All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 3.16 00/63] 3.16.81-rc1 review
@ 2020-01-08 19:42 Ben Hutchings
  2020-01-08 19:42 ` [PATCH 3.16 01/63] net: qlogic: Fix memory leak in ql_alloc_large_buffers Ben Hutchings
                   ` (63 more replies)
  0 siblings, 64 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm, Denis Kirjanov

This is the start of the stable review cycle for the 3.16.81 release.
There are 63 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Fri Jan 10 20:00:00 UTC 2020.
Anything received after that time might be too late.

All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.

Ben.

-------------

Adrian Bunk (1):
      mwifiex: Fix NL80211_TX_POWER_LIMITED
         [65a576e27309120e0621f54d5c81eb9128bd56be]

Amitkumar Karwar (1):
      mwifiex: don't follow AP if country code received from EEPROM
         [947d315257f9b25b0e24f5706f8184b3b00774d4]

Andreas Ziegler (1):
      tracing/uprobes: Fix output for multiple string arguments
         [0722069a5374b904ec1a67f91249f90e1cfae259]

Ard Biesheuvel (1):
      arm64/kernel: fix incorrect EL0 check in inv_entry macro
         [b660950c60a7278f9d8deb7c32a162031207c758]

Arnd Bergmann (1):
      ARM: 8458/1: bL_switcher: add GIC dependency
         [6c044fecdf78be3fda159a5036bb33700cdd5e59]

Baolin Wang (1):
      usb: gadget: Add the gserial port checking in gs_start_tx()
         [511a36d2f357724312bb3776d2f6eed3890928b2]

Ben Hutchings (3):
      Revert "sched/fair: Fix bandwidth timer clock drift condition"
         [not upstream; upstream fix is unsuitable for stable]
      ext4: Introduce ext4_clamp_want_extra_isize()
         [7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7]
      net: qlogic: Fix error paths in ql_alloc_large_buffers()
         [cad46039e4c99812db067c8ac22a864960e7acc4]

Bhadram Varka (1):
      stmmac: copy unicast mac address to MAC registers
         [a830405ee452ddc4101c3c9334e6fedd42c6b357]

Chaotian Jing (1):
      mmc: mmc: fix switch timeout issue caused by jiffies precision
         [987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1]

Christoffer Dall (1):
      video: fbdev: Set pixclock = 0 in goldfishfb
         [ace6033ec5c356615eaa3582fb1946e9eaff6662]

Christoph Hellwig (1):
      suspend: simplify block I/O handling
         [343df3c79c62b644ce6ff5dff96c9e0be1ecb242]

Chuanxiao Dong (1):
      mmc: debugfs: Add a restriction to mmc debugfs clock setting
         [e5905ff1281f0a0f5c9863c430ac1ed5faaf5707]

Colin Cross (1):
      mmc: block: Allow more than 8 partitions per card
         [382c55f88ffeb218c446bf0c46d0fc25d2795fe2]

Dmitry Vyukov (1):
      locking/x86: Remove the unused atomic_inc_short() methd
         [31b35f6b4d5285a311e10753f4eb17304326b211]

Dong Aisheng (1):
      mmc: core: fix using wrong io voltage if mmc_select_hs200 fails
         [e51534c806609c806d81bfb034f02737461f855c]

Eric Biggers (2):
      arm64: support keyctl() system call in 32-bit mode
         [5c2a625937ba49bc691089370638223d310cda9a]
      crypto: cts - fix crash on short inputs
         [not upstream; issue was fixed by large refactoring]

Eric Dumazet (2):
      net: diag: support v4mapped sockets in inet_diag_find_one_icsk()
         [7c1306723ee916ea9f1fa7d9e4c7a6d029ca7aaf]
      tcp/dccp: drop SYN packets if accept queue is full
         [5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071]

Ezequiel Garcia (1):
      arm64: kconfig: drop CONFIG_RTC_LIB dependency
         [99a507771fa57238dc7ffe674ae06090333d02c9]

Ganapathi Bhat (1):
      mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
         [3d94a4a8373bf5f45cf5f939e88b8354dbf2311b]

Greg Hackmann (1):
      staging: goldfish: audio: fix compiliation on arm
         [4532150762ceb0d6fd765ebcb3ba6966fbb8faab]

Ilya Dryomov (1):
      libceph: handle an empty authorize reply
         [0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068]

James Morse (3):
      PM / Hibernate: Call flush_icache_range() on pages restored in-place
         [f6cf0545ec697ddc278b7457b7d0c0d86a2ea88e]
      arm64: kernel: Include _AC definition in page.h
         [812264550dcba6cdbe84bfac2f27e7d23b5b8733]
      arm64: mm: Add trace_irqflags annotations to do_debug_exception()
         [6afedcd23cfd7ac56c011069e4a8db37b46e4623]

Jason Yan (1):
      scsi: libsas: stop discovering if oob mode is disconnected
         [f70267f379b5e5e11bdc5d72a56bf17e5feed01f]

Jeffrey Hugo (1):
      dmaengine: qcom: bam_dma: Fix resource leak
         [7667819385457b4aeb5fac94f67f52ab52cc10d5]

Johannes Berg (1):
      cfg80211: size various nl80211 messages correctly
         [4ef8c1c93f848e360754f10eb2e7134c872b6597]

Konstantin Khlebnikov (1):
      mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON
         [e4c5800a3991f0c6a766983535dfc10d51802cf6]

Laura Abbott (1):
      staging: ashmem: Avoid deadlock with mmap/shrink
         [18e77054de741ef3ed2a2489bc9bf82a318b2d5e]

Linus Torvalds (2):
      Make filldir[64]() verify the directory entry filename is valid
         [8a23eb804ca4f2be909e372cf5a9e7b30ae476cd]
      filldir[64]: remove WARN_ON_ONCE() for bad directory entries
         [b9959c7a347d6adbb558fba7e36e9fef3cba3b07]

Lorenzo Pieralisi (1):
      ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies
         [1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1]

Mark Rutland (1):
      asm-generic: Fix local variable shadow in __set_fixmap_offset
         [3694bd76781b76c4f8d2ecd85018feeb1609f0e5]

Mathias Nyman (2):
      xhci: Fix port resume done detection for SS ports with LPM enabled
         [6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15]
      xhci: fix USB3 device initiated resume race with roothub autosuspend
         [057d476fff778f1d3b9f861fdb5437ea1a3cfc99]

Navid Emamdoost (1):
      net: qlogic: Fix memory leak in ql_alloc_large_buffers
         [1acb8f2a7a9f10543868ddd737e37424d5c36cf4]

Peter Chen (1):
      usb: gadget: composite: fix dereference after null check coverify warning
         [c526c62d565ea5a5bba9433f28756079734f430d]

Peter Zijlstra (2):
      locking,x86: Kill atomic_or_long()
         [f6b4ecee0eb7bfa66ae8d5652105ed4da53209a3]
      x86/atomic: Fix smp_mb__{before,after}_atomic()
         [69d927bba39517d0980462efc051875b7f4db185]

Philip Oberstaller (1):
      usb: gadget: serial: fix re-ordering of tx data
         [3e9d3d2efc677b501b12512cab5adb4f32a0673a]

Qiao Zhou (1):
      arm64: traps: disable irq in die()
         [6f44a0bacb79a03972c83759711832b382b1b8ac]

Rajmal Menariya (1):
      staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT
         [1328d8efef17d5e16bd6e9cfe59130a833674534]

Ravindra Lokhande (1):
      ALSA: compress: add support for 32bit calls in a 64bit kernel
         [c10368897e104c008c610915a218f0fe5fa4ec96]

Roderick Colenbrander (2):
      HID: sony: Support DS4 dongle
         [de66a1a04c25f2560a8dca7a95e2a150b0d5e17e]
      HID: sony: Update device ids
         [cf1015d65d7c8a5504a4c03afb60fb86bff0f032]

Roger Quadros (1):
      usb: dwc3: gadget: Fix suspend/resume during device mode
         [9772b47a4c2916d645c551228b6085ea24acbe5d]

Rom Lemarchand (1):
      staging: ashmem: Add missing include
         [90a2f171383b5ae43b33ab4d9d566b9765622ac7]

Russell King (1):
      mmc: core: shut up "voltage-ranges unspecified" pr_info()
         [10a16a01d8f72e80f4780e40cf3122f4caffa411]

Theodore Ts'o (1):
      ext4: add more paranoia checking in ext4_expand_extra_isize handling
         [4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a]

Will Deacon (2):
      arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug signals
         [b9a4b9d084d978f80eb9210727c81804588b42ff]
      arm64: debug: Ensure debug handlers check triggering exception level
         [6bd288569b50bc89fa5513031086746968f585cb]

Winter Wang (1):
      usb: gadget: configfs: add mutex lock before unregister gadget
         [cee51c33f52ebf673a088a428ac0fecc33ab77fa]

Wolfram Sang (2):
      kbuild: setlocalversion: print error to STDERR
         [78283edf2c01c38eb840a3de5ffd18fe2992ab64]
      mmc: sanitize 'bus width' in debug output
         [ed9feec72fc1fa194ebfdb79e14561b35decce63]

Xerox Lin (1):
      usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG
         [207707d8fd48ebc977fb2b2794004a020e1ee08e]

Xiaolong Huang (1):
      can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
         [da2311a6385c3b499da2ed5d9be59ce331fa93e9]

Yoshihiro Shimoda (1):
      usb: renesas_usbhs: gadget: fix unused-but-set-variable warning
         [b7d44c36a6f6d956e1539e0dd42f98b26e5a4684]

YueHaibing (1):
      media: cpia2: Fix use-after-free in cpia2_exit
         [dea37a97265588da604c6ba80160a287b72c7bfd]

Yury Norov (1):
      arm64: fix COMPAT_SHMLBA definition for large pages
         [b9b7aebb42d1b1392f3111de61136bb6cf3aae3f]

 Makefile                                          |   4 +-
 arch/arm/Kconfig                                  |   6 +-
 arch/arm64/Kconfig                                |   5 +-
 arch/arm64/include/asm/page.h                     |   2 +
 arch/arm64/include/asm/shmparam.h                 |   2 +-
 arch/arm64/kernel/entry.S                         |   2 +-
 arch/arm64/kernel/kgdb.c                          |  15 +-
 arch/arm64/kernel/traps.c                         |   8 +-
 arch/arm64/mm/fault.c                             |  36 +++--
 arch/tile/lib/atomic_asm_32.S                     |   3 +-
 arch/x86/include/asm/atomic.h                     |  36 +----
 arch/x86/include/asm/atomic64_64.h                |   8 +-
 arch/x86/include/asm/barrier.h                    |   4 +-
 crypto/cts.c                                      |   8 +-
 drivers/dma/qcom_bam_dma.c                        |  14 ++
 drivers/hid/hid-core.c                            |   3 +
 drivers/hid/hid-ids.h                             |   2 +
 drivers/hid/hid-sony.c                            |   6 +
 drivers/media/usb/cpia2/cpia2_v4l.c               |   3 +-
 drivers/mmc/card/block.c                          |   7 +-
 drivers/mmc/core/core.c                           |  10 +-
 drivers/mmc/core/debugfs.c                        |   2 +-
 drivers/mmc/core/mmc.c                            |  13 +-
 drivers/mmc/core/mmc_ops.c                        |   2 +-
 drivers/net/can/usb/kvaser_usb.c                  |   6 +-
 drivers/net/ethernet/qlogic/qla3xxx.c             |   9 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |  16 +-
 drivers/net/wireless/mwifiex/cfg80211.c           |  17 ++-
 drivers/net/wireless/mwifiex/ioctl.h              |   1 +
 drivers/net/wireless/mwifiex/sta_ioctl.c          |  23 ++-
 drivers/scsi/libsas/sas_discover.c                |  11 +-
 drivers/staging/android/ashmem.c                  |   4 +-
 drivers/staging/android/ion/ion_carveout_heap.c   |   2 +-
 drivers/staging/android/uapi/ashmem.h             |   1 +
 drivers/staging/goldfish/goldfish_audio.c         |   1 +
 drivers/usb/dwc3/gadget.c                         |   6 +
 drivers/usb/gadget/composite.c                    |   2 +
 drivers/usb/gadget/configfs.c                     |   2 +
 drivers/usb/gadget/rndis.c                        |   6 +
 drivers/usb/gadget/u_serial.c                     |  12 +-
 drivers/usb/host/xhci-hub.c                       |   8 +
 drivers/usb/host/xhci-ring.c                      |  15 +-
 drivers/usb/host/xhci.h                           |   2 +
 drivers/usb/renesas_usbhs/mod_gadget.c            |   5 +-
 drivers/video/fbdev/goldfishfb.c                  |   2 +-
 fs/ext4/inode.c                                   |  15 ++
 fs/ext4/super.c                                   |  59 +++++---
 fs/readdir.c                                      |  40 +++++
 include/asm-generic/fixmap.h                      |  12 +-
 include/linux/swap.h                              |   1 -
 include/net/inet_connection_sock.h                |   5 -
 kernel/power/Makefile                             |   3 +-
 kernel/power/block_io.c                           | 103 -------------
 kernel/power/power.h                              |   9 --
 kernel/power/swap.c                               | 177 +++++++++++++++++-----
 kernel/sched/fair.c                               |  14 +-
 kernel/sched/sched.h                              |   2 -
 kernel/trace/trace_uprobe.c                       |   9 +-
 mm/page_io.c                                      |   2 +-
 mm/rmap.c                                         |   2 +-
 net/ceph/messenger.c                              |  12 +-
 net/dccp/ipv4.c                                   |   8 +-
 net/dccp/ipv6.c                                   |   2 +-
 net/ipv4/inet_diag.c                              |  18 ++-
 net/ipv4/tcp_ipv4.c                               |   7 +-
 net/ipv6/tcp_ipv6.c                               |   2 +-
 net/wireless/nl80211.c                            |  16 +-
 scripts/setlocalversion                           |   2 +-
 sound/core/compress_offload.c                     |  13 ++
 69 files changed, 533 insertions(+), 352 deletions(-)

-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 01/63] net: qlogic: Fix memory leak in ql_alloc_large_buffers
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
@ 2020-01-08 19:42 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 02/63] net: qlogic: Fix error paths in ql_alloc_large_buffers() Ben Hutchings
                   ` (62 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Navid Emamdoost

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Navid Emamdoost <navid.emamdoost@gmail.com>

commit 1acb8f2a7a9f10543868ddd737e37424d5c36cf4 upstream.

In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb.
This skb should be released if pci_dma_mapping_error fails.

Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/qlogic/qla3xxx.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -2789,6 +2789,7 @@ static int ql_alloc_large_buffers(struct
 				netdev_err(qdev->ndev,
 					   "PCI mapping failed with error: %d\n",
 					   err);
+				dev_kfree_skb_irq(skb);
 				ql_free_large_buffers(qdev);
 				return -ENOMEM;
 			}


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 02/63] net: qlogic: Fix error paths in ql_alloc_large_buffers()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
  2020-01-08 19:42 ` [PATCH 3.16 01/63] net: qlogic: Fix memory leak in ql_alloc_large_buffers Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 03/63] HID: sony: Update device ids Ben Hutchings
                   ` (61 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, David S. Miller

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit cad46039e4c99812db067c8ac22a864960e7acc4 upstream.

ql_alloc_large_buffers() has the usual RX buffer allocation
loop where it allocates skbs and maps them for DMA.  It also
treats failure as a fatal error.

There are (at least) three bugs in the error paths:

1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
first buffer that couldn't be allocated will have .skb == NULL.
But the qla_buf[] array is not zero-initialised.

2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[].  This is
incorrect for the last allocated skb, if DMA mapping failed.

3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in
ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
will double-free it.

The bugs are somewhat inter-twined, so fix them all at once:

* Clear each entry in qla_buf[] before attempting to allocate
  an skb for it.  This goes half-way to fixing bug 1.
* Set the .skb field only after the skb is DMA-mapped.  This
  fixes the rest.

Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...")
Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...")
Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -2758,6 +2758,9 @@ static int ql_alloc_large_buffers(struct
 	int err;
 
 	for (i = 0; i < qdev->num_large_buffers; i++) {
+		lrg_buf_cb = &qdev->lrg_buf[i];
+		memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
+
 		skb = netdev_alloc_skb(qdev->ndev,
 				       qdev->lrg_buffer_len);
 		if (unlikely(!skb)) {
@@ -2768,11 +2771,7 @@ static int ql_alloc_large_buffers(struct
 			ql_free_large_buffers(qdev);
 			return -ENOMEM;
 		} else {
-
-			lrg_buf_cb = &qdev->lrg_buf[i];
-			memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
 			lrg_buf_cb->index = i;
-			lrg_buf_cb->skb = skb;
 			/*
 			 * We save some space to copy the ethhdr from first
 			 * buffer
@@ -2794,6 +2793,7 @@ static int ql_alloc_large_buffers(struct
 				return -ENOMEM;
 			}
 
+			lrg_buf_cb->skb = skb;
 			dma_unmap_addr_set(lrg_buf_cb, mapaddr, map);
 			dma_unmap_len_set(lrg_buf_cb, maplen,
 					  qdev->lrg_buffer_len -


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 03/63] HID: sony: Update device ids
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
  2020-01-08 19:42 ` [PATCH 3.16 01/63] net: qlogic: Fix memory leak in ql_alloc_large_buffers Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 02/63] net: qlogic: Fix error paths in ql_alloc_large_buffers() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 04/63] HID: sony: Support DS4 dongle Ben Hutchings
                   ` (60 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jiri Kosina, Roderick Colenbrander,
	Benjamin Tissoires

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roderick Colenbrander <roderick.colenbrander@sony.com>

commit cf1015d65d7c8a5504a4c03afb60fb86bff0f032 upstream.

Support additional DS4 model.

Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-core.c | 2 ++
 drivers/hid/hid-ids.h  | 1 +
 drivers/hid/hid-sony.c | 4 ++++
 3 files changed, 7 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1932,6 +1932,8 @@ static const struct hid_device_id hid_ha
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS3_CONTROLLER) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) },
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) },
+	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) },
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -876,6 +876,7 @@
 #define USB_DEVICE_ID_SONY_PS3_BDREMOTE		0x0306
 #define USB_DEVICE_ID_SONY_PS3_CONTROLLER	0x0268
 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER	0x05c4
+#define USB_DEVICE_ID_SONY_PS4_CONTROLLER_2	0x09cc
 #define USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER	0x042f
 #define USB_DEVICE_ID_SONY_BUZZ_CONTROLLER		0x0002
 #define USB_DEVICE_ID_SONY_WIRELESS_BUZZ_CONTROLLER	0x1000
--- a/drivers/hid/hid-sony.c
+++ b/drivers/hid/hid-sony.c
@@ -1998,6 +1998,10 @@ static const struct hid_device_id sony_d
 		.driver_data = DUALSHOCK4_CONTROLLER_USB },
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER),
 		.driver_data = DUALSHOCK4_CONTROLLER_BT },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2),
+		.driver_data = DUALSHOCK4_CONTROLLER_USB },
+	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2),
+		.driver_data = DUALSHOCK4_CONTROLLER_BT },
 	{ }
 };
 MODULE_DEVICE_TABLE(hid, sony_devices);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 04/63] HID: sony: Support DS4 dongle
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 03/63] HID: sony: Update device ids Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 05/63] crypto: cts - fix crash on short inputs Ben Hutchings
                   ` (59 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jiri Kosina, Roderick Colenbrander

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roderick Colenbrander <roderick.colenbrander@sony.com>

commit de66a1a04c25f2560a8dca7a95e2a150b0d5e17e upstream.

Add support for USB based DS4 dongle device, which allows connecting
a DS4 through Bluetooth, but hides Bluetooth from the host system.

Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-core.c | 1 +
 drivers/hid/hid-ids.h  | 1 +
 drivers/hid/hid-sony.c | 2 ++
 3 files changed, 4 insertions(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1934,6 +1934,7 @@ static const struct hid_device_id hid_ha
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) },
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) },
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -877,6 +877,7 @@
 #define USB_DEVICE_ID_SONY_PS3_CONTROLLER	0x0268
 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER	0x05c4
 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER_2	0x09cc
+#define USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE	0x0ba0
 #define USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER	0x042f
 #define USB_DEVICE_ID_SONY_BUZZ_CONTROLLER		0x0002
 #define USB_DEVICE_ID_SONY_WIRELESS_BUZZ_CONTROLLER	0x1000
--- a/drivers/hid/hid-sony.c
+++ b/drivers/hid/hid-sony.c
@@ -2002,6 +2002,8 @@ static const struct hid_device_id sony_d
 		.driver_data = DUALSHOCK4_CONTROLLER_USB },
 	{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2),
 		.driver_data = DUALSHOCK4_CONTROLLER_BT },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE),
+		.driver_data = DUALSHOCK4_CONTROLLER_USB },
 	{ }
 };
 MODULE_DEVICE_TABLE(hid, sony_devices);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 05/63] crypto: cts - fix crash on short inputs
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (3 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 04/63] HID: sony: Support DS4 dongle Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 06/63] tracing/uprobes: Fix output for multiple string arguments Ben Hutchings
                   ` (58 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, linux-crypto, Eric Biggers

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

In the CTS template, when the input length is <= one block cipher block
(e.g. <= 16 bytes for AES) pass the correct length to the underlying CBC
transform rather than one block.  This matches the upstream behavior and
makes the encryption/decryption operation correctly return -EINVAL when
1 <= nbytes < bsize or succeed when nbytes == 0, rather than crashing.

This was fixed upstream incidentally by a large refactoring,
commit 0605c41cc53c ("crypto: cts - Convert to skcipher").  But
syzkaller easily trips over this when running on older kernels, as it's
easily reachable via AF_ALG.  Therefore, this patch makes the minimal
fix for older kernels.

Cc: linux-crypto@vger.kernel.org
Fixes: 76cb9521795a ("[CRYPTO] cts: Add CTS mode required for Kerberos AES support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/cts.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/crypto/cts.c
+++ b/crypto/cts.c
@@ -137,8 +137,8 @@ static int crypto_cts_encrypt(struct blk
 	lcldesc.info = desc->info;
 	lcldesc.flags = desc->flags;
 
-	if (tot_blocks == 1) {
-		err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, bsize);
+	if (tot_blocks <= 1) {
+		err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, nbytes);
 	} else if (nbytes <= bsize * 2) {
 		err = cts_cbc_encrypt(ctx, desc, dst, src, 0, nbytes);
 	} else {
@@ -232,8 +232,8 @@ static int crypto_cts_decrypt(struct blk
 	lcldesc.info = desc->info;
 	lcldesc.flags = desc->flags;
 
-	if (tot_blocks == 1) {
-		err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, bsize);
+	if (tot_blocks <= 1) {
+		err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, nbytes);
 	} else if (nbytes <= bsize * 2) {
 		err = cts_cbc_decrypt(ctx, desc, dst, src, 0, nbytes);
 	} else {


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 06/63] tracing/uprobes: Fix output for multiple string arguments
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (4 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 05/63] crypto: cts - fix crash on short inputs Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 07/63] libceph: handle an empty authorize reply Ben Hutchings
                   ` (57 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Masami Hiramatsu, Andreas Ziegler,
	Steven Rostedt (VMware),
	Ingo Molnar

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Ziegler <andreas.ziegler@fau.de>

commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream.

