicheck                                 |  15 +--
 scripts/module-common.lds                          |   2 +
 scripts/package/Makefile                           |   5 +-
 security/keys/request_key.c                        |  46 +++++++--
 sound/core/pcm.c                                   |   2 +
 sound/core/seq/seq_timer.c                         |   2 +-
 sound/soc/sh/rcar/ssiu.c                           |   6 +-
 sound/usb/mixer.c                                  |  13 ++-
 tools/hv/hv_kvp_daemon.c                           |  70 +++----------
 tools/testing/selftests/powerpc/harness.c          |   6 +-
 tools/testing/selftests/x86/fsgsbase.c             |   2 +-
 tools/testing/selftests/x86/ldt_gdt.c              |  16 ++-
 tools/testing/selftests/x86/mpx-hw.h               |   4 +-
 tools/testing/selftests/x86/ptrace_syscall.c       |   3 +-
 tools/testing/selftests/x86/single_step_syscall.c  |   5 +-
 virt/kvm/arm/hyp/vgic-v2-sr.c                      |   4 -
 virt/kvm/arm/vgic/vgic-irqfd.c                     |   3 +-
 virt/kvm/arm/vgic/vgic-its.c                       | 111 +++++++++++++--------
 virt/kvm/kvm_main.c                                |   8 ++
 148 files changed, 935 insertions(+), 545 deletions(-)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 001/148] usb: gadget: udc: renesas_usb3: fix number of the pipes
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 003/148] can: kvaser_usb: free buf in error paths Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yoshihiro Shimoda, Felipe Balbi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit a58204ab91ad8cae4d8474aa0ba5d1fc504860c9 upstream.

This controller on R-Car Gen3 has 6 pipes that included PIPE 0 for
control actually. But, the datasheet has error in writing as it has
31 pipes. (However, the previous code defined 30 pipes wrongly...)

Anyway, this patch fixes it.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/udc/renesas_usb3.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -222,7 +222,7 @@
 #define USB3_EP0_SS_MAX_PACKET_SIZE	512
 #define USB3_EP0_HSFS_MAX_PACKET_SIZE	64
 #define USB3_EP0_BUF_SIZE		8
-#define USB3_MAX_NUM_PIPES		30
+#define USB3_MAX_NUM_PIPES		6	/* This includes PIPE 0 */
 #define USB3_WAIT_US			3
 
 struct renesas_usb3;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 003/148] can: kvaser_usb: free buf in error paths
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 001/148] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 004/148] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit 435019b48033138581a6171093b181fc6b4d3d30 upstream.

The allocated buffer was not freed if usb_submit_urb() failed.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -813,6 +813,7 @@ static int kvaser_usb_simple_msg_async(s
 	if (err) {
 		netdev_err(netdev, "Error transmitting URB\n");
 		usb_unanchor_urb(urb);
+		kfree(buf);
 		usb_free_urb(urb);
 		return err;
 	}
@@ -1768,6 +1769,7 @@ static netdev_tx_t kvaser_usb_start_xmit
 		spin_unlock_irqrestore(&priv->tx_contexts_lock, flags);
 
 		usb_unanchor_urb(urb);
+		kfree(buf);
 
 		stats->tx_dropped++;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 004/148] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 001/148] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 003/148] can: kvaser_usb: free buf in error paths Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 005/148] can: kvaser_usb: ratelimit errors if incomplete messages are received Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit e84f44eb5523401faeb9cc1c97895b68e3cfb78d upstream.

The conditon in the while-loop becomes true when actual_length is less than
2 (MSG_HEADER_LEN). In best case we end up with a former, already
dispatched msg, that got msg->len greater than actual_length. This will
result in a "Format error" error printout.

Problem seen when unplugging a Kvaser USB device connected to a vbox guest.

warning: comparison between signed and unsigned integer expressions
[-Wsign-compare]

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1334,7 +1334,7 @@ static void kvaser_usb_read_bulk_callbac
 		goto resubmit_urb;
 	}
 
-	while (pos <= urb->actual_length - MSG_HEADER_LEN) {
+	while (pos <= (int)(urb->actual_length - MSG_HEADER_LEN)) {
 		msg = urb->transfer_buffer + pos;
 
 		/* The Kvaser firmware can only read and write messages that

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 005/148] can: kvaser_usb: ratelimit errors if incomplete messages are received
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 004/148] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 006/148] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Marc Kleine-Budde

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jimmy Assarsson <jimmyassarsson@gmail.com>

commit 8bd13bd522ff7dfa0eb371921aeb417155f7a3be upstream.

Avoid flooding the kernel log with "Formate error", if incomplete message
are received.

Signed-off-by: Jimmy Assarsson <jimmyassarsson@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -609,8 +609,8 @@ static int kvaser_usb_wait_msg(const str
 			}
 
 			if (pos + tmp->len > actual_len) {
-				dev_err(dev->udev->dev.parent,
-					"Format error\n");
+				dev_err_ratelimited(dev->udev->dev.parent,
+						    "Format error\n");
 				break;
 			}
 
@@ -1353,7 +1353,8 @@ static void kvaser_usb_read_bulk_callbac
 		}
 
 		if (pos + msg->len > urb->actual_length) {
-			dev_err(dev->udev->dev.parent, "Format error\n");
+			dev_err_ratelimited(dev->udev->dev.parent,
+					    "Format error\n");
 			break;
 		}
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 006/148] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 005/148] can: kvaser_usb: ratelimit errors if incomplete messages are received Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 007/148] can: ems_usb: " Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 6aa8d5945502baf4687d80de59b7ac865e9e666b upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/kvaser_usb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -1326,6 +1326,8 @@ static void kvaser_usb_read_bulk_callbac
 	case 0:
 		break;
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 	default:

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 007/148] can: ems_usb: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 006/148] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 008/148] can: esd_usb2: " Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit bd352e1adfe0d02d3ea7c8e3fb19183dc317e679 upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/ems_usb.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -288,6 +288,8 @@ static void ems_usb_read_interrupt_callb
 
 	case -ECONNRESET: /* unlink */
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 008/148] can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 007/148] can: ems_usb: " Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 009/148] can: usb_8dev: " Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 7a31ced3de06e9878e4f9c3abe8f87d9344d8144 upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/esd_usb2.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
@@ -393,6 +393,8 @@ static void esd_usb2_read_bulk_callback(
 		break;
 
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 009/148] can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 008/148] can: esd_usb2: " Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 010/148] virtio: release virtio index when fail to device_register Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Kelly, Marc Kleine-Budde

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit 12147edc434c9e4c7c2f5fee2e5519b2e5ac34ce upstream.

In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/usb_8dev.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -524,6 +524,8 @@ static void usb_8dev_read_bulk_callback(
 		break;
 
 	case -ENOENT:
+	case -EPIPE:
+	case -EPROTO:
 	case -ESHUTDOWN:
 		return;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 010/148] virtio: release virtio index when fail to device_register
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 009/148] can: usb_8dev: " Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 011/148] hv: kvp: Avoid reading past allocated blocks from KVP file Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, weiping zhang, Cornelia Huck,
	Michael S. Tsirkin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: weiping zhang <zwp10758@gmail.com>

commit e60ea67bb60459b95a50a156296041a13e0e380e upstream.

index can be reused by other virtio device.

Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/virtio/virtio.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/virtio/virtio.c
+++ b/drivers/virtio/virtio.c
@@ -323,6 +323,8 @@ int register_virtio_device(struct virtio
 	/* device_register() causes the bus infrastructure to look for a
 	 * matching driver. */
 	err = device_register(&dev->dev);
+	if (err)
+		ida_simple_remove(&virtio_index_ida, dev->index);
 out:
 	if (err)
 		add_status(dev, VIRTIO_CONFIG_S_FAILED);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 011/148] hv: kvp: Avoid reading past allocated blocks from KVP file
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 010/148] virtio: release virtio index when fail to device_register Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 012/148] isa: Prevent NULL dereference in isa_bus driver callbacks Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Meyer, Long Li, K. Y. Srinivasan

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Meyer <Paul.Meyer@microsoft.com>

commit 297d6b6e56c2977fc504c61bbeeaa21296923f89 upstream.

While reading in more than one block (50) of KVP records, the allocation
goes per block, but the reads used the total number of allocated records
(without resetting the pointer/stream). This causes the records buffer to
overrun when the refresh reads more than one block over the previous
capacity (e.g. reading more than 100 KVP records whereas the in-memory
database was empty before).

Fix this by reading the correct number of KVP records from file each time.

Signed-off-by: Paul Meyer <Paul.Meyer@microsoft.com>
Signed-off-by: Long Li <longli@microsoft.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/hv/hv_kvp_daemon.c |   70 +++++++++--------------------------------------
 1 file changed, 14 insertions(+), 56 deletions(-)

--- a/tools/hv/hv_kvp_daemon.c
+++ b/tools/hv/hv_kvp_daemon.c
@@ -193,11 +193,14 @@ static void kvp_update_mem_state(int poo
 	for (;;) {
 		readp = &record[records_read];
 		records_read += fread(readp, sizeof(struct kvp_record),
-					ENTRIES_PER_BLOCK * num_blocks,
-					filep);
+				ENTRIES_PER_BLOCK * num_blocks - records_read,
+				filep);
 
 		if (ferror(filep)) {
-			syslog(LOG_ERR, "Failed to read file, pool: %d", pool);
+			syslog(LOG_ERR,
+				"Failed to read file, pool: %d; error: %d %s",
+				 pool, errno, strerror(errno));
+			kvp_release_lock(pool);
 			exit(EXIT_FAILURE);
 		}
 
@@ -210,6 +213,7 @@ static void kvp_update_mem_state(int poo
 
 			if (record == NULL) {
 				syslog(LOG_ERR, "malloc failed");
+				kvp_release_lock(pool);
 				exit(EXIT_FAILURE);
 			}
 			continue;
@@ -224,15 +228,11 @@ static void kvp_update_mem_state(int poo
 	fclose(filep);
 	kvp_release_lock(pool);
 }
+
 static int kvp_file_init(void)
 {
 	int  fd;
-	FILE *filep;
-	size_t records_read;
 	char *fname;
-	struct kvp_record *record;
-	struct kvp_record *readp;
-	int num_blocks;
 	int i;
 	int alloc_unit = sizeof(struct kvp_record) * ENTRIES_PER_BLOCK;
 
@@ -246,61 +246,19 @@ static int kvp_file_init(void)
 
 	for (i = 0; i < KVP_POOL_COUNT; i++) {
 		fname = kvp_file_info[i].fname;
-		records_read = 0;
-		num_blocks = 1;
 		sprintf(fname, "%s/.kvp_pool_%d", KVP_CONFIG_LOC, i);
 		fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0644 /* rw-r--r-- */);
 
 		if (fd == -1)
 			return 1;
 
-
-		filep = fopen(fname, "re");
-		if (!filep) {
-			close(fd);
-			return 1;
-		}
-
-		record = malloc(alloc_unit * num_blocks);
-		if (record == NULL) {
-			fclose(filep);
-			close(fd);
-			return 1;
-		}
-		for (;;) {
-			readp = &record[records_read];
-			records_read += fread(readp, sizeof(struct kvp_record),
-					ENTRIES_PER_BLOCK,
-					filep);
-
-			if (ferror(filep)) {
-				syslog(LOG_ERR, "Failed to read file, pool: %d",
-				       i);
-				exit(EXIT_FAILURE);
-			}
-
-			if (!feof(filep)) {
-				/*
-				 * We have more data to read.
-				 */
-				num_blocks++;
-				record = realloc(record, alloc_unit *
-						num_blocks);
-				if (record == NULL) {
-					fclose(filep);
-					close(fd);
-					return 1;
-				}
-				continue;
-			}
-			break;
-		}
 		kvp_file_info[i].fd = fd;
-		kvp_file_info[i].num_blocks = num_blocks;
-		kvp_file_info[i].records = record;
-		kvp_file_info[i].num_records = records_read;
-		fclose(filep);
-
+		kvp_file_info[i].num_blocks = 1;
+		kvp_file_info[i].records = malloc(alloc_unit);
+		if (kvp_file_info[i].records == NULL)
+			return 1;
+		kvp_file_info[i].num_records = 0;
+		kvp_update_mem_state(i);
 	}
 
 	return 0;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 012/148] isa: Prevent NULL dereference in isa_bus driver callbacks
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 011/148] hv: kvp: Avoid reading past allocated blocks from KVP file Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 013/148] scsi: dma-mapping: always provide dma_get_cache_alignment Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, William Breathitt Gray, Linus Torvalds

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: William Breathitt Gray <vilhelm.gray@gmail.com>

commit 5a244727f428a06634f22bb890e78024ab0c89f3 upstream.

The isa_driver structure for an isa_bus device is stored in the device
platform_data member of the respective device structure. This
platform_data member may be reset to NULL if isa_driver match callback
for the device fails, indicating a device unsupported by the ISA driver.

This patch fixes a possible NULL pointer dereference if one of the
isa_driver callbacks to attempted for an unsupported device. This error
should not occur in practice since ISA devices are typically manually
configured and loaded by the users, but we may as well prevent this
error from popping up for the 0day testers.

Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/isa.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/base/isa.c
+++ b/drivers/base/isa.c
@@ -39,7 +39,7 @@ static int isa_bus_probe(struct device *
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->probe)
+	if (isa_driver && isa_driver->probe)
 		return isa_driver->probe(dev, to_isa_dev(dev)->id);
 
 	return 0;
@@ -49,7 +49,7 @@ static int isa_bus_remove(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->remove)
+	if (isa_driver && isa_driver->remove)
 		return isa_driver->remove(dev, to_isa_dev(dev)->id);
 
 	return 0;
@@ -59,7 +59,7 @@ static void isa_bus_shutdown(struct devi
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->shutdown)
+	if (isa_driver && isa_driver->shutdown)
 		isa_driver->shutdown(dev, to_isa_dev(dev)->id);
 }
 
@@ -67,7 +67,7 @@ static int isa_bus_suspend(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->suspend)
+	if (isa_driver && isa_driver->suspend)
 		return isa_driver->suspend(dev, to_isa_dev(dev)->id, state);
 
 	return 0;
@@ -77,7 +77,7 @@ static int isa_bus_resume(struct device
 {
 	struct isa_driver *isa_driver = dev->platform_data;
 
-	if (isa_driver->resume)
+	if (isa_driver && isa_driver->resume)
 		return isa_driver->resume(dev, to_isa_dev(dev)->id);
 
 	return 0;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 013/148] scsi: dma-mapping: always provide dma_get_cache_alignment
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 012/148] isa: Prevent NULL dereference in isa_bus driver callbacks Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 014/148] scsi: use dma_get_cache_alignment() as minimum DMA alignment Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Martin K. Petersen

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <hch@lst.de>

commit 860dd4424f344400b491b212ee4acb3a358ba9d9 upstream.

Provide the dummy version of dma_get_cache_alignment that always returns
1 even if CONFIG_HAS_DMA is not set, so that drivers and subsystems can
use it without ifdefs.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/dma-mapping.h |    2 --
 1 file changed, 2 deletions(-)

--- a/include/linux/dma-mapping.h
+++ b/include/linux/dma-mapping.h
@@ -659,7 +659,6 @@ static inline void *dma_zalloc_coherent(
 	return ret;
 }
 
-#ifdef CONFIG_HAS_DMA
 static inline int dma_get_cache_alignment(void)
 {
 #ifdef ARCH_DMA_MINALIGN
@@ -667,7 +666,6 @@ static inline int dma_get_cache_alignmen
 #endif
 	return 1;
 }
-#endif
 
 /* flags for the coherent memory api */
 #define	DMA_MEMORY_MAP			0x01

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 014/148] scsi: use dma_get_cache_alignment() as minimum DMA alignment
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 013/148] scsi: dma-mapping: always provide dma_get_cache_alignment Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 015/148] scsi: libsas: align sata_devices rps_resp on a cacheline Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Christoph Hellwig,
	Martin K. Petersen

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit 90addc6b3c9cda0146fbd62a08e234c2b224a80c upstream.

In non-coherent DMA mode, kernel uses cache flushing operations to
maintain I/O coherency, so scsi's block queue should be aligned to the
value returned by dma_get_cache_alignment().  Otherwise, If a DMA buffer
and a kernel structure share a same cache line, and if the kernel
structure has dirty data, cache_invalidate (no writeback) will cause
data corruption.

Signed-off-by: Huacai Chen <chenhc@lemote.com>
[hch: rebased and updated the comment and changelog]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_lib.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2041,11 +2041,13 @@ static void __scsi_init_queue(struct Scs
 		q->limits.cluster = 0;
 
 	/*
-	 * set a reasonable default alignment on word boundaries: the
-	 * host and device may alter it using
-	 * blk_queue_update_dma_alignment() later.
+	 * Set a reasonable default alignment:  The larger of 32-byte (dword),
+	 * which is a common minimum for HBAs, and the minimum DMA alignment,
+	 * which is set by the platform.
+	 *
+	 * Devices that require a bigger alignment can increase it later.
 	 */
-	blk_queue_dma_alignment(q, 0x03);
+	blk_queue_dma_alignment(q, max(4, dma_get_cache_alignment()) - 1);
 }
 
 struct request_queue *__scsi_alloc_queue(struct Scsi_Host *shost,

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 015/148] scsi: libsas: align sata_devices rps_resp on a cacheline
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 014/148] scsi: use dma_get_cache_alignment() as minimum DMA alignment Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 016/148] efi: Move some sysfs files to be read-only by root Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Christoph Hellwig,
	Martin K. Petersen

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Huacai Chen <chenhc@lemote.com>

commit c2e8fbf908afd81ad502b567a6639598f92c9b9d upstream.

The rps_resp buffer in ata_device is a DMA target, but it isn't
explicitly cacheline aligned. Due to this, adjacent fields can be
overwritten with stale data from memory on non-coherent architectures.
As a result, the kernel is sometimes unable to communicate with an SATA
device behind a SAS expander.

Fix this by ensuring that the rps_resp buffer is cacheline aligned.

This issue is similar to that fixed by Commit 84bda12af31f93 ("libata:
align ap->sector_buf") and Commit 4ee34ea3a12396f35b26 ("libata: Align
ata_device's id on a cacheline").

Signed-off-by: Huacai Chen <chenhc@lemote.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/scsi/libsas.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/scsi/libsas.h
+++ b/include/scsi/libsas.h
@@ -165,11 +165,11 @@ struct expander_device {
 
 struct sata_device {
 	unsigned int class;
-	struct smp_resp        rps_resp; /* report_phy_sata_resp */
 	u8     port_no;        /* port number, if this is a PM (Port) */
 
 	struct ata_port *ap;
 	struct ata_host ata_host;
+	struct smp_resp rps_resp ____cacheline_aligned; /* report_phy_sata_resp */
 	u8     fis[ATA_RESP_FIS_SIZE];
 };
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 016/148] efi: Move some sysfs files to be read-only by root
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 015/148] scsi: libsas: align sata_devices rps_resp on a cacheline Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 017/148] efi/esrt: Use memunmap() instead of kfree() to free the remapping Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Dave Young,
	Ard Biesheuvel, H. Peter Anvin, Matt Fleming, Peter Zijlstra,
	Thomas Gleixner, linux-efi, Ingo Molnar

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit af97a77bc01ce49a466f9d4c0125479e2e2230b6 upstream.

Thanks to the scripts/leaking_addresses.pl script, it was found that
some EFI values should not be readable by non-root users.

So make them root-only, and to do that, add a __ATTR_RO_MODE() macro to
make this easier, and use it in other places at the same time.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20171206095010.24170-2-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/efi.c         |    3 +--
 drivers/firmware/efi/esrt.c        |   15 ++++++---------
 drivers/firmware/efi/runtime-map.c |   10 +++++-----
 include/linux/sysfs.h              |    6 ++++++
 4 files changed, 18 insertions(+), 16 deletions(-)

--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -120,8 +120,7 @@ static ssize_t systab_show(struct kobjec
 	return str - buf;
 }
 
-static struct kobj_attribute efi_attr_systab =
-			__ATTR(systab, 0400, systab_show, NULL);
+static struct kobj_attribute efi_attr_systab = __ATTR_RO_MODE(systab, 0400);
 
 #define EFI_FIELD(var) efi.var
 
--- a/drivers/firmware/efi/esrt.c
+++ b/drivers/firmware/efi/esrt.c
@@ -106,7 +106,7 @@ static const struct sysfs_ops esre_attr_
 };
 
 /* Generic ESRT Entry ("ESRE") support. */
-static ssize_t esre_fw_class_show(struct esre_entry *entry, char *buf)
+static ssize_t fw_class_show(struct esre_entry *entry, char *buf)
 {
 	char *str = buf;
 
@@ -117,18 +117,16 @@ static ssize_t esre_fw_class_show(struct
 	return str - buf;
 }
 
-static struct esre_attribute esre_fw_class = __ATTR(fw_class, 0400,
-	esre_fw_class_show, NULL);
+static struct esre_attribute esre_fw_class = __ATTR_RO_MODE(fw_class, 0400);
 
 #define esre_attr_decl(name, size, fmt) \
-static ssize_t esre_##name##_show(struct esre_entry *entry, char *buf) \
+static ssize_t name##_show(struct esre_entry *entry, char *buf) \
 { \
 	return sprintf(buf, fmt "\n", \
 		       le##size##_to_cpu(entry->esre.esre1->name)); \
 } \
 \
-static struct esre_attribute esre_##name = __ATTR(name, 0400, \
-	esre_##name##_show, NULL)
+static struct esre_attribute esre_##name = __ATTR_RO_MODE(name, 0400)
 
 esre_attr_decl(fw_type, 32, "%u");
 esre_attr_decl(fw_version, 32, "%u");
@@ -193,14 +191,13 @@ static int esre_create_sysfs_entry(void
 
 /* support for displaying ESRT fields at the top level */
 #define esrt_attr_decl(name, size, fmt) \
-static ssize_t esrt_##name##_show(struct kobject *kobj, \
+static ssize_t name##_show(struct kobject *kobj, \
 				  struct kobj_attribute *attr, char *buf)\
 { \
 	return sprintf(buf, fmt "\n", le##size##_to_cpu(esrt->name)); \
 } \
 \
-static struct kobj_attribute esrt_##name = __ATTR(name, 0400, \
-	esrt_##name##_show, NULL)
+static struct kobj_attribute esrt_##name = __ATTR_RO_MODE(name, 0400)
 
 esrt_attr_decl(fw_resource_count, 32, "%u");
 esrt_attr_decl(fw_resource_count_max, 32, "%u");
--- a/drivers/firmware/efi/runtime-map.c
+++ b/drivers/firmware/efi/runtime-map.c
@@ -63,11 +63,11 @@ static ssize_t map_attr_show(struct kobj
 	return map_attr->show(entry, buf);
 }
 
-static struct map_attribute map_type_attr = __ATTR_RO(type);
-static struct map_attribute map_phys_addr_attr   = __ATTR_RO(phys_addr);
-static struct map_attribute map_virt_addr_attr  = __ATTR_RO(virt_addr);
-static struct map_attribute map_num_pages_attr  = __ATTR_RO(num_pages);
-static struct map_attribute map_attribute_attr  = __ATTR_RO(attribute);
+static struct map_attribute map_type_attr = __ATTR_RO_MODE(type, 0400);
+static struct map_attribute map_phys_addr_attr = __ATTR_RO_MODE(phys_addr, 0400);
+static struct map_attribute map_virt_addr_attr = __ATTR_RO_MODE(virt_addr, 0400);
+static struct map_attribute map_num_pages_attr = __ATTR_RO_MODE(num_pages, 0400);
+static struct map_attribute map_attribute_attr = __ATTR_RO_MODE(attribute, 0400);
 
 /*
  * These are default attributes that are added for every memmap entry.
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -116,6 +116,12 @@ struct attribute_group {
 	.show	= _name##_show,						\
 }
 
+#define __ATTR_RO_MODE(_name, _mode) {					\
+	.attr	= { .name = __stringify(_name),				\
+		    .mode = VERIFY_OCTAL_PERMISSIONS(_mode) },		\
+	.show	= _name##_show,						\
+}
+
 #define __ATTR_WO(_name) {						\
 	.attr	= { .name = __stringify(_name), .mode = S_IWUSR },	\
 	.store	= _name##_store,					\

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 017/148] efi/esrt: Use memunmap() instead of kfree() to free the remapping
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 016/148] efi: Move some sysfs files to be read-only by root Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 018/148] ASN.1: fix out-of-bounds read when parsing indefinite length item Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pan Bian, Ard Biesheuvel,
	H. Peter Anvin, Linus Torvalds, Matt Fleming, Peter Zijlstra,
	Thomas Gleixner, linux-efi, Ingo Molnar

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pan Bian <bianpan2016@163.com>

commit 89c5a2d34bda58319e3075e8e7dd727ea25a435c upstream.

The remapping result of memremap() should be freed with memunmap(), not kfree().

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20171206095010.24170-3-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/efi/esrt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/firmware/efi/esrt.c
+++ b/drivers/firmware/efi/esrt.c
@@ -428,7 +428,7 @@ err_remove_group:
 err_remove_esrt:
 	kobject_put(esrt_kobj);
 err:
-	kfree(esrt);
+	memunmap(esrt);
 	esrt = NULL;
 	return error;
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 018/148] ASN.1: fix out-of-bounds read when parsing indefinite length item
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 017/148] efi/esrt: Use memunmap() instead of kfree() to free the remapping Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 019/148] ASN.1: check for error from ASN1_OP_END__ACT actions Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Potapenko, Eric Biggers,
	David Howells

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit e0058f3a874ebb48b25be7ff79bc3b4e59929f90 upstream.

In asn1_ber_decoder(), indefinitely-sized ASN.1 items were being passed
to the action functions before their lengths had been computed, using
the bogus length of 0x80 (ASN1_INDEFINITE_LENGTH).  This resulted in
reading data past the end of the input buffer, when given a specially
crafted message.

Fix it by rearranging the code so that the indefinite length is resolved
before the action is called.

This bug was originally found by fuzzing the X.509 parser in userspace
using libFuzzer from the LLVM project.

KASAN report (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in memcpy ./include/linux/string.h:341 [inline]
    BUG: KASAN: slab-out-of-bounds in x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
    Read of size 128 at addr ffff880035dd9eaf by task keyctl/195

    CPU: 1 PID: 195 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xd1/0x175 lib/dump_stack.c:53
     print_address_description+0x78/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x23f/0x350 mm/kasan/report.c:409
     memcpy+0x1f/0x50 mm/kasan/kasan.c:302
     memcpy ./include/linux/string.h:341 [inline]
     x509_fabricate_name.constprop.1+0x1a4/0x940 crypto/asymmetric_keys/x509_cert_parser.c:366
     asn1_ber_decoder+0xb4a/0x1fd0 lib/asn1_decoder.c:447
     x509_cert_parse+0x1c7/0x620 crypto/asymmetric_keys/x509_cert_parser.c:89
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

    Allocated by task 195:
     __do_kmalloc_node mm/slab.c:3675 [inline]
     __kmalloc_node+0x47/0x60 mm/slab.c:3682
     kvmalloc ./include/linux/mm.h:540 [inline]
     SYSC_add_key security/keys/keyctl.c:104 [inline]
     SyS_add_key+0x19e/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/asn1_decoder.c |   47 ++++++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 21 deletions(-)

--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -313,42 +313,47 @@ next_op:
 
 	/* Decide how to handle the operation */
 	switch (op) {
-	case ASN1_OP_MATCH_ANY_ACT:
-	case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
-	case ASN1_OP_COND_MATCH_ANY_ACT:
-	case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
-		ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len);
-		if (ret < 0)
-			return ret;
-		goto skip_data;
-
-	case ASN1_OP_MATCH_ACT:
-	case ASN1_OP_MATCH_ACT_OR_SKIP:
-	case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
-		ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len);
-		if (ret < 0)
-			return ret;
-		goto skip_data;
-
 	case ASN1_OP_MATCH:
 	case ASN1_OP_MATCH_OR_SKIP:
+	case ASN1_OP_MATCH_ACT:
+	case ASN1_OP_MATCH_ACT_OR_SKIP:
 	case ASN1_OP_MATCH_ANY:
 	case ASN1_OP_MATCH_ANY_OR_SKIP:
+	case ASN1_OP_MATCH_ANY_ACT:
+	case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
 	case ASN1_OP_COND_MATCH_OR_SKIP:
+	case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
 	case ASN1_OP_COND_MATCH_ANY:
 	case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
-	skip_data:
+	case ASN1_OP_COND_MATCH_ANY_ACT:
+	case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
+
 		if (!(flags & FLAG_CONS)) {
 			if (flags & FLAG_INDEFINITE_LENGTH) {
+				size_t tmp = dp;
+
 				ret = asn1_find_indefinite_length(
-					data, datalen, &dp, &len, &errmsg);
+					data, datalen, &tmp, &len, &errmsg);
 				if (ret < 0)
 					goto error;
-			} else {
-				dp += len;
 			}
 			pr_debug("- LEAF: %zu\n", len);
 		}
+
+		if (op & ASN1_OP_MATCH__ACT) {
+			unsigned char act;
+
+			if (op & ASN1_OP_MATCH__ANY)
+				act = machine[pc + 1];
+			else
+				act = machine[pc + 2];
+			ret = actions[act](context, hdr, tag, data + dp, len);
+			if (ret < 0)
+				return ret;
+		}
+
+		if (!(flags & FLAG_CONS))
+			dp += len;
 		pc += asn1_op_lengths[op];
 		goto next_op;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 019/148] ASN.1: check for error from ASN1_OP_END__ACT actions
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 018/148] ASN.1: fix out-of-bounds read when parsing indefinite length item Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 020/148] KEYS: add missing permission check for request_key() destination Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells, James Morris

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 81a7be2cd69b412ab6aeacfe5ebf1bb6e5bce955 upstream.

asn1_ber_decoder() was ignoring errors from actions associated with the
opcodes ASN1_OP_END_SEQ_ACT, ASN1_OP_END_SET_ACT,
ASN1_OP_END_SEQ_OF_ACT, and ASN1_OP_END_SET_OF_ACT.  In practice, this
meant the pkcs7_note_signed_info() action (since that was the only user
of those opcodes).  Fix it by checking for the error, just like the
decoder does for actions associated with the other opcodes.

This bug allowed users to leak slab memory by repeatedly trying to add a
specially crafted "pkcs7_test" key (requires CONFIG_PKCS7_TEST_KEY).

In theory, this bug could also be used to bypass module signature
verification, by providing a PKCS#7 message that is misparsed such that
a signature's ->authattrs do not contain its ->msgdigest.  But it
doesn't seem practical in normal cases, due to restrictions on the
format of the ->authattrs.

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/asn1_decoder.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -439,6 +439,8 @@ next_op:
 			else
 				act = machine[pc + 1];
 			ret = actions[act](context, hdr, 0, data + tdp, len);
+			if (ret < 0)
+				return ret;
 		}
 		pc += asn1_op_lengths[op];
 		goto next_op;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 020/148] KEYS: add missing permission check for request_key() destination
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 019/148] ASN.1: check for error from ASN1_OP_END__ACT actions Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 021/148] X.509: reject invalid BIT STRING for subjectPublicKey Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.

When the request_key() syscall is not passed a destination keyring, it
links the requested key (if constructed) into the "default" request-key
keyring.  This should require Write permission to the keyring.  However,
there is actually no permission check.

This can be abused to add keys to any keyring to which only Search
permission is granted.  This is because Search permission allows joining
the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
then will set the default request-key keyring to the session keyring.
Then, request_key() can be used to add keys to the keyring.

Both negatively and positively instantiated keys can be added using this
method.  Adding negative keys is trivial.  Adding a positive key is a
bit trickier.  It requires that either /sbin/request-key positively
instantiates the key, or that another thread adds the key to the process
keyring at just the right time, such that request_key() misses it
initially but then finds it in construct_alloc_key().

Fix this bug by checking for Write permission to the keyring in
construct_get_dest_keyring() when the default keyring is being used.

We don't do the permission check for non-default keyrings because that
was already done by the earlier call to lookup_user_key().  Also,
request_key_and_link() is currently passed a 'struct key *' rather than
a key_ref_t, so the "possessed" bit is unavailable.

We also don't do the permission check for the "requestor keyring", to
continue to support the use case described by commit 8bbf4976b59f
("KEYS: Alter use of key instantiation link-to-keyring argument") where
/sbin/request-key recursively calls request_key() to add keys to the
original requestor's destination keyring.  (I don't know of any users
who actually do that, though...)

Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/keys/request_key.c |   46 +++++++++++++++++++++++++++++++++++---------
 1 file changed, 37 insertions(+), 9 deletions(-)

--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -250,11 +250,12 @@ static int construct_key(struct key *key
  * The keyring selected is returned with an extra reference upon it which the
  * caller must release.
  */
-static void construct_get_dest_keyring(struct key **_dest_keyring)
+static int construct_get_dest_keyring(struct key **_dest_keyring)
 {
 	struct request_key_auth *rka;
 	const struct cred *cred = current_cred();
 	struct key *dest_keyring = *_dest_keyring, *authkey;
+	int ret;
 
 	kenter("%p", dest_keyring);
 
@@ -263,6 +264,8 @@ static void construct_get_dest_keyring(s
 		/* the caller supplied one */
 		key_get(dest_keyring);
 	} else {
+		bool do_perm_check = true;
+
 		/* use a default keyring; falling through the cases until we
 		 * find one that we actually have */
 		switch (cred->jit_keyring) {
@@ -277,8 +280,10 @@ static void construct_get_dest_keyring(s
 					dest_keyring =
 						key_get(rka->dest_keyring);
 				up_read(&authkey->sem);
-				if (dest_keyring)
+				if (dest_keyring) {
+					do_perm_check = false;
 					break;
+				}
 			}
 
 		case KEY_REQKEY_DEFL_THREAD_KEYRING:
@@ -313,11 +318,29 @@ static void construct_get_dest_keyring(s
 		default:
 			BUG();
 		}
+
+		/*
+		 * Require Write permission on the keyring.  This is essential
+		 * because the default keyring may be the session keyring, and
+		 * joining a keyring only requires Search permission.
+		 *
+		 * However, this check is skipped for the "requestor keyring" so
+		 * that /sbin/request-key can itself use request_key() to add
+		 * keys to the original requestor's destination keyring.
+		 */
+		if (dest_keyring && do_perm_check) {
+			ret = key_permission(make_key_ref(dest_keyring, 1),
+					     KEY_NEED_WRITE);
+			if (ret) {
+				key_put(dest_keyring);
+				return ret;
+			}
+		}
 	}
 
 	*_dest_keyring = dest_keyring;
 	kleave(" [dk %d]", key_serial(dest_keyring));
-	return;
+	return 0;
 }
 
 /*
@@ -443,11 +466,15 @@ static struct key *construct_key_and_lin
 	if (ctx->index_key.type == &key_type_keyring)
 		return ERR_PTR(-EPERM);
 
-	user = key_user_lookup(current_fsuid());
-	if (!user)
-		return ERR_PTR(-ENOMEM);
+	ret = construct_get_dest_keyring(&dest_keyring);
+	if (ret)
+		goto error;
 
-	construct_get_dest_keyring(&dest_keyring);
+	user = key_user_lookup(current_fsuid());
+	if (!user) {
+		ret = -ENOMEM;
+		goto error_put_dest_keyring;
+	}
 
 	ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
 	key_user_put(user);
@@ -462,7 +489,7 @@ static struct key *construct_key_and_lin
 	} else if (ret == -EINPROGRESS) {
 		ret = 0;
 	} else {
-		goto couldnt_alloc_key;
+		goto error_put_dest_keyring;
 	}
 
 	key_put(dest_keyring);
@@ -472,8 +499,9 @@ static struct key *construct_key_and_lin
 construction_failed:
 	key_negate_and_link(key, key_negative_timeout, NULL, NULL);
 	key_put(key);
-couldnt_alloc_key:
+error_put_dest_keyring:
 	key_put(dest_keyring);
+error:
 	kleave(" = %d", ret);
 	return ERR_PTR(ret);
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 021/148] X.509: reject invalid BIT STRING for subjectPublicKey
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 020/148] KEYS: add missing permission check for request_key() destination Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 022/148] X.509: fix comparisons of ->pkey_algo Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells, James Morris

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.

Adding a specially crafted X.509 certificate whose subjectPublicKey
ASN.1 value is zero-length caused x509_extract_key_data() to set the
public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
metadata byte.  Then, x509_cert_parse() called kmemdup() with that bogus
size, triggering the WARN_ON_ONCE() in kmalloc_slab().

This appears to be harmless, but it still must be fixed since WARNs are
never supposed to be user-triggerable.

Fix it by updating x509_cert_parse() to validate that the value has a
BIT STRING metadata byte, and that the byte is 0 which indicates that
the number of bits in the bitstring is a multiple of 8.

It would be nice to handle the metadata byte in asn1_ber_decoder()
instead.  But that would be tricky because in the general case a BIT
STRING could be implicitly tagged, and/or could legitimately have a
length that is not a whole number of bytes.

Here was the WARN (cleaned up slightly):

    WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
    Modules linked in:
    CPU: 1 PID: 202 Comm: keyctl Tainted: G    B            4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    task: ffff880033014180 task.stack: ffff8800305c8000
    Call Trace:
     __do_kmalloc mm/slab.c:3706 [inline]
     __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
     kmemdup+0x17/0x40 mm/util.c:118
     kmemdup include/linux/string.h:414 [inline]
     x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/asymmetric_keys/x509_cert_parser.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -408,6 +408,8 @@ int x509_extract_key_data(void *context,
 	ctx->cert->pub->pkey_algo = "rsa";
 
 	/* Discard the BIT STRING metadata */
+	if (vlen < 1 || *(const u8 *)value != 0)
+		return -EBADMSG;
 	ctx->key = value + 1;
 	ctx->key_size = vlen - 1;
 	return 0;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 022/148] X.509: fix comparisons of ->pkey_algo
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 021/148] X.509: reject invalid BIT STRING for subjectPublicKey Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 023/148] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, David Howells

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 54c1fb39fe0495f846539ab765925b008f86801c upstream.

->pkey_algo used to be an enum, but was changed to a string by commit
4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum").  But
two comparisons were not updated.  Fix them to use strcmp().

This bug broke signature verification in certain configurations,
depending on whether the string constants were deduplicated or not.

Fixes: 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/asymmetric_keys/pkcs7_verify.c    |    2 +-
 crypto/asymmetric_keys/x509_public_key.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -150,7 +150,7 @@ static int pkcs7_find_key(struct pkcs7_m
 		pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
 			 sinfo->index, certix);
 
-		if (x509->pub->pkey_algo != sinfo->sig->pkey_algo) {
+		if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) {
 			pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
 				sinfo->index);
 			continue;
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -125,7 +125,7 @@ int x509_check_for_self_signed(struct x5
 	}
 
 	ret = -EKEYREJECTED;
-	if (cert->pub->pkey_algo != cert->sig->pkey_algo)
+	if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
 		goto out;
 
 	ret = public_key_verify_signature(cert->pub, cert->sig);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 023/148] x86/PCI: Make broadcom_postcore_init() check acpi_disabled
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 022/148] X.509: fix comparisons of ->pkey_algo Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 025/148] btrfs: fix missing error return in btrfs_drop_snapshot Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Hansen, Rafael J. Wysocki,
	Thomas Gleixner, Bjorn Helgaas, Linux PCI, Ingo Molnar

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit ddec3bdee05b06f1dda20ded003c3e10e4184cab upstream.

acpi_os_get_root_pointer() may return a valid address even if acpi_disabled
is set, but the host bridge information from the ACPI tables is not going
to be used in that case and the Broadcom host bridge initialization should
not be skipped then, So make broadcom_postcore_init() check acpi_disabled
too to avoid this issue.

Fixes: 6361d72b04d1 (x86/PCI: read Broadcom CNB20LE host bridge info before PCI scan)
Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Linux PCI <linux-pci@vger.kernel.org>
Link: https://lkml.kernel.org/r/3186627.pxZj1QbYNg@aspire.rjw.lan
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/pci/broadcom_bus.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/pci/broadcom_bus.c
+++ b/arch/x86/pci/broadcom_bus.c
@@ -97,7 +97,7 @@ static int __init broadcom_postcore_init
 	 * We should get host bridge information from ACPI unless the BIOS
 	 * doesn't support it.
 	 */
-	if (acpi_os_get_root_pointer())
+	if (!acpi_disabled && acpi_os_get_root_pointer())
 		return 0;
 #endif
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 025/148] btrfs: fix missing error return in btrfs_drop_snapshot
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 023/148] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 026/148] ALSA: pcm: prevent UAF in snd_pcm_info Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeff Mahoney, David Sterba

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit e19182c0fff451e3744c1107d98f072e7ca377a0 upstream.

If btrfs_del_root fails in btrfs_drop_snapshot, we'll pick up the
error but then return 0 anyway due to mixing err and ret.

Fixes: 79787eaab4612 ("btrfs: replace many BUG_ONs with proper error handling")
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/extent-tree.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -9362,6 +9362,7 @@ int btrfs_drop_snapshot(struct btrfs_roo
 	ret = btrfs_del_root(trans, tree_root, &root->root_key);
 	if (ret) {
 		btrfs_abort_transaction(trans, ret);
+		err = ret;
 		goto out_end_trans;
 	}
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 026/148] ALSA: pcm: prevent UAF in snd_pcm_info
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 025/148] btrfs: fix missing error return in btrfs_drop_snapshot Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 027/148] ALSA: seq: Remove spurious WARN_ON() at timer check Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robb Glasser, Nick Desaulniers, Takashi Iwai

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robb Glasser <rglasser@google.com>

commit 362bca57f5d78220f8b5907b875961af9436e229 upstream.

When the device descriptor is closed, the `substream->runtime` pointer
is freed. But another thread may be in the ioctl handler, case
SNDRV_CTL_IOCTL_PCM_INFO. This case calls snd_pcm_info_user() which
calls snd_pcm_info() which accesses the now freed `substream->runtime`.

