All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.20 00/50] 4.20.9-stable review
@ 2019-02-13 18:38 Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 01/50] mtd: Make sure mtd->erasesize is valid even if the partition is of size 0 Greg Kroah-Hartman
                   ` (52 more replies)
  0 siblings, 53 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.20.9 release.
There are 50 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.20.9-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.20.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.20.9-rc1

Sven Eckelmann <sven@narfation.org>
    batman-adv: Force mac header to start of data on xmit

Sven Eckelmann <sven@narfation.org>
    batman-adv: Avoid WARN on net_device without parent in netns

Florian Westphal <fw@strlen.de>
    xfrm: refine validation of template and selector families

Ilya Dryomov <idryomov@gmail.com>
    libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()

Theodore Ts'o <tytso@mit.edu>
    Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen

Benedict Wong <benedictwong@google.com>
    xfrm: Make set-mark default behavior backward compatible

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Fix an uninitialized fence handle value

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Fix setting of dma masks

Lucas De Marchi <lucas.demarchi@intel.com>
    drm/i915: always return something on DDI clock selection

Gustavo A. R. Silva <gustavo@embeddedor.com>
    drm/amd/powerplay: Fix missing break in switch

Sandy Huang <hjc@rock-chips.com>
    drm/rockchip: rgb: update SPDX license identifier

Tina Zhang <tina.zhang@intel.com>
    drm/modes: Prevent division by zero htotal

Felix Fietkau <nbd@nbd.name>
    mac80211: ensure that mgmt tx skbs have tailroom for encryption

Vincent Whitchurch <vincent.whitchurch@axis.com>
    mic: vop: Fix use-after-free on remove

Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    powerpc/radix: Fix kernel crash with mremap()

Oliver O'Halloran <oohall@gmail.com>
    powerpc/papr_scm: Use the correct bind address

Sudeep Holla <sudeep.holla@arm.com>
    firmware: arm_scmi: provide the mandatory device release callback

Bartosz Golaszewski <bgolaszewski@baylibre.com>
    ARM: dts: da850: fix interrupt numbers for clocksource

Marc Gonzalez <marc.w.gonzalez@free.fr>
    ARM: tango: Improve ARCH_MULTIPLATFORM compatibility

Russell King <rmk+kernel@armlinux.org.uk>
    ARM: iop32x/n2100: fix PCI IRQ mapping

Paul Burton <paul.burton@mips.com>
    MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds

Yifeng Li <tomli@tomli.me>
    mips: loongson64: remove unreachable(), fix loongson_poweroff().

Paul Burton <paul.burton@mips.com>
    MIPS: VDSO: Use same -m%-float cflag as the kernel proper

Aaro Koskinen <aaro.koskinen@iki.fi>
    MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled

Paul Burton <paul.burton@mips.com>
    MIPS: Use lower case for addresses in nexys4ddr.dts

Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>
    mips: cm: reprime error cause

Andreas Ziegler <andreas.ziegler@fau.de>
    tracing: uprobes: Fix typo in pr_fmt string

Andreas Ziegler <andreas.ziegler@fau.de>
    tracing/uprobes: Fix output for multiple string arguments

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    pinctrl: cherryview: fix Strago DMI workaround

Chen-Yu Tsai <wens@csie.org>
    pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller

Chuck Lever <chuck.lever@oracle.com>
    svcrdma: Remove max_sge check at connect time

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    debugfs: fix debugfs_rename parameter checking

Tomas Winkler <tomas.winkler@intel.com>
    samples: mei: use /dev/mei0 instead of /dev/mei

Tomas Winkler <tomas.winkler@intel.com>
    mei: me: add ice lake point device id.

Johannes Berg <johannes.berg@intel.com>
    cfg80211: call disconnect_wk when AP stops

Dan Carpenter <dan.carpenter@oracle.com>
    misc: vexpress: Off by one in vexpress_syscfg_exec()

Eric W. Biederman <ebiederm@xmission.com>
    signal: Better detection of synchronous signals

Eric W. Biederman <ebiederm@xmission.com>
    signal: Always notice exiting tasks

Eric W. Biederman <ebiederm@xmission.com>
    signal: Always attempt to allocate siginfo for SIGSTOP

Dan Murphy <dmurphy@ti.com>
    iio: ti-ads8688: Update buffer allocation for timestamps

Matt Ranostay <matt.ranostay@konsulko.com>
    iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius

Hans de Goede <hdegoede@redhat.com>
    iio: adc: axp288: Fix TS-pin handling

Martin Kelly <mkelly@xevo.com>
    tools: iio: iio_generic_buffer: make num_loops signed

Hans de Goede <hdegoede@redhat.com>
    libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD

Martin Kepplinger <martink@posteo.de>
    mtd: rawnand: gpmi: fix MX28 bus master lockup problem

Boris Brezillon <bbrezillon@kernel.org>
    mtd: spinand: Fix the error/cleanup path in spinand_init()

Boris Brezillon <bbrezillon@kernel.org>
    mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache

Boris Brezillon <bbrezillon@kernel.org>
    mtd: Make sure mtd->erasesize is valid even if the partition is of size 0


-------------

Diffstat:

 Makefile                                          |   4 +-
 arch/arm/boot/dts/da850.dtsi                      |   2 +-
 arch/arm/mach-iop32x/n2100.c                      |   3 +-
 arch/arm/mach-tango/pm.c                          |   6 +-
 arch/arm/mach-tango/pm.h                          |   7 ++
 arch/arm/mach-tango/setup.c                       |   2 +
 arch/mips/boot/dts/xilfpga/nexys4ddr.dts          |   8 +-
 arch/mips/kernel/mips-cm.c                        |   2 +-
 arch/mips/loongson64/common/reset.c               |   7 +-
 arch/mips/pci/pci-octeon.c                        |  10 +--
 arch/mips/vdso/Makefile                           |   5 +-
 arch/powerpc/include/asm/book3s/64/pgtable.h      |  22 ++---
 arch/powerpc/mm/pgtable-book3s64.c                |  22 +++++
 arch/powerpc/platforms/pseries/papr_scm.c         |   5 +-
 drivers/ata/libata-core.c                         |   1 +
 drivers/firmware/arm_scmi/bus.c                   |   9 +-
 drivers/gpu/drm/amd/powerplay/hwmgr/smu10_hwmgr.c |   1 +
 drivers/gpu/drm/drm_modes.c                       |   2 +-
 drivers/gpu/drm/i915/intel_ddi.c                  |   2 +-
 drivers/gpu/drm/i915/intel_display.c              |  51 +++++++++--
 drivers/gpu/drm/rockchip/rockchip_rgb.c           |  11 +--
 drivers/gpu/drm/rockchip/rockchip_rgb.h           |  11 +--
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c               |   9 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c           |   2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c               |   4 +-
 drivers/iio/adc/axp288_adc.c                      |  76 ++++++++++++----
 drivers/iio/adc/ti-ads8688.c                      |   3 +-
 drivers/iio/chemical/atlas-ph-sensor.c            |   7 +-
 drivers/misc/mei/hw-me-regs.h                     |   2 +
 drivers/misc/mei/pci-me.c                         |   2 +
 drivers/misc/mic/vop/vop_main.c                   |   4 +-
 drivers/misc/vexpress-syscfg.c                    |   2 +-
 drivers/mtd/mtdpart.c                             |   4 +
 drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c         |  13 ++-
 drivers/mtd/nand/spi/core.c                       |  46 +++++-----
 drivers/pinctrl/intel/pinctrl-cherryview.c        |   8 +-
 drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c         |   2 +-
 fs/debugfs/inode.c                                |   7 ++
 fs/ext4/fsync.c                                   |  13 +--
 kernel/signal.c                                   |  63 ++++++++++++-
 kernel/trace/trace_uprobe.c                       |   9 +-
 net/batman-adv/hard-interface.c                   |   5 +-
 net/batman-adv/soft-interface.c                   |   2 +
 net/ceph/messenger.c                              |   5 +-
 net/mac80211/tx.c                                 |  12 ++-
 net/sunrpc/xprtrdma/svc_rdma_sendto.c             | 105 ++++++++++++++++++++--
 net/sunrpc/xprtrdma/svc_rdma_transport.c          |   9 +-
 net/wireless/ap.c                                 |   2 +
 net/wireless/core.h                               |   2 +
 net/wireless/sme.c                                |   2 +-
 net/xfrm/xfrm_policy.c                            |   5 +-
 net/xfrm/xfrm_user.c                              |  13 ++-
 samples/mei/mei-amt-version.c                     |   2 +-
 tools/iio/iio_generic_buffer.c                    |   2 +-
 54 files changed, 461 insertions(+), 174 deletions(-)



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 01/50] mtd: Make sure mtd->erasesize is valid even if the partition is of size 0
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 02/50] mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Boris Brezillon,
	Geert Uytterhoeven

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <bbrezillon@kernel.org>

commit ad4635153034c20c6f6e211e2ed3fd38b658649a upstream.

Commit 33f45c44d68b ("mtd: Do not allow MTD devices with inconsistent
erase properties") introduced a check to make sure ->erasesize and
->_erase values are consistent with the MTD_NO_ERASE flag.
This patch did not take the 0 bytes partition case into account which
can happen when the defined partition is outside the flash device memory
range. Fix that by setting the partition erasesize to the parent
erasesize.

Fixes: 33f45c44d68b ("mtd: Do not allow MTD devices with inconsistent erase properties")
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: <stable@vger.kernel.org>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/mtdpart.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/mtd/mtdpart.c
+++ b/drivers/mtd/mtdpart.c
@@ -470,6 +470,10 @@ static struct mtd_part *allocate_partiti
 		/* let's register it anyway to preserve ordering */
 		slave->offset = 0;
 		slave->mtd.size = 0;
+
+		/* Initialize ->erasesize to make add_mtd_device() happy. */
+		slave->mtd.erasesize = parent->erasesize;
+
 		printk(KERN_ERR"mtd: partition \"%s\" is out of reach -- disabled\n",
 			part->name);
 		goto out_register;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 02/50] mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 01/50] mtd: Make sure mtd->erasesize is valid even if the partition is of size 0 Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 03/50] mtd: spinand: Fix the error/cleanup path in spinand_init() Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Roese, Boris Brezillon, Miquel Raynal

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <bbrezillon@kernel.org>

commit 13c15e07eedf26092054c8c71f2f47edb8388310 upstream.

Looks like PROGRAM LOAD (AKA write cache) does not necessarily reset
the cache content to 0xFF (depends on vendor implementation), so we
must fill the page cache entirely even if we only want to program the
data portion of the page, otherwise we might corrupt the BBM or user
data previously programmed in OOB area.

Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
Reported-by: Stefan Roese <sr@denx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
Tested-by: Stefan Roese <sr@denx.de>
Reviewed-by: Stefan Roese <sr@denx.de>
Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/spi/core.c |   42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -304,24 +304,30 @@ static int spinand_write_to_cache_op(str
 	struct nand_device *nand = spinand_to_nand(spinand);
 	struct mtd_info *mtd = nanddev_to_mtd(nand);
 	struct nand_page_io_req adjreq = *req;
-	unsigned int nbytes = 0;
-	void *buf = NULL;
+	void *buf = spinand->databuf;
+	unsigned int nbytes;
 	u16 column = 0;
 	int ret;
 
-	memset(spinand->databuf, 0xff,
-	       nanddev_page_size(nand) +
-	       nanddev_per_page_oobsize(nand));
+	/*
+	 * Looks like PROGRAM LOAD (AKA write cache) does not necessarily reset
+	 * the cache content to 0xFF (depends on vendor implementation), so we
+	 * must fill the page cache entirely even if we only want to program
+	 * the data portion of the page, otherwise we might corrupt the BBM or
+	 * user data previously programmed in OOB area.
+	 */
+	nbytes = nanddev_page_size(nand) + nanddev_per_page_oobsize(nand);
+	memset(spinand->databuf, 0xff, nbytes);
+	adjreq.dataoffs = 0;
+	adjreq.datalen = nanddev_page_size(nand);
+	adjreq.databuf.out = spinand->databuf;
+	adjreq.ooblen = nanddev_per_page_oobsize(nand);
+	adjreq.ooboffs = 0;
+	adjreq.oobbuf.out = spinand->oobbuf;
 
-	if (req->datalen) {
+	if (req->datalen)
 		memcpy(spinand->databuf + req->dataoffs, req->databuf.out,
 		       req->datalen);
-		adjreq.dataoffs = 0;
-		adjreq.datalen = nanddev_page_size(nand);
-		adjreq.databuf.out = spinand->databuf;
-		nbytes = adjreq.datalen;
-		buf = spinand->databuf;
-	}
 
 	if (req->ooblen) {
 		if (req->mode == MTD_OPS_AUTO_OOB)
@@ -332,14 +338,6 @@ static int spinand_write_to_cache_op(str
 		else
 			memcpy(spinand->oobbuf + req->ooboffs, req->oobbuf.out,
 			       req->ooblen);
-
-		adjreq.ooblen = nanddev_per_page_oobsize(nand);
-		adjreq.ooboffs = 0;
-		nbytes += nanddev_per_page_oobsize(nand);
-		if (!buf) {
-			buf = spinand->oobbuf;
-			column = nanddev_page_size(nand);
-		}
 	}
 
 	spinand_cache_op_adjust_colum(spinand, &adjreq, &column);
@@ -370,8 +368,8 @@ static int spinand_write_to_cache_op(str
 
 		/*
 		 * We need to use the RANDOM LOAD CACHE operation if there's
-		 * more than one iteration, because the LOAD operation resets
-		 * the cache to 0xff.
+		 * more than one iteration, because the LOAD operation might
+		 * reset the cache to 0xff.
 		 */
 		if (nbytes) {
 			column = op.addr.val;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 03/50] mtd: spinand: Fix the error/cleanup path in spinand_init()
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 01/50] mtd: Make sure mtd->erasesize is valid even if the partition is of size 0 Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 02/50] mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 04/50] mtd: rawnand: gpmi: fix MX28 bus master lockup problem Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Miquel Raynal

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris Brezillon <bbrezillon@kernel.org>

commit c3c7dbf4887ab3ed9d611cd1f6e16937f8700743 upstream.

The manufacturer specific initialization has already been done when
block unlocking takes place, and if anything goes wrong during this
procedure we should call spinand_manufacturer_cleanup().

Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
Cc: <stable@vger.kernel.org>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/spi/core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -1014,11 +1014,11 @@ static int spinand_init(struct spinand_d
 	for (i = 0; i < nand->memorg.ntargets; i++) {
 		ret = spinand_select_target(spinand, i);
 		if (ret)
-			goto err_free_bufs;
+			goto err_manuf_cleanup;
 
 		ret = spinand_lock_block(spinand, BL_ALL_UNLOCKED);
 		if (ret)
-			goto err_free_bufs;
+			goto err_manuf_cleanup;
 	}
 
 	ret = nanddev_init(nand, &spinand_ops, THIS_MODULE);



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 04/50] mtd: rawnand: gpmi: fix MX28 bus master lockup problem
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 03/50] mtd: spinand: Fix the error/cleanup path in spinand_init() Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 05/50] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Manfred Schlaegl, Martin Kepplinger,
	Miquel Raynal, Fabio Estevam, Han Xu, Boris Brezillon

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kepplinger <martin.kepplinger@ginzinger.com>

commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream.

Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft
reset may cause bus master lock up") for MX28 too. It has the same
problem.

Observed problem: once per 100,000+ MX28 reboots NAND read failed on
DMA timeout errors:
[    1.770823] UBI: attaching mtd3 to ubi0
[    2.768088] gpmi_nand: DMA timeout, last DMA :1
[    3.958087] gpmi_nand: BCH timeout, last DMA :1
[    4.156033] gpmi_nand: Error in ECC-based read: -110
[    4.161136] UBI warning: ubi_io_read: error -110 while reading 64
bytes from PEB 0:0, read only 0 bytes, retry
[    4.171283] step 1 error
[    4.173846] gpmi_nand: Chip: 0, Error -1

Without BCH soft reset we successfully executed 1,000,000 MX28 reboots.

I have a quote from NXP regarding this problem, from July 18th 2016:

"As the i.MX23 and i.MX28 are of the same generation, they share many
characteristics. Unfortunately, also the erratas may be shared.
In case of the documented erratas and the workarounds, you can also
apply the workaround solution of one device on the other one. This have
been reported, but I’m afraid that there are not an estimated date for
updating the Errata documents.
Please accept our apologies for any inconveniences this may cause."

Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems")
Cc: stable@vger.kernel.org
Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c |   13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c
+++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c
@@ -155,9 +155,10 @@ int gpmi_init(struct gpmi_nand_data *thi
 
 	/*
 	 * Reset BCH here, too. We got failures otherwise :(
-	 * See later BCH reset for explanation of MX23 handling
+	 * See later BCH reset for explanation of MX23 and MX28 handling
 	 */
-	ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
+	ret = gpmi_reset_block(r->bch_regs,
+			       GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
 	if (ret)
 		goto err_out;
 
@@ -263,12 +264,10 @@ int bch_set_geometry(struct gpmi_nand_da
 	/*
 	* Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this
 	* chip, otherwise it will lock up. So we skip resetting BCH on the MX23.
-	* On the other hand, the MX28 needs the reset, because one case has been
-	* seen where the BCH produced ECC errors constantly after 10000
-	* consecutive reboots. The latter case has not been seen on the MX23
-	* yet, still we don't know if it could happen there as well.
+	* and MX28.
 	*/
-	ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
+	ret = gpmi_reset_block(r->bch_regs,
+			       GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
 	if (ret)
 		goto err_out;
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 05/50] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 04/50] mtd: rawnand: gpmi: fix MX28 bus master lockup problem Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 06/50] tools: iio: iio_generic_buffer: make num_loops signed Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Jens Axboe

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit dd957493baa586f1431490f97f9c7c45eaf8ab10 upstream.

We've received a bugreport that using LPM with a SAMSUNG
MZ7TE512HMHP-000L1 SSD leads to system instability, we already have
a quirk for the MZ7TD256HAFV-000L9, which is also a Samsun EVO 840 /
PM851 OEM model, so it seems some of these models have a LPM issue.

This commits adds a NOLPM quirk for the model string from the new
bugeport, to avoid the reported stability issues.

Cc: stable@vger.kernel.org
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/ata/libata-core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4554,6 +4554,7 @@ static const struct ata_blacklist_entry
 	{ "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
 	{ "SAMSUNG SSD PM830 mSATA *",  "CXM13D1Q", ATA_HORKAGE_NOLPM, },
 	{ "SAMSUNG MZ7TD256HAFV-000L9", NULL,       ATA_HORKAGE_NOLPM, },
+	{ "SAMSUNG MZ7TE512HMHP-000L1", "EXT06L0Q", ATA_HORKAGE_NOLPM, },
 
 	/* devices that don't properly handle queued TRIM commands */
 	{ "Micron_M500IT_*",		"MU01",	ATA_HORKAGE_NO_NCQ_TRIM |



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 06/50] tools: iio: iio_generic_buffer: make num_loops signed
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 05/50] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 07/50] iio: adc: axp288: Fix TS-pin handling Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Kelly, Dan Carpenter, Stable,
	Jonathan Cameron

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Kelly <mkelly@xevo.com>

commit b119d3bc328e7a9574861ebe0c2110e2776c2de1 upstream.

Currently, num_loops is unsigned, but it's set by strtoll, which returns a
(signed) long long int. This could lead to overflow, and it also makes the
check "num_loops < 0" always be false, since num_loops is unsigned.
Setting num_loops to -1 to loop forever is almost working because num_loops
is getting set to a very high number, but it's technically still incorrect.