When printing multiple uprobe arguments as strings the output for the
earlier arguments would also include all later string arguments.

This is best explained in an example:

Consider adding a uprobe to a function receiving two strings as
parameters which is at offset 0xa0 in strlib.so and we want to print
both parameters when the uprobe is hit (on x86_64):

$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \
    /sys/kernel/debug/tracing/uprobe_events

When the function is called as func("foo", "bar") and we hit the probe,
the trace file shows a line like the following:

  [...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"

Note the extra "bar" printed as part of arg1. This behaviour stacks up
for additional string arguments.

The strings are stored in a dynamically growing part of the uprobe
buffer by fetch_store_string() after copying them from userspace via
strncpy_from_user(). The return value of strncpy_from_user() is then
directly used as the required size for the string. However, this does
not take the terminating null byte into account as the documentation
for strncpy_from_user() cleary states that it "[...] returns the
length of the string (not including the trailing NUL)" even though the
null byte will be copied to the destination.

Therefore, subsequent calls to fetch_store_string() will overwrite
the terminating null byte of the most recently fetched string with
the first character of the current string, leading to the
"accumulation" of strings in earlier arguments in the output.

Fix this by incrementing the return value of strncpy_from_user() by
one if we did not hit the maximum buffer size.

Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de

Cc: Ingo Molnar <mingo@redhat.com>
Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andreas Ziegler <andreas.ziegler@fau.de>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_uprobe.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -151,7 +151,14 @@ static void FETCH_FUNC_NAME(memory, stri
 
 	ret = strncpy_from_user(dst, src, maxlen);
 	if (ret == maxlen)
-		dst[--ret] = '\0';
+		dst[ret - 1] = '\0';
+	else if (ret >= 0)
+		/*
+		 * Include the terminating null byte. In this case it
+		 * was copied by strncpy_from_user but not accounted
+		 * for in ret.
+		 */
+		ret++;
 
 	if (ret < 0) {	/* Failed to fetch string */
 		((u8 *)get_rloc_data(dest))[0] = '\0';


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 07/63] libceph: handle an empty authorize reply
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 06/63] tracing/uprobes: Fix output for multiple string arguments Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 08/63] ALSA: compress: add support for 32bit calls in a 64bit kernel Ben Hutchings
                   ` (56 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Sage Weil, Ilya Dryomov

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Dryomov <idryomov@gmail.com>

commit 0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068 upstream.

The authorize reply can be empty, for example when the ticket used to
build the authorizer is too old and TAG_BADAUTHORIZER is returned from
the service.  Calling ->verify_authorizer_reply() results in an attempt
to decrypt and validate (somewhat) random data in au->buf (most likely
the signature block from calc_signature()), which fails and ends up in
con_fault_finish() with !con->auth_retry.  The ticket isn't invalidated
and the connection is retried again and again until a new ticket is
obtained from the monitor:

  libceph: osd2 192.168.122.1:6809 bad authorize reply
  libceph: osd2 192.168.122.1:6809 bad authorize reply
  libceph: osd2 192.168.122.1:6809 bad authorize reply
  libceph: osd2 192.168.122.1:6809 bad authorize reply

Let TAG_BADAUTHORIZER handler kick in and increment con->auth_retry.

Fixes: 5c056fdc5b47 ("libceph: verify authorize reply on connect")
Link: https://tracker.ceph.com/issues/20164
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
[idryomov@gmail.com: backport to 4.4: extra arg, no CEPHX_V2]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ceph/messenger.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1984,15 +1984,19 @@ static int process_connect(struct ceph_c
 	dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
 
 	if (con->auth_reply_buf) {
+		int len = le32_to_cpu(con->in_reply.authorizer_len);
+
 		/*
 		 * Any connection that defines ->get_authorizer()
 		 * should also define ->verify_authorizer_reply().
 		 * See get_connect_authorizer().
 		 */
-		ret = con->ops->verify_authorizer_reply(con, 0);
-		if (ret < 0) {
-			con->error_msg = "bad authorize reply";
-			return ret;
+		if (len) {
+			ret = con->ops->verify_authorizer_reply(con, 0);
+			if (ret < 0) {
+				con->error_msg = "bad authorize reply";
+				return ret;
+			}
 		}
 	}
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 08/63] ALSA: compress: add support for 32bit calls in a 64bit kernel
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 07/63] libceph: handle an empty authorize reply Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 09/63] mmc: debugfs: Add a restriction to mmc debugfs clock setting Ben Hutchings
                   ` (55 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Takashi Iwai, Ravindra Lokhande,
	Vinod Koul, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ravindra Lokhande <rlokhande@nvidia.com>

commit c10368897e104c008c610915a218f0fe5fa4ec96 upstream.

Compress offload does not support ioctl calls from a 32bit userspace
in a 64 bit kernel. This patch adds support for ioctls from a 32bit
userspace in a 64bit kernel

Signed-off-by: Ravindra Lokhande <rlokhande@nvidia.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/compress_offload.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -38,6 +38,7 @@
 #include <linux/uio.h>
 #include <linux/uaccess.h>
 #include <linux/module.h>
+#include <linux/compat.h>
 #include <sound/core.h>
 #include <sound/initval.h>
 #include <sound/compress_params.h>
@@ -864,6 +865,15 @@ static long snd_compr_ioctl(struct file
 	return retval;
 }
 
+/* support of 32bit userspace on 64bit platforms */
+#ifdef CONFIG_COMPAT
+static long snd_compr_ioctl_compat(struct file *file, unsigned int cmd,
+						unsigned long arg)
+{
+	return snd_compr_ioctl(file, cmd, (unsigned long)compat_ptr(arg));
+}
+#endif
+
 static const struct file_operations snd_compr_file_ops = {
 		.owner =	THIS_MODULE,
 		.open =		snd_compr_open,
@@ -871,6 +881,9 @@ static const struct file_operations snd_
 		.write =	snd_compr_write,
 		.read =		snd_compr_read,
 		.unlocked_ioctl = snd_compr_ioctl,
+#ifdef CONFIG_COMPAT
+		.compat_ioctl = snd_compr_ioctl_compat,
+#endif
 		.mmap =		snd_compr_mmap,
 		.poll =		snd_compr_poll,
 };


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 09/63] mmc: debugfs: Add a restriction to mmc debugfs clock setting
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 08/63] ALSA: compress: add support for 32bit calls in a 64bit kernel Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 10/63] mmc: sanitize 'bus width' in debug output Ben Hutchings
                   ` (54 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Pawel Wodkowski, Arnd Bergmann,
	Chuanxiao Dong, Ulf Hansson, Yuan Juntao

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuanxiao Dong <chuanxiao.dong@intel.com>

commit e5905ff1281f0a0f5c9863c430ac1ed5faaf5707 upstream.

Clock frequency values written to an mmc host should not be less than
the minimum clock frequency which the mmc host supports.

Signed-off-by: Yuan Juntao <juntaox.yuan@intel.com>
Signed-off-by: Pawel Wodkowski <pawelx.wodkowski@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/core/debugfs.c
+++ b/drivers/mmc/core/debugfs.c
@@ -195,7 +195,7 @@ static int mmc_clock_opt_set(void *data,
 	struct mmc_host *host = data;
 
 	/* We need this check due to input value is u64 */
-	if (val > host->f_max)
+	if (val != 0 && (val > host->f_max || val < host->f_min))
 		return -EINVAL;
 
 	mmc_claim_host(host);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 10/63] mmc: sanitize 'bus width' in debug output
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 09/63] mmc: debugfs: Add a restriction to mmc debugfs clock setting Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 11/63] mmc: core: shut up "voltage-ranges unspecified" pr_info() Ben Hutchings
                   ` (53 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Wolfram Sang, Ulf Hansson

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

commit ed9feec72fc1fa194ebfdb79e14561b35decce63 upstream.

The bus width is sometimes the actual bus width, and sometimes indices
to different arrays encoding the bus width. In my debugging case "2"
could mean 8-bit as well as 4-bit, which was extremly confusing. Let's
use the human-readable actual bus width in all places.

Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/core.c | 2 +-
 drivers/mmc/core/mmc.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -973,7 +973,7 @@ static inline void mmc_set_ios(struct mm
 		"width %u timing %u\n",
 		 mmc_hostname(host), ios->clock, ios->bus_mode,
 		 ios->power_mode, ios->chip_select, ios->vdd,
-		 ios->bus_width, ios->timing);
+		 1 << ios->bus_width, ios->timing);
 
 	if (ios->clock > 0)
 		mmc_set_ungated(host);
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -935,7 +935,7 @@ static int mmc_select_bus_width(struct m
 			break;
 		} else {
 			pr_warn("%s: switch to bus width %d failed\n",
-				mmc_hostname(host), ext_csd_bits[idx]);
+				mmc_hostname(host), 1 << bus_width);
 		}
 	}
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 11/63] mmc: core: shut up "voltage-ranges unspecified" pr_info()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (9 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 10/63] mmc: sanitize 'bus width' in debug output Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 12/63] usb: dwc3: gadget: Fix suspend/resume during device mode Ben Hutchings
                   ` (52 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Russell King, Ulf Hansson

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit 10a16a01d8f72e80f4780e40cf3122f4caffa411 upstream.

Each time a driver such as sdhci-esdhc-imx is probed, we get a info
printk complaining that the DT voltage-ranges property has not been
specified.

However, the DT binding specifically says that the voltage-ranges
property is optional.  That means we should not be complaining that
DT hasn't specified this property: by indicating that it's optional,
it is valid not to have the property in DT.

Silence the warning if the property is missing.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -1181,8 +1181,12 @@ int mmc_of_parse_voltage(struct device_n
 
 	voltage_ranges = of_get_property(np, "voltage-ranges", &num_ranges);
 	num_ranges = num_ranges / sizeof(*voltage_ranges) / 2;
-	if (!voltage_ranges || !num_ranges) {
-		pr_info("%s: voltage-ranges unspecified\n", np->full_name);
+	if (!voltage_ranges) {
+		pr_debug("%s: voltage-ranges unspecified\n", np->full_name);
+		return -EINVAL;
+	}
+	if (!num_ranges) {
+		pr_err("%s: voltage-ranges empty\n", np->full_name);
 		return -EINVAL;
 	}
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 12/63] usb: dwc3: gadget: Fix suspend/resume during device mode
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 11/63] mmc: core: shut up "voltage-ranges unspecified" pr_info() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 13/63] arm64: mm: Add trace_irqflags annotations to do_debug_exception() Ben Hutchings
                   ` (51 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Roger Quadros, Felipe Balbi, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roger Quadros <rogerq@ti.com>

commit 9772b47a4c2916d645c551228b6085ea24acbe5d upstream.

Gadget controller might not be always active during system
suspend/resume as gadget driver might not have yet been loaded or
might have been unloaded prior to system suspend.

Check if we're active and only then perform
necessary actions during suspend/resume.

Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/gadget.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2955,6 +2955,9 @@ void dwc3_gadget_complete(struct dwc3 *d
 
 int dwc3_gadget_suspend(struct dwc3 *dwc)
 {
+	if (!dwc->gadget_driver)
+		return 0;
+
 	__dwc3_gadget_ep_disable(dwc->eps[0]);
 	__dwc3_gadget_ep_disable(dwc->eps[1]);
 
@@ -2968,6 +2971,9 @@ int dwc3_gadget_resume(struct dwc3 *dwc)
 	struct dwc3_ep		*dep;
 	int			ret;
 
+	if (!dwc->gadget_driver)
+		return 0;
+
 	/* Start with SuperSpeed Default */
 	dwc3_gadget_ep0_desc.wMaxPacketSize = cpu_to_le16(512);
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 13/63] arm64: mm: Add trace_irqflags annotations to do_debug_exception()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 12/63] usb: dwc3: gadget: Fix suspend/resume during device mode Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 14/63] mmc: core: fix using wrong io voltage if mmc_select_hs200 fails Ben Hutchings
                   ` (50 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, James Morse, Will Deacon

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Morse <james.morse@arm.com>

commit 6afedcd23cfd7ac56c011069e4a8db37b46e4623 upstream.

With CONFIG_PROVE_LOCKING, CONFIG_DEBUG_LOCKDEP and CONFIG_TRACE_IRQFLAGS
enabled, lockdep will compare current->hardirqs_enabled with the flags from
local_irq_save().

When a debug exception occurs, interrupts are disabled in entry.S, but
lockdep isn't told, resulting in:
DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled)
------------[ cut here ]------------
WARNING: at ../kernel/locking/lockdep.c:3523
Modules linked in:
CPU: 3 PID: 1752 Comm: perf Not tainted 4.5.0-rc4+ #2204
Hardware name: ARM Juno development board (r1) (DT)
task: ffffffc974868000 ti: ffffffc975f40000 task.ti: ffffffc975f40000
PC is at check_flags.part.35+0x17c/0x184
LR is at check_flags.part.35+0x17c/0x184
pc : [<ffffff80080fc93c>] lr : [<ffffff80080fc93c>] pstate: 600003c5
[...]
---[ end trace 74631f9305ef5020 ]---
Call trace:
[<ffffff80080fc93c>] check_flags.part.35+0x17c/0x184
[<ffffff80080ffe30>] lock_acquire+0xa8/0xc4
[<ffffff8008093038>] breakpoint_handler+0x118/0x288
[<ffffff8008082434>] do_debug_exception+0x3c/0xa8
[<ffffff80080854b4>] el1_dbg+0x18/0x6c
[<ffffff80081e82f4>] do_filp_open+0x64/0xdc
[<ffffff80081d6e60>] do_sys_open+0x140/0x204
[<ffffff80081d6f58>] SyS_openat+0x10/0x18
[<ffffff8008085d30>] el0_svc_naked+0x24/0x28
possible reason: unannotated irqs-off.
irq event stamp: 65857
hardirqs last  enabled at (65857): [<ffffff80081fb1c0>] lookup_mnt+0xf4/0x1b4
hardirqs last disabled at (65856): [<ffffff80081fb188>] lookup_mnt+0xbc/0x1b4
softirqs last  enabled at (65790): [<ffffff80080bdca4>] __do_softirq+0x1f8/0x290
softirqs last disabled at (65757): [<ffffff80080be038>] irq_exit+0x9c/0xd0

This patch adds the annotations to do_debug_exception(), while trying not
to call trace_hardirqs_off() if el1_dbg() interrupted a task that already
had irqs disabled.

Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/mm/fault.c | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -518,18 +518,31 @@ asmlinkage int __exception do_debug_exce
 {
 	const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr);
 	struct siginfo info;
+	int rv;
 
-	if (!inf->fn(addr, esr, regs))
-		return 1;
+	/*
+	 * Tell lockdep we disabled irqs in entry.S. Do nothing if they were
+	 * already disabled to preserve the last enabled/disabled addresses.
+	 */
+	if (interrupts_enabled(regs))
+		trace_hardirqs_off();
 
-	pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n",
-		 inf->name, esr, addr);
+	if (!inf->fn(addr, esr, regs)) {
+		rv = 1;
+	} else {
+		pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n",
+			 inf->name, esr, addr);
 
-	info.si_signo = inf->sig;
-	info.si_errno = 0;
-	info.si_code  = inf->code;
-	info.si_addr  = (void __user *)addr;
-	arm64_notify_die("", regs, &info, 0);
+		info.si_signo = inf->sig;
+		info.si_errno = 0;
+		info.si_code  = inf->code;
+		info.si_addr  = (void __user *)addr;
+		arm64_notify_die("", regs, &info, 0);
+		rv = 0;
+	}
 
-	return 0;
+	if (interrupts_enabled(regs))
+		trace_hardirqs_on();
+
+	return rv;
 }


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 14/63] mmc: core: fix using wrong io voltage if mmc_select_hs200 fails
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (12 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 13/63] arm64: mm: Add trace_irqflags annotations to do_debug_exception() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 15/63] mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON Ben Hutchings
                   ` (49 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ulf Hansson, Dong Aisheng, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dong Aisheng <aisheng.dong@nxp.com>

commit e51534c806609c806d81bfb034f02737461f855c upstream.

Currently MMC core will keep going if HS200/HS timing switch failed
with -EBADMSG error by the assumption that the old timing is still valid.

However, for mmc_select_hs200 case, the signal voltage may have already
been switched. If the timing switch failed, we should fall back to
the old voltage in case the card is continue run with legacy timing.

If fall back signal voltage failed, we explicitly report an EIO error
to force retry during the next power cycle.

Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16:
 - Delete now-unused err label
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1079,8 +1079,10 @@ static int mmc_select_hs400(struct mmc_c
 static int mmc_select_hs200(struct mmc_card *card)
 {
 	struct mmc_host *host = card->host;
+	unsigned int old_signal_voltage;
 	int err = -EINVAL;
 
+	old_signal_voltage = host->ios.signal_voltage;
 	if (card->mmc_avail_type & EXT_CSD_CARD_TYPE_HS200_1_2V)
 		err = __mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_120);
 
@@ -1089,7 +1091,7 @@ static int mmc_select_hs200(struct mmc_c
 
 	/* If fails try again during next card power cycle */
 	if (err)
-		goto err;
+		return err;
 
 	/*
 	 * Set the bus width(4 or 8) with host's support and
@@ -1104,7 +1106,12 @@ static int mmc_select_hs200(struct mmc_c
 		if (!err)
 			mmc_set_timing(host, MMC_TIMING_MMC_HS200);
 	}
-err:
+
+	if (err) {
+		/* fall back to the old signal voltage, if fails report error */
+		if (__mmc_set_signal_voltage(host, old_signal_voltage))
+			err = -EIO;
+	}
 	return err;
 }
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 15/63] mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (13 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 14/63] mmc: core: fix using wrong io voltage if mmc_select_hs200 fails Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 16/63] kbuild: setlocalversion: print error to STDERR Ben Hutchings
                   ` (48 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Torvalds, Vlastimil Babka,
	Arnd Bergmann, Konstantin Khlebnikov, Vasily Averin

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

commit e4c5800a3991f0c6a766983535dfc10d51802cf6 upstream.

This check effectively catches anon vma hierarchy inconsistence and some
vma corruptions.  It was effective for catching corner cases in anon vma
reusing logic.  For now this code seems stable so check could be hidden
under CONFIG_DEBUG_VM and replaced with WARN because it's not so fatal.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Suggested-by: Vasily Averin <vvs@virtuozzo.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/rmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -403,7 +403,7 @@ void unlink_anon_vmas(struct vm_area_str
 	list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
 		struct anon_vma *anon_vma = avc->anon_vma;
 
-		BUG_ON(anon_vma->degree);
+		VM_WARN_ON(anon_vma->degree);
 		put_anon_vma(anon_vma);
 
 		list_del(&avc->same_vma);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 16/63] kbuild: setlocalversion: print error to STDERR
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 15/63] mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 17/63] usb: gadget: composite: fix dereference after null check coverify warning Ben Hutchings
                   ` (47 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Wolfram Sang, Michal Marek

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <wsa@the-dreams.de>

commit 78283edf2c01c38eb840a3de5ffd18fe2992ab64 upstream.

I tried to use 'make O=...' from an unclean source tree. This triggered
the error path of setlocalversion. But by printing to STDOUT, it created
a broken localversion which then caused another (unrelated) error:

"4.7.0-rc2Error: kernelrelease not valid - run make prepare to update it" exceeds 64 characters

After printing to STDERR, the true build error gets displayed later:

  /home/wsa/Kernel/linux is not clean, please run 'make mrproper'
  in the '/home/wsa/Kernel/linux' directory.

Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Michal Marek <mmarek@suse.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/setlocalversion | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/setlocalversion
+++ b/scripts/setlocalversion
@@ -143,7 +143,7 @@ fi
 if test -e include/config/auto.conf; then
 	. include/config/auto.conf
 else
-	echo "Error: kernelrelease not valid - run 'make prepare' to update it"
+	echo "Error: kernelrelease not valid - run 'make prepare' to update it" >&2
 	exit 1
 fi
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 17/63] usb: gadget: composite: fix dereference after null check coverify warning
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 16/63] kbuild: setlocalversion: print error to STDERR Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 18/63] usb: gadget: serial: fix re-ordering of tx data Ben Hutchings
                   ` (46 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Peter Chen, Arnd Bergmann, Felipe Balbi

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@nxp.com>

commit c526c62d565ea5a5bba9433f28756079734f430d upstream.

cdev->config is checked for null pointer at above code, so cdev->config
might be null, fix it by adding null pointer check.

Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/composite.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1729,6 +1729,8 @@ unknown:
 			break;
 
 		case USB_RECIP_ENDPOINT:
+			if (!cdev->config)
+				break;
 			endp = ((w_index & 0x80) >> 3) | (w_index & 0x0f);
 			list_for_each_entry(f, &cdev->config->functions, list) {
 				if (test_bit(endp, f->endpoints))


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 18/63] usb: gadget: serial: fix re-ordering of tx data
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 17/63] usb: gadget: composite: fix dereference after null check coverify warning Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 19/63] usb: gadget: Add the gserial port checking in gs_start_tx() Ben Hutchings
                   ` (45 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Philip Oberstaller, Felipe Balbi,
	Arnout Vandecappelle (Essensium/Mind)

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Philip Oberstaller <Philip.Oberstaller@septentrio.com>

commit 3e9d3d2efc677b501b12512cab5adb4f32a0673a upstream.

When a single thread is sending out data over the gadget serial port,
gs_start_tx() will be called both from the sender context and from the
write completion. Since the port lock is released before the packet is
queued, the order in which the URBs are submitted is not guaranteed.
E.g.

  sending thread                      completion (interrupt)

  gs_write()
    LOCK
                                      gs_write_complete()
                                        LOCK (wait)
    gs_start_tx()
      req1 = list_entry(pool->next)
      UNLOCK
                                        LOCK (acquired)
                                        gs_start_tx()
                                          req2 = list_entry(pool->next)
                                          UNLOCK
                                          usb_ep_queue(req2)
      usb_ep_queue(req1)

I.e., req2 is submitted before req1 but it contains the data that
comes after req1.