Note: this fixes CVE-2017-0861

Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/pcm.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -149,7 +149,9 @@ static int snd_pcm_control_ioctl(struct
 				err = -ENXIO;
 				goto _error;
 			}
+			mutex_lock(&pcm->open_mutex);
 			err = snd_pcm_info_user(substream, info);
+			mutex_unlock(&pcm->open_mutex);
 		_error:
 			mutex_unlock(&register_mutex);
 			return err;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 027/148] ALSA: seq: Remove spurious WARN_ON() at timer check
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 026/148] ALSA: pcm: prevent UAF in snd_pcm_info Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 028/148] ALSA: usb-audio: Fix out-of-bound error Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, syzbot, Takashi Iwai

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 43a3542870328601be02fcc9d27b09db467336ef upstream.

The use of snd_BUG_ON() in ALSA sequencer timer may lead to a spurious
WARN_ON() when a slave timer is deployed as its backend and a
corresponding master timer stops meanwhile.  The symptom was triggered
by syzkaller spontaneously.

Since the NULL timer is valid there, rip off snd_BUG_ON().

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq/seq_timer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/seq/seq_timer.c
+++ b/sound/core/seq/seq_timer.c
@@ -355,7 +355,7 @@ static int initialize_timer(struct snd_s
 	unsigned long freq;
 
 	t = tmr->timeri->timer;
-	if (snd_BUG_ON(!t))
+	if (!t)
 		return -EINVAL;
 
 	freq = tmr->preferred_resolution;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 028/148] ALSA: usb-audio: Fix out-of-bound error
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 027/148] ALSA: seq: Remove spurious WARN_ON() at timer check Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 029/148] ALSA: usb-audio: Add check return value for usb_string() Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaejoong Kim, Takashi Iwai

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim <climbbb.kim@gmail.com>

commit 251552a2b0d454badc8f486e6d79100970c744b0 upstream.

The snd_usb_copy_string_desc() retrieves the usb string corresponding to
the index number through the usb_string(). The problem is that the
usb_string() returns the length of the string (>= 0) when successful, but
it can also return a negative value about the error case or status of
usb_control_msg().

If iClockSource is '0' as shown below, usb_string() will returns -EINVAL.
This will result in '0' being inserted into buf[-22], and the following
KASAN out-of-bound error message will be output.

AudioControl Interface Descriptor:
  bLength                 8
  bDescriptorType        36
  bDescriptorSubtype     10 (CLOCK_SOURCE)
  bClockID                1
  bmAttributes         0x07 Internal programmable Clock (synced to SOF)
  bmControls           0x07
  Clock Frequency Control (read/write)
  Clock Validity Control (read-only)
  bAssocTerminal          0
  iClockSource            0

To fix it, check usb_string()'return value and bail out.

==================================================================
BUG: KASAN: stack-out-of-bounds in parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
Write of size 1 at addr ffff88007e66735a by task systemd-udevd/18376

CPU: 0 PID: 18376 Comm: systemd-udevd Not tainted 4.13.0+ #3
Hardware name: LG Electronics                   15N540-RFLGL/White Tip Mountain, BIOS 15N5
Call Trace:
dump_stack+0x63/0x8d
print_address_description+0x70/0x290
? parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
kasan_report+0x265/0x350
__asan_store1+0x4a/0x50
parse_audio_unit+0x1327/0x1960 [snd_usb_audio]
? save_stack+0xb5/0xd0
? save_stack_trace+0x1b/0x20
? save_stack+0x46/0xd0
? kasan_kmalloc+0xad/0xe0
? kmem_cache_alloc_trace+0xff/0x230
? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
? usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
? usb_probe_interface+0x1f5/0x440
? driver_probe_device+0x3ed/0x660
? build_feature_ctl+0xb10/0xb10 [snd_usb_audio]
? save_stack_trace+0x1b/0x20
? init_object+0x69/0xa0
? snd_usb_find_csint_desc+0xa8/0xf0 [snd_usb_audio]
snd_usb_mixer_controls+0x1dc/0x370 [snd_usb_audio]
? build_audio_procunit+0x890/0x890 [snd_usb_audio]
? snd_usb_create_mixer+0xb0/0x4b0 [snd_usb_audio]
? kmem_cache_alloc_trace+0xff/0x230
? usb_ifnum_to_if+0xbd/0xf0
snd_usb_create_mixer+0x25b/0x4b0 [snd_usb_audio]
? snd_usb_create_stream+0x255/0x2c0 [snd_usb_audio]
usb_audio_probe+0x4de/0xf40 [snd_usb_audio]
? snd_usb_autosuspend.part.7+0x30/0x30 [snd_usb_audio]
? __pm_runtime_idle+0x90/0x90
? kernfs_activate+0xa6/0xc0
? usb_match_one_id_intf+0xdc/0x130
? __pm_runtime_set_status+0x2d4/0x450
usb_probe_interface+0x1f5/0x440

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -204,6 +204,10 @@ static int snd_usb_copy_string_desc(stru
 				    int index, char *buf, int maxlen)
 {
 	int len = usb_string(state->chip->dev, index, buf, maxlen - 1);
+
+	if (len < 0)
+		return 0;
+
 	buf[len] = 0;
 	return len;
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 029/148] ALSA: usb-audio: Add check return value for usb_string()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 028/148] ALSA: usb-audio: Fix out-of-bound error Greg Kroah-Hartman
@ 2017-12-12 12:43 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 030/148] iommu/vt-d: Fix scatterlist offset handling Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaejoong Kim, Takashi Iwai

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jaejoong Kim <climbbb.kim@gmail.com>

commit 89b89d121ffcf8d9546633b98ded9d18b8f75891 upstream.

snd_usb_copy_string_desc() returns zero if usb_string() fails.
In case of failure, we need to check the snd_usb_copy_string_desc()'s
return value and add an exception case

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2172,13 +2172,14 @@ static int parse_audio_selector_unit(str
 	if (len)
 		;
 	else if (nameid)
-		snd_usb_copy_string_desc(state, nameid, kctl->id.name,
+		len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
 					 sizeof(kctl->id.name));
-	else {
+	else
 		len = get_term_name(state, &state->oterm,
 				    kctl->id.name, sizeof(kctl->id.name), 0);
-		if (!len)
-			strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+
+	if (!len) {
+		strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
 
 		if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
 			append_ctl_name(kctl, " Clock Source");

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 030/148] iommu/vt-d: Fix scatterlist offset handling
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2017-12-12 12:43 ` [PATCH 4.9 029/148] ALSA: usb-audio: Add check return value for usb_string() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 031/148] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harsh Jain, Robin Murphy, Alex Williamson

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robin Murphy <robin.murphy@arm.com>

commit 29a90b70893817e2f2bb3cea40a29f5308e21b21 upstream.

The intel-iommu DMA ops fail to correctly handle scatterlists where
sg->offset is greater than PAGE_SIZE - the IOVA allocation is computed
appropriately based on the page-aligned portion of the offset, but the
mapping is set up relative to sg->page, which means it fails to actually
cover the whole buffer (and in the worst case doesn't cover it at all):

    (sg->dma_address + sg->dma_len) ----+
    sg->dma_address ---------+          |
    iov_pfn------+           |          |
                 |           |          |
                 v           v          v
iova:   a        b        c        d        e        f
        |--------|--------|--------|--------|--------|
                          <...calculated....>
                 [_____mapped______]
pfn:    0        1        2        3        4        5
        |--------|--------|--------|--------|--------|
                 ^           ^          ^
                 |           |          |
    sg->page ----+           |          |
    sg->offset --------------+          |
    (sg->offset + sg->length) ----------+

As a result, the caller ends up overrunning the mapping into whatever
lies beyond, which usually goes badly:

[  429.645492] DMAR: DRHD: handling fault status reg 2
[  429.650847] DMAR: [DMA Write] Request device [02:00.4] fault addr f2682000 ...

Whilst this is a fairly rare occurrence, it can happen from the result
of intermediate scatterlist processing such as scatterwalk_ffwd() in the
crypto layer. Whilst that particular site could be fixed up, it still
seems worthwhile to bring intel-iommu in line with other DMA API
implementations in handling this robustly.

To that end, fix the intel_map_sg() path to line up the mapping
correctly (in units of MM pages rather than VT-d pages to match the
aligned_nrpages() calculation) regardless of the offset, and use
sg_phys() consistently for clarity.

Reported-by: Harsh Jain <Harsh@chelsio.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Reviewed by: Ashok Raj <ashok.raj@intel.com>
Tested by: Jacob Pan <jacob.jun.pan@intel.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iommu/intel-iommu.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -2245,10 +2245,12 @@ static int __domain_mapping(struct dmar_
 		uint64_t tmp;
 
 		if (!sg_res) {
+			unsigned int pgoff = sg->offset & ~PAGE_MASK;
+
 			sg_res = aligned_nrpages(sg->offset, sg->length);
-			sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + sg->offset;
+			sg->dma_address = ((dma_addr_t)iov_pfn << VTD_PAGE_SHIFT) + pgoff;
 			sg->dma_length = sg->length;
-			pteval = page_to_phys(sg_page(sg)) | prot;
+			pteval = (sg_phys(sg) - pgoff) | prot;
 			phys_pfn = pteval >> VTD_PAGE_SHIFT;
 		}
 
@@ -3894,7 +3896,7 @@ static int intel_nontranslate_map_sg(str
 
 	for_each_sg(sglist, sg, nelems, i) {
 		BUG_ON(!sg_page(sg));
-		sg->dma_address = page_to_phys(sg_page(sg)) + sg->offset;
+		sg->dma_address = sg_phys(sg);
 		sg->dma_length = sg->length;
 	}
 	return nelems;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 031/148] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 030/148] iommu/vt-d: Fix scatterlist offset handling Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 032/148] s390: fix compat system call table Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lai Jiangshan, Thomas Gleixner,
	Peter Zijlstra, Richard Weinberger, Sebastian Andrzej Siewior,
	Boris Ostrovsky

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lai Jiangshan <jiangshanlai@gmail.com>

commit 46febd37f9c758b05cd25feae8512f22584742fe upstream.

Commit 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
accidently put this step on the wrong place. The step should be at the
cpuhp_ap_states[] rather than the cpuhp_bp_states[].

grep smpcfd /sys/devices/system/cpu/hotplug/states
 40: smpcfd:prepare
129: smpcfd:dying

"smpcfd:dying" was missing before.
So was the invocation of the function smpcfd_dying_cpu().

Fixes: 31487f8328f2 ("smp/cfd: Convert core to hotplug state machine")
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: https://lkml.kernel.org/r/20171128131954.81229-1-jiangshanlai@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/cpu.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -1321,11 +1321,6 @@ static struct cpuhp_step cpuhp_bp_states
 		.teardown.single	= NULL,
 		.cant_stop		= true,
 	},
-	[CPUHP_AP_SMPCFD_DYING] = {
-		.name			= "smpcfd:dying",
-		.startup.single		= NULL,
-		.teardown.single	= smpcfd_dying_cpu,
-	},
 	/*
 	 * Handled on controll processor until the plugged processor manages
 	 * this itself.
@@ -1367,6 +1362,11 @@ static struct cpuhp_step cpuhp_ap_states
 		.startup.single		= NULL,
 		.teardown.single	= rcutree_dying_cpu,
 	},
+	[CPUHP_AP_SMPCFD_DYING] = {
+		.name			= "smpcfd:dying",
+		.startup.single		= NULL,
+		.teardown.single	= smpcfd_dying_cpu,
+	},
 	/* Entry state on starting. Interrupts enabled from here on. Transient
 	 * state for synchronsization */
 	[CPUHP_AP_ONLINE] = {

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 032/148] s390: fix compat system call table
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 031/148] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 033/148] KVM: s390: Fix skey emulation permission check Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heiko Carstens, Martin Schwidefsky

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit e779498df587dd2189b30fe5b9245aefab870eb8 upstream.

When wiring up the socket system calls the compat entries were
incorrectly set. Not all of them point to the corresponding compat
wrapper functions, which clear the upper 33 bits of user space
pointers, like it is required.

Fixes: 977108f89c989 ("s390: wire up separate socketcalls system calls")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kernel/syscalls.S |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/s390/kernel/syscalls.S
+++ b/arch/s390/kernel/syscalls.S
@@ -369,10 +369,10 @@ SYSCALL(sys_recvmmsg,compat_sys_recvmmsg
 SYSCALL(sys_sendmmsg,compat_sys_sendmmsg)
 SYSCALL(sys_socket,sys_socket)
 SYSCALL(sys_socketpair,compat_sys_socketpair)		/* 360 */
-SYSCALL(sys_bind,sys_bind)
-SYSCALL(sys_connect,sys_connect)
+SYSCALL(sys_bind,compat_sys_bind)
+SYSCALL(sys_connect,compat_sys_connect)
 SYSCALL(sys_listen,sys_listen)
-SYSCALL(sys_accept4,sys_accept4)
+SYSCALL(sys_accept4,compat_sys_accept4)
 SYSCALL(sys_getsockopt,compat_sys_getsockopt)		/* 365 */
 SYSCALL(sys_setsockopt,compat_sys_setsockopt)
 SYSCALL(sys_getsockname,compat_sys_getsockname)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 033/148] KVM: s390: Fix skey emulation permission check
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 032/148] s390: fix compat system call table Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 034/148] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janosch Frank, Christian Borntraeger,
	Cornelia Huck, Thomas Huth

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Janosch Frank <frankja@linux.vnet.ibm.com>

commit ca76ec9ca871e67d8cd0b6caba24aca3d3ac4546 upstream.

All skey functions call skey_check_enable at their start, which checks
if we are in the PSTATE and injects a privileged operation exception
if we are.

Unfortunately they continue processing afterwards and perform the
operation anyhow as skey_check_enable does not deliver an error if the
exception injection was successful.

Let's move the PSTATE check into the skey functions and exit them on
such an occasion, also we now do not enable skey handling anymore in
such a case.

Signed-off-by: Janosch Frank <frankja@linux.vnet.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Fixes: a7e19ab ("KVM: s390: handle missing storage-key facility")
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kvm/priv.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/arch/s390/kvm/priv.c
+++ b/arch/s390/kvm/priv.c
@@ -197,8 +197,6 @@ static int try_handle_skey(struct kvm_vc
 		VCPU_EVENT(vcpu, 4, "%s", "retrying storage key operation");
 		return -EAGAIN;
 	}
-	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
-		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
 	return 0;
 }
 
@@ -209,6 +207,9 @@ static int handle_iske(struct kvm_vcpu *
 	int reg1, reg2;
 	int rc;
 
+	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+
 	rc = try_handle_skey(vcpu);
 	if (rc)
 		return rc != -EAGAIN ? rc : 0;
@@ -238,6 +239,9 @@ static int handle_rrbe(struct kvm_vcpu *
 	int reg1, reg2;
 	int rc;
 
+	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+
 	rc = try_handle_skey(vcpu);
 	if (rc)
 		return rc != -EAGAIN ? rc : 0;
@@ -273,6 +277,9 @@ static int handle_sske(struct kvm_vcpu *
 	int reg1, reg2;
 	int rc;
 
+	if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
+		return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
+
 	rc = try_handle_skey(vcpu);
 	if (rc)
 		return rc != -EAGAIN ? rc : 0;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 034/148] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 033/148] KVM: s390: Fix skey emulation permission check Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 035/148] brcmfmac: change driver unbind order of the sdio function devices Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Michael Ellerman

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>

commit 371b80447ff33ddac392c189cf884a5a3e18faeb upstream.

kexec can leave MMU registers set when booting into a new kernel,
the PIDR (Process Identification Register) in particular. The boot
sequence does not zero PIDR, so it only gets set when CPUs first
switch to a userspace processes (until then it's running a kernel
thread with effective PID = 0).

This leaves a window where a process table entry and page tables are
set up due to user processes running on other CPUs, that happen to
match with a stale PID. The CPU with that PID may cause speculative
accesses that address quadrant 0 (aka userspace addresses), which will
result in cached translations and PWC (Page Walk Cache) for that
process, on a CPU which is not in the mm_cpumask and so they will not
be invalidated properly.

The most common result is the kernel hanging in infinite page fault
loops soon after kexec (usually in schedule_tail, which is usually the
first non-speculative quadrant 0 access to a new PID) due to a stale
PWC. However being a stale translation error, it could result in
anything up to security and data corruption problems.

Fix this by zeroing out PIDR at boot and kexec.

Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/cpu_setup_power.S |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/powerpc/kernel/cpu_setup_power.S
+++ b/arch/powerpc/kernel/cpu_setup_power.S
@@ -97,6 +97,7 @@ _GLOBAL(__setup_cpu_power9)
 	beqlr
 	li	r0,0
 	mtspr	SPRN_LPID,r0
+	mtspr	SPRN_PID,r0
 	mfspr	r3,SPRN_LPCR
 	LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE)
 	or	r3, r3, r4
@@ -119,6 +120,7 @@ _GLOBAL(__restore_cpu_power9)
 	beqlr
 	li	r0,0
 	mtspr	SPRN_LPID,r0
+	mtspr	SPRN_PID,r0
 	mfspr   r3,SPRN_LPCR
 	LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE)
 	or	r3, r3, r4

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 035/148] brcmfmac: change driver unbind order of the sdio function devices
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 034/148] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 036/148] kdb: Fix handling of kallsyms_symbol_next() return value Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Wahren, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin, Arend van Spriel, Kalle Valo

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arend Van Spriel <arend.vanspriel@broadcom.com>

commit 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 upstream.

In the function brcmf_sdio_firmware_callback() the driver is
unbound from the sdio function devices in the error path.
However, the order in which it is done resulted in a use-after-free
issue (see brcmf_ops_sdio_remove() in bcmsdh.c). Hence change
the order and first unbind sdio function #2 device and then
unbind sdio function #1 device.

Fixes: 7a51461fc2da ("brcmfmac: unbind all devices upon failure in firmware callback")
Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -4080,8 +4080,8 @@ release:
 	sdio_release_host(sdiodev->func[1]);
 fail:
 	brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
-	device_release_driver(dev);
 	device_release_driver(&sdiodev->func[2]->dev);
+	device_release_driver(dev);
 }
 
 struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 036/148] kdb: Fix handling of kallsyms_symbol_next() return value
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 035/148] brcmfmac: change driver unbind order of the sdio function devices Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 037/148] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Daniel Thompson, Jason Wessel

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Thompson <daniel.thompson@linaro.org>

commit c07d35338081d107e57cf37572d8cc931a8e32e2 upstream.

kallsyms_symbol_next() returns a boolean (true on success). Currently
kdb_read() tests the return value with an inequality that
unconditionally evaluates to true.

This is fixed in the obvious way and, since the conditional branch is
supposed to be unreachable, we also add a WARN_ON().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/debug/kdb/kdb_io.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/debug/kdb/kdb_io.c
+++ b/kernel/debug/kdb/kdb_io.c
@@ -349,7 +349,7 @@ poll_again:
 			}
 			kdb_printf("\n");
 			for (i = 0; i < count; i++) {
-				if (kallsyms_symbol_next(p_tmp, i) < 0)
+				if (WARN_ON(!kallsyms_symbol_next(p_tmp, i)))
 					break;
 				kdb_printf("%s ", p_tmp);
 				*(p_tmp + len) = '\0';

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 037/148] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 036/148] kdb: Fix handling of kallsyms_symbol_next() return value Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 038/148] media: dvb: i2c transfers over usb cannot be done from stack Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Inki Dae

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit 120a264f9c2782682027d931d83dcbd22e01da80 upstream.

When no IOMMU is available, all GEM buffers allocated by Exynos DRM driver
are contiguous, because of the underlying dma_alloc_attrs() function
provides only such buffers. In such case it makes no sense to keep
BO_NONCONTIG flag for the allocated GEM buffers. This allows to avoid
failures for buffer contiguity checks in the subsequent operations on GEM
objects.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/exynos/exynos_drm_gem.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/gpu/drm/exynos/exynos_drm_gem.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_gem.c
@@ -246,6 +246,15 @@ struct exynos_drm_gem *exynos_drm_gem_cr
 	if (IS_ERR(exynos_gem))
 		return exynos_gem;
 
+	if (!is_drm_iommu_supported(dev) && (flags & EXYNOS_BO_NONCONTIG)) {
+		/*
+		 * when no IOMMU is available, all allocated buffers are
+		 * contiguous anyway, so drop EXYNOS_BO_NONCONTIG flag
+		 */
+		flags &= ~EXYNOS_BO_NONCONTIG;
+		DRM_WARN("Non-contiguous allocation is not supported without IOMMU, falling back to contiguous buffer\n");
+	}
+
 	/* set memory type and cache attribute from user side. */
 	exynos_gem->flags = flags;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 038/148] media: dvb: i2c transfers over usb cannot be done from stack
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 037/148] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 039/148] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laurent Caumont, Sean Young,
	Mauro Carvalho Chehab

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Caumont <lcaumont2@gmail.com>

commit 6d33377f2abbf9f0e561b116dd468d1c3ff36a6a upstream.

Signed-off-by: Laurent Caumont <lcaumont2@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb/dibusb-common.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/dvb-usb/dibusb-common.c
+++ b/drivers/media/usb/dvb-usb/dibusb-common.c
@@ -223,8 +223,20 @@ EXPORT_SYMBOL(dibusb_i2c_algo);
 
 int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val)
 {
-	u8 wbuf[1] = { offs };
-	return dibusb_i2c_msg(d, 0x50, wbuf, 1, val, 1);
+	u8 *buf;
+	int rc;
+
+	buf = kmalloc(2, GFP_KERNEL);
+	if (!buf)
+		return -ENOMEM;
+
+	buf[0] = offs;
+
+	rc = dibusb_i2c_msg(d, 0x50, &buf[0], 1, &buf[1], 1);
+	*val = buf[1];
+	kfree(buf);
+
+	return rc;
 }
 EXPORT_SYMBOL(dibusb_read_eeprom_byte);
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 039/148] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 038/148] media: dvb: i2c transfers over usb cannot be done from stack Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 040/148] arm: KVM: Fix " Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Suzuki K Poulose, Christoffer Dall,
	Kristina Martsenko, Marc Zyngier

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kristina Martsenko <kristina.martsenko@arm.com>

commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream.

VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
VTTBR address. It seems to currently be off by one, thereby only
allowing up to 47-bit addresses (instead of 48-bit) and also
insufficiently checking the alignment. This patch fixes it.

As an example, with 4k pages, before this patch we have:

  PHYS_MASK_SHIFT = 48
  VTTBR_X = 37 - 24 = 13
  VTTBR_BADDR_SHIFT = 13 - 1 = 12
  VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000

Which is wrong, because the mask doesn't allow bit 47 of the VTTBR
address to be set, and only requires the address to be 12-bit (4k)
aligned, while it actually needs to be 13-bit (8k) aligned because we
concatenate two 4k tables.

With this patch, the mask becomes 0x0000ffffffffe000, which is what we
want.

Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions")
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/kvm_arm.h |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm64/include/asm/kvm_arm.h
+++ b/arch/arm64/include/asm/kvm_arm.h
@@ -170,8 +170,7 @@
 #define VTCR_EL2_FLAGS			(VTCR_EL2_COMMON_BITS | VTCR_EL2_TGRAN_FLAGS)
 #define VTTBR_X				(VTTBR_X_TGRAN_MAGIC - VTCR_EL2_T0SZ_IPA)
 
-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
-#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
+#define VTTBR_BADDR_MASK  (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X)
 #define VTTBR_VMID_SHIFT  (UL(48))
 #define VTTBR_VMID_MASK(size) (_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 040/148] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 039/148] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 042/148] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kristina Martsenko, Christoffer Dall,
	Marc Zyngier

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream.

VTTBR_BADDR_MASK is used to sanity check the size and alignment of the
VTTBR address. It seems to currently be off by one, thereby only
allowing up to 39-bit addresses (instead of 40-bit) and also
insufficiently checking the alignment. This patch fixes it.

This patch is the 32bit pendent of Kristina's arm64 fix, and
she deserves the actual kudos for pinpointing that one.

Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation")
Reported-by: Kristina Martsenko <kristina.martsenko@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/include/asm/kvm_arm.h |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/include/asm/kvm_arm.h
+++ b/arch/arm/include/asm/kvm_arm.h
@@ -161,8 +161,7 @@
 #else
 #define VTTBR_X		(5 - KVM_T0SZ)
 #endif
-#define VTTBR_BADDR_SHIFT (VTTBR_X - 1)
-#define VTTBR_BADDR_MASK  (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT)
+#define VTTBR_BADDR_MASK  (((_AC(1, ULL) << (40 - VTTBR_X)) - 1) << VTTBR_X)
 #define VTTBR_VMID_SHIFT  _AC(48, ULL)
 #define VTTBR_VMID_MASK(size)	(_AT(u64, (1 << size) - 1) << VTTBR_VMID_SHIFT)
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 042/148] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 040/148] arm: KVM: Fix " Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 043/148] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christoffer Dall

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christoffer Dall <christoffer.dall@linaro.org>

commit fc396e066318c0a02208c1d3f0b62950a7714999 upstream.

We are incorrectly rearranging 32-bit words inside a 64-bit typed value
for big endian systems, which would result in never marking a virtual
interrupt as inactive on big endian systems (assuming 32 or fewer LRs on
the hardware).  Fix this by not doing any word order manipulation for
the typed values.

Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/hyp/vgic-v2-sr.c |    4 ----
 1 file changed, 4 deletions(-)

--- a/virt/kvm/arm/hyp/vgic-v2-sr.c
+++ b/virt/kvm/arm/hyp/vgic-v2-sr.c
@@ -77,11 +77,7 @@ static void __hyp_text save_elrsr(struct
 	else
 		elrsr1 = 0;
 
-#ifdef CONFIG_CPU_BIG_ENDIAN
-	cpu_if->vgic_elrsr = ((u64)elrsr0 << 32) | elrsr1;
-#else
 	cpu_if->vgic_elrsr = ((u64)elrsr1 << 32) | elrsr0;
-#endif
 }
 
 static void __hyp_text save_lrs(struct kvm_vcpu *vcpu, void __iomem *base)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 043/148] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 042/148] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 044/148] KVM: arm/arm64: vgic-its: Check result of allocation before use Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, AKASHI Takahiro, Christoffer Dall,
	Marc Zyngier

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 150009e2c70cc3c6e97f00e7595055765d32fb85 upstream.

Using the size of the structure we're allocating is a good idea
and avoids any surprise... In this case, we're happilly confusing
kvm_kernel_irq_routing_entry and kvm_irq_routing_entry...

Fixes: 95b110ab9a09 ("KVM: arm/arm64: Enable irqchip routing")
Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/vgic/vgic-irqfd.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/virt/kvm/arm/vgic/vgic-irqfd.c
+++ b/virt/kvm/arm/vgic/vgic-irqfd.c
@@ -112,8 +112,7 @@ int kvm_vgic_setup_default_irq_routing(s
 	u32 nr = dist->nr_spis;
 	int i, ret;
 
-	entries = kcalloc(nr, sizeof(struct kvm_kernel_irq_routing_entry),
-			  GFP_KERNEL);
+	entries = kcalloc(nr, sizeof(*entries), GFP_KERNEL);
 	if (!entries)
 		return -ENOMEM;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 044/148] KVM: arm/arm64: vgic-its: Check result of allocation before use
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 043/148] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 045/148] arm64: fpsimd: Prevent registers leaking from dead tasks Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, AKASHI Takahiro, Christoffer Dall,
	Marc Zyngier

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 686f294f2f1ae40705283dd413ca1e4c14f20f93 upstream.

We miss a test against NULL after allocation.

Fixes: 6d03a68f8054 ("KVM: arm64: vgic-its: Turn device_id validation into generic ID validation")
Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/arm/vgic/vgic-its.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/virt/kvm/arm/vgic/vgic-its.c
+++ b/virt/kvm/arm/vgic/vgic-its.c
@@ -687,6 +687,8 @@ static int vgic_its_alloc_collection(str
 		return E_ITS_MAPC_COLLECTION_OOR;
 
 	collection = kzalloc(sizeof(*collection), GFP_KERNEL);
+	if (!collection)
+		return -ENOMEM;
 
 	collection->collection_id = coll_id;
 	collection->target_addr = COLLECTION_NOT_MAPPED;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 045/148] arm64: fpsimd: Prevent registers leaking from dead tasks
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 044/148] KVM: arm/arm64: vgic-its: Check result of allocation before use Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 046/148] bus: arm-cci: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Martin, Ard Biesheuvel, Will Deacon

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Martin <Dave.Martin@arm.com>

commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.

Currently, loading of a task's fpsimd state into the CPU registers
is skipped if that task's state is already present in the registers
of that CPU.

However, the code relies on the struct fpsimd_state * (and by
extension struct task_struct *) to unambiguously identify a task.

There is a particular case in which this doesn't work reliably:
when a task exits, its task_struct may be recycled to describe a
new task.

Consider the following scenario:

 1) Task P loads its fpsimd state onto cpu C.
        per_cpu(fpsimd_last_state, C) := P;
        P->thread.fpsimd_state.cpu := C;

 2) Task X is scheduled onto C and loads its fpsimd state on C.
        per_cpu(fpsimd_last_state, C) := X;
        X->thread.fpsimd_state.cpu := C;

 3) X exits, causing X's task_struct to be freed.

 4) P forks a new child T, which obtains X's recycled task_struct.
	T == X.
	T->thread.fpsimd_state.cpu == C (inherited from P).

 5) T is scheduled on C.
	T's fpsimd state is not loaded, because
	per_cpu(fpsimd_last_state, C) == T (== X) &&
	T->thread.fpsimd_state.cpu == C.

        (This is the check performed by fpsimd_thread_switch().)

So, T gets X's registers because the last registers loaded onto C
were those of X, in (2).

This patch fixes the problem by ensuring that the sched-in check
fails in (5): fpsimd_flush_task_state(T) is called when T is
forked, so that T->thread.fpsimd_state.cpu == C cannot be true.
This relies on the fact that T is not schedulable until after
copy_thread() completes.

Once T's fpsimd state has been loaded on some CPU C there may still
be other cpus D for which per_cpu(fpsimd_last_state, D) ==
&X->thread.fpsimd_state.  But D is necessarily != C in this case,
and the check in (5) must fail.

An alternative fix would be to do refcounting on task_struct.  This
would result in each CPU holding a reference to the last task whose
fpsimd state was loaded there.  It's not clear whether this is
preferable, and it involves higher overhead than the fix proposed
in this patch.  It would also move all the task_struct freeing
work into the context switch critical section, or otherwise some
deferred cleanup mechanism would need to be introduced, neither of
which seems obviously justified.

Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[will: word-smithed the comment so it makes more sense]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kernel/process.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -255,6 +255,15 @@ int copy_thread(unsigned long clone_flag
 
 	memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context));
 
+	/*
+	 * In case p was allocated the same task_struct pointer as some
+	 * other recently-exited task, make sure p is disassociated from
+	 * any cpu that may have run that now-exited task recently.
+	 * Otherwise we could erroneously skip reloading the FPSIMD
+	 * registers for p.
+	 */
+	fpsimd_flush_task_state(p);
+
 	if (likely(!(p->flags & PF_KTHREAD))) {
 		*childregs = *current_pt_regs();
 		childregs->regs[0] = 0;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 046/148] bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 045/148] arm64: fpsimd: Prevent registers leaking from dead tasks Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 047/148] bus: arm-ccn: Check memory allocation failure Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Mark Rutland, Pawel Moll

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit 4608af8aa53e7f3922ddee695d023b7bcd5cb35b upstream.

The ARM CCI driver seem to be using smp_processor_id() in a
preemptible context, which is likely to make a DEBUG_PREMPT
kernel scream at boot time.

Turn this into a get_cpu()/put_cpu() that extends over the CPU
hotplug registration, making sure that we don't race against
a CPU down operation.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-cci.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/bus/arm-cci.c
+++ b/drivers/bus/arm-cci.c
@@ -1755,14 +1755,17 @@ static int cci_pmu_probe(struct platform
 	raw_spin_lock_init(&cci_pmu->hw_events.pmu_lock);
 	mutex_init(&cci_pmu->reserve_mutex);
 	atomic_set(&cci_pmu->active_events, 0);
-	cpumask_set_cpu(smp_processor_id(), &cci_pmu->cpus);
+	cpumask_set_cpu(get_cpu(), &cci_pmu->cpus);
 
 	ret = cci_pmu_init(cci_pmu, pdev);
-	if (ret)
+	if (ret) {
+		put_cpu();
 		return ret;
+	}
 
 	cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCI_ONLINE,
 					 &cci_pmu->node);
+	put_cpu();
 	pr_info("ARM %s PMU driver probed", cci_pmu->model->name);
 	return 0;
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 047/148] bus: arm-ccn: Check memory allocation failure
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 046/148] bus: arm-cci: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 048/148] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Scott Branden,
	Pawel Moll

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 24771179c5c138f0ea3ef88b7972979f62f2d5db upstream.

Check memory allocation failures and return -ENOMEM in such cases

This avoids a potential NULL pointer dereference.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Scott Branden <scott.branden@broadcom.com>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -1271,6 +1271,10 @@ static int arm_ccn_pmu_init(struct arm_c
 		int len = snprintf(NULL, 0, "ccn_%d", ccn->dt.id);
 
 		name = devm_kzalloc(ccn->dev, len + 1, GFP_KERNEL);
+		if (!name) {
+			err = -ENOMEM;
+			goto error_choose_name;
+		}
 		snprintf(name, len + 1, "ccn_%d", ccn->dt.id);
 	}
 
@@ -1318,6 +1322,7 @@ static int arm_ccn_pmu_init(struct arm_c
 
 error_pmu_register:
 error_set_affinity:
+error_choose_name:
 	ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
 	for (i = 0; i < ccn->num_xps; i++)
 		writel(0, ccn->xp[i].base + CCN_XP_DT_CONTROL);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 048/148] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 047/148] bus: arm-ccn: Check memory allocation failure Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 049/148] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Mark Rutland, Pawel Moll

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit b18c2b9487d8e797fc0a757e57ac3645348c5fba upstream.

Booting a DEBUG_PREEMPT enabled kernel on a CCN-based system
results in the following splat:

[...]
arm-ccn e8000000.ccn: No access to interrupts, using timer.
BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1
caller is debug_smp_processor_id+0x1c/0x28
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.13.0 #6111
Hardware name: AMD Seattle/Seattle, BIOS 17:08:23 Jun 26 2017
Call trace:
[<ffff000008089e78>] dump_backtrace+0x0/0x278
[<ffff00000808a22c>] show_stack+0x24/0x30
[<ffff000008bc3bc4>] dump_stack+0x8c/0xb0
[<ffff00000852b534>] check_preemption_disabled+0xfc/0x100
[<ffff00000852b554>] debug_smp_processor_id+0x1c/0x28
[<ffff000008551bd8>] arm_ccn_probe+0x358/0x4f0
[...]

as we use smp_processor_id() in the wrong context.

Turn this into a get_cpu()/put_cpu() that extends over the CPU hotplug
registration, making sure that we don't race against a CPU down operation.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -1301,7 +1301,7 @@ static int arm_ccn_pmu_init(struct arm_c
 	}
 
 	/* Pick one CPU which we will use to collect data from CCN... */
-	cpumask_set_cpu(smp_processor_id(), &ccn->dt.cpu);
+	cpumask_set_cpu(get_cpu(), &ccn->dt.cpu);
 
 	/* Also make sure that the overflow interrupt is handled by this CPU */
 	if (ccn->irq) {
@@ -1318,10 +1318,12 @@ static int arm_ccn_pmu_init(struct arm_c
 
 	cpuhp_state_add_instance_nocalls(CPUHP_AP_PERF_ARM_CCN_ONLINE,
 					 &ccn->dt.node);
+	put_cpu();
 	return 0;
 
 error_pmu_register:
 error_set_affinity:
+	put_cpu();
 error_choose_name:
 	ida_simple_remove(&arm_ccn_pmu_ida, ccn->dt.id);
 	for (i = 0; i < ccn->num_xps; i++)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 049/148] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 048/148] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 050/148] crypto: talitos - fix AEAD test failures Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kim Phillips,
	Sebastian Andrzej Siewior, Pawel Moll

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kim Phillips <kim.phillips@arm.com>

commit b69f63ebf553504739cc8534cbed31bd530c6f0b upstream.

Unregistering the driver before calling cpuhp_remove_multi_state() removes
any remaining hotplug cpu instances so __cpuhp_remove_state_cpuslocked()
doesn't emit this warning:

[  268.748362] Error: Removing state 147 which has instances left.
[  268.748373] ------------[ cut here ]------------
[  268.748386] WARNING: CPU: 2 PID: 5476 at kernel/cpu.c:1734 __cpuhp_remove_state_cpuslocked+0x454/0x4f0
[  268.748389] Modules linked in: arm_ccn(-) [last unloaded: arm_ccn]
[  268.748403] CPU: 2 PID: 5476 Comm: rmmod Tainted: G        W       4.14.0-rc4+ #3
[  268.748406] Hardware name: AMD Seattle/Seattle, BIOS 10:18:39 Dec  8 2016
[  268.748410] task: ffff8001a18ca000 task.stack: ffff80019c120000
[  268.748416] PC is at __cpuhp_remove_state_cpuslocked+0x454/0x4f0
[  268.748421] LR is at __cpuhp_remove_state_cpuslocked+0x448/0x4f0
[  268.748425] pc : [<ffff2000081729ec>] lr : [<ffff2000081729e0>] pstate: 60000145
[  268.748427] sp : ffff80019c127d30
[  268.748430] x29: ffff80019c127d30 x28: ffff8001a18ca000
[  268.748437] x27: ffff20000c2cb000 x26: 1fffe4000042d490
[  268.748443] x25: ffff20000216a480 x24: 0000000000000000
[  268.748449] x23: ffff20000b08e000 x22: 0000000000000001
[  268.748455] x21: 0000000000000093 x20: 00000000000016f8
[  268.748460] x19: ffff20000c2cbb80 x18: 0000ffffb5fe7c58
[  268.748466] x17: 00000000004402d0 x16: 1fffe40001864f01
[  268.748472] x15: ffff20000c4bf8b0 x14: 0000000000000000
[  268.748477] x13: 0000000000007032 x12: ffff20000829ae48
[  268.748483] x11: ffff20000c4bf000 x10: 0000000000000004
[  268.748488] x9 : 0000000000006fbc x8 : ffff20000c318a40
[  268.748494] x7 : 0000000000000000 x6 : ffff040001864f02
[  268.748500] x5 : 0000000000000000 x4 : 0000000000000000
[  268.748505] x3 : 0000000000000007 x2 : dfff200000000000
[  268.748510] x1 : 000000000000ad3d x0 : 00000000000001f0
[  268.748516] Call trace:
[  268.748521] Exception stack(0xffff80019c127bf0 to 0xffff80019c127d30)
[  268.748526] 7be0:                                   00000000000001f0 000000000000ad3d
[  268.748531] 7c00: dfff200000000000 0000000000000007 0000000000000000 0000000000000000
[  268.748535] 7c20: ffff040001864f02 0000000000000000 ffff20000c318a40 0000000000006fbc
[  268.748539] 7c40: 0000000000000004 ffff20000c4bf000 ffff20000829ae48 0000000000007032
[  268.748544] 7c60: 0000000000000000 ffff20000c4bf8b0 1fffe40001864f01 00000000004402d0
[  268.748548] 7c80: 0000ffffb5fe7c58 ffff20000c2cbb80 00000000000016f8 0000000000000093
[  268.748553] 7ca0: 0000000000000001 ffff20000b08e000 0000000000000000 ffff20000216a480
[  268.748557] 7cc0: 1fffe4000042d490 ffff20000c2cb000 ffff8001a18ca000 ffff80019c127d30
[  268.748562] 7ce0: ffff2000081729e0 ffff80019c127d30 ffff2000081729ec 0000000060000145
[  268.748566] 7d00: 00000000000001f0 0000000000000000 0001000000000000 0000000000000000
[  268.748569] 7d20: ffff80019c127d30 ffff2000081729ec
[  268.748575] [<ffff2000081729ec>] __cpuhp_remove_state_cpuslocked+0x454/0x4f0
[  268.748580] [<ffff200008172adc>] __cpuhp_remove_state+0x54/0x80
[  268.748597] [<ffff20000215dd84>] arm_ccn_exit+0x2c/0x70 [arm_ccn]
[  268.748604] [<ffff20000834cfbc>] SyS_delete_module+0x5a4/0x708
[  268.748607] Exception stack(0xffff80019c127ec0 to 0xffff80019c128000)
[  268.748612] 7ec0: 0000000019bb7258 0000000000000800 ba64d0fb3d26a800 00000000000000da
[  268.748616] 7ee0: 0000ffffb6144e28 0000ffffcd95b409 fefefefefefefeff 7f7f7f7f7f7f7f7f
[  268.748621] 7f00: 000000000000006a 1999999999999999 0000ffffb6179000 0000000000bbcc6d
[  268.748625] 7f20: 0000ffffb6176b98 0000ffffcd95c2d0 0000ffffb5fe7b58 0000ffffb6163000
[  268.748630] 7f40: 0000ffffb60ad3e0 00000000004402d0 0000ffffb5fe7c58 0000000019bb71f0
[  268.748634] 7f60: 0000ffffcd95c740 0000000000000000 0000000019bb71f0 0000000000416700
[  268.748639] 7f80: 0000000000000000 00000000004402e8 0000000019bb6010 0000ffffcd95c748
[  268.748643] 7fa0: 0000000000000000 0000ffffcd95c460 00000000004113a8 0000ffffcd95c460
[  268.748648] 7fc0: 0000ffffb60ad3e8 0000000080000000 0000000019bb7258 000000000000006a
[  268.748652] 7fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  268.748657] [<ffff200008084f9c>] __sys_trace_return+0x0/0x4
[  268.748661] ---[ end trace a996d358dcaa7f9c ]---

Fixes: 8df038725ad5 ("bus/arm-ccn: Use cpu-hp's multi instance support instead custom list")
Signed-off-by: Kim Phillips <kim.phillips@arm.com>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Pawel Moll <pawel.moll@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/arm-ccn.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/bus/arm-ccn.c
+++ b/drivers/bus/arm-ccn.c
@@ -1585,8 +1585,8 @@ static int __init arm_ccn_init(void)
 
 static void __exit arm_ccn_exit(void)
 {
-	cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
 	platform_driver_unregister(&arm_ccn_driver);
+	cpuhp_remove_multi_state(CPUHP_AP_PERF_ARM_CCN_ONLINE);
 }
 
 module_init(arm_ccn_init);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 050/148] crypto: talitos - fix AEAD test failures
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 049/148] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 051/148] crypto: talitos - fix memory corruption on SEC2 Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit ec8c7d14acc0a477429d3a6fade5dab72c996c82 upstream.