Fix this issue by making num_loops signed. This also fixes an error found
by Smatch.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 55dda0abcf9d ("tools: iio: iio_generic_buffer: allow continuous looping")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/iio/iio_generic_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/iio/iio_generic_buffer.c
+++ b/tools/iio/iio_generic_buffer.c
@@ -330,7 +330,7 @@ static const struct option longopts[] =
 
 int main(int argc, char **argv)
 {
-	unsigned long long num_loops = 2;
+	long long num_loops = 2;
 	unsigned long timedelay = 1000000;
 	unsigned long buf_len = 128;
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 07/50] iio: adc: axp288: Fix TS-pin handling
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 06/50] tools: iio: iio_generic_buffer: make num_loops signed Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 08/50] iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Stable, Jonathan Cameron

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 9bcf15f75cac3c6a00d8f8083a635de9c8537799 upstream.

Prior to this commit there were 3 issues with our handling of the TS-pin:

1) There are 2 ways how the firmware can disable monitoring of the TS-pin
for designs which do not have a temperature-sensor for the battery:
a) Clearing bit 0 of the AXP20X_ADC_EN1 register
b) Setting bit 2 of the AXP288_ADC_TS_PIN_CTRL monitoring

Prior to this commit we were unconditionally setting both bits to the
value used on devices with a TS. This causes the temperature protection to
kick in on devices without a TS, such as the Jumper ezbook v2, causing
them to not charge under Linux.

This commit fixes this by using regmap_update_bits when updating these 2
registers, leaving the 2 mentioned bits alone.

The next 2 problems are related to our handling of the current-source
for the TS-pin. The current-source used for the battery temp-sensor (TS)
is shared with the GPADC. For proper fuel-gauge and charger operation the
TS current-source needs to be permanently on. But to read the GPADC we
need to temporary switch the TS current-source to ondemand, so that the
GPADC can use it, otherwise we will always read an all 0 value.

2) Problem 2 is we were writing hardcoded values to the ADC TS pin-ctrl
register, overwriting various other unrelated bits. Specifically we were
overwriting the current-source setting for the TS and GPIO0 pins, forcing
it to 80ųA independent of its original setting. On a Chuwi Vi10 tablet
this was causing us to get a too high adc value (due to a too high
current-source) resulting in the following errors being logged:

ACPI Error: AE_ERROR, Returned by Handler for [UserDefinedRegion]
ACPI Error: Method parse/execution failed \_SB.SXP1._TMP, AE_ERROR

This commit fixes this by using regmap_update_bits to change only the
relevant bits.

3) After reading the GPADC channel we were unconditionally enabling the
TS current-source even on devices where the TS-pin is not used and the
current-source thus was off before axp288_adc_read_raw call.

This commit fixes this by making axp288_adc_set_ts a nop on devices where
the ADC is not enabled for the TS-pin.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1610545
Fixes: 3091141d7803 ("iio: adc: axp288: Fix the GPADC pin ...")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/axp288_adc.c |   76 +++++++++++++++++++++++++++++++++----------
 1 file changed, 60 insertions(+), 16 deletions(-)

--- a/drivers/iio/adc/axp288_adc.c
+++ b/drivers/iio/adc/axp288_adc.c
@@ -27,9 +27,18 @@
 #include <linux/iio/machine.h>
 #include <linux/iio/driver.h>
 
-#define AXP288_ADC_EN_MASK		0xF1
-#define AXP288_ADC_TS_PIN_GPADC		0xF2
-#define AXP288_ADC_TS_PIN_ON		0xF3
+/*
+ * This mask enables all ADCs except for the battery temp-sensor (TS), that is
+ * left as-is to avoid breaking charging on devices without a temp-sensor.
+ */
+#define AXP288_ADC_EN_MASK				0xF0
+#define AXP288_ADC_TS_ENABLE				0x01
+
+#define AXP288_ADC_TS_CURRENT_ON_OFF_MASK		GENMASK(1, 0)
+#define AXP288_ADC_TS_CURRENT_OFF			(0 << 0)
+#define AXP288_ADC_TS_CURRENT_ON_WHEN_CHARGING		(1 << 0)
+#define AXP288_ADC_TS_CURRENT_ON_ONDEMAND		(2 << 0)
+#define AXP288_ADC_TS_CURRENT_ON			(3 << 0)
 
 enum axp288_adc_id {
 	AXP288_ADC_TS,
@@ -44,6 +53,7 @@ enum axp288_adc_id {
 struct axp288_adc_info {
 	int irq;
 	struct regmap *regmap;
+	bool ts_enabled;
 };
 
 static const struct iio_chan_spec axp288_adc_channels[] = {
@@ -115,21 +125,33 @@ static int axp288_adc_read_channel(int *
 	return IIO_VAL_INT;
 }
 
-static int axp288_adc_set_ts(struct regmap *regmap, unsigned int mode,
-				unsigned long address)
+/*
+ * The current-source used for the battery temp-sensor (TS) is shared
+ * with the GPADC. For proper fuel-gauge and charger operation the TS
+ * current-source needs to be permanently on. But to read the GPADC we
+ * need to temporary switch the TS current-source to ondemand, so that
+ * the GPADC can use it, otherwise we will always read an all 0 value.
+ */
+static int axp288_adc_set_ts(struct axp288_adc_info *info,
+			     unsigned int mode, unsigned long address)
 {
 	int ret;
 
-	/* channels other than GPADC do not need to switch TS pin */
+	/* No need to switch the current-source if the TS pin is disabled */
+	if (!info->ts_enabled)
+		return 0;
+
+	/* Channels other than GPADC do not need the current source */
 	if (address != AXP288_GP_ADC_H)
 		return 0;
 
-	ret = regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, mode);
+	ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
+				 AXP288_ADC_TS_CURRENT_ON_OFF_MASK, mode);
 	if (ret)
 		return ret;
 
 	/* When switching to the GPADC pin give things some time to settle */
-	if (mode == AXP288_ADC_TS_PIN_GPADC)
+	if (mode == AXP288_ADC_TS_CURRENT_ON_ONDEMAND)
 		usleep_range(6000, 10000);
 
 	return 0;
@@ -145,14 +167,14 @@ static int axp288_adc_read_raw(struct ii
 	mutex_lock(&indio_dev->mlock);
 	switch (mask) {
 	case IIO_CHAN_INFO_RAW:
-		if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_GPADC,
+		if (axp288_adc_set_ts(info, AXP288_ADC_TS_CURRENT_ON_ONDEMAND,
 					chan->address)) {
 			dev_err(&indio_dev->dev, "GPADC mode\n");
 			ret = -EINVAL;
 			break;
 		}
 		ret = axp288_adc_read_channel(val, chan->address, info->regmap);
-		if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_ON,
+		if (axp288_adc_set_ts(info, AXP288_ADC_TS_CURRENT_ON,
 						chan->address))
 			dev_err(&indio_dev->dev, "TS pin restore\n");
 		break;
@@ -164,13 +186,35 @@ static int axp288_adc_read_raw(struct ii
 	return ret;
 }
 
-static int axp288_adc_set_state(struct regmap *regmap)
+static int axp288_adc_initialize(struct axp288_adc_info *info)
 {
-	/* ADC should be always enabled for internal FG to function */
-	if (regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, AXP288_ADC_TS_PIN_ON))
-		return -EIO;
+	int ret, adc_enable_val;
+
+	/*
+	 * Determine if the TS pin is enabled and set the TS current-source
+	 * accordingly.
+	 */
+	ret = regmap_read(info->regmap, AXP20X_ADC_EN1, &adc_enable_val);
+	if (ret)
+		return ret;
+
+	if (adc_enable_val & AXP288_ADC_TS_ENABLE) {
+		info->ts_enabled = true;
+		ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
+					 AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
+					 AXP288_ADC_TS_CURRENT_ON);
+	} else {
+		info->ts_enabled = false;
+		ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
+					 AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
+					 AXP288_ADC_TS_CURRENT_OFF);
+	}
+	if (ret)
+		return ret;
 
-	return regmap_write(regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK);
+	/* Turn on the ADC for all channels except TS, leave TS as is */
+	return regmap_update_bits(info->regmap, AXP20X_ADC_EN1,
+				  AXP288_ADC_EN_MASK, AXP288_ADC_EN_MASK);
 }
 
 static const struct iio_info axp288_adc_iio_info = {
@@ -200,7 +244,7 @@ static int axp288_adc_probe(struct platf
 	 * Set ADC to enabled state at all time, including system suspend.
 	 * otherwise internal fuel gauge functionality may be affected.
 	 */
-	ret = axp288_adc_set_state(axp20x->regmap);
+	ret = axp288_adc_initialize(info);
 	if (ret) {
 		dev_err(&pdev->dev, "unable to enable ADC device\n");
 		return ret;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 08/50] iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 07/50] iio: adc: axp288: Fix TS-pin handling Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 09/50] iio: ti-ads8688: Update buffer allocation for timestamps Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Matt Ranostay, Jonathan Cameron

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Ranostay <matt.ranostay@konsulko.com>

commit 0808831dc62e90023ad14ff8da4804c7846e904b upstream.

IIO_TEMP scale value for temperature was incorrect and not in millicelsius
as required by the ABI documentation.

Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
Fixes: 27dec00ecf2d (iio: chemical: add Atlas pH-SM sensor support)
Cc: <stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/chemical/atlas-ph-sensor.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/iio/chemical/atlas-ph-sensor.c
+++ b/drivers/iio/chemical/atlas-ph-sensor.c
@@ -444,9 +444,8 @@ static int atlas_read_raw(struct iio_dev
 	case IIO_CHAN_INFO_SCALE:
 		switch (chan->type) {
 		case IIO_TEMP:
-			*val = 1; /* 0.01 */
-			*val2 = 100;
-			break;
+			*val = 10;
+			return IIO_VAL_INT;
 		case IIO_PH:
 			*val = 1; /* 0.001 */
 			*val2 = 1000;
@@ -477,7 +476,7 @@ static int atlas_write_raw(struct iio_de
 			   int val, int val2, long mask)
 {
 	struct atlas_data *data = iio_priv(indio_dev);
-	__be32 reg = cpu_to_be32(val);
+	__be32 reg = cpu_to_be32(val / 10);
 
 	if (val2 != 0 || val < 0 || val > 20000)
 		return -EINVAL;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 09/50] iio: ti-ads8688: Update buffer allocation for timestamps
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 08/50] iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 10/50] signal: Always attempt to allocate siginfo for SIGSTOP Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Murphy, Stable, Jonathan Cameron

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Murphy <dmurphy@ti.com>

commit f214ff521fb1f861c8d7f7d0af98b06bf61b3369 upstream.

Per Jonathan Cameron, the buffer needs to allocate room for a
64 bit timestamp as well as the channels.  Change the buffer
to allocate this additional space.

Fixes: 2a86487786b5c ("iio: adc: ti-ads8688: add trigger and buffer support")
Signed-off-by: Dan Murphy <dmurphy@ti.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ti-ads8688.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/ti-ads8688.c
+++ b/drivers/iio/adc/ti-ads8688.c
@@ -41,6 +41,7 @@
 
 #define ADS8688_VREF_MV			4096
 #define ADS8688_REALBITS		16
+#define ADS8688_MAX_CHANNELS		8
 
 /*
  * enum ads8688_range - ADS8688 reference voltage range
@@ -385,7 +386,7 @@ static irqreturn_t ads8688_trigger_handl
 {
 	struct iio_poll_func *pf = p;
 	struct iio_dev *indio_dev = pf->indio_dev;
-	u16 buffer[8];
+	u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)];
 	int i, j = 0;
 
 	for (i = 0; i < indio_dev->masklength; i++) {



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 10/50] signal: Always attempt to allocate siginfo for SIGSTOP
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 09/50] iio: ti-ads8688: Update buffer allocation for timestamps Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 11/50] signal: Always notice exiting tasks Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tycho Andersen, Kees Cook,
	Jack Andersen, Linus Torvalds, Christian Brauner,
	Eric W. Biederman

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit a692933a87691681e880feb708081681ff32400a upstream.

Since 2.5.34 the code has had the potential to not allocate siginfo
for SIGSTOP signals.  Except for ptrace this is perfectly fine as only
ptrace can use PTRACE_PEEK_SIGINFO and see what the contents of
the delivered siginfo are.

Users of PTRACE_PEEK_SIGINFO that care about the contents siginfo
for SIGSTOP are rare, but they do exist.  A seccomp self test
has cared and lldb cares.

Jack Andersen <jackoalan@gmail.com> writes:

> The patch titled
> `signal: Never allocate siginfo for SIGKILL or SIGSTOP`
> created a regression for users of PTRACE_GETSIGINFO needing to
> discern signals that were raised via the tgkill syscall.
>
> A notable user of this tgkill+ptrace combination is lldb while
> debugging a multithreaded program. Without the ability to detect a
> SIGSTOP originating from tgkill, lldb does not have a way to
> synchronize on a per-thread basis and falls back to SIGSTOP-ing the
> entire process.

Everyone affected by this please note.  The kernel can still fail to
allocate a siginfo structure.  The allocation is with GFP_KERNEL and
is best effort only.  If memory is tight when the signal allocation
comes in this will fail to allocate a siginfo.

So I strongly recommend looking at more robust solutions for
synchronizing with a single thread such as PTRACE_INTERRUPT.  Or if
that does not work persuading your friendly local kernel developer to
build the interface you need.

Reported-by: Tycho Andersen <tycho@tycho.ws>
Reported-by: Kees Cook <keescook@chromium.org>
Reported-by: Jack Andersen <jackoalan@gmail.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Christian Brauner <christian@brauner.io>
Cc: stable@vger.kernel.org
Fixes: f149b3155744 ("signal: Never allocate siginfo for SIGKILL or SIGSTOP")
Fixes: 6dfc88977e42 ("[PATCH] shared thread signals")
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/signal.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1057,10 +1057,9 @@ static int __send_signal(int sig, struct
 
 	result = TRACE_SIGNAL_DELIVERED;
 	/*
-	 * Skip useless siginfo allocation for SIGKILL SIGSTOP,
-	 * and kernel threads.
+	 * Skip useless siginfo allocation for SIGKILL and kernel threads.
 	 */
-	if (sig_kernel_only(sig) || (t->flags & PF_KTHREAD))
+	if ((sig == SIGKILL) || (t->flags & PF_KTHREAD))
 		goto out_set;
 
 	/*



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 11/50] signal: Always notice exiting tasks
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 10/50] signal: Always attempt to allocate siginfo for SIGSTOP Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-19  6:23   ` Jiri Slaby
  2019-02-13 18:38 ` [PATCH 4.20 12/50] signal: Better detection of synchronous signals Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  52 siblings, 1 reply; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Eric W. Biederman

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.

Recently syzkaller was able to create unkillablle processes by
creating a timer that is delivered as a thread local signal on SIGHUP,
and receiving SIGHUP SA_NODEFERER.  Ultimately causing a loop
failing to deliver SIGHUP but always trying.

Upon examination it turns out part of the problem is actually most of
the solution.  Since 2.5 signal delivery has found all fatal signals,
marked the signal group for death, and queued SIGKILL in every threads
thread queue relying on signal->group_exit_code to preserve the
information of which was the actual fatal signal.

The conversion of all fatal signals to SIGKILL results in the
synchronous signal heuristic in next_signal kicking in and preferring
SIGHUP to SIGKILL.  Which is especially problematic as all
fatal signals have already been transformed into SIGKILL.

Instead of dequeueing signals and depending upon SIGKILL to
be the first signal dequeued, first test if the signal group
has already been marked for death.  This guarantees that
nothing in the signal queue can prevent a process that needs
to exit from exiting.

Cc: stable@vger.kernel.org
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/signal.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2393,6 +2393,11 @@ relock:
 		goto relock;
 	}
 
+	/* Has this task already been marked for death? */
+	ksig->info.si_signo = signr = SIGKILL;
+	if (signal_group_exit(signal))
+		goto fatal;
+
 	for (;;) {
 		struct k_sigaction *ka;
 
@@ -2488,6 +2493,7 @@ relock:
 			continue;
 		}
 
+	fatal:
 		spin_unlock_irq(&sighand->siglock);
 
 		/*



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 12/50] signal: Better detection of synchronous signals
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 11/50] signal: Always notice exiting tasks Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 13/50] misc: vexpress: Off by one in vexpress_syscfg_exec() Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Eric W. Biederman

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman <ebiederm@xmission.com>

commit 7146db3317c67b517258cb5e1b08af387da0618b upstream.

Recently syzkaller was able to create unkillablle processes by
creating a timer that is delivered as a thread local signal on SIGHUP,
and receiving SIGHUP SA_NODEFERER.  Ultimately causing a loop failing
to deliver SIGHUP but always trying.

When the stack overflows delivery of SIGHUP fails and force_sigsegv is
called.  Unfortunately because SIGSEGV is numerically higher than
SIGHUP next_signal tries again to deliver a SIGHUP.

>From a quality of implementation standpoint attempting to deliver the
timer SIGHUP signal is wrong.  We should attempt to deliver the
synchronous SIGSEGV signal we just forced.

We can make that happening in a fairly straight forward manner by
instead of just looking at the signal number we also look at the
si_code.  In particular for exceptions (aka synchronous signals) the
si_code is always greater than 0.

That still has the potential to pick up a number of asynchronous
signals as in a few cases the same si_codes that are used
for synchronous signals are also used for asynchronous signals,
and SI_KERNEL is also included in the list of possible si_codes.

Still the heuristic is much better and timer signals are definitely
excluded.  Which is enough to prevent all known ways for someone
sending a process signals fast enough to cause unexpected and
arguably incorrect behavior.

Cc: stable@vger.kernel.org
Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals")
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/signal.c |   52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -688,6 +688,48 @@ int dequeue_signal(struct task_struct *t
 }
 EXPORT_SYMBOL_GPL(dequeue_signal);
 
+static int dequeue_synchronous_signal(kernel_siginfo_t *info)
+{
+	struct task_struct *tsk = current;
+	struct sigpending *pending = &tsk->pending;
+	struct sigqueue *q, *sync = NULL;
+
+	/*
+	 * Might a synchronous signal be in the queue?
+	 */
+	if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
+		return 0;
+
+	/*
+	 * Return the first synchronous signal in the queue.
+	 */
+	list_for_each_entry(q, &pending->list, list) {
+		/* Synchronous signals have a postive si_code */
+		if ((q->info.si_code > SI_USER) &&
+		    (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
+			sync = q;
+			goto next;
+		}
+	}
+	return 0;
+next:
+	/*
+	 * Check if there is another siginfo for the same signal.
+	 */
+	list_for_each_entry_continue(q, &pending->list, list) {
+		if (q->info.si_signo == sync->info.si_signo)
+			goto still_pending;
+	}
+
+	sigdelset(&pending->signal, sync->info.si_signo);
+	recalc_sigpending();
+still_pending:
+	list_del_init(&sync->list);
+	copy_siginfo(info, &sync->info);
+	__sigqueue_free(sync);
+	return info->si_signo;
+}
+
 /*
  * Tell a process that it has a new active signal..
  *
@@ -2411,7 +2453,15 @@ relock:
 			goto relock;
 		}
 
-		signr = dequeue_signal(current, &current->blocked, &ksig->info);
+		/*
+		 * Signals generated by the execution of an instruction
+		 * need to be delivered before any other pending signals
+		 * so that the instruction pointer in the signal stack
+		 * frame points to the faulting instruction.
+		 */
+		signr = dequeue_synchronous_signal(&ksig->info);
+		if (!signr)
+			signr = dequeue_signal(current, &current->blocked, &ksig->info);
 
 		if (!signr)
 			break; /* will return 0 */



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 13/50] misc: vexpress: Off by one in vexpress_syscfg_exec()
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 12/50] signal: Better detection of synchronous signals Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 14/50] cfg80211: call disconnect_wk when AP stops Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Sudeep Holla

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f8a70d8b889f180e6860cb1f85fed43d37844c5a upstream.