To reproduce, use SMP with sending thread and completion pinned to
different CPUs, or use PREEMPT_RT, and add the following delay just
before the call to usb_ep_queue():

		if (port->write_started > 0 && !list_empty(pool))
			udelay(1000);

To work around this problem, make sure that only one thread is running
through the gs_start_tx() loop with an extra flag write_busy. Since
gs_start_tx() is always called with the port lock held, no further
synchronisation is needed. The original caller will continue through
the loop when the request was successfully submitted.

Signed-off-by: Philip Oberstaller <Philip.Oberstaller@septentrio.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Felipe Balbi <balbi@ti.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/u_serial.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/u_serial.c
+++ b/drivers/usb/gadget/u_serial.c
@@ -116,6 +116,7 @@ struct gs_port {
 	int write_allocated;
 	struct gs_buf		port_write_buf;
 	wait_queue_head_t	drain_wait;	/* wait while writes drain */
+	bool                    write_busy;
 
 	/* REVISIT this state ... */
 	struct usb_cdc_line_coding port_line_coding;	/* 8-N-1 etc */
@@ -366,7 +367,7 @@ __acquires(&port->port_lock)
 	int			status = 0;
 	bool			do_tty_wake = false;
 
-	while (!list_empty(pool)) {
+	while (!port->write_busy && !list_empty(pool)) {
 		struct usb_request	*req;
 		int			len;
 
@@ -396,9 +397,11 @@ __acquires(&port->port_lock)
 		 * NOTE that we may keep sending data for a while after
 		 * the TTY closed (dev->ioport->port_tty is NULL).
 		 */
+		port->write_busy = true;
 		spin_unlock(&port->port_lock);
 		status = usb_ep_queue(in, req, GFP_ATOMIC);
 		spin_lock(&port->port_lock);
+		port->write_busy = false;
 
 		if (status) {
 			pr_debug("%s: %s %s err %d\n",


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 19/63] usb: gadget: Add the gserial port checking in gs_start_tx()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 18/63] usb: gadget: serial: fix re-ordering of tx data Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 20/63] tcp/dccp: drop SYN packets if accept queue is full Ben Hutchings
                   ` (44 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Baolin Wang, Felipe Balbi

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Baolin Wang <baolin.wang@linaro.org>

commit 511a36d2f357724312bb3776d2f6eed3890928b2 upstream.

When usb gadget is set gadget serial function, it will be crash in below
situation.

It will clean the 'port->port_usb' pointer in gserial_disconnect() function
when usb link is inactive, but it will release lock for disabling the endpoints
in this function. Druing the lock release period, it maybe complete one request
to issue gs_write_complete()--->gs_start_tx() function, but the 'port->port_usb'
pointer had been set NULL, thus it will be crash in gs_start_tx() function.

This patch adds the 'port->port_usb' pointer checking in gs_start_tx() function
to avoid this situation.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/u_serial.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/u_serial.c
+++ b/drivers/usb/gadget/u_serial.c
@@ -363,10 +363,15 @@ __acquires(&port->port_lock)
 */
 {
 	struct list_head	*pool = &port->write_pool;
-	struct usb_ep		*in = port->port_usb->in;
+	struct usb_ep		*in;
 	int			status = 0;
 	bool			do_tty_wake = false;
 
+	if (!port->port_usb)
+		return status;
+
+	in = port->port_usb->in;
+
 	while (!port->write_busy && !list_empty(pool)) {
 		struct usb_request	*req;
 		int			len;


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 20/63] tcp/dccp: drop SYN packets if accept queue is full
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 19/63] usb: gadget: Add the gserial port checking in gs_start_tx() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 21/63] arm64: traps: disable irq in die() Ben Hutchings
                   ` (43 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Yuchung Cheng, Eric Dumazet,
	Neal Cardwell, David S. Miller

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071 upstream.

Per listen(fd, backlog) rules, there is really no point accepting a SYN,
sending a SYNACK, and dropping the following ACK packet if accept queue
is full, because application is not draining accept queue fast enough.

This behavior is fooling TCP clients that believe they established a
flow, while there is nothing at server side. They might then send about
10 MSS (if using IW10) that will be dropped anyway while server is under
stress.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16: Apply TCP changes in both tcp_ipv4.c and tcp_ipv6.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/inet_connection_sock.h
+++ b/include/net/inet_connection_sock.h
@@ -287,11 +287,6 @@ static inline int inet_csk_reqsk_queue_l
 	return reqsk_queue_len(&inet_csk(sk)->icsk_accept_queue);
 }
 
-static inline int inet_csk_reqsk_queue_young(const struct sock *sk)
-{
-	return reqsk_queue_len_young(&inet_csk(sk)->icsk_accept_queue);
-}
-
 static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk)
 {
 	return reqsk_queue_is_full(&inet_csk(sk)->icsk_accept_queue);
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -621,13 +621,7 @@ int dccp_v4_conn_request(struct sock *sk
 	if (inet_csk_reqsk_queue_is_full(sk))
 		goto drop;
 
-	/*
-	 * Accept backlog is full. If we have already queued enough
-	 * of warm entries in syn queue, drop request. It is better than
-	 * clogging syn queue with openreqs with exponentially increasing
-	 * timeout.
-	 */
-	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
+	if (sk_acceptq_is_full(sk))
 		goto drop;
 
 	req = inet_reqsk_alloc(&dccp_request_sock_ops);
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -391,7 +391,7 @@ static int dccp_v6_conn_request(struct s
 	if (inet_csk_reqsk_queue_is_full(sk))
 		goto drop;
 
-	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
+	if (sk_acceptq_is_full(sk))
 		goto drop;
 
 	req = inet6_reqsk_alloc(&dccp6_request_sock_ops);
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1292,12 +1292,7 @@ int tcp_v4_conn_request(struct sock *sk,
 			goto drop;
 	}
 
-	/* Accept backlog is full. If we have already queued enough
-	 * of warm entries in syn queue, drop request. It is better than
-	 * clogging syn queue with openreqs with exponentially increasing
-	 * timeout.
-	 */
-	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) {
+	if (sk_acceptq_is_full(sk)) {
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
 		goto drop;
 	}
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1009,7 +1009,7 @@ static int tcp_v6_conn_request(struct so
 			goto drop;
 	}
 
-	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) {
+	if (sk_acceptq_is_full(sk)) {
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
 		goto drop;
 	}


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 21/63] arm64: traps: disable irq in die()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 20/63] tcp/dccp: drop SYN packets if accept queue is full Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 22/63] usb: renesas_usbhs: gadget: fix unused-but-set-variable warning Ben Hutchings
                   ` (42 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Qiao Zhou, Will Deacon

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Qiao Zhou <qiaozhou@asrmicro.com>

commit 6f44a0bacb79a03972c83759711832b382b1b8ac upstream.

In current die(), the irq is disabled for __die() handle, not
including the possible panic() handling. Since the log in __die()
can take several hundreds ms, new irq might come and interrupt
current die().

If the process calling die() holds some critical resource, and some
other process scheduled later also needs it, then it would deadlock.
The first panic will not be executed.

So here disable irq for the whole flow of die().

Signed-off-by: Qiao Zhou <qiaozhou@asrmicro.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/traps.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -178,10 +178,12 @@ void die(const char *str, struct pt_regs
 {
 	struct thread_info *thread = current_thread_info();
 	int ret;
+	unsigned long flags;
+
+	raw_spin_lock_irqsave(&die_lock, flags);
 
 	oops_enter();
 
-	raw_spin_lock_irq(&die_lock);
 	console_verbose();
 	bust_spinlocks(1);
 	ret = __die(str, err, thread, regs);
@@ -191,13 +193,15 @@ void die(const char *str, struct pt_regs
 
 	bust_spinlocks(0);
 	add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE);
-	raw_spin_unlock_irq(&die_lock);
 	oops_exit();
 
 	if (in_interrupt())
 		panic("Fatal exception in interrupt");
 	if (panic_on_oops)
 		panic("Fatal exception");
+
+	raw_spin_unlock_irqrestore(&die_lock, flags);
+
 	if (ret != NOTIFY_STOP)
 		do_exit(SIGSEGV);
 }


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 22/63] usb: renesas_usbhs: gadget: fix unused-but-set-variable warning
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (20 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 21/63] arm64: traps: disable irq in die() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 23/63] xhci: Fix port resume done detection for SS ports with LPM enabled Ben Hutchings
                   ` (41 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Yoshihiro Shimoda, Felipe Balbi, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit b7d44c36a6f6d956e1539e0dd42f98b26e5a4684 upstream.

The commit b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps
when the driver stops") causes the unused-but-set-variable warning.
But, if the usbhsg_ep_disable() will return non-zero value, udc/core.c
doesn't clear the ep->enabled flag. So, this driver should not return
non-zero value, if the pipe is zero because this means the pipe is
already disabled. Otherwise, the ep->enabled flag is never cleared
when the usbhsg_ep_disable() is called by the renesas_usbhs driver first.

Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops")
Fixes: 11432050f070 ("usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/renesas_usbhs/mod_gadget.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -611,14 +611,11 @@ static int usbhsg_ep_disable(struct usb_
 	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
 	struct usbhs_pipe *pipe;
 	unsigned long flags;
-	int ret = 0;
 
 	spin_lock_irqsave(&uep->lock, flags);
 	pipe = usbhsg_uep_to_pipe(uep);
-	if (!pipe) {
-		ret = -EINVAL;
+	if (!pipe)
 		goto out;
-	}
 
 	usbhsg_pipe_disable(uep);
 	usbhs_pipe_free(pipe);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 23/63] xhci: Fix port resume done detection for SS ports with LPM enabled
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (21 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 22/63] usb: renesas_usbhs: gadget: fix unused-but-set-variable warning Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 24/63] mmc: block: Allow more than 8 partitions per card Ben Hutchings
                   ` (40 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mathias Nyman, Greg Kroah-Hartman

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15 upstream.

A suspended SS port in U3 link state will go to U0 when resumed, but
can almost immediately after that enter U1 or U2 link power save
states before host controller driver reads the port status.

Host controller driver only checks for U0 state, and might miss
the finished resume, leaving flags unclear and skip notifying usb
code of the wake.

Add U1 and U2 to the possible link states when checking for finished
port resume.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Mathias Nyman: backport to 3.18 stable.]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-ring.c | 9 ++++++---
 drivers/usb/host/xhci.h      | 1 +
 2 files changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1645,10 +1645,13 @@ static void handle_port_status(struct xh
 		}
 	}
 
-	if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_U0 &&
-			DEV_SUPERSPEED(temp)) {
+	if ((temp & PORT_PLC) &&
+	    DEV_SUPERSPEED(temp) &&
+	    ((temp & PORT_PLS_MASK) == XDEV_U0 ||
+	     (temp & PORT_PLS_MASK) == XDEV_U1 ||
+	     (temp & PORT_PLS_MASK) == XDEV_U2)) {
 		xhci_dbg(xhci, "resume SS port %d finished\n", port_id);
-		/* We've just brought the device into U0 through either the
+		/* We've just brought the device into U0/1/2 through either the
 		 * Resume state after a device remote wakeup, or through the
 		 * U3Exit state after a host-initiated resume.  If it's a device
 		 * initiated remote wake, don't pass up the link state change,
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -283,6 +283,7 @@ struct xhci_op_regs {
  */
 #define PORT_PLS_MASK	(0xf << 5)
 #define XDEV_U0		(0x0 << 5)
+#define XDEV_U1		(0x1 << 5)
 #define XDEV_U2		(0x2 << 5)
 #define XDEV_U3		(0x3 << 5)
 #define XDEV_INACTIVE	(0x6 << 5)


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 24/63] mmc: block: Allow more than 8 partitions per card
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 23/63] xhci: Fix port resume done detection for SS ports with LPM enabled Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 25/63] arm64: fix COMPAT_SHMLBA definition for large pages Ben Hutchings
                   ` (39 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Colin Cross, Arnd Bergmann, John Stultz,
	Ulf Hansson, Shawn Lin, Adrian Hunter, linux-mmc,
	Android Kernel Team, Austin S Hemmelgarn, Chuanxiao Dong

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Colin Cross <ccross@android.com>

commit 382c55f88ffeb218c446bf0c46d0fc25d2795fe2 upstream.

It is quite common for Android devices to utilize more
then 8 partitions on internal eMMC storage.

The vanilla kernel can support this via
CONFIG_MMC_BLOCK_MINORS, however that solution caps the
system to 256 minors total, which limits the number of
mmc cards the system can support.

This patch, which has been carried for quite awhile in
the AOSP common tree, provides an alternative solution
that doesn't seem to limit the total card count. So I
wanted to submit it for consideration upstream.

This patch sets the GENHD_FL_EXT_DEVT flag, which will
allocate minor number in major 259 for partitions past
disk->minors.

It also removes the use of disk_devt to determine devidx
from md->disk. md->disk->first_minor is always initialized
from devidx and can always be used to recover it.

Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Chuanxiao Dong <chuanxiao.dong@intel.com>
Cc: Shawn Lin <shawn.lin@rock-chips.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Android Kernel Team <kernel-team@android.com>
Cc: linux-mmc@vger.kernel.org
Signed-off-by: Colin Cross <ccross@android.com>
[jstultz: Added context to commit message]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/card/block.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -168,11 +168,7 @@ static struct mmc_blk_data *mmc_blk_get(
 
 static inline int mmc_get_devidx(struct gendisk *disk)
 {
-	int devmaj = MAJOR(disk_devt(disk));
-	int devidx = MINOR(disk_devt(disk)) / perdev_minors;
-
-	if (!devmaj)
-		devidx = disk->first_minor / perdev_minors;
+	int devidx = disk->first_minor / perdev_minors;
 	return devidx;
 }
 
@@ -2169,6 +2165,7 @@ static struct mmc_blk_data *mmc_blk_allo
 	md->disk->queue = md->queue.queue;
 	md->disk->driverfs_dev = parent;
 	set_disk_ro(md->disk, md->read_only || default_ro);
+	md->disk->flags = GENHD_FL_EXT_DEVT;
 	if (area_type & MMC_BLK_DATA_AREA_RPMB)
 		md->disk->flags |= GENHD_FL_NO_PART_SCAN;
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 25/63] arm64: fix COMPAT_SHMLBA definition for large pages
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 24/63] mmc: block: Allow more than 8 partitions per card Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 26/63] ARM: 8458/1: bL_switcher: add GIC dependency Ben Hutchings
                   ` (38 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Will Deacon, Yury Norov, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yury Norov <ynorov@caviumnetworks.com>

commit b9b7aebb42d1b1392f3111de61136bb6cf3aae3f upstream.

ARM glibc uses (4 * __getpagesize()) for SHMLBA, which is correct for
4KB pages and works fine for 64KB pages, but the kernel uses a hardcoded
16KB that is too small for 64KB page based kernels. This changes the
definition to what user space sees when using 64KB pages.

Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Yury Norov <ynorov@caviumnetworks.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/shmparam.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/shmparam.h
+++ b/arch/arm64/include/asm/shmparam.h
@@ -21,7 +21,7 @@
  * alignment value. Since we don't have aliasing D-caches, the rest of
  * the time we can safely use PAGE_SIZE.
  */
-#define COMPAT_SHMLBA	0x4000
+#define COMPAT_SHMLBA	(4 * PAGE_SIZE)
 
 #include <asm-generic/shmparam.h>
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 26/63] ARM: 8458/1: bL_switcher: add GIC dependency
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 25/63] arm64: fix COMPAT_SHMLBA definition for large pages Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 27/63] net: diag: support v4mapped sockets in inet_diag_find_one_icsk() Ben Hutchings
                   ` (37 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Russell King, Nicolas Pitre

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 6c044fecdf78be3fda159a5036bb33700cdd5e59 upstream.

It is not possible to build the bL_switcher code if the GIC
driver is disabled, because it relies on calling into some
gic specific interfaces, and that would result in this build
error:

arch/arm/common/built-in.o: In function `bL_switch_to':
:(.text+0x1230): undefined reference to `gic_get_sgir_physaddr'
:(.text+0x1244): undefined reference to `gic_send_sgi'
:(.text+0x1268): undefined reference to `gic_migrate_target'
arch/arm/common/built-in.o: In function `bL_switcher_enable.part.4':
:(.text.unlikely+0x2f8): undefined reference to `gic_get_cpu_id'

This adds a Kconfig dependency to ensure we only build the big-little
switcher if the GIC driver is present as well.

Almost all ARMv7 platforms come with a GIC anyway, but it is possible
to build a kernel that disables all platforms.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1485,7 +1485,7 @@ config BIG_LITTLE
 
 config BL_SWITCHER
 	bool "big.LITTLE switcher support"
-	depends on BIG_LITTLE && MCPM && HOTPLUG_CPU
+	depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC
 	select ARM_CPU_SUSPEND
 	select CPU_PM
 	help


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 27/63] net: diag: support v4mapped sockets in inet_diag_find_one_icsk()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 26/63] ARM: 8458/1: bL_switcher: add GIC dependency Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 28/63] asm-generic: Fix local variable shadow in __set_fixmap_offset Ben Hutchings
                   ` (36 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Lorenzo Colitti,
	Eric Dumazet, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 7c1306723ee916ea9f1fa7d9e4c7a6d029ca7aaf upstream.

Lorenzo reported that we could not properly find v4mapped sockets
in inet_diag_find_one_icsk(). This patch fixes the issue.

Reported-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -318,12 +318,18 @@ int inet_diag_dump_one_icsk(struct inet_
 	}
 #if IS_ENABLED(CONFIG_IPV6)
 	else if (req->sdiag_family == AF_INET6) {
-		sk = inet6_lookup(net, hashinfo,
-				  (struct in6_addr *)req->id.idiag_dst,
-				  req->id.idiag_dport,
-				  (struct in6_addr *)req->id.idiag_src,
-				  req->id.idiag_sport,
-				  req->id.idiag_if);
+		if (ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_dst) &&
+		    ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_src))
+			sk = inet_lookup(net, hashinfo, req->id.idiag_dst[3],
+					 req->id.idiag_dport, req->id.idiag_src[3],
+					 req->id.idiag_sport, req->id.idiag_if);
+		else
+			sk = inet6_lookup(net, hashinfo,
+					  (struct in6_addr *)req->id.idiag_dst,
+					  req->id.idiag_dport,
+					  (struct in6_addr *)req->id.idiag_src,
+					  req->id.idiag_sport,
+					  req->id.idiag_if);
 	}
 #endif
 	else {


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 28/63] asm-generic: Fix local variable shadow in __set_fixmap_offset
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 27/63] net: diag: support v4mapped sockets in inet_diag_find_one_icsk() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 29/63] staging: ashmem: Avoid deadlock with mmap/shrink Ben Hutchings
                   ` (35 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mark Rutland, Arnd Bergmann, Catalin Marinas

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Rutland <mark.rutland@arm.com>

commit 3694bd76781b76c4f8d2ecd85018feeb1609f0e5 upstream.

Currently __set_fixmap_offset is a macro function which has a local
variable called 'addr'. If a caller passes a 'phys' parameter which is
derived from a variable also called 'addr', the local variable will
shadow this, and the compiler will complain about the use of an
uninitialized variable. To avoid the issue with namespace clashes,
'addr' is prefixed with a liberal sprinkling of underscores.

Turning __set_fixmap_offset into a static inline breaks the build for
several architectures. Fixing this properly requires updates to a number
of architectures to make them agree on the prototype of __set_fixmap (it
could be done as a subsequent patch series).

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
[catalin.marinas@arm.com: squashed the original function patch and macro fixup]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/asm-generic/fixmap.h | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/include/asm-generic/fixmap.h
+++ b/include/asm-generic/fixmap.h
@@ -67,12 +67,12 @@ static inline unsigned long virt_to_fix(
 #endif
 
 /* Return a pointer with offset calculated */
-#define __set_fixmap_offset(idx, phys, flags)		      \
-({							      \
-	unsigned long addr;				      \
-	__set_fixmap(idx, phys, flags);			      \
-	addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \
-	addr;						      \
+#define __set_fixmap_offset(idx, phys, flags)				\
+({									\
+	unsigned long ________addr;					\
+	__set_fixmap(idx, phys, flags);					\
+	________addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1));	\
+	________addr;							\
 })
 
 #define set_fixmap_offset(idx, phys) \


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 29/63] staging: ashmem: Avoid deadlock with mmap/shrink
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 28/63] asm-generic: Fix local variable shadow in __set_fixmap_offset Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 30/63] staging: ashmem: Add missing include Ben Hutchings
                   ` (34 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Android Kernel Team, Laura Abbott,
	Osvaldo Banuelos, John Stultz, Syed Rameez Mustafa,
	Arnd Bergmann, Subbaraman Narayanamurthy, Greg KH,
	Matt Wagantall

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Laura Abbott <lauraa@codeaurora.org>

commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e upstream.

Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may
be possible for ashmem_mmap to invoke ashmem_shrink:

-000|mutex_lock(lock = 0x0)
-001|ashmem_shrink(?, sc = 0x0) <--- try to take ashmem_mutex again
-002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages
-002|=
-002|124)
-003|try_to_free_pages(zonelist = 0x0, ?, ?, ?)
-004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist =
-004|0xC11D0940,
-005|new_slab(s = 0xE4841E80, ?, node = -1)
-006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags =
-006|2148925462, ad
-007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208)
-008|shmem_alloc_inode(?)
-009|alloc_inode(sb = 0xE480E800)
-010|new_inode_pseudo(?)
-011|new_inode(?)
-012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags =
-012|187)
-013|shmem_file_setup(?, ?, flags = 187)
-014|ashmem_mmap(?, vma = 0xC5D64210) <---- Acquire ashmem_mutex
-015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472,
-015|flags = 57,
-016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd =
-016|157, pgoff
-017|ret_fast_syscall(asm)
-->|exception
-018|NUR:0x40097508(asm)
---|end of frame

Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex
is already held, do not attempt to shrink.

Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Android Kernel Team <kernel-team@android.com>
Reported-by: Matt Wagantall <mattw@codeaurora.org>
Reported-by: Syed Rameez Mustafa <rameezmustafa@codeaurora.org>
Reported-by: Osvaldo Banuelos <osvaldob@codeaurora.org>
Reported-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
[jstultz: Minor commit message tweaks]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ashmem.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -434,7 +434,9 @@ ashmem_shrink_scan(struct shrinker *shri
 	if (!(sc->gfp_mask & __GFP_FS))
 		return SHRINK_STOP;
 
-	mutex_lock(&ashmem_mutex);
+	if (!mutex_trylock(&ashmem_mutex))
+		return -1;
+
 	list_for_each_entry_safe(range, next, &ashmem_lru_list, lru) {
 		loff_t start = range->pgstart * PAGE_SIZE;
 		loff_t end = (range->pgend + 1) * PAGE_SIZE;


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 30/63] staging: ashmem: Add missing include
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 29/63] staging: ashmem: Avoid deadlock with mmap/shrink Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 31/63] staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT Ben Hutchings
                   ` (33 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Greg KH, John Stultz,
	Rom Lemarchand, Android Kernel Team

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rom Lemarchand <romlem@android.com>

commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 upstream.