AEAD tests fail when destination SG list has more than 1 element.

[    2.058752] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
[    2.066965] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: c0 43 ff 74 c0 43 ff e0 de 83 d1 20 de 84 8e 54
00000020: de 83 d7 c4
[    2.082138] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-aes-talitos
[    2.090435] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: de 84 ea 58 c0 93 1a 24 de 84 e8 59 de 84 f1 20
00000020: 00 00 00 00
[    2.105721] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
[    2.114259] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c
[    2.166410] alg: aead: Test 1 failed on encryption for authenc-hmac-sha1-cbc-3des-talitos
[    2.174794] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c
[    2.226486] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
[    2.236459] alg: No test for authenc(hmac(sha224),cbc(aes)) (authenc-hmac-sha224-cbc-aes-talitos)
[    2.247196] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
[    2.255555] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8
[    2.309004] alg: aead: Test 1 failed on encryption for authenc-hmac-sha224-cbc-3des-talitos
[    2.317562] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8
[    2.370710] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
[    2.379177] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
[    2.397863] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-aes-talitos
[    2.406134] 00000000: 53 69 6e 67 6c 65 20 62 6c 6f 63 6b 20 6d 73 67
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
[    2.424789] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
[    2.433491] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc
[    2.488832] alg: aead: Test 1 failed on encryption for authenc-hmac-sha256-cbc-3des-talitos
[    2.497387] 00000000: 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72 73 74
00000010: 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63 74 65
00000020: 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65 65 72
00000030: 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53 72 63
00000040: 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20 63 65
00000050: 65 72 73 74 54 20 6f 6f 4d 20 6e 61 20 79 65 53
00000060: 72 63 74 65 20 73 6f 54 20 6f 61 4d 79 6e 53 20
00000070: 63 65 65 72 73 74 54 20 6f 6f 4d 20 6e 61 0a 79
00000080: c0 50 f1 ac c0 50 f3 38 c0 50 f3 94 c0 50 f5 30
00000090: c0 99 74 3c c0 96 e5 b8 c0 96 e9 20 c0 00 3d dc

This patch fixes that.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1232,12 +1232,11 @@ static int ipsec_esp(struct talitos_edes
 			sg_link_tbl_len += authsize;
 	}
 
-	sg_count = talitos_sg_map(dev, areq->src, cryptlen, edesc,
-				  &desc->ptr[4], sg_count, areq->assoclen,
-				  tbl_off);
+	ret = talitos_sg_map(dev, areq->src, cryptlen, edesc, &desc->ptr[4],
+			     sg_count, areq->assoclen, tbl_off);
 
-	if (sg_count > 1) {
-		tbl_off += sg_count;
+	if (ret > 1) {
+		tbl_off += ret;
 		sync_needed = true;
 	}
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 051/148] crypto: talitos - fix memory corruption on SEC2
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 050/148] crypto: talitos - fix AEAD test failures Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 052/148] crypto: talitos - fix setkey to check key weakness Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit e04a61bebc5da1535b6f194b464295b8d558e2fc upstream.

On SEC2, when using the old descriptors type (hmac snoop no afeu)
for doing IPsec, the CICV out pointeur points out of the allocated
memory.

[    2.502554] =============================================================================
[    2.510740] BUG dma-kmalloc-256 (Not tainted): Redzone overwritten
[    2.516907] -----------------------------------------------------------------------------
[    2.516907]
[    2.526535] Disabling lock debugging due to kernel taint
[    2.531845] INFO: 0xde858108-0xde85810b. First byte 0xf8 instead of 0xcc
[    2.538549] INFO: Allocated in 0x806181a9 age=0 cpu=0 pid=58
[    2.544229] 	__kmalloc+0x374/0x564
[    2.547649] 	talitos_edesc_alloc+0x17c/0x48c
[    2.551929] 	aead_edesc_alloc+0x80/0x154
[    2.555863] 	aead_encrypt+0x30/0xe0
[    2.559368] 	__test_aead+0x5a0/0x1f3c
[    2.563042] 	test_aead+0x2c/0x110
[    2.566371] 	alg_test_aead+0x5c/0xf4
[    2.569958] 	alg_test+0x1dc/0x5a0
[    2.573305] 	cryptomgr_test+0x50/0x70
[    2.576984] 	kthread+0xd8/0x134
[    2.580155] 	ret_from_kernel_thread+0x5c/0x64
[    2.584534] INFO: Freed in ipsec_esp_encrypt_done+0x130/0x240 age=6 cpu=0 pid=0
[    2.591839] 	ipsec_esp_encrypt_done+0x130/0x240
[    2.596395] 	flush_channel+0x1dc/0x488
[    2.600161] 	talitos2_done_4ch+0x30/0x200
[    2.604185] 	tasklet_action+0xa0/0x13c
[    2.607948] 	__do_softirq+0x148/0x6cc
[    2.611623] 	irq_exit+0xc0/0x124
[    2.614869] 	call_do_irq+0x24/0x3c
[    2.618292] 	do_IRQ+0x78/0x108
[    2.621369] 	ret_from_except+0x0/0x14
[    2.625055] 	finish_task_switch+0x58/0x350
[    2.629165] 	schedule+0x80/0x134
[    2.632409] 	schedule_preempt_disabled+0x38/0xc8
[    2.637042] 	cpu_startup_entry+0xe4/0x190
[    2.641074] 	start_kernel+0x3f4/0x408
[    2.644741] 	0x3438
[    2.646857] INFO: Slab 0xdffbdb00 objects=9 used=1 fp=0xde8581c0 flags=0x0080
[    2.653978] INFO: Object 0xde858008 @offset=8 fp=0xca4395df
[    2.653978]
[    2.661032] Redzone de858000: cc cc cc cc cc cc cc cc                          ........
[    2.669029] Object de858008: 00 00 00 02 00 00 00 02 00 6b 6b 6b 1e 83 ea 28  .........kkk...(
[    2.677628] Object de858018: 00 00 00 70 1e 85 80 64 ff 73 1d 21 6b 6b 6b 6b  ...p...d.s.!kkkk
[    2.686228] Object de858028: 00 20 00 00 1e 84 17 24 00 10 00 00 1e 85 70 00  . .....$......p.
[    2.694829] Object de858038: 00 18 00 00 1e 84 17 44 00 08 00 00 1e 83 ea 28  .......D.......(
[    2.703430] Object de858048: 00 80 00 00 1e 84 f0 00 00 80 00 00 1e 85 70 10  ..............p.
[    2.712030] Object de858058: 00 20 6b 00 1e 85 80 f4 6b 6b 6b 6b 00 80 02 00  . k.....kkkk....
[    2.720629] Object de858068: 1e 84 f0 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  ....kkkkkkkkkkkk
[    2.729230] Object de858078: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.737830] Object de858088: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.746429] Object de858098: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.755029] Object de8580a8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.763628] Object de8580b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.772229] Object de8580c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.780829] Object de8580d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[    2.789430] Object de8580e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 73 b0 ea 9f  kkkkkkkkkkkks...
[    2.798030] Object de8580f8: e8 18 80 d6 56 38 44 c0 db e3 4f 71 f7 ce d1 d3  ....V8D...Oq....
[    2.806629] Redzone de858108: f8 bd 3e 4f                                      ..>O
[    2.814279] Padding de8581b0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[    2.822283] CPU: 0 PID: 0 Comm: swapper Tainted: G    B           4.9.50-g995be12679 #179
[    2.831819] Call Trace:
[    2.834301] [dffefd20] [c01aa9a8] check_bytes_and_report+0x100/0x194 (unreliable)
[    2.841801] [dffefd50] [c01aac3c] check_object+0x200/0x530
[    2.847306] [dffefd80] [c01ae584] free_debug_processing+0x290/0x690
[    2.853585] [dffefde0] [c01aec8c] __slab_free+0x308/0x628
[    2.859000] [dffefe80] [c05057f4] ipsec_esp_encrypt_done+0x130/0x240
[    2.865378] [dffefeb0] [c05002c4] flush_channel+0x1dc/0x488
[    2.870968] [dffeff10] [c05007a8] talitos2_done_4ch+0x30/0x200
[    2.876814] [dffeff30] [c002fe38] tasklet_action+0xa0/0x13c
[    2.882399] [dffeff60] [c002f118] __do_softirq+0x148/0x6cc
[    2.887896] [dffeffd0] [c002f954] irq_exit+0xc0/0x124
[    2.892968] [dffefff0] [c0013adc] call_do_irq+0x24/0x3c
[    2.898213] [c0d4be00] [c000757c] do_IRQ+0x78/0x108
[    2.903113] [c0d4be30] [c0015c08] ret_from_except+0x0/0x14
[    2.908634] --- interrupt: 501 at finish_task_switch+0x70/0x350
[    2.908634]     LR = finish_task_switch+0x58/0x350
[    2.919327] [c0d4bf20] [c085e1d4] schedule+0x80/0x134
[    2.924398] [c0d4bf50] [c085e2c0] schedule_preempt_disabled+0x38/0xc8
[    2.930853] [c0d4bf60] [c007f064] cpu_startup_entry+0xe4/0x190
[    2.936707] [c0d4bfb0] [c096c434] start_kernel+0x3f4/0x408
[    2.942198] [c0d4bff0] [00003438] 0x3438
[    2.946137] FIX dma-kmalloc-256: Restoring 0xde858108-0xde85810b=0xcc
[    2.946137]
[    2.954158] FIX dma-kmalloc-256: Object at 0xde858008 not freed

This patch reworks the handling of the CICV out in order
to properly handle all cases.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |   42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1247,14 +1247,15 @@ static int ipsec_esp(struct talitos_edes
 			dma_map_sg(dev, areq->dst, sg_count, DMA_FROM_DEVICE);
 	}
 
-	sg_count = talitos_sg_map(dev, areq->dst, cryptlen, edesc,
-				  &desc->ptr[5], sg_count, areq->assoclen,
-				  tbl_off);
+	ret = talitos_sg_map(dev, areq->dst, cryptlen, edesc, &desc->ptr[5],
+			     sg_count, areq->assoclen, tbl_off);
 
 	if (desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)
 		to_talitos_ptr_ext_or(&desc->ptr[5], authsize, is_sec1);
 
-	if (sg_count > 1) {
+	/* ICV data */
+	if (ret > 1) {
+		tbl_off += ret;
 		edesc->icv_ool = true;
 		sync_needed = true;
 
@@ -1264,9 +1265,7 @@ static int ipsec_esp(struct talitos_edes
 				     sizeof(struct talitos_ptr) + authsize;
 
 			/* Add an entry to the link table for ICV data */
-			tbl_ptr += sg_count - 1;
-			to_talitos_ptr_ext_set(tbl_ptr, 0, is_sec1);
-			tbl_ptr++;
+			to_talitos_ptr_ext_set(tbl_ptr - 1, 0, is_sec1);
 			to_talitos_ptr_ext_set(tbl_ptr, DESC_PTR_LNKTBL_RETURN,
 					       is_sec1);
 			to_talitos_ptr_len(tbl_ptr, authsize, is_sec1);
@@ -1274,18 +1273,33 @@ static int ipsec_esp(struct talitos_edes
 			/* icv data follows link tables */
 			to_talitos_ptr(tbl_ptr, edesc->dma_link_tbl + offset,
 				       is_sec1);
+		} else {
+			dma_addr_t addr = edesc->dma_link_tbl;
+
+			if (is_sec1)
+				addr += areq->assoclen + cryptlen;
+			else
+				addr += sizeof(struct talitos_ptr) * tbl_off;
+
+			to_talitos_ptr(&desc->ptr[6], addr, is_sec1);
+			to_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);
+		}
+	} else if (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {
+		ret = talitos_sg_map(dev, areq->dst, authsize, edesc,
+				     &desc->ptr[6], sg_count, areq->assoclen +
+							      cryptlen,
+				     tbl_off);
+		if (ret > 1) {
+			tbl_off += ret;
+			edesc->icv_ool = true;
+			sync_needed = true;
+		} else {
+			edesc->icv_ool = false;
 		}
 	} else {
 		edesc->icv_ool = false;
 	}
 
-	/* ICV data */
-	if (!(desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)) {
-		to_talitos_ptr_len(&desc->ptr[6], authsize, is_sec1);
-		to_talitos_ptr(&desc->ptr[6], edesc->dma_link_tbl +
-			       areq->assoclen + cryptlen, is_sec1);
-	}
-
 	/* iv out */
 	if (desc->hdr & DESC_HDR_TYPE_IPSEC_ESP)
 		map_single_talitos_ptr(dev, &desc->ptr[6], ivsize, ctx->iv,

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 052/148] crypto: talitos - fix setkey to check key weakness
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 051/148] crypto: talitos - fix memory corruption on SEC2 Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 053/148] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit f384cdc4faf350fdb6ad93c5f26952b9ba7c7566 upstream.

Crypto manager test report the following failures:
[    3.061081] alg: skcipher: setkey failed on test 5 for ecb-des-talitos: flags=100
[    3.069342] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100
[    3.077754] alg: skcipher-ddst: setkey failed on test 5 for ecb-des-talitos: flags=100

This is due to setkey being expected to detect weak keys.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1507,12 +1507,20 @@ static int ablkcipher_setkey(struct cryp
 			     const u8 *key, unsigned int keylen)
 {
 	struct talitos_ctx *ctx = crypto_ablkcipher_ctx(cipher);
+	u32 tmp[DES_EXPKEY_WORDS];
 
 	if (keylen > TALITOS_MAX_KEY_SIZE) {
 		crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_BAD_KEY_LEN);
 		return -EINVAL;
 	}
 
+	if (unlikely(crypto_ablkcipher_get_flags(cipher) &
+		     CRYPTO_TFM_REQ_WEAK_KEY) &&
+	    !des_ekey(tmp, key)) {
+		crypto_ablkcipher_set_flags(cipher, CRYPTO_TFM_RES_WEAK_KEY);
+		return -EINVAL;
+	}
+
 	memcpy(&ctx->key, key, keylen);
 	ctx->keylen = keylen;
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 053/148] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 052/148] crypto: talitos - fix setkey to check key weakness Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 054/148] crypto: talitos - fix use of sg_link_tbl_len Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit 6cda075aff67a1b9b5ba1b2818091dc939643b6c upstream.

sha224 AEAD test fails with:

[    2.803125] talitos ff020000.crypto: DEUISR 0x00000000_00000000
[    2.808743] talitos ff020000.crypto: MDEUISR 0x80100000_00000000
[    2.814678] talitos ff020000.crypto: DESCBUF 0x20731f21_00000018
[    2.820616] talitos ff020000.crypto: DESCBUF 0x0628d64c_00000010
[    2.826554] talitos ff020000.crypto: DESCBUF 0x0631005c_00000018
[    2.832492] talitos ff020000.crypto: DESCBUF 0x0628d664_00000008
[    2.838430] talitos ff020000.crypto: DESCBUF 0x061b13a0_00000080
[    2.844369] talitos ff020000.crypto: DESCBUF 0x0631006c_00000080
[    2.850307] talitos ff020000.crypto: DESCBUF 0x0631006c_00000018
[    2.856245] talitos ff020000.crypto: DESCBUF 0x063100ec_00000000
[    2.884972] talitos ff020000.crypto: failed to reset channel 0
[    2.890503] talitos ff020000.crypto: done overflow, internal time out, or rngu error: ISR 0x20000000_00020000
[    2.900652] alg: aead: encryption failed on test 1 for authenc-hmac-sha224-cbc-3des-talitos: ret=22

This is due to SHA224 not being supported by the HW. Allthough for
hash we are able to init the hash context by SW, it is not
possible for AEAD. Therefore SHA224 AEAD has to be deactivated.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -3068,6 +3068,11 @@ static struct talitos_crypto_alg *talito
 		t_alg->algt.alg.aead.setkey = aead_setkey;
 		t_alg->algt.alg.aead.encrypt = aead_encrypt;
 		t_alg->algt.alg.aead.decrypt = aead_decrypt;
+		if (!(priv->features & TALITOS_FTR_SHA224_HWINIT) &&
+		    !strncmp(alg->cra_name, "authenc(hmac(sha224)", 20)) {
+			kfree(t_alg);
+			return ERR_PTR(-ENOTSUPP);
+		}
 		break;
 	case CRYPTO_ALG_TYPE_AHASH:
 		alg = &t_alg->algt.alg.hash.halg.base;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 054/148] crypto: talitos - fix use of sg_link_tbl_len
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 053/148] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 055/148] crypto: talitos - fix ctr-aes-talitos Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit fbb22137c4d9bab536958b152d096fb3f98020ea upstream.

sg_link_tbl_len shall be used instead of cryptlen, otherwise
SECs which perform HW CICV verification will fail.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1232,8 +1232,8 @@ static int ipsec_esp(struct talitos_edes
 			sg_link_tbl_len += authsize;
 	}
 
-	ret = talitos_sg_map(dev, areq->src, cryptlen, edesc, &desc->ptr[4],
-			     sg_count, areq->assoclen, tbl_off);
+	ret = talitos_sg_map(dev, areq->src, sg_link_tbl_len, edesc,
+			     &desc->ptr[4], sg_count, areq->assoclen, tbl_off);
 
 	if (ret > 1) {
 		tbl_off += ret;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 055/148] crypto: talitos - fix ctr-aes-talitos
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 054/148] crypto: talitos - fix use of sg_link_tbl_len Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 056/148] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Herbert Xu

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: LEROY Christophe <christophe.leroy@c-s.fr>

commit 70d355ccea899dad47dc22d3a4406998f55143fd upstream.

ctr-aes-talitos test fails as follows on SEC2

[    0.837427] alg: skcipher: Test 1 failed (invalid result) on encryption for ctr-aes-talitos
[    0.845763] 00000000: 16 36 d5 ee 34 f8 06 25 d7 7f 8e 56 ca 88 43 45
[    0.852345] 00000010: f9 3f f7 17 2a b2 12 23 30 43 09 15 82 dd e1 97
[    0.858940] 00000020: a7 f7 32 b5 eb 25 06 13 9a ec f5 29 25 f8 4d 66
[    0.865366] 00000030: b0 03 5b 8e aa 9a 42 b6 19 33 8a e2 9d 65 96 95

This patch fixes the descriptor type which is special for CTR AES

Fixes: 5e75ae1b3cef6 ("crypto: talitos - add new crypto modes")
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/talitos.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -2635,7 +2635,7 @@ static struct talitos_alg_template drive
 				.ivsize = AES_BLOCK_SIZE,
 			}
 		},
-		.desc_hdr_template = DESC_HDR_TYPE_COMMON_NONSNOOP_NO_AFEU |
+		.desc_hdr_template = DESC_HDR_TYPE_AESU_CTR_NONSNOOP |
 				     DESC_HDR_SEL0_AESU |
 				     DESC_HDR_MODE0_AESU_CTR,
 	},

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 056/148] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 055/148] crypto: talitos - fix ctr-aes-talitos Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 057/148] ARM: BUG if jumping to usermode address in kernel mode Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John Keeping, Felipe Balbi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Keeping <john@metanate.com>

commit a3acc696085e112733d191a77b106e67a4fa110b upstream.

The specification says that the Reserved1 field in OS_DESC_EXT_COMPAT
must have the value "1", but when this feature was first implemented we
rejected any non-zero values.

This was adjusted to accept all non-zero values (while now rejecting
zero) in commit 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on
reserved1 of OS_DESC_EXT_COMPAT"), but that breaks any userspace
programs that worked previously by returning EINVAL when Reserved1 == 0
which was previously the only value that succeeded!

If we just set the field to "1" ourselves, both old and new userspace
programs continue to work correctly and, as a bonus, old programs are
now compliant with the specification without having to fix anything
themselves.

Fixes: 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT")
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/function/f_fs.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -2262,9 +2262,18 @@ static int __ffs_data_do_os_desc(enum ff
 		int i;
 
 		if (len < sizeof(*d) ||
-		    d->bFirstInterfaceNumber >= ffs->interfaces_count ||
-		    d->Reserved1)
+		    d->bFirstInterfaceNumber >= ffs->interfaces_count)
 			return -EINVAL;
+		if (d->Reserved1 != 1) {
+			/*
+			 * According to the spec, Reserved1 must be set to 1
+			 * but older kernels incorrectly rejected non-zero
+			 * values.  We fix it here to avoid returning EINVAL
+			 * in response to values we used to accept.
+			 */
+			pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n");
+			d->Reserved1 = 1;
+		}
 		for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i)
 			if (d->Reserved2[i])
 				return -EINVAL;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 057/148] ARM: BUG if jumping to usermode address in kernel mode
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 056/148] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 058/148] ARM: avoid faulting on qemu Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Russell King, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 8bafae202c82dc257f649ea3c275a0f35ee15113 upstream.

Detect if we are returning to usermode via the normal kernel exit paths
but the saved PSR value indicates that we are in kernel mode.  This
could occur due to corrupted stack state, which has been observed with
"ftracetest".

This ensures that we catch the problem case before we get to user code.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Alex Shi <alex.shi@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/include/asm/assembler.h |   18 ++++++++++++++++++
 arch/arm/kernel/entry-header.S   |    6 ++++++
 2 files changed, 24 insertions(+)

--- a/arch/arm/include/asm/assembler.h
+++ b/arch/arm/include/asm/assembler.h
@@ -516,4 +516,22 @@ THUMB(	orr	\reg , \reg , #PSR_T_BIT	)
 #endif
 	.endm
 
+	.macro	bug, msg, line
+#ifdef CONFIG_THUMB2_KERNEL
+1:	.inst	0xde02
+#else
+1:	.inst	0xe7f001f2
+#endif
+#ifdef CONFIG_DEBUG_BUGVERBOSE
+	.pushsection .rodata.str, "aMS", %progbits, 1
+2:	.asciz	"\msg"
+	.popsection
+	.pushsection __bug_table, "aw"
+	.align	2
+	.word	1b, 2b
+	.hword	\line
+	.popsection
+#endif
+	.endm
+
 #endif /* __ASM_ASSEMBLER_H__ */
--- a/arch/arm/kernel/entry-header.S
+++ b/arch/arm/kernel/entry-header.S
@@ -299,6 +299,8 @@
 	mov	r2, sp
 	ldr	r1, [r2, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [r2, #\offset + S_PC]!	@ get pc
+	tst	r1, #0xcf
+	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
 	@ We must avoid clrex due to Cortex-A15 erratum #830321
@@ -313,6 +315,7 @@
 						@ after ldm {}^
 	add	sp, sp, #\offset + PT_REGS_SIZE
 	movs	pc, lr				@ return & move spsr_svc into cpsr
+1:	bug	"Returning to usermode but unexpected PSR bits set?", \@
 #elif defined(CONFIG_CPU_V7M)
 	@ V7M restore.
 	@ Note that we don't need to do clrex here as clearing the local
@@ -328,6 +331,8 @@
 	ldr	r1, [sp, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [sp, #\offset + S_PC]	@ get pc
 	add	sp, sp, #\offset + S_SP
+	tst	r1, #0xcf
+	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 
 	@ We must avoid clrex due to Cortex-A15 erratum #830321
@@ -340,6 +345,7 @@
 	.endif
 	add	sp, sp, #PT_REGS_SIZE - S_SP
 	movs	pc, lr				@ return & move spsr_svc into cpsr
+1:	bug	"Returning to usermode but unexpected PSR bits set?", \@
 #endif	/* !CONFIG_THUMB2_KERNEL */
 	.endm
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 058/148] ARM: avoid faulting on qemu
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 057/148] ARM: BUG if jumping to usermode address in kernel mode Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 059/148] thp: reduce indentation level in change_huge_pmd() Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Russell King, Alex Shi

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 3aaf33bebda8d4ffcc0fc8ef39e6c1ac68823b11 upstream.

When qemu starts a kernel in a bare environment, the default SCR has
the AW and FW bits clear, which means that the kernel can't modify
the PSR A or PSR F bits, and means that FIQs and imprecise aborts are
always masked.

When running uboot under qemu, the AW and FW SCR bits are set, and the
kernel functions normally - and this is how real hardware behaves.

Fix this for qemu by ignoring the FIQ bit.

Fixes: 8bafae202c82 ("ARM: BUG if jumping to usermode address in kernel mode")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Alex Shi <alex.shi@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/kernel/entry-header.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/kernel/entry-header.S
+++ b/arch/arm/kernel/entry-header.S
@@ -299,7 +299,7 @@
 	mov	r2, sp
 	ldr	r1, [r2, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [r2, #\offset + S_PC]!	@ get pc
-	tst	r1, #0xcf
+	tst	r1, #PSR_I_BIT | 0x0f
 	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
@@ -331,7 +331,7 @@
 	ldr	r1, [sp, #\offset + S_PSR]	@ get calling cpsr
 	ldr	lr, [sp, #\offset + S_PC]	@ get pc
 	add	sp, sp, #\offset + S_SP
-	tst	r1, #0xcf
+	tst	r1, #PSR_I_BIT | 0x0f
 	bne	1f
 	msr	spsr_cxsf, r1			@ save in spsr_svc
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 059/148] thp: reduce indentation level in change_huge_pmd()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 058/148] ARM: avoid faulting on qemu Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 060/148] thp: fix MADV_DONTNEED vs. numa balancing race Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Vlastimil Babka,
	Andrea Arcangeli, Hillf Danton, Andrew Morton, Linus Torvalds,
	Jack Wang

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

commit 0a85e51d37645e9ce57e5e1a30859e07810ed07c upstream.

Patch series "thp: fix few MADV_DONTNEED races"

For MADV_DONTNEED to work properly with huge pages, it's critical to not
clear pmd intermittently unless you hold down_write(mmap_sem).

Otherwise MADV_DONTNEED can miss the THP which can lead to userspace
breakage.

See example of such race in commit message of patch 2/4.

All these races are found by code inspection.  I haven't seen them
triggered.  I don't think it's worth to apply them to stable@.

This patch (of 4):

Restructure code in preparation for a fix.

Link: http://lkml.kernel.org/r/20170302151034.27829-2-kirill.shutemov@linux.intel.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[jwang: adjust context for 4.9]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/huge_memory.c |   56 +++++++++++++++++++++++++++----------------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1509,37 +1509,37 @@ int change_huge_pmd(struct vm_area_struc
 {
 	struct mm_struct *mm = vma->vm_mm;
 	spinlock_t *ptl;
-	int ret = 0;
+	pmd_t entry;
+	bool preserve_write;
+	int ret;
 
 	ptl = __pmd_trans_huge_lock(pmd, vma);
-	if (ptl) {
-		pmd_t entry;
-		bool preserve_write = prot_numa && pmd_write(*pmd);
-		ret = 1;
-
-		/*
-		 * Avoid trapping faults against the zero page. The read-only
-		 * data is likely to be read-cached on the local CPU and
-		 * local/remote hits to the zero page are not interesting.
-		 */
-		if (prot_numa && is_huge_zero_pmd(*pmd)) {
-			spin_unlock(ptl);
-			return ret;
-		}
-
-		if (!prot_numa || !pmd_protnone(*pmd)) {
-			entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd);
-			entry = pmd_modify(entry, newprot);
-			if (preserve_write)
-				entry = pmd_mkwrite(entry);
-			ret = HPAGE_PMD_NR;
-			set_pmd_at(mm, addr, pmd, entry);
-			BUG_ON(vma_is_anonymous(vma) && !preserve_write &&
-					pmd_write(entry));
-		}
-		spin_unlock(ptl);
-	}
+	if (!ptl)
+		return 0;
 
+	preserve_write = prot_numa && pmd_write(*pmd);
+	ret = 1;
+
+	/*
+	 * Avoid trapping faults against the zero page. The read-only
+	 * data is likely to be read-cached on the local CPU and
+	 * local/remote hits to the zero page are not interesting.
+	 */
+	if (prot_numa && is_huge_zero_pmd(*pmd))
+		goto unlock;
+
+	if (prot_numa && pmd_protnone(*pmd))
+		goto unlock;
+
+	entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd);
+	entry = pmd_modify(entry, newprot);
+	if (preserve_write)
+		entry = pmd_mkwrite(entry);
+	ret = HPAGE_PMD_NR;
+	set_pmd_at(mm, addr, pmd, entry);
+	BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry));
+unlock:
+	spin_unlock(ptl);
 	return ret;
 }
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 060/148] thp: fix MADV_DONTNEED vs. numa balancing race
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 059/148] thp: reduce indentation level in change_huge_pmd() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 061/148] mm: drop unused pmdp_huge_get_and_clear_notify() Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Andrea Arcangeli,
	Hillf Danton, Andrew Morton, Linus Torvalds, Jack Wang

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

commit ced108037c2aa542b3ed8b7afd1576064ad1362a upstream.

In case prot_numa, we are under down_read(mmap_sem).  It's critical to
not clear pmd intermittently to avoid race with MADV_DONTNEED which is
also under down_read(mmap_sem):

	CPU0:				CPU1:
				change_huge_pmd(prot_numa=1)
				 pmdp_huge_get_and_clear_notify()
madvise_dontneed()
 zap_pmd_range()
  pmd_trans_huge(*pmd) == 0 (without ptl)
  // skip the pmd
				 set_pmd_at();
				 // pmd is re-established

The race makes MADV_DONTNEED miss the huge pmd and don't clear it
which may break userspace.

Found by code analysis, never saw triggered.

Link: http://lkml.kernel.org/r/20170302151034.27829-3-kirill.shutemov@linux.intel.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[jwang: adjust context for 4.9 ]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/huge_memory.c |   34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1531,7 +1531,39 @@ int change_huge_pmd(struct vm_area_struc
 	if (prot_numa && pmd_protnone(*pmd))
 		goto unlock;
 
-	entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd);
+	/*
+	 * In case prot_numa, we are under down_read(mmap_sem). It's critical
+	 * to not clear pmd intermittently to avoid race with MADV_DONTNEED
+	 * which is also under down_read(mmap_sem):
+	 *
+	 *	CPU0:				CPU1:
+	 *				change_huge_pmd(prot_numa=1)
+	 *				 pmdp_huge_get_and_clear_notify()
+	 * madvise_dontneed()
+	 *  zap_pmd_range()
+	 *   pmd_trans_huge(*pmd) == 0 (without ptl)
+	 *   // skip the pmd
+	 *				 set_pmd_at();
+	 *				 // pmd is re-established
+	 *
+	 * The race makes MADV_DONTNEED miss the huge pmd and don't clear it
+	 * which may break userspace.
+	 *
+	 * pmdp_invalidate() is required to make sure we don't miss
+	 * dirty/young flags set by hardware.
+	 */
+	entry = *pmd;
+	pmdp_invalidate(vma, addr, pmd);
+
+	/*
+	 * Recover dirty/young flags.  It relies on pmdp_invalidate to not
+	 * corrupt them.
+	 */
+	if (pmd_dirty(*pmd))
+		entry = pmd_mkdirty(entry);
+	if (pmd_young(*pmd))
+		entry = pmd_mkyoung(entry);
+
 	entry = pmd_modify(entry, newprot);
 	if (preserve_write)
 		entry = pmd_mkwrite(entry);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 061/148] mm: drop unused pmdp_huge_get_and_clear_notify()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 060/148] thp: fix MADV_DONTNEED vs. numa balancing race Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 062/148] Revert "drm/armada: Fix compile fail" Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill A. Shutemov, Dave Hansen,
	Andrew Morton, Linus Torvalds, Jack Wang

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

commit c0c379e2931b05facef538e53bf3b21f283d9a0b upstream.

Dave noticed that after fixing MADV_DONTNEED vs numa balancing race the
last pmdp_huge_get_and_clear_notify() user is gone.

Let's drop the helper.

Link: http://lkml.kernel.org/r/20170306112047.24809-1-kirill.shutemov@linux.intel.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[jwang: adjust context for 4.9]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/mmu_notifier.h |   13 -------------
 1 file changed, 13 deletions(-)

--- a/include/linux/mmu_notifier.h
+++ b/include/linux/mmu_notifier.h
@@ -381,18 +381,6 @@ static inline void mmu_notifier_mm_destr
 	___pmd;								\
 })
 
-#define pmdp_huge_get_and_clear_notify(__mm, __haddr, __pmd)		\
-({									\
-	unsigned long ___haddr = __haddr & HPAGE_PMD_MASK;		\
-	pmd_t ___pmd;							\
-									\
-	___pmd = pmdp_huge_get_and_clear(__mm, __haddr, __pmd);		\
-	mmu_notifier_invalidate_range(__mm, ___haddr,			\
-				      ___haddr + HPAGE_PMD_SIZE);	\
-									\
-	___pmd;								\
-})
-
 /*
  * set_pte_at_notify() sets the pte _after_ running the notifier.
  * This is safe to start by updating the secondary MMUs, because the primary MMU
@@ -480,7 +468,6 @@ static inline void mmu_notifier_mm_destr
 #define pmdp_clear_young_notify pmdp_test_and_clear_young
 #define	ptep_clear_flush_notify ptep_clear_flush
 #define pmdp_huge_clear_flush_notify pmdp_huge_clear_flush
-#define pmdp_huge_get_and_clear_notify pmdp_huge_get_and_clear
 #define set_pte_at_notify set_pte_at
 
 #endif /* CONFIG_MMU_NOTIFIER */

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 062/148] Revert "drm/armada: Fix compile fail"
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 061/148] mm: drop unused pmdp_huge_get_and_clear_notify() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 063/148] Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA" Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sasha Levin <alexander.levin@verizon.com>


This reverts commit 82f260d472c3b4dbb7324624e395c3e91f73a040.

Not required on < 4.10.

Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/armada/Makefile |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/gpu/drm/armada/Makefile
+++ b/drivers/gpu/drm/armada/Makefile
@@ -4,5 +4,3 @@ armada-y	+= armada_510.o
 armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
 
 obj-$(CONFIG_DRM_ARMADA) := armada.o
-
-CFLAGS_armada_trace.o := -I$(src)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 063/148] Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 062/148] Revert "drm/armada: Fix compile fail" Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 064/148] ARM: 8657/1: uaccess: consistently check object sizes Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sasha Levin <alexander.levin@verizon.com>


This reverts commit dadab2d4e3cf708ceba22ecddd94aedfecb39199.

Not required on < 4.10.

Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/Kconfig |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/spi/Kconfig
+++ b/drivers/spi/Kconfig
@@ -365,7 +365,6 @@ config SPI_FSL_SPI
 config SPI_FSL_DSPI
 	tristate "Freescale DSPI controller"
 	select REGMAP_MMIO
-	depends on HAS_DMA
 	depends on SOC_VF610 || SOC_LS1021A || ARCH_LAYERSCAPE || COMPILE_TEST
 	help
 	  This enables support for the Freescale DSPI controller in master

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 064/148] ARM: 8657/1: uaccess: consistently check object sizes
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 063/148] Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA" Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 065/148] vti6: Dont report path MTU below IPV6_MIN_MTU Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Kees Cook,
	Russell King, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>


[ Upstream commit 32b143637e8180f5d5cea54320c769210dea4f19 ]

In commit 76624175dcae ("arm64: uaccess: consistently check object sizes"),
the object size checks are moved outside the access_ok() so that bad
destinations are detected before hitting the "memset(dest, 0, size)" in the
copy_from_user() failure path.

This makes the same change for arm, with attention given to possibly
extracting the uaccess routines into a common header file for all
architectures in the future.

Suggested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/uaccess.h |   44 +++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 12 deletions(-)

--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -478,11 +478,10 @@ extern unsigned long __must_check
 arm_copy_from_user(void *to, const void __user *from, unsigned long n);
 
 static inline unsigned long __must_check
-__copy_from_user(void *to, const void __user *from, unsigned long n)
+__arch_copy_from_user(void *to, const void __user *from, unsigned long n)
 {
 	unsigned int __ua_flags;
 
-	check_object_size(to, n, false);
 	__ua_flags = uaccess_save_and_enable();
 	n = arm_copy_from_user(to, from, n);
 	uaccess_restore(__ua_flags);
@@ -495,18 +494,15 @@ extern unsigned long __must_check
 __copy_to_user_std(void __user *to, const void *from, unsigned long n);
 
 static inline unsigned long __must_check
-__copy_to_user(void __user *to, const void *from, unsigned long n)
+__arch_copy_to_user(void __user *to, const void *from, unsigned long n)
 {
 #ifndef CONFIG_UACCESS_WITH_MEMCPY
 	unsigned int __ua_flags;
-
-	check_object_size(from, n, true);
 	__ua_flags = uaccess_save_and_enable();
 	n = arm_copy_to_user(to, from, n);
 	uaccess_restore(__ua_flags);
 	return n;
 #else
-	check_object_size(from, n, true);
 	return arm_copy_to_user(to, from, n);
 #endif
 }
@@ -526,25 +522,49 @@ __clear_user(void __user *addr, unsigned
 }
 
 #else
-#define __copy_from_user(to, from, n)	(memcpy(to, (void __force *)from, n), 0)
-#define __copy_to_user(to, from, n)	(memcpy((void __force *)to, from, n), 0)
+#define __arch_copy_from_user(to, from, n)	\
+					(memcpy(to, (void __force *)from, n), 0)
+#define __arch_copy_to_user(to, from, n)	\
+					(memcpy((void __force *)to, from, n), 0)
 #define __clear_user(addr, n)		(memset((void __force *)addr, 0, n), 0)
 #endif
 
-static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
+static inline unsigned long __must_check
+__copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+	check_object_size(to, n, false);
+	return __arch_copy_from_user(to, from, n);
+}
+
+static inline unsigned long __must_check
+copy_from_user(void *to, const void __user *from, unsigned long n)
 {
 	unsigned long res = n;
+
+	check_object_size(to, n, false);
+
 	if (likely(access_ok(VERIFY_READ, from, n)))
-		res = __copy_from_user(to, from, n);
+		res = __arch_copy_from_user(to, from, n);
 	if (unlikely(res))
 		memset(to + (n - res), 0, res);
 	return res;
 }
 
-static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
+static inline unsigned long __must_check
+__copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+	check_object_size(from, n, true);
+
+	return __arch_copy_to_user(to, from, n);
+}
+
+static inline unsigned long __must_check
+copy_to_user(void __user *to, const void *from, unsigned long n)
+{
+	check_object_size(from, n, true);
+
 	if (access_ok(VERIFY_WRITE, to, n))
-		n = __copy_to_user(to, from, n);
+		n = __arch_copy_to_user(to, from, n);
 	return n;
 }
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 065/148] vti6: Dont report path MTU below IPV6_MIN_MTU.
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 064/148] ARM: 8657/1: uaccess: consistently check object sizes Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 066/148] ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steffen Klassert, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steffen Klassert <steffen.klassert@secunet.com>


[ Upstream commit e3dc847a5f85b43ee2bfc8eae407a7e383483228 ]

In vti6_xmit(), the check for IPV6_MIN_MTU before we
send a ICMPV6_PKT_TOOBIG message is missing. So we might
report a PMTU below 1280. Fix this by adding the required
check.

Fixes: ccd740cbc6e ("vti6: Add pmtu handling to vti6_xmit.")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -485,11 +485,15 @@ vti6_xmit(struct sk_buff *skb, struct ne
 	if (!skb->ignore_df && skb->len > mtu) {
 		skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
 
-		if (skb->protocol == htons(ETH_P_IPV6))
+		if (skb->protocol == htons(ETH_P_IPV6)) {
+			if (mtu < IPV6_MIN_MTU)
+				mtu = IPV6_MIN_MTU;
+
 			icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
-		else
+		} else {
 			icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
 				  htonl(mtu));
+		}
 
 		return -EMSGSIZE;
 	}

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 066/148] ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 065/148] vti6: Dont report path MTU below IPV6_MIN_MTU Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44   ` gregkh
                   ` (80 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ladislav Michl, Roger Quadros,
	Tony Lindgren, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ladislav Michl <ladis@linux-mips.org>


[ Upstream commit 7807e086a2d1f69cc1a57958cac04fea79fc2112 ]

gpmc_probe_onenand_child returns success even on gpmc_onenand_init
failure. Fix that.

Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
Acked-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-omap2/gpmc-onenand.c |   10 ++++++----
 drivers/memory/omap-gpmc.c         |    4 +---
 include/linux/omap-gpmc.h          |    5 +++--
 3 files changed, 10 insertions(+), 9 deletions(-)

--- a/arch/arm/mach-omap2/gpmc-onenand.c
+++ b/arch/arm/mach-omap2/gpmc-onenand.c
@@ -367,7 +367,7 @@ static int gpmc_onenand_setup(void __iom
 	return ret;
 }
 
-void gpmc_onenand_init(struct omap_onenand_platform_data *_onenand_data)
+int gpmc_onenand_init(struct omap_onenand_platform_data *_onenand_data)
 {
 	int err;
 	struct device *dev = &gpmc_onenand_device.dev;
@@ -393,15 +393,17 @@ void gpmc_onenand_init(struct omap_onena
 	if (err < 0) {
 		dev_err(dev, "Cannot request GPMC CS %d, error %d\n",
 			gpmc_onenand_data->cs, err);
-		return;
+		return err;
 	}
 
 	gpmc_onenand_resource.end = gpmc_onenand_resource.start +
 							ONENAND_IO_SIZE - 1;
 
-	if (platform_device_register(&gpmc_onenand_device) < 0) {
+	err = platform_device_register(&gpmc_onenand_device);
+	if (err) {
 		dev_err(dev, "Unable to register OneNAND device\n");
 		gpmc_cs_free(gpmc_onenand_data->cs);
-		return;
 	}
+
+	return err;
 }
--- a/drivers/memory/omap-gpmc.c
+++ b/drivers/memory/omap-gpmc.c
@@ -1947,9 +1947,7 @@ static int gpmc_probe_onenand_child(stru
 	if (!of_property_read_u32(child, "dma-channel", &val))
 		gpmc_onenand_data->dma_channel = val;
 
-	gpmc_onenand_init(gpmc_onenand_data);
-
-	return 0;
+	return gpmc_onenand_init(gpmc_onenand_data);
 }
 #else
 static int gpmc_probe_onenand_child(struct platform_device *pdev,
--- a/include/linux/omap-gpmc.h
+++ b/include/linux/omap-gpmc.h
@@ -88,10 +88,11 @@ static inline int gpmc_nand_init(struct
 #endif
 
 #if IS_ENABLED(CONFIG_MTD_ONENAND_OMAP2)
-extern void gpmc_onenand_init(struct omap_onenand_platform_data *d);
+extern int gpmc_onenand_init(struct omap_onenand_platform_data *d);
 #else
 #define board_onenand_data	NULL
-static inline void gpmc_onenand_init(struct omap_onenand_platform_data *d)
+static inline int gpmc_onenand_init(struct omap_onenand_platform_data *d)
 {
+	return 0;
 }
 #endif

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 067/148] x86/selftests: Add clobbers for int80 on x86_64
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
  2017-12-12 12:43 ` [PATCH 4.9 001/148] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
@ 2017-12-12 12:44   ` gregkh
  2017-12-12 12:43 ` [PATCH 4.9 004/148] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Greg Kroah-Hartman
                     ` (141 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Safonov, Andy Lutomirski,
	0x7f454c46, Borislav Petkov, Borislav Petkov, Brian Gerst,
	Denys Vlasenko, H. Peter Anvin, Josh Poimboeuf, Linus Torvalds,
	Peter Zijlstra, Shuah Khan, Thomas Gleixner, linux-kselftest,
	Ingo Molnar, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dsafonov@virtuozzo.com>


[ Upstream commit 2a4d0c627f5374f365a873dea4e10ae0bb437680 ]

Kernel erases R8..R11 registers prior returning to userspace
from int80:

  https://lkml.org/lkml/2009/10/1/164

GCC can reuse these registers and doesn't expect them to change
during syscall invocation. I met this kind of bug in CRIU once
GCC 6.1 and CLANG stored local variables in those registers
and the kernel zerofied them during syscall:

  https://github.com/xemul/criu/commit/990d33f1a1cdd17bca6c2eb059ab3be2564f7fa2

By that reason I suggest to add those registers to clobbers
in selftests.  Also, as noted by Andy - removed unneeded clobber
for flags in INT $0x80 inline asm.

Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: 0x7f454c46@gmail.com
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bp@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kselftest@vger.kernel.org
Link: http://lkml.kernel.org/r/20170213101336.20486-1-dsafonov@virtuozzo.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/x86/fsgsbase.c            |    2 +-
 tools/testing/selftests/x86/ldt_gdt.c             |   16 +++++++++++-----
 tools/testing/selftests/x86/ptrace_syscall.c      |    3 ++-
 tools/testing/selftests/x86/single_step_syscall.c |    5 ++++-
 4 files changed, 18 insertions(+), 8 deletions(-)

--- a/tools/testing/selftests/x86/fsgsbase.c
+++ b/tools/testing/selftests/x86/fsgsbase.c
@@ -245,7 +245,7 @@ void do_unexpected_base(void)
 		long ret;
 		asm volatile ("int $0x80"
 			      : "=a" (ret) : "a" (243), "b" (low_desc)
-			      : "flags");
+			      : "r8", "r9", "r10", "r11");
 		memcpy(&desc, low_desc, sizeof(desc));
 		munmap(low_desc, sizeof(desc));
 
--- a/tools/testing/selftests/x86/ldt_gdt.c
+++ b/tools/testing/selftests/x86/ldt_gdt.c
@@ -45,6 +45,12 @@
 #define AR_DB			(1 << 22)
 #define AR_G			(1 << 23)
 
+#ifdef __x86_64__
+# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
+#else
+# define INT80_CLOBBERS
+#endif
+
 static int nerrs;
 
 /* Points to an array of 1024 ints, each holding its own index. */
@@ -649,7 +655,7 @@ static int invoke_set_thread_area(void)
 	asm volatile ("int $0x80"
 		      : "=a" (ret), "+m" (low_user_desc) :
 			"a" (243), "b" (low_user_desc)
-		      : "flags");
+		      : INT80_CLOBBERS);
 	return ret;
 }
 
@@ -718,7 +724,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 	if (sel != 0) {
 		result = "FAIL";
@@ -749,7 +755,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 	if (sel != 0) {
 		result = "FAIL";
@@ -782,7 +788,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 #ifdef __x86_64__
 	syscall(SYS_arch_prctl, ARCH_GET_FS, &new_base);
@@ -835,7 +841,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 #ifdef __x86_64__
 	syscall(SYS_arch_prctl, ARCH_GET_GS, &new_base);
--- a/tools/testing/selftests/x86/ptrace_syscall.c
+++ b/tools/testing/selftests/x86/ptrace_syscall.c
@@ -58,7 +58,8 @@ static void do_full_int80(struct syscall
 	asm volatile ("int $0x80"
 		      : "+a" (args->nr),
 			"+b" (args->arg0), "+c" (args->arg1), "+d" (args->arg2),
-			"+S" (args->arg3), "+D" (args->arg4), "+r" (bp));
+			"+S" (args->arg3), "+D" (args->arg4), "+r" (bp)
+			: : "r8", "r9", "r10", "r11");
 	args->arg5 = bp;
 #else
 	sys32_helper(args, int80_and_ret);
--- a/tools/testing/selftests/x86/single_step_syscall.c
+++ b/tools/testing/selftests/x86/single_step_syscall.c
@@ -56,9 +56,11 @@ static volatile sig_atomic_t sig_traps;
 #ifdef __x86_64__
 # define REG_IP REG_RIP
 # define WIDTH "q"
+# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
 #else
 # define REG_IP REG_EIP
 # define WIDTH "l"
+# define INT80_CLOBBERS
 #endif
 
 static unsigned long get_eflags(void)
@@ -140,7 +142,8 @@ int main()
 
 	printf("[RUN]\tSet TF and check int80\n");
 	set_eflags(get_eflags() | X86_EFLAGS_TF);
-	asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid));
+	asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid)
+			: INT80_CLOBBERS);
 	check_result();
 
 	/*

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [Linux-kselftest-mirror] [PATCH 4.9 067/148] x86/selftests: Add clobbers for int80 on x86_64
@ 2017-12-12 12:44   ` gregkh
  0 siblings, 0 replies; 151+ messages in thread
From: gregkh @ 2017-12-12 12:44 UTC (permalink / raw)


4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dsafonov at virtuozzo.com>


[ Upstream commit 2a4d0c627f5374f365a873dea4e10ae0bb437680 ]

Kernel erases R8..R11 registers prior returning to userspace
from int80:

  https://lkml.org/lkml/2009/10/1/164

GCC can reuse these registers and doesn't expect them to change
during syscall invocation. I met this kind of bug in CRIU once
GCC 6.1 and CLANG stored local variables in those registers
and the kernel zerofied them during syscall:

  https://github.com/xemul/criu/commit/990d33f1a1cdd17bca6c2eb059ab3be2564f7fa2

By that reason I suggest to add those registers to clobbers
in selftests.  Also, as noted by Andy - removed unneeded clobber
for flags in INT $0x80 inline asm.

Signed-off-by: Dmitry Safonov <dsafonov at virtuozzo.com>
Acked-by: Andy Lutomirski <luto at kernel.org>
Cc: 0x7f454c46 at gmail.com
Cc: Borislav Petkov <bp at alien8.de>
Cc: Borislav Petkov <bp at suse.de>
Cc: Brian Gerst <brgerst at gmail.com>
Cc: Denys Vlasenko <dvlasenk at redhat.com>
Cc: H. Peter Anvin <hpa at zytor.com>
Cc: Josh Poimboeuf <jpoimboe at redhat.com>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Shuah Khan <shuah at kernel.org>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: linux-kselftest at vger.kernel.org
Link: http://lkml.kernel.org/r/20170213101336.20486-1-dsafonov at virtuozzo.com
Signed-off-by: Ingo Molnar <mingo at kernel.org>
Signed-off-by: Sasha Levin <alexander.levin at verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 tools/testing/selftests/x86/fsgsbase.c            |    2 +-
 tools/testing/selftests/x86/ldt_gdt.c             |   16 +++++++++++-----
 tools/testing/selftests/x86/ptrace_syscall.c      |    3 ++-
 tools/testing/selftests/x86/single_step_syscall.c |    5 ++++-
 4 files changed, 18 insertions(+), 8 deletions(-)

--- a/tools/testing/selftests/x86/fsgsbase.c
+++ b/tools/testing/selftests/x86/fsgsbase.c
@@ -245,7 +245,7 @@ void do_unexpected_base(void)
 		long ret;
 		asm volatile ("int $0x80"
 			      : "=a" (ret) : "a" (243), "b" (low_desc)
-			      : "flags");
+			      : "r8", "r9", "r10", "r11");
 		memcpy(&desc, low_desc, sizeof(desc));
 		munmap(low_desc, sizeof(desc));
 
--- a/tools/testing/selftests/x86/ldt_gdt.c
+++ b/tools/testing/selftests/x86/ldt_gdt.c
@@ -45,6 +45,12 @@
 #define AR_DB			(1 << 22)
 #define AR_G			(1 << 23)
 
+#ifdef __x86_64__
+# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
+#else
+# define INT80_CLOBBERS
+#endif
+
 static int nerrs;
 
 /* Points to an array of 1024 ints, each holding its own index. */
@@ -649,7 +655,7 @@ static int invoke_set_thread_area(void)
 	asm volatile ("int $0x80"
 		      : "=a" (ret), "+m" (low_user_desc) :
 			"a" (243), "b" (low_user_desc)
-		      : "flags");
+		      : INT80_CLOBBERS);
 	return ret;
 }
 
@@ -718,7 +724,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 	if (sel != 0) {
 		result = "FAIL";
@@ -749,7 +755,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 	if (sel != 0) {
 		result = "FAIL";
@@ -782,7 +788,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 #ifdef __x86_64__
 	syscall(SYS_arch_prctl, ARCH_GET_FS, &new_base);
@@ -835,7 +841,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 #ifdef __x86_64__
 	syscall(SYS_arch_prctl, ARCH_GET_GS, &new_base);
--- a/tools/testing/selftests/x86/ptrace_syscall.c
+++ b/tools/testing/selftests/x86/ptrace_syscall.c
@@ -58,7 +58,8 @@ static void do_full_int80(struct syscall
 	asm volatile ("int $0x80"
 		      : "+a" (args->nr),
 			"+b" (args->arg0), "+c" (args->arg1), "+d" (args->arg2),
-			"+S" (args->arg3), "+D" (args->arg4), "+r" (bp));
+			"+S" (args->arg3), "+D" (args->arg4), "+r" (bp)
+			: : "r8", "r9", "r10", "r11");
 	args->arg5 = bp;
 #else
 	sys32_helper(args, int80_and_ret);
--- a/tools/testing/selftests/x86/single_step_syscall.c
+++ b/tools/testing/selftests/x86/single_step_syscall.c
@@ -56,9 +56,11 @@ static volatile sig_atomic_t sig_traps;
 #ifdef __x86_64__
 # define REG_IP REG_RIP
 # define WIDTH "q"
+# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
 #else
 # define REG_IP REG_EIP
 # define WIDTH "l"
+# define INT80_CLOBBERS
 #endif
 
 static unsigned long get_eflags(void)
@@ -140,7 +142,8 @@ int main()
 
 	printf("[RUN]\tSet TF and check int80\n");
 	set_eflags(get_eflags() | X86_EFLAGS_TF);
-	asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid));
+	asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid)
+			: INT80_CLOBBERS);
 	check_result();
 
 	/*


--
To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [Linux-kselftest-mirror] [PATCH 4.9 067/148] x86/selftests: Add clobbers for int80 on x86_64
@ 2017-12-12 12:44   ` gregkh
  0 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)


4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov <dsafonov@virtuozzo.com>


[ Upstream commit 2a4d0c627f5374f365a873dea4e10ae0bb437680 ]

Kernel erases R8..R11 registers prior returning to userspace
from int80:

  https://lkml.org/lkml/2009/10/1/164

GCC can reuse these registers and doesn't expect them to change
during syscall invocation. I met this kind of bug in CRIU once
GCC 6.1 and CLANG stored local variables in those registers
and the kernel zerofied them during syscall:

  https://github.com/xemul/criu/commit/990d33f1a1cdd17bca6c2eb059ab3be2564f7fa2

By that reason I suggest to add those registers to clobbers
in selftests.  Also, as noted by Andy - removed unneeded clobber
for flags in INT $0x80 inline asm.

Signed-off-by: Dmitry Safonov <dsafonov at virtuozzo.com>
Acked-by: Andy Lutomirski <luto at kernel.org>
Cc: 0x7f454c46 at gmail.com
Cc: Borislav Petkov <bp at alien8.de>
Cc: Borislav Petkov <bp at suse.de>
Cc: Brian Gerst <brgerst at gmail.com>
Cc: Denys Vlasenko <dvlasenk at redhat.com>
Cc: H. Peter Anvin <hpa at zytor.com>
Cc: Josh Poimboeuf <jpoimboe at redhat.com>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Shuah Khan <shuah at kernel.org>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: linux-kselftest at vger.kernel.org
Link: http://lkml.kernel.org/r/20170213101336.20486-1-dsafonov at virtuozzo.com
Signed-off-by: Ingo Molnar <mingo at kernel.org>
Signed-off-by: Sasha Levin <alexander.levin at verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 tools/testing/selftests/x86/fsgsbase.c            |    2 +-
 tools/testing/selftests/x86/ldt_gdt.c             |   16 +++++++++++-----
 tools/testing/selftests/x86/ptrace_syscall.c      |    3 ++-
 tools/testing/selftests/x86/single_step_syscall.c |    5 ++++-
 4 files changed, 18 insertions(+), 8 deletions(-)

--- a/tools/testing/selftests/x86/fsgsbase.c
+++ b/tools/testing/selftests/x86/fsgsbase.c
@@ -245,7 +245,7 @@ void do_unexpected_base(void)
 		long ret;
 		asm volatile ("int $0x80"
 			      : "=a" (ret) : "a" (243), "b" (low_desc)
-			      : "flags");
+			      : "r8", "r9", "r10", "r11");
 		memcpy(&desc, low_desc, sizeof(desc));
 		munmap(low_desc, sizeof(desc));
 
--- a/tools/testing/selftests/x86/ldt_gdt.c
+++ b/tools/testing/selftests/x86/ldt_gdt.c
@@ -45,6 +45,12 @@
 #define AR_DB			(1 << 22)
 #define AR_G			(1 << 23)
 
+#ifdef __x86_64__
+# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
+#else
+# define INT80_CLOBBERS
+#endif
+
 static int nerrs;
 
 /* Points to an array of 1024 ints, each holding its own index. */
@@ -649,7 +655,7 @@ static int invoke_set_thread_area(void)
 	asm volatile ("int $0x80"
 		      : "=a" (ret), "+m" (low_user_desc) :
 			"a" (243), "b" (low_user_desc)
-		      : "flags");
+		      : INT80_CLOBBERS);
 	return ret;
 }
 
@@ -718,7 +724,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 	if (sel != 0) {
 		result = "FAIL";
@@ -749,7 +755,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 	if (sel != 0) {
 		result = "FAIL";
@@ -782,7 +788,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 #ifdef __x86_64__
 	syscall(SYS_arch_prctl, ARCH_GET_FS, &new_base);
@@ -835,7 +841,7 @@ static void test_gdt_invalidation(void)
 			"+a" (eax)
 		      : "m" (low_user_desc_clear),
 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
-		      : "flags");
+		      : INT80_CLOBBERS);
 
 #ifdef __x86_64__
 	syscall(SYS_arch_prctl, ARCH_GET_GS, &new_base);
--- a/tools/testing/selftests/x86/ptrace_syscall.c
+++ b/tools/testing/selftests/x86/ptrace_syscall.c
@@ -58,7 +58,8 @@ static void do_full_int80(struct syscall
 	asm volatile ("int $0x80"
 		      : "+a" (args->nr),
 			"+b" (args->arg0), "+c" (args->arg1), "+d" (args->arg2),
-			"+S" (args->arg3), "+D" (args->arg4), "+r" (bp));
+			"+S" (args->arg3), "+D" (args->arg4), "+r" (bp)
+			: : "r8", "r9", "r10", "r11");
 	args->arg5 = bp;
 #else
 	sys32_helper(args, int80_and_ret);
--- a/tools/testing/selftests/x86/single_step_syscall.c
+++ b/tools/testing/selftests/x86/single_step_syscall.c
@@ -56,9 +56,11 @@ static volatile sig_atomic_t sig_traps;
 #ifdef __x86_64__
 # define REG_IP REG_RIP
 # define WIDTH "q"
+# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
 #else
 # define REG_IP REG_EIP
 # define WIDTH "l"
+# define INT80_CLOBBERS
 #endif
 
 static unsigned long get_eflags(void)
@@ -140,7 +142,8 @@ int main()
 
 	printf("[RUN]\tSet TF and check int80\n");
 	set_eflags(get_eflags() | X86_EFLAGS_TF);
-	asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid));
+	asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid)
+			: INT80_CLOBBERS);
 	check_result();
 
 	/*


--
To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 068/148] x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2017-12-12 12:44   ` gregkh
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 069/148] sched/fair: Make select_idle_cpu() more aggressive Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Banman, Mike Travis,
	Andy Lutomirski, Borislav Petkov, Brian Gerst, Denys Vlasenko,
	H. Peter Anvin, Josh Poimboeuf, Linus Torvalds, Peter Zijlstra,
	Thomas Gleixner, akpm, rja, sivanich, Ingo Molnar, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Banman <abanman@hpe.com>


[ Upstream commit 1b17c6df852851b40c3c27c66b8fa2fd99cf25d8 ]

Writing to the software acknowledge clear register when there are no
pending messages causes a HUB error to assert. The original intent of this
write was to clear the pending bits before start of operation, but this is
an incorrect method and has been determined to be unnecessary.

Signed-off-by: Andrew Banman <abanman@hpe.com>
Acked-by: Mike Travis <mike.travis@hpe.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: akpm@linux-foundation.org
Cc: rja@hpe.com
Cc: sivanich@hpe.com
Link: http://lkml.kernel.org/r/1487351269-181133-1-git-send-email-abanman@hpe.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/platform/uv/tlb_uv.c |    1 -
 1 file changed, 1 deletion(-)

--- a/arch/x86/platform/uv/tlb_uv.c
+++ b/arch/x86/platform/uv/tlb_uv.c
@@ -1848,7 +1848,6 @@ static void pq_init(int node, int pnode)
 
 	ops.write_payload_first(pnode, first);
 	ops.write_payload_last(pnode, last);
-	ops.write_g_sw_ack(pnode, 0xffffUL);
 
 	/* in effect, all msg_type's are set to MSG_NOOP */
 	memset(pqp, 0, sizeof(struct bau_pq_entry) * DEST_Q_SIZE);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 069/148] sched/fair: Make select_idle_cpu() more aggressive
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 068/148] x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 070/148] x86/hpet: Prevent might sleep splat on resume Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kitsunyan, Peter Zijlstra (Intel),
	Chris Mason, Linus Torvalds, Mike Galbraith, Mike Galbraith,
	Thomas Gleixner, Ingo Molnar, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>


[ Upstream commit 4c77b18cf8b7ab37c7d5737b4609010d2ceec5f0 ]

Kitsunyan reported desktop latency issues on his Celeron 887 because
of commit:

  1b568f0aabf2 ("sched/core: Optimize SCHED_SMT")

... even though his CPU doesn't do SMT.

The effect of running the SMT code on a !SMT part is basically a more
aggressive select_idle_cpu(). Removing the avg condition fixed things
for him.

I also know FB likes this test gone, even though other workloads like
having it.

For now, take it out by default, until we get a better idea.

Reported-by: kitsunyan <kitsunyan@inbox.ru>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Chris Mason <clm@fb.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Mike Galbraith <umgwanakikbuti@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/fair.c     |    2 +-
 kernel/sched/features.h |    5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -5451,7 +5451,7 @@ static int select_idle_cpu(struct task_s
 	 * Due to large variance we need a large fuzz factor; hackbench in
 	 * particularly is sensitive here.
 	 */
-	if ((avg_idle / 512) < avg_cost)
+	if (sched_feat(SIS_AVG_CPU) && (avg_idle / 512) < avg_cost)
 		return -1;
 
 	time = local_clock();
--- a/kernel/sched/features.h
+++ b/kernel/sched/features.h
@@ -51,6 +51,11 @@ SCHED_FEAT(NONTASK_CAPACITY, true)
  */
 SCHED_FEAT(TTWU_QUEUE, true)
 
+/*
+ * When doing wakeups, attempt to limit superfluous scans of the LLC domain.
+ */
+SCHED_FEAT(SIS_AVG_CPU, false)
+
 #ifdef HAVE_RT_PUSH_IPI
 /*
  * In order to avoid a thundering herd attack of CPUs that are

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 070/148] x86/hpet: Prevent might sleep splat on resume
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 069/148] sched/fair: Make select_idle_cpu() more aggressive Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 071/148] powerpc/64: Invalidate process table caching after setting process table Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Peter Zijlstra,
	Rafael J. Wysocki, Sergey Senozhatsky, Borislav Petkov,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>


[ Upstream commit bb1a2c26165640ba2cbcfe06c81e9f9d6db4e643 ]

Sergey reported a might sleep warning triggered from the hpet resume
path. It's caused by the call to disable_irq() from interrupt disabled
context.

The problem with the low level resume code is that it is not accounted as a
special system_state like we do during the boot process. Calling the same
code during system boot would not trigger the warning. That's inconsistent
at best.

In this particular case it's trivial to replace the disable_irq() with
disable_hardirq() because this particular code path is solely used from
system resume and the involved hpet interrupts can never be force threaded.

Reported-and-tested-by: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1703012108460.3684@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/hpet.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/hpet.c
+++ b/arch/x86/kernel/hpet.c
@@ -354,7 +354,7 @@ static int hpet_resume(struct clock_even
 
 		irq_domain_deactivate_irq(irq_get_irq_data(hdev->irq));
 		irq_domain_activate_irq(irq_get_irq_data(hdev->irq));
-		disable_irq(hdev->irq);
+		disable_hardirq(hdev->irq);
 		irq_set_affinity(hdev->irq, cpumask_of(hdev->cpu));
 		enable_irq(hdev->irq);
 	}

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 071/148] powerpc/64: Invalidate process table caching after setting process table
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 070/148] x86/hpet: Prevent might sleep splat on resume Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 072/148] selftest/powerpc: Fix false failures for skipped tests Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Mackerras, Michael Ellerman,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>


[ Upstream commit 7a70d7288c926ae88e0c773fbb506aa374e99c2d ]

The POWER9 MMU reads and caches entries from the process table.
When we kexec from one kernel to another, the second kernel sets
its process table pointer but doesn't currently do anything to
make the CPU invalidate any cached entries from the old process table.
This adds a tlbie (TLB invalidate entry) instruction with parameters
to invalidate caching of the process table after the new process
table is installed.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/pgtable-radix.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/powerpc/mm/pgtable-radix.c
+++ b/arch/powerpc/mm/pgtable-radix.c
@@ -173,6 +173,10 @@ redo:
 	 */
 	register_process_table(__pa(process_tb), 0, PRTB_SIZE_SHIFT - 12);
 	pr_info("Process table %p and radix root for kernel: %p\n", process_tb, init_mm.pgd);
+	asm volatile("ptesync" : : : "memory");
+	asm volatile(PPC_TLBIE_5(%0,%1,2,1,1) : :
+		     "r" (TLBIEL_INVAL_SET_LPID), "r" (0));
+	asm volatile("eieio; tlbsync; ptesync" : : : "memory");
 }
 
 static void __init radix_init_partition_table(void)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 072/148] selftest/powerpc: Fix false failures for skipped tests
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 071/148] powerpc/64: Invalidate process table caching after setting process table Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 073/148] powerpc: Fix compiling a BE kernel with a powerpc64le toolchain Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sachin Sant, Michael Ellerman, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sachin Sant <sachinp@linux.vnet.ibm.com>


[ Upstream commit a6d8a21596df041f36f4c2ccc260c459e3e851f1 ]

Tests under alignment subdirectory are skipped when executed on previous
generation hardware, but harness still marks them as failed.

  test: test_copy_unaligned
  tags: git_version:unknown
  [SKIP] Test skipped on line 26
  skip: test_copy_unaligned
  selftests: copy_unaligned [FAIL]

The MAGIC_SKIP_RETURN_VALUE value assigned to rc variable is retained till
the program exit which causes the test to be marked as failed.

This patch resets the value before returning to the main() routine.
With this patch the test o/p is as follows:

  test: test_copy_unaligned
  tags: git_version:unknown
  [SKIP] Test skipped on line 26
  skip: test_copy_unaligned
  selftests: copy_unaligned [PASS]

Signed-off-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/powerpc/harness.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/tools/testing/selftests/powerpc/harness.c
+++ b/tools/testing/selftests/powerpc/harness.c
@@ -114,9 +114,11 @@ int test_harness(int (test_function)(voi
 
 	rc = run_test(test_function, name);
 
-	if (rc == MAGIC_SKIP_RETURN_VALUE)
+	if (rc == MAGIC_SKIP_RETURN_VALUE) {
 		test_skip(name);
-	else
+		/* so that skipped test is not marked as failed */
+		rc = 0;
+	} else
 		test_finish(name, rc);
 
 	return rc;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 073/148] powerpc: Fix compiling a BE kernel with a powerpc64le toolchain
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 072/148] selftest/powerpc: Fix false failures for skipped tests Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 074/148] [media] lirc: fix dead lock between open and wakeup_filter Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Naveen N. Rao,
	Michael Ellerman, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin <npiggin@gmail.com>


[ Upstream commit 4dc831aa88132f835cefe876aa0206977c4d7710 ]

GCC can compile with either endian, but the default ABI version is set
based on the default endianness of the toolchain. Alan Modra says:

  you need both -mbig and -mabi=elfv1 to make a powerpc64le gcc
  generate powerpc64 code

The opposite is true for powerpc64 when generating -mlittle it
requires -mabi=elfv2 to generate v2 ABI, which we were already doing.

This change adds ABI annotations together with endianness for all cases,
LE and BE. This fixes the case of building a BE kernel with a toolchain
that is LE by default.

Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/Makefile |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/arch/powerpc/Makefile
+++ b/arch/powerpc/Makefile
@@ -72,8 +72,15 @@ GNUTARGET	:= powerpc
 MULTIPLEWORD	:= -mmultiple
 endif
 
-cflags-$(CONFIG_CPU_BIG_ENDIAN)		+= $(call cc-option,-mbig-endian)
+ifdef CONFIG_PPC64
+cflags-$(CONFIG_CPU_BIG_ENDIAN)		+= $(call cc-option,-mabi=elfv1)
+cflags-$(CONFIG_CPU_BIG_ENDIAN)		+= $(call cc-option,-mcall-aixdesc)
+aflags-$(CONFIG_CPU_BIG_ENDIAN)		+= $(call cc-option,-mabi=elfv1)
+aflags-$(CONFIG_CPU_LITTLE_ENDIAN)	+= -mabi=elfv2
+endif
+
 cflags-$(CONFIG_CPU_LITTLE_ENDIAN)	+= -mlittle-endian
+cflags-$(CONFIG_CPU_BIG_ENDIAN)		+= $(call cc-option,-mbig-endian)
 ifneq ($(cc-name),clang)
   cflags-$(CONFIG_CPU_LITTLE_ENDIAN)	+= -mno-strict-align
 endif
@@ -113,7 +120,9 @@ ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y)
 CFLAGS-$(CONFIG_PPC64)	+= $(call cc-option,-mabi=elfv2,$(call cc-option,-mcall-aixdesc))
 AFLAGS-$(CONFIG_PPC64)	+= $(call cc-option,-mabi=elfv2)
 else
+CFLAGS-$(CONFIG_PPC64)	+= $(call cc-option,-mabi=elfv1)
 CFLAGS-$(CONFIG_PPC64)	+= $(call cc-option,-mcall-aixdesc)
+AFLAGS-$(CONFIG_PPC64)	+= $(call cc-option,-mabi=elfv1)
 endif
 CFLAGS-$(CONFIG_PPC64)	+= $(call cc-option,-mcmodel=medium,$(call cc-option,-mminimal-toc))
 CFLAGS-$(CONFIG_PPC64)	+= $(call cc-option,-mno-pointers-to-nested-functions)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 074/148] [media] lirc: fix dead lock between open and wakeup_filter
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 073/148] powerpc: Fix compiling a BE kernel with a powerpc64le toolchain Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 075/148] module: set __jump_table alignment to 8 Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Young, Mauro Carvalho Chehab,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>


[ Upstream commit db5b15b74ed9a5c04bb808d18ffa2c773f5c18c0 ]

The locking in lirc needs improvement, but for now just fix this potential
deadlock.

======================================================
[ INFO: possible circular locking dependency detected ]
4.10.0-rc1+ #1 Not tainted
-------------------------------------------------------
bash/2502 is trying to acquire lock:
 (ir_raw_handler_lock){+.+.+.}, at: [<ffffffffc06f6a5e>] ir_raw_encode_scancode+0x3e/0xb0 [rc_core]

               but task is already holding lock:
 (&dev->lock){+.+.+.}, at: [<ffffffffc06f511f>] store_filter+0x9f/0x240 [rc_core]

               which lock already depends on the new lock.

               the existing dependency chain (in reverse order) is:

               -> #2 (&dev->lock){+.+.+.}:

[<ffffffffa110adad>] lock_acquire+0xfd/0x200
[<ffffffffa1921327>] mutex_lock_nested+0x77/0x6d0
[<ffffffffc06f436a>] rc_open+0x2a/0x80 [rc_core]
[<ffffffffc07114ca>] lirc_dev_fop_open+0xda/0x1e0 [lirc_dev]
[<ffffffffa12975e0>] chrdev_open+0xb0/0x210
[<ffffffffa128eb5a>] do_dentry_open+0x20a/0x2f0
[<ffffffffa128ffcc>] vfs_open+0x4c/0x80
[<ffffffffa12a35ec>] path_openat+0x5bc/0xc00
[<ffffffffa12a5271>] do_filp_open+0x91/0x100
[<ffffffffa12903f0>] do_sys_open+0x130/0x220
[<ffffffffa12904fe>] SyS_open+0x1e/0x20
[<ffffffffa19278c1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
               -> #1 (lirc_dev_lock){+.+.+.}:
[<ffffffffa110adad>] lock_acquire+0xfd/0x200
[<ffffffffa1921327>] mutex_lock_nested+0x77/0x6d0
[<ffffffffc0711f47>] lirc_register_driver+0x67/0x59b [lirc_dev]
[<ffffffffc06db7f4>] ir_lirc_register+0x1f4/0x260 [ir_lirc_codec]
[<ffffffffc06f6cac>] ir_raw_handler_register+0x7c/0xb0 [rc_core]
[<ffffffffc0398010>] 0xffffffffc0398010
[<ffffffffa1002192>] do_one_initcall+0x52/0x1b0
[<ffffffffa11ef5c8>] do_init_module+0x5f/0x1fa
[<ffffffffa11566b5>] load_module+0x2675/0x2b00
[<ffffffffa1156dcf>] SYSC_finit_module+0xdf/0x110
[<ffffffffa1156e1e>] SyS_finit_module+0xe/0x10
[<ffffffffa1003f5c>] do_syscall_64+0x6c/0x1f0
[<ffffffffa1927989>] return_from_SYSCALL_64+0x0/0x7a
               -> #0 (ir_raw_handler_lock){+.+.+.}:
[<ffffffffa110a7b7>] __lock_acquire+0x10f7/0x1290
[<ffffffffa110adad>] lock_acquire+0xfd/0x200
[<ffffffffa1921327>] mutex_lock_nested+0x77/0x6d0
[<ffffffffc06f6a5e>] ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
[<ffffffffc0b0f492>] loop_set_wakeup_filter+0x62/0xbd [rc_loopback]
[<ffffffffc06f522a>] store_filter+0x1aa/0x240 [rc_core]
[<ffffffffa15e46f8>] dev_attr_store+0x18/0x30
[<ffffffffa13318e5>] sysfs_kf_write+0x45/0x60
[<ffffffffa1330b55>] kernfs_fop_write+0x155/0x1e0
[<ffffffffa1290797>] __vfs_write+0x37/0x160
[<ffffffffa12921f8>] vfs_write+0xc8/0x1e0
[<ffffffffa12936e8>] SyS_write+0x58/0xc0
[<ffffffffa19278c1>] entry_SYSCALL_64_fastpath+0x1f/0xc2

               other info that might help us debug this:

Chain exists of:
                 ir_raw_handler_lock --> lirc_dev_lock --> &dev->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&dev->lock);
                               lock(lirc_dev_lock);
                               lock(&dev->lock);
  lock(ir_raw_handler_lock);

                *** DEADLOCK ***

4 locks held by bash/2502:
 #0:  (sb_writers#4){.+.+.+}, at: [<ffffffffa12922c5>] vfs_write+0x195/0x1e0
 #1:  (&of->mutex){+.+.+.}, at: [<ffffffffa1330b1f>] kernfs_fop_write+0x11f/0x1e0
 #2:  (s_active#215){.+.+.+}, at: [<ffffffffa1330b28>] kernfs_fop_write+0x128/0x1e0
 #3:  (&dev->lock){+.+.+.}, at: [<ffffffffc06f511f>] store_filter+0x9f/0x240 [rc_core]

               stack backtrace:
CPU: 3 PID: 2502 Comm: bash Not tainted 4.10.0-rc1+ #1
Hardware name:                  /DG45ID, BIOS IDG4510H.86A.0135.2011.0225.1100 02/25/2011
Call Trace:
 dump_stack+0x86/0xc3
 print_circular_bug+0x1be/0x210
 __lock_acquire+0x10f7/0x1290
 lock_acquire+0xfd/0x200
 ? ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
 ? ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
 mutex_lock_nested+0x77/0x6d0
 ? ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
 ? loop_set_wakeup_filter+0x44/0xbd [rc_loopback]
 ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
 loop_set_wakeup_filter+0x62/0xbd [rc_loopback]
 ? loop_set_tx_duty_cycle+0x70/0x70 [rc_loopback]
 store_filter+0x1aa/0x240 [rc_core]
 dev_attr_store+0x18/0x30
 sysfs_kf_write+0x45/0x60
 kernfs_fop_write+0x155/0x1e0
 __vfs_write+0x37/0x160
 ? rcu_read_lock_sched_held+0x4a/0x80
 ? rcu_sync_lockdep_assert+0x2f/0x60
 ? __sb_start_write+0x10c/0x220
 ? vfs_write+0x195/0x1e0
 ? security_file_permission+0x3b/0xc0
 vfs_write+0xc8/0x1e0
 SyS_write+0x58/0xc0
 entry_SYSCALL_64_fastpath+0x1f/0xc2

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/lirc_dev.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -446,6 +446,8 @@ int lirc_dev_fop_open(struct inode *inod
 		return -ERESTARTSYS;
 
 	ir = irctls[iminor(inode)];
+	mutex_unlock(&lirc_dev_lock);
+
 	if (!ir) {
 		retval = -ENODEV;
 		goto error;
@@ -486,8 +488,6 @@ int lirc_dev_fop_open(struct inode *inod
 	}
 
 error:
-	mutex_unlock(&lirc_dev_lock);
-
 	nonseekable_open(inode, file);
 
 	return retval;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 075/148] module: set __jump_table alignment to 8
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 074/148] [media] lirc: fix dead lock between open and wakeup_filter Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 076/148] powerpc/64: Fix checksum folding in csum_add() Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Baron, Jessica Yu, Sachin Sant,
	David Daney, Steven Rostedt (VMware),
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Daney <david.daney@cavium.com>


[ Upstream commit ab42632156becd35d3884ee5c14da2bedbf3149a ]

For powerpc the __jump_table section in modules is not aligned, this
causes a WARN_ON() splat when loading a module containing a __jump_table.

Strict alignment became necessary with commit 3821fd35b58d
("jump_label: Reduce the size of struct static_key"), currently in
linux-next, which uses the two least significant bits of pointers to
__jump_table elements.

Fix by forcing __jump_table to 8, which is the same alignment used for
this section in the kernel proper.

Link: http://lkml.kernel.org/r/20170301220453.4756-1-david.daney@cavium.com

Reviewed-by: Jason Baron <jbaron@akamai.com>
Acked-by: Jessica Yu <jeyu@redhat.com>
Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: David Daney <david.daney@cavium.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/module-common.lds |    2 ++
 1 file changed, 2 insertions(+)

--- a/scripts/module-common.lds
+++ b/scripts/module-common.lds
@@ -19,4 +19,6 @@ SECTIONS {
 
 	. = ALIGN(8);
 	.init_array		0 : { *(SORT(.init_array.*)) *(.init_array) }
+
+	__jump_table		0 : ALIGN(8) { KEEP(*(__jump_table)) }
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 076/148] powerpc/64: Fix checksum folding in csum_add()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 075/148] module: set __jump_table alignment to 8 Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 077/148] ARM: OMAP2+: Fix device node reference counts Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shile Zhang, Paul Mackerras,
	Michael Ellerman, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shile Zhang <shile.zhang@nokia.com>


[ Upstream commit 6ad966d7303b70165228dba1ee8da1a05c10eefe ]

Paul's patch to fix checksum folding, commit b492f7e4e07a ("powerpc/64:
Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold")
missed a case in csum_add(). Fix it.

Signed-off-by: Shile Zhang <shile.zhang@nokia.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/include/asm/checksum.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/include/asm/checksum.h
+++ b/arch/powerpc/include/asm/checksum.h
@@ -100,7 +100,7 @@ static inline __wsum csum_add(__wsum csu
 
 #ifdef __powerpc64__
 	res += (__force u64)addend;
-	return (__force __wsum)((u32)res + (res >> 32));
+	return (__force __wsum) from64to32(res);
 #else
 	asm("addc %0,%0,%1;"
 	    "addze %0,%0;"

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 077/148] ARM: OMAP2+: Fix device node reference counts
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 076/148] powerpc/64: Fix checksum folding in csum_add() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 078/148] ARM: OMAP2+: Release device node after it is no longer needed Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qi Hou, Peter Rosin, Rob Herring,
	Guenter Roeck, Tony Lindgren, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>


[ Upstream commit 10e5778f54765c96fe0c8f104b7a030e5b35bc72 ]

After commit 0549bde0fcb1 ("of: fix of_node leak caused in
of_find_node_opts_by_path"), the following error may be
reported when running omap images.

OF: ERROR: Bad of_node_put() on /ocp@68000000
CPU: 0 PID: 0 Comm: swapper Not tainted 4.10.0-rc7-next-20170210 #1
Hardware name: Generic OMAP3-GP (Flattened Device Tree)
[<c0310604>] (unwind_backtrace) from [<c030bbf4>] (show_stack+0x10/0x14)
[<c030bbf4>] (show_stack) from [<c05add8c>] (dump_stack+0x98/0xac)
[<c05add8c>] (dump_stack) from [<c05af1b0>] (kobject_release+0x48/0x7c)
[<c05af1b0>] (kobject_release)
	from [<c0ad1aa4>] (of_find_node_by_name+0x74/0x94)
[<c0ad1aa4>] (of_find_node_by_name)
	from [<c1215bd4>] (omap3xxx_hwmod_is_hs_ip_block_usable+0x24/0x2c)
[<c1215bd4>] (omap3xxx_hwmod_is_hs_ip_block_usable) from
[<c1215d5c>] (omap3xxx_hwmod_init+0x180/0x274)
[<c1215d5c>] (omap3xxx_hwmod_init)
	from [<c120faa8>] (omap3_init_early+0xa0/0x11c)
[<c120faa8>] (omap3_init_early)
	from [<c120fb2c>] (omap3430_init_early+0x8/0x30)
[<c120fb2c>] (omap3430_init_early)
	from [<c1204710>] (setup_arch+0xc04/0xc34)
[<c1204710>] (setup_arch) from [<c1200948>] (start_kernel+0x68/0x38c)
[<c1200948>] (start_kernel) from [<8020807c>] (0x8020807c)

of_find_node_by_name() drops the reference to the passed device node.
The commit referenced above exposes this problem.

To fix the problem, use of_get_child_by_name() instead of
of_find_node_by_name(); of_get_child_by_name() does not drop
the reference count of passed device nodes. While semantically
different, we only look for immediate children of the passed
device node, so of_get_child_by_name() is a more appropriate
function to use anyway.

Release the reference to the device node obtained with
of_get_child_by_name() after it is no longer needed to avoid
another device node leak.

While at it, clean up the code and change the return type of
omap3xxx_hwmod_is_hs_ip_block_usable() to bool to match its use
and the return type of of_device_is_available().