The > comparison should be >= to prevent reading beyond the end of the
func->template[] array.

(The func->template array is allocated in vexpress_syscfg_regmap_init()
and it has func->num_templates elements.)

Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/vexpress-syscfg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/vexpress-syscfg.c
+++ b/drivers/misc/vexpress-syscfg.c
@@ -61,7 +61,7 @@ static int vexpress_syscfg_exec(struct v
 	int tries;
 	long timeout;
 
-	if (WARN_ON(index > func->num_templates))
+	if (WARN_ON(index >= func->num_templates))
 		return -EINVAL;
 
 	command = readl(syscfg->base + SYS_CFGCTRL);



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 14/50] cfg80211: call disconnect_wk when AP stops
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 13/50] misc: vexpress: Off by one in vexpress_syscfg_exec() Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 15/50] mei: me: add ice lake point device id Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit e005bd7ddea06784c1eb91ac5bb6b171a94f3b05 upstream.

Since we now prevent regulatory restore during STA disconnect
if concurrent AP interfaces are active, we need to reschedule
this check when the AP state changes. This fixes never doing
a restore when an AP is the last interface to stop. Or to put
it another way: we need to re-check after anything we check
here changes.

Cc: stable@vger.kernel.org
Fixes: 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/wireless/ap.c   |    2 ++
 net/wireless/core.h |    2 ++
 net/wireless/sme.c  |    2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)

--- a/net/wireless/ap.c
+++ b/net/wireless/ap.c
@@ -41,6 +41,8 @@ int __cfg80211_stop_ap(struct cfg80211_r
 		cfg80211_sched_dfs_chan_update(rdev);
 	}
 
+	schedule_work(&cfg80211_disconnect_work);
+
 	return err;
 }
 
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -444,6 +444,8 @@ void cfg80211_process_wdev_events(struct
 bool cfg80211_does_bw_fit_range(const struct ieee80211_freq_range *freq_range,
 				u32 center_freq_khz, u32 bw_khz);
 
+extern struct work_struct cfg80211_disconnect_work;
+
 /**
  * cfg80211_chandef_dfs_usable - checks if chandef is DFS usable
  * @wiphy: the wiphy to validate against
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -667,7 +667,7 @@ static void disconnect_work(struct work_
 	rtnl_unlock();
 }
 
-static DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
+DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
 
 
 /*



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 15/50] mei: me: add ice lake point device id.
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 14/50] cfg80211: call disconnect_wk when AP stops Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 16/50] samples: mei: use /dev/mei0 instead of /dev/mei Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tomas Winkler

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tomas Winkler <tomas.winkler@intel.com>

commit efe814e90b98aed6d655b5a4092b9114b8b26e42 upstream.

Add icelake mei device id.

Cc: <stable@vger.kernel.org>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mei/hw-me-regs.h |    2 ++
 drivers/misc/mei/pci-me.c     |    2 ++
 2 files changed, 4 insertions(+)

--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -139,6 +139,8 @@
 #define MEI_DEV_ID_CNP_H      0xA360  /* Cannon Point H */
 #define MEI_DEV_ID_CNP_H_4    0xA364  /* Cannon Point H 4 (iTouch) */
 
+#define MEI_DEV_ID_ICP_LP     0x34E0  /* Ice Lake Point LP */
+
 /*
  * MEI HW Section
  */
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -105,6 +105,8 @@ static const struct pci_device_id mei_me
 	{MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H, MEI_ME_PCH8_CFG)},
 	{MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H_4, MEI_ME_PCH8_CFG)},
 
+	{MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
+
 	/* required last entry */
 	{0, }
 };



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 16/50] samples: mei: use /dev/mei0 instead of /dev/mei
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 15/50] mei: me: add ice lake point device id Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 17/50] debugfs: fix debugfs_rename parameter checking Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tomas Winkler

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tomas Winkler <tomas.winkler@intel.com>

commit c4a46acf1db3ce547d290c29e55b3476c78dd76c upstream.

The device was moved from misc device to character devices
to support multiple mei devices.

Cc: <stable@vger.kernel.org> #v4.9+
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 samples/mei/mei-amt-version.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/samples/mei/mei-amt-version.c
+++ b/samples/mei/mei-amt-version.c
@@ -117,7 +117,7 @@ static bool mei_init(struct mei *me, con
 
 	me->verbose = verbose;
 
-	me->fd = open("/dev/mei", O_RDWR);
+	me->fd = open("/dev/mei0", O_RDWR);
 	if (me->fd == -1) {
 		mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
 		goto err;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 17/50] debugfs: fix debugfs_rename parameter checking
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 16/50] samples: mei: use /dev/mei0 instead of /dev/mei Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 18/50] svcrdma: Remove max_sge check at connect time Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d88c93f090f708c18195553b352b9f205e65418f upstream.

debugfs_rename() needs to check that the dentries passed into it really
are valid, as sometimes they are not (i.e. if the return value of
another debugfs call is passed into this one.)  So fix this up by
properly checking if the two parent directories are errors (they are
allowed to be NULL), and if the dentry to rename is not NULL or an
error.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/debugfs/inode.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -787,6 +787,13 @@ struct dentry *debugfs_rename(struct den
 	struct dentry *dentry = NULL, *trap;
 	struct name_snapshot old_name;
 
+	if (IS_ERR(old_dir))
+		return old_dir;
+	if (IS_ERR(new_dir))
+		return new_dir;
+	if (IS_ERR_OR_NULL(old_dentry))
+		return old_dentry;
+
 	trap = lock_rename(new_dir, old_dir);
 	/* Source or destination directories don't exist? */
 	if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir))



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 18/50] svcrdma: Remove max_sge check at connect time
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 17/50] debugfs: fix debugfs_rename parameter checking Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 19/50] pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Don Dutile, Chuck Lever, J. Bruce Fields

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit e248aa7be86e8179f20ac0931774ecd746f3f5bf upstream.

Two and a half years ago, the client was changed to use gathered
Send for larger inline messages, in commit 655fec6987b ("xprtrdma:
Use gathered Send for large inline messages"). Several fixes were
required because there are a few in-kernel device drivers whose
max_sge is 3, and these were broken by the change.

Apparently my memory is going, because some time later, I submitted
commit 25fd86eca11c ("svcrdma: Don't overrun the SGE array in
svc_rdma_send_ctxt"), and after that, commit f3c1fd0ee294 ("svcrdma:
Reduce max_send_sges"). These too incorrectly assumed in-kernel
device drivers would have more than a few Send SGEs available.

The fix for the server side is not the same. This is because the
fundamental problem on the server is that, whether or not the client
has provisioned a chunk for the RPC reply, the server must squeeze
even the most complex RPC replies into a single RDMA Send. Failing
in the send path because of Send SGE exhaustion should never be an
option.

Therefore, instead of failing when the send path runs out of SGEs,
switch to using a bounce buffer mechanism to handle RPC replies that
are too complex for the device to send directly. That allows us to
remove the max_sge check to enable drivers with small max_sge to
work again.

Reported-by: Don Dutile <ddutile@redhat.com>
Fixes: 25fd86eca11c ("svcrdma: Don't overrun the SGE array in ...")
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/xprtrdma/svc_rdma_sendto.c    |  105 +++++++++++++++++++++++++++++--
 net/sunrpc/xprtrdma/svc_rdma_transport.c |    9 --
 2 files changed, 102 insertions(+), 12 deletions(-)

--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
@@ -563,6 +563,99 @@ void svc_rdma_sync_reply_hdr(struct svcx
 				      DMA_TO_DEVICE);
 }
 
+/* If the xdr_buf has more elements than the device can
+ * transmit in a single RDMA Send, then the reply will
+ * have to be copied into a bounce buffer.
+ */
+static bool svc_rdma_pull_up_needed(struct svcxprt_rdma *rdma,
+				    struct xdr_buf *xdr,
+				    __be32 *wr_lst)
+{
+	int elements;
+
+	/* xdr->head */
+	elements = 1;
+
+	/* xdr->pages */
+	if (!wr_lst) {
+		unsigned int remaining;
+		unsigned long pageoff;
+
+		pageoff = xdr->page_base & ~PAGE_MASK;
+		remaining = xdr->page_len;
+		while (remaining) {
+			++elements;
+			remaining -= min_t(u32, PAGE_SIZE - pageoff,
+					   remaining);
+			pageoff = 0;
+		}
+	}
+
+	/* xdr->tail */
+	if (xdr->tail[0].iov_len)
+		++elements;
+
+	/* assume 1 SGE is needed for the transport header */
+	return elements >= rdma->sc_max_send_sges;
+}
+
+/* The device is not capable of sending the reply directly.
+ * Assemble the elements of @xdr into the transport header
+ * buffer.
+ */
+static int svc_rdma_pull_up_reply_msg(struct svcxprt_rdma *rdma,
+				      struct svc_rdma_send_ctxt *ctxt,
+				      struct xdr_buf *xdr, __be32 *wr_lst)
+{
+	unsigned char *dst, *tailbase;
+	unsigned int taillen;
+
+	dst = ctxt->sc_xprt_buf;
+	dst += ctxt->sc_sges[0].length;
+
+	memcpy(dst, xdr->head[0].iov_base, xdr->head[0].iov_len);
+	dst += xdr->head[0].iov_len;
+
+	tailbase = xdr->tail[0].iov_base;
+	taillen = xdr->tail[0].iov_len;
+	if (wr_lst) {
+		u32 xdrpad;
+
+		xdrpad = xdr_padsize(xdr->page_len);
+		if (taillen && xdrpad) {
+			tailbase += xdrpad;
+			taillen -= xdrpad;
+		}
+	} else {
+		unsigned int len, remaining;
+		unsigned long pageoff;
+		struct page **ppages;
+
+		ppages = xdr->pages + (xdr->page_base >> PAGE_SHIFT);
+		pageoff = xdr->page_base & ~PAGE_MASK;
+		remaining = xdr->page_len;
+		while (remaining) {
+			len = min_t(u32, PAGE_SIZE - pageoff, remaining);
+
+			memcpy(dst, page_address(*ppages), len);
+			remaining -= len;
+			dst += len;
+			pageoff = 0;
+		}
+	}
+
+	if (taillen)
+		memcpy(dst, tailbase, taillen);
+
+	ctxt->sc_sges[0].length += xdr->len;
+	ib_dma_sync_single_for_device(rdma->sc_pd->device,
+				      ctxt->sc_sges[0].addr,
+				      ctxt->sc_sges[0].length,
+				      DMA_TO_DEVICE);
+
+	return 0;
+}
+
 /* svc_rdma_map_reply_msg - Map the buffer holding RPC message
  * @rdma: controlling transport
  * @ctxt: send_ctxt for the Send WR
@@ -585,8 +678,10 @@ int svc_rdma_map_reply_msg(struct svcxpr
 	u32 xdr_pad;
 	int ret;
 
-	if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges)
-		return -EIO;
+	if (svc_rdma_pull_up_needed(rdma, xdr, wr_lst))
+		return svc_rdma_pull_up_reply_msg(rdma, ctxt, xdr, wr_lst);
+
+	++ctxt->sc_cur_sge_no;
 	ret = svc_rdma_dma_map_buf(rdma, ctxt,
 				   xdr->head[0].iov_base,
 				   xdr->head[0].iov_len);
@@ -617,8 +712,7 @@ int svc_rdma_map_reply_msg(struct svcxpr
 	while (remaining) {
 		len = min_t(u32, PAGE_SIZE - page_off, remaining);
 
-		if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges)
-			return -EIO;
+		++ctxt->sc_cur_sge_no;
 		ret = svc_rdma_dma_map_page(rdma, ctxt, *ppages++,
 					    page_off, len);
 		if (ret < 0)
@@ -632,8 +726,7 @@ int svc_rdma_map_reply_msg(struct svcxpr
 	len = xdr->tail[0].iov_len;
 tail:
 	if (len) {
-		if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges)
-			return -EIO;
+		++ctxt->sc_cur_sge_no;
 		ret = svc_rdma_dma_map_buf(rdma, ctxt, base, len);
 		if (ret < 0)
 			return ret;
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
@@ -478,12 +478,9 @@ static struct svc_xprt *svc_rdma_accept(
 	/* Transport header, head iovec, tail iovec */
 	newxprt->sc_max_send_sges = 3;
 	/* Add one SGE per page list entry */
-	newxprt->sc_max_send_sges += svcrdma_max_req_size / PAGE_SIZE;
-	if (newxprt->sc_max_send_sges > dev->attrs.max_send_sge) {
-		pr_err("svcrdma: too few Send SGEs available (%d needed)\n",
-		       newxprt->sc_max_send_sges);
-		goto errout;
-	}
+	newxprt->sc_max_send_sges += (svcrdma_max_req_size / PAGE_SIZE) + 1;
+	if (newxprt->sc_max_send_sges > dev->attrs.max_send_sge)
+		newxprt->sc_max_send_sges = dev->attrs.max_send_sge;
 	newxprt->sc_max_req_size = svcrdma_max_req_size;
 	newxprt->sc_max_requests = svcrdma_max_requests;
 	newxprt->sc_max_bc_requests = svcrdma_max_bc_requests;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 19/50] pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 18/50] svcrdma: Remove max_sge check at connect time Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 20/50] pinctrl: cherryview: fix Strago DMI workaround Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen-Yu Tsai, Neil Armstrong,
	Maxime Ripard, Linus Walleij

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chen-Yu Tsai <wens@csie.org>

commit 10098709b4ee6f6f19f25ba81d9c6f83518c584c upstream.

The H6 main pin controller has four banks of interrupt-triggering pins.
The driver as originally submitted only specified three, but had pin
descriptions referencing a fourth bank. This results in a out-of-bounds
access into .irq_array of struct sunxi_pinctrl. This however did not
result in a crash until v4.20, with commit a66d972465d1 ("devres: Align
data[] to ARCH_KMALLOC_MINALIGN"), which changed the alignment of memory
region returned by devm_kcalloc(). The increase likely moved the
out-of-bounds access into the next, unmapped page.

With KASAN on, the bug is quite clear:

    BUG: KASAN: slab-out-of-bounds in sunxi_pinctrl_init_with_variant+0x49c/0x12b8
    Write of size 4 at addr ffff80002c680280 by task swapper/0/1

    CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.0.0-rc1-00016-gc480a5e6a077 #3
    Hardware name: OrangePi Lite2 (DT)
    Call trace:
     dump_backtrace+0x0/0x220
     show_stack+0x14/0x20
     dump_stack+0xac/0xd4
     print_address_description+0x60/0x25c
     kasan_report+0x14c/0x1ac
     __asan_store4+0x80/0xa0
     sunxi_pinctrl_init_with_variant+0x49c/0x12b8
     h6_pinctrl_probe+0x18/0x20
     platform_drv_probe+0x6c/0xc8
     really_probe+0x244/0x4b0
     driver_probe_device.part.4+0x11c/0x164
     __driver_attach+0x120/0x190
     bus_for_each_dev+0xe8/0x158
     driver_attach+0x30/0x40
     bus_add_driver+0x308/0x318
     driver_register+0xbc/0x1d0
     __platform_driver_register+0x7c/0x88
     h6_pinctrl_driver_init+0x18/0x20
     do_one_initcall+0xd4/0x208
     kernel_init_freeable+0x230/0x2c8
     kernel_init+0x10/0x108
     ret_from_fork+0x10/0x1c

    Allocated by task 1:
     kasan_kmalloc.part.0+0x4c/0x100
     kasan_kmalloc+0xc4/0xe8
     kasan_slab_alloc+0x14/0x20
     __kmalloc_track_caller+0x130/0x238
     devm_kmalloc+0x34/0xd0
     sunxi_pinctrl_init_with_variant+0x1d8/0x12b8
     h6_pinctrl_probe+0x18/0x20
     platform_drv_probe+0x6c/0xc8
     really_probe+0x244/0x4b0
     driver_probe_device.part.4+0x11c/0x164
     __driver_attach+0x120/0x190
     bus_for_each_dev+0xe8/0x158
     driver_attach+0x30/0x40
     bus_add_driver+0x308/0x318
     driver_register+0xbc/0x1d0
     __platform_driver_register+0x7c/0x88
     h6_pinctrl_driver_init+0x18/0x20
     do_one_initcall+0xd4/0x208
     kernel_init_freeable+0x230/0x2c8
     kernel_init+0x10/0x108
     ret_from_fork+0x10/0x1c

    Freed by task 0:
    (stack is not available)

    The buggy address belongs to the object at ffff80002c680080
     which belongs to the cache kmalloc-512 of size 512
    The buggy address is located 0 bytes to the right of
     512-byte region [ffff80002c680080, ffff80002c680280)
    The buggy address belongs to the page:
    page:ffff7e0000b1a000 count:1 mapcount:0 mapping:ffff80002e00c780 index:0xffff80002c683c80 compound_mapcount: 0
    flags: 0x10200(slab|head)
    raw: 0000000000010200 ffff80002e003a10 ffff80002e003a10 ffff80002e00c780
    raw: ffff80002c683c80 0000000000100001 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff80002c680180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff80002c680200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff80002c680280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
		       ^
     ffff80002c680300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff80002c680380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Correct the number of IRQ banks so there are no more mismatches.

Fixes: c8a830904991 ("pinctrl: sunxi: add support for the Allwinner H6 main pin controller")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Tested-by: Neil Armstrong <narmstrong@baylibre.com>
Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-h6.c
@@ -588,7 +588,7 @@ static const unsigned int h6_irq_bank_ma
 static const struct sunxi_pinctrl_desc h6_pinctrl_data = {
 	.pins = h6_pins,
 	.npins = ARRAY_SIZE(h6_pins),
-	.irq_banks = 3,
+	.irq_banks = 4,
 	.irq_bank_map = h6_irq_bank_map,
 	.irq_read_needs_mux = true,
 };



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 20/50] pinctrl: cherryview: fix Strago DMI workaround
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 19/50] pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 21/50] tracing/uprobes: Fix output for multiple string arguments Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Torokhov, Andy Shevchenko,
	Mika Westerberg, Linus Walleij

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit e3f72b749da2bf63bed7409e416f160418d475b6 upstream.

Well, hopefully 3rd time is a charm. We tried making that check
DMI_BIOS_VERSION and DMI_BOARD_VERSION, but the real one is
DMI_PRODUCT_VERSION.

Fixes: 86c5dd6860a6 ("pinctrl: cherryview: limit Strago DMI workarounds to version 1.0")
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=197953
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1631930
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/intel/pinctrl-cherryview.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
+++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
@@ -1507,7 +1507,7 @@ static const struct dmi_system_id chv_no
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"),
 			DMI_MATCH(DMI_PRODUCT_FAMILY, "Intel_Strago"),
-			DMI_MATCH(DMI_BOARD_VERSION, "1.0"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
 		},
 	},
 	{
@@ -1515,7 +1515,7 @@ static const struct dmi_system_id chv_no
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "HP"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "Setzer"),
-			DMI_MATCH(DMI_BOARD_VERSION, "1.0"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
 		},
 	},
 	{
@@ -1523,7 +1523,7 @@ static const struct dmi_system_id chv_no
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "Cyan"),
-			DMI_MATCH(DMI_BOARD_VERSION, "1.0"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
 		},
 	},
 	{
@@ -1531,7 +1531,7 @@ static const struct dmi_system_id chv_no
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "GOOGLE"),
 			DMI_MATCH(DMI_PRODUCT_NAME, "Celes"),
-			DMI_MATCH(DMI_BOARD_VERSION, "1.0"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "1.0"),
 		},
 	},
 	{}



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 21/50] tracing/uprobes: Fix output for multiple string arguments
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 20/50] pinctrl: cherryview: fix Strago DMI workaround Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 22/50] tracing: uprobes: Fix typo in pr_fmt string Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Masami Hiramatsu,
	Andreas Ziegler, Steven Rostedt (VMware)

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Ziegler <andreas.ziegler@fau.de>

commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream.

