* [PATCH 5.0 000/115] 5.0.10-stable review
@ 2019-04-24 17:08 Greg Kroah-Hartman
  2019-04-24 17:08 ` [PATCH 5.0 001/115] bonding: fix event handling for stacked bonds Greg Kroah-Hartman
                   ` (118 more replies)
  0 siblings, 119 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:08 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 5.0.10 release.
There are 115 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.10-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.0.10-rc1

Matteo Croce <mcroce@redhat.com>
    percpu: stop printing kernel addresses

Takashi Iwai <tiwai@suse.de>
    ALSA: info: Fix racy addition/deletion of nodes

Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n

zhong jiang <zhongjiang@huawei.com>
    mm/memory_hotplug: do not unlock after failing to take the device_hotplug_lock

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    perf/ring_buffer: Fix AUX record suppression

Jann Horn <jannh@google.com>
    device_cgroup: fix RCU imbalance in error case

Stanislaw Gruszka <sgruszka@redhat.com>
    mt76x02: avoid status_list.lock and sta->rate_ctrl_lock dependency

Tadeusz Struk <tadeusz.struk@intel.com>
    tpm: fix an invalid condition in tpm_common_poll

Phil Auld <pauld@redhat.com>
    sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup

Matthias Kaehlcke <mka@chromium.org>
    Revert "kbuild: use -Oz instead of -Os when using clang"

Yue Haibing <yuehaibing@huawei.com>
    tpm: Fix the type of the return value in calc_tpm2_event_size()

Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete

Dan Williams <dan.j.williams@intel.com>
    nfit/ars: Avoid stale ARS results

Dan Williams <dan.j.williams@intel.com>
    nfit/ars: Allow root to busy-poll the ARS state machine

Dan Williams <dan.j.williams@intel.com>
    nfit/ars: Introduce scrub_flags

Dan Williams <dan.j.williams@intel.com>
    nfit/ars: Remove ars_start_flags

Chang-An Chen <chang-an.chen@mediatek.com>
    timers/sched_clock: Prevent generic sched_clock wrap caused by tick_freeze()

Thomas Gleixner <tglx@linutronix.de>
    x86/speculation: Prevent deadlock on ssb_state::lock

Kan Liang <kan.liang@linux.intel.com>
    perf/x86: Fix incorrect PEBS_REGS

Andi Kleen <ak@linux.intel.com>
    x86/cpu/bugs: Use __initconst for 'const' init data

Kim Phillips <kim.phillips@amd.com>
    perf/x86/amd: Add event map for AMD Family 17h

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming

Joe Perches <joe@perches.com>
    s390/mem_detect: Use IS_ENABLED(CONFIG_BLK_DEV_INITRD)

Felix Fietkau <nbd@nbd.name>
    mac80211: do not call driver wake_tx_queue op during reconfig

Vijayakumar Durai <vijayakumar.durai1@vivint.com>
    rt2x00: do not increment sequence number while re-transmitting

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Fix error check when reusing optimized probes

Masami Hiramatsu <mhiramat@kernel.org>
    x86/kprobes: Avoid kretprobe recursion bug

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Mark ftrace mcount handler functions nokprobe

Masami Hiramatsu <mhiramat@kernel.org>
    x86/kprobes: Verify stack frame on kretprobe

Nathan Chancellor <natechancellor@gmail.com>
    arm64: futex: Restore oldval initialization to work around buggy compilers

Christian König <christian.koenig@amd.com>
    drm/ttm: fix out-of-bounds read in ttm_put_pages() v2

Eric Biggers <ebiggers@google.com>
    crypto: x86/poly1305 - fix overflow during partial reduction

Corey Minyard <cminyard@mvista.com>
    ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier

WANG Chao <chao.wang@ucloud.cn>
    x86/kvm: move kvm_load/put_guest_xcr0 into atomic context

Andrea Arcangeli <aarcange@redhat.com>
    coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping

Suthikulpanit, Suravee <Suravee.Suthikulpanit@amd.com>
    Revert "svm: Fix AVIC incomplete IPI emulation"

Vitor Soares <vitor.soares@synopsys.com>
    i3c: Fix the verification of random PID

Vitor Soares <vitor.soares@synopsys.com>
    i3c: dw: Fix dw_i3c_master_disable controller by using correct mask

Saurav Kashyap <skashyap@marvell.com>
    Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO"

Jaesoo Lee <jalee@purestorage.com>
    scsi: core: set result when the command cannot be dispatched

Mikulas Patocka <mpatocka@redhat.com>
    vt: fix cursor when clearing the screen

Geert Uytterhoeven <geert+renesas@glider.be>
    serial: sh-sci: Fix HSCIF RX sampling point calculation

Geert Uytterhoeven <geert+renesas@glider.be>
    serial: sh-sci: Fix HSCIF RX sampling point adjustment

KT Liao <kt.liao@emc.com.tw>
    Input: elan_i2c - add hardware ID for multiple Lenovo laptops

Takashi Iwai <tiwai@suse.de>
    ALSA: core: Fix card races between register and disconnect

Hui Wang <hui.wang@canonical.com>
    ALSA: hda/realtek - add two more pin configuration sets to quirk table

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: ni_usb6501: Fix use of uninitialized mutex

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf

Ian Abbott <abbotti@mev.co.uk>
    staging: comedi: vmk80xx: Fix use of uninitialized semaphore

Christian Gromm <christian.gromm@microchip.com>
    staging: most: core: use device description as name

he, bo <bo.he@intel.com>
    io: accel: kxcjk1013: restore the range after resume.

Fabrice Gasnier <fabrice.gasnier@st.com>
    iio: core: fix a possible circular locking dependency

Georg Ottinger <g.ottinger@abatec.at>
    iio: adc: at91: disable adc channel interrupt in timeout case

Lars-Peter Clausen <lars@metafoo.de>
    iio: Fix scan mask selection

Jean-Francois Dagenais <jeff.dagenais@gmail.com>
    iio: dac: mcp4725: add missing powerdown bits in store eeprom

Dragos Bogdan <dragos.bogdan@analog.com>
    iio: ad_sigma_delta: select channel when reading register

Gwendal Grignou <gwendal@chromium.org>
    iio: cros_ec: Fix the maths for gyro scale calculation

Mike Looijmans <mike.looijmans@topic.nl>
    iio:chemical:bme680: Fix SPI read interface

Mike Looijmans <mike.looijmans@topic.nl>
    iio:chemical:bme680: Fix, report temperature in millidegrees

Mike Looijmans <mike.looijmans@topic.nl>
    iio/gyro/bmg160: Use millidegrees for temperature scale

Sergey Larin <cerg2010cerg2010@mail.ru>
    iio: gyro: mpu3050: fix chip ID reading

Mircea Caprioru <mircea.caprioru@analog.com>
    staging: iio: ad7192: Fix ad7193 channel address

Leonard Pollak <leonardp@tr-host.de>
    Staging: iio: meter: fixed typo

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: svm: make sure NMI is injected after nmi_singlestep

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: x86: Don't clear EFER during SMM transitions for 32-bit vCPU

Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    fs/dax: Deposit pagetable even when installing zero page

Ronnie Sahlberg <lsahlber@redhat.com>
    cifs: fix handle leak in smb2_query_symlink()

ZhangXiaoxu <zhangxiaoxu5@huawei.com>
    cifs: Fix use-after-free in SMB2_read

ZhangXiaoxu <zhangxiaoxu5@huawei.com>
    cifs: Fix use-after-free in SMB2_write

ZhangXiaoxu <zhangxiaoxu5@huawei.com>
    cifs: Fix lease buffer length error

Aurelien Aptel <aaptel@suse.com>
    CIFS: keep FileInfo handle live during oplock break

Toke Høiland-Jørgensen <toke@redhat.com>
    sch_cake: Simplify logic in cake_select_tin()

Dan Carpenter <dan.carpenter@oracle.com>
    nfc: nci: Potential off by one in ->pipes[] array

Dan Carpenter <dan.carpenter@oracle.com>
    NFC: nci: Add some bounds checking in nci_hci_cmd_received()

Toke Høiland-Jørgensen <toke@redhat.com>
    sch_cake: Make sure we can write the IP header before changing DSCP bits

Toke Høiland-Jørgensen <toke@redhat.com>
    sch_cake: Use tc_skb_protocol() helper for getting packet protocol

Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
    nfp: flower: remove vlan CFI bit from push vlan action

Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
    nfp: flower: replace CFI with vlan present

Jonathan Lemon <jonathan.lemon@gmail.com>
    route: Avoid crash from dereferencing NULL rt->from

Saeed Mahameed <saeedm@mellanox.com>
    net/mlx5: FPGA, tls, idr remove on flow delete

Jakub Kicinski <jakub.kicinski@netronome.com>
    net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()

Saeed Mahameed <saeedm@mellanox.com>
    net/mlx5: FPGA, tls, hold rcu read lock a bit longer

Or Gerlitz <ogerlitz@mellanox.com>
    Revert "net/mlx5e: Enable reporting checksum unnecessary also for L3 packets"

Saeed Mahameed <saeedm@mellanox.com>
    net/mlx5e: Rx, Check ip headers sanity

Saeed Mahameed <saeedm@mellanox.com>
    net/mlx5e: Rx, Fixup skb checksum for packets with tail padding

Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    net/mlx5e: Switch to Toeplitz RSS hash by default

Dmytro Linkin <dmitrolin@mellanox.com>
    net/mlx5e: Protect against non-uplink representor for encap

Saeed Mahameed <saeedm@mellanox.com>
    net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded

Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    net: bridge: fix netlink export of vlan_stats_per_port option

Jakub Kicinski <jakub.kicinski@netronome.com>
    net/tls: fix build without CONFIG_TLS_DEVICE

Jakub Kicinski <jakub.kicinski@netronome.com>
    net: strparser: partially revert "strparser: Call skb_unclone conditionally"

Jakub Kicinski <jakub.kicinski@netronome.com>
    net/tls: don't leak partially sent record in device mode

Jakub Kicinski <jakub.kicinski@netronome.com>
    net/tls: fix the IV leaks

Matteo Croce <mcroce@redhat.com>
    net: thunderx: don't allow jumbo frames with XDP

Matteo Croce <mcroce@redhat.com>
    net: thunderx: raise XDP MTU to 1508

Ido Schimmel <idosch@mellanox.com>
    mlxsw: spectrum_router: Do not check VRF MAC address

Ido Schimmel <idosch@mellanox.com>
    mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue

Ido Schimmel <idosch@mellanox.com>
    mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue

Ido Schimmel <idosch@mellanox.com>
    mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue

Ido Schimmel <idosch@mellanox.com>
    mlxsw: spectrum_switchdev: Add MDB entries in prepare phase

Eric Dumazet <edumazet@google.com>
    ipv4: ensure rcu_read_lock() in ipv4_link_failure()

Stephen Suryaputra <ssuryaextr@gmail.com>
    ipv4: recompile ip options in ipv4_link_failure

Jason Wang <jasowang@redhat.com>
    vhost: reject zero size iova range

Hoang Le <hoang.h.le@dektech.com.au>
    tipc: missing entries in name table of publications

Hangbin Liu <liuhangbin@gmail.com>
    team: set slave to promisc if team is already in promisc mode

Eric Dumazet <edumazet@google.com>
    tcp: tcp_grow_window() needs to respect tcp_space()

Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
    net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv

Yuya Kusakabe <yuya.kusakabe@gmail.com>
    net: Fix missing meta data in skb with vlan packet

Andy Duan <fugang.duan@nxp.com>
    net: fec: manage ahb clock in runtime pm

Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    net: bridge: multicast: use rcu to access port list from br_multicast_start_querier

Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    net: bridge: fix per-port af_packet sockets

Gustavo A. R. Silva <gustavo@embeddedor.com>
    net: atm: Fix potential Spectre v1 vulnerabilities

Si-Wei Liu <si-wei.liu@oracle.com>
    failover: allow name change on IFF_UP slave interfaces

Sabrina Dubroca <sd@queasysnail.net>
    bonding: fix event handling for stacked bonds


-------------

Diffstat:

 Makefile                                           |   7 +-
 arch/arm64/include/asm/futex.h                     |   2 +-
 arch/s390/boot/mem_detect.c                        |   2 +-
 arch/x86/crypto/poly1305-avx2-x86_64.S             |  14 ++-
 arch/x86/crypto/poly1305-sse2-x86_64.S             |  22 ++--
 arch/x86/events/amd/core.c                         |  35 +++++--
 arch/x86/events/intel/core.c                       |   2 +-
 arch/x86/events/perf_event.h                       |  38 +++----
 arch/x86/kernel/cpu/bugs.c                         |   6 +-
 arch/x86/kernel/kprobes/core.c                     |  48 ++++++++-
 arch/x86/kernel/process.c                          |   8 +-
 arch/x86/kvm/emulate.c                             |  21 ++--
 arch/x86/kvm/svm.c                                 |  24 ++++-
 arch/x86/kvm/vmx/vmx.c                             |   4 +
 arch/x86/kvm/x86.c                                 |  10 +-
 arch/x86/kvm/x86.h                                 |   2 +
 crypto/testmgr.h                                   |  44 +++++++-
 drivers/acpi/nfit/core.c                           |  63 +++++++----
 drivers/acpi/nfit/nfit.h                           |  11 +-
 drivers/base/memory.c                              |   2 +-
 drivers/char/ipmi/ipmi_msghandler.c                |  19 +++-
 drivers/char/tpm/eventlog/tpm2.c                   |   4 +-
 drivers/char/tpm/tpm-dev-common.c                  |   9 +-
 drivers/char/tpm/tpm_i2c_atmel.c                   |   4 +
 drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c            |   1 +
 drivers/gpu/drm/ttm/ttm_page_alloc.c               |   5 +-
 drivers/i3c/master.c                               |   5 +-
 drivers/i3c/master/dw-i3c-master.c                 |   2 +-
 drivers/iio/accel/kxcjk-1013.c                     |   2 +
 drivers/iio/adc/ad_sigma_delta.c                   |   1 +
 drivers/iio/adc/at91_adc.c                         |  28 +++--
 drivers/iio/chemical/bme680.h                      |   6 +-
 drivers/iio/chemical/bme680_core.c                 |  54 ++++++++--
 drivers/iio/chemical/bme680_i2c.c                  |  21 ----
 drivers/iio/chemical/bme680_spi.c                  | 115 ++++++++++++++-------
 .../iio/common/cros_ec_sensors/cros_ec_sensors.c   |   7 +-
 drivers/iio/dac/mcp4725.c                          |   1 +
 drivers/iio/gyro/bmg160_core.c                     |   6 +-
 drivers/iio/gyro/mpu3050-core.c                    |   8 +-
 drivers/iio/industrialio-buffer.c                  |   5 +-
 drivers/iio/industrialio-core.c                    |   4 +-
 drivers/infiniband/core/uverbs_main.c              |   3 +
 drivers/input/mouse/elan_i2c_core.c                |  25 +++++
 drivers/net/bonding/bond_main.c                    |   6 +-
 drivers/net/ethernet/cavium/thunder/nicvf_main.c   |  22 +++-
 drivers/net/ethernet/freescale/fec_main.c          |  30 ++++--
 .../net/ethernet/mellanox/mlx5/core/en/tc_tun.c    |   4 +
 .../net/ethernet/mellanox/mlx5/core/en_ethtool.c   |   3 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |   8 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c    |  94 +++++++++++++----
 drivers/net/ethernet/mellanox/mlx5/core/en_stats.c |   6 ++
 drivers/net/ethernet/mellanox/mlx5/core/en_stats.h |   4 +
 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c |  61 +++++------
 drivers/net/ethernet/mellanox/mlxsw/core.c         |   6 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_router.c  |   2 +-
 .../ethernet/mellanox/mlxsw/spectrum_switchdev.c   |   2 +-
 drivers/net/ethernet/netronome/nfp/flower/action.c |   3 +-
 drivers/net/ethernet/netronome/nfp/flower/cmsg.h   |   3 +-
 drivers/net/ethernet/netronome/nfp/flower/match.c  |  14 ++-
 drivers/net/team/team.c                            |  26 +++++
 drivers/net/wireless/mediatek/mt76/mt76x02_mac.c   |  14 +--
 drivers/net/wireless/ralink/rt2x00/rt2x00.h        |   1 -
 drivers/net/wireless/ralink/rt2x00/rt2x00mac.c     |  10 --
 drivers/net/wireless/ralink/rt2x00/rt2x00queue.c   |  15 +--
 drivers/scsi/libfc/fc_rport.c                      |   1 -
 drivers/scsi/scsi_lib.c                            |   6 +-
 drivers/staging/comedi/drivers/ni_usb6501.c        |  10 +-
 drivers/staging/comedi/drivers/vmk80xx.c           |   8 +-
 drivers/staging/iio/adc/ad7192.c                   |   8 +-
 drivers/staging/iio/meter/ade7854.c                |   2 +-
 drivers/staging/most/core.c                        |   2 +-
 drivers/tty/serial/sh-sci.c                        |   6 +-
 drivers/tty/vt/vt.c                                |   3 +-
 drivers/vhost/vhost.c                              |   6 +-
 fs/cifs/cifsglob.h                                 |   2 +
 fs/cifs/file.c                                     |  30 +++++-
 fs/cifs/misc.c                                     |  25 ++++-
 fs/cifs/smb2misc.c                                 |   6 +-
 fs/cifs/smb2ops.c                                  |   2 +
 fs/cifs/smb2pdu.c                                  |  11 +-
 fs/dax.c                                           |  15 +++
 fs/proc/task_mmu.c                                 |  18 ++++
 fs/userfaultfd.c                                   |   9 ++
 include/linux/kprobes.h                            |   1 +
 include/linux/netdevice.h                          |   3 +
 include/linux/sched/mm.h                           |  21 ++++
 include/net/nfc/nci_core.h                         |   2 +-
 include/net/tls.h                                  |   4 +-
 kernel/events/ring_buffer.c                        |  33 +++---
 kernel/kprobes.c                                   |   6 +-
 kernel/sched/fair.c                                |  25 +++++
 kernel/time/sched_clock.c                          |   4 +-
 kernel/time/tick-common.c                          |   2 +
 kernel/time/timekeeping.h                          |   7 ++
 kernel/trace/ftrace.c                              |   6 +-
 mm/mmap.c                                          |   7 +-
 mm/percpu.c                                        |   8 +-
 mm/vmstat.c                                        |   5 -
 net/atm/lec.c                                      |   6 +-
 net/bridge/br_input.c                              |  23 +++--
 net/bridge/br_multicast.c                          |   4 +-
 net/bridge/br_netlink.c                            |   2 +-
 net/core/dev.c                                     |  16 ++-
 net/core/failover.c                                |   6 +-
 net/core/skbuff.c                                  |  10 +-
 net/ipv4/fou.c                                     |   4 +-
 net/ipv4/route.c                                   |  16 ++-
 net/ipv4/tcp_input.c                               |  10 +-
 net/ipv6/route.c                                   |   4 +
 net/mac80211/driver-ops.h                          |   3 +
 net/nfc/nci/hci.c                                  |   8 ++
 net/sched/sch_cake.c                               |  57 +++++-----
 net/strparser/strparser.c                          |  12 +--
 net/tipc/name_table.c                              |   3 +-
 net/tls/tls_device.c                               |  12 ++-
 net/tls/tls_main.c                                 |  24 +++++
 net/tls/tls_sw.c                                   |  15 +--
 security/device_cgroup.c                           |   2 +-
 sound/core/info.c                                  |  12 ++-
 sound/core/init.c                                  |  18 ++--
 sound/pci/hda/patch_realtek.c                      |   6 ++
 121 files changed, 1134 insertions(+), 477 deletions(-)




* [PATCH 5.0 001/115] bonding: fix event handling for stacked bonds
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
@ 2019-04-24 17:08 ` Greg Kroah-Hartman
  2019-04-24 17:08 ` [PATCH 5.0 002/115] failover: allow name change on IFF_UP slave interfaces Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:08 UTC
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sabrina Dubroca, David S. Miller

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ]

When a bond is enslaved to another bond, bond_netdev_event() only
handles the event as if the bond is a master, and skips treating the
bond as a slave.

This leads to a refcount leak on the slave, since we don't remove the
adjacency to its master and the master holds a reference on the slave.

Reproducer:
  ip link add bondL type bond
  ip link add bondU type bond
  ip link set bondL master bondU
  ip link del bondL

No "Fixes:" tag, this code is older than git history.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_main.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3214,8 +3214,12 @@ static int bond_netdev_event(struct noti
 		return NOTIFY_DONE;
 
 	if (event_dev->flags & IFF_MASTER) {
+		int ret;
+
 		netdev_dbg(event_dev, "IFF_MASTER\n");
-		return bond_master_netdev_event(event, event_dev);
+		ret = bond_master_netdev_event(event, event_dev);
+		if (ret != NOTIFY_DONE)
+			return ret;
 	}
 
 	if (event_dev->flags & IFF_SLAVE) {
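
Review bot: in the IFF_MASTER branch, the early `return ret` still skips the IFF_SLAVE handling below whenever bond_master_netdev_event() returns anything other than NOTIFY_DONE, so the stacked-bond fix depends on the master handler returning NOTIFY_DONE for the events whose slave-side cleanup matters. A short comment above `if (ret != NOTIFY_DONE)` saying that the fall-through is intentional for a device that is both master and slave would keep a later cleanup from collapsing this back into a direct return and reintroducing the refcount leak described in the commit message.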




* [PATCH 5.0 002/115] failover: allow name change on IFF_UP slave interfaces
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
  2019-04-24 17:08 ` [PATCH 5.0 001/115] bonding: fix event handling for stacked bonds Greg Kroah-Hartman
@ 2019-04-24 17:08 ` Greg Kroah-Hartman
  2019-04-24 17:08 ` [PATCH 5.0 003/115] net: atm: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:08 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Si-Wei Liu, Liran Alon,
	Sridhar Samudrala, David S. Miller

From: Si-Wei Liu <si-wei.liu@oracle.com>

[ Upstream commit 8065a779f17e94536a1c4dcee4f9d88011672f97 ]

When a netdev appears through hot plug then gets enslaved by a failover
master that is already up and running, the slave will be opened
right away after getting enslaved. Today there's a race that userspace
(udev) may fail to rename the slave if the kernel (net_failover)
opens the slave earlier than when the userspace rename happens.
Unlike bond or team, the primary slave of failover can't be renamed by
userspace ahead of time, since the kernel initiated auto-enslavement is
unable to, or rather, is never meant to be synchronized with the rename
request from userspace.

As the failover slave interfaces are not designed to be operated
directly by userspace apps: IP configuration, filter rules with
regard to network traffic passing and etc., should all be done on master
interface. In general, userspace apps only care about the
name of master interface, while slave names are less important as long
as admin users can see reliable names that may carry
other information describing the netdev. For e.g., they can infer that
"ens3nsby" is a standby slave of "ens3", while for a
name like "eth0" they can't tell which master it belongs to.

Historically the name of IFF_UP interface can't be changed because
there might be admin script or management software that is already
relying on such behavior and assumes that the slave name can't be
changed once UP. But failover is special: with the in-kernel
auto-enslavement mechanism, the userspace expectation for device
enumeration and bring-up order is already broken. Previously initramfs
and various userspace config tools were modified to bypass failover
slaves because of auto-enslavement and duplicate MAC address. Similarly,
in case that users care about seeing reliable slave name, the new type
of failover slaves needs to be taken care of specifically in userspace
anyway.

It's less risky to lift up the rename restriction on failover slave
which is already UP. Although it's possible this change may potentially
break userspace component (most likely configuration scripts or
management software) that assumes slave name can't be changed while
UP, it's relatively a limited and controllable set among all userspace
components, which can be fixed specifically to listen for the rename
events on failover slaves. Userspace component interacting with slaves
is expected to be changed to operate on failover master interface
instead, as the failover slave is dynamic in nature which may come and
go at any point.  The goal is to make the role of failover slaves less
relevant, and userspace components should only deal with failover master
in the long run.

Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Acked-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/netdevice.h |    3 +++
 net/core/dev.c            |   16 +++++++++++++++-
 net/core/failover.c       |    6 +++---
 3 files changed, 21 insertions(+), 4 deletions(-)

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1484,6 +1484,7 @@ struct net_device_ops {
  * @IFF_FAILOVER: device is a failover master device
  * @IFF_FAILOVER_SLAVE: device is lower dev of a failover master device
  * @IFF_L3MDEV_RX_HANDLER: only invoke the rx handler of L3 master device
+ * @IFF_LIVE_RENAME_OK: rename is allowed while device is up and running
  */
 enum netdev_priv_flags {
 	IFF_802_1Q_VLAN			= 1<<0,
@@ -1516,6 +1517,7 @@ enum netdev_priv_flags {
 	IFF_FAILOVER			= 1<<27,
 	IFF_FAILOVER_SLAVE		= 1<<28,
 	IFF_L3MDEV_RX_HANDLER		= 1<<29,
+	IFF_LIVE_RENAME_OK		= 1<<30,
 };
 
 #define IFF_802_1Q_VLAN			IFF_802_1Q_VLAN
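
Review bot: `IFF_LIVE_RENAME_OK = 1<<30` takes the last bit that can safely be written as a plain `1<<n` here; the next flag would be `1<<31`, which overflows a signed int constant. A comment at the end of the enum noting that the next addition needs an unsigned constant, and that the width of priv_flags should be checked before adding it, would save the next contributor from finding that out the hard way.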
@@ -1547,6 +1549,7 @@ enum netdev_priv_flags {
 #define IFF_FAILOVER			IFF_FAILOVER
 #define IFF_FAILOVER_SLAVE		IFF_FAILOVER_SLAVE
 #define IFF_L3MDEV_RX_HANDLER		IFF_L3MDEV_RX_HANDLER
+#define IFF_LIVE_RENAME_OK		IFF_LIVE_RENAME_OK
 
 /**
  *	struct net_device - The DEVICE structure.
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1184,7 +1184,21 @@ int dev_change_name(struct net_device *d
 	BUG_ON(!dev_net(dev));
 
 	net = dev_net(dev);
-	if (dev->flags & IFF_UP)
+
+	/* Some auto-enslaved devices e.g. failover slaves are
+	 * special, as userspace might rename the device after
+	 * the interface had been brought up and running since
+	 * the point kernel initiated auto-enslavement. Allow
+	 * live name change even when these slave devices are
+	 * up and running.
+	 *
+	 * Typically, users of these auto-enslaving devices
+	 * don't actually care about slave name change, as
+	 * they are supposed to operate on master interface
+	 * directly.
+	 */
+	if (dev->flags & IFF_UP &&
+	    likely(!(dev->priv_flags & IFF_LIVE_RENAME_OK)))
 		return -EBUSY;
 
 	write_seqcount_begin(&devnet_rename_seq);
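
Review bot: the new condition `dev->flags & IFF_UP &&` mixes `&` and `&&` without parentheses; it parses as intended, but `(dev->flags & IFF_UP) && ...` reads unambiguously and matches the parenthesised priv_flags test on the next line. The `likely()` hint buys little on a rename path and could be dropped. Since this test is now the only thing gating a rename of a running device, the comment would be more useful if it named the flag's owner: in this patch it is set only in failover_slave_register().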
--- a/net/core/failover.c
+++ b/net/core/failover.c
@@ -80,14 +80,14 @@ static int failover_slave_register(struc
 		goto err_upper_link;
 	}
 
-	slave_dev->priv_flags |= IFF_FAILOVER_SLAVE;
+	slave_dev->priv_flags |= (IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
 
 	if (fops && fops->slave_register &&
 	    !fops->slave_register(slave_dev, failover_dev))
 		return NOTIFY_OK;
 
 	netdev_upper_dev_unlink(slave_dev, failover_dev);
-	slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE;
+	slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
 err_upper_link:
 	netdev_rx_handler_unregister(slave_dev);
 done:
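
Review bot: the mask `(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK)` is now spelled out at the set site and at both clear sites (the error path here and failover_slave_unregister()); a single named mask would keep the set and clear paths from drifting apart if another flag joins them, which matters because a stale IFF_LIVE_RENAME_OK leaves the device renamable while up. The `err_upper_link` label is reached by a `goto` that precedes the flag assignment, so skipping the clear there is correct today, but it becomes a leak of the flag if the assignment is ever moved above that `goto`.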
@@ -121,7 +121,7 @@ int failover_slave_unregister(struct net
 
 	netdev_rx_handler_unregister(slave_dev);
 	netdev_upper_dev_unlink(slave_dev, failover_dev);
-	slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE;
+	slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
 
 	if (fops && fops->slave_unregister &&
 	    !fops->slave_unregister(slave_dev, failover_dev))




* [PATCH 5.0 003/115] net: atm: Fix potential Spectre v1 vulnerabilities
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
  2019-04-24 17:08 ` [PATCH 5.0 001/115] bonding: fix event handling for stacked bonds Greg Kroah-Hartman
  2019-04-24 17:08 ` [PATCH 5.0 002/115] failover: allow name change on IFF_UP slave interfaces Greg Kroah-Hartman
@ 2019-04-24 17:08 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 004/115] net: bridge: fix per-port af_packet sockets Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:08 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, David S. Miller

From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

[ Upstream commit 899537b73557aafbdd11050b501cf54b4f5c45af ]

arg is controlled by user-space, hence leading to a potential
exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap)

Fix this by sanitizing arg before using it to index dev_lec.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/atm/lec.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -710,7 +710,10 @@ static int lec_vcc_attach(struct atm_vcc
 
 static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
 {
-	if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg])
+	if (arg < 0 || arg >= MAX_LEC_ITF)
+		return -EINVAL;
+	arg = array_index_nospec(arg, MAX_LEC_ITF);
+	if (!dev_lec[arg])
 		return -EINVAL;
 	vcc->proto_data = dev_lec[arg];
 	return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc);
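
Review bot: in lec_mcast_attach(), array_index_nospec() comes from <linux/nospec.h>, and neither hunk adds that include (the diffstat's 5 insertions are all accounted for by the two hunks), so confirm net/atm/lec.c already includes it directly rather than relying on another header to pull it in. The ordering itself is right: the architectural bounds check returns first, the clamp follows, and only then is `dev_lec[arg]` loaded, so all three uses of `dev_lec[arg]` in the function see the clamped value.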
@@ -728,6 +731,7 @@ static int lecd_attach(struct atm_vcc *v
 		i = arg;
 	if (arg >= MAX_LEC_ITF)
 		return -EINVAL;
+	i = array_index_nospec(arg, MAX_LEC_ITF);
 	if (!dev_lec[i]) {
 		int size;
 
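
Review bot: in lecd_attach() the added line clamps `arg` but stores the result in `i`, overwriting whatever the preceding branch assigned (the more deeply indented `i = arg;` shows that `i` is set conditionally above). Clamping the variable that is actually used as the index, `i = array_index_nospec(i, MAX_LEC_ITF);`, would keep the earlier assignment visibly in effect and would not depend on what array_index_nospec() yields for values of `arg` that the visible check does not reject, since only `arg >= MAX_LEC_ITF` returns -EINVAL here.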




* [PATCH 5.0 004/115] net: bridge: fix per-port af_packet sockets
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-04-24 17:08 ` [PATCH 5.0 003/115] net: atm: Fix potential Spectre v1 vulnerabilities Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 005/115] net: bridge: multicast: use rcu to access port list from br_multicast_start_querier Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Aleksandrov, David S. Miller

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

[ Upstream commit 3b2e2904deb314cc77a2192f506f2fd44e3d10d0 ]

When the commit below was introduced it changed two visible things:
 - the skb was no longer passed through the protocol handlers with the
   original device
 - the skb was passed up the stack with skb->dev = bridge

The first change broke af_packet sockets on bridge ports. For example we
use them for hostapd which listens for ETH_P_PAE packets on the ports.
We discussed two possible fixes:
 - create a clone and pass it through NF_HOOK(), act on the original skb
   based on the result
 - somehow signal to the caller from the okfn() that it was called,
   meaning the skb is ok to be passed, which this patch is trying to
   implement via returning 1 from the bridge link-local okfn()

Note that we rely on the fact that NF_QUEUE/STOLEN would return 0 and
drop/error would return < 0 thus the okfn() is called only when the
return was 1, so we signal to the caller that it was called by preserving
the return value from nf_hook().

Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_input.c |   23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -197,13 +197,10 @@ static void __br_handle_local_finish(str
 /* note: already called with rcu_read_lock */
 static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-	struct net_bridge_port *p = br_port_get_rcu(skb->dev);
-
 	__br_handle_local_finish(skb);
 
-	BR_INPUT_SKB_CB(skb)->brdev = p->br->dev;
-	br_pass_frame_up(skb);
-	return 0;
+	/* return 1 to signal the okfn() was called so it's ok to use the skb */
+	return 1;
 }
 
 /*
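
Review bot: With the br_pass_frame_up() call and the brdev assignment removed from br_handle_local_finish(), the comment above the function should say who delivers the frame now. The new inline comment only explains the return value; a line stating that the caller turns the 1 into RX_HANDLER_PASS, and that the skb therefore continues up the stack without skb->dev being switched to the bridge here, would record the behaviour change the commit message describes.
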
@@ -280,10 +277,18 @@ rx_handler_result_t br_handle_frame(stru
 				goto forward;
 		}
 
-		/* Deliver packet to local host only */
-		NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev),
-			NULL, skb, skb->dev, NULL, br_handle_local_finish);
-		return RX_HANDLER_CONSUMED;
+		/* The else clause should be hit when nf_hook():
+		 *   - returns < 0 (drop/error)
+		 *   - returns = 0 (stolen/nf_queue)
+		 * Thus return 1 from the okfn() to signal the skb is ok to pass
+		 */
+		if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
+			    dev_net(skb->dev), NULL, skb, skb->dev, NULL,
+			    br_handle_local_finish) == 1) {
+			return RX_HANDLER_PASS;
+		} else {
+			return RX_HANDLER_CONSUMED;
+		}
 	}
 
 forward:
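
Review bot: In br_handle_frame() the comparison against the literal 1 ties this caller to the return value of br_handle_local_finish() with only two comments keeping them in sync, and the else after a return is redundant. A named constant shared by both sites, with 'return RX_HANDLER_CONSUMED;' as the fall-through statement after the if block, would make the contract harder to break. The block comment also opens with "The else clause", which reads oddly when placed above the if.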




* [PATCH 5.0 005/115] net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 004/115] net: bridge: fix per-port af_packet sockets Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 006/115] net: fec: manage ahb clock in runtime pm Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Aleksandrov, David S. Miller

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ]

br_multicast_start_querier() walks over the port list but it can be
called from a timer with only multicast_lock held which doesn't protect
the port list, so use RCU to walk over it.

Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_multicast.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1916,7 +1916,8 @@ static void br_multicast_start_querier(s
 
 	__br_multicast_open(br, query);
 
-	list_for_each_entry(port, &br->port_list, list) {
+	rcu_read_lock();
+	list_for_each_entry_rcu(port, &br->port_list, list) {
 		if (port->state == BR_STATE_DISABLED ||
 		    port->state == BR_STATE_BLOCKING)
 			continue;
@@ -1928,6 +1929,7 @@ static void br_multicast_start_querier(s
 			br_multicast_enable(&port->ip6_own_query);
 #endif
 	}
+	rcu_read_unlock();
 }
 
 int br_multicast_toggle(struct net_bridge *br, unsigned long val)
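
Review bot: A comment above the new rcu_read_lock()/rcu_read_unlock() pair in br_multicast_start_querier() should name the timer path as the reason for it, because the pair now wraps the whole loop body, br_multicast_enable() calls included, in an RCU read-side critical section. The commit message says the function can run from a timer with only multicast_lock held; the changelog should also state that nothing called inside the loop may sleep, so a later change to the loop body does not break that silently.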




* [PATCH 5.0 006/115] net: fec: manage ahb clock in runtime pm
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 005/115] net: bridge: multicast: use rcu to access port list from br_multicast_start_querier Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 007/115] net: Fix missing meta data in skb with vlan packet Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Fugang Duan, David S. Miller

From: Andy Duan <fugang.duan@nxp.com>

[ Upstream commit d7c3a206e6338e4ccdf030719dec028e26a521d5 ]

Some SOCs like i.MX6SX have some clock limits:
- ahb clock should be disabled before ipg.
- ahb and ipg clocks are required for MAC MII bus.
So, move the ahb clock to runtime management together with
ipg clock.

Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/freescale/fec_main.c |   30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1840,13 +1840,9 @@ static int fec_enet_clk_enable(struct ne
 	int ret;
 
 	if (enable) {
-		ret = clk_prepare_enable(fep->clk_ahb);
-		if (ret)
-			return ret;
-
 		ret = clk_prepare_enable(fep->clk_enet_out);
 		if (ret)
-			goto failed_clk_enet_out;
+			return ret;
 
 		if (fep->clk_ptp) {
 			mutex_lock(&fep->ptp_clk_mutex);
@@ -1866,7 +1862,6 @@ static int fec_enet_clk_enable(struct ne
 
 		phy_reset_after_clk_enable(ndev->phydev);
 	} else {
-		clk_disable_unprepare(fep->clk_ahb);
 		clk_disable_unprepare(fep->clk_enet_out);
 		if (fep->clk_ptp) {
 			mutex_lock(&fep->ptp_clk_mutex);
@@ -1885,8 +1880,6 @@ failed_clk_ref:
 failed_clk_ptp:
 	if (fep->clk_enet_out)
 		clk_disable_unprepare(fep->clk_enet_out);
-failed_clk_enet_out:
-		clk_disable_unprepare(fep->clk_ahb);
 
 	return ret;
 }
@@ -3470,6 +3463,9 @@ fec_probe(struct platform_device *pdev)
 	ret = clk_prepare_enable(fep->clk_ipg);
 	if (ret)
 		goto failed_clk_ipg;
+	ret = clk_prepare_enable(fep->clk_ahb);
+	if (ret)
+		goto failed_clk_ahb;
 
 	fep->reg_phy = devm_regulator_get_optional(&pdev->dev, "phy");
 	if (!IS_ERR(fep->reg_phy)) {
@@ -3563,6 +3559,9 @@ failed_reset:
 	pm_runtime_put(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 failed_regulator:
+	clk_disable_unprepare(fep->clk_ahb);
+failed_clk_ahb:
+	clk_disable_unprepare(fep->clk_ipg);
 failed_clk_ipg:
 	fec_enet_clk_enable(ndev, false);
 failed_clk:
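
Review bot: The unwind under failed_regulator now disables clk_ahb and clk_ipg, but the labels above it reach this point after pm_runtime_put() and pm_runtime_disable(), and the fec_runtime_suspend() hunk later in this patch disables the same two clocks. If the runtime suspend callback has already run when this path is taken, both clocks are disabled twice. Please confirm the runtime PM state on the failed_reset path, or make sure the device is resumed before the explicit clk_disable_unprepare() calls. The added clk_disable_unprepare(fep->clk_ipg) also changes the clk_ipg unwind within this hunk, which the commit message does not mention.
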
@@ -3686,6 +3685,7 @@ static int __maybe_unused fec_runtime_su
 	struct net_device *ndev = dev_get_drvdata(dev);
 	struct fec_enet_private *fep = netdev_priv(ndev);
 
+	clk_disable_unprepare(fep->clk_ahb);
 	clk_disable_unprepare(fep->clk_ipg);
 
 	return 0;
@@ -3695,8 +3695,20 @@ static int __maybe_unused fec_runtime_re
 {
 	struct net_device *ndev = dev_get_drvdata(dev);
 	struct fec_enet_private *fep = netdev_priv(ndev);
+	int ret;
 
-	return clk_prepare_enable(fep->clk_ipg);
+	ret = clk_prepare_enable(fep->clk_ahb);
+	if (ret)
+		return ret;
+	ret = clk_prepare_enable(fep->clk_ipg);
+	if (ret)
+		goto failed_clk_ipg;
+
+	return 0;
+
+failed_clk_ipg:
+	clk_disable_unprepare(fep->clk_ahb);
+	return ret;
 }
 
 static const struct dev_pm_ops fec_pm_ops = {
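
Review bot: fec_runtime_resume() enables clk_ahb before clk_ipg, while the fec_probe() hunk above enables clk_ipg first and clk_ahb second. The commit message states an ordering constraint only for disabling (ahb before ipg), which the suspend hunk and the error paths follow, so either the two enable sequences should match or the changelog should say that enable order does not matter on the affected SoCs.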




* [PATCH 5.0 007/115] net: Fix missing meta data in skb with vlan packet
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 006/115] net: fec: manage ahb clock in runtime pm Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 008/115] net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuya Kusakabe, Takeru Hayasaka,
	Toshiaki Makita, David S. Miller

From: Yuya Kusakabe <yuya.kusakabe@gmail.com>

[ Upstream commit d85e8be2a5a02869f815dd0ac2d743deb4cd7957 ]

skb_reorder_vlan_header() should move XDP meta data with ethernet header
if XDP meta data exists.

Fixes: de8f3a83b0a0 ("bpf: add meta pointer for direct access")
Signed-off-by: Yuya Kusakabe <yuya.kusakabe@gmail.com>
Signed-off-by: Takeru Hayasaka <taketarou2@gmail.com>
Co-developed-by: Takeru Hayasaka <taketarou2@gmail.com>
Reviewed-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/skbuff.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5083,7 +5083,8 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_l
 
 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
 {
-	int mac_len;
+	int mac_len, meta_len;
+	void *meta;
 
 	if (skb_cow(skb, skb_headroom(skb)) < 0) {
 		kfree_skb(skb);
@@ -5095,6 +5096,13 @@ static struct sk_buff *skb_reorder_vlan_
 		memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
 			mac_len - VLAN_HLEN - ETH_TLEN);
 	}
+
+	meta_len = skb_metadata_len(skb);
+	if (meta_len) {
+		meta = skb_metadata_end(skb) - meta_len;
+		memmove(meta + VLAN_HLEN, meta, meta_len);
+	}
+
 	skb->mac_header += VLAN_HLEN;
 	return skb;
 }
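
Review bot: The new metadata memmove() in skb_reorder_vlan_header() is only correct because it runs after the MAC header memmove() and before 'skb->mac_header += VLAN_HLEN;', and nothing in the code says the order is load-bearing. The destination range ends VLAN_HLEN bytes past skb_metadata_end(), that is, in bytes the MAC header move above has already copied away, and skb_metadata_end() is evaluated while the header offset is still the old one. A short comment stating both dependencies would protect this from a later reordering. The arithmetic on 'void *meta' also relies on the GNU extension; declaring it 'u8 *' would avoid that.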




* [PATCH 5.0 008/115] net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 007/115] net: Fix missing meta data in skb with vlan packet Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 009/115] tcp: tcp_grow_window() needs to respect tcp_space() Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Bianconi, David S. Miller

From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>

[ Upstream commit 988dc4a9a3b66be75b30405a5494faf0dc7cffb6 ]

gue tunnels run iptunnel_pull_offloads on received skbs. This can
determine a possible use-after-free accessing guehdr pointer since
the packet will be 'uncloned' running pskb_expand_head if it is a
cloned gso skb (e.g. if the packet has been sent through a veth device).

Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/fou.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -121,6 +121,7 @@ static int gue_udp_recv(struct sock *sk,
 	struct guehdr *guehdr;
 	void *data;
 	u16 doffset = 0;
+	u8 proto_ctype;
 
 	if (!fou)
 		return 1;
@@ -212,13 +213,14 @@ static int gue_udp_recv(struct sock *sk,
 	if (unlikely(guehdr->control))
 		return gue_control_message(skb, guehdr);
 
+	proto_ctype = guehdr->proto_ctype;
 	__skb_pull(skb, sizeof(struct udphdr) + hdrlen);
 	skb_reset_transport_header(skb);
 
 	if (iptunnel_pull_offloads(skb))
 		goto drop;
 
-	return -guehdr->proto_ctype;
+	return -proto_ctype;
 
 drop:
 	kfree_skb(skb);
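
Review bot: After this change guehdr is still in scope below iptunnel_pull_offloads() in gue_udp_recv(), so the same use-after-free can return with the next edit to the tail of the function. A comment at 'proto_ctype = guehdr->proto_ctype;' saying that guehdr must not be dereferenced once iptunnel_pull_offloads() has run, because the skb may be uncloned as the commit message explains, would document the constraint; setting guehdr to NULL after the copy would enforce it.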




* [PATCH 5.0 009/115] tcp: tcp_grow_window() needs to respect tcp_space()
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 008/115] net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 010/115] team: set slave to promisc if team is already in promisc mode Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Soheil Hassas Yeganeh,
	Neal Cardwell, Wei Wang, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ]

For some reason, tcp_grow_window() correctly tests if enough room
is present before attempting to increase tp->rcv_ssthresh,
but does not prevent it from growing past tcp_space().

This is causing hard to debug issues, like failing
the (__tcp_select_window(sk) >= tp->rcv_wnd) test
in __tcp_ack_snd_check(), causing ACK delays and possibly
slow flows.

Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio,
we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000"
after about 60 round trips, when the active side no longer sends
immediate acks.

This bug predates git history.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Wei Wang <weiwan@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_input.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -402,11 +402,12 @@ static int __tcp_grow_window(const struc
 static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
+	int room;
+
+	room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;
 
 	/* Check #1 */
-	if (tp->rcv_ssthresh < tp->window_clamp &&
-	    (int)tp->rcv_ssthresh < tcp_space(sk) &&
-	    !tcp_under_memory_pressure(sk)) {
+	if (room > 0 && !tcp_under_memory_pressure(sk)) {
 		int incr;
 
 		/* Check #2. Increase window, if skb with such overhead
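
Review bot: The new room computation in tcp_grow_window() mixes signedness: min_t(int, ...) yields an int, but tp->rcv_ssthresh is subtracted from it without the (int) cast that the removed comparison '(int)tp->rcv_ssthresh < tcp_space(sk)' applied, so the subtraction is done unsigned and only becomes negative on assignment to room. The value comes out the same, but 'room > 0' is now the whole guard; writing '(int)tp->rcv_ssthresh' in the subtraction would keep the arithmetic signed throughout and match the line it replaces.
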
@@ -419,8 +420,7 @@ static void tcp_grow_window(struct sock
 
 		if (incr) {
 			incr = max_t(int, incr, 2 * skb->len);
-			tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,
-					       tp->window_clamp);
+			tp->rcv_ssthresh += min(room, incr);
 			inet_csk(sk)->icsk_ack.quick |= 1;
 		}
 	}




* [PATCH 5.0 010/115] team: set slave to promisc if team is already in promisc mode
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 009/115] tcp: tcp_grow_window() needs to respect tcp_space() Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 011/115] tipc: missing entries in name table of publications Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hangbin Liu, David S. Miller

From: Hangbin Liu <liuhangbin@gmail.com>

[ Upstream commit 43c2adb9df7ddd6560fd3546d925b42cef92daa0 ]

After adding a team interface to bridge, the team interface will enter
promisc mode. Then if we add a new slave to team0, the slave will keep
promisc off. Fix it by setting slave to promisc on if team master is
already in promisc mode, also do the same for allmulti.

v2: add promisc and allmulti checking when delete ports

Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/team/team.c |   26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1247,6 +1247,23 @@ static int team_port_add(struct team *te
 		goto err_option_port_add;
 	}
 
+	/* set promiscuity level to new slave */
+	if (dev->flags & IFF_PROMISC) {
+		err = dev_set_promiscuity(port_dev, 1);
+		if (err)
+			goto err_set_slave_promisc;
+	}
+
+	/* set allmulti level to new slave */
+	if (dev->flags & IFF_ALLMULTI) {
+		err = dev_set_allmulti(port_dev, 1);
+		if (err) {
+			if (dev->flags & IFF_PROMISC)
+				dev_set_promiscuity(port_dev, -1);
+			goto err_set_slave_promisc;
+		}
+	}
+
 	netif_addr_lock_bh(dev);
 	dev_uc_sync_multiple(port_dev, dev);
 	dev_mc_sync_multiple(port_dev, dev);
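
Review bot: In team_port_add() the allmulti failure branch undoes the promiscuity change inline and then jumps to err_set_slave_promisc, a label whose name says the promiscuity step failed. The rest of the unwind uses stacked labels (err_option_port_add is visible in the next hunk); a separate err_set_slave_allmulti label placed above the 'dev_set_promiscuity(port_dev, -1)' rollback would follow that pattern and keep the error branch to a single goto. The rollback must stay conditional on IFF_PROMISC, as it is here.
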
@@ -1263,6 +1280,9 @@ static int team_port_add(struct team *te
 
 	return 0;
 
+err_set_slave_promisc:
+	__team_option_inst_del_port(team, port);
+
 err_option_port_add:
 	team_upper_dev_unlink(team, port);
 
@@ -1308,6 +1328,12 @@ static int team_port_del(struct team *te
 
 	team_port_disable(team, port);
 	list_del_rcu(&port->list);
+
+	if (dev->flags & IFF_PROMISC)
+		dev_set_promiscuity(port_dev, -1);
+	if (dev->flags & IFF_ALLMULTI)
+		dev_set_allmulti(port_dev, -1);
+
 	team_upper_dev_unlink(team, port);
 	netdev_rx_handler_unregister(port_dev);
 	team_port_disable_netpoll(port);




* [PATCH 5.0 011/115] tipc: missing entries in name table of publications
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 010/115] team: set slave to promisc if team is already in promisc mode Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 012/115] vhost: reject zero size iova range Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Maloy, Hoang Le, David S. Miller

From: Hoang Le <hoang.h.le@dektech.com.au>

[ Upstream commit d1841533e54876f152a30ac398a34f47ad6590b1 ]

Binding multiple services with specific types 1Ki, 2Ki, ... leads to
some entries in the name table of publications being missing when
listed out via 'tipc name show'.

The problem is in identifying the zero last_type conditional provided
via netlink. The first is the initial 'type' when starting name table
dumping. The second is continuing with zero type (node state
service type). Then, the lookup function fails to find the node state
service type in the next iteration.

To solve this, add a further condition to mark the type as dirty and
look up the correct service type for the next iteration instead of
selecting the first service as initial 'type' zero.

Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/name_table.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/tipc/name_table.c
+++ b/net/tipc/name_table.c
@@ -909,7 +909,8 @@ static int tipc_nl_service_list(struct n
 	for (; i < TIPC_NAMETBL_SIZE; i++) {
 		head = &tn->nametbl->services[i];
 
-		if (*last_type) {
+		if (*last_type ||
+		    (!i && *last_key && (*last_lower == *last_key))) {
 			service = tipc_service_find(net, *last_type);
 			if (!service)
 				return -EPIPE;
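
Review bot: The added condition '(!i && *last_key && (*last_lower == *last_key))' in tipc_nl_service_list() needs a comment. Nothing in the code explains why last_lower being equal to last_key on the first bucket identifies a resumed dump whose last_type is zero, and the commit message describes it only indirectly. Please also confirm that a fresh dump cannot satisfy this condition, because the branch then returns -EPIPE whenever tipc_service_find() finds nothing.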




* [PATCH 5.0 012/115] vhost: reject zero size iova range
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 011/115] tipc: missing entries in name table of publications Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 013/115] ipv4: recompile ip options in ipv4_link_failure Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d21e6e297322a900c128,
	Jason Wang, Michael S. Tsirkin, David S. Miller

From: Jason Wang <jasowang@redhat.com>

[ Upstream commit 813dbeb656d6c90266f251d8bd2b02d445afa63f ]

We used to accept a zero size iova range, which will lead to an infinite
loop in translate_desc(). Fix this by failing the request in this case.

Reported-by: syzbot+d21e6e297322a900c128@syzkaller.appspotmail.com
Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/vhost/vhost.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -911,8 +911,12 @@ static int vhost_new_umem_range(struct v
 				u64 start, u64 size, u64 end,
 				u64 userspace_addr, int perm)
 {
-	struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC);
+	struct vhost_umem_node *tmp, *node;
 
+	if (!size)
+		return -EFAULT;
+
+	node = kmalloc(sizeof(*node), GFP_ATOMIC);
 	if (!node)
 		return -ENOMEM;
 
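
Review bot: The zero-size check in vhost_new_umem_range() returns -EFAULT, which normally reports a bad user address; a size of zero is an invalid argument, so -EINVAL looks like the better fit unless callers depend on -EFAULT. Placing the check ahead of the kmalloc() is right, since the early return then has nothing to free.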




* [PATCH 5.0 013/115] ipv4: recompile ip options in ipv4_link_failure
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 012/115] vhost: reject zero size iova range Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 014/115] ipv4: ensure rcu_read_lock() in ipv4_link_failure() Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Suryaputra, David S. Miller

From: Stephen Suryaputra <ssuryaextr@gmail.com>

[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ]

Recompile IP options since IPCB may not be valid anymore when
ipv4_link_failure is called from arp_error_report.

Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
and the commit before that (9ef6b42ad6fd) for a similar issue.

Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/route.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1186,8 +1186,16 @@ static struct dst_entry *ipv4_dst_check(
 static void ipv4_link_failure(struct sk_buff *skb)
 {
 	struct rtable *rt;
+	struct ip_options opt;
 
-	icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
+	/* Recompile ip options since IPCB may not be valid anymore.
+	 */
+	memset(&opt, 0, sizeof(opt));
+	opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+	if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
+		return;
+
+	__icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
 
 	rt = skb_rtable(skb);
 	if (rt)
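
Review bot: In ipv4_link_failure() the line 'opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);' trusts the header of a packet whose control block the comment just above calls possibly invalid. An ihl below 5 makes the subtraction wrap, and nothing visible here checks that the full header is in the linear area before ip_hdr() is read. Please validate ihl, and that ihl*4 bytes of header are present, before computing optlen, and return early otherwise.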




* [PATCH 5.0 014/115] ipv4: ensure rcu_read_lock() in ipv4_link_failure()
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 013/115] ipv4: recompile ip options in ipv4_link_failure Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 015/115] mlxsw: spectrum_switchdev: Add MDB entries in prepare phase Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot,
	Stephen Suryaputra, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ]

fib_compute_spec_dst() needs to be called under rcu protection.

syzbot reported:

WARNING: suspicious RCU usage
5.1.0-rc4+ #165 Not tainted
include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by swapper/0/0:
 #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
 #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315

stack backtrace:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
 __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
 fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
 spec_dst_fill net/ipv4/ip_options.c:245 [inline]
 __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
 ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
 dst_link_failure include/net/dst.h:427 [inline]
 arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
 neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
 neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
 call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers kernel/time/timer.c:1681 [inline]
 __run_timers kernel/time/timer.c:1649 [inline]
 run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
 __do_softirq+0x266/0x95a kernel/softirq.c:293
 invoke_softirq kernel/softirq.c:374 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:414
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807

Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/route.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1185,14 +1185,20 @@ static struct dst_entry *ipv4_dst_check(
 
 static void ipv4_link_failure(struct sk_buff *skb)
 {
-	struct rtable *rt;
 	struct ip_options opt;
+	struct rtable *rt;
+	int res;
 
 	/* Recompile ip options since IPCB may not be valid anymore.
 	 */
 	memset(&opt, 0, sizeof(opt));
 	opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
-	if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
+
+	rcu_read_lock();
+	res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
+	rcu_read_unlock();
+
+	if (res)
 		return;
 
 	__icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);




* [PATCH 5.0 015/115] mlxsw: spectrum_switchdev: Add MDB entries in prepare phase
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 014/115] ipv4: ensure rcu_read_lock() in ipv4_link_failure() Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 016/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Alex Kushnarov,
	Jiri Pirko, David S. Miller

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit d4d0e40977ac450f32f2db5e4d8e23c9d2578899 ]

The driver cannot guarantee in the prepare phase that it will be able to
write an MDB entry to the device. In case the driver returned success
during the prepare phase, but then failed to add the entry in the commit
phase, a WARNING [1] will be generated by the switchdev core.

Fix this by doing the work in the prepare phase instead.

[1]
[  358.544486] swp12s0: Commit of object (id=2) failed.
[  358.550061] WARNING: CPU: 0 PID: 30 at net/switchdev/switchdev.c:281 switchdev_port_obj_add_now+0x9b/0xe0
[  358.560754] CPU: 0 PID: 30 Comm: kworker/0:1 Not tainted 5.0.0-custom-13382-gf2449babf221 #1350
[  358.570472] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
[  358.580582] Workqueue: events switchdev_deferred_process_work
[  358.587001] RIP: 0010:switchdev_port_obj_add_now+0x9b/0xe0
...
[  358.614109] RSP: 0018:ffffa6b900d6fe18 EFLAGS: 00010286
[  358.619943] RAX: 0000000000000000 RBX: ffff8b00797ff000 RCX: 0000000000000000
[  358.627912] RDX: ffff8b00b7a1d4c0 RSI: ffff8b00b7a152e8 RDI: ffff8b00b7a152e8
[  358.635881] RBP: ffff8b005c3f5bc0 R08: 000000000000022b R09: 0000000000000000
[  358.643850] R10: 0000000000000000 R11: ffffa6b900d6fcc8 R12: 0000000000000000
[  358.651819] R13: dead000000000100 R14: ffff8b00b65a23c0 R15: 0ffff8b00b7a2200
[  358.659790] FS:  0000000000000000(0000) GS:ffff8b00b7a00000(0000) knlGS:0000000000000000
[  358.668820] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  358.675228] CR2: 00007f00aad90de0 CR3: 00000001ca80d000 CR4: 00000000001006f0
[  358.683188] Call Trace:
[  358.685918]  switchdev_port_obj_add_deferred+0x13/0x60
[  358.691655]  switchdev_deferred_process+0x6b/0xf0
[  358.696907]  switchdev_deferred_process_work+0xa/0x10
[  358.702548]  process_one_work+0x1f5/0x3f0
[  358.707022]  worker_thread+0x28/0x3c0
[  358.711099]  ? process_one_work+0x3f0/0x3f0
[  358.715768]  kthread+0x10d/0x130
[  358.719369]  ? __kthread_create_on_node+0x180/0x180
[  358.724815]  ret_from_fork+0x35/0x40

Fixes: 3a49b4fde2a1 ("mlxsw: Adding layer 2 multicast support")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alex Kushnarov <alexanderk@mellanox.com>
Tested-by: Alex Kushnarov <alexanderk@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
@@ -1654,7 +1654,7 @@ static int mlxsw_sp_port_mdb_add(struct
 	u16 fid_index;
 	int err = 0;
 
-	if (switchdev_trans_ph_prepare(trans))
+	if (switchdev_trans_ph_commit(trans))
 		return 0;
 
 	bridge_port = mlxsw_sp_bridge_port_find(mlxsw_sp->bridge, orig_dev);
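
Review bot: the early return at the top of mlxsw_sp_port_mdb_add() now fires in the commit phase, so everything from mlxsw_sp_bridge_port_find() onward runs during prepare, and nothing in the function says why. Without a comment the swapped check reads like a typo and invites someone to swap it back; a short comment above the if stating why the MDB entry is added in the prepare phase would record the intent.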




* [PATCH 5.0 016/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 015/115] mlxsw: spectrum_switchdev: Add MDB entries in prepare phase Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 017/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Jiri Pirko, David S. Miller

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit a8c133b06183c529c51cd0d54eb57d6b7078370c ]

The EMAD workqueue is used to handle retransmission of EMAD packets that
contain configuration data for the device's firmware.

Given the workers need to allocate these packets and that the code is
not called as part of memory reclaim path, remove the WQ_MEM_RECLAIM
flag.

Fixes: d965465b60ba ("mlxsw: core: Fix possible deadlock")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxsw/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
@@ -568,7 +568,7 @@ static int mlxsw_emad_init(struct mlxsw_
 	if (!(mlxsw_core->bus->features & MLXSW_BUS_F_TXRX))
 		return 0;
 
-	emad_wq = alloc_workqueue("mlxsw_core_emad", WQ_MEM_RECLAIM, 0);
+	emad_wq = alloc_workqueue("mlxsw_core_emad", 0, 0);
 	if (!emad_wq)
 		return -ENOMEM;
 	mlxsw_core->emad_wq = emad_wq;
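
Review bot: in mlxsw_emad_init() the flags argument becomes a bare 0 with no trace in the code of why WQ_MEM_RECLAIM was dropped. A one-line comment above alloc_workqueue() saying that the EMAD workers allocate packets and are not called from the memory reclaim path would keep the flag from being added back later.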




* [PATCH 5.0 017/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 016/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 018/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Semion Lisyansky,
	Jiri Pirko, David S. Miller

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit 4af0699782e2cc7d0d89db9eb6f8844dd3df82dc ]

The ordered workqueue is used to offload various objects such as routes
and neighbours in the order they are notified.

It should not be called as part of memory reclaim path, so remove the
WQ_MEM_RECLAIM flag. This can also result in a warning [1], if a worker
tries to flush a non-WQ_MEM_RECLAIM workqueue.

[1]
[97703.542861] workqueue: WQ_MEM_RECLAIM mlxsw_core_ordered:mlxsw_sp_router_fib6_event_work [mlxsw_spectrum] is flushing !WQ_MEM_RECLAIM events:rht_deferred_worker
[97703.542884] WARNING: CPU: 1 PID: 32492 at kernel/workqueue.c:2605 check_flush_dependency+0xb5/0x130
...
[97703.542988] Hardware name: Mellanox Technologies Ltd. MSN3700C/VMOD0008, BIOS 5.11 10/10/2018
[97703.543049] Workqueue: mlxsw_core_ordered mlxsw_sp_router_fib6_event_work [mlxsw_spectrum]
[97703.543061] RIP: 0010:check_flush_dependency+0xb5/0x130
...
[97703.543071] RSP: 0018:ffffb3f08137bc00 EFLAGS: 00010086
[97703.543076] RAX: 0000000000000000 RBX: ffff96e07740ae00 RCX: 0000000000000000
[97703.543080] RDX: 0000000000000094 RSI: ffffffff82dc1934 RDI: 0000000000000046
[97703.543084] RBP: ffffb3f08137bc20 R08: ffffffff82dc18a0 R09: 00000000000225c0
[97703.543087] R10: 0000000000000000 R11: 0000000000007eec R12: ffffffff816e4ee0
[97703.543091] R13: ffff96e06f6a5c00 R14: ffff96e077ba7700 R15: ffffffff812ab0c0
[97703.543097] FS: 0000000000000000(0000) GS:ffff96e077a80000(0000) knlGS:0000000000000000
[97703.543101] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[97703.543104] CR2: 00007f8cd135b280 CR3: 00000001e860e003 CR4: 00000000003606e0
[97703.543109] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[97703.543112] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[97703.543115] Call Trace:
[97703.543129] __flush_work+0xbd/0x1e0
[97703.543137] ? __cancel_work_timer+0x136/0x1b0
[97703.543145] ? pwq_dec_nr_in_flight+0x49/0xa0
[97703.543154] __cancel_work_timer+0x136/0x1b0
[97703.543175] ? mlxsw_reg_trans_bulk_wait+0x145/0x400 [mlxsw_core]
[97703.543184] cancel_work_sync+0x10/0x20
[97703.543191] rhashtable_free_and_destroy+0x23/0x140
[97703.543198] rhashtable_destroy+0xd/0x10
[97703.543254] mlxsw_sp_fib_destroy+0xb1/0xf0 [mlxsw_spectrum]
[97703.543310] mlxsw_sp_vr_put+0xa8/0xc0 [mlxsw_spectrum]
[97703.543364] mlxsw_sp_fib_node_put+0xbf/0x140 [mlxsw_spectrum]
[97703.543418] ? mlxsw_sp_fib6_entry_destroy+0xe8/0x110 [mlxsw_spectrum]
[97703.543475] mlxsw_sp_router_fib6_event_work+0x6cd/0x7f0 [mlxsw_spectrum]
[97703.543484] process_one_work+0x1fd/0x400
[97703.543493] worker_thread+0x34/0x410
[97703.543500] kthread+0x121/0x140
[97703.543507] ? process_one_work+0x400/0x400
[97703.543512] ? kthread_park+0x90/0x90
[97703.543523] ret_from_fork+0x35/0x40

Fixes: a3832b31898f ("mlxsw: core: Create an ordered workqueue for FIB offload")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Semion Lisyansky <semionl@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxsw/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
@@ -1915,7 +1915,7 @@ static int __init mlxsw_core_module_init
 	mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, WQ_MEM_RECLAIM, 0);
 	if (!mlxsw_wq)
 		return -ENOMEM;
-	mlxsw_owq = alloc_ordered_workqueue("%s_ordered", WQ_MEM_RECLAIM,
+	mlxsw_owq = alloc_ordered_workqueue("%s_ordered", 0,
 					    mlxsw_core_driver_name);
 	if (!mlxsw_owq) {
 		err = -ENOMEM;
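
Review bot: the context line directly above the change still allocates mlxsw_wq with WQ_MEM_RECLAIM while mlxsw_owq loses it, so with this patch alone the two queues in mlxsw_core_module_init() disagree. The commit message should say that mlxsw_wq is handled separately (018/115 in this series changes it), so that anyone picking only one of the two knows they belong together.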




* [PATCH 5.0 018/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 017/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 019/115] mlxsw: spectrum_router: Do not check VRF MAC address Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Jiri Pirko, David S. Miller

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit b442fed1b724af0de087912a5718ddde1b87acbb ]

The workqueue is used to periodically update the networking stack about
activity / statistics of various objects such as neighbours and TC
actions.

It should not be called as part of memory reclaim path, so remove the
WQ_MEM_RECLAIM flag.

Fixes: 3d5479e92087 ("mlxsw: core: Remove deprecated create_workqueue")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxsw/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
@@ -1912,7 +1912,7 @@ static int __init mlxsw_core_module_init
 {
 	int err;
 
-	mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, WQ_MEM_RECLAIM, 0);
+	mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, 0, 0);
 	if (!mlxsw_wq)
 		return -ENOMEM;
 	mlxsw_owq = alloc_ordered_workqueue("%s_ordered", 0,




* [PATCH 5.0 019/115] mlxsw: spectrum_router: Do not check VRF MAC address
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 018/115] mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 020/115] net: thunderx: raise XDP MTU to 1508 Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Alexander Petrovskiy,
	Jiri Pirko, David S. Miller

From: Ido Schimmel <idosch@mellanox.com>

[ Upstream commit 972fae683cbad5cf348268e76abc6d55cfb3ba87 ]

Commit 74bc99397438 ("mlxsw: spectrum_router: Veto unsupported RIF MAC
addresses") enabled the driver to veto router interface (RIF) MAC
addresses that it cannot support.

This check should only be performed for interfaces for which the driver
actually configures a RIF. A VRF upper is not one of them, so ignore it.

Without this patch it is not possible to set an IP address on the VRF
device and use it as a loopback.

Fixes: 74bc99397438 ("mlxsw: spectrum_router: Veto unsupported RIF MAC addresses")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
Tested-by: Alexander Petrovskiy <alexpe@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -6745,7 +6745,7 @@ static int mlxsw_sp_router_port_check_ri
 	/* A RIF is not created for macvlan netdevs. Their MAC is used to
 	 * populate the FDB
 	 */
-	if (netif_is_macvlan(dev))
+	if (netif_is_macvlan(dev) || netif_is_l3_master(dev))
 		return 0;
 
 	for (i = 0; i < MLXSW_CORE_RES_GET(mlxsw_sp->core, MAX_RIFS); i++) {
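
Review bot: the comment above the check still explains only the macvlan case ("A RIF is not created for macvlan netdevs. Their MAC is used to populate the FDB"), but the condition now also returns early for netif_is_l3_master(dev). Extend the comment to say that the driver does not configure a RIF for a VRF upper either, otherwise the second half of the condition is unexplained.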




* [PATCH 5.0 020/115] net: thunderx: raise XDP MTU to 1508
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 019/115] mlxsw: spectrum_router: Do not check VRF MAC address Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 021/115] net: thunderx: dont allow jumbo frames with XDP Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matteo Croce, Jesper Dangaard Brouer,
	David S. Miller

From: Matteo Croce <mcroce@redhat.com>

[ Upstream commit 5ee15c101f29e0093ffb5448773ccbc786eb313b ]

The thunderx driver splits frames bigger than 1530 bytes to multiple
pages, making it impossible to run an eBPF program on it.
This leads to a maximum MTU of 1508 if QinQ is in use.

The thunderx driver forbids loading an eBPF program if the MTU is higher
than 1500 bytes. Raise the limit to 1508 so it is possible to use L2
protocols which need some more headroom.

Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support")
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/cavium/thunder/nicvf_main.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
@@ -32,6 +32,13 @@
 #define DRV_NAME	"nicvf"
 #define DRV_VERSION	"1.0"
 
+/* NOTE: Packets bigger than 1530 are split across multiple pages and XDP needs
+ * the buffer to be contiguous. Allow XDP to be set up only if we don't exceed
+ * this value, keeping headroom for the 14 byte Ethernet header and two
+ * VLAN tags (for QinQ)
+ */
+#define MAX_XDP_MTU	(1530 - ETH_HLEN - VLAN_HLEN * 2)
+
 /* Supported devices */
 static const struct pci_device_id nicvf_id_table[] = {
 	{ PCI_DEVICE_SUB(PCI_VENDOR_ID_CAVIUM,
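
Review bot: MAX_XDP_MTU is built from the literal 1530, which appears once in the comment and once in the macro with nothing tying it to the receive code that does the splitting. If the driver already has a constant for the largest frame that fits in a single buffer, derive MAX_XDP_MTU from it; otherwise give 1530 its own name so the limit and the split threshold cannot drift apart.
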
@@ -1830,8 +1837,10 @@ static int nicvf_xdp_setup(struct nicvf
 	bool bpf_attached = false;
 	int ret = 0;
 
-	/* For now just support only the usual MTU sized frames */
-	if (prog && (dev->mtu > 1500)) {
+	/* For now just support only the usual MTU sized frames,
+	 * plus some headroom for VLAN, QinQ.
+	 */
+	if (prog && dev->mtu > MAX_XDP_MTU) {
 		netdev_warn(dev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
 			    dev->mtu);
 		return -EOPNOTSUPP;
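
Review bot: the netdev_warn() text in nicvf_xdp_setup() still says "Jumbo frames not yet supported with XDP" and prints only the current MTU, although the check is now against MAX_XDP_MTU and an MTU just above it is not a jumbo frame. Print the limit next to dev->mtu so the user can tell which value would be accepted.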




* [PATCH 5.0 021/115] net: thunderx: dont allow jumbo frames with XDP
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 020/115] net: thunderx: raise XDP MTU to 1508 Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 022/115] net/tls: fix the IV leaks Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matteo Croce, Jesper Dangaard Brouer,
	David S. Miller

From: Matteo Croce <mcroce@redhat.com>

[ Upstream commit 1f227d16083b2e280b7dde4ca78883d75593f2fd ]

The thunderx driver forbids loading an eBPF program if the MTU is too high,
but this can be circumvented by loading the eBPF, then raising the MTU.

Fix this by limiting the MTU if an eBPF program is already loaded.

Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support")
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/cavium/thunder/nicvf_main.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
@@ -1589,6 +1589,15 @@ static int nicvf_change_mtu(struct net_d
 	struct nicvf *nic = netdev_priv(netdev);
 	int orig_mtu = netdev->mtu;
 
+	/* For now just support only the usual MTU sized frames,
+	 * plus some headroom for VLAN, QinQ.
+	 */
+	if (nic->xdp_prog && new_mtu > MAX_XDP_MTU) {
+		netdev_warn(netdev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
+			    netdev->mtu);
+		return -EINVAL;
+	}
+
 	netdev->mtu = new_mtu;
 
 	if (!netif_running(netdev))
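
Review bot: the new check in nicvf_change_mtu() rejects new_mtu, but the warning prints netdev->mtu, so the log shows the old, still valid MTU rather than the value that was refused. Log new_mtu together with MAX_XDP_MTU instead. This path also returns -EINVAL, while the matching check in nicvf_xdp_setup() (020/115) returns -EOPNOTSUPP for the same condition; it is worth making the two consistent or saying why they differ.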




* [PATCH 5.0 022/115] net/tls: fix the IV leaks
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 021/115] net: thunderx: dont allow jumbo frames with XDP Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 023/115] net/tls: dont leak partially sent record in device mode Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Dirk van der Merwe,
	Simon Horman, David S. Miller

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 5a03bc73abed6ae196c15e9950afde19d48be12c ]

Commit f66de3ee2c16 ("net/tls: Split conf to rx + tx") made
freeing of IV and record sequence number conditional on SW
path only, but commit e8f69799810c ("net/tls: Add generic NIC
offload infrastructure") also allocates that state for the
device offload configuration.  Remember to free it.

Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tls/tls_device.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -52,8 +52,11 @@ static DEFINE_SPINLOCK(tls_device_lock);
 
 static void tls_device_free_ctx(struct tls_context *ctx)
 {
-	if (ctx->tx_conf == TLS_HW)
+	if (ctx->tx_conf == TLS_HW) {
 		kfree(tls_offload_ctx_tx(ctx));
+		kfree(ctx->tx.rec_seq);
+		kfree(ctx->tx.iv);
+	}
 
 	if (ctx->rx_conf == TLS_HW)
 		kfree(tls_offload_ctx_rx(ctx));
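
Review bot: tls_device_free_ctx() now frees ctx->tx.rec_seq and ctx->tx.iv for TLS_HW, but the rx_conf == TLS_HW branch right below still frees only tls_offload_ctx_rx(ctx). Please confirm whether the receive-side IV and record sequence number are released elsewhere for device offload; if they are not, the same leak remains on the rx side and should be closed in this patch.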




* [PATCH 5.0 023/115] net/tls: dont leak partially sent record in device mode
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 022/115] net/tls: fix the IV leaks Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 024/115] net: strparser: partially revert "strparser: Call skb_unclone conditionally" Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Beckett, Jakub Kicinski,
	Dirk van der Merwe, Simon Horman, David S. Miller

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 35b71a34ada62c9573847a324bf06a133fe11b11 ]

David reports that tls triggers warnings related to
sk->sk_forward_alloc not being zero at destruction time:

WARNING: CPU: 5 PID: 6831 at net/core/stream.c:206 sk_stream_kill_queues+0x103/0x110
WARNING: CPU: 5 PID: 6831 at net/ipv4/af_inet.c:160 inet_sock_destruct+0x15b/0x170

When sender fills up the write buffer and dies from
SIGPIPE.  This is due to the device implementation
not cleaning up the partially_sent_record.

This is because commit a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance")
moved the partial record cleanup to the SW-only path.

Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance")
Reported-by: David Beckett <david.beckett@netronome.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/tls.h    |    2 ++
 net/tls/tls_device.c |    7 +++++++
 net/tls/tls_main.c   |   22 ++++++++++++++++++++++
 net/tls/tls_sw.c     |   15 +--------------
 4 files changed, 32 insertions(+), 14 deletions(-)

--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -289,6 +289,7 @@ int tls_device_sendmsg(struct sock *sk,
 int tls_device_sendpage(struct sock *sk, struct page *page,
 			int offset, size_t size, int flags);
 void tls_device_sk_destruct(struct sock *sk);
+void tls_device_free_resources_tx(struct sock *sk);
 void tls_device_init(void);
 void tls_device_cleanup(void);
 int tls_tx_records(struct sock *sk, int flags);
@@ -312,6 +313,7 @@ int tls_push_sg(struct sock *sk, struct
 		int flags);
 int tls_push_partial_record(struct sock *sk, struct tls_context *ctx,
 			    int flags);
+bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx);
 
 int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx,
 				   int flags, long *timeo);
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -219,6 +219,13 @@ void tls_device_sk_destruct(struct sock
 }
 EXPORT_SYMBOL(tls_device_sk_destruct);
 
+void tls_device_free_resources_tx(struct sock *sk)
+{
+	struct tls_context *tls_ctx = tls_get_ctx(sk);
+
+	tls_free_partial_record(sk, tls_ctx);
+}
+
 static void tls_append_frag(struct tls_record_info *record,
 			    struct page_frag *pfrag,
 			    int size)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -220,6 +220,26 @@ int tls_push_pending_closed_record(struc
 		return tls_ctx->push_pending_record(sk, flags);
 }
 
+bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx)
+{
+	struct scatterlist *sg;
+
+	sg = ctx->partially_sent_record;
+	if (!sg)
+		return false;
+
+	while (1) {
+		put_page(sg_page(sg));
+		sk_mem_uncharge(sk, sg->length);
+
+		if (sg_is_last(sg))
+			break;
+		sg++;
+	}
+	ctx->partially_sent_record = NULL;
+	return true;
+}
+
 static void tls_write_space(struct sock *sk)
 {
 	struct tls_context *ctx = tls_get_ctx(sk);
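
Review bot: tls_free_partial_record() is now a shared, non-static helper, but nothing documents what its bool return means, and the caller in tls_sw.c relies on it to decide whether to remove the head of tx_list. Add a short comment above the function stating that it returns true when a partially sent record was present and has been freed, and that it clears ctx->partially_sent_record.
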
@@ -278,6 +298,8 @@ static void tls_sk_proto_close(struct so
 		kfree(ctx->tx.rec_seq);
 		kfree(ctx->tx.iv);
 		tls_sw_free_resources_tx(sk);
+	} else if (ctx->tx_conf == TLS_HW) {
+		tls_device_free_resources_tx(sk);
 	}
 
 	if (ctx->rx_conf == TLS_SW) {
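
Review bot: the new else-if branch in tls_sk_proto_close() uses TLS_HW and tls_device_free_resources_tx() unconditionally, and per 025/115 in this series neither is available when CONFIG_TLS_DEVICE=n, so this patch on its own breaks the build in that configuration. The two patches need to be applied together, or the guard folded into this one.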
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1804,20 +1804,7 @@ void tls_sw_free_resources_tx(struct soc
 	/* Free up un-sent records in tx_list. First, free
 	 * the partially sent record if any at head of tx_list.
 	 */
-	if (tls_ctx->partially_sent_record) {
-		struct scatterlist *sg = tls_ctx->partially_sent_record;
-
-		while (1) {
-			put_page(sg_page(sg));
-			sk_mem_uncharge(sk, sg->length);
-
-			if (sg_is_last(sg))
-				break;
-			sg++;
-		}
-
-		tls_ctx->partially_sent_record = NULL;
-
+	if (tls_free_partial_record(sk, tls_ctx)) {
 		rec = list_first_entry(&ctx->tx_list,
 				       struct tls_rec, list);
 		list_del(&rec->list);




* [PATCH 5.0 024/115] net: strparser: partially revert "strparser: Call skb_unclone conditionally"
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 023/115] net/tls: dont leak partially sent record in device mode Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 025/115] net/tls: fix build without CONFIG_TLS_DEVICE Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Dirk van der Merwe,
	Eric Dumazet, David S. Miller

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 4a9c2e3746e6151fd5d077259d79ce9ca86d47d7 ]

This reverts the first part of commit 4e485d06bb8c ("strparser: Call
skb_unclone conditionally").  To build a message with multiple
fragments we need our own root of frag_list.  We can't simply
use the frag_list of orig_skb, because it will lead to linking
all orig_skbs together creating very long frag chains, and causing
stack overflow on kfree_skb() (which is called recursively on
the frag_lists).

BUG: stack guard page was hit at 00000000d40fad41 (stack is 0000000029dde9f4..000000008cce03d5)
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
RIP: 0010:free_one_page+0x2b/0x490

Call Trace:
  __free_pages_ok+0x143/0x2c0
  skb_release_data+0x8e/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0

  [...]

  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  ? skb_release_data+0xad/0x140
  kfree_skb+0x32/0xb0
  skb_release_data+0xad/0x140
  __kfree_skb+0xe/0x20
  tcp_disconnect+0xd6/0x4d0
  tcp_close+0xf4/0x430
  ? tcp_check_oom+0xf0/0xf0
  tls_sk_proto_close+0xe4/0x1e0 [tls]
  inet_release+0x36/0x60
  __sock_release+0x37/0xa0
  sock_close+0x11/0x20
  __fput+0xa2/0x1d0
  task_work_run+0x89/0xb0
  exit_to_usermode_loop+0x9a/0xa0
  do_syscall_64+0xc0/0xf0
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Let's leave the second unclone conditional, as I'm not entirely
sure what its purpose is :)

Fixes: 4e485d06bb8c ("strparser: Call skb_unclone conditionally")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/strparser/strparser.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/net/strparser/strparser.c
+++ b/net/strparser/strparser.c
@@ -140,13 +140,11 @@ static int __strp_recv(read_descriptor_t
 			/* We are going to append to the frags_list of head.
 			 * Need to unshare the frag_list.
 			 */
-			if (skb_has_frag_list(head)) {
-				err = skb_unclone(head, GFP_ATOMIC);
-				if (err) {
-					STRP_STATS_INCR(strp->stats.mem_fail);
-					desc->error = err;
-					return 0;
-				}
+			err = skb_unclone(head, GFP_ATOMIC);
+			if (err) {
+				STRP_STATS_INCR(strp->stats.mem_fail);
+				desc->error = err;
+				return 0;
 			}
 
 			if (unlikely(skb_shinfo(head)->frag_list)) {
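
Review bot: the comment above the now unconditional skb_unclone() only says "Need to unshare the frag_list" and does not explain why the skb_has_frag_list(head) test must not come back. Because that test looks like a harmless optimisation, add a sentence saying that head needs its own frag_list root, since otherwise the orig_skbs get linked together and kfree_skb() recurses down the resulting chain.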




* [PATCH 5.0 025/115] net/tls: fix build without CONFIG_TLS_DEVICE
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 024/115] net: strparser: partially revert "strparser: Call skb_unclone conditionally" Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 026/115] net: bridge: fix netlink export of vlan_stats_per_port option Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, David S. Miller

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit 903f1a187776bb8d79b13618ec05b25f86318885 ]

buildbot noticed that TLS_HW is not defined if CONFIG_TLS_DEVICE=n.
Wrap the cleanup branch into an ifdef, tls_device_free_resources_tx()
wouldn't be compiled either in this case.

Fixes: 35b71a34ada6 ("net/tls: don't leak partially sent record in device mode")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tls/tls_main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -298,8 +298,10 @@ static void tls_sk_proto_close(struct so
 		kfree(ctx->tx.rec_seq);
 		kfree(ctx->tx.iv);
 		tls_sw_free_resources_tx(sk);
+#ifdef CONFIG_TLS_DEVICE
 	} else if (ctx->tx_conf == TLS_HW) {
 		tls_device_free_resources_tx(sk);
+#endif
 	}
 
 	if (ctx->rx_conf == TLS_SW) {
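
Review bot: the #ifdef CONFIG_TLS_DEVICE opens after the last statement of the TLS_SW body and before "} else if", so the preprocessor block cuts through the middle of the if/else chain in tls_sk_proto_close(), which is hard to read and easy to break when a branch is added. Consider making TLS_HW and a no-op tls_device_free_resources_tx() stub available in the header for CONFIG_TLS_DEVICE=n so the chain needs no #ifdef.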




* [PATCH 5.0 026/115] net: bridge: fix netlink export of vlan_stats_per_port option
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 025/115] net/tls: fix build without CONFIG_TLS_DEVICE Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 027/115] net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Aleksandrov, David S. Miller

From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>

[ Upstream commit 600bea7dba1a72874ae0cd9bc66bf2abfe43b49d ]

Since the introduction of the vlan_stats_per_port option the netlink
export of it has been broken since I made a typo and used the ifla
attribute instead of the bridge option to retrieve its state.
Sysfs export is fine, only netlink export has been affected.

Fixes: 9163a0fc1f0c0 ("net: bridge: add support for per-port vlan stats")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bridge/br_netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -1441,7 +1441,7 @@ static int br_fill_info(struct sk_buff *
 	    nla_put_u8(skb, IFLA_BR_VLAN_STATS_ENABLED,
 		       br_opt_get(br, BROPT_VLAN_STATS_ENABLED)) ||
 	    nla_put_u8(skb, IFLA_BR_VLAN_STATS_PER_PORT,
-		       br_opt_get(br, IFLA_BR_VLAN_STATS_PER_PORT)))
+		       br_opt_get(br, BROPT_VLAN_STATS_PER_PORT)))
 		return -EMSGSIZE;
 #endif
 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
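
Review bot: nothing guards against a repeat of this mix-up: each nla_put_u8() in br_fill_info() pairs an IFLA_BR_* attribute with a BROPT_* option, and passing the IFLA_ constant to br_opt_get() went unnoticed until now. Since the sysfs export was unaffected, a test that reads vlan_stats_per_port over netlink and compares it with the sysfs value would catch it.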




* [PATCH 5.0 027/115] net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 026/115] net: bridge: fix netlink export of vlan_stats_per_port option Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 028/115] net/mlx5e: Protect against non-uplink representor for encap Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tariq Toukan, Saeed Mahameed

From: Saeed Mahameed <saeedm@mellanox.com>

[ Upstream commit 5d0bb3bac4b9f6c22280b04545626fdfd99edc6b ]

XDP programs might change packet data contents which will make the
reported skb checksum (checksum complete) invalid.

When XDP programs are loaded/unloaded set/clear rx RQs
MLX5E_RQ_STATE_NO_CSUM_COMPLETE flag.

Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support")
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c |    3 ++-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c    |    6 +++++-
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c      |    3 ++-
 3 files changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
@@ -1665,7 +1665,8 @@ static int set_pflag_rx_no_csum_complete
 	struct mlx5e_channel *c;
 	int i;
 
-	if (!test_bit(MLX5E_STATE_OPENED, &priv->state))
+	if (!test_bit(MLX5E_STATE_OPENED, &priv->state) ||
+	    priv->channels.params.xdp_prog)
 		return 0;
 
 	for (i = 0; i < channels->num; i++) {
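
Review bot: in set_pflag_rx_no_csum_complete() the new priv->channels.params.xdp_prog test returns 0 with no comment, so a user who clears the private flag while an XDP program is attached gets success and no change on the RQs. A one-line comment here saying that XDP forces MLX5E_RQ_STATE_NO_CSUM_COMPLETE (the en_main.c hunk has one) would explain why the per-channel loop is skipped.
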
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -950,7 +950,11 @@ static int mlx5e_open_rq(struct mlx5e_ch
 	if (params->rx_dim_enabled)
 		__set_bit(MLX5E_RQ_STATE_AM, &c->rq.state);
 
-	if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_NO_CSUM_COMPLETE))
+	/* We disable csum_complete when XDP is enabled since
+	 * XDP programs might manipulate packets which will render
+	 * skb->checksum incorrect.
+	 */
+	if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_NO_CSUM_COMPLETE) || c->xdp)
 		__set_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &c->rq.state);
 
 	return 0;
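
Review bot: the condition in mlx5e_open_rq() tests c->xdp, while the en_ethtool.c hunk tests priv->channels.params.xdp_prog for the same "XDP program loaded" state. Using one helper for both, or naming both fields in the new comment, would make it clear that the two sites must agree; otherwise the bit set here at RQ open could later be cleared through the priv-flag path.
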
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -753,7 +753,8 @@ static inline void mlx5e_handle_csum(str
 		return;
 	}
 
-	if (unlikely(test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state)))
+	/* True when explicitly set via priv flag, or XDP prog is loaded */
+	if (test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state))
 		goto csum_unnecessary;
 
 	/* CQE csum doesn't cover padding octets in short ethernet
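
Review bot: the unlikely() hint is dropped from the MLX5E_RQ_STATE_NO_CSUM_COMPLETE test in mlx5e_handle_csum(), but the changelog does not mention it. The new comment explains why the bit may now be set routinely; a sentence in the commit message saying the branch hint was removed for that reason would make the change easier to audit in a stable backport.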




* [PATCH 5.0 028/115] net/mlx5e: Protect against non-uplink representor for encap
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmytro Linkin, Eli Britstein,
	Vlad Buslov, Roi Dayan, Saeed Mahameed

From: Dmytro Linkin <dmitrolin@mellanox.com>

[ Upstream commit 5e0060b1491b299b1706414e61ede0b02265680e ]

TC encap offload is supported only for the physical uplink
representor. Fail for non uplink representor.

Fixes: 3e621b19b0bb ("net/mlx5e: Support TC encapsulation offloads with upper devices")
Signed-off-by: Dmytro Linkin <dmitrolin@mellanox.com>
Reviewed-by: Eli Britstein <elibr@mellanox.com>
Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
@@ -39,6 +39,10 @@ static int get_route_and_out_devs(struct
 			return -EOPNOTSUPP;
 	}
 
+	if (!(mlx5e_eswitch_rep(*out_dev) &&
+	      mlx5e_is_uplink_rep(netdev_priv(*out_dev))))
+		return -EOPNOTSUPP;
+
 	return 0;
 }
 
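
Review bot: the new check in get_route_and_out_devs() depends on && short-circuiting, so that netdev_priv(*out_dev) is only interpreted as mlx5e private data once mlx5e_eswitch_rep(*out_dev) has accepted the device. A short comment to that effect, or splitting the test into two ifs, would keep a later cleanup from reordering the operands. The failure also reuses -EOPNOTSUPP from the earlier path in this function, so callers cannot tell the two rejections apart; fine if none need to.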




* [PATCH 5.0 029/115] net/mlx5e: Switch to Toeplitz RSS hash by default
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov, Tariq Toukan,
	Moshe Shemesh, Saeed Mahameed

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

[ Upstream commit 7ee2ace9c544a0886e02b54b625e521df8692d20 ]

Although XOR hash function can perform very well on some special use
cases, to align with all drivers, mlx5 driver should use Toeplitz hash
by default.
Toeplitz is more stable for the general use case and it is more standard
and reliable.

On top of that, XOR (MLX5_RX_HASH_FN_INVERTED_XOR8) gives only a
repeated 8 bits pattern. When used for udp tunneling RSS source port
manipulation it results in fixed source port, which will cause bad RSS
spread.

Fixes: 2be6967cdbc9 ("net/mlx5e: Support ETH_RSS_HASH_XOR")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -4574,7 +4574,7 @@ void mlx5e_build_rss_params(struct mlx5e
 {
 	enum mlx5e_traffic_types tt;
 
-	rss_params->hfunc = ETH_RSS_HASH_XOR;
+	rss_params->hfunc = ETH_RSS_HASH_TOP;
 	netdev_rss_key_fill(rss_params->toeplitz_hash_key,
 			    sizeof(rss_params->toeplitz_hash_key));
 	mlx5e_build_default_indir_rqt(rss_params->indirection_rqt,
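
Review bot: switching the default rss_params->hfunc to ETH_RSS_HASH_TOP changes how existing flows are spread across queues on upgrade, and the changelog does not say whether XOR remains selectable for users who relied on it. For a stable backport a sentence on that would help operators who see the queue distribution shift. The Toeplitz key is already filled by netdev_rss_key_fill() on the following lines, so nothing else in this function needs to change.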




* [PATCH 5.0 030/115] net/mlx5e: Rx, Fixup skb checksum for packets with tail padding
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Tariq Toukan, Saeed Mahameed

From: Saeed Mahameed <saeedm@mellanox.com>

[ Upstream commit 0aa1d18615c163f92935b806dcaff9157645233a ]

When an ethernet frame with ip payload is padded, the padding octets are
not covered by the hardware checksum.

Prior to the cited commit, skb checksum was forced to be CHECKSUM_NONE
when padding is detected. After it, the kernel will try to trim the
padding bytes and subtract their checksum from skb->csum.

In this patch we fixup skb->csum for any ip packet with tail padding of
any size, if any padding found.
FCS case is just one special case of this general purpose patch, hence,
it is removed.

Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends"),
Cc: Eric Dumazet <edumazet@google.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c    |   79 +++++++++++++++++----
 drivers/net/ethernet/mellanox/mlx5/core/en_stats.c |    6 +
 drivers/net/ethernet/mellanox/mlx5/core/en_stats.h |    4 +
 3 files changed, 74 insertions(+), 15 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -713,17 +713,6 @@ static inline void mlx5e_enable_ecn(stru
 	rq->stats->ecn_mark += !!rc;
 }
 
-static u32 mlx5e_get_fcs(const struct sk_buff *skb)
-{
-	const void *fcs_bytes;
-	u32 _fcs_bytes;
-
-	fcs_bytes = skb_header_pointer(skb, skb->len - ETH_FCS_LEN,
-				       ETH_FCS_LEN, &_fcs_bytes);
-
-	return __get_unaligned_cpu32(fcs_bytes);
-}
-
 static u8 get_ip_proto(struct sk_buff *skb, int network_depth, __be16 proto)
 {
 	void *ip_p = skb->data + network_depth;
@@ -734,6 +723,68 @@ static u8 get_ip_proto(struct sk_buff *s
 
 #define short_frame(size) ((size) <= ETH_ZLEN + ETH_FCS_LEN)
 
+#define MAX_PADDING 8
+
+static void
+tail_padding_csum_slow(struct sk_buff *skb, int offset, int len,
+		       struct mlx5e_rq_stats *stats)
+{
+	stats->csum_complete_tail_slow++;
+	skb->csum = csum_block_add(skb->csum,
+				   skb_checksum(skb, offset, len, 0),
+				   offset);
+}
+
+static void
+tail_padding_csum(struct sk_buff *skb, int offset,
+		  struct mlx5e_rq_stats *stats)
+{
+	u8 tail_padding[MAX_PADDING];
+	int len = skb->len - offset;
+	void *tail;
+
+	if (unlikely(len > MAX_PADDING)) {
+		tail_padding_csum_slow(skb, offset, len, stats);
+		return;
+	}
+
+	tail = skb_header_pointer(skb, offset, len, tail_padding);
+	if (unlikely(!tail)) {
+		tail_padding_csum_slow(skb, offset, len, stats);
+		return;
+	}
+
+	stats->csum_complete_tail++;
+	skb->csum = csum_block_add(skb->csum, csum_partial(tail, len, 0), offset);
+}
+
+static void
+mlx5e_skb_padding_csum(struct sk_buff *skb, int network_depth, __be16 proto,
+		       struct mlx5e_rq_stats *stats)
+{
+	struct ipv6hdr *ip6;
+	struct iphdr   *ip4;
+	int pkt_len;
+
+	switch (proto) {
+	case htons(ETH_P_IP):
+		ip4 = (struct iphdr *)(skb->data + network_depth);
+		pkt_len = network_depth + ntohs(ip4->tot_len);
+		break;
+	case htons(ETH_P_IPV6):
+		ip6 = (struct ipv6hdr *)(skb->data + network_depth);
+		pkt_len = network_depth + sizeof(*ip6) + ntohs(ip6->payload_len);
+		break;
+	default:
+		return;
+	}
+
+	if (likely(pkt_len >= skb->len))
+		return;
+
+	tail_padding_csum(skb, pkt_len, stats);
+}
+
 static inline void mlx5e_handle_csum(struct net_device *netdev,
 				     struct mlx5_cqe64 *cqe,
 				     struct mlx5e_rq *rq,
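
Review bot: mlx5e_skb_padding_csum() reads ip4->tot_len and ip6->payload_len straight from skb->data + network_depth, and nothing in this hunk checks that the IP header lies in the linear part of the skb. Both length fields come from the wire, so pkt_len is untrusted. The len > MAX_PADDING branch and the NULL check on skb_header_pointer() bound the fast path, but the header dereference itself needs a pskb_may_pull() first, or a comment stating that the caller guarantees it. A tot_len or payload_len smaller than the real packet also sends most of the frame through tail_padding_csum_slow(), so a sanity check against the header size may be worth adding.
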
@@ -782,10 +833,8 @@ static inline void mlx5e_handle_csum(str
 			skb->csum = csum_partial(skb->data + ETH_HLEN,
 						 network_depth - ETH_HLEN,
 						 skb->csum);
-		if (unlikely(netdev->features & NETIF_F_RXFCS))
-			skb->csum = csum_block_add(skb->csum,
-						   (__force __wsum)mlx5e_get_fcs(skb),
-						   skb->len - ETH_FCS_LEN);
+
+		mlx5e_skb_padding_csum(skb, network_depth, proto, stats);
 		stats->csum_complete++;
 		return;
 	}
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
@@ -59,6 +59,8 @@ static const struct counter_desc sw_stat
 	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_unnecessary) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_none) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete) },
+	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete_tail) },
+	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete_tail_slow) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_unnecessary_inner) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_xdp_drop) },
 	{ MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_xdp_redirect) },
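
Review bot: the two new counters, rx_csum_complete_tail and rx_csum_complete_tail_slow, are added to sw_stats_desc with no description anywhere in the patch. A line in the changelog or the driver documentation saying that the first counts padded packets fixed up on the fast path and the second those that fell back to skb_checksum() would make them usable for monitoring, since a rising _tail_slow count is the signal that padding longer than MAX_PADDING is arriving.
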
@@ -151,6 +153,8 @@ void mlx5e_grp_sw_update_stats(struct ml
 		s->rx_removed_vlan_packets += rq_stats->removed_vlan_packets;
 		s->rx_csum_none	+= rq_stats->csum_none;
 		s->rx_csum_complete += rq_stats->csum_complete;
+		s->rx_csum_complete_tail += rq_stats->csum_complete_tail;
+		s->rx_csum_complete_tail_slow += rq_stats->csum_complete_tail_slow;
 		s->rx_csum_unnecessary += rq_stats->csum_unnecessary;
 		s->rx_csum_unnecessary_inner += rq_stats->csum_unnecessary_inner;
 		s->rx_xdp_drop     += rq_stats->xdp_drop;
@@ -1192,6 +1196,8 @@ static const struct counter_desc rq_stat
 	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, packets) },
 	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, bytes) },
 	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete) },
+	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete_tail) },
+	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete_tail_slow) },
 	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_unnecessary) },
 	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_unnecessary_inner) },
 	{ MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_none) },
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
@@ -71,6 +71,8 @@ struct mlx5e_sw_stats {
 	u64 rx_csum_unnecessary;
 	u64 rx_csum_none;
 	u64 rx_csum_complete;
+	u64 rx_csum_complete_tail;
+	u64 rx_csum_complete_tail_slow;
 	u64 rx_csum_unnecessary_inner;
 	u64 rx_xdp_drop;
 	u64 rx_xdp_redirect;
@@ -181,6 +183,8 @@ struct mlx5e_rq_stats {
 	u64 packets;
 	u64 bytes;
 	u64 csum_complete;
+	u64 csum_complete_tail;
+	u64 csum_complete_tail_slow;
 	u64 csum_unnecessary;
 	u64 csum_unnecessary_inner;
 	u64 csum_none;




* [PATCH 5.0 031/115] net/mlx5e: Rx, Check ip headers sanity
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cong Wang, Tariq Toukan, Saeed Mahameed

From: Saeed Mahameed <saeedm@mellanox.com>

[ Upstream commit 0318a7b7fcad9765931146efa7ca3a034194737c ]

In the two places is_last_ethertype_ip is being called, the caller will
be looking inside the ip header, to be safe, add ip{4,6} header sanity
check. And return true only on valid ip headers, i.e: the whole header
is contained in the linear part of the skb.

Note: Such situation is very rare and hard to reproduce, since mlx5e
allocates a large enough headroom to contain the largest header one can
imagine.

Fixes: fe1dc069990c ("net/mlx5e: don't set CHECKSUM_COMPLETE on SCTP packets")
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -693,7 +693,14 @@ static inline bool is_last_ethertype_ip(
 {
 	*proto = ((struct ethhdr *)skb->data)->h_proto;
 	*proto = __vlan_get_protocol(skb, *proto, network_depth);
-	return (*proto == htons(ETH_P_IP) || *proto == htons(ETH_P_IPV6));
+
+	if (*proto == htons(ETH_P_IP))
+		return pskb_may_pull(skb, *network_depth + sizeof(struct iphdr));
+
+	if (*proto == htons(ETH_P_IPV6))
+		return pskb_may_pull(skb, *network_depth + sizeof(struct ipv6hdr));
+
+	return false;
 }
 
 static inline void mlx5e_enable_ecn(struct mlx5e_rq *rq, struct sk_buff *skb)
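
Review bot: pskb_may_pull() is asked for sizeof(struct iphdr) only, which covers the fixed IPv4 header and not any options, so a caller that reads past the first 20 bytes still needs its own check. The function also gains a side effect: the pull may reallocate the skb head, so callers must not hold pointers into skb->data across the call. A comment on is_last_ethertype_ip() saying so would help, given that the name reads like a pure predicate.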




* [PATCH 5.0 032/115] Revert "net/mlx5e: Enable reporting checksum unnecessary also for L3 packets"
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Or Gerlitz, Avi Urman, Tariq Toukan,
	Saeed Mahameed

From: Or Gerlitz <ogerlitz@mellanox.com>

[ Upstream commit 8c8811d46d00d119ffbe039a6e52a0b504df1c2c ]

This reverts commit b820e6fb0978f9c2ac438c199d2bb2f35950e9c9.

Prior to the commit we are reverting, checksum unnecessary was only set when
both the L3 OK and L4 OK bits are set on the CQE. This caused packets
of IP protocols such as SCTP which are not dealt with by the current HW L4
parser (hence the L4 OK bit is not set, but the L4 header type none bit
is set) to go through the checksum none code, where currently we wrongly
report checksum unnecessary for them, a regression. Fix this by a revert.

Note that on our usual track we report checksum complete, so the revert
isn't expected to have any notable performance impact. Also, when we are
not on the checksum complete track, the L4 protocols for which we report
checksum none are not high performance ones, we will still report
checksum unnecessary for UDP/TCP.

Fixes: b820e6fb0978 ("net/mlx5e: Enable reporting checksum unnecessary also for L3 packets")
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reported-by: Avi Urman <aviu@mellanox.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -848,8 +848,7 @@ static inline void mlx5e_handle_csum(str
 
 csum_unnecessary:
 	if (likely((cqe->hds_ip_ext & CQE_L3_OK) &&
-		   ((cqe->hds_ip_ext & CQE_L4_OK) ||
-		    (get_cqe_l4_hdr_type(cqe) == CQE_L4_HDR_TYPE_NONE)))) {
+		   (cqe->hds_ip_ext & CQE_L4_OK))) {
 		skb->ip_summed = CHECKSUM_UNNECESSARY;
 		if (cqe_is_tunneled(cqe)) {
 			skb->csum_level = 1;
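
Review bot: after the revert the csum_unnecessary test requires both CQE_L3_OK and CQE_L4_OK, but nothing in the code says why CQE_L4_HDR_TYPE_NONE must not qualify. This condition has now changed twice, so a comment noting that packets whose L4 header the hardware did not parse (SCTP in the changelog) carry no validated L4 checksum would keep the clause from being reintroduced as an optimisation.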




* [PATCH 5.0 033/115] net/mlx5: FPGA, tls, hold rcu read lock a bit longer
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Saeed Mahameed

From: Saeed Mahameed <saeedm@mellanox.com>

[ Upstream commit 31634bf5dcc418b5b2cacd954394c0c4620db6a2 ]

To avoid use-after-free, hold the rcu read lock until we are done copying
flow data into the command buffer.

Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
@@ -217,22 +217,22 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_
 	void *cmd;
 	int ret;
 
-	rcu_read_lock();
-	flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
-	rcu_read_unlock();
-
-	if (!flow) {
-		WARN_ONCE(1, "Received NULL pointer for handle\n");
-		return -EINVAL;
-	}
-
 	buf = kzalloc(size, GFP_ATOMIC);
 	if (!buf)
 		return -ENOMEM;
 
 	cmd = (buf + 1);
 
+	rcu_read_lock();
+	flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
+	if (unlikely(!flow)) {
+		rcu_read_unlock();
+		WARN_ONCE(1, "Received NULL pointer for handle\n");
+		kfree(buf);
+		return -EINVAL;
+	}
 	mlx5_fpga_tls_flow_to_cmd(flow, cmd);
+	rcu_read_unlock();
 
 	MLX5_SET(tls_cmd, cmd, swid, ntohl(handle));
 	MLX5_SET64(tls_cmd, cmd, tls_rcd_sn, be64_to_cpu(rcd_sn));
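
Review bot: extending the rcu_read_lock() section over mlx5_fpga_tls_flow_to_cmd(flow, cmd) only prevents the use-after-free if the delete side waits for a grace period before freeing the flow, and nothing in this hunk shows that it does. The changelog should name the change that provides that guarantee. The error path correctly calls rcu_read_unlock() and kfree(buf) before returning, though moving the kzalloc() ahead of the lookup means an unknown handle now costs an allocation and a free.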




* [PATCH 5.0 034/115] net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Dirk van der Merwe,
	Simon Horman, David S. Miller

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit b4f47f3848eb70986f75d06112af7b48b7f5f462 ]

Unlike '&&' operator, the '&' does not have short-circuit
evaluation semantics.  IOW both sides of the operator always
get evaluated.  Fix the wrong operator in
tls_is_sk_tx_device_offloaded(), which would lead to
out-of-bounds access for non-full sockets.

Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/tls.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -366,7 +366,7 @@ tls_validate_xmit_skb(struct sock *sk, s
 static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
 {
 #ifdef CONFIG_SOCK_VALIDATE_XMIT
-	return sk_fullsock(sk) &
+	return sk_fullsock(sk) &&
 	       (smp_load_acquire(&sk->sk_validate_xmit_skb) ==
 	       &tls_validate_xmit_skb);
 #else
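
Review bot: the guard in tls_is_sk_tx_device_offloaded() depends on short-circuit evaluation, but nothing in the code says so. With & the smp_load_acquire(&sk->sk_validate_xmit_skb) ran even when sk_fullsock(sk) was false, which is the out-of-bounds read the changelog describes. Because both operands are boolean-valued, the bitwise form still returned the right answer on full sockets, which makes the mistake easy to miss in review; a comment that sk_validate_xmit_skb may only be read on a full socket would make the ordering requirement explicit.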




* [PATCH 5.0 035/115] net/mlx5: FPGA, tls, idr remove on flow delete
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Saeed Mahameed

From: Saeed Mahameed <saeedm@mellanox.com>

[ Upstream commit df3a8344d404a810b4aadbf19b08c8232fbaa715 ]

Flow is kfreed on mlx5_fpga_tls_del_flow but kept in the idr data
structure, this is risky and can cause use-after-free, since the
idr_remove is delayed until tls_send_teardown_cmd completion.

Instead of delaying idr_remove, in this patch we do it on
mlx5_fpga_tls_del_flow, before actually kfree(flow).

Added synchronize_rcu before kfree(flow)

Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c |   43 +++++++--------------
 1 file changed, 15 insertions(+), 28 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
@@ -148,14 +148,16 @@ static int mlx5_fpga_tls_alloc_swid(stru
 	return ret;
 }
 
-static void mlx5_fpga_tls_release_swid(struct idr *idr,
-				       spinlock_t *idr_spinlock, u32 swid)
+static void *mlx5_fpga_tls_release_swid(struct idr *idr,
+					spinlock_t *idr_spinlock, u32 swid)
 {
 	unsigned long flags;
+	void *ptr;
 
 	spin_lock_irqsave(idr_spinlock, flags);
-	idr_remove(idr, swid);
+	ptr = idr_remove(idr, swid);
 	spin_unlock_irqrestore(idr_spinlock, flags);
+	return ptr;
 }
 
 static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn,
@@ -165,20 +167,12 @@ static void mlx_tls_kfree_complete(struc
 	kfree(buf);
 }
 
-struct mlx5_teardown_stream_context {
-	struct mlx5_fpga_tls_command_context cmd;
-	u32 swid;
-};
-
 static void
 mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn,
 				  struct mlx5_fpga_device *fdev,
 				  struct mlx5_fpga_tls_command_context *cmd,
 				  struct mlx5_fpga_dma_buf *resp)
 {
-	struct mlx5_teardown_stream_context *ctx =
-		    container_of(cmd, struct mlx5_teardown_stream_context, cmd);
-
 	if (resp) {
 		u32 syndrome = MLX5_GET(tls_resp, resp->sg[0].data, syndrome);
 
@@ -186,14 +180,6 @@ mlx5_fpga_tls_teardown_completion(struct
 			mlx5_fpga_err(fdev,
 				      "Teardown stream failed with syndrome = %d",
 				      syndrome);
-		else if (MLX5_GET(tls_cmd, cmd->buf.sg[0].data, direction_sx))
-			mlx5_fpga_tls_release_swid(&fdev->tls->tx_idr,
-						   &fdev->tls->tx_idr_spinlock,
-						   ctx->swid);
-		else
-			mlx5_fpga_tls_release_swid(&fdev->tls->rx_idr,
-						   &fdev->tls->rx_idr_spinlock,
-						   ctx->swid);
 	}
 	mlx5_fpga_tls_put_command_ctx(cmd);
 }
@@ -253,7 +239,7 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_
 static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev,
 					    void *flow, u32 swid, gfp_t flags)
 {
-	struct mlx5_teardown_stream_context *ctx;
+	struct mlx5_fpga_tls_command_context *ctx;
 	struct mlx5_fpga_dma_buf *buf;
 	void *cmd;
 
@@ -261,7 +247,7 @@ static void mlx5_fpga_tls_send_teardown_
 	if (!ctx)
 		return;
 
-	buf = &ctx->cmd.buf;
+	buf = &ctx->buf;
 	cmd = (ctx + 1);
 	MLX5_SET(tls_cmd, cmd, command_type, CMD_TEARDOWN_STREAM);
 	MLX5_SET(tls_cmd, cmd, swid, swid);
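
Review bot: the "if (!ctx) return;" path in mlx5_fpga_tls_send_teardown_cmd() now runs after mlx5_fpga_tls_del_flow() has already taken the flow out of the idr, so on allocation failure the flow pointer is no longer reachable through the idr and, as far as these hunks show, is not freed. Either free flow on that path or state where it is released, and note that in this case the teardown command never reaches the device.
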
@@ -272,8 +258,7 @@ static void mlx5_fpga_tls_send_teardown_
 	buf->sg[0].data = cmd;
 	buf->sg[0].size = MLX5_TLS_COMMAND_SIZE;
 
-	ctx->swid = swid;
-	mlx5_fpga_tls_cmd_send(mdev->fpga, &ctx->cmd,
+	mlx5_fpga_tls_cmd_send(mdev->fpga, ctx,
 			       mlx5_fpga_tls_teardown_completion);
 }
 
@@ -283,13 +268,14 @@ void mlx5_fpga_tls_del_flow(struct mlx5_
 	struct mlx5_fpga_tls *tls = mdev->fpga->tls;
 	void *flow;
 
-	rcu_read_lock();
 	if (direction_sx)
-		flow = idr_find(&tls->tx_idr, swid);
+		flow = mlx5_fpga_tls_release_swid(&tls->tx_idr,
+						  &tls->tx_idr_spinlock,
+						  swid);
 	else
-		flow = idr_find(&tls->rx_idr, swid);
-
-	rcu_read_unlock();
+		flow = mlx5_fpga_tls_release_swid(&tls->rx_idr,
+						  &tls->rx_idr_spinlock,
+						  swid);
 
 	if (!flow) {
 		mlx5_fpga_err(mdev->fpga, "No flow information for swid %u\n",
@@ -297,6 +283,7 @@ void mlx5_fpga_tls_del_flow(struct mlx5_
 		return;
 	}
 
+	synchronize_rcu(); /* before kfree(flow) */
 	mlx5_fpga_tls_send_teardown_cmd(mdev, flow, swid, flags);
 }
 
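
Review bot: synchronize_rcu() can sleep, yet mlx5_fpga_tls_del_flow() passes a gfp_t flags value on to the teardown command, which suggests some callers may run in atomic context. Please confirm that every caller can block, or free the flow from an RCU callback instead. The comment "before kfree(flow)" also refers to a kfree that is not in this function; naming where it happens would let a reader verify that the grace period really precedes it.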




* [PATCH 5.0 036/115] route: Avoid crash from dereferencing NULL rt->from
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Lemon, Eric Dumazet,
	David Ahern, Martin KaFai Lau, David S. Miller

From: Jonathan Lemon <jonathan.lemon@gmail.com>

[ Upstream commit 9c69a13205151c0d801de9f9d83a818e6e8f60ec ]

When __ip6_rt_update_pmtu() is called, rt->from is RCU dereferenced, but is
never checked for null - rt6_flush_exceptions() may have removed the entry.

[ 1913.989004] RIP: 0010:ip6_rt_cache_alloc+0x13/0x170
[ 1914.209410] Call Trace:
[ 1914.214798]  <IRQ>
[ 1914.219226]  __ip6_rt_update_pmtu+0xb0/0x190
[ 1914.228649]  ip6_tnl_xmit+0x2c2/0x970 [ip6_tunnel]
[ 1914.239223]  ? ip6_tnl_parse_tlv_enc_lim+0x32/0x1a0 [ip6_tunnel]
[ 1914.252489]  ? __gre6_xmit+0x148/0x530 [ip6_gre]
[ 1914.262678]  ip6gre_tunnel_xmit+0x17e/0x3c7 [ip6_gre]
[ 1914.273831]  dev_hard_start_xmit+0x8d/0x1f0
[ 1914.283061]  sch_direct_xmit+0xfa/0x230
[ 1914.291521]  __qdisc_run+0x154/0x4b0
[ 1914.299407]  net_tx_action+0x10e/0x1f0
[ 1914.307678]  __do_softirq+0xca/0x297
[ 1914.315567]  irq_exit+0x96/0xa0
[ 1914.322494]  smp_apic_timer_interrupt+0x68/0x130
[ 1914.332683]  apic_timer_interrupt+0xf/0x20
[ 1914.341721]  </IRQ>

Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
Signed-off-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Reviewed-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/route.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2336,6 +2336,10 @@ static void __ip6_rt_update_pmtu(struct
 
 		rcu_read_lock();
 		from = rcu_dereference(rt6->from);
+		if (!from) {
+			rcu_read_unlock();
+			return;
+		}
 		nrt6 = ip6_rt_cache_alloc(from, daddr, saddr);
 		if (nrt6) {
 			rt6_do_update_pmtu(nrt6, mtu);
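
Review bot: the new !from branch in __ip6_rt_update_pmtu() returns silently, so the PMTU update is dropped for this packet with no trace. A short comment naming rt6_flush_exceptions() as the reason from can be NULL would save the next reader from digging it out of the changelog. The early "rcu_read_unlock(); return;" also adds a second unlock site; a goto to a common unlock label would keep lock and unlock paired in one place.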




* [PATCH 5.0 037/115] nfp: flower: replace CFI with vlan present
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pieter Jansen van Vuuren, Louis Peens

From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>

[ Upstream commit f7ee799a51ddbcc205ef615fe424fb5084e9e0aa ]

Replace vlan CFI bit with a vlan present bit that indicates the
presence of a vlan tag. Previously the driver incorrectly assumed
that a vlan id of 0 is not matchable, therefore we indicate vlan
presence with a vlan present bit.

Fixes: 5571e8c9f241 ("nfp: extend flower matching capabilities")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Signed-off-by: Louis Peens <louis.peens@netronome.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/netronome/nfp/flower/cmsg.h  |    2 +-
 drivers/net/ethernet/netronome/nfp/flower/match.c |   14 ++++++--------
 2 files changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
@@ -26,7 +26,7 @@
 #define NFP_FLOWER_LAYER2_GENEVE_OP	BIT(6)
 
 #define NFP_FLOWER_MASK_VLAN_PRIO	GENMASK(15, 13)
-#define NFP_FLOWER_MASK_VLAN_CFI	BIT(12)
+#define NFP_FLOWER_MASK_VLAN_PRESENT	BIT(12)
 #define NFP_FLOWER_MASK_VLAN_VID	GENMASK(11, 0)
 
 #define NFP_FLOWER_MASK_MPLS_LB		GENMASK(31, 12)
--- a/drivers/net/ethernet/netronome/nfp/flower/match.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/match.c
@@ -26,14 +26,12 @@ nfp_flower_compile_meta_tci(struct nfp_f
 						      FLOW_DISSECTOR_KEY_VLAN,
 						      target);
 		/* Populate the tci field. */
-		if (flow_vlan->vlan_id || flow_vlan->vlan_priority) {
-			tmp_tci = FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO,
-					     flow_vlan->vlan_priority) |
-				  FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID,
-					     flow_vlan->vlan_id) |
-				  NFP_FLOWER_MASK_VLAN_CFI;
-			frame->tci = cpu_to_be16(tmp_tci);
-		}
+		tmp_tci = NFP_FLOWER_MASK_VLAN_PRESENT;
+		tmp_tci |= FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO,
+				      flow_vlan->vlan_priority) |
+			   FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID,
+				      flow_vlan->vlan_id);
+		frame->tci = cpu_to_be16(tmp_tci);
 	}
 }
 
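
Review bot: With the `if (flow_vlan->vlan_id || flow_vlan->vlan_priority)` guard removed, NFP_FLOWER_MASK_VLAN_PRESENT is written into frame->tci on every pass through this block, for whatever `target` the caller passed. That is what makes vlan id 0 matchable, but it also means the enclosing condition, which sits above the visible context, is now the only thing keeping the present bit out of rules that do not match on VLAN at all. Please confirm that condition tests for FLOW_DISSECTOR_KEY_VLAN being in use, and extend the "Populate the tci field" comment to say the present bit is set unconditionally on purpose.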




* [PATCH 5.0 038/115] nfp: flower: remove vlan CFI bit from push vlan action
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 037/115] nfp: flower: replace CFI with vlan present Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 039/115] sch_cake: Use tc_skb_protocol() helper for getting packet protocol Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pieter Jansen van Vuuren, Louis Peens

From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>

[ Upstream commit 42cd5484a22f1a1b947e21e2af65fa7dab09d017 ]

We no longer set CFI when pushing vlan tags, therefore we remove
the CFI bit from push vlan.

Fixes: 1a1e586f54bf ("nfp: add basic action capabilities to flower offloads")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Signed-off-by: Louis Peens <louis.peens@netronome.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/netronome/nfp/flower/action.c |    3 +--
 drivers/net/ethernet/netronome/nfp/flower/cmsg.h   |    1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/ethernet/netronome/nfp/flower/action.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/action.c
@@ -49,8 +49,7 @@ nfp_fl_push_vlan(struct nfp_fl_push_vlan
 
 	tmp_push_vlan_tci =
 		FIELD_PREP(NFP_FL_PUSH_VLAN_PRIO, tcf_vlan_push_prio(action)) |
-		FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action)) |
-		NFP_FL_PUSH_VLAN_CFI;
+		FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action));
 	push_vlan->vlan_tci = cpu_to_be16(tmp_push_vlan_tci);
 }
 
--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
@@ -82,7 +82,6 @@
 #define NFP_FL_OUT_FLAGS_TYPE_IDX	GENMASK(2, 0)
 
 #define NFP_FL_PUSH_VLAN_PRIO		GENMASK(15, 13)
-#define NFP_FL_PUSH_VLAN_CFI		BIT(12)
 #define NFP_FL_PUSH_VLAN_VID		GENMASK(11, 0)
 
 #define IPV6_FLOW_LABEL_MASK		cpu_to_be32(0x000fffff)
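
Review bot: Removing NFP_FL_PUSH_VLAN_CFI leaves bit 12 between NFP_FL_PUSH_VLAN_PRIO (15..13) and NFP_FL_PUSH_VLAN_VID (11..0) undescribed. A short comment that bit 12 of the push-vlan TCI is left as zero would help, because after 037/115 the match-side layout in this same header names BIT(12) NFP_FLOWER_MASK_VLAN_PRESENT and the two layouts are easy to confuse.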




* [PATCH 5.0 039/115] sch_cake: Use tc_skb_protocol() helper for getting packet protocol
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 038/115] nfp: flower: remove vlan CFI bit from push vlan action Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 040/115] sch_cake: Make sure we can write the IP header before changing DSCP bits Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Darbyshire-Bryant,
	Toke Høiland-Jørgensen

From: Toke Høiland-Jørgensen <toke@redhat.com>

[ Upstream commit b2100cc56fca8c51d28aa42a9f1fbcb2cf351996 ]

We shouldn't be using skb->protocol directly as that will miss cases with
hardware-accelerated VLAN tags. Use the helper instead to get the right
protocol number.

Reported-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_cake.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1526,7 +1526,7 @@ static u8 cake_handle_diffserv(struct sk
 {
 	u8 dscp;
 
-	switch (skb->protocol) {
+	switch (tc_skb_protocol(skb)) {
 	case htons(ETH_P_IP):
 		dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
 		if (wash && dscp)
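
Review bot: Only the switch in cake_handle_diffserv() is converted. cake_wash_diffserv(), named in the hunk header of 040/115 and shown in full where 043/115 deletes it, still does `switch (skb->protocol)`, so until 043 is applied the wash-only path keeps missing the hardware-accelerated VLAN case this commit message describes. Either convert both switches here or state the dependency on 043 so the patch is not picked on its own.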




* [PATCH 5.0 040/115] sch_cake: Make sure we can write the IP header before changing DSCP bits
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 039/115] sch_cake: Use tc_skb_protocol() helper for getting packet protocol Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 041/115] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Darbyshire-Bryant,
	Toke Høiland-Jørgensen

From: Toke Høiland-Jørgensen <toke@redhat.com>

[ Upstream commit c87b4ecdbe8db27867a7b7f840291cd843406bd7 ]

There is not actually any guarantee that the IP headers are valid before we
access the DSCP bits of the packets. Fix this using the same approach taken
in sch_dsmark.

Reported-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_cake.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1524,16 +1524,27 @@ static void cake_wash_diffserv(struct sk
 
 static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash)
 {
+	int wlen = skb_network_offset(skb);
 	u8 dscp;
 
 	switch (tc_skb_protocol(skb)) {
 	case htons(ETH_P_IP):
+		wlen += sizeof(struct iphdr);
+		if (!pskb_may_pull(skb, wlen) ||
+		    skb_try_make_writable(skb, wlen))
+			return 0;
+
 		dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
 		if (wash && dscp)
 			ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0);
 		return dscp;
 
 	case htons(ETH_P_IPV6):
+		wlen += sizeof(struct ipv6hdr);
+		if (!pskb_may_pull(skb, wlen) ||
+		    skb_try_make_writable(skb, wlen))
+			return 0;
+
 		dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2;
 		if (wash && dscp)
 			ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);
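
Review bot: skb_try_make_writable(skb, wlen) runs for every IPv4 and IPv6 packet, but the header is only modified under `if (wash && dscp)`. When wash is 0 the function only reads the DS field, so pskb_may_pull() alone is sufficient there and the writable step, which may reallocate the header of a cloned skb, could be limited to the wash case. Both failure paths also `return 0`, which the caller cannot tell apart from a real DSCP of 0; a comment saying that unparseable packets are deliberately treated as DSCP 0 would make that intent explicit.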




* [PATCH 5.0 041/115] NFC: nci: Add some bounds checking in nci_hci_cmd_received()
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 040/115] sch_cake: Make sure we can write the IP header before changing DSCP bits Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 042/115] nfc: nci: Potential off by one in ->pipes[] array Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit d7ee81ad09f072eab1681877fc71ec05f9c1ae92 ]

This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
corruption when handling SHDLC I-Frame commands").

I'm not totally sure, but I think that commit description may have
overstated the danger.  I was under the impression that this data came
from the firmware?  If you can't trust your networking firmware, then
you're already in trouble.

Anyway, these days we add bounds checking wherever we can and we call
it kernel hardening.  Better safe than sorry.

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/nfc/nci/hci.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct
 		create_info = (struct nci_hci_create_pipe_resp *)skb->data;
 		dest_gate = create_info->dest_gate;
 		new_pipe = create_info->pipe;
+		if (new_pipe >= NCI_HCI_MAX_PIPES) {
+			status = NCI_HCI_ANY_E_NOK;
+			goto exit;
+		}
 
 		/* Save the new created pipe and bind with local gate,
 		 * the description for skb->data[3] is destination gate id
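
Review bot: `new_pipe >= NCI_HCI_MAX_PIPES` is only the right test once NCI_HCI_MAX_PIPES means the number of pipes, and 042/115 in this series raises the define from 127 to 128 for exactly that reason. If this patch is applied without 042, pipe 127, the highest id a 7-bit identifier allows, is rejected with NCI_HCI_ANY_E_NOK. The two patches should travel together, and the changelog should say so.
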
@@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct
 			goto exit;
 		}
 		delete_info = (struct nci_hci_delete_pipe_noti *)skb->data;
+		if (delete_info->pipe >= NCI_HCI_MAX_PIPES) {
+			status = NCI_HCI_ANY_E_NOK;
+			goto exit;
+		}
 
 		ndev->hci_dev->pipes[delete_info->pipe].gate =
 						NCI_HCI_INVALID_GATE;
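
Review bot: delete_info->pipe is read from skb->data for the check and then read again as the index in `ndev->hci_dev->pipes[delete_info->pipe].gate`. Copying it into a local first, as the create path does with new_pipe, makes it obvious that the value checked is the value used and keeps the two hunks in the same style.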




* [PATCH 5.0 042/115] nfc: nci: Potential off by one in ->pipes[] array
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 041/115] NFC: nci: Add some bounds checking in nci_hci_cmd_received() Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 043/115] sch_cake: Simplify logic in cake_select_tin() Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 6491d698396fd5da4941980a35ca7c162a672016 ]

This is similar to commit e285d5bfb7e9 ("NFC: Fix the number of pipes")
where we changed NFC_HCI_MAX_PIPES from 127 to 128.

As the comment next to the define explains, the pipe identifier is 7
bits long.  The highest possible pipe is 127, but the number of possible
pipes is 128.  As the code is now, then there is potential for an
out of bounds array access:

    net/nfc/nci/hci.c:297 nci_hci_cmd_received() warn: array off by one?
    'ndev->hci_dev->pipes[pipe]' '0-127 == 127'

Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/nfc/nci_core.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/nfc/nci_core.h
+++ b/include/net/nfc/nci_core.h
@@ -166,7 +166,7 @@ struct nci_conn_info {
  * According to specification 102 622 chapter 4.4 Pipes,
  * the pipe identifier is 7 bits long.
  */
-#define NCI_HCI_MAX_PIPES          127
+#define NCI_HCI_MAX_PIPES          128
 
 struct nci_hci_gate {
 	u8 gate;
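
Review bot: The comment above the define still says only that the pipe identifier is 7 bits long, which is how the value 127 ended up there. Extend it to state that valid ids are 0..127 and that NCI_HCI_MAX_PIPES is the array size (128), or derive the value from the bit width, so the count-versus-maximum meaning is explicit. Comparisons written with `>=`, as in 041/115, then read correctly; any user that treats the macro as the highest valid id should be checked.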




* [PATCH 5.0 043/115] sch_cake: Simplify logic in cake_select_tin()
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 042/115] nfc: nci: Potential off by one in ->pipes[] array Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 044/115] CIFS: keep FileInfo handle live during oplock break Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kevin Darbyshire-Bryant,
	Toke Høiland-Jørgensen

From: Toke Høiland-Jørgensen <toke@redhat.com>

[ Upstream commit 4976e3c683f328bc6f2edef555a4ffee6524486f ]

The logic in cake_select_tin() was getting a bit hairy, and it turns out we
can simplify it quite a bit. This also allows us to get rid of one of the
two diffserv parsing functions, which has the added benefit that
already-zeroed DSCP fields won't get re-written.

Suggested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/sch_cake.c |   44 ++++++++++++++++----------------------------
 1 file changed, 16 insertions(+), 28 deletions(-)

--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1508,20 +1508,6 @@ static unsigned int cake_drop(struct Qdi
 	return idx + (tin << 16);
 }
 
-static void cake_wash_diffserv(struct sk_buff *skb)
-{
-	switch (skb->protocol) {
-	case htons(ETH_P_IP):
-		ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0);
-		break;
-	case htons(ETH_P_IPV6):
-		ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);
-		break;
-	default:
-		break;
-	}
-}
-
 static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash)
 {
 	int wlen = skb_network_offset(skb);
@@ -1564,25 +1550,27 @@ static struct cake_tin_data *cake_select
 {
 	struct cake_sched_data *q = qdisc_priv(sch);
 	u32 tin;
+	u8 dscp;
+
+	/* Tin selection: Default to diffserv-based selection, allow overriding
+	 * using firewall marks or skb->priority.
+	 */
+	dscp = cake_handle_diffserv(skb,
+				    q->rate_flags & CAKE_FLAG_WASH);
+
+	if (q->tin_mode == CAKE_DIFFSERV_BESTEFFORT)
+		tin = 0;
 
-	if (TC_H_MAJ(skb->priority) == sch->handle &&
-	    TC_H_MIN(skb->priority) > 0 &&
-	    TC_H_MIN(skb->priority) <= q->tin_cnt) {
+	else if (TC_H_MAJ(skb->priority) == sch->handle &&
+		 TC_H_MIN(skb->priority) > 0 &&
+		 TC_H_MIN(skb->priority) <= q->tin_cnt)
 		tin = q->tin_order[TC_H_MIN(skb->priority) - 1];
 
-		if (q->rate_flags & CAKE_FLAG_WASH)
-			cake_wash_diffserv(skb);
-	} else if (q->tin_mode != CAKE_DIFFSERV_BESTEFFORT) {
-		/* extract the Diffserv Precedence field, if it exists */
-		/* and clear DSCP bits if washing */
-		tin = q->tin_index[cake_handle_diffserv(skb,
-				q->rate_flags & CAKE_FLAG_WASH)];
+	else {
+		tin = q->tin_index[dscp];
+
 		if (unlikely(tin >= q->tin_cnt))
 			tin = 0;
-	} else {
-		tin = 0;
-		if (q->rate_flags & CAKE_FLAG_WASH)
-			cake_wash_diffserv(skb);
 	}
 
 	return &q->tins[tin];
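
Review bot: cake_handle_diffserv() is now called at the top for every packet, including the CAKE_DIFFSERV_BESTEFFORT and skb->priority override branches that never use dscp. After 040/115 that call does pskb_may_pull() and skb_try_make_writable(), so those branches pay for header access even when CAKE_FLAG_WASH is clear; consider calling it up front only when washing and otherwise only in the final else. On style, the blank lines between `tin = 0;` and `else if`, and braces on only the last branch, go against the usual kernel if/else layout.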




* [PATCH 5.0 044/115] CIFS: keep FileInfo handle live during oplock break
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 043/115] sch_cake: Simplify logic in cake_select_tin() Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 045/115] cifs: Fix lease buffer length error Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aurelien Aptel, Steve French,
	Pavel Shilovsky

From: Aurelien Aptel <aaptel@suse.com>

commit b98749cac4a695f084a5ff076f4510b23e353ecd upstream.

In the oplock break handler, writing pending changes from pages puts
the FileInfo handle. If the refcount reaches zero it closes the handle
and waits for any oplock break handler to return, thus causing a deadlock.

To prevent this situation:

* We add a wait flag to cifsFileInfo_put() to decide whether we should
  wait for running/pending oplock break handlers

* We keep an additional reference of the SMB FileInfo handle so that
  for the rest of the handler putting the handle won't close it.
  - The ref is bumped every time we queue the handler via the
    cifs_queue_oplock_break() helper.
  - The ref is decremented at the end of the handler

This bug was triggered by xfstest 464.

Also important fix to address the various reports of
oops in smb2_push_mandatory_locks

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/cifsglob.h |    2 ++
 fs/cifs/file.c     |   30 +++++++++++++++++++++++++-----
 fs/cifs/misc.c     |   25 +++++++++++++++++++++++--
 fs/cifs/smb2misc.c |    6 +++---
 4 files changed, 53 insertions(+), 10 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1303,6 +1303,7 @@ cifsFileInfo_get_locked(struct cifsFileI
 }
 
 struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file);
+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr);
 void cifsFileInfo_put(struct cifsFileInfo *cifs_file);
 
 #define CIFS_CACHE_READ_FLG	1
@@ -1824,6 +1825,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock;
 #endif /* CONFIG_CIFS_ACL */
 
 void cifs_oplock_break(struct work_struct *work);
+void cifs_queue_oplock_break(struct cifsFileInfo *cfile);
 
 extern const struct slow_work_ops cifs_oplock_break_ops;
 extern struct workqueue_struct *cifsiod_wq;
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -360,13 +360,31 @@ cifsFileInfo_get(struct cifsFileInfo *ci
 	return cifs_file;
 }
 
-/*
- * Release a reference on the file private data. This may involve closing
- * the filehandle out on the server. Must be called without holding
- * tcon->open_file_lock and cifs_file->file_info_lock.
+/**
+ * cifsFileInfo_put - release a reference of file priv data
+ *
+ * Always potentially wait for oplock handler. See _cifsFileInfo_put().
  */
 void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
 {
+	_cifsFileInfo_put(cifs_file, true);
+}
+
+/**
+ * _cifsFileInfo_put - release a reference of file priv data
+ *
+ * This may involve closing the filehandle @cifs_file out on the
+ * server. Must be called without holding tcon->open_file_lock and
+ * cifs_file->file_info_lock.
+ *
+ * If @wait_for_oplock_handler is true and we are releasing the last
+ * reference, wait for any running oplock break handler of the file
+ * and cancel any pending one. If calling this function from the
+ * oplock break handler, you need to pass false.
+ *
+ */
+void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
+{
 	struct inode *inode = d_inode(cifs_file->dentry);
 	struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
 	struct TCP_Server_Info *server = tcon->ses->server;
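
Review bot: The new parameter has three spellings: the kernel-doc says @wait_for_oplock_handler, the definition uses wait_oplock_handler, and the prototype added to cifsglob.h uses wait_oplock_hdlr. Pick one so the kernel-doc matches the definition. Both new kernel-doc blocks also lack a parameter line for @cifs_file.
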
@@ -414,7 +432,8 @@ void cifsFileInfo_put(struct cifsFileInf
 
 	spin_unlock(&tcon->open_file_lock);
 
-	oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
+	oplock_break_cancelled = wait_oplock_handler ?
+		cancel_work_sync(&cifs_file->oplock_break) : false;
 
 	if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
 		struct TCP_Server_Info *server = tcon->ses->server;
@@ -4480,6 +4499,7 @@ void cifs_oplock_break(struct work_struc
 							     cinode);
 		cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
 	}
+	_cifsFileInfo_put(cfile, false /* do not wait for ourself */);
 	cifs_done_oplock_break(cinode);
 }
 
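
Review bot: `_cifsFileInfo_put(cfile, false)` is placed before `cifs_done_oplock_break(cinode)`. If this put drops the last reference and closes the handle, cinode is still used on the next line; please say in a comment what keeps the inode pinned at that point, or move the put after cifs_done_oplock_break().
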
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -501,8 +501,7 @@ is_valid_oplock_break(char *buffer, stru
 					   CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
 					   &pCifsInode->flags);
 
-				queue_work(cifsoplockd_wq,
-					   &netfile->oplock_break);
+				cifs_queue_oplock_break(netfile);
 				netfile->oplock_break_cancelled = false;
 
 				spin_unlock(&tcon->open_file_lock);
@@ -607,6 +606,28 @@ void cifs_put_writer(struct cifsInodeInf
 	spin_unlock(&cinode->writers_lock);
 }
 
+/**
+ * cifs_queue_oplock_break - queue the oplock break handler for cfile
+ *
+ * This function is called from the demultiplex thread when it
+ * receives an oplock break for @cfile.
+ *
+ * Assumes the tcon->open_file_lock is held.
+ * Assumes cfile->file_info_lock is NOT held.
+ */
+void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
+{
+	/*
+	 * Bump the handle refcount now while we hold the
+	 * open_file_lock to enforce the validity of it for the oplock
+	 * break handler. The matching put is done at the end of the
+	 * handler.
+	 */
+	cifsFileInfo_get(cfile);
+
+	queue_work(cifsoplockd_wq, &cfile->oplock_break);
+}
+
 void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
 {
 	clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
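
Review bot: cifs_queue_oplock_break() takes the reference unconditionally and ignores the return value of queue_work(). queue_work() returns false when the work item is already pending, in which case the handler runs once and does a single put, so the extra cifsFileInfo_get() is never balanced. Either drop the reference when queue_work() returns false, or document why a second oplock break cannot arrive while one is still queued.
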
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -555,7 +555,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
 			clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
 				  &cinode->flags);
 
-		queue_work(cifsoplockd_wq, &cfile->oplock_break);
+		cifs_queue_oplock_break(cfile);
 		kfree(lw);
 		return true;
 	}
@@ -719,8 +719,8 @@ smb2_is_valid_oplock_break(char *buffer,
 					   CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
 					   &cinode->flags);
 				spin_unlock(&cfile->file_info_lock);
-				queue_work(cifsoplockd_wq,
-					   &cfile->oplock_break);
+
+				cifs_queue_oplock_break(cfile);
 
 				spin_unlock(&tcon->open_file_lock);
 				spin_unlock(&cifs_tcp_ses_lock);




* [PATCH 5.0 045/115] cifs: Fix lease buffer length error
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 044/115] CIFS: keep FileInfo handle live during oplock break Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 046/115] cifs: Fix use-after-free in SMB2_write Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, ZhangXiaoxu, Steve French, Pavel Shilovsky

From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>

commit b57a55e2200ede754e4dc9cce4ba9402544b9365 upstream.

There is a KASAN slab-out-of-bounds:
BUG: KASAN: slab-out-of-bounds in _copy_from_iter_full+0x783/0xaa0
Read of size 80 at addr ffff88810c35e180 by task mount.cifs/539

CPU: 1 PID: 539 Comm: mount.cifs Not tainted 4.19 #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
            rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack+0xdd/0x12a
 print_address_description+0xa7/0x540
 kasan_report+0x1ff/0x550
 check_memory_region+0x2f1/0x310
 memcpy+0x2f/0x80
 _copy_from_iter_full+0x783/0xaa0
 tcp_sendmsg_locked+0x1840/0x4140
 tcp_sendmsg+0x37/0x60
 inet_sendmsg+0x18c/0x490
 sock_sendmsg+0xae/0x130
 smb_send_kvec+0x29c/0x520
 __smb_send_rqst+0x3ef/0xc60
 smb_send_rqst+0x25a/0x2e0
 compound_send_recv+0x9e8/0x2af0
 cifs_send_recv+0x24/0x30
 SMB2_open+0x35e/0x1620
 open_shroot+0x27b/0x490
 smb2_open_op_close+0x4e1/0x590
 smb2_query_path_info+0x2ac/0x650
 cifs_get_inode_info+0x1058/0x28f0
 cifs_root_iget+0x3bb/0xf80
 cifs_smb3_do_mount+0xe00/0x14c0
 cifs_do_mount+0x15/0x20
 mount_fs+0x5e/0x290
 vfs_kern_mount+0x88/0x460
 do_mount+0x398/0x31e0
 ksys_mount+0xc6/0x150
 __x64_sys_mount+0xea/0x190
 do_syscall_64+0x122/0x590
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

It can be reproduced by the following steps:
  1. samba configured with: server max protocol = SMB2_10
  2. mount -o vers=default

When parsing the mount version parameter, the 'ops' and 'vals'
are set to smb30. If the negotiated result is smb21, only
the 'ops' is updated to smb21, but the 'vals' is still smb30.
When adding the lease context, the iov_base is allocated with smb21
ops, but the iov_len is initialized with smb30. Because
the iov_len is longer than iov_base, when sending the message,
the copy goes out of bounds of the array.

We need to keep the 'ops' and 'vals' consistent.

Fixes: 9764c02fcbad ("SMB3: Add support for multidialect negotiate (SMB2.1 and later)")
Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -815,8 +815,11 @@ SMB2_negotiate(const unsigned int xid, s
 		} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
 			/* ops set to 3.0 by default for default so update */
 			ses->server->ops = &smb21_operations;
-		} else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID))
+			ses->server->vals = &smb21_values;
+		} else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
 			ses->server->ops = &smb311_operations;
+			ses->server->vals = &smb311_values;
+		}
 	} else if (le16_to_cpu(rsp->DialectRevision) !=
 				ses->server->vals->protocol_id) {
 		/* if requested single dialect ensure returned dialect matched */
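
Review bot: ops and vals are still assigned as two separate statements in each dialect branch, which is the pattern that let them drift apart in the first place. The comment in the SMB21 branch mentions only ops and should now mention vals as well. The branch ahead of `} else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID))` is outside the visible context; please confirm it does not need a vals update too, and consider a small helper that sets both from the negotiated dialect.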




* [PATCH 5.0 046/115] cifs: Fix use-after-free in SMB2_write
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 045/115] cifs: Fix lease buffer length error Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 047/115] cifs: Fix use-after-free in SMB2_read Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, ZhangXiaoxu, Steve French, Pavel Shilovsky

From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>

commit 6a3eb3360667170988f8a6477f6686242061488a upstream.

There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_write+0x1342/0x1580
Read of size 8 at addr ffff8880b6a8e450 by task ln/4196

We should not release the 'req' here because it is still used in the trace.

Fixes: eccb4422cf97 ("smb3: Add ftrace tracepoints for improved SMB3 debugging")

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org> 4.18+
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3708,7 +3708,6 @@ SMB2_write(const unsigned int xid, struc
 
 	rc = cifs_send_recv(xid, io_parms->tcon->ses, &rqst,
 			    &resp_buftype, flags, &rsp_iov);
-	cifs_small_buf_release(req);
 	rsp = (struct smb2_write_rsp *)rsp_iov.iov_base;
 
 	if (rc) {
@@ -3726,6 +3725,7 @@ SMB2_write(const unsigned int xid, struc
 				     io_parms->offset, *nbytes);
 	}
 
+	cifs_small_buf_release(req);
 	free_rsp_buf(resp_buftype, rsp);
 	return rc;
 }




* [PATCH 5.0 047/115] cifs: Fix use-after-free in SMB2_read
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 046/115] cifs: Fix use-after-free in SMB2_write Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 048/115] cifs: fix handle leak in smb2_query_symlink() Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, ZhangXiaoxu, Steve French, Pavel Shilovsky

From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>

commit 088aaf17aa79300cab14dbee2569c58cfafd7d6e upstream.

There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_read+0x1136/0x1190
Read of size 8 at addr ffff8880b4e45e50 by task ln/1009

We should not release the 'req' here because it is still used in the trace.

Fixes: eccb4422cf97 ("smb3: Add ftrace tracepoints for improved SMB3 debugging")

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org> 4.18+
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3390,8 +3390,6 @@ SMB2_read(const unsigned int xid, struct
 	rqst.rq_nvec = 1;
 
 	rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov);
-	cifs_small_buf_release(req);
-
 	rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
 
 	if (rc) {
@@ -3410,6 +3408,8 @@ SMB2_read(const unsigned int xid, struct
 				    io_parms->tcon->tid, ses->Suid,
 				    io_parms->offset, io_parms->length);
 
+	cifs_small_buf_release(req);
+
 	*nbytes = le32_to_cpu(rsp->DataLength);
 	if ((*nbytes > CIFS_MAX_MSGSIZE) ||
 	    (*nbytes > io_parms->length)) {
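
Review bot: The release now sits after the whole `if (rc) {` block that opens at the end of the first hunk. The body of that block is not shown; if it returns early on error, req is no longer freed on that path, whereas before this change it was released right after cifs_send_recv(). 046/115 avoids the question by putting the release next to free_rsp_buf() at the function's exit; please check the error path here and add a release before any return inside the block.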




* [PATCH 5.0 048/115] cifs: fix handle leak in smb2_query_symlink()
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 047/115] cifs: Fix use-after-free in SMB2_read Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 049/115] fs/dax: Deposit pagetable even when installing zero page Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ronnie Sahlberg, Steve French,
	Pavel Shilovsky

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit e6d0fb7b34f264f72c33053558a360a6a734905e upstream.

If we enter smb2_query_symlink() for something that is not a symlink
and where the SMB2_open() would succeed we would never end up
closing this handle and would thus leak a handle on the server.

Fix this by immediately calling SMB2_close() on successful open.

Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2ops.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2210,6 +2210,8 @@ smb2_query_symlink(const unsigned int xi
 
 	rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_iov,
 		       &resp_buftype);
+	if (!rc)
+		SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
 	if (!rc || !err_iov.iov_base) {
 		rc = -ENOENT;
 		goto free_path;
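
Review bot: The return value of SMB2_close() is discarded, so a failed close still leaves the handle open on the server with nothing recorded. Logging the failure would keep the leak visible. The new `if (!rc)` is followed directly by `if (!rc || !err_iov.iov_base)`; a comment that a successful open means the path is not a symlink, hence -ENOENT, would make the back-to-back tests easier to read.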




* [PATCH 5.0 049/115] fs/dax: Deposit pagetable even when installing zero page
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 048/115] cifs: fix handle leak in smb2_query_symlink() Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 050/115] KVM: x86: Dont clear EFER during SMM transitions for 32-bit vCPU Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kara, Aneesh Kumar K.V, Dan Williams

From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>

commit 11cf9d863dcb583345723b0ed72173348761e9c0 upstream.

Architectures like ppc64 use the deposited page table to store hardware
page table slot information. Make sure we deposit a page table when
using zero page at the pmd level for hash.

Without this we hit

Unable to handle kernel paging request for data at address 0x00000000
Faulting instruction address: 0xc000000000082a74
Oops: Kernel access of bad area, sig: 11 [#1]
....

NIP [c000000000082a74] __hash_page_thp+0x224/0x5b0
LR [c0000000000829a4] __hash_page_thp+0x154/0x5b0
Call Trace:
 hash_page_mm+0x43c/0x740
 do_hash_page+0x2c/0x3c
 copy_from_iter_flushcache+0xa4/0x4a0
 pmem_copy_from_iter+0x2c/0x50 [nd_pmem]
 dax_copy_from_iter+0x40/0x70
 dax_iomap_actor+0x134/0x360
 iomap_apply+0xfc/0x1b0
 dax_iomap_rw+0xac/0x130
 ext4_file_write_iter+0x254/0x460 [ext4]
 __vfs_write+0x120/0x1e0
 vfs_write+0xd8/0x220
 SyS_write+0x6c/0x110
 system_call+0x3c/0x130

Fixes: b5beae5e224f ("powerpc/pseries: Add driver for PAPR SCM regions")
Cc: <stable@vger.kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/dax.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/fs/dax.c
+++ b/fs/dax.c
@@ -33,6 +33,7 @@
 #include <linux/sizes.h>
 #include <linux/mmu_notifier.h>
 #include <linux/iomap.h>
+#include <asm/pgalloc.h>
 #include "internal.h"
 
 #define CREATE_TRACE_POINTS
@@ -1409,7 +1410,9 @@ static vm_fault_t dax_pmd_load_hole(stru
 {
 	struct address_space *mapping = vmf->vma->vm_file->f_mapping;
 	unsigned long pmd_addr = vmf->address & PMD_MASK;
+	struct vm_area_struct *vma = vmf->vma;
 	struct inode *inode = mapping->host;
+	pgtable_t pgtable = NULL;
 	struct page *zero_page;
 	spinlock_t *ptl;
 	pmd_t pmd_entry;
@@ -1424,12 +1427,22 @@ static vm_fault_t dax_pmd_load_hole(stru
 	*entry = dax_insert_entry(xas, mapping, vmf, *entry, pfn,
 			DAX_PMD | DAX_ZERO_PAGE, false);
 
+	if (arch_needs_pgtable_deposit()) {
+		pgtable = pte_alloc_one(vma->vm_mm);
+		if (!pgtable)
+			return VM_FAULT_OOM;
+	}
+
 	ptl = pmd_lock(vmf->vma->vm_mm, vmf->pmd);
 	if (!pmd_none(*(vmf->pmd))) {
 		spin_unlock(ptl);
 		goto fallback;
 	}
 
+	if (pgtable) {
+		pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable);
+		mm_inc_nr_ptes(vma->vm_mm);
+	}
 	pmd_entry = mk_pmd(zero_page, vmf->vma->vm_page_prot);
 	pmd_entry = pmd_mkhuge(pmd_entry);
 	set_pmd_at(vmf->vma->vm_mm, pmd_addr, vmf->pmd, pmd_entry);
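
Review bot: in the new arch_needs_pgtable_deposit() block, a failed pte_alloc_one() returns VM_FAULT_OOM directly, after dax_insert_entry() has already run and without passing through the fallback label, so trace_dax_pmd_load_hole_fallback() never fires for that case. Consider whether `goto fallback` is the better response to a failed page-table allocation, or add a comment explaining why OOM is wanted. The hunk also mixes the new `vma` local with the existing `vmf->vma->vm_mm` uses; using `vma` throughout would read better.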
@@ -1438,6 +1451,8 @@ static vm_fault_t dax_pmd_load_hole(stru
 	return VM_FAULT_NOPAGE;
 
 fallback:
+	if (pgtable)
+		pte_free(vma->vm_mm, pgtable);
 	trace_dax_pmd_load_hole_fallback(inode, vmf, zero_page, *entry);
 	return VM_FAULT_FALLBACK;
 }
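
Review bot: the pte_free() added under the fallback label is only safe while no path can reach the label after pgtable_trans_huge_deposit() has taken ownership of the table. Setting `pgtable = NULL` right after the deposit would keep a later-added `goto fallback` from freeing a page table that is still deposited.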




* [PATCH 5.0 050/115] KVM: x86: Dont clear EFER during SMM transitions for 32-bit vCPU
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 049/115] fs/dax: Deposit pagetable even when installing zero page Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 051/115] KVM: x86: svm: make sure NMI is injected after nmi_singlestep Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit 8f4dc2e77cdfaf7e644ef29693fa229db29ee1de upstream.

Neither AMD nor Intel CPUs have an EFER field in the legacy SMRAM save
state area, i.e. don't save/restore EFER across SMM transitions.  KVM
somewhat models this, e.g. doesn't clear EFER on entry to SMM if the
guest doesn't support long mode.  But during RSM, KVM unconditionally
clears EFER so that it can get back to pure 32-bit mode in order to
start loading CRs with their actual non-SMM values.

Clear EFER only when it will be written when loading the non-SMM state
so as to preserve bits that can theoretically be set on 32-bit vCPUs,
e.g. KVM always emulates EFER_SCE.

And because CR4.PAE is cleared only to play nice with EFER, wrap that
code in the long mode check as well.  Note, this may result in a
compiler warning about cr4 being consumed uninitialized.  Re-read CR4
even though it's technically unnecessary, as doing so allows for more
readable code and RSM emulation is not a performance critical path.

Fixes: 660a5d517aaab ("KVM: x86: save/load state on SMM switch")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/emulate.c |   23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2575,15 +2575,13 @@ static int em_rsm(struct x86_emulate_ctx
 	 * CR0/CR3/CR4/EFER.  It's all a bit more complicated if the vCPU
 	 * supports long mode.
 	 */
-	cr4 = ctxt->ops->get_cr(ctxt, 4);
 	if (emulator_has_longmode(ctxt)) {
 		struct desc_struct cs_desc;
 
 		/* Zero CR4.PCIDE before CR0.PG.  */
-		if (cr4 & X86_CR4_PCIDE) {
+		cr4 = ctxt->ops->get_cr(ctxt, 4);
+		if (cr4 & X86_CR4_PCIDE)
 			ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
-			cr4 &= ~X86_CR4_PCIDE;
-		}
 
 		/* A 32-bit code segment is required to clear EFER.LMA.  */
 		memset(&cs_desc, 0, sizeof(cs_desc));
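
Review bot: with the `cr4 &= ~X86_CR4_PCIDE` update dropped, the local cr4 is stale as soon as set_cr() runs, and it is only assigned inside the long mode branch. Declaring cr4 inside each block that reads it would let the compiler catch any later use of the stale value and would avoid the uninitialized-variable warning the changelog mentions.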
@@ -2597,13 +2595,16 @@ static int em_rsm(struct x86_emulate_ctx
 	if (cr0 & X86_CR0_PE)
 		ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
 
-	/* Now clear CR4.PAE (which must be done before clearing EFER.LME).  */
-	if (cr4 & X86_CR4_PAE)
-		ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
-
-	/* And finally go back to 32-bit mode.  */
-	efer = 0;
-	ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
+	if (emulator_has_longmode(ctxt)) {
+		/* Clear CR4.PAE before clearing EFER.LME. */
+		cr4 = ctxt->ops->get_cr(ctxt, 4);
+		if (cr4 & X86_CR4_PAE)
+			ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
+
+		/* And finally go back to 32-bit mode.  */
+		efer = 0;
+		ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
+	}
 
 	smbase = ctxt->ops->get_smbase(ctxt);
 
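
Review bot: the local `efer` in the new long mode block only carries the constant 0 into set_msr(); passing 0 directly, and dropping the variable if nothing later reads it, would be clearer. emulator_has_longmode(ctxt) is now evaluated twice in em_rsm(), so caching it in a bool at the top would keep the two long mode blocks visibly tied together.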




* [PATCH 5.0 051/115] KVM: x86: svm: make sure NMI is injected after nmi_singlestep
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 050/115] KVM: x86: Dont clear EFER during SMM transitions for 32-bit vCPU Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 052/115] Staging: iio: meter: fixed typo Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vitaly Kuznetsov, Paolo Bonzini

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit 99c221796a810055974b54c02e8f53297e48d146 upstream.

I noticed that apic test from kvm-unit-tests always hangs on my EPYC 7401P,
the hanging test nmi-after-sti is trying to deliver 30000 NMIs and tracing
shows that we're sometimes able to deliver a few but never all.

When we're trying to inject an NMI we may fail to do so immediately for
various reasons, however, we still need to inject it so enable_nmi_window()
arms nmi_singlestep mode. #DB occurs as expected, but we're not checking
for pending NMIs before entering the guest and unless there's a different
event to process, the NMI will never get delivered.

Make KVM_REQ_EVENT request on the vCPU from db_interception() to make sure
pending NMIs are checked and possibly injected.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/svm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -2687,6 +2687,7 @@ static int npf_interception(struct vcpu_
 static int db_interception(struct vcpu_svm *svm)
 {
 	struct kvm_run *kvm_run = svm->vcpu.run;
+	struct kvm_vcpu *vcpu = &svm->vcpu;
 
 	if (!(svm->vcpu.guest_debug &
 	      (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) &&
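
Review bot: the new `vcpu` local is used for a single kvm_make_request() call while the rest of db_interception(), including the condition right below it, keeps spelling out svm->vcpu. Either pass &svm->vcpu to kvm_make_request() and drop the local, or convert the other uses in the function.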
@@ -2697,6 +2698,8 @@ static int db_interception(struct vcpu_s
 
 	if (svm->nmi_singlestep) {
 		disable_nmi_singlestep(svm);
+		/* Make sure we check for pending NMIs upon entry */
+		kvm_make_request(KVM_REQ_EVENT, vcpu);
 	}
 
 	if (svm->vcpu.guest_debug &




* [PATCH 5.0 052/115] Staging: iio: meter: fixed typo
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 051/115] KVM: x86: svm: make sure NMI is injected after nmi_singlestep Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 053/115] staging: iio: ad7192: Fix ad7193 channel address Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Leonard Pollak, Stable,
	Michael Hennerich, Jonathan Cameron

From: Leonard Pollak <leonardp@tr-host.de>

commit 0a8a29be499cbb67df79370aaf5109085509feb8 upstream.

This patch fixes an obvious typo, which will cause erroneously returning the Peak
Voltage instead of the Peak Current.

Signed-off-by: Leonard Pollak <leonardp@tr-host.de>
Cc: <Stable@vger.kernel.org>
Acked-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/iio/meter/ade7854.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/meter/ade7854.c
+++ b/drivers/staging/iio/meter/ade7854.c
@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(0644,
 static IIO_DEV_ATTR_IPEAK(0644,
 		ade7854_read_32bit,
 		ade7854_write_32bit,
-		ADE7854_VPEAK);
+		ADE7854_IPEAK);
 static IIO_DEV_ATTR_APHCAL(0644,
 		ade7854_read_16bit,
 		ade7854_write_16bit,
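
Review bot: the changelog for the IIO_DEV_ATTR_IPEAK line understates the effect: the attribute is 0644 and is wired to ade7854_write_32bit as well, so with ADE7854_VPEAK here writes through the IPEAK attribute also went to the voltage-peak register, not only reads. Say so in the changelog, and add a Fixes: tag so it is clear how far back the stable backport needs to go.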




* [PATCH 5.0 053/115] staging: iio: ad7192: Fix ad7193 channel address
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 052/115] Staging: iio: meter: fixed typo Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 054/115] iio: gyro: mpu3050: fix chip ID reading Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mircea Caprioru, Stable, Jonathan Cameron

From: Mircea Caprioru <mircea.caprioru@analog.com>

commit 7ce0f216221856a17fc4934b39284678a5fef2e9 upstream.

This patch fixes the differential channels addresses for the ad7193.

Signed-off-by: Mircea Caprioru <mircea.caprioru@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/iio/adc/ad7192.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/staging/iio/adc/ad7192.c
+++ b/drivers/staging/iio/adc/ad7192.c
@@ -109,10 +109,10 @@
 #define AD7192_CH_AIN3		BIT(6) /* AIN3 - AINCOM */
 #define AD7192_CH_AIN4		BIT(7) /* AIN4 - AINCOM */
 
-#define AD7193_CH_AIN1P_AIN2M	0x000  /* AIN1(+) - AIN2(-) */
-#define AD7193_CH_AIN3P_AIN4M	0x001  /* AIN3(+) - AIN4(-) */
-#define AD7193_CH_AIN5P_AIN6M	0x002  /* AIN5(+) - AIN6(-) */
-#define AD7193_CH_AIN7P_AIN8M	0x004  /* AIN7(+) - AIN8(-) */
+#define AD7193_CH_AIN1P_AIN2M	0x001  /* AIN1(+) - AIN2(-) */
+#define AD7193_CH_AIN3P_AIN4M	0x002  /* AIN3(+) - AIN4(-) */
+#define AD7193_CH_AIN5P_AIN6M	0x004  /* AIN5(+) - AIN6(-) */
+#define AD7193_CH_AIN7P_AIN8M	0x008  /* AIN7(+) - AIN8(-) */
 #define AD7193_CH_TEMP		0x100 /* Temp senseor */
 #define AD7193_CH_AIN2P_AIN2M	0x200 /* AIN2(+) - AIN2(-) */
 #define AD7193_CH_AIN1		0x401 /* AIN1 - AINCOM */
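
Review bot: the corrected differential values 0x001, 0x002, 0x004 and 0x008 are single-bit masks, so they would read better as BIT(0) to BIT(3), matching the AD7192_CH_AIN3 and AD7192_CH_AIN4 definitions directly above. The changelog should also name the datasheet table the new values come from, and the neighbouring AD7193_CH_TEMP comment has a typo ("senseor") that could be fixed while here.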




* [PATCH 5.0 054/115] iio: gyro: mpu3050: fix chip ID reading
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 053/115] staging: iio: ad7192: Fix ad7193 channel address Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 055/115] iio/gyro/bmg160: Use millidegrees for temperature scale Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Larin, Linus Walleij, Stable,
	Jonathan Cameron

From: Sergey Larin <cerg2010cerg2010@mail.ru>

commit 409a51e0a4a5f908763191fae2c29008632eb712 upstream.

According to the datasheet, the last bit of CHIP_ID register controls
I2C bus, and the first one is unused. Handle this correctly.

Note that there are chips out there that have a value such that
the id check currently fails.

Signed-off-by: Sergey Larin <cerg2010cerg2010@mail.ru>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/gyro/mpu3050-core.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/iio/gyro/mpu3050-core.c
+++ b/drivers/iio/gyro/mpu3050-core.c
@@ -29,7 +29,8 @@
 
 #include "mpu3050.h"
 
-#define MPU3050_CHIP_ID		0x69
+#define MPU3050_CHIP_ID		0x68
+#define MPU3050_CHIP_ID_MASK	0x7E
 
 /*
  * Register map: anything suffixed *_H is a big-endian high byte and always
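
Review bot: MPU3050_CHIP_ID_MASK 0x7E needs a comment saying which bits it drops and why, since the expected ID changes from 0x69 to 0x68 only because bit 0 is now masked off. The changelog explains the two bits; the define should too.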
@@ -1176,8 +1177,9 @@ int mpu3050_common_probe(struct device *
 		goto err_power_down;
 	}
 
-	if (val != MPU3050_CHIP_ID) {
-		dev_err(dev, "unsupported chip id %02x\n", (u8)val);
+	if ((val & MPU3050_CHIP_ID_MASK) != MPU3050_CHIP_ID) {
+		dev_err(dev, "unsupported chip id %02x\n",
+				(u8)(val & MPU3050_CHIP_ID_MASK));
 		ret = -ENODEV;
 		goto err_power_down;
 	}
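
Review bot: the dev_err() now prints the masked value, which hides exactly the bits that differ between parts. Print the raw register value, or both, so a bug report shows what the chip actually returned.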




* [PATCH 5.0 055/115] iio/gyro/bmg160: Use millidegrees for temperature scale
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 054/115] iio: gyro: mpu3050: fix chip ID reading Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 056/115] iio:chemical:bme680: Fix, report temperature in millidegrees Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Looijmans, Stable, Jonathan Cameron

From: Mike Looijmans <mike.looijmans@topic.nl>

commit 40a7198a4a01037003c7ca714f0d048a61e729ac upstream.

Standard unit for temperature is millidegrees Celsius, whereas this driver
was reporting in degrees. Fix the scale factor in the driver.

Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/gyro/bmg160_core.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/iio/gyro/bmg160_core.c
+++ b/drivers/iio/gyro/bmg160_core.c
@@ -582,11 +582,10 @@ static int bmg160_read_raw(struct iio_de
 	case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
 		return bmg160_get_filter(data, val);
 	case IIO_CHAN_INFO_SCALE:
-		*val = 0;
 		switch (chan->type) {
 		case IIO_TEMP:
-			*val2 = 500000;
-			return IIO_VAL_INT_PLUS_MICRO;
+			*val = 500;
+			return IIO_VAL_INT;
 		case IIO_ANGL_VEL:
 		{
 			int i;
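
Review bot: with `*val = 0` removed from the top of the IIO_CHAN_INFO_SCALE case, every branch of the inner switch has to set *val itself before returning an IIO_VAL_INT_PLUS_* type; please check the branches not shown in this hunk. The temperature scale also changes from 0.5 to 500 as seen from sysfs, which the changelog should call out as a user-visible change for anyone who compensated in userspace.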
@@ -594,6 +593,7 @@ static int bmg160_read_raw(struct iio_de
 			for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) {
 				if (bmg160_scale_table[i].dps_range ==
 							data->dps_range) {
+					*val = 0;
 					*val2 = bmg160_scale_table[i].scale;
 					return IIO_VAL_INT_PLUS_MICRO;
 				}




* [PATCH 5.0 056/115] iio:chemical:bme680: Fix, report temperature in millidegrees
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 055/115] iio/gyro/bmg160: Use millidegrees for temperature scale Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 057/115] iio:chemical:bme680: Fix SPI read interface Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Looijmans, Stable, Jonathan Cameron

From: Mike Looijmans <mike.looijmans@topic.nl>

commit 9436f45dd53595e21566a8c6627411077dfdb776 upstream.

The standard unit for temperature is millidegrees Celsius. Adapt the
driver to report in millidegrees instead of degrees.

Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor");
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/chemical/bme680_core.c |   16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -583,8 +583,7 @@ static int bme680_gas_config(struct bme6
 	return ret;
 }
 
-static int bme680_read_temp(struct bme680_data *data,
-			    int *val, int *val2)
+static int bme680_read_temp(struct bme680_data *data, int *val)
 {
 	struct device *dev = regmap_get_device(data->regmap);
 	int ret;
@@ -617,10 +616,9 @@ static int bme680_read_temp(struct bme68
 	 * compensate_press/compensate_humid to get compensated
 	 * pressure/humidity readings.
 	 */
-	if (val && val2) {
-		*val = comp_temp;
-		*val2 = 100;
-		return IIO_VAL_FRACTIONAL;
+	if (val) {
+		*val = comp_temp * 10; /* Centidegrees to millidegrees */
+		return IIO_VAL_INT;
 	}
 
 	return ret;
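
Review bot: after this change bme680_read_temp() returns IIO_VAL_INT when val is set and the last `ret` otherwise, so the return convention differs between the sysfs path and the NULL callers that only want t_fine; a short comment above the function would document that. The processed value reported to userspace also changes by a factor of 1000 (comp_temp/100 before, comp_temp * 10 now), which the changelog should state explicitly.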
@@ -635,7 +633,7 @@ static int bme680_read_press(struct bme6
 	s32 adc_press;
 
 	/* Read and compensate temperature to get a reading of t_fine */
-	ret = bme680_read_temp(data, NULL, NULL);
+	ret = bme680_read_temp(data, NULL);
 	if (ret < 0)
 		return ret;
 
@@ -668,7 +666,7 @@ static int bme680_read_humid(struct bme6
 	u32 comp_humidity;
 
 	/* Read and compensate temperature to get a reading of t_fine */
-	ret = bme680_read_temp(data, NULL, NULL);
+	ret = bme680_read_temp(data, NULL);
 	if (ret < 0)
 		return ret;
 
@@ -761,7 +759,7 @@ static int bme680_read_raw(struct iio_de
 	case IIO_CHAN_INFO_PROCESSED:
 		switch (chan->type) {
 		case IIO_TEMP:
-			return bme680_read_temp(data, val, val2);
+			return bme680_read_temp(data, val);
 		case IIO_PRESSURE:
 			return bme680_read_press(data, val, val2);
 		case IIO_HUMIDITYRELATIVE:




* [PATCH 5.0 057/115] iio:chemical:bme680: Fix SPI read interface
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 056/115] iio:chemical:bme680: Fix, report temperature in millidegrees Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 058/115] iio: cros_ec: Fix the maths for gyro scale calculation Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Looijmans, Stable, Jonathan Cameron

From: Mike Looijmans <mike.looijmans@topic.nl>

commit 73f3bc6da506711302bb67572440eb84b1ec4a2c upstream.

The SPI interface implementation was completely broken.

When using the SPI interface, there are only 7 address bits, the upper bit
is controlled by a page select register. The core needs access to both
ranges, so implement register read/write for both regions. The regmap
paging functionality didn't agree with a register that needs to be read
and modified, so I implemented a custom paging algorithm.

This fixes that the device wouldn't even probe in SPI mode.

The SPI interface then isn't different from I2C, merged them into the core,
and the I2C/SPI named registers are no longer needed.

Implemented register value caching for the registers to reduce the I2C/SPI
data transfers considerably.

The calibration set reads as all zeroes until some undefined point in time,
and I couldn't determine what makes it valid. The datasheet mentions these
registers but does not provide any hints on when they become valid, and they
aren't even enumerated in the memory map. So check the calibration and
retry reading it from the device after each measurement until it provides
something valid.

Despite the size this is suitable for a stable backport given that
it seems the SPI support never worked.

Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor");
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/chemical/bme680.h      |    6 -
 drivers/iio/chemical/bme680_core.c |   38 ++++++++++++
 drivers/iio/chemical/bme680_i2c.c  |   21 ------
 drivers/iio/chemical/bme680_spi.c  |  115 +++++++++++++++++++++++++------------
 4 files changed, 118 insertions(+), 62 deletions(-)

--- a/drivers/iio/chemical/bme680.h
+++ b/drivers/iio/chemical/bme680.h
@@ -2,11 +2,9 @@
 #ifndef BME680_H_
 #define BME680_H_
 
-#define BME680_REG_CHIP_I2C_ID			0xD0
-#define BME680_REG_CHIP_SPI_ID			0x50
+#define BME680_REG_CHIP_ID			0xD0
 #define   BME680_CHIP_ID_VAL			0x61
-#define BME680_REG_SOFT_RESET_I2C		0xE0
-#define BME680_REG_SOFT_RESET_SPI		0x60
+#define BME680_REG_SOFT_RESET			0xE0
 #define   BME680_CMD_SOFTRESET			0xB6
 #define BME680_REG_STATUS			0x73
 #define   BME680_SPI_MEM_PAGE_BIT		BIT(4)
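
Review bot: with the *_SPI_ID and *_SOFT_RESET_SPI defines removed here, check that BME680_SPI_MEM_PAGE_1_VAL is not left behind as an unused macro; the only use of it visible in this patch is the regmap_write_bits() call being deleted from bme680_spi_probe().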
--- a/drivers/iio/chemical/bme680_core.c
+++ b/drivers/iio/chemical/bme680_core.c
@@ -63,9 +63,23 @@ struct bme680_data {
 	s32 t_fine;
 };
 
+static const struct regmap_range bme680_volatile_ranges[] = {
+	regmap_reg_range(BME680_REG_MEAS_STAT_0, BME680_REG_GAS_R_LSB),
+	regmap_reg_range(BME680_REG_STATUS, BME680_REG_STATUS),
+	regmap_reg_range(BME680_T2_LSB_REG, BME680_GH3_REG),
+};
+
+static const struct regmap_access_table bme680_volatile_table = {
+	.yes_ranges	= bme680_volatile_ranges,
+	.n_yes_ranges	= ARRAY_SIZE(bme680_volatile_ranges),
+};
+
 const struct regmap_config bme680_regmap_config = {
 	.reg_bits = 8,
 	.val_bits = 8,
+	.max_register = 0xef,
+	.volatile_table = &bme680_volatile_table,
+	.cache_type = REGCACHE_RBTREE,
 };
 EXPORT_SYMBOL(bme680_regmap_config);
 
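
Review bot: `.max_register = 0xef` is a bare number; name it or comment which register it is. The third volatile range, BME680_T2_LSB_REG to BME680_GH3_REG, looks like the calibration block, which means calibration reads are never cached. Add a comment tying that to the changelog's observation that calibration reads as zero for a while, otherwise the range is likely to be removed later as an optimisation.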
@@ -316,6 +330,10 @@ static s16 bme680_compensate_temp(struct
 	s64 var1, var2, var3;
 	s16 calc_temp;
 
+	/* If the calibration is invalid, attempt to reload it */
+	if (!calib->par_t2)
+		bme680_read_calib(data, calib);
+
 	var1 = (adc_temp >> 3) - (calib->par_t1 << 1);
 	var2 = (var1 * calib->par_t2) >> 11;
 	var3 = ((var1 >> 1) * (var1 >> 1)) >> 12;
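
Review bot: the return value of the added bme680_read_calib() call is ignored, and if par_t2 is still zero afterwards the function goes on to compute a temperature from invalid calibration and hands it back as good data. Fail the read instead; the s16 return type makes that awkward here, which suggests the reload belongs in the caller. Also document that par_t2 == 0 is being used as the "not loaded" sentinel.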
@@ -865,8 +883,28 @@ int bme680_core_probe(struct device *dev
 {
 	struct iio_dev *indio_dev;
 	struct bme680_data *data;
+	unsigned int val;
 	int ret;
 
+	ret = regmap_write(regmap, BME680_REG_SOFT_RESET,
+			   BME680_CMD_SOFTRESET);
+	if (ret < 0) {
+		dev_err(dev, "Failed to reset chip\n");
+		return ret;
+	}
+
+	ret = regmap_read(regmap, BME680_REG_CHIP_ID, &val);
+	if (ret < 0) {
+		dev_err(dev, "Error reading chip ID\n");
+		return ret;
+	}
+
+	if (val != BME680_CHIP_ID_VAL) {
+		dev_err(dev, "Wrong chip ID, got %x expected %x\n",
+				val, BME680_CHIP_ID_VAL);
+		return -ENODEV;
+	}
+
 	indio_dev = devm_iio_device_alloc(dev, sizeof(*data));
 	if (!indio_dev)
 		return -ENOMEM;
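
Review bot: the chip ID read follows the soft-reset write with no delay in between; if the part needs a start-up time after reset, add the wait here now that both buses share this path. The "Wrong chip ID" message would also be easier to read with `%#x` or a `0x` prefix.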
--- a/drivers/iio/chemical/bme680_i2c.c
+++ b/drivers/iio/chemical/bme680_i2c.c
@@ -23,8 +23,6 @@ static int bme680_i2c_probe(struct i2c_c
 {
 	struct regmap *regmap;
 	const char *name = NULL;
-	unsigned int val;
-	int ret;
 
 	regmap = devm_regmap_init_i2c(client, &bme680_regmap_config);
 	if (IS_ERR(regmap)) {
@@ -33,25 +31,6 @@ static int bme680_i2c_probe(struct i2c_c
 		return PTR_ERR(regmap);
 	}
 
-	ret = regmap_write(regmap, BME680_REG_SOFT_RESET_I2C,
-			   BME680_CMD_SOFTRESET);
-	if (ret < 0) {
-		dev_err(&client->dev, "Failed to reset chip\n");
-		return ret;
-	}
-
-	ret = regmap_read(regmap, BME680_REG_CHIP_I2C_ID, &val);
-	if (ret < 0) {
-		dev_err(&client->dev, "Error reading I2C chip ID\n");
-		return ret;
-	}
-
-	if (val != BME680_CHIP_ID_VAL) {
-		dev_err(&client->dev, "Wrong chip ID, got %x expected %x\n",
-				val, BME680_CHIP_ID_VAL);
-		return -ENODEV;
-	}
-
 	if (id)
 		name = id->name;
 
--- a/drivers/iio/chemical/bme680_spi.c
+++ b/drivers/iio/chemical/bme680_spi.c
@@ -11,28 +11,93 @@
 
 #include "bme680.h"
 
+struct bme680_spi_bus_context {
+	struct spi_device *spi;
+	u8 current_page;
+};
+
+/*
+ * In SPI mode there are only 7 address bits, a "page" register determines
+ * which part of the 8-bit range is active. This function looks at the address
+ * and writes the page selection bit if needed
+ */
+static int bme680_regmap_spi_select_page(
+	struct bme680_spi_bus_context *ctx, u8 reg)
+{
+	struct spi_device *spi = ctx->spi;
+	int ret;
+	u8 buf[2];
+	u8 page = (reg & 0x80) ? 0 : 1; /* Page "1" is low range */
+
+	if (page == ctx->current_page)
+		return 0;
+
+	/*
+	 * Data sheet claims we're only allowed to change bit 4, so we must do
+	 * a read-modify-write on each and every page select
+	 */
+	buf[0] = BME680_REG_STATUS;
+	ret = spi_write_then_read(spi, buf, 1, buf + 1, 1);
+	if (ret < 0) {
+		dev_err(&spi->dev, "failed to set page %u\n", page);
+		return ret;
+	}
+
+	buf[0] = BME680_REG_STATUS;
+	if (page)
+		buf[1] |= BME680_SPI_MEM_PAGE_BIT;
+	else
+		buf[1] &= ~BME680_SPI_MEM_PAGE_BIT;
+
+	ret = spi_write(spi, buf, 2);
+	if (ret < 0) {
+		dev_err(&spi->dev, "failed to set page %u\n", page);
+		return ret;
+	}
+
+	ctx->current_page = page;
+
+	return 0;
+}
+
 static int bme680_regmap_spi_write(void *context, const void *data,
 				   size_t count)
 {
-	struct spi_device *spi = context;
+	struct bme680_spi_bus_context *ctx = context;
+	struct spi_device *spi = ctx->spi;
+	int ret;
 	u8 buf[2];
 
 	memcpy(buf, data, 2);
+
+	ret = bme680_regmap_spi_select_page(ctx, buf[0]);
+	if (ret)
+		return ret;
+
 	/*
 	 * The SPI register address (= full register address without bit 7)
 	 * and the write command (bit7 = RW = '0')
 	 */
 	buf[0] &= ~0x80;
 
-	return spi_write_then_read(spi, buf, 2, NULL, 0);
+	return spi_write(spi, buf, 2);
 }
 
 static int bme680_regmap_spi_read(void *context, const void *reg,
 				  size_t reg_size, void *val, size_t val_size)
 {
-	struct spi_device *spi = context;
+	struct bme680_spi_bus_context *ctx = context;
+	struct spi_device *spi = ctx->spi;
+	int ret;
+	u8 addr = *(const u8 *)reg;
+
+	ret = bme680_regmap_spi_select_page(ctx, addr);
+	if (ret)
+		return ret;
+
+	addr |= 0x80; /* bit7 = RW = '1' */
 
-	return spi_write_then_read(spi, reg, reg_size, val, val_size);
+	return spi_write_then_read(spi, &addr, 1, val, val_size);
 }
 
 static struct regmap_bus bme680_regmap_bus = {
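
Review bot: bme680_regmap_spi_write() and bme680_regmap_spi_select_page() now call spi_write() on a `u8 buf[2]` that lives on the stack. Unlike spi_write_then_read(), which copies through its own bounce buffer, spi_write() needs a DMA-safe buffer, so either keep spi_write_then_read(spi, buf, 2, NULL, 0) or move the buffer into the allocated bus context. In the page-select helper, the status read also sends BME680_REG_STATUS without bit 7 set, while bme680_regmap_spi_read() sets `addr |= 0x80` to mark a read; please confirm that is intended. Both error paths print the same "failed to set page" text, so distinguish the read from the write.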
@@ -45,8 +110,8 @@ static struct regmap_bus bme680_regmap_b
 static int bme680_spi_probe(struct spi_device *spi)
 {
 	const struct spi_device_id *id = spi_get_device_id(spi);
+	struct bme680_spi_bus_context *bus_context;
 	struct regmap *regmap;
-	unsigned int val;
 	int ret;
 
 	spi->bits_per_word = 8;
@@ -56,45 +121,21 @@ static int bme680_spi_probe(struct spi_d
 		return ret;
 	}
 
+	bus_context = devm_kzalloc(&spi->dev, sizeof(*bus_context), GFP_KERNEL);
+	if (!bus_context)
+		return -ENOMEM;
+
+	bus_context->spi = spi;
+	bus_context->current_page = 0xff; /* Undefined on warm boot */
+
 	regmap = devm_regmap_init(&spi->dev, &bme680_regmap_bus,
-				  &spi->dev, &bme680_regmap_config);
+				  bus_context, &bme680_regmap_config);
 	if (IS_ERR(regmap)) {
 		dev_err(&spi->dev, "Failed to register spi regmap %d\n",
 				(int)PTR_ERR(regmap));
 		return PTR_ERR(regmap);
 	}
 
-	ret = regmap_write(regmap, BME680_REG_SOFT_RESET_SPI,
-			   BME680_CMD_SOFTRESET);
-	if (ret < 0) {
-		dev_err(&spi->dev, "Failed to reset chip\n");
-		return ret;
-	}
-
-	/* after power-on reset, Page 0(0x80-0xFF) of spi_mem_page is active */
-	ret = regmap_read(regmap, BME680_REG_CHIP_SPI_ID, &val);
-	if (ret < 0) {
-		dev_err(&spi->dev, "Error reading SPI chip ID\n");
-		return ret;
-	}
-
-	if (val != BME680_CHIP_ID_VAL) {
-		dev_err(&spi->dev, "Wrong chip ID, got %x expected %x\n",
-				val, BME680_CHIP_ID_VAL);
-		return -ENODEV;
-	}
-	/*
-	 * select Page 1 of spi_mem_page to enable access to
-	 * to registers from address 0x00 to 0x7F.
-	 */
-	ret = regmap_write_bits(regmap, BME680_REG_STATUS,
-				BME680_SPI_MEM_PAGE_BIT,
-				BME680_SPI_MEM_PAGE_1_VAL);
-	if (ret < 0) {
-		dev_err(&spi->dev, "failed to set page 1 of spi_mem_page\n");
-		return ret;
-	}
-
 	return bme680_core_probe(&spi->dev, regmap, id->name);
 }
 
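
Review bot: 0xff as the "unknown page" value for current_page deserves a named constant next to the struct, since bme680_regmap_spi_select_page() depends on it never matching 0 or 1. Separately, the unchanged last line dereferences id->name without a NULL check, whereas the I2C probe guards it with `if (id)`; now that the probe is being reworked, align the two.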




* [PATCH 5.0 058/115] iio: cros_ec: Fix the maths for gyro scale calculation
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 057/115] iio:chemical:bme680: Fix SPI read interface Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 059/115] iio: ad_sigma_delta: select channel when reading register Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gwendal Grignou,
	Enric Balletbo i Serra, Stable, Jonathan Cameron

From: Gwendal Grignou <gwendal@chromium.org>

commit 3d02d7082e5823598090530c3988a35f69689943 upstream.

Calculation did not use IIO_DEGREE_TO_RAD and implemented a variant to
avoid precision loss as we aim a nano value. The offset added to avoid
rounding error, though, doesn't give us a close result to the expected
value. E.g.

For 1000dps, the result should be:

    (1000 * pi ) / 180 >> 15 ~= 0.000532632218

But with current calculation we get

    $ cat scale
    0.000547890

Fix the calculation by just doing the maths involved for a nano value

   val * pi * 10e12 / (180 * 2^15)

so we get a closer result.

    $ cat scale
    0.000532632

Fixes: c14dca07a31d ("iio: cros_ec_sensors: add ChromeOS EC Contiguous Sensors driver")
Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
+++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
@@ -103,9 +103,10 @@ static int cros_ec_sensors_read(struct i
 			 * Do not use IIO_DEGREE_TO_RAD to avoid precision
 			 * loss. Round to the nearest integer.
 			 */
-			*val = div_s64(val64 * 314159 + 9000000ULL, 1000);
-			*val2 = 18000 << (CROS_EC_SENSOR_BITS - 1);
-			ret = IIO_VAL_FRACTIONAL;
+			*val = 0;
+			*val2 = div_s64(val64 * 3141592653ULL,
+					180 << (CROS_EC_SENSOR_BITS - 1));
+			ret = IIO_VAL_INT_PLUS_NANO;
 			break;
 		case MOTIONSENSE_TYPE_MAG:
 			/*
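
Review bot: The comment kept as context above the new lines still says "Round to the nearest integer", but div_s64() truncates and the "+ 9000000ULL" rounding offset is gone, so the comment no longer describes the code. Either drop that sentence or add half the divisor to the dividend before dividing. Separately, "val64 * 3141592653ULL" is evaluated as an unsigned 64-bit product and the quotient lands in *val2; a short comment stating the range of val64 that keeps the result below 10^9, which is what IIO_VAL_INT_PLUS_NANO expects of the nano part, would make the bound checkable in review.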



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 059/115] iio: ad_sigma_delta: select channel when reading register
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 058/115] iio: cros_ec: Fix the maths for gyro scale calculation Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 060/115] iio: dac: mcp4725: add missing powerdown bits in store eeprom Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dragos Bogdan, Alexandru Ardelean,
	Stable, Jonathan Cameron

From: Dragos Bogdan <dragos.bogdan@analog.com>

commit fccfb9ce70ed4ea7a145f77b86de62e38178517f upstream.

The desired channel has to be selected in order to correctly fill the
buffer with the corresponding data.
The `ad_sd_write_reg()` already does this, but for the
`ad_sd_read_reg_raw()` this was omitted.

Fixes: af3008485ea03 ("iio:adc: Add common code for ADI Sigma Delta devices")
Signed-off-by: Dragos Bogdan <dragos.bogdan@analog.com>
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/ad_sigma_delta.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_
 	if (sigma_delta->info->has_registers) {
 		data[0] = reg << sigma_delta->info->addr_shift;
 		data[0] |= sigma_delta->info->read_mask;
+		data[0] |= sigma_delta->comm;
 		spi_message_add_tail(&t[0], &m);
 	}
 	spi_message_add_tail(&t[1], &m);
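
Review bot: "data[0] |= sigma_delta->comm;" ORs the channel-select bits into the same byte that already holds the shifted register address and read_mask, with no mask applied, so the command byte is only correct if comm never overlaps those fields. A short comment stating which bits comm may occupy, or an explicit mask, would make that assumption reviewable. If comm can be updated from another context, this read also needs the same serialization as the write path.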



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 060/115] iio: dac: mcp4725: add missing powerdown bits in store eeprom
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 059/115] iio: ad_sigma_delta: select channel when reading register Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 061/115] iio: Fix scan mask selection Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jean-Francois Dagenais,
	Peter Meerwald-Stadler, Stable, Jonathan Cameron

From: Jean-Francois Dagenais <jeff.dagenais@gmail.com>

commit 06003531502d06bc89d32528f6ec96bf978790f9 upstream.

When issuing the write DAC register and write eeprom command, the two
powerdown bits (PD0 and PD1) are assumed by the chip to be present in
the bytes sent. Leaving them at 0 implies "powerdown disabled" which is
a different state than the current one. By adding the current state of
the powerdown in the i2c write, the chip will correctly power-on exactly
as it is at the moment of store_eeprom call.

This is documented in MCP4725's datasheet, FIGURE 6-2: "Write Commands
for DAC Input Register and EEPROM" and MCP4726's datasheet, FIGURE 6-3:
"Write All Memory Command".

Signed-off-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com>
Acked-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/dac/mcp4725.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/dac/mcp4725.c
+++ b/drivers/iio/dac/mcp4725.c
@@ -92,6 +92,7 @@ static ssize_t mcp4725_store_eeprom(stru
 
 	inoutbuf[0] = 0x60; /* write EEPROM */
 	inoutbuf[0] |= data->ref_mode << 3;
+	inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0;
 	inoutbuf[1] = data->dac_value >> 4;
 	inoutbuf[2] = (data->dac_value & 0xf) << 4;
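
Review bot: "(data->powerdown_mode + 1) << 1" on the added line is not masked to the two PD bits, and "data->ref_mode << 3" on the line above occupies the bits directly above them, so a powerdown_mode greater than 2 would spill into the reference-mode field of the command byte. Suggest masking the term with 0x6, or bounding powerdown_mode where it is stored, and adding a comment that the "+ 1" maps the mode index onto the PD1/PD0 encoding from the datasheet figures cited in the commit message.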
 



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 061/115] iio: Fix scan mask selection
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 060/115] iio: dac: mcp4725: add missing powerdown bits in store eeprom Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 062/115] iio: adc: at91: disable adc channel interrupt in timeout case Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen,
	Alexandru Ardelean, Stable, Jonathan Cameron

From: Lars-Peter Clausen <lars@metafoo.de>

commit 20ea39ef9f2f911bd01c69519e7d69cfec79fde3 upstream.

The trialmask is expected to have all bits set to 0 after allocation.
Currently kmalloc_array() is used which does not zero the memory and so
random bits are set. This results in random channels being enabled when
they shouldn't. Replace kmalloc_array() with kcalloc() which has the same
interface but zeros the memory.

Note the fix is actually required earlier than the below fixes tag, but
will require a manual backport due to move from kmalloc to kmalloc_array.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Fixes commit 057ac1acdfc4 ("iio: Use kmalloc_array() in iio_scan_mask_set()").
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/industrialio-buffer.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -320,9 +320,8 @@ static int iio_scan_mask_set(struct iio_
 	const unsigned long *mask;
 	unsigned long *trialmask;
 
-	trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength),
-				  sizeof(*trialmask),
-				  GFP_KERNEL);
+	trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength),
+			    sizeof(*trialmask), GFP_KERNEL);
 	if (trialmask == NULL)
 		return -ENOMEM;
 	if (!indio_dev->masklength) {
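
Review bot: The "!indio_dev->masklength" test in the trailing context still runs after the allocation, so the zero-length case calls kcalloc() with a count of 0 before it is rejected. Moving that test above the allocation would avoid the pointless allocation. Since trialmask is a bitmap sized with BITS_TO_LONGS(), bitmap_zalloc(indio_dev->masklength, GFP_KERNEL) would state the zero-initialization requirement more directly, provided the matching free is switched to bitmap_free().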



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 062/115] iio: adc: at91: disable adc channel interrupt in timeout case
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 061/115] iio: Fix scan mask selection Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:09 ` [PATCH 5.0 063/115] iio: core: fix a possible circular locking dependency Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Georg Ottinger, Ludovic Desroches,
	Stable, Jonathan Cameron

From: Georg Ottinger <g.ottinger@abatec.at>

commit 09c6bdee51183a575bf7546890c8c137a75a2b44 upstream.

Having a brief look at at91_adc_read_raw() it is obvious that in the case
of a timeout the setting of AT91_ADC_CHDR and AT91_ADC_IDR registers is
omitted. If 2 different channels are queried we can end up with a
situation where two interrupts are enabled, but only one interrupt is
cleared in the interrupt handler. Resulting in an interrupt loop and a
system hang.

Signed-off-by: Georg Ottinger <g.ottinger@abatec.at>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/adc/at91_adc.c |   28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

--- a/drivers/iio/adc/at91_adc.c
+++ b/drivers/iio/adc/at91_adc.c
@@ -704,23 +704,29 @@ static int at91_adc_read_raw(struct iio_
 		ret = wait_event_interruptible_timeout(st->wq_data_avail,
 						       st->done,
 						       msecs_to_jiffies(1000));
-		if (ret == 0)
-			ret = -ETIMEDOUT;
-		if (ret < 0) {
-			mutex_unlock(&st->lock);
-			return ret;
-		}
-
-		*val = st->last_value;
 
+		/* Disable interrupts, regardless if adc conversion was
+		 * successful or not
+		 */
 		at91_adc_writel(st, AT91_ADC_CHDR,
 				AT91_ADC_CH(chan->channel));
 		at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel));
 
-		st->last_value = 0;
-		st->done = false;
+		if (ret > 0) {
+			/* a valid conversion took place */
+			*val = st->last_value;
+			st->last_value = 0;
+			st->done = false;
+			ret = IIO_VAL_INT;
+		} else if (ret == 0) {
+			/* conversion timeout */
+			dev_err(&idev->dev, "ADC Channel %d timeout.\n",
+				chan->channel);
+			ret = -ETIMEDOUT;
+		}
+
 		mutex_unlock(&st->lock);
-		return IIO_VAL_INT;
+		return ret;
 
 	case IIO_CHAN_INFO_SCALE:
 		*val = st->vref_mv;
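
Review bot: st->done and st->last_value are reset only inside the "ret > 0" branch. On the timeout path, and on the "ret < 0" path when the wait is interrupted by a signal, anything that sets st->done between the wait returning and the AT91_ADC_IDR write leaves it set, so the next read would return immediately with a stale st->last_value. Resetting both fields unconditionally, after the channel interrupt has been disabled, would close that window. The new block comment should also open with a bare "/*" line to match kernel comment style.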



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 063/115] iio: core: fix a possible circular locking dependency
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 062/115] iio: adc: at91: disable adc channel interrupt in timeout case Greg Kroah-Hartman
@ 2019-04-24 17:09 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 064/115] io: accel: kxcjk1013: restore the range after resume Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabrice Gasnier, Stable, Jonathan Cameron

From: Fabrice Gasnier <fabrice.gasnier@st.com>

commit 7f75591fc5a123929a29636834d1bcb8b5c9fee3 upstream.

This fixes a possible circular locking dependency detected warning seen
with:
- CONFIG_PROVE_LOCKING=y
- consumer/provider IIO devices (ex: "voltage-divider" consumer of "adc")

When using the IIO consumer interface, e.g. iio_channel_get(), the consumer
device will likely call iio_read_channel_raw() or similar that rely on
'info_exist_lock' mutex.

typically:
...
	mutex_lock(&chan->indio_dev->info_exist_lock);
	if (chan->indio_dev->info == NULL) {
		ret = -ENODEV;
		goto err_unlock;
	}
	ret = do_some_ops()
err_unlock:
	mutex_unlock(&chan->indio_dev->info_exist_lock);
	return ret;
...

Same mutex is also held in iio_device_unregister().

The following deadlock warning happens when:
- the consumer device has called an API like iio_read_channel_raw()
  at least once.
- the consumer driver is unregistered, removed (unbind from sysfs)

======================================================
WARNING: possible circular locking dependency detected
4.19.24 #577 Not tainted
------------------------------------------------------
sh/372 is trying to acquire lock:
(kn->count#30){++++}, at: kernfs_remove_by_name_ns+0x3c/0x84

but task is already holding lock:
(&dev->info_exist_lock){+.+.}, at: iio_device_unregister+0x18/0x60

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&dev->info_exist_lock){+.+.}:
       __mutex_lock+0x70/0xa3c
       mutex_lock_nested+0x1c/0x24
       iio_read_channel_raw+0x1c/0x60
       iio_read_channel_info+0xa8/0xb0
       dev_attr_show+0x1c/0x48
       sysfs_kf_seq_show+0x84/0xec
       seq_read+0x154/0x528
       __vfs_read+0x2c/0x15c
       vfs_read+0x8c/0x110
       ksys_read+0x4c/0xac
       ret_fast_syscall+0x0/0x28
       0xbedefb60

-> #0 (kn->count#30){++++}:
       lock_acquire+0xd8/0x268
       __kernfs_remove+0x288/0x374
       kernfs_remove_by_name_ns+0x3c/0x84
       remove_files+0x34/0x78
       sysfs_remove_group+0x40/0x9c
       sysfs_remove_groups+0x24/0x34
       device_remove_attrs+0x38/0x64
       device_del+0x11c/0x360
       cdev_device_del+0x14/0x2c
       iio_device_unregister+0x24/0x60
       release_nodes+0x1bc/0x200
       device_release_driver_internal+0x1a0/0x230
       unbind_store+0x80/0x130
       kernfs_fop_write+0x100/0x1e4
       __vfs_write+0x2c/0x160
       vfs_write+0xa4/0x17c
       ksys_write+0x4c/0xac
       ret_fast_syscall+0x0/0x28
       0xbe906840

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&dev->info_exist_lock);
                               lock(kn->count#30);
                               lock(&dev->info_exist_lock);
  lock(kn->count#30);

 *** DEADLOCK ***
...

cdev_device_del() can be called without holding the lock. It should be safe
as info_exist_lock prevents kernelspace consumers from using the exported
routines during/after provider removal. cdev_device_del() is for userspace.

Help to reproduce:
See example: Documentation/devicetree/bindings/iio/afe/voltage-divider.txt
sysv {
	compatible = "voltage-divider";
	io-channels = <&adc 0>;
	output-ohms = <22>;
	full-ohms = <222>;
};

First, go to iio:deviceX for the "voltage-divider", do one read:
$ cd /sys/bus/iio/devices/iio:deviceX
$ cat in_voltage0_raw

Then, unbind the consumer driver. It triggers above deadlock warning.
$ cd /sys/bus/platform/drivers/iio-rescale/
$ echo sysv > unbind

Note I don't actually expect stable will pick this up all the
way back into IIO being in staging, but it's probably valid that
far back.

Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
Fixes: ac917a81117c ("staging:iio:core set the iio_dev.info pointer to null on unregister")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/industrialio-core.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1738,10 +1738,10 @@ EXPORT_SYMBOL(__iio_device_register);
  **/
 void iio_device_unregister(struct iio_dev *indio_dev)
 {
-	mutex_lock(&indio_dev->info_exist_lock);
-
 	cdev_device_del(&indio_dev->chrdev, &indio_dev->dev);
 
+	mutex_lock(&indio_dev->info_exist_lock);
+
 	iio_device_unregister_debugfs(indio_dev);
 
 	iio_disable_all_buffers(indio_dev);
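
Review bot: Nothing in iio_device_unregister() records why cdev_device_del() now has to run before info_exist_lock is taken, so a later cleanup could move the lock back to the top of the function and reintroduce the lockdep report. Suggest a short comment above the call saying that it removes the sysfs attributes, whose show path takes info_exist_lock, and must therefore stay outside the lock.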



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 064/115] io: accel: kxcjk1013: restore the range after resume.
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2019-04-24 17:09 ` [PATCH 5.0 063/115] iio: core: fix a possible circular locking dependency Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 065/115] staging: most: core: use device description as name Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, he, bo, Chen, Hu, Hans de Goede,
	Stable, Jonathan Cameron

From: he, bo <bo.he@intel.com>

commit fe2d3df639a7940a125a33d6460529b9689c5406 upstream.

On some laptops, kxcjk1013 is powered off when system enters S3. We need to
restore the range register during resume. Otherwise, the sensor doesn't
work properly after S3.

Signed-off-by: he, bo <bo.he@intel.com>
Signed-off-by: Chen, Hu <hu1.chen@intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/accel/kxcjk-1013.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/iio/accel/kxcjk-1013.c
+++ b/drivers/iio/accel/kxcjk-1013.c
@@ -1437,6 +1437,8 @@ static int kxcjk1013_resume(struct devic
 
 	mutex_lock(&data->mutex);
 	ret = kxcjk1013_set_mode(data, OPERATION);
+	if (ret == 0)
+		ret = kxcjk1013_set_range(data, data->range);
 	mutex_unlock(&data->mutex);
 
 	return ret;
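
Review bot: kxcjk1013_set_range() is called after kxcjk1013_set_mode(data, OPERATION), so the range is written once the part is already back in operating mode; if the range register may only be changed in standby, the two calls need to be in the opposite order. A comment explaining why the range alone is restored would also help, since a part that is powered off in S3, as the commit message describes, would presumably lose the other settings programmed at init as well.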



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 065/115] staging: most: core: use device description as name
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 064/115] io: accel: kxcjk1013: restore the range after resume Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 066/115] staging: comedi: vmk80xx: Fix use of uninitialized semaphore Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christian Gromm

From: Christian Gromm <christian.gromm@microchip.com>

commit 131ac62253dba79daf4a6d83ab12293d2b9863d3 upstream.

This patch uses the device description to clearly identify a device
attached to the bus. It is needed as the currently used mdevX
notation is not sufficient in case more than one network
interface controller is being used at the same time.

Cc: stable@vger.kernel.org
Signed-off-by: Christian Gromm <christian.gromm@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/most/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/most/core.c
+++ b/drivers/staging/most/core.c
@@ -1431,7 +1431,7 @@ int most_register_interface(struct most_
 
 	INIT_LIST_HEAD(&iface->p->channel_list);
 	iface->p->dev_id = id;
-	snprintf(iface->p->name, STRING_SIZE, "mdev%d", id);
+	strcpy(iface->p->name, iface->description);
 	iface->dev.init_name = iface->p->name;
 	iface->dev.bus = &mc.bus;
 	iface->dev.parent = &mc.dev;
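
Review bot: "strcpy(iface->p->name, iface->description)" drops the STRING_SIZE bound that the removed snprintf() enforced, so a description longer than the destination overflows iface->p->name, and a NULL iface->description is dereferenced. The string comes from the caller's iface, so most_register_interface() should not trust its length. Suggest "strscpy(iface->p->name, iface->description, STRING_SIZE)" with an explicit check for a missing description before the copy, returning an error in that case.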



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 066/115] staging: comedi: vmk80xx: Fix use of uninitialized semaphore
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 065/115] staging: most: core: use device description as name Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 067/115] staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+54c2f58f15fe6876b6ad, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit 08b7c2f9208f0e2a32159e4e7a4831b7adb10a3e upstream.

If `vmk80xx_auto_attach()` returns an error, the core comedi module code
will call `vmk80xx_detach()` to clean up.  If `vmk80xx_auto_attach()`
successfully allocated the comedi device private data,
`vmk80xx_detach()` assumes that a `struct semaphore limit_sem` contained
in the private data has been initialized and uses it.  Unfortunately,
there are a couple of places where `vmk80xx_auto_attach()` can return an
error after allocating the device private data but before initializing
the semaphore, so this assumption is invalid.  Fix it by initializing
the semaphore just after allocating the private data in
`vmk80xx_auto_attach()` before any other errors can be returned.

I believe this was the cause of the following syzbot crash report
<https://syzkaller.appspot.com/bug?extid=54c2f58f15fe6876b6ad>:

usb 1-1: config 0 has no interface number 0
usb 1-1: New USB device found, idVendor=10cf, idProduct=8068, bcdDevice=e6.8d
usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
vmk80xx 1-1:0.117: driver 'vmk80xx' failed to auto-configure device.
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xe8/0x16e lib/dump_stack.c:113
 assign_lock_key kernel/locking/lockdep.c:786 [inline]
 register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
 __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
 lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
 down+0x12/0x80 kernel/locking/semaphore.c:58
 vmk80xx_detach+0x59/0x100 drivers/staging/comedi/drivers/vmk80xx.c:829
 comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
 comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
 comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
 comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
 comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
 comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
 comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
 usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
 really_probe+0x2da/0xb10 drivers/base/dd.c:509
 driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
 __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
 __device_attach+0x223/0x3a0 drivers/base/dd.c:844
 bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
 device_add+0xad2/0x16e0 drivers/base/core.c:2106
 usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
 generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
 usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
 really_probe+0x2da/0xb10 drivers/base/dd.c:509
 driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
 __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
 __device_attach+0x223/0x3a0 drivers/base/dd.c:844
 bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
 device_add+0xad2/0x16e0 drivers/base/core.c:2106
 usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
 hub_port_connect drivers/usb/core/hub.c:5089 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
 port_event drivers/usb/core/hub.c:5350 [inline]
 hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
 process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
 worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
 kthread+0x313/0x420 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Reported-by: syzbot+54c2f58f15fe6876b6ad@syzkaller.appspotmail.com
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/vmk80xx.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/comedi/drivers/vmk80xx.c
+++ b/drivers/staging/comedi/drivers/vmk80xx.c
@@ -800,6 +800,8 @@ static int vmk80xx_auto_attach(struct co
 
 	devpriv->model = board->model;
 
+	sema_init(&devpriv->limit_sem, 8);
+
 	ret = vmk80xx_find_usb_endpoints(dev);
 	if (ret)
 		return ret;
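
Review bot: The new sema_init() position is load-bearing: it has to stay above the first "return ret" because, per the commit message, vmk80xx_detach() takes limit_sem after a failed attach, yet nothing at the call site says so. A one-line comment to that effect would keep a later reorder from reintroducing the bug. The count 8 is also an unexplained magic number and would be clearer as a named constant.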
@@ -808,8 +810,6 @@ static int vmk80xx_auto_attach(struct co
 	if (ret)
 		return ret;
 
-	sema_init(&devpriv->limit_sem, 8);
-
 	usb_set_intfdata(intf, devpriv);
 
 	if (devpriv->model == VMK8055_MODEL)
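
Review bot: usb_set_intfdata(intf, devpriv) stays below both "return ret" exits here, whereas the ni_usb6501 patch in this series moves the same call up next to the lock initialization. Confirm that the detach path after a failed attach does not read the interface data back, or move the call up as well so the two drivers stay consistent.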



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 067/115] staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 066/115] staging: comedi: vmk80xx: Fix use of uninitialized semaphore Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 068/115] staging: comedi: ni_usb6501: Fix use of uninitialized mutex Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit 663d294b4768bfd89e529e069bffa544a830b5bf upstream.

`vmk80xx_alloc_usb_buffers()` is called from `vmk80xx_auto_attach()` to
allocate RX and TX buffers for USB transfers.  It allocates
`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
allocation of `devpriv->usb_tx_buf` fails, it frees
`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an
error.  Later, `vmk80xx_detach()` will be called from the core comedi
module code to clean up.  `vmk80xx_detach()` also frees both
`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
`devpriv->usb_rx_buf` may have already been freed, leading to a
double-free error.  Fix it by removing the call to
`kfree(devpriv->usb_rx_buf)` from `vmk80xx_alloc_usb_buffers()`, relying
on `vmk80xx_detach()` to free the memory.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/vmk80xx.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/staging/comedi/drivers/vmk80xx.c
+++ b/drivers/staging/comedi/drivers/vmk80xx.c
@@ -682,10 +682,8 @@ static int vmk80xx_alloc_usb_buffers(str
 
 	size = usb_endpoint_maxp(devpriv->ep_tx);
 	devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
-	if (!devpriv->usb_tx_buf) {
-		kfree(devpriv->usb_rx_buf);
+	if (!devpriv->usb_tx_buf)
 		return -ENOMEM;
-	}
 
 	return 0;
 }
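
Review bot: With the kfree() removed, vmk80xx_alloc_usb_buffers() returns -ENOMEM while devpriv->usb_rx_buf is still allocated, and only the caller's detach path prevents a leak. That ownership rule deserves a comment above the "return -ENOMEM". An alternative that keeps the function self-contained is to keep the kfree() and set devpriv->usb_rx_buf = NULL afterwards, since kfree(NULL) is a no-op and the later free in detach would then be harmless.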



^ permalink raw reply	[flat|nested] 126+ messages in thread

* [PATCH 5.0 068/115] staging: comedi: ni_usb6501: Fix use of uninitialized mutex
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 067/115] staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 069/115] staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+cf4f2b6c24aff0a3edf6, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit 660cf4ce9d0f3497cc7456eaa6d74c8b71d6282c upstream.

If `ni6501_auto_attach()` returns an error, the core comedi module code
will call `ni6501_detach()` to clean up.  If `ni6501_auto_attach()`
successfully allocated the comedi device private data, `ni6501_detach()`
assumes that a `struct mutex mut` contained in the private data has been
initialized and uses it.  Unfortunately, there are a couple of places
where `ni6501_auto_attach()` can return an error after allocating the
device private data but before initializing the mutex, so this
assumption is invalid.  Fix it by initializing the mutex just after
allocating the private data in `ni6501_auto_attach()` before any other
errors can be returned.  Also move the call to `usb_set_intfdata()`
just to keep the code a bit neater (either position for the call is
fine).

I believe this was the cause of the following syzbot crash report
<https://syzkaller.appspot.com/bug?extid=cf4f2b6c24aff0a3edf6>:

usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
usb 1-1: config 0 descriptor??
usb 1-1: string descriptor 0 read error: -71
comedi comedi0: Wrong number of endpoints
ni6501 1-1:0.233: driver 'ni6501' failed to auto-configure device.
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 585 Comm: kworker/0:3 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xe8/0x16e lib/dump_stack.c:113
 assign_lock_key kernel/locking/lockdep.c:786 [inline]
 register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
 __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
 lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
 __mutex_lock_common kernel/locking/mutex.c:925 [inline]
 __mutex_lock+0xfe/0x12b0 kernel/locking/mutex.c:1072
 ni6501_detach+0x5b/0x110 drivers/staging/comedi/drivers/ni_usb6501.c:567
 comedi_device_detach+0xed/0x800 drivers/staging/comedi/drivers.c:204
 comedi_device_cleanup.part.0+0x68/0x140 drivers/staging/comedi/comedi_fops.c:156
 comedi_device_cleanup drivers/staging/comedi/comedi_fops.c:187 [inline]
 comedi_free_board_dev.part.0+0x16/0x90 drivers/staging/comedi/comedi_fops.c:190
 comedi_free_board_dev drivers/staging/comedi/comedi_fops.c:189 [inline]
 comedi_release_hardware_device+0x111/0x140 drivers/staging/comedi/comedi_fops.c:2880
 comedi_auto_config.cold+0x124/0x1b0 drivers/staging/comedi/drivers.c:1068
 usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
 really_probe+0x2da/0xb10 drivers/base/dd.c:509
 driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
 __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
 __device_attach+0x223/0x3a0 drivers/base/dd.c:844
 bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
 device_add+0xad2/0x16e0 drivers/base/core.c:2106
 usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
 generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
 usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
 really_probe+0x2da/0xb10 drivers/base/dd.c:509
 driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
 __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
 bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
 __device_attach+0x223/0x3a0 drivers/base/dd.c:844
 bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
 device_add+0xad2/0x16e0 drivers/base/core.c:2106
 usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
 hub_port_connect drivers/usb/core/hub.c:5089 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
 port_event drivers/usb/core/hub.c:5350 [inline]
 hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
 process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
 worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
 kthread+0x313/0x420 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Reported-by: syzbot+cf4f2b6c24aff0a3edf6@syzkaller.appspotmail.com
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/ni_usb6501.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/staging/comedi/drivers/ni_usb6501.c
+++ b/drivers/staging/comedi/drivers/ni_usb6501.c
@@ -518,6 +518,9 @@ static int ni6501_auto_attach(struct com
 	if (!devpriv)
 		return -ENOMEM;
 
+	mutex_init(&devpriv->mut);
+	usb_set_intfdata(intf, devpriv);
+
 	ret = ni6501_find_endpoints(dev);
 	if (ret)
 		return ret;
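
Review bot: Nothing in the code records why mutex_init(&devpriv->mut) and usb_set_intfdata(intf, devpriv) have to come before ni6501_find_endpoints(), so the ordering is easy to undo in a later cleanup. Both early `return ret` paths below now leave with the mutex initialized and intfdata pointing at devpriv. A one-line comment above the two calls, saying that they must precede the first failure return (the subject line says "Fix use of uninitialized mutex"), would keep it that way. Please also confirm that the cleanup path resets intfdata after a failed attach.
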
@@ -526,9 +529,6 @@ static int ni6501_auto_attach(struct com
 	if (ret)
 		return ret;
 
-	mutex_init(&devpriv->mut);
-	usb_set_intfdata(intf, devpriv);
-
 	ret = comedi_alloc_subdevices(dev, 2);
 	if (ret)
 		return ret;




* [PATCH 5.0 069/115] staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 068/115] staging: comedi: ni_usb6501: Fix use of uninitialized mutex Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 070/115] ALSA: hda/realtek - add two more pin configuration sets to quirk table Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit af4b54a2e5ba18259ff9aac445bf546dd60d037e upstream.

`ni6501_alloc_usb_buffers()` is called from `ni6501_auto_attach()` to
allocate RX and TX buffers for USB transfers.  It allocates
`devpriv->usb_rx_buf` followed by `devpriv->usb_tx_buf`.  If the
allocation of `devpriv->usb_tx_buf` fails, it frees
`devpriv->usb_rx_buf`, leaving the pointer set dangling, and returns an
error.  Later, `ni6501_detach()` will be called from the core comedi
module code to clean up.  `ni6501_detach()` also frees both
`devpriv->usb_rx_buf` and `devpriv->usb_tx_buf`, but
`devpriv->usb_rx_buf` may have already been freed, leading to a
double-free error.  Fix it by removing the call to
`kfree(devpriv->usb_rx_buf)` from `ni6501_alloc_usb_buffers()`, relying
on `ni6501_detach()` to free the memory.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/ni_usb6501.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/staging/comedi/drivers/ni_usb6501.c
+++ b/drivers/staging/comedi/drivers/ni_usb6501.c
@@ -463,10 +463,8 @@ static int ni6501_alloc_usb_buffers(stru
 
 	size = usb_endpoint_maxp(devpriv->ep_tx);
 	devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
-	if (!devpriv->usb_tx_buf) {
-		kfree(devpriv->usb_rx_buf);
+	if (!devpriv->usb_tx_buf)
 		return -ENOMEM;
-	}
 
 	return 0;
 }
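
Review bot: The `return -ENOMEM` after the failed usb_tx_buf allocation now leaves devpriv->usb_rx_buf allocated on purpose, and nothing in the function says so. Add a short comment there, for example that both buffers are freed by ni6501_detach(), so the kfree() is not put back as an apparent leak fix. If the local free is ever wanted again, it needs `devpriv->usb_rx_buf = NULL;` after it so that detach does not free the pointer a second time.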




* [PATCH 5.0 070/115] ALSA: hda/realtek - add two more pin configuration sets to quirk table
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 069/115] staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 071/115] ALSA: core: Fix card races between register and disconnect Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai

From: Hui Wang <hui.wang@canonical.com>

commit b26e36b7ef36a8a3a147b1609b2505f8a4ecf511 upstream.

We have two Dell laptops which have the codec 10ec0236 and 10ec0256
respectively, the headset mic on them can't work, need to apply the
quirk of ALC255_FIXUP_DELL1_MIC_NO_PRESENCE. So adding their pin
configurations in the pin quirk table.

Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7247,6 +7247,8 @@ static const struct snd_hda_pin_quirk al
 		{0x12, 0x90a60140},
 		{0x14, 0x90170150},
 		{0x21, 0x02211020}),
+	SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+		{0x21, 0x02211020}),
 	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
 		{0x14, 0x90170110},
 		{0x21, 0x02211020}),
@@ -7357,6 +7359,10 @@ static const struct snd_hda_pin_quirk al
 		{0x21, 0x0221101f}),
 	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
 		ALC256_STANDARD_PINS),
+	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+		{0x14, 0x90170110},
+		{0x1b, 0x01011020},
+		{0x21, 0x0221101f}),
 	SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC,
 		{0x14, 0x90170110},
 		{0x1b, 0x90a70130},
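
Review bot: Neither new SND_HDA_PIN_QUIRK entry (the 0x10ec0236 one in the previous hunk and the 0x10ec0256 one here) records which machine it is for; the changelog only says "two Dell laptops". A comment with the model name or subsystem ID next to each entry would let a later reader tell whether an entry is still needed or duplicates a neighbouring one.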




* [PATCH 5.0 071/115] ALSA: core: Fix card races between register and disconnect
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 070/115] ALSA: hda/realtek - add two more pin configuration sets to quirk table Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 072/115] Input: elan_i2c - add hardware ID for multiple Lenovo laptops Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+48df349490c36f9f54ab, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 2a3f7221acddfe1caa9ff09b3a8158c39b2fdeac upstream.

There is a small race window in the card disconnection code that
allows the registration of another card with the very same card id.
This leads to a warning in procfs creation as caught by syzkaller.

The problem is that we delete snd_cards and snd_cards_lock entries at
the very beginning of the disconnection procedure.  This makes the
slot available to be assigned for another card object while the
disconnection procedure is being processed.  Then it becomes possible
to issue a procfs registration with the existing file name although we
check the conflict beforehand.

The fix is simply to move the snd_cards and snd_cards_lock clearances
at the end of the disconnection procedure.  The references to these
entries are merely either from the global proc files like
/proc/asound/cards or from the card registration / disconnection, so
it should be fine to shift at the very end.

Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/init.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -407,14 +407,7 @@ int snd_card_disconnect(struct snd_card
 	card->shutdown = 1;
 	spin_unlock(&card->files_lock);
 
-	/* phase 1: disable fops (user space) operations for ALSA API */
-	mutex_lock(&snd_card_mutex);
-	snd_cards[card->number] = NULL;
-	clear_bit(card->number, snd_cards_lock);
-	mutex_unlock(&snd_card_mutex);
-	
-	/* phase 2: replace file->f_op with special dummy operations */
-	
+	/* replace file->f_op with special dummy operations */
 	spin_lock(&card->files_lock);
 	list_for_each_entry(mfile, &card->files_list, list) {
 		/* it's critical part, use endless loop */
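
Review bot: With the snd_cards[] and snd_cards_lock clearing removed from this spot, snd_cards[card->number] keeps pointing at a card that already has card->shutdown = 1 for the rest of snd_card_disconnect(). The changelog says the only readers are the global proc files and card registration/disconnection; please confirm that each of them either takes snd_card_mutex or checks card->shutdown, since they can now observe a half-disconnected card where they previously saw an empty slot.
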
@@ -430,7 +423,7 @@ int snd_card_disconnect(struct snd_card
 	}
 	spin_unlock(&card->files_lock);	
 
-	/* phase 3: notify all connected devices about disconnection */
+	/* notify all connected devices about disconnection */
 	/* at this point, they cannot respond to any calls except release() */
 
 #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
@@ -446,6 +439,13 @@ int snd_card_disconnect(struct snd_card
 		device_del(&card->card_dev);
 		card->registered = false;
 	}
+
+	/* disable fops (user space) operations for ALSA API */
+	mutex_lock(&snd_card_mutex);
+	snd_cards[card->number] = NULL;
+	clear_bit(card->number, snd_cards_lock);
+	mutex_unlock(&snd_card_mutex);
+
 #ifdef CONFIG_PM
 	wake_up(&card->power_sleep);
 #endif
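
Review bot: The comment on the moved block, "disable fops (user space) operations for ALSA API", was carried over unchanged but no longer describes what the block does at this position: the f_op replacement and device_del() have already happened, and the block's effect here is to release the card number for reuse. Reword it to say that, and that it has to stay last so another card cannot be registered under the same id while disconnection is still running.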




* [PATCH 5.0 072/115] Input: elan_i2c - add hardware ID for multiple Lenovo laptops
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 071/115] ALSA: core: Fix card races between register and disconnect Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 073/115] serial: sh-sci: Fix HSCIF RX sampling point adjustment Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, KT Liao, Dmitry Torokhov

From: KT Liao <kt.liao@emc.com.tw>

commit 738c06d0e4562e0acf9f2c7438a22b2d5afc67aa upstream.

There are many Lenovo laptops which need elan_i2c support, this patch adds
relevant IDs to the Elan driver so that touchpads are recognized.

Signed-off-by: KT Liao <kt.liao@emc.com.tw>
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/elan_i2c_core.c |   25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -1339,21 +1339,46 @@ static const struct acpi_device_id elan_
 	{ "ELAN0600", 0 },
 	{ "ELAN0601", 0 },
 	{ "ELAN0602", 0 },
+	{ "ELAN0603", 0 },
+	{ "ELAN0604", 0 },
 	{ "ELAN0605", 0 },
+	{ "ELAN0606", 0 },
+	{ "ELAN0607", 0 },
 	{ "ELAN0608", 0 },
 	{ "ELAN0609", 0 },
 	{ "ELAN060B", 0 },
 	{ "ELAN060C", 0 },
+	{ "ELAN060F", 0 },
+	{ "ELAN0610", 0 },
 	{ "ELAN0611", 0 },
 	{ "ELAN0612", 0 },
+	{ "ELAN0615", 0 },
+	{ "ELAN0616", 0 },
 	{ "ELAN0617", 0 },
 	{ "ELAN0618", 0 },
+	{ "ELAN0619", 0 },
+	{ "ELAN061A", 0 },
+	{ "ELAN061B", 0 },
 	{ "ELAN061C", 0 },
 	{ "ELAN061D", 0 },
 	{ "ELAN061E", 0 },
+	{ "ELAN061F", 0 },
 	{ "ELAN0620", 0 },
 	{ "ELAN0621", 0 },
 	{ "ELAN0622", 0 },
+	{ "ELAN0623", 0 },
+	{ "ELAN0624", 0 },
+	{ "ELAN0625", 0 },
+	{ "ELAN0626", 0 },
+	{ "ELAN0627", 0 },
+	{ "ELAN0628", 0 },
+	{ "ELAN0629", 0 },
+	{ "ELAN062A", 0 },
+	{ "ELAN062B", 0 },
+	{ "ELAN062C", 0 },
+	{ "ELAN062D", 0 },
+	{ "ELAN0631", 0 },
+	{ "ELAN0632", 0 },
 	{ "ELAN1000", 0 },
 	{ }
 };
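
Review bot: The added IDs leave gaps in an otherwise nearly contiguous range: ELAN060A, ELAN060D, ELAN060E, ELAN0613, ELAN0614 and ELAN062E to ELAN0630 are still absent after this hunk. The changelog only says "many Lenovo laptops", so a reader cannot tell whether those IDs are unassigned, belong to hardware the driver cannot handle, or were missed; please say which in the changelog or in a comment above the table.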




* [PATCH 5.0 073/115] serial: sh-sci: Fix HSCIF RX sampling point adjustment
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 072/115] Input: elan_i2c - add hardware ID for multiple Lenovo laptops Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 074/115] serial: sh-sci: Fix HSCIF RX sampling point calculation Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Ulrich Hecht,
	Wolfram Sang, Dirk Behme, Simon Horman

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 6b87784b53592a90d21576be8eff688b56d93cce upstream.

The calculation of the sampling point has min() and max() exchanged.
Fix this by using the clamp() helper instead.

Fixes: 63ba1e00f178a448 ("serial: sh-sci: Support for HSCIF RX sampling point adjustment")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Acked-by: Dirk Behme <dirk.behme@de.bosch.com>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/sh-sci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2504,7 +2504,7 @@ done:
 				 * last stop bit; we can increase the error
 				 * margin by shifting the sampling point.
 				 */
-				int shift = min(-8, max(7, deviation / 2));
+				int shift = clamp(deviation / 2, -8, 7);
 
 				hssrr |= (shift << HSCIF_SRHP_SHIFT) &
 					 HSCIF_SRHP_MASK;
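
Review bot: `shift` can now be negative (the clamp range is -8 to 7), and the context line below feeds it straight into `shift << HSCIF_SRHP_SHIFT`; left-shifting a negative int is not defined by the C standard. Convert to an unsigned type before shifting, for example `((u32)shift << HSCIF_SRHP_SHIFT) & HSCIF_SRHP_MASK`, so the two's-complement field encoding does not depend on compiler behaviour.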




* [PATCH 5.0 074/115] serial: sh-sci: Fix HSCIF RX sampling point calculation
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 073/115] serial: sh-sci: Fix HSCIF RX sampling point adjustment Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 075/115] vt: fix cursor when clearing the screen Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Mukesh Ojha,
	Ulrich Hecht

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit ace965696da2611af759f0284e26342b7b6cec89 upstream.

There are several issues with the formula used for calculating the
deviation from the intended rate:
  1. While min_err and last_stop are signed, srr and baud are unsigned.
     Hence the signed values are promoted to unsigned, which will lead
     to a bogus value of deviation if min_err is negative,
  2. Srr is the register field value, which is one less than the actual
     sampling rate factor,
  3. The divisions do not use rounding.

Fix this by casting unsigned variables to int, adding one to srr, and
using a single DIV_ROUND_CLOSEST().

Fixes: 63ba1e00f178a448 ("serial: sh-sci: Support for HSCIF RX sampling point adjustment")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Ulrich Hecht <uli+renesas@fpond.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/sh-sci.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2497,7 +2497,9 @@ done:
 			 * center of the last stop bit in sampling clocks.
 			 */
 			int last_stop = bits * 2 - 1;
-			int deviation = min_err * srr * last_stop / 2 / baud;
+			int deviation = DIV_ROUND_CLOSEST(min_err * last_stop *
+							  (int)(srr + 1),
+							  2 * (int)baud);
 
 			if (abs(deviation) >= 2) {
 				/* At least two sampling clocks off at the
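
Review bot: The `+ 1` on srr and the two `(int)` casts in the new DIV_ROUND_CLOSEST() call are explained only in the changelog (srr is the register field value, one less than the sampling rate factor; srr and baud are unsigned). Put that in the comment above `deviation`, otherwise the casts look redundant and the `+ 1` looks like an off-by-one. The product `min_err * last_stop * (int)(srr + 1)` is also evaluated in int, so it would help to state the expected range of min_err.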




* [PATCH 5.0 075/115] vt: fix cursor when clearing the screen
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 074/115] serial: sh-sci: Fix HSCIF RX sampling point calculation Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 076/115] scsi: core: set result when the command cannot be dispatched Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Nicolas Pitre

From: Mikulas Patocka <mpatocka@redhat.com>

commit b2ecf00631362a83744e5ec249947620db5e240c upstream.

The patch a6dbe4427559 ("vt: perform safe console erase in the right
order") introduced a bug. The conditional do_update_region() was
replaced by a call to update_region() that does contain the conditional
already, but with unwanted extra side effects such as restoring the cursor
drawing.

In order to reproduce the bug:
- use framebuffer console with the AMDGPU driver
- type "links" to start the console www browser
- press 'q' and space to exit links

Now the cursor will be permanently visible in the center of the
screen. It will stay there until something overwrites it.

The bug goes away if we change update_region() back to the conditional
do_update_region().

[ nico: reworded changelog ]

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
Cc: stable@vger.kernel.org
Fixes: a6dbe4427559 ("vt: perform safe console erase in the right order")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/vt.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1518,7 +1518,8 @@ static void csi_J(struct vc_data *vc, in
 			return;
 	}
 	scr_memsetw(start, vc->vc_video_erase_char, 2 * count);
-	update_region(vc, (unsigned long) start, count);
+	if (con_should_update(vc))
+		do_update_region(vc, (unsigned long) start, count);
 	vc->vc_need_wrap = 0;
 }
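
Review bot: Nothing at the call site says why csi_J() open-codes `if (con_should_update(vc)) do_update_region(...)` rather than calling update_region(), which the changelog says already contains the same conditional. Add a comment that update_region() also restores the cursor drawing and must not be used here, so the two lines are not folded back into the helper. If a6dbe4427559 made the same substitution in other erase paths, they need the same check.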
 




* [PATCH 5.0 076/115] scsi: core: set result when the command cannot be dispatched
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 075/115] vt: fix cursor when clearing the screen Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 077/115] Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jaesoo Lee, Hannes Reinecke,
	Bart Van Assche, Martin K. Petersen

From: Jaesoo Lee <jalee@purestorage.com>

commit be549d49115422f846b6d96ee8fd7173a5f7ceb0 upstream.

When SCSI blk-mq is enabled, there is a bug in handling errors in
scsi_queue_rq.  Specifically, the bug is not setting result field of
scsi_request correctly when the dispatch of the command has
failed. Since the upper layer code including the sg_io ioctl expects to
receive any error status from result field of scsi_request, the error is
silently ignored and this could cause data corruptions for some
applications.

Fixes: d285203cf647 ("scsi: add support for a blk-mq based I/O path.")
Cc: <stable@vger.kernel.org>
Signed-off-by: Jaesoo Lee <jalee@purestorage.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_lib.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1763,8 +1763,12 @@ out_put_budget:
 			ret = BLK_STS_DEV_RESOURCE;
 		break;
 	default:
+		if (unlikely(!scsi_device_online(sdev)))
+			scsi_req(req)->result = DID_NO_CONNECT << 16;
+		else
+			scsi_req(req)->result = DID_ERROR << 16;
 		/*
-		 * Make sure to release all allocated ressources when
+		 * Make sure to release all allocated resources when
 		 * we hit an error, as we will never see this command
 		 * again.
 		 */
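
Review bot: The new result assignment in the `default:` branch has no comment, and it sits above an existing comment that describes the cleanup that follows, so the reason for it is easy to miss. Say at the assignment that callers such as the sg_io ioctl read scsi_req(req)->result and would otherwise see no error for a command that was never dispatched. DID_ERROR is also used for every failure other than an offline device; a note that this catch-all is intentional would help.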




* [PATCH 5.0 077/115] Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO"
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 076/115] scsi: core: set result when the command cannot be dispatched Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 078/115] i3c: dw: Fix dw_i3c_master_disable controller by using correct mask Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Saurav Kashyap, Hannes Reinecke,
	Martin K. Petersen

From: Saurav Kashyap <skashyap@marvell.com>

commit 0228034d8e5915b98c33db35a98f5e909e848ae9 upstream.

This patch clears FC_RP_STARTED flag during logoff, because of this
re-login(flogi) didn't happen to the switch.

This reverts commit 1550ec458e0cf1a40a170ab1f4c46e3f52860f65.

Fixes: 1550ec458e0c ("scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO")
Cc: <stable@vger.kernel.org> # v4.18+
Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
Reviewed-by: Hannes Reinecke <hare@#suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/libfc/fc_rport.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/scsi/libfc/fc_rport.c
+++ b/drivers/scsi/libfc/fc_rport.c
@@ -2162,7 +2162,6 @@ static void fc_rport_recv_logo_req(struc
 		FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n",
 			     fc_rport_state(rdata));
 
-		rdata->flags &= ~FC_RP_STARTED;
 		fc_rport_enter_delete(rdata, RPORT_EV_STOP);
 		mutex_unlock(&rdata->rp_mutex);
 		kref_put(&rdata->kref, fc_rport_destroy);
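
Review bot: The revert removes `rdata->flags &= ~FC_RP_STARTED;` without leaving any trace in fc_rport_recv_logo_req() of why the flag has to stay set. The changelog gives one sentence on the regression (no re-login to the switch after logoff) and nothing on the problem 1550ec458e0c was meant to solve; please state whether that problem returns with this revert, and add a comment before fc_rport_enter_delete() so the flag clear is not reintroduced.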




* [PATCH 5.0 078/115] i3c: dw: Fix dw_i3c_master_disable controller by using correct mask
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 077/115] Revert "scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO" Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 079/115] i3c: Fix the verification of random PID Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Vitor Soares,
	Boris Brezillon

From: Vitor Soares <vitor.soares@synopsys.com>

commit 907621e94d49b85cd76f13110eceb940a182c69e upstream.

The controller was being disabled incorrectly. The correct way is to clear
the DEV_CTRL_ENABLE bit.

Fix this by clearing this bit.

Cc: Boris Brezillon <bbrezillon@kernel.org>
Cc: <stable@vger.kernel.org>
Fixes: 1dd728f5d4d4 ("i3c: master: Add driver for Synopsys DesignWare IP")
Signed-off-by: Vitor Soares <vitor.soares@synopsys.com>
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i3c/master/dw-i3c-master.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i3c/master/dw-i3c-master.c
+++ b/drivers/i3c/master/dw-i3c-master.c
@@ -300,7 +300,7 @@ to_dw_i3c_master(struct i3c_master_contr
 
 static void dw_i3c_master_disable(struct dw_i3c_master *master)
 {
-	writel(readl(master->regs + DEVICE_CTRL) & DEV_CTRL_ENABLE,
+	writel(readl(master->regs + DEVICE_CTRL) & ~DEV_CTRL_ENABLE,
 	       master->regs + DEVICE_CTRL);
 }
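
Review bot: The changelog understates what the old line in dw_i3c_master_disable() did: `readl(...) & DEV_CTRL_ENABLE` kept the enable bit as it was and wrote zero to every other bit of DEVICE_CTRL, so the controller was never disabled and the rest of the register was cleared on each call. That is worth spelling out for anyone judging the backport. The read-modify-write would also read more easily with a local variable for the register value.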
 




* [PATCH 5.0 079/115] i3c: Fix the verification of random PID
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 078/115] i3c: dw: Fix dw_i3c_master_disable controller by using correct mask Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 080/115] Revert "svm: Fix AVIC incomplete IPI emulation" Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Vitor Soares,
	Boris Brezillon

From: Vitor Soares <vitor.soares@synopsys.com>

commit 9752c37cc89f43675e70cf9acff23519fa84b48c upstream.

The validation of random PID should be done by checking the
boardinfo->pid instead of info.pid which is empty.

Doing the change the info structure declaration is no longer necessary.

Cc: Boris Brezillon <bbrezillon@kernel.org>
Cc: <stable@vger.kernel.org>
Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
Signed-off-by: Vitor Soares <vitor.soares@synopsys.com>
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i3c/master.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -1980,7 +1980,6 @@ of_i3c_master_add_i3c_boardinfo(struct i
 {
 	struct i3c_dev_boardinfo *boardinfo;
 	struct device *dev = &master->dev;
-	struct i3c_device_info info = { };
 	enum i3c_addr_slot_status addrstatus;
 	u32 init_dyn_addr = 0;
 
@@ -2012,8 +2011,8 @@ of_i3c_master_add_i3c_boardinfo(struct i
 
 	boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
 
-	if ((info.pid & GENMASK_ULL(63, 48)) ||
-	    I3C_PID_RND_LOWER_32BITS(info.pid))
+	if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
+	    I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
 		return -EINVAL;
 
 	boardinfo->init_dyn_addr = init_dyn_addr;
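
Review bot: Because the removed `info` was zero-initialized (`struct i3c_device_info info = { };`), the old test on info.pid could never be true, so until now no entry has ever been rejected at this check. With boardinfo->pid the check becomes live, and of_i3c_master_add_i3c_boardinfo() starts returning -EINVAL for PIDs that have any of bits 63:48 set or for which I3C_PID_RND_LOWER_32BITS() is true. The changelog should mention that behaviour change, since the patch is going to a stable tree.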




* [PATCH 5.0 080/115] Revert "svm: Fix AVIC incomplete IPI emulation"
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 079/115] i3c: Fix the verification of random PID Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 081/115] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Radim Krčmář,
	Paolo Bonzini, Oren Twaig, Suravee Suthikulpanit

From: Suthikulpanit, Suravee <Suravee.Suthikulpanit@amd.com>

commit 4a58038b9e420276157785afa0a0bbb4b9bc2265 upstream.

This reverts commit bb218fbcfaaa3b115d4cd7a43c0ca164f3a96e57.

As Oren Twaig pointed out the old discussion:

  https://patchwork.kernel.org/patch/8292231/

that the change could potentially cause an extra IPI to be sent to
the destination vcpu because the AVIC hardware already set the IRR bit
before the incomplete IPI #VMEXIT with id=1 (target vcpu is not running).
Since writing to ICR and ICR2 will also set the IRR. If something triggers
the destination vcpu to get scheduled before the emulation finishes, then
this could result in an additional IPI.

Also, the issue mentioned in the commit bb218fbcfaaa was misdiagnosed.

Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Oren Twaig <oren@scalemp.com>
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/svm.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4515,14 +4515,25 @@ static int avic_incomplete_ipi_intercept
 		kvm_lapic_reg_write(apic, APIC_ICR, icrl);
 		break;
 	case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: {
+		int i;
+		struct kvm_vcpu *vcpu;
+		struct kvm *kvm = svm->vcpu.kvm;
 		struct kvm_lapic *apic = svm->vcpu.arch.apic;
 
 		/*
-		 * Update ICR high and low, then emulate sending IPI,
-		 * which is handled when writing APIC_ICR.
+		 * At this point, we expect that the AVIC HW has already
+		 * set the appropriate IRR bits on the valid target
+		 * vcpus. So, we just need to kick the appropriate vcpu.
 		 */
-		kvm_lapic_reg_write(apic, APIC_ICR2, icrh);
-		kvm_lapic_reg_write(apic, APIC_ICR, icrl);
+		kvm_for_each_vcpu(i, vcpu, kvm) {
+			bool m = kvm_apic_match_dest(vcpu, apic,
+						     icrl & KVM_APIC_SHORT_MASK,
+						     GET_APIC_DEST_FIELD(icrh),
+						     icrl & KVM_APIC_DEST_MASK);
+
+			if (m && !avic_vcpu_is_running(vcpu))
+				kvm_vcpu_wake_up(vcpu);
+		}
 		break;
 	}
 	case AVIC_IPI_FAILURE_INVALID_TARGET:
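
Review bot: The new comment in the AVIC_IPI_FAILURE_TARGET_NOT_RUNNING case says the hardware has already set the IRR bits, but not why the ICR/ICR2 writes were dropped. Add the reason given in the changelog (writing ICR and ICR2 sets IRR again, which can produce a second IPI if the target vcpu is scheduled before emulation finishes), so the kvm_lapic_reg_write() pair is not restored later. The single-letter `m` would read better as `match`, or the kvm_apic_match_dest() call can go directly into the `if`.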




* [PATCH 5.0 081/115] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 080/115] Revert "svm: Fix AVIC incomplete IPI emulation" Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 082/115] x86/kvm: move kvm_load/put_guest_xcr0 into atomic context Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrea Arcangeli, Jann Horn,
	Oleg Nesterov, Peter Xu, Mike Rapoport, Jason Gunthorpe,
	Michal Hocko, Andrew Morton, Linus Torvalds

From: Andrea Arcangeli <aarcange@redhat.com>

commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream.

The core dumping code has always run without holding the mmap_sem for
writing, despite that is the only way to ensure that the entire vma
layout will not change from under it.  Only using some signal
serialization on the processes belonging to the mm is not nearly enough.
This was pointed out earlier.  For example in Hugh's post from Jul 2017:

  https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils

  "Not strictly relevant here, but a related note: I was very surprised
   to discover, only quite recently, how handle_mm_fault() may be called
   without down_read(mmap_sem) - when core dumping. That seems a
   misguided optimization to me, which would also be nice to correct"

In particular because the growsdown and growsup can move the
vm_start/vm_end the various loops the core dump does around the vma will
not be consistent if page faults can happen concurrently.

Pretty much all users calling mmget_not_zero()/get_task_mm() and then
taking the mmap_sem had the potential to introduce unexpected side
effects in the core dumping code.

Adding mmap_sem for writing around the ->core_dump invocation is a
viable long term fix, but it requires removing all copy user and page
faults and to replace them with get_dump_page() for all binary formats
which is not suitable as a short term fix.

For the time being this solution manually covers the places that can
confuse the core dump either by altering the vma layout or the vma flags
while it runs.  Once ->core_dump runs under mmap_sem for writing the
function mmget_still_valid() can be dropped.

Allowing mmap_sem protected sections to run in parallel with the
coredump provides some minor parallelism advantage to the swapoff code
(which seems to be safe enough by never mangling any vma field and can
keep doing swapins in parallel to the core dumping) and to some other
corner case.

In order to facilitate the backporting I added "Fixes: 86039bd3b4e6"
however the side effect of this same race condition in /proc/pid/mem
should be reproducible since before 2.6.12-rc2 so I couldn't add any
other "Fixes:" because there's no hash beyond the git genesis commit.

Because find_extend_vma() is the only location outside of the process
context that could modify the "mm" structures under mmap_sem for
reading, by adding the mmget_still_valid() check to it, all other cases
that take the mmap_sem for reading don't need the new check after
mmget_not_zero()/get_task_mm().  The expand_stack() in page fault
context also doesn't need the new check, because all tasks under core
dumping are frozen.

Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/core/uverbs_main.c |    3 +++
 fs/proc/task_mmu.c                    |   18 ++++++++++++++++++
 fs/userfaultfd.c                      |    9 +++++++++
 include/linux/sched/mm.h              |   21 +++++++++++++++++++++
 mm/mmap.c                             |    7 ++++++-
 5 files changed, 57 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -992,6 +992,8 @@ void uverbs_user_mmap_disassociate(struc
 		 * will only be one mm, so no big deal.
 		 */
 		down_write(&mm->mmap_sem);
+		if (!mmget_still_valid(mm))
+			goto skip_mm;
 		mutex_lock(&ufile->umap_lock);
 		list_for_each_entry_safe (priv, next_priv, &ufile->umaps,
 					  list) {
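Review bot: the new mmget_still_valid() check right after down_write()
in uverbs_user_mmap_disassociate() has no comment, unlike the
task_mmu.c and mmap.c sites touched by the same patch. A one-line note
that this mm is skipped because a core dump may be reading its vmas
would keep the reason next to the code. The jump is taken before
mutex_lock(&ufile->umap_lock), so the skip_mm label has to stay after
mutex_unlock(), as the next hunk places it.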
@@ -1006,6 +1008,7 @@ void uverbs_user_mmap_disassociate(struc
 			vma->vm_flags &= ~(VM_SHARED | VM_MAYSHARE);
 		}
 		mutex_unlock(&ufile->umap_lock);
+	skip_mm:
 		up_write(&mm->mmap_sem);
 		mmput(mm);
 	}
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -1141,6 +1141,24 @@ static ssize_t clear_refs_write(struct f
 					count = -EINTR;
 					goto out_mm;
 				}
+				/*
+				 * Avoid to modify vma->vm_flags
+				 * without locked ops while the
+				 * coredump reads the vm_flags.
+				 */
+				if (!mmget_still_valid(mm)) {
+					/*
+					 * Silently return "count"
+					 * like if get_task_mm()
+					 * failed. FIXME: should this
+					 * function have returned
+					 * -ESRCH if get_task_mm()
+					 * failed like if
+					 * get_proc_task() fails?
+					 */
+					up_write(&mm->mmap_sem);
+					goto out_mm;
+				}
 				for (vma = mm->mmap; vma; vma = vma->vm_next) {
 					vma->vm_flags &= ~VM_SOFTDIRTY;
 					vma_set_page_prot(vma);
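Review bot: the early exit added before the vma loop in
clear_refs_write() returns count, so a write to clear_refs made while
the task is dumping core reports success although no VM_SOFTDIRTY bit
was cleared, and the in-code FIXME leaves the return value undecided.
Either settle on an errno for this path or state in the comment that a
silent no-op is the intended contract, so users of soft-dirty tracking
know the reset can be skipped. The first comment would also read better
as "Avoid modifying vma->vm_flags ...".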
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -629,6 +629,8 @@ static void userfaultfd_event_wait_compl
 
 		/* the various vma->vm_userfaultfd_ctx still points to it */
 		down_write(&mm->mmap_sem);
+		/* no task can run (and in turn coredump) yet */
+		VM_WARN_ON(!mmget_still_valid(mm));
 		for (vma = mm->mmap; vma; vma = vma->vm_next)
 			if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
 				vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
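Review bot: VM_WARN_ON(!mmget_still_valid(mm)) in
userfaultfd_event_wait_completion() only reports the condition; the
loop below still rewrites vma->vm_userfaultfd_ctx, and the macro is
compiled out without CONFIG_DEBUG_VM. That is fine only if the claim in
the comment always holds, so the comment "no task can run (and in turn
coredump) yet" should say why no task of this mm can run at this point,
which is what makes a warning sufficient here while the other sites
bail out.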
@@ -883,6 +885,8 @@ static int userfaultfd_release(struct in
 	 * taking the mmap_sem for writing.
 	 */
 	down_write(&mm->mmap_sem);
+	if (!mmget_still_valid(mm))
+		goto skip_mm;
 	prev = NULL;
 	for (vma = mm->mmap; vma; vma = vma->vm_next) {
 		cond_resched();
@@ -905,6 +909,7 @@ static int userfaultfd_release(struct in
 		vma->vm_flags = new_flags;
 		vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
 	}
+skip_mm:
 	up_write(&mm->mmap_sem);
 	mmput(mm);
 wakeup:
@@ -1333,6 +1338,8 @@ static int userfaultfd_register(struct u
 		goto out;
 
 	down_write(&mm->mmap_sem);
+	if (!mmget_still_valid(mm))
+		goto out_unlock;
 	vma = find_vma_prev(mm, start, &prev);
 	if (!vma)
 		goto out_unlock;
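Review bot: in userfaultfd_register() the new "goto out_unlock" is taken
with whatever value ret holds at that point, and that assignment is
outside this hunk. Please confirm which errno userspace sees when the
registration races with a core dump and note it at the check, so the
failure is not mistaken for the "!vma" case that shares the same label
two lines below.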
@@ -1520,6 +1527,8 @@ static int userfaultfd_unregister(struct
 		goto out;
 
 	down_write(&mm->mmap_sem);
+	if (!mmget_still_valid(mm))
+		goto out_unlock;
 	vma = find_vma_prev(mm, start, &prev);
 	if (!vma)
 		goto out_unlock;
--- a/include/linux/sched/mm.h
+++ b/include/linux/sched/mm.h
@@ -49,6 +49,27 @@ static inline void mmdrop(struct mm_stru
 		__mmdrop(mm);
 }
 
+/*
+ * This has to be called after a get_task_mm()/mmget_not_zero()
+ * followed by taking the mmap_sem for writing before modifying the
+ * vmas or anything the coredump pretends not to change from under it.
+ *
+ * NOTE: find_extend_vma() called from GUP context is the only place
+ * that can modify the "mm" (notably the vm_start/end) under mmap_sem
+ * for reading and outside the context of the process, so it is also
+ * the only case that holds the mmap_sem for reading that must call
+ * this function. Generally if the mmap_sem is hold for reading
+ * there's no need of this check after get_task_mm()/mmget_not_zero().
+ *
+ * This function can be obsoleted and the check can be removed, after
+ * the coredump code will hold the mmap_sem for writing before
+ * invoking the ->core_dump methods.
+ */
+static inline bool mmget_still_valid(struct mm_struct *mm)
+{
+	return likely(!mm->core_state);
+}
+
 /**
  * mmget() - Pin the address space associated with a &struct mm_struct.
  * @mm: The address space to pin.
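Review bot: mmget_still_valid() documents that it must be called with
mmap_sem held after get_task_mm()/mmget_not_zero(), but the body reads
mm->core_state without asserting that precondition. A
lockdep_assert_held(&mm->mmap_sem) in the helper would catch a caller
that checks before taking the lock. In the comment, "if the mmap_sem is
hold for reading" should be "held".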
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -45,6 +45,7 @@
 #include <linux/moduleparam.h>
 #include <linux/pkeys.h>
 #include <linux/oom.h>
+#include <linux/sched/mm.h>
 
 #include <linux/uaccess.h>
 #include <asm/cacheflush.h>
@@ -2526,7 +2527,8 @@ find_extend_vma(struct mm_struct *mm, un
 	vma = find_vma_prev(mm, addr, &prev);
 	if (vma && (vma->vm_start <= addr))
 		return vma;
-	if (!prev || expand_stack(prev, addr))
+	/* don't alter vm_end if the coredump is running */
+	if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr))
 		return NULL;
 	if (prev->vm_flags & VM_LOCKED)
 		populate_vma_page_range(prev, addr, prev->vm_end, NULL);
@@ -2552,6 +2554,9 @@ find_extend_vma(struct mm_struct *mm, un
 		return vma;
 	if (!(vma->vm_flags & VM_GROWSDOWN))
 		return NULL;
+	/* don't alter vm_start if the coredump is running */
+	if (!mmget_still_valid(mm))
+		return NULL;
 	start = vma->vm_start;
 	if (expand_stack(vma, addr))
 		return NULL;
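Review bot: both find_extend_vma() variants now return NULL while a
core dump is running, which callers cannot tell apart from an address
with no mapping at all. The one-line comments say what is avoided
(altering vm_end or vm_start) but not what the caller observes; a
sentence noting that stack expansion through this path fails for the
duration of the dump would help anyone debugging the resulting fault.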




* [PATCH 5.0 082/115] x86/kvm: move kvm_load/put_guest_xcr0 into atomic context
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 081/115] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 083/115] ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, WANG Chao, Paolo Bonzini

From: WANG Chao <chao.wang@ucloud.cn>

commit 1811d979c71621aafc7b879477202d286f7e863b upstream.

guest xcr0 could leak into host when MCE happens in guest mode, because
do_machine_check() could schedule out at a few places.

For example:

kvm_load_guest_xcr0
...
kvm_x86_ops->run(vcpu) {
  vmx_vcpu_run
    vmx_complete_atomic_exit
      kvm_machine_check
        do_machine_check
          do_memory_failure
            memory_failure
              lock_page

In this case, host_xcr0 is 0x2ff, guest vcpu xcr0 is 0xff. After schedule
out, host cpu has guest xcr0 loaded (0xff).

In __switch_to {
     switch_fpu_finish
       copy_kernel_to_fpregs
         XRSTORS

If any bit i in XSTATE_BV[i] == 1 and xcr0[i] == 0, XRSTORS will
generate #GP (In this case, bit 9). Then ex_handler_fprestore kicks in
and tries to reinitialize fpu by restoring init fpu state. Same story as
last #GP, except we get DOUBLE FAULT this time.

Cc: stable@vger.kernel.org
Signed-off-by: WANG Chao <chao.wang@ucloud.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/svm.c     |    2 ++
 arch/x86/kvm/vmx/vmx.c |    4 ++++
 arch/x86/kvm/x86.c     |   10 ++++------
 arch/x86/kvm/x86.h     |    2 ++
 4 files changed, 12 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -5634,6 +5634,7 @@ static void svm_vcpu_run(struct kvm_vcpu
 	svm->vmcb->save.cr2 = vcpu->arch.cr2;
 
 	clgi();
+	kvm_load_guest_xcr0(vcpu);
 
 	/*
 	 * If this vCPU has touched SPEC_CTRL, restore the guest's value if
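Review bot: kvm_load_guest_xcr0() now sits directly after clgi() in
svm_vcpu_run() with no comment, so the reason for the placement (guest
XCR0 must only be live where the host cannot schedule, per the commit
message) is not recorded at the call site. A short comment here and at
the matching kvm_put_guest_xcr0() before stgi() would keep a later
cleanup from moving the calls back outside that window.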
@@ -5779,6 +5780,7 @@ static void svm_vcpu_run(struct kvm_vcpu
 	if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))
 		kvm_before_interrupt(&svm->vcpu);
 
+	kvm_put_guest_xcr0(vcpu);
 	stgi();
 
 	/* Any pending NMI will happen here */
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6548,6 +6548,8 @@ static void vmx_vcpu_run(struct kvm_vcpu
 	if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
 		vmx_set_interrupt_shadow(vcpu, 0);
 
+	kvm_load_guest_xcr0(vcpu);
+
 	if (static_cpu_has(X86_FEATURE_PKU) &&
 	    kvm_read_cr4_bits(vcpu, X86_CR4_PKE) &&
 	    vcpu->arch.pkru != vmx->host_pkru)
@@ -6635,6 +6637,8 @@ static void vmx_vcpu_run(struct kvm_vcpu
 			__write_pkru(vmx->host_pkru);
 	}
 
+	kvm_put_guest_xcr0(vcpu);
+
 	vmx->nested.nested_run_pending = 0;
 	vmx->idt_vectoring_info = 0;
 
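Review bot: kvm_put_guest_xcr0() is added after the PKRU restore in
vmx_vcpu_run(), but the hunk does not show where it lands relative to
vmx_complete_atomic_exit(), which the commit message names as the path
that reaches do_machine_check() and can schedule. Please confirm the
put runs before that call; if it does, a comment saying so would
document the ordering this fix depends on.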
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -800,7 +800,7 @@ void kvm_lmsw(struct kvm_vcpu *vcpu, uns
 }
 EXPORT_SYMBOL_GPL(kvm_lmsw);
 
-static void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu)
+void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu)
 {
 	if (kvm_read_cr4_bits(vcpu, X86_CR4_OSXSAVE) &&
 			!vcpu->guest_xcr0_loaded) {
@@ -810,8 +810,9 @@ static void kvm_load_guest_xcr0(struct k
 		vcpu->guest_xcr0_loaded = 1;
 	}
 }
+EXPORT_SYMBOL_GPL(kvm_load_guest_xcr0);
 
-static void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu)
+void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu)
 {
 	if (vcpu->guest_xcr0_loaded) {
 		if (vcpu->arch.xcr0 != host_xcr0)
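Review bot: kvm_load_guest_xcr0() and kvm_put_guest_xcr0() lose
"static" and gain EXPORT_SYMBOL_GPL without any comment on the calling
context they now require. Since the point of the patch is that the pair
must bracket guest entry inside the vendor run functions, a comment
above each definition (or on the prototypes added to x86.h) stating
that they are to be called from the non-preemptible part of the run
path would stop other callers from reintroducing the leak.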
@@ -819,6 +820,7 @@ static void kvm_put_guest_xcr0(struct kv
 		vcpu->guest_xcr0_loaded = 0;
 	}
 }
+EXPORT_SYMBOL_GPL(kvm_put_guest_xcr0);
 
 static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr)
 {
@@ -7856,8 +7858,6 @@ static int vcpu_enter_guest(struct kvm_v
 		goto cancel_injection;
 	}
 
-	kvm_load_guest_xcr0(vcpu);
-
 	if (req_immediate_exit) {
 		kvm_make_request(KVM_REQ_EVENT, vcpu);
 		kvm_x86_ops->request_immediate_exit(vcpu);
@@ -7910,8 +7910,6 @@ static int vcpu_enter_guest(struct kvm_v
 	vcpu->mode = OUTSIDE_GUEST_MODE;
 	smp_wmb();
 
-	kvm_put_guest_xcr0(vcpu);
-
 	kvm_before_interrupt(vcpu);
 	kvm_x86_ops->handle_external_intr(vcpu);
 	kvm_after_interrupt(vcpu);
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -347,4 +347,6 @@ static inline void kvm_after_interrupt(s
 	__this_cpu_write(current_vcpu, NULL);
 }
 
+void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu);
+void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu);
 #endif




* [PATCH 5.0 083/115] ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 082/115] x86/kvm: move kvm_load/put_guest_xcr0 into atomic context Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 084/115] crypto: x86/poly1305 - fix overflow during partial reduction Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov, Corey Minyard,
	Yang Yingliang

From: Corey Minyard <cminyard@mvista.com>

commit 3b9a907223d7f6b9d1dadea29436842ae9bcd76d upstream.

free_user() could be called in atomic context.

This patch pushed the free operation off into a workqueue.

Example:

 BUG: sleeping function called from invalid context at kernel/workqueue.c:2856
 in_atomic(): 1, irqs_disabled(): 0, pid: 177, name: ksoftirqd/27
 CPU: 27 PID: 177 Comm: ksoftirqd/27 Not tainted 4.19.25-3 #1
 Hardware name: AIC 1S-HV26-08/MB-DPSB04-06, BIOS IVYBV060 10/21/2015
 Call Trace:
  dump_stack+0x5c/0x7b
  ___might_sleep+0xec/0x110
  __flush_work+0x48/0x1f0
  ? try_to_del_timer_sync+0x4d/0x80
  _cleanup_srcu_struct+0x104/0x140
  free_user+0x18/0x30 [ipmi_msghandler]
  ipmi_free_recv_msg+0x3a/0x50 [ipmi_msghandler]
  deliver_response+0xbd/0xd0 [ipmi_msghandler]
  deliver_local_response+0xe/0x30 [ipmi_msghandler]
  handle_one_recv_msg+0x163/0xc80 [ipmi_msghandler]
  ? dequeue_entity+0xa0/0x960
  handle_new_recv_msgs+0x15c/0x1f0 [ipmi_msghandler]
  tasklet_action_common.isra.22+0x103/0x120
  __do_softirq+0xf8/0x2d7
  run_ksoftirqd+0x26/0x50
  smpboot_thread_fn+0x11d/0x1e0
  kthread+0x103/0x140
  ? sort_range+0x20/0x20
  ? kthread_destroy_worker+0x40/0x40
  ret_from_fork+0x1f/0x40

Fixes: 77f8269606bf ("ipmi: fix use-after-free of user->release_barrier.rda")

Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # 5.0
Cc: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/ipmi/ipmi_msghandler.c |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -214,6 +214,9 @@ struct ipmi_user {
 
 	/* Does this interface receive IPMI events? */
 	bool gets_events;
+
+	/* Free must run in process context for RCU cleanup. */
+	struct work_struct remove_work;
 };
 
 static struct ipmi_user *acquire_ipmi_user(struct ipmi_user *user, int *index)
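Review bot: the comment on the new remove_work member says "RCU
cleanup", while the work function added below calls
cleanup_srcu_struct() and the comment in free_user() says SRCU. Use
"SRCU" here as well so the two comments agree on what needs process
context.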
@@ -1079,6 +1082,15 @@ static int intf_err_seq(struct ipmi_smi
 }
 
 
+static void free_user_work(struct work_struct *work)
+{
+	struct ipmi_user *user = container_of(work, struct ipmi_user,
+					      remove_work);
+
+	cleanup_srcu_struct(&user->release_barrier);
+	kfree(user);
+}
+
 int ipmi_create_user(unsigned int          if_num,
 		     const struct ipmi_user_hndl *handler,
 		     void                  *handler_data,
@@ -1122,6 +1134,8 @@ int ipmi_create_user(unsigned int
 	goto out_kfree;
 
  found:
+	INIT_WORK(&new_user->remove_work, free_user_work);
+
 	rv = init_srcu_struct(&new_user->release_barrier);
 	if (rv)
 		goto out_kfree;
@@ -1184,8 +1198,9 @@ EXPORT_SYMBOL(ipmi_get_smi_info);
 static void free_user(struct kref *ref)
 {
 	struct ipmi_user *user = container_of(ref, struct ipmi_user, refcount);
-	cleanup_srcu_struct(&user->release_barrier);
-	kfree(user);
+
+	/* SRCU cleanup must happen in task context. */
+	schedule_work(&user->remove_work);
 }
 
 static void _ipmi_destroy_user(struct ipmi_user *user)
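Review bot: free_user() now only calls
schedule_work(&user->remove_work), so the final cleanup_srcu_struct()
and kfree() run later on the shared system workqueue, and nothing in
this patch waits for that work. If the module exit path does not flush
it, free_user_work() could still be pending when ipmi_msghandler is
unloaded; a flush on the cleanup path, or a workqueue owned by the
driver that is drained at exit, would close that window.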




* [PATCH 5.0 084/115] crypto: x86/poly1305 - fix overflow during partial reduction
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 083/115] ipmi: fix sleep-in-atomic in free_user at cleanup SRCU user->release_barrier Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 085/115] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Willi, Jason A. Donenfeld,
	Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit 678cce4019d746da6c680c48ba9e6d417803e127 upstream.

The x86_64 implementation of Poly1305 produces the wrong result on some
inputs because poly1305_4block_avx2() incorrectly assumes that when
partially reducing the accumulator, the bits carried from limb 'd4' to
limb 'h0' fit in a 32-bit integer.  This is true for poly1305-generic
which processes only one block at a time.  However, it's not true for
the AVX2 implementation, which processes 4 blocks at a time and
therefore can produce intermediate limbs about 4x larger.

Fix it by making the relevant calculations use 64-bit arithmetic rather
than 32-bit.  Note that most of the carries already used 64-bit
arithmetic, but the d4 -> h0 carry was different for some reason.

To be safe I also made the same change to the corresponding SSE2 code,
though that only operates on 1 or 2 blocks at a time.  I don't think
it's really needed for poly1305_block_sse2(), but it doesn't hurt
because it's already x86_64 code.  It *might* be needed for
poly1305_2block_sse2(), but overflows aren't easy to reproduce there.

This bug was originally detected by my patches that improve testmgr to
fuzz algorithms against their generic implementation.  But also add a
test vector which reproduces it directly (in the AVX2 case).

Fixes: b1ccc8f4b631 ("crypto: poly1305 - Add a four block AVX2 variant for x86_64")
Fixes: c70f4abef07a ("crypto: poly1305 - Add a SSE2 SIMD variant for x86_64")
Cc: <stable@vger.kernel.org> # v4.3+
Cc: Martin Willi <martin@strongswan.org>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/crypto/poly1305-avx2-x86_64.S |   14 +++++++---
 arch/x86/crypto/poly1305-sse2-x86_64.S |   22 ++++++++++------
 crypto/testmgr.h                       |   44 ++++++++++++++++++++++++++++++++-
 3 files changed, 67 insertions(+), 13 deletions(-)

--- a/arch/x86/crypto/poly1305-avx2-x86_64.S
+++ b/arch/x86/crypto/poly1305-avx2-x86_64.S
@@ -323,6 +323,12 @@ ENTRY(poly1305_4block_avx2)
 	vpaddq		t2,t1,t1
 	vmovq		t1x,d4
 
+	# Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
+	# h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
+	# amount.  Careful: we must not assume the carry bits 'd0 >> 26',
+	# 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
+	# integers.  It's true in a single-block implementation, but not here.
+
 	# d1 += d0 >> 26
 	mov		d0,%rax
 	shr		$26,%rax
@@ -361,16 +367,16 @@ ENTRY(poly1305_4block_avx2)
 	# h0 += (d4 >> 26) * 5
 	mov		d4,%rax
 	shr		$26,%rax
-	lea		(%eax,%eax,4),%eax
-	add		%eax,%ebx
+	lea		(%rax,%rax,4),%rax
+	add		%rax,%rbx
 	# h4 = d4 & 0x3ffffff
 	mov		d4,%rax
 	and		$0x3ffffff,%eax
 	mov		%eax,h4
 
 	# h1 += h0 >> 26
-	mov		%ebx,%eax
-	shr		$26,%eax
+	mov		%rbx,%rax
+	shr		$26,%rax
 	add		%eax,h1
 	# h0 = h0 & 0x3ffffff
 	andl		$0x3ffffff,%ebx
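Review bot: after the widening in poly1305_4block_avx2(), the h0 -> h1
step still ends with "add %eax,h1" and "andl $0x3ffffff,%ebx", which
use 32-bit operands on values that now come from 64-bit registers. The
mask is harmless, but the add silently relies on h0 >> 26 fitting in 32
bits; the new block comment lists which carries must not be assumed
small, and it should also state the bound that makes this last
truncation safe.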
--- a/arch/x86/crypto/poly1305-sse2-x86_64.S
+++ b/arch/x86/crypto/poly1305-sse2-x86_64.S
@@ -253,16 +253,16 @@ ENTRY(poly1305_block_sse2)
 	# h0 += (d4 >> 26) * 5
 	mov		d4,%rax
 	shr		$26,%rax
-	lea		(%eax,%eax,4),%eax
-	add		%eax,%ebx
+	lea		(%rax,%rax,4),%rax
+	add		%rax,%rbx
 	# h4 = d4 & 0x3ffffff
 	mov		d4,%rax
 	and		$0x3ffffff,%eax
 	mov		%eax,h4
 
 	# h1 += h0 >> 26
-	mov		%ebx,%eax
-	shr		$26,%eax
+	mov		%rbx,%rax
+	shr		$26,%rax
 	add		%eax,h1
 	# h0 = h0 & 0x3ffffff
 	andl		$0x3ffffff,%ebx
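Review bot: poly1305_block_sse2() receives the same 64-bit lea/add
change but not the explanatory comment this patch adds to
poly1305_2block_sse2() and poly1305_4block_avx2(). The commit message
says the change is probably not needed for the single-block routine, so
a one-line comment here noting that the wide arithmetic is kept for
consistency with the multi-block code would stop it from being
"optimised" back to 32-bit registers.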
@@ -520,6 +520,12 @@ ENTRY(poly1305_2block_sse2)
 	paddq		t2,t1
 	movq		t1,d4
 
+	# Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
+	# h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
+	# amount.  Careful: we must not assume the carry bits 'd0 >> 26',
+	# 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
+	# integers.  It's true in a single-block implementation, but not here.
+
 	# d1 += d0 >> 26
 	mov		d0,%rax
 	shr		$26,%rax
@@ -558,16 +564,16 @@ ENTRY(poly1305_2block_sse2)
 	# h0 += (d4 >> 26) * 5
 	mov		d4,%rax
 	shr		$26,%rax
-	lea		(%eax,%eax,4),%eax
-	add		%eax,%ebx
+	lea		(%rax,%rax,4),%rax
+	add		%rax,%rbx
 	# h4 = d4 & 0x3ffffff
 	mov		d4,%rax
 	and		$0x3ffffff,%eax
 	mov		%eax,h4
 
 	# h1 += h0 >> 26
-	mov		%ebx,%eax
-	shr		$26,%eax
+	mov		%rbx,%rax
+	shr		$26,%rax
 	add		%eax,h1
 	# h0 = h0 & 0x3ffffff
 	andl		$0x3ffffff,%ebx
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -5706,7 +5706,49 @@ static const struct hash_testvec poly130
 		.psize		= 80,
 		.digest		= "\x13\x00\x00\x00\x00\x00\x00\x00"
 				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	},
+	}, { /* Regression test for overflow in AVX2 implementation */
+		.plaintext	= "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff\xff\xff\xff\xff"
+				  "\xff\xff\xff\xff",
+		.psize		= 300,
+		.digest		= "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8"
+				  "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1",
+	}
 };
 
 /* NHPoly1305 test vectors from https://github.com/google/adiantum */
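Review bot: the new vector is labelled as a regression test for the
AVX2 implementation only, so the 64-bit change to
poly1305_2block_sse2(), which the commit message says might be needed,
has no vector that exercises it. If an SSE2 reproducer cannot be
constructed, say so in the comment so the gap is a recorded decision.
The entry also closes with "}" where the previous last entry closed
with "},", so the next vector appended to this array has to touch this
line again; keeping the trailing comma avoids that.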



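The overflow described in the poly1305 commit message above, modelled as an added example (not kernel code and not from the patch author): Python integers masked to register width stand in for %eax/%rax. The names partial_reduce, is_congruent and lost_by_narrow_carry are hypothetical, the limb values are constructed magnitudes rather than values from a real message, and the d0..d4 carry order follows the comment the patch adds.

```python
# Added illustration: the Poly1305 partial reduction mod 2^130 - 5 on five
# radix-2^26 limbs, with the d4 -> h0 carry done either in 32-bit registers
# (pre-patch: lea (%eax,%eax,4),%eax ; add %eax,%ebx) or in 64-bit registers
# (post-patch: lea (%rax,%rax,4),%rax ; add %rax,%rbx).

P = (1 << 130) - 5
M26 = (1 << 26) - 1
M32 = (1 << 32) - 1
M64 = (1 << 64) - 1


def limbs_value(limbs):
    """Integer represented by radix-2^26 limbs (limbs may exceed 26 bits)."""
    return sum(limb << (26 * i) for i, limb in enumerate(limbs))


def partial_reduce(d, wide_carry):
    """Carry h0 -> h1 -> h2 -> h3 -> h4 -> h0 -> h1 over 64-bit sums d0..d4."""
    d = list(d)
    h = [0] * 5
    # d[i+1] += d[i] >> 26 ; h[i] = d[i] & 0x3ffffff   (64-bit registers)
    for i in range(4):
        d[i + 1] = (d[i + 1] + (d[i] >> 26)) & M64
        h[i] = d[i] & M26
    carry = d[4] >> 26
    if wide_carry:
        # h0 += (d4 >> 26) * 5, kept in %rax/%rbx
        h0 = (h[0] + carry * 5) & M64
    else:
        # same step in %eax/%ebx: product and sum are truncated to 32 bits
        h0 = (h[0] + ((carry * 5) & M32)) & M32
    h[4] = d[4] & M26
    # h1 += h0 >> 26 (the add itself is 32-bit in both versions)
    h[1] = (h[1] + ((h0 >> 26) & M32)) & M32
    h[0] = h0 & M26
    return h


def is_congruent(d, wide_carry):
    """True if the reduced limbs still represent the same value mod P."""
    return limbs_value(partial_reduce(d, wide_carry)) % P == limbs_value(d) % P


def lost_by_narrow_carry(d):
    """How much the 32-bit carry drops compared with the 64-bit carry."""
    wide = limbs_value(partial_reduce(d, True))
    narrow = limbs_value(partial_reduce(d, False))
    return wide - narrow


# Constructed inputs. One block: each d_i is a sum of five 26x26-bit products.
# Four blocks: about 4x larger, as the commit message describes.
ONE_BLOCK_D = [5 * M26 * M26] * 5
FOUR_BLOCK_D = [4 * x for x in ONE_BLOCK_D]

if __name__ == "__main__":
    for name, d in (("one block", ONE_BLOCK_D), ("four blocks", FOUR_BLOCK_D)):
        print(name,
              "32-bit carry ok:", is_congruent(d, False),
              "64-bit carry ok:", is_congruent(d, True),
              "lost:", hex(lost_by_narrow_carry(d)))
```

With the single-block magnitudes both variants agree; with the four-block magnitudes the 32-bit variant drops exactly one 2^32 from h0, which is the silent wrong-MAC condition the patch removes.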

* [PATCH 5.0 085/115] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 084/115] crypto: x86/poly1305 - fix overflow during partial reduction Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 086/115] arm64: futex: Restore oldval initialization to work around buggy compilers Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, Christian König,
	Michel Dänzer, Junwei Zhang, Huang Rui, Alex Deucher

From: Christian König <christian.koenig@amd.com>

commit a66477b0efe511d98dde3e4aaeb189790e6f0a39 upstream.

When ttm_put_pages() tries to figure out whether it's dealing with
transparent hugepages, it just reads past the bounds of the pages array
without a check.

v2: simplify the test if enough pages are left in the array (Christian).

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Fixes: 5c42c64f7d54 ("drm/ttm: fix the fix for huge compound pages")
Cc: stable@vger.kernel.org
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
Reviewed-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/ttm/ttm_page_alloc.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **
 			}
 
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
-			if (!(flags & TTM_PAGE_FLAG_DMA32)) {
+			if (!(flags & TTM_PAGE_FLAG_DMA32) &&
+			    (npages - i) >= HPAGE_PMD_NR) {
 				for (j = 0; j < HPAGE_PMD_NR; ++j)
 					if (p++ != pages[i + j])
 					    break;
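Review bot: the added bound "(npages - i) >= HPAGE_PMD_NR" is written as
a subtraction, which guards the pages[i + j] read below only while
i <= npages holds; with unsigned operands an overshoot of i would wrap
the difference and pass the test. The types and the loop condition are
outside this hunk, so a short comment stating that invariant next to
the check would make the bound reviewable on its own.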
@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **
 		unsigned max_size, n2free;
 
 		spin_lock_irqsave(&huge->lock, irq_flags);
-		while (i < npages) {
+		while ((npages - i) >= HPAGE_PMD_NR) {
 			struct page *p = pages[i];
 			unsigned j;
 
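Review bot: changing the loop condition from "i < npages" to
"(npages - i) >= HPAGE_PMD_NR" means this loop can now exit with up to
HPAGE_PMD_NR - 1 entries of pages[] not yet visited, and the hunk does
not show what handles that tail. Please confirm the code after the loop
covers the remaining entries, and say so in a comment at the loop so
the partial coverage reads as intentional.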




* [PATCH 5.0 086/115] arm64: futex: Restore oldval initialization to work around buggy compilers
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 085/115] drm/ttm: fix out-of-bounds read in ttm_put_pages() v2 Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 087/115] x86/kprobes: Verify stack frame on kretprobe Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Catalin Marinas

From: Nathan Chancellor <natechancellor@gmail.com>

commit ff8acf929014b7f87315588e0daf8597c8aa9d1c upstream.

Commit 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with
non-zero result value") removed oldval's zero initialization in
arch_futex_atomic_op_inuser because it is not necessary. Unfortunately,
Android's arm64 GCC 4.9.4 [1] does not agree:

../kernel/futex.c: In function 'do_futex':
../kernel/futex.c:1658:17: warning: 'oldval' may be used uninitialized
in this function [-Wmaybe-uninitialized]
   return oldval == cmparg;
                 ^
In file included from ../kernel/futex.c:73:0:
../arch/arm64/include/asm/futex.h:53:6: note: 'oldval' was declared here
  int oldval, ret, tmp;
      ^

GCC fails to follow that when ret is non-zero, futex_atomic_op_inuser
returns right away, avoiding the uninitialized use that it claims.
Restoring the zero initialization works around this issue.

[1]: https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/aarch64/aarch64-linux-android-4.9/

Cc: stable@vger.kernel.org
Fixes: 045afc24124d ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/futex.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/futex.h
+++ b/arch/arm64/include/asm/futex.h
@@ -50,7 +50,7 @@ do {									\
 static inline int
 arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr)
 {
-	int oldval, ret, tmp;
+	int oldval = 0, ret, tmp;
 	u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);
 
 	pagefault_disable();
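Review bot: the restored "oldval = 0" in arch_futex_atomic_op_inuser()
exists only to silence a false -Wmaybe-uninitialized from an old
compiler, and nothing at the declaration says so. Commit 045afc24124d
already removed it once as unnecessary; a short comment naming the
warning would keep the next cleanup from doing the same.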




* [PATCH 5.0 087/115] x86/kprobes: Verify stack frame on kretprobe
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 086/115] arm64: futex: Restore oldval initialization to work around buggy compilers Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 088/115] kprobes: Mark ftrace mcount handler functions nokprobe Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrea Righi, Masami Hiramatsu,
	Steven Rostedt, Linus Torvalds, Mathieu Desnoyers,
	Peter Zijlstra, Thomas Gleixner, Ingo Molnar

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 3ff9c075cc767b3060bdac12da72fc94dd7da1b8 upstream.

Verify the stack frame pointer on kretprobe trampoline handler.
If the stack frame pointer does not match, it skips the wrong
entry and tries to find the correct one.

This can happen if user puts the kretprobe on the function
which can be used in the path of ftrace user-function call.
Such functions should not be probed, so this adds a warning
message that reports which function should be blacklisted.

Tested-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/155094059185.6137.15527904013362842072.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/kprobes/core.c |   26 ++++++++++++++++++++++++++
 include/linux/kprobes.h        |    1 +
 2 files changed, 27 insertions(+)

--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -569,6 +569,7 @@ void arch_prepare_kretprobe(struct kretp
 	unsigned long *sara = stack_addr(regs);
 
 	ri->ret_addr = (kprobe_opcode_t *) *sara;
+	ri->fp = sara;
 
 	/* Replace the return addr with trampoline addr */
 	*sara = (unsigned long) &kretprobe_trampoline;
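Review bot: ri->fp is assigned only here, in the x86
arch_prepare_kretprobe(), while the field itself is added to the
generic struct kretprobe_instance in include/linux/kprobes.h with no
comment. Other architectures will leave it unset, so the field should
be documented at its declaration as the address of the return-address
slot recorded by the arch code, and as meaningful on x86 only for now.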
@@ -759,15 +760,21 @@ static __used void *trampoline_handler(s
 	unsigned long flags, orig_ret_address = 0;
 	unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
 	kprobe_opcode_t *correct_ret_addr = NULL;
+	void *frame_pointer;
+	bool skipped = false;
 
 	INIT_HLIST_HEAD(&empty_rp);
 	kretprobe_hash_lock(current, &head, &flags);
 	/* fixup registers */
 #ifdef CONFIG_X86_64
 	regs->cs = __KERNEL_CS;
+	/* On x86-64, we use pt_regs->sp for return address holder. */
+	frame_pointer = &regs->sp;
 #else
 	regs->cs = __KERNEL_CS | get_kernel_rpl();
 	regs->gs = 0;
+	/* On x86-32, we use pt_regs->flags for return address holder. */
+	frame_pointer = &regs->flags;
 #endif
 	regs->ip = trampoline_address;
 	regs->orig_ax = ~0UL;
@@ -789,8 +796,25 @@ static __used void *trampoline_handler(s
 		if (ri->task != current)
 			/* another task is sharing our hash bucket */
 			continue;
+		/*
+		 * Return probes must be pushed on this hash list correct
+		 * order (same as return order) so that it can be poped
+		 * correctly. However, if we find it is pushed it incorrect
+		 * order, this means we find a function which should not be
+		 * probed, because the wrong order entry is pushed on the
+		 * path of processing other kretprobe itself.
+		 */
+		if (ri->fp != frame_pointer) {
+			if (!skipped)
+				pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n");
+			skipped = true;
+			continue;
+		}
 
 		orig_ret_address = (unsigned long)ri->ret_addr;
+		if (skipped)
+			pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
+				ri->rp->kp.addr);
 
 		if (orig_ret_address != trampoline_address)
 			/*
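Review bot: the two pr_warn() calls added to trampoline_handler() fire
on every return through a misordered probe, limited only by the local
"skipped" flag, so a wrongly probed function on a hot path can flood
the log while kretprobe_hash_lock is held. pr_warn_once() or a
rate-limited variant would still report which function must be
blacklisted. In the new comment, "poped" should be "popped" and "pushed
it incorrect order" should be "pushed in incorrect order".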
@@ -808,6 +832,8 @@ static __used void *trampoline_handler(s
 		if (ri->task != current)
 			/* another task is sharing our hash bucket */
 			continue;
+		if (ri->fp != frame_pointer)
+			continue;
 
 		orig_ret_address = (unsigned long)ri->ret_addr;
 		if (ri->rp && ri->rp->handler) {
--- a/include/linux/kprobes.h
+++ b/include/linux/kprobes.h
@@ -173,6 +173,7 @@ struct kretprobe_instance {
 	struct kretprobe *rp;
 	kprobe_opcode_t *ret_addr;
 	struct task_struct *task;
+	void *fp;
 	char data[0];
 };
 




* [PATCH 5.0 088/115] kprobes: Mark ftrace mcount handler functions nokprobe
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 087/115] x86/kprobes: Verify stack frame on kretprobe Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 089/115] x86/kprobes: Avoid kretprobe recursion bug Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Francis Deslauriers, Andrea Righi,
	Masami Hiramatsu, Steven Rostedt, Linus Torvalds,
	Mathieu Desnoyers, Peter Zijlstra, Thomas Gleixner, Ingo Molnar

From: Masami Hiramatsu <mhiramat@kernel.org>

commit fabe38ab6b2bd9418350284c63825f13b8a6abba upstream.

Mark ftrace mcount handler functions nokprobe since
probing on these functions with kretprobe pushes
return address incorrectly on kretprobe shadow stack.

Reported-by: Francis Deslauriers <francis.deslauriers@efficios.com>
Tested-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/155094062044.6137.6419622920568680640.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/ftrace.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -33,6 +33,7 @@
 #include <linux/list.h>
 #include <linux/hash.h>
 #include <linux/rcupdate.h>
+#include <linux/kprobes.h>
 
 #include <trace/events/sched.h>
 
@@ -6216,7 +6217,7 @@ void ftrace_reset_array_ops(struct trace
 	tr->ops->func = ftrace_stub;
 }
 
-static inline void
+static nokprobe_inline void
 __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
 		       struct ftrace_ops *ignored, struct pt_regs *regs)
 {
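Review bot: Switching `__ftrace_ops_list_func()` to `nokprobe_inline` only keeps it unprobeable if every caller is itself blacklisted, because with CONFIG_KPROBES enabled the macro forces the body to be inlined into the caller. The changelog should say so and name the callers that carry `NOKPROBE_SYMBOL()`, so that a caller added later without the annotation is caught in review.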
@@ -6276,11 +6277,13 @@ static void ftrace_ops_list_func(unsigne
 {
 	__ftrace_ops_list_func(ip, parent_ip, NULL, regs);
 }
+NOKPROBE_SYMBOL(ftrace_ops_list_func);
 #else
 static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip)
 {
 	__ftrace_ops_list_func(ip, parent_ip, NULL, NULL);
 }
+NOKPROBE_SYMBOL(ftrace_ops_no_ops);
 #endif
 
 /*
@@ -6307,6 +6310,7 @@ static void ftrace_ops_assist_func(unsig
 	preempt_enable_notrace();
 	trace_clear_recursion(bit);
 }
+NOKPROBE_SYMBOL(ftrace_ops_assist_func);
 
 /**
  * ftrace_ops_get_func - get the function a trampoline should call




* [PATCH 5.0 089/115] x86/kprobes: Avoid kretprobe recursion bug
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 088/115] kprobes: Mark ftrace mcount handler functions nokprobe Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 090/115] kprobes: Fix error check when reusing optimized probes Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrea Righi, Masami Hiramatsu,
	Steven Rostedt, Linus Torvalds, Mathieu Desnoyers,
	Peter Zijlstra, Thomas Gleixner, Ingo Molnar

From: Masami Hiramatsu <mhiramat@kernel.org>

commit b191fa96ea6dc00d331dcc28c1f7db5e075693a0 upstream.

Avoid kretprobe recursion loop bug by setting a dummy
kprobes to current_kprobe per-CPU variable.

This bug has been introduced with the asm-coded trampoline
code, since previously it used another kprobe for hooking
the function return placeholder (which only has a nop) and
trampoline handler was called from that kprobe.

This revives the old lost kprobe again.

With this fix, we don't see deadlock anymore.

And you can see that all inner-called kretprobe are skipped.

  event_1                                  235               0
  event_2                                19375           19612

The 1st column is recorded count and the 2nd is missed count.
Above shows (event_1 rec) + (event_2 rec) ~= (event_2 missed)
(some differences are here because the counter is racy)

Reported-by: Andrea Righi <righi.andrea@gmail.com>
Tested-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: c9becf58d935 ("[PATCH] kretprobe: kretprobe-booster")
Link: http://lkml.kernel.org/r/155094064889.6137.972160690963039.stgit@devbox
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/kprobes/core.c |   22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -749,11 +749,16 @@ asm(
 NOKPROBE_SYMBOL(kretprobe_trampoline);
 STACK_FRAME_NON_STANDARD(kretprobe_trampoline);
 
+static struct kprobe kretprobe_kprobe = {
+	.addr = (void *)kretprobe_trampoline,
+};
+
 /*
  * Called from kretprobe_trampoline
  */
 static __used void *trampoline_handler(struct pt_regs *regs)
 {
+	struct kprobe_ctlblk *kcb;
 	struct kretprobe_instance *ri = NULL;
 	struct hlist_head *head, empty_rp;
 	struct hlist_node *tmp;
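Review bot: `kretprobe_kprobe` is defined with only `.addr` set and no comment at the definition; the explanation sits in a later hunk inside `trampoline_handler()`. A comment here saying that it is a placeholder which this patch never registers, and which exists only to occupy `current_kprobe`, would stop a reader from treating it as a live probe.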
@@ -763,6 +768,17 @@ static __used void *trampoline_handler(s
 	void *frame_pointer;
 	bool skipped = false;
 
+	preempt_disable();
+
+	/*
+	 * Set a dummy kprobe for avoiding kretprobe recursion.
+	 * Since kretprobe never run in kprobe handler, kprobe must not
+	 * be running at this point.
+	 */
+	kcb = get_kprobe_ctlblk();
+	__this_cpu_write(current_kprobe, &kretprobe_kprobe);
+	kcb->kprobe_status = KPROBE_HIT_ACTIVE;
+
 	INIT_HLIST_HEAD(&empty_rp);
 	kretprobe_hash_lock(current, &head, &flags);
 	/* fixup registers */
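Review bot: The added comment asserts that no kprobe can be running at this point, but the code overwrites `current_kprobe` and `kcb->kprobe_status` without checking or saving what was there. A `WARN_ON_ONCE(kprobe_running())` after `preempt_disable()` and before the `__this_cpu_write()` would turn that assumption into something a test run can catch.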
@@ -838,10 +854,9 @@ static __used void *trampoline_handler(s
 		orig_ret_address = (unsigned long)ri->ret_addr;
 		if (ri->rp && ri->rp->handler) {
 			__this_cpu_write(current_kprobe, &ri->rp->kp);
-			get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
 			ri->ret_addr = correct_ret_addr;
 			ri->rp->handler(ri, regs);
-			__this_cpu_write(current_kprobe, NULL);
+			__this_cpu_write(current_kprobe, &kretprobe_kprobe);
 		}
 
 		recycle_rp_inst(ri, &empty_rp);
@@ -857,6 +872,9 @@ static __used void *trampoline_handler(s
 
 	kretprobe_hash_unlock(current, &flags);
 
+	__this_cpu_write(current_kprobe, NULL);
+	preempt_enable();
+
 	hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
 		hlist_del(&ri->hlist);
 		kfree(ri);




* [PATCH 5.0 090/115] kprobes: Fix error check when reusing optimized probes
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 089/115] x86/kprobes: Avoid kretprobe recursion bug Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 091/115] rt2x00: do not increment sequence number while re-transmitting Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu,
	Anil S Keshavamurthy, David S . Miller, Linus Torvalds,
	Naveen N . Rao, Peter Zijlstra, Thomas Gleixner, Ingo Molnar

From: Masami Hiramatsu <mhiramat@kernel.org>

commit 5f843ed415581cfad4ef8fefe31c138a8346ca8a upstream.

The following commit introduced a bug in one of our error paths:

  819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()")

it missed to handle the return value of kprobe_optready() as
error-value. In reality, the kprobe_optready() returns a bool
result, so "true" case must be passed instead of 0.

This causes some errors on kprobe boot-time selftests on ARM:

 [   ] Beginning kprobe tests...
 [   ] Probe ARM code
 [   ]     kprobe
 [   ]     kretprobe
 [   ] ARM instruction simulation
 [   ]     Check decoding tables
 [   ]     Run test cases
 [   ] FAIL: test_case_handler not run
 [   ] FAIL: Test andge	r10, r11, r14, asr r7
 [   ] FAIL: Scenario 11
 ...
 [   ] FAIL: Scenario 7
 [   ] Total instruction simulation tests=1631, pass=1433 fail=198
 [   ] kprobe tests failed

This can happen if an optimized probe is unregistered and next
kprobe is registered on same address until the previous probe
is not reclaimed.

If this happens, a hidden aggregated probe may be kept in memory,
and no new kprobe can probe same address. Also, in that case
register_kprobe() will return "1" instead of minus error value,
which can mislead caller logic.

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: David S . Miller <davem@davemloft.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Naveen N . Rao <naveen.n.rao@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org # v5.0+
Fixes: 819319fc9346 ("kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()")
Link: http://lkml.kernel.org/r/155530808559.32517.539898325433642204.stgit@devnote2
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/kprobes.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -709,7 +709,6 @@ static void unoptimize_kprobe(struct kpr
 static int reuse_unused_kprobe(struct kprobe *ap)
 {
 	struct optimized_kprobe *op;
-	int ret;
 
 	/*
 	 * Unused kprobe MUST be on the way of delayed unoptimizing (means
@@ -720,9 +719,8 @@ static int reuse_unused_kprobe(struct kp
 	/* Enable the probe again */
 	ap->flags &= ~KPROBE_FLAG_DISABLED;
 	/* Optimize it again (remove from op->list) */
-	ret = kprobe_optready(ap);
-	if (ret)
-		return ret;
+	if (!kprobe_optready(ap))
+		return -EINVAL;
 
 	optimize_kprobe(ap);
 	return 0;
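Review bot: On the new failure path the function returns `-EINVAL` after `ap->flags &= ~KPROBE_FLAG_DISABLED` has already run, so the aggregated probe is left marked enabled even though reuse failed. Either move the `kprobe_optready()` check ahead of the flag update or restore the flag before returning, and confirm that the callers treat a negative return as an error.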




* [PATCH 5.0 091/115] rt2x00: do not increment sequence number while re-transmitting
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 090/115] kprobes: Fix error check when reusing optimized probes Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 092/115] mac80211: do not call driver wake_tx_queue op during reconfig Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vijayakumar Durai, Stanislaw Gruszka,
	Kalle Valo

From: Vijayakumar Durai <vijayakumar.durai1@vivint.com>

commit 746ba11f170603bf1eaade817553a6c2e9135bbe upstream.

Currently rt2x00 devices retransmit the management frames with
incremented sequence number if hardware is assigning the sequence.

This is HW bug fixed already for non-QOS data frames, but it should
be fixed for management frames except beacon.

Without fix retransmitted frames have wrong SN:

 AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1
 AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1
 AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1

With the fix SN stays correctly the same:

 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C
 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C

Cc: stable@vger.kernel.org
Signed-off-by: Vijayakumar Durai <vijayakumar.durai1@vivint.com>
[sgruszka: simplify code, change comments and changelog]
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ralink/rt2x00/rt2x00.h      |    1 -
 drivers/net/wireless/ralink/rt2x00/rt2x00mac.c   |   10 ----------
 drivers/net/wireless/ralink/rt2x00/rt2x00queue.c |   15 +++++++++------
 3 files changed, 9 insertions(+), 17 deletions(-)

--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
@@ -673,7 +673,6 @@ enum rt2x00_state_flags {
 	CONFIG_CHANNEL_HT40,
 	CONFIG_POWERSAVING,
 	CONFIG_HT_DISABLED,
-	CONFIG_QOS_DISABLED,
 	CONFIG_MONITORING,
 
 	/*
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
@@ -642,19 +642,9 @@ void rt2x00mac_bss_info_changed(struct i
 			rt2x00dev->intf_associated--;
 
 		rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated);
-
-		clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
 	}
 
 	/*
-	 * Check for access point which do not support 802.11e . We have to
-	 * generate data frames sequence number in S/W for such AP, because
-	 * of H/W bug.
-	 */
-	if (changes & BSS_CHANGED_QOS && !bss_conf->qos)
-		set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
-
-	/*
 	 * When the erp information has changed, we should perform
 	 * additional configuration steps. For all other changes we are done.
 	 */
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descri
 	if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) {
 		/*
 		 * rt2800 has a H/W (or F/W) bug, device incorrectly increase
-		 * seqno on retransmited data (non-QOS) frames. To workaround
-		 * the problem let's generate seqno in software if QOS is
-		 * disabled.
+		 * seqno on retransmitted data (non-QOS) and management frames.
+		 * To workaround the problem let's generate seqno in software.
+		 * Except for beacons which are transmitted periodically by H/W
+		 * hence hardware has to assign seqno for them.
 		 */
-		if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags))
-			__clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
-		else
+	    	if (ieee80211_is_beacon(hdr->frame_control)) {
+			__set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
 			/* H/W will generate sequence number */
 			return;
+		}
+
+		__clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
 	}
 
 	/*
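Review bot: The added `if (ieee80211_is_beacon(hdr->frame_control)) {` line is indented with a tab, four spaces and another tab, unlike the tab-only lines around it, and checkpatch will flag it. The retained comment `/* H/W will generate sequence number */` now sits after `__set_bit()` instead of before it and would read better above the statement it explains.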




* [PATCH 5.0 092/115] mac80211: do not call driver wake_tx_queue op during reconfig
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 091/115] rt2x00: do not increment sequence number while re-transmitting Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 093/115] s390/mem_detect: Use IS_ENABLED(CONFIG_BLK_DEV_INITRD) Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit 4856bfd230985e43e84c26473c91028ff0a533bd upstream.

There are several scenarios in which mac80211 can call drv_wake_tx_queue
after ieee80211_restart_hw has been called and has not yet completed.
Driver private structs are considered uninitialized until mac80211 has
uploaded the vifs, stations and keys again, so using private tx queue
data during that time is not safe.

The driver can also not rely on drv_reconfig_complete to figure out when
it is safe to accept drv_wake_tx_queue calls again, because it is only
called after all tx queues are woken again.

To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig
is set.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/driver-ops.h |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -1166,6 +1166,9 @@ static inline void drv_wake_tx_queue(str
 {
 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
 
+	if (local->in_reconfig)
+		return;
+
 	if (!check_sdata_in_driver(sdata))
 		return;
 
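Review bot: The early return on `local->in_reconfig` silently drops the wake-up, and nothing in the hunk says who wakes the queue once reconfiguration ends. The changelog states that all tx queues are woken again before `drv_reconfig_complete`; a one-line comment above the check saying so would make it clear that the dropped call is not a lost wake-up.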




* [PATCH 5.0 093/115] s390/mem_detect: Use IS_ENABLED(CONFIG_BLK_DEV_INITRD)
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 092/115] mac80211: do not call driver wake_tx_queue op during reconfig Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 094/115] drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Perches, Martin Schwidefsky

From: Joe Perches <joe@perches.com>

commit 2d4ea4b95cae3133de6b18ec5d5a42ee824fa0ef upstream.

IS_ENABLED should generally use CONFIG_ prefaced symbols and
it doesn't appear as if there is a BLK_DEV_INITRD define.

Cc: <stable@vger.kernel.org> # 4.20
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/boot/mem_detect.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/boot/mem_detect.c
+++ b/arch/s390/boot/mem_detect.c
@@ -25,7 +25,7 @@ static void *mem_detect_alloc_extended(v
 {
 	unsigned long offset = ALIGN(mem_safe_offset(), sizeof(u64));
 
-	if (IS_ENABLED(BLK_DEV_INITRD) && INITRD_START && INITRD_SIZE &&
+	if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && INITRD_START && INITRD_SIZE &&
 	    INITRD_START < offset + ENTRIES_EXTENDED_MAX)
 		offset = ALIGN(INITRD_START + INITRD_SIZE, sizeof(u64));
 
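Review bot: The changelog treats the `IS_ENABLED(BLK_DEV_INITRD)` to `IS_ENABLED(CONFIG_BLK_DEV_INITRD)` change as a naming cleanup, but `IS_ENABLED()` on a symbol that is never defined evaluates to 0, so the initrd overlap branch could not be taken before this change. The commit message should state that behaviour changes: with an initrd present, `offset` can now be moved past `INITRD_START + INITRD_SIZE`.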




* [PATCH 5.0 094/115] drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 093/115] s390/mem_detect: Use IS_ENABLED(CONFIG_BLK_DEV_INITRD) Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 095/115] perf/x86/amd: Add event map for AMD Family 17h Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian König, Alex Deucher

From: Alex Deucher <alexander.deucher@amd.com>

commit 1925e7d3d4677e681cc2e878c2bdbeaee988c8e2 upstream.

Got accidentally dropped when 2+1 level support was added.

Fixes: 6a42fd6fbf534096 ("drm/amdgpu: implement 2+1 PD support for Raven v3")
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
@@ -182,6 +182,7 @@ static void mmhub_v1_0_init_cache_regs(s
 		tmp = REG_SET_FIELD(tmp, VM_L2_CNTL3,
 				    L2_CACHE_BIGK_FRAGMENT_SIZE, 6);
 	}
+	WREG32_SOC15(MMHUB, 0, mmVM_L2_CNTL3, tmp);
 
 	tmp = mmVM_L2_CNTL4_DEFAULT;
 	tmp = REG_SET_FIELD(tmp, VM_L2_CNTL4, VMC_TAP_PDE_REQUEST_PHYSICAL, 0);




* [PATCH 5.0 095/115] perf/x86/amd: Add event map for AMD Family 17h
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 094/115] drm/amdgpu/gmc9: fix VM_L2_CNTL3 programming Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 096/115] x86/cpu/bugs: Use __initconst for const init data Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kim Phillips, Alexander Shishkin,
	Arnaldo Carvalho de Melo, Borislav Petkov, H. Peter Anvin,
	Janakarajan Natarajan, Jiri Olsa, Linus Torvalds,
	Martin Liška, Namhyung Kim, Peter Zijlstra, Pu Wen,
	Suravee Suthikulpanit, Thomas Gleixner, Ingo Molnar

From: Kim Phillips <kim.phillips@amd.com>

commit 3fe3331bb285700ab2253dbb07f8e478fcea2f1b upstream.

Family 17h differs from prior families by:

 - Does not support an L2 cache miss event
 - It has re-enumerated PMC counters for:
   - L2 cache references
   - front & back end stalled cycles

So we add a new amd_f17h_perfmon_event_map[] so that the generic
perf event names will resolve to the correct h/w events on
family 17h and above processors.

Reference sections 2.1.13.3.3 (stalls) and 2.1.13.3.6 (L2):

  https://www.amd.com/system/files/TechDocs/54945_PPR_Family_17h_Models_00h-0Fh.pdf

Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Cc: <stable@vger.kernel.org> # v4.9+
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Martin Liška <mliska@suse.cz>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Pu Wen <puwen@hygon.cn>
Cc: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Fixes: e40ed1542dd7 ("perf/x86: Add perf support for AMD family-17h processors")
[ Improved the formatting a bit. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/amd/core.c |   35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

--- a/arch/x86/events/amd/core.c
+++ b/arch/x86/events/amd/core.c
@@ -117,22 +117,39 @@ static __initconst const u64 amd_hw_cach
 };
 
 /*
- * AMD Performance Monitor K7 and later.
+ * AMD Performance Monitor K7 and later, up to and including Family 16h:
  */
 static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] =
 {
-  [PERF_COUNT_HW_CPU_CYCLES]			= 0x0076,
-  [PERF_COUNT_HW_INSTRUCTIONS]			= 0x00c0,
-  [PERF_COUNT_HW_CACHE_REFERENCES]		= 0x077d,
-  [PERF_COUNT_HW_CACHE_MISSES]			= 0x077e,
-  [PERF_COUNT_HW_BRANCH_INSTRUCTIONS]		= 0x00c2,
-  [PERF_COUNT_HW_BRANCH_MISSES]			= 0x00c3,
-  [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND]	= 0x00d0, /* "Decoder empty" event */
-  [PERF_COUNT_HW_STALLED_CYCLES_BACKEND]	= 0x00d1, /* "Dispatch stalls" event */
+	[PERF_COUNT_HW_CPU_CYCLES]		= 0x0076,
+	[PERF_COUNT_HW_INSTRUCTIONS]		= 0x00c0,
+	[PERF_COUNT_HW_CACHE_REFERENCES]	= 0x077d,
+	[PERF_COUNT_HW_CACHE_MISSES]		= 0x077e,
+	[PERF_COUNT_HW_BRANCH_INSTRUCTIONS]	= 0x00c2,
+	[PERF_COUNT_HW_BRANCH_MISSES]		= 0x00c3,
+	[PERF_COUNT_HW_STALLED_CYCLES_FRONTEND]	= 0x00d0, /* "Decoder empty" event */
+	[PERF_COUNT_HW_STALLED_CYCLES_BACKEND]	= 0x00d1, /* "Dispatch stalls" event */
+};
+
+/*
+ * AMD Performance Monitor Family 17h and later:
+ */
+static const u64 amd_f17h_perfmon_event_map[PERF_COUNT_HW_MAX] =
+{
+	[PERF_COUNT_HW_CPU_CYCLES]		= 0x0076,
+	[PERF_COUNT_HW_INSTRUCTIONS]		= 0x00c0,
+	[PERF_COUNT_HW_CACHE_REFERENCES]	= 0xff60,
+	[PERF_COUNT_HW_BRANCH_INSTRUCTIONS]	= 0x00c2,
+	[PERF_COUNT_HW_BRANCH_MISSES]		= 0x00c3,
+	[PERF_COUNT_HW_STALLED_CYCLES_FRONTEND]	= 0x0287,
+	[PERF_COUNT_HW_STALLED_CYCLES_BACKEND]	= 0x0187,
 };
 
 static u64 amd_pmu_event_map(int hw_event)
 {
+	if (boot_cpu_data.x86 >= 0x17)
+		return amd_f17h_perfmon_event_map[hw_event];
+
 	return amd_perfmon_event_map[hw_event];
 }
 
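Review bot: `amd_f17h_perfmon_event_map[]` has no initializer for `PERF_COUNT_HW_CACHE_MISSES`, so on family 17h and later `amd_pmu_event_map()` returns 0 for that index. The changelog explains that the family has no L2 cache miss event, but the table itself should carry a comment saying the omission is deliberate, and it is worth stating how a zero event code is handled by the caller. The reindentation of the existing table in the same hunk also hides the functional change and would be cleaner as a separate patch.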




* [PATCH 5.0 096/115] x86/cpu/bugs: Use __initconst for const init data
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 095/115] perf/x86/amd: Add event map for AMD Family 17h Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 097/115] perf/x86: Fix incorrect PEBS_REGS Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andi Kleen, Thomas Gleixner

From: Andi Kleen <ak@linux.intel.com>

commit 1de7edbb59c8f1b46071f66c5c97b8a59569eb51 upstream.

Some of the recently added const tables use __initdata which causes section
attribute conflicts.

Use __initconst instead.

Fixes: fa1202ef2243 ("x86/speculation: Add command line control")
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20190330004743.29541-9-andi@firstfloor.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/bugs.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -275,7 +275,7 @@ static const struct {
 	const char			*option;
 	enum spectre_v2_user_cmd	cmd;
 	bool				secure;
-} v2_user_options[] __initdata = {
+} v2_user_options[] __initconst = {
 	{ "auto",		SPECTRE_V2_USER_CMD_AUTO,		false },
 	{ "off",		SPECTRE_V2_USER_CMD_NONE,		false },
 	{ "on",			SPECTRE_V2_USER_CMD_FORCE,		true  },
@@ -419,7 +419,7 @@ static const struct {
 	const char *option;
 	enum spectre_v2_mitigation_cmd cmd;
 	bool secure;
-} mitigation_options[] __initdata = {
+} mitigation_options[] __initconst = {
 	{ "off",		SPECTRE_V2_CMD_NONE,		  false },
 	{ "on",			SPECTRE_V2_CMD_FORCE,		  true  },
 	{ "retpoline",		SPECTRE_V2_CMD_RETPOLINE,	  false },
@@ -658,7 +658,7 @@ static const char * const ssb_strings[]
 static const struct {
 	const char *option;
 	enum ssb_mitigation_cmd cmd;
-} ssb_mitigation_options[]  __initdata = {
+} ssb_mitigation_options[]  __initconst = {
 	{ "auto",	SPEC_STORE_BYPASS_CMD_AUTO },    /* Platform decides */
 	{ "on",		SPEC_STORE_BYPASS_CMD_ON },      /* Disable Speculative Store Bypass */
 	{ "off",	SPEC_STORE_BYPASS_CMD_NONE },    /* Don't touch Speculative Store Bypass */




* [PATCH 5.0 097/115] perf/x86: Fix incorrect PEBS_REGS
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 096/115] x86/cpu/bugs: Use __initconst for const init data Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 098/115] x86/speculation: Prevent deadlock on ssb_state::lock Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kan Liang, Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	acme, jolsa, Ingo Molnar

From: Kan Liang <kan.liang@linux.intel.com>

commit 9d5dcc93a6ddfc78124f006ccd3637ce070ef2fc upstream.

PEBS_REGS is used as a mask for the supported registers for large PEBS.
However, the mask cannot filter the sample_regs_user/sample_regs_intr
correctly.

(1ULL << PERF_REG_X86_*) should be used to replace PERF_REG_X86_*, which
is only the index.

Rename PEBS_REGS to PEBS_GP_REGS, because the mask is only for general
purpose registers.

Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@vger.kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: acme@kernel.org
Cc: jolsa@kernel.org
Fixes: 2fe1bc1f501d ("perf/x86: Enable free running PEBS for REGS_USER/INTR")
Link: https://lkml.kernel.org/r/20190402194509.2832-2-kan.liang@linux.intel.com
[ Renamed it to PEBS_GP_REGS - as 'GPRS' is used elsewhere ;-) ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/events/intel/core.c |    2 +-
 arch/x86/events/perf_event.h |   38 +++++++++++++++++++-------------------
 2 files changed, 20 insertions(+), 20 deletions(-)

--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3130,7 +3130,7 @@ static unsigned long intel_pmu_large_peb
 		flags &= ~PERF_SAMPLE_TIME;
 	if (!event->attr.exclude_kernel)
 		flags &= ~PERF_SAMPLE_REGS_USER;
-	if (event->attr.sample_regs_user & ~PEBS_REGS)
+	if (event->attr.sample_regs_user & ~PEBS_GP_REGS)
 		flags &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR);
 	return flags;
 }
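Review bot: Only `event->attr.sample_regs_user` is tested against `~PEBS_GP_REGS` in this hunk, while the changelog says the mask has to filter both `sample_regs_user` and `sample_regs_intr`, and the branch clears `PERF_SAMPLE_REGS_INTR` as well. If `sample_regs_intr` can request registers outside the general purpose set, it needs the same test here.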
--- a/arch/x86/events/perf_event.h
+++ b/arch/x86/events/perf_event.h
@@ -96,25 +96,25 @@ struct amd_nb {
 	PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER | \
 	PERF_SAMPLE_PERIOD)
 
-#define PEBS_REGS \
-	(PERF_REG_X86_AX | \
-	 PERF_REG_X86_BX | \
-	 PERF_REG_X86_CX | \
-	 PERF_REG_X86_DX | \
-	 PERF_REG_X86_DI | \
-	 PERF_REG_X86_SI | \
-	 PERF_REG_X86_SP | \
-	 PERF_REG_X86_BP | \
-	 PERF_REG_X86_IP | \
-	 PERF_REG_X86_FLAGS | \
-	 PERF_REG_X86_R8 | \
-	 PERF_REG_X86_R9 | \
-	 PERF_REG_X86_R10 | \
-	 PERF_REG_X86_R11 | \
-	 PERF_REG_X86_R12 | \
-	 PERF_REG_X86_R13 | \
-	 PERF_REG_X86_R14 | \
-	 PERF_REG_X86_R15)
+#define PEBS_GP_REGS			\
+	((1ULL << PERF_REG_X86_AX)    | \
+	 (1ULL << PERF_REG_X86_BX)    | \
+	 (1ULL << PERF_REG_X86_CX)    | \
+	 (1ULL << PERF_REG_X86_DX)    | \
+	 (1ULL << PERF_REG_X86_DI)    | \
+	 (1ULL << PERF_REG_X86_SI)    | \
+	 (1ULL << PERF_REG_X86_SP)    | \
+	 (1ULL << PERF_REG_X86_BP)    | \
+	 (1ULL << PERF_REG_X86_IP)    | \
+	 (1ULL << PERF_REG_X86_FLAGS) | \
+	 (1ULL << PERF_REG_X86_R8)    | \
+	 (1ULL << PERF_REG_X86_R9)    | \
+	 (1ULL << PERF_REG_X86_R10)   | \
+	 (1ULL << PERF_REG_X86_R11)   | \
+	 (1ULL << PERF_REG_X86_R12)   | \
+	 (1ULL << PERF_REG_X86_R13)   | \
+	 (1ULL << PERF_REG_X86_R14)   | \
+	 (1ULL << PERF_REG_X86_R15))
 
 /*
  * Per register state.
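
Review bot: PEBS_GP_REGS carries no comment explaining why every term is shifted, which is the whole point of the fix: the PERF_REG_X86_* names are register indices, so OR-ing them directly (the removed PEBS_REGS) does not yield a register mask. A one-line comment above the define, and BIT_ULL(PERF_REG_X86_AX) in place of the open-coded (1ULL << PERF_REG_X86_AX), would keep a later edit from reintroducing the mistake.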




* [PATCH 5.0 098/115] x86/speculation: Prevent deadlock on ssb_state::lock
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 097/115] perf/x86: Fix incorrect PEBS_REGS Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10   ` Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikhail Gavrilov, Thomas Gleixner,
	Thomas Lendacky

From: Thomas Gleixner <tglx@linutronix.de>

commit 2f5fb19341883bb6e37da351bc3700489d8506a7 upstream.

Mikhail reported a lockdep splat related to the AMD specific ssb_state
lock:

  CPU0                       CPU1
  lock(&st->lock);
                             local_irq_disable();
                             lock(&(&sighand->siglock)->rlock);
                             lock(&st->lock);
  <Interrupt>
     lock(&(&sighand->siglock)->rlock);

  *** DEADLOCK ***

The connection between sighand->siglock and st->lock comes through seccomp,
which takes st->lock while holding sighand->siglock.

Make sure interrupts are disabled when __speculation_ctrl_update() is
invoked via prctl() -> speculation_ctrl_update(). Add a lockdep assert to
catch future offenders.

Fixes: 1f50ddb4f418 ("x86/speculation: Handle HT correctly on AMD")
Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Cc: Thomas Lendacky <thomas.lendacky@amd.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1904141948200.4917@nanos.tec.linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/process.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -414,6 +414,8 @@ static __always_inline void __speculatio
 	u64 msr = x86_spec_ctrl_base;
 	bool updmsr = false;
 
+	lockdep_assert_irqs_disabled();
+
 	/*
 	 * If TIF_SSBD is different, select the proper mitigation
 	 * method. Note that if SSBD mitigation is disabled or permanentely
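
Review bot: lockdep_assert_irqs_disabled() at the top of __speculation_ctrl_update() only fires on lockdep-enabled builds, and this patch converts just one caller, speculation_ctrl_update(). Any other caller of the helper is outside the diff, so confirm each one already runs with interrupts off, and put a short comment next to the assert naming the lock that requires it (st->lock, taken under sighand->siglock per the changelog).
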
@@ -465,10 +467,12 @@ static unsigned long speculation_ctrl_up
 
 void speculation_ctrl_update(unsigned long tif)
 {
+	unsigned long flags;
+
 	/* Forced update. Make sure all relevant TIF flags are different */
-	preempt_disable();
+	local_irq_save(flags);
 	__speculation_ctrl_update(~tif, tif);
-	preempt_enable();
+	local_irq_restore(flags);
 }
 
 /* Called from seccomp/prctl update */
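
Review bot: the comment above local_irq_save() in speculation_ctrl_update() still reads only "Forced update" and gives no reason for disabling interrupts where preempt_disable() used to be enough. Extend it to say that the update path takes st->lock, which seccomp acquires while holding sighand->siglock, so it must not be taken with interrupts enabled; without that the pair looks like a candidate for being relaxed back to preempt_disable().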




* [PATCH 5.0 099/115] timers/sched_clock: Prevent generic sched_clock wrap caused by tick_freeze()
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
@ 2019-04-24 17:10   ` Greg Kroah-Hartman
  2019-04-24 17:08 ` [PATCH 5.0 002/115] failover: allow name change on IFF_UP slave interfaces Greg Kroah-Hartman
                     ` (117 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chang-An Chen, Thomas Gleixner,
	Frederic Weisbecker, Matthias Brugger, John Stultz, Kees Cook,
	Corey Minyard, linux-mediatek, linux-arm-kernel, Stanley Chu,
	kuohong.wang, freddy.hsin

From: Chang-An Chen <chang-an.chen@mediatek.com>

commit 3f2552f7e9c5abef2775c53f7af66532f8bf65bc upstream.

tick_freeze() introduced by suspend-to-idle in commit 124cf9117c5f ("PM /
sleep: Make it possible to quiesce timers during suspend-to-idle") uses
timekeeping_suspend() instead of syscore_suspend() during
suspend-to-idle. As a consequence generic sched_clock will keep going
because sched_clock_suspend() and sched_clock_resume() are not invoked
during suspend-to-idle which can result in a generic sched_clock wrap.

On an ARM system with suspend-to-idle enabled, sched_clock is registered
as "56 bits at 13MHz, resolution 76ns, wraps every 4398046511101ns", which
means the real wrapping duration is 8796093022202ns.

[  134.551779] suspend-to-idle suspend (timekeeping_suspend())
[ 1204.912239] suspend-to-idle resume (timekeeping_resume())
......
[ 1206.912239] suspend-to-idle suspend (timekeeping_suspend())
[ 5880.502807] suspend-to-idle resume (timekeeping_resume())
......
[ 6000.403724] suspend-to-idle suspend (timekeeping_suspend())
[ 8035.753167] suspend-to-idle resume  (timekeeping_resume())
......
[ 8795.786684] (2)[321:charger_thread]......
[ 8795.788387] (2)[321:charger_thread]......
[    0.057226] (0)[0:swapper/0]......
[    0.061447] (2)[0:swapper/2]......

sched_clock was not stopped during suspend-to-idle, and sched_clock_poll
hrtimer was not expired because timekeeping_suspend() was invoked during
suspend-to-idle. It makes sched_clock wrap at kernel time 8796s.

To prevent this, invoke sched_clock_suspend() and sched_clock_resume() in
tick_freeze() together with timekeeping_suspend() and timekeeping_resume().

Fixes: 124cf9117c5f (PM / sleep: Make it possible to quiesce timers during suspend-to-idle)
Signed-off-by: Chang-An Chen <chang-an.chen@mediatek.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Corey Minyard <cminyard@mvista.com>
Cc: <linux-mediatek@lists.infradead.org>
Cc: <linux-arm-kernel@lists.infradead.org>
Cc: Stanley Chu <stanley.chu@mediatek.com>
Cc: <kuohong.wang@mediatek.com>
Cc: <freddy.hsin@mediatek.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1553828349-8914-1-git-send-email-chang-an.chen@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/time/sched_clock.c |    4 ++--
 kernel/time/tick-common.c |    2 ++
 kernel/time/timekeeping.h |    7 +++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

--- a/kernel/time/sched_clock.c
+++ b/kernel/time/sched_clock.c
@@ -272,7 +272,7 @@ static u64 notrace suspended_sched_clock
 	return cd.read_data[seq & 1].epoch_cyc;
 }
 
-static int sched_clock_suspend(void)
+int sched_clock_suspend(void)
 {
 	struct clock_read_data *rd = &cd.read_data[0];
 
@@ -283,7 +283,7 @@ static int sched_clock_suspend(void)
 	return 0;
 }
 
-static void sched_clock_resume(void)
+void sched_clock_resume(void)
 {
 	struct clock_read_data *rd = &cd.read_data[0];
 
--- a/kernel/time/tick-common.c
+++ b/kernel/time/tick-common.c
@@ -487,6 +487,7 @@ void tick_freeze(void)
 		trace_suspend_resume(TPS("timekeeping_freeze"),
 				     smp_processor_id(), true);
 		system_state = SYSTEM_SUSPEND;
+		sched_clock_suspend();
 		timekeeping_suspend();
 	} else {
 		tick_suspend_local();
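
Review bot: tick_freeze() discards the int returned by sched_clock_suspend(). The stub added to timekeeping.h returns 0 and nothing at this call site could act on a failure, so add a comment that the return value is intentionally ignored, and say in the same comment why the call goes before timekeeping_suspend() while tick_unfreeze() calls sched_clock_resume() after timekeeping_resume().
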
@@ -510,6 +511,7 @@ void tick_unfreeze(void)
 
 	if (tick_freeze_depth == num_online_cpus()) {
 		timekeeping_resume();
+		sched_clock_resume();
 		system_state = SYSTEM_RUNNING;
 		trace_suspend_resume(TPS("timekeeping_freeze"),
 				     smp_processor_id(), false);
--- a/kernel/time/timekeeping.h
+++ b/kernel/time/timekeeping.h
@@ -14,6 +14,13 @@ extern u64 timekeeping_max_deferment(voi
 extern void timekeeping_warp_clock(void);
 extern int timekeeping_suspend(void);
 extern void timekeeping_resume(void);
+#ifdef CONFIG_GENERIC_SCHED_CLOCK
+extern int sched_clock_suspend(void);
+extern void sched_clock_resume(void);
+#else
+static inline int sched_clock_suspend(void) { return 0; }
+static inline void sched_clock_resume(void) { }
+#endif
 
 extern void do_timer(unsigned long ticks);
 extern void update_wall_time(void);
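
Review bot: these prototypes are the only declarations of the now non-static sched_clock_suspend() and sched_clock_resume(), but the sched_clock.c hunks change nothing except the two signatures (diffstat: 4 ++--). Check that kernel/time/sched_clock.c includes "timekeeping.h"; without it the definitions are compiled with no prior declaration, a mismatch with this header would go unnoticed, and sparse or -Wmissing-prototypes will flag both functions.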





* [PATCH 5.0 100/115] nfit/ars: Remove ars_start_flags
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2019-04-24 17:10   ` Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 101/115] nfit/ars: Introduce scrub_flags Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Toshi Kani, Dan Williams, Sasha Levin

commit 317a992ab9266b86b774b9f6b0f87eb4f59879a1 upstream.

The ars_start_flags property of 'struct acpi_nfit_desc' is no longer
used since ARS_REQ_SHORT and ARS_REQ_LONG were added.

Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/nfit/core.c | 10 +++++-----
 drivers/acpi/nfit/nfit.h |  1 -
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index f75f8f870ce3..1a48c92eaed5 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -2660,11 +2660,11 @@ static int ars_continue(struct acpi_nfit_desc *acpi_desc)
 	struct nvdimm_bus_descriptor *nd_desc = &acpi_desc->nd_desc;
 	struct nd_cmd_ars_status *ars_status = acpi_desc->ars_status;
 
-	memset(&ars_start, 0, sizeof(ars_start));
-	ars_start.address = ars_status->restart_address;
-	ars_start.length = ars_status->restart_length;
-	ars_start.type = ars_status->type;
-	ars_start.flags = acpi_desc->ars_start_flags;
+	ars_start = (struct nd_cmd_ars_start) {
+		.address = ars_status->restart_address,
+		.length = ars_status->restart_length,
+		.type = ars_status->type,
+	};
 	rc = nd_desc->ndctl(nd_desc, NULL, ND_CMD_ARS_START, &ars_start,
 			sizeof(ars_start), &cmd_rc);
 	if (rc < 0)
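
Review bot: replacing memset() plus field assignments with a compound literal in ars_continue() zeroes the members that are not named, but unlike memset() it does not guarantee that padding bytes are cleared. ars_start is handed to nd_desc->ndctl() with sizeof(ars_start), so the whole object leaves this function; confirm that struct nd_cmd_ars_start has no implicit padding (packed, or explicit reserved fields), or keep the memset().
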
diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h
index 33691aecfcee..871fb3de3b30 100644
--- a/drivers/acpi/nfit/nfit.h
+++ b/drivers/acpi/nfit/nfit.h
@@ -223,7 +223,6 @@ struct acpi_nfit_desc {
 	struct list_head idts;
 	struct nvdimm_bus *nvdimm_bus;
 	struct device *dev;
-	u8 ars_start_flags;
 	struct nd_cmd_ars_status *ars_status;
 	struct nfit_spa *scrub_spa;
 	struct delayed_work dwork;
-- 
2.19.1





* [PATCH 5.0 101/115] nfit/ars: Introduce scrub_flags
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 100/115] nfit/ars: Remove ars_start_flags Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 102/115] nfit/ars: Allow root to busy-poll the ARS state machine Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Toshi Kani, Dan Williams, Sasha Levin

commit e34b8252a3d2893ca55c82dbfcdaa302fa03d400 upstream.

In preparation for introducing new flags to gate whether ARS results are
stale, or poll the completion state, convert the existing flags to an
unsigned long with enumerated values. This conversion allows the flags
to be atomically updated outside of ->init_mutex.

Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/nfit/core.c | 30 +++++++++++++++++-------------
 drivers/acpi/nfit/nfit.h |  8 ++++++--
 2 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 1a48c92eaed5..64308e669250 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -1319,19 +1319,23 @@ static ssize_t scrub_show(struct device *dev,
 		struct device_attribute *attr, char *buf)
 {
 	struct nvdimm_bus_descriptor *nd_desc;
+	struct acpi_nfit_desc *acpi_desc;
 	ssize_t rc = -ENXIO;
+	bool busy;
 
 	device_lock(dev);
 	nd_desc = dev_get_drvdata(dev);
-	if (nd_desc) {
-		struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
-
-		mutex_lock(&acpi_desc->init_mutex);
-		rc = sprintf(buf, "%d%s", acpi_desc->scrub_count,
-				acpi_desc->scrub_busy
-				&& !acpi_desc->cancel ? "+\n" : "\n");
-		mutex_unlock(&acpi_desc->init_mutex);
+	if (!nd_desc) {
+		device_unlock(dev);
+		return rc;
 	}
+	acpi_desc = to_acpi_desc(nd_desc);
+
+	mutex_lock(&acpi_desc->init_mutex);
+	busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags)
+		&& !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
+	rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n");
+	mutex_unlock(&acpi_desc->init_mutex);
 	device_unlock(dev);
 	return rc;
 }
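
Review bot: the new early exit in scrub_show() duplicates device_unlock(dev) and "return rc", which already sit at the bottom of the function. A "goto out;" to a label placed just before the final device_unlock(dev) keeps a single unlock path and makes it harder for a later change to add a lock on one path and miss the other.
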
@@ -3081,7 +3085,7 @@ static unsigned int __acpi_nfit_scrub(struct acpi_nfit_desc *acpi_desc,
 
 	lockdep_assert_held(&acpi_desc->init_mutex);
 
-	if (acpi_desc->cancel)
+	if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags))
 		return 0;
 
 	if (query_rc == -EBUSY) {
@@ -3155,7 +3159,7 @@ static void __sched_ars(struct acpi_nfit_desc *acpi_desc, unsigned int tmo)
 {
 	lockdep_assert_held(&acpi_desc->init_mutex);
 
-	acpi_desc->scrub_busy = 1;
+	set_bit(ARS_BUSY, &acpi_desc->scrub_flags);
 	/* note this should only be set from within the workqueue */
 	if (tmo)
 		acpi_desc->scrub_tmo = tmo;
@@ -3171,7 +3175,7 @@ static void notify_ars_done(struct acpi_nfit_desc *acpi_desc)
 {
 	lockdep_assert_held(&acpi_desc->init_mutex);
 
-	acpi_desc->scrub_busy = 0;
+	clear_bit(ARS_BUSY, &acpi_desc->scrub_flags);
 	acpi_desc->scrub_count++;
 	if (acpi_desc->scrub_count_state)
 		sysfs_notify_dirent(acpi_desc->scrub_count_state);
@@ -3460,7 +3464,7 @@ int acpi_nfit_ars_rescan(struct acpi_nfit_desc *acpi_desc,
 	struct nfit_spa *nfit_spa;
 
 	mutex_lock(&acpi_desc->init_mutex);
-	if (acpi_desc->cancel) {
+	if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) {
 		mutex_unlock(&acpi_desc->init_mutex);
 		return 0;
 	}
@@ -3539,7 +3543,7 @@ void acpi_nfit_shutdown(void *data)
 	mutex_unlock(&acpi_desc_lock);
 
 	mutex_lock(&acpi_desc->init_mutex);
-	acpi_desc->cancel = 1;
+	set_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
 	cancel_delayed_work_sync(&acpi_desc->dwork);
 	mutex_unlock(&acpi_desc->init_mutex);
 
diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h
index 871fb3de3b30..897ce10192a0 100644
--- a/drivers/acpi/nfit/nfit.h
+++ b/drivers/acpi/nfit/nfit.h
@@ -210,6 +210,11 @@ struct nfit_mem {
 	int family;
 };
 
+enum scrub_flags {
+	ARS_BUSY,
+	ARS_CANCEL,
+};
+
 struct acpi_nfit_desc {
 	struct nvdimm_bus_descriptor nd_desc;
 	struct acpi_table_header acpi_header;
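
Review bot: enum scrub_flags is introduced without a comment on what each bit means or which lock, if any, covers it. Every set_bit(), clear_bit() and test_bit() call in the core.c hunks still runs under init_mutex, while the changelog gives updating outside ->init_mutex as the reason for the conversion; document per bit whether init_mutex is required so later users know when the atomic bitops alone are sufficient.
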
@@ -231,8 +236,7 @@ struct acpi_nfit_desc {
 	unsigned int max_ars;
 	unsigned int scrub_count;
 	unsigned int scrub_mode;
-	unsigned int scrub_busy:1;
-	unsigned int cancel:1;
+	unsigned long scrub_flags;
 	unsigned long dimm_cmd_force_en;
 	unsigned long bus_cmd_force_en;
 	unsigned long bus_nfit_cmd_force_en;
-- 
2.19.1





* [PATCH 5.0 102/115] nfit/ars: Allow root to busy-poll the ARS state machine
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 101/115] nfit/ars: Introduce scrub_flags Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 103/115] nfit/ars: Avoid stale ARS results Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erwin Tsaur, Toshi Kani,
	Dan Williams, Sasha Levin

commit 5479b2757f26fe9908fc341d105b2097fe820b6f upstream.

The ARS implementation implements exponential back-off on the poll
interval to prevent high-frequency access to the DIMM / platform
interface. Depending on when the ARS completes the poll interval may
exceed the completion event by minutes. Allow root to reset the timeout
each time it probes the status. A one-second timeout is still enforced,
but root can otherwise control the poll interval.

Fixes: bc6ba8085842 ("nfit, address-range-scrub: rework and simplify ARS...")
Cc: <stable@vger.kernel.org>
Reported-by: Erwin Tsaur <erwin.tsaur@oracle.com>
Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/nfit/core.c | 8 ++++++++
 drivers/acpi/nfit/nfit.h | 1 +
 2 files changed, 9 insertions(+)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 64308e669250..61d3fd65fbe9 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -1335,6 +1335,13 @@ static ssize_t scrub_show(struct device *dev,
 	busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags)
 		&& !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
 	rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n");
+	/* Allow an admin to poll the busy state at a higher rate */
+	if (busy && capable(CAP_SYS_RAWIO) && !test_and_set_bit(ARS_POLL,
+				&acpi_desc->scrub_flags)) {
+		acpi_desc->scrub_tmo = 1;
+		mod_delayed_work(nfit_wq, &acpi_desc->dwork, HZ);
+	}
+
 	mutex_unlock(&acpi_desc->init_mutex);
 	device_unlock(dev);
 	return rc;
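
Review bot: reading the scrub attribute in scrub_show() now has a side effect, and the gate is capable(CAP_SYS_RAWIO) while the subject and changelog say "root". capable() is evaluated against the task performing the read, so the new comment should state that the check is CAP_SYS_RAWIO on the reader and that ARS_POLL limits the reschedule to once per acpi_nfit_scrub() run (this patch clears it only there). The ABI documentation for the attribute should mention the behaviour as well.
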
@@ -3196,6 +3203,7 @@ static void acpi_nfit_scrub(struct work_struct *work)
 	else
 		notify_ars_done(acpi_desc);
 	memset(acpi_desc->ars_status, 0, acpi_desc->max_ars);
+	clear_bit(ARS_POLL, &acpi_desc->scrub_flags);
 	mutex_unlock(&acpi_desc->init_mutex);
 }
 
diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h
index 897ce10192a0..d14bad687fb8 100644
--- a/drivers/acpi/nfit/nfit.h
+++ b/drivers/acpi/nfit/nfit.h
@@ -213,6 +213,7 @@ struct nfit_mem {
 enum scrub_flags {
 	ARS_BUSY,
 	ARS_CANCEL,
+	ARS_POLL,
 };
 
 struct acpi_nfit_desc {
-- 
2.19.1





* [PATCH 5.0 103/115] nfit/ars: Avoid stale ARS results
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 102/115] nfit/ars: Allow root to busy-poll the ARS state machine Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 104/115] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Rusocki, Vishal Verma,
	Toshi Kani, Dan Williams, Sasha Levin

commit 78153dd45e7e0596ba32b15d02bda08e1513111e upstream.

Gate ARS result consumption on whether the OS issued start-ARS since the
previous consumption. The BIOS may only clear its result buffers after a
successful start-ARS.

Fixes: 0caeef63e6d2 ("libnvdimm: Add a poison list and export badblocks")
Cc: <stable@vger.kernel.org>
Reported-by: Krzysztof Rusocki <krzysztof.rusocki@intel.com>
Reported-by: Vishal Verma <vishal.l.verma@intel.com>
Reviewed-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/nfit/core.c | 17 ++++++++++++++++-
 drivers/acpi/nfit/nfit.h |  1 +
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
index 61d3fd65fbe9..4be4dc3e8aa6 100644
--- a/drivers/acpi/nfit/core.c
+++ b/drivers/acpi/nfit/core.c
@@ -2661,7 +2661,10 @@ static int ars_start(struct acpi_nfit_desc *acpi_desc,
 
 	if (rc < 0)
 		return rc;
-	return cmd_rc;
+	if (cmd_rc < 0)
+		return cmd_rc;
+	set_bit(ARS_VALID, &acpi_desc->scrub_flags);
+	return 0;
 }
 
 static int ars_continue(struct acpi_nfit_desc *acpi_desc)
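
Review bot: ars_start() used to return cmd_rc unchanged; it now returns 0 for any cmd_rc >= 0. If a positive cmd_rc can come back from the command, callers lose that value and ARS_VALID is set for it too, so confirm that only 0 and negative errnos are possible here, or test "cmd_rc == 0" before the set_bit().
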
@@ -2754,6 +2757,17 @@ static int ars_status_process_records(struct acpi_nfit_desc *acpi_desc)
 	 */
 	if (ars_status->out_length < 44)
 		return 0;
+
+	/*
+	 * Ignore potentially stale results that are only refreshed
+	 * after a start-ARS event.
+	 */
+	if (!test_and_clear_bit(ARS_VALID, &acpi_desc->scrub_flags)) {
+		dev_dbg(acpi_desc->dev, "skip %d stale records\n",
+				ars_status->num_records);
+		return 0;
+	}
+
 	for (i = 0; i < ars_status->num_records; i++) {
 		/* only process full records */
 		if (ars_status->out_length
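
Review bot: the stale-result gate sits after the "out_length < 44" early return in ars_status_process_records(), so a status that takes that return leaves ARS_VALID set for whatever status is processed next. If that is intended, say so in the new comment; if not, move the test_and_clear_bit() above the length check. The skip is also reported only through dev_dbg(), which makes dropped records hard to notice on a production kernel.
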
@@ -3238,6 +3252,7 @@ static int acpi_nfit_register_regions(struct acpi_nfit_desc *acpi_desc)
 	struct nfit_spa *nfit_spa;
 	int rc;
 
+	set_bit(ARS_VALID, &acpi_desc->scrub_flags);
 	list_for_each_entry(nfit_spa, &acpi_desc->spas, list) {
 		switch (nfit_spa_type(nfit_spa->spa)) {
 		case NFIT_SPA_VOLATILE:
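
Review bot: acpi_nfit_register_regions() sets ARS_VALID unconditionally before walking the SPA list, with no comment on why results are trusted at this point although the OS has not issued a start-ARS. It is the one place in this patch where the flag is set outside ars_start(), so add a line stating the assumption behind it.
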
diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h
index d14bad687fb8..0cbe5009eb2c 100644
--- a/drivers/acpi/nfit/nfit.h
+++ b/drivers/acpi/nfit/nfit.h
@@ -213,6 +213,7 @@ struct nfit_mem {
 enum scrub_flags {
 	ARS_BUSY,
 	ARS_CANCEL,
+	ARS_VALID,
 	ARS_POLL,
 };
 
-- 
2.19.1





* [PATCH 5.0 104/115] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 103/115] nfit/ars: Avoid stale ARS results Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 105/115] tpm: Fix the type of the return value in calc_tpm2_event_size() Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jarkko Sakkinen, Stefan Berger,
	Jerry Snitselaar, Sasha Levin

[ Upstream commit 442601e87a4769a8daba4976ec3afa5222ca211d ]

Return -E2BIG when the transfer is incomplete. The upper layer does
not retry, so not doing that is incorrect behaviour.

Cc: stable@vger.kernel.org
Fixes: a2871c62e186 ("tpm: Add support for Atmel I2C TPMs")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/tpm/tpm_i2c_atmel.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c
index 32a8e27c5382..cc4e642d3180 100644
--- a/drivers/char/tpm/tpm_i2c_atmel.c
+++ b/drivers/char/tpm/tpm_i2c_atmel.c
@@ -69,6 +69,10 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t len)
 	if (status < 0)
 		return status;
 
+	/* The upper layer does not support incomplete sends. */
+	if (status != len)
+		return -E2BIG;
+
 	return 0;
 }
 
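
Review bot: "status != len" in i2c_atmel_send() compares a signed value (status is tested for "< 0" just above) with the size_t len. The negative case has already returned, so the result is correct, but the mixed-sign comparison will trip -Wsign-compare; "(size_t)status != len" states the intent. The new comment could also say why -E2BIG rather than -EIO is the errno chosen for a short send.
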
-- 
2.19.1





* [PATCH 5.0 105/115] tpm: Fix the type of the return value in calc_tpm2_event_size()
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 104/115] tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 106/115] Revert "kbuild: use -Oz instead of -Os when using clang" Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jarkko Sakkinen, Yue Haibing,
	James Morris, Sasha Levin

commit b9d0a85d6b2e76630cfd4c475ee3af4109bfd87a upstream

calc_tpm2_event_size() has an invalid signature because
it returns a 'size_t' whereas its signature says that
it returns 'int'.

Cc: <stable@vger.kernel.org>
Fixes: 4d23cc323cdb ("tpm: add securityfs support for TPM 2.0 firmware event log")
Suggested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/tpm/eventlog/tpm2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c
index 1b8fa9de2cac..41b9f6c92da7 100644
--- a/drivers/char/tpm/eventlog/tpm2.c
+++ b/drivers/char/tpm/eventlog/tpm2.c
@@ -37,8 +37,8 @@
  *
  * Returns size of the event. If it is an invalid event, returns 0.
  */
-static int calc_tpm2_event_size(struct tcg_pcr_event2 *event,
-				struct tcg_pcr_event *event_header)
+static size_t calc_tpm2_event_size(struct tcg_pcr_event2 *event,
+				   struct tcg_pcr_event *event_header)
 {
 	struct tcg_efi_specid_event *efispecid;
 	struct tcg_event_field *event_field;
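
Review bot: with the return type of calc_tpm2_event_size() changed to size_t, any caller that keeps the result in an int or tests it for a negative value is outside this hunk and needs the same change. The kernel-doc above already says an invalid event returns 0, so check that every caller compares against 0 and stores the result in a size_t local.
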
-- 
2.19.1





* [PATCH 5.0 106/115] Revert "kbuild: use -Oz instead of -Os when using clang"
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 105/115] tpm: Fix the type of the return value in calc_tpm2_event_size() Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 107/115] sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra, Matthias Kaehlcke,
	Nick Desaulniers, Masahiro Yamada, Nathan Chancellor,
	Sasha Levin

commit a75bb4eb9e565b9f5115e2e8c07377ce32cbe69a upstream.

The clang option -Oz enables *aggressive* optimization for size,
which doesn't necessarily result in smaller images, but can have
negative impact on performance. Switch back to the less aggressive
-Os.

This reverts commit 6748cb3c299de1ffbe56733647b01dbcc398c419.

Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index ef192ca04330..807ae0e3ff6e 100644
--- a/Makefile
+++ b/Makefile
@@ -678,8 +678,7 @@ KBUILD_CFLAGS	+= $(call cc-disable-warning, format-overflow)
 KBUILD_CFLAGS	+= $(call cc-disable-warning, int-in-bool-context)
 
 ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
-KBUILD_CFLAGS	+= $(call cc-option,-Oz,-Os)
-KBUILD_CFLAGS	+= $(call cc-disable-warning,maybe-uninitialized,)
+KBUILD_CFLAGS	+= -Os $(call cc-disable-warning,maybe-uninitialized,)
 else
 ifdef CONFIG_PROFILE_ALL_BRANCHES
 KBUILD_CFLAGS	+= -O2 $(call cc-disable-warning,maybe-uninitialized,)
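Review bot: the changelog's reason for the new `-Os` line, that -Oz "doesn't necessarily result in smaller images" and can hurt performance, comes with no figures. A before/after image size, or a pointer to the discussion that prompted the revert, would let stable reviewers judge it. The form of the change is consistent with the `-O2` branch just below, which also carries the flag and the `maybe-uninitialized` suppression on one line.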
-- 
2.19.1





* [PATCH 5.0 107/115] sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 106/115] Revert "kbuild: use -Oz instead of -Os when using clang" Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 108/115] tpm: fix an invalid condition in tpm_common_poll Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Auld, Peter Zijlstra (Intel),
	Anton Blanchard, Ben Segall, Linus Torvalds, Thomas Gleixner,
	Ingo Molnar, Sasha Levin

[ Upstream commit 2e8e19226398db8265a8e675fcc0118b9e80c9e8 ]

With extremely short cfs_period_us setting on a parent task group with a large
number of children the for loop in sched_cfs_period_timer() can run until the
watchdog fires. There is no guarantee that the call to hrtimer_forward_now()
will ever return 0.  The large number of children can make
do_sched_cfs_period_timer() take longer than the period.

 NMI watchdog: Watchdog detected hard LOCKUP on cpu 24
 RIP: 0010:tg_nop+0x0/0x10
  <IRQ>
  walk_tg_tree_from+0x29/0xb0
  unthrottle_cfs_rq+0xe0/0x1a0
  distribute_cfs_runtime+0xd3/0xf0
  sched_cfs_period_timer+0xcb/0x160
  ? sched_cfs_slack_timer+0xd0/0xd0
  __hrtimer_run_queues+0xfb/0x270
  hrtimer_interrupt+0x122/0x270
  smp_apic_timer_interrupt+0x6a/0x140
  apic_timer_interrupt+0xf/0x20
  </IRQ>

To prevent this we add protection to the loop that detects when the loop has run
too many times and scales the period and quota up, proportionally, so that the timer
can complete before the next period expires.  This preserves the relative runtime
quota while preventing the hard lockup.

A warning is issued reporting this state and the new values.

Signed-off-by: Phil Auld <pauld@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@vger.kernel.org>
Cc: Anton Blanchard <anton@ozlabs.org>
Cc: Ben Segall <bsegall@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20190319130005.25492-1-pauld@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 5e61a1a99e38..eeb605656d59 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -4859,12 +4859,15 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer)
 	return HRTIMER_NORESTART;
 }
 
+extern const u64 max_cfs_quota_period;
+
 static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
 {
 	struct cfs_bandwidth *cfs_b =
 		container_of(timer, struct cfs_bandwidth, period_timer);
 	int overrun;
 	int idle = 0;
+	int count = 0;
 
 	raw_spin_lock(&cfs_b->lock);
 	for (;;) {
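Review bot: the `extern const u64 max_cfs_quota_period;` declaration is placed in the middle of fair.c rather than in a shared scheduler header, so nothing checks it against the definition if the type ever changes. Moving the declaration into a header that the defining file also includes would let the compiler catch a mismatch.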
@@ -4872,6 +4875,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
 		if (!overrun)
 			break;
 
+		if (++count > 3) {
+			u64 new, old = ktime_to_ns(cfs_b->period);
+
+			new = (old * 147) / 128; /* ~115% */
+			new = min(new, max_cfs_quota_period);
+
+			cfs_b->period = ns_to_ktime(new);
+
+			/* since max is 1s, this is limited to 1e9^2, which fits in u64 */
+			cfs_b->quota *= new;
+			cfs_b->quota = div64_u64(cfs_b->quota, old);
+
+			pr_warn_ratelimited(
+        "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n",
+	                        smp_processor_id(),
+	                        div_u64(new, NSEC_PER_USEC),
+                                div_u64(cfs_b->quota, NSEC_PER_USEC));
+
+			/* reset count so we don't come right back in here */
+			count = 0;
+		}
+
 		idle = do_sched_cfs_period_timer(cfs_b, overrun);
 	}
 	if (idle)
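Review bot: in the `++count > 3` block, the overflow comment only bounds `new` (clamped by `min(new, max_cfs_quota_period)`); `cfs_b->quota *= new` also needs an upper bound on `cfs_b->quota`, and none is visible here, so either state why quota cannot exceed the assumed limit or guard the multiplication. Two smaller points: once `new` has been clamped to the maximum and equals `old`, the block changes nothing yet still prints "scaling up", and the format string uses `%lld` for values produced by `div_u64()` on u64 inputs, where `%llu` would match. The continuation lines of the `pr_warn_ratelimited()` call also mix spaces and tabs.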
-- 
2.19.1





* [PATCH 5.0 108/115] tpm: fix an invalid condition in tpm_common_poll
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 107/115] sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 109/115] mt76x02: avoid status_list.lock and sta->rate_ctrl_lock dependency Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mantas Mikulėnas, Tadeusz Struk,
	Jarkko Sakkinen, James Morris, Sasha Levin

[ Upstream commit 7110629263469b4664d00b38ef80a656eddf3637 ]

The poll condition should only check response_length,
because reads should only be issued if there is data to read.
The response_read flag only prevents double writes.
The problem was that the write set the response_read to false,
enqueued a tpm job, and returned. Then the application called poll
which checked the response_read flag and returned EPOLLIN.
Then the application called read, but got nothing.
After all that the async_work kicked in.
Added also mutex_lock around the poll check to prevent
other possible race conditions.

Fixes: 9488585b21bef0df12 ("tpm: add support for partial reads")
Reported-by: Mantas Mikulėnas <grawity@gmail.com>
Tested-by: Mantas Mikulėnas <grawity@gmail.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/tpm/tpm-dev-common.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
index 5eecad233ea1..744b0237300a 100644
--- a/drivers/char/tpm/tpm-dev-common.c
+++ b/drivers/char/tpm/tpm-dev-common.c
@@ -203,12 +203,19 @@ __poll_t tpm_common_poll(struct file *file, poll_table *wait)
 	__poll_t mask = 0;
 
 	poll_wait(file, &priv->async_wait, wait);
+	mutex_lock(&priv->buffer_mutex);
 
-	if (!priv->response_read || priv->response_length)
+	/*
+	 * The response_length indicates if there is still response
+	 * (or part of it) to be consumed. Partial reads decrease it
+	 * by the number of bytes read, and write resets it the zero.
+	 */
+	if (priv->response_length)
 		mask = EPOLLIN | EPOLLRDNORM;
 	else
 		mask = EPOLLOUT | EPOLLWRNORM;
 
+	mutex_unlock(&priv->buffer_mutex);
 	return mask;
 }
 
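Review bot: with the test reduced to `priv->response_length`, the `else` branch reports `EPOLLOUT | EPOLLWRNORM` during the window the changelog describes, after a write has queued the job and before the async work has produced a response, even though `response_read` exists to prevent a second write in that state. If a write in that window is refused, poll should not advertise writability; if it is accepted, the comment should say why that is safe. The new comment also has a typo: "resets it the zero" should read "resets it to zero".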
-- 
2.19.1





* [PATCH 5.0 109/115] mt76x02: avoid status_list.lock and sta->rate_ctrl_lock dependency
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 108/115] tpm: fix an invalid condition in tpm_common_poll Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 110/115] device_cgroup: fix RCU imbalance in error case Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka, Felix Fietkau, Kalle Valo

From: Stanislaw Gruszka <sgruszka@redhat.com>

commit bafdf85dfa59374f927ff597bc8c259193afda30 upstream.

Move ieee80211_tx_status_ext() outside of status_list lock section
in order to avoid locking dependency and possible deadlock reported by
LOCKDEP in below warning.

Also do mt76_tx_status_lock() just before it's needed.

[  440.224832] WARNING: possible circular locking dependency detected
[  440.224833] 5.1.0-rc2+ #22 Not tainted
[  440.224834] ------------------------------------------------------
[  440.224835] kworker/u16:28/2362 is trying to acquire lock:
[  440.224836] 0000000089b8cacf (&(&q->lock)->rlock#2){+.-.}, at: mt76_wake_tx_queue+0x4c/0xb0 [mt76]
[  440.224842]
               but task is already holding lock:
[  440.224842] 000000002cfedc59 (&(&sta->lock)->rlock){+.-.}, at: ieee80211_stop_tx_ba_cb+0x32/0x1f0 [mac80211]
[  440.224863]
               which lock already depends on the new lock.

[  440.224863]
               the existing dependency chain (in reverse order) is:
[  440.224864]
               -> #3 (&(&sta->lock)->rlock){+.-.}:
[  440.224869]        _raw_spin_lock_bh+0x34/0x40
[  440.224880]        ieee80211_start_tx_ba_session+0xe4/0x3d0 [mac80211]
[  440.224894]        minstrel_ht_get_rate+0x45c/0x510 [mac80211]
[  440.224906]        rate_control_get_rate+0xc1/0x140 [mac80211]
[  440.224918]        ieee80211_tx_h_rate_ctrl+0x195/0x3c0 [mac80211]
[  440.224930]        ieee80211_xmit_fast+0x26d/0xa50 [mac80211]
[  440.224942]        __ieee80211_subif_start_xmit+0xfc/0x310 [mac80211]
[  440.224954]        ieee80211_subif_start_xmit+0x38/0x390 [mac80211]
[  440.224956]        dev_hard_start_xmit+0xb8/0x300
[  440.224957]        __dev_queue_xmit+0x7d4/0xbb0
[  440.224968]        ip6_finish_output2+0x246/0x860 [ipv6]
[  440.224978]        mld_sendpack+0x1bd/0x360 [ipv6]
[  440.224987]        mld_ifc_timer_expire+0x1a4/0x2f0 [ipv6]
[  440.224989]        call_timer_fn+0x89/0x2a0
[  440.224990]        run_timer_softirq+0x1bd/0x4d0
[  440.224992]        __do_softirq+0xdb/0x47c
[  440.224994]        irq_exit+0xfa/0x100
[  440.224996]        smp_apic_timer_interrupt+0x9a/0x220
[  440.224997]        apic_timer_interrupt+0xf/0x20
[  440.224999]        cpuidle_enter_state+0xc1/0x470
[  440.225000]        do_idle+0x21a/0x260
[  440.225001]        cpu_startup_entry+0x19/0x20
[  440.225004]        start_secondary+0x135/0x170
[  440.225006]        secondary_startup_64+0xa4/0xb0
[  440.225007]
               -> #2 (&(&sta->rate_ctrl_lock)->rlock){+.-.}:
[  440.225009]        _raw_spin_lock_bh+0x34/0x40
[  440.225022]        rate_control_tx_status+0x4f/0xb0 [mac80211]
[  440.225031]        ieee80211_tx_status_ext+0x142/0x1a0 [mac80211]
[  440.225035]        mt76x02_send_tx_status+0x2e4/0x340 [mt76x02_lib]
[  440.225037]        mt76x02_tx_status_data+0x31/0x40 [mt76x02_lib]
[  440.225040]        mt76u_tx_status_data+0x51/0xa0 [mt76_usb]
[  440.225042]        process_one_work+0x237/0x5d0
[  440.225043]        worker_thread+0x3c/0x390
[  440.225045]        kthread+0x11d/0x140
[  440.225046]        ret_from_fork+0x3a/0x50
[  440.225047]
               -> #1 (&(&list->lock)->rlock#8){+.-.}:
[  440.225049]        _raw_spin_lock_bh+0x34/0x40
[  440.225052]        mt76_tx_status_skb_add+0x51/0x100 [mt76]
[  440.225054]        mt76x02u_tx_prepare_skb+0xbd/0x116 [mt76x02_usb]
[  440.225056]        mt76u_tx_queue_skb+0x5f/0x180 [mt76_usb]
[  440.225058]        mt76_tx+0x93/0x190 [mt76]
[  440.225070]        ieee80211_tx_frags+0x148/0x210 [mac80211]
[  440.225081]        __ieee80211_tx+0x75/0x1b0 [mac80211]
[  440.225092]        ieee80211_tx+0xde/0x110 [mac80211]
[  440.225105]        __ieee80211_tx_skb_tid_band+0x72/0x90 [mac80211]
[  440.225122]        ieee80211_send_auth+0x1f3/0x360 [mac80211]
[  440.225141]        ieee80211_auth.cold.40+0x6c/0x100 [mac80211]
[  440.225156]        ieee80211_mgd_auth.cold.50+0x132/0x15f [mac80211]
[  440.225171]        cfg80211_mlme_auth+0x149/0x360 [cfg80211]
[  440.225181]        nl80211_authenticate+0x273/0x2e0 [cfg80211]
[  440.225183]        genl_family_rcv_msg+0x196/0x3a0
[  440.225184]        genl_rcv_msg+0x47/0x8e
[  440.225185]        netlink_rcv_skb+0x3a/0xf0
[  440.225187]        genl_rcv+0x24/0x40
[  440.225188]        netlink_unicast+0x16d/0x210
[  440.225189]        netlink_sendmsg+0x204/0x3b0
[  440.225191]        sock_sendmsg+0x36/0x40
[  440.225193]        ___sys_sendmsg+0x259/0x2b0
[  440.225194]        __sys_sendmsg+0x47/0x80
[  440.225196]        do_syscall_64+0x60/0x1f0
[  440.225197]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  440.225198]
               -> #0 (&(&q->lock)->rlock#2){+.-.}:
[  440.225200]        lock_acquire+0xb9/0x1a0
[  440.225202]        _raw_spin_lock_bh+0x34/0x40
[  440.225204]        mt76_wake_tx_queue+0x4c/0xb0 [mt76]
[  440.225215]        ieee80211_agg_start_txq+0xe8/0x2b0 [mac80211]
[  440.225225]        ieee80211_stop_tx_ba_cb+0xb8/0x1f0 [mac80211]
[  440.225235]        ieee80211_ba_session_work+0x1c1/0x2f0 [mac80211]
[  440.225236]        process_one_work+0x237/0x5d0
[  440.225237]        worker_thread+0x3c/0x390
[  440.225239]        kthread+0x11d/0x140
[  440.225240]        ret_from_fork+0x3a/0x50
[  440.225240]
               other info that might help us debug this:

[  440.225241] Chain exists of:
                 &(&q->lock)->rlock#2 --> &(&sta->rate_ctrl_lock)->rlock --> &(&sta->lock)->rlock

[  440.225243]  Possible unsafe locking scenario:

[  440.225244]        CPU0                    CPU1
[  440.225244]        ----                    ----
[  440.225245]   lock(&(&sta->lock)->rlock);
[  440.225245]                                lock(&(&sta->rate_ctrl_lock)->rlock);
[  440.225246]                                lock(&(&sta->lock)->rlock);
[  440.225247]   lock(&(&q->lock)->rlock#2);
[  440.225248]
                *** DEADLOCK ***

[  440.225249] 5 locks held by kworker/u16:28/2362:
[  440.225250]  #0: 0000000048fcd291 ((wq_completion)phy0){+.+.}, at: process_one_work+0x1b5/0x5d0
[  440.225252]  #1: 00000000f1c6828f ((work_completion)(&sta->ampdu_mlme.work)){+.+.}, at: process_one_work+0x1b5/0x5d0
[  440.225254]  #2: 00000000433d2b2c (&sta->ampdu_mlme.mtx){+.+.}, at: ieee80211_ba_session_work+0x5c/0x2f0 [mac80211]
[  440.225265]  #3: 000000002cfedc59 (&(&sta->lock)->rlock){+.-.}, at: ieee80211_stop_tx_ba_cb+0x32/0x1f0 [mac80211]
[  440.225276]  #4: 000000009d7b9a44 (rcu_read_lock){....}, at: ieee80211_agg_start_txq+0x33/0x2b0 [mac80211]
[  440.225286]
               stack backtrace:
[  440.225288] CPU: 2 PID: 2362 Comm: kworker/u16:28 Not tainted 5.1.0-rc2+ #22
[  440.225289] Hardware name: LENOVO 20KGS23S0P/20KGS23S0P, BIOS N23ET55W (1.30 ) 08/31/2018
[  440.225300] Workqueue: phy0 ieee80211_ba_session_work [mac80211]
[  440.225301] Call Trace:
[  440.225304]  dump_stack+0x85/0xc0
[  440.225306]  print_circular_bug.isra.38.cold.58+0x15c/0x195
[  440.225307]  check_prev_add.constprop.48+0x5f0/0xc00
[  440.225309]  ? check_prev_add.constprop.48+0x39d/0xc00
[  440.225311]  ? __lock_acquire+0x41d/0x1100
[  440.225312]  __lock_acquire+0xd98/0x1100
[  440.225313]  ? __lock_acquire+0x41d/0x1100
[  440.225315]  lock_acquire+0xb9/0x1a0
[  440.225317]  ? mt76_wake_tx_queue+0x4c/0xb0 [mt76]
[  440.225319]  _raw_spin_lock_bh+0x34/0x40
[  440.225321]  ? mt76_wake_tx_queue+0x4c/0xb0 [mt76]
[  440.225323]  mt76_wake_tx_queue+0x4c/0xb0 [mt76]
[  440.225334]  ieee80211_agg_start_txq+0xe8/0x2b0 [mac80211]
[  440.225344]  ieee80211_stop_tx_ba_cb+0xb8/0x1f0 [mac80211]
[  440.225354]  ieee80211_ba_session_work+0x1c1/0x2f0 [mac80211]
[  440.225356]  process_one_work+0x237/0x5d0
[  440.225358]  worker_thread+0x3c/0x390
[  440.225359]  ? wq_calc_node_cpumask+0x70/0x70
[  440.225360]  kthread+0x11d/0x140
[  440.225362]  ? kthread_create_on_node+0x40/0x40
[  440.225363]  ret_from_fork+0x3a/0x50

Cc: stable@vger.kernel.org
Fixes: 88046b2c9f6d ("mt76: add support for reporting tx status with skb")
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/mediatek/mt76/mt76x02_mac.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
@@ -421,7 +421,6 @@ void mt76x02_send_tx_status(struct mt76x
 		return;
 
 	rcu_read_lock();
-	mt76_tx_status_lock(mdev, &list);
 
 	if (stat->wcid < ARRAY_SIZE(dev->mt76.wcid))
 		wcid = rcu_dereference(dev->mt76.wcid[stat->wcid]);
@@ -434,6 +433,8 @@ void mt76x02_send_tx_status(struct mt76x
 					  drv_priv);
 	}
 
+	mt76_tx_status_lock(mdev, &list);
+
 	if (wcid) {
 		if (stat->pktid)
 			status.skb = mt76_tx_status_skb_get(mdev, wcid,
@@ -453,7 +454,9 @@ void mt76x02_send_tx_status(struct mt76x
 		if (*update == 0 && stat_val == stat_cache &&
 		    stat->wcid == msta->status.wcid && msta->n_frames < 32) {
 			msta->n_frames++;
-			goto out;
+			mt76_tx_status_unlock(mdev, &list);
+			rcu_read_unlock();
+			return;
 		}
 
 		mt76x02_mac_fill_tx_status(dev, status.info, &msta->status,
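Review bot: the early exit in the `msta->n_frames < 32` branch now open-codes `mt76_tx_status_unlock()` plus `rcu_read_unlock()` before `return`, duplicating the unlock sequence at the end of the function. A comment tying the two exits together, or a small helper that releases both, would keep them in sync if the locking changes again.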
@@ -469,11 +472,10 @@ void mt76x02_send_tx_status(struct mt76x
 
 	if (status.skb)
 		mt76_tx_status_skb_done(mdev, status.skb, &list);
-	else
-		ieee80211_tx_status_ext(mt76_hw(dev), &status);
-
-out:
 	mt76_tx_status_unlock(mdev, &list);
+
+	if (!status.skb)
+		ieee80211_tx_status_ext(mt76_hw(dev), &status);
 	rcu_read_unlock();
 }
 
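Review bot: `ieee80211_tx_status_ext()` now runs after `mt76_tx_status_unlock()`, which is the point of the fix, but nothing in the code records why. A one-line comment above `if (!status.skb)` naming the status_list lock versus rate_ctrl_lock ordering from the lockdep report would stop a later cleanup from folding the call back under the lock.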




* [PATCH 5.0 110/115] device_cgroup: fix RCU imbalance in error case
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 109/115] mt76x02: avoid status_list.lock and sta->rate_ctrl_lock dependency Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 111/115] perf/ring_buffer: Fix AUX record suppression Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, Michal Hocko, Tejun Heo

From: Jann Horn <jannh@google.com>

commit 0fcc4c8c044e117ac126ab6df4138ea9a67fa2a9 upstream.

When dev_exception_add() returns an error (due to a failed memory
allocation), make sure that we move the RCU preemption count back to where
it was before we were called. We dropped the RCU read lock inside the loop
body, so we can't just "break".

sparse complains about this, too:

$ make -s C=2 security/device_cgroup.o
./include/linux/rcupdate.h:647:9: warning: context imbalance in
'propagate_exception' - unexpected unlock

Fixes: d591fb56618f ("device_cgroup: simplify cgroup tree walk in propagate_exception()")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/device_cgroup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -560,7 +560,7 @@ static int propagate_exception(struct de
 		    devcg->behavior == DEVCG_DEFAULT_ALLOW) {
 			rc = dev_exception_add(devcg, ex);
 			if (rc)
-				break;
+				return rc;
 		} else {
 			/*
 			 * in the other possible cases:
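Review bot: `return rc;` in the `dev_exception_add()` failure path is correct only because the RCU read lock has already been dropped inside the loop body, as the changelog explains, and that is not apparent at this line. A brief comment here would keep someone from converting it back to `break`.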




* [PATCH 5.0 111/115] perf/ring_buffer: Fix AUX record suppression
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 110/115] device_cgroup: fix RCU imbalance in error case Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 112/115] mm/memory_hotplug: do not unlock after failing to take the device_hotplug_lock Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Gainey, Alexander Shishkin,
	Peter Zijlstra (Intel),
	Arnaldo Carvalho de Melo, Jiri Olsa, Linus Torvalds,
	Stephane Eranian, Thomas Gleixner, Vince Weaver, Ingo Molnar

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 339bc4183596e1f68c2c98a03b87aa124107c317 upstream.

The following commit:

  1627314fb54a33e ("perf: Suppress AUX/OVERWRITE records")

has an unintended side-effect of also suppressing all AUX records with no flags
and non-zero size, so all the regular records in the full trace mode.
This breaks some use cases for people.

Fix this by restoring "regular" AUX records.

Reported-by: Ben Gainey <Ben.Gainey@arm.com>
Tested-by: Ben Gainey <Ben.Gainey@arm.com>
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <stable@vger.kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 1627314fb54a33e ("perf: Suppress AUX/OVERWRITE records")
Link: https://lkml.kernel.org/r/20190329091338.29999-1-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/events/ring_buffer.c |   33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)

--- a/kernel/events/ring_buffer.c
+++ b/kernel/events/ring_buffer.c
@@ -456,24 +456,21 @@ void perf_aux_output_end(struct perf_out
 		rb->aux_head += size;
 	}
 
-	if (size || handle->aux_flags) {
-		/*
-		 * Only send RECORD_AUX if we have something useful to communicate
-		 *
-		 * Note: the OVERWRITE records by themselves are not considered
-		 * useful, as they don't communicate any *new* information,
-		 * aside from the short-lived offset, that becomes history at
-		 * the next event sched-in and therefore isn't useful.
-		 * The userspace that needs to copy out AUX data in overwrite
-		 * mode should know to use user_page::aux_head for the actual
-		 * offset. So, from now on we don't output AUX records that
-		 * have *only* OVERWRITE flag set.
-		 */
-
-		if (handle->aux_flags & ~(u64)PERF_AUX_FLAG_OVERWRITE)
-			perf_event_aux_event(handle->event, aux_head, size,
-			                     handle->aux_flags);
-	}
+	/*
+	 * Only send RECORD_AUX if we have something useful to communicate
+	 *
+	 * Note: the OVERWRITE records by themselves are not considered
+	 * useful, as they don't communicate any *new* information,
+	 * aside from the short-lived offset, that becomes history at
+	 * the next event sched-in and therefore isn't useful.
+	 * The userspace that needs to copy out AUX data in overwrite
+	 * mode should know to use user_page::aux_head for the actual
+	 * offset. So, from now on we don't output AUX records that
+	 * have *only* OVERWRITE flag set.
+	 */
+	if (size || (handle->aux_flags & ~(u64)PERF_AUX_FLAG_OVERWRITE))
+		perf_event_aux_event(handle->event, aux_head, size,
+				     handle->aux_flags);
 
 	rb->user_page->aux_head = rb->aux_head;
 	if (rb_need_aux_wakeup(rb))
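Review bot: the retained comment still ends with "we don't output AUX records that have *only* OVERWRITE flag set", but the new condition `size || (handle->aux_flags & ~(u64)PERF_AUX_FLAG_OVERWRITE)` does emit such a record whenever `size` is non-zero. Reword the comment to say that OVERWRITE-only records are suppressed only when they carry no data, so the text matches the test.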




* [PATCH 5.0 112/115] mm/memory_hotplug: do not unlock after failing to take the device_hotplug_lock
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 111/115] perf/ring_buffer: Fix AUX record suppression Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 113/115] mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zhong jiang, Yang yingliang,
	Michal Hocko, David Hildenbrand, Oscar Salvador, Andrew Morton,
	Linus Torvalds

From: zhong jiang <zhongjiang@huawei.com>

commit 37803841c92d7b327147e0b1be3436423189e1cf upstream.

When adding memory by probing a memory block in the sysfs interface,
there is an obvious issue where we will unlock the device_hotplug_lock
when we failed to take it.

That issue was introduced in 8df1d0e4a265 ("mm/memory_hotplug: make
add_memory() take the device_hotplug_lock").

We should drop out in time when failing to take the device_hotplug_lock.

Link: http://lkml.kernel.org/r/1554696437-9593-1-git-send-email-zhongjiang@huawei.com
Fixes: 8df1d0e4a265 ("mm/memory_hotplug: make add_memory() take the device_hotplug_lock")
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Reported-by: Yang yingliang <yangyingliang@huawei.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/base/memory.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -505,7 +505,7 @@ static ssize_t probe_store(struct device
 
 	ret = lock_device_hotplug_sysfs();
 	if (ret)
-		goto out;
+		return ret;
 
 	nid = memory_add_physaddr_to_nid(phys_addr);
 	ret = __add_memory(nid, phys_addr,
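Review bot: after this change the `lock_device_hotplug_sysfs()` failure path returns directly while the label it used to jump to is named only `out`, which does not say that it unlocks. If other paths in `probe_store()` still use that label, renaming it to something like `out_unlock` (a suggestion, not part of the patch) would make it obvious which exits are allowed to use it.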




* [PATCH 5.0 113/115] mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 112/115] mm/memory_hotplug: do not unlock after failing to take the device_hotplug_lock Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 114/115] ALSA: info: Fix racy addition/deletion of nodes Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov,
	Vlastimil Babka, Roman Gushchin, Jann Horn, Andrew Morton,
	Linus Torvalds

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit e8277b3b52240ec1caad8e6df278863e4bf42eac upstream.

Commit 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
depends on skipping vmstat entries with empty name introduced in
7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in
/proc/vmstat") but reverted in b29940c1abd7 ("mm: rename and change
semantics of nr_indirectly_reclaimable_bytes").

So skipping no longer works and /proc/vmstat has misformatted lines " 0".

This patch simply shows debug counters "nr_tlb_remote_*" for UP.

Link: http://lkml.kernel.org/r/155481488468.467.4295519102880913454.stgit@buzz
Fixes: 58bc4c34d249 ("mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Roman Gushchin <guro@fb.com>
Cc: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/vmstat.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -1274,13 +1274,8 @@ const char * const vmstat_text[] = {
 #endif
 #endif /* CONFIG_MEMORY_BALLOON */
 #ifdef CONFIG_DEBUG_TLBFLUSH
-#ifdef CONFIG_SMP
 	"nr_tlb_remote_flush",
 	"nr_tlb_remote_flush_received",
-#else
-	"", /* nr_tlb_remote_flush */
-	"", /* nr_tlb_remote_flush_received */
-#endif /* CONFIG_SMP */
 	"nr_tlb_local_flush_all",
 	"nr_tlb_local_flush_one",
 #endif /* CONFIG_DEBUG_TLBFLUSH */
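Review bot: with the `#ifdef CONFIG_SMP` block removed, `nr_tlb_remote_flush` and `nr_tlb_remote_flush_received` are listed in /proc/vmstat on UP builds too, where the deleted `""` placeholders show the two slots were being kept only for position. A short comment that these names are unconditional on purpose, because every slot needs a non-empty name, would document the constraint that the commit named in Fixes: ran into.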




* [PATCH 5.0 114/115] ALSA: info: Fix racy addition/deletion of nodes
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 113/115] mm/vmstat.c: fix /proc/vmstat format for CONFIG_DEBUG_TLBFLUSH=y CONFIG_SMP=n Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-24 17:10 ` [PATCH 5.0 115/115] percpu: stop printing kernel addresses Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+48df349490c36f9f54ab, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 8c2f870890fd28e023b0fcf49dcee333f2c8bad7 upstream.

The ALSA proc helper manages the child nodes in a linked list, but its
addition and deletion is done without any lock.  This leads to a
corruption if they are operated concurrently.  Usually this isn't a
problem because the proc entries are added sequentially in the driver
probe procedure itself.  But the card registrations are done often
asynchronously, and the crash could be actually reproduced with
syzkaller.

This patch papers over it by protecting the link addition and deletion
with the parent's mutex.  There is "access" mutex that is used for the
file access, and this can be reused for this purpose as well.

Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/info.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/sound/core/info.c
+++ b/sound/core/info.c
@@ -722,8 +722,11 @@ snd_info_create_entry(const char *name,
 	INIT_LIST_HEAD(&entry->children);
 	INIT_LIST_HEAD(&entry->list);
 	entry->parent = parent;
-	if (parent)
+	if (parent) {
+		mutex_lock(&parent->access);
 		list_add_tail(&entry->list, &parent->children);
+		mutex_unlock(&parent->access);
+	}
 	return entry;
 }
 
@@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info
 	list_for_each_entry_safe(p, n, &entry->children, list)
 		snd_info_free_entry(p);
 
-	list_del(&entry->list);
+	p = entry->parent;
+	if (p) {
+		mutex_lock(&p->access);
+		list_del(&entry->list);
+		mutex_unlock(&p->access);
+	}
 	kfree(entry->name);
 	if (entry->private_free)
 		entry->private_free(entry);
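Review bot: only the `list_del()` is covered by the parent's `access` mutex; the `list_for_each_entry_safe()` walk over `entry->children` just above still runs without `entry->access` held, so a concurrent `snd_info_create_entry()` adding a child to this entry can race with the walk. The changelog says the patch papers over the problem, so a comment stating which callers are expected to serialize that case would help. Reusing the loop cursor `p` for the parent pointer also hurts readability; a separate variable for the parent would be clearer.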




* [PATCH 5.0 115/115] percpu: stop printing kernel addresses
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 114/115] ALSA: info: Fix racy addition/deletion of nodes Greg Kroah-Hartman
@ 2019-04-24 17:10 ` Greg Kroah-Hartman
  2019-04-25  5:25 ` [PATCH 5.0 000/115] 5.0.10-stable review Naresh Kamboju
                   ` (3 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-24 17:10 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Matteo Croce, Dennis Zhou

From: Matteo Croce <mcroce@redhat.com>

commit 00206a69ee32f03e6f40837684dcbe475ea02266 upstream.

Since commit ad67b74d2469d9b8 ("printk: hash addresses printed with %p"),
at boot "____ptrval____" is printed instead of actual addresses:

    percpu: Embedded 38 pages/cpu @(____ptrval____) s124376 r0 d31272 u524288

Instead of changing the print to "%px", and leaking kernel addresses,
just remove the print completely, cfr. e.g. commit 071929dbdd865f77
("arm64: Stop printing the virtual memory layout").

Signed-off-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Dennis Zhou <dennis@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/percpu.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/mm/percpu.c
+++ b/mm/percpu.c
@@ -2531,8 +2531,8 @@ int __init pcpu_embed_first_chunk(size_t
 		ai->groups[group].base_offset = areas[group] - base;
 	}
 
-	pr_info("Embedded %zu pages/cpu @%p s%zu r%zu d%zu u%zu\n",
-		PFN_DOWN(size_sum), base, ai->static_size, ai->reserved_size,
+	pr_info("Embedded %zu pages/cpu s%zu r%zu d%zu u%zu\n",
+		PFN_DOWN(size_sum), ai->static_size, ai->reserved_size,
 		ai->dyn_size, ai->unit_size);
 
 	rc = pcpu_setup_first_chunk(ai, base);
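Review bot: Dropping the `@%p` field changes the layout of the "Embedded ... pages/cpu" boot line, so every field after `pages/cpu` moves up by one position; the changelog should say so explicitly for anyone matching this line in dmesg. The conversions and arguments stay in step (five %zu, five arguments), and `base` is still consumed by pcpu_setup_first_chunk(ai, base) below, so no unused variable results.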
@@ -2653,8 +2653,8 @@ int __init pcpu_page_first_chunk(size_t
 	}
 
 	/* we're ready, commit */
-	pr_info("%d %s pages/cpu @%p s%zu r%zu d%zu\n",
-		unit_pages, psize_str, vm.addr, ai->static_size,
+	pr_info("%d %s pages/cpu s%zu r%zu d%zu\n",
+		unit_pages, psize_str, ai->static_size,
 		ai->reserved_size, ai->dyn_size);
 
 	rc = pcpu_setup_first_chunk(ai, vm.addr);
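Review bot: The commit message quotes only the "Embedded" line as affected output, but this second pr_info() in pcpu_page_first_chunk() printed vm.addr through `%p` as well; the changelog should mention both call sites so the change to this message is not a surprise. The remaining conversions (%d, %s, three %zu) match the five arguments left, and vm.addr is still passed to pcpu_setup_first_chunk().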




* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2019-04-24 17:10 ` [PATCH 5.0 115/115] percpu: stop printing kernel addresses Greg Kroah-Hartman
@ 2019-04-25  5:25 ` Naresh Kamboju
  2019-04-25  7:18   ` Greg Kroah-Hartman
  2019-04-25 11:56   ` Jon Hunter
                   ` (2 subsequent siblings)
  118 siblings, 1 reply; 126+ messages in thread
From: Naresh Kamboju @ 2019-04-25  5:25 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Wed, 24 Apr 2019 at 23:04, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.0.10 release.
> There are 115 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.10-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 5.0.10-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.0.y
git commit: 058cd3811b12d43363fbf20f6c7963e67b4802c6
git describe: v5.0.9-116-g058cd3811b12
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-5.0-oe/build/v5.0.9-116-g058cd3811b12

No regressions (compared to build v5.0.9)

No fixes (compared to build v5.0.9)

Ran 25039 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86

Test Suites
-----------
* install-android-platform-tools-r2600
* kselftest
* libgpiod
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* kvm-unit-tests
* ltp-dio-tests
* ltp-fs-tests
* ltp-open-posix-tests
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-25  5:25 ` [PATCH 5.0 000/115] 5.0.10-stable review Naresh Kamboju
@ 2019-04-25  7:18   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-25  7:18 UTC (permalink / raw)
  To: Naresh Kamboju
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable

On Thu, Apr 25, 2019 at 10:55:54AM +0530, Naresh Kamboju wrote:
> On Wed, 24 Apr 2019 at 23:04, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 5.0.10 release.
> > There are 115 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> >         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.10-rc1.gz
> > or in the git tree and branch at:
> >         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> 
> Results from Linaro’s test farm.
> No regressions on arm64, arm, x86_64, and i386.

Thanks for testing 4 of these and letting me know.

greg k-h


* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
@ 2019-04-25 11:56   ` Jon Hunter
  2019-04-24 17:08 ` [PATCH 5.0 002/115] failover: allow name change on IFF_UP slave interfaces Greg Kroah-Hartman
                     ` (117 subsequent siblings)
  118 siblings, 0 replies; 126+ messages in thread
From: Jon Hunter @ 2019-04-25 11:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 24/04/2019 18:08, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.0.10 release.
> There are 115 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.10-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h


All tests are passing for Tegra ...

Test results for stable-v5.0:
    12 builds:	12 pass, 0 fail
    22 boots:	22 pass, 0 fail
    32 tests:	32 pass, 0 fail

Linux version:	5.0.10-rc2-ge428bc9
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana, tegra210,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic


* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-25 11:56   ` Jon Hunter
  (?)
@ 2019-04-25 14:29   ` Greg Kroah-Hartman
  -1 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-25 14:29 UTC (permalink / raw)
  To: Jon Hunter
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable, linux-tegra

On Thu, Apr 25, 2019 at 12:56:11PM +0100, Jon Hunter wrote:
> 
> On 24/04/2019 18:08, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.0.10 release.
> > There are 115 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.10-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> 
> 
> All tests are passing for Tegra ...
> 
> Test results for stable-v5.0:
>     12 builds:	12 pass, 0 fail
>     22 boots:	22 pass, 0 fail
>     32 tests:	32 pass, 0 fail
> 
> Linux version:	5.0.10-rc2-ge428bc9
> Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
>                 tegra194-p2972-0000, tegra20-ventana, tegra210,
>                 tegra210-p2371-2180, tegra30-cardhu-a04

Wonderful, thanks for testing 5 of these and letting me know.

greg k-h


* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2019-04-25 11:56   ` Jon Hunter
@ 2019-04-25 16:23 ` shuah
  2019-04-25 17:08   ` Greg Kroah-Hartman
  2019-04-25 19:39 ` Guenter Roeck
  118 siblings, 1 reply; 126+ messages in thread
From: shuah @ 2019-04-25 16:23 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 4/24/19 11:08 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.0.10 release.
> There are 115 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.10-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-25 16:23 ` shuah
@ 2019-04-25 17:08   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-25 17:08 UTC (permalink / raw)
  To: shuah
  Cc: linux-kernel, torvalds, akpm, linux, patches, ben.hutchings,
	lkft-triage, stable

On Thu, Apr 25, 2019 at 10:23:57AM -0600, shuah wrote:
> On 4/24/19 11:08 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.0.10 release.
> > There are 115 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.10-rc1.gz
> > or in the git tree and branch at:
> > 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.0.y
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Great!  Thanks for testing all 6 of these and letting me know.

greg k-h


* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-24 17:08 [PATCH 5.0 000/115] 5.0.10-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2019-04-25 16:23 ` shuah
@ 2019-04-25 19:39 ` Guenter Roeck
  2019-04-27  6:49   ` Greg Kroah-Hartman
  118 siblings, 1 reply; 126+ messages in thread
From: Guenter Roeck @ 2019-04-25 19:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Wed, Apr 24, 2019 at 07:08:56PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.0.10 release.
> There are 115 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> Anything received after that time might be too late.
> 

For v5.0.9-117-ge428bc9cd366:

Build results:
	total: 159 pass: 159 fail: 0
Qemu test results:
	total: 349 pass: 349 fail: 0

Guenter


* Re: [PATCH 5.0 000/115] 5.0.10-stable review
  2019-04-25 19:39 ` Guenter Roeck
@ 2019-04-27  6:49   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 126+ messages in thread
From: Greg Kroah-Hartman @ 2019-04-27  6:49 UTC (permalink / raw)
  To: Guenter Roeck
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Thu, Apr 25, 2019 at 12:39:36PM -0700, Guenter Roeck wrote:
> On Wed, Apr 24, 2019 at 07:08:56PM +0200, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.0.10 release.
> > There are 115 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri 26 Apr 2019 05:07:37 PM UTC.
> > Anything received after that time might be too late.
> > 
> 
> For v5.0.9-117-ge428bc9cd366:
> 
> Build results:
> 	total: 159 pass: 159 fail: 0
> Qemu test results:
> 	total: 349 pass: 349 fail: 0

Wonderful, many thanks for testing all of these and letting me know.

greg k-h