Cc: Qi Hou <qi.hou@windriver.com>
Cc: Peter Rosin <peda@axentia.se>
Cc: Rob Herring <robh@kernel.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -3828,16 +3828,20 @@ static struct omap_hwmod_ocp_if *omap3xx
  * Return: 0 if device named @dev_name is not likely to be accessible,
  * or 1 if it is likely to be accessible.
  */
-static int __init omap3xxx_hwmod_is_hs_ip_block_usable(struct device_node *bus,
-						       const char *dev_name)
+static bool __init omap3xxx_hwmod_is_hs_ip_block_usable(struct device_node *bus,
+							const char *dev_name)
 {
+	struct device_node *node;
+	bool available;
+
 	if (!bus)
-		return (omap_type() == OMAP2_DEVICE_TYPE_GP) ? 1 : 0;
+		return omap_type() == OMAP2_DEVICE_TYPE_GP;
 
-	if (of_device_is_available(of_find_node_by_name(bus, dev_name)))
-		return 1;
+	node = of_get_child_by_name(bus, dev_name);
+	available = of_device_is_available(node);
+	of_node_put(node);
 
-	return 0;
+	return available;
 }
 
 int __init omap3xxx_hwmod_init(void)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 078/148] ARM: OMAP2+: Release device node after it is no longer needed.
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 077/148] ARM: OMAP2+: Fix device node reference counts Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 079/148] ASoC: rcar: avoid SSI_MODEx settings for SSI8 Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Tony Lindgren, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>


[ Upstream commit b92675d998a9fa37fe9e0e35053a95b4a23c158b ]

The device node returned by of_find_node_by_name() needs to be released
after it is no longer needed to avoid a device node leak.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
@@ -3910,15 +3910,20 @@ int __init omap3xxx_hwmod_init(void)
 
 	if (h_sham && omap3xxx_hwmod_is_hs_ip_block_usable(bus, "sham")) {
 		r = omap_hwmod_register_links(h_sham);
-		if (r < 0)
+		if (r < 0) {
+			of_node_put(bus);
 			return r;
+		}
 	}
 
 	if (h_aes && omap3xxx_hwmod_is_hs_ip_block_usable(bus, "aes")) {
 		r = omap_hwmod_register_links(h_aes);
-		if (r < 0)
+		if (r < 0) {
+			of_node_put(bus);
 			return r;
+		}
 	}
+	of_node_put(bus);
 
 	/*
 	 * Register hwmod links specific to certain ES levels of a

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 079/148] ASoC: rcar: avoid SSI_MODEx settings for SSI8
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 078/148] ARM: OMAP2+: Release device node after it is no longer needed Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 080/148] gpio: altera: Use handle_level_irq when configured as a level_high Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kuninori Morimoto, Hiroyuki Yokoyama,
	Mark Brown, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>


[ Upstream commit 4b30eebfc35c67771b5f58d9274d3e321b72d7a8 ]

SSI8 is is sharing pin with SSI7, and nothing to do for SSI_MODEx.
It is special pin and it needs special settings whole system,
but we can't confirm it, because we never have SSI8 available board.

This patch fixup SSI_MODEx settings error for SSI8 on connection test,
but should be confirmed behavior on real board in the future.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Tested-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sh/rcar/ssiu.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/sound/soc/sh/rcar/ssiu.c
+++ b/sound/soc/sh/rcar/ssiu.c
@@ -44,7 +44,11 @@ static int rsnd_ssiu_init(struct rsnd_mo
 	mask1 = (1 << 4) | (1 << 20);	/* mask sync bit */
 	mask2 = (1 << 4);		/* mask sync bit */
 	val1  = val2  = 0;
-	if (rsnd_ssi_is_pin_sharing(io)) {
+	if (id == 8) {
+		/*
+		 * SSI8 pin is sharing with SSI7, nothing to do.
+		 */
+	} else if (rsnd_ssi_is_pin_sharing(io)) {
 		int shift = -1;
 
 		switch (id) {

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 080/148] gpio: altera: Use handle_level_irq when configured as a level_high
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 079/148] ASoC: rcar: avoid SSI_MODEx settings for SSI8 Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 081/148] HID: chicony: Add support for another ASUS Zen AiO keyboard Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Reid, Linus Walleij, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Phil Reid <preid@electromag.com.au>


[ Upstream commit f759921cfbf4847319d197a6ed7c9534d593f8bc ]

When a threaded irq handler is chained attached to one of the gpio
pins when configure for level irq the altera_gpio_irq_leveL_high_handler
does not mask the interrupt while being handled by the chained irq.
This resulting in the threaded irq not getting enough cycles to complete
quickly enough before the irq was disabled as faulty. handle_level_irq
should be used in this situation instead of handle_simple_irq.

In gpiochip_irqchip_add set default handler to handle_bad_irq as
per Documentation/gpio/driver.txt. Then set the correct handler in
the set_type callback.

Signed-off-by: Phil Reid <preid@electromag.com.au>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpio-altera.c |   26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

--- a/drivers/gpio/gpio-altera.c
+++ b/drivers/gpio/gpio-altera.c
@@ -90,21 +90,18 @@ static int altera_gpio_irq_set_type(stru
 
 	altera_gc = gpiochip_get_data(irq_data_get_irq_chip_data(d));
 
-	if (type == IRQ_TYPE_NONE)
+	if (type == IRQ_TYPE_NONE) {
+		irq_set_handler_locked(d, handle_bad_irq);
 		return 0;
-	if (type == IRQ_TYPE_LEVEL_HIGH &&
-		altera_gc->interrupt_trigger == IRQ_TYPE_LEVEL_HIGH)
-		return 0;
-	if (type == IRQ_TYPE_EDGE_RISING &&
-		altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_RISING)
-		return 0;
-	if (type == IRQ_TYPE_EDGE_FALLING &&
-		altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_FALLING)
-		return 0;
-	if (type == IRQ_TYPE_EDGE_BOTH &&
-		altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_BOTH)
+	}
+	if (type == altera_gc->interrupt_trigger) {
+		if (type == IRQ_TYPE_LEVEL_HIGH)
+			irq_set_handler_locked(d, handle_level_irq);
+		else
+			irq_set_handler_locked(d, handle_simple_irq);
 		return 0;
-
+	}
+	irq_set_handler_locked(d, handle_bad_irq);
 	return -EINVAL;
 }
 
@@ -230,7 +227,6 @@ static void altera_gpio_irq_edge_handler
 	chained_irq_exit(chip, desc);
 }
 
-
 static void altera_gpio_irq_leveL_high_handler(struct irq_desc *desc)
 {
 	struct altera_gpio_chip *altera_gc;
@@ -310,7 +306,7 @@ static int altera_gpio_probe(struct plat
 	altera_gc->interrupt_trigger = reg;
 
 	ret = gpiochip_irqchip_add(&altera_gc->mmchip.gc, &altera_irq_chip, 0,
-		handle_simple_irq, IRQ_TYPE_NONE);
+		handle_bad_irq, IRQ_TYPE_NONE);
 
 	if (ret) {
 		dev_err(&pdev->dev, "could not add irqchip\n");

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 081/148] HID: chicony: Add support for another ASUS Zen AiO keyboard
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 080/148] gpio: altera: Use handle_level_irq when configured as a level_high Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 082/148] usb: gadget: configs: plug memory leak Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Drake, Jiri Kosina, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Drake <drake@endlessm.com>


[ Upstream commit f2f10b7e722a75c6d75a7f7cd06b0eee3ae20f7c ]

Add support for media keys on the keyboard that comes with the
Asus V221ID and ZN241IC All In One computers.

The keys to support here are WLAN, BRIGHTNESSDOWN and BRIGHTNESSUP.

This device is not visibly branded as Chicony, and the USB Vendor ID
suggests that it is a JESS device. However this seems like the right place
to put it: the usage codes are identical to the currently supported
devices, and this driver already supports the ASUS AIO keyboard AK1D.

Signed-off-by: Daniel Drake <drake@endlessm.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/Kconfig       |    4 ++--
 drivers/hid/hid-chicony.c |    1 +
 drivers/hid/hid-core.c    |    1 +
 drivers/hid/hid-ids.h     |    1 +
 4 files changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/hid/Kconfig
+++ b/drivers/hid/Kconfig
@@ -175,11 +175,11 @@ config HID_CHERRY
 	Support for Cherry Cymotion keyboard.
 
 config HID_CHICONY
-	tristate "Chicony Tactical pad"
+	tristate "Chicony devices"
 	depends on HID
 	default !EXPERT
 	---help---
-	Support for Chicony Tactical pad.
+	Support for Chicony Tactical pad and special keys on Chicony keyboards.
 
 config HID_CORSAIR
 	tristate "Corsair devices"
--- a/drivers/hid/hid-chicony.c
+++ b/drivers/hid/hid-chicony.c
@@ -86,6 +86,7 @@ static const struct hid_device_id ch_dev
 	{ HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS2) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_AK1D) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_ACER_SWITCH12) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_JESS, USB_DEVICE_ID_JESS_ZEN_AIO_KBD) },
 	{ }
 };
 MODULE_DEVICE_TABLE(hid, ch_devices);
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1906,6 +1906,7 @@ static const struct hid_device_id hid_ha
 	{ HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A081) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A0C2) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_HUION, USB_DEVICE_ID_HUION_TABLET) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_JESS, USB_DEVICE_ID_JESS_ZEN_AIO_KBD) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_JESS2, USB_DEVICE_ID_JESS2_COLOR_RUMBLE_PAD) },
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ION, USB_DEVICE_ID_ICADE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) },
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -558,6 +558,7 @@
 
 #define USB_VENDOR_ID_JESS		0x0c45
 #define USB_DEVICE_ID_JESS_YUREX	0x1010
+#define USB_DEVICE_ID_JESS_ZEN_AIO_KBD	0x5112
 
 #define USB_VENDOR_ID_JESS2		0x0f30
 #define USB_DEVICE_ID_JESS2_COLOR_RUMBLE_PAD 0x0111

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 082/148] usb: gadget: configs: plug memory leak
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 081/148] HID: chicony: Add support for another ASUS Zen AiO keyboard Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 083/148] USB: gadgetfs: Fix a potential memory leak in dev_config() Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Keeping, Felipe Balbi, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Keeping <john@metanate.com>


[ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ]

When binding a gadget to a device, "name" is stored in gi->udc_name, but
this does not happen when unregistering and the string is leaked.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/configfs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -269,6 +269,7 @@ static ssize_t gadget_dev_desc_UDC_store
 		ret = unregister_gadget(gi);
 		if (ret)
 			goto err;
+		kfree(name);
 	} else {
 		if (gi->composite.gadget_driver.udc_name) {
 			ret = -EBUSY;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 083/148] USB: gadgetfs: Fix a potential memory leak in dev_config()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 082/148] usb: gadget: configs: plug memory leak Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 084/148] usb: dwc3: gadget: Fix system suspend/resume on TI platforms Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Felipe Balbi,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>


[ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ]

'kbuf' is allocated just a few lines above using 'memdup_user()'.
If the 'if (dev->buf)' test fails, this memory is never released.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/legacy/inode.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1819,8 +1819,10 @@ dev_config (struct file *fd, const char
 
 	spin_lock_irq (&dev->lock);
 	value = -EINVAL;
-	if (dev->buf)
+	if (dev->buf) {
+		kfree(kbuf);
 		goto fail;
+	}
 	dev->buf = kbuf;
 
 	/* full or low speed config */

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 084/148] usb: dwc3: gadget: Fix system suspend/resume on TI platforms
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 083/148] USB: gadgetfs: Fix a potential memory leak in dev_config() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 085/148] usb: gadget: pxa27x: Test for a valid argument pointer Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roger Quadros, Felipe Balbi, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Roger Quadros <rogerq@ti.com>


[ Upstream commit 1551e35ea4189c1f7199fe278395fc94196715f2 ]

On TI platforms (dra7, am437x), the DWC3_DSTS_DEVCTRLHLT bit is not set
after the device controller is stopped via DWC3_DCTL_RUN_STOP.

If we don't disconnect and stop the gadget, it stops working after a
system resume with the trace below.

There is no point in preventing gadget disconnect and gadget stop during
system suspend/resume as we're going to suspend in any case, whether
DEVCTRLHLT timed out or not.

[  141.727480] ------------[ cut here ]------------
[  141.732349] WARNING: CPU: 1 PID: 2135 at drivers/usb/dwc3/gadget.c:2384 dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3]
[  141.744299] Modules linked in: usb_f_ss_lb g_zero libcomposite xhci_plat_hcd xhci_hcd usbcore dwc3 evdev udc_core m25p80 usb_common spi_nor snd_soc_davinci_mcasp snd_soc_simple_card snd_soc_edma snd_soc_tlv3e
[  141.792163] CPU: 1 PID: 2135 Comm: irq/456-dwc3 Not tainted 4.10.0-rc8 #1138
[  141.799547] Hardware name: Generic DRA74X (Flattened Device Tree)
[  141.805940] [<c01101b4>] (unwind_backtrace) from [<c010c31c>] (show_stack+0x10/0x14)
[  141.814066] [<c010c31c>] (show_stack) from [<c04a0918>] (dump_stack+0xac/0xe0)
[  141.821648] [<c04a0918>] (dump_stack) from [<c013708c>] (__warn+0xd8/0x104)
[  141.828955] [<c013708c>] (__warn) from [<c0137164>] (warn_slowpath_null+0x20/0x28)
[  141.836902] [<c0137164>] (warn_slowpath_null) from [<bf27784c>] (dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3])
[  141.848329] [<bf27784c>] (dwc3_stop_active_transfer.constprop.4 [dwc3]) from [<bf27ab14>] (__dwc3_gadget_ep_disable+0x64/0x528 [dwc3])
[  141.861034] [<bf27ab14>] (__dwc3_gadget_ep_disable [dwc3]) from [<bf27c27c>] (dwc3_gadget_ep_disable+0x3c/0xc8 [dwc3])
[  141.872280] [<bf27c27c>] (dwc3_gadget_ep_disable [dwc3]) from [<bf23b428>] (usb_ep_disable+0x11c/0x18c [udc_core])
[  141.883160] [<bf23b428>] (usb_ep_disable [udc_core]) from [<bf342774>] (disable_ep+0x18/0x54 [usb_f_ss_lb])
[  141.893408] [<bf342774>] (disable_ep [usb_f_ss_lb]) from [<bf3437b0>] (disable_endpoints+0x18/0x50 [usb_f_ss_lb])
[  141.904168] [<bf3437b0>] (disable_endpoints [usb_f_ss_lb]) from [<bf343814>] (disable_source_sink+0x2c/0x34 [usb_f_ss_lb])
[  141.915771] [<bf343814>] (disable_source_sink [usb_f_ss_lb]) from [<bf329a9c>] (reset_config+0x48/0x7c [libcomposite])
[  141.927012] [<bf329a9c>] (reset_config [libcomposite]) from [<bf329afc>] (composite_disconnect+0x2c/0x54 [libcomposite])
[  141.938444] [<bf329afc>] (composite_disconnect [libcomposite]) from [<bf23d7dc>] (usb_gadget_udc_reset+0x10/0x34 [udc_core])
[  141.950237] [<bf23d7dc>] (usb_gadget_udc_reset [udc_core]) from [<bf276d70>] (dwc3_gadget_reset_interrupt+0x64/0x698 [dwc3])
[  141.962022] [<bf276d70>] (dwc3_gadget_reset_interrupt [dwc3]) from [<bf27952c>] (dwc3_thread_interrupt+0x618/0x1a3c [dwc3])
[  141.973723] [<bf27952c>] (dwc3_thread_interrupt [dwc3]) from [<c01a7ce8>] (irq_thread_fn+0x1c/0x54)
[  141.983215] [<c01a7ce8>] (irq_thread_fn) from [<c01a7fbc>] (irq_thread+0x120/0x1f0)
[  141.991247] [<c01a7fbc>] (irq_thread) from [<c015ba14>] (kthread+0xf8/0x138)
[  141.998641] [<c015ba14>] (kthread) from [<c01078f0>] (ret_from_fork+0x14/0x24)
[  142.006213] ---[ end trace b4ecfe9f175b9a9c ]---

Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |    7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3092,15 +3092,10 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
 
 int dwc3_gadget_suspend(struct dwc3 *dwc)
 {
-	int ret;
-
 	if (!dwc->gadget_driver)
 		return 0;
 
-	ret = dwc3_gadget_run_stop(dwc, false, false);
-	if (ret < 0)
-		return ret;
-
+	dwc3_gadget_run_stop(dwc, false, false);
 	dwc3_disconnect_gadget(dwc);
 	__dwc3_gadget_stop(dwc);
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 085/148] usb: gadget: pxa27x: Test for a valid argument pointer
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 084/148] usb: dwc3: gadget: Fix system suspend/resume on TI platforms Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44   ` [4.9,086/148] " Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Jarzmik, Petr Cvek,
	Felipe Balbi, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Petr Cvek <petr.cvek@tul.cz>


[ Upstream commit df7545719a14fa7b481896fb8689e23d0a00f682 ]

A call usb_put_phy(udc->transceiver) must be tested for a valid pointer.
Use an already existing test for usb_unregister_notifier call.

Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Reported-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Petr Cvek <petr.cvek@tul.cz>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/pxa27x_udc.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/udc/pxa27x_udc.c
+++ b/drivers/usb/gadget/udc/pxa27x_udc.c
@@ -2534,9 +2534,10 @@ static int pxa_udc_remove(struct platfor
 	usb_del_gadget_udc(&udc->gadget);
 	pxa_cleanup_debugfs(udc);
 
-	if (!IS_ERR_OR_NULL(udc->transceiver))
+	if (!IS_ERR_OR_NULL(udc->transceiver)) {
 		usb_unregister_notifier(udc->transceiver, &pxa27x_udc_phy);
-	usb_put_phy(udc->transceiver);
+		usb_put_phy(udc->transceiver);
+	}
 
 	udc->transceiver = NULL;
 	the_controller = NULL;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 086/148] usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
@ 2017-12-12 12:44   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Balbi, linux-usb, Raz Manor,
	Felipe Balbi, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raz Manor <Raz.Manor@valens.com>


[ Upstream commit ef5e2fa9f65befa12f1113c734602d2c1964d2a5 ]

In the function scan_dma_completions() there is a reusage of tmp
variable. That coused a wrong value being used in some case when
reading a short packet terminated transaction from an endpoint,
in 2 concecutive reads.

This was my logic for the patch:

The req->td->dmadesc equals to 0 iff:
-- There was a transaction ending with a short packet, and
-- The read() to read it was shorter than the transaction length, and
-- The read() to complete it is longer than the residue.
I believe this is true from the printouts of various cases,
but I can't be positive it is correct.

Entering this if, there should be no more data in the endpoint
(a short packet terminated the transaction).
If there is, the transaction wasn't really done and we should exit and
wait for it to finish entirely. That is the inner if.
That inner if should never happen, but it is there to be on the safe
side. That is why it is marked with the comment /* paranoia */.
The size of the data available in the endpoint is ep->dma->dmacount
and it is read to tmp.
This entire clause is based on my own educated guesses.

If we passed that inner if without breaking in the original code,
than tmp & DMA_BYTE_MASK_COUNT== 0.
That means we will always pass dma bytes count of 0 to dma_done(),
meaning all the requested bytes were read.

dma_done() reports back to the upper layer that the request (read())
was done and how many bytes were read.
In the original code that would always be the request size,
regardless of the actual size of the data.
That did not make sense to me at all.

However, the original value of tmp is req->td->dmacount,
which is the dmacount value when the request's dma transaction was
finished. And that is a much more reasonable value to report back to
the caller.

To recreate the problem:
Read from a bulk out endpoint in a loop, 1024 * n bytes in each
iteration.
Connect the PLX to a host you can control.
Send to that endpoint 1024 * n + x bytes,
such that 0 < x < 1024 * n and (x % 1024) != 0
You would expect the first read() to return 1024 * n
and the second read() to return x.
But you will get the first read to return 1024 * n
and the second one to return 1024 * n.
That is true for every positive integer n.

Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Signed-off-by: Raz Manor <Raz.Manor@valens.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/net2280.c |   25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -1146,15 +1146,15 @@ static int scan_dma_completions(struct n
 	 */
 	while (!list_empty(&ep->queue)) {
 		struct net2280_request	*req;
-		u32			tmp;
+		u32 req_dma_count;
 
 		req = list_entry(ep->queue.next,
 				struct net2280_request, queue);
 		if (!req->valid)
 			break;
 		rmb();
-		tmp = le32_to_cpup(&req->td->dmacount);
-		if ((tmp & BIT(VALID_BIT)) != 0)
+		req_dma_count = le32_to_cpup(&req->td->dmacount);
+		if ((req_dma_count & BIT(VALID_BIT)) != 0)
 			break;
 
 		/* SHORT_PACKET_TRANSFERRED_INTERRUPT handles "usb-short"
@@ -1163,40 +1163,41 @@ static int scan_dma_completions(struct n
 		 */
 		if (unlikely(req->td->dmadesc == 0)) {
 			/* paranoia */
-			tmp = readl(&ep->dma->dmacount);
-			if (tmp & DMA_BYTE_COUNT_MASK)
+			u32 const ep_dmacount = readl(&ep->dma->dmacount);
+
+			if (ep_dmacount & DMA_BYTE_COUNT_MASK)
 				break;
 			/* single transfer mode */
-			dma_done(ep, req, tmp, 0);
+			dma_done(ep, req, req_dma_count, 0);
 			num_completed++;
 			break;
 		} else if (!ep->is_in &&
 			   (req->req.length % ep->ep.maxpacket) &&
 			   !(ep->dev->quirks & PLX_PCIE)) {
 
-			tmp = readl(&ep->regs->ep_stat);
+			u32 const ep_stat = readl(&ep->regs->ep_stat);
 			/* AVOID TROUBLE HERE by not issuing short reads from
 			 * your gadget driver.  That helps avoids errata 0121,
 			 * 0122, and 0124; not all cases trigger the warning.
 			 */
-			if ((tmp & BIT(NAK_OUT_PACKETS)) == 0) {
+			if ((ep_stat & BIT(NAK_OUT_PACKETS)) == 0) {
 				ep_warn(ep->dev, "%s lost packet sync!\n",
 						ep->ep.name);
 				req->req.status = -EOVERFLOW;
 			} else {
-				tmp = readl(&ep->regs->ep_avail);
-				if (tmp) {
+				u32 const ep_avail = readl(&ep->regs->ep_avail);
+				if (ep_avail) {
 					/* fifo gets flushed later */
 					ep->out_overflow = 1;
 					ep_dbg(ep->dev,
 						"%s dma, discard %d len %d\n",
-						ep->ep.name, tmp,
+						ep->ep.name, ep_avail,
 						req->req.length);
 					req->req.status = -EOVERFLOW;
 				}
 			}
 		}
-		dma_done(ep, req, tmp, 0);
+		dma_done(ep, req, req_dma_count, 0);
 		num_completed++;
 	}
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [4.9,086/148] usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
@ 2017-12-12 12:44   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Balbi, linux-usb, Raz Manor,
	Felipe Balbi, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raz Manor <Raz.Manor@valens.com>


[ Upstream commit ef5e2fa9f65befa12f1113c734602d2c1964d2a5 ]

In the function scan_dma_completions() there is a reusage of tmp
variable. That coused a wrong value being used in some case when
reading a short packet terminated transaction from an endpoint,
in 2 concecutive reads.

This was my logic for the patch:

The req->td->dmadesc equals to 0 iff:
-- There was a transaction ending with a short packet, and
-- The read() to read it was shorter than the transaction length, and
-- The read() to complete it is longer than the residue.
I believe this is true from the printouts of various cases,
but I can't be positive it is correct.

Entering this if, there should be no more data in the endpoint
(a short packet terminated the transaction).
If there is, the transaction wasn't really done and we should exit and
wait for it to finish entirely. That is the inner if.
That inner if should never happen, but it is there to be on the safe
side. That is why it is marked with the comment /* paranoia */.
The size of the data available in the endpoint is ep->dma->dmacount
and it is read to tmp.
This entire clause is based on my own educated guesses.

If we passed that inner if without breaking in the original code,
than tmp & DMA_BYTE_MASK_COUNT== 0.
That means we will always pass dma bytes count of 0 to dma_done(),
meaning all the requested bytes were read.

dma_done() reports back to the upper layer that the request (read())
was done and how many bytes were read.
In the original code that would always be the request size,
regardless of the actual size of the data.
That did not make sense to me at all.

However, the original value of tmp is req->td->dmacount,
which is the dmacount value when the request's dma transaction was
finished. And that is a much more reasonable value to report back to
the caller.

To recreate the problem:
Read from a bulk out endpoint in a loop, 1024 * n bytes in each
iteration.
Connect the PLX to a host you can control.
Send to that endpoint 1024 * n + x bytes,
such that 0 < x < 1024 * n and (x % 1024) != 0
You would expect the first read() to return 1024 * n
and the second read() to return x.
But you will get the first read to return 1024 * n
and the second one to return 1024 * n.
That is true for every positive integer n.

Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Signed-off-by: Raz Manor <Raz.Manor@valens.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/net2280.c |   25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -1146,15 +1146,15 @@ static int scan_dma_completions(struct n
 	 */
 	while (!list_empty(&ep->queue)) {
 		struct net2280_request	*req;
-		u32			tmp;
+		u32 req_dma_count;
 
 		req = list_entry(ep->queue.next,
 				struct net2280_request, queue);
 		if (!req->valid)
 			break;
 		rmb();
-		tmp = le32_to_cpup(&req->td->dmacount);
-		if ((tmp & BIT(VALID_BIT)) != 0)
+		req_dma_count = le32_to_cpup(&req->td->dmacount);
+		if ((req_dma_count & BIT(VALID_BIT)) != 0)
 			break;
 
 		/* SHORT_PACKET_TRANSFERRED_INTERRUPT handles "usb-short"
@@ -1163,40 +1163,41 @@ static int scan_dma_completions(struct n
 		 */
 		if (unlikely(req->td->dmadesc == 0)) {
 			/* paranoia */
-			tmp = readl(&ep->dma->dmacount);
-			if (tmp & DMA_BYTE_COUNT_MASK)
+			u32 const ep_dmacount = readl(&ep->dma->dmacount);
+
+			if (ep_dmacount & DMA_BYTE_COUNT_MASK)
 				break;
 			/* single transfer mode */
-			dma_done(ep, req, tmp, 0);
+			dma_done(ep, req, req_dma_count, 0);
 			num_completed++;
 			break;
 		} else if (!ep->is_in &&
 			   (req->req.length % ep->ep.maxpacket) &&
 			   !(ep->dev->quirks & PLX_PCIE)) {
 
-			tmp = readl(&ep->regs->ep_stat);
+			u32 const ep_stat = readl(&ep->regs->ep_stat);
 			/* AVOID TROUBLE HERE by not issuing short reads from
 			 * your gadget driver.  That helps avoids errata 0121,
 			 * 0122, and 0124; not all cases trigger the warning.
 			 */
-			if ((tmp & BIT(NAK_OUT_PACKETS)) == 0) {
+			if ((ep_stat & BIT(NAK_OUT_PACKETS)) == 0) {
 				ep_warn(ep->dev, "%s lost packet sync!\n",
 						ep->ep.name);
 				req->req.status = -EOVERFLOW;
 			} else {
-				tmp = readl(&ep->regs->ep_avail);
-				if (tmp) {
+				u32 const ep_avail = readl(&ep->regs->ep_avail);
+				if (ep_avail) {
 					/* fifo gets flushed later */
 					ep->out_overflow = 1;
 					ep_dbg(ep->dev,
 						"%s dma, discard %d len %d\n",
-						ep->ep.name, tmp,
+						ep->ep.name, ep_avail,
 						req->req.length);
 					req->req.status = -EOVERFLOW;
 				}
 			}
 		}
-		dma_done(ep, req, tmp, 0);
+		dma_done(ep, req, req_dma_count, 0);
 		num_completed++;
 	}
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 088/148] libata: drop WARN from protocol error in ata_sff_qc_issue()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2017-12-12 12:44   ` [4.9,086/148] " Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:44 ` [PATCH 4.9 089/148] workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Tejun Heo, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>


[ Upstream commit 0580b762a4d6b70817476b90042813f8573283fa ]

ata_sff_qc_issue() expects upper layers to never issue commands on a
command protocol that it doesn't implement.  While the assumption
holds fine with the usual IO path, nothing filters based on the
command protocol in the passthrough path (which was added later),
allowing the warning to be tripped with a passthrough command with the
right (well, wrong) protocol.

Failing with AC_ERR_SYSTEM is the right thing to do anyway.  Remove
the unnecessary WARN.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Link: http://lkml.kernel.org/r/CACT4Y+bXkvevNZU8uP6X0QVqsj6wNoUA_1exfTSOzc+SmUtMOA@mail.gmail.com
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/ata/libata-sff.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -1481,7 +1481,6 @@ unsigned int ata_sff_qc_issue(struct ata
 		break;
 
 	default:
-		WARN_ON_ONCE(1);
 		return AC_ERR_SYSTEM;
 	}
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 089/148] workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 088/148] libata: drop WARN from protocol error in ata_sff_qc_issue() Greg Kroah-Hartman
@ 2017-12-12 12:44 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 090/148] scsi: qla2xxx: Fix ql_dump_buffer Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jones, Tejun Heo, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>


[ Upstream commit 637fdbae60d6cb9f6e963c1079d7e0445c86ff7d ]

If queue_delayed_work() gets called with NULL @wq, the kernel will
oops asynchronuosly on timer expiration which isn't too helpful in
tracking down the offender.  This actually happened with smc.

__queue_delayed_work() already does several input sanity checks
synchronously.  Add NULL @wq check.

Reported-by: Dave Jones <davej@codemonkey.org.uk>
Link: http://lkml.kernel.org/r/20170227171439.jshx3qplflyrgcv7@codemonkey.org.uk
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/workqueue.c |    1 +
 1 file changed, 1 insertion(+)

--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -1506,6 +1506,7 @@ static void __queue_delayed_work(int cpu
 	struct timer_list *timer = &dwork->timer;
 	struct work_struct *work = &dwork->work;
 
+	WARN_ON_ONCE(!wq);
 	WARN_ON_ONCE(timer->function != delayed_work_timer_fn ||
 		     timer->data != (unsigned long)dwork);
 	WARN_ON_ONCE(timer_pending(timer));

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 090/148] scsi: qla2xxx: Fix ql_dump_buffer
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2017-12-12 12:44 ` [PATCH 4.9 089/148] workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 091/148] scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Perches, Himanshu Madhani,
	Martin K. Petersen, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Perches <joe@perches.com>


[ Upstream commit 23456565acf6d452e0368f7380aecd584c019c67 ]

Recent printk changes for KERN_CONT cause this logging to be defectively
emitted on multiple lines.  Fix it.

Also reduces object size a trivial amount.

$ size drivers/scsi/qla2xxx/qla_dbg.o*
   text	   data	    bss	    dec	    hex	filename
  39125	      0	      0	  39125	   98d5	drivers/scsi/qla2xxx/qla_dbg.o.new
  39164	      0	      0	  39164	   98fc	drivers/scsi/qla2xxx/qla_dbg.o.old

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/qla2xxx/qla_dbg.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_dbg.c
+++ b/drivers/scsi/qla2xxx/qla_dbg.c
@@ -2707,13 +2707,9 @@ ql_dump_buffer(uint32_t level, scsi_qla_
 	    "%-+5d  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F\n", size);
 	ql_dbg(level, vha, id,
 	    "----- -----------------------------------------------\n");
-	for (cnt = 0; cnt < size; cnt++, buf++) {
-		if (cnt % 16 == 0)
-			ql_dbg(level, vha, id, "%04x:", cnt & ~0xFU);
-		printk(" %02x", *buf);
-		if (cnt % 16 == 15)
-			printk("\n");
+	for (cnt = 0; cnt < size; cnt += 16) {
+		ql_dbg(level, vha, id, "%04x: ", cnt);
+		print_hex_dump(KERN_CONT, "", DUMP_PREFIX_NONE, 16, 1,
+			       buf + cnt, min(16U, size - cnt), false);
 	}
-	if (cnt % 16 != 0)
-		printk("\n");
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 091/148] scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 090/148] scsi: qla2xxx: Fix ql_dump_buffer Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 092/148] irqchip/crossbar: Fix incorrect type of register size Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Martin K. Petersen, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: James Smart <jsmart2021@gmail.com>


[ Upstream commit 5d181531bc6169e19a02a27d202cf0e982db9d0e ]

if REG_VPI fails, the driver was incorrectly issuing INIT_VFI
(a SLI4 command) on a SLI3 adapter.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/lpfc/lpfc_els.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -8185,11 +8185,17 @@ lpfc_cmpl_reg_new_vport(struct lpfc_hba
 			spin_lock_irq(shost->host_lock);
 			vport->fc_flag |= FC_VPORT_NEEDS_REG_VPI;
 			spin_unlock_irq(shost->host_lock);
-			if (vport->port_type == LPFC_PHYSICAL_PORT
-				&& !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG))
-				lpfc_issue_init_vfi(vport);
-			else
+			if (mb->mbxStatus == MBX_NOT_FINISHED)
+				break;
+			if ((vport->port_type == LPFC_PHYSICAL_PORT) &&
+			    !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG)) {
+				if (phba->sli_rev == LPFC_SLI_REV4)
+					lpfc_issue_init_vfi(vport);
+				else
+					lpfc_initial_flogi(vport);
+			} else {
 				lpfc_initial_fdisc(vport);
+			}
 			break;
 		}
 	} else {

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 092/148] irqchip/crossbar: Fix incorrect type of register size
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 091/148] scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 094/148] arm: KVM: Survive unknown traps from guests Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Franck Demathieu, Marc Zyngier, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Franck Demathieu <fdemathieu@gmail.com>


[ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ]

The 'size' variable is unsigned according to the dt-bindings.
As this variable is used as integer in other places, create a new variable
that allows to fix the following sparse issue (-Wtypesign):

  drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness)
  drivers/irqchip/irq-crossbar.c:279:52:    expected unsigned int [usertype] *out_value
  drivers/irqchip/irq-crossbar.c:279:52:    got int *<noident>

Signed-off-by: Franck Demathieu <fdemathieu@gmail.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/irqchip/irq-crossbar.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/irqchip/irq-crossbar.c
+++ b/drivers/irqchip/irq-crossbar.c
@@ -199,7 +199,7 @@ static const struct irq_domain_ops cross
 static int __init crossbar_of_init(struct device_node *node)
 {
 	int i, size, reserved = 0;
-	u32 max = 0, entry;
+	u32 max = 0, entry, reg_size;
 	const __be32 *irqsr;
 	int ret = -ENOMEM;
 
@@ -276,9 +276,9 @@ static int __init crossbar_of_init(struc
 	if (!cb->register_offsets)
 		goto err_irq_map;
 
-	of_property_read_u32(node, "ti,reg-size", &size);
+	of_property_read_u32(node, "ti,reg-size", &reg_size);
 
-	switch (size) {
+	switch (reg_size) {
 	case 1:
 		cb->write = crossbar_writeb;
 		break;
@@ -304,7 +304,7 @@ static int __init crossbar_of_init(struc
 			continue;
 
 		cb->register_offsets[i] = reserved;
-		reserved += size;
+		reserved += reg_size;
 	}
 
 	of_property_read_u32(node, "ti,irqs-safe-map", &cb->safe_map);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 094/148] arm: KVM: Survive unknown traps from guests
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 092/148] irqchip/crossbar: Fix incorrect type of register size Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 095/148] arm64: " Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Martin, Suzuki K Poulose,
	Christoffer Dall, Mark Rutland, Marc Zyngier, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>


[ Upstream commit f050fe7a9164945dd1c28be05bf00e8cfb082ccf ]

Currently we BUG() if we see a HSR.EC value we don't recognise. As
configurable disables/enables are added to the architecture (controlled
by RES1/RES0 bits respectively), with associated synchronous exceptions,
it may be possible for a guest to trigger exceptions with classes that
we don't recognise.

While we can't service these exceptions in a manner useful to the guest,
we can avoid bringing down the host. Per ARM DDI 0406C.c, all currently
unallocated HSR EC encodings are reserved, and per ARM DDI
0487A.k_iss10775, page G6-4395, EC values within the range 0x00 - 0x2c
are reserved for future use with synchronous exceptions, and EC values
within the range 0x2d - 0x3f may be used for either synchronous or
asynchronous exceptions.

The patch makes KVM handle any unknown EC by injecting an UNDEFINED
exception into the guest, with a corresponding (ratelimited) warning in
the host dmesg. We could later improve on this with with a new (opt-in)
exit to the host userspace.

Cc: Dave Martin <dave.martin@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/kvm_arm.h |    1 +
 arch/arm/kvm/handle_exit.c     |   19 ++++++++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)

--- a/arch/arm/include/asm/kvm_arm.h
+++ b/arch/arm/include/asm/kvm_arm.h
@@ -208,6 +208,7 @@
 #define HSR_EC_IABT_HYP	(0x21)
 #define HSR_EC_DABT	(0x24)
 #define HSR_EC_DABT_HYP	(0x25)
+#define HSR_EC_MAX	(0x3f)
 
 #define HSR_WFI_IS_WFE		(_AC(1, UL) << 0)
 
--- a/arch/arm/kvm/handle_exit.c
+++ b/arch/arm/kvm/handle_exit.c
@@ -79,7 +79,19 @@ static int kvm_handle_wfx(struct kvm_vcp
 	return 1;
 }
 
+static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
+{
+	u32 hsr = kvm_vcpu_get_hsr(vcpu);
+
+	kvm_pr_unimpl("Unknown exception class: hsr: %#08x\n",
+		      hsr);
+
+	kvm_inject_undefined(vcpu);
+	return 1;
+}
+
 static exit_handle_fn arm_exit_handlers[] = {
+	[0 ... HSR_EC_MAX]	= kvm_handle_unknown_ec,
 	[HSR_EC_WFI]		= kvm_handle_wfx,
 	[HSR_EC_CP15_32]	= kvm_handle_cp15_32,
 	[HSR_EC_CP15_64]	= kvm_handle_cp15_64,
@@ -98,13 +110,6 @@ static exit_handle_fn kvm_get_exit_handl
 {
 	u8 hsr_ec = kvm_vcpu_trap_get_class(vcpu);
 
-	if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
-	    !arm_exit_handlers[hsr_ec]) {
-		kvm_err("Unknown exception class: hsr: %#08x\n",
-			(unsigned int)kvm_vcpu_get_hsr(vcpu));
-		BUG();
-	}
-
 	return arm_exit_handlers[hsr_ec];
 }
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 095/148] arm64: KVM: Survive unknown traps from guests
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 094/148] arm: KVM: Survive unknown traps from guests Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 096/148] KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Martin, Suzuki K Poulose,
	Christoffer Dall, Mark Rutland, Marc Zyngier, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>


[ Upstream commit ba4dd156eabdca93501d92a980ba27fa5f4bbd27 ]

Currently we BUG() if we see an ESR_EL2.EC value we don't recognise. As
configurable disables/enables are added to the architecture (controlled
by RES1/RES0 bits respectively), with associated synchronous exceptions,
it may be possible for a guest to trigger exceptions with classes that
we don't recognise.

While we can't service these exceptions in a manner useful to the guest,
we can avoid bringing down the host. Per ARM DDI 0487A.k_iss10775, page
D7-1937, EC values within the range 0x00 - 0x2c are reserved for future
use with synchronous exceptions, and EC values within the range 0x2d -
0x3f may be used for either synchronous or asynchronous exceptions.

The patch makes KVM handle any unknown EC by injecting an UNDEFINED
exception into the guest, with a corresponding (ratelimited) warning in
the host dmesg. We could later improve on this with with a new (opt-in)
exit to the host userspace.

Cc: Dave Martin <dave.martin@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/handle_exit.c |   19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/arch/arm64/kvm/handle_exit.c
+++ b/arch/arm64/kvm/handle_exit.c
@@ -125,7 +125,19 @@ static int kvm_handle_guest_debug(struct
 	return ret;
 }
 
+static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
+{
+	u32 hsr = kvm_vcpu_get_hsr(vcpu);
+
+	kvm_pr_unimpl("Unknown exception class: hsr: %#08x -- %s\n",
+		      hsr, esr_get_class_string(hsr));
+
+	kvm_inject_undefined(vcpu);
+	return 1;
+}
+
 static exit_handle_fn arm_exit_handlers[] = {
+	[0 ... ESR_ELx_EC_MAX]	= kvm_handle_unknown_ec,
 	[ESR_ELx_EC_WFx]	= kvm_handle_wfx,
 	[ESR_ELx_EC_CP15_32]	= kvm_handle_cp15_32,
 	[ESR_ELx_EC_CP15_64]	= kvm_handle_cp15_64,
@@ -151,13 +163,6 @@ static exit_handle_fn kvm_get_exit_handl
 	u32 hsr = kvm_vcpu_get_hsr(vcpu);
 	u8 hsr_ec = ESR_ELx_EC(hsr);
 
-	if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
-	    !arm_exit_handlers[hsr_ec]) {
-		kvm_err("Unknown exception class: hsr: %#08x -- %s\n",
-			hsr, esr_get_class_string(hsr));
-		BUG();
-	}
-
 	return arm_exit_handlers[hsr_ec];
 }
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 096/148] KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 095/148] arm64: " Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 097/148] spi_ks8995: fix "BUG: key accdaa28 not in .data!" Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Auger, Christoffer Dall,
	Andre Przywara, Marc Zyngier, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andre Przywara <andre.przywara@arm.com>


[ Upstream commit a5e1e6ca94a8cec51571fd62e3eaec269717969c ]

The ITS spec says that ITS commands are only processed when the ITS
is enabled (section 8.19.4, Enabled, bit[0]). Our emulation was not taking
this into account.
Fix this by checking the enabled state before handling CWRITER writes.