When printing multiple uprobe arguments as strings the output for the
earlier arguments would also include all later string arguments.

This is best explained in an example:

Consider adding a uprobe to a function receiving two strings as
parameters which is at offset 0xa0 in strlib.so and we want to print
both parameters when the uprobe is hit (on x86_64):

$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \
    /sys/kernel/debug/tracing/uprobe_events

When the function is called as func("foo", "bar") and we hit the probe,
the trace file shows a line like the following:

  [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"

Note the extra "bar" printed as part of arg1. This behaviour stacks up
for additional string arguments.

The strings are stored in a dynamically growing part of the uprobe
buffer by fetch_store_string() after copying them from userspace via
strncpy_from_user(). The return value of strncpy_from_user() is then
directly used as the required size for the string. However, this does
not take the terminating null byte into account as the documentation
for strncpy_from_user() cleary states that it "[...] returns the
length of the string (not including the trailing NUL)" even though the
null byte will be copied to the destination.

Therefore, subsequent calls to fetch_store_string() will overwrite
the terminating null byte of the most recently fetched string with
the first character of the current string, leading to the
"accumulation" of strings in earlier arguments in the output.

Fix this by incrementing the return value of strncpy_from_user() by
one if we did not hit the maximum buffer size.

Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de

Cc: Ingo Molnar <mingo@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_uprobe.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -127,6 +127,13 @@ fetch_store_string(unsigned long addr, v
 	if (ret >= 0) {
 		if (ret == maxlen)
 			dst[ret - 1] = '\0';
+		else
+			/*
+			 * Include the terminating null byte. In this case it
+			 * was copied by strncpy_from_user but not accounted
+			 * for in ret.
+			 */
+			ret++;
 		*(u32 *)dest = make_data_loc(ret, (void *)dst - base);
 	}
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 22/50] tracing: uprobes: Fix typo in pr_fmt string
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 21/50] tracing/uprobes: Fix output for multiple string arguments Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 23/50] mips: cm: reprime error cause Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Masami Hiramatsu,
	Andreas Ziegler, Steven Rostedt (VMware)

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Ziegler <andreas.ziegler@fau.de>

commit ea6eb5e7d15e1838de335609994b4546e2abcaaf upstream.

The subsystem-specific message prefix for uprobes was also
"trace_kprobe: " instead of "trace_uprobe: " as described in
the original commit message.

Link: http://lkml.kernel.org/r/20190117133023.19292-1-andreas.ziegler@fau.de

Cc: Ingo Molnar <mingo@redhat.com>
Cc: stable@vger.kernel.org
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Fixes: 7257634135c24 ("tracing/probe: Show subsystem name in messages")
Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_uprobe.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -5,7 +5,7 @@
  * Copyright (C) IBM Corporation, 2010-2012
  * Author:	Srikar Dronamraju <srikar@linux.vnet.ibm.com>
  */
-#define pr_fmt(fmt)	"trace_kprobe: " fmt
+#define pr_fmt(fmt)	"trace_uprobe: " fmt
 
 #include <linux/module.h>
 #include <linux/uaccess.h>



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 23/50] mips: cm: reprime error cause
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 22/50] tracing: uprobes: Fix typo in pr_fmt string Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 24/50] MIPS: Use lower case for addresses in nexys4ddr.dts Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Kondratiev, Paul Burton,
	Ralf Baechle, James Hogan, linux-mips

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>

commit 05dc6001af0630e200ad5ea08707187fe5537e6d upstream.

Accordingly to the documentation
---cut---
The GCR_ERROR_CAUSE.ERR_TYPE field and the GCR_ERROR_MULT.ERR_TYPE
fields can be cleared by either a reset or by writing the current
value of GCR_ERROR_CAUSE.ERR_TYPE to the
GCR_ERROR_CAUSE.ERR_TYPE register.
---cut---
Do exactly this. Original value of cm_error may be safely written back;
it clears error cause and keeps other bits untouched.

Fixes: 3885c2b463f6 ("MIPS: CM: Add support for reporting CM cache errors")
Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@linux.intel.com>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # v4.3+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kernel/mips-cm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kernel/mips-cm.c
+++ b/arch/mips/kernel/mips-cm.c
@@ -457,5 +457,5 @@ void mips_cm_error_report(void)
 	}
 
 	/* reprime cause register */
-	write_gcr_error_cause(0);
+	write_gcr_error_cause(cm_error);
 }



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 24/50] MIPS: Use lower case for addresses in nexys4ddr.dts
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 23/50] mips: cm: reprime error cause Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 25/50] MIPS: OCTEON: dont set octeon_dma_bar_type if PCI is disabled Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paul Burton, linux-mips

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@mips.com>

commit 047f2d941b8b24cadd6a4a09e606b7f41188ba3e upstream.

DTC introduced an i2c_bus_reg check in v1.4.7, used since Linux v4.20,
which complains about upper case addresses used in the unit name.

nexys4ddr.dts names an I2C device node "ad7420@4B", leading to:

  arch/mips/boot/dts/xilfpga/nexys4ddr.dts:109.16-112.8: Warning
    (i2c_bus_reg): /i2c@10A00000/ad7420@4B: I2C bus unit address format
    error, expected "4b"

Fix this by switching to lower case addresses throughout the file, as is
*mostly* the case in the file already & fairly standard throughout the
tree.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: stable@vger.kernel.org # v4.20+
Cc: linux-mips@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/boot/dts/xilfpga/nexys4ddr.dts |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/mips/boot/dts/xilfpga/nexys4ddr.dts
+++ b/arch/mips/boot/dts/xilfpga/nexys4ddr.dts
@@ -90,11 +90,11 @@
 		interrupts = <0>;
 	};
 
-	axi_i2c: i2c@10A00000 {
+	axi_i2c: i2c@10a00000 {
 	    compatible = "xlnx,xps-iic-2.00.a";
 	    interrupt-parent = <&axi_intc>;
 	    interrupts = <4>;
-	    reg = < 0x10A00000 0x10000 >;
+	    reg = < 0x10a00000 0x10000 >;
 	    clocks = <&ext>;
 	    xlnx,clk-freq = <0x5f5e100>;
 	    xlnx,family = "Artix7";
@@ -106,9 +106,9 @@
 	    #address-cells = <1>;
 	    #size-cells = <0>;
 
-	    ad7420@4B {
+	    ad7420@4b {
 		compatible = "adi,adt7420";
-		reg = <0x4B>;
+		reg = <0x4b>;
 	    };
 	} ;
 };



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 25/50] MIPS: OCTEON: dont set octeon_dma_bar_type if PCI is disabled
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 24/50] MIPS: Use lower case for addresses in nexys4ddr.dts Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 26/50] MIPS: VDSO: Use same -m%-float cflag as the kernel proper Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Paul Burton, linux-mips

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit dcf300a69ac307053dfb35c2e33972e754a98bce upstream.

Don't set octeon_dma_bar_type if PCI is disabled. This avoids creation
of the MSI irqchip later on, and saves a bit of memory.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: a214720cbf50 ("Disable MSI also when pcie-octeon.pcie_disable on")
Cc: stable@vger.kernel.org # v3.3+
Cc: linux-mips@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/pci/pci-octeon.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/arch/mips/pci/pci-octeon.c
+++ b/arch/mips/pci/pci-octeon.c
@@ -568,6 +568,11 @@ static int __init octeon_pci_setup(void)
 	if (octeon_has_feature(OCTEON_FEATURE_PCIE))
 		return 0;
 
+	if (!octeon_is_pci_host()) {
+		pr_notice("Not in host mode, PCI Controller not initialized\n");
+		return 0;
+	}
+
 	/* Point pcibios_map_irq() to the PCI version of it */
 	octeon_pcibios_map_irq = octeon_pci_pcibios_map_irq;
 
@@ -579,11 +584,6 @@ static int __init octeon_pci_setup(void)
 	else
 		octeon_dma_bar_type = OCTEON_DMA_BAR_TYPE_BIG;
 
-	if (!octeon_is_pci_host()) {
-		pr_notice("Not in host mode, PCI Controller not initialized\n");
-		return 0;
-	}
-
 	/* PCI I/O and PCI MEM values */
 	set_io_port_base(OCTEON_PCI_IOSPACE_BASE);
 	ioport_resource.start = 0;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 26/50] MIPS: VDSO: Use same -m%-float cflag as the kernel proper
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 25/50] MIPS: OCTEON: dont set octeon_dma_bar_type if PCI is disabled Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 27/50] mips: loongson64: remove unreachable(), fix loongson_poweroff() Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton, Kevin Hilman,
	Guenter Roeck, Maciej W. Rozycki, linux-mips

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@mips.com>

commit 0648e50e548d881d025b9419a1a168753c8e2bf7 upstream.

The MIPS VDSO build currently doesn't provide the -msoft-float flag to
the compiler as the kernel proper does. This results in an attempt to
use the compiler's default floating point configuration, which can be
problematic in cases where this is incompatible with the target CPU's
-march= flag. For example decstation_defconfig fails to build using
toolchains in which gcc was configured --with-fp-32=xx with the
following error:

    LDS     arch/mips/vdso/vdso.lds
  cc1: error: '-march=r3000' requires '-mfp32'
  make[2]: *** [scripts/Makefile.build:379: arch/mips/vdso/vdso.lds] Error 1

The kernel proper avoids this error because we build with the
-msoft-float compiler flag, rather than using the compiler's default.
Pass this flag through to the VDSO build so that it too becomes agnostic
to the toolchain's floating point configuration.

Note that this is filtered out from KBUILD_CFLAGS rather than simply
always using -msoft-float such that if we switch the kernel to use
-mno-float in the future the VDSO will automatically inherit the change.

The VDSO doesn't actually include any floating point code, and its
.MIPS.abiflags section is already manually generated to specify that
it's compatible with any floating point ABI. As such this change should
have no effect on the resulting VDSO, apart from fixing the build
failure for affected toolchains.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reported-by: Kevin Hilman <khilman@baylibre.com>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Kevin Hilman <khilman@baylibre.com>
References: https://lore.kernel.org/linux-mips/1477843551-21813-1-git-send-email-linux@roeck-us.net/
References: https://kernelci.org/build/id/5c4e4ae059b5142a249ad004/logs/
Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
Cc: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@vger.kernel.org
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/vdso/Makefile |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/mips/vdso/Makefile
+++ b/arch/mips/vdso/Makefile
@@ -8,6 +8,7 @@ ccflags-vdso := \
 	$(filter -E%,$(KBUILD_CFLAGS)) \
 	$(filter -mmicromips,$(KBUILD_CFLAGS)) \
 	$(filter -march=%,$(KBUILD_CFLAGS)) \
+	$(filter -m%-float,$(KBUILD_CFLAGS)) \
 	-D__VDSO__
 
 ifdef CONFIG_CC_IS_CLANG



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 27/50] mips: loongson64: remove unreachable(), fix loongson_poweroff().
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 26/50] MIPS: VDSO: Use same -m%-float cflag as the kernel proper Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 28/50] MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Paul Burton, linux-mips,
	Huacai Chen, Ralf Baechle, James Hogan, Aaro Koskinen

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yifeng Li <tomli@tomli.me>

commit 8a96669d77897ff3613157bf43f875739205d66d upstream.

On my Yeeloong 8089, I noticed the machine fails to shutdown
properly, and often, the function mach_prepare_reboot() is
unexpectedly executed, thus the machine reboots instead. A
wait loop is needed to ensure the system is in a well-defined
state before going down.

In commit 997e93d4df16 ("MIPS: Hang more efficiently on
halt/powerdown/restart"), a general superset of the wait loop for all
platforms is already provided, so we don't need to implement our own.

This commit simply removes the unreachable() compiler marco after
mach_prepare_reboot(), thus allowing the execution of machine_hang().
My test shows that the machine is now able to shutdown successfully.

Please note that there are two different bugs preventing the machine
from shutting down, another work-in-progress commit is needed to
fix a lockup in cpufreq / i8259 driver, please read Reference, this
commit does not fix that bug.

Reference: https://lkml.org/lkml/2019/2/5/908
Signed-off-by: Yifeng Li <tomli@tomli.me>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: linux-mips@vger.kernel.org
Cc: Huacai Chen <chenhc@lemote.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-kernel@vger.kernel.org
Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
Cc: stable@vger.kernel.org # v4.17+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/loongson64/common/reset.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/mips/loongson64/common/reset.c
+++ b/arch/mips/loongson64/common/reset.c
@@ -59,7 +59,12 @@ static void loongson_poweroff(void)
 {
 #ifndef CONFIG_LEFI_FIRMWARE_INTERFACE
 	mach_prepare_shutdown();
-	unreachable();
+
+	/*
+	 * It needs a wait loop here, but mips/kernel/reset.c already calls
+	 * a generic delay loop, machine_hang(), so simply return.
+	 */
+	return;
 #else
 	void (*fw_poweroff)(void) = (void *)loongson_sysconf.poweroff_addr;
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 28/50] MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 27/50] mips: loongson64: remove unreachable(), fix loongson_poweroff() Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 29/50] ARM: iop32x/n2100: fix PCI IRQ mapping Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton, linux-mips,
	Kevin Hilman, Guenter Roeck, Maciej W . Rozycki

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@mips.com>

commit 67fc5dc8a541e8f458d7f08bf88ff55933bf9f9d upstream.

When generating vdso-o32.lds & vdso-n32.lds for use with programs
running as compat ABIs under 64b kernels, we previously haven't included
the compiler flags that are supposedly common to all ABIs - ie. those in
the ccflags-vdso variable.

This is problematic in cases where we need to provide the -m%-float flag
in order to ensure that we don't attempt to use a floating point ABI
that's incompatible with the target CPU & ABI. For example a toolchain
using current gcc trunk configured --with-fp-32=xx fails to build a
64r6el_defconfig kernel with the following error:

  cc1: error: '-march=mips1' requires '-mfp32'
  make[2]: *** [arch/mips/vdso/Makefile:135: arch/mips/vdso/vdso-o32.lds] Error 1

Include $(ccflags-vdso) for the compat VDSO .lds builds, just as it is
included for the native VDSO .lds & when compiling objects for the
compat VDSOs. This ensures we consistently provide the -msoft-float flag
amongst others, avoiding the problem by ensuring we're agnostic to the
toolchain defaults.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
Cc: linux-mips@vger.kernel.org
Cc: Kevin Hilman <khilman@baylibre.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Maciej W . Rozycki <macro@linux-mips.org>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/vdso/Makefile |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/vdso/Makefile
+++ b/arch/mips/vdso/Makefile
@@ -129,7 +129,7 @@ $(obj)/%-o32.o: $(src)/%.c FORCE
 	$(call cmd,force_checksrc)
 	$(call if_changed_rule,cc_o_c)
 
-$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := -mabi=32
+$(obj)/vdso-o32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=32
 $(obj)/vdso-o32.lds: $(src)/vdso.lds.S FORCE
 	$(call if_changed_dep,cpp_lds_S)
 
@@ -169,7 +169,7 @@ $(obj)/%-n32.o: $(src)/%.c FORCE
 	$(call cmd,force_checksrc)
 	$(call if_changed_rule,cc_o_c)
 
-$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := -mabi=n32
+$(obj)/vdso-n32.lds: KBUILD_CPPFLAGS := $(ccflags-vdso) -mabi=n32
 $(obj)/vdso-n32.lds: $(src)/vdso.lds.S FORCE
 	$(call if_changed_dep,cpp_lds_S)
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 29/50] ARM: iop32x/n2100: fix PCI IRQ mapping
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 28/50] MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 30/50] ARM: tango: Improve ARCH_MULTIPLATFORM compatibility Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Russell King, Arnd Bergmann

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit db4090920ba2d61a5827a23e441447926a02ffee upstream.

Booting 4.20 on a TheCUS N2100 results in a kernel oops while probing
PCI, due to n2100_pci_map_irq() having been discarded during boot.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Cc: stable@vger.kernel.org # 2.6.18+
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-iop32x/n2100.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/arm/mach-iop32x/n2100.c
+++ b/arch/arm/mach-iop32x/n2100.c
@@ -75,8 +75,7 @@ void __init n2100_map_io(void)
 /*
  * N2100 PCI.
  */
-static int __init
-n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
+static int n2100_pci_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
 {
 	int irq;
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 30/50] ARM: tango: Improve ARCH_MULTIPLATFORM compatibility
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 29/50] ARM: iop32x/n2100: fix PCI IRQ mapping Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 31/50] ARM: dts: da850: fix interrupt numbers for clocksource Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paolo Pisati, Marc Gonzalez,
	Pavel Machek, Arnd Bergmann

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Gonzalez <marc.w.gonzalez@free.fr>

commit d0f9f16788e15d9eb40f68b047732d49658c5a3a upstream.

Calling platform-specific code unconditionally blows up when running
an ARCH_MULTIPLATFORM kernel on a different platform. Don't do it.

Reported-by: Paolo Pisati <p.pisati@gmail.com>
Signed-off-by: Marc Gonzalez <marc.w.gonzalez@free.fr>
Acked-by: Pavel Machek <pavel@ucw.cz>
Cc: stable@vger.kernel.org # v4.8+
Fixes: a30eceb7a59d ("ARM: tango: add Suspend-to-RAM support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-tango/pm.c    |    6 ++----
 arch/arm/mach-tango/pm.h    |    7 +++++++
 arch/arm/mach-tango/setup.c |    2 ++
 3 files changed, 11 insertions(+), 4 deletions(-)

--- a/arch/arm/mach-tango/pm.c
+++ b/arch/arm/mach-tango/pm.c
@@ -3,6 +3,7 @@
 #include <linux/suspend.h>
 #include <asm/suspend.h>
 #include "smc.h"
+#include "pm.h"
 
 static int tango_pm_powerdown(unsigned long arg)
 {
@@ -24,10 +25,7 @@ static const struct platform_suspend_ops
 	.valid = suspend_valid_only_mem,
 };
 
-static int __init tango_pm_init(void)
+void __init tango_pm_init(void)
 {
 	suspend_set_ops(&tango_pm_ops);
-	return 0;
 }
-
-late_initcall(tango_pm_init);
--- /dev/null
+++ b/arch/arm/mach-tango/pm.h
@@ -0,0 +1,7 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#ifdef CONFIG_SUSPEND
+void __init tango_pm_init(void);
+#else
+#define tango_pm_init NULL
+#endif
--- a/arch/arm/mach-tango/setup.c
+++ b/arch/arm/mach-tango/setup.c
@@ -2,6 +2,7 @@
 #include <asm/mach/arch.h>
 #include <asm/hardware/cache-l2x0.h>
 #include "smc.h"
+#include "pm.h"
 
 static void tango_l2c_write(unsigned long val, unsigned int reg)
 {
@@ -15,4 +16,5 @@ DT_MACHINE_START(TANGO_DT, "Sigma Tango
 	.dt_compat	= tango_dt_compat,
 	.l2c_aux_mask	= ~0,
 	.l2c_write_sec	= tango_l2c_write,
+	.init_late	= tango_pm_init,
 MACHINE_END



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 31/50] ARM: dts: da850: fix interrupt numbers for clocksource
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 30/50] ARM: tango: Improve ARCH_MULTIPLATFORM compatibility Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 32/50] firmware: arm_scmi: provide the mandatory device release callback Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bartosz Golaszewski, Sekhar Nori

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bgolaszewski@baylibre.com>

commit e3966a766865da7ced1dece663697861dd5cf103 upstream.

The timer interrupts specified in commit 3652e2741f42 ("ARM: dts:
da850: Add clocks") are wrong but since the current timer code
hard-codes them, the bug was never spotted.

This patch must go into stable since, once we introduce a proper
clocksource driver, devices with buggy device tree will stop booting.