Include <linux/types.h> into ashmem.h to ensure referenced types
are defined

Cc: Android Kernel Team <kernel-team@android.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Signed-off-by: Rom Lemarchand <romlem@android.com>
[jstultz: Minor commit message tweaks]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/uapi/ashmem.h | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/android/uapi/ashmem.h
+++ b/drivers/staging/android/uapi/ashmem.h
@@ -13,6 +13,7 @@
 #define _UAPI_LINUX_ASHMEM_H
 
 #include <linux/ioctl.h>
+#include <linux/types.h>
 
 #define ASHMEM_NAME_LEN		256
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 31/63] staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (29 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 30/63] staging: ashmem: Add missing include Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 32/63] staging: goldfish: audio: fix compiliation on arm Ben Hutchings
                   ` (32 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Laura Abbott, sprd-ind-kernel-group,
	sanjeev.yadav, Arnd Bergmann, Sumit Semwal, Colin Cross, Greg KH,
	Rajmal Menariya, Android Kernel Team, John Stultz

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Rajmal Menariya <rajmal.menariya@spreadtrum.com>

commit 1328d8efef17d5e16bd6e9cfe59130a833674534 upstream.

In carveout heap, change minimum allocation order from 12 to
PAGE_SHIFT. After this change each bit in bitmap (genalloc -
General purpose special memory pool) represents one page size
memory.

Cc: sprd-ind-kernel-group@googlegroups.com
Cc: sanjeev.yadav@spreadtrum.com
Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Rajmal Menariya <rajmal.menariya@spreadtrum.com>
[jstultz: Reworked commit message]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Acked-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/android/ion/ion_carveout_heap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/android/ion/ion_carveout_heap.c
+++ b/drivers/staging/android/ion/ion_carveout_heap.c
@@ -168,7 +168,7 @@ struct ion_heap *ion_carveout_heap_creat
 	if (!carveout_heap)
 		return ERR_PTR(-ENOMEM);
 
-	carveout_heap->pool = gen_pool_create(12, -1);
+	carveout_heap->pool = gen_pool_create(PAGE_SHIFT, -1);
 	if (!carveout_heap->pool) {
 		kfree(carveout_heap);
 		return ERR_PTR(-ENOMEM);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 32/63] staging: goldfish: audio: fix compiliation on arm
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 31/63] staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 33/63] ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies Ben Hutchings
                   ` (31 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Greg Hackmann, Jin Qian, Arnd Bergmann,
	Greg Kroah-Hartman, Alan

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Hackmann <ghackmann@google.com>

commit 4532150762ceb0d6fd765ebcb3ba6966fbb8faab upstream.

We do actually need slab.h, by luck we get it on other platforms but not
always on ARM. Include it properly.

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Jin Qian <jinqian@android.com>
Signed-off-by: Alan <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/goldfish/goldfish_audio.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/staging/goldfish/goldfish_audio.c
+++ b/drivers/staging/goldfish/goldfish_audio.c
@@ -26,6 +26,7 @@
 #include <linux/sched.h>
 #include <linux/dma-mapping.h>
 #include <linux/uaccess.h>
+#include <linux/slab.h>
 #include <linux/goldfish.h>
 
 MODULE_AUTHOR("Google, Inc.");


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 33/63] ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 32/63] staging: goldfish: audio: fix compiliation on arm Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 34/63] arm64/kernel: fix incorrect EL0 check in inv_entry macro Ben Hutchings
                   ` (30 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Nicolas Pitre, Lorenzo Pieralisi,
	Russell King, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>

commit 1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1 upstream.

The code enabled by the ARM_CPU_SUSPEND config option is used by
kernel subsystems for purposes that go beyond system suspend so its
config entry should be augmented to take more default options into
account and avoid forcing its selection to prevent dependencies
override.

To achieve this goal, this patch reworks the ARM_CPU_SUSPEND config
entry and updates its default config value (by adding the BL_SWITCHER
option to it) and its dependencies (ARCH_SUSPEND_POSSIBLE), so that the
symbol is still selected by default by the subsystems requiring it and
at the same time enforcing the dependencies correctly.

Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/Kconfig | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1486,7 +1486,6 @@ config BIG_LITTLE
 config BL_SWITCHER
 	bool "big.LITTLE switcher support"
 	depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC
-	select ARM_CPU_SUSPEND
 	select CPU_PM
 	help
 	  The big.LITTLE "switcher" provides the core functionality to
@@ -2201,7 +2200,8 @@ config ARCH_SUSPEND_POSSIBLE
 	def_bool y
 
 config ARM_CPU_SUSPEND
-	def_bool PM_SLEEP
+	def_bool PM_SLEEP || BL_SWITCHER
+	depends on ARCH_SUSPEND_POSSIBLE
 
 config ARCH_HIBERNATION_POSSIBLE
 	bool


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 34/63] arm64/kernel: fix incorrect EL0 check in inv_entry macro
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 33/63] ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 35/63] arm64: kernel: Include _AC definition in page.h Ben Hutchings
                   ` (29 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ard Biesheuvel, Arnd Bergmann, Catalin Marinas

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit b660950c60a7278f9d8deb7c32a162031207c758 upstream.

The implementation of macro inv_entry refers to its 'el' argument without
the required leading backslash, which results in an undefined symbol
'el' to be passed into the kernel_entry macro rather than the index of
the exception level as intended.

This undefined symbol strangely enough does not result in build failures,
although it is visible in vmlinux:

     $ nm -n vmlinux |head
                      U el
     0000000000000000 A _kernel_flags_le_hi32
     0000000000000000 A _kernel_offset_le_hi32
     0000000000000000 A _kernel_size_le_hi32
     000000000000000a A _kernel_flags_le_lo32
     .....

However, it does result in incorrect code being generated for invalid
exceptions taken from EL0, since the argument check in kernel_entry
assumes EL1 if its argument does not equal '0'.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/entry.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -187,7 +187,7 @@ END(vectors)
  * Invalid mode handlers
  */
 	.macro	inv_entry, el, reason, regsize = 64
-	kernel_entry el, \regsize
+	kernel_entry \el, \regsize
 	mov	x0, sp
 	mov	x1, #\reason
 	mrs	x2, esr_el1


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 35/63] arm64: kernel: Include _AC definition in page.h
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 34/63] arm64/kernel: fix incorrect EL0 check in inv_entry macro Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 36/63] suspend: simplify block I/O handling Ben Hutchings
                   ` (28 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Will Deacon, Mark Rutland, Arnd Bergmann,
	James Morse, Catalin Marinas

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Morse <james.morse@arm.com>

commit 812264550dcba6cdbe84bfac2f27e7d23b5b8733 upstream.

page.h uses '_AC' in the definition of PAGE_SIZE, but doesn't include
linux/const.h where this is defined. This produces build warnings when only
asm/page.h is included by asm code.

Signed-off-by: James Morse <james.morse@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/page.h | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm64/include/asm/page.h
+++ b/arch/arm64/include/asm/page.h
@@ -19,6 +19,8 @@
 #ifndef __ASM_PAGE_H
 #define __ASM_PAGE_H
 
+#include <linux/const.h>
+
 /* PAGE_SHIFT determines the page size */
 #ifdef CONFIG_ARM64_64K_PAGES
 #define PAGE_SHIFT		16


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 36/63] suspend: simplify block I/O handling
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 35/63] arm64: kernel: Include _AC definition in page.h Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 37/63] PM / Hibernate: Call flush_icache_range() on pages restored in-place Ben Hutchings
                   ` (27 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Rafael J. Wysocki, Christoph Hellwig,
	Pavel Machek, Ming Lin, Jens Axboe

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <hch@lst.de>

commit 343df3c79c62b644ce6ff5dff96c9e0be1ecb242 upstream.

Stop abusing struct page functionality and the swap end_io handler, and
instead add a modified version of the blk-lib.c bio_batch helpers.

Also move the block I/O code into swap.c as they are directly tied into
each other.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: Pavel Machek <pavel@ucw.cz>
Tested-by: Ming Lin <mlin@kernel.org>
Acked-by: Pavel Machek <pavel@ucw.cz>
Acked-by: Rafael J. Wysocki <rjw@rjwysocki.net>
Signed-off-by: Jens Axboe <axboe@fb.com>
[bwh: Backported to 3.16 as dependency of commit f6cf0545ec69
 "PM / Hibernate: Call flush_icache_range() on pages restored in-place":
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/swap.h    |   1 -
 kernel/power/Makefile   |   3 +-
 kernel/power/block_io.c | 103 --------------------------
 kernel/power/power.h    |   9 ---
 kernel/power/swap.c     | 159 ++++++++++++++++++++++++++++++----------
 mm/page_io.c            |   2 +-
 6 files changed, 122 insertions(+), 155 deletions(-)
 delete mode 100644 kernel/power/block_io.c

--- a/include/linux/swap.h
+++ b/include/linux/swap.h
@@ -395,7 +395,6 @@ extern void end_swap_bio_write(struct bi
 extern int __swap_writepage(struct page *page, struct writeback_control *wbc,
 	void (*end_write_func)(struct bio *, int));
 extern int swap_set_page_dirty(struct page *page);
-extern void end_swap_bio_read(struct bio *bio, int err);
 
 int add_swap_extent(struct swap_info_struct *sis, unsigned long start_page,
 		unsigned long nr_pages, sector_t start_block);
--- a/kernel/power/Makefile
+++ b/kernel/power/Makefile
@@ -7,8 +7,7 @@ obj-$(CONFIG_VT_CONSOLE_SLEEP)	+= consol
 obj-$(CONFIG_FREEZER)		+= process.o
 obj-$(CONFIG_SUSPEND)		+= suspend.o
 obj-$(CONFIG_PM_TEST_SUSPEND)	+= suspend_test.o
-obj-$(CONFIG_HIBERNATION)	+= hibernate.o snapshot.o swap.o user.o \
-				   block_io.o
+obj-$(CONFIG_HIBERNATION)	+= hibernate.o snapshot.o swap.o user.o
 obj-$(CONFIG_PM_AUTOSLEEP)	+= autosleep.o
 obj-$(CONFIG_PM_WAKELOCKS)	+= wakelock.o
 
--- a/kernel/power/block_io.c
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * This file provides functions for block I/O operations on swap/file.
- *
- * Copyright (C) 1998,2001-2005 Pavel Machek <pavel@ucw.cz>
- * Copyright (C) 2006 Rafael J. Wysocki <rjw@sisk.pl>
- *
- * This file is released under the GPLv2.
- */
-
-#include <linux/bio.h>
-#include <linux/kernel.h>
-#include <linux/pagemap.h>
-#include <linux/swap.h>
-
-#include "power.h"
-
-/**
- *	submit - submit BIO request.
- *	@rw:	READ or WRITE.
- *	@off	physical offset of page.
- *	@page:	page we're reading or writing.
- *	@bio_chain: list of pending biod (for async reading)
- *
- *	Straight from the textbook - allocate and initialize the bio.
- *	If we're reading, make sure the page is marked as dirty.
- *	Then submit it and, if @bio_chain == NULL, wait.
- */
-static int submit(int rw, struct block_device *bdev, sector_t sector,
-		struct page *page, struct bio **bio_chain)
-{
-	const int bio_rw = rw | REQ_SYNC;
-	struct bio *bio;
-
-	bio = bio_alloc(__GFP_WAIT | __GFP_HIGH, 1);
-	bio->bi_iter.bi_sector = sector;
-	bio->bi_bdev = bdev;
-	bio->bi_end_io = end_swap_bio_read;
-
-	if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE) {
-		printk(KERN_ERR "PM: Adding page to bio failed at %llu\n",
-			(unsigned long long)sector);
-		bio_put(bio);
-		return -EFAULT;
-	}
-
-	lock_page(page);
-	bio_get(bio);
-
-	if (bio_chain == NULL) {
-		submit_bio(bio_rw, bio);
-		wait_on_page_locked(page);
-		if (rw == READ)
-			bio_set_pages_dirty(bio);
-		bio_put(bio);
-	} else {
-		if (rw == READ)
-			get_page(page);	/* These pages are freed later */
-		bio->bi_private = *bio_chain;
-		*bio_chain = bio;
-		submit_bio(bio_rw, bio);
-	}
-	return 0;
-}
-
-int hib_bio_read_page(pgoff_t page_off, void *addr, struct bio **bio_chain)
-{
-	return submit(READ, hib_resume_bdev, page_off * (PAGE_SIZE >> 9),
-			virt_to_page(addr), bio_chain);
-}
-
-int hib_bio_write_page(pgoff_t page_off, void *addr, struct bio **bio_chain)
-{
-	return submit(WRITE, hib_resume_bdev, page_off * (PAGE_SIZE >> 9),
-			virt_to_page(addr), bio_chain);
-}
-
-int hib_wait_on_bio_chain(struct bio **bio_chain)
-{
-	struct bio *bio;
-	struct bio *next_bio;
-	int ret = 0;
-
-	if (bio_chain == NULL)
-		return 0;
-
-	bio = *bio_chain;
-	if (bio == NULL)
-		return 0;
-	while (bio) {
-		struct page *page;
-
-		next_bio = bio->bi_private;
-		page = bio->bi_io_vec[0].bv_page;
-		wait_on_page_locked(page);
-		if (!PageUptodate(page) || PageError(page))
-			ret = -EIO;
-		put_page(page);
-		bio_put(bio);
-		bio = next_bio;
-	}
-	*bio_chain = NULL;
-	return ret;
-}
--- a/kernel/power/power.h
+++ b/kernel/power/power.h
@@ -163,15 +163,6 @@ extern void swsusp_close(fmode_t);
 extern int swsusp_unmark(void);
 #endif
 
-/* kernel/power/block_io.c */
-extern struct block_device *hib_resume_bdev;
-
-extern int hib_bio_read_page(pgoff_t page_off, void *addr,
-		struct bio **bio_chain);
-extern int hib_bio_write_page(pgoff_t page_off, void *addr,
-		struct bio **bio_chain);
-extern int hib_wait_on_bio_chain(struct bio **bio_chain);
-
 struct timeval;
 /* kernel/power/swsusp.c */
 extern void swsusp_show_speed(struct timeval *, struct timeval *,
--- a/kernel/power/swap.c
+++ b/kernel/power/swap.c
@@ -211,7 +211,84 @@ int swsusp_swap_in_use(void)
  */
 
 static unsigned short root_swap = 0xffff;
-struct block_device *hib_resume_bdev;
+static struct block_device *hib_resume_bdev;
+
+struct hib_bio_batch {
+	atomic_t		count;
+	wait_queue_head_t	wait;
+	int			error;
+};
+
+static void hib_init_batch(struct hib_bio_batch *hb)
+{
+	atomic_set(&hb->count, 0);
+	init_waitqueue_head(&hb->wait);
+	hb->error = 0;
+}
+
+static void hib_end_io(struct bio *bio, int error)
+{
+	struct hib_bio_batch *hb = bio->bi_private;
+	const int uptodate = test_bit(BIO_UPTODATE, &bio->bi_flags);
+	struct page *page = bio->bi_io_vec[0].bv_page;
+
+	if (!uptodate || error) {
+		printk(KERN_ALERT "Read-error on swap-device (%u:%u:%Lu)\n",
+				imajor(bio->bi_bdev->bd_inode),
+				iminor(bio->bi_bdev->bd_inode),
+				(unsigned long long)bio->bi_iter.bi_sector);
+
+		if (!error)
+			error = -EIO;
+	}
+
+	if (bio_data_dir(bio) == WRITE)
+		put_page(page);
+
+	if (error && !hb->error)
+		hb->error = error;
+	if (atomic_dec_and_test(&hb->count))
+		wake_up(&hb->wait);
+
+	bio_put(bio);
+}
+
+static int hib_submit_io(int rw, pgoff_t page_off, void *addr,
+		struct hib_bio_batch *hb)
+{
+	struct page *page = virt_to_page(addr);
+	struct bio *bio;
+	int error = 0;
+
+	bio = bio_alloc(__GFP_WAIT | __GFP_HIGH, 1);
+	bio->bi_iter.bi_sector = page_off * (PAGE_SIZE >> 9);
+	bio->bi_bdev = hib_resume_bdev;
+
+	if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE) {
+		printk(KERN_ERR "PM: Adding page to bio failed at %llu\n",
+			(unsigned long long)bio->bi_iter.bi_sector);
+		bio_put(bio);
+		return -EFAULT;
+	}
+
+	if (hb) {
+		bio->bi_end_io = hib_end_io;
+		bio->bi_private = hb;
+		atomic_inc(&hb->count);
+		submit_bio(rw, bio);
+	} else {
+		error = submit_bio_wait(rw, bio);
+		bio_put(bio);
+	}
+
+	return error;
+}
+
+static int hib_wait_io(struct hib_bio_batch *hb)
+{
+	wait_event(hb->wait, atomic_read(&hb->count) == 0);
+	return hb->error;
+}
 
 /*
  * Saving part
@@ -221,7 +298,7 @@ static int mark_swapfiles(struct swap_ma
 {
 	int error;
 
-	hib_bio_read_page(swsusp_resume_block, swsusp_header, NULL);
+	hib_submit_io(READ_SYNC, swsusp_resume_block, swsusp_header, NULL);
 	if (!memcmp("SWAP-SPACE",swsusp_header->sig, 10) ||
 	    !memcmp("SWAPSPACE2",swsusp_header->sig, 10)) {
 		memcpy(swsusp_header->orig_sig,swsusp_header->sig, 10);
@@ -230,7 +307,7 @@ static int mark_swapfiles(struct swap_ma
 		swsusp_header->flags = flags;
 		if (flags & SF_CRC32_MODE)
 			swsusp_header->crc32 = handle->crc32;
-		error = hib_bio_write_page(swsusp_resume_block,
+		error = hib_submit_io(WRITE_SYNC, swsusp_resume_block,
 					swsusp_header, NULL);
 	} else {
 		printk(KERN_ERR "PM: Swap header not found!\n");
@@ -270,10 +347,10 @@ static int swsusp_swap_check(void)
  *	write_page - Write one page to given swap location.
  *	@buf:		Address we're writing.
  *	@offset:	Offset of the swap page we're writing to.
- *	@bio_chain:	Link the next write BIO here
+ *	@hb:		bio completion batch
  */
 
-static int write_page(void *buf, sector_t offset, struct bio **bio_chain)
+static int write_page(void *buf, sector_t offset, struct hib_bio_batch *hb)
 {
 	void *src;
 	int ret;
@@ -281,13 +358,13 @@ static int write_page(void *buf, sector_
 	if (!offset)
 		return -ENOSPC;
 
-	if (bio_chain) {
+	if (hb) {
 		src = (void *)__get_free_page(__GFP_WAIT | __GFP_NOWARN |
 		                              __GFP_NORETRY);
 		if (src) {
 			copy_page(src, buf);
 		} else {
-			ret = hib_wait_on_bio_chain(bio_chain); /* Free pages */
+			ret = hib_wait_io(hb); /* Free pages */
 			if (ret)
 				return ret;
 			src = (void *)__get_free_page(__GFP_WAIT |
@@ -297,14 +374,14 @@ static int write_page(void *buf, sector_
 				copy_page(src, buf);
 			} else {
 				WARN_ON_ONCE(1);
-				bio_chain = NULL;	/* Go synchronous */
+				hb = NULL;	/* Go synchronous */
 				src = buf;
 			}
 		}
 	} else {
 		src = buf;
 	}
-	return hib_bio_write_page(offset, src, bio_chain);
+	return hib_submit_io(WRITE_SYNC, offset, src, hb);
 }
 
 static void release_swap_writer(struct swap_map_handle *handle)
@@ -347,7 +424,7 @@ err_close:
 }
 
 static int swap_write_page(struct swap_map_handle *handle, void *buf,
-				struct bio **bio_chain)
+		struct hib_bio_batch *hb)
 {
 	int error = 0;
 	sector_t offset;
@@ -355,7 +432,7 @@ static int swap_write_page(struct swap_m
 	if (!handle->cur)
 		return -EINVAL;
 	offset = alloc_swapdev_block(root_swap);
-	error = write_page(buf, offset, bio_chain);
+	error = write_page(buf, offset, hb);
 	if (error)
 		return error;
 	handle->cur->entries[handle->k++] = offset;
@@ -364,15 +441,15 @@ static int swap_write_page(struct swap_m
 		if (!offset)
 			return -ENOSPC;
 		handle->cur->next_swap = offset;
-		error = write_page(handle->cur, handle->cur_swap, bio_chain);
+		error = write_page(handle->cur, handle->cur_swap, hb);
 		if (error)
 			goto out;
 		clear_page(handle->cur);
 		handle->cur_swap = offset;
 		handle->k = 0;
 
-		if (bio_chain && low_free_pages() <= handle->reqd_free_pages) {
-			error = hib_wait_on_bio_chain(bio_chain);
+		if (hb && low_free_pages() <= handle->reqd_free_pages) {
+			error = hib_wait_io(hb);
 			if (error)
 				goto out;
 			/*
@@ -444,23 +521,24 @@ static int save_image(struct swap_map_ha
 	int ret;
 	int nr_pages;
 	int err2;
-	struct bio *bio;
+	struct hib_bio_batch hb;
 	struct timeval start;
 	struct timeval stop;
 
+	hib_init_batch(&hb);
+
 	printk(KERN_INFO "PM: Saving image data pages (%u pages)...\n",
 		nr_to_write);
 	m = nr_to_write / 10;
 	if (!m)
 		m = 1;
 	nr_pages = 0;
-	bio = NULL;
 	do_gettimeofday(&start);
 	while (1) {
 		ret = snapshot_read_next(snapshot);
 		if (ret <= 0)
 			break;
-		ret = swap_write_page(handle, data_of(*snapshot), &bio);
+		ret = swap_write_page(handle, data_of(*snapshot), &hb);
 		if (ret)
 			break;
 		if (!(nr_pages % m))
@@ -468,7 +546,7 @@ static int save_image(struct swap_map_ha
 			       nr_pages / m * 10);
 		nr_pages++;
 	}
-	err2 = hib_wait_on_bio_chain(&bio);
+	err2 = hib_wait_io(&hb);
 	do_gettimeofday(&stop);
 	if (!ret)
 		ret = err2;
@@ -579,7 +657,7 @@ static int save_image_lzo(struct swap_ma
 	int ret = 0;
 	int nr_pages;
 	int err2;
-	struct bio *bio;
+	struct hib_bio_batch hb;
 	struct timeval start;
 	struct timeval stop;
 	size_t off;
@@ -588,6 +666,8 @@ static int save_image_lzo(struct swap_ma
 	struct cmp_data *data = NULL;
 	struct crc_data *crc = NULL;
 