On the other hand that means that CWRITER could advance while the ITS
is disabled, and enabling it would need those commands to be processed.
Fix this case as well by refactoring actual command processing and
calling this from both the GITS_CWRITER and GITS_CTLR handlers.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Christoffer Dall <cdall@linaro.org>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/arm/vgic/vgic-its.c |  109 +++++++++++++++++++++++++------------------
 1 file changed, 65 insertions(+), 44 deletions(-)

--- a/virt/kvm/arm/vgic/vgic-its.c
+++ b/virt/kvm/arm/vgic/vgic-its.c
@@ -360,29 +360,6 @@ static int its_sync_lpi_pending_table(st
 	return ret;
 }
 
-static unsigned long vgic_mmio_read_its_ctlr(struct kvm *vcpu,
-					     struct vgic_its *its,
-					     gpa_t addr, unsigned int len)
-{
-	u32 reg = 0;
-
-	mutex_lock(&its->cmd_lock);
-	if (its->creadr == its->cwriter)
-		reg |= GITS_CTLR_QUIESCENT;
-	if (its->enabled)
-		reg |= GITS_CTLR_ENABLE;
-	mutex_unlock(&its->cmd_lock);
-
-	return reg;
-}
-
-static void vgic_mmio_write_its_ctlr(struct kvm *kvm, struct vgic_its *its,
-				     gpa_t addr, unsigned int len,
-				     unsigned long val)
-{
-	its->enabled = !!(val & GITS_CTLR_ENABLE);
-}
-
 static unsigned long vgic_mmio_read_its_typer(struct kvm *kvm,
 					      struct vgic_its *its,
 					      gpa_t addr, unsigned int len)
@@ -1162,33 +1139,16 @@ static void vgic_mmio_write_its_cbaser(s
 #define ITS_CMD_SIZE			32
 #define ITS_CMD_OFFSET(reg)		((reg) & GENMASK(19, 5))
 
-/*
- * By writing to CWRITER the guest announces new commands to be processed.
- * To avoid any races in the first place, we take the its_cmd lock, which
- * protects our ring buffer variables, so that there is only one user
- * per ITS handling commands at a given time.
- */
-static void vgic_mmio_write_its_cwriter(struct kvm *kvm, struct vgic_its *its,
-					gpa_t addr, unsigned int len,
-					unsigned long val)
+/* Must be called with the cmd_lock held. */
+static void vgic_its_process_commands(struct kvm *kvm, struct vgic_its *its)
 {
 	gpa_t cbaser;
 	u64 cmd_buf[4];
-	u32 reg;
 
-	if (!its)
-		return;
-
-	mutex_lock(&its->cmd_lock);
-
-	reg = update_64bit_reg(its->cwriter, addr & 7, len, val);
-	reg = ITS_CMD_OFFSET(reg);
-	if (reg >= ITS_CMD_BUFFER_SIZE(its->cbaser)) {
-		mutex_unlock(&its->cmd_lock);
+	/* Commands are only processed when the ITS is enabled. */
+	if (!its->enabled)
 		return;
-	}
 
-	its->cwriter = reg;
 	cbaser = CBASER_ADDRESS(its->cbaser);
 
 	while (its->cwriter != its->creadr) {
@@ -1208,6 +1168,34 @@ static void vgic_mmio_write_its_cwriter(
 		if (its->creadr == ITS_CMD_BUFFER_SIZE(its->cbaser))
 			its->creadr = 0;
 	}
+}
+
+/*
+ * By writing to CWRITER the guest announces new commands to be processed.
+ * To avoid any races in the first place, we take the its_cmd lock, which
+ * protects our ring buffer variables, so that there is only one user
+ * per ITS handling commands at a given time.
+ */
+static void vgic_mmio_write_its_cwriter(struct kvm *kvm, struct vgic_its *its,
+					gpa_t addr, unsigned int len,
+					unsigned long val)
+{
+	u64 reg;
+
+	if (!its)
+		return;
+
+	mutex_lock(&its->cmd_lock);
+
+	reg = update_64bit_reg(its->cwriter, addr & 7, len, val);
+	reg = ITS_CMD_OFFSET(reg);
+	if (reg >= ITS_CMD_BUFFER_SIZE(its->cbaser)) {
+		mutex_unlock(&its->cmd_lock);
+		return;
+	}
+	its->cwriter = reg;
+
+	vgic_its_process_commands(kvm, its);
 
 	mutex_unlock(&its->cmd_lock);
 }
@@ -1288,6 +1276,39 @@ static void vgic_mmio_write_its_baser(st
 	*regptr = reg;
 }
 
+static unsigned long vgic_mmio_read_its_ctlr(struct kvm *vcpu,
+					     struct vgic_its *its,
+					     gpa_t addr, unsigned int len)
+{
+	u32 reg = 0;
+
+	mutex_lock(&its->cmd_lock);
+	if (its->creadr == its->cwriter)
+		reg |= GITS_CTLR_QUIESCENT;
+	if (its->enabled)
+		reg |= GITS_CTLR_ENABLE;
+	mutex_unlock(&its->cmd_lock);
+
+	return reg;
+}
+
+static void vgic_mmio_write_its_ctlr(struct kvm *kvm, struct vgic_its *its,
+				     gpa_t addr, unsigned int len,
+				     unsigned long val)
+{
+	mutex_lock(&its->cmd_lock);
+
+	its->enabled = !!(val & GITS_CTLR_ENABLE);
+
+	/*
+	 * Try to process any pending commands. This function bails out early
+	 * if the ITS is disabled or no commands have been queued.
+	 */
+	vgic_its_process_commands(kvm, its);
+
+	mutex_unlock(&its->cmd_lock);
+}
+
 #define REGISTER_ITS_DESC(off, rd, wr, length, acc)		\
 {								\
 	.reg_offset = off,					\

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 097/148] spi_ks8995: fix "BUG: key accdaa28 not in .data!"
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 096/148] KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 098/148] spi_ks8995: regs_size incorrect for some devices Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maarten Blomme, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Blomme, Maarten" <Maarten.Blomme@flir.com>


[ Upstream commit 4342696df764ec65dcdfbd0c10d90ea52505f8ba ]

Signed-off-by: Maarten Blomme <Maarten.Blomme@flir.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/spi_ks8995.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/phy/spi_ks8995.c
+++ b/drivers/net/phy/spi_ks8995.c
@@ -498,6 +498,7 @@ static int ks8995_probe(struct spi_devic
 	if (err)
 		return err;
 
+	sysfs_attr_init(&ks->regs_attr.attr);
 	err = sysfs_create_bin_file(&spi->dev.kobj, &ks->regs_attr);
 	if (err) {
 		dev_err(&spi->dev, "unable to create sysfs file, err=%d\n",

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 098/148] spi_ks8995: regs_size incorrect for some devices
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 097/148] spi_ks8995: fix "BUG: key accdaa28 not in .data!" Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 099/148] bnx2x: prevent crash when accessing PTP with interface down Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maarten Blomme, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Blomme, Maarten" <Maarten.Blomme@flir.com>


[ Upstream commit 239870f2a0ebf75cc8f6d987dc528c5243f93d69 ]

Signed-off-by: Maarten Blomme <Maarten.Blomme@flir.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/spi_ks8995.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/phy/spi_ks8995.c
+++ b/drivers/net/phy/spi_ks8995.c
@@ -491,8 +491,8 @@ static int ks8995_probe(struct spi_devic
 	if (err)
 		return err;
 
-	ks->regs_attr.size = ks->chip->regs_size;
 	memcpy(&ks->regs_attr, &ks8995_registers_attr, sizeof(ks->regs_attr));
+	ks->regs_attr.size = ks->chip->regs_size;
 
 	err = ks8995_reset(ks);
 	if (err)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 099/148] bnx2x: prevent crash when accessing PTP with interface down
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 098/148] spi_ks8995: regs_size incorrect for some devices Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 100/148] bnx2x: fix possible overrun of VFPF multicast addresses array Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Schmidt, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Schmidt <mschmidt@redhat.com>


[ Upstream commit 466e8bf10ac104d96e1ea813e8126e11cb72ea20 ]

It is possible to crash the kernel by accessing a PTP device while its
associated bnx2x interface is down. Before the interface is brought up,
the timecounter is not initialized, so accessing it results in NULL
dereference.

Fix it by checking if the interface is up.

Use -ENETDOWN as the error code when the interface is down.
 -EFAULT in bnx2x_ptp_adjfreq() did not seem right.

Tested using phc_ctl get/set/adj/freq commands.

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |   20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -13735,7 +13735,7 @@ static int bnx2x_ptp_adjfreq(struct ptp_
 	if (!netif_running(bp->dev)) {
 		DP(BNX2X_MSG_PTP,
 		   "PTP adjfreq called while the interface is down\n");
-		return -EFAULT;
+		return -ENETDOWN;
 	}
 
 	if (ppb < 0) {
@@ -13794,6 +13794,12 @@ static int bnx2x_ptp_adjtime(struct ptp_
 {
 	struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
 
+	if (!netif_running(bp->dev)) {
+		DP(BNX2X_MSG_PTP,
+		   "PTP adjtime called while the interface is down\n");
+		return -ENETDOWN;
+	}
+
 	DP(BNX2X_MSG_PTP, "PTP adjtime called, delta = %llx\n", delta);
 
 	timecounter_adjtime(&bp->timecounter, delta);
@@ -13806,6 +13812,12 @@ static int bnx2x_ptp_gettime(struct ptp_
 	struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
 	u64 ns;
 
+	if (!netif_running(bp->dev)) {
+		DP(BNX2X_MSG_PTP,
+		   "PTP gettime called while the interface is down\n");
+		return -ENETDOWN;
+	}
+
 	ns = timecounter_read(&bp->timecounter);
 
 	DP(BNX2X_MSG_PTP, "PTP gettime called, ns = %llu\n", ns);
@@ -13821,6 +13833,12 @@ static int bnx2x_ptp_settime(struct ptp_
 	struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
 	u64 ns;
 
+	if (!netif_running(bp->dev)) {
+		DP(BNX2X_MSG_PTP,
+		   "PTP settime called while the interface is down\n");
+		return -ENETDOWN;
+	}
+
 	ns = timespec64_to_ns(ts);
 
 	DP(BNX2X_MSG_PTP, "PTP settime called, ns = %llu\n", ns);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 100/148] bnx2x: fix possible overrun of VFPF multicast addresses array
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 099/148] bnx2x: prevent crash when accessing PTP with interface down Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 101/148] bnx2x: fix detection of VLAN filtering feature for VF Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Schmidt, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Schmidt <mschmidt@redhat.com>


[ Upstream commit 22118d861cec5da6ed525aaf12a3de9bfeffc58f ]

It is too late to check for the limit of the number of VF multicast
addresses after they have already been copied to the req->multicast[]
array, possibly overflowing it.

Do the check before copying.

Also fix the error path to not skip unlocking vf2pf_mutex.

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c |   23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
@@ -868,7 +868,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
 	struct bnx2x *bp = netdev_priv(dev);
 	struct vfpf_set_q_filters_tlv *req = &bp->vf2pf_mbox->req.set_q_filters;
 	struct pfvf_general_resp_tlv *resp = &bp->vf2pf_mbox->resp.general_resp;
-	int rc, i = 0;
+	int rc = 0, i = 0;
 	struct netdev_hw_addr *ha;
 
 	if (bp->state != BNX2X_STATE_OPEN) {
@@ -883,6 +883,15 @@ int bnx2x_vfpf_set_mcast(struct net_devi
 	/* Get Rx mode requested */
 	DP(NETIF_MSG_IFUP, "dev->flags = %x\n", dev->flags);
 
+	/* We support PFVF_MAX_MULTICAST_PER_VF mcast addresses tops */
+	if (netdev_mc_count(dev) > PFVF_MAX_MULTICAST_PER_VF) {
+		DP(NETIF_MSG_IFUP,
+		   "VF supports not more than %d multicast MAC addresses\n",
+		   PFVF_MAX_MULTICAST_PER_VF);
+		rc = -EINVAL;
+		goto out;
+	}
+
 	netdev_for_each_mc_addr(ha, dev) {
 		DP(NETIF_MSG_IFUP, "Adding mcast MAC: %pM\n",
 		   bnx2x_mc_addr(ha));
@@ -890,16 +899,6 @@ int bnx2x_vfpf_set_mcast(struct net_devi
 		i++;
 	}
 
-	/* We support four PFVF_MAX_MULTICAST_PER_VF mcast
-	  * addresses tops
-	  */
-	if (i >= PFVF_MAX_MULTICAST_PER_VF) {
-		DP(NETIF_MSG_IFUP,
-		   "VF supports not more than %d multicast MAC addresses\n",
-		   PFVF_MAX_MULTICAST_PER_VF);
-		return -EINVAL;
-	}
-
 	req->n_multicast = i;
 	req->flags |= VFPF_SET_Q_FILTERS_MULTICAST_CHANGED;
 	req->vf_qid = 0;
@@ -924,7 +923,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
 out:
 	bnx2x_vfpf_finalize(bp, &req->first_tlv);
 
-	return 0;
+	return rc;
 }
 
 /* request pf to add a vlan for the vf */

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 101/148] bnx2x: fix detection of VLAN filtering feature for VF
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 100/148] bnx2x: fix possible overrun of VFPF multicast addresses array Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 102/148] bnx2x: do not rollback VF MAC/VLAN filters we did not configure Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Schmidt, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Schmidt <mschmidt@redhat.com>


[ Upstream commit 83bd9eb8fc69cdd5135ed6e1f066adc8841800fd ]

VFs are currently missing the VLAN filtering feature, because we were
checking the PF's acquire response before actually performing the acquire.

Fix it by setting the feature flag later when we have the PF response.

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |   16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -13293,17 +13293,15 @@ static int bnx2x_init_dev(struct bnx2x *
 	dev->vlan_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
 		NETIF_F_TSO | NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_HIGHDMA;
 
-	/* VF with OLD Hypervisor or old PF do not support filtering */
 	if (IS_PF(bp)) {
 		if (chip_is_e1x)
 			bp->accept_any_vlan = true;
 		else
 			dev->hw_features |= NETIF_F_HW_VLAN_CTAG_FILTER;
-#ifdef CONFIG_BNX2X_SRIOV
-	} else if (bp->acquire_resp.pfdev_info.pf_cap & PFVF_CAP_VLAN_FILTER) {
-		dev->hw_features |= NETIF_F_HW_VLAN_CTAG_FILTER;
-#endif
 	}
+	/* For VF we'll know whether to enable VLAN filtering after
+	 * getting a response to CHANNEL_TLV_ACQUIRE from PF.
+	 */
 
 	dev->features |= dev->hw_features | NETIF_F_HW_VLAN_CTAG_RX;
 	dev->features |= NETIF_F_HIGHDMA;
@@ -14006,6 +14004,14 @@ static int bnx2x_init_one(struct pci_dev
 		rc = bnx2x_vfpf_acquire(bp, tx_count, rx_count);
 		if (rc)
 			goto init_one_freemem;
+
+#ifdef CONFIG_BNX2X_SRIOV
+		/* VF with OLD Hypervisor or old PF do not support filtering */
+		if (bp->acquire_resp.pfdev_info.pf_cap & PFVF_CAP_VLAN_FILTER) {
+			dev->hw_features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+			dev->features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+		}
+#endif
 	}
 
 	/* Enable SRIOV if capability found in configuration space */

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 102/148] bnx2x: do not rollback VF MAC/VLAN filters we did not configure
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 101/148] bnx2x: fix detection of VLAN filtering feature for VF Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 103/148] rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Schmidt, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Schmidt <mschmidt@redhat.com>


[ Upstream commit 78d5505432436516456c12abbe705ec8dee7ee2b ]

On failure to configure a VF MAC/VLAN filter we should not attempt to
rollback filters that we failed to configure with -EEXIST.

Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c |    8 +++++++-
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h |    1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
@@ -434,7 +434,9 @@ static int bnx2x_vf_mac_vlan_config(stru
 
 	/* Add/Remove the filter */
 	rc = bnx2x_config_vlan_mac(bp, &ramrod);
-	if (rc && rc != -EEXIST) {
+	if (rc == -EEXIST)
+		return 0;
+	if (rc) {
 		BNX2X_ERR("Failed to %s %s\n",
 			  filter->add ? "add" : "delete",
 			  (filter->type == BNX2X_VF_FILTER_VLAN_MAC) ?
@@ -444,6 +446,8 @@ static int bnx2x_vf_mac_vlan_config(stru
 		return rc;
 	}
 
+	filter->applied = true;
+
 	return 0;
 }
 
@@ -471,6 +475,8 @@ int bnx2x_vf_mac_vlan_config_list(struct
 		BNX2X_ERR("Managed only %d/%d filters - rolling back\n",
 			  i, filters->count + 1);
 		while (--i >= 0) {
+			if (!filters->filters[i].applied)
+				continue;
 			filters->filters[i].add = !filters->filters[i].add;
 			bnx2x_vf_mac_vlan_config(bp, vf, qid,
 						 &filters->filters[i],
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
@@ -114,6 +114,7 @@ struct bnx2x_vf_mac_vlan_filter {
 	(BNX2X_VF_FILTER_MAC | BNX2X_VF_FILTER_VLAN) /*shortcut*/
 
 	bool add;
+	bool applied;
 	u8 *mac;
 	u16 vid;
 };

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 103/148] rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 102/148] bnx2x: do not rollback VF MAC/VLAN filters we did not configure Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 104/148] ibmvnic: Fix overflowing firmware/hardware TX queue Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sowmini Varadhan, David S. Miller,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sowmini Varadhan <sowmini.varadhan@oracle.com>


[ Upstream commit b21dd4506b71bdb9c5a20e759255cd2513ea7ebe ]

Commit a93d01f5777e ("RDS: TCP: avoid bad page reference in
rds_tcp_listen_data_ready") added the function
rds_tcp_listen_sock_def_readable()  to handle the case when a
partially set-up acceptor socket drops into rds_tcp_listen_data_ready().
However, if the listen socket (rtn->rds_tcp_listen_sock) is itself going
through a tear-down via rds_tcp_listen_stop(), the (*ready)() will be
null and we would hit a panic  of the form
  BUG: unable to handle kernel NULL pointer dereference at   (null)
  IP:           (null)
   :
  ? rds_tcp_listen_data_ready+0x59/0xb0 [rds_tcp]
  tcp_data_queue+0x39d/0x5b0
  tcp_rcv_established+0x2e5/0x660
  tcp_v4_do_rcv+0x122/0x220
  tcp_v4_rcv+0x8b7/0x980
    :
In the above case, it is not fatal to encounter a NULL value for
ready- we should just drop the packet and let the flush of the
acceptor thread finish gracefully.

In general, the tear-down sequence for listen() and accept() socket
that is ensured by this commit is:
     rtn->rds_tcp_listen_sock = NULL; /* prevent any new accepts */
     In rds_tcp_listen_stop():
         serialize with, and prevent, further callbacks using lock_sock()
         flush rds_wq
         flush acceptor workq
         sock_release(listen socket)

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/tcp.c        |   15 ++++++++++-----
 net/rds/tcp.h        |    2 +-
 net/rds/tcp_listen.c |    9 +++++++--
 3 files changed, 18 insertions(+), 8 deletions(-)

--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -478,9 +478,10 @@ static void __net_exit rds_tcp_exit_net(
 	 * we do need to clean up the listen socket here.
 	 */
 	if (rtn->rds_tcp_listen_sock) {
-		rds_tcp_listen_stop(rtn->rds_tcp_listen_sock);
+		struct socket *lsock = rtn->rds_tcp_listen_sock;
+
 		rtn->rds_tcp_listen_sock = NULL;
-		flush_work(&rtn->rds_tcp_accept_w);
+		rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w);
 	}
 }
 
@@ -517,10 +518,10 @@ static void rds_tcp_kill_sock(struct net
 	struct rds_tcp_connection *tc, *_tc;
 	LIST_HEAD(tmp_list);
 	struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
+	struct socket *lsock = rtn->rds_tcp_listen_sock;
 
-	rds_tcp_listen_stop(rtn->rds_tcp_listen_sock);
 	rtn->rds_tcp_listen_sock = NULL;
-	flush_work(&rtn->rds_tcp_accept_w);
+	rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w);
 	spin_lock_irq(&rds_tcp_conn_lock);
 	list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
 		struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
@@ -540,8 +541,12 @@ static void rds_tcp_kill_sock(struct net
 void *rds_tcp_listen_sock_def_readable(struct net *net)
 {
 	struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
+	struct socket *lsock = rtn->rds_tcp_listen_sock;
+
+	if (!lsock)
+		return NULL;
 
-	return rtn->rds_tcp_listen_sock->sk->sk_user_data;
+	return lsock->sk->sk_user_data;
 }
 
 static int rds_tcp_dev_event(struct notifier_block *this,
--- a/net/rds/tcp.h
+++ b/net/rds/tcp.h
@@ -66,7 +66,7 @@ void rds_tcp_state_change(struct sock *s
 
 /* tcp_listen.c */
 struct socket *rds_tcp_listen_init(struct net *);
-void rds_tcp_listen_stop(struct socket *);
+void rds_tcp_listen_stop(struct socket *sock, struct work_struct *acceptor);
 void rds_tcp_listen_data_ready(struct sock *sk);
 int rds_tcp_accept_one(struct socket *sock);
 int rds_tcp_keepalive(struct socket *sock);
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -227,6 +227,9 @@ void rds_tcp_listen_data_ready(struct so
 	 * before it has been accepted and the accepter has set up their
 	 * data_ready.. we only want to queue listen work for our listening
 	 * socket
+	 *
+	 * (*ready)() may be null if we are racing with netns delete, and
+	 * the listen socket is being torn down.
 	 */
 	if (sk->sk_state == TCP_LISTEN)
 		rds_tcp_accept_work(sk);
@@ -235,7 +238,8 @@ void rds_tcp_listen_data_ready(struct so
 
 out:
 	read_unlock_bh(&sk->sk_callback_lock);
-	ready(sk);
+	if (ready)
+		ready(sk);
 }
 
 struct socket *rds_tcp_listen_init(struct net *net)
@@ -275,7 +279,7 @@ out:
 	return NULL;
 }
 
-void rds_tcp_listen_stop(struct socket *sock)
+void rds_tcp_listen_stop(struct socket *sock, struct work_struct *acceptor)
 {
 	struct sock *sk;
 
@@ -296,5 +300,6 @@ void rds_tcp_listen_stop(struct socket *
 
 	/* wait for accepts to stop and close the socket */
 	flush_workqueue(rds_wq);
+	flush_work(acceptor);
 	sock_release(sock);
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 104/148] ibmvnic: Fix overflowing firmware/hardware TX queue
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 103/148] rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 105/148] ibmvnic: Allocate number of rx/tx buffers agreed on by firmware Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Falcon, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>


[ Upstream commit 142c0ac445792c492579cb01f1cfd4e32e6dfcce ]

Use a counter to track the number of outstanding transmissions sent
that have not received completions. If the counter reaches the maximum
number of queue entries, stop transmissions on that queue. As we receive
more completions from firmware, wake the queue once the counter reaches
an acceptable level.

This patch prevents hardware/firmware TX queue from filling up and
and generating errors.  Since incorporating this fix, internal testing
has reported that these firmware errors have stopped.

Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/ibm/ibmvnic.c |   27 ++++++++++++++++++++++++++-
 drivers/net/ethernet/ibm/ibmvnic.h |    1 +
 2 files changed, 27 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -705,6 +705,7 @@ static int ibmvnic_xmit(struct sk_buff *
 	u8 *hdrs = (u8 *)&adapter->tx_rx_desc_req;
 	struct device *dev = &adapter->vdev->dev;
 	struct ibmvnic_tx_buff *tx_buff = NULL;
+	struct ibmvnic_sub_crq_queue *tx_scrq;
 	struct ibmvnic_tx_pool *tx_pool;
 	unsigned int tx_send_failed = 0;
 	unsigned int tx_map_failed = 0;
@@ -724,6 +725,7 @@ static int ibmvnic_xmit(struct sk_buff *
 	int ret = 0;
 
 	tx_pool = &adapter->tx_pool[queue_num];
+	tx_scrq = adapter->tx_scrq[queue_num];
 	txq = netdev_get_tx_queue(netdev, skb_get_queue_mapping(skb));
 	handle_array = (u64 *)((u8 *)(adapter->login_rsp_buf) +
 				   be32_to_cpu(adapter->login_rsp_buf->
@@ -826,6 +828,14 @@ static int ibmvnic_xmit(struct sk_buff *
 		ret = NETDEV_TX_BUSY;
 		goto out;
 	}
+
+	atomic_inc(&tx_scrq->used);
+
+	if (atomic_read(&tx_scrq->used) >= adapter->req_tx_entries_per_subcrq) {
+		netdev_info(netdev, "Stopping queue %d\n", queue_num);
+		netif_stop_subqueue(netdev, queue_num);
+	}
+
 	tx_packets++;
 	tx_bytes += skb->len;
 	txq->trans_start = jiffies;
@@ -1220,6 +1230,7 @@ static struct ibmvnic_sub_crq_queue *ini
 	scrq->adapter = adapter;
 	scrq->size = 4 * PAGE_SIZE / sizeof(*scrq->msgs);
 	scrq->cur = 0;
+	atomic_set(&scrq->used, 0);
 	scrq->rx_skb_top = NULL;
 	spin_lock_init(&scrq->lock);
 
@@ -1368,8 +1379,22 @@ restart_loop:
 						 DMA_TO_DEVICE);
 			}
 
-			if (txbuff->last_frag)
+			if (txbuff->last_frag) {
+				atomic_dec(&scrq->used);
+
+				if (atomic_read(&scrq->used) <=
+				    (adapter->req_tx_entries_per_subcrq / 2) &&
+				    netif_subqueue_stopped(adapter->netdev,
+							   txbuff->skb)) {
+					netif_wake_subqueue(adapter->netdev,
+							    scrq->pool_index);
+					netdev_dbg(adapter->netdev,
+						   "Started queue %d\n",
+						   scrq->pool_index);
+				}
+
 				dev_kfree_skb_any(txbuff->skb);
+			}
 
 			adapter->tx_pool[pool].free_map[adapter->tx_pool[pool].
 						     producer_index] = index;
--- a/drivers/net/ethernet/ibm/ibmvnic.h
+++ b/drivers/net/ethernet/ibm/ibmvnic.h
@@ -863,6 +863,7 @@ struct ibmvnic_sub_crq_queue {
 	spinlock_t lock;
 	struct sk_buff *rx_skb_top;
 	struct ibmvnic_adapter *adapter;
+	atomic_t used;
 };
 
 struct ibmvnic_long_term_buff {

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 105/148] ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 104/148] ibmvnic: Fix overflowing firmware/hardware TX queue Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 106/148] ipv6: reorder icmpv6_init() and ip6_mr_init() Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Falcon, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>


[ Upstream commit 068d9f90a6978c3e3a662d9e85204a7d6be240d2 ]

The amount of TX/RX buffers that the vNIC driver currently allocates
is different from the amount agreed upon in negotiation with firmware.
Correct that by allocating the requested number of buffers confirmed
by firmware.

Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/ibm/ibmvnic.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -404,7 +404,7 @@ static int ibmvnic_open(struct net_devic
 	send_map_query(adapter);
 	for (i = 0; i < rxadd_subcrqs; i++) {
 		init_rx_pool(adapter, &adapter->rx_pool[i],
-			     IBMVNIC_BUFFS_PER_POOL, i,
+			     adapter->req_rx_add_entries_per_subcrq, i,
 			     be64_to_cpu(size_array[i]), 1);
 		if (alloc_rx_pool(adapter, &adapter->rx_pool[i])) {
 			dev_err(dev, "Couldn't alloc rx pool\n");
@@ -419,23 +419,23 @@ static int ibmvnic_open(struct net_devic
 	for (i = 0; i < tx_subcrqs; i++) {
 		tx_pool = &adapter->tx_pool[i];
 		tx_pool->tx_buff =
-		    kcalloc(adapter->max_tx_entries_per_subcrq,
+		    kcalloc(adapter->req_tx_entries_per_subcrq,
 			    sizeof(struct ibmvnic_tx_buff), GFP_KERNEL);
 		if (!tx_pool->tx_buff)
 			goto tx_pool_alloc_failed;
 
 		if (alloc_long_term_buff(adapter, &tx_pool->long_term_buff,
-					 adapter->max_tx_entries_per_subcrq *
+					 adapter->req_tx_entries_per_subcrq *
 					 adapter->req_mtu))
 			goto tx_ltb_alloc_failed;
 
 		tx_pool->free_map =
-		    kcalloc(adapter->max_tx_entries_per_subcrq,
+		    kcalloc(adapter->req_tx_entries_per_subcrq,
 			    sizeof(int), GFP_KERNEL);
 		if (!tx_pool->free_map)
 			goto tx_fm_alloc_failed;
 
-		for (j = 0; j < adapter->max_tx_entries_per_subcrq; j++)
+		for (j = 0; j < adapter->req_tx_entries_per_subcrq; j++)
 			tx_pool->free_map[j] = j;
 
 		tx_pool->consumer_index = 0;
@@ -746,7 +746,7 @@ static int ibmvnic_xmit(struct sk_buff *
 
 	tx_pool->consumer_index =
 	    (tx_pool->consumer_index + 1) %
-		adapter->max_tx_entries_per_subcrq;
+		adapter->req_tx_entries_per_subcrq;
 
 	tx_buff = &tx_pool->tx_buff[index];
 	tx_buff->skb = skb;
@@ -819,7 +819,7 @@ static int ibmvnic_xmit(struct sk_buff *
 
 		if (tx_pool->consumer_index == 0)
 			tx_pool->consumer_index =
-				adapter->max_tx_entries_per_subcrq - 1;
+				adapter->req_tx_entries_per_subcrq - 1;
 		else
 			tx_pool->consumer_index--;
 
@@ -1400,7 +1400,7 @@ restart_loop:
 						     producer_index] = index;
 			adapter->tx_pool[pool].producer_index =
 			    (adapter->tx_pool[pool].producer_index + 1) %
-			    adapter->max_tx_entries_per_subcrq;
+			    adapter->req_tx_entries_per_subcrq;
 		}
 		/* remove tx_comp scrq*/
 		next->tx_comp.first = 0;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 106/148] ipv6: reorder icmpv6_init() and ip6_mr_init()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 105/148] ibmvnic: Allocate number of rx/tx buffers agreed on by firmware Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 107/148] crypto: s5p-sss - Fix completing crypto request in IRQ handler Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Konovalov, Cong Wang,
	David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>


[ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ]

Andrey reported the following kernel crash:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88001f311700 task.stack: ffff88001f6e8000
RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
FS:  00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
 sock_release+0x8d/0x1e0 net/socket.c:597
 __sock_create+0x39d/0x880 net/socket.c:1226
 sock_create_kern+0x3f/0x50 net/socket.c:1243
 inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
 icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
 ops_init+0x10a/0x550 net/core/net_namespace.c:115
 setup_net+0x261/0x660 net/core/net_namespace.c:291
 copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
9pnet_virtio: no channels available for device ./file1
 create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
 unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2281 [inline]
 SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
 entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because net->ipv6.mr6_tables is not initialized at that point,
ip6mr_rules_init() is not called yet, therefore on the error path when
we iterator the list, we trigger this oops. Fix this by reordering
ip6mr_rules_init() before icmpv6_sk_init().

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/af_inet6.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -909,12 +909,12 @@ static int __init inet6_init(void)
 	err = register_pernet_subsys(&inet6_net_ops);
 	if (err)
 		goto register_pernet_fail;
-	err = icmpv6_init();
-	if (err)
-		goto icmp_fail;
 	err = ip6_mr_init();
 	if (err)
 		goto ipmr_fail;
+	err = icmpv6_init();
+	if (err)
+		goto icmp_fail;
 	err = ndisc_init();
 	if (err)
 		goto ndisc_fail;
@@ -1044,10 +1044,10 @@ igmp_fail:
 	ndisc_cleanup();
 ndisc_fail:
 	ip6_mr_cleanup();
-ipmr_fail:
-	icmpv6_cleanup();
 icmp_fail:
 	unregister_pernet_subsys(&inet6_net_ops);
+ipmr_fail:
+	icmpv6_cleanup();
 register_pernet_fail:
 	sock_unregister(PF_INET6);
 	rtnl_unregister_all(PF_INET6);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 107/148] crypto: s5p-sss - Fix completing crypto request in IRQ handler
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 106/148] ipv6: reorder icmpv6_init() and ip6_mr_init() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 108/148] i2c: riic: fix restart condition Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Herbert Xu, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <krzk@kernel.org>


[ Upstream commit 07de4bc88ce6a4d898cad9aa4c99c1df7e87702d ]

In a regular interrupt handler driver was finishing the crypt/decrypt
request by calling complete on crypto request.  This is disallowed since
converting to skcipher in commit b286d8b1a690 ("crypto: skcipher - Add
skcipher walk interface") and causes a warning:
	WARNING: CPU: 0 PID: 0 at crypto/skcipher.c:430 skcipher_walk_first+0x13c/0x14c

The interrupt is marked shared but in fact there are no other users
sharing it.  Thus the simplest solution seems to be to just use a
threaded interrupt handler, after converting it to oneshot.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/crypto/s5p-sss.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/crypto/s5p-sss.c
+++ b/drivers/crypto/s5p-sss.c
@@ -805,8 +805,9 @@ static int s5p_aes_probe(struct platform
 		dev_warn(dev, "feed control interrupt is not available.\n");
 		goto err_irq;
 	}
-	err = devm_request_irq(dev, pdata->irq_fc, s5p_aes_interrupt,
-			       IRQF_SHARED, pdev->name, pdev);
+	err = devm_request_threaded_irq(dev, pdata->irq_fc, NULL,
+					s5p_aes_interrupt, IRQF_ONESHOT,
+					pdev->name, pdev);
 	if (err < 0) {
 		dev_warn(dev, "feed control interrupt is not available.\n");
 		goto err_irq;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 108/148] i2c: riic: fix restart condition
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 107/148] crypto: s5p-sss - Fix completing crypto request in IRQ handler Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 109/148] blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue() Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Simon Horman, Chris Brandt,
	Simon Horman, Wolfram Sang, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Brandt <chris.brandt@renesas.com>


[ Upstream commit 2501c1bb054290679baad0ff7f4f07c714251f4c ]

While modifying the driver to use the STOP interrupt, the completion of the
intermediate transfers need to wake the driver back up in order to initiate
the next transfer (restart condition). Otherwise you get never ending
interrupts and only the first transfer sent.

Fixes: 71ccea095ea1 ("i2c: riic: correctly finish transfers")
Reported-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
Tested-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-riic.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -218,8 +218,12 @@ static irqreturn_t riic_tend_isr(int irq
 	}
 
 	if (riic->is_last || riic->err) {
-		riic_clear_set_bit(riic, 0, ICIER_SPIE, RIIC_ICIER);
+		riic_clear_set_bit(riic, ICIER_TEIE, ICIER_SPIE, RIIC_ICIER);
 		writeb(ICCR2_SP, riic->base + RIIC_ICCR2);
+	} else {
+		/* Transfer is complete, but do not send STOP */
+		riic_clear_set_bit(riic, ICIER_TEIE, 0, RIIC_ICIER);
+		complete(&riic->msg_done);
 	}
 
 	return IRQ_HANDLED;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 109/148] blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 108/148] i2c: riic: fix restart condition Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 110/148] zram: set physical queue limits to avoid array out of bounds accesses Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Ming Lei,
	Peter Zijlstra (Intel),
	Jens Axboe, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Lei <tom.leiming@gmail.com>


[ Upstream commit 737f98cfe7de8df7433a4d846850aa8efa44bd48 ]

Both q->mq_kobj and sw queues' kobjects should have been initialized
once, instead of doing that each add_disk context.

Also this patch removes clearing of ctx in blk_mq_init_cpu_queues()
because percpu allocator fills zero to allocated variable.

This patch fixes one issue[1] reported from Omar.

[1] kernel wearning when doing unbind/bind on one scsi-mq device

[   19.347924] kobject (ffff8800791ea0b8): tried to init an initialized object, something is seriously wrong.
[   19.349781] CPU: 1 PID: 84 Comm: kworker/u8:1 Not tainted 4.10.0-rc7-00210-g53f39eeaa263 #34
[   19.350686] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-20161122_114906-anatol 04/01/2014
[   19.350920] Workqueue: events_unbound async_run_entry_fn
[   19.350920] Call Trace:
[   19.350920]  dump_stack+0x63/0x83
[   19.350920]  kobject_init+0x77/0x90
[   19.350920]  blk_mq_register_dev+0x40/0x130
[   19.350920]  blk_register_queue+0xb6/0x190
[   19.350920]  device_add_disk+0x1ec/0x4b0
[   19.350920]  sd_probe_async+0x10d/0x1c0 [sd_mod]
[   19.350920]  async_run_entry_fn+0x48/0x150
[   19.350920]  process_one_work+0x1d0/0x480
[   19.350920]  worker_thread+0x48/0x4e0
[   19.350920]  kthread+0x101/0x140
[   19.350920]  ? process_one_work+0x480/0x480
[   19.350920]  ? kthread_create_on_node+0x60/0x60
[   19.350920]  ret_from_fork+0x2c/0x40

Cc: Omar Sandoval <osandov@osandov.com>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Tested-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-mq-sysfs.c |    4 +---
 block/blk-mq.c       |    4 +++-
 block/blk-mq.h       |    1 +
 3 files changed, 5 insertions(+), 4 deletions(-)

--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -429,7 +429,7 @@ void blk_mq_hctx_kobj_init(struct blk_mq
 	kobject_init(&hctx->kobj, &blk_mq_hw_ktype);
 }
 
-static void blk_mq_sysfs_init(struct request_queue *q)
+void blk_mq_sysfs_init(struct request_queue *q)
 {
 	struct blk_mq_ctx *ctx;
 	int cpu;
@@ -449,8 +449,6 @@ int blk_mq_register_dev(struct device *d
 
 	blk_mq_disable_hotplug();
 
-	blk_mq_sysfs_init(q);
-
 	ret = kobject_add(&q->mq_kobj, kobject_get(&dev->kobj), "%s", "mq");
 	if (ret < 0)
 		goto out;
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1707,7 +1707,6 @@ static void blk_mq_init_cpu_queues(struc
 		struct blk_mq_ctx *__ctx = per_cpu_ptr(q->queue_ctx, i);
 		struct blk_mq_hw_ctx *hctx;
 
-		memset(__ctx, 0, sizeof(*__ctx));
 		__ctx->cpu = i;
 		spin_lock_init(&__ctx->lock);
 		INIT_LIST_HEAD(&__ctx->rq_list);
@@ -1970,6 +1969,9 @@ struct request_queue *blk_mq_init_alloca
 	if (!q->queue_ctx)
 		goto err_exit;
 
+	/* init q->mq_kobj and sw queues' kobjects */
+	blk_mq_sysfs_init(q);
+
 	q->queue_hw_ctx = kzalloc_node(nr_cpu_ids * sizeof(*(q->queue_hw_ctx)),
 						GFP_KERNEL, set->numa_node);
 	if (!q->queue_hw_ctx)
--- a/block/blk-mq.h
+++ b/block/blk-mq.h
@@ -50,6 +50,7 @@ static inline struct blk_mq_hw_ctx *blk_
 /*
  * sysfs helpers
  */
+extern void blk_mq_sysfs_init(struct request_queue *q);
 extern int blk_mq_sysfs_register(struct request_queue *q);
 extern void blk_mq_sysfs_unregister(struct request_queue *q);
 extern void blk_mq_hctx_kobj_init(struct blk_mq_hw_ctx *hctx);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 110/148] zram: set physical queue limits to avoid array out of bounds accesses
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 109/148] blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 111/148] netfilter: dont track fragmented packets Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Thumshirn, Hannes Reinecke,
	Sergey Senozhatsky, Jens Axboe, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Thumshirn <jthumshirn@suse.de>


[ Upstream commit 0bc315381fe9ed9fb91db8b0e82171b645ac008f ]

zram can handle at most SECTORS_PER_PAGE sectors in a bio's bvec. When using
the NVMe over Fabrics loopback target which potentially sends a huge bulk of
pages attached to the bio's bvec this results in a kernel panic because of
array out of bounds accesses in zram_decompress_page().

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/zram/zram_drv.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/block/zram/zram_drv.c
+++ b/drivers/block/zram/zram_drv.c
@@ -1286,6 +1286,8 @@ static int zram_add(void)
 	blk_queue_io_min(zram->disk->queue, PAGE_SIZE);
 	blk_queue_io_opt(zram->disk->queue, PAGE_SIZE);
 	zram->disk->queue->limits.discard_granularity = PAGE_SIZE;
+	zram->disk->queue->limits.max_sectors = SECTORS_PER_PAGE;
+	zram->disk->queue->limits.chunk_sectors = 0;
 	blk_queue_max_discard_sectors(zram->disk->queue, UINT_MAX);
 	/*
 	 * zram_bio_discard() will clear all logical blocks if logical block

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 111/148] netfilter: dont track fragmented packets
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 110/148] zram: set physical queue limits to avoid array out of bounds accesses Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 112/148] axonram: Fix gendisk handling Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Konovalov, Florian Westphal,
	Pablo Neira Ayuso, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>


[ Upstream commit 7b4fdf77a450ec0fdcb2f677b080ddbf2c186544 ]

Andrey reports syzkaller splat caused by

NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));

in ipv4 nat.  But this assertion (and the comment) are wrong, this function
does see fragments when IP_NODEFRAG setsockopt is used.

As conntrack doesn't track packets without complete l4 header, only the
first fragment is tracked.