Fixes: 3652e2741f42 ("ARM: dts: da850: Add clocks")
Cc: stable@vger.kernel.org
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/da850.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/da850.dtsi
+++ b/arch/arm/boot/dts/da850.dtsi
@@ -476,7 +476,7 @@
 		clocksource: timer@20000 {
 			compatible = "ti,da830-timer";
 			reg = <0x20000 0x1000>;
-			interrupts = <12>, <13>;
+			interrupts = <21>, <22>;
 			interrupt-names = "tint12", "tint34";
 			clocks = <&pll0_auxclk>;
 		};



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 32/50] firmware: arm_scmi: provide the mandatory device release callback
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 31/50] ARM: dts: da850: fix interrupt numbers for clocksource Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 33/50] powerpc/papr_scm: Use the correct bind address Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sudeep Holla, Arnd Bergmann

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sudeep Holla <sudeep.holla@arm.com>

commit 46edb8d1322c1763dd04e179992f8e9996085047 upstream.

The device/driver model clearly mandates that bus driver that discover
and allocate the device must set the release callback. This callback
will be used to free the device after all references have gone away.

scmi bus driver is missing the obvious callback which will result in
the following warning if the device is unregistered:

Device 'scmi_dev.1' does not have a release() function, it is broken and
must be fixed. See Documentation/kobject.txt.
WARNING at drivers/base/core.c:922 device_release+0x8c/0xa0
Hardware name: ARM LTD Juno Development Platform BIOS EDK II Jan 21 2019
Workqueue: events deferred_probe_work_func
pstate: 60000005 (nZCv daif -PAN -UAO)
pc : device_release+0x8c/0xa0
lr : device_release+0x8c/0xa0
Call trace:
 device_release+0x8c/0xa0
 kobject_put+0x8c/0x208
 device_unregister+0x30/0x78
 scmi_device_destroy+0x28/0x50
 scmi_probe+0x354/0x5b0
 platform_drv_probe+0x58/0xa8
 really_probe+0x2c4/0x3e8
 driver_probe_device+0x12c/0x148
 __device_attach_driver+0xac/0x150
 bus_for_each_drv+0x78/0xd8
 __device_attach+0xe0/0x168
 device_initial_probe+0x24/0x30
 bus_probe_device+0xa0/0xa8
 deferred_probe_work_func+0x8c/0xe0
 process_one_work+0x1f0/0x478
 worker_thread+0x22c/0x450
 kthread+0x134/0x138
 ret_from_fork+0x10/0x1c
---[ end trace 420bdb7f6af50937 ]---

Fix the issue by providing scmi_device_release callback. We have
everything required for device release already in scmi_device_destroy,
so we just need to move freeing of the device to scmi_device_release.

Fixes: 933c504424a2 ("firmware: arm_scmi: add scmi protocol bus to enumerate protocol devices")
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Cc: stable@vger.kernel.org # 4.17+
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/arm_scmi/bus.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/firmware/arm_scmi/bus.c
+++ b/drivers/firmware/arm_scmi/bus.c
@@ -119,6 +119,11 @@ void scmi_driver_unregister(struct scmi_
 }
 EXPORT_SYMBOL_GPL(scmi_driver_unregister);
 
+static void scmi_device_release(struct device *dev)
+{
+	kfree(to_scmi_dev(dev));
+}
+
 struct scmi_device *
 scmi_device_create(struct device_node *np, struct device *parent, int protocol)
 {
@@ -138,6 +143,7 @@ scmi_device_create(struct device_node *n
 	scmi_dev->dev.parent = parent;
 	scmi_dev->dev.of_node = np;
 	scmi_dev->dev.bus = &scmi_bus_type;
+	scmi_dev->dev.release = scmi_device_release;
 	dev_set_name(&scmi_dev->dev, "scmi_dev.%d", id);
 
 	retval = device_register(&scmi_dev->dev);
@@ -156,9 +162,8 @@ free_mem:
 void scmi_device_destroy(struct scmi_device *scmi_dev)
 {
 	scmi_handle_put(scmi_dev->handle);
-	device_unregister(&scmi_dev->dev);
 	ida_simple_remove(&scmi_bus_id, scmi_dev->id);
-	kfree(scmi_dev);
+	device_unregister(&scmi_dev->dev);
 }
 
 void scmi_set_handle(struct scmi_device *scmi_dev)



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 33/50] powerpc/papr_scm: Use the correct bind address
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 32/50] firmware: arm_scmi: provide the mandatory device release callback Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 34/50] powerpc/radix: Fix kernel crash with mremap() Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver OHalloran, Michael Ellerman

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver O'Halloran <oohall@gmail.com>

commit 5a3840a470c41ec0b85cd36ca80370330656b163 upstream.

When binding an SCM volume to a physical address the hypervisor has the
option to return early with a continue token with the expectation that
the guest will resume the bind operation until it completes. A quirk of
this interface is that the bind address will only be returned by the
first bind h-call and the subsequent calls will return
0xFFFF_FFFF_FFFF_FFFF for the bind address.

We currently do not save the address returned by the first h-call. As a
result we will use the junk address as the base of the bound region if
the hypervisor decides to split the bind across multiple h-calls. This
bug was found when testing with very large SCM volumes where the bind
process would take more time than they hypervisor's internal h-call time
limit would allow. This patch fixes the issue by saving the bind address
from the first call.

Cc: stable@vger.kernel.org
Fixes: b5beae5e224f ("powerpc/pseries: Add driver for PAPR SCM regions")
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/platforms/pseries/papr_scm.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/powerpc/platforms/pseries/papr_scm.c
+++ b/arch/powerpc/platforms/pseries/papr_scm.c
@@ -43,6 +43,7 @@ static int drc_pmem_bind(struct papr_scm
 {
 	unsigned long ret[PLPAR_HCALL_BUFSIZE];
 	uint64_t rc, token;
+	uint64_t saved = 0;
 
 	/*
 	 * When the hypervisor cannot map all the requested memory in a single
@@ -56,6 +57,8 @@ static int drc_pmem_bind(struct papr_scm
 		rc = plpar_hcall(H_SCM_BIND_MEM, ret, p->drc_index, 0,
 				p->blocks, BIND_ANY_ADDR, token);
 		token = ret[0];
+		if (!saved)
+			saved = ret[1];
 		cond_resched();
 	} while (rc == H_BUSY);
 
@@ -64,7 +67,7 @@ static int drc_pmem_bind(struct papr_scm
 		return -ENXIO;
 	}
 
-	p->bound_addr = ret[1];
+	p->bound_addr = saved;
 
 	dev_dbg(&p->pdev->dev, "bound drc %x to %pR\n", p->drc_index, &p->res);
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 34/50] powerpc/radix: Fix kernel crash with mremap()
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 33/50] powerpc/papr_scm: Use the correct bind address Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 35/50] mic: vop: Fix use-after-free on remove Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aneesh Kumar K.V, Michael Ellerman

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>

commit 579b9239c1f38665b21e8d0e6ee83ecc96dbd6bb upstream.

With support for split pmd lock, we use pmd page pmd_huge_pte pointer
to store the deposited page table. In those config when we move page
tables we need to make sure we move the deposited page table to the
correct pmd page. Otherwise this can result in crash when we withdraw
of deposited page table because we can find the pmd_huge_pte NULL.

eg:

  __split_huge_pmd+0x1070/0x1940
  __split_huge_pmd+0xe34/0x1940 (unreliable)
  vma_adjust_trans_huge+0x110/0x1c0
  __vma_adjust+0x2b4/0x9b0
  __split_vma+0x1b8/0x280
  __do_munmap+0x13c/0x550
  sys_mremap+0x220/0x7e0
  system_call+0x5c/0x70

Fixes: 675d995297d4 ("powerpc/book3s64: Enable split pmd ptlock.")
Cc: stable@vger.kernel.org # v4.18+
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/book3s/64/pgtable.h |   22 +++++++---------------
 arch/powerpc/mm/pgtable-book3s64.c           |   22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 15 deletions(-)

--- a/arch/powerpc/include/asm/book3s/64/pgtable.h
+++ b/arch/powerpc/include/asm/book3s/64/pgtable.h
@@ -1258,21 +1258,13 @@ extern pmd_t pmdp_invalidate(struct vm_a
 
 #define pmd_move_must_withdraw pmd_move_must_withdraw
 struct spinlock;
-static inline int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl,
-					 struct spinlock *old_pmd_ptl,
-					 struct vm_area_struct *vma)
-{
-	if (radix_enabled())
-		return false;
-	/*
-	 * Archs like ppc64 use pgtable to store per pmd
-	 * specific information. So when we switch the pmd,
-	 * we should also withdraw and deposit the pgtable
-	 */
-	return true;
-}
-
-
+extern int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl,
+				  struct spinlock *old_pmd_ptl,
+				  struct vm_area_struct *vma);
+/*
+ * Hash translation mode use the deposited table to store hash pte
+ * slot information.
+ */
 #define arch_needs_pgtable_deposit arch_needs_pgtable_deposit
 static inline bool arch_needs_pgtable_deposit(void)
 {
--- a/arch/powerpc/mm/pgtable-book3s64.c
+++ b/arch/powerpc/mm/pgtable-book3s64.c
@@ -482,3 +482,25 @@ void arch_report_meminfo(struct seq_file
 		   atomic_long_read(&direct_pages_count[MMU_PAGE_1G]) << 20);
 }
 #endif /* CONFIG_PROC_FS */
+
+/*
+ * For hash translation mode, we use the deposited table to store hash slot
+ * information and they are stored at PTRS_PER_PMD offset from related pmd
+ * location. Hence a pmd move requires deposit and withdraw.
+ *
+ * For radix translation with split pmd ptl, we store the deposited table in the
+ * pmd page. Hence if we have different pmd page we need to withdraw during pmd
+ * move.
+ *
+ * With hash we use deposited table always irrespective of anon or not.
+ * With radix we use deposited table only for anonymous mapping.
+ */
+int pmd_move_must_withdraw(struct spinlock *new_pmd_ptl,
+			   struct spinlock *old_pmd_ptl,
+			   struct vm_area_struct *vma)
+{
+	if (radix_enabled())
+		return (new_pmd_ptl != old_pmd_ptl) && vma_is_anonymous(vma);
+
+	return true;
+}



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 35/50] mic: vop: Fix use-after-free on remove
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 34/50] powerpc/radix: Fix kernel crash with mremap() Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 36/50] mac80211: ensure that mgmt tx skbs have tailroom for encryption Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vincent Whitchurch

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

commit 70ed7148dadb812f2f7c9927e98ef3cf4869dfa9 upstream.

KASAN detects a use-after-free when vop devices are removed.

This problem was introduced by commit 0063e8bbd2b62d136 ("virtio_vop:
don't kfree device on register failure").  That patch moved the freeing
of the struct _vop_vdev to the release function, but failed to ensure
that vop holds a reference to the device when it doesn't want it to go
away.  A kfree() was replaced with a put_device() in the unregistration
path, but the last reference to the device is already dropped in
unregister_virtio_device() so the struct is freed before vop is done
with it.

Fix it by holding a reference until cleanup is done.  This is similar to
the fix in virtio_pci in commit 2989be09a8a9d6 ("virtio_pci: fix use
after free on release").

 ==================================================================
 BUG: KASAN: use-after-free in vop_scan_devices+0xc6c/0xe50 [vop]
 Read of size 8 at addr ffff88800da18580 by task kworker/0:1/12

 CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.0.0-rc4+ #53
 Workqueue: events vop_hotplug_devices [vop]
 Call Trace:
  dump_stack+0x74/0xbb
  print_address_description+0x5d/0x2b0
  ? vop_scan_devices+0xc6c/0xe50 [vop]
  kasan_report+0x152/0x1aa
  ? vop_scan_devices+0xc6c/0xe50 [vop]
  ? vop_scan_devices+0xc6c/0xe50 [vop]
  vop_scan_devices+0xc6c/0xe50 [vop]
  ? vop_loopback_free_irq+0x160/0x160 [vop_loopback]
  process_one_work+0x7c0/0x14b0
  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
  ? do_raw_spin_lock+0x120/0x280
  worker_thread+0x8f/0xbf0
  ? __kthread_parkme+0x78/0xf0
  ? process_one_work+0x14b0/0x14b0
  kthread+0x2ae/0x3a0
  ? kthread_park+0x120/0x120
  ret_from_fork+0x3a/0x50

 Allocated by task 12:
  kmem_cache_alloc_trace+0x13a/0x2a0
  vop_scan_devices+0x473/0xe50 [vop]
  process_one_work+0x7c0/0x14b0
  worker_thread+0x8f/0xbf0
  kthread+0x2ae/0x3a0
  ret_from_fork+0x3a/0x50

 Freed by task 12:
  kfree+0x104/0x310
  device_release+0x73/0x1d0
  kobject_put+0x14f/0x420
  unregister_virtio_device+0x32/0x50
  vop_scan_devices+0x19d/0xe50 [vop]
  process_one_work+0x7c0/0x14b0
  worker_thread+0x8f/0xbf0
  kthread+0x2ae/0x3a0
  ret_from_fork+0x3a/0x50

 The buggy address belongs to the object at ffff88800da18008
  which belongs to the cache kmalloc-2k of size 2048
 The buggy address is located 1400 bytes inside of
  2048-byte region [ffff88800da18008, ffff88800da18808)
 The buggy address belongs to the page:
 page:ffffea0000368600 count:1 mapcount:0 mapping:ffff88801440dbc0 index:0x0 compound_mapcount: 0
 flags: 0x4000000000010200(slab|head)
 raw: 4000000000010200 ffffea0000378608 ffffea000037a008 ffff88801440dbc0
 raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff88800da18480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88800da18500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 >ffff88800da18580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                    ^
  ffff88800da18600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88800da18680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

Fixes: 0063e8bbd2b62d136 ("virtio_vop: don't kfree device on register failure")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mic/vop/vop_main.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/misc/mic/vop/vop_main.c
+++ b/drivers/misc/mic/vop/vop_main.c
@@ -568,6 +568,8 @@ static int _vop_remove_device(struct mic
 	int ret = -1;
 
 	if (ioread8(&dc->config_change) == MIC_VIRTIO_PARAM_DEV_REMOVE) {
+		struct device *dev = get_device(&vdev->vdev.dev);
+
 		dev_dbg(&vpdev->dev,
 			"%s %d config_change %d type %d vdev %p\n",
 			__func__, __LINE__,
@@ -579,7 +581,7 @@ static int _vop_remove_device(struct mic
 		iowrite8(-1, &dc->h2c_vdev_db);
 		if (status & VIRTIO_CONFIG_S_DRIVER_OK)
 			wait_for_completion(&vdev->reset_done);
-		put_device(&vdev->vdev.dev);
+		put_device(dev);
 		iowrite8(1, &dc->guest_ack);
 		dev_dbg(&vpdev->dev, "%s %d guest_ack %d\n",
 			__func__, __LINE__, ioread8(&dc->guest_ack));



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 36/50] mac80211: ensure that mgmt tx skbs have tailroom for encryption
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 35/50] mic: vop: Fix use-after-free on remove Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 37/50] drm/modes: Prevent division by zero htotal Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <nbd@nbd.name>

commit 9d0f50b80222dc273e67e4e14410fcfa4130a90c upstream.

Some drivers use IEEE80211_KEY_FLAG_SW_MGMT_TX to indicate that management
frames need to be software encrypted. Since normal data packets are still
encrypted by the hardware, crypto_tx_tailroom_needed_cnt gets decremented
after key upload to hw. This can lead to passing skbs to ccmp_encrypt_skb,
which don't have the necessary tailroom for software encryption.

Change the code to add tailroom for encrypted management packets, even if
crypto_tx_tailroom_needed_cnt is 0.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/tx.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1938,9 +1938,16 @@ static int ieee80211_skb_resize(struct i
 				int head_need, bool may_encrypt)
 {
 	struct ieee80211_local *local = sdata->local;
+	struct ieee80211_hdr *hdr;
+	bool enc_tailroom;
 	int tail_need = 0;
 
-	if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) {
+	hdr = (struct ieee80211_hdr *) skb->data;
+	enc_tailroom = may_encrypt &&
+		       (sdata->crypto_tx_tailroom_needed_cnt ||
+			ieee80211_is_mgmt(hdr->frame_control));
+
+	if (enc_tailroom) {
 		tail_need = IEEE80211_ENCRYPT_TAILROOM;
 		tail_need -= skb_tailroom(skb);
 		tail_need = max_t(int, tail_need, 0);
@@ -1948,8 +1955,7 @@ static int ieee80211_skb_resize(struct i
 
 	if (skb_cloned(skb) &&
 	    (!ieee80211_hw_check(&local->hw, SUPPORTS_CLONED_SKBS) ||
-	     !skb_clone_writable(skb, ETH_HLEN) ||
-	     (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt)))
+	     !skb_clone_writable(skb, ETH_HLEN) || enc_tailroom))
 		I802_DEBUG_INC(local->tx_expand_skb_head_cloned);
 	else if (head_need || tail_need)
 		I802_DEBUG_INC(local->tx_expand_skb_head);



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 37/50] drm/modes: Prevent division by zero htotal
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 36/50] mac80211: ensure that mgmt tx skbs have tailroom for encryption Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 38/50] drm/rockchip: rgb: update SPDX license identifier Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tina Zhang, Adam Jackson,
	Dave Airlie, Daniel Vetter, Daniel Vetter

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tina Zhang <tina.zhang@intel.com>

commit a2fcd5c84f7a7825e028381b10182439067aa90d upstream.

This patch prevents division by zero htotal.

In a follow-up mail Tina writes:

> > How did you manage to get here with htotal == 0? This needs backtraces (or if
> > this is just about static checkers, a mention of that).
> > -Daniel
>
> In GVT-g, we are trying to enable a virtual display w/o setting timings for a pipe
> (a.k.a htotal=0), then we met the following kernel panic:
>
> [   32.832048] divide error: 0000 [#1] SMP PTI
> [   32.833614] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.18.0-rc4-sriov+ #33
> [   32.834438] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.10.1-0-g8891697-dirty-20180511_165818-tinazhang-linux-1 04/01/2014
> [   32.835901] RIP: 0010:drm_mode_hsync+0x1e/0x40
> [   32.836004] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66
> [   32.836004] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206
> [   32.836004] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000
> [   32.836004] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0
> [   32.836004] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330
> [   32.836004] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000
> [   32.836004] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800
> [   32.836004] FS:  0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000
> [   32.836004] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   32.836004] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0
> [   32.836004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   32.836004] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [   32.836004] Call Trace:
> [   32.836004]  intel_mode_from_pipe_config+0x72/0x90
> [   32.836004]  intel_modeset_setup_hw_state+0x569/0xf90
> [   32.836004]  intel_modeset_init+0x905/0x1db0
> [   32.836004]  i915_driver_load+0xb8c/0x1120
> [   32.836004]  i915_pci_probe+0x4d/0xb0
> [   32.836004]  local_pci_probe+0x44/0xa0
> [   32.836004]  ? pci_assign_irq+0x27/0x130
> [   32.836004]  pci_device_probe+0x102/0x1c0
> [   32.836004]  driver_probe_device+0x2b8/0x480
> [   32.836004]  __driver_attach+0x109/0x110
> [   32.836004]  ? driver_probe_device+0x480/0x480
> [   32.836004]  bus_for_each_dev+0x67/0xc0
> [   32.836004]  ? klist_add_tail+0x3b/0x70
> [   32.836004]  bus_add_driver+0x1e8/0x260
> [   32.836004]  driver_register+0x5b/0xe0
> [   32.836004]  ? mipi_dsi_bus_init+0x11/0x11
> [   32.836004]  do_one_initcall+0x4d/0x1eb
> [   32.836004]  kernel_init_freeable+0x197/0x237
> [   32.836004]  ? rest_init+0xd0/0xd0
> [   32.836004]  kernel_init+0xa/0x110
> [   32.836004]  ret_from_fork+0x35/0x40
> [   32.836004] Modules linked in:
> [   32.859183] ---[ end trace 525608b0ed0e8665 ]---
> [   32.859722] RIP: 0010:drm_mode_hsync+0x1e/0x40
> [   32.860287] Code: 31 c0 c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 87 d8 00 00 00 85 c0 75 22 8b 4f 68 85 c9 78 1b 69 47 58 e8 03 00 00 99 <f7> f9 b9 d3 4d 62 10 05 f4 01 00 00 f7 e1 89 d0 c1 e8 06 f3 c3 66
> [   32.862680] RSP: 0000:ffffc900000ebb90 EFLAGS: 00010206
> [   32.863309] RAX: 0000000000000000 RBX: ffff88001c67c8a0 RCX: 0000000000000000
> [   32.864182] RDX: 0000000000000000 RSI: ffff88001c67c000 RDI: ffff88001c67c8a0
> [   32.865206] RBP: ffff88001c7d03a0 R08: ffff88001c67c8a0 R09: ffff88001c7d0330
> [   32.866359] R10: ffffffff822c3a98 R11: 0000000000000001 R12: ffff88001c67c000
> [   32.867213] R13: ffff88001c7d0370 R14: ffffffff8207eb78 R15: ffff88001c67c800
> [   32.868075] FS:  0000000000000000(0000) GS:ffff88001da00000(0000) knlGS:0000000000000000
> [   32.868983] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   32.869659] CR2: 0000000000000000 CR3: 000000000220a000 CR4: 00000000000006f0
> [   32.870599] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   32.871598] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [   32.872549] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
>
> Since drm_mode_hsync() has the logic to check mode->htotal, I just extend it to cover the case htotal==0.