+	hib_init_batch(&hb);
+
 	/*
 	 * We'll limit the number of threads for compression to limit memory
 	 * footprint.
@@ -673,7 +753,6 @@ static int save_image_lzo(struct swap_ma
 	if (!m)
 		m = 1;
 	nr_pages = 0;
-	bio = NULL;
 	do_gettimeofday(&start);
 	for (;;) {
 		for (thr = 0; thr < nr_threads; thr++) {
@@ -747,7 +826,7 @@ static int save_image_lzo(struct swap_ma
 			     off += PAGE_SIZE) {
 				memcpy(page, data[thr].cmp + off, PAGE_SIZE);
 
-				ret = swap_write_page(handle, page, &bio);
+				ret = swap_write_page(handle, page, &hb);
 				if (ret)
 					goto out_finish;
 			}
@@ -758,7 +837,7 @@ static int save_image_lzo(struct swap_ma
 	}
 
 out_finish:
-	err2 = hib_wait_on_bio_chain(&bio);
+	err2 = hib_wait_io(&hb);
 	do_gettimeofday(&stop);
 	if (!ret)
 		ret = err2;
@@ -905,7 +984,7 @@ static int get_swap_reader(struct swap_m
 			return -ENOMEM;
 		}
 
-		error = hib_bio_read_page(offset, tmp->map, NULL);
+		error = hib_submit_io(READ_SYNC, offset, tmp->map, NULL);
 		if (error) {
 			release_swap_reader(handle);
 			return error;
@@ -918,7 +997,7 @@ static int get_swap_reader(struct swap_m
 }
 
 static int swap_read_page(struct swap_map_handle *handle, void *buf,
-				struct bio **bio_chain)
+		struct hib_bio_batch *hb)
 {
 	sector_t offset;
 	int error;
@@ -929,7 +1008,7 @@ static int swap_read_page(struct swap_ma
 	offset = handle->cur->entries[handle->k];
 	if (!offset)
 		return -EFAULT;
-	error = hib_bio_read_page(offset, buf, bio_chain);
+	error = hib_submit_io(READ_SYNC, offset, buf, hb);
 	if (error)
 		return error;
 	if (++handle->k >= MAP_PAGE_ENTRIES) {
@@ -967,27 +1046,28 @@ static int load_image(struct swap_map_ha
 	int ret = 0;
 	struct timeval start;
 	struct timeval stop;
-	struct bio *bio;
+	struct hib_bio_batch hb;
 	int err2;
 	unsigned nr_pages;
 
+	hib_init_batch(&hb);
+
 	printk(KERN_INFO "PM: Loading image data pages (%u pages)...\n",
 		nr_to_read);
 	m = nr_to_read / 10;
 	if (!m)
 		m = 1;
 	nr_pages = 0;
-	bio = NULL;
 	do_gettimeofday(&start);
 	for ( ; ; ) {
 		ret = snapshot_write_next(snapshot);
 		if (ret <= 0)
 			break;
-		ret = swap_read_page(handle, data_of(*snapshot), &bio);
+		ret = swap_read_page(handle, data_of(*snapshot), &hb);
 		if (ret)
 			break;
 		if (snapshot->sync_read)
-			ret = hib_wait_on_bio_chain(&bio);
+			ret = hib_wait_io(&hb);
 		if (ret)
 			break;
 		if (!(nr_pages % m))
@@ -995,7 +1075,7 @@ static int load_image(struct swap_map_ha
 			       nr_pages / m * 10);
 		nr_pages++;
 	}
-	err2 = hib_wait_on_bio_chain(&bio);
+	err2 = hib_wait_io(&hb);
 	do_gettimeofday(&stop);
 	if (!ret)
 		ret = err2;
@@ -1066,7 +1146,7 @@ static int load_image_lzo(struct swap_ma
 	unsigned int m;
 	int ret = 0;
 	int eof = 0;
-	struct bio *bio;
+	struct hib_bio_batch hb;
 	struct timeval start;
 	struct timeval stop;
 	unsigned nr_pages;
@@ -1079,6 +1159,8 @@ static int load_image_lzo(struct swap_ma
 	struct dec_data *data = NULL;
 	struct crc_data *crc = NULL;
 
+	hib_init_batch(&hb);
+
 	/*
 	 * We'll limit the number of threads for decompression to limit memory
 	 * footprint.
@@ -1189,7 +1271,6 @@ static int load_image_lzo(struct swap_ma
 	if (!m)
 		m = 1;
 	nr_pages = 0;
-	bio = NULL;
 	do_gettimeofday(&start);
 
 	ret = snapshot_write_next(snapshot);
@@ -1198,7 +1279,7 @@ static int load_image_lzo(struct swap_ma
 
 	for(;;) {
 		for (i = 0; !eof && i < want; i++) {
-			ret = swap_read_page(handle, page[ring], &bio);
+			ret = swap_read_page(handle, page[ring], &hb);
 			if (ret) {
 				/*
 				 * On real read error, finish. On end of data,
@@ -1225,7 +1306,7 @@ static int load_image_lzo(struct swap_ma
 			if (!asked)
 				break;
 
-			ret = hib_wait_on_bio_chain(&bio);
+			ret = hib_wait_io(&hb);
 			if (ret)
 				goto out_finish;
 			have += asked;
@@ -1280,7 +1361,7 @@ static int load_image_lzo(struct swap_ma
 		 * Wait for more data while we are decompressing.
 		 */
 		if (have < LZO_CMP_PAGES && asked) {
-			ret = hib_wait_on_bio_chain(&bio);
+			ret = hib_wait_io(&hb);
 			if (ret)
 				goto out_finish;
 			have += asked;
@@ -1429,7 +1510,7 @@ int swsusp_check(void)
 	if (!IS_ERR(hib_resume_bdev)) {
 		set_blocksize(hib_resume_bdev, PAGE_SIZE);
 		clear_page(swsusp_header);
-		error = hib_bio_read_page(swsusp_resume_block,
+		error = hib_submit_io(READ_SYNC, swsusp_resume_block,
 					swsusp_header, NULL);
 		if (error)
 			goto put;
@@ -1437,7 +1518,7 @@ int swsusp_check(void)
 		if (!memcmp(HIBERNATE_SIG, swsusp_header->sig, 10)) {
 			memcpy(swsusp_header->sig, swsusp_header->orig_sig, 10);
 			/* Reset swap signature now */
-			error = hib_bio_write_page(swsusp_resume_block,
+			error = hib_submit_io(WRITE_SYNC, swsusp_resume_block,
 						swsusp_header, NULL);
 		} else {
 			error = -EINVAL;
@@ -1481,10 +1562,10 @@ int swsusp_unmark(void)
 {
 	int error;
 
-	hib_bio_read_page(swsusp_resume_block, swsusp_header, NULL);
+	hib_submit_io(READ_SYNC, swsusp_resume_block, swsusp_header, NULL);
 	if (!memcmp(HIBERNATE_SIG,swsusp_header->sig, 10)) {
 		memcpy(swsusp_header->sig,swsusp_header->orig_sig, 10);
-		error = hib_bio_write_page(swsusp_resume_block,
+		error = hib_submit_io(WRITE_SYNC, swsusp_resume_block,
 					swsusp_header, NULL);
 	} else {
 		printk(KERN_ERR "PM: Cannot find swsusp signature!\n");
--- a/mm/page_io.c
+++ b/mm/page_io.c
@@ -69,7 +69,7 @@ void end_swap_bio_write(struct bio *bio,
 	bio_put(bio);
 }
 
-void end_swap_bio_read(struct bio *bio, int err)
+static void end_swap_bio_read(struct bio *bio, int err)
 {
 	const int uptodate = test_bit(BIO_UPTODATE, &bio->bi_flags);
 	struct page *page = bio->bi_io_vec[0].bv_page;


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 37/63] PM / Hibernate: Call flush_icache_range() on pages restored in-place
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 36/63] suspend: simplify block I/O handling Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 38/63] usb: gadget: configfs: add mutex lock before unregister gadget Ben Hutchings
                   ` (26 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Will Deacon, Pavel Machek, Arnd Bergmann,
	James Morse, Rafael J. Wysocki, Catalin Marinas

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Morse <james.morse@arm.com>

commit f6cf0545ec697ddc278b7457b7d0c0d86a2ea88e upstream.

Some architectures require code written to memory as if it were data to be
'cleaned' from any data caches before the processor can fetch them as new
instructions.

During resume from hibernate, the snapshot code copies some pages directly,
meaning these architectures do not get a chance to perform their cache
maintenance. Modify the read and decompress code to call
flush_icache_range() on all pages that are restored, so that the restored
in-place pages are guaranteed to be executable on these architectures.

Signed-off-by: James Morse <james.morse@arm.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Acked-by: Rafael J. Wysocki <rjw@rjwysocki.net>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
[will: make clean_pages_on_* static and remove initialisers]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/power/swap.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/kernel/power/swap.c
+++ b/kernel/power/swap.c
@@ -36,6 +36,14 @@
 #define HIBERNATE_SIG	"S1SUSPEND"
 
 /*
+ * When reading an {un,}compressed image, we may restore pages in place,
+ * in which case some architectures need these pages cleaning before they
+ * can be executed. We don't know which pages these may be, so clean the lot.
+ */
+static bool clean_pages_on_read;
+static bool clean_pages_on_decompress;
+
+/*
  *	The swap map is a data structure used for keeping track of each page
  *	written to a swap partition.  It consists of many swap_map_page
  *	structures that contain each an array of MAP_PAGE_ENTRIES swap entries.
@@ -244,6 +252,9 @@ static void hib_end_io(struct bio *bio,
 
 	if (bio_data_dir(bio) == WRITE)
 		put_page(page);
+	else if (clean_pages_on_read)
+		flush_icache_range((unsigned long)page_address(page),
+				   (unsigned long)page_address(page) + PAGE_SIZE);
 
 	if (error && !hb->error)
 		hb->error = error;
@@ -1052,6 +1063,7 @@ static int load_image(struct swap_map_ha
 
 	hib_init_batch(&hb);
 
+	clean_pages_on_read = true;
 	printk(KERN_INFO "PM: Loading image data pages (%u pages)...\n",
 		nr_to_read);
 	m = nr_to_read / 10;
@@ -1127,6 +1139,10 @@ static int lzo_decompress_threadfn(void
 		d->unc_len = LZO_UNC_SIZE;
 		d->ret = lzo1x_decompress_safe(d->cmp + LZO_HEADER, d->cmp_len,
 		                               d->unc, &d->unc_len);
+		if (clean_pages_on_decompress)
+			flush_icache_range((unsigned long)d->unc,
+					   (unsigned long)d->unc + d->unc_len);
+
 		atomic_set(&d->stop, 1);
 		wake_up(&d->done);
 	}
@@ -1192,6 +1208,8 @@ static int load_image_lzo(struct swap_ma
 	}
 	memset(crc, 0, offsetof(struct crc_data, go));
 
+	clean_pages_on_decompress = true;
+
 	/*
 	 * Start the decompression threads.
 	 */


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 38/63] usb: gadget: configfs: add mutex lock before unregister gadget
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 37/63] PM / Hibernate: Call flush_icache_range() on pages restored in-place Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 39/63] usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG Ben Hutchings
                   ` (25 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Arnd Bergmann, Winter Wang, Felipe Balbi

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Winter Wang <wente.wang@nxp.com>

commit cee51c33f52ebf673a088a428ac0fecc33ab77fa upstream.

There may be a race condition if f_fs calls unregister_gadget_item in
ffs_closed() when unregister_gadget is called by UDC store at the same time.
this leads to a kernel NULL pointer dereference:

[  310.644928] Unable to handle kernel NULL pointer dereference at virtual address 00000004
[  310.645053] init: Service 'adbd' is being killed...
[  310.658938] pgd = c9528000
[  310.662515] [00000004] *pgd=19451831, *pte=00000000, *ppte=00000000
[  310.669702] Internal error: Oops: 817 [#1] PREEMPT SMP ARM
[  310.675211] Modules linked in:
[  310.678294] CPU: 0 PID: 1537 Comm: ->transport Not tainted 4.1.15-03725-g793404c #2
[  310.685958] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[  310.692493] task: c8e24200 ti: c945e000 task.ti: c945e000
[  310.697911] PC is at usb_gadget_unregister_driver+0xb4/0xd0
[  310.703502] LR is at __mutex_lock_slowpath+0x10c/0x16c
[  310.708648] pc : [<c075efc0>]    lr : [<c0bfb0bc>]    psr: 600f0113
<snip..>
[  311.565585] [<c075efc0>] (usb_gadget_unregister_driver) from [<c075e2b8>] (unregister_gadget_item+0x1c/0x34)
[  311.575426] [<c075e2b8>] (unregister_gadget_item) from [<c076fcc8>] (ffs_closed+0x8c/0x9c)
[  311.583702] [<c076fcc8>] (ffs_closed) from [<c07736b8>] (ffs_data_reset+0xc/0xa0)
[  311.591194] [<c07736b8>] (ffs_data_reset) from [<c07738ac>] (ffs_data_closed+0x90/0xd0)
[  311.599208] [<c07738ac>] (ffs_data_closed) from [<c07738f8>] (ffs_ep0_release+0xc/0x14)
[  311.607224] [<c07738f8>] (ffs_ep0_release) from [<c023e030>] (__fput+0x80/0x1d0)
[  311.614635] [<c023e030>] (__fput) from [<c014e688>] (task_work_run+0xb0/0xe8)
[  311.621788] [<c014e688>] (task_work_run) from [<c010afdc>] (do_work_pending+0x7c/0xa4)
[  311.629718] [<c010afdc>] (do_work_pending) from [<c010770c>] (work_pending+0xc/0x20)

for functions using functionFS, i.e. android adbd will close /dev/usb-ffs/adb/ep0
when usb IO thread fails, but switch adb from on to off also triggers write
"none" > UDC. These 2 operations both call unregister_gadget, which will lead
to the panic above.

add a mutex before calling unregister_gadget for api used in f_fs.

Signed-off-by: Winter Wang <wente.wang@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/configfs.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -1551,7 +1551,9 @@ void unregister_gadget_item(struct confi
 {
 	struct gadget_info *gi = to_gadget_info(item);
 
+	mutex_lock(&gi->lock);
 	unregister_gadget(gi);
+	mutex_unlock(&gi->lock);
 }
 EXPORT_SYMBOL_GPL(unregister_gadget_item);
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 39/63] usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 38/63] usb: gadget: configfs: add mutex lock before unregister gadget Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 40/63] video: fbdev: Set pixclock = 0 in goldfishfb Ben Hutchings
                   ` (24 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Amit Pundir, Arnd Bergmann, Xerox Lin,
	Rajkumar Raghupathy, Felipe Balbi

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xerox Lin <xerox_lin@htc.com>

commit 207707d8fd48ebc977fb2b2794004a020e1ee08e upstream.

When rndis data transfer is in progress, some Windows7 Host PC is not
sending the GET_ENCAPSULATED_RESPONSE command for receiving the response
for the previous SEND_ENCAPSULATED_COMMAND processed.

The rndis function driver appends each response for the
SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted,
the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset.
As the rndis response queue is not freed, the previous response is sent
as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host
block any more Rndis transfers.

Hence free the rndis response queue as a part of this soft-reset so that
the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the
response command.

Signed-off-by: Rajkumar Raghupathy <raghup@codeaurora.org>
Signed-off-by: Xerox Lin <xerox_lin@htc.com>
[AmitP: Cherry-picked this patch and folded other relevant
        fixes from Android common kernel android-4.4]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16:
 - Pass configNr instead of params as first argument to
   rndis_{get_next,free}_response()
 - Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/rndis.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@@ -686,6 +686,12 @@ static int rndis_reset_response(int conf
 	rndis_reset_cmplt_type *resp;
 	rndis_resp_t *r;
 	struct rndis_params *params = rndis_per_dev_params + configNr;
+	u8 *xbuf;
+	u32 length;
+
+	/* drain the response queue */
+	while ((xbuf = rndis_get_next_response(configNr, &length)))
+		rndis_free_response(configNr, xbuf);
 
 	r = rndis_add_response(configNr, sizeof(rndis_reset_cmplt_type));
 	if (!r)


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 40/63] video: fbdev: Set pixclock = 0 in goldfishfb
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (38 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 39/63] usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 41/63] arm64: kconfig: drop CONFIG_RTC_LIB dependency Ben Hutchings
                   ` (23 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Roman Kiryanov, Bartlomiej Zolnierkiewicz,
	Christoffer Dall, Peter Maydell, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christoffer Dall <christoffer.dall@linaro.org>

commit ace6033ec5c356615eaa3582fb1946e9eaff6662 upstream.

User space Android code identifies pixclock == 0 as a sign for emulation
and will set the frame rate to 60 fps when reading this value, which is
the desired outcome.

Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Roman Kiryanov <rkir@google.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/video/fbdev/goldfishfb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/video/fbdev/goldfishfb.c
+++ b/drivers/video/fbdev/goldfishfb.c
@@ -234,7 +234,7 @@ static int goldfish_fb_probe(struct plat
 	fb->fb.var.activate	= FB_ACTIVATE_NOW;
 	fb->fb.var.height	= readl(fb->reg_base + FB_GET_PHYS_HEIGHT);
 	fb->fb.var.width	= readl(fb->reg_base + FB_GET_PHYS_WIDTH);
-	fb->fb.var.pixclock	= 10000;
+	fb->fb.var.pixclock	= 0;
 
 	fb->fb.var.red.offset = 11;
 	fb->fb.var.red.length = 5;


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 41/63] arm64: kconfig: drop CONFIG_RTC_LIB dependency
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 40/63] video: fbdev: Set pixclock = 0 in goldfishfb Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 42/63] mmc: mmc: fix switch timeout issue caused by jiffies precision Ben Hutchings
                   ` (22 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ezequiel Garcia, Will Deacon, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>

commit 99a507771fa57238dc7ffe674ae06090333d02c9 upstream.

The rtc-lib dependency is not required, and seems it was just
copy-pasted from ARM's Kconfig. If platform requires rtc-lib,
they should select it individually.

Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/Kconfig | 1 -
 1 file changed, 1 deletion(-)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -60,7 +60,6 @@ config ARM64
 	select PERF_USE_VMALLOC
 	select POWER_RESET
 	select POWER_SUPPLY
-	select RTC_LIB
 	select SPARSE_IRQ
 	select SYSCTL_EXCEPTION_TRACE
 	help


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 42/63] mmc: mmc: fix switch timeout issue caused by jiffies precision
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (40 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 41/63] arm64: kconfig: drop CONFIG_RTC_LIB dependency Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 43/63] cfg80211: size various nl80211 messages correctly Ben Hutchings
                   ` (21 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Chaotian Jing, Ulf Hansson, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chaotian Jing <chaotian.jing@mediatek.com>

commit 987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1 upstream.

with CONFIG_HZ=100, the precision of jiffies is 10ms, and the
generic_cmd6_time of some card is also 10ms. then, may be current
time is only 5ms, but already timed out caused by jiffies precision.

Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/mmc_ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/core/mmc_ops.c
+++ b/drivers/mmc/core/mmc_ops.c
@@ -470,7 +470,7 @@ int __mmc_switch(struct mmc_card *card,
 		timeout_ms = MMC_OPS_TIMEOUT_MS;
 
 	/* Must check status to be sure of no errors. */
-	timeout = jiffies + msecs_to_jiffies(timeout_ms);
+	timeout = jiffies + msecs_to_jiffies(timeout_ms) + 1;
 	do {
 		if (send_status) {
 			err = __mmc_send_status(card, &status, ignore_crc);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 43/63] cfg80211: size various nl80211 messages correctly
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 42/63] mmc: mmc: fix switch timeout issue caused by jiffies precision Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 44/63] arm64: support keyctl() system call in 32-bit mode Ben Hutchings
                   ` (20 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Johannes Berg, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit 4ef8c1c93f848e360754f10eb2e7134c872b6597 upstream.

Ilan reported that sometimes nl80211 messages weren't working if
the frames being transported got very large, which was really a
problem for userspace-to-kernel messages, but prompted me to look
at the code.

Upon review, I found various places where variable-length data is
transported in an nl80211 message but the message isn't allocated
taking that into account. This shouldn't cause any problems since
the frames aren't really that long, apart in one place where two
(possibly very long frames) might not fit.

Fix all the places (that I found) that get variable length data
from the driver and put it into a message to take the length of
the variable data into account. The 100 there is just a safe
constant for the remaining message overhead (it's usually around
50 for most messages.)

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/wireless/nl80211.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10463,7 +10463,7 @@ static void nl80211_send_mlme_event(stru
 	struct sk_buff *msg;
 	void *hdr;
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+	msg = nlmsg_new(100 + len, gfp);
 	if (!msg)
 		return;
 
@@ -10602,7 +10602,7 @@ void nl80211_send_connect_result(struct
 	struct sk_buff *msg;
 	void *hdr;
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+	msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp);
 	if (!msg)
 		return;
 
@@ -10642,7 +10642,7 @@ void nl80211_send_roamed(struct cfg80211
 	struct sk_buff *msg;
 	void *hdr;
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+	msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp);
 	if (!msg)
 		return;
 
@@ -10680,7 +10680,7 @@ void nl80211_send_disconnected(struct cf
 	struct sk_buff *msg;
 	void *hdr;
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
 	if (!msg)
 		return;
 
@@ -10757,7 +10757,7 @@ void cfg80211_notify_new_peer_candidate(
 
 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+	msg = nlmsg_new(100 + ie_len, gfp);
 	if (!msg)
 		return;
 
@@ -11133,7 +11133,7 @@ int nl80211_send_mgmt(struct cfg80211_re
 	struct sk_buff *msg;
 	void *hdr;
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+	msg = nlmsg_new(100 + len, gfp);
 	if (!msg)
 		return -ENOMEM;
 
@@ -11176,7 +11176,7 @@ void cfg80211_mgmt_tx_status(struct wire
 
 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+	msg = nlmsg_new(100 + len, gfp);
 	if (!msg)
 		return;
 
@@ -11886,7 +11886,7 @@ void cfg80211_ft_event(struct net_device
 	if (!ft_event->target_ap)
 		return;
 
-	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+	msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL);
 	if (!msg)
 		return;
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 44/63] arm64: support keyctl() system call in 32-bit mode
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 43/63] cfg80211: size various nl80211 messages correctly Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 45/63] stmmac: copy unicast mac address to MAC registers Ben Hutchings
                   ` (19 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Will Deacon, Arnd Bergmann, Eric Biggers

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

commit 5c2a625937ba49bc691089370638223d310cda9a upstream.