Because applying nat to first packet but not the rest makes no sense this
also turns off tracking of all fragments.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    4 ++++
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c       |    5 -----
 2 files changed, 4 insertions(+), 5 deletions(-)

--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -158,6 +158,10 @@ static unsigned int ipv4_conntrack_local
 	if (skb->len < sizeof(struct iphdr) ||
 	    ip_hdrlen(skb) < sizeof(struct iphdr))
 		return NF_ACCEPT;
+
+	if (ip_is_fragment(ip_hdr(skb))) /* IP_NODEFRAG setsockopt set */
+		return NF_ACCEPT;
+
 	return nf_conntrack_in(state->net, PF_INET, state->hook, skb);
 }
 
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -255,11 +255,6 @@ nf_nat_ipv4_fn(void *priv, struct sk_buf
 	/* maniptype == SRC for postrouting. */
 	enum nf_nat_manip_type maniptype = HOOK2MANIP(state->hook);
 
-	/* We never see fragments: conntrack defrags on pre-routing
-	 * and local-out, and nf_nat_out protects post-routing.
-	 */
-	NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));
-
 	ct = nf_ct_get(skb, &ctinfo);
 	/* Can't track?  It's not due to stress, or conntrack would
 	 * have dropped it.  Hence it's the user's responsibilty to

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 112/148] axonram: Fix gendisk handling
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 111/148] netfilter: dont track fragmented packets Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 113/148] drm/amd/amdgpu: fix console deadlock if late init failed Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Jan Kara, Jens Axboe,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>


[ Upstream commit 672a2c87c83649fb0167202342ce85af9a3b4f1c ]

It is invalid to call del_gendisk() when disk->queue is NULL. Fix error
handling in axon_ram_probe() to avoid doing that.

Also del_gendisk() does not drop a reference to gendisk allocated by
alloc_disk(). That has to be done by put_disk(). Add that call where
needed.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/sysdev/axonram.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/powerpc/sysdev/axonram.c
+++ b/arch/powerpc/sysdev/axonram.c
@@ -274,7 +274,9 @@ failed:
 			if (bank->disk->major > 0)
 				unregister_blkdev(bank->disk->major,
 						bank->disk->disk_name);
-			del_gendisk(bank->disk);
+			if (bank->disk->flags & GENHD_FL_UP)
+				del_gendisk(bank->disk);
+			put_disk(bank->disk);
 		}
 		device->dev.platform_data = NULL;
 		if (bank->io_addr != 0)
@@ -299,6 +301,7 @@ axon_ram_remove(struct platform_device *
 	device_remove_file(&device->dev, &dev_attr_ecc);
 	free_irq(bank->irq_id, device);
 	del_gendisk(bank->disk);
+	put_disk(bank->disk);
 	iounmap((void __iomem *) bank->io_addr);
 	kfree(bank);
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 113/148] drm/amd/amdgpu: fix console deadlock if late init failed
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 112/148] axonram: Fix gendisk handling Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 114/148] powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jim Qu, Alex Deucher, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jim Qu <Jim.Qu@amd.com>


[ Upstream commit c085bd5119d5d0bdf3ef591a5563566be7dedced ]

Signed-off-by: Jim Qu <Jim.Qu@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -2020,8 +2020,11 @@ int amdgpu_device_resume(struct drm_devi
 	}
 
 	r = amdgpu_late_init(adev);
-	if (r)
+	if (r) {
+		if (fbcon)
+			console_unlock();
 		return r;
+	}
 
 	/* pin cursors */
 	list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) {

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 114/148] powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 113/148] drm/amd/amdgpu: fix console deadlock if late init failed Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 117/148] kbuild: pkg: use --transform option to prefix paths in tar Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Kardashevskiy, Gavin Shan,
	Michael Ellerman, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kardashevskiy <aik@ozlabs.ru>


[ Upstream commit 7aafac11e308d37ed3c509829bb43d80c1811ac3 ]

The IODA2 specification says that a 64 DMA address cannot use top 4 bits
(3 are reserved and one is a "TVE select"); bottom page_shift bits
cannot be used for multilevel table addressing either.

The existing IODA2 table allocation code aligns the minimum TCE table
size to PAGE_SIZE so in the case of 64K system pages and 4K IOMMU pages,
we have 64-4-12=48 bits. Since 64K page stores 8192 TCEs, i.e. needs
13 bits, the maximum number of levels is 48/13 = 3 so we physically
cannot address more and EEH happens on DMA accesses.

This adds a check that too many levels were requested.

It is still possible to have 5 levels in the case of 4K system page size.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Acked-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/platforms/powernv/pci-ioda.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/platforms/powernv/pci-ioda.c
+++ b/arch/powerpc/platforms/powernv/pci-ioda.c
@@ -2623,6 +2623,9 @@ static long pnv_pci_ioda2_table_alloc_pa
 	level_shift = entries_shift + 3;
 	level_shift = max_t(unsigned, level_shift, PAGE_SHIFT);
 
+	if ((level_shift - 3) * levels + page_shift >= 60)
+		return -EINVAL;
+
 	/* Allocate TCE table */
 	addr = pnv_pci_ioda2_table_do_alloc_pages(nid, level_shift,
 			levels, tce_table_size, &offset, &total_allocated);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 117/148] kbuild: pkg: use --transform option to prefix paths in tar
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 114/148] powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 118/148] coccinelle: fix parallel build with CHECK=scripts/coccicheck Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit 2dbc644ac62bbcb9ee78e84719953f611be0413d ]

For rpm-pkg and deb-pkg, a source tar file is created.  All paths in
the archive must be prefixed with the base name of the tar so that
everything is contained in the directory when you extract it.

Currently, scripts/package/Makefile uses a symlink for that, and
removes it after the tar is created.

If you terminate the build during the tar creation, the symlink is
left over.  Then, at the next package build, you will see a warning
like follows:

  ln: '.' and 'kernel-4.14.0+/.' are the same file

It is possible to fix it by adding -n (--no-dereference) option to
the "ln" command, but a cleaner way is to use --transform option
of "tar" command.  This option is GNU extension, but it should not
hurt to use it in the Linux build system.

The 'S' flag is needed to exclude symlinks from the path fixup.
Without it, symlinks in the kernel are broken.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/package/Makefile |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/scripts/package/Makefile
+++ b/scripts/package/Makefile
@@ -39,10 +39,9 @@ if test "$(objtree)" != "$(srctree)"; th
 	false; \
 fi ; \
 $(srctree)/scripts/setlocalversion --save-scmversion; \
-ln -sf $(srctree) $(2); \
 tar -cz $(RCS_TAR_IGNORE) -f $(2).tar.gz \
-	$(addprefix $(2)/,$(TAR_CONTENT) $(3)); \
-rm -f $(2) $(objtree)/.scmversion
+	--transform 's:^:$(2)/:S' $(TAR_CONTENT) $(3); \
+rm -f $(objtree)/.scmversion
 
 # rpm-pkg
 # ---------------------------------------------------------------------------

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 118/148] coccinelle: fix parallel build with CHECK=scripts/coccicheck
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 117/148] kbuild: pkg: use --transform option to prefix paths in tar Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 119/148] x86/mpx/selftests: Fix up weird arrays Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Julia Lawall, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit d7059ca0147adcd495f3c5b41f260e1ac55bb679 ]

The command "make -j8 C=1 CHECK=scripts/coccicheck" produces
lots of "coccicheck failed" error messages.

Julia Lawall explained the Coccinelle behavior as follows:
"The problem on the Coccinelle side is that it uses a subdirectory
with the name of the semantic patch to store standard output and
standard error for the different threads.  I didn't want to use a
name with the pid, so that one could easily find this information
while Coccinelle is running.  Normally the subdirectory is cleaned
up when Coccinelle completes, so there is only one of them at a time.
Maybe it is best to just add the pid.  There is the risk that these
subdirectories will accumulate if Coccinelle crashes in a way such
that they don't get cleaned up, but Coccinelle could print a warning
if it detects this case, rather than failing."

When scripts/coccicheck is used as CHECK tool and -j option is given
to Make, the whole of build process runs in parallel.  So, multiple
processes try to get access to the same subdirectory.

I notice spatch creates the subdirectory only when it runs in parallel
(i.e. --jobs <N> is given and <N> is greater than 1).

Setting NPROC=1 is a reasonable solution; spatch does not create the
subdirectory.  Besides, ONLINE=1 mode takes a single file input for
each spatch invocation, so there is no reason to parallelize it in
the first place.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/coccicheck |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/scripts/coccicheck
+++ b/scripts/coccicheck
@@ -29,12 +29,6 @@ else
 	VERBOSE=0
 fi
 
-if [ -z "$J" ]; then
-	NPROC=$(getconf _NPROCESSORS_ONLN)
-else
-	NPROC="$J"
-fi
-
 FLAGS="--very-quiet"
 
 # You can use SPFLAGS to append extra arguments to coccicheck or override any
@@ -69,6 +63,9 @@ if [ "$C" = "1" -o "$C" = "2" ]; then
     # Take only the last argument, which is the C file to test
     shift $(( $# - 1 ))
     OPTIONS="$COCCIINCLUDE $1"
+
+    # No need to parallelize Coccinelle since this mode takes one input file.
+    NPROC=1
 else
     ONLINE=0
     if [ "$KBUILD_EXTMOD" = "" ] ; then
@@ -76,6 +73,12 @@ else
     else
         OPTIONS="--dir $KBUILD_EXTMOD $COCCIINCLUDE"
     fi
+
+    if [ -z "$J" ]; then
+        NPROC=$(getconf _NPROCESSORS_ONLN)
+    else
+        NPROC="$J"
+    fi
 fi
 
 if [ "$KBUILD_EXTMOD" != "" ] ; then

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 119/148] x86/mpx/selftests: Fix up weird arrays
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 118/148] coccinelle: fix parallel build with CHECK=scripts/coccicheck Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 120/148] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Hansen, Thomas Gleixner,
	Andy Lutomirski, Borislav Petkov, Brian Gerst, Denys Vlasenko,
	H. Peter Anvin, Josh Poimboeuf, Linus Torvalds, Peter Zijlstra,
	Ingo Molnar, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Hansen <dave.hansen@linux.intel.com>


[ Upstream commit a6400120d042397675fcf694060779d21e9e762d ]

The MPX hardware data structurse are defined in a weird way: they define
their size in bytes and then union that with the type with which we want
to access them.

Yes, this is weird, but it does work.  But, new GCC's complain that we
are accessing the array out of bounds.  Just make it a zero-sized array
so gcc will stop complaining.  There was not really a bug here.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20171111001229.58A7933D@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/x86/mpx-hw.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/testing/selftests/x86/mpx-hw.h
+++ b/tools/testing/selftests/x86/mpx-hw.h
@@ -51,14 +51,14 @@
 struct mpx_bd_entry {
 	union {
 		char x[MPX_BOUNDS_DIR_ENTRY_SIZE_BYTES];
-		void *contents[1];
+		void *contents[0];
 	};
 } __attribute__((packed));
 
 struct mpx_bt_entry {
 	union {
 		char x[MPX_BOUNDS_TABLE_ENTRY_SIZE_BYTES];
-		unsigned long contents[1];
+		unsigned long contents[0];
 	};
 } __attribute__((packed));
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 120/148] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 119/148] x86/mpx/selftests: Fix up weird arrays Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 121/148] gre6: use log_ecn_error module parameter in ip6_tnl_rcv() Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Johannes Berg, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben.hutchings@codethink.co.uk>


[ Upstream commit 67bd52386125ce1159c0581cbcd2740addf33cd4 ]

hwsim_new_radio_nl() now copies the name attribute in order to add a
null-terminator.  mac80211_hwsim_new_radio() (indirectly) copies it
again into the net_device structure, so the first copy is not used or
freed later.  Free the first copy before returning.

Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/mac80211_hwsim.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3047,6 +3047,7 @@ static int hwsim_new_radio_nl(struct sk_
 {
 	struct hwsim_new_radio_params param = { 0 };
 	const char *hwname = NULL;
+	int ret;
 
 	param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
 	param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
@@ -3086,7 +3087,9 @@ static int hwsim_new_radio_nl(struct sk_
 		param.regd = hwsim_world_regdom_custom[idx];
 	}
 
-	return mac80211_hwsim_new_radio(info, &param);
+	ret = mac80211_hwsim_new_radio(info, &param);
+	kfree(hwname);
+	return ret;
 }
 
 static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 121/148] gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 120/148] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 122/148] route: also update fnhe_genid when updating a route cache Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Kodanev, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Kodanev <alexey.kodanev@oracle.com>


[ Upstream commit 981542c526ecd846920bc500e9989da906ee9fb9 ]

After commit 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call
common GRE functions") it's not used anywhere in the module, but
previously was used in ip6gre_rcv().

Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_gre.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -461,7 +461,7 @@ static int ip6gre_rcv(struct sk_buff *sk
 				      &ipv6h->saddr, &ipv6h->daddr, tpi->key,
 				      tpi->proto);
 	if (tunnel) {
-		ip6_tnl_rcv(tunnel, skb, tpi, NULL, false);
+		ip6_tnl_rcv(tunnel, skb, tpi, NULL, log_ecn_error);
 
 		return PACKET_RCVD;
 	}

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 122/148] route: also update fnhe_genid when updating a route cache
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 121/148] gre6: use log_ecn_error module parameter in ip6_tnl_rcv() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 123/148] route: update fnhe_expires for redirect when the fnhe exists Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hannes Frederic Sowa, Xin Long,
	David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit cebe84c6190d741045a322f5343f717139993c08 ]

Now when ip route flush cache and it turn out all fnhe_genid != genid.
If a redirect/pmtu icmp packet comes and the old fnhe is found and all
it's members but fnhe_genid will be updated.

Then next time when it looks up route and tries to rebind this fnhe to
the new dst, the fnhe will be flushed due to fnhe_genid != genid. It
causes this redirect/pmtu icmp packet acutally not to be applied.

This patch is to also reset fnhe_genid when updating a route cache.

Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/route.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -630,9 +630,12 @@ static void update_or_create_fnhe(struct
 	struct fnhe_hash_bucket *hash;
 	struct fib_nh_exception *fnhe;
 	struct rtable *rt;
+	u32 genid, hval;
 	unsigned int i;
 	int depth;
-	u32 hval = fnhe_hashfun(daddr);
+
+	genid = fnhe_genid(dev_net(nh->nh_dev));
+	hval = fnhe_hashfun(daddr);
 
 	spin_lock_bh(&fnhe_lock);
 
@@ -655,6 +658,8 @@ static void update_or_create_fnhe(struct
 	}
 
 	if (fnhe) {
+		if (fnhe->fnhe_genid != genid)
+			fnhe->fnhe_genid = genid;
 		if (gw)
 			fnhe->fnhe_gw = gw;
 		if (pmtu) {
@@ -679,7 +684,7 @@ static void update_or_create_fnhe(struct
 			fnhe->fnhe_next = hash->chain;
 			rcu_assign_pointer(hash->chain, fnhe);
 		}
-		fnhe->fnhe_genid = fnhe_genid(dev_net(nh->nh_dev));
+		fnhe->fnhe_genid = genid;
 		fnhe->fnhe_daddr = daddr;
 		fnhe->fnhe_gw = gw;
 		fnhe->fnhe_pmtu = pmtu;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 123/148] route: update fnhe_expires for redirect when the fnhe exists
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 122/148] route: also update fnhe_genid when updating a route cache Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 124/148] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer() Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jianlin Shi, Hannes Frederic Sowa,
	Xin Long, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit e39d5246111399dbc6e11cd39fd8580191b86c47 ]

Now when creating fnhe for redirect, it sets fnhe_expires for this
new route cache. But when updating the exist one, it doesn't do it.
It will cause this fnhe never to be expired.

Paolo already noticed it before, in Jianlin's test case, it became
even worse:

When ip route flush cache, the old fnhe is not to be removed, but
only clean it's members. When redirect comes again, this fnhe will
be found and updated, but never be expired due to fnhe_expires not
being set.

So fix it by simply updating fnhe_expires even it's for redirect.

Fixes: aee06da6726d ("ipv4: use seqlock for nh_exceptions")
Reported-by: Jianlin Shi <jishi@redhat.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/route.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -662,10 +662,9 @@ static void update_or_create_fnhe(struct
 			fnhe->fnhe_genid = genid;
 		if (gw)
 			fnhe->fnhe_gw = gw;
-		if (pmtu) {
+		if (pmtu)
 			fnhe->fnhe_pmtu = pmtu;
-			fnhe->fnhe_expires = max(1UL, expires);
-		}
+		fnhe->fnhe_expires = max(1UL, expires);
 		/* Update all cached dsts too */
 		rt = rcu_dereference(fnhe->fnhe_rth_input);
 		if (rt)

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 124/148] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 123/148] route: update fnhe_expires for redirect when the fnhe exists Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 125/148] lib/genalloc.c: make the avail variable an atomic_long_t Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Logan Gunthorpe,
	Matt Porter, Alexandre Bounine, Lorenzo Stoakes, Jesper Nilsson,
	Christian K_nig, Andrew Morton, Linus Torvalds, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>


[ Upstream commit b1402dcb5643b7a27d46a05edd7491d49ba0e248 ]

If 'dma_map_sg()', we should branch to the existing error handling path
to free some resources before returning.

Link: http://lkml.kernel.org/r/61292a4f369229eee03394247385e955027283f8.1505687047.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: Christian K_nig <christian.koenig@amd.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/rapidio/devices/rio_mport_cdev.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -964,7 +964,8 @@ rio_dma_transfer(struct file *filp, u32
 			   req->sgt.sgl, req->sgt.nents, dir);
 	if (nents == -EFAULT) {
 		rmcd_error("Failed to map SG list");
-		return -EFAULT;
+		ret = -EFAULT;
+		goto err_pg;
 	}
 
 	ret = do_dma_request(req, xfer, sync, nents);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 125/148] lib/genalloc.c: make the avail variable an atomic_long_t
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 124/148] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 126/148] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Bates, Logan Gunthorpe,
	Mathieu Desnoyers, Daniel Mentz, Jonathan Corbet, Andrew Morton,
	Will Deacon, Linus Torvalds, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen Bates <sbates@raithlin.com>


[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ]

If the amount of resources allocated to a gen_pool exceeds 2^32 then the
avail atomic overflows and this causes problems when clients try and
borrow resources from the pool.  This is only expected to be an issue on
64 bit systems.

Add the <linux/atomic.h> header to pull in atomic_long* operations.  So
that 32 bit systems continue to use atomic32_t but 64 bit systems can
use atomic64_t.

Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com
Signed-off-by: Stephen Bates <sbates@raithlin.com>
Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Daniel Mentz <danielmentz@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/genalloc.h |    3 ++-
 lib/genalloc.c           |   10 +++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

--- a/include/linux/genalloc.h
+++ b/include/linux/genalloc.h
@@ -32,6 +32,7 @@
 
 #include <linux/types.h>
 #include <linux/spinlock_types.h>
+#include <linux/atomic.h>
 
 struct device;
 struct device_node;
@@ -70,7 +71,7 @@ struct gen_pool {
  */
 struct gen_pool_chunk {
 	struct list_head next_chunk;	/* next chunk in pool */
-	atomic_t avail;
+	atomic_long_t avail;
 	phys_addr_t phys_addr;		/* physical starting address of memory chunk */
 	unsigned long start_addr;	/* start address of memory chunk */
 	unsigned long end_addr;		/* end address of memory chunk (inclusive) */
--- a/lib/genalloc.c
+++ b/lib/genalloc.c
@@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p
 	chunk->phys_addr = phys;
 	chunk->start_addr = virt;
 	chunk->end_addr = virt + size - 1;
-	atomic_set(&chunk->avail, size);
+	atomic_long_set(&chunk->avail, size);
 
 	spin_lock(&pool->lock);
 	list_add_rcu(&chunk->next_chunk, &pool->chunks);
@@ -304,7 +304,7 @@ unsigned long gen_pool_alloc_algo(struct
 	nbits = (size + (1UL << order) - 1) >> order;
 	rcu_read_lock();
 	list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
-		if (size > atomic_read(&chunk->avail))
+		if (size > atomic_long_read(&chunk->avail))
 			continue;
 
 		start_bit = 0;
@@ -324,7 +324,7 @@ retry:
 
 		addr = chunk->start_addr + ((unsigned long)start_bit << order);
 		size = nbits << order;
-		atomic_sub(size, &chunk->avail);
+		atomic_long_sub(size, &chunk->avail);
 		break;
 	}
 	rcu_read_unlock();
@@ -390,7 +390,7 @@ void gen_pool_free(struct gen_pool *pool
 			remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
 			BUG_ON(remain);
 			size = nbits << order;
-			atomic_add(size, &chunk->avail);
+			atomic_long_add(size, &chunk->avail);
 			rcu_read_unlock();
 			return;
 		}
@@ -464,7 +464,7 @@ size_t gen_pool_avail(struct gen_pool *p
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
-		avail += atomic_read(&chunk->avail);
+		avail += atomic_long_read(&chunk->avail);
 	rcu_read_unlock();
 	return avail;
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 126/148] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 125/148] lib/genalloc.c: make the avail variable an atomic_long_t Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 127/148] NFS: Fix a typo in nfs_rename() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Jason Baron,
	Andrew Morton, Linus Torvalds, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdunlap@infradead.org>


[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]

line-range is supposed to treat "1-" as "1-endoffile", so
handle the special case by setting last_lineno to UINT_MAX.

Fixes this error:

  dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
  dynamic_debug:ddebug_exec_query: query parse failed

Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/dynamic_debug.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/lib/dynamic_debug.c
+++ b/lib/dynamic_debug.c
@@ -360,6 +360,10 @@ static int ddebug_parse_query(char *word
 				if (parse_lineno(last, &query->last_lineno) < 0)
 					return -EINVAL;
 
+				/* special case for last lineno not specified */
+				if (query->last_lineno == 0)
+					query->last_lineno = UINT_MAX;
+
 				if (query->last_lineno < query->first_lineno) {
 					pr_err("last-line:%d < 1st-line:%d\n",
 						query->last_lineno,

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 127/148] NFS: Fix a typo in nfs_rename()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 126/148] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 128/148] sunrpc: Fix rpc_task_begin trace point Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Anna Schumaker, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>


[ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ]

On successful rename, the "old_dentry" is retained and is attached to
the "new_dir", so we need to call nfs_set_verifier() accordingly.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/dir.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2098,7 +2098,7 @@ out:
 		if (new_inode != NULL)
 			nfs_drop_nlink(new_inode);
 		d_move(old_dentry, new_dentry);
-		nfs_set_verifier(new_dentry,
+		nfs_set_verifier(old_dentry,
 					nfs_save_change_attribute(new_dir));
 	} else if (error == -ENOENT)
 		nfs_dentry_handle_enoent(old_dentry);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 128/148] sunrpc: Fix rpc_task_begin trace point
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 127/148] NFS: Fix a typo in nfs_rename() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 129/148] xfs: fix forgotten rcu read unlock when skipping inode reclaim Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuck Lever, Anna Schumaker, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>


[ Upstream commit b2bfe5915d5fe7577221031a39ac722a0a2a1199 ]

The rpc_task_begin trace point always display a task ID of zero.
Move the trace point call site so that it picks up the new task ID.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sunrpc/sched.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -274,10 +274,9 @@ static inline void rpc_task_set_debuginf
 
 static void rpc_set_active(struct rpc_task *task)
 {
-	trace_rpc_task_begin(task->tk_client, task, NULL);
-
 	rpc_task_set_debuginfo(task);
 	set_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
+	trace_rpc_task_begin(task->tk_client, task, NULL);
 }
 
 /*

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 129/148] xfs: fix forgotten rcu read unlock when skipping inode reclaim
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 128/148] sunrpc: Fix rpc_task_begin trace point Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 130/148] dt-bindings: usb: fix reg-property port-number range Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Darrick J. Wong,
	Christoph Hellwig, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Darrick J. Wong" <darrick.wong@oracle.com>


[ Upstream commit 962cc1ad6caddb5abbb9f0a43e5abe7131a71f18 ]

In commit f2e9ad21 ("xfs: check for race with xfs_reclaim_inode"), we
skip an inode if we're racing with freeing the inode via
xfs_reclaim_inode, but we forgot to release the rcu read lock when
dumping the inode, with the result that we exit to userspace with a lock
held.  Don't do that; generic/320 with a 1k block size fails this
very occasionally.

================================================
WARNING: lock held when returning to user space!
4.14.0-rc6-djwong #4 Tainted: G        W
------------------------------------------------
rm/30466 is leaving the kernel with locks still held!
1 lock held by rm/30466:
 #0:  (rcu_read_lock){....}, at: [<ffffffffa01364d3>] xfs_ifree_cluster.isra.17+0x2c3/0x6f0 [xfs]
------------[ cut here ]------------
WARNING: CPU: 1 PID: 30466 at kernel/rcu/tree_plugin.h:329 rcu_note_context_switch+0x71/0x700
Modules linked in: deadline_iosched dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey xfs libcrc32c dax_pmem device_dax nd_pmem sch_fq_codel af_packet [last unloaded: scsi_debug]
CPU: 1 PID: 30466 Comm: rm Tainted: G        W       4.14.0-rc6-djwong #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1djwong0 04/01/2014
task: ffff880037680000 task.stack: ffffc90001064000
RIP: 0010:rcu_note_context_switch+0x71/0x700
RSP: 0000:ffffc90001067e50 EFLAGS: 00010002
RAX: 0000000000000001 RBX: ffff880037680000 RCX: ffff88003e73d200
RDX: 0000000000000002 RSI: ffffffff819e53e9 RDI: ffffffff819f4375
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff880062c900d0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880037680000
R13: 0000000000000000 R14: ffffc90001067eb8 R15: ffff880037680690
FS:  00007fa3b8ce8700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f69bf77c000 CR3: 000000002450a000 CR4: 00000000000006e0
Call Trace:
 __schedule+0xb8/0xb10
 schedule+0x40/0x90
 exit_to_usermode_loop+0x6b/0xa0
 prepare_exit_to_usermode+0x7a/0x90
 retint_user+0x8/0x20
RIP: 0033:0x7fa3b87fda87
RSP: 002b:00007ffe41206568 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02
RAX: 0000000000000000 RBX: 00000000010e88c0 RCX: 00007fa3b87fda87
RDX: 0000000000000000 RSI: 00000000010e89c8 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 000000000000015e R11: 0000000000000246 R12: 00000000010c8060
R13: 00007ffe41206690 R14: 0000000000000000 R15: 0000000000000000
---[ end trace e88f83bf0cfbd07d ]---

Fixes: f2e9ad212def50bcf4c098c6288779dd97fff0f0
Cc: Omar Sandoval <osandov@fb.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/xfs/xfs_inode.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -2386,6 +2386,7 @@ retry:
 				 */
 				if (ip->i_ino != inum + i) {
 					xfs_iunlock(ip, XFS_ILOCK_EXCL);
+					rcu_read_unlock();
 					continue;
 				}
 			}

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 130/148] dt-bindings: usb: fix reg-property port-number range
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 129/148] xfs: fix forgotten rcu read unlock when skipping inode reclaim Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 131/148] block: wake up all tasks blocked in get_request() Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Rob Herring, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>


[ Upstream commit f42ae7b0540937e00fe005812997f126aaac4bc2 ]

The USB hub port-number range for USB 2.0 is 1-255 and not 1-31 which
reflects an arbitrary limit set by the current Linux implementation.

Note that for USB 3.1 hubs the valid range is 1-15.

Increase the documented valid range in the binding to 255, which is the
maximum allowed by the specifications.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/usb/usb-device.txt |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/devicetree/bindings/usb/usb-device.txt
+++ b/Documentation/devicetree/bindings/usb/usb-device.txt
@@ -11,7 +11,7 @@ Required properties:
   be used, but a device adhering to this binding may leave out all except
   for usbVID,PID.
 - reg: the port number which this device is connecting to, the range
-  is 1-31.
+  is 1-255.
 
 Example:
 

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 131/148] block: wake up all tasks blocked in get_request()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 130/148] dt-bindings: usb: fix reg-property port-number range Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 132/148] sparc64/mm: set fields in deferred pages Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ming Lei, Jens Axboe, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Lei <ming.lei@redhat.com>


[ Upstream commit 34d9715ac1edd50285168dd8d80c972739a4f6a4 ]

Once blk_set_queue_dying() is done in blk_cleanup_queue(), we call
blk_freeze_queue() and wait for q->q_usage_counter becoming zero. But
if there are tasks blocked in get_request(), q->q_usage_counter can
never become zero. So we have to wake up all these tasks in
blk_set_queue_dying() first.

Fixes: 3ef28e83ab157997 ("block: generic request_queue reference counting")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -527,8 +527,8 @@ void blk_set_queue_dying(struct request_
 
 		blk_queue_for_each_rl(rl, q) {
 			if (rl->rq_pool) {
-				wake_up(&rl->wait[BLK_RW_SYNC]);
-				wake_up(&rl->wait[BLK_RW_ASYNC]);
+				wake_up_all(&rl->wait[BLK_RW_SYNC]);
+				wake_up_all(&rl->wait[BLK_RW_ASYNC]);
 			}
 		}
 	}

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 132/148] sparc64/mm: set fields in deferred pages
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 131/148] block: wake up all tasks blocked in get_request() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 133/148] zsmalloc: calling zs_map_object() from irq is a bug Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Tatashin, Steven Sistare,
	Daniel Jordan, Bob Picco, David S. Miller, Michal Hocko,
	Alexander Potapenko, Andrey Ryabinin, Ard Biesheuvel,
	Catalin Marinas, Christian Borntraeger, Dmitry Vyukov,
	Heiko Carstens, H. Peter Anvin, Ingo Molnar, Mark Rutland,
	Matthew Wilcox, Mel Gorman, Michal Hocko, Sam Ravnborg,
	Thomas Gleixner, Will Deacon, Andrew Morton, Linus Torvalds,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Tatashin <pasha.tatashin@oracle.com>


[ Upstream commit 2a20aa171071a334d80c4e5d5af719d8374702fc ]

Without deferred struct page feature (CONFIG_DEFERRED_STRUCT_PAGE_INIT),
flags and other fields in "struct page"es are never changed prior to
first initializing struct pages by going through __init_single_page().

With deferred struct page feature enabled there is a case where we set
some fields prior to initializing:

mem_init() {
     register_page_bootmem_info();
     free_all_bootmem();
     ...
}

When register_page_bootmem_info() is called only non-deferred struct
pages are initialized.  But, this function goes through some reserved
pages which might be part of the deferred, and thus are not yet
initialized.

mem_init
register_page_bootmem_info
register_page_bootmem_info_node
 get_page_bootmem
  .. setting fields here ..
  such as: page->freelist = (void *)type;

free_all_bootmem()
free_low_memory_core_early()
 for_each_reserved_mem_region()
  reserve_bootmem_region()
   init_reserved_page() <- Only if this is deferred reserved page
    __init_single_pfn()
     __init_single_page()
      memset(0) <-- Loose the set fields here

We end up with similar issue as in the previous patch, where currently
we do not observe problem as memory is zeroed.  But, if flag asserts are
changed we can start hitting issues.

Also, because in this patch series we will stop zeroing struct page
memory during allocation, we must make sure that struct pages are
properly initialized prior to using them.

The deferred-reserved pages are initialized in free_all_bootmem().
Therefore, the fix is to switch the above calls.

Link: http://lkml.kernel.org/r/20171013173214.27300-4-pasha.tatashin@oracle.com
Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: Bob Picco <bob.picco@oracle.com>
Acked-by: David S. Miller <davem@davemloft.net>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/sparc/mm/init_64.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/arch/sparc/mm/init_64.c
+++ b/arch/sparc/mm/init_64.c
@@ -2391,10 +2391,17 @@ void __init mem_init(void)
 {
 	high_memory = __va(last_valid_pfn << PAGE_SHIFT);
 
-	register_page_bootmem_info();
 	free_all_bootmem();
 
 	/*
+	 * Must be done after boot memory is put on freelist, because here we
+	 * might set fields in deferred struct pages that have not yet been
+	 * initialized, and free_all_bootmem() initializes all the reserved
+	 * deferred pages for us.
+	 */
+	register_page_bootmem_info();
+
+	/*
 	 * Set up the zero page, mark it reserved, so that page count
 	 * is not manipulated when freeing the page from user ptes.
 	 */

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 133/148] zsmalloc: calling zs_map_object() from irq is a bug
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 132/148] sparc64/mm: set fields in deferred pages Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 134/148] sctp: do not free asoc when it is already dead in sctp_sendmsg Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Minchan Kim,
	Andrew Morton, Linus Torvalds, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>


[ Upstream commit 1aedcafbf32b3f232c159b14cd0d423fcfe2b861 ]

Use BUG_ON(in_interrupt()) in zs_map_object().  This is not a new
BUG_ON(), it's always been there, but was recently changed to
VM_BUG_ON().  There are several problems there.  First, we use use
per-CPU mappings both in zsmalloc and in zram, and interrupt may easily
corrupt those buffers.  Second, and more importantly, we believe it's
possible to start leaking sensitive information.  Consider the following
case:

-> process P
	swap out
	 zram
	  per-cpu mapping CPU1
	   compress page A
-> IRQ

	swap out
	 zram
	  per-cpu mapping CPU1
	   compress page B
	    write page from per-cpu mapping CPU1 to zsmalloc pool
	iret

-> process P
	    write page from per-cpu mapping CPU1 to zsmalloc pool  [*]
	return

* so we store overwritten data that actually belongs to another
  page (task) and potentially contains sensitive data. And when
  process P will page fault it's going to read (swap in) that
  other task's data.

Link: http://lkml.kernel.org/r/20170929045140.4055-1-sergey.senozhatsky@gmail.com
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/zsmalloc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1407,7 +1407,7 @@ void *zs_map_object(struct zs_pool *pool
 	 * pools/users, we can't allow mapping in interrupt context
 	 * because it can corrupt another users mappings.
 	 */
-	WARN_ON_ONCE(in_interrupt());
+	BUG_ON(in_interrupt());
 
 	/* From now on, migration cannot move the object */
 	pin_tag(handle);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 134/148] sctp: do not free asoc when it is already dead in sctp_sendmsg
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 133/148] zsmalloc: calling zs_map_object() from irq is a bug Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 135/148] sctp: use the right sk after waking up from wait_buf sleep Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Horman, Dmitry Vyukov, Xin Long,
	David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit ca3af4dd28cff4e7216e213ba3b671fbf9f84758 ]

Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without
holding sock sk. It means the current asoc can be freed elsewhere,
like when receiving an abort packet.

If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf
returns err, the asoc will be freed again due to new_asoc is not nil.
An use-after-free issue would be triggered by this.

This patch is to fix it by setting new_asoc with nil if the asoc is
already dead when cpu schedules back, so that it will not be freed
again in sctp_sendmsg.

v1->v2:
  set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf.

Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1958,8 +1958,14 @@ static int sctp_sendmsg(struct sock *sk,
 	timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
 	if (!sctp_wspace(asoc)) {
 		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
-		if (err)
+		if (err) {
+			if (err == -ESRCH) {
+				/* asoc is already dead. */
+				new_asoc = NULL;
+				err = -EPIPE;
+			}
 			goto out_free;
+		}
 	}
 
 	/* If an address is passed with the sendto/sendmsg call, it is used
@@ -7457,10 +7463,11 @@ static int sctp_wait_for_sndbuf(struct s
 	for (;;) {
 		prepare_to_wait_exclusive(&asoc->wait, &wait,
 					  TASK_INTERRUPTIBLE);
+		if (asoc->base.dead)
+			goto do_dead;
 		if (!*timeo_p)
 			goto do_nonblock;
-		if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING ||
-		    asoc->base.dead)
+		if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
 			goto do_error;
 		if (signal_pending(current))
 			goto do_interrupted;
@@ -7485,6 +7492,10 @@ out:
 
 	return err;
 
+do_dead:
+	err = -ESRCH;
+	goto out;
+
 do_error:
 	err = -EPIPE;
 	goto out;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 135/148] sctp: use the right sk after waking up from wait_buf sleep
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 134/148] sctp: do not free asoc when it is already dead in sctp_sendmsg Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 136/148] bpf: fix lockdep splat Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Neil Horman, Xin Long,
	David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff ]

Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads
sleeping on it") fixed the race between peeloff and wait sndbuf by
checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().

But it actually doesn't work, as even if waitqueue_active returns false
the waiting sndbuf thread may still not yet hold sk lock. After asoc is
peeled off, sk is not asoc->base.sk any more, then to hold the old sk
lock couldn't make assoc safe to access.

This patch is to fix this by changing to hold the new sk lock if sk is
not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
new sk.

With this fix, there is no more race between peeloff and waitbuf, the
check 'waitqueue_active' in sctp_do_peeloff can be removed.

Thanks Marcelo and Neil for making this clear.

v1->v2:
  fix it by changing to lock the new sock instead of adding a flag in asoc.

Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -82,8 +82,8 @@
 /* Forward declarations for internal helper functions. */
 static int sctp_writeable(struct sock *sk);
 static void sctp_wfree(struct sk_buff *skb);
-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p,
-				size_t msg_len);
+static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+				size_t msg_len, struct sock **orig_sk);
 static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
 static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
 static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -1957,7 +1957,8 @@ static int sctp_sendmsg(struct sock *sk,
 
 	timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
 	if (!sctp_wspace(asoc)) {
-		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+		/* sk can be changed by peel off when waiting for buf. */
+		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
 		if (err) {
 			if (err == -ESRCH) {
 				/* asoc is already dead. */
@@ -4777,12 +4778,6 @@ int sctp_do_peeloff(struct sock *sk, sct
 	if (!asoc)
 		return -EINVAL;
 
-	/* If there is a thread waiting on more sndbuf space for
-	 * sending on this asoc, it cannot be peeled.
-	 */
-	if (waitqueue_active(&asoc->wait))
-		return -EBUSY;
-
 	/* An association cannot be branched off from an already peeled-off
 	 * socket, nor is this supported for tcp style sockets.
 	 */
@@ -7446,7 +7441,7 @@ void sctp_sock_rfree(struct sk_buff *skb
 
 /* Helper function to wait for space in the sndbuf.  */
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-				size_t msg_len)
+				size_t msg_len, struct sock **orig_sk)
 {
 	struct sock *sk = asoc->base.sk;
 	int err = 0;
@@ -7480,11 +7475,17 @@ static int sctp_wait_for_sndbuf(struct s
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
 		lock_sock(sk);
+		if (sk != asoc->base.sk) {
+			release_sock(sk);
+			sk = asoc->base.sk;
+			lock_sock(sk);
+		}
 
 		*timeo_p = current_timeo;
 	}
 
 out:
+	*orig_sk = sk;
 	finish_wait(&asoc->wait, &wait);
 
 	/* Release the association's refcnt.  */

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 136/148] bpf: fix lockdep splat
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 135/148] sctp: use the right sk after waking up from wait_buf sleep Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 137/148] clk: uniphier: fix DAPLL2 clock rate of Pro5 Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 89ad2fa3f043a1e8daae193bcb5fe34d5f8caf28 ]

pcpu_freelist_pop() needs the same lockdep awareness than
pcpu_freelist_populate() to avoid a false positive.