Signed-off-by: Tina Zhang <tina.zhang@intel.com>
Cc: Adam Jackson <ajax@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
[danvet: Add additional explanations + cc: stable.]
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/1548228539-3061-1-git-send-email-tina.zhang@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_modes.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -758,7 +758,7 @@ int drm_mode_hsync(const struct drm_disp
 	if (mode->hsync)
 		return mode->hsync;
 
-	if (mode->htotal < 0)
+	if (mode->htotal <= 0)
 		return 0;
 
 	calc_val = (mode->clock * 1000) / mode->htotal; /* hsync in Hz */



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 38/50] drm/rockchip: rgb: update SPDX license identifier
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 37/50] drm/modes: Prevent division by zero htotal Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 39/50] drm/amd/powerplay: Fix missing break in switch Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Sandy Huang, Heiko Stuebner

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sandy Huang <hjc@rock-chips.com>

commit 053ff09f1a8f2151339f9fda457c5250929d1c49 upstream.

Update SPDX License Identifier from GPL-2.0+ to GPL-2.0
and drop some GPL text.
This fixes a mismatch between the existing SPDX headers and GPL
boilerplate text.

Fixes: 1f0f01515172 ("Add support for Rockchip Soc RGB output interface")
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sandy Huang <hjc@rock-chips.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/1548238479-171491-1-git-send-email-hjc@rock-chips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/rockchip/rockchip_rgb.c |   11 +----------
 drivers/gpu/drm/rockchip/rockchip_rgb.h |   11 +----------
 2 files changed, 2 insertions(+), 20 deletions(-)

--- a/drivers/gpu/drm/rockchip/rockchip_rgb.c
+++ b/drivers/gpu/drm/rockchip/rockchip_rgb.c
@@ -1,17 +1,8 @@
-//SPDX-License-Identifier: GPL-2.0+
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Copyright (C) Fuzhou Rockchip Electronics Co.Ltd
  * Author:
  *      Sandy Huang <hjc@rock-chips.com>
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
- * may be copied, distributed, and modified under those terms.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
  */
 
 #include <drm/drmP.h>
--- a/drivers/gpu/drm/rockchip/rockchip_rgb.h
+++ b/drivers/gpu/drm/rockchip/rockchip_rgb.h
@@ -1,17 +1,8 @@
-//SPDX-License-Identifier: GPL-2.0+
+/* SPDX-License-Identifier: GPL-2.0 */
 /*
  * Copyright (C) Fuzhou Rockchip Electronics Co.Ltd
  * Author:
  *      Sandy Huang <hjc@rock-chips.com>
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
- * may be copied, distributed, and modified under those terms.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
  */
 
 #ifdef CONFIG_ROCKCHIP_RGB



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 39/50] drm/amd/powerplay: Fix missing break in switch
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 38/50] drm/rockchip: rgb: update SPDX license identifier Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 40/50] drm/i915: always return something on DDI clock selection Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, Alex Deucher

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Gustavo A. R. Silva <gustavo@embeddedor.com>

commit 2f10d823739680d2477ce34437e8a08a53117f40 upstream.

Add missing break statement in order to prevent the code from falling
through to the default case.

The resoning for this is that pclk_vol_table is an automatic variable.
So, it makes no sense to update it just before falling through to the
default case and return -EINVAL.

This bug was found thanks to the ongoing efforts to enabling
-Wimplicit-fallthrough.

Fixes: cd70f3d6e3fa ("drm/amd/powerplay: PP/DAL interface changes for dynamic clock switch")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/powerplay/hwmgr/smu10_hwmgr.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu10_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu10_hwmgr.c
@@ -1005,6 +1005,7 @@ static int smu10_get_clock_by_type_with_
 		break;
 	case amd_pp_dpp_clock:
 		pclk_vol_table = pinfo->vdd_dep_on_dppclk;
+		break;
 	default:
 		return -EINVAL;
 	}



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 40/50] drm/i915: always return something on DDI clock selection
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 39/50] drm/amd/powerplay: Fix missing break in switch Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 41/50] drm/vmwgfx: Fix setting of dma masks Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paulo Zanoni, Lucas De Marchi,
	Mika Kahola, Jani Nikula

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lucas De Marchi <lucas.demarchi@intel.com>

commit 2a121030d4ee3f84f60c6f415f9c44bffbcde81d upstream.

Even if we don't have the correct clock and get a warning, we should not
skip the return.

v2: improve commit message (from Joonas)

Fixes: 1fa11ee2d9d0 ("drm/i915/icl: start adding the TBT pll")
Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
Cc: <stable@vger.kernel.org> # v4.19+
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Reviewed-by: Mika Kahola <mika.kahola@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190125222444.19926-3-lucas.demarchi@intel.com
(cherry picked from commit 7a61a6dec3dfb9f2e8c39a337580a3c3036c5cdf)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_ddi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/intel_ddi.c
+++ b/drivers/gpu/drm/i915/intel_ddi.c
@@ -1085,7 +1085,7 @@ static uint32_t icl_pll_to_ddi_pll_sel(s
 			return DDI_CLK_SEL_TBT_810;
 		default:
 			MISSING_CASE(clock);
-			break;
+			return DDI_CLK_SEL_NONE;
 		}
 	case DPLL_ID_ICL_MGPLL1:
 	case DPLL_ID_ICL_MGPLL2:



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 41/50] drm/vmwgfx: Fix setting of dma masks
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 40/50] drm/i915: always return something on DDI clock selection Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 42/50] drm/vmwgfx: Fix an uninitialized fence handle value Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Hellstrom, Deepak Rawat

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Hellstrom <thellstrom@vmware.com>

commit 4cbfa1e6c09e98450aab3240e5119b0ab2c9795b upstream.

Previously we set only the dma mask and not the coherent mask. Fix that.
Also, for clarity, make sure both are initially set to 64 bits.

Cc: <stable@vger.kernel.org>
Fixes: 0d00c488f3de: ("drm/vmwgfx: Fix the driver for large dma addresses")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -629,13 +629,16 @@ out_fixup:
 static int vmw_dma_masks(struct vmw_private *dev_priv)
 {
 	struct drm_device *dev = dev_priv->dev;
+	int ret = 0;
 
-	if (intel_iommu_enabled &&
+	ret = dma_set_mask_and_coherent(dev->dev, DMA_BIT_MASK(64));
+	if (dev_priv->map_mode != vmw_dma_phys &&
 	    (sizeof(unsigned long) == 4 || vmw_restrict_dma_mask)) {
 		DRM_INFO("Restricting DMA addresses to 44 bits.\n");
-		return dma_set_mask(dev->dev, DMA_BIT_MASK(44));
+		return dma_set_mask_and_coherent(dev->dev, DMA_BIT_MASK(44));
 	}
-	return 0;
+
+	return ret;
 }
 #else
 static int vmw_dma_masks(struct vmw_private *dev_priv)



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 42/50] drm/vmwgfx: Fix an uninitialized fence handle value
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 41/50] drm/vmwgfx: Fix setting of dma masks Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 43/50] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Thomas Hellstrom,
	Deepak Rawat, Brian Paul, Sinclair Yeh

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Hellstrom <thellstrom@vmware.com>

commit 51fdbeb4ca1a8415c98f87cb877956ae83e71627 upstream.

if vmw_execbuf_fence_commands() fails, The handle value will be
uninitialized and a bogus fence handle might be copied to user-space.

Cc: <stable@vger.kernel.org>
Fixes: 2724b2d54cda: ("drm/vmwgfx: Use new validation interface for the modesetting code v2")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com> #v1
Reviewed-by: Sinclair Yeh <syeh@vmware.com> #v1
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -2592,8 +2592,8 @@ void vmw_kms_helper_validation_finish(st
 				      user_fence_rep)
 {
 	struct vmw_fence_obj *fence = NULL;
-	uint32_t handle;
-	int ret;
+	uint32_t handle = 0;
+	int ret = 0;
 
 	if (file_priv || user_fence_rep || vmw_validation_has_bos(ctx) ||
 	    out_fence)



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 43/50] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 42/50] drm/vmwgfx: Fix an uninitialized fence handle value Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 44/50] xfrm: Make set-mark default behavior backward compatible Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Hellstrom, Deepak Rawat

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Hellstrom <thellstrom@vmware.com>

commit 728354c005c36eaf44b6e5552372b67e60d17f56 upstream.

The function was unconditionally returning 0, and a caller would have to
rely on the returned fence pointer being NULL to detect errors. However,
the function vmw_execbuf_copy_fence_user() would expect a non-zero error
code in that case and would BUG otherwise.

So make sure we return a proper non-zero error code if the fence pointer
returned is NULL.

Cc: <stable@vger.kernel.org>
Fixes: ae2a104058e2: ("vmwgfx: Implement fence objects")
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Deepak Rawat <drawat@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -3570,7 +3570,7 @@ int vmw_execbuf_fence_commands(struct dr
 		*p_fence = NULL;
 	}
 
-	return 0;
+	return ret;
 }
 
 /**



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 44/50] xfrm: Make set-mark default behavior backward compatible
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 43/50] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 45/50] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Benedict Wong, Steffen Klassert

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benedict Wong <benedictwong@google.com>

commit e2612cd496e7b465711d219ea6118893d7253f52 upstream.

Fixes 9b42c1f179a6, which changed the default route lookup behavior for
tunnel mode SAs in the outbound direction to use the skb mark, whereas
previously mark=0 was used if the output mark was unspecified. In
mark-based routing schemes such as Android’s, this change in default
behavior causes routing loops or lookup failures.

This patch restores the default behavior of using a 0 mark while still
incorporating the skb mark if the SET_MARK (and SET_MARK_MASK) is
specified.

Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/860150

Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction and masking")
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_policy.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1628,7 +1628,10 @@ static struct dst_entry *xfrm_bundle_cre
 		dst_copy_metrics(dst1, dst);
 
 		if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
-			__u32 mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]);
+			__u32 mark = 0;
+
+			if (xfrm[i]->props.smark.v || xfrm[i]->props.smark.m)
+				mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]);
 
 			family = xfrm[i]->props.family;
 			dst = xfrm_dst_lookup(xfrm[i], tos, fl->flowi_oif,



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 45/50] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 44/50] xfrm: Make set-mark default behavior backward compatible Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 46/50] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal" Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Kamil Kozar,
	Ville Syrjälä,
	Mika Kahola, Jani Nikula

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit d028a646e84b9b131e4ff2cb5bbdd3825d141028 upstream.

Certain SNB machines (eg. ASUS K53SV) seem to have a broken BIOS
which misprograms the hardware badly when encountering a suitably
high resolution display. The programmed pipe timings are somewhat
bonkers and the DPLL is totally misprogrammed (P divider == 0).
That will result in atomic commit timeouts as apparently the pipe
is sufficiently stuck to not signal vblank interrupts.

IIRC something like this was also observed on some other SNB
machine years ago (might have been a Dell XPS 8300) but a BIOS
update cured it. Sadly looks like this was never fixed for the
ASUS K53SV as the latest BIOS (K53SV.320 11/11/2011) is still
broken.

The quickest way to deal with this seems to be to shut down
the pipe+ports+DPLL. Unfortunately doing this during the
normal sanitization phase isn't quite soon enough as we
already spew several WARNs about the bogus hardware state.
But it's better than hanging the boot for a few dozen seconds.
Since this is limited to a few old machines it doesn't seem
entirely worthwile to try and rework the readout+sanitization
code to handle it more gracefully.

v2: Fix potential NULL deref (kbuild test robot)
    Constify has_bogus_dpll_config()

Cc: stable@vger.kernel.org # v4.20+
Cc: Daniel Kamil Kozar <dkk089@gmail.com>
Reported-by: Daniel Kamil Kozar <dkk089@gmail.com>
Tested-by: Daniel Kamil Kozar <dkk089@gmail.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109245
Fixes: 516a49cc1946 ("drm/i915: Fix assert_plane() warning on bootup with external display")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190111174950.10681-1-ville.syrjala@linux.intel.com
Reviewed-by: Mika Kahola <mika.kahola@intel.com>
(cherry picked from commit 7bed8adcd9f86231bb69bbc02f88ad89330f99e3)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190205141846.6053-1-ville.syrjala@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/i915/intel_display.c |   51 ++++++++++++++++++++++++++++++-----
 1 file changed, 45 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -15684,15 +15684,44 @@ static void intel_sanitize_crtc(struct i
 	}
 }
 
+static bool has_bogus_dpll_config(const struct intel_crtc_state *crtc_state)
+{
+	struct drm_i915_private *dev_priv = to_i915(crtc_state->base.crtc->dev);
+
+	/*
+	 * Some SNB BIOSen (eg. ASUS K53SV) are known to misprogram
+	 * the hardware when a high res displays plugged in. DPLL P
+	 * divider is zero, and the pipe timings are bonkers. We'll
+	 * try to disable everything in that case.
+	 *
+	 * FIXME would be nice to be able to sanitize this state
+	 * without several WARNs, but for now let's take the easy
+	 * road.
+	 */
+	return IS_GEN6(dev_priv) &&
+		crtc_state->base.active &&
+		crtc_state->shared_dpll &&
+		crtc_state->port_clock == 0;
+}
+
 static void intel_sanitize_encoder(struct intel_encoder *encoder)
 {
 	struct intel_connector *connector;
+	struct intel_crtc *crtc = to_intel_crtc(encoder->base.crtc);
+	struct intel_crtc_state *crtc_state = crtc ?
+		to_intel_crtc_state(crtc->base.state) : NULL;
 
 	/* We need to check both for a crtc link (meaning that the
 	 * encoder is active and trying to read from a pipe) and the
 	 * pipe itself being active. */
-	bool has_active_crtc = encoder->base.crtc &&
-		to_intel_crtc(encoder->base.crtc)->active;
+	bool has_active_crtc = crtc_state &&
+		crtc_state->base.active;
+
+	if (crtc_state && has_bogus_dpll_config(crtc_state)) {
+		DRM_DEBUG_KMS("BIOS has misprogrammed the hardware. Disabling pipe %c\n",
+			      pipe_name(crtc->pipe));
+		has_active_crtc = false;
+	}
 
 	connector = intel_encoder_find_connector(encoder);
 	if (connector && !has_active_crtc) {
@@ -15703,15 +15732,25 @@ static void intel_sanitize_encoder(struc
 		/* Connector is active, but has no active pipe. This is
 		 * fallout from our resume register restoring. Disable
 		 * the encoder manually again. */
-		if (encoder->base.crtc) {
-			struct drm_crtc_state *crtc_state = encoder->base.crtc->state;
+		if (crtc_state) {
+			struct drm_encoder *best_encoder;
 
 			DRM_DEBUG_KMS("[ENCODER:%d:%s] manually disabled\n",
 				      encoder->base.base.id,
 				      encoder->base.name);
-			encoder->disable(encoder, to_intel_crtc_state(crtc_state), connector->base.state);
+
+			/* avoid oopsing in case the hooks consult best_encoder */
+			best_encoder = connector->base.state->best_encoder;
+			connector->base.state->best_encoder = &encoder->base;
+
+			if (encoder->disable)
+				encoder->disable(encoder, crtc_state,
+						 connector->base.state);
 			if (encoder->post_disable)
-				encoder->post_disable(encoder, to_intel_crtc_state(crtc_state), connector->base.state);
+				encoder->post_disable(encoder, crtc_state,
+						      connector->base.state);
+
+			connector->base.state->best_encoder = best_encoder;
 		}
 		encoder->base.crtc = NULL;
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 46/50] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 45/50] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 47/50] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Theodore Tso

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 8fdd60f2ae3682caf2a7258626abc21eb4711892 upstream.

This reverts commit ad211f3e94b314a910d4af03178a0b52a7d1ee0a.

As Jan Kara pointed out, this change was unsafe since it means we lose
the call to sync_mapping_buffers() in the nojournal case.  The
original point of the commit was avoid taking the inode mutex (since
it causes a lockdep warning in generic/113); but we need the mutex in
order to call sync_mapping_buffers().

The real fix to this problem was discussed here:

https://lore.kernel.org/lkml/20181025150540.259281-4-bvanassche@acm.org

The proposed patch was to fix a syzbot complaint, but the problem can
also demonstrated via "kvm-xfstests -c nojournal generic/113".
Multiple solutions were discused in the e-mail thread, but none have
landed in the kernel as of this writing.  Anyway, commit
ad211f3e94b314 is absolutely the wrong way to suppress the lockdep, so
revert it.

Fixes: ad211f3e94b314a910d4af03178a0b52a7d1ee0a ("ext4: use ext4_write_inode() when fsyncing w/o a journal")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/fsync.c |   13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

--- a/fs/ext4/fsync.c
+++ b/fs/ext4/fsync.c
@@ -116,16 +116,8 @@ int ext4_sync_file(struct file *file, lo
 		goto out;
 	}
 
-	ret = file_write_and_wait_range(file, start, end);
-	if (ret)
-		return ret;
-
 	if (!journal) {
-		struct writeback_control wbc = {
-			.sync_mode = WB_SYNC_ALL
-		};
-
-		ret = ext4_write_inode(inode, &wbc);
+		ret = __generic_file_fsync(file, start, end, datasync);
 		if (!ret)
 			ret = ext4_sync_parent(inode);
 		if (test_opt(inode->i_sb, BARRIER))
@@ -133,6 +125,9 @@ int ext4_sync_file(struct file *file, lo
 		goto out;
 	}
 
+	ret = file_write_and_wait_range(file, start, end);
+	if (ret)
+		return ret;
 	/*
 	 * data=writeback,ordered:
 	 *  The caller's filemap_fdatawrite()/wait will sync the data.