As is the case for a number of other architectures that have a 32-bit
compat mode, enable KEYS_COMPAT if both COMPAT and KEYS are enabled.
This allows AArch32 programs to use the keyctl() system call when
running on an AArch64 kernel.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/Kconfig | 4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -352,6 +352,10 @@ config SYSVIPC_COMPAT
 	def_bool y
 	depends on COMPAT && SYSVIPC
 
+config KEYS_COMPAT
+	def_bool y
+	depends on COMPAT && KEYS
+
 endmenu
 
 menu "Power management options"


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 45/63] stmmac: copy unicast mac address to MAC registers
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 44/63] arm64: support keyctl() system call in 32-bit mode Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 46/63] arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug signals Ben Hutchings
                   ` (18 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, David S. Miller, Bhadram Varka, Arnd Bergmann

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bhadram Varka <vbhadram@nvidia.com>

commit a830405ee452ddc4101c3c9334e6fedd42c6b357 upstream.

Currently stmmac driver not copying the valid ethernet
MAC address to MAC registers. This patch takes care
of updating the MAC register with MAC address.

Signed-off-by: Bhadram Varka <vbhadram@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Arnd Bergmann <arnd@arndb.de>
[bwh: Backported to 3.16:
 - Pass priv->ioaddr as first argument to set_umac_addr operation
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 .../net/ethernet/stmicro/stmmac/stmmac_main.c    | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2388,6 +2388,20 @@ static int stmmac_ioctl(struct net_devic
 	return ret;
 }
 
+static int stmmac_set_mac_address(struct net_device *ndev, void *addr)
+{
+	struct stmmac_priv *priv = netdev_priv(ndev);
+	int ret = 0;
+
+	ret = eth_mac_addr(ndev, addr);
+	if (ret)
+		return ret;
+
+	priv->hw->mac->set_umac_addr(priv->ioaddr, ndev->dev_addr, 0);
+
+	return ret;
+}
+
 #ifdef CONFIG_STMMAC_DEBUG_FS
 static struct dentry *stmmac_fs_dir;
 static struct dentry *stmmac_rings_status;
@@ -2587,7 +2601,7 @@ static const struct net_device_ops stmma
 #ifdef CONFIG_NET_POLL_CONTROLLER
 	.ndo_poll_controller = stmmac_poll_controller,
 #endif
-	.ndo_set_mac_address = eth_mac_addr,
+	.ndo_set_mac_address = stmmac_set_mac_address,
 };
 
 /**


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 46/63] arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug signals
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 45/63] stmmac: copy unicast mac address to MAC registers Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 47/63] arm64: debug: Ensure debug handlers check triggering exception level Ben Hutchings
                   ` (17 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mark Rutland, Will Deacon, Catalin Marinas

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit b9a4b9d084d978f80eb9210727c81804588b42ff upstream.

FAR_EL1 is UNKNOWN for all debug exceptions other than those caused by
taking a hardware watchpoint. Unfortunately, if a debug handler returns
a non-zero value, then we will propagate the UNKNOWN FAR value to
userspace via the si_addr field of the SIGTRAP siginfo_t.

Instead, let's set si_addr to take on the PC of the faulting instruction,
which we have available in the current pt_regs.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/mm/fault.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -512,11 +512,12 @@ void __init hook_debug_fault_code(int nr
 	debug_fault_info[nr].name	= name;
 }
 
-asmlinkage int __exception do_debug_exception(unsigned long addr,
+asmlinkage int __exception do_debug_exception(unsigned long addr_if_watchpoint,
 					      unsigned int esr,
 					      struct pt_regs *regs)
 {
 	const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr);
+	unsigned long pc = instruction_pointer(regs);
 	struct siginfo info;
 	int rv;
 
@@ -527,16 +528,16 @@ asmlinkage int __exception do_debug_exce
 	if (interrupts_enabled(regs))
 		trace_hardirqs_off();
 
-	if (!inf->fn(addr, esr, regs)) {
+	if (!inf->fn(addr_if_watchpoint, esr, regs)) {
 		rv = 1;
 	} else {
 		pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n",
-			 inf->name, esr, addr);
+			 inf->name, esr, pc);
 
 		info.si_signo = inf->sig;
 		info.si_errno = 0;
 		info.si_code  = inf->code;
-		info.si_addr  = (void __user *)addr;
+		info.si_addr  = (void __user *)pc;
 		arm64_notify_die("", regs, &info, 0);
 		rv = 0;
 	}


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 47/63] arm64: debug: Ensure debug handlers check triggering exception level
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (45 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 46/63] arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug signals Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 48/63] x86/atomic: Fix smp_mb__{before,after}_atomic() Ben Hutchings
                   ` (16 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Will Deacon, Mark Rutland, Catalin Marinas

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 6bd288569b50bc89fa5513031086746968f585cb upstream.

Debug exception handlers may be called for exceptions generated both by
user and kernel code. In many cases, this is checked explicitly, but
in other cases things either happen to work by happy accident or they
go slightly wrong. For example, executing 'brk #4' from userspace will
enter the kprobes code and be ignored, but the instruction will be
retried forever in userspace instead of delivering a SIGTRAP.

Fix this issue in the most stable-friendly fashion by simply adding
explicit checks of the triggering exception level to all of our debug
exception handlers.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/kgdb.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c
index bcac81e600b9..f72743dc070d 100644
--- a/arch/arm64/kernel/kgdb.c
+++ b/arch/arm64/kernel/kgdb.c
@@ -215,22 +215,31 @@ int kgdb_arch_handle_exception(int exception_vector, int signo,
 
 static int kgdb_brk_fn(struct pt_regs *regs, unsigned int esr)
 {
+	if (user_mode(regs))
+		return DBG_HOOK_ERROR;
+
 	kgdb_handle_exception(1, SIGTRAP, 0, regs);
-	return 0;
+	return DBG_HOOK_HANDLED;
 }
 
 static int kgdb_compiled_brk_fn(struct pt_regs *regs, unsigned int esr)
 {
+	if (user_mode(regs))
+		return DBG_HOOK_ERROR;
+
 	compiled_break = 1;
 	kgdb_handle_exception(1, SIGTRAP, 0, regs);
 
-	return 0;
+	return DBG_HOOK_HANDLED;
 }
 
 static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr)
 {
+	if (user_mode(regs))
+		return DBG_HOOK_ERROR;
+
 	kgdb_handle_exception(1, SIGTRAP, 0, regs);
-	return 0;
+	return DBG_HOOK_HANDLED;
 }
 
 static struct break_hook kgdb_brkpt_hook = {


^ permalink raw reply related	[flat|nested] 68+ messages in thread

* [PATCH 3.16 48/63] x86/atomic: Fix smp_mb__{before,after}_atomic()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 47/63] arm64: debug: Ensure debug handlers check triggering exception level Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 49/63] locking,x86: Kill atomic_or_long() Ben Hutchings
                   ` (15 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ingo Molnar, Peter Zijlstra,
	Thomas Gleixner, Jari Ruusu, Greg Kroah-Hartman, Linus Torvalds

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 69d927bba39517d0980462efc051875b7f4db185 upstream.

Recent probing at the Linux Kernel Memory Model uncovered a
'surprise'. Strongly ordered architectures where the atomic RmW
primitive implies full memory ordering and
smp_mb__{before,after}_atomic() are a simple barrier() (such as x86)
fail for:

	*x = 1;
	atomic_inc(u);
	smp_mb__after_atomic();
	r0 = *y;

Because, while the atomic_inc() implies memory order, it
(surprisingly) does not provide a compiler barrier. This then allows
the compiler to re-order like so:

	atomic_inc(u);
	*x = 1;
	smp_mb__after_atomic();
	r0 = *y;

Which the CPU is then allowed to re-order (under TSO rules) like:

	atomic_inc(u);
	r0 = *y;
	*x = 1;

And this very much was not intended. Therefore strengthen the atomic
RmW ops to include a compiler barrier.

NOTE: atomic_{or,and,xor} and the bitops already had the compiler
barrier.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jari Ruusu <jari.ruusu@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/atomic.h      | 8 ++++----
 arch/x86/include/asm/atomic64_64.h | 8 ++++----
 arch/x86/include/asm/barrier.h     | 4 ++--
 3 files changed, 10 insertions(+), 10 deletions(-)

--- a/arch/x86/include/asm/atomic.h
+++ b/arch/x86/include/asm/atomic.h
@@ -49,7 +49,7 @@ static inline void atomic_add(int i, ato
 {
 	asm volatile(LOCK_PREFIX "addl %1,%0"
 		     : "+m" (v->counter)
-		     : "ir" (i));
+		     : "ir" (i) : "memory");
 }
 
 /**
@@ -63,7 +63,7 @@ static inline void atomic_sub(int i, ato
 {
 	asm volatile(LOCK_PREFIX "subl %1,%0"
 		     : "+m" (v->counter)
-		     : "ir" (i));
+		     : "ir" (i) : "memory");
 }
 
 /**
@@ -89,7 +89,7 @@ static inline int atomic_sub_and_test(in
 static inline void atomic_inc(atomic_t *v)
 {
 	asm volatile(LOCK_PREFIX "incl %0"
-		     : "+m" (v->counter));
+		     : "+m" (v->counter) :: "memory");
 }
 
 /**
@@ -101,7 +101,7 @@ static inline void atomic_inc(atomic_t *
 static inline void atomic_dec(atomic_t *v)
 {
 	asm volatile(LOCK_PREFIX "decl %0"
-		     : "+m" (v->counter));
+		     : "+m" (v->counter) :: "memory");
 }
 
 /**
--- a/arch/x86/include/asm/atomic64_64.h
+++ b/arch/x86/include/asm/atomic64_64.h
@@ -44,7 +44,7 @@ static inline void atomic64_add(long i,
 {
 	asm volatile(LOCK_PREFIX "addq %1,%0"
 		     : "=m" (v->counter)
-		     : "er" (i), "m" (v->counter));
+		     : "er" (i), "m" (v->counter) : "memory");
 }
 
 /**
@@ -58,7 +58,7 @@ static inline void atomic64_sub(long i,
 {
 	asm volatile(LOCK_PREFIX "subq %1,%0"
 		     : "=m" (v->counter)
-		     : "er" (i), "m" (v->counter));
+		     : "er" (i), "m" (v->counter) : "memory");
 }
 
 /**
@@ -85,7 +85,7 @@ static inline void atomic64_inc(atomic64
 {
 	asm volatile(LOCK_PREFIX "incq %0"
 		     : "=m" (v->counter)
-		     : "m" (v->counter));
+		     : "m" (v->counter) : "memory");
 }
 
 /**
@@ -98,7 +98,7 @@ static inline void atomic64_dec(atomic64
 {
 	asm volatile(LOCK_PREFIX "decq %0"
 		     : "=m" (v->counter)
-		     : "m" (v->counter));
+		     : "m" (v->counter) : "memory");
 }
 
 /**
--- a/arch/x86/include/asm/barrier.h
+++ b/arch/x86/include/asm/barrier.h
@@ -167,8 +167,8 @@ do {									\
 #endif
 
 /* Atomic operations are already serializing on x86 */
-#define smp_mb__before_atomic()	barrier()
-#define smp_mb__after_atomic()	barrier()
+#define smp_mb__before_atomic()	do { } while (0)
+#define smp_mb__after_atomic()	do { } while (0)
 
 /*
  * Stop RDTSC speculation. This is needed when you need to use RDTSC


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 49/63] locking,x86: Kill atomic_or_long()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (47 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 48/63] x86/atomic: Fix smp_mb__{before,after}_atomic() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 50/63] locking/x86: Remove the unused atomic_inc_short() methd Ben Hutchings
                   ` (14 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Paul E. McKenney, Ingo Molnar,
	Peter Zijlstra, Jesse Brandeburg, Linus Torvalds

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit f6b4ecee0eb7bfa66ae8d5652105ed4da53209a3 upstream.

There are no users, kill it.

Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Link: http://lkml.kernel.org/r/20140508135851.768177189@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16 because this function is broken after
 "x86/atomic: Fix smp_mb__{before,after}_atomic()"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/include/asm/atomic.h | 15 ---------------
 1 file changed, 15 deletions(-)

--- a/arch/x86/include/asm/atomic.h
+++ b/arch/x86/include/asm/atomic.h
@@ -218,21 +218,6 @@ static inline short int atomic_inc_short
 	return *v;
 }
 
-#ifdef CONFIG_X86_64
-/**
- * atomic_or_long - OR of two long integers
- * @v1: pointer to type unsigned long
- * @v2: pointer to type unsigned long
- *
- * Atomically ORs @v1 and @v2
- * Returns the result of the OR
- */
-static inline void atomic_or_long(unsigned long *v1, unsigned long v2)
-{
-	asm(LOCK_PREFIX "orq %1, %0" : "+m" (*v1) : "r" (v2));
-}
-#endif
-
 /* These are x86-specific, used by some header files */
 #define atomic_clear_mask(mask, addr)				\
 	asm volatile(LOCK_PREFIX "andl %0,%1"			\


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 50/63] locking/x86: Remove the unused atomic_inc_short() methd
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 49/63] locking,x86: Kill atomic_or_long() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 51/63] dmaengine: qcom: bam_dma: Fix resource leak Ben Hutchings
                   ` (13 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Ingo Molnar, Peter Zijlstra (Intel),
	Andrey Ryabinin, Mark Rutland, Dmitry Vyukov, Linus Torvalds,
	H. Peter Anvin, Thomas Gleixner

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Vyukov <dvyukov@google.com>

commit 31b35f6b4d5285a311e10753f4eb17304326b211 upstream.

It is completely unused and implemented only on x86.
Remove it.

Suggested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20170526172900.91058-1-dvyukov@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16 because this function is broken after
 "x86/atomic: Fix smp_mb__{before,after}_atomic()":
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/tile/lib/atomic_asm_32.S |  3 +--
 arch/x86/include/asm/atomic.h | 13 -------------
 2 files changed, 1 insertion(+), 15 deletions(-)

--- a/arch/tile/lib/atomic_asm_32.S
+++ b/arch/tile/lib/atomic_asm_32.S
@@ -24,8 +24,7 @@
  * has an opportunity to return -EFAULT to the user if needed.
  * The 64-bit routines just return a "long long" with the value,
  * since they are only used from kernel space and don't expect to fault.
- * Support for 16-bit ops is included in the framework but we don't provide
- * any (x86_64 has an atomic_inc_short(), so we might want to some day).
+ * Support for 16-bit ops is included in the framework but we don't provide any.
  *
  * Note that the caller is advised to issue a suitable L1 or L2
  * prefetch on the address being manipulated to avoid extra stalls.
--- a/arch/x86/include/asm/atomic.h
+++ b/arch/x86/include/asm/atomic.h
@@ -205,19 +205,6 @@ static inline int __atomic_add_unless(at
 	return c;
 }
 
-/**
- * atomic_inc_short - increment of a short integer
- * @v: pointer to type int
- *
- * Atomically adds 1 to @v
- * Returns the new value of @u
- */
-static inline short int atomic_inc_short(short int *v)
-{
-	asm(LOCK_PREFIX "addw $1, %0" : "+m" (*v));
-	return *v;
-}
-
 /* These are x86-specific, used by some header files */
 #define atomic_clear_mask(mask, addr)				\
 	asm volatile(LOCK_PREFIX "andl %0,%1"			\


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 51/63] dmaengine: qcom: bam_dma: Fix resource leak
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (49 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 50/63] locking/x86: Remove the unused atomic_inc_short() methd Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 52/63] mwifiex: Fix NL80211_TX_POWER_LIMITED Ben Hutchings
                   ` (12 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Vinod Koul, Jeffrey Hugo

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>

commit 7667819385457b4aeb5fac94f67f52ab52cc10d5 upstream.

bam_dma_terminate_all() will leak resources if any of the transactions are
committed to the hardware (present in the desc fifo), and not complete.
Since bam_dma_terminate_all() does not cause the hardware to be updated,
the hardware will still operate on any previously committed transactions.
This can cause memory corruption if the memory for the transaction has been
reassigned, and will cause a sync issue between the BAM and its client(s).

Fix this by properly updating the hardware in bam_dma_terminate_all().

Fixes: e7c0fe2a5c84 ("dmaengine: add Qualcomm BAM dma driver")
Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Link: https://lore.kernel.org/r/20191017152606.34120-1-jeffrey.l.hugo@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[Jeffrey Hugo: Backported to 4.4 which is lacking 6b4faeac05bc
 ("dmaengine: qcom-bam: Process multiple pending descriptors")]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/dma/qcom_bam_dma.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/dma/qcom_bam_dma.c
+++ b/drivers/dma/qcom_bam_dma.c
@@ -539,7 +539,21 @@ static void bam_dma_terminate_all(struct
 
 	/* remove all transactions, including active transaction */
 	spin_lock_irqsave(&bchan->vc.lock, flag);
+	/*
+	 * If we have transactions queued, then some might be committed to the
+	 * hardware in the desc fifo.  The only way to reset the desc fifo is
+	 * to do a hardware reset (either by pipe or the entire block).
+	 * bam_chan_init_hw() will trigger a pipe reset, and also reinit the
+	 * pipe.  If the pipe is left disabled (default state after pipe reset)
+	 * and is accessed by a connected hardware engine, a fatal error in
+	 * the BAM will occur.  There is a small window where this could happen
+	 * with bam_chan_init_hw(), but it is assumed that the caller has
+	 * stopped activity on any attached hardware engine.  Make sure to do
+	 * this first so that the BAM hardware doesn't cause memory corruption
+	 * by accessing freed resources.
+	 */
 	if (bchan->curr_txd) {
+		bam_chan_init_hw(bchan, bchan->curr_txd->dir);
 		list_add(&bchan->curr_txd->vd.node, &bchan->vc.desc_issued);
 		bchan->curr_txd = NULL;
 	}


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 52/63] mwifiex: Fix NL80211_TX_POWER_LIMITED
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (50 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 51/63] dmaengine: qcom: bam_dma: Fix resource leak Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 53/63] xhci: fix USB3 device initiated resume race with roothub autosuspend Ben Hutchings
                   ` (11 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov, Kalle Valo, Adrian Bunk

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Bunk <bunk@kernel.org>

commit 65a576e27309120e0621f54d5c81eb9128bd56be upstream.

NL80211_TX_POWER_LIMITED was treated as NL80211_TX_POWER_AUTOMATIC,
which is the opposite of what should happen and can cause nasty
regulatory problems.

if/else converted to a switch without default to make gcc warn
on unhandled enum values.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mwifiex/cfg80211.c  | 13 +++++++++++--
 drivers/net/wireless/mwifiex/ioctl.h     |  1 +
 drivers/net/wireless/mwifiex/sta_ioctl.c | 11 +++++++----
 3 files changed, 19 insertions(+), 6 deletions(-)

--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -343,11 +343,20 @@ mwifiex_cfg80211_set_tx_power(struct wip
 	struct mwifiex_power_cfg power_cfg;
 	int dbm = MBM_TO_DBM(mbm);
 
-	if (type == NL80211_TX_POWER_FIXED) {
+	switch (type) {
+	case NL80211_TX_POWER_FIXED:
 		power_cfg.is_power_auto = 0;
+		power_cfg.is_power_fixed = 1;
 		power_cfg.power_level = dbm;
-	} else {
+		break;
+	case NL80211_TX_POWER_LIMITED:
+		power_cfg.is_power_auto = 0;
+		power_cfg.is_power_fixed = 0;
+		power_cfg.power_level = dbm;
+		break;
+	case NL80211_TX_POWER_AUTOMATIC:
 		power_cfg.is_power_auto = 1;
+		break;
 	}
 
 	priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY);
--- a/drivers/net/wireless/mwifiex/ioctl.h
+++ b/drivers/net/wireless/mwifiex/ioctl.h
@@ -245,6 +245,7 @@ struct mwifiex_ds_encrypt_key {
 
 struct mwifiex_power_cfg {
 	u32 is_power_auto;
+	u32 is_power_fixed;
 	u32 power_level;
 };
 
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -659,6 +659,9 @@ int mwifiex_set_tx_power(struct mwifiex_
 	txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf;
 	txp_cfg->action = cpu_to_le16(HostCmd_ACT_GEN_SET);
 	if (!power_cfg->is_power_auto) {
+		u16 dbm_min = power_cfg->is_power_fixed ?
+			      dbm : priv->min_tx_power_level;
+
 		txp_cfg->mode = cpu_to_le32(1);
 		pg_tlv = (struct mwifiex_types_power_group *)
 			 (buf + sizeof(struct host_cmd_ds_txpwr_cfg));
@@ -673,7 +676,7 @@ int mwifiex_set_tx_power(struct mwifiex_
 		pg->last_rate_code = 0x03;
 		pg->modulation_class = MOD_CLASS_HR_DSSS;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg++;
 		/* Power group for modulation class OFDM */
@@ -681,7 +684,7 @@ int mwifiex_set_tx_power(struct mwifiex_
 		pg->last_rate_code = 0x07;
 		pg->modulation_class = MOD_CLASS_OFDM;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg++;
 		/* Power group for modulation class HTBW20 */
@@ -689,7 +692,7 @@ int mwifiex_set_tx_power(struct mwifiex_
 		pg->last_rate_code = 0x20;
 		pg->modulation_class = MOD_CLASS_HT;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg->ht_bandwidth = HT_BW_20;
 		pg++;
@@ -698,7 +701,7 @@ int mwifiex_set_tx_power(struct mwifiex_
 		pg->last_rate_code = 0x20;
 		pg->modulation_class = MOD_CLASS_HT;
 		pg->power_step = 0;
-		pg->power_min = (s8) dbm;
+		pg->power_min = (s8) dbm_min;
 		pg->power_max = (s8) dbm;
 		pg->ht_bandwidth = HT_BW_40;
 	}


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 53/63] xhci: fix USB3 device initiated resume race with roothub autosuspend
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 52/63] mwifiex: Fix NL80211_TX_POWER_LIMITED Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 54/63] Make filldir[64]() verify the directory entry filename is valid Ben Hutchings
                   ` (10 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Mathias Nyman, Lee, Chiasheng,
	Greg Kroah-Hartman, Lee, Hou-hsun

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 upstream.

A race in xhci USB3 remote wake handling may force device back to suspend
after it initiated resume siganaling, causing a missed resume event or warm
reset of device.

When a USB3 link completes resume signaling and goes to enabled (UO)
state a interrupt is issued and the interrupt handler will clear the
bus_state->port_remote_wakeup resume flag, allowing bus suspend.