 [ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]

 switchto-defaul/12508 [HC0[0]:SC0[6]:HE0:SE0] is trying to acquire:
  (&htab->buckets[i].lock){......}, at: [<ffffffff9dc099cb>] __htab_percpu_map_update_elem+0x1cb/0x300

 and this task is already holding:
  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}, at: [<ffffffff9e135848>] __dev_queue_xmit+0
x868/0x1240
 which would create a new lock dependency:
  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...} -> (&htab->buckets[i].lock){......}

 but this new dependency connects a SOFTIRQ-irq-safe lock:
  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}
 ... which became SOFTIRQ-irq-safe at:
   [<ffffffff9db5931b>] __lock_acquire+0x42b/0x1f10
   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
   [<ffffffff9e135848>] __dev_queue_xmit+0x868/0x1240
   [<ffffffff9e136240>] dev_queue_xmit+0x10/0x20
   [<ffffffff9e1965d9>] ip_finish_output2+0x439/0x590
   [<ffffffff9e197410>] ip_finish_output+0x150/0x2f0
   [<ffffffff9e19886d>] ip_output+0x7d/0x260
   [<ffffffff9e19789e>] ip_local_out+0x5e/0xe0
   [<ffffffff9e197b25>] ip_queue_xmit+0x205/0x620
   [<ffffffff9e1b8398>] tcp_transmit_skb+0x5a8/0xcb0
   [<ffffffff9e1ba152>] tcp_write_xmit+0x242/0x1070
   [<ffffffff9e1baffc>] __tcp_push_pending_frames+0x3c/0xf0
   [<ffffffff9e1b3472>] tcp_rcv_established+0x312/0x700
   [<ffffffff9e1c1acc>] tcp_v4_do_rcv+0x11c/0x200
   [<ffffffff9e1c3dc2>] tcp_v4_rcv+0xaa2/0xc30
   [<ffffffff9e191107>] ip_local_deliver_finish+0xa7/0x240
   [<ffffffff9e191a36>] ip_local_deliver+0x66/0x200
   [<ffffffff9e19137d>] ip_rcv_finish+0xdd/0x560
   [<ffffffff9e191e65>] ip_rcv+0x295/0x510
   [<ffffffff9e12ff88>] __netif_receive_skb_core+0x988/0x1020
   [<ffffffff9e130641>] __netif_receive_skb+0x21/0x70
   [<ffffffff9e1306ff>] process_backlog+0x6f/0x230
   [<ffffffff9e132129>] net_rx_action+0x229/0x420
   [<ffffffff9da07ee8>] __do_softirq+0xd8/0x43d
   [<ffffffff9e282bcc>] do_softirq_own_stack+0x1c/0x30
   [<ffffffff9dafc2f5>] do_softirq+0x55/0x60
   [<ffffffff9dafc3a8>] __local_bh_enable_ip+0xa8/0xb0
   [<ffffffff9db4c727>] cpu_startup_entry+0x1c7/0x500
   [<ffffffff9daab333>] start_secondary+0x113/0x140

 to a SOFTIRQ-irq-unsafe lock:
  (&head->lock){+.+...}
 ... which became SOFTIRQ-irq-unsafe at:
 ...  [<ffffffff9db5971f>] __lock_acquire+0x82f/0x1f10
   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
   [<ffffffff9dc0b7fa>] pcpu_freelist_pop+0x7a/0xb0
   [<ffffffff9dc08b2c>] htab_map_alloc+0x50c/0x5f0
   [<ffffffff9dc00dc5>] SyS_bpf+0x265/0x1200
   [<ffffffff9e28195f>] entry_SYSCALL_64_fastpath+0x12/0x17

 other info that might help us debug this:

 Chain exists of:
   dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2 --> &htab->buckets[i].lock --> &head->lock

  Possible interrupt unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&head->lock);
                                local_irq_disable();
                                lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
                                lock(&htab->buckets[i].lock);
   <Interrupt>
     lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);

  *** DEADLOCK ***

Fixes: e19494edab82 ("bpf: introduce percpu_freelist")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/percpu_freelist.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/bpf/percpu_freelist.c
+++ b/kernel/bpf/percpu_freelist.c
@@ -78,8 +78,10 @@ struct pcpu_freelist_node *pcpu_freelist
 {
 	struct pcpu_freelist_head *head;
 	struct pcpu_freelist_node *node;
+	unsigned long flags;
 	int orig_cpu, cpu;
 
+	local_irq_save(flags);
 	orig_cpu = cpu = raw_smp_processor_id();
 	while (1) {
 		head = per_cpu_ptr(s->freelist, cpu);
@@ -87,14 +89,16 @@ struct pcpu_freelist_node *pcpu_freelist
 		node = head->first;
 		if (node) {
 			head->first = node->next;
-			raw_spin_unlock(&head->lock);
+			raw_spin_unlock_irqrestore(&head->lock, flags);
 			return node;
 		}
 		raw_spin_unlock(&head->lock);
 		cpu = cpumask_next(cpu, cpu_possible_mask);
 		if (cpu >= nr_cpu_ids)
 			cpu = 0;
-		if (cpu == orig_cpu)
+		if (cpu == orig_cpu) {
+			local_irq_restore(flags);
 			return NULL;
+		}
 	}
 }

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 137/148] clk: uniphier: fix DAPLL2 clock rate of Pro5
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 136/148] bpf: fix lockdep splat Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 138/148] atm: horizon: Fix irq release error Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Stephen Boyd, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit 67affb78a4e4feb837953e3434c8402a5c3b272f ]

The parent of DAPLL2 should be DAPLL1.  Fix the clock connection.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/uniphier/clk-uniphier-sys.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/uniphier/clk-uniphier-sys.c
+++ b/drivers/clk/uniphier/clk-uniphier-sys.c
@@ -98,7 +98,7 @@ const struct uniphier_clk_data uniphier_
 const struct uniphier_clk_data uniphier_pro5_sys_clk_data[] = {
 	UNIPHIER_CLK_FACTOR("spll", -1, "ref", 120, 1),		/* 2400 MHz */
 	UNIPHIER_CLK_FACTOR("dapll1", -1, "ref", 128, 1),	/* 2560 MHz */
-	UNIPHIER_CLK_FACTOR("dapll2", -1, "ref", 144, 125),	/* 2949.12 MHz */
+	UNIPHIER_CLK_FACTOR("dapll2", -1, "dapll1", 144, 125),	/* 2949.12 MHz */
 	UNIPHIER_CLK_FACTOR("uart", 0, "dapll2", 1, 40),
 	UNIPHIER_CLK_FACTOR("i2c", 1, "spll", 1, 48),
 	UNIPHIER_PRO5_SYS_CLK_SD,

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 138/148] atm: horizon: Fix irq release error
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 137/148] clk: uniphier: fix DAPLL2 clock rate of Pro5 Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 139/148] jump_label: Invoke jump_label_test() via early_initcall() Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arvind Yadav, David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arvind Yadav <arvind.yadav.cs@gmail.com>


[ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ]

atm_dev_register() can fail here and passed parameters to free irq
which is not initialised. Initialization of 'dev->irq' happened after
the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
free_irq().

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/atm/horizon.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/atm/horizon.c
+++ b/drivers/atm/horizon.c
@@ -2802,7 +2802,7 @@ out:
 	return err;
 
 out_free_irq:
-	free_irq(dev->irq, dev);
+	free_irq(irq, dev);
 out_free:
 	kfree(dev);
 out_release:

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 139/148] jump_label: Invoke jump_label_test() via early_initcall()
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 138/148] atm: horizon: Fix irq release error Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 140/148] xfrm: Copy policy family in clone_policy Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fengguang Wu, Jason Baron,
	Paul E. McKenney, Linus Torvalds, Peter Zijlstra, Steven Rostedt,
	Thomas Gleixner, Ingo Molnar, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Baron <jbaron@akamai.com>


[ Upstream commit 92ee46efeb505ead3ab06d3c5ce695637ed5f152 ]

Fengguang Wu reported that running the rcuperf test during boot can cause
the jump_label_test() to hit a WARN_ON(). The issue is that the core jump
label code relies on kernel_text_address() to detect when it can no longer
update branches that may be contained in __init sections. The
kernel_text_address() in turn assumes that if the system_state variable is
greter than or equal to SYSTEM_RUNNING then __init sections are no longer
valid (since the assumption is that they have been freed). However, when
rcuperf is setup to run in early boot it can call kernel_power_off() which
sets the system_state to SYSTEM_POWER_OFF.

Since rcuperf initialization is invoked via a module_init(), we can make
the dependency of jump_label_test() needing to complete before rcuperf
explicit by calling it via early_initcall().

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Jason Baron <jbaron@akamai.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1510609727-2238-1-git-send-email-jbaron@akamai.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/jump_label.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -612,7 +612,7 @@ static __init int jump_label_test(void)
 
 	return 0;
 }
-late_initcall(jump_label_test);
+early_initcall(jump_label_test);
 #endif /* STATIC_KEYS_SELFTEST */
 
 #endif /* HAVE_JUMP_LABEL */

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 140/148] xfrm: Copy policy family in clone_policy
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 139/148] jump_label: Invoke jump_label_test() via early_initcall() Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 141/148] IB/mlx4: Increase maximal message size under UD QP Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Herbert Xu, Steffen Klassert,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>


[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]

The syzbot found an ancient bug in the IPsec code.  When we cloned
a socket policy (for example, for a child TCP socket derived from a
listening socket), we did not copy the family field.  This results
in a live policy with a zero family field.  This triggers a BUG_ON
check in the af_key code when the cloned policy is retrieved.

This patch fixes it by copying the family field over.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_policy.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1393,6 +1393,7 @@ static struct xfrm_policy *clone_policy(
 		newp->xfrm_nr = old->xfrm_nr;
 		newp->index = old->index;
 		newp->type = old->type;
+		newp->family = old->family;
 		memcpy(newp->xfrm_vec, old->xfrm_vec,
 		       newp->xfrm_nr*sizeof(struct xfrm_tmpl));
 		spin_lock_bh(&net->xfrm.xfrm_policy_lock);

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 141/148] IB/mlx4: Increase maximal message size under UD QP
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 140/148] xfrm: Copy policy family in clone_policy Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 142/148] IB/mlx5: Assign send CQ and recv CQ of UMR QP Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Bloch, Majd Dibbiny,
	Leon Romanovsky, Doug Ledford, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Bloch <markb@mellanox.com>


[ Upstream commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca ]

Maximal message should be used as a limit to the max message payload allowed,
without the headers. The ConnectX-3 check is done against this value includes
the headers. When the payload is 4K this will cause the NIC to drop packets.

Increase maximal message to 8K as workaround, this shouldn't change current
behaviour because we continue to set the MTU to 4k.

To reproduce;
set MTU to 4296 on the corresponding interface, for example:
ifconfig eth0 mtu 4296 (both server and client)

On server:
ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096

On client:
ib_send_bw -d mlx4_0 -c UD <server_ip> -s 4096 -n 1000000 -i 1 -m 4096

Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Reviewed-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx4/qp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1669,7 +1669,7 @@ static int __mlx4_ib_modify_qp(struct ib
 			context->mtu_msgmax = (IB_MTU_4096 << 5) |
 					      ilog2(dev->dev->caps.max_gso_sz);
 		else
-			context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
+			context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
 	} else if (attr_mask & IB_QP_PATH_MTU) {
 		if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) {
 			pr_err("path MTU (%u) is invalid\n",

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 142/148] IB/mlx5: Assign send CQ and recv CQ of UMR QP
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 141/148] IB/mlx4: Increase maximal message size under UD QP Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 143/148] afs: Connect up the CB.ProbeUuid Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Majd Dibbiny, Yishai Hadas,
	Leon Romanovsky, Doug Ledford, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Majd Dibbiny <majd@mellanox.com>


[ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ]

The UMR's QP is created by calling mlx5_ib_create_qp directly, and
therefore the send CQ and the recv CQ on the ibqp weren't assigned.

Assign them right after calling the mlx5_ib_create_qp to assure
that any access to those pointers will work as expected and won't
crash the system as might happen as part of reset flow.

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Majd Dibbiny <majd@mellanox.com>
Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -2514,6 +2514,8 @@ static int create_umr_res(struct mlx5_ib
 	qp->real_qp    = qp;
 	qp->uobject    = NULL;
 	qp->qp_type    = MLX5_IB_QPT_REG_UMR;
+	qp->send_cq    = init_attr->send_cq;
+	qp->recv_cq    = init_attr->recv_cq;
 
 	attr->qp_state = IB_QPS_INIT;
 	attr->port_num = 1;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 143/148] afs: Connect up the CB.ProbeUuid
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 142/148] IB/mlx5: Assign send CQ and recv CQ of UMR QP Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 144/148] kbuild: do not call cc-option before KBUILD_CFLAGS initialization Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Howells, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>


[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]

The handler for the CB.ProbeUuid operation in the cache manager is
implemented, but isn't listed in the switch-statement of operation
selection, so won't be used.  Fix this by adding it.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/afs/cmservice.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -106,6 +106,9 @@ bool afs_cm_incoming_call(struct afs_cal
 	case CBProbe:
 		call->type = &afs_SRXCBProbe;
 		return true;
+	case CBProbeUuid:
+		call->type = &afs_SRXCBProbeUuid;
+		return true;
 	case CBTellMeAboutYourself:
 		call->type = &afs_SRXCBTellMeAboutYourself;
 		return true;

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 144/148] kbuild: do not call cc-option before KBUILD_CFLAGS initialization
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 143/148] afs: Connect up the CB.ProbeUuid Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 145/148] ipvlan: fix ipv6 outbound device Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masahiro Yamada, Douglas Anderson,
	Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Masahiro Yamada <yamada.masahiro@socionext.com>


[ Upstream commit 433dc2ebe7d17dd21cba7ad5c362d37323592236 ]

Some $(call cc-option,...) are invoked very early, even before
KBUILD_CFLAGS, etc. are initialized.

The returned string from $(call cc-option,...) depends on
KBUILD_CPPFLAGS, KBUILD_CFLAGS, and GCC_PLUGINS_CFLAGS.

Since they are exported, they are not empty when the top Makefile
is recursively invoked.

The recursion occurs in several places.  For example, the top
Makefile invokes itself for silentoldconfig.  "make tinyconfig",
"make rpm-pkg" are the cases, too.

In those cases, the second call of cc-option from the same line
runs a different shell command due to non-pristine KBUILD_CFLAGS.

To get the same result all the time, KBUILD_* and GCC_PLUGINS_CFLAGS
must be initialized before any call of cc-option.  This avoids
garbage data in the .cache.mk file.

Move all calls of cc-option below the config targets because target
compiler flags are unnecessary for Kconfig.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Makefile |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/Makefile
+++ b/Makefile
@@ -370,9 +370,6 @@ LDFLAGS_MODULE  =
 CFLAGS_KERNEL	=
 AFLAGS_KERNEL	=
 LDFLAGS_vmlinux =
-CFLAGS_GCOV	:= -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
-CFLAGS_KCOV	:= $(call cc-option,-fsanitize-coverage=trace-pc,)
-
 
 # Use USERINCLUDE when you must reference the UAPI directories only.
 USERINCLUDE    := \
@@ -393,21 +390,19 @@ LINUXINCLUDE    := \
 
 LINUXINCLUDE	+= $(filter-out $(LINUXINCLUDE),$(USERINCLUDE))
 
-KBUILD_CPPFLAGS := -D__KERNEL__
-
+KBUILD_AFLAGS   := -D__ASSEMBLY__
 KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 		   -fno-strict-aliasing -fno-common \
 		   -Werror-implicit-function-declaration \
 		   -Wno-format-security \
-		   -std=gnu89 $(call cc-option,-fno-PIE)
-
-
+		   -std=gnu89
+KBUILD_CPPFLAGS := -D__KERNEL__
 KBUILD_AFLAGS_KERNEL :=
 KBUILD_CFLAGS_KERNEL :=
-KBUILD_AFLAGS   := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
 KBUILD_AFLAGS_MODULE  := -DMODULE
 KBUILD_CFLAGS_MODULE  := -DMODULE
 KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
+GCC_PLUGINS_CFLAGS :=
 
 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
 KERNELRELEASE = $(shell cat include/config/kernel.release 2> /dev/null)
@@ -420,7 +415,7 @@ export MAKE AWK GENKSYMS INSTALLKERNEL P
 export HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
 
 export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
-export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV CFLAGS_KCOV CFLAGS_KASAN CFLAGS_UBSAN
+export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_KASAN CFLAGS_UBSAN
 export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
 export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE
 export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL
@@ -620,6 +615,12 @@ endif
 # Defaults to vmlinux, but the arch makefile usually adds further targets
 all: vmlinux
 
+KBUILD_CFLAGS	+= $(call cc-option,-fno-PIE)
+KBUILD_AFLAGS	+= $(call cc-option,-fno-PIE)
+CFLAGS_GCOV	:= -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+CFLAGS_KCOV	:= $(call cc-option,-fsanitize-coverage=trace-pc,)
+export CFLAGS_GCOV CFLAGS_KCOV
+
 # The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
 # values of the respective KBUILD_* variables
 ARCH_CPPFLAGS :=

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 145/148] ipvlan: fix ipv6 outbound device
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 144/148] kbuild: do not call cc-option before KBUILD_CFLAGS initialization Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 146/148] audit: ensure that audit=1 actually enables audit for PID 1 Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keefe Liu, Mahesh Bandewar,
	David S. Miller, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Keefe Liu <liuqifa@huawei.com>


[ Upstream commit ca29fd7cce5a6444d57fb86517589a1a31c759e1 ]

When process the outbound packet of ipv6, we should assign the master
device to output device other than input device.

Signed-off-by: Keefe Liu <liuqifa@huawei.com>
Acked-by: Mahesh Bandewar <maheshb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ipvlan/ipvlan_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -404,7 +404,7 @@ static int ipvlan_process_v6_outbound(st
 	struct dst_entry *dst;
 	int err, ret = NET_XMIT_DROP;
 	struct flowi6 fl6 = {
-		.flowi6_iif = dev->ifindex,
+		.flowi6_oif = dev->ifindex,
 		.daddr = ip6h->daddr,
 		.saddr = ip6h->saddr,
 		.flowi6_flags = FLOWI_FLAG_ANYSRC,

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 146/148] audit: ensure that audit=1 actually enables audit for PID 1
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 145/148] ipvlan: fix ipv6 outbound device Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 147/148] md: free unused memory after bitmap resize Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Guy Briggs, Paul Moore, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Moore <paul@paul-moore.com>


[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]

Prior to this patch we enabled audit in audit_init(), which is too
late for PID 1 as the standard initcalls are run after the PID 1 task
is forked.  This means that we never allocate an audit_context (see
audit_alloc()) for PID 1 and therefore miss a lot of audit events
generated by PID 1.

This patch enables audit as early as possible to help ensure that when
PID 1 is forked it can allocate an audit_context if required.

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/audit.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -79,13 +79,13 @@ static int	audit_initialized;
 #define AUDIT_OFF	0
 #define AUDIT_ON	1
 #define AUDIT_LOCKED	2
-u32		audit_enabled;
-u32		audit_ever_enabled;
+u32		audit_enabled = AUDIT_OFF;
+u32		audit_ever_enabled = !!AUDIT_OFF;
 
 EXPORT_SYMBOL_GPL(audit_enabled);
 
 /* Default state when kernel boots without any parameters. */
-static u32	audit_default;
+static u32	audit_default = AUDIT_OFF;
 
 /* If auditing cannot proceed, audit_failure selects what happens. */
 static u32	audit_failure = AUDIT_FAIL_PRINTK;
@@ -1199,8 +1199,6 @@ static int __init audit_init(void)
 	skb_queue_head_init(&audit_skb_queue);
 	skb_queue_head_init(&audit_skb_hold_queue);
 	audit_initialized = AUDIT_INITIALIZED;
-	audit_enabled = audit_default;
-	audit_ever_enabled |= !!audit_default;
 
 	audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
 
@@ -1217,6 +1215,8 @@ static int __init audit_enable(char *str
 	audit_default = !!simple_strtol(str, NULL, 0);
 	if (!audit_default)
 		audit_initialized = AUDIT_DISABLED;
+	audit_enabled = audit_default;
+	audit_ever_enabled = !!audit_enabled;
 
 	pr_info("%s\n", audit_default ?
 		"enabled (after initialization)" : "disabled (until reboot)");

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 147/148] md: free unused memory after bitmap resize
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 146/148] audit: ensure that audit=1 actually enables audit for PID 1 Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 12:45 ` [PATCH 4.9 148/148] RDMA/cxgb4: Annotate r2 and stag as __be32 Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zdenek Kabelac, Shaohua Li, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zdenek Kabelac <zkabelac@redhat.com>


[ Upstream commit 0868b99c214a3d55486c700de7c3f770b7243e7c ]

When bitmap is resized, the old kalloced chunks just are not released
once the resized bitmap starts to use new space.

This fixes in particular kmemleak reports like this one:

unreferenced object 0xffff8f4311e9c000 (size 4096):
  comm "lvm", pid 19333, jiffies 4295263268 (age 528.265s)
  hex dump (first 32 bytes):
    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
  backtrace:
    [<ffffffffa69471ca>] kmemleak_alloc+0x4a/0xa0
    [<ffffffffa628c10e>] kmem_cache_alloc_trace+0x14e/0x2e0
    [<ffffffffa676cfec>] bitmap_checkpage+0x7c/0x110
    [<ffffffffa676d0c5>] bitmap_get_counter+0x45/0xd0
    [<ffffffffa676d6b3>] bitmap_set_memory_bits+0x43/0xe0
    [<ffffffffa676e41c>] bitmap_init_from_disk+0x23c/0x530
    [<ffffffffa676f1ae>] bitmap_load+0xbe/0x160
    [<ffffffffc04c47d3>] raid_preresume+0x203/0x2f0 [dm_raid]
    [<ffffffffa677762f>] dm_table_resume_targets+0x4f/0xe0
    [<ffffffffa6774b52>] dm_resume+0x122/0x140
    [<ffffffffa6779b9f>] dev_suspend+0x18f/0x290
    [<ffffffffa677a3a7>] ctl_ioctl+0x287/0x560
    [<ffffffffa677a693>] dm_ctl_ioctl+0x13/0x20
    [<ffffffffa62d6b46>] do_vfs_ioctl+0xa6/0x750
    [<ffffffffa62d7269>] SyS_ioctl+0x79/0x90
    [<ffffffffa6956d41>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Signed-off-by: Zdenek Kabelac <zkabelac@redhat.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/bitmap.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
@@ -2084,6 +2084,7 @@ int bitmap_resize(struct bitmap *bitmap,
 				for (k = 0; k < page; k++) {
 					kfree(new_bp[k].map);
 				}
+				kfree(new_bp);
 
 				/* restore some fields from old_counts */
 				bitmap->counts.bp = old_counts.bp;
@@ -2134,6 +2135,14 @@ int bitmap_resize(struct bitmap *bitmap,
 		block += old_blocks;
 	}
 
+	if (bitmap->counts.bp != old_counts.bp) {
+		unsigned long k;
+		for (k = 0; k < old_counts.pages; k++)
+			if (!old_counts.bp[k].hijacked)
+				kfree(old_counts.bp[k].map);
+		kfree(old_counts.bp);
+	}
+
 	if (!init) {
 		int i;
 		while (block < (chunks << chunkshift)) {

^ permalink raw reply	[flat|nested] 151+ messages in thread

* [PATCH 4.9 148/148] RDMA/cxgb4: Annotate r2 and stag as __be32
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 147/148] md: free unused memory after bitmap resize Greg Kroah-Hartman
@ 2017-12-12 12:45 ` Greg Kroah-Hartman
  2017-12-12 21:55 ` [PATCH 4.9 000/148] 4.9.69-stable review Shuah Khan
                   ` (2 subsequent siblings)
  143 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-12 12:45 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Wise, Leon Romanovsky,
	Doug Ledford, Sasha Levin

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <leon@kernel.org>


[ Upstream commit 7d7d065a5eec7e218174d5c64a9f53f99ffdb119 ]

Chelsio cxgb4 HW is big-endian, hence there is need to properly
annotate r2 and stag fields as __be32 and not __u32 to fix the
following sparse warnings.

  drivers/infiniband/hw/cxgb4/qp.c:614:16:
    warning: incorrect type in assignment (different base types)
      expected unsigned int [unsigned] [usertype] r2
      got restricted __be32 [usertype] <noident>
  drivers/infiniband/hw/cxgb4/qp.c:615:18:
    warning: incorrect type in assignment (different base types)
      expected unsigned int [unsigned] [usertype] stag
      got restricted __be32 [usertype] <noident>

Cc: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/cxgb4/t4fw_ri_api.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
+++ b/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
@@ -675,8 +675,8 @@ struct fw_ri_fr_nsmr_tpte_wr {
 	__u16  wrid;
 	__u8   r1[3];
 	__u8   len16;
-	__u32  r2;
-	__u32  stag;
+	__be32  r2;
+	__be32  stag;
 	struct fw_ri_tpte tpte;
 	__u64  pbl[2];
 };

^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 4.9 000/148] 4.9.69-stable review
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2017-12-12 12:45 ` [PATCH 4.9 148/148] RDMA/cxgb4: Annotate r2 and stag as __be32 Greg Kroah-Hartman
@ 2017-12-12 21:55 ` Shuah Khan
  2017-12-13  0:22 ` Guenter Roeck
  2017-12-13 11:58 ` Naresh Kamboju
  143 siblings, 0 replies; 151+ messages in thread
From: Shuah Khan @ 2017-12-12 21:55 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, Shuah Khan

On 12/12/2017 05:43 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.69 release.
> There are 148 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Dec 14 12:43:58 UTC 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.69-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 4.9 000/148] 4.9.69-stable review
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2017-12-12 21:55 ` [PATCH 4.9 000/148] 4.9.69-stable review Shuah Khan
@ 2017-12-13  0:22 ` Guenter Roeck
  2017-12-13  0:30   ` Nathan Chancellor
  2017-12-13 11:58 ` Naresh Kamboju
  143 siblings, 1 reply; 151+ messages in thread
From: Guenter Roeck @ 2017-12-13  0:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuahkh, patches, ben.hutchings, lkft-triage, stable

On 12/12/2017 04:43 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.9.69 release.
> There are 148 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu Dec 14 12:43:58 UTC 2017.
> Anything received after that time might be too late.
> 

Build results:
	total: 145 pass: 140 fail: 5
Failed builds:
	powerpc:defconfig
	powerpc:allmodconfig
	powerpc:ppc64e_defconfig
	powerpc:cell_defconfig
	powerpc:maple_defconfig
Qemu test results:
	total: 124 pass: 119 fail: 5
Failed tests:
	powerpc:mac99:ppc64_book3s_defconfig:nosmp
	powerpc:mac99:ppc64_book3s_defconfig:smp4
	powerpc:pseries:pseries_defconfig
	powerpc:mpc8544ds:ppc64_e5500_defconfig:nosmp
	powerpc:mpc8544ds:ppc64_e5500_defconfig:smp

Failures:

arch/powerpc/include/asm/checksum.h:103:2: error: implicit declaration of function 'from64to32'

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 4.9 000/148] 4.9.69-stable review
  2017-12-13  0:22 ` Guenter Roeck
@ 2017-12-13  0:30   ` Nathan Chancellor
  2017-12-14  7:53     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 151+ messages in thread
From: Nathan Chancellor @ 2017-12-13  0:30 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: Greg Kroah-Hartman, linux-kernel, torvalds, akpm, shuahkh,
	patches, ben.hutchings, lkft-triage, stable

On Tue, Dec 12, 2017 at 04:22:36PM -0800, Guenter Roeck wrote:
> On 12/12/2017 04:43 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.9.69 release.
> > There are 148 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Thu Dec 14 12:43:58 UTC 2017.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 145 pass: 140 fail: 5
> Failed builds:
> 	powerpc:defconfig
> 	powerpc:allmodconfig
> 	powerpc:ppc64e_defconfig
> 	powerpc:cell_defconfig
> 	powerpc:maple_defconfig
> Qemu test results:
> 	total: 124 pass: 119 fail: 5
> Failed tests:
> 	powerpc:mac99:ppc64_book3s_defconfig:nosmp
> 	powerpc:mac99:ppc64_book3s_defconfig:smp4
> 	powerpc:pseries:pseries_defconfig
> 	powerpc:mpc8544ds:ppc64_e5500_defconfig:nosmp
> 	powerpc:mpc8544ds:ppc64_e5500_defconfig:smp
> 
> Failures:
> 
> arch/powerpc/include/asm/checksum.h:103:2: error: implicit declaration of function 'from64to32'
> 
> Details are available at http://kerneltests.org/builders.
> 
> Guenter

Commit 7a06adf7b37f ("powerpc/64: Fix checksum folding in csum_add()") in
the stable-rc tree needs commit b492f7e4e07a ("powerpc/64: Fix checksum
folding in csum_tcpudp_nofold and ip_fast_csum_nofold") from upstream as a
prerequisite. It applies cleanly on 4.9.68 (can't say if it is appropriate
or not).

Cheers!
Nathan

^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 4.9 000/148] 4.9.69-stable review
  2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2017-12-13  0:22 ` Guenter Roeck
@ 2017-12-13 11:58 ` Naresh Kamboju
  2017-12-14  7:53   ` Greg Kroah-Hartman
  143 siblings, 1 reply; 151+ messages in thread
From: Naresh Kamboju @ 2017-12-13 11:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, Guenter Roeck, Shuah Khan, patches,
	Ben Hutchings, lkft-triage, linux- stable, Tom Gall

On 12 December 2017 at 18:13, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 4.9.69 release.
> There are 148 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu Dec 14 12:43:58 UTC 2017.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.69-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm and x86_64.

Note:
Newly added selftests/net/reuseport_bpf FAILED in full run on x86_64 and
the independent test execution resulted as PASS.
For the internal investigation bug reported.
https://bugs.linaro.org/show_bug.cgi?id=3502#c4

Summary
------------------------------------------------------------------------

kernel: 4.9.69-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.9.y
git commit: ae5cfc67087cf771ca5d1ba4da22f6ddcd960426
git describe: v4.9.68-149-gae5cfc67087c
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/build/v4.9.68-149-gae5cfc67087c

No regressions (compared to build v4.9.68-50-gb06970f8c916)

Boards, architectures and test suites:
-------------------------------------

hi6220-hikey - arm64
* boot - pass: 20,
* kselftest - pass: 40, skip: 23
* libhugetlbfs - pass: 90, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 21, skip: 1
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 983, skip: 121
* ltp-timers-tests - pass: 12,

juno-r2 - arm64
* boot - pass: 20,
* kselftest - pass: 40, skip: 23
* libhugetlbfs - pass: 90, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 14,
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 985, skip: 121
* ltp-timers-tests - pass: 12,

x15 - arm
* boot - pass: 20,
* kselftest - pass: 37, skip: 25
* libhugetlbfs - pass: 87, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 60,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 20, skip: 2
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 13, skip: 1
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 1036, skip: 66
* ltp-timers-tests - pass: 12,

x86_64
* boot - pass: 20,
* kselftest - fail: 1, pass: 53, skip: 22
* libhugetlbfs - pass: 90, skip: 1
* ltp-cap_bounds-tests - pass: 2,
* ltp-containers-tests - pass: 64,
* ltp-fcntl-locktests-tests - pass: 2,
* ltp-filecaps-tests - pass: 2,
* ltp-fs-tests - pass: 61,
* ltp-fs_bind-tests - pass: 2,
* ltp-fs_perms_simple-tests - pass: 19,
* ltp-fsx-tests - pass: 2,
* ltp-hugetlb-tests - pass: 22,
* ltp-io-tests - pass: 3,
* ltp-ipc-tests - pass: 9,
* ltp-math-tests - pass: 11,
* ltp-nptl-tests - pass: 2,
* ltp-pty-tests - pass: 4,
* ltp-sched-tests - pass: 9, skip: 1
* ltp-securebits-tests - pass: 4,
* ltp-syscalls-tests - pass: 957, skip: 163
* ltp-timers-tests - pass: 12,

Documentation - https://collaborate.linaro.org/display/LKFT/Email+Reports

Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>

^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 4.9 000/148] 4.9.69-stable review
  2017-12-13  0:30   ` Nathan Chancellor
@ 2017-12-14  7:53     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-14  7:53 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Guenter Roeck, linux-kernel, torvalds, akpm, shuahkh, patches,
	ben.hutchings, lkft-triage, stable

On Tue, Dec 12, 2017 at 05:30:42PM -0700, Nathan Chancellor wrote:
> On Tue, Dec 12, 2017 at 04:22:36PM -0800, Guenter Roeck wrote:
> > On 12/12/2017 04:43 AM, Greg Kroah-Hartman wrote:
> > > This is the start of the stable review cycle for the 4.9.69 release.
> > > There are 148 patches in this series, all will be posted as a response
> > > to this one.  If anyone has any issues with these being applied, please
> > > let me know.
> > > 
> > > Responses should be made by Thu Dec 14 12:43:58 UTC 2017.
> > > Anything received after that time might be too late.
> > > 
> > 
> > Build results:
> > 	total: 145 pass: 140 fail: 5
> > Failed builds:
> > 	powerpc:defconfig
> > 	powerpc:allmodconfig
> > 	powerpc:ppc64e_defconfig
> > 	powerpc:cell_defconfig
> > 	powerpc:maple_defconfig
> > Qemu test results:
> > 	total: 124 pass: 119 fail: 5
> > Failed tests:
> > 	powerpc:mac99:ppc64_book3s_defconfig:nosmp
> > 	powerpc:mac99:ppc64_book3s_defconfig:smp4
> > 	powerpc:pseries:pseries_defconfig
> > 	powerpc:mpc8544ds:ppc64_e5500_defconfig:nosmp
> > 	powerpc:mpc8544ds:ppc64_e5500_defconfig:smp
> > 
> > Failures:
> > 
> > arch/powerpc/include/asm/checksum.h:103:2: error: implicit declaration of function 'from64to32'
> > 
> > Details are available at http://kerneltests.org/builders.
> > 
> > Guenter
> 
> Commit 7a06adf7b37f ("powerpc/64: Fix checksum folding in csum_add()") in
> the stable-rc tree needs commit b492f7e4e07a ("powerpc/64: Fix checksum
> folding in csum_tcpudp_nofold and ip_fast_csum_nofold") from upstream as a
> prerequisite. It applies cleanly on 4.9.68 (can't say if it is appropriate
> or not).

I've taken this patch now, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 151+ messages in thread

* Re: [PATCH 4.9 000/148] 4.9.69-stable review
  2017-12-13 11:58 ` Naresh Kamboju
@ 2017-12-14  7:53   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 151+ messages in thread
From: Greg Kroah-Hartman @ 2017-12-14  7:53 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: linux-kernel, torvalds, akpm, Guenter Roeck, Shuah Khan, patches,
	Ben Hutchings, lkft-triage, linux- stable, Tom Gall

On Wed, Dec 13, 2017 at 05:28:44PM +0530, Naresh Kamboju wrote:
> On 12 December 2017 at 18:13, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > This is the start of the stable review cycle for the 4.9.69 release.
> > There are 148 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu Dec 14 12:43:58 UTC 2017.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.69-rc1.gz
> > or in the git tree and branch at:
> >   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm and x86_64.
> 
> Note:
> Newly added selftests/net/reuseport_bpf FAILED in full run on x86_64 and
> the independent test execution resulted as PASS.
> For the internal investigation bug reported.
> https://bugs.linaro.org/show_bug.cgi?id=3502#c4

Thanks for testing and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 151+ messages in thread

end of thread, other threads:[~2017-12-14  7:53 UTC | newest]

Thread overview: 151+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-12 12:43 [PATCH 4.9 000/148] 4.9.69-stable review Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 001/148] usb: gadget: udc: renesas_usb3: fix number of the pipes Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 003/148] can: kvaser_usb: free buf in error paths Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 004/148] can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 005/148] can: kvaser_usb: ratelimit errors if incomplete messages are received Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 006/148] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 007/148] can: ems_usb: " Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 008/148] can: esd_usb2: " Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 009/148] can: usb_8dev: " Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 010/148] virtio: release virtio index when fail to device_register Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 011/148] hv: kvp: Avoid reading past allocated blocks from KVP file Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 012/148] isa: Prevent NULL dereference in isa_bus driver callbacks Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 013/148] scsi: dma-mapping: always provide dma_get_cache_alignment Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 014/148] scsi: use dma_get_cache_alignment() as minimum DMA alignment Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 015/148] scsi: libsas: align sata_devices rps_resp on a cacheline Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 016/148] efi: Move some sysfs files to be read-only by root Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 017/148] efi/esrt: Use memunmap() instead of kfree() to free the remapping Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 018/148] ASN.1: fix out-of-bounds read when parsing indefinite length item Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 019/148] ASN.1: check for error from ASN1_OP_END__ACT actions Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 020/148] KEYS: add missing permission check for request_key() destination Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 021/148] X.509: reject invalid BIT STRING for subjectPublicKey Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 022/148] X.509: fix comparisons of ->pkey_algo Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 023/148] x86/PCI: Make broadcom_postcore_init() check acpi_disabled Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 025/148] btrfs: fix missing error return in btrfs_drop_snapshot Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 026/148] ALSA: pcm: prevent UAF in snd_pcm_info Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 027/148] ALSA: seq: Remove spurious WARN_ON() at timer check Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 028/148] ALSA: usb-audio: Fix out-of-bound error Greg Kroah-Hartman
2017-12-12 12:43 ` [PATCH 4.9 029/148] ALSA: usb-audio: Add check return value for usb_string() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 030/148] iommu/vt-d: Fix scatterlist offset handling Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 031/148] smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 032/148] s390: fix compat system call table Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 033/148] KVM: s390: Fix skey emulation permission check Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 034/148] powerpc/64s: Initialize ISAv3 MMU registers before setting partition table Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 035/148] brcmfmac: change driver unbind order of the sdio function devices Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 036/148] kdb: Fix handling of kallsyms_symbol_next() return value Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 037/148] drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 038/148] media: dvb: i2c transfers over usb cannot be done from stack Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 039/148] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 040/148] arm: KVM: Fix " Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 042/148] KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 043/148] KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 044/148] KVM: arm/arm64: vgic-its: Check result of allocation before use Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 045/148] arm64: fpsimd: Prevent registers leaking from dead tasks Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 046/148] bus: arm-cci: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 047/148] bus: arm-ccn: Check memory allocation failure Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 048/148] bus: arm-ccn: Fix use of smp_processor_id() in preemptible context Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 049/148] bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 050/148] crypto: talitos - fix AEAD test failures Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 051/148] crypto: talitos - fix memory corruption on SEC2 Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 052/148] crypto: talitos - fix setkey to check key weakness Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 053/148] crypto: talitos - fix AEAD for sha224 on non sha224 capable chips Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 054/148] crypto: talitos - fix use of sg_link_tbl_len Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 055/148] crypto: talitos - fix ctr-aes-talitos Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 056/148] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 057/148] ARM: BUG if jumping to usermode address in kernel mode Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 058/148] ARM: avoid faulting on qemu Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 059/148] thp: reduce indentation level in change_huge_pmd() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 060/148] thp: fix MADV_DONTNEED vs. numa balancing race Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 061/148] mm: drop unused pmdp_huge_get_and_clear_notify() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 062/148] Revert "drm/armada: Fix compile fail" Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 063/148] Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA" Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 064/148] ARM: 8657/1: uaccess: consistently check object sizes Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 065/148] vti6: Dont report path MTU below IPV6_MIN_MTU Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 066/148] ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 067/148] x86/selftests: Add clobbers for int80 on x86_64 Greg Kroah-Hartman
2017-12-12 12:44   ` [Linux-kselftest-mirror] " Greg Kroah-Hartman
2017-12-12 12:44   ` gregkh
2017-12-12 12:44 ` [PATCH 4.9 068/148] x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 069/148] sched/fair: Make select_idle_cpu() more aggressive Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 070/148] x86/hpet: Prevent might sleep splat on resume Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 071/148] powerpc/64: Invalidate process table caching after setting process table Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 072/148] selftest/powerpc: Fix false failures for skipped tests Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 073/148] powerpc: Fix compiling a BE kernel with a powerpc64le toolchain Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 074/148] [media] lirc: fix dead lock between open and wakeup_filter Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 075/148] module: set __jump_table alignment to 8 Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 076/148] powerpc/64: Fix checksum folding in csum_add() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 077/148] ARM: OMAP2+: Fix device node reference counts Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 078/148] ARM: OMAP2+: Release device node after it is no longer needed Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 079/148] ASoC: rcar: avoid SSI_MODEx settings for SSI8 Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 080/148] gpio: altera: Use handle_level_irq when configured as a level_high Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 081/148] HID: chicony: Add support for another ASUS Zen AiO keyboard Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 082/148] usb: gadget: configs: plug memory leak Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 083/148] USB: gadgetfs: Fix a potential memory leak in dev_config() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 084/148] usb: dwc3: gadget: Fix system suspend/resume on TI platforms Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 085/148] usb: gadget: pxa27x: Test for a valid argument pointer Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 086/148] usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver Greg Kroah-Hartman
2017-12-12 12:44   ` [4.9,086/148] " Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 088/148] libata: drop WARN from protocol error in ata_sff_qc_issue() Greg Kroah-Hartman
2017-12-12 12:44 ` [PATCH 4.9 089/148] workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 090/148] scsi: qla2xxx: Fix ql_dump_buffer Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 091/148] scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 092/148] irqchip/crossbar: Fix incorrect type of register size Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 094/148] arm: KVM: Survive unknown traps from guests Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 095/148] arm64: " Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 096/148] KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 097/148] spi_ks8995: fix "BUG: key accdaa28 not in .data!" Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 098/148] spi_ks8995: regs_size incorrect for some devices Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 099/148] bnx2x: prevent crash when accessing PTP with interface down Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 100/148] bnx2x: fix possible overrun of VFPF multicast addresses array Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 101/148] bnx2x: fix detection of VLAN filtering feature for VF Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 102/148] bnx2x: do not rollback VF MAC/VLAN filters we did not configure Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 103/148] rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 104/148] ibmvnic: Fix overflowing firmware/hardware TX queue Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 105/148] ibmvnic: Allocate number of rx/tx buffers agreed on by firmware Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 106/148] ipv6: reorder icmpv6_init() and ip6_mr_init() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 107/148] crypto: s5p-sss - Fix completing crypto request in IRQ handler Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 108/148] i2c: riic: fix restart condition Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 109/148] blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 110/148] zram: set physical queue limits to avoid array out of bounds accesses Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 111/148] netfilter: dont track fragmented packets Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 112/148] axonram: Fix gendisk handling Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 113/148] drm/amd/amdgpu: fix console deadlock if late init failed Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 114/148] powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 117/148] kbuild: pkg: use --transform option to prefix paths in tar Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 118/148] coccinelle: fix parallel build with CHECK=scripts/coccicheck Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 119/148] x86/mpx/selftests: Fix up weird arrays Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 120/148] mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 121/148] gre6: use log_ecn_error module parameter in ip6_tnl_rcv() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 122/148] route: also update fnhe_genid when updating a route cache Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 123/148] route: update fnhe_expires for redirect when the fnhe exists Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 124/148] drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in rio_dma_transfer() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 125/148] lib/genalloc.c: make the avail variable an atomic_long_t Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 126/148] dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 127/148] NFS: Fix a typo in nfs_rename() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 128/148] sunrpc: Fix rpc_task_begin trace point Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 129/148] xfs: fix forgotten rcu read unlock when skipping inode reclaim Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 130/148] dt-bindings: usb: fix reg-property port-number range Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 131/148] block: wake up all tasks blocked in get_request() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 132/148] sparc64/mm: set fields in deferred pages Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 133/148] zsmalloc: calling zs_map_object() from irq is a bug Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 134/148] sctp: do not free asoc when it is already dead in sctp_sendmsg Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 135/148] sctp: use the right sk after waking up from wait_buf sleep Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 136/148] bpf: fix lockdep splat Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 137/148] clk: uniphier: fix DAPLL2 clock rate of Pro5 Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 138/148] atm: horizon: Fix irq release error Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 139/148] jump_label: Invoke jump_label_test() via early_initcall() Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 140/148] xfrm: Copy policy family in clone_policy Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 141/148] IB/mlx4: Increase maximal message size under UD QP Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 142/148] IB/mlx5: Assign send CQ and recv CQ of UMR QP Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 143/148] afs: Connect up the CB.ProbeUuid Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 144/148] kbuild: do not call cc-option before KBUILD_CFLAGS initialization Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 145/148] ipvlan: fix ipv6 outbound device Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 146/148] audit: ensure that audit=1 actually enables audit for PID 1 Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 147/148] md: free unused memory after bitmap resize Greg Kroah-Hartman
2017-12-12 12:45 ` [PATCH 4.9 148/148] RDMA/cxgb4: Annotate r2 and stag as __be32 Greg Kroah-Hartman
2017-12-12 21:55 ` [PATCH 4.9 000/148] 4.9.69-stable review Shuah Khan
2017-12-13  0:22 ` Guenter Roeck
2017-12-13  0:30   ` Nathan Chancellor
2017-12-14  7:53     ` Greg Kroah-Hartman
2017-12-13 11:58 ` Naresh Kamboju
2017-12-14  7:53   ` Greg Kroah-Hartman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.