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 47/50] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 46/50] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal" Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 48/50] xfrm: refine validation of template and selector families Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+acdeb633f6211ccdf886,
	Ilya Dryomov, Myungho Jung

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 4aac9228d16458cedcfd90c7fb37211cf3653ac3 upstream.

con_fault() can transition the connection into STANDBY right after
ceph_con_keepalive() clears STANDBY in clear_standby():

    libceph user thread               ceph-msgr worker

ceph_con_keepalive()
  mutex_lock(&con->mutex)
  clear_standby(con)
  mutex_unlock(&con->mutex)
                                mutex_lock(&con->mutex)
                                con_fault()
                                  ...
                                  if KEEPALIVE_PENDING isn't set
                                    set state to STANDBY
                                  ...
                                mutex_unlock(&con->mutex)
  set KEEPALIVE_PENDING
  set WRITE_PENDING

This triggers warnings in clear_standby() when either ceph_con_send()
or ceph_con_keepalive() get to clearing STANDBY next time.

I don't see a reason to condition queue_con() call on the previous
value of KEEPALIVE_PENDING, so move the setting of KEEPALIVE_PENDING
into the critical section -- unlike WRITE_PENDING, KEEPALIVE_PENDING
could have been a non-atomic flag.

Reported-by: syzbot+acdeb633f6211ccdf886@syzkaller.appspotmail.com
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Tested-by: Myungho Jung <mhjungk@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/ceph/messenger.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -3219,9 +3219,10 @@ void ceph_con_keepalive(struct ceph_conn
 	dout("con_keepalive %p\n", con);
 	mutex_lock(&con->mutex);
 	clear_standby(con);
+	con_flag_set(con, CON_FLAG_KEEPALIVE_PENDING);
 	mutex_unlock(&con->mutex);
-	if (con_flag_test_and_set(con, CON_FLAG_KEEPALIVE_PENDING) == 0 &&
-	    con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0)
+
+	if (con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0)
 		queue_con(con);
 }
 EXPORT_SYMBOL(ceph_con_keepalive);



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 48/50] xfrm: refine validation of template and selector families
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 47/50] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 49/50] batman-adv: Avoid WARN on net_device without parent in netns Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, 3ntr0py1337, Daniel Borkmann,
	Florian Westphal, Steffen Klassert

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream.

The check assumes that in transport mode, the first templates family
must match the address family of the policy selector.

Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
with ipv4-in-ipv6 chain, leading to following splat:

BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
 xfrm_state_find+0x1db/0x1854
 xfrm_tmpl_resolve+0x100/0x1d0
 xfrm_resolve_and_create_bundle+0x108/0x1000 [..]

Problem is that addresses point into flowi4 struct, but xfrm_state_find
treats them as being ipv6 because it uses templ->encap_family is used
(AF_INET6 in case of reproducer) rather than family (AF_INET).

This patch inverts the logic: Enforce 'template family must match
selector' EXCEPT for tunnel and BEET mode.

In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
address pointers changed to point at the addresses found in the template,
rather than the flowi ones, so no oob read will occur.

Reported-by: 3ntr0py1337@gmail.com
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_user.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1488,10 +1488,15 @@ static int validate_tmpl(int nr, struct
 		if (!ut[i].family)
 			ut[i].family = family;
 
-		if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
-		    (ut[i].family != prev_family))
-			return -EINVAL;
-
+		switch (ut[i].mode) {
+		case XFRM_MODE_TUNNEL:
+		case XFRM_MODE_BEET:
+			break;
+		default:
+			if (ut[i].family != prev_family)
+				return -EINVAL;
+			break;
+		}
 		if (ut[i].mode >= XFRM_MODE_MAX)
 			return -EINVAL;
 



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 49/50] batman-adv: Avoid WARN on net_device without parent in netns
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 48/50] xfrm: refine validation of template and selector families Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-13 18:38 ` [PATCH 4.20 50/50] batman-adv: Force mac header to start of data on xmit Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c764de0fcfadca9a8595,
	Dmitry Vyukov, Sven Eckelmann, Simon Wunderlich

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 955d3411a17f590364238bd0d3329b61f20c1cd2 upstream.

It is not allowed to use WARN* helpers on potential incorrect input from
the user or transient problems because systems configured as panic_on_warn
will reboot due to such a problem.

A NULL return value of __dev_get_by_index can be caused by various problems
which can either be related to the system configuration or problems
(incorrectly returned network namespaces) in other (virtual) net_device
drivers. batman-adv should not cause a (harmful) WARN in this situation and
instead only report it via a simple message.

Fixes: b7eddd0b3950 ("batman-adv: prevent using any virtual device created on batman-adv as hard-interface")
Reported-by: syzbot+c764de0fcfadca9a8595@syzkaller.appspotmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/batman-adv/hard-interface.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -20,7 +20,6 @@
 #include "main.h"
 
 #include <linux/atomic.h>
-#include <linux/bug.h>
 #include <linux/byteorder/generic.h>
 #include <linux/errno.h>
 #include <linux/gfp.h>
@@ -179,8 +178,10 @@ static bool batadv_is_on_batman_iface(co
 	parent_dev = __dev_get_by_index((struct net *)parent_net,
 					dev_get_iflink(net_dev));
 	/* if we got a NULL parent_dev there is something broken.. */
-	if (WARN(!parent_dev, "Cannot find parent device"))
+	if (!parent_dev) {
+		pr_err("Cannot find parent device\n");
 		return false;
+	}
 
 	if (batadv_mutual_parents(net_dev, net, parent_dev, parent_net))
 		return false;



^ permalink raw reply	[flat|nested] 62+ messages in thread

* [PATCH 4.20 50/50] batman-adv: Force mac header to start of data on xmit
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 49/50] batman-adv: Avoid WARN on net_device without parent in netns Greg Kroah-Hartman
@ 2019-02-13 18:38 ` Greg Kroah-Hartman
  2019-02-14 16:52 ` [PATCH 4.20 00/50] 4.20.9-stable review Dan Rue
                   ` (2 subsequent siblings)
  52 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-13 18:38 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+9d7405c7faa390e60b4e,
	syzbot+7d20bc3f1ddddc0f9079, Sven Eckelmann, Simon Wunderlich

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 9114daa825fc3f335f9bea3313ce667090187280 upstream.

The caller of ndo_start_xmit may not already have called
skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
therefore can be in the wrong position and even outside the current skbuff.
This for example happens when the user binds to the device using a
PF_PACKET-SOCK_RAW with enabled qdisc-bypass:

  int opt = 4;
  setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));

Since eth_hdr is used all over the codebase, the batadv_interface_tx
function must always take care of resetting it.

Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/batman-adv/soft-interface.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -221,6 +221,8 @@ static netdev_tx_t batadv_interface_tx(s
 
 	netif_trans_update(soft_iface);
 	vid = batadv_get_vid(skb, 0);
+
+	skb_reset_mac_header(skb);
 	ethhdr = eth_hdr(skb);
 
 	switch (ntohs(ethhdr->h_proto)) {



^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-02-13 18:38 ` [PATCH 4.20 50/50] batman-adv: Force mac header to start of data on xmit Greg Kroah-Hartman
@ 2019-02-14 16:52 ` Dan Rue
  2019-02-15  6:56   ` Greg Kroah-Hartman
  2019-02-14 21:02 ` Guenter Roeck
  2019-02-14 22:24 ` shuah
  52 siblings, 1 reply; 62+ messages in thread
From: Dan Rue @ 2019-02-14 16:52 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, shuah, patches, lkft-triage, ben.hutchings, stable,
	akpm, torvalds, linux

On Wed, Feb 13, 2019 at 07:38:05PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.20.9 release.
> There are 50 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> Anything received after that time might be too late.

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.20.9-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.20.y
git commit: f4a86d6d2a0bdead7cf98d552481367e6356ef28
git describe: v4.20.8-51-gf4a86d6d2a0b
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.20-oe/build/v4.20.8-51-gf4a86d6d2a0b

No regressions (compared to build v4.20.8)

No fixes (compared to build v4.20.8)

Ran 21515 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* boot
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* spectre-meltdown-checker-test
* ltp-fs-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-02-14 16:52 ` [PATCH 4.20 00/50] 4.20.9-stable review Dan Rue
@ 2019-02-14 21:02 ` Guenter Roeck
  2019-02-15  6:56   ` Greg Kroah-Hartman
  2019-02-14 22:24 ` shuah
  52 siblings, 1 reply; 62+ messages in thread
From: Guenter Roeck @ 2019-02-14 21:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Wed, Feb 13, 2019 at 07:38:05PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.20.9 release.
> There are 50 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> Anything received after that time might be too late.
> 

Build results:
	total: 159 pass: 159 fail: 0
Qemu test results:
	total: 343 pass: 330 fail: 13
Failed tests: 
	sh:rts7751r2dplus_defconfig:initrd 
	sh:rts7751r2dplus_defconfig:ata:rootfs 
	sh:rts7751r2dplus_defconfig:mmc:rootfs 
	sh:rts7751r2dplus_defconfig:usb:rootfs 
	sh:rts7751r2dplus_defconfig:usb-hub:rootfs 
	sh:rts7751r2dplus_defconfig:usb-ohci:rootfs 
	sh:rts7751r2dplus_defconfig:usb-ehci:rootfs 
	sh:rts7751r2dplus_defconfig:usb-xhci:rootfs 
	sh:rts7751r2dplus_defconfig:usb-uas-ehci:rootfs 
	sh:rts7751r2dplus_defconfig:usb-uas-xhci:rootfs 
	sh:rts7751r2dplus_defconfig:scsi[53C810]:rootfs 
	sh:rts7751r2dplus_defconfig:scsi[53C895A]:rootfs
	sh:rts7751r2dplus_defconfig:scsi[FUSION]:rootfs

This failure gave me a bit of trouble. It is similar to the failure observed
earlier with v4.4.y, but changing the C compiler version did not help (I
tried 8.2.0 and 5.5.0), and changing the qemu version did not help either.
Bisect points to commit 31e8a058e1f ("Revert "ext4: use ext4_write_inode()
when fsyncing w/o a journal") as the culprit. No idea why that would be
the case, but I repeated the bisect twice with the same results, and
reverting that revert indeed fixes the problem. This is weird since
one of the failing tests doesn't even mount a file system but boots
from initrd. Go figure. Bisect results are below.

Guenter

---
# bad: [f4a86d6d2a0bdead7cf98d552481367e6356ef28] Linux 4.20.9-rc1
# good: [0788acb1a3ed1589da1768ba64b1e5c76e8cb661] Linux 4.20.8
git bisect start 'HEAD' 'v4.20.8'
# good: [df6033ca3341635d8f529d6cdb6d37257df6f783] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
git bisect good df6033ca3341635d8f529d6cdb6d37257df6f783
# good: [da33f30a55d08758a63de90038344f956252ea8f] drm/rockchip: rgb: update SPDX license identifier
git bisect good da33f30a55d08758a63de90038344f956252ea8f
# good: [3ef454cd518997a8447080fb01743aaa4d4de8ae] xfrm: Make set-mark default behavior backward compatible
git bisect good 3ef454cd518997a8447080fb01743aaa4d4de8ae
# bad: [b442f17368f050887aae5d525b4dd0e146440f94] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
git bisect bad b442f17368f050887aae5d525b4dd0e146440f94
# bad: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
git bisect bad 31e8a058e1f9aa32254f64a9643853062141895a
# good: [0bc4dd12c3196b01d2123f95bb1c949e5eebe483] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen
git bisect good 0bc4dd12c3196b01d2123f95bb1c949e5eebe483
# first bad commit: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-02-14 21:02 ` Guenter Roeck
@ 2019-02-14 22:24 ` shuah
  2019-02-15  6:53   ` Greg Kroah-Hartman
  52 siblings, 1 reply; 62+ messages in thread
From: shuah @ 2019-02-14 22:24 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 2/13/19 11:38 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.20.9 release.
> There are 50 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.20.9-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.20.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-14 22:24 ` shuah
@ 2019-02-15  6:53   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-15  6:53 UTC (permalink / raw)
  To: shuah
  Cc: linux-kernel, torvalds, akpm, linux, patches, ben.hutchings,
	lkft-triage, stable

On Thu, Feb 14, 2019 at 03:24:07PM -0700, shuah wrote:
> On 2/13/19 11:38 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.20.9 release.
> > There are 50 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.20.9-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.20.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-14 21:02 ` Guenter Roeck
@ 2019-02-15  6:56   ` Greg Kroah-Hartman
  2019-02-15 17:22     ` Guenter Roeck
  0 siblings, 1 reply; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-15  6:56 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Thu, Feb 14, 2019 at 01:02:26PM -0800, Guenter Roeck wrote:
> On Wed, Feb 13, 2019 at 07:38:05PM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.20.9 release.
> > There are 50 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 159 pass: 159 fail: 0
> Qemu test results:
> 	total: 343 pass: 330 fail: 13
> Failed tests: 
> 	sh:rts7751r2dplus_defconfig:initrd 
> 	sh:rts7751r2dplus_defconfig:ata:rootfs 
> 	sh:rts7751r2dplus_defconfig:mmc:rootfs 
> 	sh:rts7751r2dplus_defconfig:usb:rootfs 
> 	sh:rts7751r2dplus_defconfig:usb-hub:rootfs 
> 	sh:rts7751r2dplus_defconfig:usb-ohci:rootfs 
> 	sh:rts7751r2dplus_defconfig:usb-ehci:rootfs 
> 	sh:rts7751r2dplus_defconfig:usb-xhci:rootfs 
> 	sh:rts7751r2dplus_defconfig:usb-uas-ehci:rootfs 
> 	sh:rts7751r2dplus_defconfig:usb-uas-xhci:rootfs 
> 	sh:rts7751r2dplus_defconfig:scsi[53C810]:rootfs 
> 	sh:rts7751r2dplus_defconfig:scsi[53C895A]:rootfs
> 	sh:rts7751r2dplus_defconfig:scsi[FUSION]:rootfs
> 
> This failure gave me a bit of trouble. It is similar to the failure observed
> earlier with v4.4.y, but changing the C compiler version did not help (I
> tried 8.2.0 and 5.5.0), and changing the qemu version did not help either.
> Bisect points to commit 31e8a058e1f ("Revert "ext4: use ext4_write_inode()
> when fsyncing w/o a journal") as the culprit. No idea why that would be
> the case, but I repeated the bisect twice with the same results, and
> reverting that revert indeed fixes the problem. This is weird since
> one of the failing tests doesn't even mount a file system but boots
> from initrd. Go figure. Bisect results are below.
> 
> Guenter
> 
> ---
> # bad: [f4a86d6d2a0bdead7cf98d552481367e6356ef28] Linux 4.20.9-rc1
> # good: [0788acb1a3ed1589da1768ba64b1e5c76e8cb661] Linux 4.20.8
> git bisect start 'HEAD' 'v4.20.8'
> # good: [df6033ca3341635d8f529d6cdb6d37257df6f783] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
> git bisect good df6033ca3341635d8f529d6cdb6d37257df6f783
> # good: [da33f30a55d08758a63de90038344f956252ea8f] drm/rockchip: rgb: update SPDX license identifier
> git bisect good da33f30a55d08758a63de90038344f956252ea8f
> # good: [3ef454cd518997a8447080fb01743aaa4d4de8ae] xfrm: Make set-mark default behavior backward compatible
> git bisect good 3ef454cd518997a8447080fb01743aaa4d4de8ae
> # bad: [b442f17368f050887aae5d525b4dd0e146440f94] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
> git bisect bad b442f17368f050887aae5d525b4dd0e146440f94
> # bad: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
> git bisect bad 31e8a058e1f9aa32254f64a9643853062141895a
> # good: [0bc4dd12c3196b01d2123f95bb1c949e5eebe483] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen
> git bisect good 0bc4dd12c3196b01d2123f95bb1c949e5eebe483
> # first bad commit: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"

That's really odd, given that this is only showing up in sh and not in
any of the other releases.  I'll blame gcc for this one :(

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-14 16:52 ` [PATCH 4.20 00/50] 4.20.9-stable review Dan Rue
@ 2019-02-15  6:56   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-15  6:56 UTC (permalink / raw)
  To: linux-kernel, shuah, patches, lkft-triage, ben.hutchings, stable,
	akpm, torvalds, linux

On Thu, Feb 14, 2019 at 10:52:42AM -0600, Dan Rue wrote:
> On Wed, Feb 13, 2019 at 07:38:05PM +0100, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.20.9 release.
> > There are 50 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> > Anything received after that time might be too late.
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Great, thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-15  6:56   ` Greg Kroah-Hartman
@ 2019-02-15 17:22     ` Guenter Roeck
  2019-02-15 20:52       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 62+ messages in thread
From: Guenter Roeck @ 2019-02-15 17:22 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Fri, Feb 15, 2019 at 07:56:22AM +0100, Greg Kroah-Hartman wrote:
> On Thu, Feb 14, 2019 at 01:02:26PM -0800, Guenter Roeck wrote:
> > On Wed, Feb 13, 2019 at 07:38:05PM +0100, Greg Kroah-Hartman wrote:
> > > This is the start of the stable review cycle for the 4.20.9 release.
> > > There are 50 patches in this series, all will be posted as a response
> > > to this one.  If anyone has any issues with these being applied, please
> > > let me know.
> > > 
> > > Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> > > Anything received after that time might be too late.
> > > 
> > 
> > Build results:
> > 	total: 159 pass: 159 fail: 0
> > Qemu test results:
> > 	total: 343 pass: 330 fail: 13
> > Failed tests: 
> > 	sh:rts7751r2dplus_defconfig:initrd 
> > 	sh:rts7751r2dplus_defconfig:ata:rootfs 
> > 	sh:rts7751r2dplus_defconfig:mmc:rootfs 
> > 	sh:rts7751r2dplus_defconfig:usb:rootfs 
> > 	sh:rts7751r2dplus_defconfig:usb-hub:rootfs 
> > 	sh:rts7751r2dplus_defconfig:usb-ohci:rootfs 
> > 	sh:rts7751r2dplus_defconfig:usb-ehci:rootfs 
> > 	sh:rts7751r2dplus_defconfig:usb-xhci:rootfs 
> > 	sh:rts7751r2dplus_defconfig:usb-uas-ehci:rootfs 
> > 	sh:rts7751r2dplus_defconfig:usb-uas-xhci:rootfs 
> > 	sh:rts7751r2dplus_defconfig:scsi[53C810]:rootfs 
> > 	sh:rts7751r2dplus_defconfig:scsi[53C895A]:rootfs
> > 	sh:rts7751r2dplus_defconfig:scsi[FUSION]:rootfs
> > 
> > This failure gave me a bit of trouble. It is similar to the failure observed
> > earlier with v4.4.y, but changing the C compiler version did not help (I
> > tried 8.2.0 and 5.5.0), and changing the qemu version did not help either.
> > Bisect points to commit 31e8a058e1f ("Revert "ext4: use ext4_write_inode()
> > when fsyncing w/o a journal") as the culprit. No idea why that would be
> > the case, but I repeated the bisect twice with the same results, and
> > reverting that revert indeed fixes the problem. This is weird since
> > one of the failing tests doesn't even mount a file system but boots
> > from initrd. Go figure. Bisect results are below.
> > 
> > Guenter
> > 
> > ---
> > # bad: [f4a86d6d2a0bdead7cf98d552481367e6356ef28] Linux 4.20.9-rc1
> > # good: [0788acb1a3ed1589da1768ba64b1e5c76e8cb661] Linux 4.20.8
> > git bisect start 'HEAD' 'v4.20.8'
> > # good: [df6033ca3341635d8f529d6cdb6d37257df6f783] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
> > git bisect good df6033ca3341635d8f529d6cdb6d37257df6f783
> > # good: [da33f30a55d08758a63de90038344f956252ea8f] drm/rockchip: rgb: update SPDX license identifier
> > git bisect good da33f30a55d08758a63de90038344f956252ea8f
> > # good: [3ef454cd518997a8447080fb01743aaa4d4de8ae] xfrm: Make set-mark default behavior backward compatible
> > git bisect good 3ef454cd518997a8447080fb01743aaa4d4de8ae
> > # bad: [b442f17368f050887aae5d525b4dd0e146440f94] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
> > git bisect bad b442f17368f050887aae5d525b4dd0e146440f94
> > # bad: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
> > git bisect bad 31e8a058e1f9aa32254f64a9643853062141895a
> > # good: [0bc4dd12c3196b01d2123f95bb1c949e5eebe483] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen
> > git bisect good 0bc4dd12c3196b01d2123f95bb1c949e5eebe483
> > # first bad commit: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
> 
> That's really odd, given that this is only showing up in sh and not in
> any of the other releases.  I'll blame gcc for this one :(
> 
I suspect it may be a code alignment issue, but who knows. The problem
is gone in v4.20.10, meaning the revert of "exec: load_script: don't
blindly truncate shebang string" "fixed" the problem as well.