If the USB3 roothub thread just finished reading port status before
the interrupt, finding ports still in suspended (U3) state, but hasn't
yet started suspending the hub, then the xhci interrupt handler will clear
the flag that prevented roothub suspend and allow bus to suspend, forcing
all port links back to suspended (U3) state.

Example case:
usb_runtime_suspend() # because all ports still show suspended U3
  usb_suspend_both()
    hub_suspend();   # successful as hub->wakeup_bits not set yet
==> INTERRUPT
xhci_irq()
  handle_port_status()
    clear bus_state->port_remote_wakeup
    usb_wakeup_notification()
      sets hub->wakeup_bits;
        kick_hub_wq()
<== END INTERRUPT
      hcd_bus_suspend()
        xhci_bus_suspend() # success as port_remote_wakeup bits cleared

Fix this by increasing roothub usage count during port resume to prevent
roothub autosuspend, and by making sure bus_state->port_remote_wakeup
flag is only cleared after resume completion is visible, i.e.
after xhci roothub returned U0 or other non-U3 link state link on a
get port status request.

Issue rootcaused by Chiasheng Lee

Cc: Lee, Hou-hsun <hou-hsun.lee@intel.com>
Reported-by: Lee, Chiasheng <chiasheng.lee@intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20191211142007.8847-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Mathias Nyman: Backport for 4.9 and 4.4 stable kernels]
[bwh: Backported to 3.16: USB 3.0 SS is the highest speed we handle]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-hub.c  | 8 ++++++++
 drivers/usb/host/xhci-ring.c | 6 +-----
 drivers/usb/host/xhci.h      | 1 +
 3 files changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -612,6 +612,14 @@ static u32 xhci_get_port_status(struct u
 			status |= USB_PORT_STAT_C_BH_RESET << 16;
 		if ((raw_port_status & PORT_CEC))
 			status |= USB_PORT_STAT_C_CONFIG_ERROR << 16;
+
+		/* USB3 remote wake resume signaling completed */
+		if (bus_state->port_remote_wakeup & (1 << wIndex) &&
+		    (raw_port_status & PORT_PLS_MASK) != XDEV_RESUME &&
+		    (raw_port_status & PORT_PLS_MASK) != XDEV_RECOVERY) {
+			bus_state->port_remote_wakeup &= ~(1 << wIndex);
+			usb_hcd_end_port_resume(&hcd->self, wIndex);
+		}
 	}
 
 	if (hcd->speed != HCD_USB3) {
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1605,9 +1605,6 @@ static void handle_port_status(struct xh
 		usb_hcd_resume_root_hub(hcd);
 	}
 
-	if (hcd->speed == HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE)
-		bus_state->port_remote_wakeup &= ~(1 << faked_port_index);
-
 	if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) {
 		xhci_dbg(xhci, "port resume event for port %d\n", port_id);
 
@@ -1626,6 +1623,7 @@ static void handle_port_status(struct xh
 			bus_state->port_remote_wakeup |= 1 << faked_port_index;
 			xhci_test_and_clear_bit(xhci, port_array,
 					faked_port_index, PORT_PLC);
+			usb_hcd_start_port_resume(&hcd->self, faked_port_index);
 			xhci_set_link_state(xhci, port_array, faked_port_index,
 						XDEV_U0);
 			/* Need to wait until the next link state change
@@ -1663,8 +1661,6 @@ static void handle_port_status(struct xh
 		if (slot_id && xhci->devs[slot_id])
 			xhci_ring_device(xhci, slot_id);
 		if (bus_state->port_remote_wakeup & (1 << faked_port_index)) {
-			bus_state->port_remote_wakeup &=
-				~(1 << faked_port_index);
 			xhci_test_and_clear_bit(xhci, port_array,
 					faked_port_index, PORT_PLC);
 			usb_wakeup_notification(hcd->self.root_hub,
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -288,6 +288,7 @@ struct xhci_op_regs {
 #define XDEV_U3		(0x3 << 5)
 #define XDEV_INACTIVE	(0x6 << 5)
 #define XDEV_POLLING	(0x7 << 5)
+#define XDEV_RECOVERY	(0x8 << 5)
 #define XDEV_COMP_MODE  (0xa << 5)
 #define XDEV_RESUME	(0xf << 5)
 /* true: port has power (see HCC_PPC) */


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 54/63] Make filldir[64]() verify the directory entry filename is valid
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (52 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 53/63] xhci: fix USB3 device initiated resume race with roothub autosuspend Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 55/63] filldir[64]: remove WARN_ON_ONCE() for bad directory entries Ben Hutchings
                   ` (9 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Torvalds, Eric W. Biederman,
	Siddharth Chandrasekaran, Alexander Viro, Jann Horn

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 8a23eb804ca4f2be909e372cf5a9e7b30ae476cd upstream.

This has been discussed several times, and now filesystem people are
talking about doing it individually at the filesystem layer, so head
that off at the pass and just do it in getdents{64}().

This is partially based on a patch by Jann Horn, but checks for NUL
bytes as well, and somewhat simplified.

There's also commentary about how it might be better if invalid names
due to filesystem corruption don't cause an immediate failure, but only
an error at the end of the readdir(), so that people can still see the
filenames that are ok.

There's also been discussion about just how much POSIX strictly speaking
requires this since it's about filesystem corruption.  It's really more
"protect user space from bad behavior" as pointed out by Jann.  But
since Eric Biederman looked up the POSIX wording, here it is for context:

 "From readdir:

   The readdir() function shall return a pointer to a structure
   representing the directory entry at the current position in the
   directory stream specified by the argument dirp, and position the
   directory stream at the next entry. It shall return a null pointer
   upon reaching the end of the directory stream. The structure dirent
   defined in the <dirent.h> header describes a directory entry.

  From definitions:

   3.129 Directory Entry (or Link)

   An object that associates a filename with a file. Several directory
   entries can associate names with the same file.

  ...

   3.169 Filename

   A name consisting of 1 to {NAME_MAX} bytes used to name a file. The
   characters composing the name may be selected from the set of all
   character values excluding the slash character and the null byte. The
   filenames dot and dot-dot have special meaning. A filename is
   sometimes referred to as a 'pathname component'."

Note that I didn't bother adding the checks to any legacy interfaces
that nobody uses.

Also note that if this ends up being noticeable as a performance
regression, we can fix that to do a much more optimized model that
checks for both NUL and '/' at the same time one word at a time.

We haven't really tended to optimize 'memchr()', and it only checks for
one pattern at a time anyway, and we really _should_ check for NUL too
(but see the comment about "soft errors" in the code about why it
currently only checks for '/')

See the CONFIG_DCACHE_WORD_ACCESS case of hash_name() for how the name
lookup code looks for pathname terminating characters in parallel.

Link: https://lore.kernel.org/lkml/20190118161440.220134-2-jannh@google.com/
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Jann Horn <jannh@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Siddharth Chandrasekaran <csiddharth@vmware.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/readdir.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -51,6 +51,40 @@ out:
 EXPORT_SYMBOL(iterate_dir);
 
 /*
+ * POSIX says that a dirent name cannot contain NULL or a '/'.
+ *
+ * It's not 100% clear what we should really do in this case.
+ * The filesystem is clearly corrupted, but returning a hard
+ * error means that you now don't see any of the other names
+ * either, so that isn't a perfect alternative.
+ *
+ * And if you return an error, what error do you use? Several
+ * filesystems seem to have decided on EUCLEAN being the error
+ * code for EFSCORRUPTED, and that may be the error to use. Or
+ * just EIO, which is perhaps more obvious to users.
+ *
+ * In order to see the other file names in the directory, the
+ * caller might want to make this a "soft" error: skip the
+ * entry, and return the error at the end instead.
+ *
+ * Note that this should likely do a "memchr(name, 0, len)"
+ * check too, since that would be filesystem corruption as
+ * well. However, that case can't actually confuse user space,
+ * which has to do a strlen() on the name anyway to find the
+ * filename length, and the above "soft error" worry means
+ * that it's probably better left alone until we have that
+ * issue clarified.
+ */
+static int verify_dirent_name(const char *name, int len)
+{
+	if (WARN_ON_ONCE(!len))
+		return -EIO;
+	if (WARN_ON_ONCE(memchr(name, '/', len)))
+		return -EIO;
+	return 0;
+}
+
+/*
  * Traditional linux readdir() handling..
  *
  * "count=1" is a special case, meaning that the buffer is one
@@ -157,6 +191,9 @@ static int filldir(void * __buf, const c
 	int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
 		sizeof(long));
 
+	buf->error = verify_dirent_name(name, namlen);
+	if (unlikely(buf->error))
+		return buf->error;
 	buf->error = -EINVAL;	/* only used if we fail.. */
 	if (reclen > buf->count)
 		return -EINVAL;
@@ -240,6 +277,9 @@ static int filldir64(void * __buf, const
 	int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
 		sizeof(u64));
 
+	buf->error = verify_dirent_name(name, namlen);
+	if (unlikely(buf->error))
+		return buf->error;
 	buf->error = -EINVAL;	/* only used if we fail.. */
 	if (reclen > buf->count)
 		return -EINVAL;


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 55/63] filldir[64]: remove WARN_ON_ONCE() for bad directory entries
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 54/63] Make filldir[64]() verify the directory entry filename is valid Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 56/63] ext4: Introduce ext4_clamp_want_extra_isize() Ben Hutchings
                   ` (8 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Linus Torvalds, Siddharth Chandrasekaran,
	syzbot+3031f712c7ad5dd4d926

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Torvalds <torvalds@linux-foundation.org>

commit b9959c7a347d6adbb558fba7e36e9fef3cba3b07 upstream.

This was always meant to be a temporary thing, just for testing and to
see if it actually ever triggered.

The only thing that reported it was syzbot doing disk image fuzzing, and
then that warning is expected.  So let's just remove it before -rc4,
because the extra sanity testing should probably go to -stable, but we
don't want the warning to do so.

Reported-by: syzbot+3031f712c7ad5dd4d926@syzkaller.appspotmail.com
Fixes: 8a23eb804ca4 ("Make filldir[64]() verify the directory entry filename is valid")
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Siddharth Chandrasekaran <csiddharth@vmware.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/readdir.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -77,9 +77,9 @@ EXPORT_SYMBOL(iterate_dir);
  */
 static int verify_dirent_name(const char *name, int len)
 {
-	if (WARN_ON_ONCE(!len))
+	if (!len)
 		return -EIO;
-	if (WARN_ON_ONCE(memchr(name, '/', len)))
+	if (memchr(name, '/', len))
 		return -EIO;
 	return 0;
 }


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 56/63] ext4: Introduce ext4_clamp_want_extra_isize()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 55/63] filldir[64]: remove WARN_ON_ONCE() for bad directory entries Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 57/63] ext4: add more paranoia checking in ext4_expand_extra_isize handling Ben Hutchings
                   ` (7 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Barret Rhoden, Theodore Ts'o

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Based on commit 7bc04c5c2cc4 "ext4: fix use-after-free race with
debug_want_extra_isize".  We don't have that bug but this will make it
easier to backport commit 4ea99936a163 "ext4: add more paranoia
checking in ext4_expand_extra_isize handling".

Cc: Barret Rhoden <brho@google.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3423,6 +3423,36 @@ int ext4_calculate_overhead(struct super
 	return 0;
 }
 
+static void ext4_clamp_want_extra_isize(struct super_block *sb)
+{
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
+	struct ext4_super_block *es = sbi->s_es;
+
+	/* determine the minimum size of new large inodes, if present */
+	if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
+		sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+						     EXT4_GOOD_OLD_INODE_SIZE;
+		if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
+				       EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE)) {
+			if (sbi->s_want_extra_isize <
+			    le16_to_cpu(es->s_want_extra_isize))
+				sbi->s_want_extra_isize =
+					le16_to_cpu(es->s_want_extra_isize);
+			if (sbi->s_want_extra_isize <
+			    le16_to_cpu(es->s_min_extra_isize))
+				sbi->s_want_extra_isize =
+					le16_to_cpu(es->s_min_extra_isize);
+		}
+	}
+	/* Check if enough inode space is available */
+	if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+							sbi->s_inode_size) {
+		sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+						       EXT4_GOOD_OLD_INODE_SIZE;
+		ext4_msg(sb, KERN_INFO,
+			 "required extra inode space not available");
+	}
+}
 
 static ext4_fsblk_t ext4_calculate_resv_clusters(struct super_block *sb)
 {
@@ -4245,30 +4275,7 @@ no_journal:
 	if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY))
 		sb->s_flags |= MS_RDONLY;
 
-	/* determine the minimum size of new large inodes, if present */
-	if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
-		sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
-						     EXT4_GOOD_OLD_INODE_SIZE;
-		if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
-				       EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE)) {
-			if (sbi->s_want_extra_isize <
-			    le16_to_cpu(es->s_want_extra_isize))
-				sbi->s_want_extra_isize =
-					le16_to_cpu(es->s_want_extra_isize);
-			if (sbi->s_want_extra_isize <
-			    le16_to_cpu(es->s_min_extra_isize))
-				sbi->s_want_extra_isize =
-					le16_to_cpu(es->s_min_extra_isize);
-		}
-	}
-	/* Check if enough inode space is available */
-	if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
-							sbi->s_inode_size) {
-		sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
-						       EXT4_GOOD_OLD_INODE_SIZE;
-		ext4_msg(sb, KERN_INFO, "required extra inode space not"
-			 "available");
-	}
+	ext4_clamp_want_extra_isize(sb);
 
 	err = ext4_reserve_clusters(sbi, ext4_calculate_resv_clusters(sb));
 	if (err) {


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 57/63] ext4: add more paranoia checking in ext4_expand_extra_isize handling
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (55 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 56/63] ext4: Introduce ext4_clamp_want_extra_isize() Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 58/63] Revert "sched/fair: Fix bandwidth timer clock drift condition" Ben Hutchings
                   ` (6 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, syzbot+33d7ea72e47de3bdf4e1,
	Theodore Ts'o, syzbot+f8d6f8386ceacdbfff57,
	syzbot+44b6763edfc17144296f

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a upstream.

It's possible to specify a non-zero s_want_extra_isize via debugging
option, and this can cause bad things(tm) to happen when using a file
system with an inode size of 128 bytes.

Add better checking when the file system is mounted, as well as when
we are actually doing the trying to do the inode expansion.

Link: https://lore.kernel.org/r/20191110121510.GH23325@mit.edu
Reported-by: syzbot+f8d6f8386ceacdbfff57@syzkaller.appspotmail.com
Reported-by: syzbot+33d7ea72e47de3bdf4e1@syzkaller.appspotmail.com
Reported-by: syzbot+44b6763edfc17144296f@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16:
 - Use EIO instead of EFSCORRUPTED
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5094,10 +5094,25 @@ static int ext4_expand_extra_isize(struc
 {
 	struct ext4_inode *raw_inode;
 	struct ext4_xattr_ibody_header *header;
+	unsigned int inode_size = EXT4_INODE_SIZE(inode->i_sb);
+	struct ext4_inode_info *ei = EXT4_I(inode);
 
 	if (EXT4_I(inode)->i_extra_isize >= new_extra_isize)
 		return 0;
 
+	/* this was checked at iget time, but double check for good measure */
+	if ((EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > inode_size) ||
+	    (ei->i_extra_isize & 3)) {
+		EXT4_ERROR_INODE(inode, "bad extra_isize %u (inode size %u)",
+				 ei->i_extra_isize,
+				 EXT4_INODE_SIZE(inode->i_sb));
+		return -EIO;
+	}
+	if ((new_extra_isize < ei->i_extra_isize) ||
+	    (new_extra_isize < 4) ||
+	    (new_extra_isize > inode_size - EXT4_GOOD_OLD_INODE_SIZE))
+		return -EINVAL;	/* Should never happen */
+
 	raw_inode = ext4_raw_inode(&iloc);
 
 	header = IHDR(inode, raw_inode);
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3427,11 +3427,15 @@ static void ext4_clamp_want_extra_isize(
 {
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	struct ext4_super_block *es = sbi->s_es;
+	unsigned def_extra_isize = sizeof(struct ext4_inode) -
+						EXT4_GOOD_OLD_INODE_SIZE;
 
-	/* determine the minimum size of new large inodes, if present */
-	if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
-		sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
-						     EXT4_GOOD_OLD_INODE_SIZE;
+	if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) {
+		sbi->s_want_extra_isize = 0;
+		return;
+	}
+	if (sbi->s_want_extra_isize < 4) {
+		sbi->s_want_extra_isize = def_extra_isize;
 		if (EXT4_HAS_RO_COMPAT_FEATURE(sb,
 				       EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE)) {
 			if (sbi->s_want_extra_isize <
@@ -3445,10 +3449,10 @@ static void ext4_clamp_want_extra_isize(
 		}
 	}
 	/* Check if enough inode space is available */
-	if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
-							sbi->s_inode_size) {
-		sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
-						       EXT4_GOOD_OLD_INODE_SIZE;
+	if ((sbi->s_want_extra_isize > sbi->s_inode_size) ||
+	    (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+							sbi->s_inode_size)) {
+		sbi->s_want_extra_isize = def_extra_isize;
 		ext4_msg(sb, KERN_INFO,
 			 "required extra inode space not available");
 	}


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 58/63] Revert "sched/fair: Fix bandwidth timer clock drift condition"
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 57/63] ext4: add more paranoia checking in ext4_expand_extra_isize handling Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 59/63] can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices Ben Hutchings
                   ` (5 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Denis Kirjanov

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

This reverts commit eb29ee5a3873134917a760bf9c416da0a089a0be, which
was commit 512ac999d2755d2b7109e996a76b6fb8b888631d upstream.  This
introduced a regression and doesn't seem to have been suitable for
older stable branches.  (It has been fixed differently upstream.)

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3163,7 +3163,6 @@ void __refill_cfs_bandwidth_runtime(stru
 	now = sched_clock_cpu(smp_processor_id());
 	cfs_b->runtime = cfs_b->quota;
 	cfs_b->runtime_expires = now + ktime_to_ns(cfs_b->period);
-	cfs_b->expires_seq++;
 }
 
 static inline struct cfs_bandwidth *tg_cfs_bandwidth(struct task_group *tg)
@@ -3186,7 +3185,6 @@ static int assign_cfs_rq_runtime(struct
 	struct task_group *tg = cfs_rq->tg;
 	struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(tg);
 	u64 amount = 0, min_amount, expires;
-	int expires_seq;
 
 	/* note: this is a positive sum as runtime_remaining <= 0 */
 	min_amount = sched_cfs_bandwidth_slice() - cfs_rq->runtime_remaining;
@@ -3212,7 +3210,6 @@ static int assign_cfs_rq_runtime(struct
 			cfs_b->idle = 0;
 		}
 	}
-	expires_seq = cfs_b->expires_seq;
 	expires = cfs_b->runtime_expires;
 	raw_spin_unlock(&cfs_b->lock);
 
@@ -3222,10 +3219,8 @@ static int assign_cfs_rq_runtime(struct
 	 * spread between our sched_clock and the one on which runtime was
 	 * issued.
 	 */
-	if (cfs_rq->expires_seq != expires_seq) {
-		cfs_rq->expires_seq = expires_seq;
+	if ((s64)(expires - cfs_rq->runtime_expires) > 0)
 		cfs_rq->runtime_expires = expires;
-	}
 
 	return cfs_rq->runtime_remaining > 0;
 }
@@ -3251,9 +3246,12 @@ static void expire_cfs_rq_runtime(struct
 	 * has not truly expired.
 	 *
 	 * Fortunately we can check determine whether this the case by checking
-	 * whether the global deadline(cfs_b->expires_seq) has advanced.
+	 * whether the global deadline has advanced. It is valid to compare
+	 * cfs_b->runtime_expires without any locks since we only care about
+	 * exact equality, so a partial write will still work.
 	 */
-	if (cfs_rq->expires_seq == cfs_b->expires_seq) {
+
+	if (cfs_rq->runtime_expires != cfs_b->runtime_expires) {
 		/* extend local deadline, drift is bounded above by 2 ticks */
 		cfs_rq->runtime_expires += TICK_NSEC;
 	} else {
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -187,7 +187,6 @@ struct cfs_bandwidth {
 	u64 quota, runtime;
 	s64 hierarchal_quota;
 	u64 runtime_expires;
-	int expires_seq;
 
 	int idle, timer_active;
 	struct hrtimer period_timer, slack_timer;
@@ -377,7 +376,6 @@ struct cfs_rq {
 
 #ifdef CONFIG_CFS_BANDWIDTH
 	int runtime_enabled;
-	int expires_seq;
 	u64 runtime_expires;
 	s64 runtime_remaining;
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 59/63] can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 58/63] Revert "sched/fair: Fix bandwidth timer clock drift condition" Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 60/63] media: cpia2: Fix use-after-free in cpia2_exit Ben Hutchings
                   ` (4 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Xiaolong Huang, Marc Kleine-Budde

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xiaolong Huang <butterflyhuangxx@gmail.com>

commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.

Uninitialized Kernel memory can leak to USB devices.

Fix this by using kzalloc() instead of kmalloc().

Signed-off-by: Xiaolong Huang <butterflyhuangxx@gmail.com>
Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/usb/kvaser_usb.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/can/usb/kvaser_usb.c
+++ b/drivers/net/can/usb/kvaser_usb.c
@@ -586,7 +586,7 @@ static int kvaser_usb_simple_msg_async(s
 		return -ENOMEM;
 	}
 
-	buf = kmalloc(sizeof(struct kvaser_msg), GFP_ATOMIC);
+	buf = kzalloc(sizeof(struct kvaser_msg), GFP_ATOMIC);
 	if (!buf) {
 		usb_free_urb(urb);
 		return -ENOMEM;
@@ -1109,7 +1109,7 @@ static int kvaser_usb_set_opt_mode(const
 	struct kvaser_msg *msg;
 	int rc;
 
-	msg = kmalloc(sizeof(*msg), GFP_KERNEL);
+	msg = kzalloc(sizeof(*msg), GFP_KERNEL);
 	if (!msg)
 		return -ENOMEM;
 
@@ -1240,7 +1240,7 @@ static int kvaser_usb_flush_queue(struct
 	struct kvaser_msg *msg;
 	int rc;
 
-	msg = kmalloc(sizeof(*msg), GFP_KERNEL);
+	msg = kzalloc(sizeof(*msg), GFP_KERNEL);
 	if (!msg)
 		return -ENOMEM;
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 60/63] media: cpia2: Fix use-after-free in cpia2_exit
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 59/63] can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:43 ` [PATCH 3.16 61/63] mwifiex: don't follow AP if country code received from EEPROM Ben Hutchings
                   ` (3 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Hans Verkuil, Mauro Carvalho Chehab,
	YueHaibing, Hulk Robot

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: YueHaibing <yuehaibing@huawei.com>

commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.