Guenter

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 00/50] 4.20.9-stable review
  2019-02-15 17:22     ` Guenter Roeck
@ 2019-02-15 20:52       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-15 20:52 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Fri, Feb 15, 2019 at 09:22:21AM -0800, Guenter Roeck wrote:
> On Fri, Feb 15, 2019 at 07:56:22AM +0100, Greg Kroah-Hartman wrote:
> > On Thu, Feb 14, 2019 at 01:02:26PM -0800, Guenter Roeck wrote:
> > > On Wed, Feb 13, 2019 at 07:38:05PM +0100, Greg Kroah-Hartman wrote:
> > > > This is the start of the stable review cycle for the 4.20.9 release.
> > > > There are 50 patches in this series, all will be posted as a response
> > > > to this one.  If anyone has any issues with these being applied, please
> > > > let me know.
> > > > 
> > > > Responses should be made by Fri Feb 15 18:36:30 UTC 2019.
> > > > Anything received after that time might be too late.
> > > > 
> > > 
> > > Build results:
> > > 	total: 159 pass: 159 fail: 0
> > > Qemu test results:
> > > 	total: 343 pass: 330 fail: 13
> > > Failed tests: 
> > > 	sh:rts7751r2dplus_defconfig:initrd 
> > > 	sh:rts7751r2dplus_defconfig:ata:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:mmc:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:usb:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:usb-hub:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:usb-ohci:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:usb-ehci:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:usb-xhci:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:usb-uas-ehci:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:usb-uas-xhci:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:scsi[53C810]:rootfs 
> > > 	sh:rts7751r2dplus_defconfig:scsi[53C895A]:rootfs
> > > 	sh:rts7751r2dplus_defconfig:scsi[FUSION]:rootfs
> > > 
> > > This failure gave me a bit of trouble. It is similar to the failure observed
> > > earlier with v4.4.y, but changing the C compiler version did not help (I
> > > tried 8.2.0 and 5.5.0), and changing the qemu version did not help either.
> > > Bisect points to commit 31e8a058e1f ("Revert "ext4: use ext4_write_inode()
> > > when fsyncing w/o a journal") as the culprit. No idea why that would be
> > > the case, but I repeated the bisect twice with the same results, and
> > > reverting that revert indeed fixes the problem. This is weird since
> > > one of the failing tests doesn't even mount a file system but boots
> > > from initrd. Go figure. Bisect results are below.
> > > 
> > > Guenter
> > > 
> > > ---
> > > # bad: [f4a86d6d2a0bdead7cf98d552481367e6356ef28] Linux 4.20.9-rc1
> > > # good: [0788acb1a3ed1589da1768ba64b1e5c76e8cb661] Linux 4.20.8
> > > git bisect start 'HEAD' 'v4.20.8'
> > > # good: [df6033ca3341635d8f529d6cdb6d37257df6f783] MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
> > > git bisect good df6033ca3341635d8f529d6cdb6d37257df6f783
> > > # good: [da33f30a55d08758a63de90038344f956252ea8f] drm/rockchip: rgb: update SPDX license identifier
> > > git bisect good da33f30a55d08758a63de90038344f956252ea8f
> > > # good: [3ef454cd518997a8447080fb01743aaa4d4de8ae] xfrm: Make set-mark default behavior backward compatible
> > > git bisect good 3ef454cd518997a8447080fb01743aaa4d4de8ae
> > > # bad: [b442f17368f050887aae5d525b4dd0e146440f94] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
> > > git bisect bad b442f17368f050887aae5d525b4dd0e146440f94
> > > # bad: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
> > > git bisect bad 31e8a058e1f9aa32254f64a9643853062141895a
> > > # good: [0bc4dd12c3196b01d2123f95bb1c949e5eebe483] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen
> > > git bisect good 0bc4dd12c3196b01d2123f95bb1c949e5eebe483
> > > # first bad commit: [31e8a058e1f9aa32254f64a9643853062141895a] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
> > 
> > That's really odd, given that this is only showing up in sh and not in
> > any of the other releases.  I'll blame gcc for this one :(
> > 
> I suspect it may be a code alignment issue, but who knows. The problem
> is gone in v4.20.10, meaning the revert of "exec: load_script: don't
> blindly truncate shebang string" "fixed" the problem as well.

That's sad, and scary :(

Thanks for letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 11/50] signal: Always notice exiting tasks
  2019-02-13 18:38 ` [PATCH 4.20 11/50] signal: Always notice exiting tasks Greg Kroah-Hartman
@ 2019-02-19  6:23   ` Jiri Slaby
  2019-02-19  9:07     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 62+ messages in thread
From: Jiri Slaby @ 2019-02-19  6:23 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Dmitry Vyukov, Eric W. Biederman

On 13. 02. 19, 19:38, Greg Kroah-Hartman wrote:
> 4.20-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Eric W. Biederman <ebiederm@xmission.com>
> 
> commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
> 
> Recently syzkaller was able to create unkillablle processes by
> creating a timer that is delivered as a thread local signal on SIGHUP,
> and receiving SIGHUP SA_NODEFERER.  Ultimately causing a loop
> failing to deliver SIGHUP but always trying.
> 
> Upon examination it turns out part of the problem is actually most of
> the solution.  Since 2.5 signal delivery has found all fatal signals,
> marked the signal group for death, and queued SIGKILL in every threads
> thread queue relying on signal->group_exit_code to preserve the
> information of which was the actual fatal signal.
> 
> The conversion of all fatal signals to SIGKILL results in the
> synchronous signal heuristic in next_signal kicking in and preferring
> SIGHUP to SIGKILL.  Which is especially problematic as all
> fatal signals have already been transformed into SIGKILL.
> 
> Instead of dequeueing signals and depending upon SIGKILL to
> be the first signal dequeued, first test if the signal group
> has already been marked for death.  This guarantees that
> nothing in the signal queue can prevent a process that needs
> to exit from exiting.
> 
> Cc: stable@vger.kernel.org
> Tested-by: Dmitry Vyukov <dvyukov@google.com>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
> History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This patch breaks strace self-tests in 4.20.9. In particular,
"threads-execve":
https://github.com/strace/strace/blob/master/tests/threads-execve.c
https://github.com/strace/strace/blob/master/tests/threads-execve.test

The test received some fix a day ago, but it did not help in this case:
 https://github.com/strace/strace/commit/2a50278b9

Only a revert of the above patch helped.

I don't know if the strace's test is broken (which is quite usual in
cases like these) or the patch affects some user-visible behaviour --
e.g. could this be a reason for sh failures in the build farm?

Any ideas?

The failure is (the test output is non-unified diff: "<" lines are
expected, ">" is actual output from strace):

> FAIL: threads-execve
> ====================
> 
> 11,12c11
> < 19311 execve("../threads-execve", ["../threads-execve", "8", "2"], 0x7ffc2447c258 /* 63 vars */ <unfinished ...>
> < 19181 <... rt_sigsuspend resumed>) = ?
> ---
>> 19311 execve("../threads-execve", ["../threads-execve", "8", "2"], 0x7ffc2447c258 /* 63 vars */ <pid changed to 19181 ...>
> 17,18c16
> < 19395 execve("../threads-execve", ["../threads-execve", "8", "3"], 0x7ffdedb69ee8 /* 63 vars */ <unfinished ...>
> < 19181 <... nanosleep resumed> <unfinished ...>) = ?
> ---
>> 19395 execve("../threads-execve", ["../threads-execve", "8", "3"], 0x7ffdedb69ee8 /* 63 vars */ <pid changed to 19181 ...>
> ...
> 11,12c11
> < 22715 execve("../threads-execve", ["../threads-execve", "8", "2"], 0x7fff2ea03388 /* 63 vars */ <unfinished ...>
> < 22657 <... rt_sigsuspend resumed>) = ?
> ---
>> 22715 execve("../threads-execve", ["../threads-execve", "8", "2"], 0x7fff2ea03388 /* 63 vars */ <pid changed to 22657 ...>
> 17,18c16
> < 22764 execve("../threads-execve", ["../threads-execve", "8", "3"], 0x7ffc5ea29658 /* 63 vars */ <unfinished ...>
> < 22657 <... nanosleep resumed> <unfinished ...>) = ?
> ---
>> 22764 execve("../threads-execve", ["../threads-execve", "8", "3"], 0x7ffc5ea29658 /* 63 vars */ <pid changed to 22657 ...>
> threads-execve.test: failed test: ../../strace -a21 -f -esignal=none -e trace=execve,exit,nanosleep,rt_sigsuspend ../threads-execve output mismatch


> ---
>  kernel/signal.c |    6 ++++++
>  1 file changed, 6 insertions(+)
> 
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -2393,6 +2393,11 @@ relock:
>  		goto relock;
>  	}
>  
> +	/* Has this task already been marked for death? */
> +	ksig->info.si_signo = signr = SIGKILL;
> +	if (signal_group_exit(signal))
> +		goto fatal;
> +
>  	for (;;) {
>  		struct k_sigaction *ka;
>  
> @@ -2488,6 +2493,7 @@ relock:
>  			continue;
>  		}
>  
> +	fatal:
>  		spin_unlock_irq(&sighand->siglock);
>  
>  		/*
> 
> 


-- 
js

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 11/50] signal: Always notice exiting tasks
  2019-02-19  6:23   ` Jiri Slaby
@ 2019-02-19  9:07     ` Greg Kroah-Hartman
  2019-02-24 18:25       ` Jiri Slaby
  0 siblings, 1 reply; 62+ messages in thread
From: Greg Kroah-Hartman @ 2019-02-19  9:07 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: linux-kernel, stable, Dmitry Vyukov, Eric W. Biederman

On Tue, Feb 19, 2019 at 07:23:41AM +0100, Jiri Slaby wrote:
> On 13. 02. 19, 19:38, Greg Kroah-Hartman wrote:
> > 4.20-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Eric W. Biederman <ebiederm@xmission.com>
> > 
> > commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
> > 
> > Recently syzkaller was able to create unkillablle processes by
> > creating a timer that is delivered as a thread local signal on SIGHUP,
> > and receiving SIGHUP SA_NODEFERER.  Ultimately causing a loop
> > failing to deliver SIGHUP but always trying.
> > 
> > Upon examination it turns out part of the problem is actually most of
> > the solution.  Since 2.5 signal delivery has found all fatal signals,
> > marked the signal group for death, and queued SIGKILL in every threads
> > thread queue relying on signal->group_exit_code to preserve the
> > information of which was the actual fatal signal.
> > 
> > The conversion of all fatal signals to SIGKILL results in the
> > synchronous signal heuristic in next_signal kicking in and preferring
> > SIGHUP to SIGKILL.  Which is especially problematic as all
> > fatal signals have already been transformed into SIGKILL.
> > 
> > Instead of dequeueing signals and depending upon SIGKILL to
> > be the first signal dequeued, first test if the signal group
> > has already been marked for death.  This guarantees that
> > nothing in the signal queue can prevent a process that needs
> > to exit from exiting.
> > 
> > Cc: stable@vger.kernel.org
> > Tested-by: Dmitry Vyukov <dvyukov@google.com>
> > Reported-by: Dmitry Vyukov <dvyukov@google.com>
> > Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
> > History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
> > Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> This patch breaks strace self-tests in 4.20.9. In particular,
> "threads-execve":
> https://github.com/strace/strace/blob/master/tests/threads-execve.c
> https://github.com/strace/strace/blob/master/tests/threads-execve.test
> 
> The test received some fix a day ago, but it did not help in this case:
>  https://github.com/strace/strace/commit/2a50278b9
> 
> Only a revert of the above patch helped.
> 
> I don't know if the strace's test is broken (which is quite usual in
> cases like these) or the patch affects some user-visible behaviour --
> e.g. could this be a reason for sh failures in the build farm?
> 
> Any ideas?

Does cf43a757fd49 ("signal: Restore the stop PTRACE_EVENT_EXIT") help
with this?  It's queued up for the next round of stable releases and is
in Linus's tree.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 62+ messages in thread

* Re: [PATCH 4.20 11/50] signal: Always notice exiting tasks
  2019-02-19  9:07     ` Greg Kroah-Hartman
@ 2019-02-24 18:25       ` Jiri Slaby
  0 siblings, 0 replies; 62+ messages in thread
From: Jiri Slaby @ 2019-02-24 18:25 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Dmitry Vyukov, Eric W. Biederman

On 19. 02. 19, 10:07, Greg Kroah-Hartman wrote:
> On Tue, Feb 19, 2019 at 07:23:41AM +0100, Jiri Slaby wrote:
>> On 13. 02. 19, 19:38, Greg Kroah-Hartman wrote:
>>> 4.20-stable review patch.  If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Eric W. Biederman <ebiederm@xmission.com>
>>>
>>> commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
>>>
>>> Recently syzkaller was able to create unkillablle processes by
>>> creating a timer that is delivered as a thread local signal on SIGHUP,
>>> and receiving SIGHUP SA_NODEFERER.  Ultimately causing a loop
>>> failing to deliver SIGHUP but always trying.
>>>
>>> Upon examination it turns out part of the problem is actually most of
>>> the solution.  Since 2.5 signal delivery has found all fatal signals,
>>> marked the signal group for death, and queued SIGKILL in every threads
>>> thread queue relying on signal->group_exit_code to preserve the
>>> information of which was the actual fatal signal.
>>>
>>> The conversion of all fatal signals to SIGKILL results in the
>>> synchronous signal heuristic in next_signal kicking in and preferring
>>> SIGHUP to SIGKILL.  Which is especially problematic as all
>>> fatal signals have already been transformed into SIGKILL.
>>>
>>> Instead of dequeueing signals and depending upon SIGKILL to
>>> be the first signal dequeued, first test if the signal group
>>> has already been marked for death.  This guarantees that
>>> nothing in the signal queue can prevent a process that needs
>>> to exit from exiting.
>>>
>>> Cc: stable@vger.kernel.org
>>> Tested-by: Dmitry Vyukov <dvyukov@google.com>
>>> Reported-by: Dmitry Vyukov <dvyukov@google.com>
>>> Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
>>> History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
>>> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
>>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>> This patch breaks strace self-tests in 4.20.9. In particular,
>> "threads-execve":
>> https://github.com/strace/strace/blob/master/tests/threads-execve.c
>> https://github.com/strace/strace/blob/master/tests/threads-execve.test
>>
>> The test received some fix a day ago, but it did not help in this case:
>>  https://github.com/strace/strace/commit/2a50278b9
>>
>> Only a revert of the above patch helped.
>>
>> I don't know if the strace's test is broken (which is quite usual in
>> cases like these) or the patch affects some user-visible behaviour --
>> e.g. could this be a reason for sh failures in the build farm?
>>
>> Any ideas?
> 
> Does cf43a757fd49 ("signal: Restore the stop PTRACE_EVENT_EXIT") help
> with this?  It's queued up for the next round of stable releases and is
> in Linus's tree.

Yes, confirmed.

thanks,
-- 
js

^ permalink raw reply	[flat|nested] 62+ messages in thread

end of thread, other threads:[~2019-02-24 18:25 UTC | newest]

Thread overview: 62+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-13 18:38 [PATCH 4.20 00/50] 4.20.9-stable review Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 01/50] mtd: Make sure mtd->erasesize is valid even if the partition is of size 0 Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 02/50] mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 03/50] mtd: spinand: Fix the error/cleanup path in spinand_init() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 04/50] mtd: rawnand: gpmi: fix MX28 bus master lockup problem Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 05/50] libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 06/50] tools: iio: iio_generic_buffer: make num_loops signed Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 07/50] iio: adc: axp288: Fix TS-pin handling Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 08/50] iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 09/50] iio: ti-ads8688: Update buffer allocation for timestamps Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 10/50] signal: Always attempt to allocate siginfo for SIGSTOP Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 11/50] signal: Always notice exiting tasks Greg Kroah-Hartman
2019-02-19  6:23   ` Jiri Slaby
2019-02-19  9:07     ` Greg Kroah-Hartman
2019-02-24 18:25       ` Jiri Slaby
2019-02-13 18:38 ` [PATCH 4.20 12/50] signal: Better detection of synchronous signals Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 13/50] misc: vexpress: Off by one in vexpress_syscfg_exec() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 14/50] cfg80211: call disconnect_wk when AP stops Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 15/50] mei: me: add ice lake point device id Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 16/50] samples: mei: use /dev/mei0 instead of /dev/mei Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 17/50] debugfs: fix debugfs_rename parameter checking Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 18/50] svcrdma: Remove max_sge check at connect time Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 19/50] pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 20/50] pinctrl: cherryview: fix Strago DMI workaround Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 21/50] tracing/uprobes: Fix output for multiple string arguments Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 22/50] tracing: uprobes: Fix typo in pr_fmt string Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 23/50] mips: cm: reprime error cause Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 24/50] MIPS: Use lower case for addresses in nexys4ddr.dts Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 25/50] MIPS: OCTEON: dont set octeon_dma_bar_type if PCI is disabled Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 26/50] MIPS: VDSO: Use same -m%-float cflag as the kernel proper Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 27/50] mips: loongson64: remove unreachable(), fix loongson_poweroff() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 28/50] MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 29/50] ARM: iop32x/n2100: fix PCI IRQ mapping Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 30/50] ARM: tango: Improve ARCH_MULTIPLATFORM compatibility Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 31/50] ARM: dts: da850: fix interrupt numbers for clocksource Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 32/50] firmware: arm_scmi: provide the mandatory device release callback Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 33/50] powerpc/papr_scm: Use the correct bind address Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 34/50] powerpc/radix: Fix kernel crash with mremap() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 35/50] mic: vop: Fix use-after-free on remove Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 36/50] mac80211: ensure that mgmt tx skbs have tailroom for encryption Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 37/50] drm/modes: Prevent division by zero htotal Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 38/50] drm/rockchip: rgb: update SPDX license identifier Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 39/50] drm/amd/powerplay: Fix missing break in switch Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 40/50] drm/i915: always return something on DDI clock selection Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 41/50] drm/vmwgfx: Fix setting of dma masks Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 42/50] drm/vmwgfx: Fix an uninitialized fence handle value Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 43/50] drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 44/50] xfrm: Make set-mark default behavior backward compatible Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 45/50] drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 46/50] Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal" Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 47/50] libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 48/50] xfrm: refine validation of template and selector families Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 49/50] batman-adv: Avoid WARN on net_device without parent in netns Greg Kroah-Hartman
2019-02-13 18:38 ` [PATCH 4.20 50/50] batman-adv: Force mac header to start of data on xmit Greg Kroah-Hartman
2019-02-14 16:52 ` [PATCH 4.20 00/50] 4.20.9-stable review Dan Rue
2019-02-15  6:56   ` Greg Kroah-Hartman
2019-02-14 21:02 ` Guenter Roeck
2019-02-15  6:56   ` Greg Kroah-Hartman
2019-02-15 17:22     ` Guenter Roeck
2019-02-15 20:52       ` Greg Kroah-Hartman
2019-02-14 22:24 ` shuah
2019-02-15  6:53   ` Greg Kroah-Hartman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.