Syzkaller report this:

BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363

CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
 sysfs_remove_file include/linux/sysfs.h:519 [inline]
 driver_remove_file+0x40/0x50 drivers/base/driver.c:122
 usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
 usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
 cpia2_exit+0xa/0x16 [cpia2]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff

Allocated by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
 driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
 usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1430 [inline]
 slab_free_freelist_hook mm/slub.c:1457 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xe1/0x270 mm/slub.c:3957
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
 driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
 usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881f59a6b40
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
The buggy address belongs to the page:
page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                             ^
 ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

cpia2_init does not check return value of cpia2_init, if it failed
in usb_register_driver, there is already cleanup using driver_unregister.
No need call cpia2_usb_cleanup on module exit.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/cpia2/cpia2_v4l.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/usb/cpia2/cpia2_v4l.c
+++ b/drivers/media/usb/cpia2/cpia2_v4l.c
@@ -1249,8 +1249,7 @@ static int __init cpia2_init(void)
 	LOG("%s v%s\n",
 	    ABOUT, CPIA_VERSION);
 	check_parameters();
-	cpia2_usb_init();
-	return 0;
+	return cpia2_usb_init();
 }
 
 


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 61/63] mwifiex: don't follow AP if country code received from EEPROM
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (59 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 60/63] media: cpia2: Fix use-after-free in cpia2_exit Ben Hutchings
@ 2020-01-08 19:43 ` Ben Hutchings
  2020-01-08 19:44 ` [PATCH 3.16 62/63] mwifiex: fix possible heap overflow in mwifiex_process_country_ie() Ben Hutchings
                   ` (2 subsequent siblings)
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Kalle Valo, Cathy Luo, Amitkumar Karwar

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Amitkumar Karwar <akarwar@marvell.com>

commit 947d315257f9b25b0e24f5706f8184b3b00774d4 upstream.

If device has already received country information from
EEPROM, we won't parse AP's country IE and download it to
firmware. We will also set regulatory flags to disable beacon
hints and ignore country IE.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filenames, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mwifiex/cfg80211.c  | 4 ++++
 drivers/net/wireless/mwifiex/sta_ioctl.c | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -2917,6 +2917,10 @@ int mwifiex_register_cfg80211(struct mwi
 	wiphy->cipher_suites = mwifiex_cipher_suites;
 	wiphy->n_cipher_suites = ARRAY_SIZE(mwifiex_cipher_suites);
 
+	if (adapter->region_code)
+		wiphy->regulatory_flags |= REGULATORY_DISABLE_BEACON_HINTS |
+					   REGULATORY_COUNTRY_IE_IGNORE;
+
 	memcpy(wiphy->perm_addr, priv->curr_addr, ETH_ALEN);
 	wiphy->signal_type = CFG80211_SIGNAL_TYPE_MBM;
 	wiphy->flags |= WIPHY_FLAG_HAVE_AP_SME |
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -266,7 +266,8 @@ int mwifiex_bss_start(struct mwifiex_pri
 	priv->scan_block = false;
 
 	if (bss) {
-		mwifiex_process_country_ie(priv, bss);
+		if (adapter->region_code == 0x00)
+			mwifiex_process_country_ie(priv, bss);
 
 		/* Allocate and fill new bss descriptor */
 		bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 62/63] mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2020-01-08 19:43 ` [PATCH 3.16 61/63] mwifiex: don't follow AP if country code received from EEPROM Ben Hutchings
@ 2020-01-08 19:44 ` Ben Hutchings
  2020-01-09 12:12   ` Salvatore Bonaccorso
  2020-01-08 19:44 ` [PATCH 3.16 63/63] scsi: libsas: stop discovering if oob mode is disconnected Ben Hutchings
  2020-01-08 22:52 ` [PATCH 3.16 00/63] 3.16.81-rc1 review Guenter Roeck
  63 siblings, 1 reply; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:44 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, huangwen, Ganapathi Bhat, Kalle Valo

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ganapathi Bhat <gbhat@marvell.com>

commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.

mwifiex_process_country_ie() function parse elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
(country_ie_len > 83). Attacker can  force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, don not connect to the AP.

This fix addresses CVE-2019-14895.

Reported-by: huangwen <huangwenabc@gmail.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
 - Use wiphy_dbg() instead of mwifiex_dbg()
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mwifiex/sta_ioctl.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -223,6 +223,14 @@ static int mwifiex_process_country_ie(st
 			  "11D: skip setting domain info in FW\n");
 		return 0;
 	}
+
+	if (country_ie_len >
+	    (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
+		wiphy_dbg(priv->wdev->wiphy,
+			  "11D: country_ie_len overflow!, deauth AP\n");
+		return -EINVAL;
+	}
+
 	memcpy(priv->adapter->country_code, &country_ie[2], 2);
 
 	domain_info->country_code[0] = country_ie[2];
@@ -266,8 +274,9 @@ int mwifiex_bss_start(struct mwifiex_pri
 	priv->scan_block = false;
 
 	if (bss) {
-		if (adapter->region_code == 0x00)
-			mwifiex_process_country_ie(priv, bss);
+		if (adapter->region_code == 0x00 &&
+		    mwifiex_process_country_ie(priv, bss))
+			return -EINVAL;
 
 		/* Allocate and fill new bss descriptor */
 		bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),


^ permalink raw reply	[flat|nested] 68+ messages in thread

* [PATCH 3.16 63/63] scsi: libsas: stop discovering if oob mode is disconnected
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2020-01-08 19:44 ` [PATCH 3.16 62/63] mwifiex: fix possible heap overflow in mwifiex_process_country_ie() Ben Hutchings
@ 2020-01-08 19:44 ` Ben Hutchings
  2020-01-08 22:52 ` [PATCH 3.16 00/63] 3.16.81-rc1 review Guenter Roeck
  63 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-08 19:44 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Denis Kirjanov, Jason Yan, John Garry, Gao Chuan,
	Martin K. Petersen

3.16.81-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Yan <yanaijie@huawei.com>

commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f upstream.

The discovering of sas port is driven by workqueue in libsas. When libsas
is processing port events or phy events in workqueue, new events may rise
up and change the state of some structures such as asd_sas_phy.  This may
cause some problems such as follows:

==>thread 1                       ==>thread 2

                                  ==>phy up
                                  ==>phy_up_v3_hw()
                                    ==>oob_mode = SATA_OOB_MODE;
                                  ==>phy down quickly
                                  ==>hisi_sas_phy_down()
                                    ==>sas_ha->notify_phy_event()
                                    ==>sas_phy_disconnected()
                                      ==>oob_mode = OOB_NOT_CONNECTED
==>workqueue wakeup
==>sas_form_port()
  ==>sas_discover_domain()
    ==>sas_get_port_device()
      ==>oob_mode is OOB_NOT_CONNECTED and device
         is wrongly taken as expander

This at last lead to the panic when libsas trying to issue a command to
discover the device.

[183047.614035] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000058
[183047.622896] Mem abort info:
[183047.625762]   ESR = 0x96000004
[183047.628893]   Exception class = DABT (current EL), IL = 32 bits
[183047.634888]   SET = 0, FnV = 0
[183047.638015]   EA = 0, S1PTW = 0
[183047.641232] Data abort info:
[183047.644189]   ISV = 0, ISS = 0x00000004
[183047.648100]   CM = 0, WnR = 0
[183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp =
00000000b7df67be
[183047.657834] [0000000000000058] pgd=0000000000000000
[183047.662789] Internal error: Oops: 96000004 [#1] SMP
[183047.667740] Process kworker/u16:2 (pid: 31291, stack limit =
0x00000000417c4974)
[183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G
W  OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1
[183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10,
BIOS 0.15 10/22/2019
[183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain
[183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO)
[183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
[183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw]
[183047.717153] sp : ffff00000f28ba60
[183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228
[183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200
[183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0
[183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228
[183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200
[183047.747464] x19: 0000000000f80800 x18: 0000000000000010
[183047.752848] x17: 0000000000000000 x16: 0000000000000000
[183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005
[183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20
[183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870
[183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0
[183047.779770] x7 : 0000000000000000 x6 : 000000000000003f
[183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0
[183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007
[183047.795922] x1 : 0000000000000008 x0 : 0000000000000000
[183047.801307] Call trace:
[183047.803827]  prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw]
[183047.809127]  hisi_sas_task_prep+0x750/0x888 [hisi_sas_main]
[183047.814773]  hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main]
[183047.820939]  hisi_sas_queue_command+0x28/0x38 [hisi_sas_main]
[183047.826757]  smp_execute_task_sg+0xec/0x218
[183047.831013]  smp_execute_task+0x74/0xa0
[183047.834921]  sas_discover_expander.part.7+0x9c/0x5f8
[183047.839959]  sas_discover_root_expander+0x90/0x160
[183047.844822]  sas_discover_domain+0x1b8/0x1e8
[183047.849164]  process_one_work+0x1b4/0x3f8
[183047.853246]  worker_thread+0x54/0x470
[183047.856981]  kthread+0x134/0x138
[183047.860283]  ret_from_fork+0x10/0x18
[183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800)
[183047.870097] kernel fault(0x1) notification starting on CPU 0
[183047.875828] kernel fault(0x1) notification finished on CPU 0
[183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE)
hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE)
[183047.892418] ---[ end trace 4cc26083fc11b783  ]---
[183047.897107] Kernel panic - not syncing: Fatal exception
[183047.902403] kernel fault(0x5) notification starting on CPU 0
[183047.908134] kernel fault(0x5) notification finished on CPU 0
[183047.913865] SMP: stopping secondary CPUs
[183047.917861] Kernel Offset: disabled
[183047.921422] CPU features: 0x2,a2a00a38
[183047.925243] Memory Limit: none
[183047.928372] kernel reboot(0x2) notification starting on CPU 0
[183047.934190] kernel reboot(0x2) notification finished on CPU 0
[183047.940008] ---[ end Kernel panic - not syncing: Fatal exception
]---

Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com
Reported-by: Gao Chuan <gaochuan4@huawei.com>
Reviewed-by: John Garry <john.garry@huawei.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/libsas/sas_discover.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/scsi/libsas/sas_discover.c
+++ b/drivers/scsi/libsas/sas_discover.c
@@ -97,12 +97,21 @@ static int sas_get_port_device(struct as
 		else
 			dev->dev_type = SAS_SATA_DEV;
 		dev->tproto = SAS_PROTOCOL_SATA;
-	} else {
+	} else if (port->oob_mode == SAS_OOB_MODE) {
 		struct sas_identify_frame *id =
 			(struct sas_identify_frame *) dev->frame_rcvd;
 		dev->dev_type = id->dev_type;
 		dev->iproto = id->initiator_bits;
 		dev->tproto = id->target_bits;
+	} else {
+		/* If the oob mode is OOB_NOT_CONNECTED, the port is
+		 * disconnected due to race with PHY down. We cannot
+		 * continue to discover this port
+		 */
+		sas_put_device(dev);
+		pr_warn("Port %016llx is disconnected when discovering\n",
+			SAS_ADDR(port->attached_sas_addr));
+		return -ENODEV;
 	}
 
 	sas_init_dev(dev);


^ permalink raw reply	[flat|nested] 68+ messages in thread

* Re: [PATCH 3.16 00/63] 3.16.81-rc1 review
  2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
                   ` (62 preceding siblings ...)
  2020-01-08 19:44 ` [PATCH 3.16 63/63] scsi: libsas: stop discovering if oob mode is disconnected Ben Hutchings
@ 2020-01-08 22:52 ` Guenter Roeck
  2020-01-09  1:14   ` Ben Hutchings
  63 siblings, 1 reply; 68+ messages in thread
From: Guenter Roeck @ 2020-01-08 22:52 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, torvalds, akpm, Denis Kirjanov

On Wed, Jan 08, 2020 at 07:42:58PM +0000, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.81 release.
> There are 63 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Fri Jan 10 20:00:00 UTC 2020.
> Anything received after that time might be too late.
> 

Build results:
	total: 136 pass: 136 fail: 0
Qemu test results:
	total: 227 pass: 227 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 68+ messages in thread

* Re: [PATCH 3.16 00/63] 3.16.81-rc1 review
  2020-01-08 22:52 ` [PATCH 3.16 00/63] 3.16.81-rc1 review Guenter Roeck
@ 2020-01-09  1:14   ` Ben Hutchings
  0 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-09  1:14 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: linux-kernel, stable, torvalds, akpm, Denis Kirjanov

[-- Attachment #1: Type: text/plain, Size: 758 bytes --]

On Wed, 2020-01-08 at 14:52 -0800, Guenter Roeck wrote:
> On Wed, Jan 08, 2020 at 07:42:58PM +0000, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.81 release.
> > There are 63 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Fri Jan 10 20:00:00 UTC 2020.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 136 pass: 136 fail: 0
> Qemu test results:
> 	total: 227 pass: 227 fail: 0

Great, thanks for checking,

Ben.

-- 
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 68+ messages in thread

* Re: [PATCH 3.16 62/63] mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
  2020-01-08 19:44 ` [PATCH 3.16 62/63] mwifiex: fix possible heap overflow in mwifiex_process_country_ie() Ben Hutchings
@ 2020-01-09 12:12   ` Salvatore Bonaccorso
  2020-01-10 16:01     ` Ben Hutchings
  0 siblings, 1 reply; 68+ messages in thread
From: Salvatore Bonaccorso @ 2020-01-09 12:12 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, akpm, Denis Kirjanov, huangwen,
	Ganapathi Bhat, Kalle Valo, Brian Norris

Hi Ben,

On Wed, Jan 08, 2020 at 07:44:00PM +0000, Ben Hutchings wrote:
> 3.16.81-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Ganapathi Bhat <gbhat@marvell.com>
> 
> commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
> 
> mwifiex_process_country_ie() function parse elements of bss
> descriptor in beacon packet. When processing WLAN_EID_COUNTRY
> element, there is no upper limit check for country_ie_len before
> calling memcpy. The destination buffer domain_info->triplet is an
> array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
> attacker can build a fake AP with the same ssid as real AP, and
> send malicous beacon packet with long WLAN_EID_COUNTRY elemen
> (country_ie_len > 83). Attacker can  force STA connect to fake AP
> on a different channel. When the victim STA connects to fake AP,
> will trigger the heap buffer overflow. Fix this by checking for
> length and if found invalid, don not connect to the AP.
> 
> This fix addresses CVE-2019-14895.
> 
> Reported-by: huangwen <huangwenabc@gmail.com>
> Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
> [bwh: Backported to 3.16:
>  - Use wiphy_dbg() instead of mwifiex_dbg()
>  - Adjust filename]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
>  drivers/net/wireless/mwifiex/sta_ioctl.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
> 
> --- a/drivers/net/wireless/mwifiex/sta_ioctl.c
> +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
> @@ -223,6 +223,14 @@ static int mwifiex_process_country_ie(st
>  			  "11D: skip setting domain info in FW\n");
>  		return 0;
>  	}
> +
> +	if (country_ie_len >
> +	    (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
> +		wiphy_dbg(priv->wdev->wiphy,
> +			  "11D: country_ie_len overflow!, deauth AP\n");
> +		return -EINVAL;
> +	}
> +
>  	memcpy(priv->adapter->country_code, &country_ie[2], 2);
>  
>  	domain_info->country_code[0] = country_ie[2];
> @@ -266,8 +274,9 @@ int mwifiex_bss_start(struct mwifiex_pri
>  	priv->scan_block = false;
>  
>  	if (bss) {
> -		if (adapter->region_code == 0x00)
> -			mwifiex_process_country_ie(priv, bss);
> +		if (adapter->region_code == 0x00 &&
> +		    mwifiex_process_country_ie(priv, bss))
> +			return -EINVAL;
>  
>  		/* Allocate and fill new bss descriptor */
>  		bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
> 

Brian Norris noted that this commit has unbalanced locking and
submitted a followup as per:

https://lkml.kernel.org/linux-wireless/20200106224212.189763-1-briannorris@chromium.org/T/#u
https://patchwork.kernel.org/patch/11320227/

Regards,
Salvatore

^ permalink raw reply	[flat|nested] 68+ messages in thread

* Re: [PATCH 3.16 62/63] mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
  2020-01-09 12:12   ` Salvatore Bonaccorso
@ 2020-01-10 16:01     ` Ben Hutchings
  0 siblings, 0 replies; 68+ messages in thread
From: Ben Hutchings @ 2020-01-10 16:01 UTC (permalink / raw)
  To: Salvatore Bonaccorso
  Cc: linux-kernel, stable, akpm, Denis Kirjanov, huangwen,
	Ganapathi Bhat, Kalle Valo, Brian Norris

[-- Attachment #1: Type: text/plain, Size: 961 bytes --]

On Thu, 2020-01-09 at 13:12 +0100, Salvatore Bonaccorso wrote:
> Hi Ben,
> 
> On Wed, Jan 08, 2020 at 07:44:00PM +0000, Ben Hutchings wrote:
> > 3.16.81-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Ganapathi Bhat <gbhat@marvell.com>
> > 
> > commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
[...]
> Brian Norris noted that this commit has unbalanced locking and
> submitted a followup as per:
> 
> https://lkml.kernel.org/linux-wireless/20200106224212.189763-1-briannorris@chromium.org/T/#u
> https://patchwork.kernel.org/patch/11320227/

Right, but is the new behaviour (possible wrong preemption count)
actually worse than the old behaviour (possible heap buffer overflow)?

I think we are better off applying this now and adding that fix once
it's upstream.

Ben.

-- 
Ben Hutchings
Every program is either trivial or else contains at least one bug



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 68+ messages in thread

end of thread, other threads:[~2020-01-10 16:01 UTC | newest]

Thread overview: 68+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-08 19:42 [PATCH 3.16 00/63] 3.16.81-rc1 review Ben Hutchings
2020-01-08 19:42 ` [PATCH 3.16 01/63] net: qlogic: Fix memory leak in ql_alloc_large_buffers Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 02/63] net: qlogic: Fix error paths in ql_alloc_large_buffers() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 03/63] HID: sony: Update device ids Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 04/63] HID: sony: Support DS4 dongle Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 05/63] crypto: cts - fix crash on short inputs Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 06/63] tracing/uprobes: Fix output for multiple string arguments Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 07/63] libceph: handle an empty authorize reply Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 08/63] ALSA: compress: add support for 32bit calls in a 64bit kernel Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 09/63] mmc: debugfs: Add a restriction to mmc debugfs clock setting Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 10/63] mmc: sanitize 'bus width' in debug output Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 11/63] mmc: core: shut up "voltage-ranges unspecified" pr_info() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 12/63] usb: dwc3: gadget: Fix suspend/resume during device mode Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 13/63] arm64: mm: Add trace_irqflags annotations to do_debug_exception() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 14/63] mmc: core: fix using wrong io voltage if mmc_select_hs200 fails Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 15/63] mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 16/63] kbuild: setlocalversion: print error to STDERR Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 17/63] usb: gadget: composite: fix dereference after null check coverify warning Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 18/63] usb: gadget: serial: fix re-ordering of tx data Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 19/63] usb: gadget: Add the gserial port checking in gs_start_tx() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 20/63] tcp/dccp: drop SYN packets if accept queue is full Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 21/63] arm64: traps: disable irq in die() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 22/63] usb: renesas_usbhs: gadget: fix unused-but-set-variable warning Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 23/63] xhci: Fix port resume done detection for SS ports with LPM enabled Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 24/63] mmc: block: Allow more than 8 partitions per card Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 25/63] arm64: fix COMPAT_SHMLBA definition for large pages Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 26/63] ARM: 8458/1: bL_switcher: add GIC dependency Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 27/63] net: diag: support v4mapped sockets in inet_diag_find_one_icsk() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 28/63] asm-generic: Fix local variable shadow in __set_fixmap_offset Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 29/63] staging: ashmem: Avoid deadlock with mmap/shrink Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 30/63] staging: ashmem: Add missing include Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 31/63] staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 32/63] staging: goldfish: audio: fix compiliation on arm Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 33/63] ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 34/63] arm64/kernel: fix incorrect EL0 check in inv_entry macro Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 35/63] arm64: kernel: Include _AC definition in page.h Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 36/63] suspend: simplify block I/O handling Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 37/63] PM / Hibernate: Call flush_icache_range() on pages restored in-place Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 38/63] usb: gadget: configfs: add mutex lock before unregister gadget Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 39/63] usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 40/63] video: fbdev: Set pixclock = 0 in goldfishfb Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 41/63] arm64: kconfig: drop CONFIG_RTC_LIB dependency Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 42/63] mmc: mmc: fix switch timeout issue caused by jiffies precision Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 43/63] cfg80211: size various nl80211 messages correctly Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 44/63] arm64: support keyctl() system call in 32-bit mode Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 45/63] stmmac: copy unicast mac address to MAC registers Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 46/63] arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug signals Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 47/63] arm64: debug: Ensure debug handlers check triggering exception level Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 48/63] x86/atomic: Fix smp_mb__{before,after}_atomic() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 49/63] locking,x86: Kill atomic_or_long() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 50/63] locking/x86: Remove the unused atomic_inc_short() methd Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 51/63] dmaengine: qcom: bam_dma: Fix resource leak Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 52/63] mwifiex: Fix NL80211_TX_POWER_LIMITED Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 53/63] xhci: fix USB3 device initiated resume race with roothub autosuspend Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 54/63] Make filldir[64]() verify the directory entry filename is valid Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 55/63] filldir[64]: remove WARN_ON_ONCE() for bad directory entries Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 56/63] ext4: Introduce ext4_clamp_want_extra_isize() Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 57/63] ext4: add more paranoia checking in ext4_expand_extra_isize handling Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 58/63] Revert "sched/fair: Fix bandwidth timer clock drift condition" Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 59/63] can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 60/63] media: cpia2: Fix use-after-free in cpia2_exit Ben Hutchings
2020-01-08 19:43 ` [PATCH 3.16 61/63] mwifiex: don't follow AP if country code received from EEPROM Ben Hutchings
2020-01-08 19:44 ` [PATCH 3.16 62/63] mwifiex: fix possible heap overflow in mwifiex_process_country_ie() Ben Hutchings
2020-01-09 12:12   ` Salvatore Bonaccorso
2020-01-10 16:01     ` Ben Hutchings
2020-01-08 19:44 ` [PATCH 3.16 63/63] scsi: libsas: stop discovering if oob mode is disconnected Ben Hutchings
2020-01-08 22:52 ` [PATCH 3.16 00/63] 3.16.81-rc1 review Guenter Roeck
2020-01-09  1:14   ` Ben Hutchings

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.